Home | Community | Message Board


This site includes paid links. Please support our sponsors.


Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!

North Spore Shop: Cultivation Supplies

Jump to first unread post Pages: < Back | 1 | 2  [ show all ]
Invisibleh0ldthedoor
HODOR
I'm a teapot User Gallery


Registered: 06/25/16
Posts: 510
Loc: North of The Wall
Re: A brief introduction to TAILS, Tor, GNUPG, Bitcoin, and VPN (The short, short version :) [Re: tdubz]
    #23705113 - 10/03/16 09:36 PM (7 years, 3 months ago)

Quote:

tdubz said:
I will have to dig through the NSA programs, but yes I can find the specific program they use in which they have claimed to be able to either decrypt or intercept most VPN data regardless of provider or set up.




Great, the security community would benefit greatly from a public disclosure like you are describing.

Defeating the protection offered by properly configured encryption, within the last four years would be no small feat; especially for the NSA.


--------------------
Always keep your foes confused. If they are never certain who you are or what you want, they cannot know what you are like to do next. Sometimes the best way to baffle them is to make moves that have no purpose, or even seem to work against you.

– Petyr Baelish


Extras: Filter Print Post Top
Invisibletdubz
Male User Gallery


Registered: 02/26/12
Posts: 5,586
Re: A brief introduction to TAILS, Tor, GNUPG, Bitcoin, and VPN (The short, short version :) [Re: h0ldthedoor]
    #23706206 - 10/04/16 09:45 AM (7 years, 3 months ago)

https://www.lawfareblog.com/nsa-and-weak-dh

This may be the only NSA capability suggested to date that is mostly-NOBUS (Nobody But Us).  Today, building such a supercomputer truly is a $100M program (and add another 0 for classified markups and trusted fabs), limiting the ability of others to perform the same attack.  Unfortunately Moore’s law on price/performance remains.  What takes a $100M supercomputer today takes a $10M supercomputer tomorrow and a $1M supercomputer the day after that.

The NSA is directly breaking the the cryptography of VPN architecture, the exchange keys themselves. As computers get faster an cheaper (and the government has more money) they can decipher the exchange keys at a faster rate regardless of the encrypted protocol used.

It's not really about having a properly configured client and server...the NSA is breaking the VPN cipher keys in general and all encryption types for that matter.

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

The cost for adversaries is by no means modest. For commonly used 1024-bit keys, it would take about a year and cost a "few hundred million dollars" to crack just one of the extremely large prime numbers that form the starting point of a Diffie-Hellman negotiation. But it turns out that only a few primes are commonly used, putting the price well within the NSA's $11 billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."

"Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections."

The article you posted has a lot more sources about this I'm not sure what we are arguing about.

VPN as mentioned above can be cracked regardless of configuration. By a nation state actor such as the NSA with an profound budget. 


Edited by tdubz (10/04/16 09:54 AM)


Extras: Filter Print Post Top
Invisibleh0ldthedoor
HODOR
I'm a teapot User Gallery


Registered: 06/25/16
Posts: 510
Loc: North of The Wall
Re: A brief introduction to TAILS, Tor, GNUPG, Bitcoin, and VPN (The short, short version :) [Re: tdubz]
    #23706722 - 10/04/16 12:41 PM (7 years, 3 months ago)

Quote:

tdubz said:
https://www.lawfareblog.com/nsa-and-weak-dh

This may be the only NSA capability suggested to date that is mostly-NOBUS (Nobody But Us).  Today, building such a supercomputer truly is a $100M program (and add another 0 for classified markups and trusted fabs), limiting the ability of others to perform the same attack.  Unfortunately Moore’s law on price/performance remains.  What takes a $100M supercomputer today takes a $10M supercomputer tomorrow and a $1M supercomputer the day after that.

The NSA is directly breaking the the cryptography of VPN architecture, the exchange keys themselves. As computers get faster an cheaper (and the government has more money) they can decipher the exchange keys at a faster rate regardless of the encrypted protocol used.

It's not really about having a properly configured client and server...the NSA is breaking the VPN cipher keys in general and all encryption types for that matter.

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

The cost for adversaries is by no means modest. For commonly used 1024-bit keys, it would take about a year and cost a "few hundred million dollars" to crack just one of the extremely large prime numbers that form the starting point of a Diffie-Hellman negotiation. But it turns out that only a few primes are commonly used, putting the price well within the NSA's $11 billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities."

"Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections."

The article you posted has a lot more sources about this I'm not sure what we are arguing about.

VPN as mentioned above can be cracked regardless of configuration. By a nation state actor such as the NSA with an profound budget. 




Again,

Quote:

h0ldthedoor said:
Quote:

tdubz said:
The NSA can surely crack VPN encryption can the FBI, I don't know again just depends on the severity of crime you are committing. Small drug buys might not warrant the need for the FBI to ask for the NSA's help but other stuff most certainly can. The NSA can hack and see everyone pretty much they are the master hackers after all. Even the masters get fucked once in awhile as was seen by the Snowden leaks and the Shadow brokers leak.




Do you have any proof to corroborate your claims? Assuming you're not referring to broken tech like PPTP with MS-CHAPv2, IPv6 traffic leakage or brain-dead "sysadmins" that lack the knowledge to properly configure a VPN (e.g. - using MD5 or SHA1, self-signed certificates, insecure key files, deprecated protocols.).

To recap; can someone, not just a nation-state actor, exploit a VPN? Yes, provided the target VPN was configured without following best practices.

Is there an fundamental issue with Virtual Private Networks that renders them useless, insecure or ineffective? No.

The fact is, your VPN is only as secure as the practices that were followed during implementation. That said, rather than depending on someone else (like a commercial VPN provider who is only worried about saving money and satisfying the lowest common denominator) to do things right, it is advantageous for a user to learn how to properly configure and implement a VPN and do so.

Best practices are aptly named. Failure to adhere to best practices will result in less-than-desirable results. Unfortunately, most (if not all) commercial VPN providers do not follow best practices for compatibility reasons.




We are not arguing. There is no room for argument in this presentation of facts.

In the lawfareblog.com link above, it is stated that "Much of the vulnerable VPNs involve VPN hardware, not software." This goes back to the earlier point about brain-dead "sysadmins". If you are running hardware from a decade ago, without taking into consideration the repercussions that could arise from keeping legacy equipment in service despite the advancements in technology, you deserve to have your asshole owned by your adversary(ies).

Heck, the UK is still using equipment from 2009 despite it's being proven vulnerable to cryptographic attacks. Using an NSA developed tool, researchers were able to extract keys from the equipment, up to 4096 bits.

With any current VPN technology, IPSEC, SSTP, L2TP, OpenVPN, et al. it is possible (and also extremely reckless and negligent) to configure the product in such a way that renders it utterly insecure. Alternatively, the products can also be configured in such a way as to mitigate all known attacks from the NSA. Again, it all comes down to the competence of the "sysadmin" and whether or not they bothered to follow and keep current with BCP.

Though, in limited cases, a sysadmin can do everything possible to follow BCP; only to be defeated by the NSA through interdiction and modification of hardware. Today, Cisco is using fake addresses to send hardware to clients, in an effort to avoid interdiction by the NSA.

As outlined in the quoted post above, the attacks on PKI released through the NSA leaks require a flawed implementation to be viable. If a "sysadmin" decides to go against best practices and configure their implementation to use weak key files, attacks on the flawed implementation should come as no surprise.

One major method of exploitation is through weak DH primes; which can be avoided entirely by following BCP and/or the use of sound EC cryptographic standards (avoiding back-doored cryptographic standards).

For reference, the following SSL Test was run on a server configured with the goal of following best practices, at the expense of compatibility.



Notice the A+ Grade and lack of any warnings or red flags.

Here are two SSL Tests, both sites tested are extremely popular and are accessed by countless users on a daily basis to handle sensitive information. Due to their popularity, the servers are configured with legacy compatibility in mind. As a consequence of making these sites compatible, you will notice warnings and red flags on both; as a result the security of both sites is degraded when compared against the web server configured with goal of following BCP.





You have yet to present a single shred of evidence that supports the argument that "VPN as mentioned above can be cracked regardless of configuration."; as the likelihood of exploitation depends on whether or not best practices were taken into consideration during PKI implementation (assuming the hardware being configured has not been compromised).

Is the NSA decrypting encrypted communications en masse? Of course, that's their job.

Can the NSA pick and exploit any target? No (assuming the target is up-to-date, current on patches/updates, has not been physically or technologically compromised and was configured following BCP).

To borrow a line,

Quote:

Alan Rockefeller said:
Do you have some kind of amazing secret that you are hiding, or are you just talking out of your ass?




Until objective evidence is presented to support the former, we can only assume the latter.


--------------------
Always keep your foes confused. If they are never certain who you are or what you want, they cannot know what you are like to do next. Sometimes the best way to baffle them is to make moves that have no purpose, or even seem to work against you.

– Petyr Baelish


Extras: Filter Print Post Top
Invisibletdubz
Male User Gallery


Registered: 02/26/12
Posts: 5,586
Re: A brief introduction to TAILS, Tor, GNUPG, Bitcoin, and VPN (The short, short version :) [Re: h0ldthedoor]
    #23708020 - 10/04/16 08:23 PM (7 years, 3 months ago)

First of, there are many articles/research that allude to that possibility (you have said it yourself)....I guess I would stand down and say "I'm speculating" but with the largest budget in cryptology in the entire world I cannot see how it is unreasonable to think that any targeted VPN can be compromised regardless of hardware or server configuration. Maybe only in a completely perfect setting, but that is not the case on the internet. You are essentially proving myself right I understand what you are saying but there are too many factors to consider to believe that a VPN configuration would be "completely optimal" especially with any large amount of traffic. 


Extras: Filter Print Post Top
Invisibleh0ldthedoor
HODOR
I'm a teapot User Gallery


Registered: 06/25/16
Posts: 510
Loc: North of The Wall
Re: A brief introduction to TAILS, Tor, GNUPG, Bitcoin, and VPN (The short, short version :) [Re: tdubz] * 1
    #23708969 - 10/05/16 05:58 AM (7 years, 3 months ago)

Quote:

tdubz said:
You are essentially proving myself right I understand what you are saying but there are too many factors to consider to believe that a VPN configuration would be "completely optimal" especially with any large amount of traffic. 




The only thing being proved here, is that you are talking out of your ass.


--------------------
Always keep your foes confused. If they are never certain who you are or what you want, they cannot know what you are like to do next. Sometimes the best way to baffle them is to make moves that have no purpose, or even seem to work against you.

– Petyr Baelish


Extras: Filter Print Post Top
Jump to top Pages: < Back | 1 | 2  [ show all ]

North Spore Shop: Cultivation Supplies


Similar ThreadsPosterViewsRepliesLast post
* choosing vpn: buy anonymously with bitcoin or just with my cc? use with tor and general browsing Anonymous 450 12 01/07/15 07:46 PM
by Stonehenge
* SILK ROAD CAN BE TRACED EASY AS FUCK ( PUBLIC DOCUMENTS ON BITCOIN) *DELETED*
( 1 2 all )
Tsukasa 983 23 11/14/12 05:12 AM
by Alan Rockefeller
* TOR Security Advisory - "relay early" traffic confirmation attack unmasks hidden services
( 1 2 all )
Alan RockefellerM 767 29 03/28/15 05:35 PM
by filamentous
* Using TOR correctly Anonymous 531 17 10/07/12 07:46 PM
by Observatory
* How safe is Tor ???
( 1 2 all )
desant 853 20 07/10/14 07:31 PM
by Alan Rockefeller
* tor and vpn Anonymous 273 6 03/26/15 01:01 PM
by filamentous
* TOR and the silk road
( 1 2 3 all )
otaku on shrooms 1,981 40 10/07/12 06:00 PM
by unknown1123
* TOR for long time members? An appeal to admins and mods Abraxis0 501 19 06/26/13 04:15 PM
by Anonymous

Extra information
You cannot start new topics / You cannot reply to topics
HTML is disabled / BBCode is enabled
Moderator: Enlil, Alan Rockefeller
1,718 topic views. 0 members, 1 guests and 0 web crawlers are browsing this forum.
[ Show Images Only | Sort by Score | Print Topic ]
Search this thread:

Copyright 1997-2024 Mind Media. Some rights reserved.

Generated in 0.022 seconds spending 0.004 seconds on 13 queries.