Silk Road forums
Discussion => Security => Topic started by: National Direct on September 06, 2013, 03:07 am
-
CLEARNET Warning (nsa:// warning?)
http://www.theglobeandmail.com/news/world/nsa-has-cracked-most-digital-encryption-reports-say/article14153289/?cmpid=rss1&utm_source=dlvr.it&utm_medium=twitter
Just noticed this article and thought it relevant to share whether or not the information is accurate.
_____________________________________________________________________________________
Full Excerpt:
The National Security Agency, working with the British government, has secretly been unraveling encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data safe from prying eyes, according to published reports Thursday based on internal U.S. government documents.
The NSA has bypassed or altogether cracked much of the digital encryption used by businesses and everyday Web users, according to reports in The New York Times, Britain’s Guardian newspaper and the non-profit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone’s secrets available for government consumption.
In doing so, the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert “back doors” into their software, the reports said. Such a practice would give the government access to users’ digital information before it was encrypted and sent over the Internet.
“For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” according to a 2010 briefing document about the NSA’s accomplishments meant for its UK counterpart, Government Communications Headquarters, or GCHQ. Security experts told the news organizations such a code-breaking practice would ultimately undermine Internet security and leave everyday Web users vulnerable to hackers.
The revelations stem from documents leaked by former NSA contractor Edward Snowden, who sought asylum in Russia this summer. His leaks, first published by the Guardian, revealed a massive effort by the U.S. government to collect and analyze all sorts of digital data that Americans send at home and around the world.
Those revelations prompted a renewed debate in the United States about the proper balance between civil liberties and keeping the country safe from terrorists. President Barack Obama said he welcomed the debate and called it “healthy for our democracy” but meanwhile criticized the leaks; the Justice Department charged Snowden under the federal Espionage Act.
Thursday’s reports described how some of the NSA’s “most intensive efforts” focused on Secure Sockets Layer, a type of encryption widely used on the Web by online retailers and corporate networks to secure their Internet traffic. One document said GCHQ had been trying for years to exploit traffic from popular companies like Google, Yahoo, Microsoft and Facebook.
GCHQ, they said, developed “new access opportunities” into Google’s computers by 2012 but said the newly released documents didn’t elaborate on how extensive the project was or what kind of data it could access.
Even though the latest document disclosures suggest the NSA is able to compromise many encryption programs, Snowden himself touted using encryption software when he first surfaced with his media revelations in June.
During a Web chat organized by the Guardian on June 17, Snowden told one questioner that “encryption works.” Snowden said that “properly implemented strong crypto systems” were reliable, but he then alluded to the NSA’s capability to crack tough encryption systems. “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it,” Snowden said.
It was unclear if Snowden drew a distinction between everyday encryption used on the Internet — the kind described in Thursday’s reports — versus more-secure encryption algorithms used to store data on hard drives and often requires more processing power to break or decode. Snowden used an encrypted email account from a now-closed private email company, Lavabit, when he sent out invitations to a mid-July meeting at Moscow’s Sheremetyevo International Airport.
The operator of Lavabit LLC, Ladar Levison, suspended operations of the encrypted mail service in August, citing a pending “fight in the 4th (U.S.) Circuit Court of Appeals.” Levison did not explain the pressures that forced him to shut the firm down but added that “a favourable decision would allow me to resurrect Lavabit as an American company.”
The government asked the news organizations not to publish their stories, saying foreign enemies would switch to new forms of communication and make it harder for the NSA to break. The organizations removed some specific details but still published the story, they said, because of the “value of a public debate regarding government actions that weaken the most powerful tools for protecting the privacy of Americans and others.”
Such tensions between government officials and journalists, while not new, have become more apparent since Snowden’s leaks. Last month, Guardian editor Alan Rusbridger said that British government officials came by his newspaper’s London offices to destroy hard drives containing leaked information. “You’ve had your debate,” one UK official told him. “There’s no need to write any more.”
_____________________________________________________________________________________
-
I have no doubts they inserted backdoors in commercially available software. I only use open source software for SR purposes now. I also don't think the NSA can crack 4096bit key encrypted PGP at this point in time. (Please correct me if I'm wrong)
-
Was wondering when someone would share this info.
How bout they do something useful instead
-
So far, it looks like they've backdoored lots of implementations, but the math appears to be holding.
Bruce Schneier posted two interesting articles on the topic that address it in more detail. He's had access to the actual NSA documents from Glenn Greenwold.
CLEARNET (duh):
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
An interesting read with his practical analysis.
and http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
This one is dead-on, and hopefully we will see increased activity and effort to develop new system
I'd caution against blindly accepting Schneier's advice in the first link as gospel, but he's a bright guy. His Applied Cryptography book taught many of us the basics, but its reference implementations aren't the way to do it any more.
His perspective on using discrete-log systems (DH) over elliptical curve (ECDH) is interesting. He has some valid points. We're damned if we do (discrete-log can't last forever), and damned if we don't (elliptical curve implementations are dependent on some fixed values, and the curves in Suite B were developed by NSA).
-
They sure have backdoors in commercial/closed source software etc. And I don't need no Snowden to tell me this... my tinfoil hat told me. Use open source. And don't panic! All you need is your terrycloth towel.
-
While this is unsettling news and another short-sighted and unambiguously evil move on the NSA's part, let's clarify a few things first. This article is a bit high on sensationalism and low on facts; the original New York Timesand Guardian articles it cites are a bit more clear about what exactly the NSA has accomplished.
To be clear, the NSA has not broken public-key encryption; the algorithms themselves are as safe as they ever were. If they weren't, it would imply significant conflicts with some rather important currently accepted concepts in mathematics and computer science, and have effects far beyond just establishing a surveillance state.
The security exploits, then, are in practically everything else: closed-source protocols and implementations with backdoors (in both hardware and sofware), underhanded means of acquiring encryption keys and other credentials, and basically everything else they can do to bypass and undermine encryption. Maybe that's just a matter of semantics, but it's important to note that they haven't "cracked" encryption itself in the way this article seems to imply. Also, most of this isn't really breaking news, just further confirmation of things we've already been aware of for awhile.
I'd reccomend looking up some of the recent posts by Bruce Scheiner for some more clarification on the issues and what can be done about them. (Edit: whoops, ECC_ROT13 beat me to it!)
-
I would say "bypassed" is a better choice of words than "cracked" or "broken", but the implications are still the same.
Back in the 80s and 90s, I'd laugh at anyone fussing over echelon, which was followed by carnivore, magic lantern, and all the other conspiracies involving the intercept and analysis of ALL phone and internet data. Anyone who was aware of the true extent of foreign signals intelligence monitoring during that time knew that no one was able to capture and store global internet traffic, let alone analyze it all.
By the time 1TB hard drives became affordable and network appliances came with the processing power of supercomputers from back in the day, it became clear that not only were we eventually headed towards NSA/PRISM but that it would come sooner than anyone thought. Combine that with the ubiquity of today's cellphones, aka 24/7 GPS trackers, and it paints a scary picture of what may come 0_0
-
This is why you use only one type of encryption when you absolutely positively can not have the payload compromised: OTP. Maths say it can not be cracked, and even if your 4096-bit public key encryption cant be cracked today doesnt mean it cant be cracked tomorrow - see wired's article about a mathematician, google, and dkim for one example of this being applied in practice.
So to future proof your encryption the only way to go is OTP. When you see someone you know, exchange pads, and you're good to communicate completely securely as long as the integrity of the pad is not compromised
-
Fuck 'em. They should be scared if US!!!
They're too busy committing war crimes to be concerned with my personal usage amounts.
Plausible deniability. Always there for me.
I want to know, who want's to take the Obama regime out of power NOW???
We can''t wait for phony elections with voting machines owned by George Soros and other international "Dr Evil" types.
Take back America now! Don't let these eggheads from academia sell us out! - Let's hang them!
Death tp Obama, Hillaray, Samantha Powers, who said about John the Vietnam Commie Kerry “He must have thought that having got shrapnel in his ass out there bought him some credibility. It didn’t.” - actual quote from Samantha Powers.
Then you have Susan Rice, another hate filled woman of the Obama Four Horsewomen of the Apocalypse.
I really don't think they care about my recent order of speed, LSD, or Heroin. In fact I think they WANT us Drugged!
So I'm not worried.
You can be though.
-
This is why you use only one type of encryption when you absolutely positively can not have the payload compromised: OTP. Maths say it can not be cracked, and even if your 4096-bit public key encryption cant be cracked today doesnt mean it cant be cracked tomorrow - see wired's article about a mathematician, google, and dkim for one example of this being applied in practice.
So to future proof your encryption the only way to go is OTP. When you see someone you know, exchange pads, and you're good to communicate completely securely as long as the integrity of the pad is not compromised
OTP is great in some situations but the real problem with it is that you need to exchange keying material face to face, or over a quantum key exchange system, for it to actually be useful. So if you are a spy being sent to a foreign country, chances are you bring an OTP with you. If you are buying drugs from some anonymous vendor, it is totally useless.
-
While this is unsettling news and another short-sighted and unambiguously evil move on the NSA's part, let's clarify a few things first. This article is a bit high on sensationalism and low on facts; the original New York Timesand Guardian articles it cites are a bit more clear about what exactly the NSA has accomplished.
To be clear, the NSA has not broken public-key encryption; the algorithms themselves are as safe as they ever were. If they weren't, it would imply significant conflicts with some rather important currently accepted concepts in mathematics and computer science, and have effects far beyond just establishing a surveillance state.
The security exploits, then, are in practically everything else: closed-source protocols and implementations with backdoors (in both hardware and sofware), underhanded means of acquiring encryption keys and other credentials, and basically everything else they can do to bypass and undermine encryption. Maybe that's just a matter of semantics, but it's important to note that they haven't "cracked" encryption itself in the way this article seems to imply. Also, most of this isn't really breaking news, just further confirmation of things we've already been aware of for awhile.
I'd reccomend looking up some of the recent posts by Bruce Scheiner for some more clarification on the issues and what can be done about them. (Edit: whoops, ECC_ROT13 beat me to it!)
+1 as I was about to say pretty much the same. Although I have a couple of points to make..
For starters, GCHQ IS trying to bruteforce the weaker encryption keys, so make sure you a) used strong encryption and b) choose a LONG password - the strength of a password increases with the amount of entropy it has, so long is more important that throwing a load of random numbers, but make sure adjacent words are not connected.
Secondly, they're are spending 12 times what they spent of PRISM and STILL haven't actually 'cracked' encryption, all they've done is resort to sneaky and underhand tactics to circumvent encryption, I think this tells us all we need to know about how secure strong encryption is.
Thirdly, the Guardian article explicitly states that "the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL)". This is not to target SR-types, or CP, or hackers, or Anonymous, this is targeting normal everyday people. This weakens some of the basic foundations of the internet. This doesn't harm SR or TOR AFAIK, but does damage the integrity of online commerce and digital banking. It looks like the NSA is actually willing to break the internet in order to spy on ordinary citizens.
Lastly, although the article only mentions commercial products, I personally think it's really important for open-source projects to run audits for how the encryption is implemented, to ensure no NSA shills have been planting backdoors on the sly. I wish I had the programming knowhow to help with that....
-
agree 100% that using otp has one very big implementation challenge that makes it not a practical choice for most. but it has kept communication lines free and open between associates around the world - not spies just friends who live far away and know better than 'OTR' or other drivel.
all of this 'well the government needs crypto too' stuff kinda falls apart if you assume they use otp for things that matter. governments are just the kind of entities that can send a person halfway around the world to deliver a sd card filled with seemingly random data to keep their communications secure.
and for all the knocks on ssl, at least we didn't get seed. i pity south koreans over that.. IE was the only browser you could use with 'secure' sites in s. korea until 2008/9!