NOBUS (Nobody but Us) (wikipedia.org)
184 points by apsec112 9 days ago | 55 comments

I've wondered occasionally if Rijndael was chosen over the other AES finalists so that the NSA would have a NOBUS backdoor in the form of the whole S-box timing side channel thing. Is there any good info/commentary on that possibility?

It's impossible to prove absent a Snowden-class leak. The premise is they have secret knowledge. Maths is inductive reasoning; they might have a non-inductive insight into a thing which exposes a magic key to them, but they have to do a risk analysis that the bad guys (tm) can have the same AHA moment and secure the same advantage.

In this space, I feel about the only public evidence would be when the NSA feel the protocol cannot be trusted for government use, where the primary risk is other-state actors.

I also feel the blurring of the role for the agencies here does nobody any favours. NOBUS confers a specific advantage which massively undermines your own position in the longer term for tactical advantage now. I would probably be told by wiser heads tactics trumps strategy, but when you face 20-50 year relationships and you burned your partners 15 years ago, that tactical win can be a bit of a problem.

The UK did this with Enigma: kept their insight secret and handed the captured units to the Commonwealth governments. They did not help their own cause in the 1960s independence wars; trust was close to zero. I have no evidence the ability to decrypt their signals helped or hindered, btw. It's conjecture on my part.

Could they simply use a different S-box? Or can specific implementations be written to avoid the vuln?

You have to also keep in mind, AES is class-B crypto; the only publicly known class-A ciphers are decades older than AES.

The S-box is part of the definition of AES. If you change it, it is no longer AES, and the new algorithm (that may well have vulnerabilities) is no longer compatible with the cryptographic protocols that specify that they use AES as a cipher.

That's the opposite of a NOBUS backdoor; it's an everyone backdoor, since anyone can run a timing attack on AES.

Extremely unlikely; Rijndael S-Box entries can be calculated in constant time using first principles or bit-slicing. No lookup tables needed.

Timing side-channel vulnerabilities in an AES S-Box implementation would be flaws in the implementation and application as opposed to the algorithm.

Yes, they can be calculated in constant time, but NSA's friends can be told to use constant time from the start while everyone else uses libs that copy from the non-constant-time reference implementation?

Reference code is almost never what you want to go into production, what with various perf and security issues. It's there to test spec compliance.

Yes, but flaws in the spec bleed into all implementations that... you know... use it as a reference.
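The sub-thread above turns on whether a timing leak in the S-box is a property of AES or of an implementation. The following is an added example, not code from the thread or from any AES library: it computes the Rijndael S-box from its FIPS-197 definition (multiplicative inverse in GF(2^8) followed by an affine map) with a fixed operation schedule and no secret-indexed memory access, and puts it beside the 256-byte lookup table that most implementations ship, whose indexed reads are what cache-timing attacks observe. The check values are the S-box entries given in FIPS-197; everything else (function names, the `sub_bytes` wrapper) is illustrative.

```python
# Added example (not from the thread): the AES S-box computed from its
# definition with a data-independent operation sequence, beside the
# table-lookup form whose memory accesses depend on the secret byte.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b), the AES field.
    Always runs 8 rounds and uses masks rather than branches on the operands."""
    r = 0
    for _ in range(8):
        r ^= a & -(b & 1)          # add a into the result if the low bit of b is set
        carry = (a >> 7) & 1
        a = (a << 1) & 0xFF
        a ^= 0x1B & -carry         # reduce by the field polynomial if a bit fell off
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8) for a != 0, and 0 -> 0 as AES requires.
    A fixed chain of 13 multiplications, independent of the value of a."""
    x2 = gf_mul(a, a)
    x3 = gf_mul(x2, a)
    x6 = gf_mul(x3, x3)
    x7 = gf_mul(x6, a)
    x14 = gf_mul(x7, x7)
    x15 = gf_mul(x14, a)
    x30 = gf_mul(x15, x15)
    x31 = gf_mul(x30, a)
    x62 = gf_mul(x31, x31)
    x63 = gf_mul(x62, a)
    x126 = gf_mul(x63, x63)
    x127 = gf_mul(x126, a)
    return gf_mul(x127, x127)      # a^254


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_computed(x: int) -> int:
    """S(x) = Affine(x^-1), the FIPS-197 definition: no table, no branch on x."""
    y = gf_inv(x)
    return y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63


# The form most implementations ship. The index is a secret-dependent byte,
# so which cache line gets touched is a function of key and plaintext.
SBOX_TABLE = bytes(sbox_computed(i) for i in range(256))


def sbox_lookup(x: int) -> int:
    return SBOX_TABLE[x]


def sub_bytes(state: bytes, sbox=sbox_computed) -> bytes:
    """AES SubBytes over a 16-byte state with either S-box variant (illustrative wrapper)."""
    return bytes(sbox(b) for b in state)


if __name__ == "__main__":
    # Known entries from FIPS-197: S(00)=63, S(01)=7c, S(53)=ed, S(ff)=16.
    for x, s in ((0x00, 0x63), (0x01, 0x7C), (0x53, 0xED), (0xFF, 0x16)):
        assert sbox_computed(x) == s == sbox_lookup(x)
    print("S-box OK, first row:", SBOX_TABLE[:16].hex())
```

The computed form is slow in pure Python and is not how a production library does it (those use bit-sliced or vector-permute versions of the same idea), but it makes the point in the thread concrete: the table is derived from the algorithm, the algorithm does not require it, and the leak lives in the choice to index memory with a secret.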

Can you write deceptive messages in order to try to determine what kind of messages the government can decrypt?

Taking great care to avoid revealing your capabilities has been integral to spycraft for a long time.

That's why parallel reconstruction is a thing.

This is a term everyone should know. It’s not just to protect technology. It’s used to launder what would otherwise be unconstitutional spying.

This is effectively what we’re learning the government does through its FVEY[1] “partnerships”. Can’t spy on a US citizen? Have our neighbor do it and pass it back to us!

1. https://theintercept.com/2018/03/01/nsa-global-surveillance-...

*looks at the history of major criminal conspiracy cases and historical events*

The answer is throwing everything you have, and only some of the time reveal what you know.

> If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.

Not sure about the law, but I'd say that assuming that nobody else has that kind of computing power is quite arrogant, and it's certainly not "ethical" to keep it undisclosed…

I don't know about arrogant; when you're a state actor, you have available things like a detailed infrared map of the entire Earth, order flow from every chip fab, power figures for all extant power plants with attempted "balancing of the books" against all above-board known uses of that power, etc.

Because of this, it might be unclear exactly what a rival power is doing with all that heat and power and all those chips, but it's very easy to know that they're doing something. And, therefore, very easy to know when you're "ahead", in terms of nowhere else on Earth showing the right MASINT signature to represent the same compute capacity you have.

Mind you, this is commutative; the Russians, Chinese, and other powers with satellite networks can take the same infrared imagery, and do the same maths, to calculate exactly how much more compute the NSA has than they do; and their OPSEC doctrine is necessarily designed around this knowledge.

I never really thought about this before, but a thermodynamics breakthrough in power supply design, heat management, or power generation could qualify as a state secret.

We know that the NSA makes custom chips, and it's probably harder to know how many calculations per second that hardware can manage than predicting the capacity of COTS hardware based on how hot the building is and how hot the nearest powerplant is getting.

One of the things I loved about the history of the Blackbird is that it held the record for fastest plane, and when a new pretender to the throne arrived, on a couple of different occasions they sent up another Blackbird pilot and retook the crown. When a private individual breaks a record, they tend to go as fast as they can. Bragging rights for a military airplane are "mine is faster than yours", not "mine is exactly this much faster than yours". Just keep that classified.

Note https://www.nitrd.gov/pubs/nsa/sta.pdf promising ~100Ghz cryogenic processors by 2010 with sufficient (but seemingly not ridiculous) government investment.

Fascinating. I see three possibilities:

1. the project succeeded and the government has kept cryogenic processors totally dark for a decade with no public leaks or hints to industry (far-fetched, though Skunkworks hid the Blackbird pretty well.)

2. they aggressively funded it as a black project but hit insurmountable design challenges (like quantum computers) or bureaucratic abyss (like the F35.)

3. the funding never materialized.

are any research teams working on superconducting classical computers, rather than quantum computers? does nonlinearity get in the way?

4. Attempts to create cryogenic CPUs were made well before 2005 and failed. The project was made somewhat public in order to misdirect adversaries into spending their budget and efforts on cryogenic processors.

5. The project was funded as a black project without the intention to actually deliver results but rather to justify RSFQ circuits R&D to later use those results elsewhere

I was trying to find an old article about someone who overclocked either a 486 or a Pentium to hell and gone [edit: with mineral oil and dry ice] so I could speculate on what sort of speed increase one could get from spending a ridiculous amount of time and effort on overclocking.

I didn't find any of what I was looking for, but I stumbled back onto the fact that Cray-2s were cooled by running Fluorinert over the components and that the NSA was one of their biggest customers at the time.

Who's to say they aren't still using Fluorinert on servers?

But I've also heard rumors about TLAs getting access to pre-production versions of consumer chips (eg, when yields are still sad). And who knows what binning is going on at Intel. If I have a really good production run and I get 95 chips that have absolutely zero flaws, who do I sell them to? When you manufacture something you can't guarantee a certain yield to be above your wildest expectations, so would I even create a product number for the unicorns? Do I bin them with 'the best' chips even though I know they're better than the best?

Or do I just find someone with deep pockets who's happy to take whatever I've got, be it 3 or 300?

> I don't know about arrogant

Does Google or Amazon have enough compute power to compete with the NSA? My guess would be yes. They certainly have a good cover story if they were interested in using it for exploits. :-)

Companies operating legally under governments, are much more transparent to states (any state, not just the one they exist under) than other states are, because they interact through markets rather than through handshake deals. Amazon and Google have "public APIs" that they get all their chips through, and the NSA can see the "API calls." :)

On the other hand, this is exactly the reason that entities that do operate through handshake deals with no visible economic activity—organized crime and the zaibatsu/chaebol type of conglomerate—tend to be considered imminent threats to states. They're opaque to logistical analysis! (Not that your average mob boss would have any inherent reason to commit treason against the United States, but other nations might be rather motivated to give them extrinsic reasons.)

For this reason, even "benign" domestic crime syndicates or conglomerates will have their intelligence opacity hacked through with the application of good old-fashioned HUMINT.

Why would you throw zaibatsu/chaebols in with criminals...? They are just business conglomerates, their only difference from American-style corporations is that the ownership is organised around families a bit more explicitly on average - something that happens in the States as well, just with less success. The various governments they operate under have the same degree of visibility into them as in any other business. If they didn’t, you wouldn’t know they are zaibatsu in the first place. Are you confusing them with the actual Yakuza...? Why would you class the likes of Samsung as some sort of criminal enterprise outside the law?

It’s basically just the fact that they’re large enough to have a “complete economy” composed entirely of their business units. Samsung (or, for example, GE) doesn’t have to go outside itself to source chips, or trucks to transport them, or, well, anything, really. One business unit can “buy” those products/services from another business unit without anything necessarily appearing on a balance sheet of either business unit. (It’ll appear if it’s beneficial for them to do so, but half the reason they’ve conglomerated in the first place is to hide the things that’re not beneficial.)

Thus, such entities can do an entire skunkworks project without needing to touch the economy. Just like a state can.

That’s completely theoretical. They still have to report on plenty of things, starting from detailed payroll, handling of substances and so on. In some countries (like Australia or the US, no idea about JP/SK but I bet there too) the government can compel workers to reveal data without anyone else knowing.

Zaibatsu are complementary to (corporatist) governments, not adversarial. They feed off each other.

Don’t most government contracts tend to go through competitive bidding processes and such? Sans NSA and some top secret military ones, I’d think a bunch of this stuff is pretty open knowledge, at least somewhere out there.

They’re profit driven though so they have no ability to focus more than a fraction of their resources on a single problem. What makes governments powerful at solving problems is the ability to justify larger expenditures.

EDIT: to be clear when I say “no ability” I mean practically. Obviously they COULD put all employees on a single problem but they simply won’t.

> Obviously they COULD put all employees on a single problem but they simply won’t.

It wasn't all employees, but all servers, that I was thinking about.

yeah after the fact i realized i should have specified this. i should have just said "capital" because in our society it's all interchangeable because everything (time, resources, etc.) is related to its dollar cost

That is a good question. My first intuition was yes. But Google has about 2.5M servers at say $2000 per. That's $5B which is chump change for the NSA.

I’d be very surprised if that were even close to the average cost of a cloud datacenter server. Wouldn’t they be optimized for physical density and power efficiency (which is to say, maxed out CPU/RAM)?

Interested to know more about this. I don’t think much public information is out there, but a quick Google revealed Snap signed a five year $2B contract with G back in 2017, and that’s just one major customer.

If that were equipment dedicated to brute-forcing, I would expect it to be ASICs/FPGAs rather than typical servers. You'd get an orders-of-magnitude faster solution[0], at the expense of flexibility of course, since those chips would be single purpose.

[0] For a very simple example compare the hashrate on any CPU vs a bitcoin miner ASIC with a comparable size.

The thing is that not all servers in datacenters are maxed out to 100% usage all the time. A low-priority process using idle resources could be used, allowing for huge total CPU power (given the scale of goog/fb/amzn datacenters) at no additional cost, while if an agency wants $5B worth of datacenter, it must buy a $5B datacenter.

On the other hand those idle resources could be rented to an agency at a discount price

Would this NSA capability tell them how much compute capacity China has as a result of being the world center of bitcoin mining? Would it tell them whether this capability could be repurposed?

Also, can any actor be certain distributed compute capacity can't be harnessed in the fashion of concentrated capacity? How many GPUs does it take to make a Cray, etc.?

> Would this NSA capability tell them how much compute capacity China has as a result of being the world center of bitcoin mining? Would it tell them whether this capability could be repurposed?

I suspect the answer is yes, and also that they monitor bitcoin mining rates to see if large bitcoin miners in adversarial countries suddenly disappear.

Given that you can buy these Bitcoin miners and they are specialised ASICs for calculating SHA256 hashes in a specific way to find the first acceptable nonce, it's unlikely that Bitcoin mining hardware can be repurposed in this way.

On the other hand a manufacturer capable of designing and producing SHA-256 chips could be also capable of designing and manufacturing $other_commonly_used_hash_algo chips allowing for brute-forcing $other_commonly_used_hash_algo encoded passwords. The same manufacturer/design team could also probably prepare $popular_block_cipher chips. So, while BTC miner chips would not be useful themselves, having an industry capable of creating those chips is.

Correct. The vast majority of bitcoin miners are specialised ASICs for calculating BTC related hashes explicitly, and nothing else. Optimised for efficiency of the task at hand.

I don't remember where I got this threat model, but I think it was Applied Cryptography.

Paraphrased, is your system safe against: an individual hacker, a group, a corporation, a city-state, a nation, a superpower? Are any of the ones you said 'no' to ever likely to give a damn about your software or data?

Then botnets became a thing. Suddenly individuals or small groups could have more resources than a city-state, and every year they just got bigger and bigger. If it's only computing resources that save you (as implied by that quote), that barrier isn't what it used to be. Sophistication of some other kind is the only protection and hubris can kill that off pretty quick too.

Individuals with access to giant botnets tend not to blow it on soft targets.

I think it's reasonable to build systems that are resistant to attacks up to but not including the superpower level.

The worst part is the human factor. The more people involved, the easier it is to compromise one of those people.

> I'd say that assuming that nobody else has that kind of computing power is quite arrogant

Maybe, but there's also probably a team of very smart people whose job it is to consider all of the information and make that call on a case-by-case basis. I'm sure they get it wrong sometimes, but I'd also imagine they get it right most of the time.

> it's certainly not "ethical" to keep it undisclosed

Sure, but by that ethical posture nothing the NSA does is ethical. If you accept as ethical the NSA's mission of protecting Americans at the expense of other humans, this particular method seems pretty ethical.

It probably wasn't unjustifiably arrogant back in the 90's.

The article mentions evidence that this supremacy is no longer true, but doesn't actually cite any evidence. I suppose they are alluding to private companies (mostly American but quite transnational), and also the Chinese government. Both likely have the kind of talent + computing infrastructure to challenge the NSA.

Do people like Palantir or Google exploit 0-days with the same NOBUS attitude?

Not to mention that the idea that the US is the one good country and must be protected to the detriment of all other countries is massively unethical IMO.

The NSA is a US agency. It has nothing to do with being a good country, their job is to protect the US.

Equally, something doesn't become ethical just because that's what your job is.

Isn't the point that they know with a high degree of certainty who is buying large amounts of the sort of computer equipment needed for this? Cray will let them know if the People's Liberation Army places an order for an acre of kit.

I agree about the ethical requirement, but between surveillance and torture, they're well beyond the point of ethical discussion, so.

I was thinking about NOBUS in relation to the NSA's finding of a critical security vulnerability in Windows 10 / 2016 [1]. I.e. "how it at least does not apply right now."

[1] https://news.ycombinator.com/item?id=22048633

Sounds a bit pretentious. Pride comes before the fall.

I was reading thinking NOBUS does sound a lot like HUBRIS.

Sort like the short bus, but shorter.

If it is war there is ...

And if you inform everyone that they have vulnerabilities, not only is that security leakage, it is a kind of security commercial activity without pay.

But nobody it is not. You have Russia and totalitarian China.

... the world is not pure and black and white. The wiki writing is too biased. And too politically correct, based on the wrong assumption.
