Yesterday, the latest in Summer of Surveillance's disclosures on illegal National Security Agency spying hit the wires: XKeyscore. It's a big deal, as have been all of Snowden's offerings - directly contradicting the lies of NSA's junta leaders with cold, hard facts. On the very same day Alexander the Geek was bullshitting to an audience at Black Hat - he's definitionally a terrorist, as he's using terror to build his personal cyber army into a weapon for totalitarian enforcement - Snowden's astonishing courage was shining yet more cold, hard light of truth on what's actually been going on secretly during these post-9/11 years. Others are doing excellent work dissecting this latest round; we won't add to that pile.
However, this latest round has hit very close to home for us. There, in black and white, is a mention of VPN companies. It's like being called out by the Stasi as a problematic dissident, in a way. We are proud of the role we played in creating the VPN "industry" that's so prominent in the discussions about online privacy nowadays, and we've obviously been watching this all play out - the Summer of Surveillance - with more than a passing interest. Now, it's our moment in the sun. Let's cite the specifics, pull together some historical data, and fill in the remaining blank spots on the page when it comes to VPN services - and what they mean in the context of NSA dragnet surveillance. Without further ado...
On slide 17 of the XKeyscore training presentation, as reported by Glenn Greenwald, we find the following text:
* Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users
Pics or it didn't happen:
So what are we to read of this? Some folks, understandably, fear this means the NSA can crack all our encryptions and it's totally useless to even try to protect yourself - specifically, with VPN service. All hope is gone, &c. Is this true - is VPN service a waste of time and money, and in fact a dangerous form of "security theatre" that activists and others might use to protect themselves but actually be no more secure than running plaintext? In a word: yes.
Yes, with a pretty big "if" - if the VPN service is running on a piece of shit cryptographic foundation. A foundation of, for example, PPTP. This is the part of the process where we beg folks: please don't get us started on PPTP as a VPN protocol. Please. Because, you see, we've been ranting about PPTP being unsuitable for VPN service for as long as we've been in business - which is just about as long as there's been a VPN "industry." This isn't some amazing information we developed through our own research, much as we might be proud to claim such a thing. Nope, it's been "known broken" as a protocol... since fucking 1998.
PPTP has been known as a broken, insecure VPN protocol since 1998. That's fifteen years, and counting. Follow this link to our forum thread on this issue, as well as tweet after tweet we've sent out over the years reminding people not to trust PPTP.
- (historical footnote: we were the second genuine provider of VPN service to non-corporate customers, back in 2007 - the first in market was, of course, Relakks... which offered only PPTP service for years and years. As such, we helped define the "VPN industry" that would, years later, come to include hundreds and hundreds of service providers of varying quality. Back when we started up, we chose the OpenVPN protocol as our technical foundation - the first VPN company to do so, and the only one to do so for several years. Ironically, when Ipredator launched, they licensed the old Relakks backend - which was PPTP based - and were called to task for doing so in public. Peter Sunde admitted that the "privacy service" he'd started was insecure, and was intended merely as a "political statement" and not as, you know, actual privacy protection. Well... we never saw our service as performance art - we always intended it to be the strongest and most secure we could make it with existing tools. That's a philosophical difference that's still quite relevant today - although, to their credit, Ipredator finally started offering real, OpenVPN based service... last year.)
PPTP sucks, and is broken, and is easy to crack. The NSA aren't dumb - they didn't need Moxie's clever Cloudcracker tool to show them that anything built on top of MS-CHAP can be brute-forced without breaking a sweat. No doubt, they've been brute-forcing PPTP for many years. Hence page 17, confirming what we've warned about over, and over, and over until even we were sick of hearing about it. Then we warned about it some more, because it's life and death for some people. We've warned about it, even as we've grudgingly offered it for customers using smartphones without OpenVPN support - begging our customers to find a way to use a real protocol. Because, once again: PPTP is broken.
- Funny aside, the sad-funny kind: When HideMyAss was launched - in 2009, not earlier as they now routinely claim in their marketing hype - they were PPTP-only, as well. They were called out for that decision, in public, by Cryptocloud's founders. HMA, of course, went on to earn infamy as 'SnitchMyAss' in 2011, betraying customers despite promises they didn't log customer activity. Too bad folks didn't know more about their choice of "security theatre" cryptography at their inception, and what it said about their lack of concern for genuine protection of their customers, or their incompetence in understanding basic concepts of applied cryptographic engineering. Or both.
Which is to say, when Sabu wanted to appear credible - and not like an FBI snitch - he referenced Cryptocloud as a VPN provider that actually does protect customers, doesn't log customer activity (and never has - and was the first VPN company to bring "no logging" into existence), and isn't #snitchware. Which is telling - and accurate. But also really, really sad in that during that time Sabu was working to entrap other courageous activists - which means Cryptocloud was used as "window dressing" for Sabu to appear credible at a time when it would have been far better for him to be known as anything but that. Bittersweet endorsement, that one.
Does that mean that all encryption is broken, and can be easily unwound by the NSA? No, it doesn't. That'd be like saying all cars suck because one model of cars sucks and everyone knows they suck and yet, inexplicably, some people still buy and (try to) drive those cars. We're not the only ones to note this, of course: there's an entire community of real cryptographic experts who have documented and studied these very issues for decades. Cryptography works, and public-key cryptography in particular is quite mathematically sound. The flaws in crypto are almost always implementation issues, or coding bugs, or bad choice of randomizers - tactical, not strategic. Cryptographic theory is sound, and well-studied. Cryptographic implementation is difficult, and complex, and - unless done right, reviewed constantly, and tested continuously - often results in flawed systems being put into production.
Flawed systems like PPTP.
It's important to understand that it's not a question of "implementing PPTP wrong" - in fact, there's simply no right way to implement PPTP so that it is secure. In contrast, it's still possible to make mistakes implementing OpenVPN... but it's also possible to put it into production in such a way that it's doing real key exchange via 2048-bit RSA, and using real symmetric crypto for the messaging stream, based on those keys, that's provably robust against all known current attack vectors at 256-bit key length. Which William Binney confirms... Binney being, you know, that guy who helped develop a big chunk of the NSA's modern surveillance infrastructure, quit in protest at its unconstitutional mutation, and provided James Bamford with information for Wired's now-famous cover story on the NSA's datacentre. Quoting from that story:
There is still one technology preventing untrammeled government access to private digital data: strong encryption. Anyone—from terrorists and weapons dealers to corporations, financial institutions, and ordinary email senders—can use it to seal their messages, plans, photos, and documents in hardened data shells. For years, one of the hardest shells has been the Advanced Encryption Standard, one of several algorithms used by much of the world to encrypt data. Available in three different strengths—128 bits, 192 bits, and 256 bits—it’s incorporated in most commercial email programs and web browsers and is considered so strong that the NSA has even approved its use for top-secret US government communications. Most experts say that a so-called brute-force computer attack on the algorithm—trying one combination after another to unlock the encryption—would likely take longer than the age of the universe. For a 128-bit cipher, the number of trial-and-error attempts would be 340 undecillion....
“Why were we building this [multi-billion dollar Utah] NSA facility? And, boy, they rolled out all the old guys—the crypto guys.” According to the official, these experts told then-director of national intelligence Dennis Blair, “You’ve got to build this thing because we just don’t have the capability of doing the code-breaking.” It was a candid admission. In the long war between the code breakers and the code makers—the tens of thousands of cryptographers in the worldwide computer security industry—the code breakers were admitting defeat.
Cryptocloud implements 256 bit messaging symmetric key encryption, after key exchange is accomplished via certificate-based, 2048-bit, RSA handshake. Those protocols are provided via the standard, opensource, widely-reviewed OpenSSL libraries. We don't try to make new crypto ciphers, or use proprietary ones, or otherwise fiddle with the successful work of cryptographic specialists - that would be dumb, worse than reinventing the wheel. We use the best that's out there and proven to work, and we do our best to implement it in a secure way according to the best advice out there from those same experts.
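An added example, not Cryptocloud's or OpenVPN's own code: a small audit of an OpenVPN client config against the parameters stated above (certificate-based, 2048-bit RSA, 256-bit symmetric cipher). The sample configs, the host name and the certificate line are constructed, and the function names are hypothetical.

```python
import re

MIN_SYM_BITS = 256    # symmetric key length stated in the post
MIN_RSA_BITS = 2048   # RSA handshake key length stated in the post

# Constructed sample configs (hypothetical host, not a real provider's files).
WEAK = "client\ndev tun\nremote vpn.example.net 1194\nauth-user-pass\ncipher BF-CBC\n"
STRONG = ("client\ndev tun\nremote vpn.example.net 443\n"
          "<ca>\n(constructed placeholder)\n</ca>\ncert client.crt\nkey client.key\n"
          "cipher AES-256-CBC  # 256-bit data channel\n")
# Constructed line in the style of `openssl x509 -noout -text` output.
CERT_1024 = "                Public-Key: (1024 bit)\n"

def directives(text):
    """Map directive name -> args; inline <ca>...</ca> style blocks count as present."""
    out, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # skip the body of an inline block
            if line == f"</{inline}>":
                inline = None
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:
            inline = block.group(1)
            out[inline] = ["[inline]"]
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()   # drop comments
        if line:
            name, *args = line.split()
            out[name] = args
    return out

def audit(config_text, cert_text=""):
    """Return findings where the config falls short of the post's stated parameters."""
    d, findings = directives(config_text), []
    cipher = (d.get("cipher") or [None])[0]
    if cipher is None:
        findings.append("no cipher directive: client uses its build default")
    else:
        # AES-256-CBC -> 256; a name with no length (BF-CBC) is treated as failing
        m = re.search(r"-(\d{3})(-|$)", cipher)
        if not m or int(m.group(1)) < MIN_SYM_BITS:
            findings.append(f"cipher {cipher}: key length below {MIN_SYM_BITS} bits")
    missing = [k for k in ("ca", "cert", "key") if k not in d]
    if missing:
        findings.append("not certificate-based: missing " + ", ".join(missing))
    rsa = re.search(r"Public-Key: \((\d+) bit\)", cert_text)
    if rsa and int(rsa.group(1)) < MIN_RSA_BITS:
        findings.append(f"certificate key {rsa.group(1)} bits: below {MIN_RSA_BITS}")
    return findings

if __name__ == "__main__":
    for name, cfg, cert in (("weak", WEAK, CERT_1024), ("strong", STRONG, "")):
        print(name, audit(cfg, cert) or "meets the stated parameters")
```
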
We're not perfect. There are some elements of our current cipher implementation that some of our more cryptographically paranoid team members have been agitating to "turn up" - and that's going to happen, sooner or later. Sooner rather than later, in fact. As is a rollout of perfect forward secrecy in our SSL infrastructure (already in process) - even though we don't use SSL for messaging encryption at all, but rather merely as a web service and as part of the routine account auth handshake (which simply allows for network access, but has nothing to do with the secure tunnel's instantiation or maintenance or security).
~ ~ ~
The NSA don't play. They're for real - about as "for real" as it gets. They have billions of dollars at their disposal. Hundreds of the best cryptographic minds in the world... hundreds of them. They are not constrained by "laws" and can thus do things that actual citizens would go to prison for even trying - note the complete absence of any prosecution, ever, of an NSA employee for breaking the law that's supposed to prevent them from spying illegally on Americans, or otherwise violating U.S. statutes. They're exempt, and they know it - so that's a huge strategic advantage. They have all those tools, and they're sure as fuck using them. They're using them to illegally spy on Americans, and they're also spying on the rest of the world - unashamedly, and with essentially no viable oversight by anyone. They employ thousands of "offensive cyber specialists"... thousands of offensive cyber specialists. Sorry for the scare-italics, but read those lines again carefully. The NSA don't play.
That doesn't mean we can't protect ourselves against their criminal, unconstitutional rampage of Orwellian surveillance. There are viable, practical, effective methods of response to the threat profile presented by the NSA - they're not magical silver bullets, or guarantees of perfect immunity from spying... but they're a fuck of a lot more than nothing.
One thing is quite clear: deploying broken, pathetic #encraption like PPTP-based VPN service in the face of the NSA's firepower isn't even as effective as pissing in the ocean: it's worse. It's pretending to be wearing magickal armour and walking into a gun battle - better to know you're naked, and take appropriate precautions. Best of all, of course, is to find some real armour - it might not be perfect, and it might have limits (what armour doesn't, in the real world?)... but it's a real step up from vulnerable nakedness.
One part of that armour is real VPN protection, and our UnPRISM Campaign is an effort to make that tool as widely available as possible. There are many other pieces, and it's going to take all of us quite some time to weave together practical, reliable systems of protection that can stand up to what we now know about the NSA's dragnet spying; as one well-credentialled observer has recently noted, we mere civilians are no longer the "apex predators" when it comes to digital life. Now, we're the underdogs - and we're going to need the smarts, cleverness, and teamwork at our disposal to stand up to the growing totalitarian threat.
"A turnkey totalitarian state" - that's how William Binney described Alexander's massive, illegal spying apparatus. He wasn't speaking metaphorically - he meant it, literally. Push back. Fuck that: shove back! Don't ask them to respect us - instead, wrest that respect back from these clown-suited, peeping-Tom fascists in (very minimal) disguise. This isn't a time for meek acquiescence - nor is it a time for making "political statements" with bullshit, pathetic encryption shamware.
Now is the time for real tools, real actions, and a real commitment to a free future for our planet. Fuck the NSA - and fuck those who think we can be beaten into silence through their Panopticon on uncut meth. We have tools to protect ourselves, and we're damned well going to use them - and teach others how to do the same!
- ~ cryptostorm_team