
Meeting Snowden in Princeton - zmanian
https://www.lightbluetouchpaper.org/2015/05/02/meeting-snowden-in-princeton/
======
tptacek
A couple of things that bugged me from this writeup (these may be attributable
to Anderson instead of Snowden):

1:

 _Homegrown crypto is routinely problematic, but properly implemented crypto
keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails._
is later followed by _The NSA is even more cautious than the FBI, and won’t
use top exploits against clueful targets unless it really matters.
Intelligence services are at least aware of the risk of losing a capability,
unlike vanilla law enforcement_.

Reconciling these statements is disquieting. _Snowden_ has never seen a
successful decrypted RSA-1024 intercept. But he also believes that the good
stuff is kept under wraps, which is what everyone else who understands SIGINT
thinks as well.

2:

 _We can push back a bit by blocking papers from conferences or otherwise
denying academic credit where researchers prefer cash or patriotism to
responsible disclosure, but that only goes so far._

Well, that, and the whole thing about how publishing papers isn't merely an
exercise in making the authors feel better, but also how science works.

3:

 _People who can pay for a new kitchen with their first exploit sale can get
very patriotic; NSA contractors have a higher standard of living than
academics._

I have a problem with casual innuendo about how vulnerabilities are expensive
because exploiters pay so much for them. In fact, ever-increasing dollar
amounts for serious vulnerabilities are what you want to see: if there's a
liquid market for vulnerabilities, the last thing you want is for serious ones
to be cheap. This is highly specialized engineering work; whether Ron Paul
likes it or not, it commands a high rate.

A simpler response: lots of people have made enough off vuln sales to replace
kitchens without ever selling them to anyone who would exploit them.

I do have a moral problem with people who sell vulnerabilities to (a) the USG
or (b) people who exploit them. I do not love the emergence of vuln markets.
But I am not willing to tar everyone who earns a living doing this work as an
NSA shill.

Moreover: all reverence for Snowden stipulated and set aside: nobody has ever
made a claim for his expertise in vulnerability research or sales. Can we be
clearer about why we're meant to carefully consider his take on it?

•:

Generally, this reads a lot like STRATFOR to me. It starts out with facts and
stuff that appears verifiable/falsifiable, but it trends into a sort of
geopolitical/legal LARPing exercise.

~~~
AlyssaRowan
Regarding your first point, there's some confusion between active exploits
(i.e. botnet infections, etc) and passive intercepts. They are indeed cautious
about using exploits and botnet platforms (I don't think that makes any of it
_right_ ).

Absolutely NSA & GCHQ should be able to crack RSA-1024: it is not magical, and
it is _definitely_ well within their budget, but it still isn't particularly
_cheap_ timewise, so unless something is really _super_ important, it's not
going to join the crypt attack queue for supercomputing resources, and they
would not be waving it around too widely.

By comparison, we know RC4 is _toast_. We have a rough sketch of the attack
(though please correct me if any of this is wrong): passive; returns plaintext
from ciphertext, with either no or a few bytes of known plaintext header at
most; runs in software on blades and other places at mass-intercept scale in
_real-time_ , so we have an upper bound on its complexity (and it's very low
compared to RSA-1024).

We don't know many technical details about the attack yet. RC4 is a peculiar
beast, quite unlike semi-modern or modern ciphers like AES or
Salsa20/ChaCha20: huge state; crappy diffusion; several known weaknesses, but
no public break yet. I can't wait to find out more: this is one of the few
areas where NSA actually are ahead, as the public sphere definitely knows RC4 is too
wobbly to use, but is still quite some way off decrypts of it. Whatever technique
is used may well not be applicable to ciphers of a more modern design (but
what about Spritz?).

If you've been using RC4, ever, this should give you pause. Think about what's
ever gone out using it. Think about what someone could have recorded - likely
_did_ record. Do you need to be changing any passwords?

If you're _still_ using or accepting RC4 anywhere for any reason (ahem,
Mozilla, Google, Microsoft?), for heaven's sake, get your arses in gear.
You're not beating the attackers, you're now only limiting the damage. Given
the RFC and everything, and the internal discussions you've been having, I
personally would be loath to consider any further delay ethical before
action. Please do remember Holmes' Law of Reverse-Engineering: what one can
invent, another can discover.
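
The second-byte keystream bias is one of the published RC4 weaknesses the comment above alludes to. This added example (not from the thread or the blog post) implements RC4 in pure Python, checks it against a public test vector, and measures how often the second keystream byte is zero over many random keys; Mantin and Shamir showed it is roughly 2/256 rather than the 1/256 a uniform stream would give, which is why protocols that sent predictable plaintext under RC4 without dropping initial output leak information.

```python
"""Added example: RC4 implementation plus a measurement of the
Mantin-Shamir bias (Pr[Z2 = 0] ~ 2/256) over constructed random keys."""
import random

N = 256


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute S using the key bytes."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 PRGA output, with no initial bytes dropped
    (the configuration in which the second-byte bias is exposed)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    The keys are constructed locally from a seeded RNG so the run is
    reproducible; a uniform generator would give about 1/256 here."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    # Public test vector: key "Key" -> keystream EB 9F 77 81 B7 34 CA 72 A7 19
    print(rc4_keystream(b"Key", 10).hex())
    rate = second_byte_zero_rate(20000)
    print(f"Pr[Z2 = 0] ~ {rate:.5f}  (uniform {1/N:.5f}, Mantin-Shamir {2/N:.5f})")
```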

~~~
noinsight
> If you're still using or accepting RC4 anywhere for any reason (ahem,
> Mozilla, Google, Microsoft?), for heaven's sake, get your arses in gear.

Amazon AWS signup, as of last night?
[http://i.imgur.com/Wq0lnnR.png](http://i.imgur.com/Wq0lnnR.png)

~~~
wolf550e
[https://www.ssllabs.com/ssltest/analyze.html?d=portal.aws.am...](https://www.ssllabs.com/ssltest/analyze.html?d=portal.aws.amazon.com)

If your TLS client tried stronger cipher suites before weaker ones (which only
MSIE does, and it considers only RC4 weak), you can get TLS 1.0 with RSA key
exchange, AES-256-CBC encryption, HMAC-SHA1 authentication with that server.
That's not secure (only TLS 1.2 with PFS and AEAD is secure).

------
itistoday2
> _Secret laws are pure poison; government lawyers claim authority and act on
> it, and we don’t know about it._

"Secret laws" are not laws. It is the equivalent of "because I said so", and
that is simply a fascist edict.

@CombiHack points out:

> _If “ignorance of the law is no excuse”, then the law MUST be publicly
> available. [..] Alternatively (less preferable): If “secret laws are laws”,
> then ignorance of the law MUST be a complete defense. End of story._

------
eliteraspberrie
I have immense respect for the author, and I know these are just notes, but
the tone of technologists who talk about Snowden is very annoying.

We know certain technologies like Tor and OTR are safe because of the weight
of scientific research that supports them, and the immense effort of the
developers. Not because someone said so at an event. Statements like "gpg
ciphertexts with RSA 1024 were returned as fails" are totally meaningless.

I wish people had more confidence in good old science (like Anderson's works)
than glamorous events like this. You should all check out _Security
Engineering_ by the same author, it's free! www.cl.cam.ac.uk/~rja14/book.html

~~~
vilhelm_s
I mean, that scientific research includes a bunch of timing attacks which
shows that if someone can manipulate both the entry and exit points (like the
NSA can), they can deanonymize TOR users. The TOR team specifically state that
a "global" adversary (like the NSA) is beyond the scope of threats they are
trying to protect against.

There is no theoretical guarantee that the NSA cannot break TOR, the question
is whether they have actually got the engineering in place to do so. And the
Snowden leaks showed they didn't, at least not in 2013, although they were
working on it.

