lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: adam at (Szilveszter Adam)
Subject: Wiretap or Magic Lantern?

Hello all,

As for the "Magic Lantern" stuff, yes AFAIR it was like your typical 
malware, was delivered eg via email and did pretty much the same stuff 
that today's keystroke-logging remote-controllable malware does. Nothing 
truly exciting, not even at the time, but for the fact that it was the 
Feds that were using it. (People simply *love* consipracy theories and 
things that have to do with any kind of secret services. These orgs 
profit from this fact tremendously. Just look at their booths at job 
fairs: they are bustling with hangers-on and wannabees.)

As for the article cited, whenever I read something like that I always 
think to myself: "It is quite reasonable to believe, that these 
so-called correspondents were already under surevillance for some reason 
or other, and therefore their emails were already monitored." It is the 
only feasible way for this to happen. All the rest of the tales of a 
super-duper system that monitors all the world's Internet, satellite, 
radio and phone traffic and screens it in real-time is just a 
smoke-screen for the ppl who love spy movies. And of course it furthers 
the interests of the U.S., since this way no one (not even the so-called 
allies) can be quite sure what they now or are capable of discovering.

Note that this is *not* to say that the technical ingredients of such a 
system are not already available to governments in many countries. They 
are. Phone calls, mobile calls, satellite traffic or Internet traffic: 
they can be and are monitored both by police and by the secret services. 
On more places than you would think. Just think about the scandals about 
the spying on UN delegates in New York, or the bugging of the EU 
Commission's offices in Brussels (both by the US). But this does not 
happen in an all-encompassing blanket manner. And certainly not with 
some automatic keyword search or what have you run against all that data.

BTW as for some of the myths that accompany these covert ops in 
cyberspace: you would be really surprised to learn how sophisticated 
criminals have already been caught simply by sending them HTML email 
that contained an invisible web bug, the kind that is in your spam every 
day. It is mostly still the human factor, that gives one away, there is 
mostly no need to go head-on against really strong crypto or stego. 
Approach it from the human side and you are there much faster.

BTW as for the "NSA-proof"-nes of PGP: It is not uncrackable. Nothing 
is, given the right amount of time and resources on your hands. The only 
question is, does it need to be? And is it worth it? If you can get at 
the info in say 10,000 years from now than clearly this is not an 
option. And there is no need to go there either, when all you need is 
some attractive woman and many men will readily tell more than you had 
ever hoped for. :-P

P.S. The article reminds me of the stories of drug busts on 
border-crossing stations when they say: "The passengers were behaving 
themselves in a suspicous manner so we subjected them to a thorough 
search. And guess what, we found the dope." Sure. It really wasn't 
someone giving the border guards a phone call just at the right time. ;-)


Powered by blists - more mailing lists