Adventures in Contacting the Russian FSB

boomzilla

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB's website said in order…

This kinda makes sense:

James said that given their position, he could see why many antivirus products might think it’s malware.

“Since they won’t use our crypto and we won’t use theirs,” James said. “It’s a great explanation on political weirdness with crypto.”

Gribnit

@boomzilla in short - go ahead and cooperate with the FSB, their tech is a little weird but at least they're not communists like the FBI, and we can all have a great August.

Carnage

@boomzilla said in Adventures in Contacting the Russian FSB:

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB's website said in order…

This kinda makes sense:

James said that given their position, he could see why many antivirus products might think it’s malware.

“Since they won’t use our crypto and we won’t use theirs,” James said. “It’s a great explanation on political weirdness with crypto.”

Makes perfect sense for the Russians not to trust anything that the US TLAs have had their fingers in. And not terribly surprising it's a very strange concoction.

aitap

TFA:

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.

So why didn't Krebs use that website instead? After all, it's exactly tailored to his use-case and even has instructions in English. And there's always the K department of Ministry of Internal Affairs which specialises in computer-related crimes and can be contacted via simple HTTPS over clearnet.

Carnage

@aitap said in Adventures in Contacting the Russian FSB:

TFA:

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.

So why didn't Krebs use that website instead? After all, it's exactly tailored to his use-case and even has instructions in English. And there's always the K department of Ministry of Internal Affairs which specialises in computer-related crimes and can be contacted via simple HTTPS over clearnet.

It's amusing they picked tor, as tor is definitely compromised.

boomzilla

@aitap said in Adventures in Contacting the Russian FSB:

So why didn't Krebs use that website instead?

Ahem:

After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.

topspin

@Carnage said in Adventures in Contacting the Russian FSB:

It's amusing they picked tor, as tor is definitely compromised.

But they're probably running as many compromised exit nodes as the US side, so they're well aware.

aitap

@topspin To be fair, it's a hidden service, which doesn't require exit nodes to function, only relays.

bobjanova

Makes sense that Russian government agencies, especially the FSB, wouldn't trust internet cryptography software written by American corporations. Though if all you want is a contact form, they could just serve that over HTTP, or provide an email address.

Gribnit

@bobjanova said in Adventures in Contacting the Russian FSB:

Makes sense that Russian government agencies, especially the FSB, wouldn't trust internet cryptography software written by American corporations. Though if all you want is a contact form, they could just serve that over HTTP, or provide an email address.

Yeah. But given the pragma that US government institutions are the least trustworthy, and further that the enemy of your enemy is your friend, I see no reason for you not to accept a RAT from the FSB.

error

@bobjanova said in Adventures in Contacting the Russian FSB:

Makes sense that Russian government agencies, especially the FSB, wouldn't trust internet cryptography software written by American corporations. Though if all you want is a contact form, they could just serve that over HTTP, or provide an email address.

Even if you (wrongly) assume there's some backdoor built in to HTTPS cryptography that the US government has the secret key to, it's still absolutely better than plain HTTP for 100% of other possible eavesdroppers.

VPN or HTTPS?

Filed under: I leave my house unlocked because I don't trust locksmiths.

Gurth

@bobjanova said in Adventures in Contacting the Russian FSB:

Makes sense that Russian government agencies, especially the FSB, wouldn't trust internet cryptography software written by American corporations

Aren’t the details of this kind of encryption publicly available? I would think that if you’re an agency that is heavily involved with encryption, you will have the knowledge to go over the specs and implementations to see if they are as good as they claim. Or at least, that nobody put in the kinds of backdoors you would if you had designed the system.

topspin

@Gurth said in Adventures in Contacting the Russian FSB:

@bobjanova said in Adventures in Contacting the Russian FSB:

Makes sense that Russian government agencies, especially the FSB, wouldn't trust internet cryptography software written by American corporations

Aren’t the details of this kind of encryption publicly available? I would think that if you’re an agency that is heavily involved with encryption, you will have the knowledge to go over the specs and implementations to see if they are as good as they claim. Or at least, that nobody put in the kinds of backdoors you would if you had designed the system.

The thing is that the backdoor can be designed in such a way that without the secret knowledge you cannot actually tell:

Dual_EC_DRBG - Wikipedia

One of the weaknesses publicly identified was the potential of the algorithm to harbour a kleptographic backdoor advantageous to those who know about it—the United States government's National Security Agency (NSA)—and no one else.

In many other standards, constants that are meant to be arbitrary are chosen by the nothing up my sleeve number principle, where they are derived from pi or similar mathematical constants in a way that leaves little room for adjustment. However, Dual_EC_DRBG did not specify how the default P and Q constants were chosen, possibly because they were constructed by NSA to be backdoored.

Gurth

@topspin Could well be that plays a part in it. I suspect the real reason, though, is NIH-mentality coupled to political decisions not based in much real knowledge about the subject at hand (which is a pleonasm, of course).