• úvod
  • témata
  • události
  • tržiště
  • diskuze
  • nástěnka
  • přihlásit
    registrace
    ztracené heslo?
    LITTLEBOYAnonymita na internetu :: TOR - FREENET - FREEPROXY - ...
    OVERDRIVE
    OVERDRIVE --- ---
    Date: Tue, 10 Sep 2013 14:38:01 -0400
    From: John Young <jya@pipeline.com>
    To: cryptography@randombit.net, cyperhpunks@cpunks.org, cryptome@freelists.org
    Subject: [cryptography] ProPublica's Jeff Larson on the NSA Crypto Story and Another View
    X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9

    ProPublica's Jeff Larson on the NSA Crypto Story

    http://source.mozillaopennews.org/en-US/articles/propublicas-jeff-larson-nsa-crypto-story/

    Describes two months of digging through the Snowden documents, using
    search tool Intella, finding code words, looking for references to those,
    scrambling to understand and explain the technology to experts and the
    public, traveling between New York and London, thrill of working with
    NYT, Guardian and others.

    Claims extraordinary security was laid on to protect the material. But
    doesn't say what it was or is.

    Pretty good gritty back story compared to the burnished fronts. Hard to
    tell if it is a front story as well due to admission of withholding materials.

    Nothing said about consulting with USG or HMG.

    Here's a much less polite viewpoint:

    http://ohtarzie.wordpress.com/2013/09/10/fuck-the-guardian-take-your-drip-and-stick-it/
    OVERDRIVE
    OVERDRIVE --- ---
    OVERDRIVE
    OVERDRIVE --- ---
    Me pripadlo tohle hodne uzitecne, neptejete se me proc...
    eugen@leitl.org
    Re: [cryptography] [Cryptography] Opening Discussion: Speculation on "BULLRUN"

    ----- Forwarded message from arxlight <arxlight@arx.li> ----- Date: Fri, 06 Sep 2013 00:46:15 +0200 From: arxlight <arxlight@arx.li> To: cryptography@metzdowd.com Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN" User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

    -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What surprises me is that anyone is surprised. If you believed OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various government agencies (in this specific case the FBI- though one wonders if they were the originating agency) have been looking to introduce weaknesses wholesale into closed AND open source software and OS infrastructures for some time. Over a decade in his example. (See: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2) Those of us old enough might marvel at the fact that going back to the late 1980s a huge dust up was caused by the allegations that Swiss firm "Crypto AG" introduced backdoors into their products at the behest of Western (read: United States and the BND) intelligence agencies, products that, at the time, were in widespread use by foreign governments who, one presumes, could not afford to field their own national cryptology centers to protect their own infrastructure (or were just lazy and seduced by a Swiss flag on the corporate domicile of Crypto AG). For the unwashed on the list, Wikipedia (and Der Spiegel) relate the story of (probably) hapless Crypto AG salesman Hans Buehler's 1992 arrest by the Iranian authorities after those allegations came to light, and the fact that Crypto AG paid a $1m ransom for him (but then later billed him for the $1m--you stay classy, Crypto AG). (See: http://en.wikipedia.org/wiki/Crypto_AG) But fear not. Governments and NGOs around the world will be pleased to know that Crypto AG lives on and continues to provide superior crypto and security solutions to foreign institutions of all kinds, including: "National security councils, national competence centres, e-government authorities, encryption authorities, national banks, ministries of defence, combined/joint commands, cyber commands, air forces, land forces, naval forces, special forces, military intelligence services, defence encryption authorities, ministries of foreign affairs and numerous international organisations, ministries of the interior, presidential guards, critical infrastructure authorities, homeland security authorities, intelligence services, police forces, and cyber forces." (See: http://www.crypto.ch/ - The inclusion of a shot of the Patrouille Suisse is an especially nice touch. I often drive by their offices in Steinhausen and was stunned to realize a few years ago that they are thriving- I can only imagine what the mortgage on that place costs). I expect that today many of us feel quite naive at being shocked by those penetration revelations (sorry, allegations) given that it seems highly probable now that anyone using any sort of Microsoft, Cisco, Google, Facebook, Yahoo, YouTube, Skype, AOL or Apple product has now been elevated to a collection priority that seemed confined to the Irans of the world in the 1990s and early 2000s. Perry wondered after the "unpardonable carelessness" of the NSA in giving 50,000 Snowden's access to a Powerpoint with all the Prism partners. I would argue that the NSA had good cause to think no one would notice or care given how many people who should know MUCH MUCH better still send Crypto AG scads of money. And going back to the days of toad.com hasn't this always been the story? Security is expensive. Most people (and some governments) are cheap. There's something about the present political climate in the United States that really interests me. Mere mention of the word "fascism" in any context other than sarcasm seems to brand one quite instantly as a tin-foil nutjob. Granted, I think the world "fascism" is as overused as the word "communism," but it bears mentioning that the usurpation of corporate entities and industry by the state to its own purposes is one of the classic tenants of fascism. I'm sure the list's readers sense where I'm going with this by now. It is hard to escape noticing that the NSA and its sister and orbital agencies have long since broken the traditional firewall and morphed themselves into domestic surveillance agencies. But the United States is late to the party here. In the world of finance it was long understood that certain state-dominated Russian firms were front-running a number of U.S. economic indicators prior to release. The rumor at the time was that this activity stopped cold after a security audit at the offending U.S. agencies. It's possible that the story was apocryphal, but I sort of doubt it. The economic intelligence apparatus of foreign intelligence services was the place to be if you wanted to find yourself in the good graces of your nation-state. (It's not an accident that Nikolay Patolichev, once the Soviet Union's Foreign Trade Minister, led the pack having been awarded the Order of Lenin twelve times). Of course, drafting otherwise independent-appearing private enterprises to the purposes of the state was popular then (the CIA would routinely interview U.S. businessmen and businesswomen after trips to jurisdictions of interest, and leverage their presence in foreign lands to their own advantage), and appears even more popular now. I won't belabor the point (made long ago and loudly by Kate Martin, only to fall upon decidedly deaf ears) that U.S. Courts generally refuse to examine the legality of collection of inculpatory evidence that is dropped into their lap- but it is important to at least acknowledge. Again, those of us shocked by those revelations (that evidence of domestic crimes "accidentally" collected by intelligence agencies would not necessarily be inadmissible) might feel awfully stupid now that it seems that the NSA expressly retains or passes on evidence of crimes unrelated to foreign intelligence activities or terrorism, and that the DEA (presumably among others) routinely engages what could fairly be called wholesale perjury to conceal the source of such evidence from courts and defense counsel when it is presented in support of criminal prosecutions. Finally returning to the original topic (please forgive the diversion) I think what is the most important element to understand is that what was once opportunistic synergy between national intelligence agencies and law enforcement agencies (here the War on Drugs was clearly the camel's nose) has become Fusion Center level integration- and bilateral information flow. Don't take my word for it, just read some of the Fusion Center testimony to various congressional committees- this is their bread and butter. Whichever asshole it was who first blamed 911 on a lack of cooperation between law enforcement and intelligence did a great deal of damage to the United States, but the trend was already pressing forward. What seems even more daunting is the new path of information from the bottom up. Now that you have local law enforcement humming around in cars collecting position and "metadata" on every license plate within 20m of a cop car prowling around on its beat, federal agencies are just a "Fusion Center query" away from access to... well... nearly everything. Look at this model (local collection at local expense re-purposed to federal exploitation), basic "exception processing," and the impact of the last decade and a half of "crony capitalism" and it is suddenly pretty hard not to credit BULLRUN with far more access than is public even given the latest revelations. Certainly, I don't run the NSA, but it doesn't take much more than a middling operations professional to tell you that exception processing is the key. Attacking this stuff is a question of priorities. Though experiment: What order of difficulty would you assign: Catch it in the clear. Compromising a vendor (including keys and users passwords- which might be reused). Injecting poor RNG (with vendor cooperation). Stealing a master key. Stealing a session key. Stealing a password to master or session key. Dictionary-attacking a password. Brute-forceing a weak password. Compromising an endpoint. Compromising a physical machine. Rubber-hoseing a password. Brute-forceing a strong password. Brute-forceing a weak key. Brute-forceing a strong key. Include in your analysis the cost of bending (or breaking) constitutional protections in the post-911 era (if any). Just look at the leverage an unwieldy, all-encompassing central government has on large US based firms (See e.g. Qwest post-cooperation refusal) and reflect on the bi-lateral Fusion Center model and then try to speculate that BULLRUN is overstated. I don't think you need a major factoring breakthrough to have FANTASTIC success in accessing the vast majority of (for example) SSL "protected" internet traffic. Anyone know what the market penetration of Microsoft IIS is? No, quite the contrary. I'll be amazed to find that the NYT piece isn't UNDERstated. To coin a phrase with reference to large and medium sized Western IT firms: They're all Crypto AG now. - - uni -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iQIcBAEBAgAGBQJSKQm3AAoJEAWtgNHk7T8QJOEQALI381nUcAHtALvqw/ac/k84 Tdn+Zd2+T54stDJPwJvOQXkeIJJKAURyhPgG+oGkXHbzjLnwTp6zpB9+et4pM5n7 PRc8X/9fAF8+X8EzDwQA90wYEZaAaSmnnaXi034faw0kKw0T0EDenDBgJ6J9fHGa DtsQECUlYenj2Evm0cY60Uz52/zJcXryWS5vRS4IU+i4ELCC3CbY6cX3MAT6Y6jc reh1B8Wf1fbmaXYR5Ws+Dd5VE4+9T2VkB2MZQN9T+/NbS9abe+lFVZkqjNx28RT4 OHC9VVqG0rGgn3a7tiLY2StmPSIxyV08LRmoz89CU0smdjb8pZDc+08V29anIH+Q E6xo+pJdc+SF34wHurCBRYqeH4TLowB2Bl/pLQ05FUFCcj6bIGO1lwf5sHaPpsKU 3mAC4HnQwlgd61epbLVbNcltp40nz5Soz/tfyyRM2T2VNdkxcriJUezKQRwu+t6d pCbQow9KEpcrdL3TlaQgcvNH0btU5HRnz7EJSrctL+FfZBKUj4jcRCUgASt6gRBd cnrzFcFAYoSgBBR/wJBxUATpzxMl+xZ74zPKJPdaIiA0XPd1F9ZIUe+mzDL+IxHT b08+gUgME9OMpjwToSkoopYL02AkK/GRirC14C2cXieC8JwjrevIoBQmCLUutNK6 XC4sOGrFZ7Z37sXL+1jT =4NbV -----END PGP SIGNATURE----- _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message -----
    -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
    ENKIE
    ENKIE --- ---
    Ja si btw stejne myslim, ze elektronicka komunikace jako takova je jedna velka past pro vsechny, kteri nemaji obrovske (tj. statni) financni a jine zdroje na zajisteni zabezpeceni neceho tak komplexniho.

    Zpocatku cely ten internet vypada jako svobodny kvuli svoji distribuovanosti a masovosti, ale nakonec ho cely bude kontrolovat ten, kdo dokaze nejlepe a nejdriv organizovane vyuzit jeho bezpecnostni diry. Z nastroje pro vetsi svobodu jednotlivce se tak stane jeste efektivnejsi stroj na automatizovane a masove monitorovani vseho. Bin Ladin pry vyuzival ke komunikaci jen lidske posly a postovni holuby, na tom mozna je neco moudrosti :)
    ENKIE
    ENKIE --- ---
    OVERDRIVE: Jestli ruzne "omyly" presne tohoto typu nesouvisi s timto:

    What Exactly Are the NSA's 'Groundbreaking Cryptanalytic Capabilities'? | Wired Opinion | Wired.com
    http://www.wired.com/...n/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
    OVERDRIVE
    OVERDRIVE --- ---
    weakness of SecureRandom na Andoridu:

    [cryptography] Android SecureRandom poor entropy
    http://lists.randombit.net/pipermail/cryptography/2013-August/005138.html
    OVERDRIVE
    OVERDRIVE --- ---
    MAT: Metadata Anonymisation Toolkit

    Supported formats so far:

    For now, MAT fully supports the following formats:

    Portable Network Graphics (.png)
    JPEG (.jpg, .jpeg, ...)
    Open Documents (.odt, .odx, .ods, ...)
    Office OpenXml (.docx, .pptx, .xlsx, ...)
    Portable Document Fileformat (.pdf)
    Tape ARchives (.tar, .tar.bz2, .tar.gz, ...)
    Zip (.zip)
    MPEG AUdio (.mp3, .mp2, .mp1, ...)
    Ogg Vorbis (.ogg, ...)
    Free Lossless Audio Codec (.flac)
    Torrent (.torrent)


    https://mat.boum.org/


    zda se, ze je to Linux only, Windows obdobu jsem zatim jeste nenasel...
    OVERDRIVE
    OVERDRIVE --- ---
    INF1466: navod nic moc, ono provlem je, ze treba po IPv6 jsou tam leaky.... torrenty nejsou moc vhodne v pripade, ze chces zustat nepoznan...
    Jinak pokud bys shanel nejakou VPNku, za prachy, ale primo spojenou s piratama, tak tahle se mi docela osvedcila, padalo jim to obcas, ale zas to bylo HODNE rychle:

    https://ipredator.se/page/legal
    OVERDRIVE
    OVERDRIVE --- ---
    Dukzy o tom, ze Prizm se pouziva na odposlouchavani i jinych, nez terroristickych aktivit, treba pry na K.Dotcoma

    http://www.itnews.com.au/News/354407,nz-police-affidavits-show-use-of-prism-for-surveillance.aspx
    INF1466
    INF1466 --- ---
    How to Completely Anonymize Your BitTorrent Traffic with a Proxy
    http://lifehacker.com/5863380/how-to-completely-anonymize-your-bittorrent-traffic-with-btguard
    OVERDRIVE
    OVERDRIVE --- ---
    zajimaci:

    DiskCryptor vs Truecrypt comparison | Hacker 10 – Security Hacker
    http://www.hacker10.com/encryption-software-2/diskcryptor-vs-truecrypt-comparison/
    OVERDRIVE
    OVERDRIVE --- ---
    mate aktualni pluginy, pokud pouzivate firefox?

    https://www.mozilla.org/en-US/plugincheck/
    OVERDRIVE
    OVERDRIVE --- ---
    musim rict, ze u tohohle jsem se i/spis zasmal:

    Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot? | Privacy Lover
    http://www.privacylover.com/...nalysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/
    INF1466
    INF1466 --- ---
    Declassified Documents Prove NSA Is Tapping the Internet | Threat Level | Wired.com
    http://www.wired.com/threatlevel/2013/08/nsa-tapping-internet/

    Foreign Intelligence Surveillance Court opinion on unconstitutional surveillance
    https://www.eff.org/sites/default/files/filenode/fisc_opinion_-_unconstitutional_surveillance_0.pdf
    NAVARA
    NAVARA --- ---
    OVERDRIVE: Po hodině jsem to kilnul, to je použitelné leda pro konspirační komunikaci, kde na dnech nezáleží - na běžnou výměnu informací (aby tajné zprávy zanikly v šumu) nikoli.

    OVERDRIVE: Hostingy jsem měnil několikrát, vždy to bylo jen o přípravě a přesměrování domény

    INF1466: První co se v korporaci naučíš, je že rozhodně poštu nikdy nemazat :) to samozřejmě nebrání odlévání bokem a archivace bezpečným způsobem

    OVERDRIVE: Afaik to právo máš... musíš jen vydržet a nenechat se rozkecat před tím, než dorazí. Jinak u podání vysvětlení jsem jako svědek byl a je to zážitek... nic na coby zážitkové agentury pořádaly výlet :)
    ZAPPO
    ZAPPO --- ---
    OVERDRIVE: To jo, ať už na předvolání nebo když si pro tebe přijedou - ale nemusíš vypovídat.
    OVERDRIVE
    OVERDRIVE --- ---
    ZAPPO: ale na vyslech prijit musis, pokud se nepletu
    ZAPPO
    ZAPPO --- ---
    OVERDRIVE: Tam je klicovy ( u nas), že nemusíš vypovídat. Můžeš prostě mlčet.
    OVERDRIVE
    OVERDRIVE --- ---
    mmchodem na tu nejistotu se tady uplne explicitne v cechach hraje. oni vedi, ze vetsina lidi naprosto nema jasno co bude....

    tedy dobra rada ze zkusenosti [dlouhe i na konci]:
    - nebojte se a budte si jisti tim co rikate.
    - nerikejte nic na co se vas neptaji, nepouzivejte slozita souveti ano ne bohate staci, obcas i nevim je dobre
    - neberte si ssebou nikam, kde cekate problemy elektroniku plnou dat
    - cislo na pravnika v penezence NEMUZE uskodit, kdyz vas zavrou, dluhy vam budou v prdeli, kdyz ne, nejak se to zaplati
    - nebavte se s policajty o nicem soukromem [casto, ale hodne casto, jsou to side otazky na to na co se chtej opravdu zeptat, takovej jinej "hodnej polda"]
    - nebudte drzi, neodmitejte pomoc, ale nepomahejte jim

    a vice verza, pokud potrebujete od nich pomoc, tak se chovejte presne opacne, nez je muj manual...
    Kliknutím sem můžete změnit nastavení reklam