NSA Decryption capabilities

29 replies [Last post]
WootMoon
Offline
Joined: 03/06/2013

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

Well, this proves that a purely technological solution to encryption/privacy is not nearly enough. This is definitely a political fight.

ahj
ahj

I am a member!

Offline
Joined: 06/03/2012

This is huge. If the NSA can control HTTPS and other encryption protocols, then they have effectively broken the internet.

It's over.

edit: Here's the Guardian article, very interesting (and disturbing).

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Mach.
Offline
Joined: 09/06/2013

I dont think anyone can break strong encryption. The NSA is just getting the keys, monitoring the keystrokes etc, not defeating the encryption.

I think users can beat it, it is just harder and less convieniant.

As an analogy, you can beat any audio drm by just holding a tape recorder next to the speaker while the music is playing. Not the easiest way to do it but works. You start with that and improve.

Maybe I dont understand the process correctly, but with shared key, as long as the key is not typed into a connected computer, it cannot be compromised.

With encryption, you need computers that are isolated to be involved.

Sender Computer A - Isolated (not connected to a network)
Sender Computer B - connected to internet

Reciever Computer A - connected to internet
Reciever computer B - Isolated (not connected to any network)

Write message in sender computer A, then encrypt it also on sender computer A. From that screen write down encrypted message on paper. Type this message into sender computer B, send via email or whatever to Reciever Computer A.

On Reciever computer A, write down encrypted message. Type into reciever computer B, decrypt it using the shared key.

Not very practical, but its encryption that cannot be broken, even by the NSA unless they get physical access to the isolated computers.

I would think take the above system and improve on it provided at least 2 computers remain isolated.

oralfloss
Offline
Joined: 06/20/2013

How is receiver computer B going to get the "shared key"?

t3g
t3g
Offline
Joined: 05/15/2011

Here's another link about them getting around SSL, VPNs, and other secure protocols through brute force.

http://www.usatoday.com/story/news/nation/2013/09/05/nsa-snowden-encryption-cracked/2772721/

Scary indeed.

dudeski

I am a member!

Offline
Joined: 07/03/2013

These articles sure seem to be lacking in any real meaty details. Seems like a lot of marketing hyperbole to make people paranoid to be perfectly honest..

..But if I might speculate aloud a little then.
Getting around SSL is obviously easy, as with 99% of websites you need only go knock on their door and ask for the certificates from which the asymmetric encryption keys are derived.
And then, oh look, you can decrypt any past and future traffic until they change the cert.
Now there are some websites that use OTR-style perfect forward secrecy, in which case that method would not work.
But even then you could, with the certificate in hand, do a man in the middle attack, which is always the problem with a trust-based encryption system.
Or better yet, just ask the service in question to CC you on all the data, there is really no need to overcomplicate these things.

As for actually bruteforcing the symmetric or asymmetric encryption used, unless there are deliberate backdoors in implementation, or someone has some very fancy quantum computers, I don't see that happening yet. Not with proper key length anyway.
And there does exist quantum-resistant crypto schemes last I checked.

As for VPN's, yeah, we already know that the most common protocol, PPTP, is more or less as secure as 56bit DES, which is to say easily bruteforceable by any random guy in a basement with a powerful GPU or two.
And it goes without saying that using VPN providers in, say, the US or the UK, or any other fascist polite state is rather counterintuitive, to put it very politely.

jxself
Offline
Joined: 09/13/2010

> lacking in any real meaty details.

Like exactly how it's done? And with who? Of course - "These details are guarded by still higher levels of classification."

Jodiendo
Offline
Joined: 01/09/2013
dudeski

I am a member!

Offline
Joined: 07/03/2013

No, I mean any facts whatsoever actually. Like what they're even doing. From a cursory reading those articles are just nothing but run for the hills hysteria with a few buzz words mixed in.

So figured it might be worth writing a quick little summary of what kind of stuff they SEEM to be talking about, although to my mind it hardly qualifies as news, as all of it is well known.

Fernando_Negro
Offline
Joined: 06/17/2012
t3g
t3g
Offline
Joined: 05/15/2011

What I don't like is how they spent $255 million of tax payer money to basically snoop on the people that had no choice into paying for it since that's how taxes work.

That is a lot of money going into taking away not only the freedom of Americans, but other countries. I also don't like how they are in bed with major tech companies to produce vulnerabilities and back doors for the encryption they helped create.

lembas
Offline
Joined: 05/13/2010

Who's the conspiracy theorist now?

Fernando_Negro
Offline
Joined: 06/17/2012

And, here goes a(nother) warning that I know will be (once more) ignored by the less politically informed, aware and sophisticated...

Watch out for the *fake* alternatives, that the media (http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying) controlled (https://id.theguardian.com/profile/ptanarchist/public) by the "public-private partnership" gang will start promoting (http://www.theguardian.com/technology/2013/feb/26/kim-dotcom-mega-encrypted-email)... (The links included in this paragraph, are just one example.)

If you trust companies that sign their work with labels such as "1984" (http://www.mailpile.is/) - or that use the same symbol (http://www.youtube.com/watch?v=MokNvbiRqCM#t=03m48s) with which the mentioned "public-private partnership" signs some of their controlled movements (http://www.globalresearch.ca/occupy-wall-street-and-the-american-autumn-is-it-a-colored-revolution/27053) - you're, not only falling into a trap, but also being the target of an "inside joke" you're not aware of...

onpon4
Offline
Joined: 05/30/2012

1984 Hosting is called that as a reference to Nineteen Eighty-Four, obviously. It's obvious what the name means: that it's the hosting service you use to stay away from such a government as in Nineteen Eighty-Four.

Anyway, what you linked to isn't even 1984 Hosting, it's Mailpile. I'm not familiar with that, but it looks to me like it's an e-mail client. 1984 Hosting is just listed among several others as a part of their "community of supporters and participants", whatever that means.

I think you should consider that maybe, not everything in the world is driven by a conspiracy. There are real conspiracies, but either they are legal and therefore out in the open, or illegal and therefore secret.

Fernando_Negro
Offline
Joined: 06/17/2012

"It's obvious what the name means: that it's the hosting service you use to stay away from such a government as in Nineteen Eighty-Four."

Or the other way around... - https://trisquel.info/en/forum/fundraising-campaign-privacy-friendly-mail-tlsopengpgetc-software#comment-42176

(And the joke is on the people using such service, and not on the government they are trying to hide from...)

"1984" is listed in Mailpile's web page as one of the companies who helped create that e-mail hosting service.

And, I know that "not everything in the world is driven by a conspiracy"...

But, having been researching such a topic (of corporate/government surveillance, and what really goes on behind the scenes) for 10 years now, I am now (well) aware of the amount of fake movements and organizations that are actually working for the "powers-that-be" (and the kind of dirty tricks and insidious methods that this "public-private partnership" uses).

(From what I know, the number of fake movements and organizations even surpasses the number of real, or legitimate, ones...)

icarolongo
Offline
Joined: 03/26/2011

It is free software. It's good, doesn't matters the company. *You* have the freedom to change all if you want.

Linux kernel is made by many private companies like Red Hat, SUSE, HP, Google, etc and you probably use it.

With GNU project is the same. Many companies help with the project and the foundation.

Fernando_Negro
Offline
Joined: 06/17/2012

Just because a piece of software is free (and "open source"), it doesn't necessarily mean it's a good piece of software - or a "secure" one.

And, just because everyone can change its source code, it doesn't necessarily mean that every (well-intended) person (with a knowledge of computing) has the knowledge of the complexity (and also the patience, and the time) necessary to spot every weaknesses in it (and solve them).

Take the "Tor" network example, that I've repeatedly mentioned in this forum...

It was created by the US government itself, and it is said to be "private" (or "secure"). But, already some universities' departments (with, surely, a limited amount of personnel and money) have already discovered that it's not as "private" (or "secure") as people thought it was.

(https://trisquel.info/en/forum/how-use-tor-trisquel#comment-26792)

icarolongo
Offline
Joined: 03/26/2011

I know about this. Like years ago someone said about backdoor from FBI in OpenBSD.

dudeski

I am a member!

Offline
Joined: 07/03/2013

I'd would like to point out that OpenBSD backdoor thing is entirely unproven and by all accounts just nonsense.

onpon4
Offline
Joined: 05/30/2012

We don't live in Oceania. The closest thing to that in the world is North Korea, which I'm certain none of us live in because the Internet is heavily censored there (or more appropriately, they have their own Internet). There is no reason to believe that we have fake movements and organizations set up by the governments as a trap. Our governments have problems, but they are nothing like the totalitarian regime of Oceania and there is no evidence that they are setting up fake movements or organizations.

Fernando_Negro
Offline
Joined: 06/17/2012

We don't live in "Oceania", *yet*... But, as I recently said elsewhere (https://trisquel.info/en/forum/ubuntu-1310-second-step-spy-its-users#comment-41977), that's the kind of regime that is planned for us.

"The technetronic era involves the gradual appearance of a more controlled society. Such a society would be dominated by an elite, unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing even the most personal information about the citizen. These files will be subject to instantaneous retrieval by the authorities."
--- Zbigniew Brzezinski, in "Between Two Ages: America's Role in the Technetronic Era"

(Notice the term *gradual*... Germany also didn't turn into a Police State and Dictatorship over night...)

As for censorship...

- The UK has already started censoring the web (http://www.huffingtonpost.co.uk/olly-lennard/why-david-camerons-intern_b_3653566.html).
- And, so has Australia (http://www.wired.co.uk/news/archive/2013-05/17/australia-internet-block), for example.
- And it will, surely, be just a matter of time before other Western governments start doing the same (https://trisquel.info/en/forum/internet-censorship-authoritarian-countries#comment-30744).

And, as for the proofs of fake movements and organizations...

(Besides looking for well-known signatures...)

You can spot a lot of them through their funding and by knowing which other organizations are giving them help (and by knowing who's at the source of such money, and who runs this last organizations that help the first ones).

(The well-know phrase, among investigators, that is said, when researching these kind of links, is: "Follow the money"...)

For "civil liberties" organizations, of the type mentioned in the articles posted on this thread, for example, (that make the "controlled criticism" that less hurts the establishment) all that you have to do is to check out their "annual reports", on their web pages, and learn about the foundations that fund them (who runs them, where they get their money from, who's "in bed" with the people that have founded them - or, in other words, with whom they associate, and have common business, with - etc.)

People who are well-known for their misdeeds are not altruistic persons. And, if they fund organizations other than their own, it's because it somehow benefits them. (And, if you're well-informed about what they're up to - http://www.amazon.com/The-True-Story-Bilderberg-Group/dp/1611203155 - you'll know what specific benefits, and ultimate goals, are those...)

onpon4
Offline
Joined: 05/30/2012

I know that there are problems, and I know that people want power. But any assertion that someone already has enough power to do that kind of deception is baseless.

Fernando_Negro
Offline
Joined: 06/17/2012

(But, just to finish my comments in this thread...)

I don't know if other people, in here, realize how *serious* all of this is...

(Forget the light critics, made by the controlled "civil liberties organizations", and pay real attention to what's going on around you.)

You have an *out*-*of*-*control* government, who doesn't even obey the Supreme Law of your country.

(Ever heard of something called "The Fourth Amendment to the United States Constitution"?)

This kind of *illegal* surveillance network build-up is just one of several steps (http://www.theguardian.com/world/2007/apr/24/usa.comment) that indicate the beginning of a Police State (/Dictatorship).

And your own government has already warned (http://www.infowars.com/print/ps/franks_martial.htm) that all that it will take for the present order (i.e. Democracy) to end, is another major terrorist attack, and you'll have Martial Law in the country.

(And, then, it's goodbye "Constitution", civil rights, elections etc...)

There are people, in intelligence circles, who are fleeing the country, because of what they know that is planned for the Near Future.

And, if you're not willing to either (1) fight this, politically, or (2) flee the country, yourselves...

You should (psychologically, at least) (3) start preparing for the worse...

(http://www.prisonplanet.com/%E2%80%9Cpolice-state%E2%80%9D-episode-of-hit-ventura-show-covering-fema-camps-pulled-from-air.html)

(http://www.youtube.com/watch?v=Klqv9t1zVww)

Fernando_Negro
Offline
Joined: 06/17/2012

"The Truthseeker: US civil war is coming (E22)"

www.youtube.com/watch?v=5wu8fjNr61Q

Jodiendo
Offline
Joined: 01/09/2013

Fernando

If there is another USA Civil War, probably you are the first victim of collateral damage. If that doesn't work out; just for GP, broadcast your name I'm "Fernando_Negro" in an all white neghborhood and wait for the results.

AND THAT IS FREEDOM OF SPEECH!

Fernando_Negro
Offline
Joined: 06/17/2012

A most *important* movie that everyone living in the US will want to see: http://www.youtube.com/watch?v=i8XNbgxntW4

(And, an alternative footage of this same lecture: http://www.youtube.com/watch?v=RjALf12PAWc)

If the links, eventually, die, look for:

"Naomi Wolf - The End of America (2008)"

WootMoon
Offline
Joined: 03/06/2013

For those who have more technical knowledge (and thought the first article lacked details), this guy read the snowden files and has a good idea of what the NSA can and cannot do:

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

He didn't use the words "Free Software", but he could have. The more the code and the math are on the open, the safer you are.

Also, I thought it was particularly interesting how he mentions network devices as weak points, since they are not as widely discussed as the others.

Edit: thinking more about this, it's essential for the Free Software Movement to seize the political moment right now. This can be a very good argument, very easy to explain to the common user.

Fernando_Negro
Offline
Joined: 06/17/2012

The *NSA can tap Android systems(!)* (and also other, non-Linux, mobile devices).

There's an initial report here: http://rt.com/news/nsa-smart-phones-spying-563/

And, I'll probably post some more links about the Android part (that most interests me) once I find some more information about this.

In the meantime, everyone else feel free to add more information about this...

Fernando_Negro
Offline
Joined: 06/17/2012

Correction: Since this is not about "decryption" capabilities (but tapping capabilities), I think it deserves a thread of its own. So, I'll just create one, instead.

trisq

I am a member!

Offline
Joined: 09/03/2013