How NSA access was built into Windows

77 replies to this topic

#46 JonnyLH

JonnyLH

    I say things.

  • 1,226 posts
  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 26 June 2013 - 13:58

So you're not on about NAT as a security mechanism... That's so disingenuous. Especially since you're now claiming that it's in relation to a cryptographic backdoor as described in OP. Laughable.

You have not laid down any technical explanation of why you're correct, or evidence that calls that quote or link into question. All you've done is brag and say trust me.

Dude, your sources back me up. NAT Pinning, an attack I looked into while designing CG-NAT, is prompted by calling a service on a port which then is open to communicate with that client. That's what your sources say, so why should I find more sources when you don't understand yours to begin with?

 

It doesn't need much explaining. Even if there was a "backdoor" in Windows, they wouldn't be able to remotely call most computers around the world because they sit behind a NAT. Simple.




#47 thomastmc

thomastmc

    Unofficial Attorney of Neowin

  • 1,329 posts
  • Joined: 18-July 12
  • Location: Kansas City
  • OS: Windows 8.1 Pro
  • Phone: Lumia 928

Posted 26 June 2013 - 16:13


Dude, your sources back me up. NAT Pinning, an attack I looked into while designing CG-NAT, is prompted by calling a service on a port which then is open to communicate with that client. That's what your sources say, so why should I find more sources when you don't understand yours to begin with?
 
It doesn't need much explaining. Even if there was a "backdoor" in Windows, they wouldn't be able to remotely call most computers around the world because they sit behind a NAT. Simple.

 

You can't even remember what you said on page 2 by the time you got to page 3, and it's in writing for you. Then you claimed you just didn't give a toss what the content of your posts were, (as you explain how intelligent and educated you are). Then you claim that this convo isn't about NAT security, but rather about NAT security, relating to cryptographic backdoors. My sources were all bunk, but now they back you up.

NATs can't be hacked from the outside... Sure, sure. Whatever you say Jonny :) I won't hold you back from your very important job anymore.



#48 Innuendo

Innuendo

    Neowinian

  • 233 posts
  • Joined: 01-June 02

Posted 26 June 2013 - 21:25

Really, my job positions tell me otherwise. Ran a hosting company when I was 14 and worked at 3 of the top ISPs in the UK and I'm only 21.

 

Dude, I know you think this statement is making you look knowledgeable, but all I see is you've had 4 jobs in 7 years.

 

Without any background as to why you quit running your hosting company or why you worked at 3 different ISPs, all this tells us is you have trouble holding a job.

 

If you behave at work like you have in this thread then I can see why you've changed jobs so much.



#49 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 26 June 2013 - 22:16

Well from my experience, running a hosting company was something anyone could do a few years ago, leaving him with 3 real jobs probably in a lot less than 7 years, and those jobs could be anything, based on age and experience probably support...

 

On that note, everyone in this thread is wrong and correct though...but everyone is too stubborn to change ;)



#50 JonnyLH

JonnyLH

    I say things.

  • 1,226 posts
  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 27 June 2013 - 08:15

You can't even remember what you said on page 2 by the time you got to page 3, and it's in writing for you. Then you claimed you just didn't give a toss what the content of your posts were, (as you explain how intelligent and educated you are). Then you claim that this convo isn't about NAT security, but rather about NAT security, relating to cryptographic backdoors. My sources were all bunk, but now they back you up.

NATs can't be hacked from the outside... Sure, sure. Whatever you say Jonny :) I won't hold you back from your very important job anymore.

Still haven't given any evidence to prove me wrong. I never said your sources were wrong, just over explaining a simple fact.

 

Dude, I know you think this statement is making you look knowledgeable, but all I see is you've had 4 jobs in 7 years.

 

Without any background as to why you quit running your hosting company or why you worked at 3 different ISPs, all this tells us is you have trouble holding a job.

 

If you behave at work like you have in this thread then I can see why you've changed jobs so much.

It gives my statements more weight because it's knowledge I use on a daily basis in my profession. The first two jobs were temporary contracts on which I moved away from my place of study during summer. Those places of work were interested in keeping me on after my place of study, which is something I have to think about. The position I'm currently at now is my year placement in which I was offered a permanent place in my position with a pay rise. I'll be returning back to study but working part-time at my current position, which is a first for the company. I've also received 2 pay rises and 2 substantial bonuses in 6 months for the money I've saved them.

 

If you've worked in IT and engineering places, you'd realise there's plenty of temporary contract positions and contractors. Here we see a mostly new engineering department every 6 months. 

 

Well from my experience, running a hosting company was something anyone could do a few years ago, leaving him with 3 real jobs probably in a lot less than 7 years, and those jobs could be anything, based on age and experience probably support...

 

On that note, everyone in this thread is wrong and correct though...but everyone is too stubborn to change ;)

When I did hosting, it was a free hosting service. The hosting company was something very small to begin with but it gained a lot of credit and I ended up selling it on for quite a nice fee when I couldn't give enough time to pursue it. When I finished with it, it was spread across 3 dedicated servers which I owned at 16. This experience gave me a lot to talk about during interviews and a lot to go with.

 

I even created my own client management system dedicated for free-hosting which is still used widely to this day across the free hosting market. 

http://thehostingtool.com. I launched that website in 2008 when I was 16. 

 

Sorry for being a professional giving my own experience to add to a discussion regarding something quite sensitive. I love how I have to defend myself on some information regarding NAT which is quite frankly, simple knowledge. The integrity of my whole past comes into question by some buffoon who knows how to put "NAT Attacks" in Google to get his source. Yes, it's the first result on the page. Yet someone who has rolled out two CG-NAT implementations nationally in the UK for ISPs, implemented a new traffic management system and looked at IPv6 deployment for all customers doesn't know what they're talking about.

 

I'm going to put it in the easiest simplest statement possible.

 

When your home gateway receives a packet which hasn't had an outbound packet from your LAN, it drops it. This is due to the fact that when your client sends a packet, your router stores the information of who and what type of information it sent. When it receives a reply back, your router knows which computer to send the packet to because it's remembered the information from when your machine sent it out. Without that information, it hasn't got a clue where to send it, so it drops it. The only technical way for your router to get round that is by broadcasting the reply it receives to the whole LAN. This is a huge security risk and a traffic hogger, hence why it's not done and it's not specified in the RFC.

 

If you ran a Minecraft server and you wanted people to connect to it and you're behind a NAT, you have to port forward. This means when your gateway ever receives Minecraft traffic, it always sends it to that machine you specified in the port-forward. It's the EXACT same principle.

 

Source: http://tools.ietf.org/html/rfc4787

 

That is basic NAT knowledge, it's very simple CCNA NAT information.
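
Added example, not part of the original post or thread: a toy Python model of the gateway behaviour described in post #50 (state table, dropped unsolicited packets, port forwarding), extended with the three filtering behaviours that RFC 4787 defines. The class, the function names and every address are constructed for illustration.

```python
# Added illustration: toy NAT gateway state table; every address is constructed.
from dataclasses import dataclass, field
EIF, ADF, APDF = "endpoint-independent", "address-dependent", "address-and-port-dependent"

@dataclass
class Nat:
    filtering: str = APDF
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # (lan_ip, lan_port) -> external port
    reverse: dict = field(default_factory=dict)    # external port -> (lan_ip, lan_port)
    contacted: dict = field(default_factory=dict)  # external port -> remotes the LAN host sent to
    forwards: dict = field(default_factory=dict)   # static port forwards: external port -> LAN host

    def outbound(self, src, dst):
        """A LAN host sends a packet: create or reuse its mapping, remember the destination."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.reverse[self.next_port] = src
            self.next_port += 1
        ext_port = self.mappings[src]
        self.contacted.setdefault(ext_port, set()).add(dst)
        return ext_port

    def inbound(self, remote, ext_port):
        """Return the LAN (ip, port) a WAN packet is delivered to, or None if it is dropped."""
        if ext_port in self.forwards:        # port forward: always delivered
            return self.forwards[ext_port]
        if ext_port not in self.reverse:     # no state at all: nowhere to send it
            return None
        seen = self.contacted[ext_port]
        if self.filtering == EIF:            # any remote may use an existing mapping
            return self.reverse[ext_port]
        if self.filtering == ADF:            # remote IP must have been contacted before
            return self.reverse[ext_port] if any(ip == remote[0] for ip, _ in seen) else None
        return self.reverse[ext_port] if remote in seen else None  # exact IP and port

def demo(filtering):
    """Run the same constructed traffic through a gateway with the given filtering mode."""
    nat = Nat(filtering=filtering)
    pc, server = ("192.168.1.10", 5000), ("203.0.113.5", 53)
    stranger = ("198.51.100.7", 4444)
    port = nat.outbound(pc, server)                    # LAN host talks first
    nat.forwards[25565] = ("192.168.1.20", 25565)      # manual port forward
    return {
        "reply_from_server": nat.inbound(server, port),
        "server_other_port": nat.inbound((server[0], 9999), port),
        "stranger_mapped_port": nat.inbound(stranger, port),
        "stranger_unmapped_port": nat.inbound(stranger, 41000),
        "stranger_forwarded_port": nat.inbound(stranger, 25565),
    }

if __name__ == "__main__":
    for mode in (APDF, ADF, EIF):
        print(mode, demo(mode))
```

In the endpoint-independent mode the mapped port accepts packets from any remote endpoint for as long as the mapping lives, so what reaches the LAN host depends on the gateway's filtering policy and not on address translation by itself.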



#51 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 27 June 2013 - 11:48

then you turn on UPnP or IPv6 and your theory breaks :)

 

there's a few other targeted attacks that would break it too. granted an attack using UPnP would mostly need to be targeted anyway, or it would first need to bomb the router to find what ports are open which in many routers would block it anyway, and even if it finds an open port it would need an attack vector on that port. so UPnP isn't really a problem.



#52 JonnyLH

JonnyLH

    I say things.

  • 1,226 posts
  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 27 June 2013 - 13:30

then you turn on UPnP or IPv6 and your theory breaks :)

 

there's a few other targeted attacks that would break it too. granted an attack using UPnP would mostly need to be targeted anyway, or it would first need to bomb the router to find what ports are open which in many routers would block it anyway, and even if it finds an open port it would need an attack vector on that port. so UPnP isn't really a problem.

UPnP is initialized by the client which sends a packet to the router letting it know about its intentions. This lets the router know that if it receives traffic for a certain protocol, send it to this machine or that machine. It's just an automated port-forwarding protocol.

 

IPv6 gives everyone a public address. Completely different to the subject matter. IPv6 allows the internet to be what it was designed to be, an all connected network. That invalidates all my statements regarding NAT because every client is directly reachable and NAT isn't existing on those networks. Although, there's very few ISPs which actually provide CPEs which are IPv6 and IPv4 supporting, let alone give them both an address. You're probably looking at 20~ years before IPv6 becomes the norm. Especially when more providers are investing in CG-NAT rather than a correct IPv6 deployment.



#53 +DonC

DonC

    Neowinian

  • 996 posts
  • Joined: 16-August 07
  • Location: England

Posted 27 June 2013 - 13:50

You know, the original article was about the NSA and a supposed back door in Windows.  NAT is a side issue.  How about you consider the scenario of a Starbucks or Internet café with free WI-FI instead.

 

Even though I was taken for a ride by the purpose of NSAKEY in my post on page 1, the rest of my post stands IMHO.  You'd have to have no understanding of the technicalities of Windows to think that the details as posted would give secret remote access.



#54 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 27 June 2013 - 16:02

UPnP is initialized by the client which sends a packet to the router letting it know about its intentions. This lets the router know that if it receives traffic for a certain protocol, send it to this machine or that machine. It's just an automated port-forwarding protocol.

 

IPv6 gives everyone a public address. Completely different to the subject matter. IPv6 allows the internet to be what it was designed to be, an all connected network. That invalidates all my statements regarding NAT because every client is directly reachable and NAT isn't existing on those networks. Although, there's very few ISPs which actually provide CPEs which are IPv6 and IPv4 supporting, let alone give them both an address. You're probably looking at 20~ years before IPv6 becomes the norm. Especially when more providers are investing in CG-NAT rather than a correct IPv6 deployment.

UPnP opens the port, it doesn't care about the data outside of UDP and TCP. 

 

Problem with IPv6, is while it restores the internet to what it's supposed to be, a lot of tech wannabes don't understand the implication of it, and the tech idiots don't understand it anyway and their ISP never tells them, granted that category of users will have their windows or internet security firewall on anyway. 


You know, the original article was about the NSA and a supposed back door in Windows.  NAT is a side issue.  How about you consider the scenario of a Starbucks or Internet café with free WI-FI instead.

 

Even though I was taken for a ride by the purpose of NSAKEY in my post on page 1, the rest of my post stands IMHO.  You'd have to have no understanding of the technicalities of Windows to think that the details as posted would give secret remote access.

 

 

You have to understand that these articles are made for two kinds of people. The techies who are also paranoid conspiracy theorists who will ignore all their tech knowledge if there's a conspiracy theory they can apply instead. and then there's the tech idiots, also known as regular people, who just don't know better and think tech conspiracy nut journalists who don't know anything about the tech they're writing about are more trustworthy than their actual tech specialists locally. 



#55 thomastmc

thomastmc

    Unofficial Attorney of Neowin

  • 1,329 posts
  • Joined: 18-July 12
  • Location: Kansas City
  • OS: Windows 8.1 Pro
  • Phone: Lumia 928

Posted 27 June 2013 - 18:00

Still haven't given any evidence to prove me wrong. I never said your sources were wrong, just over explaining a simple fact.

 

So, could you please explain how it is impossible to hijack a connection and/or relay a spoofed malicious packet to a member of the internal network relying on NAT alone?



#56 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 27 June 2013 - 18:51

So, could you please explain how it is impossible to hijack a connection and/or relay a spoofed malicious packet to a member of the internal network relying on NAT alone?

 

 

That would be what I referred to as a targeted attack earlier. it's "nearly" impossible to defend yourself against a targeted attack by a dedicated and skilled hacker with enough time, with consumer grade equipment. 



#57 thomastmc

thomastmc

    Unofficial Attorney of Neowin

  • 1,329 posts
  • Joined: 18-July 12
  • Location: Kansas City
  • OS: Windows 8.1 Pro
  • Phone: Lumia 928

Posted 27 June 2013 - 19:05

That would be what I referred to as a targeted attack earlier. it's "nearly" impossible to defend yourself against a targeted attack by a dedicated and skilled hacker with enough time, with consumer grade equipment. 

 

I absolutely agree. I've always heard from friends I trust on security that nothing is truly secure, it's just degrees of difficulty. I would also assume that the NSA is capable of the greatest degree of difficulty possible.

 

It's my contention as well that the operative mechanism in defending against any sophisticated attack would be the firewall, intrusion detection, etc., not the NAT.



#58 +DonC

DonC

    Neowinian

  • 996 posts
  • Joined: 16-August 07
  • Location: England

Posted 27 June 2013 - 19:12

NAT is not a security measure. A good summary of why NAT is a bad idea, including the security issues, is given in RFC 4966: "Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status."

 

http://www.ietf.org/rfc/rfc4966.txt



#59 primexx

primexx

    Neowinian Senior

  • 12,737 posts
  • Joined: 24-April 05

Posted 27 June 2013 - 19:20

This NSAKEY thing was all over the place when it was discovered. Turns out, it doesn't actually mean what OP says it means.



#60 nullie

nullie

    Neowinian

  • 822 posts
  • Joined: 04-June 03
  • Location: Springfield, OR

Posted 27 June 2013 - 21:46

This NSAKEY thing was all over the place when it was discovered. Turns out, it doesn't actually mean what OP says it means.

there's only a few things that it could actually do. and plus, I am sure the NSA has access to the Windows source code and kernel directly. knowing them, they have deals with Intel and AMD to have debug access on the CPUs which would allow them to bypass any protection mechanism or code isolation on a computer, giving them super root access regardless of OS settings. there is no limit to how far the NSA goes with this, asking and getting backdoors into things.

 

but what proof do you have that the NSA keys don't give access to decryption and password cracking capabilities? if all the NSA wanted was to protect their own systems or network, they could install their own keys on the side like everyone else. this is definitely backdoor access type **** into how Windows handles encryption.

 

you know, it's possible that there can be more than one key that can decrypt a certain crypto; possible that Windows has built in backdoors like this for the NSA. like I said, they also think OpenSSL has backdoors like this. that no one knows if the code is secure or not because it's impossible to tell.