D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] OT surveillance

 

On 26/06/13 18:42, Martijn Grooten wrote:
> On Wed, Jun 26, 2013 at 5:01 PM, bad apple wrote:
>> 2: SSL is a red herring - the relevant agencies already have all CA keys
>> through escrow or can force disclosure at will.
> Could you expand on this? For I believe that with the CA signing keys,
> which I assume the agencies to have access to, and with the ability to
> route traffic to your servers, which I assume the agencies to be able
> to do, you can make the vast majority of people believe that they are
> connecting to the real service.
>
> But some people will notice. And make a fuss.
>
> Mind you, they don't need to issue fake certificates if they are able
> to force these providers to install backdoors.
>
> Martijn.
>

Certainly: I meant that the powers that be either already have the
relevant (i.e., all of them) CA certificates or can force disclosure of
them at will (through means fair or foul), rather than they could force
any other kind of disclosure although they'll obviously be able to do
that as well. The data capture will be subject to tiering obviously,
considering the veritable flood they'll have to deal with: the vast
majority of it cold, destined for metadata filtering and storage on vast
racks of spinning rust and then archival tape backup. The warm data will
be dumped directly into whatever vast "big data" crunching systems
they're using - presumably something rather more specialised and
therefore efficient than the CouchDB/Mongo/Hadoop/etc stuff we use. The
hot data is stuff that relates to current actively pursued high value
targets and will be treated completely differently, and probably in
realtime, by a completely different set of equipment and analysts - this
is where the scary spy stuff like live MITM, cell intercepts and the
like happen. It's also the realm where even with my paranoia, I would
think it highly likely that only people like espionage agents, Snowden,
Assange, Taliban members and the like would normally end up.

So, the warm layer is where the interesting stuff happens, and is also
where your data will end up if you get on the wrong list somewhere. This
is where they're doing first stage fishing to see if you warrant serious
investigation, so they'll want to go beyond metadata and start looking
deep into actual content - depending on whom you believe, this is also
the point at which they'll probably need to start getting legal approval
(rubber stamped or not). This is the stage that any SSL/TLS encrypted
traffic in your history will simply be isolated to TCP streams, or UDP
for VPNs, etc, the correct private keys from Google, Facebook or
whomever will be applied and they simply decrypt all of it for checking
out. With access to said keys, it should be pointed out that anyone can
do this with wireshark or other more specialised tools.

It's important to realise that this is not live MITM, traffic
redirection, host hijacking or anything else that you hint at (I agree
that live MITM attacks are eventually going to get spotted by someone
and are thus much more dangerous for them, although they most certainly
will also have this capability and use it frequently).

This is simple tapping of the data torrent at peering centres and major
infrastructure points as already detailed, dropping it into their system
(I wish they'd at least come clean and GHCQ would just tell us whatever
cool name they've got for it, like "funcrusher plus" or something, it
would make referring to it a lot easier) and then decrypting it later,
at their leisure. Way too much attention seems to be on the scarier
James Bond-esque live interception and masquerading type attacks which
although they are most definitely happening, will comprise a tiny, tiny
percentage of the activity. Much much more of it is simply record
everything; filter to tiers as appropriate; decrypt stuff later as
required. After all, spy agencies and governments tend to only respond
in realtime to the most serious of threats - even for a Muslim preacher
in South London emailing rural Pakistan every other week he is still
only going to qualify for the warm tier and decryption and analysis
after the event, presumably within 48 hours or so. GCHQ still then have
to deal with the fact they presumably don't have enough fluent Punjabi
or Urdu translators to be handling the amount of data they'll be seeing,
even after the technical challenges of capturing and decrypting the data
in the first place. Lastly, an analyst will then have to look at the
translated plaintext and find out what his boss wants to do about it...

In essence: virtually everything is captured live, sure. But the vast
majority of it is only decrypted and processed afterwards, depending on
*insert unknown GCHQ/NSA policies here*.

Hopefully that makes this clearer - at least my take on it.

Regards


PS> Disclaimer - I most definitely don't work for these guys, so
obviously, this is nothing more than educated musings!



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq