Thursday, September 5, 2013

Your tax dollars at work...

Unbelievable:
Personally, I thought the Internet was already quite insecure without the US government spending large amounts of money to deliberately make it worse.

18 comments:

dr2chase said...

So, hang on to that WRT54G running Tomato, even though it is a little slow? It is a bit of a mystery, wondering which hardware is actually trustworthy for accessing the internet.

Rob Ryan said...

No, sadly, to me it's completely believable.

sunbeam said...

Look, this kind of news is surprising to most people.

But it is hard for me to imagine that it has escaped the notice of the state intelligence agencies of the major, or even just the developed powers.

Or even hackers. I've seen copies of a magazine for hackers, it was called 2600 or something. Is that still around? It's been close to 15 years since I saw it.

My point is "If you build it, they will come."

Maybe there is some PFM built into this project such that only US intelligence can use these features.

I tend to think that is not the case. If you can reverse engineer it enough to figure out how it works, it will work just as well for Russian or Chinese intelligence as it does American.

Or Juan Carlos, cocaine kingpin, and his small team of kick-ass hackers he decided to employ.

Law of unintended consequences.

Given the stakes, or potential ramifications, this is probably going to sound petty or stupid or anti-American...

But I would love for this to bite the US on the ass. The whole thing might have been inevitable in retrospect, but someone deserves some fallout from this.

And it seems to me we started it, mainly because we had the most opportunity.

Another thing: a lot of hardware, and more all the time, is manufactured in Asia.

The NSA can't see what's coming?

Dumbasses. And I mean that, and I think I could write a long, convincing article backing up that assertion.

Michael R said...

Seems like it was so long ago:

//Oh, in an aside, the Guardian is reporting from a supposedly knowledgeable US intelligence source that "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world" If that's true, not very much of it's been brought to light by the commercial security industry, suggesting that there are some interesting techniques in need of discovery.//

The innocence of youth.

Aaron said...

Sums it up for me:

Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told The Guardian, "Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet."

from: http://arstechnica.com/security/2013/09/nsa-attains-the-holy-grail-of-spying-decodes-vast-swaths-of-internet-traffic/

Fortunately the IETF is working on the problem:

http://www.zerohedge.com/news/2013-08-24/internet-architects-plan-counter-attack-nsa-snooping

Ultimately, the NSA is just another hacker that will in the final analysis improve the overall security of network communications. The technology is there - and now we have the motivation to implement it. The golden age of NSA snooping is on its way out.

Michael R said...

And also, too:

//
Right off the bat I knew this was going to be an odd conversation, since this gentleman seemed convinced that the NSA had vast capabilities to defeat encryption. And not in a 'hey, d'ya think the NSA has vast capabilities to defeat encryption?' kind of way. No, the defeating was a given. We were just haggling over the details.

Oddness aside it was a fun (if brief) set of conversations, mostly involving hypotheticals. If the NSA could do this, how might they do it? What would the impact be? I admit that at this point one of my biggest concerns was to avoid coming off like a crank. After all, if I got quoted sounding too much like an NSA conspiracy nut, my colleagues would laugh at me. Then I might not get invited to the cool security parties.

All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.
//


http://blog.cryptographyengineering.com/2013/09/on-nsa.html

Gary said...

So just curious from a technical point of view ... Does the cracking involve stealing private keys somehow, or does it involve actually cracking public key encryption from the ground up? My guess is that the basic PK encryption methods are "theoretically" still secure as long as the private keys are secret. Most of the effort amounts to ways of obtaining the private keys. Any thoughts?

Dean said...

I keep thinking to myself that the TV show, "Person of Interest" is supposed to be fiction, not a documentary.

Stuart Staniford said...

Dean: Yeah, it's like my Bayesian prior on every conspiracy theory I ever heard has tripled or so.

Stuart Staniford said...

Gary:

We don't really know. Bruce Schneier has suggested in his essays at the Guardian that it's mainly introducing weaknesses into the implementations, rather than compromising the algorithms per se. But I haven't seen anything detailed enough to form any judgement.

Michael R said...

Stuart, with respect to your priors, have you accounted for the fact that modern CPUs have field programmable microcode?

Greg said...

Stuart,

I see you have changed occupations. Congratulations on your new job!

To make a general point with a personal example, these latest revelations will make sales extremely difficult for your old employer, and for any US-based company in the internet security industry.

In the light of these revelations, why would any non-US company buy any internet hardware or software from an American firm? Why would their government allow them to?

Rhetorical questions, but I fully expect that lawyers are busy preparing suits against the Federal government...

Stuart Staniford said...

Greg - I agree with you on the general direction this moves, but I think this kind of cultural shift actually takes a while and won't have a huge immediate effect. In particular, I would expect it to be driven by government mandates, which won't be an overnight thing.

Paula Hay said...

So far none of the Snowden revelations have really been revelations, and it is not surprising that the NSA is going after cryptography... I mean, that's basically just high-tech lock-picking, yes?

What has surprised me is that it has gone into the business of manufacturing locks and of determining lock standards. I suppose it should not be surprising.

Most disturbing is the fact that NSA and GCHQ are naming their spying operations after battles in each country's respective civil wars, and that the general citizenry is openly referred to as "adversaries" in internal documents. It would appear that NSA has declared war on the population. None of this spying has anything whatever to do with "national security."

A_Nonny_Mouse said...

To Gary @ September 6, 2013 at 9:28 AM

I believe you're right, according to Karl Denninger, who dissected this back on 9/06 (see article):

http://market-ticker.org/akcs-www?post=224132

(& also see the comments)

Essentially: NSA has to get the key, or compromise the random-number generator, or create a backdoor, or intercept before encryption.

A_Nonny_Mouse

buck smith said...

I hope people who voted for Obama the Lightbringer, riding in on a unicorn to replace Bush the cowboy learn a lesson from all this ;)

Unknown said...

Hi Stuart, when are you posting next? Sorry, I just need my weekly dose of Early Warning wisdom.

rjs said...

I'd be interested in your take on this, Stuart: http://angrybearblog.com/2013/09/balkanization-of-the-internet.html

Brazil says they're gonna build their own internet; what if everyone does?