
NOBUS (Nobody but Us) - apsec112
https://en.wikipedia.org/wiki/NOBUS
======
andrewflnr
I've wondered occasionally if Rijndael was chosen over the other AES finalists
so that the NSA would have a NOBUS backdoor in the form of the whole s-box
timing side channel thing. Is there any good info/commentary on that
possibility?

~~~
ggm
It's impossible to prove absent a Snowden-class leak. The premise is they have
secret knowledge. Maths is inductive reasoning; they might have a non-
inductive insight into a thing which exposes a magic key to them, but they
have to do a risk analysis that the bad guys (tm) can have the same AHA moment
and secure the same advantage.

In this space, I feel about the only public evidence would be when the NSA
feel the protocol cannot be trusted for government use, where the primary risk
is other-state actors.

I also feel the blurring of the role for the agencies here does nobody any
favours. NOBUS confers a specific advantage which massively undermines your
own position in the longer term for tactical advantage now. I would probably
be told by wiser heads that tactics trump strategy, but when you face 20-50 year
relationships and you burned your partners 15 years ago, that tactical win can
be a bit of a problem.

The UK did this with Enigma: kept their insight secret and handed the captured
units to the Commonwealth governments. They did not help their own cause in
the 1960s independence wars; trust was close to zero. I have no evidence the
ability to decrypt their signals helped or hindered, btw. It's conjecture on my
part.

~~~
badrabbit
Could they simply use a different S-box? Or can specific implementations be
written to avoid the vuln?

You also have to keep in mind, AES is class-B crypto; the only publicly known
class-A ciphers are decades older than AES.

~~~
alephnil
The S-box is a part of the definition of AES. If you change it, it is no longer
AES, and the new algorithm (that may well have vulnerabilities) is no longer
compatible with the cryptographic protocols that specify that they use AES
as a cipher.
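
The "S-box timing side channel thing" raised at the top of this thread, as an added example (not code from the page or from any poster): the standard AES S-box is normally implemented as a 256-byte table indexed by plaintext XOR key byte, so which cache line the lookup touches depends on the secret; the table-free version below evaluates the same S-box with fixed arithmetic only. The S-box, the GF(2^8) reduction polynomial and the affine constant 0x63 are the FIPS-197 definitions; the 64-byte cache line size, the function names and the sample key/plaintext bytes are assumptions constructed for the example.

```python
"""Added example: why an S-box table lookup leaks through cache timing, and a
table-free constant-time evaluation of the same AES S-box.
Function names, LINE_SIZE and the sample bytes are constructed for this example."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
    Fixed 8 iterations and bitmasks instead of data-dependent branches."""
    p = 0
    for _ in range(8):
        p ^= a & -(b & 1)             # add a when the low bit of b is set
        carry = -(a >> 7) & 0x11B     # reduction mask when a would overflow
        a = ((a << 1) ^ carry) & 0xFF
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (inverse of 0 is 0 by AES convention).
    The square-and-multiply schedule is fixed (254 = 0b11111110), so the
    number of multiplications does not depend on a."""
    result = 1
    for bit in (1, 1, 1, 1, 1, 1, 1, 0):   # exponent bits, MSB first
        result = gf_mul(result, result)
        if bit:                              # depends on the constant exponent only
            result = gf_mul(result, a)
    return result


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_ct(x: int) -> int:
    """AES S-box without any table: inverse in GF(2^8), then the FIPS-197
    affine map b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    b = gf_inv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


# The usual implementation: the same 256 values precomputed into a table.
SBOX = bytes(sbox_ct(x) for x in range(256))


def sbox_table(x: int) -> int:
    return SBOX[x]                            # memory address depends on x


LINE_SIZE = 64   # bytes per cache line; typical x86, an assumption here


def cache_line_touched(plaintext_byte: int, key_byte: int) -> int:
    """In AES round 1 each state byte is looked up as SBOX[p ^ k]. Which of
    the four 64-byte lines of the table is pulled into cache is observable
    by a co-resident attacker (prime+probe, flush+reload) and equals
    (p ^ k) // LINE_SIZE."""
    return (plaintext_byte ^ key_byte) // LINE_SIZE


def candidate_keys(plaintext_byte: int, observed_line: int) -> list:
    """What the observer learns from one lookup with a known plaintext byte:
    the top two bits of the key byte, i.e. 64 candidates instead of 256."""
    return [k for k in range(256)
            if (plaintext_byte ^ k) // LINE_SIZE == observed_line]


if __name__ == "__main__":
    p, k = 0x00, 0x53                     # constructed sample bytes
    line = cache_line_touched(p, k)
    print("line touched:", line, "key candidates left:", len(candidate_keys(p, line)))
    print("S(0x53) table:", hex(sbox_table(0x53)), "constant-time:", hex(sbox_ct(0x53)))
```

The leak comes from the address pattern of the lookup, not from the contents of the table, so swapping in a different S-box would not remove it; removing it means either no data-dependent memory access (bitsliced or arithmetic evaluation as above, or AES-NI) or an access pattern that touches every line regardless of input. The first-round observation above yields only the top two bits of each key byte; published attacks extend it through later rounds to recover the full key.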

------
zzo38computer
Can you write deceptive messages in order to try to determine what kind of
messages the government can decrypt?

~~~
closeparen
Taking great care to avoid revealing your capabilities has been integral to
spycraft for a _long_ time.

~~~
badrabbit
That's why parallel construction is a thing.

[https://en.m.wikipedia.org/wiki/Parallel_construction](https://en.m.wikipedia.org/wiki/Parallel_construction)

~~~
3fe9a03ccd14ca5
This is a term everyone should know. It’s not just to protect technology. It’s
used to launder what would otherwise be unconstitutional spying.

This is effectively what we’re learning the government does through its
FVEY[1] “partnerships”. Can’t spy on a US citizen? Have our neighbor do it and
pass it back to us!

1. [https://theintercept.com/2018/03/01/nsa-global-surveillance-sigint-seniors/](https://theintercept.com/2018/03/01/nsa-global-surveillance-sigint-seniors/)

------
saagarjha
> If there's a vulnerability here that weakens encryption but you still need
> four acres of Cray computers in the basement in order to work it you kind of
> think "NOBUS" and that's a vulnerability we are not ethically or legally
> compelled to try to patch – it's one that ethically and legally we could try
> to exploit in order to keep Americans safe from others.

Not sure about the law, but I'd say that assuming that nobody else has that
kind of computing power is quite arrogant, and it's certainly not "ethical" to
keep it undisclosed…

~~~
derefr
I don't know about arrogant; when you're a state actor, you have available
things like a detailed infrared map of the entire Earth, order flow from every
chip fab, power figures for all extant power plants with attempted "balancing
of the books" against all above-board known uses of that power, etc.

Because of this, it might be unclear exactly _what_ a rival power is doing
with all that heat and power and all those chips, but it's very easy to know
that they're doing _something_. And, therefore, very easy to know when you're
"ahead", in terms of nowhere else on Earth showing the right MASINT signature
to represent the same compute capacity you have.

Mind you, this is commutative; the Russians, Chinese, and other powers with
satellite networks can take the same infrared imagery, and do the same maths,
to calculate exactly how much more compute the NSA has than they do; and their
OPSEC doctrine is necessarily designed around this knowledge.

~~~
xscott
> I don't know about arrogant

Does Google or Amazon have enough compute power to compete with the NSA? My
guess would be yes. They certainly have a good cover story if they were
interested in using it for exploits. :-)

~~~
CalChris
That is a good question. My first intuition was yes. But Google has about 2.5M
servers at say $2000 per. That's $5B which is chump change for the NSA.

~~~
bashinator
I’d be very surprised if that were even close to the average cost of a cloud
datacenter server. Wouldn’t they be optimized for physical density and power
efficiency (which is to say, maxed out CPU/RAM)?

~~~
vonseel
Interested to know more about this. I don’t think much public information is
out there, but a quick Google revealed Snap signed a five year $2B contract
with G back in 2017, and that’s just one major customer.

------
Fnoord
I was thinking about NOBUS in relation to the NSA's finding of a critical
security vulnerability in Windows 10 / 2016 [1]. I.e. "how it at least does not
apply right now."

[1]
[https://news.ycombinator.com/item?id=22048633](https://news.ycombinator.com/item?id=22048633)

------
LockAndLol
Sounds a bit pretentious. Pride comes before the fall.

~~~
deadbunny
I was reading thinking NOBUS does sound a lot like HUBRIS.

------
gHosts
Sort of like the short bus, but shorter.

------
ngcc_hk
If it is war there is ...

And if you inform everyone that they have vulnerabilities, not only is that
security leakage, it is a kind of security commercial activity without pay.

But nobody it is not. You have Russia and totalitarian China.

... the world is not pure black and white. The wiki writing is too biased,
and too politically correct, based on the wrong assumption.

