[HacktionLab] Is cryptography still safe? (was: BULLRUN & NSA. An Interesting Read)

Patrice Riemens patrice at xs4all.nl
Sat Sep 14 13:56:13 UTC 2013


Hejhej,

https://lilithlela.cyberguerrilla.org/?p=5139

Translation of 'Is cryptografie nog wel veilig?' (Dutch) by Jaap-Henk Hoepman

In response to the revelation that the NSA is trying to learn the contents
of encrypted messages in many ways, Bruce Schneier gives some tips to stay
safe (see the discussion on his blog). However, his advice to use
symmetric cryptography surprised me.

The main conclusions are the following. Both Schneier and Snowden say the
NSA can not break strong cryptography immediately. The NSA can, however,
access any possible device and thus get its hands on the data before it is
encrypted. Implementations of cryptography in running systems may indeed
be weak or made intentionally weak. For example, by building backdoors in
telecom equipment. The NSA also puts a lot of effort into that. This is
also indirect evidence for the proposition that they can not directly
crack cryptography itself.

(...)


Re:

> Date: Fri, 13 Sep 2013 19:53:28 +0100
> From: Zoe Young <zoe at esemplastic.net>
> To: hacktionlab at lists.aktivix.org
> Subject: Re: [HacktionLab] BULLRUN & NSA. An Interesting Read
>
>
>
> This seems to be serious and important stuff, good info for your average
> bod to have. Thank you.
>
> I still don't know what to DO though.
>
> Where is the super simple, highly circulable, easy for anyone to use..
>
> 1. graphic or other sexy summary of the info below, plus
>
> 2. entry point for your average bod, in a couple of clicks and a sign
> up, "to use a VPN, make sure you control both endpoints, and that the
> VPS you set up for this is at a small provider in a country outside of
> you local 'landlords' reach.'?
>
> Looking fwd to seeing them in use, won't they be more use than a million
> demos in support of Snowden etc?
>
> Cheers
>
> Z
>
>
>
> On 07/09/2013 14:04, Sikes wrote:
>> HAI
>>
>> The bottomline so far:
>>
>> Snowden leaked a document showing a roadmap to how the NSA wants to
>> have SSL/TLS broken 'soon', on how they have talked different software
>> and service providers to put exploitable weaknesses in crypto products
>> and how they have compromised '30 VPNs', aiming at 300.
>>
>> commented about amongst others on:
>> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>>
>> It cannot be excluded, but there is little indication that they have
>> successfully attacked SSL/TLS on the level of math&algorythm. Again,
>> like very often in cryptoland, that weakness is the collusion of the
>> providers of actual implementations.
>>
>> In other words:
>>
>> - Yes they can read you 'encrypted' gmail/facebook stuff, but not
>> because encryption is so weak, but because google/facebook gives them
>> access. That's what Snowdens first revelations already yielded. Same
>> thing might count for the provider of VPN/S services, but it's by
>> provider really.
>>
>> - The more of the (crypto) infrastructure you run yourselves, the
>> safer communication will be. Real end-to-end encryption (e.g GPGed
>> email with private keys stored on your respective devices, you reading
>> a website via https on a server hosted by a friend, or a VPS you run
>> there) is not really compromised.
>>
>> The fact that 2 encryption providers in the US (Silent circle,
>> Lavabit:
>> http://thenextweb.com/insider/2013/08/09/silent-circle-follows-lavabit-in-closing-its-encrypted-email-service-because-it-cannot-be-secure/
>> ) closed down, hinting that installing a backdoor was about to be
>> forced upon them, gives a good indication of what really might be the
>> matter. If the NSA/GHCQ would really have broken SSL or PGP, they
>> would never have asked those for a backdoor.
>>
>> Same thing here:
>> http://boingboing.net/2013/09/06/uk-censorwall-bans-vpns.html . Why
>> would they ban Ipredator, if snooping on a VPN was so easy ?
>>
>> So to be 'safer':
>>
>> Ditch you gmail/yahoo/facebook/<insertbigbrandhere> accounts or at
>> least sanitize them to the point that these channels only are used to
>> communicate public(able) information, _and_ stop using your real names.
>>
>> If you want to use a VPN, make sure you control both endpoints, and
>> that the VPS you set up for this is at a small provider in a country
>> outside of you local 'landlords' reach.
>>
>> kizziz
>> IAH
>>
>>
>>
>>
>>
>>
>>
>> ________________________________
>> fighting for your digital rights:
>> https://gnu.org/ (A)
>>
>>
>> On Sat, 7 Sep 2013, Martin (Crypt) wrote:
>>
>>> I'm just amazed people are supprised at all about this.  We've had
>>> the NSA insert a backdoor into windows, and we had several articles
>>> as far back as 2007, including this:
>>> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
>>>
>>>
>>> All point to this kind of activity, so it should come as no supprise
>>> really.  It all adds up to yet another reason to use open standards
>>> and open source software.  This isn't a perfect solution to protect
>>> yourself, but its a lot better than commercial
>>> packages where the NSA can easily influence the developers to put the
>>> backdoors in.  In an open development community this is a lot harder.
>>>
>>>
>>>
>>> On Sat, Sep 7, 2013 at 9:50 AM, Chris <greenbean at riseup.net> wrote:
>>>       This article contains leaked information about the NSA's
>>> BULLRUN project
>>>
>>>       "  two facts must remain top secret: that NSA makes
>>> modifications to commercial encryption software and devices "to make
>>> them exploitable", and that NSA "obtains cryptographic details of
>>> commercial cryptographic information security systems
>>>       through industry relationships"."
>>>
>>> http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
>>>
>>> _______________________________________________
>>> HacktionLab mailing list
>>> HacktionLab at lists.aktivix.org
>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>>>
>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> HacktionLab mailing list
>> HacktionLab at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <https://lists.aktivix.org/pipermail/hacktionlab/attachments/20130913/25f417dd/attachment-0001.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>
>
> ------------------------------
>
> End of HacktionLab Digest, Vol 65, Issue 6
> ******************************************
>





More information about the HacktionLab mailing list