
The NSA is not made of magic (2014) - CapacitorSet
https://www.schneier.com/blog/archives/2014/05/the_nsa_is_not_.html
======
anvandare
Part of the security of observation comes from the observed not knowing
whether or not they are being watched. The Stasi (as well as every other
secret police) never had the manpower to keep eyes on everyone. (Of course,
that was before massive computational power, widespread cameras, voluntary
personal trackers (cellphones), facial recognition AI, etc.). They had to rely
a lot on reputation and fear to get their job done (securing the state). It's
in the NSA's interests to make themselves seem spooky and magical.

The encryption algorithms themselves might be unbreakable, but there are so
many other stages involved in communication. And all it takes is one weak link
in the chain, one tiny mistake or opening, and humans make plenty of those.

No, the magician did not look at you picking your card, but he found a way
(based on your inherent inability to be fully attentive to everything) to
figure it out anyway.

Then again, maybe they do have magic and it's a massive triple bluff. Or
maybe...

~~~
skummetmaelk
If Stasi had had todays technology, the wall would never have fallen.

~~~
jacquesm
Well, that I'm not sure of because the wall rested for a pretty big chunk on
the iron fist of the Soviet Empire while it lasted but there definitely would
have been far fewer successful escapes from Eastern Germany to the West.

------
empath75
I think you can make an analogy to actual magic, in that a lot of magic tricks
only work because the audience doesn't know the extent to which the magician
will go to fool them. They'll use stooges, lie to you, glue magnets to playing
cards, eavesdrop on the audience for mentalism tricks, etc.

Similarly, the NSA can accomplish what would seem like magic by doing brute
force stuff like tapping an undeground cable with a submarine or getting you
to hire moles into your organization, or just plain breaking and entering. 10
billion dollars may not buy you a lot of computers but it buys you more man
hours than their targets can ever hope to expend on protecting themselves.

~~~
Zigurd
Quite so. You can say "there is no magical technology for bridging air gaps."
Unless you include suitcases full of money to compromise the people traversing
those air gaps. Beyond being reasonably certain the NSA can't break strong
encryption to access data at rest in situations where the key can't be bought,
this is some comfort, but not a lot of comfort.

~~~
strictnein
I mean, there's quite a few ways to communicate between air gapped systems.
The biggest difficulty is getting your code running on the internal air gapped
system, so it can talk back to the first system. And transmission methods are
typically pretty slow.

A recent public example, but there's lots of other techniques:
[https://www.youtube.com/watch?v=ZD8CNxYe5dk](https://www.youtube.com/watch?v=ZD8CNxYe5dk)

Paying lots of money to access data at rest would really be more under the
CIA, to be honest. The CIA is, theoretically, only supposed to go after data
at rest, and leave all the sigint to the NSA.

~~~
BigJono
Has anyone else noticed a small 'click' when scrubbing to a section of that
video where data is being transferred. I'm assuming that's not co-incidental?

------
Jabbles
[https://arstechnica.com/information-
technology/2012/06/flame...](https://arstechnica.com/information-
technology/2012/06/flame-crypto-breakthrough/)

Sounds like "super-secret cryptanalysis" to me. That was 2012 and Schneier was
writing in 2014. I wonder what would qualify as magic to him?

~~~
mikeash
SHA-0 is another good example. It was withdrawn and replaced with the tweaked
SHA-1 for no apparent reason. Years later techniques were discovered that the
tweak defended against.

DES also defended against a technique that wasn’t developed in the public
until two decades later. That technique was originally developed at IBM and
NSA merely convinced them to keep it secret, so I’m not sure how that
qualifies.

Edit: Schneier has written about these before, of course. I wonder if his
point here is not that the NSA was always boring, but rather that its lead is
way less impressive than it once was.

~~~
monocasa
Also the Diffie-Hellman attack that we only knew about because of Snowden.

[https://weakdh.org/imperfect-forward-secrecy-
ccs15.pdf](https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf)

~~~
tialaramex
Did you have a link that somehow relates this to Snowden?

~~~
bangonkeyboard
Section 4.2 of that selfsame link.

~~~
tialaramex
Thanks, nobody to blame for not seeing that but me.

------
lallysingh
He's right, of course. I went through the docs when they came out and was
seriously underwhelmed.

But with all the people (e.g. costs) NSA has, I don't think much of their
budget goes to the kind of blue sky research you need to make their own magic.

~~~
killjoywashere
If you read Michael Hayden's book, one gets the sense a lot of the NSA is farm
work. He had to buck the system from above to find bands of "young Turks" in
the organization and empower them. The problem of managers afraid of letting
good people executeis everywhere.

------
bangonkeyboard
Schneier likened NSA crypto to alien technology just a few days ago [0], which
I guess is not technically magic.

[0]:
[https://www.schneier.com/blog/archives/2018/04/two_nsa_algor...](https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html)

~~~
dfox
What he probably means by this is that lot of NSA-designed crypto contains
somewhat weird design choices and it is interesting to try to find out what is
rationale behind such choices. One well-known example of this are DES S-boxes,
while the somewhat complex key-schedule of Speck/Simon is also interesting
(both algorithms use essentially same feistel network for both key schedule
and main cipher). Another interesting thing is NSA's tendency to design
cryptographic primitives with explicit key checksums byked into them (parity
bits in DES, BATON with 320bit key out of which 160bits (!) apparently are
checksum...).

~~~
Rebelgecko
What makes Simon/Speck more complex than something like Chacha20? They seem to
be based on the same operations, just shifted around and with some slightly
different bit shifts

------
onetimemanytime
Magic it is when a country with $20 Trillion GDP is behind you...and not just
with money, but with everything.

Are you a US telecom and help the NSA? DOJ will not bother you for a lot of
things

~~~
sillysaurus3
[https://en.wikipedia.org/wiki/Joseph_Nacchio](https://en.wikipedia.org/wiki/Joseph_Nacchio)

 _He was convicted of 19 counts of insider trading in Qwest stock on April 19,
2007[1] – charges his defense team claimed were U.S. government retaliation
for his refusal to give customer data to the National Security Agency in
February, 2001.[2] This defense was not admissible in court because the U.S.
Department of Justice filed an in limine motion,[3] which is often used in
national security cases, to exclude information which may reveal state
secrets. Information from the Classified Information Procedures Act hearings
in Mr. DiNaccio 's case was likewise ruled inadmissible._

------
jessaustin
[2014]

Otherwise the references are a bit confusing...

~~~
sctb
We've updated the headline. Thank you!

------
whataretensors
They want to create magic with regulation like gdpr that removes the ability
for other organizations to have as much data. NSA-types are trying to appoint
themselves as the only people able to massively collect data with no opt out.

~~~
jacquesm
Legislation like the GDPR makes it harder for outsiders to get at the data
that companies have _including_ NSA like entities. This is because companies
will spend - for the first time ever - some serious $ on getting their stuff
secured rather than to see security as some hard to avoid theater they need to
take part in. You can already begin to see the difference and the law hasn't
even come into effect yet.

~~~
gleenn
Personally, I've seen companies holding back waiting to see how GDPR actually
pans out in courts before investing in fixing things, albeit my view is pretty
anecdotal. Where have you seen companies being proactive?

~~~
jacquesm
Well, if they like playing the lottery that's their problem. The companies
that I see that are being pro-active are the companies that pass by - one per
week, regular as clockwork - in my practice. So far all the companies I've
looked at this year so far had a GDPR impact study or something closely
resembling it done. Quite a few had engaged outside help but also plenty of
them did their own homework and the vast majority had already made changes to
their applications and processes to get closer to being compliant.

