[Crypto-chi] Good, Bad and the ugly

Freddy freddymartinez9 at gmail.com
Sun Dec 28 17:35:28 CST 2014


Hi everyone,

New detailed documents from Snowden show some of the decryption
capabilities of the NSA. [0]  I wrote some very quick thoughts.

The Good:

Lots of our technologies remain safe from decryption. OTR, Tor, Signal
/ TextSecure, and GPG all seem to give the NSA a hard time.
Specifically with Tor, the NSA is looking at "traffic correlation"
timing. The good news is that this is not novel or new and there is a
lot of research in this area.

The Bad:

A lot of attacks on VPNs. This is not unexpected; VPNs are not going
to keep you safe from a highly skilled adversary. (If you think a
piece of software will, then you're going to have a bad time.) VPNs are
good to prevent dragnet surveillance and passive scanning on networks
(ISP level).

The Ugly (my opinions here):

The NSA seems to be stealing a lot of CA certificates. (BULLRUN /
XKEYSCORE etc).  This is how they select a VPN (Security Kiss).

Fingerprint('encryption/securitykiss/x509') = $pkcs and ( ($tcp and
from_port(443)) or ($udp and (from_port(123) or from_port(5000) or
from_port(5353)) ) ) and (not (ip_subnet('10.0.0.0/8' or
'172.16.0.0/12'  or '192.168.0.0/16' )) ) and 'RSA Generated Server
Certificate'c and  'Dublin1'c and 'GL CA'c;

They seem to be part of larger programs (BULLRUN etc) to break HTTPS
by stealing certs using BLUEBOX and related programs.[1] Page 14
should have an overview.

Disturbingly, the NSA is monitoring the IETF, one of many groups which
set standards and protocols for the Internet as a whole. For example,
the NSA is worried about the adoption of ZRTP, a more secure phone
standard for telephony (used by Signal/RedPhone). This makes the
Internet much less secure for everyone.

Just some thoughts,
Freddy

tl;dr Most of the tools we teach at cryptoparty are safe.


[0]
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
[1] http://www.spiegel.de/media/media-35534.pdf