Mysterious Company With Government Ties Plays Key Internet Role (washingtonpost.com) 67
whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.
The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared an unpaywalled link to the story.
I use G(overnment)mail for everything. (Score:1)
Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto?
Sure, why not? Everything else on the Internet is spied on like crazy, so what's another pair of prying eyes?
I'm still waiting (Score:3, Funny)
I'm still waiting for Honest Achmed's Used Cars And Certificates to become an approved rootCA.
Re: I'm still waiting (Score:4, Funny)
Re:CLEARLY ILLUMINATTI!1!!111 (Score:4, Funny)
Oh c'mon, you can't blame us for everything that happens to you, get real!
Re: (Score:1)
Re: (Score:3)
Erh... yes ... of course ... a joke ... he ... hehe...
Re: (Score:2)
Re: (Score:3)
Very true. Poe's Law [wikipedia.org] is not just for religion anymore.
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
Re: CLEARLY ILLUMINATTI!1!!111 (Score:2)
Re: CLEARLY ILLUMINATTI!1!!111 (Score:1)
Re: (Score:2)
FNORD!
Re: (Score:2)
Anytime more than one someone has influence and a motive they can't 100% disclose publicly drunk confession style there is a conspiracy. If history shows us anything it is that conspiracies aren't just real but common.
In the security world we know that trust networks are the most commonly successful attack vector. Everything has an opposite and destroying the trust networks opposing your interests is equally powerful. The best defense is universal skepticism.
Re: (Score:1)
MITM (Score:5, Interesting)
Re: (Score:2)
A pretty safe bet. Looks like a new Crypto AG that you're a customer of even if you never bought from them...
Re: (Score:2, Interesting)
Any bets that this is the government go-to company when they need a bogus cert to run MITM attacks?
Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.
Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you w
Re: (Score:1)
You're talking about the government using standover tactics to get issued a single certificate so that they can fake a particular domain name. OP is talking about spyware tools having Fiddler-like functionality and being able to silently MiTM every single "secure" web site those devices visit. There's a magnitude of difference between the two.
Apple, Google, Microsoft and Mozilla happily removed StartSSL from their Trusted Root certificate stores a few years ago based on nothing more than rumors of Chinese
Re: (Score:3, Interesting)
"If they have *not* removed TrustCor from their Trusted Root certificate stores by the end of the week you should be extremely concerned about what's going on."
Yes you should but even if they do you should remember the agencies would never build one when they can have two for just twice the price.
Re: (Score:2)
Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.
Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you will inform your other customers if such a request happens? If you want to flush out the stooge, perhaps see where the canary isn't singing so loudly.
It is a little more involved. It would require a writ from the court ordering the company to do something, and there is a legal question about whether that is enough.
And then if that worked, the false certificate once used publicly, destroys the credibility of the certificate authority.
Re: (Score:3)
"In a February 2022 court motion related to Michael Sussmann's prosecution, Durham alleged that Joffe and his associates had exploited access his company had through a pending cybersecurity contract with the Executive Office of the President (EOP) to acquire nonpublic government domain name system and other data traffic "for the purpose of gathering derogatory information about Donald Trump."[14][15] On March 4, 2022, Special counsel John Durham dropped these claims against Joffe.[16][17]
Durham also did not
Re: (Score:1)
Raymond Saulino? Packet Forensics? Principal (owner of Packet Forensics)? Rodney Joffe, in the news to non-oblivians who followed the Sussmann Indictment, court filings, Sussmann trial, etc. Raymond Saulino is INTIMATELY CONNECTED to Rodney Joffe as Saulino was with Packet Forensics for years, and more recently a Senior VP at another Joffe company, Neustar. Remember, Rodney Joffe was the dude who fabricated that DNS/Internet data to falsely implicate a presidemt of the United States of America (the countey Packet Forensics is located at --- for the UC/Berkeley studemts)!
Note no 'mistakes' until the last statement. Then....'presidemt' instead of 'president', 'countey' instead of 'country' and 'studemts' instead of 'students'.
The message is clear, use the mistake letters, 'mem'. The message is 'mem' !!!! What it means though....I bet it means memtest86+ [slashdot.org] coming back was a mistake! The world is doomed! Agrghhghhghhh!!!
Re: Hello ---- anybody AWAKEY here?!?!?!?! RUSSIAG (Score:2)
Re: (Score:1)
Tin foil hats ready? (Score:2, Funny)
Re: (Score:3, Insightful)
What i think is more entertaining is those noobs to internet security who haven't seen this slow creep of surveillance and manipulation as it evolved treat it all as a conspiracy theory because they think they know better than those that did.
Pay attention and maybe in 20 years or so you may have a clue, though with the way things are going, I reckon you're going to have fuck all chance of finding out anything in the public interest on governmental and corporate corruption by then.
Re: (Score:1)
I just point them to Ken Thompson's talk "Reflections on Trusting Trust" from the ACM in 1984, and that usually makes their heads explode. Even in the very beginning, we were all screwed.
https://www.cs.cmu.edu/~rdrile... [cmu.edu]
Is anyone surprised? (Score:3)
The only surprise, surely, is that it's been spotted. It's exactly what one would expect given the tasks which the NSA has been given. Now if this has come as news to the NSA, THEN we have a problem!
Re: (Score:1)
Re: (Score:2)
Ability? Nah - just the enthusiasm to spell out the many examples that are public knowledge about what the three letter agencies get up to and are never held to account for.
How to disable these certs in Firefox: (Score:5, Informative)
I am not a security expert, but I believe that the following procedure will disable these certificates while allowing you to change your mind and re-instate them later:
1) Open Firefox's menu and select: Settings
2) In the Security section, click on the View Certificates button
3) Find the certificates for TrustCor Systems S. de R.L.
4) For all certificates listed under TrustCor, select a certificate, Click on the Edit Trust button, Deselect all check boxes, and Click on the OK button
Re: (Score:1)
thanks!
Re: (Score:2)
That's the correct procedure, good thing there are only 3 items to iterate through...
Re: (Score:1)
Re: (Score:2)
Firefox is open source. It can do anything. The only question is how much effort.
Re:How to disable these certs in Firefox: (Score:4, Interesting)
Since these certificates are imported onto your machine/browser automatically, won't they be refreshed/reimported/re-enabled on(to) your machine by the same automatic process after some time?
Re: How to disable these certs in Firefox: (Score:2)
Genuine question: do CAs ever trust stuff simply because other CAs trust it? If not, how are sites proven trustworthy?
Re: (Score:2)
Re: (Score:2)
Good news: LetsEncrypt offers free CA certificates to anyone with an active website and a working email address. This is great because I can now get the lock to turn green on visitors to my small personal website.
Bad news: LetsEncrypt offers free CA certificates to anyone with an active website and working email address. This includes any scam artist that has a legit looking throw away email address. Let's Encrypt does not do any additional checking.
Certificate authorities have always been a scam (Score:1, Troll)
The entire world has been scammed into blindly trusting 3rd party certificate authorities - all of the major tech companies and the browsers they make are complicit. If you think you can trust ANY 3rd party with your encryption keys, you are very naive.
Re: (Score:3)
CAs never get your encryption keys.
Re: (Score:2, Informative)
It's not about your private key. It's about a compromised CA subverting the whole authentication system. They only need to make you think you are visiting a trusted web site or receiving email from a trusted user. Go ahead, use a Chinese CA... enjoy your man in the middle attack.
Re: (Score:1)
Re: (Score:2)
the GP was dead-wrong when he/she said the Root CAs don't get your encryption keys
They get the public one
Re: (Score:1)
the GP was dead-wrong when he/she said the Root CAs don't get your encryption keys
They get the public one
NO SHIT. It's still a key, is it not? I made that EXTREMELY clear on my 1st post. Having trouble with reading comprehension?
The GP said they don't get your encryption keys. I was being pedantic, clearly, but they do GET ONE OF THEM.
Re: (Score:2)
"The whole system works because they sign your PUBLIC KEY. Yeah, it's the public one.. But there's only two (public and private).. and they get one of them."
Uh, EVERYBODY gets the public key. That's why it's called the "public key". Only the secret key has or needs any confidentiality.
Re: (Score:2)
No, literally EVERYBODY gets the key. It's public. You can fetch the public key right now from virtually every webserver on the Internet.
Re: (Score:2)
It's okay to admit you've learned something. It's probably made unnecessarily harder by having called everybody a 'tard though.
macOS (Score:2)
On macOS, the TrustCor root certificates can be found in the Keychain Access app.
Re: (Score:1)
That's not all (Score:5, Informative)
Re:That's not all (Score:4, Informative)
I think maybe you don't quite understand what these certificates are for.
When your browser connects to a website, it contacts a server by IP address. That server needs to provide a certificate for the domain of the site, which has a chain of trust going back to one of these trusted Certificate Authorities. Otherwise the browser will show a warning that the server might not be the real slashdot.org.
So what is the threat model for a Chinese CA? They could in theory issue a certificate for slashdot.org to the Chinese government, or to some criminals. Hopefully any important website you use has implemented HPKP, which basically pins a certificate for that site for a certain period of time, so even if they did create a fake one the browser would ignore it.
They would then need to get you to connect to their bogus server somehow. They could try to replace the real server's address in your DNS server, but hopefully you are using a secure DNS server which makes that difficult. They could also screw with internet routing to send requests to Slashdot's IP address to them instead, but doing that in a way that isn't easily detected is difficult too.
If they were discovered doing any of that, they would quickly be distrusted by Mozilla and others who manage CAs, so their business would be destroyed. It has already happened to one CA, DigiNotar, based in the Netherlands.
So overall the risk of having Chinese CAs, or for that matter Dutch CAs in your list, is fairly low. There are so many hurdles to clear, and a great incentive to have decent security.
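The two mechanisms discussed in this thread, pulling a root out of the trust store (the Firefox "Edit Trust" procedure a few comments up) and a site pinning its own key (the HPKP point in the comment just above), can be shown end to end with Go's standard crypto/x509 package. The program below is an added example, not code from the article, from any poster, or from any browser vendor. It mints two self-signed roots of its own (a "Constructed Good CA" and a "Constructed Suspect CA"; the names, serial numbers and keys are all made up here), has each issue a server certificate for the thread's example host name slashdot.org (constructed certificates only; nothing connects to the real site), and then runs the same chain validation a browser performs: with both roots trusted the mis-issued certificate validates, with the suspect root removed it fails as an unknown authority, and a pin on the genuine root's SubjectPublicKeyInfo rejects the rogue chain even while the suspect root is still trusted. One caveat the comment above does not mention: the major browsers have since removed HPKP support, so today the pin check is something you get from certificate transparency monitoring or from pinning inside your own client, not from a response header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA template (ca=true) or a server template whose SAN is name.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // browsers (and Go) match the SAN, not the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is the HPKP pin form: base64(sha256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned builds a chain from leaf to a trusted root for host, as a browser does;
// with pins given it also requires some certificate in a valid chain to carry a pinned key.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || len(pins) == 0 {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			for _, p := range pins {
				if spkiPin(c) == p {
					return nil
				}
			}
		}
	}
	return fmt.Errorf("chain is valid but matches none of the pinned keys")
}

// Scenario: two constructed roots, one genuine and one suspect, the suspect one having
// mis-issued a certificate for host. A nil result means the browser would accept the chain.
func Scenario() (rogueTrusted, rogueDistrusted, legitPinned, roguePinned error) {
	const host = "slashdot.org" // constructed certificates only; nothing contacts the real site
	goodRoot, goodKey := mint(template(1, "Constructed Good CA", true), nil, nil)
	badRoot, badKey := mint(template(2, "Constructed Suspect CA", true), nil, nil)
	goodLeaf, _ := mint(template(10, host, false), goodRoot, goodKey)
	badLeaf, _ := mint(template(11, host, false), badRoot, badKey)

	shipped := x509.NewCertPool() // the store as the browser ships it
	shipped.AddCert(goodRoot)
	shipped.AddCert(badRoot)
	pruned := x509.NewCertPool() // the store after the user distrusts the suspect root
	pruned.AddCert(goodRoot)
	pins := []string{spkiPin(goodRoot)} // the site pins its genuine root's key

	return verifyPinned(badLeaf, shipped, host, nil),
		verifyPinned(badLeaf, pruned, host, nil),
		verifyPinned(goodLeaf, shipped, host, pins),
		verifyPinned(badLeaf, shipped, host, pins)
}

func main() { fmt.Println(Scenario()) }
```

The "pruned" pool is exactly what the Firefox procedure achieves by unchecking every trust bit on the TrustCor entries: the root is still on disk, but chain building can no longer terminate at it, so a certificate it issued fails with an unknown-authority error instead of a green lock. The pin check shows why distrust and pinning are different defences: pinning protects one site regardless of what else is in the store, distrust protects every site but only against the one root you removed.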
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Just another DarkMatter, then? (Score:2)
https://www.reuters.com/articl... [reuters.com]
https://darknetdiaries.com/epi... [darknetdiaries.com]
Whose certs have they been signing? (Score:2)
Does anyone have any examples signed by this root CA?