Lots of people often give agencies too much credit because of Snowden and other whistleblower leaks, but GCHQ & Co. don’t have unlimited power over every program, connection or algorithm. In my little guide here I show what the NSA still can’t crack, based on research and leaks.
Almighty NSA, GCHQ & Co.
Most of the things which NSA & Co. cracked are not based on their own work. They couldn’t even crack Apple’s FDE without help from the FBI, the CIA & another organization in order to get some (not even all) information extracted from the device. The myth that the NSA can break everything is nothing but that, a myth.
Most of the time they hire other people and invite other organizations to do their work for them because they simply can’t do anything. Der Spiegel showed us, based on Snowden’s leak, that they have less power than you think.
Things become “catastrophic” for the NSA at level five – when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a “near-total loss/lack of insight to target communications, presence,” the NSA document states.
- Truecrypt / VeraCrypt
- Partially Telegram
- Miranda IM / Pidgin with MirOTR or OTR
- KeePass (even with default settings)
- TailsOS, Qubes OS & other isolated operating systems
- 256-bit Elliptic Curve
- 3072-bit Discrete Log
- NTRUEncrypt, based on lattice-based cryptography
- Basically, all Shor’s algorithm factors with big integers are very efficiently even against quantum PCs
- Quantum computing will have the most dramatic impact on asymmetric encryption only, while symmetric algorithms are considered safe with a large enough key size (256 bits+).
- Combining multiple layers of different kinds of encryption is not a good thing and mostly ends up causing a lot of problems.
- A more detailed article about post-quantum era encryption algorithms is posted by NIST itself over here.
These few examples show what easily survives the known NSA attacks. Some programs that are years old are still secure, and there is no reason to switch if you are satisfied with them. Some of the listed algorithms are even secure against the upcoming quantum PCs.
In one of the more ironic sections from the documents shown by Der Spiegel, we learned that while the NSA is responsible for recommending the best security standards to the US National Institute of Standards and Technology, at the same time it is looking for ways to break the tools it recommends.
Is IPSec fundamentally broken?
No. Most internet ‘security’ pages claim that IPSec is totally broken because the ‘NSA’ broke it (they didn’t break anything btw, they ‘simply’ used an exploit). However, the point is that this is more or less possible with all protocols, since every protocol has its pros & cons. Advertising protocol xyz as better without mentioning that it’s also exploitable is marketing meant to sell you something and to play on fears. IPSec is not entirely broken. Since the days of the leak, the protocol has received several updates to fix things, and the protocol itself is open source. What’s important to mention here is that it is for sure weaker than other protocols and depends more on the configuration.
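The configuration dependence mentioned above can be checked mechanically. The following is an added example, not part of the original post: it reads strongSwan-style proposal strings and flags key sizes below the figures from the list earlier on this page. Treating those figures as minimums is an assumption, as are the sample proposals and the function names.

```python
import re

# Floors taken from the list above (assumption: treated here as minimums):
# 256-bit symmetric keys, 3072-bit discrete-log groups, 256-bit elliptic curves.
FLOORS = {"symmetric key": 256, "discrete-log group": 3072, "elliptic curve": 256}

# strongSwan-style proposal keywords mapped to the category they belong to.
PATTERNS = [
    (re.compile(r"aes(\d+)(?:gcm\d+|ccm\d+|ctr)?"), "symmetric key"),
    (re.compile(r"modp(\d+)"), "discrete-log group"),
    (re.compile(r"ecp(\d+)(?:bp)?"), "elliptic curve"),
]
# Ciphers whose key size is not part of the keyword.
FIXED = {"3des": ("symmetric key", 168), "des": ("symmetric key", 56)}


def classify(token):
    """Return (category, bits) for a keyword, or None if it is not judged here."""
    if token in FIXED:
        return FIXED[token]
    for pattern, category in PATTERNS:
        match = pattern.fullmatch(token)
        if match:
            return category, int(match.group(1))
    return None  # integrity/PRF algorithms and unknown keywords are skipped


def audit_proposal(proposal):
    """List every keyword in one proposal that falls below the floors."""
    findings = []
    for token in proposal.lower().split("-"):
        hit = classify(token)
        if hit and hit[1] < FLOORS[hit[0]]:
            findings.append(f"{token}: {hit[1]}-bit {hit[0]} < {FLOORS[hit[0]]}")
    return findings


# Constructed sample proposals, not taken from any real deployment.
SAMPLES = [
    "aes128-sha1-modp1024",
    "3des-md5-modp1536",
    "aes256-sha256-modp3072",
    "aes256gcm16-prfsha384-ecp384",
]

if __name__ == "__main__":
    for proposal in SAMPLES:
        problems = audit_proposal(proposal)
        print(proposal, "->", problems or "meets the floors")
```

Hash and PRF keywords are deliberately not judged, because the page gives no figure for them.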
NSA is spying on VPN users, no shit Sherlock!
Some other pages say that the NSA ‘cracked’ over 200 VPN providers; however, cracking and monitoring are different things. The mentioned documentation only shows that the NSA wants to see what’s behind the traffic. This doesn’t mean those mentioned providers are compromised; that the NSA wants to see the traffic is not really a secret.
Recommended programs by privacytools.io & others
privacytools.io is a website developed on GitHub which aims to provide a basic overview of programs which are considered ‘secure’. Please keep in mind that it is maintained by a community of experts and non-experts; the listed programs are in a lot of cases neither audited nor deeply analyzed against current vulnerability findings, since this would require much more effort. Keep that in mind before you blindly install any of the mentioned tools.
Alternative and similar pages are:
I’ll expand my conclusion in case I decide to write more about this topic, which is huge; there are a lot of documents to read, a lot of false statements and articles to ignore, and some things which are totally correct. Recommending things without mentioning the whole story is, in my opinion, the wrong way; you should also always mention that several things are fixable. In our case, IPSec is not really dead.
I think the masses already have a lot of choices and alternatives to the mainstream programs. The problem is rather that using alternative tools puts you in a bad position, because you might be the only one in your circle of friends who cares about it, so the overall mission seems to be to spread the word. privacytools.io and other pages are not bad for quickly showing uninterested people why they should consider making the switch as soon as possible, but in my point of view this is not enough anymore: you should constantly monitor current events and react quickly to keep up with the reported vulnerabilities or recently found security-relevant things.