Mysterious Company With Government Ties Plays Key Internet Role

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared a unpaywalled link to the story.

I use G(overnment)mail for everything.

[Anonymous Coward]

Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto?

Sure, why not? Everything else on the Internet is spied on like crazy, so what's another pair of prying eyes?

I'm still waiting

[Anonymous Coward]

I'm still waiting for Honest Achmed's Used Cars And Certificates to become an approved rootCA.

Re: I'm still waiting

[RegistrationIsDumb83]

"Never pay full price for a new certificate when you can get one of our gently used certificates for half off!"

Re:CLEARLY ILLUMINATTI!1!!111

[Opportunist]

Oh c'mon, you can't blame us for everything that happens to you, get real!

Re:

[fbobraga]

You understand the joke, right? TFA smells like a conspiracy theory...

Re:

[Opportunist]

Erh... yes ... of course ... a joke ... he ... hehe...

Re:

[fbobraga]

a real problem today: text interpretation (it's very difficult to use irony...)

Re:

[Opportunist]

Very true. Poe's Law [wikipedia.org] is not just for religion anymore.

Re:

[fbobraga]

you know if this law name comes from Edgar Allan Poe?

Re:

[Opyros]

No, it's from a man named Nathan Poe [wikipedia.org].

Re:

[fbobraga]

ty

Re: CLEARLY ILLUMINATTI!1!!111

[Anonymouse Cowtard]

Typical zeta-Reticulan response

Re: CLEARLY ILLUMINATTI!1!!111

[fbobraga]

What is that?

Re:

[Opportunist]

FNORD!

Re:

[Shaitan]

Anytime more than one someone has influence and a motive they can't 100% disclose publicly drunk confession style there is a conspiracy. If history shows us anything it is that conspiracies aren't just real but common.

In the security world we know that trust networks are the most commonly successful attack vector. Everything has an opposite and destroying the trust networks opposing your interests is equally powerful. The best defense is universal skepticism.

Re:

[fbobraga]

TL;LD: "just don't see who doesn't want to" :P

MITM

[RemindMeLater]

Any bets that this is the government go-to company when they need a bogus cert to run MITM attacks?

Re:

[GameboyRMH]

A pretty safe bet. Looks like a new Crypto AG that you're a customer of even if you never bought from them...

Re:

[Anonymous Coward]

Any bets that this is the government go-to company when they need a bogus cert to run MITM attacks?

Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.

Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you w

Re:

[Anonymous Coward]

You're talking about the government using standover tactics to get issued a single certificates so that they can fake a particular domain name. Op is talking about spyware tools having Fiddler-like functionality and being able to silently MiTM every single "secure" web site those devices visit. There's a magnitude of difference between the two.

Apple, Google, Microsoft and Mozilla happily removed StartSSL from their Trusted Root certificate stores a few years ago based on nothing more than rumors of Chinese

Re:

[Shaitan]

"If they have *not* removed TrustCor from their Trusted Root certificate stores by the end of the week you should be extremely concerned about what's going on."

Yes you should but even if they do you should remember the agencies would never build one when they can have two for just twice the price.

Re:

[Agripa]

Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.

Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you will inform your other customers if such a request happens? If you want to flush out the stooge, perhaps see where the canary isn't singing so loudly.

It is a little more involved. It would require a writ from the court ordering the company to do something, and there is a legal question about whether that is enough.

And then if that worked, the false certificate once used publicly, destroys the credibility of the certificate authority.

Re:

[iserlohn]

"In a February 2022 court motion related to Michael Sussmann's prosecution, Durham alleged that Joffe and his associates had exploited access his company had through a pending cybersecurity contract with the Executive Office of the President (EOP) to acquire nonpublic government domain name system and other data traffic "for the purpose of gathering derogatory information about Donald Trump."[14][15] On March 4, 2022, Special counsel John Durham dropped these claims against Joffe.[16][17]

Durham also did not

Re:

[TrumpShaker]

OMG...he's Q! Look at this:

Raymond Saulino? Packet Forensics? Principal (owner of Packet Forensics)? Rodney Joffe, in the news to nonâ"oblivians who followed the Sussmann Indictment, court filings, Sussmann trial, etc. Raymond Saulino is INTIMATELY CONNECTED to Rodney Joffe as Saulino was with Packet Forensics for years, and more recently a Senior VP at another Joffe company, Neustar. Remember, Rodney Joffe was the dude who fabricated that DNS/Internet data to falsely implicate a presidemt of the United States of America (the countey Packet Forensics is located at --- for the UC/Berkeley studemts)!

Note no 'mistakes' until the last statement. Then....'presidemt' instead of 'president', 'countey' instead of 'country' and 'studemts' instead of 'students'.

The message is clear, use the mistake letters, 'mem'. The message is 'mem' !!!! What it means though....I bet it means memtest86+ [slashdot.org] coming back was a mistake! The world is doomed! Agrghhghhghhh!!!

Re: Hello ---- anybody AWAKEY here?!?!?!?! RUSSIAG

[sgt_doom]

Still the same commie useful idots ever since the jobs offshoring corporation bought this rag site! No, pooty, your "Q" is a CIA disinfo operation run by the CIA's Bradley Johnson. We truth seekers present the facts for others, not you site troll pervos here.

Re:

[TrumpShaker]

Wow, left out the second 'i' in "idiots"! That is confirmation! "i" is Q. sgt_doom is Q!

Tin foil hats ready?

[VeryFluffyBunny]

Got my refreshments. Now to sit back & watch the conspiracy theorists roam freely in their natural environment. It's like a beautiful nature documentary!

Re:

[BardBollocks]

What i think is more entertaining is those noobs to internet security who haven't seen this slow creep of surveillance and manipulation as it evolved treat it all as a conspiracy theory because they think they know better than those that did.

pay attention and maybe in 20 year or so you may have a clue, though with the way things are going, i reckon you're going to have fuck all chance of finding out anything in the public interest on governmental and corporate corruption by then.

Re:

[JohnnyT777]

I just point them to Ken Thompson's talk "Reflections on Trusting Trust" from the ACM in 1984, and that usually makes their heads explode. Even in the every beginning, we were all screwed.

https://www.cs.cmu.edu/~rdrile... [cmu.edu]

Is anyone surprised?

[Bruce66423]

The only surprise, surely, is that it's been spotted. It's exactly what one would expect given the tasks which the NSA has been given. Now if this has come as news to the NSA, THEN we have a problem!

Re:

[Chameleon Man]

"Is anyone surprised"...Literally the go-to comment you see on every thread from slashdotters who lack the ability to give a properly informed response.

Re:

[Bruce66423]

Ability? Nah - just the enthusiasm to spell out the many examples that are public knowledge about what the three letter agencies get up to and are never held to account for.

How to disable these certs in Firefox:

[OnlyInAZ]

I am not a security expert, but I believe that the following procedure will disable these certificates while allowing you to change your mind and re-instate them later:

1) Open Firefox's menau and select: Settings
2) In the Security section, click on the View Certificates button
3) Find the certificated for TrustCor Systems S. de R.L.
4) For all certificates listed under TrustCor, select a certificate, Click on the Edit Trust button, Deselect all check boxes, and Click on the OK button

Re:

[BardBollocks]

thanks!

Re:

[GameboyRMH]

That's the correct procedure, good thing there are only 3 items to iterate through...

Re:

[0xG]

Not for FF on android. Looks like it's not doable.

Re:

[phantomfive]

Firefox is open source. It can do anything. The only question is how much effort.

Re:How to disable these certs in Firefox:

[devslash0]

Since these certificates are imported onto your machine/browser automatically, won't they be refreshed/reimported/re-enabled on(to) your machine by the same automatic process after some time?

Re: How to disable these certs in Firefox:

[J-1000]

Genuine question: do CA's ever trust stuff simply because other CA's trust it? If not, how are sites proven trustworthy?

Re:

[Errol backfiring]

Very long answer: with public transparency [media.ccc.de] and Google threatening them to ban them from Chrome if they misbehave. The linked video is a long but informative talk about the subject.

Re:

[OnlyInAZ]

Good news: LetsEncrypt offers free CA certificates to anyone with an active website and aworking email address. This is great because I can now get the lock to turn green on visitors to my small personal website.

Bad news: LetsEncrypt offers free CA certificates to anyone with an active website and working email address. This includes any scam artist that has a legit looking throw away email address. Lets encrypt does not do any additional checking.

Certificate athorities have always been a scam

[Nocturrne]

The entire world has been scammed into blindly trusting 3rd party certificate authorities - all of the major tech companies and the browsers they make are complicit. If you think you can trust ANY 3rd party with your encryption keys, you are very naive.

Re:

[XanC]

CAs never get your encryption keys.

Re:

[Nocturrne]

It's not about your private key. It's about a compromised CA subverting the whole authentication system. They only need to make you think you are visiting a trusted web site or receiving email from a trusted user. Go ahead, use a Chinese CA... enjoy your man in the middle attack.

Re:

[JBeretta]

Dunno why you're explaining this to me. I know how the system works. I was merely pointing out that the GP was dead-wrong when he/she said the Root CAs don't get your encryption keys. They get the public one because you have to send it to them for them to sign it.

Re:

[XanC]

the GP was dead-wrong when he/she said the Root CAs don't get your encryption keys

They get the public one

Re:

[JBeretta]

the GP was dead-wrong when he/she said the Root CAs don't get your encryption keys

They get the public one

NO SHIT. It's still a key, is it not? I made that EXTREMELY clear on my 1st post. Having trouble with reading comprehension?

The GP said they don't get your encryption keys. I was being pedantic, clearly, but they do GET ONE OF THEM.

Re:

[Chris Mattern]

"The whole system works because they sign your PUBLIC KEY. Yeah, it's the public one.. But there's only two (public and private).. and they get one of them."

Uh, EVERYBODY gets the public key. That's why it's called the "public key". Only the secret key has or needs any confidentiality.

Re:

[XanC]

No, literally EVERYBODY gets the key. It's public. You can fetch the public key right now from virtually every webserver on the Internet.

Re:

[XanC]

It's okay to admit you've learned something. It's probably made unnecessarily harder by having called everybody a 'tard though.

macOS

[PCM2]

On macOS, the TrustCor root certificates can be found in the Keychain Access app.

Re:

[olydav]

Since these are 'System Roots' certificates, it is difficult to remove them from keychain in newer versions of MacOS. You can however, disable them with a few mouse clicks. Tested on MacOS Ventura 13.0.1. http://www.herongyang.com/PKI/... [herongyang.com] Disclaimer: I am unaffiliated with this site and can't vouch for the author, It was the most concise and offered the greatest detail on macOS PKI that I could find quickly. Most importantly, it helped me to disable TrustCor certs, which was my goal.

That's not all

[sentiblue]

If you open up any browser's list of trusted CA, you will find about a dozen of Chinese based entities already trusted. I was skeptical about this so I removed them, but the browser puts them back. I sent my concerned question to the browser makers and all of them gone unanswered. I guess them Chinese can read this message that I'm typing, even before I hit submit.

Re:That's not all

[AmiMoJo]

I think maybe you don't quite understand what these certificates are for.

When your browser connects to a website, it contacts a server by IP address. That server needs to provide a certificate for the domain of the site, which has a chain of trust going back to one of these trusted Certificate Authorities. Otherwise the browser will show a warning that the server might not be the real slashdot.org.

So what is the threat model for a Chinese CA? They could in theory issue a certificate for slashdot.org to the Chinese government, or to some criminals. Hopefully any important website you use has implement HPKP, which basically pins a certificate for that site for a certain period of time, so even if they did create a fake one the browser would ignore it.

They would then need to get you to connect to their bogus server somehow. They could try to replace the real server's address in your DNS server, but hopefully you are using a secure DNS server which makes that difficult. They could also screw with internet routing to sent requests to Slashdot's IP address to them instead, but doing that in a way that isn't easily detected is difficult too.

If they were discovered doing any of that, they would quickly be distrusted by Mozilla and others who manage CAs, so their business would be destroyed. It has already happened to one CA, DigiNotar, based in the Netherlands.

So overall the risk of having Chinese CAs, or for that matter Dutch CAs in your list, is fairly low. There are so many hurdles to clear, and a great incentive to have decent security.

Re:

[sentiblue]

I know what the certs are for.... my last sentence in the original msg was sarcastic LOL.

Re:

[sabbede]

I block most international traffic on my firewall. Pretty hard to get Chinese certs without talking to China.

Re:

[sentiblue]

That's not a bad idea! Since I have no business/personal needs to visit any destinations in that country, I can just configure my outbound blocked for all their subnets. Thanks!

Just another DarkMatter, then?

[devslash0]

https://www.reuters.com/articl... [reuters.com]
https://darknetdiaries.com/epi... [darknetdiaries.com]

Whose certs have they been signing?

[radarskiy]

Does anyone have any examples signed by this root CA?