Mass Surveillance Methods: Cybersecurity Primer

Posted in: News, Patriots, Rob Braxman Tech

Summary

➡ The speaker discusses the potential vulnerability of web data, including email and browser traffic, to cybersecurity threats, even with TLS encryption. While apps with end-to-end encryption are safer, they could still be compromised via methods like client-side scanning. The speaker further explains the feasibility of hijacking the root certificate authority to decrypt and surveil web data and proposes the use of a VPN as a protective solution.

Transcript

I get blasted all the time by people who don’t understand the mechanics of cybersecurity and question some of the things I say. I’ll give you a common one I get. I stated often in past videos that it is guaranteed that all emails are collected for mass surveillance by the three-letter agency. I point to the fact that email transfer from mail transfer agent (MTA) to mail transfer agent is in plain text.

Someone then argues with me and says that the majority of traffic now between MTAs is TLS encrypted. Let’s assume for a moment that this is true. In this video, I’ll show you that some government entity can still suck out all the email traffic and store it in a database, even with the so-called TLS encryption. In fact, I will show you at least three examples of how a government could capture your web browsing traffic, your email traffic, and your notifications traffic, all without the participation of the platform.

This is just a theoretical analysis. First, Snowden already revealed that big tech companies have willingly participated in mass surveillance, but here we will make the assumption that we exclude that willing participation from the discussion. Aside from the obvious privacy invasions I expose here, this is also an advanced cybersecurity lesson for those wanting to understand how things work. This, by the way, is my final segment in the series of videos on web encryption.

Stay tuned for another technical deep dive. What I will explain first is the simplest concept, and that is how some government can scan everything you do on the Internet, including banking and personal messages. This does not include the use of end-to-end encryption apps, by the way; those would be secure from this, although that can also be beaten by something called client-side scanning, which I’ve discussed in prior videos.

Anyway, I’m going to focus mostly on just normal browser traffic. This could also include normal traffic on some popular app connecting to its server. The first step to breaking the encryption is to ensure that there is a trusted root certificate in your device that is friendly to the entity doing the surveillance. Now, this is something I’ve explained to you all in the last few videos: if you have the private key to a root certificate, then you can decrypt any website traffic that uses that certificate as a certificate authority.

Or to rephrase, if that root certificate is used to create fake certificates, then you can impersonate any website and break the encryption. I will explain the actual mechanics of how that’s done a little later. Creating a fake root certificate is not that hard to do, by the way, something I’ve shown you in many videos. Any application can install a root certificate; Avast antivirus will install itself as a root certificate, meaning an entity can just have you click on some application on a PC OS and then that application could install itself as a root certificate.

This is commonly done on corporate computers, where the IT department preinstalls some apps and puts in the corporate root certificate. In some other country, the root certificate can be installed by requiring some application to access some government service, and then that application will install a root certificate. The EU is going to enforce a law that says it will be a root certificate and any attempts to remove it will be against the law.

Another approach is possible. All Windows and Linux computers have a Microsoft root certificate preinstalled. Not only is it installed, but uninstalling it has a temporary effect because apparently certificates are updated every Tuesday on Windows. I’m sure every Linux update will also update these Microsoft certificates. Now let’s look at another possibility here. It would be too obvious to power a fake certificate with a Microsoft root certificate, because then the name Microsoft would show up there as the certificate authority and that would make me suspicious.

Why? Because Microsoft isn’t really a root certificate authority. The original root certificate authority used to be VeriSign, and now this was bought by DigiCert. You can see the root certificates preloaded on Windows here. But to allay suspicions, another approach is to create a new intermediate certificate authority that is signed by the Microsoft Root CA. Obviously this would require the support of Microsoft, but this can also be done by any inserted fake root certificate.

As I discussed earlier, Bill Gates would often speak up in support of government surveillance. So having Microsoft do this would not be inconsistent with their beliefs. And obviously for a price. Just theoretically, let’s say the name of the CA of the intermediate certificate is something close, like DigiCert X4. So in theory this entity could sign fake certificates, and when you examine certificates it would look normal. You see, the problem is that intermediate certificate authorities are not listed on your computer.

Intermediate CAs are shown on the website certificates as part of the certificate chain. Your computer would validate the certificate as being validated by a root CA, Microsoft. But when you actually look at the website to see the certificate, it will not show that; it just shows the next CA up the chain. It will show DigiCert X4 as a certificate authority, thus it can obfuscate the validity of the certificate.

I couldn’t tell you all the possible permutations of intermediate CAs. This is part of the lack of transparency of the PKI system. I’d have to individually search for the stated intermediate CA to see if it is valid; that’s a lot of work that no normal person will do.

Now, moving on, let’s say you are on your browser and you search for the website facebook.com. What your computer does is first try to resolve what facebook.com is, so it uses DNS to do that and finds the actual IP address. If you ping facebook.com on the computer, it will show you an IP address used by facebook.com. That is what you expect will be returned by the DNS. However, DNS traffic is in plain text mostly and it is frequently intercepted by ISPs. For example, if you set your DNS server to be Google, which is 8.8.8.8, the ISP can capture that and then redirect it to their DNS instead.

This is called DNS hijacking and is actually quite common. How does the ISP redirect DNS? Specifically, the DNS is announced by the use of port 53, which is obvious in the DNS IP packet. This then can be redirected by the router to another router, which will push the DNS request to another DNS server, all without the knowledge of the user. The DNS can then spoof any website by passing a different IP address that is not the original server, but the government proxy server.

The government proxy server will then have a fake certificate for facebook.com and your browser will not complain. It will show the lock icon as usual. Now, what this proxy does is break the HTTPS into two segments: one, your segment, and two, the proxy communicates with the actual facebook.com as a second segment, using the real certificate of facebook.com.

The problem here is that because of the two segments, the traffic to facebook.com is now decrypted at the proxy server. So all the government has to do is monitor all the traffic going into the proxy server together with the IP address of the user and store it all in a database. Someone will say, that’s too much data, no one will capture that. That’s really a stupid statement. Storage is so cheap. I’m sure there’s plenty of space for all this at the three-letter agency’s facility in Utah.

With a multi-billion-dollar budget. Now, being a proxy server, it will cache content, so there’s no need to duplicate information; just unique traffic needs to be saved. It is more efficient than you think. What can be captured by this method? Well, certainly all your banking, all your social activity, and any standard messages sent on any app that uses standard TLS encryption. How do you get around this, by the way? Well, a VPN actually helps quite a bit here.

First, the hijacking of DNS would fail and the IP address would be obfuscated by the VPN, making the user identity unknown, at least for mass surveillance. On BytesVPN we cache the DNS using Pi-hole automatically, so even the DNS traffic leaving the server is very, very limited. I mentioned that email is collected globally by the three-letter agency in the introduction. Let me just explain this briefly. Each user communicates using some email client, like Microsoft Outlook or Apple Mail or Thunderbird, or some webmail alternative like Gmail.

Your connection to the server nowadays is protected by the same TLS I described for web traffic, meaning a fake certificate could capture your direct communications with the email server. But I will skip that and use a more backend and more bulk approach to capturing data. While your communications with the mail server are encrypted, the typical traffic between mail servers, called MTAs, is frequently not encrypted. This is what I call MTA-to-MTA traffic.

This SMTP standard, which is the standard for normal email transfer on port 25, is in plain text, so this should be obvious: any government listening in to the Internet traffic can capture email data. There’s an article in the Guardian about how AT&T is the central location used to examine Internet traffic, since their eight peering stations around the USA can see the majority of the Internet traffic all over the world.

And that article also lays out how the traffic is searched for keywords and IP addresses and then forwarded to the three-letter agency for filing in their database. Now, since Snowden released details of some of this ten years ago, some of the bigger email providers like Google, Yahoo, and Microsoft decided to use SMTPS, which is the TLS-based version of the email standard. This is not globally used, since MTAs have to negotiate to use SMTPS.

All MTAs support SMTP, which is the non-encrypted version. Now here we have the same problem with SMTPS. In reality, SMTPS is just wrapping normal SMTP traffic with a TLS connection, so the MTAs at the end still see normal unencrypted traffic, just like normal web traffic. Someone can do a packet inspection (that’s a term used for examining the traffic), recognize that it is SMTPS, and then redirect it to a proxy.

The proxy will create a TLS-encrypted tunnel as expected, but it is now a man-in-the-middle. The proxy can send traffic elsewhere for filtering and copying. Then it can push the same traffic to the original destination, again very similar to the web traffic example. But the difference here is that since the communications are MTA to MTA, no human can see if the web certificate uses some suspicious CA.

It is actually easier to hide this kind of interception than web traffic. Now, the difference between MTA-to-MTA traffic and your home Internet is that DNS spoofing would be quite unlikely and plainly discoverable by ISPs. An MTA server is a cloud server on some ISP. However, if you intercept traffic at a known central point for Internet traffic, such as an AT&T peering station for the US, or through some gateway to the undersea fiber optic cables in some foreign country, this same procedure could be done without even needing any DNS hijacking.

Recently it was revealed that the government can spy on Apple and Google via push notifications. Since these are the only two makers of popular phone operating systems, this pretty much includes everyone who uses a phone. Obviously, if Apple and Google are willing to send their notifications data to the government, then there is no further need to break encryption. But we will theorize some approaches here that do not necessitate a direct read of Apple and Google databases by the government.

Is there a way to capture traffic on phones between the Apple and Google servers and your phones? Now note that Apple and Google are both root certificate authorities on their own devices, meaning they have inserted themselves as root CAs. And the other interesting detail is that there are a limited number of servers handling push notifications. It is likely in one location for each company. A simple solution would be to make the government an intermediate CA.

Again, this does not have to be published anywhere, since this is not like browser traffic. Everything is negotiated by the devices in an opaque manner. Then the government could insert a proxy server for notifications traffic to these two companies at only two locations and then feed all the traffic to the Utah data center. No big deal. Now, I mentioned the possibility that a big tech company with an inserted root certificate could create intermediate CAs to basically authorize someone to do surveillance.

In case you haven’t heard, the EU is planning on doing ID verification for all EU citizens by forcing an EU certificate into all browsers. Then they will give intermediate CA certificates to each EU country. This then makes each of these EU countries a root authority and they can issue further intermediate root certificates down the chain. So to put it in easy terms, having a government be a certificate authority makes the stuff I’m talking about immediately doable by any EU country or their friends.

But hey, no one really does mass surveillance. Yeah right. My last video was to propose changing the PKI system so that this method of breaking encryption via fake root certificates is completely eliminated. Until that happens, this kind of mass surveillance is always possible. Now, everything I said here is just theory. Meaning I don’t actually know the techniques used by three letter agencies. I’m just describing some methods I know based on my knowledge of cybersecurity.

Maybe they have other ways, but I know that this way is much easier than using quantum computers to break TLS. That’s too much effort. What I describe here is easy to do. So do you want us to continue? I created a company to offer solutions to privacy instead of just talking about problems. The first important product is the De-Googled phone. There is no Google on these phones and there is no Google ID, so they are invisible to Google and hide your identity.

These phones are also immune from geofencing, where the government can find who was in a certain location at a particular time. Most apps will work just fine as long as they’re not from Google. These phones are around $400, so much cheaper than a regular phone. I started a VPN service, BytesVPN, years ago. The thing about a VPN service is that you have to trust the provider of the service.

So some of you choose to trust some unknown corporation with some unknown affiliation. Here’s a VPN service coming from someone you know. My face is attached to this service. My staff and I support it directly and, as I mentioned in the video, it could protect you from mass surveillance. Definitely no logging, and we do not block email. Check it out. We have worldwide coverage and we do not scam you with auto-renewals.

I created the Braxmail product from user requests for a stealthy email solution. The main claim to fame of our email products is that there’s no metadata. We do not record IP addresses and ensure that IP addresses do not appear in your email headers. And this of course is used in mass surveillance identification. Thus this provides a quiet way to gain privacy by not revealing where the messages come from.

You get to use any of our seven domains, some of which are very obscure, and you can create unlimited aliases. Sign up quickly to use short usernames, which will be very popular for use with aliases. You can also use webmail, so no setup is required to use it. Just a normal browser will be fine. All these products are on the store on my app Braxme. Sign up on there.

Don’t worry, you will not be asked to give any personal information to sign up. Thank you for watching and see you again soon.
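The certificate-chain trick the transcript describes (a rogue root slipped into the device’s trust store, an intermediate named to resemble a public CA, a leaf for facebook.com served by an interception proxy) can be reproduced offline with nothing but the Go standard library. The program below is an added example written for this page; it is not the speaker’s code and not connected to any real CA. Every name in it ("Surveillance Root CA", the "DigiCert X4" look-alike) is a constructed assumption that mirrors the transcript’s hypothetical. It builds the three-certificate chain, runs the same path validation a browser runs, and shows both sides of the argument: the fake facebook.com certificate validates cleanly when the rogue root is trusted, fails when it is not, and a pin on the root’s public key (rather than on the display name in the lock dialog) catches the substitution.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed hierarchy: rogue root in the trust store, look-alike intermediate, target leaf.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue generates a P-256 key for tmpl and signs it under parent with parentKey; nil parentKey = self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildRogueChain mints root -> intermediate -> leaf. All names are demo assumptions (no relation to the real DigiCert).
func BuildRogueChain() (*Chain, error) {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Surveillance Root CA (constructed)")
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(ca(2, "DigiCert X4 (look-alike, constructed)"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "facebook.com"}, DNSNames: []string{"facebook.com"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// Verify is the path validation a browser does: the proxy presents leaf + intermediate, the client anchors on its own roots.
func Verify(c *Chain, trustedRoots ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots := x509.NewCertPool() // empty but non-nil: never fall back to the system roots
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	chains, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "facebook.com", Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // [leaf, intermediate, root]
}

// SPKIHash is the SHA-256 of the SubjectPublicKeyInfo: a pin on the key, not on the CA's display name.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// RootPinOK inspects the root that actually anchored the chain, the step the transcript says nobody does by hand.
func RootPinOK(chain []*x509.Certificate, expectedRootSPKI string) bool {
	return len(chain) > 0 && SPKIHash(chain[len(chain)-1]) == expectedRootSPKI
}

func main() {
	c, err := BuildRogueChain()
	if err != nil {
		panic(err)
	}
	_, trustedErr := Verify(c, c.Root) // rogue root present in the store
	_, absentErr := Verify(c)          // same chain, rogue root absent
	fmt.Println("rogue root trusted, no warning:", trustedErr == nil, "| rogue root absent:", absentErr)
}
```

The point the transcript makes about intermediates is visible in `Verify`: the client never needs the look-alike intermediate in its own store, because the proxy ships it alongside the leaf and validation only asks whether the chain terminates at some trusted root. The only thing the fake certificate cannot fake is the root’s key, which is why `RootPinOK` compares the SPKI hash of `chain[len(chain)-1]` instead of reading the issuer name; a real deployment would do the same against the SPKI of the root it expects for that site, for example via a pinning list or Certificate Transparency checks.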
