Slashdot Mirror
NSA Says They Have VPNs In a 'Vulcan Death Grip'
An anonymous reader sends this quote from Ars Technica:
The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.
I plan to block all of them. So yeah, this might be one of my last posts here.
Is her IP address free now?
Have VPNs not improved over the past 4 years? I would think just the efforts to get around the Chinese GFW ought to have mitigated whatever the NSA could do four years ago.
NSA gets...popular culture take on "Damn Yankees".
At some point, we will all just disconnect and call it a day.. Then what will they do?
He was mad because his VPN was compromised.
Why are we always on the defense about this kind of thing? I wish some people with the proper skills to out flank the digital rape happening would flip the script on these turkeys.
It sounds like that child had his mother's gun in a Vulcan Death Grip.
We all know there's no such thing as the Vulcan Death Grip.
to get a "dead" Kirk past the baddies. Now, if they had them in a Vulcan nerve pinch, I'd worry.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
who cares? it's not a darwin award because she had already reproduced, it's not a tragedy because it's her own damn fault.
So if they have the PSK, then they can decrypt your VPN connection?
Yeah, not surprising.
Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.
But, sure, if you plug in your VPN PSK into a router that's then compromised, your PSK is then public knowledge. Hell, in most places it's listed in your Cisco CLI and extractable if you have access to it (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/82076-preshared-key-recover.html).
Isn't this why we have several things, not least SSL VPN with proper keychains, certificate revocation, passphrase-protected keys, etc.?
You can try to scaremonger all you like (this is, what? The fourth of fifth article this month with scaremongering like this about Tor, SSL, etc.?). Fact is nobody has demonstrated, or even pointed to suspicious circumstances that may hint, that the NSA or anyone else are doing anything different to the bad guys out there - finding out that compromising the devices is generally easier than decrypting proper TLS security. And nobody's been seen to actually have a shred of evidence that they can decrypt TLS by any way other than being handed the keys.
All this does is tell me the exact OPPOSITE of what the little guy (and presumably anyone reading this article, shame on you Slashdot) would take home. The NSA aren't able to do anything more than I thought they could. That the encryption is serving it's purpose to the point that it's easier to compromise the routers en-masse than it is to break the encryption.
All this does is say to me "Keep doing what you're doing". Use proper PKE with decent size keys and secure them as much as humanly possible.
All I've thought about these kinds of articles for the past year is "What are you trying to scare me onto?" Truecrypt, SSL, PFS etc. It all points towards a certain set of algorithms which are hailed as the "solution" to all these problems - Elliptic Curve. Strangely, one of the "official" curved was designed in co-operation with these people and they won't provide justification for it, and their track-record in this area is quite well-known. These are the people who paid RSA to weaken their encryption, the people who didn't want us to be able to have large-bit encryption available in any case, and who wanted us to have backdoored chips protecting our devices.
PKE is doing it's job at the moment. I'd hate to think that we all jump-ship to the thing that's ACTUALLY broken, in our haste to secure things against this kind of propaganda.
Breaking into VPN isn't that easy.
This is actually good news. The clearly state that "Ubiquitous Encryption" is a threat to the NSA. They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.
So go out, encrypt everything you can. I'm looking directly at you SlashDot. Fix your 10yrs out of date website for christs sake. You want me to start using "Beta"? Secure it!
Two NSA agents, one keyboard.
Required post follows....
"We must stop pedophiles and similar criminals from terrorizing our children. THINK OF THE CHILDREN."
"We must stop terrorism and similar criminals from...."
"We must stop...."
The rest of this post was stopped by the NSA-FBI-CIA spyware secretly installed on this computer. YOU HAVE BEEN WARNED!!!
Well, technically the definition is someone who, by their stupidity, removes themselves from the gene pool. Unless she has a twin sister, her genes are history.
Nominees significantly improve the gene pool by eliminating themselves from the human race in an obviously stupid way. They are self-selected examples of the dangers inherent in a lack of common sense, and all human races, cultures, and socioeconomic groups are eligible to compete. Actual winners must meet the following criteria:
Reproduction Out of the gene pool: dead or sterile.
Excellence Astounding misapplication of judgment.
Self-Selection Cause one's own demise.
Maturity Capable of sound judgment.
Veracity The event must be true.
Nowhere does is say that they can't already have kids. Putting a loaded gun where your kid can get it is incredibly dumb, and this dummy won't continue to pass their genes along. Natural selection means that eventually, as gun-totin' mamas produce fewer offspring before dying, they will be out-competed (natural selection at work).
So, she can take her place among the other people of Walmart
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Intel Management Engine . Direct download document
TOR is free and totally not dominated by government-run endpoints in the US. I mean the stories of LEOs taking down various NGO endpoints to create natural GO chokepoints on the US part of the network is way overblown. TOR is very secure and anonymous!
http://www.schneier.com/blog/a...
Examples of better approaches and some exemplar secure products:
https://www.schneier.com/blog/...
The NSA are evil, and operating outside of any known laws and boundaries besides what they themselves deem appropriate. Which is everything.
If the NSA is a hostile entity to the rights and freedoms of everyone on the planet ... there really is only one option left:
People who work for the NSA are fair game.
I don't want to advocate violence, but I think we have no further choice. If the NSA is going to be hostile to our liberty, then the people who make up the NSA are hostile to our liberty and need to be treated as such.
If the NSA want to be tyrants, than a short rope or a bullet are the recourse we have left.
Because they will never stop. And the idiots who keep making excuses for them are too stupid to understand what this really means.
Fuck the NSA ... and, yes, I'm sure they know who is really posting this. But I don't care.
Unless she has a twin sister, her genes are history.
Her genes are in the kid that shot her, unless the kid gets the death penalty.
"Don't you think you should have to suffer for all the harm you've done and intend to do to the human race?"
--Allegra, "eXistenZ"
Sometimes I worry about Edward.
Sometimes I worry *a lot*.
It's really nice when a tyrannical government agency gets cute and gives its tools of oppression pet names.
You are welcome on my lawn.
Not only off-topic but also factually incorrect. Utah is to Idaho as California is to Oregon or as South Australia is to Northern Territory or even as England is to Scotland.
My computer has a Corbomite device. If I am compromised, everyone please avoid this IP address for the next 20 solar years..
But no cookie :(
It appears that all of Walmart's IP's are in one netblock.
Here is the link to the report:
http://ipinfo.io/AS46312
161.169.64.0/18 Wal-Mart Stores 16,384
I believe that all of their web stuff is on ackamai.
Most Respectfully Yours Mark Allyn Bellingham, Washington
Unless she has a twin sister, her genes are history.
Her genes are in the kid that shot her, unless the kid gets the death penalty.
No, that's not how it works. Her genes would only be in the kid if the kid was a clone. What's in the kid is a unique amalgam composed of the genetic material of two people, and easily shown to be different from the mother's genetic material. Only SOME of her genes are in the kid, but some of those same genes are in others as well.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
... I downloaded the Tor browser and I'm, like going to cnn, disney, xvideos, and then I try going to my Facebook page and WHAM!!!!
I'm in validation mode,
That's much better than the "command mode" ("commode" for short), but I had to prove I am me by sending Facebook my passport and giving them my phone number.
The fucking NSA isn't allowed to blow their cover and stuff.
It little behooves the best of us to comment on the rest of us.
putz's
No more.
If the NSA can do it, maybe you can too!
Do you mean the Black Sabbath singer or the character on the 60s TV sitcom?
Any insufficiently advanced magic is indistinguishable from technology.
You are misrepresenting the slides IMHO, its clear they take control of the routers doing the VPN, Cisco, Juniper and Huawi were mentioned specifically. The rest isn't 'brute force' anything. Its grabbing the keys from vulnerable machines and open comms outside the VPN, so if they have the email explaining from IT on how to set up the VPN to your accounting department, they have your companies financial data.
If that fails they hack the machines at either end. If all else fails they break in to the room and and bug the computers.
"But for those that aren’t successfully cracked, the VPN Exploit Team’s presentation noted, the team works to “turn that frown upside down” by doing more data collection—trying to capture IPSec Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic during VPN handshakes to help build better attacks. In cases where the keys just can’t be recovered, the VPN Exploit Team will “contact our friends for help”— gathering more information on the systems of interest from other data collection sites or doing an end-run by calling on Tailored Access Operations to “create access points” through exploits of one of the endpoints of the VPN connection."
You are pretending they just catch weak passwords and thats garbage.
My content sent over VPNs is original work encrypted to protect it against those not authorized to have a copy. It is thus covered by copyright law. The NSA is circumventing encryption to obtain illegal access to copyright work.
truth be told all countries with the expertise do this espoionage + the rouge hackers so best to invest in cryptology
SSH is great technology because the certificate is self signed and relies on TIME to protect it, even the NSA can't travel back in time and do a man in the middle attack on the first SSH link and every subsequent SSH session between those computers, to swap that cert.
Likewise the documents said NSA was intercepting 10 million TLS (HTTPS) a day. By now, three years later that will be 100 million or a billion. The problem is the certificate authorities are US companies and all backdoored by the NSA. SSH doesn't have this problem, the certificate is self signed, we don't trust the certificate authority to verify the source of the certificate as us and not the NSA.
Also my port 22 SSH is blocked, and I live in one of those Asian repressive regimes, so I take it as a sign that SSH is considered secure by said repressive regime because they block it.
Sounds like a fun place to work. They have all the toys.
We should switch to using Cardassian Codes - the NSA and their Vulcan advisors won't be able to decrypt that.
Unless she has a twin sister, her genes are history.
Her genes are in the kid that shot her, unless the kid gets the death penalty.
No, that's not how it works. Her genes would only be in the kid if the kid was a clone.
Oh, good lord. Fine. Then by your pointlessly pedantic semantic lawyering, no mammal has ever passed on their genes, and every individual's genes are culled from the gene pool.
You can't split hairs by trying to disingenuously pretend the "passing on genes" synecdoche is understood differently than it is. People understand that children aren't clones, and they still call it passing on their genes.
even if the Romulans or the NSA thinks there is.
BTW I never saw the reference video... is it still out there?
NSA resistant VPNs are easy, just XOR a few times with a HUGE random key you exchanged MANUALLY at both ends.
i.e. a one-time-pad.
Its not necessary to have a computationally difficult algorithm when we can move very large random keys (by large I mean terrabytes of random not kilobytes of key) carried easily by trusted employee. The nature of the key means it is not reused and not subject to pattern analysis.
We need to add extra layers like this to all comms now that we find the kit we've been using has been backdoored.
NSA already has the capability to decrypt anything commercially available put in front of them. CALEA just gives other agencies access to similar information, but through more transparent channels (SNMP provisioning of traffic mirroring in ISP backbone routers). NSA is actually NOT the brain trust of our government when it comes to IT/Network security. The most talented group of technologists actually work for USAF Central Command. My opinion, of course. If I were sitting on a tank of gasoline hung over a bonfire, and the only way I escaped was if a security expert broke the payload of some piece of data transiting the globe, I would want a guy from USAF CentCom working on the challenge. Not saying NSA analysts aren't capable, but I'd trust those guys over an outsourced NSA contractor any day of the week.
After reading so many comments I fail to find a single comment that talks / asks about ways to defeat NSA's snooping, so I am asking ...
Can someone please share with us what we should / can do to defeat (if not a total blockage, at least slow down) NSA's snooping on us, whether on VPN, or off
Anyone ?
I am pretty sure that MS, Cisco and Checkpoint will have mandatory backdoors for their VPN services, and that it wont help to your security not using private certificates.
They act far more like Cardassians, they should use the planet that fits their role best.
Vulcan's only pull that crap in that lousy Enterprise series.
Democracy Now! - uncensored, anti-establishment news
A. If you choose your device and provider wisely you can avoid sheep-alism
B. Take a closer look at your pwd and cert
C. Never use your everyday OS
D. You can always check if your connection is monitored or insecure
s6d
They really call it VULCANDEATHGRIP? As I recall (and Memory Alpha confirms) the "Vulcan death grip" does not exist, it was merely a ruse used to fool the Romulans. Given the code name I surmise that the ability to crack VPNs doesn't exist, the NSA just wants us to believe that it does.
Next they'll be telling us that if they go "by the book, hours will seem like days". We see through your clever wordplay, NSA!
P.S. Deal me in for the Tuesday night fizzbin game. I want a piece of that action!
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
... because that is about all I use my vpn for since Netflix is blocked over here. Occasionally I put my normal other traffic through the vpn but not for any particular privacy reason, unless I'm doing internet banking on wifi. Exciting espionage stuff not!
Normally I wouldn't be so pedantic, but this whole notion has caused a lot of harm. Too many people still see their offspring as "continuing the line" or "passing on the genes" and try to mold their kids into mini me's of themselves. They get angry when their kids act differently than they "expect", rather than being fascinated with how their kids are unique people, and grow into their own unique place in the world.
Too many people put too much value in the fiction of "passing on their genes" as actually having any real meaning. We are more than our genes. But please think of this - if people weren't so hung up on "genetic lineage", nobody would see adopted children as being any different from "their own" children, causing a lot less hassles for those who adopt.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I suppose you guys will shred me for this, but I took on this topic in my SCI-FI story, "The Observer Effect" where a scientist attempts to prove the existence of god through a kind of "cat in the box" experiment using a large cluster spun up on AWS. You can imagine that it doesn't end well. http://insidehpc.com/2013/11/o... For my day job, I write tech news at insideHPC. Forgive me for sharing my hobby here, but I think it has something to say about this topic. -Rich
"MY GOD, ITS FULL OF GOATSE!"
Snowden's leaks revealed how Cisco routers set to be exported were intercepted and physically compromised. I wouldn't say that the information reveleaed about the NSA's techniques is mundane in the least.
Needlessly? How else should I debunk his baseless claim that I was "rude and insulting" when Jane/Lonny Eachus was actually just projecting his own obscene insults onto me? And if you have a better approach in mind, why not just suggest that better approach rather than repeatedly suggest that I kill myself?
Once again, Rujiel accuses me of being a paid oil shill. But once again, why would the oil industry pay me to debunk the same baseless accusations they're helping to spread? I've been debunking misinformation about climate from Jane/Lonny Eachus and many others for 5 years now. Again, why would the oil industry pay me to do that?
Really? Among other things, I've contributed open source software to estimate mass changes on the surface of the Earth using GRACE satellite data. Here's my dissertation which explains the methods. Does that count for anything, or should I kill myself?
I really don't understand why people like Jane/Lonny Eachus and Rujiel are filled with so much hatred. However, sociology research suggests that people are less likely to hurl abuse at other people after seeing their faces. So here I am at JPL's open house explaining that our CO2 emissions are melting ice sheets. And here's a clip from the Weather Channel where I explained (at 19m36s and 26m34s) how NASA measures these ice sheets from space.
Rujiel, now that you've seen my face, do you still hate me so much that you still think I should kill myself? Or would you like to retract those odious statements?
I think you mean Idaho is to Utah as California is to Oregon.
We are spending billions to employ script-kiddies.
No new skills, no new factorization techniques; just a vast store of traffic for replay and a cache of fumbled keys.
Weakness.
But they still don't understand why kids love Cinnamon Toast Crunch.
A poster wondered if anyone else has the Intelligence gathering budget that the US does. I wonder if NSA is the new NASA, in that it provides jobs for geeks the way the space program did. And by geeks I mean those gifted individuals who would be bored trying to help K-Tar-Mart better ship and sell diapers and bottled water. Give them a mission (save the world from terror, get to the moon) and make them feel special. Keep them busy so they don't just hack apart your world.
"There is no god but allah" - well, they got it half right.
And your response now to my calling you out for posting spam... is to spam a different topic with unrelated garbage? Are you even sentient? Or are you just so scared of being called out that you hope if you try to harass me, I'll go away?
You didn't call me out for posting spam. You repeatedly told me to kill myself. There's a difference. Once again:
Needlessly? How else should I debunk his baseless claim that I was "rude and insulting" when Jane/Lonny Eachus was actually just projecting his own obscene insults onto me? And if you have a better approach in mind, why not just suggest that better approach rather than repeatedly suggest that I kill myself?
Once again, Rujiel accuses me of being a paid oil shill. But once again, why would the oil industry pay me to debunk the same baseless accusations they're helping to spread? I've been debunking misinformation about climate from Jane/Lonny Eachus and many others for 5 years now. Again, why would the oil industry pay me to do that?
Really? Among other things, I've contributed open source software to estimate mass changes on the surface of the Earth using GRACE satellite data. Here's my dissertation which explains the methods. Does that count for anything, or should I kill myself?
I really don't understand why people like Jane/Lonny Eachus and Rujiel are filled with so much hatred. However, sociology research suggests that people are less likely to hurl abuse at other people after seeing their faces. So here I am at JPL's open house explaining that our CO2 emissions are melting ice sheets. And here's a clip from the Weather Channel where I explained (at 19m36s
No Utah is south of Idaho as California is south of Oregon. At least it is on every map I've ever seen.
The Vulcan death grip was a feint, invented by Spock to get out of a crisis situation. If the NSA is truly using the "vulcan death grip" analogy correctly, that means they don't have shit.