Encryption Government Privacy Security United States

NSA Says They Have VPNs In a 'Vulcan Death Grip' 234

An anonymous reader sends this quote from Ars Technica: The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.
This discussion has been archived. No new comments can be posted.

  • NSA gets...popular culture take on "Damn Yankees".
  • to get a "dead" Kirk past the baddies. Now, if they had them in a Vulcan nerve pinch, I'd worry.
  • Sigh. (Score:5, Insightful)

    by ledow ( 319597 ) on Tuesday December 30, 2014 @07:49PM (#48700853) Homepage

    So if they have the PSK, then they can decrypt your VPN connection?

    Yeah, not surprising.

    Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.

    But, sure, if you plug in your VPN PSK into a router that's then compromised, your PSK is then public knowledge. Hell, in most places it's listed in your Cisco CLI and extractable if you have access to it (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/82076-preshared-key-recover.html).

    Isn't this why we have several things, not least SSL VPN with proper keychains, certificate revocation, passphrase-protected keys, etc.?

    You can try to scaremonger all you like (this is, what? The fourth or fifth article this month with scaremongering like this about Tor, SSL, etc.?). Fact is nobody has demonstrated, or even pointed to suspicious circumstances that may hint, that the NSA or anyone else are doing anything different to the bad guys out there - finding out that compromising the devices is generally easier than decrypting proper TLS security. And nobody's been seen to actually have a shred of evidence that they can decrypt TLS by any way other than being handed the keys.

    All this does is tell me the exact OPPOSITE of what the little guy (and presumably anyone reading this article, shame on you Slashdot) would take home. The NSA aren't able to do anything more than I thought they could. That the encryption is serving its purpose to the point that it's easier to compromise the routers en masse than it is to break the encryption.

    All this does is say to me "Keep doing what you're doing". Use proper PKE with decent size keys and secure them as much as humanly possible.

    All I've thought about these kinds of articles for the past year is "What are you trying to scare me onto?" Truecrypt, SSL, PFS etc. It all points towards a certain set of algorithms which are hailed as the "solution" to all these problems - Elliptic Curve. Strangely, one of the "official" curves was designed in co-operation with these people and they won't provide justification for it, and their track-record in this area is quite well-known. These are the people who paid RSA to weaken their encryption, the people who didn't want us to be able to have large-bit encryption available in any case, and who wanted us to have backdoored chips protecting our devices.

    PKE is doing its job at the moment. I'd hate to think that we all jump ship to the thing that's ACTUALLY broken, in our haste to secure things against this kind of propaganda.

    • On the other hand, it's kind of reassuring that all the attacks revealed about the NSA so far are relatively mundane. They haven't found a simple way to factor large numbers, for example.
      • by gweihir ( 88907 )

        An NSA employee once told me "If we could do what people think we can do, the world would look differently". I still find that very convincing and plausible. All that the NSA does is the same as what ordinary IT criminals can do, just scaled up. Regarding the respective groups at the NSA as ordinary IT criminals is in fact a rather accurate model, as in the end, they are just after money and power. All this "fighting XYZ" propaganda is just the usual lies.

        • Regarding the respective groups at the NSA as ordinary IT criminals is in fact a rather accurate model, as in the end, they are just after money and power.

          Do you really believe any member of this particular NSA team is really an anarchist and has the lifegoal of robber-baron?

      • At what Security Classification level would such information be kept? Would some random IT tech have access to that knowledge?
        • That information is probably kept on this computer [cultofmac.com]
        • by dbIII ( 701233 )
          Probably. Truth seems to be far more incompetent than fiction.
          If I was a foreign spy I'd use vectors like that Star Trek set designer they let into the place, or showgirls, or whoever else those egotistical horse judges running the place let inside. Put a modern equivalent of the theremin bug into artwork just like the original theremin bug was put into a carved "Great Seal of the United States" (how's that for nasty style). Pander to their egos and suddenly competence has left the building. Remember t
    • by gweihir ( 88907 )

      I completely agree. Sure, some implementations are flawed, but they can be fixed. All that fear-mongering and fact-distorting just serves to drive people to less secure alternatives. That is by design and I expect that quite a few people posting in this thread here (and in other places) on this subject are actually paid to create a certain atmosphere of fear and uncertainty about tools that are very likely secure or can only be broken by targeted, high-effort attacks.

      As to Elliptic Curve Crypto (ECC): Stay

    • by dbIII ( 701233 )

      Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.

      They don't need to. Compromising Cisco etc plus a pile of Telcos does the job. Ever wondered about those stupid "SSL accelerator" boxes that some places have been fooled into buying? Pretty fucking obvious way in there since people are granting access to their VPNs, bank accounts etc to the admins of those proxy boxes and most likely the vend

  • Breaking into VPN isn't that easy.

    • The months or years of work it's taking to do so, takes only a handful of days for a VPN to change over to an encryption that hasn't been cracked yet.
  • Good news (Score:5, Interesting)

    by Charliemopps ( 1157495 ) on Tuesday December 30, 2014 @07:53PM (#48700881)

    This is actually good news. They clearly state that "Ubiquitous Encryption" is a threat to the NSA. They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

    So go out, encrypt everything you can. I'm looking directly at you SlashDot. Fix your 10yrs out of date website for Christ's sake. You want me to start using "Beta"? Secure it!

    • Re:Good news (Score:5, Insightful)

      by wbr1 ( 2538558 ) on Tuesday December 30, 2014 @08:29PM (#48701125)
      To what end should slashdot secure itself? Are you storing confidential info here? It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

      There would need to be a compelling business/financial reason for any site to do so. Helping others hide their traffic is not all that compelling from a beancounter's point of view.

      • Re:Good news (Score:4, Insightful)

        by Charliemopps ( 1157495 ) on Tuesday December 30, 2014 @10:19PM (#48701647)

        To what end should slashdot secure itself?

        To keep me as a viewer.

        Are you storing confidential info here?

        Yes. Everything I do is confidential until I explicitly declare it's not. This text is displayed publicly for all to see. But how it got here, from where I'm logging in and who I am in real life is none of your business until I say I'm ok with that.

        It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

        But linking them to me is an entirely different thing. Sure, anonymity doesn't gain me a lot currently. But we've no idea what the next US administration is going to look like, do we? And what of my friends in China? I'd like to hear their thoughts on this as well. Oh... they can't even remotely post here... I guess Slashdot doesn't need 1/3rd of the world's audience... oh well.

        There would need to be a compelling business/financial reason for any site to do so. Helping others hide their traffic is not all that compelling from a beancounter's point of view.

        Being a tech site, and the ever increasing consumer demand for secure communications, I think the rather trivial effort it would take to implement HTTPS would forever mar this "Tech" website as being ridiculously out of date. It doesn't really matter if you ever use the intermittent wipers in your car... it makes a new car look pretty stupid not to have them either way.

        • by wbr1 ( 2538558 )
          The cat is gone from that bag. Do you think dive wouldn't just hand over the keys when asked? If you want security, encrypt yourself and keep private messages private. Trusting a 3rd party to any secrets is laughable.
      • It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

        Nobody can browse my posts if I am posting as "anonymous coward" ... except that is not quite true without a secure connection!

      • by dbIII ( 701233 )

        To what end should slashdot secure itself? Are you storing confidential info here?

        Impersonation can be annoying with real world consequences depending on what the impersonator writes.

      • To what end should slashdot secure itself?

        Because without HTTPS, anyone who owns a router between me and their hosting site can see everything I'm reading, every comment I make as AC, every session cookie I pass over the wire, everything. More importantly, there's no good reason whatsoever not to secure it. Encryption is incredibly cheap, so Just Do It.

      • by AmiMoJo ( 196126 ) *

        The NSA/GCHQ can currently see what you are looking at on the site, who you log in as, whose profiles you look at etc. Those things are not public. Presumably they are logged somewhere, but a warrant should be required to view those logs. As it is, the security services just grab everything and file it away in your dossier, and that's wrong.

      • To what end should slashdot secure itself?

        Because all sites should be secure. All the way from your bank to that page you tossed up on some old slackware box where to post pictures of your dog. Just as all email should be sent private key/public key now.

        Think of it like this. If only the important shit is encrypted then that data stream stands out as important on the internet. If all the shit is encrypted then nothing stands out as "decrypt me, I'm important." It's the herd principle.

    • They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

      So.... they can play them like a violin? Or did you mean "voila"?

    • if everything's encrypted... viola.

      Interesting. How do you plan to encrypt a big violin? :)

  • It's really nice when a tyrannical government agency gets cute and gives its tools of oppression pet names.

  • If the NSA can do it, maybe you can too!
  • by seeker_1us ( 1203072 ) on Tuesday December 30, 2014 @10:40PM (#48701777)
    My content sent over VPNs is original work encrypted to protect it against those not authorized to have a copy. It is thus covered by copyright law. The NSA is circumventing encryption to obtain illegal access to copyright work.
    • Your EULA grants the ISP a perpetual transferable right to your data, or else it would be a copyright violation for them to transmit it anywhere. They can then sub-license to whomever in exchange for not being named an accessory for every criminal act that involved a communication that crossed their network.

      • True, but if the transmission is encrypted, wouldn't that be in violation of the DMCA?

        If so the government owes a lot of people a ton of money (even for single offenses) if they are decrypting anything. There is implicit copyright to most everything we say/write (at least there is for anything of consequential complexity or value).

        In fact, per Wikipedia: (The DMCA) It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.

        Encryption is

  • Sounds like a fun place to work. They have all the toys.
  • by rossdee ( 243626 )

    We should switch to using Cardassian Codes - the NSA and their Vulcan advisors won't be able to decrypt that.

  • I am pretty sure that MS, Cisco and Checkpoint will have mandatory backdoors for their VPN services, and that it won't help your security not using private certificates.
  • They really call it VULCANDEATHGRIP? As I recall (and Memory Alpha confirms [memory-alpha.org]) the "Vulcan death grip" does not exist, it was merely a ruse used to fool the Romulans. Given the code name I surmise that the ability to crack VPNs doesn't exist, the NSA just wants us to believe that it does.

    Next they'll be telling us that if they go "by the book, hours will seem like days". We see through your clever wordplay, NSA!

    P.S. Deal me in for the Tuesday night fizzbin game. I want a piece of that action!
