my heart bleeds for NSA and GCHQ, wholly still able to steal your passwords


So folks are happily patching the exploit-laden OpenSSL NSA engineered into open source a couple of years ago. Of course, it dumped memory. Now, folks are happily upgrading to the new NSA-engineered OpenSSL exploit, since the old one is widely known to others. And lots of boondoggle vendors are telling you to “check” which server centers have or have not updated (i.e. don’t use those who have not!), and to change your password!

Of course, your home router, which has the same bug and is not patched and never will be, is then still open to, ahem, a memory dumping mechanism on your passwords AS they transit over to the server farm.

OF COURSE, the (compromised home) router cannot see anything of the cleartext, since it’s got its SSL passthrough ports enabled and they duly pass through the information from the browser, encrypted end-to-end by server and browser!

Which is fine until you realize that the typical corporate browser learns its connect proxy automatically. Strange that, no? And it’s the corporate browser NSA wants (it wants you in work mode, not social mode, while socializing with other “workers of interest”).

So what is a connect proxy? It’s a way of offloading SSL to the (home) router, in the clear. The train tunnel starts at the home router (and heads for the server), that is. The path between your browser and your router is clear, and the memory of the router is full of the plaintext and the cryptovariable used to THEN establish the forward tunnel.

In general, American home routers are connected to broadband. Just as NASA Ames ran a huge intelligence collection infrastructure for NSA in the 1980s (to BRING BACK the exfil data) by having dedicated management ports on the then-internet backbone router (think admin port!), so too home routers are managed by the cable company – who can reflash the firmware whenever they want. This means they may participate on demand in connect path discovery, assuming the corp browser is set to be willing to try to find a happy spying port – which they all are!

What is fun about the US approach to stasification is the SHEER degree of the penetration, at multiple levels, through the society and its vendors. The UK approach is much less sophisticated technologically – and relies much more on deception and social engineering.

Which probably explains why so much money has been thrown in the UK at cybercenters hiring computer science-related psychologists.

About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!