Re: German Government claims to be able to break PGP and SSH
>Peter Laufenberg wrote: > >> My German's rusty but the follow-up article quoting Symantec mentions >> spyware/keylogging, which has been the traditional "technique" used in >> in the past. > >But that's for targeted surveillance. They still cast a wide net: on ccc.de there's a detailed report of one target wanking to phone-sex. >The original article refers >to a bulk grep of 16,400 search terms over 37 million e-mail messages. I just read the PDF, in 2010 they dumped a raw IP stream from which they extracted individual emails (90% spam) in which they searched for words like "bomb". High-tech stuff. The one-sentence answer about PGP has so many qualifiers that only an idiot would read it as a blanket success claim, the gov official was probably puzzled by the question's "half-pregnant" formulation. Golem seem to have buried their story in an embarrassed rush; whoever came up with the title must be flipping BratwC
Re: German Government claims to be able to break PGP and SSH
Peter Laufenberg wrote: > My German's rusty but the follow-up article quoting Symantec mentions > spyware/keylogging, which has been the traditional "technique" used in > in the past. But that's for targeted surveillance. The original article refers to a bulk grep of 16,400 search terms over 37 million e-mail messages. I would not in the least be surprised if a caesar chiffre successfully defended against this. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: German Government claims to be able to break PGP and SSH
>car + eimer? ay carambas?!! "Autoeimer", with unlimited strcat() known to overflow students' brains. Yes the "Bundestrojaner". I pictured a fat politician's soggy condom on the back of his doggy-style mistress: "one for the country!" Mild stuff considering German pr0n culture. -- p >On Thu, May 24, 2012 at 10:13 PM, Stuart VanZee >wrote: What do you guys think about the reliability of the news (unfortunatelly in German only) on www.golem.de >>> >>>My German's rusty but the follow-up article quoting Symantec mentions >> spyware/keylogging, which has been the >traditional "technique" used in >> in the past. >>> >>>-- p >> >> Quick, someone, how do you say autobucket in German! >> >> s
Re: German Government claims to be able to break PGP and SSH
car + eimer? ay carambas?!! On Thu, May 24, 2012 at 10:13 PM, Stuart VanZee wrote: >>>What do you guys think about the reliability of the news >>>(unfortunatelly in German only) on www.golem.de >> >>My German's rusty but the follow-up article quoting Symantec mentions > spyware/keylogging, which has been the >traditional "technique" used in > in the past. >> >>-- p > > Quick, someone, how do you say autobucket in German! > > s > -- joe gain jacob-burckhardt-str. 16 78464 konstanz germany +49 (0)7531 60389 (...otherwise in ???)
Re: German Government claims to be able to break PGP and SSH
>>What do you guys think about the reliability of the news >>(unfortunatelly in German only) on www.golem.de > >My German's rusty but the follow-up article quoting Symantec mentions spyware/keylogging, which has been the >traditional "technique" used in in the past. > >-- p Quick, someone, how do you say autobucket in German! s
Re: German Government claims to be able to break PGP and SSH
Peter Laufenberg wrote: What do you guys think about the reliability of the news (unfortunatelly in German only) on www.golem.de My German's rusty but the follow-up article quoting Symantec mentions spyware/keylogging, which has been the traditional "technique" used in in the past. Yes, that's what the "Bundestrojaner" is for :) Best regards, Mikkel C. Simonsen
Re: German Government claims to be able to break PGP and SSH
>What do you guys think about the reliability of the news (unfortunatelly >in German only) on www.golem.de My German's rusty but the follow-up article quoting Symantec mentions spyware/keylogging, which has been the traditional "technique" used in in the past. -- p
Re: German Government claims to be able to break PGP and SSH
On 2012-05-24 14:00:01 naddy () mips ! inka ! de (Christian Weisgerber) wrote: > Stefan Wollny wrote: > > > that the German government claims to be able to break PGP and SSH. > > I think you have to be cluelessly paranoid to read such a claim > into a meaningless statement. > > > Question: > > "3. Is the technique used also able to at least in part decode and/or > > analyze encrypted communication (e.g. by SSH of PGP)?" > > > > Answer: > > "Yes, the technique used is in principle able to do this, depending on > > the way and quality of the encryption." > > As Buffy would say: Can you you vague that up for me? > > > Is this some sort of Governmental FUD by just NOT adding s.th. like "if > > the password/passphrase is weak enough"? > > Yes. > > Actually, no. The term FUD would imply intentional disinformation. > The intelligence agencies' ability to decode ROT13, filtered through > layers of management who don't understand anything about crypto, > would be fully consistent with an honestly given answer like the > one above. > > -- > Christian "naddy" Weisgerber na...@mips.inka.de > And of course, the German security services are pleased as punch to give a precise answer to this question in public. Just the way US Naval Intelligence was so proud to get public credit for breaking Japanese codes in 1942 while the war was still going on. Ed Ahlsen-Girard
Re: German Government claims to be able to break PGP and SSH
You wrote: > Hi there! > > What do you guys think about the reliability of the news (unfortunatelly > in German only) on www.golem.de > (http://www.golem.de/news/bundesregierung-deutsche-geheimdienste-koennen-pgp- > entschluesseln-1205-92031.html) that the German government claims to be > able to break PGP and SSH. The official answer to some MPs and the party > "Die Linke" is here: > http://www.andrej-hunko.de/start/download/doc_download/225-strategische-fernm > eldeaufklaerung-durch-geheimdienste-des-bundes > > For the non-German speaking (found on page 3 of the official document): > > Question: > "3. Is the technique used also able to at least in part decode and/or > analyze encrypted communication (e.g. by SSH of PGP)?" > > Answer: > "Yes, the technique used is in principle able to do this, Another theoretical attack? Yawn RC4? MD5? don't use them. > depending on the way and quality ^^^ 512 bit pubkeys, definitely factorable. 768 maybe. 1024 with the help of the MIBs. More than that, not for another 5-10 years. If you have the private key, weak passphrases are always susceptible to dictionary attacks. > Is this some sort of Governmental FUD by just NOT adding s.th. like "if > the password/passphrase is weak enough"? Can't read the article but sounds like FUD from what they answered. Password or passphrase has nothing to do with breaking PGP or SSH unless you have the user's private key. Only the length of the public key matters. Use 2048 bit keys and nobody is getting your plaintext without bashing your balls. -BEGIN PGP MESSAGE- jA0ECgMKIXIw0QVfan1g0lUBkJ3SZO7SlnfESJIKbRHgSr+1VlpnsD/zs6lephjt Xd8LKAMjYZIkTtgNdnusBSz4Y7H53sV4i8jvHSomZUi1F1dcQFIyUT9JZXnyrq8q JLJeyIHw =NcjT -END PGP MESSAGE-
Re: German Government claims to be able to break PGP and SSH
Stefan Wollny wrote: > that the German government claims to be able to break PGP and SSH. I think you have to be cluelessly paranoid to read such a claim into a meaningless statement. > Question: > "3. Is the technique used also able to at least in part decode and/or > analyze encrypted communication (e.g. by SSH of PGP)?" > > Answer: > "Yes, the technique used is in principle able to do this, depending on > the way and quality of the encryption." As Buffy would say: Can you you vague that up for me? > Is this some sort of Governmental FUD by just NOT adding s.th. like "if > the password/passphrase is weak enough"? Yes. Actually, no. The term FUD would imply intentional disinformation. The intelligence agencies' ability to decode ROT13, filtered through layers of management who don't understand anything about crypto, would be fully consistent with an honestly given answer like the one above. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: German Government claims to be able to break PGP and SSH
Hi Stefan, On May 24, 2012, at 2:26 PM, Stefan Wollny wrote: > Question: > "3. Is the technique used also able to at least in part decode and/or > analyze encrypted communication (e.g. by SSH of PGP)?" > > Answer: > "Yes, the technique used is in principle able to do this, depending on > the way and quality of the encryption." (Yepp - that's the complete > answer!) > > Is this some sort of Governmental FUD by just NOT adding s.th. like "if > the password/passphrase is weak enough"? I think the answer is very shallow and misguiding. There are only two ways to do this: (1) immediately via man-in-the-middle attacks, or (2) later decryption of recorded traffic. The first method is easily detectable, and the second method creates a lot of overhead in the long run. Storage, where to get private keys from, etc. Both of them offer full decryption, so I am not sure what the "partial decode and/or analyze" really means. The question is way too broad to get a precise answer. Of course you can decode SSH, but only on the protocol layer itself, not the payload. "Analyzing" encrypted protocols is easy, and it may raise a flag, but there is no way there's this thing that will read your emails on-the-fly even though you are using PGP. Franco
Re: German Government claims to be able to break PGP and SSH
On Thu, May 24, 2012 at 02:26:43PM +0200, Stefan Wollny wrote: > Hi there! > > What do you guys think about the reliability of the news (unfortunatelly > in German only) on www.golem.de > (http://www.golem.de/news/bundesregierung-deutsche-geheimdienste-koennen-pgp- > entschluesseln-1205-92031.html) that the German government claims to be > able to break PGP and SSH. The official answer to some MPs and the party > "Die Linke" is here: > http://www.andrej-hunko.de/start/download/doc_download/225-strategische-fernm > eldeaufklaerung-durch-geheimdienste-des-bundes > > For the non-German speaking (found on page 3 of the official document): > > Question: > "3. Is the technique used also able to at least in part decode and/or > analyze encrypted communication (e.g. by SSH of PGP)?" > > Answer: > "Yes, the technique used is in principle able to do this, depending on > the way and quality of the encryption." (Yepp - that's the complete > answer!) > > Is this some sort of Governmental FUD by just NOT adding s.th. like "if > the password/passphrase is weak enough"? Why, do you think, did they add the word "grundsdtzlich" (in principle) to their short answer? Wouldn't they look completely stupid and a waste of money if they said: "No, we're not able to decrypt SSH or PGP traffic/communication. We are incompetent clowns and all we can do is try to brute-force weak user passwords and install trojans to grab the key." That's not going to happen. > > STEFAN > > --- > Mail: ste...@wollny.de > Gnu PG-Key ID: 0x9C26F1D0
German Government claims to be able to break PGP and SSH
Hi there! What do you guys think about the reliability of the news (unfortunatelly in German only) on www.golem.de (http://www.golem.de/news/bundesregierung-deutsche-geheimdienste-koennen-pgp- entschluesseln-1205-92031.html) that the German government claims to be able to break PGP and SSH. The official answer to some MPs and the party "Die Linke" is here: http://www.andrej-hunko.de/start/download/doc_download/225-strategische-fernm eldeaufklaerung-durch-geheimdienste-des-bundes For the non-German speaking (found on page 3 of the official document): Question: "3. Is the technique used also able to at least in part decode and/or analyze encrypted communication (e.g. by SSH of PGP)?" Answer: "Yes, the technique used is in principle able to do this, depending on the way and quality of the encryption." (Yepp - that's the complete answer!) Is this some sort of Governmental FUD by just NOT adding s.th. like "if the password/passphrase is weak enough"? STEFAN --- Mail: ste...@wollny.de Gnu PG-Key ID: 0x9C26F1D0
