Slashdot Mirror

← Back to Stories (view on slashdot.org)

The NSA Uses the Same Chat Protocol As Hackers

Posted by samzenpus on from the I-think-I'm-in-the-wrong-chatroom dept.

rossgneumann writes NSA documents obtained by Edward Snowden and reported on by Der Spiegel on Sunday reveal that the agency communicates internally with Jabber, an open source messaging service used by hackers and activists trying to skirt the NSA's internet surveillance dragnet. A document outlining the NSA's Scarletfever program—a "message driven cryptologic exploitation service" designed as part of the larger Longhaul initiative, a program that collects data and finds ways to break its encryption—contains a curious point buried near the end: "Jabber Chat Room: TBD."

2 of 81 comments (clear)

  1. Do your part by Brain-Fu · · Score: 2, Interesting

    An AC in a previous Snowden story posted this link:

    Grant Snowden Clemency

    You can sign this petition to pressure the government to pardon Snowden, so he can come back to the states a free man.

    Please share this link on your other forums. It is the least you can do for him, after all he has sacrificed for you.

  2. Re:stupidest. revelation. ever. by unrtst · · Score: 4, Interesting

    There's a whole lot of comments here saying this is stupid, obvious, not surprising, etc, and pointing out other clients that have used (and still use) XMPP (jabber).

    The one potentially interesting bit that brought me here... what are they using for encryption?

    I'm assuming they have TLS enabled from client to server, and from server to server. The details for that layer are not very important to me, though I'd still be interested to know.
    The end-to-end encryption used, that's what I'd be most curious to hear about. There's a lot of apps and plugins and such that boast end-to-end encryption, but there is little interoperability AFAICT. There's a fairly wide variety of implementations and specs (and lack thereof). OTR may be the best known one (http://en.wikipedia.org/wiki/Off-the-Record_Messaging). IMO, what it uses seems somewhat dated with respect to all the SSL/TLS issues that came to light this past year. Ex, OTR uses:

    * Diffie-Hellman key exchange with 1536 bit group size. (is this ADH, static DH, DHE, ECDH, ECDHE, etc)
    * AES symmetric key with 128 bit key length (AES 256 is more the norm now, and there are certainly lots of other alternatives)
    * SHA-1 hash function (SHA1 is deprecated in many situations, and SHA256 and other stronger hash functions are readily available)
    * forward secrecy (that's good... but I wonder if it's using similar and well tested methods such as used in current PFS TLS implementations)
    * NO support for multi-user group chat

    I'm betting there's better and/or more updated things out there. Seems OTR could be updated fairly easily (define new protocol version and use different set of stuff in the various places in the protocol), but what is it that others that are extremely paranoid are using?