
N.S.A. Foils Much Internet Encryption - ebildsten
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
======
tc
This is really damaging.

Not only will this cause other countries to put up barriers against US (and
UK) services and products, it's going to affect uptake of standards developed
here.

On the lighter side, a treasure hunt was just announced. Can you find one of
these vulnerabilities, or evidence of the NSA having attacked a particular
system to steal keys?

----

[Edit 1] Some speculation:

By careful hardware design -- and lots of it -- the NSA may be able to find
keys large enough that we would be mildly surprised but not shocked. It's not
well known that searching for _many_ keys in parallel amortizes well -- it's
much cheaper than finding all the keys individually. DJB has a great paper
about this:

[http://cr.yp.to/snuffle/bruteforce-20050425.pdf](http://cr.yp.to/snuffle/bruteforce-20050425.pdf)

If I were looking for subverted hardware, I'd be really interested in reverse
engineering Ethernet chips and BMCs. The CPU would be an obvious choice as
well -- could there be some sequence of instructions that enables privilege
escalation?

On protocols, the best sort of vulnerability for the NSA would be the kind
that is still somewhat difficult and expensive to exploit. They want the
security lowered just far enough that they can get the plaintext, but not so
far that our adversaries can.

There is some history with not taking timing attacks seriously enough. Perhaps
careful timing observation, which the NSA is well positioned to do, could give
more of an edge than we suspect. Or perhaps you could push vendors to make
their products susceptible to this kind of attack, secure in the belief that
it may be difficult for others to detect.

[Edit 2]

I gave a talk that discussed what I think we as engineers should do here:

[https://www.youtube.com/watch?v=c7oK59DZwR4#t=1m46s](https://www.youtube.com/watch?v=c7oK59DZwR4#t=1m46s)

And Phil Zimmermann and I discussed a number of these issues in a Q&A session:

[https://www.youtube.com/watch?v=W42i8zCEizI#t=49m55s](https://www.youtube.com/watch?v=W42i8zCEizI#t=49m55s)

~~~
mrb
I think we know very well which encryption has been foiled by the NSA. This is
not speculation, but quasi-certainty: 1024-bit RSA.

- Cryptographers all acknowledge 1024-bit RSA is dead [1].

- Attack cost 10 years ago was estimated to be a few million USD to build a
device able to crack a 1024-bit key every 12 months [2].

- "Much of" the "secure" HTTPS websites use such weak key sizes [3].

- NSA had a budget of 10.8 billion USD in 2013.

Drawing a conclusion is not very hard.

[1] [http://arstechnica.com/uncategorized/2007/05/researchers-307-digit-key-crack-endangers-1024-bit-rsa/](http://arstechnica.com/uncategorized/2007/05/researchers-307-digit-key-crack-endangers-1024-bit-rsa/)

[2] [http://www.cs.tau.ac.il/~tromer/twirl/](http://www.cs.tau.ac.il/~tromer/twirl/)

[3] [https://www.eff.org/pages/howto-using-ssl-observatory-cloud](https://www.eff.org/pages/howto-using-ssl-observatory-cloud)

~~~
Achshar
I am confused. When I see HN or facebook certs they show 128 bit encryption in
the browser box. 128 bit seems pretty low.

~~~
F30
This is the size of the AES key. AES is a symmetric algorithm and 128 bit are
still considered solid there, although the trend is moving towards 256 bit.
What we're talking about here is the key size of RSA, which is an asymmetric
algorithm. If you don't know the difference, go find a basic crypto tutorial.
As you can read above, 1024 bit RSA is probably broken. I wouldn't trust 2048
bit too much as well. Also, progress in breaking RSA is happening a lot faster
than with AES.

In the context of SSL, an asymmetric algorithm like RSA is used to exchange
symmetric keys, which are used afterwards.

~~~
XorNot
That said, 256-bit isn't really that much of an improvement for AES - it's
favored since that's the US standard for Top Secret classification, but in
practice any attack which brings down AES-128 will almost certainly get
AES-256 as well. I've switched most of my SSH servers over to default to
128-bit AES ciphers since the difference in difficulty seems small enough that
it won't matter if someone actually tries targeting it and can succeed.

------
tptacek
You can't have read Applied Cryptography from the mid-90s and not understand
this to have been NSA's M.O. from the jump. Bruce Schneier, who was quoted in
the Guardian piece about the same story, is America's foremost popularizer of
the notion of NSA as crypto's global passive adversary. People who build real
cryptosystems have never, ever been allowed to rely on the goodwill of the NSA
not to cryptanalyze their systems.

Entire crypto schemes, from the RIPEMD hash to the specific parameter
generation mechanism in DSA, are premised on the idea that USG-sponsored
crypto concepts aren't inherently trustworthy. Similarly, all of Applied
Cryptography was premised on the idea that NSA was decades ahead of commercial
and academic crypto.

Of the revelations about NSA, this has to be the least revelatory (it's
up/down there with the "revelation" that NSA employs teams of people whose job
it is to break into Windows computers); it essentially restates something we
were already supposed to have taken for granted.

That's not to say this isn't a fascinating story. It is; just keep it in
context. Things to remember:

* You really want to know whether NSA is directly attacking cryptographic primitives or whether they're subverting endpoints. I think if you talk to cryptographers, you'll get a slight bias towards the belief that it's the latter: that there are implementation weaknesses at play here more than fundamental breaks in crypto.

* You want to keep in mind that breaks in cryptosystems represent _new knowledge_ , and that the enterprise of breaking cryptosystems is an issue distinct from the public policy concern of where NSA is allowed to deploy those breaks.

* Bear in mind that in the legacy TLS security model, before things like pinning and TACK, NSA would only require a viable attack on a small subset of CAs to gain (along with pervasive network taps) massive capabilities. The payoff for these kinds of capabilities is radically degraded by the anti-surveillance mechanisms of modern browsers like Chrome, which is something you probably want to be thanking people like Adam Langley, Trevor Perrin, and Moxie Marlinspike for pushing so hard to implement.

~~~
alasdair_
Can you expand a bit on chrome's anti-surveillance capabilities?

~~~
tptacek
They pin certificates, so that a CA compromise that would enable MITM attack
by the global passive adversary would be detectable (and in fact that
mechanism has already been used to detect CA compromises.)

~~~
cbr
Why do you say "passive adversary"? I wouldn't call an MITM with a fake cert
"passive".

~~~
tptacek
I wouldn't call a MITM with a fake cert an effective global attack in 2013.

~~~
socceroos
As we've already seen, NSA and other such agencies already have direct
connections into the under-sea cables that connect countries across the globe.
MITM is exactly what they do ALL THE TIME. To not see it as effective is to
miss the point of Total Information Awareness.

~~~
tptacek
This is parody, right?

------
tytso
I am so glad I resisted pressure from engineers working at Intel to let
/dev/random in Linux rely blindly on the output of the RDRAND instruction.
Relying solely on an implementation sealed inside a chip and which is
impossible to audit is a _BAD_ idea. Quoting from the article...

"By this year, the Sigint Enabling Project had found ways inside some of the
encryption chips that scramble information for businesses and governments,
either by working with chipmakers to insert back doors..."

~~~
magicalist
Was that really a seriously considered plan? I don't see how that would ever
be a suitable /dev/random replacement. Obviously it works for /dev/urandom,
but it should be added to the entropy pool for /dev/random at most.

~~~
lambda
Matt Mackall, the former maintainer of /dev/random, actually stepped down over
this issue, because Linus overrode Matt and applied Intel's patch that used
their hardware random number generator directly:

[http://comments.gmane.org/gmane.comp.security.cryptography.randombit/4689](http://comments.gmane.org/gmane.comp.security.cryptography.randombit/4689)

> It's worth noting that the maintainer of record (me) for the Linux RNG quit
> the project about two years ago precisely because Linus decided to include a
> patch from Intel to allow their unauditable RdRand to bypass the entropy
> pool over my strenuous objections.

> From a quick skim of current sources, much of that has recently been rolled
> back (/dev/random, notably) but kernel-internal entropy users like sequence
> numbers and address-space randomization appear to still be exposed to raw
> RdRand output.

Ted Ts'o later reverted this, separating out Intel's hardware random number
generation into a separate function that could be used to seed the entropy
pool but wouldn't be trusted directly as the main kernel source of random
numbers:

[http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9](http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9)
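The design point argued in this sub-thread (hardware RNG output as one input to the entropy pool versus a direct replacement for it), as an added toy model that is not kernel code and not from any poster: the pool, the `backdoored_hwrng` stand-in and all names are constructed for illustration, and SHA-256 hash-mixing is used as a simplified stand-in for the kernel's pool arithmetic.

```python
import hashlib
import os
from typing import Callable

# Added example (not kernel code): why a hardware RNG such as RDRAND is safer
# as one *input* to an entropy pool than as the pool's replacement. The pool
# below is a toy: its state is a 32-byte value mixed with SHA-256.

Source = Callable[[int], bytes]


class EntropyPool:
    """Hypothetical pool; real kernels use different mixing, the principle is the same."""

    def __init__(self, seed: bytes = b"") -> None:
        self.state = hashlib.sha256(b"pool-init" + seed).digest()

    def mix_in(self, data: bytes) -> None:
        # Hash-mixing means a source that is predictable, or even chosen by an
        # adversary, cannot *remove* unpredictability other sources already added.
        self.state = hashlib.sha256(self.state + data).digest()

    def read(self, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        # Ratchet the state so emitted bytes do not reveal what produced them.
        self.state = hashlib.sha256(self.state + b"ratchet").digest()
        return out[:n]


def backdoored_hwrng(n: int) -> bytes:
    """Constructed worst case: a 'hardware RNG' whose output its maker can predict."""
    return b"\x42" * n


def honest_os_source(n: int) -> bytes:
    """A genuinely unpredictable source; here the OS CSPRNG stands in for
    interrupt timings and the other inputs the kernel pool collects."""
    return os.urandom(n)


def direct_hwrng_output(hwrng: Source, n: int) -> bytes:
    """The contested design: hand hardware RNG output straight to consumers."""
    return hwrng(n)


def pooled_output(hwrng: Source, other: Source, n: int) -> bytes:
    """The reverted design: the hardware RNG only feeds the pool alongside
    other sources, so its output is never trusted on its own."""
    pool = EntropyPool()
    pool.mix_in(hwrng(32))
    pool.mix_in(other(32))
    return pool.read(n)


def repeats_across_boots(generator: Callable[[], bytes], trials: int = 8) -> bool:
    """True if every simulated 'boot' produces identical bytes (i.e. no entropy)."""
    return len({generator() for _ in range(trials)}) == 1


if __name__ == "__main__":
    print("direct, backdoored source repeats:",
          repeats_across_boots(lambda: direct_hwrng_output(backdoored_hwrng, 16)))
    print("pooled with an honest source repeats:",
          repeats_across_boots(lambda: pooled_output(backdoored_hwrng, honest_os_source, 16)))
```

The last assertion worth noting: when every source is predictable the pool is predictable too, so mixing protects against a bad source only when at least one other source is good.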

~~~
tytso
If Matt protested, he did so quietly/privately. I wasn't aware of the fact
that he had stepped down until the authors of the paper described in
[http://factorable.net](http://factorable.net) showed up and pointed out we
had a really bad problem for embedded devices on the internet. I had always
assumed he had gotten too busy and distracted on other interests, since I do
follow LKML, and I didn't see any kind of public debate/controversy about the
change to the random driver described above.

If I had to guess what happened, some intel people pushed this as a feature,
probably pushing it via one of the x86 git trees, and Linus either (a) didn't
notice, or (b) didn't understand the implications, and then Matt quit in a
huff --- by just stopping to do work, and not even updating the entry in the
MAINTAINERS file. (That didn't happen until I took over the random driver
again.)

~~~
lambda
Ah, here's the thread I was looking for:

[http://thread.gmane.org/gmane.linux.kernel/1173350/focus=1173517](http://thread.gmane.org/gmane.linux.kernel/1173350/focus=1173517)

It doesn't really look like he had NAKed it on paranoia grounds, but more on
design grounds; others brought up the paranoia arguments. You were even
involved in that thread, so you should have seen his stepping down, although
he didn't submit a patch to MAINTAINERS.

------
untog
_Because strong encryption can be so effective, classified N.S.A. documents
make clear, the agency’s success depends on working with Internet companies —
by getting their voluntary collaboration, forcing their cooperation with court
orders or surreptitiously stealing their encryption keys or altering their
software or hardware._

That's the money quote there- the NSA hasn't cracked encryption. They've just
put back doors in.

And we can't even be that angry at the (e.g.) Microsoft execs that authorise
the back doors- they potentially face jail time if they resist NSA requests.
All the while presumably not able to talk about the requests publicly.

EDIT: and the really fun part - did you know the former head of the NSA serves
on the board of directors for Motorola Solutions?
[http://en.wikipedia.org/wiki/Michael_Hayden_(general)](http://en.wikipedia.org/wiki/Michael_Hayden_\(general\))

~~~
philfreo
> That's the money quote there- the NSA hasn't cracked encryption. They've
> just put back doors in.

It's not like they've just gotten secret keys. They've specifically gotten
chip manufacturers to add backdoors to hardware, as well as significantly
influenced actual cryptography standards themselves:

> "The N.S.A. wrote the standard and aggressively pushed it on the
> international group, privately calling the effort “a challenge in finesse.”

> “Eventually, N.S.A. became the sole editor,” the memo says.

~~~
magicalist
Presumably that's DRBGs[1]? Does anyone actually use them in that form?

[1]
[http://en.wikipedia.org/wiki/Dual_EC_DRBG](http://en.wikipedia.org/wiki/Dual_EC_DRBG)

------
pedrocr
> _the Bullrun program, the successor to one called Manassas — both names of
> American Civil War battles. A parallel GCHQ counterencryption program is
> called Edgehill, named for the first battle of the English Civil War of the
> 17th century._

Spying on your own citizens codenamed as civil war. How nice.

> _Only a small cadre of trusted contractors were allowed to join Bullrun. It
> does not appear that Mr. Snowden was among them, but he nonetheless managed
> to obtain dozens of classified documents referring to the program’s
> capabilities, methods and sources._

Once again, the people spying on everyone suck at keeping their own secrets.
How many others have taken the information with them and sold it off instead
of leaking it?

> _In one case, after the government learned that a foreign intelligence
> target had ordered new computer hardware, the American manufacturer agreed
> to insert a back door into the product before it was shipped,_

If you're a non-US company how can you keep trusting US IT vendors? I wouldn't
want to be one of these companies' reps at Airbus for example.

~~~
brown9-2
_Spying on your own citizens codenamed as civil war. How nice._

Nowhere in the article does it state that these methods can be used against US
persons separate from other protections against surveillance on US persons,
nor does it give the impression that this is special to US persons:

 _The agency’s success in defeating many of the privacy protections offered by
encryption does not change the rules that prohibit the deliberate targeting of
Americans’ e-mails or phone calls without a warrant._

Let's keep in mind the fact that an intelligence agency is built to gather
intelligence on other governments/organizations and that often involves
breaking other jurisdiction's rules.

~~~
sshconnection
You must have been living under a rock for the past few months. Welcome to
September, where we now know that to not be the case.

~~~
unreal37
I know we're not supposed to make these kinds of comments in HN, but yours
made me laugh.

Welcome to September, where the NSA can keep any data it accidentally
collected about US persons for five years if it's plaintext. And if that data
is encrypted, it can keep data on US persons forever.

------
quotemstr
What's truly frightening is this line from the Guardian's article on the
topic:

> The NSA describes strong decryption programs as the "price of admission for
> the US to maintain unrestricted access to and use of cyberspace".

What does that even mean? That statement is at the same time paranoid,
arrogant, and subtly threatening. It's as if to say that without the ability
to decrypt interesting traffic, the NSA would be forced to take stronger
measures to curtail internet traffic.

~~~
toyg
Look at what's happening in the UK, in Australia, in France, in Italy, in
Spain... the Chinese model is winning hearts and minds of politicians
everywhere, and how could it not? If you're into politics, you likely want to
reach a Platonic ideal of harmonic society, where nobody is offended, nobody
is threatened, and all laws are perfectly respected and enacted. You can't
have that on a fully-open network. How can you keep your people from enduring
child porn and Islamic propaganda, without censorship?

So most states are slowly moving towards implementing their own little
firewalls. The only notable absence? The US. Despite occasional campaigns from
religious nutters of various sizes and shapes and continuous pressures from
commercial telcos, subsequent US administrations repeatedly affirmed that
fundamental Net freedoms would not be curtailed.

This document states that such a position is not coming from idealism or even
commercial convenience: it's a way to persuade the rest of the world to do
business over networks and protocols that the NSA can tap at will. Should this
capability be forcefully contained, there wouldn't be a political incentive to
keep the Net flowing freely through US routers.

It's a perfectly reasonable and plausible position, and that's why it's so
terrifying.

~~~
GabrielF00
Completely off-base. The US has, by longstanding tradition, had a more
expansive attitude towards free speech than Europe. Consider blasphemy laws in
the UK, which were only abolished in 2008 but would never have been
constitutional in the US. Consider laws against Holocaust denial or displaying
Nazi symbols in continental Europe that would be unconstitutional in the US.
In Germany you can be arrested for displaying a swastika. In the United
States, the courts (in National Socialist Party of America v. Village of
Skokie) allowed a Nazi group to march through a neighborhood populated largely
by Jewish Holocaust survivors. None of these have to do with controlling
networks. They have to do with the first amendment and with both jurisprudence
and attitudes towards freedom of speech that are different in the US than in
many other countries.

~~~
phaemon
> The US has, by longstanding tradition, had a more expansive attitude towards
> free speech than Europe...Consider laws against Holocaust denial or
> displaying Nazi symbols in continental Europe that would be unconstitutional
> in the US. In Germany you can be arrested for displaying a swastika.

These laws were included in the German constitution following the
"denazification" of Germany by the USA, where Nazi symbols were banned and
literature burned.

The laws against Holocaust denial and Nazi symbols were pretty much _forced_
by the USA. It's extremely ironic how often they're mentioned as an
illustration of the USA's devotion to free speech.

~~~
mpyne
> The laws against Holocaust denial and Nazi symbols were pretty much forced
> by the USA.

So why doesn't Germany remove the laws now that they've served their wartime
reconstruction purpose?

And that _is_ why they were put in, the same reason that even in the U.S. free
speech was curtailed in many areas during the American Civil War.

~~~
phaemon
Are you asking why a German politician doesn't start a campaign seeking to
alter the German constitution in favour of allowing Nazism?

I think you know the answer to that one ;-)

------
JulianMorrison
Up until very recently, the received wisdom was: the crypto wars are over, we
fought the law and the law gave up, the NSA has quit trying to crack
encryption, they have decided the USA is best strengthened by having a
reliable internet which business rival nations can't just read like the
morning's news. The NSA knows the problems in crypto and their suggestions
make it stronger against attacks we don't know. Trust the NSA.

Would that it were true! It would make sense. This makes no damn sense. Just
recently I would have ruled out huge conspiracies as implausible because they
inevitably leak (roll save against ethics how many times?). The joke's on me,
folks. The NSA has no sense. And the conspiracy leaked.

So now every single decision that was taken with help from the NSA (SELinux,
TLS, elliptic curves, etc) needs unpicking and running by a cryptographer who
isn't a shill. What a damn drag. And meanwhile, the aftershocks will run for
years trashing trust in the networked economy.

Fuckin' brilliant, NSA. You screwed the pooch. You accidentally the whole
internet.

~~~
cbr

        So now every single decision that was taken with help
        from the NSA (SELinux, TLS, elliptic curves, etc) needs
        unpicking and running by a cryptographer who isn't a
        shill.
    

Cryptographers have already been looking very carefully at everything that
comes out of the NSA. Lots of security researchers, in and out of the US,
would love to find NSA-introduced flaws.

~~~
mpyne
It would even be ironic if people's aversion to things like SELinux caused
them to use software which is even less secure, and correspondingly easier for
NSA to break. They know the long game too...

------
smutticus
Reminds me of this: [http://marc.info/?l=openbsd-tech&m=129236621626462&w=2](http://marc.info/?l=openbsd-tech&m=129236621626462&w=2)

As someone who has been following the NSA and government monitoring of online
activity for close to 15 years the Snowden leaks just keep taking the wind out
of me. It's like everything that we thought might be going on was actually
going on. When Theo de Raadt wrote the above mail I, like many at the time,
assumed it was tinfoil hat territory. I was clearly wrong.

~~~
m0nastic
In that particular instance you weren't wrong[1], but that's the problem when
stories like this come out, is that it makes it much harder to know what's a
crazy conspiracy theory and what's real.

[1] Those claims made by Greg are completely untrue. I ran the professional
services group for that company and will happily attest to whomever asks that
at no time did we insert a backdoor (or anything that could even be construed
as such) into IPSEC.

~~~
unimpressive
>Those claims made by Greg are completely untrue. I ran the professional
services group for that company and will happily attest to whomever asks that
at no time did we insert a backdoor (or anything that could even be construed
as such) into IPSEC.

Somehow I doubt if you did that you could tell us. You might even have to
_lie_ to be able to comment on that letter at all.

~~~
m0nastic
I'm still unclear on the government's ability to compel falsehoods (even the
discussions around National Security Letters seem to indicate that they
prevent disclosure, but can't require lying), but I don't think I can convince
you of that.

When all the hullabaloo around the alleged IPSEC backdoor occurred, it was
frustrating to not be able to be as open about it as I wanted (not because of
any government/security issues, but because at the time I still worked for the
company and we were advised against talking about it).

You are free to assume that even right now as I type this, a shadowy figure in
an ill-fitting Brooks Brothers suit is standing over me dictating my
responses, and then chastising me for spending my time on HackerNews.

~~~
smutticus
The effect of all of this is mistrust and suspicion of nearly everything.
Which, compared to the alternative of implicitly trusting nearly everything,
may not be a bad thing.

I'm hoping open development models(open source, peer production, peer review)
end up providing the correct institutional incentives for us to innovate away
the mistrust.

To misquote Linus: “given enough eyeballs, all backdoors are shallow.”

------
16s
Normal people don't need 256-bit symmetric encryption. That's assault
encryption and should only be used on the battlefield. 40-bits is enough and
anything over that should be banned.

I'm only joking, but the same argument is used against other technologies that
governments seek to control/dominate.

Edit: Skipjack was 80-bits I think. It was used in Clipper Phones:
[http://en.wikipedia.org/wiki/Skipjack_(cipher)](http://en.wikipedia.org/wiki/Skipjack_\(cipher\))

~~~
cromwellian
People don't take a 256-bit cryptoalgorithm into a middle school and kill kids
with it, so I don't think the analogy works exactly. Maybe if you print it out
on paper, or use a floppy disk or CD, you could cut a few people.

~~~
dictum
People who intend to enter a middle school and kill kids can hide their plans
and communications using 256-bit encryption.

Edit: Devil's advocate.

~~~
jacquesm
Or they could be loners or they could meet and communicate face to face.

~~~
bigiain
You're right. That's why I'm introducing a bill to make it illegal to have a
conversation without a certified government agent (or authorized private
contractor) present. To improve citizens' security, a rider on the bill will
also make it illegal to talk about, write about, or represent in interpretive
dance the existence of those agents.

:-/

------
albertsun
"In one case, after the government learned that a foreign intelligence target
had ordered new computer hardware, the American manufacturer agreed to insert
a back door into the product before it was shipped, someone familiar with the
request told The Times."

Wow.... this really puts all the furor over Huawei contracts in the US in
context.

~~~
pja
All that furore over Huawei contracts in the US was just projection wasn't it?
You might be _more_ secure buying your network kit from Huawei than from a
US manufacturer.

~~~
theintern
Sounds like it was justified really, the NSA know since they've done similar
things themselves that it's possible, so it's not a stretch to assume China is
doing the same thing.

------
donohoe
So at this rate are there any encryption methods that we're pretty sure that
the NSA cannot crack?

    
    
      By introducing such back doors, the N.S.A. has
      surreptitiously accomplished what it had failed 
      to do in the open. Two decades ago, officials 
      grew concerned about the spread of strong 
      encryption software like Pretty Good Privacy, 
      or P.G.P., designed by a programmer named Phil 
      Zimmermann. The Clinton administration fought 
      back by proposing the Clipper Chip, which 
      would have effectively neutered digital 
      encryption by ensuring that the N.S.A. always 
      had the key.
    

Link to Paragraph w/ highlighting: [http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all#p\[Eapdst\],h\[Bisaht,3\]](http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all#p\[Eapdst\],h\[Bisaht,3\])

Should I bother to read up on PGP?

------
Zigurd
_The N.S.A. hacked into target computers to snare messages before they were
encrypted. And the agency used its influence as the world’s most experienced
code maker to covertly introduce weaknesses into the encryption standards
followed by hardware and software developers around the world._

This is mostly a confirmation of what has been supposed: No magic, mostly
bribed and coerced cooperation from the people who should be keeping our
communications secure.

And while it doesn't do anything for the credibility of US-based companies,
N.B.: _" hardware and software developers around the world._"

~~~
devx
So, should we re-evaluate if Intel/AMD's chips (and possibly even the new ARM
ones) contain hardware backdoors for the NSA?

~~~
tubbzor
If the source code/hardware diagrams are kept private you should assume
backdoors, always, with everything. How is there any other way to know for
sure otherwise?

These government agencies are obviously dug much deeper in private industry
than many expected so I wouldn't put it past them

~~~
chris_mahan
If you see the diagram, and someone else makes the chip, how do you know the
diagram matches exactly with what's on the chip? Unless you can make your own
chip from the diagram, you still cannot be sure.

~~~
tubbzor
Very valid point, and you're right, you really would have no idea. You could
check on some devices if you knew enough about hardware to compare the
internals and the diagram, but that is a select few people.

This is why customer-company relationships and company integrity is becoming
increasingly important, and frankly not many US companies are doing well in
that regard.

------
MattJ100
Snowden claimed a while back that encryption itself was not broken by the NSA,
but that the endpoint security usually was (no surprise there):
[http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower?commentpage=1#block-51bf3588e4b082a2ed2f5fc5](http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower?commentpage=1#block-51bf3588e4b082a2ed2f5fc5)

------
w1ntermute
Can someone who actually knows about encryption comment on whether it's
actually physically feasible for the NSA to have actually broken, say, SSL 3.0
(which has 128 bits of entropy, IIRC) on a large scale (i.e., when you're
sifting through petabytes of data on a daily basis)?

And if this were really an issue, couldn't you just use 4096-bit RSA (unless
they have managed to surreptitiously insert a backdoor in it)?

~~~
kylec
SSL relies on a chain of trust, and it's prudent to assume that the NSA has
the private keys necessary to produce valid certificates that will be accepted
by the certificates that ship with Windows, OS X, Firefox, etc out of the box.

So man-in-the-middle attacks are certainly within their capability and fairly
hard to detect. As to whether the NSA can passively intercept and decrypt SSL
traffic, I don't know, but they may not need to.

~~~
joelhaasnoot
How are they hard to detect? Wouldn't solutions like certificate pinning
prevent this?

~~~
kylec
Yes, certificate pinning would alert the user to a MITM attack, but it's not
commonly used. By "hard to detect", I meant that it's impossible to see simply
by examining the certificate if it's genuine, you can only detect when the
certificate changes. And since SSL certs expire and are re-issued all the
time, it makes it a fairly large headache to continually try and guess whether
the other party changed their own cert or if you are experiencing a MITM
attack.
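The pinning approach that avoids the re-issuance headache described in the comment above, as an added example that is not from the thread or any browser: pin the SHA-256 of the server's public key (SPKI) rather than the certificate, and publish a backup pin in advance so planned key rotation is not flagged while an interposed certificate from some other trusted CA is. `Cert`, `PinSet` and all key bytes are constructed stand-ins, not real X.509 data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set

# Added example, not from the thread: HPKP-style public-key pinning. The pin
# is the SHA-256 of the SubjectPublicKeyInfo, so a certificate re-issued for
# the same key keeps matching, and a backup pin covers planned key rotation.
# Records below are constructed stand-ins, not parsed certificates.


@dataclass
class Cert:
    subject: str
    spki: bytes        # constructed placeholder for the DER SubjectPublicKeyInfo
    not_after: str     # constructed expiry, shown only to mirror re-issuance


def spki_pin(spki: bytes) -> bytes:
    return hashlib.sha256(spki).digest()


@dataclass
class PinSet:
    host: str
    pins: Set[bytes] = field(default_factory=set)   # current key plus backup keys

    def check_chain(self, chain: List[Cert]) -> bool:
        """Accept the chain if any certificate in it carries a pinned key.

        Pinning the leaf pins the server's own key; pinning an intermediate
        or root instead lets the operator change leaf keys under one issuer.
        No match means either an unannounced key change or a certificate
        for this host issued by some other CA the client also trusts.
        """
        return any(spki_pin(c.spki) in self.pins for c in chain)


# Constructed sample keys: the operator's current key, an offline backup key
# whose pin was published ahead of time, and a key certified by another CA.
k_site, k_backup, k_other = b"site-key-v1", b"site-key-backup", b"other-ca-issued-key"

pinset = PinSet(host="example.test", pins={spki_pin(k_site), spki_pin(k_backup)})

reissued_same_key = [Cert("example.test", k_site, "2014-09-05")]
rotated_to_backup = [Cert("example.test", k_backup, "2015-01-01")]
valid_but_unpinned = [Cert("example.test", k_other, "2014-09-05"),
                      Cert("Other Trusted CA", b"other-ca-root-key", "2030-01-01")]


def classify(chain: List[Cert]) -> str:
    """Human-readable verdict a client could log or surface to the user."""
    return "pin match" if pinset.check_chain(chain) else "PIN FAILURE: key not in pin set"


if __name__ == "__main__":
    for name, chain in [("re-issued, same key", reissued_same_key),
                        ("rotated to backup key", rotated_to_backup),
                        ("trusted CA, unpinned key", valid_but_unpinned)]:
        print(f"{name}: {classify(chain)}")
```

A real client would compute `spki` from the DER certificate it received and would still run normal chain validation first; pinning only narrows which valid chains are accepted.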

~~~
joelhaasnoot
Isn't it considered best practice, especially for situations where you can
control the client - i.e. banking apps on your phone?

------
dailyrorschach
This is likely a minority view, but I have no problem with the NSA being able
to break encryption, that's in fact part of their job. Decoding encryption has
long been part of their mission. I also suspect they're not alone in terms of
signals intelligence groups in having this capability.

The issue to me has always been how and what data they access and store, and
how it is used.

~~~
smtddr
I have a problem with encryption being breakable, regardless of who's doing
the breaking. I want encryption to be mathematically solid with the only
option being brute-force older-than-age-of-earth time. When we get to quantum
computing, then I don't know what we'll do...

~~~
gizmo686
Quantom computing cannot break all of crypto. Anything based on P!=NP is
believed to be secure against quantom computing, and there are several
encryption methods backed by P!=NP

~~~
mcherm
> Quantom computing cannot break all of crypto.

Correct (except for the spelling of "Quantum").

> Anything based on P!=NP is believed to be secure against quantom computing,
> and there are several encryption methods backed by P!=NP

Incorrect, well mostly. The deal is that there are problems that can be done
in "polynomial time" (how long it takes is not exponential in the size of the
key) for a normal computer (or person); the set of these is called "P", the
ones that CANNOT be done on polynomial time is "NP". And there are problems
that can be done in "polynomial time" (with reasonable limits on errors) by a
quantum computer; the set of these is called "BQP". If P = BQP it would mean
that quantum computers can (in reasonable time) solve all the same problems
that classical computers can. But in fact, P is a subset of BQP: there are
problems that are "hard" for classical computers but "easy" for quantum
computers.

An example of this is factoring numbers. Shor's algorithm is a way to factor
numbers using a quantum computer and it runs in polynomial time. Now it isn't
practical today: the biggest quantum computers in existence are hard put to
factor the number "10", much less some 40-digit monstrosity. But computers
only get better.

Fortunately, there are problems which are NOT in BQP -- problems that are hard
even for quantum computers. And these are the ones you want (not those in NP)
if you want to stymie a quantum computer.

For more details, see
[http://www.scottaaronson.com/papers/bqpph.pdf](http://www.scottaaronson.com/papers/bqpph.pdf)
or frankly ANYTHING written by Scott Aaronson
([http://www.scottaaronson.com/blog/](http://www.scottaaronson.com/blog/)).

~~~
mcpherrinm
> the ones that CANNOT be done in polynomial time is "NP".

I see you've solved one of the great open problems!

NP is defined as problems that a nondeterministic Turing machine can solve in
polynomial time. Imagine, if you will, a Turing machine that when it
"branches" always chooses the right path (or: chooses "both" without overhead).

~~~
Filligree
The latter of which sounds suspiciously like what a quantum computer does.

How sure are we that BQP != NP?

~~~
mcpherrinm
We aren't:
[https://en.wikipedia.org/wiki/BQP](https://en.wikipedia.org/wiki/BQP)

However a quantum machine that would be capable of post-selection is described
by the more powerful class PostBQP = PP, and we know that PP includes NP, so
this justifies your analogy.

I don't know much about quantum physics or quantum computing, so I may be
mistaken, but it seems to me that post-selection is more of a philosophical
construct than something that is physically possible, though.

~~~
Filligree
I've seen post-selection demonstrated in a laboratory. It definitely isn't
just a philosophical construct, except inasmuch as what it says about time
making people _want_ it to be less than real, and logic doesn't work that way.

As for whether you could make a PostBQP-capable computer, though... I don't
think so, at least in the most general case. I don't understand this nearly
well enough to be sure, but from what I've heard, tricking causality like that
has the problem that you're increasing the chance of your circuitry failing
right along with the chance of getting the right result, and quantum computers
are already hard enough.

------
junto
There is an old saying that states that a jealous husband or wife can't be
trusted. They don't trust you because they are, have, or are thinking about
fucking someone else.

When the combined '5 eyes' come out and ban Lenovo / Huawei from being used on
any of their secure networks, because of fears of back doors [1], one has to
imagine that the same is true of themselves.

The hardware is most likely backdoored as well as firmware, the OS and
installed software. I would not trust anything, even open source, because to
be perfectly honest, there are very few people who really are smart enough to
understand the in-depth cryptographic requirements. If there are people, then
they probably already work for the NSA or GCHQ.

If you want to plan a terrorist attack or become a politician or business
leader who does not want to be blackmailed, don't do anything on the internet
apart from share pictures of cute cats.

My advice to any terrorists is to go dark. Speak in private. Write it down,
pass the note and then burn it. Use old methods like book ciphers. Touch an
electronic device and they have you.

Legal note: Of course I'm not advocating 'advising' terrorists, well only the
good ones, you know those ones that we call 'freedom fighters'. The ones
western governments like to back when it suits their purposes.

[1] [http://www.infosecurity-magazine.com/view/33679/lenovo-compu...](http://www.infosecurity-magazine.com/view/33679/lenovo-computers-banned-by-the-five-eyes-spy-agencies/)

------
mindslight
I feel like these kinds of articles are meant to induce a sense of
hopelessness regarding the ability to push back against the NSA.

If it turns out one way functions actually don't exist, I'll give in and learn
to love big brother. Withstanding that, I'll continue considering
communications freedom (and all that it implies) as our manifest right and
view these types of breaks as implementation errors.

~~~
jrochkind1
You mean ability to push back _technologically_ against the NSA, right? This
sort of article makes you think you can't beat the NSA tech, they will
outsmart you.

What this sort of article does to me (unlike you, I make no claims to know
what the article was 'meant' to do, other than report the news) is make it
clear that we need to push back against the NSA _politically_ to win, make
what they are doing illegal, change the gag order laws, etc. We aren't going
to beat them technologically, but (for those of in the U.S.), it's
theoretically a democracy, we can tell them to stop.

I've seen that argument made before, several times, in essays linked to on HN.
It's a political problem, not a tech problem, that the NSA can force
corporations to install back doors and give the NSA the keys.

~~~
mindslight
The problem is technological, as deficiencies in relied-upon communication
technologies are what have allowed surveillance to scale from human
intelligence on prioritized targets to dragnet _scrutiny of everybody_. No
matter how much effort is required, "law enforcement" will always be snooping
on _some_ suspects - what we'd like to prevent is an institutionalized fishing
expedition.

You're signing up for a losing game. The myth of Democracy (tm) is another
layer of control over individuals.

1. Most people will never have a problem with what the NSA is doing. They
support the NSA's goals (tautology, since as you've mentioned, it is
responsible to the majority), and if its methods end up causing harm to enough
people, they will simply be adjusted to reduce aggregate harm (not to rule out
any possible harm). The feedback loop of democracy works on specific
actualities, not hypothetical corner cases.

2. The most memetically fit ideas are the simplest ones that elicit the
strongest feelings (see: bikeshedding). Outrage peddlers swamp the political
reception bandwidth with lowest common denominator controversy - usually
judgments on others' lifestyles.

3. Even if there is a widespread preference to reduce the scope of the NSA,
the people simply do not have the transmit bandwidth to make this preference
clearly known. And they are easily led into squandering their input on the
aforementioned manufactured controversy.

4. Elected figures don't actually run the government, the entrenched
bureaucracy does at an imperceptible glacial pace. The elected figures run
interference by making the majority believe they voted for this shit.

------
uptown
This essentially bolsters the claims in this article that the NSA has
"neutralized" SSL.

[http://rt.com/usa/allegations-nsa-tool-decrypts-https-085/](http://rt.com/usa/allegations-nsa-tool-decrypts-https-085/)

~~~
lazyjones
This "SSL Locksmith" software isn't really a top-secret NSA tool:
[http://www.accessdata.com/products/cyber-security/ssl-locksm...](http://www.accessdata.com/products/cyber-security/ssl-locksmith)

It's a MITM solution that injects fake certificates, i.e. nothing
groundbreaking and equivalent to compromised/corrupt CAs (which, as we know,
exist and are able and willing to hand out fake intermediate certs etc. to
rogue entities). The whole CA ecosystem is broken and basically snake oil and
pretty much everyone knows it.

------
16s
Some organizations have IT security departments that attempt to foil
encryption already. They use devices to terminate SSL before it leaves their
network and forge certs back to clients and basically act as a MITM for the
clients making the TLS/SSL request. They do this to inspect the traffic before
it leaves the network.

I predict that in the next 5 to 10 years, many organizations across all
industry sectors will drop/reject encrypted packets (SSL, SSH, SFTP, etc) that
they cannot decrypt. And the reason they'll give is that it makes them more
secure.

The concern I have (as a security technologist) is that most people who use
encryption are not bad, however everyone is punished and every packet must now
be inspected because a few people use encryption to do bad things. So one day
soon, I'm afraid that anyone who uses encryption will be suspect simply
because they do and the stronger the encryption, then the more suspect they'll
be.

Will it become illegal to do encryption research or use OpenPGP unless you
agree to escrow your private key or will everyone be forced to use very weak
ciphers? In today's climate (encryption is evil), I see all of these things as
very real possibilities.

~~~
wiml
Cisco firewalls, _by default_, perform a MITM protocol downgrade attack on
the SMTP sessions they see. They modify the SMTP setup to prevent the
endpoints from negotiating STARTTLS and cause them to fall back to cleartext
communication. Has been true for years.

You can turn it off... but how many admins do? If you want an example of
behavior which is completely plausibly-deniable, but which immensely reduces
internet security, this is a good one.
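
An added example (not from the thread): a client-side check of the EHLO reply that refuses to fall back to cleartext when STARTTLS is missing, which is the failure mode the downgrade above relies on. The sample replies are constructed; the all-X keyword in the downgraded one mirrors the masking that SMTP inspection middleboxes are commonly reported to apply, and treating such a keyword as tampering is this example's assumption.

```python
import re
from typing import List, NamedTuple

# An extension keyword overwritten with X's. Several SMTP inspection
# middleboxes are reported to mask extensions they do not allow this way;
# flagging an all-X keyword as tampering is this example's assumption.
_MASKED_KEYWORD = re.compile(r"^X{4,}$")


class EhloAudit(NamedTuple):
    starttls_offered: bool
    masked_extensions: List[str]   # keywords that look overwritten
    extensions: List[str]          # every keyword the server advertised


def parse_ehlo_reply(raw: str) -> List[str]:
    """Extract the extension keywords from a multi-line 250 EHLO reply
    (RFC 5321 section 4.1.1.1). The first line carries the server's domain
    and greeting; each further line starts with one ehlo-keyword."""
    lines = [ln.rstrip("\r") for ln in raw.split("\n") if ln.strip()]
    keywords: List[str] = []
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index > 0:                      # skip the domain/greeting line
            keywords.append(line[4:].split()[0].upper())
        if line[3] == " ":                 # "250 " (space) ends the reply
            break
    return keywords


def audit_ehlo(raw: str) -> EhloAudit:
    keywords = parse_ehlo_reply(raw)
    masked = [kw for kw in keywords if _MASKED_KEYWORD.match(kw)]
    return EhloAudit("STARTTLS" in keywords, masked, keywords)


def decide_submission(raw: str, require_tls: bool = True) -> str:
    """What a client should do after reading the EHLO reply. A client that
    quietly continues in cleartext when STARTTLS is absent is exactly what
    the downgrade exploits; this version fails closed instead."""
    audit = audit_ehlo(raw)
    if audit.starttls_offered:
        return "proceed: issue STARTTLS before MAIL FROM"
    if audit.masked_extensions:
        return ("abort: STARTTLS absent and masked keywords "
                f"{audit.masked_extensions} suggest a middlebox rewrote the reply")
    if require_tls:
        return "abort: server did not offer STARTTLS"
    return "proceed: cleartext (opportunistic policy, logged as unprotected)"


# Constructed replies for this example: a normal server, and the same server
# as seen through a device that has masked the STARTTLS line.
CLEAN_EHLO = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
DOWNGRADED_EHLO = CLEAN_EHLO.replace("250-STARTTLS", "250-XXXXXXXX")

if __name__ == "__main__":
    for name, reply in (("clean", CLEAN_EHLO), ("downgraded", DOWNGRADED_EHLO)):
        print(name, audit_ehlo(reply))
        print("  ->", decide_submission(reply))
```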

------
csense
Speaking as an American, it's not a problem that the capability to break
encryption exists and the NSA has it. It _really does_ make national security
stronger if your intelligence people can read enemy communications.

The problem is that the NSA apparently used those capabilities on basically
_everyone_, millions of innocent Americans whose activities should be of no
interest to intelligence agencies, not just the handful of genuine spooks and
terrorists our intelligence agencies are supposed to protect us from. (To
international people: Cosmically speaking, you're not less important than we
are, but the NSA's first responsibility is to protect and serve the USA, so
them spying on innocent Americans is _at least as bad_ as them spying on
innocent foreigners.)

And it has been shown that the NSA provided information to ordinary criminal
investigations with no links to terrorism or foreign intelligence, having
police say "it's a lucky traffic stop," where the government actually knew the
drugs were in that car ahead of time due to a decrypted phone call. This makes
a mockery of the Fourth Amendment because, when prosecutors/police lie to the
courts about the origin of evidence, the courts cannot properly answer the
question of whether their methods of gathering evidence violate the
defendant's Constitutional protection against unreasonable search and seizure.

In short, this is coming out -- which, as the article said, will weaken those
capabilities -- because the NSA went too far outside their mission scope. If
they hadn't done those two things, I'd be willing to bet Snowden wouldn't have
leaked this data.

~~~
7952
A political counter-argument is that this program may represent terrible value
for money in the long run. If we are in a security arms race this money
neither buys weapons or a defence that can't be overcome by opponents simply
buying better weapons and defences.

The NSA could have made more of an effort to harden American business and
infrastructure to attack. They could have spent the money on developing
intelligence sources who actually work for opponents instead of US telcos.
They could have fixed zero day exploits.

We are rapidly approaching a time where opponents will be able to attack
completely anonymously. American infrastructure or business could be
damaged and no one ever know who or why. If that happens cold war tactics
will seem hopelessly naive.

------
nrmilstein
Can someone elaborate on how secure the underlying algorithms still are? Most
of the NSA's "foiling" seems to be done via coercing corporations and side-
channel attacks. Are TLS, AES, etc. still thought of as secure?

~~~
dannyobrien
Bruce Schneier has seen the documents, and here's his advice:
[http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...](http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance)

~~~
nrmilstein
Saw that too. Thanks!

------
ternaryoperator
"the agency used its influence as the world’s most experienced code maker to
covertly introduce weaknesses into the encryption standards."

This is the part that truly disgusts me.

~~~
abat
I think people were speculating this on HN with this article:
[http://www.wired.com/politics/security/commentary/securityma...](http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115)

------
danso
> _The documents are among more than 50,000 shared with The New York Times and
> ProPublica, the nonprofit news organization, by The Guardian, which has
> published its own article. They focus primarily on GCHQ but include
> thousands either from or about the N.S.A._

Is this the first time we've seen a 5-digit number to describe the number of
documents Snowden has? Of course, these are just the ones used for this
story...

~~~
jlgaddis
I noticed that number as well and don't recall seeing it before, but I do seem
to recall reading something about "multiple laptops" of Snowden's. Obviously,
one can store a helluva lot of documents on three or four laptops.

------
lelf
One-page [http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet...](http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all)

------
Achshar
So does this mean they have broken or found a bug in RSA, fast enough
computers to brute force or solved the P versus NP problem. In decreasing
chances of possibility. I am also an encryption noob, so I gather that if they
have broken a crypto then my 4096 bit files will be no more secure than 1024
bit ones. Right?

~~~
_phred
The best publicly known attacks on RSA reduce the attack time by a few orders
of magnitude at best. A functional quantum CPU could reduce that by a few more
orders. Your 4096-bit RSA key is still 2^3072 times harder to break, so even
with reductions we're still talking about "heat death of the universe" amounts
of time to brute force.

RSA has issues but as of yet hasn't yielded entirely to cryptanalysis.

As the article says, it's easier to attack the system and try to get the
plaintext, or coerce you into giving up your key through legal means.

Edit: adding a link to Wikipedia's article on post-quantum crypto, it's a good
place to start understanding how to answer these type of questions:

[http://en.wikipedia.org/wiki/Post-quantum_cryptography](http://en.wikipedia.org/wiki/Post-quantum_cryptography)

~~~
pja
"Your 4096-bit RSA key is still 2^3072 times harder to break,"

No, because the difficulty of breaking RSA keys doesn't scale in the same way
as symmetric encryption. Integer factorisation is much easier than a brute
force search of the keyspace. A 1024-bit RSA key is believed to be roughly
equivalent to an 80-bit symmetric key. A 3072 bit key is about as hard to
brute force as an 128-bit symmetric key.

(Source: [http://www.keylength.com/en/4/](http://www.keylength.com/en/4/) )
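
An added worked example (not from the thread) of the point pja makes: the best public factoring algorithm, the general number field sieve, costs roughly L_n[1/3, (64/9)^(1/3)], so going from 1024 to 4096 bits buys on the order of 2^70 more work, not 2^3072. The NIST SP 800-57 equivalences are quoted as reference data; the calibration that pins 1024-bit RSA to 80 bits is a crude choice made for this example.

```python
import math

# Reference points from NIST SP 800-57 Part 1 (RSA modulus bits -> symmetric
# security bits), quoted here as reference data, not derived.
NIST_EQUIVALENTS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def nfs_work_log2(modulus_bits: int) -> float:
    """log2 of the (unnormalised) asymptotic GNFS factoring effort for an
    RSA modulus n of the given bit length:

        L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)

    Constant factors and o(1) terms are ignored, so the absolute value is only
    a rough scale; the *differences* between sizes are the useful part.
    """
    ln_n = modulus_bits * math.log(2)          # ln(2^bits)
    c = (64 / 9) ** (1 / 3)
    ln_effort = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_effort / math.log(2)


def calibrated_security_bits(modulus_bits: int, anchor_bits: int = 1024,
                             anchor_security: int = 80) -> float:
    """Same curve, shifted so the anchor modulus maps onto its accepted
    symmetric strength (1024-bit RSA ~ 80-bit symmetric by default). A crude
    calibration chosen for this example, not a standards table."""
    offset = nfs_work_log2(anchor_bits) - anchor_security
    return nfs_work_log2(modulus_bits) - offset


def extra_bits_of_work(from_bits: int, to_bits: int) -> float:
    """log2 of how much harder factoring a to_bits modulus is than a
    from_bits one, under the GNFS estimate."""
    return nfs_work_log2(to_bits) - nfs_work_log2(from_bits)


def naive_extra_bits(from_bits: int, to_bits: int) -> int:
    """The 'brute-force the keyspace' intuition from the thread: every extra
    modulus bit doubles the work (2^3072 for 1024 -> 4096). Wrong for RSA,
    because the attacker factors n instead of guessing the private key."""
    return to_bits - from_bits


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'GNFS log2':>10} {'calibrated':>11} {'NIST':>5}")
    for bits in (1024, 2048, 3072, 4096, 7680, 15360):
        nist = NIST_EQUIVALENTS.get(bits, "-")
        print(f"{bits:>9} {nfs_work_log2(bits):>10.1f} "
              f"{calibrated_security_bits(bits):>11.1f} {nist:>5}")
    print(f"\n1024 -> 4096: naive claim 2^{naive_extra_bits(1024, 4096)}, "
          f"GNFS estimate about 2^{extra_bits_of_work(1024, 4096):.0f}")
```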

~~~
_phred
Ah shoot, you're right. I'm an armchair crypto geek at best.

In any case, you can choose a public key exponent large enough to still make
it a hard problem to crack in a reasonable amount of time. Barring some huge
vulnerability in RSA that hasn't been discovered in 30 years of public
scrutiny, of course.

------
brown9-2
The most fascinating part of this article to me is this part, which proves
that even a super-secure intelligence agency can still have very weak links
that can be penetrated:

_Only a small cadre of trusted contractors were allowed to join Bullrun. It
does not appear that Mr. Snowden was among them, but he nonetheless managed to
obtain dozens of classified documents referring to the program’s capabilities,
methods and sources._

Who knows what other documents other internal hackers could have stolen?

------
chacham15
Can someone boil this down and tell me the same thing from the technical side?
I.e. what technical barriers have they managed to break (RSA, DSA, AES, etc.)
?

~~~
ternaryoperator
I think you have to assume the answer is: all.

------
lambda
> A 2010 document calls for “a new approach for opportunistic decryption,
> rather than targeted.” By that year, a Bullrun briefing document claims that
> the agency had developed “groundbreaking capabilities” against encrypted Web
> chats and phone calls. Its successes against Secure Sockets Layer and
> virtual private networks were gaining momentum.

This paragraph interests me the most.

For one, it's clear that their goal is opportunistic decryption; that is,
decrypting everything and being able to search through it, rather than
targeting known endpoints. This is an important point that a lot of people
miss when debating cryptography. While it's fairly likely that the government
can find ways to access any communication they want in a targeted manner, as
they have so many means to do so (hacking the endpoints, physically breaking
in and performing an evil maid attack, etc), widespread encryption is
generally good enough to prevent opportunistic data gathering.

The other point I note is that they only mention "web chats and phone calls"
in their breakthrough. It doesn't sound like the breakthrough is something
that works well for arbitrary SSL connections. The main link I can see between
web chats and phone calls is that they are long lived connections, with bursty
traffic (HTTP or email protocols, on the other hand, tend to stream a lot of
data at once, and then the connection is closed). I'm wondering if there's
some kind of traffic or timing analysis vulnerability that they've discovered.

Also interesting is this quote from the Guardian article:

> To help secure an insider advantage, GCHQ also established a Humint
> Operations Team (HOT). Humint, short for "human intelligence", refers to
> information gleaned directly from sources or undercover agents.
>
> This GCHQ team was, according to an internal document, "responsible for
> identifying, recruiting and running covert agents in the global
> telecommunications industry."

Various technology companies have been adamant in maintaining that they
haven't been been giving the NSA direct access to their data. However, with
HUMINT programs like this, you always have to wonder if the NSA has hired
anyone within such companies to put backdoors into their systems, without
authorization by the company. Obviously, they'd have to be subtle about it
(it's hard to install new gigabit fiber pipes to siphon off the data without
anyone noticing), but just setting up a way for the NSA to covertly run
queries, disguised as some other type of job that would normally run on the
system, would probably not be too hard to do.

~~~
malandrew

> (it's hard to install new gigabit fiber pipes to siphon off the data without
> anyone noticing)

If you have access to manufacturers that can put in back doors for you, I
reckon you don't even need your mole to install stuff for you. Instead you
just ask your mole to inform you what is going to be installed and then make
sure that the company gets backdoored systems when hardware is
installed/upgraded/replaced.

I'm wondering if datacenter monitoring utilities like the stuff Boundary[0] is
working on could be used to identify anomalies in how network hardware is
behaving versus how it should be behaving. I know that in my conversations
with cliff, they are trying to get their monitoring solution to the point
where they can visualize "the circulatory system" of a data system with the
goal of spotting things that don't look quite right.

[0] [http://boundary.com/](http://boundary.com/)

------
jashkenas
With a byline from our very own "thejefflarson" (on HN). That's a lovely thing
to see.

------
MarcusBrutus
The Allies had broken most of the Nazi codes during WWII but they still
withheld information from commanders unless the information concerned an
absolutely strategic battlefield that hung in the balance. Better suffer a few
dead or some minor setbacks than let the Germans grow suspicious and start
doubting their cryptography. Moral of the story: unless you're the next Osama
or Snowden or some major narco-trafficker it doesn't apply to you.

~~~
vkou
Or the next MLK...

------
bhauer
Out of humor and a bit of worry, I had previously posed a conspiracy theory
that the NSA/etc. had undermined (coerced, compromised, whatever) the
Internet's certificate authorities. I no longer am comfortable dismissing it
as silly humor. I worry that such a theory has about equal parts merit as not.

I now want viable open source web-of-trust encryption for the web as soon as
possible.

~~~
ihsw
The worrying part is the "etc" part of your sentence, namely that all federal
agencies in the US Government now have unrestricted access to encrypted
communications. The DEA and the IRS are only the tip of the iceberg.

If one government agency has your data then the rest of them do too.

~~~
Filligree
Oh, don't forget other governments. If the NSA can do it, China and Russia
certainly can too.

------
jacquesm
From the other article on the same subject:

"Among the specific accomplishments for 2013, the NSA expects the program to
obtain access to "data flowing through a hub for a major communications
provider" and to a "major internet peer-to-peer voice and text communications
system". "

That second one is hard to read other than 'skype'.

------
ianstallings
I really wish these guys would understand how they're impacting Internet-based
commerce. What good is controlling the Internet if people stop using it
because of privacy concerns? They seem completely unconcerned about how IT
drives the US economy and how a lack of confidence in that sector leads to bad
things.

------
jjoe
This doesn't make sense. It can't be. Why would cryptography be subject to
export regulations then? If we follow this logic, you would think export
barriers would have been brought down decades ago and use of NSA cryptography
highly encouraged worldwide.

------
joe_the_user
Can I spotlight exactly why installing backdoors in software is especially
worrisome?

Why is this not just the same as the other clever ways the smart NSA listens
in things (not that I'd like but there's something more)?

Well, the thing about backdoors is they get installed on the outside of
everyone's software/chips/machines and then ... someone _else_, someone with
less to lose than the NSA, starts to use them for more crudely nefarious
reasons, either criminal activity or spying by other nations.

All of this bears resemblance to the former USSR. Once bureaucracy claimed
unlimited political power, the next step was for the "mafiya" to take
advantage of the universal silence and surveillance.

------
Scramblejams
Single page link: [http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet...](http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all)

------
B-Con
> The N.S.A.’s Commercial Solutions Center, for instance, invites the makers
> of encryption technologies to present their products to the agency with the
> goal of improving American cybersecurity. But a top-secret N.S.A. document
> suggests that the agency’s hacking division uses that same program to
> develop and “leverage sensitive, cooperative relationships with specific
> industry partners” to insert vulnerabilities into Internet security
> products.

That sounds a lot like "the division to provide security advice was providing
advice that would make it easier for the NSA to break".

Page 4 of the article was the most interesting.

------
croddin
This thread reminds me of an xkcd comic which is a good description of what
might be happening: [http://xkcd.com/538/](http://xkcd.com/538/)

------
zorlem
I wonder if the recently discovered problems with non-unique key parameters
could be the result of the cooperation of particular network gear vendors with
NSA.

[https://factorable.net/weakkeys12.conference.pdf](https://factorable.net/weakkeys12.conference.pdf)

[https://www.usenix.org/system/files/conference/usenixsecurit...](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf)

------
josephlord
TLS/SSL has a whole bunch of options that are negotiated between client and
server to find one that they can both accept. I speculate that some of these
may be badly broken by the NSA but the exact ones haven't been revealed so we
don't know which ones need taking off the table.

Is there anything unusual about the cipher options offered by NSA/GCHQ
servers? Or any recent changes at The NYTimes or Guardian's servers.

------
pyaniv
Just shame on the rest of countries around the world to let the USA control
and abuse the internet and all relevant technologies. Every major chip, OS and
software is created in the USA. If people elsewhere lack the brains and
innovation of USA, they should accept the consequences. Of course, I'm part of
the dumb ass rest of the world.

------
pdonis
As is usually the case with an article in the mainstream media, the most
interesting part is what _isn't_ in it. If much Internet traffic is
vulnerable to the NSA (and to the UK's GCHQ), doesn't that imply that much
Internet traffic is also vulnerable to other governments? Such as, oh, say,
China and Russia?

------
conorh
It always seemed likely to me that governments can generate fake trusted certs
for browser TLS traffic and then man in the middle the traffic, but what are
the likely modes of attack otherwise? I don't really see what they are from
this article - do they have a database of keys they have acquired nefariously?

------
jlgaddis
If you need me, I'll be off changing every password that I've ever stored in
LastPass (incidentally enough, I just realized that their Corporate HQ is just
outside Washington, D.C.).

------
abeinstein
So, NSA has solved P vs NP and they're just not telling us?

~~~
lurkinggrue
What they have is a bunch of telepaths in tanks that can see dimly into the
future and they recover the keys.

------
ChrisAntaki
The NSA promises to make our country stronger, then they purposefully weaken
it. Then they name the programs after battles in the Civil War.

------
peterhunt
Where are the original documents (primary sources)?

------
induscreep
I am not really concerned about this encryption business...but have they
managed to solve P=NP in the process of cracking crypto algos??

------
codex
I wonder if RHEL and Ubuntu distros have NSA/FBI root kit backdoors in their
kernel binaries and/or subscription services.

~~~
SEMW
You think no-one's tried recreating various distros' binaries from their
published source, to check they're the same? E.g. Jos van den Oever did that
for Debian, Fedora, and OpenSUSE here[1].

Which isn't to say that backdoors inserted into the binary that aren't in the
published source are impossible, only that they need something more subtle
than the crude/easily-detectable 'merge backdoor, compile, ship'. Something
like a Ken Thompson 'Trusting Trust'[2]-style attack. (Though there are ways
of at least having a good chance of detecting even those - see [3]).

(More likely, IMHO, are just deliberately-introduced, plausibly-deniable bugs
in the source - think [4]. Yeah, they might be found & reported by an outsider
reviewing the source, in which case you thank them, fix it, and introduce
another couple somewhere else next week).

[1] [http://blogs.kde.org/2013/06/19/really-source-code-software](http://blogs.kde.org/2013/06/19/really-source-code-software)

[2] [http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

[3] [http://www.dwheeler.com/trusting-trust/](http://www.dwheeler.com/trusting-trust/)

[4] [http://underhanded.xcott.com/](http://underhanded.xcott.com/)

------
csense
> In effect, facing the N.S.A.’s relentless advance, [Lavabit] surrendered

I disagree with this characterization. Surrendering to the NSA would be
Google/Facebook/Microsoft's approach of unconditional cooperation. Lavabit's
refusal to work with the NSA -- even though apparently the only alternative
was shutting down their business or going to jail -- is more along the lines
of a scorched earth retreat (destroying your own stuff when you can't hold the
line).

------
wildster
It would be so damaging for Intel or AMD if a credible leak revealed they had
backdoors built in, is it this really conceivable?

------
jonknee
> The N.S.A. hacked into target computers to snare messages before they were
> encrypted.

I wonder which computer viruses belong to the NSA.

~~~
wvenable
Windows, Mac OS, Android, iOS, Symbian, and any Linux distribution you haven't
culled together and compiled yourself.

~~~
__david__
> ...any Linux distribution you haven't culled together and compiled yourself.

And maybe even ones you have compiled yourself "from scratch":

[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

------
solnyshok
Knowing what kind of encryption NSA uses internally, can tell all about what
is compromised and what's still secure.

~~~
jlgaddis
Every publicly known cipher is compromised then? The ciphers that the NSA
primarily uses (internally) are classified.

~~~
solnyshok
Wouldn't it be logical for them to use ciphers that they do not know how to
compromise yet?

------
vasilipupkin
I am saddened by how out of control this is

------
eggoa
So the Feds mandate data security, e.g. HIPAA, and then actively subvert our
ability to achieve that security.

------
16s
If we are going to vilify encryption, then we should just stop teaching math.
That's all encryption is.

~~~
Cyranix
That is a really weird conclusion to draw from this article. I don't know who
you think is "vilifying" encryption as an application of mathematics.

------
w_t_payne
Wow .... so SSH is broken? Wow ....

------
ivarv
Shouldn't this result in a drastic devaluation of crypto currencies like
bitcoin?

------
Mordor
All the more reason for choosing Chinese own brand.

------
lurkinggrue
Best to only use Open Source encryption software.

~~~
outside1234
yeah, cuz there's no way the NSA could contribute code to that too.

~~~
kamjam
It might be time for the community to do some thorough code audits on stuff
like this... :(

------
dictum
_"The NSA is just doing its job."_

~~~
w_t_payne
In a sense, yes. In fact, it is good that they put the effort into breaking
these systems, and good that Snowden let us know about it. Now we know that
the vulnerabilities exist, we can go about fixing it.

------
yuhong
"Cryptographers have long suspected that the agency planted vulnerabilities in
a standard adopted in 2006 by the National Institute of Standards and
Technology, the United States’ encryption standards body, and later by the
International Organization for Standardization, which has 163 countries as
members."

Wonder if it is referring to the Dual_EC_DRBG RNG.

~~~
lambda
Well, it goes on to say "Classified N.S.A. memos appear to confirm that the
fatal weakness, discovered by two Microsoft cryptographers in 2007, was
engineered by the agency." The Dual_EC_DRBG vulnerability was revealed by two
Microsoft researchers in 2007:
[http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)

So I'd say yes, it sounds like that's what they're talking about.

Speaking of which, I'm really quite frustrated how many of these recent
reports about the NSA elide the technical details. You have to read between
the lines to figure out what's really going on, what weaknesses there really
are.

As a matter of security, it would be better to know specifically what
vulnerabilities there really are. Merely the announcement of vulnerabilities
can allow a dedicated black-hat to find and exploit it; but someone who's
trying to secure their system, and isn't following cryptography incredibly
closely, won't know what they need to do or change to make their systems more
secure against these types of attacks.

There's a reason that the security community advocates for full disclosure (or
at least responsible disclosure, if it's possible to selectively disclose to a
few vendors so they can do a coordinated release that fixes the vulnerability
before it becomes public), in which you completely disclose a vulnerability so
people aren't left guessing about it.

~~~
mcherm
> Speaking of which, I'm really quite frustrated how many of these recent
> reports about the NSA elide the technical details.

Are you? Well please sign up to work for the NSA, learn the technical details,
then go public with them. The reason that the NYTimes isn't publishing the
technical details is because they DON'T KNOW THEM. (They might not publish
them if they did.) They don't know them because Edward Snowden was a system
administrator, not a cryptography expert, and he's releasing memos about the
process.

~~~
john_b
From the article:

> _"Intelligence officials asked The Times and ProPublica not to publish this
> article, saying that it might prompt foreign targets to switch to new forms
> of encryption or communications that would be harder to collect or read. The
> news organizations removed some specific facts but decided to publish the
> article because of the value of a public debate about government actions
> that weaken the most powerful tools for protecting the privacy of Americans
> and others."_

NYT, the Guardian, etc do have access to these details, but chose not to
publish them.

~~~
mcherm
They say that they were asked not to publish at all, but did so anyway and
chose to remove some specific facts. I don't understand how you get from that
to concluding that they know (and are suppressing) the particular
vulnerabilities that the NSA is exploiting.

------
consonants
I want to take a step away from the personal privacy violations here, and
approach from an angle that (unfortunately) would motivate those with money to
lobby against this: your business secrets are out there being collected and
reviewed by an organization composed of the smartest and most secretive people
in our country.

There really should be no doubt at all that there is corporate espionage and
insider trading going on. On one hand, if the NSA approached this with giving
helpful 'heads up' when a US-based multinational's overseas factory might be
planning to strike, or provide their foreign competitors' private dealings etc
etc, they could win brownie points.

But you know it won't stop with screwing around with overseas business. If
they are not already, you can bet that internal insider information is going
to be traded and sold. You can't trust a rogue, so as long as it is not
dismantled they are indirectly if not directly a hostile threat to your
ability to conduct business.

------
wfunction
I've taken a look at half the article so far and still can't find a single
_specific_ example of a "backdoor".

The entire thing seems hand-wavy.