NSA has VPNs in Vulcan death grip—no, really, that’s what they call it

VPN traffic repositories used to find keys, crack encryption of target traffic.

Read the whole story

 

[rodalpho]

It's important to note this doesn't in any way imply that VPN technology is inherently insecure. The NSA has a vast number of 0day exploits. They use them when needed. We already knew that. 0day exploits are valuable, precious commodities. They aren't using them to watch you pirate Game of Thrones on bittorrent over a VPN.

I find xkeyscore much more concerning, because it stores all traffic in the entire internet for a period of time, including data that has not been specifically noted as pertinent to national security. That's the true privacy violation here.

Storage is getting cheaper ever day. Imagine when they store everything, permanently. How many times do you technically break the law every day, in common banal ways? THAT is what we need to focus on-- limiting data retention.

 

[Jim Salter]

Netguru[/url]":3acpysb8]

Scallywag[/url]":3acpysb8]This article is short on details. Is OpenVPN compromised?

I believe OpenVPN uses the aforementioned PPTP (at least the one I sub does ). I could be wrong tho...

Jaw-droppingly wrong. OpenVPN != PPTP. PPTP != OpenVPN.

OpenVPN is an SSL based VPN which can use either TCP or UDP as its underlying transport.

 

[Deleted member 1]

When I was a little kid I was amazed, awed even, by the Death Star in the Star Wars movies. How on earth could people WORK at normal jobs on the Death Star? Didn't they know it's the death star?

Well, seeing that little happy dance screenshot now sort of answers all my lingering questions about that.

Once you are a part of the machinery of... the dark side... your values change. You lose sight of the fact that what you are doing is wrong and instead adopt a moral perspective that aligns with the point of view held by the Dark Overlords.

I am sure it's a lot of fun in a weird way.

 

[Jim Salter]

russlar[/url]":263jbfkn]I feel like now is a good time to point out that there's no such thing as a "Vulcan Death Grip"

Hilariously, the actual term is Vulcan Nerve Pinch.

Which means the NSA could have claimed to have the VNP on the VPN if they weren't a bunch of fake-nerd posers.

 

[bamn]

ScottTFrazer[/url]":2eol6gsf]

Bluefinger[/url]":2eol6gsf]

whoisit[/url]":2eol6gsf]

russlar[/url]":2eol6gsf]I feel like now is a good time to point out that there's no such thing as a "Vulcan Death Grip"

Well, 'Vulcan Death Grip' sounds better on budget forms than 'Violating Your Constitutional Rights Because We Have The Technology And Maybe Terror And Somesuch.'

[Devil's advocate]

This is what the NSA is for though. SIGINT, which will require them to figure a way past encryption systems in order to get at the intelligence they need.

[/Devil's advocate]

Now, if this was used in conjunction with mass-surveillance programs to the point where all your data/info gets hoovered into massive, indexable/searchable databases without due process/warrants/etc, then the complaint of this being a violation of one's rights is valid for various reasons. But faulting an intelligence agency for breaking into ciphers/encryption is like faulting the police for arresting suspects. It is just one aspect of their job and why they exist.

TL;DR: Mass-surveillance bad. But spying is what spy organisations do.

Agree completely.

If we assume perfect actors in all sectors, this is what I would want our intelligence operators to be doing: Efficiently going about their jobs.

The danger comes from the over-broad use of this power, not the power itself.

"It's not key-cracking metadata databases that expose VPN traffic, it's the people who use them" or something like that.

Yes, and I would say that using these tools against data captured in a constitutionally appropriate way would neatly meet their mandate. For example, tapping the Internet connection of a target by using their clever highly-targeted techniques (cables that surreptitiously transmit, replacing components in routers, TEMPEST [leaking EMF, etc.]) and then decrypting using this capability.

Getting in bed with all the top-tier backbone transit providers and gargling down every packet, and then applying these techniques, is obviously a whole other matter.

 

[Venotar]

Scallywag[/url]":1j9qso8b]This article is short on details. Is OpenVPN compromised?

TFA says:

But in 2010, the NSA had already developed tools to attack the most commonly used VPN encryption schemes: Secure Shell (SSH), Internet Protocol Security (IPSec), and Secure Socket Layer (SSL) encryption.

OpenVPN uses SSL. Ergo, "yes"

[Edit: OpenVPN versions 1.0.1 through 1.0.1f are linked against OpenSSL by default; but PolarSSL is an option in later versions (so I stripped the "Open" off from "OpenSSL"). Also, it's possible to add HMAC for authentication, which might complicate matters for the NSA, a bit, although I doubt it]

 

[B'Trey]

McDeath[/url]":295hugew]I'm most definitely against the illegal monitoring of US citizens and private individuals abroad. However, with that being said, I can't help but wonder if it's irresponsible to release information that sheds too much light in exactly what the NSA is and is not capable of. They are, after all, a spy agency-- it seems to me that this greatly hanpers their ability to perform their duties (what foreign government will now trust VPN connections?).

I would prefer to see more about how the NSA inappropriately targets US citizens and other individuals and less about their technical capabilities. It would be fine if the NSA had the abilities to decrypt anything and spy on anyone as long as they keep themselves on a leash and not spy on private citizens or do other unethical things.

Details about inappropriate targeting don't matter. The media will flutter; a few Congressman will bark (some of them, I think, sincerely) but most will do nothing; the President will do nothing; the courts will do nothing. Nothing will change. The only reasonable thing I can do is assume that most of what I send out is collected, and take whatever measures I can to protect what little privacy remains. That means details like this are much more valuable to the concerned citizen than more details about inappropriate targeting. If it's also valuable to the terrorists, there's little I can do about it. This isn't my choice. It's the NSAs choice. They've proven time and time again that they cannot be trusted to respect the Constitution and the rights of the citizens of this country. Thus the only option they leave us is to expose the details of their methods.

 

[dave_ruff]

Well, this is depressing, but hardly surprising. I never assumed my VPN would withstand any real attacks (technical, legal, political, etc.) by the NSA anyway (though I wonder if it matters if I use an overseas server, but then those governments all snoop too). I'll still continue to use it to keep Comcast and their ilk from packet snooping, injecting HTML, and crap like that. Also de rigeur when I'm on the road.

Now, when they finally get around to breaking the underlying crypto like AES (or it gets revealed that they've already broken it)... well, we're all and truly fucked that day.

 

[bamn]

Arms race! Time for a better VPN.

 

[Amos]

Spazzles[/url]":9wv0kfub]

Drakkenmensch[/url]":9wv0kfub]

Spazzles[/url]":9wv0kfub]

Ostracus[/url]":9wv0kfub]

deliciouswindow[/url]":9wv0kfub]Dear Americans,
Please never mention all that constitution, land of the free, statue of liberty, founding father bullshit ever again. You are the new soviet union.

Indeed. Any volunteers to be the next Ukraine?

I volunteer Alberta (I do not live there; I live in the US. If I'm the new Soviet Union, I think this is called "being in character.")

Ironically, Alberta is as close to Texas outside of the united states as you can get. Strong oil production industry, large scale cattle ranching and strong cowboy culture.

I know; I have a friend that lives in Calgary and I've visited a few times. Love the place.

I mostly want it because it's beautiful.

Alberta is beautiful to you? Oh god, nobody let this guy near BC.
Seriously though, Calgary is the only good thing in that province

 

[Superhair]

NSA joblisting:

Are you a geek? Are you a nerd? Are you an asshole?

You may qualify for a position at the NSA!

Edit: I'm sorry for that... NSA only has the concern for the good of American people. Let's not forget the good and honorable American NSA employees with a family. Let's think of the children.

 

[bamn]

pythagoreanmetronome[/url]":3e8kagaq]When I was a little kid I was amazed, awed even, by the Death Star in the Star Wars movies. How on earth could people WORK at normal jobs on the Death Star? Didn't they know it's the death star?

Well, seeing that little happy dance screenshot now sort of answers all my lingering questions about that.

Once you are a part of the machinery of... the dark side... your values change. You lose sight of the fact that what you are doing is wrong and instead adopt a moral perspective that aligns with the point of view held by the Dark Overlords.

I am sure it's a lot of fun in a weird way.

I'll Godwin this bad boy. Sorry Internet. But there's definitely lots of precedence for the phenomenon - Nazi concentration camps. There's plenty to read on the subject, but it's still an endless psychological fascination for me because I feel so certain that I'm impervious, and yet I'm probably not.

 

[irishScott]

deliciouswindow[/url]":1jg6lvop]Dear Americans,
Please never mention all that constitution, land of the free, statue of liberty, founding father bullshit ever again. You are the new soviet union.

Nah, the UK's a lot closer than we are.

 

[chrisjean]

This situation reminds me of the article about the HBO streaming CTO "stepping down" earlier this month. In that article the former CTO, Otto Berkes, was quoted as saying, "I am able to fully pursue my passion building world-class technology teams, products and businesses." In the two years that Otto spend building that new Seattle team, he spent a ton of money on the new office space and building a team. He even planned on doubling the size of the office and staff by the end of this year.

What did HBO get for this massive expenditure and trust? A talented team in a nice office which was lead by poor leadership, causing service failures at critical times (HBO Go failed due to technical issues during both the Game of Thrones and True Detective premiers) and continuously sliding deadlines on their new streaming tech. According to some sources, Berkes was described to have built a "Napoleonic empire" with an internal culture that was "toxic and lacking unity, direction and clarity."

What does this have to do with the NSA? I think we're seeing the same thing.

Berkes' spent a ton of money having fun. He didn't want to move, so HBO built an office in Seattle. The office was built to his specs and was no doubt a nerd paradise. He then got to hire all his old buddies at Microsoft while also pulling in all sorts of other notable names in order to bolster his resume. Not satisfied, he planned to double the size of the office and team even though there appeared to be management issues handling the current team. No matter. Just throw more money at it.

NSA's mission is protecting the communications infrastructure of the USA, detecting and thwarting external attacks, and being available to other intelligence and legal authorities for gathering foreign intelligence. In doing so, they have spent an untold amount of money (estimated at $10.8 billion in 2013), built a vast complex in Utah, built a Star Trek-inspired command center, have engaged in vast warrentless wiretapping (some of which has been used for personal interests), have installed secret taps into much--if not all--of our communications infrastructure, have used their TAO team to intercept and plant bugs in an untold amount of commercial hardware, have spent tax dollars to encourage adoption of poor crypto protocols, have shown in this article that they basically can't help themselves when it comes to trying to break every kind of security that exists, and have done countless other things that make me question if they are more interested in their role in the government or having toys and power. What do we get for all this expense? Questions on whether or not and to how much our constitutional rights are being violated or at a minimum, side-stepped; a crumbling of international and domestic trust in our government, our businesses, and our products; a crumbling sense of national and international network security; and to-date, no evidence that the NSA has helped prevent any kind of physical or virtual attack, identify and prevent any kind of terrorist activity, slow development of extremist organizations, identify and prevent foreign powers from creating situations that threaten global conflict, or anything else beneficial other than documented cases of the NSA providing evidence to other law enforcement agencies in ways that are technically illegal.

As a US citizen, I'd like to get some better management that wants the NSA to focus less on toys and power and more on the primary mission of security because from what they tell the public (basically zilch), they aren't.

 

[anotherMonkey]

Unless the people are willing to get really mad at the NSA intrusions and force the government to stop this behavior, it will continue. Why the NSA ilk are not arrested en mass and charged with treason is a mystery.

 

[Server n00b]

OMG where do they come up with these names? BLEAKINQUIRY? TOYGRIPPE? They may as well have their discussions in the Cone of Silence! <g>

 

[breze]

Honestly a sitting around with a bunch of other nerds trying to come up with clever ways to break into stuff sounds fun as heck. I bet the technical side of the NSA is cool dudes.

We need better laws in this country. Don't hate the players, hate the game.

whoisit[/url]":2c39byk4]

russlar[/url]":2c39byk4]I feel like now is a good time to point out that there's no such thing as a "Vulcan Death Grip"

Well, 'Vulcan Death Grip' sounds better on budget forms than 'Violating Your Constitutional Rights Because We Have The Technology And Maybe Terror And Somesuch.'

Violating yoUr Laws and Constitution, American Noobs?

 

[memphisbob]

I want the NSA to continue hacking everything so we know where the weak points are.

 

[Drakkenmensch]

breze[/url]":31o0831f]Honestly a sitting around with a bunch of other nerds trying to come up with clever ways to break into stuff sounds fun as heck. I bet the technical side of the NSA is cool dudes.

We need better laws in this country. Don't hate the players, hate the game.

Considering the NSA is involved here, I feel this is a rare exception where it's fair to hate the player and the game.

 

[Sobad]

Scallywag[/url]":1zia90lr]This article is short on details. Is OpenVPN compromised?

OpenVPN is owned, PIA with the "Maximum Protection" setting is still secure.

 

[infected]

McDeath[/url]":9p42amr1][...]

. It would be fine if the NSA had the abilities to decrypt anything and spy on anyone as long as they keep themselves on a leash and not spy on private citizens or do other unethical things.

No, it most certainly would not be fine.

 

[Ravant]

deliciouswindow[/url]":yaib59gi]Dear Americans,
Please never mention all that constitution, land of the free, statue of liberty, founding father bullshit ever again. You are the new soviet union.

Not all of us support this bullshit or subscribe blindly to "z0Mg patriotism." In fact, most of us would love to get back to what we used to have. Take a look at our approval ratings for Congress. Less than 20% of the people (high polls are around 14%, lows are starting to breach into single digits) approve of Congress' work on this. And less than half of the people in this country (range of 37%-48%) approve of the President's work on this. The vast majority of us (in the case of Congress, 89% +-5% of the people) find these practices to be abhorrent. Please do not conflate a bunch of corrupt, power/money-grubbing, bought/paid-for political whores to be the rest of us.

Some of us still have a spine, morals and such. But you keep painting with that broad brush of yours, friend.

Edit: 1 downvote. Do we have a politician on Ars?

 

[Sobad]

anotherMonkey[/url]":3irxseob]Unless the people are willing to get really mad at the NSA intrusions and force the government to stop this behavior, it will continue. Why the NSA ilk are not arrested en mass and charged with treason is a mystery.

You should look up the definition of treason some time. They are not attempting to overthrow the government... They ARE the government.

To the very best of my knowledge, there is no recourse to having your constitutional rights impinged upon, until you are charged with something.

 

[emcee_08990]

I have mixed feelings about this story. I can't help thinking to myself, "if these VPN's are 'crackable' then the NSA has, in a strange way, done us all a service by demonstrating this" The disgusting part is they kept this information to themselves instead of informing the citizens at risk.

The US needs *something* like the NSA, with a more noble intent. Codebreaking can actually HELP things get more secure. I wish this story would have provided more detailed information about what was broken and in what ways. The story mentions SSH is a problem... what version? what protocols?

 

[Drakkenmensch]

anotherMonkey[/url]":2hqh8x7w]Unless the people are willing to get really mad at the NSA intrusions and force the government to stop this behavior, it will continue. Why the NSA ilk are not arrested en mass and charged with treason is a mystery.

Some charges of abuse of power wouldn't be wasted here, though.

 

[macemoneta]

emcee_08990[/url]":w1n6wk6j]I wish this story would have provided more detailed information about what was broken and in what ways. The story mentions SSH is a problem... what version? what protocols?

It's very likely to be userid/password login for ssh. Private keys are never 'in motion', so I would expect that RSA keys+passphrase is still secure, unless someone actually gets access to the endpoint systems to steal the private keys.

 

[passivesmoking]

Scallywag[/url]":2bpuv9aq]This article is short on details. Is OpenVPN compromised?

It's probably safe to assume every major VPN is broken. Therefore no debit/credit card transaction, whether via e-commerce or in-store (the tills usually connect to the business' central servers via VPN) can be considered secure any more.

Thanks NSA, you broke the internet.

 

[Incunabulum]

operagost[/url]":2u2u3yhq]The NSA has placed itself in the position of having the entire population of the USA-- not to mention ANYONE who does business with multinational corporations-- as its enemy.

The financial industry has embraced security standards which incorporate technologies such as VPNs to secure cardholder data. The NSA can't be allowed to breach these VPNs and put cardholder data, not to mention other personally identifiable information, at risk. This is a problem both for profit and for ethics. The NSA is a rogue organization, and must be stopped or everyone will suffer.

On the one hand I agree with you, OTOH . . .

The silver lining here is that someone is testing these transaction systems - every vulnerability that the NSA finds (and then we subsequently find out they found out - through leaks) is a vulnerability that, if it can't be patched out, allows us to better risk price the use of these systems.

We need *someone* to test these systems until destruction - if its just criminals vs business then there's a strong incentive to push the dirt under the rug. With government intelligence agencies we can be assured of a string of leaks 9albeit slow leaks) to get this info out.

 

[Quiet Desperation]

russlar[/url]":1mivpp2n]I feel like now is a good time to point out that there's no such thing as a "Vulcan Death Grip"

There was a fake death grip Spock did to make it look like he killed Kirk when they were prisoners of the Romulans.

...

Wow. I just geeked out. Dammit. I thought I was out but it pulled me back in! Augh, now I film geeked! Halp!

 

[Faanchou]

memphisbob[/url]":c14wtp8b]I want the NSA to continue hacking everything so we know where the weak points are.

The problem with that is that while NSA keeps hacking everything they know where the weak points are. We still don't, not in time for it to be of any use.

 

[SuperDave]

Think about it. A large herd of top-tier geeks with an essentially unlimited black budget. Tell me what you'd do.

 

[Incunabulum]

emcee_08990[/url]":smkm6cng]I have mixed feelings about this story. I can't help thinking to myself, "if these VPN's are 'crackable' then the NSA has, in a strange way, done us all a service by demonstrating this" The disgusting part is they kept this information to themselves instead of informing the citizens at risk.

The US needs *something* like the NSA, with a more noble intent. Codebreaking can actually HELP things get more secure. I wish this story would have provided more detailed information about what was broken and in what ways. The story mentions SSH is a problem... what version? what protocols?

The difficulty of getting this 'something' is that a government agency dedicated to cracking these things as its primary role (vice the NSA's role in intell gathering where this is just one tool among many) is that there's too great a risk of either regulatory capture or going to far in the other direction - the agency overhyping minor exploits to gain political capital.

And civilians doing this on an ad-hoc basis - well that's simply illegal outright.

Even contractors hired to penetrate security to evaluate it would find there results hidden from the public as any company using a system they find a vulnerability in will have incentives to hide the embarrassment. Not to mention the money it costs to patch or switch to a better standard.

 

[Quiet Desperation]

SuperDave[/url]":tmgmbxq0]Think about it. A large herd of top-tier geeks with an essentially unlimited black budget. Tell me what you'd do.

Sell the whole lot of you out to the aliens running Area 51 for a starship, Galactic Express Black Card and a map of the best brothels in Known Space.

Hey, you asked.

 

[Deleted member 192806]

SuperDave[/url]":3rvs2vm5]Think about it. A large herd of top-tier geeks with an essentially unlimited black budget. Tell me what you'd do.

Create BSD.

 

[theoilman]

deliciouswindow[/url]":2h4w73w9]Dear Americans,
Please never mention all that constitution, land of the free, statue of liberty, founding father bullshit ever again. You are the new soviet union.

If only it was only America doing this. Alas, any country with an average or better GDP is at it. Even Germany which has been maybe the loudest critic of the snowden leaks is up to the same tricks.

 

[Lith]

So, uh, don't tell the MPAA about this please.

 

[passivesmoking]

anon_coward[/url]":1baaj9yt]

operagost[/url]":1baaj9yt]The NSA has placed itself in the position of having the entire population of the USA-- not to mention ANYONE who does business with multinational corporations-- as its enemy.

The financial industry has embraced security standards which incorporate technologies such as VPNs to secure cardholder data. The NSA can't be allowed to breach these VPNs and put cardholder data, not to mention other personally identifiable information, at risk. This is a problem both for profit and for ethics. The NSA is a rogue organization, and must be stopped or everyone will suffer.

is the NSA going to start using other people's credit cards?

If the NSA can capture that information and then gets hacked or the database leaks then anybody whose card data has been harvested could be at risk. Assuming that an organisation full of spooks like the NSA doesn't employ any criminally-minded people, of course.

 

[carcharoth]

how are people stupid enough to justify actions with "this is what they do!"

this is what they do? so murders murder, why do people care when there is a mass shooting?

 

[knbgnu]

Bluefinger[/url]":b60486a2]

whoisit[/url]":b60486a2]

russlar[/url]":b60486a2]I feel like now is a good time to point out that there's no such thing as a "Vulcan Death Grip"

Well, 'Vulcan Death Grip' sounds better on budget forms than 'Violating Your Constitutional Rights Because We Have The Technology And Maybe Terror And Somesuch.'

[Devil's advocate]

This is what the NSA is for though. SIGINT, which will require them to figure a way past encryption systems in order to get at the intelligence they need.

[/Devil's advocate]

Now, if this was used in conjunction with mass-surveillance programs to the point where all your data/info gets hoovered into massive, indexable/searchable databases without due process/warrants/etc, then the complaint of this being a violation of one's rights is valid for various reasons. But faulting an intelligence agency for breaking into ciphers/encryption is like faulting the police for arresting suspects. It is just one aspect of their job and why they exist.

TL;DR: Mass-surveillance bad. But spying is what spy organisations do.

Then perhaps the logical conclusion is that spy organisations are often if not always bad.

 

[Bluefinger]

carcharoth[/url]":ccq9skow]how are people stupid enough to justify actions with "this is what they do!"

this is what they do? so murders murder, why do people care when there is a mass shooting?

So by this logic, any soldier that has engaged in combat is potentially a murderer?