Speaking today in Hamburg at the 31st Chaos Communication Congress, documentary maker Laura Poitras and Tor team member Jacob Appelbaum (ioerror) confirmed some things we’ve feared, reassured the world on a couple of things that were shaky, and provided one somewhat shocking revelation.
Der Spiegel has over forty internal documents from the Snowden leak that detail how the NSA approaches the following problems:
- Attacks against Crypto
- Attacks on SSL/TLS
- Attacks on VPN
Chaos Communication Congress Revelations
The documents summarize various keyword programs such as LONGHAUL, an end-to-end encryption key recovery system, and GALLANTWAVE, a subsystem of LONGHAUL that live decrypts traffic. SSL/TLS is attacked with a tool called SCARLETFEVER, and results end up in a ‘flying pig database’.
Among VPN protocols, PPTP has long been considered a weak link, and per the talk it seems that IPsec must also be placed in this category. If you’re an IPsec user, you probably need to dig deeper into this; it’s a complex protocol, and it may be just one specific area that has weak mathematics, likely the key exchange process.
There were many bright spots. Tor is considered ‘a nightmare’, particularly when coupled with the TAILS Linux distribution. Off-the-Record (OTR) chat encryption is an equally intractable problem. The big shock for the more technical listeners was the revelation that ssh, the secure shell, a ubiquitous remote administration tool, has some flaw. This is curious, as the most prevalent implementation, OpenSSH, was developed by the OpenBSD team, and they are famously focused on security matters.
During the talk, ACLU’s Christopher Soghoian had sharp words for the NSA regarding the alleged flaws in AES, the Advanced Encryption Standard, and praise for OTR chat and PGP email encryption, which remain safe.
The other clear message, backed by leaked official documents, that Tor is still seen as a ‘nightmare’ for the NSA, touched off another round of the Torgate feud. Pando editor Paul Carr @paulcarr spent most of the talk pointing out parallels between Tor and troubled global ride share company Uber.
We have covered the Pando/Tor conflict and related issues several times previously; see Debunking (Mostly) Torgate, and Tor Network May Face Disabling Attack. The fact that this is continuing, coupled with the nature of Carr’s complaints against the Tor team, would seem to point to the involvement of some of the Internet Hate Machine’s more unpleasant denizens, who may have heeded this call by @YourAnonNews for the personal destruction of Carr and two other Pando employees.
Today’s presentation should put a stop to some of the back and forth between Pando/Tor, and put the privacy community back to where their focus needs to be – the NSA’s surveillance dragnet and the danger it poses to our civil liberties. Today’s talk revealed an equal mix of bright spots and areas that need work, but overall the message to the online privacy community seems to be “You can do this, but you have to focus.”