On 26/06/13 18:42, Martijn Grooten wrote:
> On Wed, Jun 26, 2013 at 5:01 PM, bad apple wrote:
>> 2: SSL is a red herring - the relevant agencies already have all CA keys
>> through escrow or can force disclosure at will.
> Could you expand on this? For I believe that with the CA signing keys,
> which I assume the agencies to have access to, and with the ability to
> route traffic to your servers, which I assume the agencies to be able
> to do, you can make the vast majority of people believe that they are
> connecting to the real service.
>
> But some people will notice. And make a fuss.
>
> Mind you, they don't need to issue fake certificates if they are able
> to force these providers to install backdoors.
>
> Martijn.
>

Certainly: I meant that the powers that be either already have the relevant (i.e., all of them) CA certificates or can force disclosure of them at will (through means fair or foul), rather than they could force any other kind of disclosure although they'll obviously be able to do that as well.

The data capture will be subject to tiering obviously, considering the veritable flood they'll have to deal with: the vast majority of it cold, destined for metadata filtering and storage on vast racks of spinning rust and then archival tape backup. The warm data will be dumped directly into whatever vast "big data" crunching systems they're using - presumably something rather more specialised and therefore efficient than the CouchDB/Mongo/Hadoop/etc stuff we use. The hot data is stuff that relates to current actively pursued high value targets and will be treated completely differently, and probably in realtime, by a completely different set of equipment and analysts - this is where the scary spy stuff like live MITM, cell intercepts and the like happen. It's also the realm where even with my paranoia, I would think it highly likely that only people like espionage agents, Snowden, Assange, Taliban members and the like would normally end up.

So, the warm layer is where the interesting stuff happens, and is also where your data will end up if you get on the wrong list somewhere. This is where they're doing first stage fishing to see if you warrant serious investigation, so they'll want to go beyond metadata and start looking deep into actual content - depending on whom you believe, this is also the point at which they'll probably need to start getting legal approval (rubber stamped or not). This is the stage that any SSL/TLS encrypted traffic in your history will simply be isolated to TCP streams, or UDP for VPNs, etc, the correct private keys from Google, Facebook or whomever will be applied and they simply decrypt all of it for checking out. With access to said keys, it should be pointed out that anyone can do this with wireshark or other more specialised tools.

It's important to realise that this is not live MITM, traffic redirection, host hijacking or anything else that you hint at (I agree that live MITM attacks are eventually going to get spotted by someone and are thus much more dangerous for them, although they most certainly will also have this capability and use it frequently). This is simple tapping of the data torrent at peering centres and major infrastructure points as already detailed, dropping it into their system (I wish they'd at least come clean and GCHQ would just tell us whatever cool name they've got for it, like "funcrusher plus" or something, it would make referring to it a lot easier) and then decrypting it later, at their leisure.

Way too much attention seems to be on the scarier James Bond-esque live interception and masquerading type attacks which although they are most definitely happening, will comprise a tiny, tiny percentage of the activity. Much much more of it is simply record everything; filter to tiers as appropriate; decrypt stuff later as required.

After all, spy agencies and governments tend to only respond in realtime to the most serious of threats - even for a Muslim preacher in South London emailing rural Pakistan every other week he is still only going to qualify for the warm tier and decryption and analysis after the event, presumably within 48 hours or so. GCHQ still then have to deal with the fact they presumably don't have enough fluent Punjabi or Urdu translators to be handling the amount of data they'll be seeing, even after the technical challenges of capturing and decrypting the data in the first place. Lastly, an analyst will then have to look at the translated plaintext and find out what his boss wants to do about it...

In essence: virtually everything is captured live, sure. But the vast majority of it is only decrypted and processed afterwards, depending on *insert unknown GCHQ/NSA policies here*.

Hopefully that makes this clearer - at least my take on it.

Regards

PS> Disclaimer - I most definitely don't work for these guys, so obviously, this is nothing more than educated musings!

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq