XKeyscore

Q. – WTF happened now?

A. – Well, the Snowden NSA leak revelations just keep rolling out from Glenn Greenwald at The Guardian. More specifically, there was another new one today covering an NSA program called XKeyscore.

I have to say I love the way this is playing out. Leaked info gets published, public officials react, downplay, and deny capabilities, then more leaked info comes out negating those reactions and denials. Officials are being given just enough rope to verbally hang themselves again and again. It’s beautiful!

Anywhoo, one of the things revealed in today’s news about XKeyscore is the practice of watching for VPN and encryption usage in the process of identifying targets.

Q. – Ok so I use a VPN, what does this mean and do I need to pack for GITMO?

A. – So what the hell can you do to make yourself less likely to be singled out for deeper monitoring as a VPN user?

You could of course use nothing at all, but then you’re still wide open. A VPN is still really one of the best defences we have right now, so we have to make the best of it, combined with being more conscious of our habits.

Now from the Guardian slideshow released, the whole operational aspect of the XKeyscore system seems to be about systematically narrowing down targets through incredibly powerful, deep, and complex cross-referencing capabilities. With that in mind, the more difficult and obscure you make it for someone to narrow down your specific activity, the more likely they are to take a pass on looking closer at your data.

The TL;DR version of how to help guard against some of this is really to use your VPN and other encryption methods more often, not less, and to be more aware of the habits surrounding its usage. Sure you’ll still be a target, but a less discernible one.

Q. – Heh?

A. – If you only use a VPN once in a while and only small chunks of your datastream are encrypted or tunneled through a VPN, those chunks stand out and become bigger targets. By contrast, if all or most of your data is encrypted, nothing in particular is suspicious or easy to zero in on. They don’t really know what to look for and the dataset is larger. On a more meta scale, the more people who do the same thing, the better.

A prime comparison is walking into a person’s house and seeing a huge combination safe in the middle of the room. The first thing you’re going to think is “What’s in the safe?!”. On the other hand, if everything including groceries is locked up in safes around the house, and the house itself is one giant safe, narrowing down anything suspicious to look at becomes tough. To an observer you’re just a paranoid weirdo, nothing more.

The same goes for all your bits of data flying across the tubes™. The more you have encrypted, the less likely any one thing stands out, and it’s a lot more work to sift through and investigate all of it.

The mere fact that you’re using encryption might be suspicious to someone, but it’s still encrypted and isn’t as suspicious as someone connecting to a VPN for just an hour when they normally don’t use one.

The point is, make it a normal habit to use a VPN and other encrypted platforms. Don’t suddenly throw up a big flag on a tiny stream of data. That essentially says “Heyoo there! Look at me!”. Think about it from an NSA analyst’s point of view. What’s a juicier target to focus on? A short abnormal burst of encrypted data running through a VPN, or a large endless stream of VPN data? The latter is too vague and could be anything, so the abnormal burst is what you’d likely focus on.

Q. – Can the NSA ninja-crack my VPN encryption?

A. – Ok so yeah there’s the issue of VPN encryption itself. Can the NSA crack it? I suppose it’s hard to say for sure, but here’s an educated guess…

As long as you’re using a strong protocol like OpenVPN or L2TP (not PPTP), it’s unlikely the NSA could just straight up decrypt the raw VPN traffic without some other means. Existing computer technology is still too weak for that and none of these leaks indicate that as a real widespread possibility.

So no, the more likely way they’d be able to decrypt your traffic is by exploiting some other vulnerable link in the chain as implied by the leaked slides, or by using XKeyscore itself to dig for something careless and stupid you did, like accidentally backing up your VPN keys, certs, or passwords to a cloud service like Dropbox. (Protip: don’t do that)

Even still, a big hurdle for NSA eavesdropping is that most VPN configurations are commonly set to renegotiate client keys at regular intervals (15, 30, 60 minutes, etc.). An AirVPN staff member addressed this as well on their forums saying:

“the unsolvable problem for NSA in this case is that our customers’ client keys for OpenVPN Data Channel encryption are re-negotiated at each new connection AND every 60 minutes (essentially the core of Perfect Forward Secrecy). Customers can also lower the TLS re-keying interval on the client side.”
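How a client-side setting interacts with the provider's 60-minute interval, as an added example that is not from the original post or from AirVPN: in OpenVPN the directive is `reneg-sec` (default 3600 seconds), and whichever peer has the lower non-zero value triggers the renegotiation. The sample configs, the placeholder host `vpn.example.net` and the function names are constructed for illustration.

```python
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN's documented default for reneg-sec

# Constructed client configs (vpn.example.net is a placeholder host).
BASE = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
LOWERED = BASE + "reneg-sec 900   # re-key every 15 minutes\n"
DISABLED = BASE + "reneg-sec 0\n"

def client_reneg_sec(config_text):
    """Return the client's reneg-sec in seconds; 0 means time-based re-keying is off."""
    value = DEFAULT_RENEG_SEC
    for raw in config_text.splitlines():
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # strip comments
        if len(parts) >= 2 and parts[0] == "reneg-sec" and parts[1].isdigit():
            value = int(parts[1])  # this example keeps the last occurrence
    return value

def effective_interval(client_sec, server_sec):
    """The peer with the lower non-zero value triggers renegotiation first."""
    active = [s for s in (client_sec, server_sec) if s > 0]
    return min(active) if active else 0

def audit(config_text, server_sec=3600):
    """Return (effective seconds, findings) for a client config and server setting."""
    client = client_reneg_sec(config_text)
    effective = effective_interval(client, server_sec)
    findings = []
    if client == 0:
        findings.append("client turned off time-based re-keying")
    if effective == 0:
        findings.append("no time-based re-keying on either side")
    elif effective > 3600:
        findings.append("keys live longer than 60 minutes")
    return effective, findings
```

With the server at 3600 seconds, `audit(LOWERED)` gives an effective interval of 900 seconds, while `audit(DISABLED)` still gives 3600 because the server side keeps re-keying.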

Q. – My drunk uncle says the NSA has quantum computing. Do they?

A. – Fun to think about, but again not likely. That’s such a holy grail of computing technology and with so many people working on it, it’s hard to imagine that big of a breakthrough could remain secret for long these days. Possible? My tinfoil hat says I want to believe, but reality says it’s a wild stretch and probably impossible for that to exist at this point in time. One would also think if any single government had that capability, foreign relations would be a ridiculously insane shitstorm right now, as it would bust all existing encryption wide open.

Q. – What else can I do besides move to another planet?

A. – For the average user:

  1. Use a VPN more often for a higher percentage of your traffic. Try to use it for pretty much everything you can. The exception would mainly be things like banking. Paypal, banks, credit card processors, etc. tend to freak the hell out if they detect you’re logging into your account via VPN.
  2. Keep an ultra tight lid on access to any of your VPN user keys, certs, passwords, client area login details, etc. And when downloading keys and certs, double check to make sure it’s over an SSL (HTTPS) connection. Most VPN providers are good about always redirecting your browser to HTTPS for the client areas of their sites, but some sloppy ones may not be.
  3. Don’t reuse passwords or use similar passwords…ever! This is bad practice in general, but even more so in relation to this program.
  4. Use anti-tracking extensions in your browser to reduce cookie and other types of tracking (another key part used in XKeyscore). Adblock Plus, NoScript, Ghostery, DNTMe, HTTPS Everywhere, Vanilla Cookie Manager, etc. are all great choices to look at installing and using.
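A check for the mistake mentioned earlier (VPN keys, certs or passwords ending up in a cloud-synced folder) and for item 2 above, as an added example that is not part of the original post: it walks a folder and reports files that contain private-key material or point at a stored credentials file. The patterns cover common OpenVPN artefacts only, and the sample files are constructed.

```python
import os
import re
import stat
import tempfile

# Byte patterns for secrets an OpenVPN user typically holds.
PATTERNS = {
    "PEM private key": re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "OpenVPN static key": re.compile(rb"-----BEGIN OpenVPN Static key V1-----"),
    "inline <key> block": re.compile(rb"^\s*<key>\s*$", re.M),
    "stored credentials file": re.compile(rb"^\s*auth-user-pass[ \t]+\S+", re.M),
}

def scan_file(path):
    """Return the kinds of secret found in one file (empty list if none)."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # key and config files are small
    hits = [name for name, rx in PATTERNS.items() if rx.search(data)]
    # A secret that group/other can read is a second problem on shared machines.
    if hits and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        hits.append("readable by group/other")
    return hits

def scan_tree(root):
    """Walk a synced folder; map relative path -> findings for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                hits = [] if os.path.islink(full) else scan_file(full)
            except OSError:
                continue  # unreadable file, nothing to report
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a constructed 'synced folder' built in a temp dir (sample data only)."""
    samples = {
        "notes.txt": b"grocery list\n",
        "client.ovpn": b"client\n<key>\n-----BEGIN PRIVATE KEY-----\nxx\n</key>\n",
        "login.ovpn": b"client\nauth-user-pass pass.txt\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o600)
        return scan_tree(root)
```

To use it for real, call `scan_tree()` on the local path of the synced folder; anything it reports belongs outside that folder.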

Additional steps for the more paranoid:

  1. Use Tor when connecting to a VPN. This has limits though, as Tor isn’t suitable for high speeds (especially not torrenting) and doesn’t encrypt all your traffic unless configured properly. This might not be good for routine use and really just depends what you get up to online.
  2. Pay for your VPN anonymously with bitcoin.
  3. Double up and use 2 high speed VPNs on top of each other by using a different protocol for each (L2TP for one, OpenVPN for the other). Even if it’s known that you’re a user of both, decrypting the actual activity behind it becomes more difficult.

Published by vpnadmin

1 Comment

  1. With all the warnings about hackers, identity theft, etc., and all the spam email and phishing calls I get, I am concerned about internet use, and was considering a VPN.

    But I want the option to be able to complete the Census and other government surveys online, and based on your article about banks, etc. not being compatible with VPN, I assume that would also be the case for working on government websites to complete government census and other surveys.

    Is that correct?

    Is that also the case with a Firewall?

    Is it really safe to complete a sensitive-info census online even though it’s on a government website?

    I use an Android laptop with Win. 10. I am far from being a “tecchy” tech so I need an answer in simple terms.

