
Crypto breakthrough shows Flame was designed by world-class scientists - llambda
http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
======
fleitz
Hmm... if only there was some sort of National Security Agency that employed
cryptographers so we'd know about these things first and could protect us from
these attacks.

~~~
ajross
Clearly posters aren't getting the sarcasm, so I'll spell it out: the NSA is
clearly suspect number one.

What's more interesting to me, though, isn't that they had this technique,
it's that they let it out for ... what? It seems like this is a garden variety
public worm. One would think that if the NSA had the ability to forge windows
code signatures like this, they would have used it more selectively. Some
spook is in deep trouble about this.

~~~
iuguy
The NSA is not suspect number one. The Russians have had superb cryptographers
for decades; heck, GCHQ invented public key cryptography years before Diffie
Hellman and denied its very existence for decades.

Attribution is a bitch. It's not a slam dunk to suggest that a particular
agency is at fault without supporting evidence.

~~~
ajross
The NSA is the largest such organization, surely there are others. But just to
correct: the GCHQ beat DH by three years and RSA by four, not decades.

~~~
iuguy
> the GCHQ beat DH by three years and RSA by four, not decades.

Correct. But they kept the fact that they did secret for decades. That's what
I meant, apologies if it was ambiguous (I can't actually edit the comment now
to fix it).

------
dkarl
Intelligence agencies and criminal hackers use the same techniques that white
hat security researchers do, so every time I read about an attack like this, I
wonder who else discovered it and reverse-engineered it, when, and how they
used the knowledge. Imagine the irony (assuming Flame is an American product)
if China had discovered Flame first and used its technology to conduct
industrial espionage against U.S. companies. In fact, getting first crack at
advanced technology is great incentive for rival powers or criminals to
cooperate with targeted nations. Our next target might solicit the help of
Chinese or Russian hackers, government-affiliated or not, who might be very
happy to help so they could reverse-engineer the attack and replicate it
themselves.

Even worse -- and this is off-topic so I'll keep it brief -- I don't know if
the intelligence gleaned from this operation would produce any benefit at all.
Theoretically, if we discovered that Iran's nuclear program wasn't a threat,
we could save ourselves a lot of worry. It might save a lot of time and money,
and possibly even save lives if it prevented military action. But after Iraq
who can be confident that an accurate assessment of the threat from Iran would
have any effect on policy? We might be disseminating dangerous knowledge for
nothing.

~~~
eli
I _really_ don't think that the failure of accurate intelligence to drive
policy in the past suggests we should give up on trying to have policies
driven by facts.

------
DanielRibeiro
Well, MD5 attacks are actually quite old news[1,2,3,4]. There are even some
open source projects to help you find them[5]. Would love to hear more details
on what was the breakthrough that Flame introduced.

_Edit:_ The breakthrough that Flame introduced can be read here[8, 9]

SHA-1 is not yet _broken_, as MD5 is, but fortunately we are having the
SHA-3[6] competition (like we had for AES[7]).

[1] <http://www.springerlink.com/content/d7pm142n58853467/?MUD=MP>

[2] <http://www.computer.org/portal/web/csdl/doi/10.1109/CIS.2009.214>

[3] <http://eprint.iacr.org/2010/643>

[4] <http://stackoverflow.com/questions/1999824/whats-the-shortest-pair-of-strings-that-causes-an-md5-collision>

[5] <http://code.google.com/p/hashclash/>

[6] <http://en.wikipedia.org/wiki/Sha3>

[7] <http://en.wikipedia.org/wiki/Advanced_Encryption_Standard>

[8] <http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware>

[9] <http://news.ycombinator.com/item?id=4080240>

~~~
dfc
Did you read the article or the mailing list threads? This attack is hardly
old news.

------
jcfrei
It's always unsettling seeing a governmental or otherwise undisclosed
institution developing such cryptographic breakthroughs in secrecy. This
leaves me as a developer with inferior tools to protect my data against any
kind of intrusion. It's understandable from a national perspective but
unfortunate for the programming community at large. So far we still have
bcrypt or scrypt - but who knows, maybe someday we'll have an efficient
collision attack there as well...

~~~
dfc
The "programming community's" threat model in cyberspace is no different than
anyone's threat model in meatspace. If a well funded government decides you
are an enemy of the state they can harm you in meatspace or cyberspace. Are
you staying up at night worried about a hellfire missile coming in your
window?

~~~
vecinu
His fear stems from the fact that most people believe they have a right to the
Internet and are essentially anonymous.

To respond to your hellfire missile analogy, if I am in Canada or the US, I'm
not worrying about it, but if I'm in the Middle East, it's a different story.

~~~
dfc
And I am saying that he does not have to worry about NSA, Mossad or The Secret
Army of Northern Virginia spending years to develop Flame 2.0 so they can read
his email. On the flip side, if you are a high level enemy of the state you
should still be worried if you are in Topeka or Ottawa; if it's not a hellfire
coming in the window it will be equally lethal scary rough men dressed in
black.

------
kposehn
"Flame could only have been developed by a wealthy nation-state"

While I do agree that it was indeed developed by one, I'm not sure how it
could _only_ have been developed by one. Would it truly take massive levels of
money to do or simply some smart, determined people?

~~~
batista
Smart, determined people don't come cheap, and you don't get world class
cryptanalysts and mathematicians working on such a specific endeavor out of
"determination".

Plus, we can all guess what wealthy nation-state developed the software and
similar things in the past, let's not be hypocritical here...

~~~
planetguy
Would _one_ smart, determined person, working in his spare time and for his
own satisfaction, be capable of doing it?

I mean, if I had the capability to screw up Iran's nuclear program in my spare
time I probably would, because, y'know, fuck Iran.

~~~
batista
> _I mean, if I had the capability to screw up Iran's nuclear program in my
> spare time I probably would, because, y'know, fuck Iran._

Fuck Iran why exactly? Because toppling their democratically elected
government and establishing a puppet in the fifties wasn't enough? Or arming
Saddam's Iraq to fight them in the eighties?

Or maybe because, say, TX can execute 15 year old "criminals" and ban abortion
and/or gay marriage, but Iranians don't get to decide how they want to live?
Or maybe because what's OK for Saudi Arabia is not OK for everybody?

Or is it because they haven't harmed anyone in the region, where other nations
have already invaded 2 nearby countries?

Or just because, you know, Muslims are bad in general? (I don't like the
religion myself, but they have the right to do as they damn please in their
OWN country).

~~~
keithpeter
I understand your position here, but please make contact with some Iranian
refugees/dissidents near you for the full picture. It's bad. Worse than I
understand Texas to be, by several ball parks.

~~~
batista
> _I understand your position here, but please make contact with some Iranian
> refugees/dissidents near you for the full picture. It's bad. Worse than I
> understand Texas to be, by several ball parks._

Sure, but those are "refugees/dissidents", of course they would think that.
It's not like the great Iranian masses are held there by force or hate their
culture.

In general, dissidents are also overplayed for political gain by other
countries. I mean, even the USSR played upon US political dissidents, the
McCarthy era etc. If you are going to judge a whole country better ask the
locals, not the dissidents.

~~~
niels_olson
<http://en.wikipedia.org/wiki/Death_of_Neda_Agha-Soltan>

You are arguing a very weak position.

~~~
batista
No, you're arguing from isolated facts presented in a sentimental package from
mainstream media. Do you know how many deaths there have been in protests in
the US? Like, say, the Kent State shootings, where police shot 4 students dead.
Or all around the world, for that matter? There have been 2-3 killings by the
British police in the last 2 years; they even beat a guy in a wheelchair
(<http://www.bbc.co.uk/news/uk-11987395>). And that's an "advanced western
democracy".

Now, put this into perspective. The Kent students were shot doing mostly
harmless protesting, in a country that had sent troops to a third country
(Cambodia), and that was in no danger itself. The tension in Iran, on the
other hand, is in a country that feels threatened by the US, that has seen 2
other countries invaded in the region, and where foreign powers are known to
support vocal dissidents and minorities against the state. In the name of
"democracy" of course, and not crude oil. The same foreign powers do nothing for
countries having even more extreme Muslims, and far less democracy, like, say,
Saudi Arabia.

What would the US police do if the US was feeling directly threatened, say
like in WWII? Well, we know what they did at the time: concentration camps
for Japanese, for example.

~~~
niels_olson
> No, you're arguing from isolated facts

Ok, look man, I'm down with anyone who wants to say the US could do better. I
could do better. You could do better. But _a_ fact, always beats a strawman,
which is what you presented previously. Because the reality is that the
Iranian government killed a bunch of its own people and did their level best
to suppress that information. Now you've switched from defending Iran to
reaching back a generation to find something you can cite to prosecute the
United States.

Just to add another fact, here's a more comprehensive discussion of casualties
in the protests where that Iranian lady died:

<http://en.wikipedia.org/wiki/2009_Iranian_election_protests#Casualties>

My point stands: you are arguing from a very weak position. Further weakened
by the fact that your thesis keeps moving around. If you're going to take on the
martyr's quest of defending an outrageous position, you can expect you're
going to be expected to present an outrageously good argument: all your shit in
one bag, sewn up tight. If you're frustrated that people can come along and
shoot holes in your argument with a sentence or two, maybe you could consider
that as evidence that your argument may not _ever_ hold water.

There's a great passage, I think it's T.H. White's Once and Future King, where
Lancelot has a dream where he sees two armies of knights, white and black,
fighting. The white side is losing, so he takes their side. And gets
slaughtered. On waking, he is told: know what you're fighting for. Don't fight
for the losing side just because they're losing.

------
0x0
What exactly was the requirement for a "0day" MD5 collision attack here; I
thought the Terminal Server Licensing thing at Microsoft spat out good-for-
code-signing certificates by itself?

~~~
emily37
They did, but it seems that those certificates had some extensions that made
the code-signing attack difficult to carry out on some versions of Windows, so
the collisions were used to generate certs without those extensions. (I read
this at <http://blog.cryptographyengineering.com/2012/06/flame-certificates-collisions-oh-my.html>)

~~~
0x0
I see; on Vista and above, certain fields in the certificate prevent it from
being accepted for code signature. So they did a collision attack to create a
slightly twisted certificate where all those fields are tucked away in a
useless segment and ignored.

Are there any details on what's new with this particular attack, compared to
the previously published ones? Why wouldn't earlier public research
(such as that PS3 fake SSL CA stunt) suffice?
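The defensive check implied by the exchange above, as an added example that is not code from the thread: a stdlib-only Python decoder for a certificate's DER-encoded AlgorithmIdentifier that a code-signing verifier could use to refuse anything signed with MD5 (or SHA-1). The two sample encodings are constructed inline from the standard PKCS#1 OIDs, not taken from any real certificate.

```python
# Added example, not from the thread: refuse certificates whose signature uses
# a hash with practical collision attacks (the weakness the colliding cert relied on).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # deprecated for new signatures
}

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for one DER TLV (short and long length forms)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear terminates a base-128 arc
            if not arcs:
                # first value packs two arcs: 40*X + Y for X < 2, or 80 + Y for X = 2
                arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            else:
                arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(alg_id: bytes) -> str:
    """Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, body, _ = read_tlv(alg_id)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_value, _ = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    return decode_oid(oid_value)

def acceptable_for_code_signing(alg_id: bytes) -> bool:
    """True only if the signature hash is not on the weak list."""
    return signature_algorithm(alg_id) not in WEAK_SIGNATURE_OIDS

# Constructed sample encodings of SEQUENCE { OID, NULL } (hypothetical, not from a real cert)
MD5_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101040500")
SHA256_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d01010b0500")

if __name__ == "__main__":
    for name, alg in (("md5", MD5_RSA_ALG_ID), ("sha256", SHA256_RSA_ALG_ID)):
        print(name, signature_algorithm(alg), acceptable_for_code_signing(alg))
```

A real verifier applies this to every certificate in the chain, not only the leaf, and additionally checks the Extended Key Usage and critical extensions the thread mentions.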

~~~
marshray
I believe the phrase you're searching for is "awesome applied crypto
research." :-) <http://www.win.tue.nl/hashclash/rogue-ca/>

We don't yet have details on the differences. I've looked at the evil
colliding cert and, AFAICT, the "MD5 Considered Harmful" technique would
probably have been sufficient to pull this off.

~~~
0x0
Thanks for the clarification.

The rogue-ca thing is awesome indeed! :)

------
alan_cx
Reading tech news these days is getting too close to reading Jane's Defence
Weekly for my liking.

------
mmcnickle
"Flame could only have been developed with the backing of a wealthy nation-
state"

Further to other people's comments here: has anyone seen an estimated cost to
produce something like Flame or Stuxnet?

------
zaroth
News from a few days ago made it sound like MS left their cert wide open to
using it to sign code and make it look like it came from Microsoft.

Now this news comes out that they used a pretty powerful crypto attack to
essentially create their own trusted root to be able to sign their code to
make it look like it came from Microsoft.

Why would you need both vectors? It seemed (yesterday) that the Microsoft bug
alone was enough to trick Windows Update into installing your code.

------
Achshar
I think it makes sense that a well funded government was behind Flame, but it
makes me wonder: there is nothing that explicitly calls for huge funding.
Nothing is very costly other than talent. So, just a hypothetical situation
here, but why can't a hypothetical real life Tony Stark make it? (not rich like
Stark but intelligent like Stark) Just one or two people in a garage on
their PC. What makes it impossible for that to be the case?

~~~
ertdfgcb
Time? But besides that, I can't really think of anything. Some guy on NPR was
talking about how it might be some professional developers who did this in
their free time, so that would kind of make sense.

~~~
Achshar
If someone is capable of doing the stuff that Flame is doing, he/she might as well
do it in 2 months' time. The thing is we are unaware of the exact capabilities
of the author of the code, so it can be a very intelligent person doing it in
a few weeks or a group of smart people doing it in a few years.

But the problem with the latter is that the more people know about it and the
longer it takes to make such malware, the higher are the chances of a pre-release
leak, or some double agent doing his work. So one or two very
intelligent people doing it in a very short time makes more practical sense for a
covert mission.

------
fennecfoxen
Earlier information linked to from this site suggested that Flame was able to
spread by some quirk involving using Terminal Services licenses as signing
keys (instead of just licenses) and continuing up a trust chain. Was that
information accurate? Is this an additional technique Flame uses for its
attack? Or is it the only attack?

------
Fando
Wow, that's incredible! Groundbreaking mathematics and cryptography
techniques, sounds so interesting. I would love to understand it all.

------
niels_olson
Hi honey, what did you do today?

Oh, this and that. Let's see what's in the news, shall we?

------
its_so_on
Stupid.

"There were mathematicians doing new science to make Flame work."

The government thinks that this is just like normal weapons research.

What they don't realize is that "secure-enough" crypto is far more important
to the world economy than their small use in breaking it.

If a government could spend $800B and prove/create a machine that makes
asymmetric cryptography impossible - and will be reverse-engineered and known
to the world within 3 years of when they start using it, they probably would.

Meanwhile, the world loses a lot more than $800B if you can't do anything
secure over the public Internet anymore, or have to have previously exchanged
a one-time pad with anyone you want a secure connection with.

This isn't just another weapon. Mathematics is a public good. Of course, if
you can spend $800B on new math and then break it, then in some sense it was
"always broken." In another sense, however, that's not true at all. Quit
messing it up for everyone.

~~~
InclinedPlane
Can't say I don't disagree.

It seems as though the governments of western democracies are spending a lot
more effort on digital swords to stab at our enemies than on digital shields
to protect their citizens.

~~~
smallblacksun
The NSA says that about 1/3 of their budget is put towards protecting US
government systems and data (though there is no way to verify that). It is
extremely difficult for them to even attempt to protect non-governmental
systems. The NSA was involved in SELinux, and designed the SHA family of hash
functions. This, along with their certification of various cryptographic
standards as acceptable for government use, seems to me to be about all they
could do defensively without requiring them to have access to private systems
and data.

------
loceng
Cool.

------
nixle
Ha! Everybody knows that this virus was hand-written by our Great Leader and
Horse Rider King Jong Ill, right before he decided to exchange his earthly
existence for another greater one.

