
On the new Snowden documents - donmcc
http://blog.cryptographyengineering.com/2014/12/on-new-snowden-documents.html
======
AlyssaRowan
Snowden pretty much had _root_ - he had access to more or less everything
that wasn't airgapped, including things the NSA wasn't supposed to have direct
access to as part of their data-sharing agreements. (Of course, some ECIs
presumably _are_ airgapped - but _much_ less than you probably expect these
days.)

Not everything is being published, however. There are details from GCHQ STRAP3
(location of individual listening sites) but only STRAP2 documents, and all
details of personnel and telephone numbers have been redacted by the
journalists (perhaps a little too broadly - for example as in the GCHQ "refer
requests for disclosure to" telephone number, you could actually Google it! I
think they know by now, however <g>). Snowden wanted to end mass surveillance
and sabotage of public security products; not reveal their cryptanalytic
advantage to targets. It's the journalists who are doing most of the
selection, I gather - but they've seen the whole haul, including what is _not_
being published, and the picture is consistent, though (yes) incomplete.

My impression has been for some time that their cryptanalytic advantage is not
actually vast, but their operational resources truly are. Throwing money at
things doesn't magically give you breaks to the DLP - but it totally can buy
you computing resources that can break 1024-bit Diffie-Hellman. (It mentions
Cavium cores - suggesting large, parallel RSA/DH-optimised multipliers were on
their HPC shopping list. They are much faster at 1024-bit than higher.) It can
buy you insiders, or let you conduct operations that threaten or coerce
insiders, or conduct astroturfing campaigns to frighten people away from
encryption you can't break, or further the goals of your agency (which do not
necessarily align with the government paying your way - it's not so much
"oversight" as "don't get caught doing anything you shouldn't"). You can throw
(a lot of) money at military contractors and hope some malware-by-committee
comes out that you can use to hack anyone that looks interesting, grab
intelligence or keys, or any of the above. And they typically attack from
_every_ angle at once.

My take on the HPC resources is that they're mostly used as brute force
CPU/GPU power for low-entropy situations - anything where passwords are
involved may be vulnerable. Email an encrypted DOC, ZIP or RAR file to
someone? They're going to at least _try_ it as a matter of course, even _en
masse_, but they're not going to give it much juice unless you're tasked.

Money can't give you magic. However you very, very rarely need magic.

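The mass, low-effort password cracking described in the comment above, as an added example (editor's code, not from the comment or from the blog post it discusses). The header layout, the KDF parameters, the "password-check" verifier string and the wordlist are all constructed for this illustration and do not describe any real archive format; the point is that once a file's protection rests on a password, the attacker never touches the cipher, and the work factor is the password's entropy times the KDF cost. A guess budget models "try it as a matter of course, but don't give it much juice".

```python
"""Offline dictionary attack against a password-protected blob (added example).

Constructed model of how archive formats let a reader verify a password
before decrypting: a key is derived from the password and a key-check value
(a MAC over a fixed string) is stored in the header. Anything of that shape
is an offline-checkable oracle, so the cost of recovering the file is bounded
by the password's entropy, not by the cipher. Format and parameters here are
assumptions for the demo, not any real ZIP/RAR/Office header.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 20_000          # assumed; real formats range from 1 to millions
CHECK_LABEL = b"password-check"  # assumed fixed string the verifier is computed over

# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "letmein", "qwerty",
            "Summer2014", "welcome1", "dragon"]


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; the KDF only sets the per-guess price."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def protect(password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Build a header with salt, iteration count and key-check value."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    verifier = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check(header: dict, candidate: str) -> bool:
    """Does this candidate open the header? Same work as a legitimate open."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, header["verifier"])


def crack(header: dict, wordlist, max_guesses=None):
    """Try wordlist entries in order until one opens the header.

    max_guesses is the 'juice' the attacker is willing to spend on this one
    file. Returns (password_or_None, guesses_made).
    """
    guesses = 0
    for word in wordlist:
        if max_guesses is not None and guesses >= max_guesses:
            break
        guesses += 1
        if check(header, word):
            return word, guesses
    return None, guesses


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to enumerate every password of a uniform space.

    Shows why the entropy of the password, not the KDF, is what matters once
    the attacker has hardware to throw at it: 26**8 is tiny next to any key.
    """
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    weak = protect("Summer2014")
    strong = protect("correct-horse-battery-staple-7Q")
    print("full effort on weak:", crack(weak, WORDLIST))
    print("3-guess budget on weak:", crack(weak, WORDLIST, max_guesses=3))
    print("full effort on strong:", crack(strong, WORDLIST))
    print("8 lowercase chars at 1e9 guesses/s: %.0f s" %
          seconds_to_exhaust(26, 8, 1e9))
```

The interesting knob is the KDF cost versus the guess rate: raising the iteration count buys a linear factor, while adding a character to a random password buys a multiplicative one, which is why a short password stays breakable no matter how the archive is encrypted.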
~~~
bsimpson
Ed had root, but I don't think he took everything. Moreover, some of the news
orgs were intimidated into destroying their copies both before and after the
release started. I don't think the news orgs know everything.

It doesn't take away from your larger point, but we can't presume they know
more than they've published. They probably do, but we don't know what they
know and what they don't (either because it was omitted or destroyed).

------
huhtenberg
One thing to keep in mind.

It's inherently dangerous to assume that NSA doesn't pay much of attention to
the breaking of fundamental crypto math based on these documents.

If they _did_ find a practical weakness in RSA and such, I think it's safe to
assume it would be assigned the highest level of secrecy and simply won't be
in range of Snowden's document sweep.

~~~
revelation
This seems to be a recurring argument: they have RSA breaking magic sauce in a
safe in a bunker in a fort.

If they do indeed - surely they would at least employ it in the backend to
decrypt data? The documents we are seeing are geared towards analysts and
provided from the groups implementing various attacks/capturing/decryption
functionality. They wouldn't even have to reveal anything - just "give us
data, we'll send you back decrypted results". Yet they frequently set rather
low expectations for decryption. And then there's the organizational question.
Why have groups targeting VPNs, IPSec, HTTPS etc. when breaking RSA gives you
a golden key to any of these?

What I'm saying is these arguments routinely devolve into "it's so secret,
they can't tell their own employees or analysts and they can't use it for the
capability could be leaked". At that point the consequence is that the magic
RSA breaking sauce becomes pointless as you can't use it, certainly not for
the objective the NSA has spent the last decade on: capture everything.

~~~
jmhobbs
I see it like the judicious use of signals intelligence in WWII. If you use it
for everything, you risk tipping the enemy off that their crypto is broken.
You have to balance the benefit from the inherent knowledge leak from using
it.

I'm not saying they have it, but if they had it, they would be foolish to use
it all over instead of only on key targets.

------
diminoten
Overall I'd like to commend the writer of this document on what has been by
far the most neutral writing I've ever seen on this topic. The writer still
takes jabs at the NSA here and there (NSA and Tor, for example), but generally
the tone is very neutral.

~~~
smtddr
I think part of the reason for this is that his audience hardly needs
convincing at this point. If you're a software-security-enthusiast you'll want
to know how security is being broken regardless of whether it's ethical. If for
no other reason than to know how to make stronger security in the future. If
you are a Snowden-supporter you don't need convincing. If you're just a
security-aware "regular" person, you'll also be interested in what is and
isn't broken in the world of encryption. If you don't care about any of this,
like most of my family, you won't be reading this article. If you're still
anti-Snowden and/or pro-NSA after all the stuff that has come out then you're
probably hardcore/immovable in your position and you believe deep down that
foreign terrorists are plentiful and out to destroy USA - in which case, this
author can do nothing to convince you otherwise.

~~~
minimax
There are plenty of people out there who aren't paranoid xenophobes that think
what Snowden did was wrong. I think Marc Andreessen and Benedict Evans from
a16z are probably two names most HN readers would recognize. Edward Lucas (a
reporter for the Economist) does a pretty decent job making a case against
Snowden in his book The Snowden Operation.

[http://www.amazon.com/The-Snowden-Operation-Greatest-Intelli...](http://www.amazon.com/The-Snowden-Operation-Greatest-Intelligence-ebook/dp/B00I0W61OY)

~~~
smtddr
I'm not sure I want to engage into a debate about Snowden's actions at this
stage of the game but that book's introduction seems to fit my description of
a pro-NSA / anti-Snowden person. At least the opening paragraphs. It's up to
the rest of HN to read that intro and see if they disagree with me and see
something else in those words that I'm not seeing.

EDIT: I will acknowledge that the paragraph starting with _"This book is not
based on complacency about the status quo"_ does indicate, at least to me,
that he's not 100% anti-Snowden though. Perhaps I could grossly, and only
based on the intro, paraphrase his opinion as _"Snowden just took things a
bit too far"_. I can see that as a reasonable position to take. Even I don't
think USA should just shut down all secretive intelligence and pretend that
there are zero terrorists.

~~~
minimax
_If you're still anti-Snowden and/or pro-NSA after all the stuff that has
come out then ... you believe deep down that foreign terrorists are plentiful
and out to destroy USA._

I was taking issue with that bit. There are good reasons to think what Snowden
did was wrong that don't involve paranoia about "plentiful" terrorists. You
could, for example, draw a distinction between responsible whistleblowing and
irresponsibly fleeing to a foreign country with literally thousands of
classified documents.

~~~
nishonia
You know that "responsible whistleblowing" has failed multiple times in the
past, right? Anybody who is upset with Snowden for not repeating the same
pattern that failed to change anything, except the destruction of the
whistleblower's life, is either unfamiliar with history or just completely
illogical.

------
jostmey
I find the story very telling. The NSA is one of the largest employers of
mathematicians, and yet it appears that the NSA has had more success simply by
using backdoors.

I have to wonder if academic progress (like defeating cryptographic
algorithms) can be achieved under a climate of secrecy. Without the free
exchange of ideas and knowledge, how much progress can be had?

~~~
fredgrott
Math can only get so far... for example, RSA keys have a brute-force
weakness... 25% of the keys can be brute-force guessed if you do not worry about
validating primes when using one of five methods for guessing primes and just
rely on huge computation power... hence US gov entities in 2010 suggesting the
move to other key systems.

Whereas the new key system relies on hardening of packaging to offset any
flaws in the one-way functions.

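The comment above is vague about the mechanism by which sloppy prime generation makes RSA keys cheap to break in bulk. The best-documented case is moduli that share a prime because the generator had too little entropy when the first prime was drawn (the "boot-time entropy hole" found across TLS and SSH hosts in the 2012 "Mining Your Ps and Qs" and "Ron was wrong, Whit is right" studies); one gcd then factors both keys with no cryptanalysis of RSA at all. The following is an added example (editor's code, not from the comment or the blog post). The weak key generator, the toy 48-bit primes and the seed arithmetic are constructed for the demo; real keys are 1024 bits or more, but the gcd step costs the same microseconds per pair.

```python
"""RSA keys broken in bulk through a shared prime (added example).

Models two devices that generate their RSA key before the RNG has real
entropy: the first prime depends only on a tiny boot seed, so devices with
the same seed get the same p. Entropy arrives afterwards, so q differs.
gcd(n1, n2) then recovers p and both private keys. Key sizes and the
'entropy' model are toy-sized assumptions for a runnable illustration.
"""
import random
from math import gcd

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact MR below ~3e24


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the sizes used here (demo only)."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def weak_keygen(boot_seed: int, later_entropy: int, bits: int = 48, e: int = 65537):
    """Constructed low-entropy key generator.

    p is drawn from an RNG whose whole state is `boot_seed` (assumed tiny);
    q is drawn after `later_entropy` has been mixed in. Returns (n, e, p, q);
    a real device would of course only publish (n, e).
    """
    rng = random.Random(boot_seed)
    p = gen_prime(bits, rng)
    rng.seed(boot_seed * 1_000_003 + later_entropy)   # entropy arrives too late
    while True:
        q = gen_prime(bits, rng)
        if q != p and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, p, q


def factor_via_shared_prime(n1: int, n2: int):
    """If two moduli share a prime, return (p, q1, q2); otherwise None."""
    g = gcd(n1, n2)
    if g in (1, n1, n2):
        return None
    return g, n1 // g, n2 // g


def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod phi(n); pow with -1 needs Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n1, e, _, _ = weak_keygen(boot_seed=7, later_entropy=1234)   # device A
    n2, _, _, _ = weak_keygen(boot_seed=7, later_entropy=98765)  # device B
    p, q1, q2 = factor_via_shared_prime(n1, n2)
    d1 = private_exponent(e, p, q1)
    m = 0xC0FFEE
    print("shared p:", p)
    print("decrypts:", pow(pow(m, e, n1), d1, n1) == m)
    n3, _, _, _ = weak_keygen(boot_seed=8, later_entropy=1)      # good seed
    print("unrelated key:", factor_via_shared_prime(n1, n3))
```

Against a real corpus one does not run gcd on every pair; a product tree and remainder tree (batch gcd) checks millions of moduli against each other in time close to linear in their total size, which is why this attack is a scanning problem rather than a number-theory problem. Note also that it says nothing about RSA's security when primes are generated with adequate entropy: the defect is in key generation, not in the one-way function.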
------
diminoten
I wonder why the writer claims the recommendations of the presidential review
council have been "largely disregarded". Do we know that's the case?

------
nl
_During the period in question, we know of at least one vulnerability
(Heartbleed) that could have been used to extract private keys from software
TLS implementations. There are still other, unreported vulnerabilities that
could be used today._

His analysis that there are unreported vulnerabilities in TLS implementations
sounds definitive enough to think he knows some of these vulnerabilities.

~~~
Decade
Not at all. Given the history of TLS implementations, I would call "There are
exploitable vulnerabilities" the null hypothesis, and require extraordinary
proof that a particular TLS implementation doesn't have vulnerabilities.

~~~
nl
Perhaps, but this is an academic security researcher we are talking about. To
generalise massively, academics are very deliberate and conservative in their
language.

If he wasn't aware of at least one unreported exploitable vulnerability then I
would expect him to say "There are _almost certainly_ still other, unreported
vulnerabilities".

~~~
tedunangst
I don't think the crypto engineering blog is where Prof. Green publishes his
very conservative academic writing. It's a blog, not a refereed paper.

~~~
tptacek
His academic communication mostly happens on Twitter.

