[HacktionLab] BULLRUN & NSA. An Interesting Read
penguin
penguin at riseup.net
Sat Sep 14 12:23:31 UTC 2013
Hi Zoe
Picking up on your second point, https://techtoolsforactivism.org/ was
an attempt to do this (esp. Help Using the Tools). A few people, some
of whom are on this list, put it together in the pre-Snowden times.
It's not perfect, (partly because people lack time (especially given
that there are so many applications and services that have privacy &
security implications), partly cos there's no such thing as an
'average bod' so it's always hard to know where to pitch things, and
other reasons).
However, in the post-Snowden epoch (if I may be so bold) there's some
talk about refreshing and updating the site & accompanying leaflet.
What would be really useful is for people that consider themselves as
non-experts to pop over to https://techtoolsforactivism.org/ and
provide feedback on what they understood, what they didn't, and what
else they'd like to see on the site.
Cheers
G
On 13/09/13 19:53, Zoe Young wrote:
> This seems to be serious and important stuff, good info for your
> average bod to have. Thank you.
>
> I still don't know what to DO though.
>
> Where is the super simple, highly circulable, easy for anyone to
> use..
>
> 1. graphic or other sexy summary of the info below, plus
>
> 2. entry point for your average bod, in a couple of clicks and a
> sign up, "to use a VPN, make sure you control both endpoints, and
> that the VPS you set up for this is at a small provider in a
> country outside of your local 'landlords' reach."?
>
> Looking fwd to seeing them in use, won't they be more use than a
> million demos in support of Snowden etc?
>
> Cheers
>
> Z
>
>
>
> On 07/09/2013 14:04, Sikes wrote:
>> HAI
>>
>> The bottomline so far:
>>
>> Snowden leaked a document showing a roadmap to how the NSA wants
>> to have SSL/TLS broken 'soon', on how they have talked different
>> software and service providers to put exploitable weaknesses in
>> crypto products and how they have compromised '30 VPNs', aiming
>> at 300.
>>
>> commented about amongst others on:
>> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>>
>> It cannot be excluded, but there is little indication that they have
>> successfully attacked SSL/TLS on the level of math&algorithm.
>> Again, like very often in cryptoland, that weakness is the
>> collusion of the providers of actual implementations.
>>
>> In other words:
>>
>> - Yes they can read your 'encrypted' gmail/facebook stuff, but
>> not because encryption is so weak, but because google/facebook
>> gives them access. That's what Snowden's first revelations already
>> yielded. Same thing might count for the provider of VPN/S
>> services, but it's by provider really.
>>
>> - The more of the (crypto) infrastructure you run yourselves,
>> the safer communication will be. Real end-to-end encryption (e.g
>> GPGed email with private keys stored on your respective devices,
>> you reading a website via https on a server hosted by a friend,
>> or a VPS you run there) is not really compromised.
>>
>> The fact that 2 encryption providers in the US (Silent circle,
>> Lavabit:
>> http://thenextweb.com/insider/2013/08/09/silent-circle-follows-lavabit-in-closing-its-encrypted-email-service-because-it-cannot-be-secure/
>> ) closed down, hinting that installing a backdoor was about to be
>> forced upon them, gives a good indication of what really might be
>> the matter. If the NSA/GCHQ would really have broken SSL or PGP,
>> they would never have asked those for a backdoor.
>>
>> Same thing here:
>> http://boingboing.net/2013/09/06/uk-censorwall-bans-vpns.html .
>> Why would they ban Ipredator, if snooping on a VPN was so easy ?
>>
>> So to be 'safer':
>>
>> Ditch your gmail/yahoo/facebook/<insertbigbrandhere> accounts or
>> at least sanitize them to the point that these channels only are
>> used to communicate public(able) information, _and_ stop using
>> your real names.
>>
>> If you want to use a VPN, make sure you control both endpoints,
>> and that the VPS you set up for this is at a small provider in a
>> country outside of your local 'landlords' reach.
>>
>> kizziz IAH
>>
>> ________________________________ fighting for your digital
>> rights: https://gnu.org/ (A)
>>
>>
>> On Sat, 7 Sep 2013, Martin (Crypt) wrote:
>>
>>> I'm just amazed people are surprised at all about this. We've
>>> had the NSA insert a backdoor into windows, and we had several
>>> articles as far back as 2007, including this:
>>> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
>>>
>>> All point to this kind of activity, so it should come as no surprise
>>> really. It all adds up to yet another reason to use open
>>> standards and open source software. This isn't a perfect
>>> solution to protect yourself, but it's a lot better than
>>> commercial packages where the NSA can easily influence the
>>> developers to put the backdoors in. In an open development
>>> community this is a lot harder.
>>>
>>>
>>>
>>> On Sat, Sep 7, 2013 at 9:50 AM, Chris <greenbean at riseup.net> wrote:
>>> This article contains leaked information about the
>>> NSA's BULLRUN project
>>>
>>> " two facts must remain top secret: that NSA makes
>>> modifications to commercial encryption software and devices "to
>>> make them exploitable", and that NSA "obtains cryptographic
>>> details of commercial cryptographic information security
>>> systems through industry relationships"."
>>>
>>>
>>> http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
>>>
>>> _______________________________________________
>>> HacktionLab mailing list HacktionLab at lists.aktivix.org
>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
- --
penguin
GPG key: http://tiny.cc/gpg-key