Slashdot Mirror


The NSA Uses the Same Chat Protocol As Hackers

rossgneumann writes NSA documents obtained by Edward Snowden and reported on by Der Spiegel on Sunday reveal that the agency communicates internally with Jabber, an open source messaging service used by hackers and activists trying to skirt the NSA's internet surveillance dragnet. A document outlining the NSA's Scarletfever program—a "message driven cryptologic exploitation service" designed as part of the larger Longhaul initiative, a program that collects data and finds ways to break its encryption—contains a curious point buried near the end: "Jabber Chat Room: TBD."

81 comments

  1. OMG Jabber by rednip · · Score: 5, Funny

    Whatsapp is a jabber client as well. I fail to see why this is a surprising connection. Seems more like click bait.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:OMG Jabber by Iconoclysm · · Score: 1

      Agreed, Jabber is the second most popular Enterprise IM and Presence system around.

    2. Re:OMG Jabber by Anonymous Coward · · Score: 0

      Too bad it sucks rocks. Or at least Pidgin does.

    3. Re:OMG Jabber by brunes69 · · Score: 1

      Google Talk / Hangouts are also XMPP based as well, although they have pretty much closed it off to all outside clients.

    4. Re: OMG Jabber by Albanach · · Score: 1

      Yeah, rebellious stuff sold by upstarts like Cisco. Good chance they have done unified communications from Cisco that comes with jabber on the desktops.

    5. Re:OMG Jabber by allo · · Score: 1

      talk yes, hangouts no.

  2. stupidest. revelation. ever. by Anonymous Coward · · Score: 5, Insightful

    i bet those sons of bitches are using imap and ethernet too! just like hackers!

    1. Re:stupidest. revelation. ever. by NoNonAlphaCharsHere · · Score: 4, Funny

      Yup. The difference is the internal NSA's systems are air-gapped so those sons-of-bitches at the GCHQ can't listen in.

    2. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      And slashdot has sinked to new lows in terms of article quality.

    3. Re:stupidest. revelation. ever. by F.Ultra · · Score: 3, Informative

      Didn't stop Snowden though :)

    4. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 2, Funny

      And slashdot has sunk to new lows in terms of article quality.

      And despite that, I bet they still haven't reached their full downward potential.

    5. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      Fuck 'em. I'm rockin' ircd. That protocol comes pre-hacked!

    6. Re:stupidest. revelation. ever. by unrtst · · Score: 4, Interesting

      There's a whole lot of comments here saying this is stupid, obvious, not surprising, etc, and pointing out other clients that have used (and still use) XMPP (jabber).

      The one potentially interesting bit that brought me here... what are they using for encryption?

      I'm assuming they have TLS enabled from client to server, and from server to server. The details for that layer are not very important to me, though I'd still be interested to know.
      The end-to-end encryption used, that's what I'd be most curious to hear about. There's a lot of apps and plugins and such that boast end-to-end encryption, but there is little interoperability AFAICT. There's a fairly wide variety of implementations and specs (and lack thereof). OTR may be the best known one (http://en.wikipedia.org/wiki/Off-the-Record_Messaging). IMO, what it uses seems somewhat dated with respect to all the SSL/TLS issues that came to light this past year. Ex, OTR uses:

      * Diffie-Hellman key exchange with 1536 bit group size. (is this ADH, static DH, DHE, ECDH, ECDHE, etc)
      * AES symmetric key with 128 bit key length (AES 256 is more the norm now, and there are certainly lots of other alternatives)
      * SHA-1 hash function (SHA1 is deprecated in many situations, and SHA256 and other stronger hash functions are readily available)
      * forward secrecy (that's good... but I wonder if it's using similar and well tested methods such as used in current PFS TLS implementations)
      * NO support for multi-user group chat

      I'm betting there's better and/or more updated things out there. Seems OTR could be updated fairly easily (define new protocol version and use different set of stuff in the various places in the protocol), but what is it that others that are extremely paranoid are using?
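
The forward-secrecy question in the post above, worked through as an added example that is not code from the thread or from the OTR project: an ephemeral X25519 exchange with HKDF-SHA256 key derivation, i.e. the newer primitives the poster wonders about in place of OTRv3's DH-1536 / AES-128 / SHA-1. The X25519 ladder is written out in pure Python so the file runs on the standard library alone; the names (`derive_session_keys`, `forward_secrecy_demo`), the info labels fed to HKDF and the two-session demonstration are this example's own assumptions, and authenticating the ephemeral keys (which OTR does with signatures) is left out.

```python
# Added example, not from the Slashdot thread or from the OTR project: an
# ephemeral key exchange with forward secrecy built from primitives newer than
# OTRv3's DH-1536 / AES-128 / SHA-1 (X25519 and HKDF-SHA256). X25519 is written
# out in pure Python (RFC 7748 Montgomery ladder) so the file runs on the
# standard library alone; it is NOT constant-time, so use a vetted library in
# real code. Authenticating the ephemeral keys (OTR signs them) is out of scope.
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31          # u = 9, little-endian


def _clamp(k: int) -> int:
    # RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254.
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 section 5)."""
    k = _clamp(int.from_bytes(scalar, "little"))
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                                 # branchy cswap: demo only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = u * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ephemeral_keypair() -> tuple[bytes, bytes]:
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def derive_session_keys(own_priv: bytes, own_pub: bytes, peer_pub: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys, bound to both public values so that
    either side derives the same pair regardless of who initiated."""
    shared = x25519(own_priv, peer_pub)
    transcript = b"".join(sorted([own_pub, peer_pub]))
    return (hkdf_sha256(shared, b"demo enc key" + transcript),
            hkdf_sha256(shared, b"demo mac key" + transcript))


def forward_secrecy_demo() -> dict:
    """Two sessions between the same parties; returns the properties to check."""
    a_priv, a_pub = ephemeral_keypair()
    b_priv, b_pub = ephemeral_keypair()
    a_keys = derive_session_keys(a_priv, a_pub, b_pub)
    b_keys = derive_session_keys(b_priv, b_pub, a_pub)
    # Forward secrecy comes from throwing the ephemeral private keys away once
    # the session keys exist: nothing kept long-term can recompute `shared`.
    del a_priv, b_priv
    a2_priv, a2_pub = ephemeral_keypair()
    _, b2_pub = ephemeral_keypair()
    a2_keys = derive_session_keys(a2_priv, a2_pub, b2_pub)
    return {"keys_match": a_keys == b_keys, "sessions_differ": a_keys != a2_keys}


if __name__ == "__main__":
    print(forward_secrecy_demo())
```

The design point is the one the post circles around: the long-term identity key never enters the key derivation, so a later compromise of it cannot unwind earlier sessions; only the per-session ephemeral private keys can, and they are discarded as soon as the HKDF outputs exist. Swapping the hash and KDF is exactly the "define a new protocol version and change the pieces" update the poster suggests.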

    7. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      i bet those sons of bitches are using imap and ethernet too! just like hackers!

      Now if we could just use different 1s and 0s for our bits, the NSA won't be able to read our traffic.

    8. Re:stupidest. revelation. ever. by chill · · Score: 2

      OTR is mentioned as one of those things they really can't crack if you dig through the whole Spiegel article.

      --
      Learning HOW to think is more important than learning WHAT to think.
    9. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      And also using social media to manipulate a conversation by discrediting posts critical to their organization. Fur sure.

    10. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      but what is it that others that are extremely paranoid are using?

      The paranoid are using one-time-pads smuggled on microSD cards in the nether regions of donkeys. With 4GB of OTP, you can communicate for a long time, provided you filter out any DoS. OTP is the only proven unbreakable crypto.

      For example, if you want to send daily status messages of no more than 1MB, 4GB OTP will last for 4,000 days or 11 years.

    11. Re: stupidest. revelation. ever. by bill_mcgonigle · · Score: 1

      It may not be end-to-end : one of the ways the sixteen intelligence agencies handle security is through the use of xml-bridges. Payloads are rewritten between networks of different classifications - only data gets across, not even binary documents. XMPP is useful for more than just chat clients. source: chatty dude at a tradeshow booth a few years back (niche market). This is one of the ways corporate actors fail to grok security - they accept the bets of COTS even if it's not good enough. TLA's hire staff to fill those needs.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
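
The "only data gets across" rewriting the post above attributes to XML bridges, as an added example that is not from the thread and is not any real cross-domain guard product: a filter that parses an XMPP message stanza, keeps an allow-listed set of fields, and writes a fresh stanza from scratch. The stanza text, the `jabber:client` namespace handling, the address pattern and the function names are this example's own assumptions.

```python
# Added example, not from the thread and not any real cross-domain guard: a
# "rebuild, never forward" filter for XMPP message stanzas in the spirit of the
# XML bridges the poster describes. The inbound XML is parsed, an allow-listed
# handful of fields is copied out, and a fresh stanza is written from scratch,
# so extensions, attachments and anything binary never cross. Assumptions: one
# stanza per call as a string; xml.etree is used for brevity, and a production
# guard would parse untrusted XML with a hardened parser.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = "jabber:client"
ALLOWED_TYPES = {"chat", "groupchat"}
JID_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+(/[A-Za-z0-9._-]+)?")
MAX_BODY = 4000

# Constructed inbound stanza: a plain text body plus three things the guard must
# drop (an XHTML rendering, an out-of-band URL, and a base64 blob).
SAMPLE_INBOUND = """<message xmlns="jabber:client" from="analyst@low.example"
    to="room@conference.high.example" type="groupchat" id="abc1">
  <body>shift report: nothing to note</body>
  <html xmlns="http://jabber.org/protocol/xhtml-im">
    <body xmlns="http://www.w3.org/1999/xhtml"><b>shift report</b></body>
  </html>
  <x xmlns="jabber:x:oob"><url>http://low.example/report.docx</url></x>
  <data xmlns="urn:example:blob">UEsDBBQAAAAIAA==</data>
</message>"""


class GuardReject(Exception):
    pass


def rebuild_message(stanza_xml: str) -> str:
    """Return a new stanza carrying only to/from/type and the text body."""
    root = ET.fromstring(stanza_xml)
    if root.tag != f"{{{NS}}}message":
        raise GuardReject(f"not a message stanza: {root.tag}")
    mtype = root.get("type", "chat")
    if mtype not in ALLOWED_TYPES:
        raise GuardReject(f"message type not allowed: {mtype}")
    body = root.findtext(f"{{{NS}}}body")
    if not body or not body.strip():
        raise GuardReject("no text body to carry across")
    if not all(ch.isprintable() or ch in "\n\t" for ch in body):
        raise GuardReject("body contains non-printable characters")
    attrs = {}
    for name in ("to", "from"):
        val = root.get(name)
        if val is not None:
            if not JID_RE.fullmatch(val):
                raise GuardReject(f"bad {name} address: {val!r}")
            attrs[name] = val
    attrs["type"] = mtype
    # Serialise by hand so nothing from the inbound tree is reused verbatim.
    attr_text = "".join(f" {k}={quoteattr(v)}" for k, v in attrs.items())
    return f'<message xmlns="{NS}"{attr_text}><body>{escape(body[:MAX_BODY])}</body></message>'


def is_rejected(stanza_xml: str) -> bool:
    """True when the guard refuses to carry the stanza across."""
    try:
        rebuild_message(stanza_xml)
        return False
    except GuardReject:
        return True


def guard_summary(stanza_xml: str) -> dict:
    """Parse a stanza back into plain facts, e.g. for an audit log or a test."""
    root = ET.fromstring(stanza_xml)
    return {"children": [c.tag for c in root],
            "body": root.findtext(f"{{{NS}}}body"),
            "attrs": dict(root.attrib)}


if __name__ == "__main__":
    print(rebuild_message(SAMPLE_INBOUND))
```

The guard's safety comes from construction rather than deletion: instead of trying to enumerate every extension namespace that could smuggle a file across, it only ever emits the three attributes and the body text it understands, and anything with no text body at all is refused outright.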
    12. Re:stupidest. revelation. ever. by unrtst · · Score: 1

      The paranoid are using one-time-pads...

      Thank you for this but:
      a) if they're using that for real time chat, that's not the complete solution. How does it all tie together?
      b) if they're not using it for real time chat, then that doesn't answer the question really.

      Even for simple status updates and such, "OTP on a microSD" is still not a complete answer. If I had my OTP stored anywhere, then it'd also be encrypted. Then there's the matter of how to decrypt the OTP wherever one happens to be. All very solvable, but a detailed doc of all the parts and how they fit together and what tools are used with them etc etc would be nice to see.

      The details are what I was hoping to see. As it is, the article(s) seem pretty useless (though they had that potential).
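
The one-time-pad thread above (the 4 GB / 1 MB-a-day budget in the earlier post, and this reply's point that the pieces only work if pad handling is spelled out), as an added example that is not from either poster: the bookkeeping that keeps a pad one-time, with the pad contents, offsets, class and function names all constructed for this example.

```python
# Added example (not from the thread): one-time-pad bookkeeping. The scheme is
# only unbreakable while every pad byte is used exactly once, so the class
# below tracks consumption, burns pad bytes as they are used, and refuses to
# reuse a region; two_time_pad_leak shows what reuse hands an eavesdropper.
import secrets


class PadExhausted(Exception):
    pass


class PadReuse(Exception):
    pass


class OneTimePad:
    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self.next_offset = 0                    # first unused pad byte

    def remaining(self) -> int:
        return len(self._pad) - self.next_offset

    def _consume(self, offset: int, length: int) -> bytes:
        if offset != self.next_offset:
            raise PadReuse(f"offset {offset} is not the next unused offset {self.next_offset}")
        if length > self.remaining():
            raise PadExhausted(f"need {length} bytes, {self.remaining()} left")
        key = bytes(self._pad[offset:offset + length])
        for i in range(offset, offset + length):
            self._pad[i] = 0                    # burn the key material
        self.next_offset = offset + length
        return key

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        offset = self.next_offset
        key = self._consume(offset, len(plaintext))
        return offset, bytes(p ^ k for p, k in zip(plaintext, key))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        key = self._consume(offset, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def pad_budget_days(pad_bytes: int, max_message_bytes: int) -> int:
    """Days of one message per day a pad supports (the 4 GB / 1 MB case above)."""
    return pad_bytes // max_message_bytes


def two_time_pad_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key bytes equals the XOR of the
    plaintexts: the key cancels out, which is why the bookkeeping matters."""
    c1 = bytes(a ^ k for a, k in zip(m1, key))
    c2 = bytes(a ^ k for a, k in zip(m2, key))
    return bytes(a ^ b for a, b in zip(c1, c2))


def otp_roundtrip_demo() -> dict:
    pad = secrets.token_bytes(64)               # constructed pad; real pads are far larger
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    off, ct = sender.encrypt(b"status: all quiet")
    pt = receiver.decrypt(off, ct)
    try:
        receiver.decrypt(off, ct)               # replay of an already consumed region
        reuse_refused = False
    except PadReuse:
        reuse_refused = True
    return {"roundtrip": pt, "reuse_refused": reuse_refused,
            "remaining": sender.remaining()}


if __name__ == "__main__":
    print(otp_roundtrip_demo())
    print(pad_budget_days(4_000_000_000, 1_000_000), "days")
```

Both ends keep the same pad and the same offset counter, so a message that arrives with an offset already consumed is rejected rather than decrypted; that is the check a real deployment needs on top of the "4 GB lasts 4,000 days" arithmetic, because a single reused segment leaks the XOR of two messages.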

    13. Re:stupidest. revelation. ever. by Vintermann · · Score: 1

      This is damage control. What the docs show, is that OTR encryption is safe. You can use OTR encryption with Jabber, but Jabber isn't encrypted by default.

      What they presumably hope is that people will use Jabber and think they're safe. And Slashdot editors are being the useful idiots as usual.

      --
      xkcd is not in the sudoers file. This incident will be reported.
    14. Re:stupidest. revelation. ever. by Dr_Barnowl · · Score: 1

      It's likely to be something which they can read easily, so not OTR.

      SIGINT dudes are not just keen on encryption. They are keen on reading communications too. To this end they usually advocate systems with key escrow at the very least, because they want to be able to keep tabs on their agents and analysts.

      I saw a brief prepared for the UK National Health Service by GCHQ on data security, it heavily emphasised key escrow, which reveals the bias of the agency that produced it. A crypto brief prepared by doctors would most emphatically not include the capability to forge signatures - no doctor is going to sign up for a system where his word might be brought into doubt.

    15. Re:stupidest. revelation. ever. by houghi · · Score: 1

      Although it might be interesting to know what they use, it would not mean that it would be safe for others to use.
      They only need to be concerned that others can't hack it, and read their messages. I am sure they will be happy to read their own messages.

      --
      Don't fight for your country, if your country does not fight for you.
    16. Re:stupidest. revelation. ever. by ganjadude · · Score: 1

      what next, you gonna tell me they use monitors too????

      --
      have you seen my sig? there are many others like it but none that are the same
    17. Re:stupidest. revelation. ever. by Anonymous Coward · · Score: 0

      GCHQ don't need to listen in. They just have to wait for the NSA to send them all the data so they can listen to all of you lot.

  3. Dumb by Anrego · · Score: 4, Insightful

    Wow, that article said absolutely nothing interesting.

    The gist: jabber is a widely used protocol, there is a widely used way to encrypt it, and the NSA has played around with it.

    Also what is the deal with every website now using this weird scrolling hackery. I find it very unpleasant.

    1. Re:Dumb by Anonymous Coward · · Score: 0

      The summary is (as always) a flaming pile of shit that conflated two ideas: 1) The NSA uses Jabber (whoopdefuckingdoo) and 2) Their scarletfever attack apparatus will be used to crack Jabber communication at a to-be-determined date (as of the document's date, which is at least as old as Snowden fleeing the country).

      The second is slightly more important, at least if you are an American who still thinks the NSA should not be spying on Americans like yourself. Cold Fjord probably can't wait for it to happen fast enough though, since he clearly feels that big government should spend billions of dollars to spy on every American to make sure they are properly participating in the two minutes of hate.

    2. Re:Dumb by Anonymous Coward · · Score: 0

      Cold Fjord probably can't wait for it to happen fast enough though, since he clearly feels that big government should spend billions of dollars to spy on every American to make sure they are properly participating in the two minutes of hate.

      Duh! Who the fuck do you think signs his paycheck?

    3. Re:Dumb by Anonymous Coward · · Score: 0

      Ditto on the scrolling hackery.

    4. Re:Dumb by cold+fjord · · Score: 2

      ...properly participating in the two minutes of hate.

      I'm guessing that the irony eludes you.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  4. As 'Hackers'? by Anonymous Coward · · Score: 1, Insightful

    Is this like nerd, where everyone is calling themselves that?

    Because XMPP (Jabber prior to its adoption as a standard) is/has been used by google, plus about a hundred other chat services, including Kik (albeit a proprietary derivative, seems to be what all the kids are using nowadays).

    So really it's less a story of NSA using the same service as hackers and more "Whoa! NSA uses the same chat protocols as *EVERYONE ELSE DOES*"

    What a non-story.

    1. Re:As 'Hackers'? by Anonymous Coward · · Score: 0

      tech organization uses technology! zomg!

    2. Re:As 'Hackers'? by Ketorin · · Score: 2

      Is this like nerd, where everyone is calling themselves that?

      Someday they will claim "obese shut-in", what is there then left for me? Go out and exercise?

  5. I'll bet that's not all... by Chris+Mattern · · Score: 4, Funny

    They probably use the same email system hackers do!

    1. Re:I'll bet that's not all... by Anonymous Coward · · Score: 0

      They probably use the same email system hackers do!

      Surely the NSA doesn't use Microsoft Exchange Server and Outlook. Surely. ;-)

  6. In other news... by x0ra · · Score: 2, Funny

    NSA employees enjoy the same daily disturbing bodily functions as hackers; they poop...

    1. Re:In other news... by rubycodez · · Score: 2, Informative

      in fascist USA NSA poops on you

    2. Re:In other news... by Anonymous Coward · · Score: 1

      You can't prove you have standing not to be pooped on, says 5 assholes out of 9.

    3. Re:In other news... by Anonymous Coward · · Score: 0

      in fascist USA NSA poops you

      FTFY

  7. Jabber by darkain · · Score: 1

    So does Google Talk and Facebook Messenger and countless other chat systems. Way to go article. Next you'll be telling us that the NSA uses the same operating systems as hackers (OMG LINUXESSES N SHIT)

    1. Re:Jabber by NoNonAlphaCharsHere · · Score: 2, Funny

      Well, it's not like they're gonna use Windows and be pwned by third-graders, is it?

  8. Generally by Anonymous Coward · · Score: 0

    I have used Lync mainly since the big Windows-7 upgrade came through. Jabber clients are available as well. We even do email, phone calls, and face-to-face meetings! It's another organization that needs to communicate internally.

    But when we know we're doing illegal things like spying on my old girlfriend and her new boyfriend (at least 99% of my day-to-day activity) we use invisible paper and quantum telephones and sign into the computer as 'guest' so we can get away with it. God dammit when will people realize they have more important things to do.

  9. Not at all senationalist headline by hymie! · · Score: 1

    I'll bet the NSA uses Linux, too. Isn't that the hacking OS that uses text on a black screen?

    And FTP, that's how the hackers move their files around. I'll bet NSA uses that too.

    1. Re:Not at all senationalist headline by Anonymous Coward · · Score: 0

      And FTP, that's how the hackers move their files around. I'll bet NSA uses that too.

      Um, actually, no they don't. They may be a few years behind in certain areas, but not that behind.

    2. Re:Not at all senationalist headline by Anonymous Coward · · Score: 0

      You started good, but went downhill. Nobody uses FTP any more, they use SSH (scp/rsync). Not just encrypted, but also compressed.

  10. Keyboards also used by hackers & NSA by OrangeTide · · Score: 3, Funny

    Both the NSA and Hackers are using Keyboards to input data into computers.

    Seriously, Jabber/XMPP are well known standards for implementing internet messaging.

    This whole article smells like misinformation to work the media up into a frenzy. I don't see how these revelations can accomplish anything positive.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Keyboards also used by hackers & NSA by Anonymous Coward · · Score: 0

      OMG, I heard they have laptops too. I was at a conference and saw the NSA director boot his up and the screen said ACID BURN, it was so cool.

    2. Re:Keyboards also used by hackers & NSA by phantomfive · · Score: 2

      This whole article smells like misinformation to work the media up into a frenzy. I don't see how these revelations can accomplish anything positive.

      Most people can't distinguish between Jabber and Metadata. Expecting people to come to reasonable conclusions, and be outraged about the proper things when dealing with computer related issues, is asking too much.

      Reporters don't care, they are looking for something sensationalistic to bring in eyeballs. They aren't really journalists, they're eyeball-mongers.

      The important thing is that people realize the NSA is spying on them, and presumably that would outrage them, but somehow it seems to not. I don't know why.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Keyboards also used by hackers & NSA by OrangeTide · · Score: 1

      The important thing is that people realize the NSA is spying on them, and presumably that would outrage them, but somehow it seems to not. I don't know why.

      Obviously the NSA is protecting us for terrorists.

      --
      “Common sense is not so common.” — Voltaire
  11. "NSA using same technologies as hackers!" by Paul+Jakma · · Score: 3, Funny

    “Shocking revelations have come out today that the NSA is using the same kind of computers and Internet technologies as hackers, criminals and even paedophiles! The NSA are known to use PCs and operating systems such as Microsoft Windows - a paedophile's favourite - and even Linux - beloved by hackers. The NSA even has spent money on making Linux more secure, which may help thwart law enforcement from investigating computers used by criminals. Further reports suggest the NSA also regularly use TCP in a variety of ways. TCP is known to be heavily deployed by many criminals worldwide. We contacted the NSA and asked them to comment, but their spokesperson responded only with a sneering "Oh for fucks sake" before hanging up the phone.”

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  12. Uh, yeah. XMPP by Anonymous Coward · · Score: 0

    They're using the same protocol called TCP/IP too, I hear. There should be an investigation immediately.

  13. Slow News Day? by dunkindave · · Score: 1

    NSA uses same protocols on their network as everyone else (including hackers). So is this stunning revelation now what passes here as news? Is this just a slow news day or has Slashdot taken another step down?

  14. I have a reply to this. by Anonymous Coward · · Score: 0

    TBD

  15. Do your part by Brain-Fu · · Score: 2, Interesting

    An AC in a previous Snowden story posted this link:

    Grant Snowden Clemency

    You can sign this petition to pressure the government to pardon Snowden, so he can come back to the states a free man.

    Please share this link on your other forums. It is the least you can do for him, after all he has sacrificed for you.

    1. Re:Do your part by Anonymous Coward · · Score: 0

      It will be as successful as the "legalize marijuana" petition.

    2. Re:Do your part by Anonymous Coward · · Score: 0

      Maybe.. That particular wish seems to have been granted just fine, provided you live in Washington :)

    3. Re:Do your part by unrtst · · Score: 3, Insightful

      It will be as successful as the "legalize marijuana" petition.

      Is that really the example you want to use? Is the answer, "fairly successful"?

      23 states and District of Columbia currently have laws legalizing marijuana in some form.
      4 states have legalized it for recreational use (6 in 2015).
      Many states have eliminated or greatly reduced penalties for small amounts of it.
      Population-wise, and electoral-college-wise, I believe we are well past 50%.

    4. Re:Do your part by Anonymous Coward · · Score: 0

      Even if he came back as a "free man" he'd still be toast. In fact, even outside of the US he'll likely become toast. Any opportunity the US can find he's going to become toast.

      Even if they believed he had no more information to give he'll still become toast because no-one makes a fool of the US. Even if the president declares him a "protected person of interest" or "ambassador of the free people of America" or "Qua'g, ruler supreme of the universe"...he's toast. At this point it's chest thumping and rock throwing and it doesn't even matter who is right or wrong anymore. He's just toast. Too much egg on too many faces.

    5. Re:Do your part by Anonymous Coward · · Score: 0

      So he's toast.

      Did you benefit from what he did?

      If so, you owe him a favor.

      Even if petitioning to grant him clemency won't accomplish much, it is an incremental benefit, and it costs you next-to-nothing.

      Your "he's toast" argument is just rationalization for utter laziness.

    6. Re:Do your part by lister+king+of+smeg · · Score: 1

      It will be as successful as the "legalize marijuana" petition.

      Well it seems to have worked out just fine where I live here in Washington state and in Colorado also.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    7. Re:Do your part by drinkypoo · · Score: 1

      The legalize marijuana petition on change.org had less than nothing to do with any of that, as it was roundly ignored by the administration just as we all knew it would be even though they'd promised to listen to us, because all the important campaign promises were empty, so why not that one? Just like the old boss, the old boss +1, ad infinitum.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Do your part by Triklyn · · Score: 1

      Post hoc ergo propter hoc

    9. Re:Do your part by lister+king+of+smeg · · Score: 2

      Post hoc ergo propter hoc

      No, if it were not for petitions we would not have had the initiative put on the ballot where it succeeded, therefore it is not "Post hoc ergo propter hoc" as you say but simple cause and effect.

      QED bitches -xkcd

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  16. Dawwww! by Greyfox · · Score: 1

    I think we should name the NSA's jabber chatroom for them! I was going to throw "SexyFederalAgents" out there, but it's really not my best work.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  17. Jabber ?? by Anonymous Coward · · Score: 0

    ...oh, the same protocol Cisco uses in their chat solution ?

  18. TBD by Anonymous Coward · · Score: 0

    The masters of the internet have their own slang you know... Like this "T.B.D." in the article, I hear, it means Totally Broken Dumbshit.

    N.S.A. of course still means Nasty Sex Agency which is much better than the G.C.H.Q. because everyone on the inside knows that it means Geriatric Cunt Humping Quiverers.

    Now, get back to work, you lazy internet surfers!

    -The great and magnificent anonymous bastard

  19. This is also not new. by Anonymous Coward · · Score: 1

    I submit the Anonymous Coward's hypothesis:

    Every single Slashdot article has at least one post asking if today is a slow news day.

    Please attempt to disprove.

    1. Re:This is also not new. by Anonymous Coward · · Score: 0

      I submit the Anonymous Coward's hypothesis:

      Every single Slashdot article has at least one post asking if today is a slow news day.

      Please attempt to disprove.

      The vast majority do not have such a post, but if one were to identify a specific article, then someone could go to it and post said comment and claim the identification is incorrect. This is kind of like the uncertainty principle where a property can be true until you try to nail it down then it changes on you. Schrodinger's cat would agree.

    2. Re:This is also not new. by Anonymous Coward · · Score: 0

      But, by your very argument, you cannot provide evidence of your statement that "the vast majority do not have such a post."

      I guess the hypothesis is non-falsifiable.

    3. Re:This is also not new. by Anonymous Coward · · Score: 0

      But, by your very argument, you cannot provide evidence of your statement that "the vast majority do not have such a post."

      I guess the hypothesis is non-falsifiable.

      No, it is easily falsifiable since the claim is for "every single Slashdot article", meaning the articles in the current state, but a person like you will conveniently ignore the timestamps, submit a post-proof post to any named article, then claim a false victory. It would be like a robber telling a room of people he had shot all of them (past tense), then challenged them to prove him wrong, and when a person says "but I haven't been shot", the robber shoots him, and repeats his claim to see if anyone else will say he is wrong. Unfortunately for humanity, stupidity cannot be fixed.

  20. FTFY by CaptainDork · · Score: 0

    sunk

    --
    It little behooves the best of us to comment on the rest of us.
  21. And so you do nothing? by Brain-Fu · · Score: 1

    This petition is hosted by Snowden's legal advisers, who happen to be a political lobby with real economic assets. So, it bears a little more weight than the average Internet petition.

  22. Jabber smear by Anonymous Coward · · Score: 0

    Could this mis-information be designed to scare people away from jabber towards their own protocol? I think we used to call this a 'joe job' in the old days.

  23. They are run by political appointees and friends by dbIII · · Score: 1

    Yes, the math geeks may speak to each other that way but they are run by a bunch of horse judges and cheerleaders that just happen to know the right people (as seen by how a contractor could get hold of so much) so it's probably a safe bet that it's in the clear instead of best practice.
    After the star trek set designer getting called in the only way to go is down. The Chinese or whoever would have just needed some way to pander to a huge ego to get a backdoor into the place.

  24. dem nsa by Anonymous Coward · · Score: 0

    dey be haxx0rz

  25. Stay Tuned... by vomitology · · Score: 1

    ...for the next exciting article, "Cops Use Guns Too!"

    --
    ~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
  26. Excellent Job by Anonymous Coward · · Score: 0

    Now each employee of NSA can be compromised and exploited. :-)

    Do you remember the Joker's first scene in the bank in 'The Dark Night'!

    Chitty Chitty Bang Bang. ;-)

    Da

  27. OS that uses text on a black screen by tepples · · Score: 1

    Isn't [Linux] the hacking OS that uses text on a black screen?

    I'm sorry. You must have Linux confused with Windows Server Core.

  28. Wow. People use Jabber? Yes, people use Jabber. by kriston · · Score: 1

    Wow. People use Jabber? Yes, people use Jabber.

    This is not news, not now, not ever. Jabber and XMPP is a real thing, much more real than IRC. Please move along and report something worthwhile, folks.

    --
    Kriston

  29. Apache Wave by BiggoronSword · · Score: 1

    *nudge* *nudge* http://incubator.apache.org/wa... *wink* *wink*

    --
    interactive hologram, or it didn't happen.
  30. funny thing is it's not just NSA by Anonymous Coward · · Score: 0

    All of the dod and intelligence community use jabber. Every domain, every cocom, every subject has servers/rooms.