
Unraveling NSA's TURBULENCE Programs - acqq
https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html
======
r0h1n
So if you're a VPN user, you get extra special attention from the NSA.

 _> In the case of VPN traffic, a system called HAMMERSTEIN identifies the
traffic and sends the metadata to a database called TOYGRIPPE. The TOYGRIPPE
database is a “repository of VPN endpoints”14 that is used by targeting
officers to determine if that computer should be a target for further
exploitation 13. The TURMOIL VPN module also looks up the IP information in a
database called KEYCARD to determine if the target should be tasked for
targeted SIGINT collection or to recover the VPN key. Of special note is that
this VPN traffic passes through a system called “TE-VPN PIQ Blade.” PIQ refers
to the PICARESQUE ECI marking 38, which is associated with BULLRUN 16. The
BULLRUN program is NSA’s effort to weaken and exploit encryption that protects
digital SIGINT, whether by finding bugs in cryptographic algorithms or by
manipulating standards bodies or companies into weakening encryption tools. It
is safe to assume that PIQ is a compartment that contains the details of a
cryptologic attack against a specific VPN technology (or technologies), which
the NSA/GCHQ either found or paid for._

~~~
hammock
Cf. steganography, hiding in plain sight, etc. Drawing less suspicion
generally, and if you are in the "mainstream" e.g. a crowded place, your
signal becomes more difficult to parse out of the chaos.

------
fit2rule
This is so disturbing. I honestly feel that with every one of these
revelations, my interest in the technology world is degraded more and more.
The existence of such heinous things as the TAO, and its tendrils, brings on a
serious depression. Just who do these people think they are, to defeat our
lives so completely, for their own sakes? Despicable.

~~~
higherpurpose
They have a very pro-end-justifies-the-means attitude. Just listen to DoJ
defend most of the illegal spying they get caught with. They keep saying
"...but it's effective!". As if that makes it _less illegal_.

The sad part is the mass surveillance done by the NSA, by and large, isn't
even that. Maybe it's effective for economic spying, or spying on political
leaders, or hacking into other countries' infrastructures, or even helping to
assassinate random people in the Middle East who happen to be in the area of
"terrorists", who may or may not be guilty of terrorism. But it's so easy to
just press that drone's button, especially when it happens so far away from
home and with nobody to hold them accountable...so who cares, I guess? It's
easier and cheaper to kill someone with perhaps 20 percent chance of being a
terrorist, than _not_ doing that (I think that's their attitude towards this).
Autonomous killer drones will only make this problem 10 times worse, as they
can kill many more such people, faster. And with every innocent life taken
this way, 10 more people ending up _hating_ America (but not for its
freedoms).

But so far there's no evidence that this mass spying would actually help with
its promoted and intended goal - "stopping the next 9/11". If anything,
there's probably evidence _against_ it. A bigger haystack is just that - a
_bigger_ haystack in which to find the needle, and way more false leads, with
biased algorithms that lead to the harassment of tens of thousands, if not
millions, and without them ever knowing why they are even harassed in such a
way.

~~~
drcomputer
> and way more false leads, with biased algorithms that lead to the harassment
> of tens of thousands, if not millions, and without them ever knowing why
> they are even harassed in such a way.

If there is one thing I feel like people should understand about algorithms
and computers, it is about this. Just because something is computed does not
make it more accurate. It just means greater precision based on the
specifications and initial assumptions. More inaccurate calculations do not
equal better. Greater dependency on machines to do our reasoning for us, I am
partially concerned, has our species ignoring their own capacity to reason for
themselves.

The thing I can't understand is how these people who do spy have any sense of
self of which to reason with. The more they focus on that which exists outside
of themselves, the harder it is to discern between what they are and what they
fight against. I wish people would just honestly, sit down for like a year or
something, and take a good long look in the mirror and introspect, rather than
everything being action action action. Just because everything looks like it's
moving doesn't mean it actually is.

~~~
acqq
Just as the historical perspective, the automatic data processing was used
even before electronic computers, and even by the Nazi regime to support
genocide:

[http://en.wikipedia.org/wiki/IBM_during_World_War_II](http://en.wikipedia.org/wiki/IBM_during_World_War_II)

That's why it's important to actively care and to organize the society to
minimize the potential for the undesired use of the possibilities given by the
technology: the technology can amplify both the good and the bad acts. The
society has the chance to influence that more easily before the tipping points,
and only after a lot of harm has already been done after them. On the other side, once
the tipping point is reached, even if some system didn't exist before, it
would be implemented fast.

The position of the "consumers" in the digital world is also something that
has some interesting comparisons:

[http://www.wired.com/2012/11/feudal-security/](http://www.wired.com/2012/11/feudal-security/)

~~~
drcomputer
In theory, I absolutely agree with you.

In practice, every choice as to how to care and organize society becomes a
question of what to control and what not to control. Who can be trusted, and
who can't be trusted. Then it just seems to go in a circle. Regulation on top of
regulation. People make judgments and claim they are assertions rather than
assumptions, based on correlative and observationally biased inferences. The
system becomes deterministic based on individual impulse, rather than caution,
patience, and 'opened' trust.

With individual impulse, it becomes a question of who decides to shape
society, rather than how society is shaped. Whoever makes a move first has an
advantage in the short term. But this has the potential to be twisted by
greed, selfish desire, and delusions of grandeur, or the idea that "what works
for me will work for you". Then things get directed towards tipping points.
People start believing in power hierarchies, groups, differing orders and
levels of intelligence and ability as intrinsic and permanent properties of
their existence. And so the pendulum keeps swinging.

~~~
acqq
Then, not in theory, but in practice, do you think we should care about the
topic of the article?

Is it good when we discover what is actually being done "behind the closed
doors" related to our profession right now?

It's also a task of every engineer to consider what could go wrong.

~~~
drcomputer
I don't think we will ever be at a point in our existence, where we know what
to do before we have to do it.

> It's also a task of every engineer to consider what could go wrong.

Within a reasonably defined threshold. If I have a business making rubber
ducks, I don't have to design those rubber ducks with the specification that
they withstand temperatures of 200 degrees C.

> Then, not in theory, but in practice, do you think we should care about the
> topic of the article?

I do care. I choose to not work for places that I disagree with the intent and
usage of such things. I know I have the capacity and capability to work at
those places. I don't want to contribute my intellect to something I consider
destructive, to the best of my knowledge and awareness to do so.

But even given my choices, I never feel like I have the right answers. I
always can find perspectives in where I could be wrong. I try to pick the one
I consider 'least wrong'. It's not really a lesser of two evils thing, it's
more reducing the probability for things to go wrong. I'm also young and
probably very naive in many ways.

------
mike_hearn
Would love to know more about the "Pairing and Crypt attacks" along with
"Cryptovariable management". Probably the pairing here is referring to the
pairing between client and server rather than the cryptographic technique of
using pairings ... but it seems this hasn't surfaced in any of the other
snowden docs. I often wish the journalists working on that story had released
more source material.

~~~
AlyssaRowan
They're only slides. We don't have audio of the presentations. :)

I did wonder about that, but no "common" internet encryption protocols use
pairing-friendly (in the open source cryptographic community sense)
primitives. I think you're about right and it probably refers to matching
public and private keys for CAs in SSL/TLS, looking up suitable intermediate
CAs, for which they may have a few keys stashed away. They don't seem
enthusiastic to wave them around much, however.

I believe they probably have long-term cryptologic cracking capability (HPC)
including 1024-bit RSA, but probably not 2048-bit. Maybe MD5? Maybe SHA1?

Look at the long list of trusted CAs in a browser, and try to map all the
intermediates they've ever signed. You may find a few likely candidates.

~~~
EthanHeilman
To extend your statements:

* breaking 1024-bit RSA is believed to be well within the resources of the NSA given public research/attacks.[0]

* MD5 is already completely broken in the public research and the NSA has used MD5 collisions in malware attacks that are independent of public methods[1].

* RC4 has been attacked for a number of years, and someone who has seen unreleased Snowden documents claimed that the NSA has the ability to break RC4 in realtime[2]. Plenty of HTTPS traffic is protected by RC4.

[0]:"One estimate is made by Shamir & Tromer (2003) in their hypothetical
TWIRL device. They suggested that for "a few dozen million US dollars", a
hardware device could be built to break a 1024-bit RSA key within around a
year. Franke et al (2005) similarly estimate a cost of 200 million dollars
for a machine to factorise a 1024-bit number in one year. If these cost
estimates are accurate, it's safe to assume that the NSA has built such a
machine (unless they have another way of breaking RSA more efficiently). And
by Moore's Law alone, we'd assume that their machine takes considerably less
than a year."
[http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml](http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml)

[1]: "He discovered that for this spy malware an as yet unknown cryptographic
attack variant of his own MD5 attack is used."
[http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware](http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware)

[2]: "RC4 is broken in real time by the #NSA - stop using it."
[https://twitter.com/ioerror/status/398059565947699200](https://twitter.com/ioerror/status/398059565947699200)
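
An added example (not from the thread, the article, or the leaked slides, and not a claim about what the NSA's own RC4 attack looks like): the simplest public reason RC4 is unsafe for TLS is that its keystream is measurably non-uniform. Mantin and Shamir showed in 2001 that the second keystream byte is 0 with probability about 1/128 rather than 1/256. The script below implements textbook RC4, measures that bias over 20,000 constructed keys (derived from a counter so the run is reproducible), and then shows the practical consequence: if the same plaintext is encrypted under many independent keys, the most frequent value of ciphertext byte 2 *is* plaintext byte 2, with no key material needed. The key count, key length and sample plaintext are my choices.

```python
"""RC4 keystream bias (Mantin-Shamir, second byte) and the ciphertext-only
plaintext recovery it enables. Added example; keys and plaintext are
constructed here, nothing is taken from real traffic."""
import functools
import hashlib
from collections import Counter


def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """First `nbytes` of RC4 keystream for `key` (textbook KSA then PRGA)."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@functools.lru_cache(maxsize=None)
def sample_keystreams(trials: int, nbytes: int = 16, key_len: int = 16) -> tuple:
    """Keystream prefixes for `trials` distinct 128-bit keys. Keys are derived
    deterministically from a counter (constructed input) so results repeat."""
    streams = []
    for n in range(trials):
        key = hashlib.sha256(b"rc4-bias-demo:%d" % n).digest()[:key_len]
        streams.append(rc4_keystream(key, nbytes))
    return tuple(streams)


def zero_frequency(position: int, trials: int = 20000) -> float:
    """Fraction of keys whose keystream byte at `position` (1-based) is 0x00.
    A uniform generator would give ~1/256 = 0.0039; RC4 gives ~1/128 at
    position 2."""
    streams = sample_keystreams(trials)
    return sum(1 for ks in streams if ks[position - 1] == 0) / trials


def recover_byte(plaintext: bytes, position: int, trials: int = 20000) -> int:
    """Ciphertext-only attack: encrypt the same plaintext under many keys
    (as a browser does when it resends a cookie), histogram the ciphertext
    byte at `position`, and return the modal value. Because keystream byte 2
    is most often 0, the modal ciphertext byte 2 equals the plaintext byte."""
    streams = sample_keystreams(trials)
    p = plaintext[position - 1]
    hist = Counter(ks[position - 1] ^ p for ks in streams)   # C = P xor Z
    return hist.most_common(1)[0][0]


if __name__ == "__main__":
    for pos in (2, 3, 16):
        print("P(Z_%d = 0) = %.5f  (uniform would be %.5f)"
              % (pos, zero_frequency(pos), 1 / 256))
    secret = b"GET /secret"
    print("recovered byte 2: %r (actual %r)"
          % (chr(recover_byte(secret, 2)), chr(secret[1])))
```

The single-byte recovery here is the seed of the 2013 AlFardan et al. TLS attack, which uses the biases at every early keystream position at once and needs on the order of 2^30 encryptions of the same cookie; hardware acceleration of exactly this kind of statistical counting is what makes a "real-time" break plausible.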

~~~
AlyssaRowan
Yes - I concur that the "cryptanalytic breakthrough" GCHQ talked about the NSA
having a few years ago was _most probably_ some kind of a practical RC4 break,
from context. (Schneier thought this one of the likely possibilities too.)
It's used enough in TLS (especially at the time these documents were penned,
as some advising on BEAST countermeasures actually _encouraged_ people to use
it, instead of switching to TLSv1.2 to use the strong AEAD ciphers - awfully
convenient for them!) that if they have, say a known-plaintext-prefix attack
of reasonable complexity that can be hardware-accelerated, that would be
widely leveragable into very real breaks to them - and the structure of such a
thing would look remarkably like what we see here.

RC4 is about as good as such a simple crypter can be, but it really is _too_
simple and _not_ good enough now, and I strongly suspect it is already toast
and way too late to safely phase out - which is why the IETF are hopefully
about to publish an RFC strongly recommending it MUST NOT be used in TLS, at
all. (Worse, even if RC4 isn't toast to everyone right now, an attacker who
can put your data on ice for a few years - like just about every Nation State
Adversary does - may very well _make_ toast with it down the line and read all
your data.)

 _We_ don't have any second-preimages in MD5, yet; what's demonstrated are
techniques for efficient collisions. They _might_ , but collisions are easily
enough for practical problems as many have publicly demonstrated. SHA-1 hasn't
been publicly demonstrated with a collision yet, but it has all the same
underlying problems as MD5 (and the original SHA), just to a lesser extent - I
suspect that NSA can produce SHA-1 collisions with enough effort. Don't expect
them to spend more effort than they _need_ , however, to save money and avoid
revealing capabilities where possible. Several attackers have happily
leveraged simpler shortcuts - there's a piece of (probably South Korean)
malware that has signing keys co-opted from hapless developers who've somehow
been derping around with 512-bit RSA keys. _I_ could break those, so that's
completely ridiculous!

By the way - do be on the look out for PGP signatures with 1024-bit DSA
signing keys. There's a _lot_ of them. Upgrade to at least 3072-bit RSA, I
suggest (or Ed25519).
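
An added example (mine, not from the thread) for the last point above: checking what a PGP key actually is. OpenPGP keys are a sequence of packets, and the public-key packet (RFC 4880 section 5.5.2) carries the algorithm ID and the key material as MPIs whose two-byte prefix is the bit length, so a key audit only needs a small packet parser, no `gpg` invocation. The script below parses old-format v4 public-key packets, computes the v4 fingerprint (SHA-1 over 0x99, the two-byte length and the body, section 12.2), and applies a size policy. The sample packets are constructed with placeholder MPI values of the right lengths; they are not real keys, and the "weak" thresholds (RSA or ElGamal under 2048 bits, DSA with p under 2048 or q under 224 bits) are my policy choice, not an RFC requirement.

```python
"""Audit algorithm and key size of OpenPGP v4 public-key packets
(RFC 4880 sections 4.2, 5.5.2, 12.2). Added example; sample packets are
constructed with placeholder numbers, not real key material."""
import hashlib
import struct

ALGORITHMS = {1: "RSA", 2: "RSA-encrypt-only", 3: "RSA-sign-only",
              16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def _read_mpi(buf: bytes, off: int):
    """RFC 4880 3.2: two-byte big-endian bit count, then ceil(bits/8) bytes."""
    bits = struct.unpack_from(">H", buf, off)[0]
    n = (bits + 7) // 8
    return bits, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n


def _mpi(value: int) -> bytes:
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_public_key_packet(algo: int, mpis, created: int = 0) -> bytes:
    """Old-format packet: CTB 0x99 (tag 6, two-byte length) + v4 key body.
    Only used to fabricate test input; the MPI values are not valid keys."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    body += b"".join(_mpi(v) for v in mpis)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def parse_public_key_packet(pkt: bytes) -> dict:
    """Algorithm, creation time, key size in bits, DSA subgroup size, fingerprint."""
    ctb = pkt[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if tag not in (6, 14):                       # public key / public subkey
        raise ValueError("not a public-key packet (tag %d)" % tag)
    if ltype == 0:
        length, off = pkt[1], 2
    elif ltype == 1:
        length, off = struct.unpack_from(">H", pkt, 1)[0], 3
    elif ltype == 2:
        length, off = struct.unpack_from(">I", pkt, 1)[0], 5
    else:
        raise ValueError("indeterminate length not supported")
    body = pkt[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    algo = body[5]
    info = {"algorithm": ALGORITHMS.get(algo, "unknown(%d)" % algo),
            "created": struct.unpack_from(">I", body, 1)[0],
            "bits": None, "qbits": None,
            # v4 fingerprint: SHA-1(0x99 || 2-byte length || body)
            "fingerprint": hashlib.sha1(
                b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()}
    p = 6
    if algo in (1, 2, 3):                        # RSA: n, e  -> size of n
        info["bits"], _, p = _read_mpi(body, p)
    elif algo == 17:                             # DSA: p, q, g, y
        info["bits"], _, p = _read_mpi(body, p)
        info["qbits"], _, p = _read_mpi(body, p)
    elif algo == 16:                             # ElGamal: p, g, y
        info["bits"], _, p = _read_mpi(body, p)
    return info


def is_weak(info: dict) -> bool:
    """Policy (my choice): RSA/ElGamal < 2048 bits, DSA p < 2048 or q < 224."""
    if info["algorithm"] == "DSA":
        return info["bits"] < 2048 or info["qbits"] < 224
    if info["algorithm"].startswith("RSA") or info["algorithm"] == "ElGamal":
        return info["bits"] < 2048
    return False


# Constructed 1024/160-bit DSA key shape with placeholder p, q, g, y.
SAMPLE_DSA_1024 = build_public_key_packet(
    17, [(1 << 1023) | 0x1D, (1 << 159) | 0x1D, 2, (1 << 1023) | 0x3],
    created=1262304000)
# Constructed 3072-bit RSA key shape with placeholder n and e = 65537.
SAMPLE_RSA_3072 = build_public_key_packet(1, [(1 << 3071) | 1, 65537])

if __name__ == "__main__":
    for pkt in (SAMPLE_DSA_1024, SAMPLE_RSA_3072):
        info = parse_public_key_packet(pkt)
        print(info["algorithm"], info["bits"], info["qbits"],
              "WEAK" if is_weak(info) else "ok", info["fingerprint"])
```

To run this on a real keyring, export a key with `gpg --export` and walk the packet stream; the primary key is the first tag-6 packet, signing subkeys are tag-14 packets, and new-format headers (CTB bit 6 set) need the length encoding from RFC 4880 section 4.2.2, which this example deliberately leaves out.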

