Posted on 08/01/2013 12:42:21 PM PDT by LibWhacker
National Security Agency's XKeyscore system can collect just about everything that happens online, even things encrypted by VPNs, according to Edward Snowden.
The National Security Agency has a system that allows it to collect pretty much everything a user does on the Internet, according to a report published by The Guardian on Wednesday, apparently even when those activities are done under the presumed protection of a virtual private network (VPN).
The Guardian's information comes from whistleblower Edward Snowden, the former NSA contractor now seeking asylum in Russia from U.S. authorities for revealing classified documents about the NSA's intelligence-gathering capabilities to the media. The news organization's report suggests that Snowden's claim that he could wiretap anyone from his desk, dismissed by U.S. lawmakers as false, was essentially accurate.
Described in a 2008 presentation, the system, called XKeyscore, can reportedly track email addresses, logins, phone numbers, IP addresses and online activities — files, email contents, Facebook chats, for example — and can cross-reference this information with other metadata.
Even after weeks of revelations about the scope and breadth of NSA data gathering, news that XKeyscore can penetrate VPNs comes as a something of a shock.
"This is huge: XKeyscore slides also suggest NSA regularly decrypts encrypted VPN traffic," said security researcher Ashkan Soltani via Twitter.
Responding to Soltani, CDT senior staff technologist Joseph Lorenzo Hall expressed skepticism that the NSA can break all VPN encryption. But Soltani contends the NSA at least has the capability to crack weak cipher implementations on Windows machines common in the Middle East, such as PPTP and MS-Chap. He points to a 2012 post from security researcher Moxie Marlinspike that states, "PPTP traffic should be considered unencrypted."
Whether or not the NSA is able to crack more robust implementations remains to be seen. Given the resources available to the NSA, the issue may be how much the NSA wants to break a given code rather than its ability to do so. After all, in cases where codes cannot be broken, people can be. As Danish developer Poul-Henning Kamp argues in ACM Queue, politics trumps cryptography.
The White House, trying to contain discontent with its surveillance programs, chose Wednesday to release formerly classified documents about the NSA's domestic phone surveillance program as a Senate Judiciary Committee meeting convened to address the oversight of Foreign Intelligence Surveillance Act programs.
The documents, published by the Office of the Director of National Intelligence, detail the collection of telephone metadata under Section 215 of the Patriot Act.
Senate Judiciary Committee chair Sen. Patrick J. Leahy (D-Vt.) said in a statement that if the government's collection of phone records is not effective, the program should be discontinued. He suggested that NSA chief Gen. Keith Alexander's prior claim that Section 215 surveillance programs have led to the disruption of 54 terrorist plots is not supported by the classified documentation he was provided.
A 2008 presentation states, "Over 300 terrorists [have been] captured using intelligence generated from XKeyscore."
Gen. Alexander contended with skeptical hecklers Wednesday at the Black Hat USA 2013 security conference in Las Vegas, where he defended NSA surveillance as necessary for national security.
In prepared remarks presented during the Judiciary Committee meeting, Stewart A. Baker, a partner in the Washington office of Steptoe & Johnson, LLP, and former assistant secretary for policy at the Department of Homeland Security, dismissed worries about civil liberties concerns.
"[I]t appears that law enforcement has been gaining access to our call metadata for as long as billing records have existed — nearly a century," he said. "If this were the road to Orwell's 1984, surely we'd be there by now, and without any help from NSA's 300 searches."
Baker advocates protecting privacy by, paradoxically, embracing big data and subjecting government employees to more effective surveillance.
"We need systems that audit for data misuse, that flag questionable searches, and that require employees to explain why they are seeking unusual data access," he said. "That's far more likely to provide effective protection against misuse of private data than trying to keep cheap data out of government hands. ... A proper system for auditing access to restricted data would not just improve privacy enforcement, it likely would have flagged both Bradley Manning and Edward Snowden for their unusual network browsing habits."
Jameel Jaffer, deputy legal director of the American Civil Liberties Union Foundation, offered testimony in the opposite direction. He called for Congress to amend the Foreign Intelligence Surveillance Act "to prohibit suspicionless, 'dragnet' monitoring or tracking of Americans' communications," to require more disclosure about Foreign Intelligence Surveillance Court opinions, and to ensure that government surveillance activities are subject to reasonable judicial scrutiny.
Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the Guide To Network Vulnerability report from Dark Reading, we examine the products and practices that will get you there. (Free registration required.)
Duh. I have been telling folks that for a while that security is a joke. If you use the cloud you are giving it away for free and they don’t even have to work for it.
1984 was only 30 years late, but it’s here now under comrade Chairman Obama.
If NSA can penetrate VPN’s, so can hackers.
Impeachment File on Benghazi Coward “B. Hussein Obama,” formerly known as Barry Soetoro, currently a Legal Citizen of the Sovereign Nation of Indonesia.
Impeachment File on Benghazi Coward “B. Hussein Obama,” formerly known as Barry Soetoro, currently a Legal Citizen of the Sovereign Nation of Indonesia.
Remember, the NSA is run by government employees. Mostly, lazy, sorry assed, pathetic boot lickers. Mark my word, they WILL get hacked.
Then we will see who gets the last laugh.
It seems like privacy is an obsolete concept in this country, that’s for sure! The once robust constitutional constraints on government are thread-bare nowadays, not worth the paper they’re written on.
Ping.
Less obsolete than selectively applied. The entire argument for legalizing abortion is based on a right to privacy found nowhere in the Constitution.
To my mind, the Ninth Amendment has always seemed to specifically refer to a right to privacy, first and foremost, but only a right to privacy in one’s personal and business affairs that are otherwise legal, certainly not in the murdering of people. No one can claim that their right to privacy (if it’s ever affirmed) means the government has no business snooping into murders that one may be committing. That was a complete, disgusting, deliberate perversion of its intent (like most things the Left touches). imo
Penetrating all but the weakest VPNs would require them to crack the VPN standard encryption plus any additional encryption that the client and service share. I call BS.
Triple DES just runs the data through the encryption 3 times, but it wouldn't surprise me in the least bit if the NSA were able to break the encryption relatively easily.
Mark
Double DES has been shown to be defeated by a plaintext “Meet-in-the-Middle” attack so triple DES is used for stronger encryption.
And the government went to an Advance Encryption Standard (AES) about a decade or so back. They adopted Rijndael block ciper, which has up to possible 256 bit keys.
I wonder if they can read what you put through Fax machines.
Yup. :-)
What the heck.
“Penetrating all but the weakest VPNs would require them to crack the VPN standard encryption plus any additional encryption that the client and service share. I call BS.”
They can crack ANY encryption that you have in real-time.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.