Bullrun - All Your Encryption Are Belong To Us

Unarmed Gunman

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
....

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
....

The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
....

“We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL, virtual private networks, or VPNs, and the protection used on fourth generation, or 4G, smartphones.
....


For at least three years, one document says, GCHQ, almost certainly in close collaboration with the N.S.A., has been looking for ways into protected traffic of the most popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document.

Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.
“And they went and did it anyway, without telling anyone,” Mr. Kocher said.
There is a lot more...
 


Yep. Saw this earlier this evening in NYT. Not surprised at all, and it pisses me off to no end. But I do get a bit of a chuckle thinking back to all of the amateur encryption experts that were so sure the government wasn't even capable of this.

As always, if you allow someone in a position of power to do something in secret, they will find a way to exploit everyone and everything in any way possible.
 
Yep. Saw this earlier this evening in NYT. Not surprised at all, and it pisses me off to no end. But I do get a bit of a chuckle thinking back to all of the amateur encryption experts that were so sure the government wasn't even capable of this.

From the article:

Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.

The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.

“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.

It seems to me that the NSA is relying on keystroke recording, trickery, backdoors, and weak commercially available closed source encryption to decrypt most data successfully. Encryption for SSL is quite weak and typically only 256-bit at best. This is fine for protecting credit card data, but it doesn't surprise me that they were successful in breaking it.

I have my doubts about the NSA's ability to decrypt an encrypted hard disk using an open source package like TrueCrypt without the reliance of tricks such as freezing the computer's RAM in order to try to extract the passphrase. Apparently if the RAM is kept at low temperatures, data stays on it after power is cut for a few precious seconds more. If the PC has been powered down for a while though, this trick is not very helpful.

It's only a matter of time before the NSA starts to have fully functional quantum computers though. So I do think that in a few years it might be possible for the NSA to brute force decrypt even the strongest encryption available today. But it's also only a matter of time before quantum computers are commercially available and capable of offering quantum encryption which cannot be decrypted by a quantum computer.
 
Encryption for SSL is quite weak and typically only 256-bit at best. This is fine for protecting credit card data, but it doesn't surprise me that they were successful in breaking it.
...
I have my doubts about the NSA's ability to decrypt an encrypted hard disk using an open source package like TrueCrypt

You know TrueCrypt is AES-256, right? lol
 
^^^

I don't doubt that what you're saying is correct. I'm not sure that it is, but that's simply because I don't know enough about encryption technologies in the first place. But my statement was primarily relating to online transactions, emails, and what not anyway. In all honesty, I didn't even think about information stored on local hard drives. Though that's obviously a concern as well.

Even if that is the case, that's a minor point. For the vast majority of the population, most of this stuff is beyond the scope of their knowledge. They rely on banks, online checkouts, and the like to ensure their encryption keeps their credit card and purchase information private. That includes keeping it private from the government, at least when there is no search warrant.

It's not realistic or reasonable for every person who shops online or even uses a computer to know the ins and outs of encryption. And it's certainly unreasonable to force them to purchase a solution just because their government can't keep their noses out of their business.

For most people none of this will have any real life implications. But for others it will. The people working for the government are only people. Some have good intentions, some have bad intentions. Some are altruistic and some are out to better themselves by taking from others. But all of that is besides the point. You shouldn't have to worry about a massive government entity having a massive database of everything you purchase, all of your financial information, and tons of other information on you at the tips of their fingers.

If they need that information for a specific purpose, they should have to work to get it and go through the proper legal channels. Those would be the channels that are available for the public at-large to examine and know. Not some nasty backroom special directive that they pass off as law, but in reality isn't law.

Of course, I'm more than old enough to know that's a pipe dream. But it's still horseshit.

Ultimately it's all a part of the larger problem of the surveillance states that we all live in. It's only gotten worse over the years. Hell there was just a report the other day that AT&T has every phone call made in the states stored (meta data) since something like 1986. The only thing the DOJ needs to access that information is an administrative subpoena. That means it just takes some jackass at Justice to decide he wants to look up every phone call his neighbor ever made because his dog pissed in his yard. No judge. No oversight. Not even the appearance of it. Just some asshole with an ax to grind.
 
You know TrueCrypt is AES-256, right? lol

....?

AES-256 is the exact same encryption the US government uses for some classified information.

Unless you have millions of dollars in funding and insanely fast computers, you aren't cracking that shit if it's a strong password.

There are several documented cases where the FBI raids people and they cannot crack their TrueCrypt drives.

Thank the internet gods for Tor and TrueCrypt.
 
But it's also only a matter of time before quantum computers are commercially available and capable of offering quantum encryption which cannot be decrypted by a quantum computer.

Unfortunately quantum computers already exist. For example: D-Wave, The Quantum Computing Company.

A few of those machines are likely already in the NSA's hands. So if what that article says is true then brute force is already a very likely capability of the NSA.
 
Thank the internet gods for Tor and TrueCrypt.

Not sure if I'd be in a hurry to trust Tor. One of my clients kept having his Bitcoin wallets wiped, and after a few weeks of pissing around, we're quite confident it's a Tor exit node.
 
Ok then, how about I send you a TrueCrypted AES-256bit flashdrive and you crack it?

PM me address.


the National Security Agency (NSA) has conducted a review and analysis of AES and its applicability to the protection of national security systems and/or information.
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.”
http://csrc.nist.gov/groups/STM/cmvp/documents/CNSS15FS.pdf
 
^AES is also a relatively simple algorithm. It's highly unlikely that it has some unfound weaknesses. The same cannot be said for ECC, which the NSA also recommends. RSA is a bit unknown, but probably secure. All the weaknesses usually lie in the implementation.
 
Unfortunately quantum computers already exist. For example: D-Wave, The Quantum Computing Company.

A few of those machines are likely already in the NSA's hands. So if what that article says is true then brute force is already a very likely capability of the NSA.

Here's a good article about the D-Wave:

Google's Quantum Computer Proven To Be Real Thing (Almost) | Wired Enterprise | Wired.com

The D-Wave isn't the kind of general purpose quantum computer that can break open any encrypted hard drive. However that sort of quantum computing is close, and it isn't outside the realm of reality to perhaps consider that maybe the NSA already has a fully functional quantum computer or is a few years away from such a breakthrough.
 
Thank the internet gods for Tor

“Our analysis,” says the report, “shows that 80% of all types of users may be deanonymized by a relatively moderate Tor-relay adversary within six months.” It gets worse. “Our results also show that against a single AS [autonomous system] adversary roughly 100% of users in some common locations are deanonymized within three months.” Infosecurity - Tor is Not as Safe as You May Think

See the quote above.
 
Here's a good article about the D-Wave:

Google's Quantum Computer Proven To Be Real Thing (Almost) | Wired Enterprise | Wired.com

The D-Wave isn't the kind of general purpose quantum computer that can break open any encrypted hard drive. However that sort of quantum computing is close, and it isn't outside the realm of reality to perhaps consider that maybe the NSA already has a fully functional quantum computer or is a few years away from such a breakthrough.

Thanks, that was a good read.

Quantum computers do exist and it's up to the software developers to expand the basic capabilities so that they can use the processing power. Obviously there are only a handful of these machines in existence so there aren't many "quantum" software developers out there, yet. It would seem however that the most recent version is 512 qubit which is a ridiculous amount of processing power.

I also think Google is full of shit, I'd bet that they bought more than one and as they expand the software, will move their brains and algos to these quantum machines. Imagine what 512 qubit algos will be like. It'll make Panda and Penguin updates look like old kids' toys at a flea market.
 
There are several documented cases where the FBI raids people and they cannot crack their TrueCrypt drives.

They also can't get into a locked Android phone. :hollering: It's all about priorities.

Ok then, how about I send you a TrueCrypted AES-256bit flashdrive and you crack it?

PM me address.
There are a lot of things I can't do that other people/entities can.



Why would you believe the government's publicly given information about their own capabilities? That's just stupid. Even poker players playing for fake money don't show their hand, and you expect the largest, most actively militarized, most secret government in the world to just hand over systems information? :usa: