# NSA can decrypt VPNs?



## stim (Jul 31, 2013)

Hi,

Amongst today's revelations about NSA's data collection activities is the suggestion that VPNs can be decrypted at will.
See slide #17

Not being an expert in this stuff, can anyone explain how this could be possible?

If it was do-able in 2008, how far have they advanced since then?

Cheeeers.


----------



## concerto49 (Jul 31, 2013)

Well anything can be brute forced provided you have enough money. When you have data centers and supercomputers for mass processing it does wonders.


Encryption is just so no one can in a reasonable time for reasonable cost.


----------



## D. Strout (Jul 31, 2013)

concerto49 said:


> Encryption is just so no one can in a reasonable time for reasonable cost.


...But of course the NSA isn't reasonable.


----------



## stim (Jul 31, 2013)

concerto49 said:


> Well anything can be brute forced provided you have enough money. When you have data centers and supercomputers for mass processing it does wonders.
> 
> 
> Encryption is just so no one can in a reasonable time for reasonable cost.




The slide suggests that all VPNs in country X can be decrypted and the users identified.

This means that decrypting one VPN is a trivial task.

No?


----------



## wlanboy (Jul 31, 2013)

A lot of users are still using pptp - so I think NSA does not have a lot of money to get access to these "vpn" connections.


----------



## acd (Jul 31, 2013)

Here's a quotation from the referenced slide:



> Show me all the VPN startups in country X, and *give me the data so I can decrypt and discover the users*These events are easily browsable in XKEYSCORENo strong-selector
> [*]XKEYSCORE extracts and stores authoring information for many major document types -- can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days
> [*]No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding


Emphasis mine. Yes, they can decrypt the data, but it still costs processing time and it is probably not realtime. Worried? Use bigger SSL keys for authentication and stronger encryption. I'm sure 2048 bit RSA keys from a private CA and AES256 + SHA256-HMAC is going to be reasonably hard to a. forge and b. decrypt, but of course, this is a government agency with a metric *#&#-load of money; if they try hard enough, it doesn't matter. The point is they don't care about people who aren't persons of interest.


----------



## jarland (Jul 31, 2013)

http://quotes.liberty-tree.ca/quote_blog/Thomas.Jefferson.Quote.EFEC


Relevant.


----------



## KuJoe (Jul 31, 2013)

Best of all, your secret: nothing extant could extract it. 

By 2025 a children’s Speak & Spell could crack it. 

 

You can’t hide secrets from the future with math. 

You can try, but I bet that in the future they laugh 

at the half-assed schemes and algorithms amassed 

to enforce cryptographs in the past.


----------



## Slownode (Jul 31, 2013)

KuJoe said:


> Best of all, your secret: nothing extant could extract it.&nbsp;
> 
> 
> By 2025 a children’s Speak &amp; Spell could crack it.&nbsp;
> ...


If you use non-standard encryption all of a sudden noone can crack you with stock tools until they find out how you're doing it.
Something as simple as interlaced NOTing can throw off brute forcers.


----------



## bfj (Jul 31, 2013)

KuJoe said:


> By 2025 a children’s Speak & Spell could crack it.


But the world ends in December of 2012. What kind of nonsense is this "future" and "2025"


----------



## KuJoe (Jul 31, 2013)

They got alien technology to make the rainbow tables with,

then in an afternoon of glancing at ‘em, secrets don’t resist

the loving coax of the mathematical calculation,

heart of your mystery sent free-fall into palpitations.

Computron will rise up in the dawn, a free agent.

Nobody knows the future now; gonna find out — be patient.


----------



## Damian (Jul 31, 2013)




----------



## wdq (Jul 31, 2013)

I wonder if they have a supercomputer hidden in here, behind all of the hard drives, to decrypt encrypted traffic.


----------



## MannDude (Jul 31, 2013)

wdq said:


> I wonder if they have a supercomputer hidden in here, behind all of the hard drives, to decrypt encrypted traffic.


They sure have a shit-ton of water going to to it (1.7 million gallons per day), when other properties in the area are already struggling due to drought like conditions.

Best case scenario is an earthquake that interrupts the flow of water, no electricity, backup generators don't work as well as intended, everything overheats and melts. 

I read somewhere that the entire facility will only have 200 people working there. That's over 4,000 sq/ft per employee, assuming they all work the same shift (which is unlikely), so that number increases dramatically.


----------



## tonysala87 (Jul 31, 2013)

If you're talking about a vpn for internet access, like privateinternetaccess.com then they don't need to decrypt that because your traffic enters the internet unencrypted from the vpn server.

As for VPN over the internet connecting two private networks, I have no idea if they can decrypt it, but my guess is yes.


----------



## Slownode (Jul 31, 2013)

tonysala87 said:


> If you're talking about a vpn for internet access, like privateinternetaccess.com then they don't need to decrypt that because your traffic enters the internet unencrypted from the vpn server.
> 
> 
> &nbsp;
> ...


Well several major cert authorities are intercepted so HTTPS traffic can be spied upon with triangle spying.


----------



## concerto49 (Jul 31, 2013)

Slownode said:


> Well several major cert authorities are intercepted so HTTPS traffic can be spied upon with triangle spying.


Forget the certs. They HAVE the private key etc to the cert.


----------



## Slownode (Jul 31, 2013)

concerto49 said:


> Forget the certs. They HAVE the private key etc to the cert.


Client specific encryption keys never felt better.


----------



## Enterprisevpssolutions (Aug 1, 2013)

I wonder if people remember where the internet started? I'm sure the Gov has the tech to decrypt what they want. If a programmer can use the nvidia or amd video GPUS to bruteforce something what do you think a supercomputer with millions of processors can do? http://hackaday.com/2012/12/06/25-gpus-brute-force-348-billion-hashes-per-second-to-crack-your-passwords/  the only issue occurs when you are selling a vps service that has many clients using the same vpn then you have more ips and more clients you have to look at and get warrents for but its still possible. Data forensics is some scary stuff and i played with some of that software I would love to play around with a few million processors running in parallel =D


----------



## blergh (Aug 1, 2013)

Let's leave the internet!


----------



## stim (Aug 1, 2013)

Hi and thanks for the responses.

My question was borne out of technical curiosity rather than paranoia. Your pointers have got me reading....

Cheers again...


----------



## RiotSecurity (Aug 1, 2013)

Slownode said:


> If you use non-standard encryption all of a sudden noone can crack you with stock tools until they find out how you're doing it.
> 
> 
> Something as simple as interlaced NOTing can throw off brute forcers.


Incorrect. 

It's quite easy for NSA to decrypt it, no matter what encryption because they have huge computers to process it all.


----------



## Reece-DM (Aug 1, 2013)

RiotSecurity said:


> Incorrect.
> 
> It's quite easy for NSA to decrypt it, no matter what encryption because they have huge computers to process it all.


Its speculation really.

However I have no doubt they can watch what people are doing via VPN's especially if they're US based.

They've got the UK in there top pocket for Europe!


----------



## terafire (Aug 1, 2013)

Soon the NSA is going to have access to all camera-enabled devices.


----------



## Slownode (Aug 1, 2013)

terafire said:


> Soon the NSA is going to have access to all camera-enabled devices.


They already do somewhat; iOS, Andriod(sketchy), Blackberry, Xbox, Playstation, Skype, Flash, WindersLive.


----------



## KuJoe (Aug 1, 2013)

People think I'm crazy for putting tape over my cameras, but when I was in high school I found out just how easy it is to turn on and use somebody else's camera remotely and that was years ago before Google was a real thing. I do like the indicator lights some laptop companies put next to their cameras but tape just works better.


----------



## MannDude (Aug 2, 2013)

KuJoe said:


> People think I'm crazy for putting tape over my cameras, but when I was in high school I found out just how easy it is to turn on and use somebody else's camera remotely and that was years ago before Google was a real thing. I do like the indicator lights some laptop companies put next to their cameras but tape just works better.


Indicator lights can be turned off, or in cases of social engineering the user may be contacted and told that updates to their system are being made and that the flashing light is an indicator of a 'system scan', or 'cleaning of the system' or something. Average laptop consumers aren't that tech-savvy, they'll buy that and not think twice about that flashing light.

Tape over a camera just seems like common sense. It'd make me feel really uncomfortable having a built in cam always facing me, and 95% of the time I'm fully clothed in front of the computer too!

Now, a phone with front/back facing cameras... Need to obscure that.


----------

