

NSA XKeyscore Tool ‘Could Crack VPNs And Expose The Anonymous’ - filipmaertens
http://www.techweekeurope.co.uk/news/nsa-xkeyscore-vpn-cracking-123499

======
junto
I had also noticed this and commented on it in another HN discussion:
[https://news.ycombinator.com/item?id=6145932](https://news.ycombinator.com/item?id=6145932)

    
    
       "Show me all the VPN startups in country X, and give me
        the data so I can decrypt and discover users."
    

Can someone explain this bit to me please? I read this as:

    
    
      1) The NSA have a list of companies (grouped by country),
         which analysts can 'target' for further inspection.
    
      2) The NSA can 'decrypt' that encrypted data.
    
      3) The NSA can 'discover' users.
    

2) and 3) are weird and scary. This suggests that VPN traffic is not secure at
all. It also suggests that they can target specific users exiting at that VPN
provider. There is nothing stated about restrictions on particular VPN
protocols, suggesting that all are decryptable. Hence, OpenVPN could also be
as vulnerable as PPTP and L2TP/IPSEC.

To me this suggests that VPNs provide no privacy value against NSA spying.

How have other people interpreted this slide?

@thepackrat's comments suggested that:

    
    
       "By VPN startups, they mean initiation of a VPN session. 
       Specifically, this means they can grab the credentials 
       at the beginning of a PPTP VPN session, and then decrypt
       it. PPTP has been known to be vulnerable to this sort of
       attack for some time."
    

([https://news.ycombinator.com/item?id=6148869](https://news.ycombinator.com/item?id=6148869))

It still isn't clear which types of VPN are vulnerable and which are safe.
Based on the fact that the slides didn't specify VPN protocols that we all
know are vulnerable (i.e. PPTP), one has to assume that they all possibly are.

Here is another possibility:

    
    
       - The NSA might just have 'catch all' filters where 
         VPNs exit.
    
       - Using the data from this you could match up traffic 
         which leaks the user's identity.
    
       - Hence, I use a VPN that exits in London. I have 
         specific browser signatures that can help to isolate 
         my traffic.
    
       - I visit Facebook using that VPN. That action has now
         leaked my identity. I now start searching for how to
         make a pressure cooker bomb. Bam, you're on the
         'potential terrorist' list and identified via your
         matched traffic.

