NSA Attacks on VPN, SSL, TLS, SSH, Tor - cypherpunks - lists.cpunks.org

newer
GNU Taler: Taxable Anonymous Libre...

NSA Attacks on VPN, SSL, TLS, SSH, Tor

older
List: Why Zenaan's volcanos are bad

John Young

28 Dec 2014 28 Dec '14

11:14 p.m.

Der Spiegel released largest single day number of Snowden docs today, 666 pages, on NSA Attacks on VPN, SSL, TLS, SSH, Tor. http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-t... We offer a RAR of the 44 docs: http://cryptome.org/2014/12/nsa-spiegel-14-1228.rar (197MB)

Reply

Sign in to reply online Use email software

Show replies by date

Ryan Carboni

28 Dec 28 Dec

11:24 p.m.

New subject: [cryptography] NSA Attacks on VPN, SSL, TLS, SSH, Tor

On Sun, Dec 28, 2014 at 3:14 PM, John Young wrote:

Der Spiegel released largest single day number of Snowden docs today, 666 pages, on NSA Attacks on VPN, SSL, TLS, SSH, Tor.

http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-t...

We offer a RAR of the 44 docs:

http://cryptome.org/2014/12/nsa-spiegel-14-1228.rar (197MB)

my browser says it's 188 MB... am I being man in the middled? -Ryan C.

Reply

Sign in to reply online Use email software

Seth

29 Dec 29 Dec

12:51 a.m.

Related Spiegel article (hat tip to cryptoparty.is mailing list): http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet... The money quote: "Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states. Would like to own an IP hard phone with built-in ZRTP support. So far Snom 370s with TLS enabled firmware have been the next best thing. Never even heard of IM system 'CSpace' before, no mention of in the cpunk archives either. Might be standing up a MixMinion node after watching Tom Ritters talk at Defcon 21 'De-Anonymizing Alt.Anonymous.Messages' http://www.youtube.com/watch?v=_Tj6c2Ikq_E

Reply

Sign in to reply online Use email software

Seth

31 Dec 31 Dec

8:26 p.m.

New subject: Cspace and Trilight software

On Sun, 28 Dec 2014 16:51:44 -0800, Seth wrote:

"Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

John Gilmore dug up the Cspace software (see below), and I believe this is the Trilight software/service mentioned in the NSA docs: https://www.trilightzone.org/ Return-Path: Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id sBV5oaCl013715; Tue, 30 Dec 2014 21:50:36 -0800 Message-Id: <201412310550.sBV5oaCl013715[at]new.toad.com> To: cryptography[at]metzdowd.com, gnu[at]toad.com Subject: "Catastrophic" for NSA: Tor+ Trilight Zone + Cspace + ZRTP on Linux Date: Tue, 30 Dec 2014 21:50:36 -0800 From: John Gilmore Nice to hear that there's some software that makes NSA go deaf, dumb and blind. Here is the Snowden release that mentions it (page 20): "Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" http://www.spiegel.de/media/media-35535.pdf I found cspace (http://cspace.aabdalla.com/), which was a bit obscure and hasn't seen any maintenance since 2009 or so. Its dependency ncrypt-0.6.4's source code is at Pypi and ncrypt-0.6.4 is in current Ubuntu distros. But I haven't yet found Trilight Zone. Any clues? And I haven't found a reliable, usable, simple, free software VoIP client for Linux, let alone one that uses ZRTP. Though I admit I gave up on looking about a year ago when I couldn't get anything to actually work. John

Reply

Sign in to reply online Use email software

Jason McVetta

10:36 p.m.

New subject: Cspace and Trilight software

Posted the CSpace source, downloaded from the aabdalla.com site, to Github for easy browsing: http://github.com/jmcvetta/cspace On Wed Dec 31 2014 at 12:39:59 PM Seth wrote:

On Sun, 28 Dec 2014 16:51:44 -0800, Seth wrote:

...
"Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

John Gilmore dug up the Cspace software (see below), and I believe this is the Trilight software/service mentioned in the NSA docs: https://www.trilightzone.org/

Return-Path: Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id sBV5oaCl013715; Tue, 30 Dec 2014 21:50:36 -0800 Message-Id: <201412310550.sBV5oaCl013715[at]new.toad.com> To: cryptography[at]metzdowd.com, gnu[at]toad.com Subject: "Catastrophic" for NSA: Tor+ Trilight Zone + Cspace + ZRTP on Linux Date: Tue, 30 Dec 2014 21:50:36 -0800 From: John Gilmore

Nice to hear that there's some software that makes NSA go deaf, dumb and blind. Here is the Snowden release that mentions it (page 20):

"Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" http://www.spiegel.de/media/media-35535.pdf

I found cspace (http://cspace.aabdalla.com/), which was a bit obscure and hasn't seen any maintenance since 2009 or so. Its dependency ncrypt-0.6.4's source code is at Pypi and ncrypt-0.6.4 is in current Ubuntu distros.

But I haven't yet found Trilight Zone. Any clues?

And I haven't found a reliable, usable, simple, free software VoIP client for Linux, let alone one that uses ZRTP. Though I admit I gave up on looking about a year ago when I couldn't get anything to actually work.

John

Reply

Sign in to reply online Use email software

Александр

1 Jan 1 Jan

6:26 a.m.

New subject: Cspace and Trilight software

Seth I haven't found a reliable, usable, simple, free software VoIP client for Linux This is the best I see. For most of the platforms. https://jitsi.org/Main/Download https://github.com/jitsi/jitsi

From their page:

Encrypted password storage

Password protection with a master password Encrypted Instant Messaging with Off-the-Record Messaging (OTRv4) Chat authentication with the Socialist Millionaire Protocol over *OTR* Call encryption with SRTP and *ZRTP* for XMPP and SIP Call encryption with SRTP and SDES for XMPP and SIP DNSSEC support

TLS support and certificate-based client authentication for SIP and XMPP

Reply

Sign in to reply online Use email software

rysiek

9 Jan 9 Jan

10:41 p.m.

New subject: Cspace and Trilight software

Dnia czwartek, 1 stycznia 2015 08:26:54 Александр pisze:

Seth

I haven't found a reliable, usable, simple, free software VoIP client for Linux

Scratch the "simple" part, and you can try to use RetroShare: http://rys.io/en/129 -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147

Reply

Sign in to reply online Use email software

Cathal Garvey

11 Jan 11 Jan

8 p.m.

New subject: Cspace and Trilight software

https://meet.jit.si AFAIK it's only SSL-secured, but if you set up your own meet server with a good enough TLS (with no fallbacks to bad ciphers), it might make the cut as a useful and well-engineered VoiP system. I doubt SSH is fast enough without the "High Performance" patches that were never mainlined (sadface!), but you could *try* making the meet server listen only on local ports and require participants to SSH into the server: more secure than SSL/TLS, at least! :) On 09/01/15 22:41, rysiek wrote:

Dnia czwartek, 1 stycznia 2015 08:26:54 Александр pisze:

...
Seth

I haven't found a reliable, usable, simple, free software VoIP client for Linux

Scratch the "simple" part, and you can try to use RetroShare: http://rys.io/en/129

Reply

Sign in to reply online Use email software

Jason McVetta

16 Dec 16 Dec

5:44 a.m.

New subject: Cspace and Trilight software

For those who may be curious, I was recently sent some information on the history of CSpace. The info has been included in the README: https://github.com/jmcvetta/cspace#history Please note I have no insight into the accuracy of this history. It was provided unsolicited by a person I've never met. On Wed, Dec 31, 2014 at 12:26 PM, Seth wrote:

On Sun, 28 Dec 2014 16:51:44 -0800, Seth wrote:

...
"Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

John Gilmore dug up the Cspace software (see below), and I believe this is the Trilight software/service mentioned in the NSA docs: https://www.trilightzone.org/

Return-Path: Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id sBV5oaCl013715; Tue, 30 Dec 2014 21:50:36 -0800 Message-Id: <201412310550.sBV5oaCl013715[at]new.toad.com> To: cryptography[at]metzdowd.com, gnu[at]toad.com Subject: "Catastrophic" for NSA: Tor+ Trilight Zone + Cspace + ZRTP on Linux Date: Tue, 30 Dec 2014 21:50:36 -0800 From: John Gilmore

Nice to hear that there's some software that makes NSA go deaf, dumb and blind. Here is the Snowden release that mentions it (page 20):

"Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" http://www.spiegel.de/media/media-35535.pdf

I found cspace (http://cspace.aabdalla.com/), which was a bit obscure and hasn't seen any maintenance since 2009 or so. Its dependency ncrypt-0.6.4's source code is at Pypi and ncrypt-0.6.4 is in current Ubuntu distros.

But I haven't yet found Trilight Zone. Any clues?

And I haven't found a reliable, usable, simple, free software VoIP client for Linux, let alone one that uses ZRTP. Though I admit I gave up on looking about a year ago when I couldn't get anything to actually work.

John

Reply

Sign in to reply online Use email software

Rayzer

3:49 p.m.

New subject: Cspace and Trilight software

Jason McVetta wrote:

And I haven't found a reliable, usable, simple, free software VoIP client for Linux

qtox. Text voip video file transfers. https://wiki.tox.chat/binaries#gnulinux Federated networking (description above my pay grade) As far as Trilight, it's a commercial service. Nice for businesses I guess, but why bother with openvpn when there's bitmask? -- RR "You might want to ask an expert about that - I just fiddled around with mine until it worked..."

Reply

Sign in to reply online Use email software

3200

Age (days ago)

3553

Last active (days ago)

Download

9 comments

8 participants

tags

participants (8)

Cathal Garvey
Jason McVetta
John Young
Rayzer
Ryan Carboni
rysiek
Seth
Александр