
There's a lot of neat things there. (This one looks interesting: https://iadgov.github.io/goSecure/)

Also interesting is splitting the repos: that the NSA and IAD have different repos, and that one seems focused on defensive tech while the other is publishing analysis tools.

I know there's a lot of people who aren't fans of the NSA (or what they do), but I think most of us can see a need for a military-grade organization to research defensive technologies for helping secure our infrastructure. I don't think many of us would be unhappy with the NSA if that's all they did. (Or phrased another way: most of us are unhappy because of how they conduct intel work or compromise defensive capability for offensive ones, e.g., that whole business with ECC.)

So I think it's important to respond positively to things like the IAD github page, even if we're not fans in general.

I think you're right. It's sad to see many people are looking at these tools and performing a sort of "Allegory of the Cave" by extrapolating, then, the evils that can be done with these tools.

Something, mostly common sense, tells me that we will not find some smoking gun to a crime here in these OSS repos...if anyone wanted that, they can refer to any number of leaks.

Ultimately, I'm happy to see this stuff shared, happy to see others use it and happy to see the OSS community build on it.

There are multiple reasons why you wouldn't want to use these newly released open-source projects. The first one is, like you said, the danger of a backdoor. The second one is that, due to the very long list of non-ethical and illegal practices of the organisation, you don't want to contribute or depend on them.

Bleach has been used in bombs around the world, should I not use it because there's a chance it's been used for (perceived) evil?

Cluster bombs have such blatant propaganda spread against them by well-meaning but naive individuals. Don't be fooled - look at all their positive uses!

That's not a like-for-like comparison: one is a bomb designed for destruction, one is software designed to solve a problem. The software isn't designed to kill, maim, or destroy; if it can be used as part of the process, that doesn't make the software itself evil. Should we throw out Linux systems since Linux powers many control systems in war machines?

One thing to remember is that the NSA isn't a monolith: there are factions and differing opinions inside of the agency.

It's likely someone spent a fair amount of political capital to draw attention to the agency by emphasizing their public projects and trying to engage with the wider public. If there's a negative response to that, it only lends weight to the voices inside the agency who are against that sort of thing.

I, for one, prefer the NSA to be working on defensive technologies in collaboration with the tech community to any number of things they could be spending the resources on -- and think we badly need their expertise and help to secure domestic assets.

So I'm going to say "good job!" when they're doing things I like and save my criticism of their other behaviors for more appropriate moments.

I think collaboration is fundamentally more powerful an instrument of change than shunning is.

"military-grade" doesn't mean anything in the context of crypto. We all use "military-grade" crypto every day. If your argument is that somehow the armed forces are better at computer security than the rest of us, because "military", then I reject it wholeheartedly.

They are criminals and should be disbanded. The US intel community is full of cheats and liars, straight to the top.


In my experience, what military-grade crypto really means is crypto that complies with requirements stipulated by various laws and directives related to protection of state secrets. This includes widely used cryptographic primitives (AES, SHA...), various NATO or NATO-member-specific primitives (often with weird interfaces, e.g. DES-like checksums in keys and such), complete cryptosystems for a particular use case (often with questionable security under security models used by academic cryptographers) and various utter nonsense that only exists in order to comply with the aforementioned legal framework (e.g. various "solutions" for connecting two systems with different security classification without actually connecting them).

In other words, military-grade means used by military, which has no meaningful correlation to security.

Well, that is a bit uninformed. Military grade (at least in the US context) means algorithms and implementations analyzed and approved for use by the NSA. Today this means 'Suite B' crypto like AES, RSA, ECDH, etc. It should also mean dedicated hardware or certified implementations, physical key fill, etc. However, the words 'military grade' are frequently abused by sales to mean a badly performing, variable-time, noise-spewing implementation of AES.

In days past the 'commercial grade' crypto was often not real crypto, like voice scramblers, using 40-bit DES (when govt was using Triple-DES), XORing against a non-cryptographic PRNG keystream repeatedly, all sorts of rubbish.

That is mostly what I meant. Military-grade means approved by the NSA or its equivalent in a given state. What I tried to point out is that such approval does not necessarily mean that such a cryptosystem is secure for your application (e.g. various tactical radio encryption systems, "military DRM"...) or even secure and meaningful at all ("data diode", various NATO TS approved quantum cryptography things...).

I wonder why https://www.iad.gov (linked at https://github.com/iadgov) is not using a TLS certificate trusted in normal browsers. I cannot visit the webpage as it uses DoD Root CA, which is not installed on my computer.

Having the US department of defense be able to forge certificates for every site world-wide, in every major browser - out of the box - might be a little too much, even with the CA system as broken as it is.

On the other hand, if you run your own CA and mostly care about your own users - using a cert signed by your own CA makes sense - to a certain extent.

I think the question was "why aren't they running this public website with a cert signed by a widely trusted CA"?

Well it is widely trusted by everyone on NIPRnet...

So TLS (X.509) only allows serving a single certificate. You have to choose to serve one trusted by people you need not to be hacked (your own CA) or a commercial one to reduce in general the likelihood of being hacked. I can see why they chose the first option.

Obviously if websites were not signed by one of the 'root trust' paths but by several, and the reputation of each of those trust paths, and the host itself, was tracked in a decentralised secure database where trust was built over time, that would be better.

Oops, I just suggested blockchain snake oil would solve something.

A danger is that if you use their tech, you might become dependent on their tools.

What, like Microsoft?
