Slashdot Mirror
Ex-NSA Analyst Warns Of NSA Security Backdoors
jagger writes: "In this ZD-Net article ex-NSA analyst Wayne Madison has issued a warning about many proprietary software packages coming bundled with NSA backdoors. This must be very troubling for non-US governments, because it means that they have no security against anyone knowing the backdoor. " This is one of the reasons China has cited in wanting to use Open Source and home-cooked solutions.
I wonder if this is the first ex-NSA analyst to make this statement. Wonder how long it is before he gets sued or taken out.
----------
ah honey, we're all resplendent - Bill Mallonee
I found this line interesting.
Software companies including Microsoft have in the past been accused of colluding with the NSA to provide backdoors into their applications.
Am I the only one that doesn't find this surprising?
Did i spell surprising right? Oh well, spell check on slashdot doesn't really matter anyway.
It scares me that big corporations would agree to allow the NSA to place these backdoors into their software, especially with the very bad press this would generate if the rumors were ever substantiated. How much do you think Mirosoft is payed or what informaion are they given acess to in exchange for this service?
Why is this not surprising at all? The U.S government is probably the most paranoid government in the world.
Things Fall Apart
Non Secure Application
After M$'s use of backdoors in Frontpage, i wouldnt trust anything without proof that it didnt have any little tricks up its sleave. (hence why i dont use M$)
I am !amused.
If you read the article more carefully, you'll see that this guy has been "ex"-NSA for a long time. He probably has no idea of what the current position on software is inside the agency itself. If he did, he certainly wouldn't be allowed to release it.
If anyone has any actual hard evidence for or against NSA backdoors in commercial software, I'd be very interested in seeing it. Meanwhile, it looks like we'll have to put up with the usual conspiracy stuff.
Visit the
Maybe this is how the DOJ will settle with Microsoft. Put this little password into your server software and we'll forget we saw any anti-trust violations.
Don't call it paranoia, call it realism!
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova
Finally our government does something fairly intelligent, even if it was evil, morally corrupt, and leaked prematurely.
I demand a million helicopters and a DOLLAR!
Note to the humour impaired: Win95 2nd ed=Win 98, Win 95 3rd ed=Win 98 se, Win 94 4th ed=Win Me, MacOS 7.6=MacOS8, MacOS7.7=MacOS9
Resistance is futile, we have backdoors to get into your backyard, so why bother?
This is not exactly new news, many people may remember how a certain Melissa virus author was tracked due to some serial number in the Microsoft software he was using. (if memory serves correct)
And while I think this is a valid reason to use open source, we should remember that unless we compile the software we use ourselves from our own source that we ourselves have checked, then we can never be sure if there exists a backdoor into our software. I speculate most people are not willing to wade through literally millions of lines of source and compile by hand each program they use to ensure that the "man" is not watching them. However, the article (which refers to the NSA agent as a "spook") does not mention why he is an ex NSA agent. What is the reason he is no longer with the NSA and why is he so freely admitting these facts. Having had clearance in the past I know very well you need to sign many numerous agreements that state you can be imprisoned indefinitely without trial if you violate said agreements. You basically sign over your rights as a US citizen to obtain that kind of security clearance. This story raises some good issues about how much we as citizens should trust our government and our software, as well as raise the ire of many foreign nations using US software. But there is always a nagging doubt in my head when we hear stories from ex employees and there is no knowledge given about why they are ex-employees.
But in general this news is not really new. The government has had backdoors in software as long as software has been around. And this has been shown in the press before to be true.
I do think however this presents those of us in the open source world with a strong argument in favour of open source software with respect to dealing with trusted programs.
Regards...
Nice that the person writing the comment couldn't even read, his comments make it sound as if Wayne had personal information about these backdoors or even any backdoors, but the actual news items states:
Notice the 'may'.
Next the article states:
These are just GUESSES from Wayne, not any hard proof. The article never states that he has seen this, only very indirect evidense. I bet alot of people will get irate without even reading the original article.
http://slashdot.org/articles/99/09/03/0940241.shtm l
---
This was just waiting to happen since the 1st
desktop PC hit the 1st desk.
Now, with all of this cooperation with the NSA and
what not, one has to figure... why is Bill Gates
in so much trouble? Now, I don't mean to be
so paranoid, but I can't help it... but it seems to
me that the government has a very distinct
interest in taking down Microsoft... and I
certainly can see the reason why they would be
considered a monopoly (hell, I consider them one)
But what if one of the driving forces behind this FINALLY
occuring was Microsoft refusing to cooperate with
the NSA?
Just something to keep you up and night..
~- Llah -~
Printed in Denmark nov. 26. 1999.
"In 1985, their long-term goal was "total hearability", i.e. the
capability to listen in on all communication around the world."
EX-AGENT TO DANISH MINISTERS: YOU ARE BEING MONITORED
Former Echelon agent warns Danish politicians against confidential
conversations over the phone.
The Echelon system not only listens in on private persons, companies and
interest groups, Danish politicians and ministers are also the target of
the NSA's extensive espionage, reveals Wayne Madsen to Ekstra Bladet, who
meets him in Washington D.C. Wayne Madsen was once a spy for the National
Security Agency NSA - the intelligence service behind Echelon - but he has
severed connections with his former employer.
We are crossing the border into the state of Maryland. Behind us lies
Washington D.C., the US capital - and somewhere in front before us lies
Fort Meade in neighbor-state Maryland. 'The Fort' is the headquarters for
world-wide espionage and the workplace for 38,613 of the most talented
secret agents in the world.
Wayne Madsen is very familiar with Fort Meade. For several years, it was
his clandestine workplace. He has a pistol in the glove compartment of his
car. Loaded. Wayne Madsen is always armed wherever he drives.
"I don't carry a gun because I think it's cool to have a pistol. But based
on the sources I still have in the NSA, I know there are people in the
intelligence services who do not care for people who talk about the secret
services. Since they are armed, I had better be prepared, too."
Wayne Madsen is an experienced man in regards to secret projects and
surveillance. Since 1975, he has been operating the most sophisticated
computer technology in existence. First as a marine in the US Navy, then
as an agent for the National Security Agency, NSA, and most recently as an
employee at two of the NSA's partners, RCA and the Computer Science
Corporation.
"Whenever anyone criticizes the NSA, it is important to remember that they
have done a lot of important work, too. Both during the Second World War
and the Cold War, when they were talented at breaking the codes of the
Nazis and the East Bloc countries respectively."
TOTAL HEARABILITY
To prove to us that the NSA does more than just 'black work', Wayne Madsen
wants to show us an unusual museum, the NSA's Center for Cryptologic
History.
"Since it is located at the same address as NSA headquarters, Fort Meade,
we can see the buildings I worked in at the same time -from the outside at
least."
Just before we get to Fort Meade, Wayne Madsen points down an access road.
"I went through a lie-detector test and a voice-test analysis over there,
before I was approved by the NSA," Wayne tells us with a faint, shy smile.
He was a lieutenant in the Navy at the time with ten years of experience
in tracking Soviet U-boats and monitoring computer security.
What is the role of the NSA now that the Cold War is over?
"Primarily, they have a global network of computers known as Echelon. The
computers are connected with their intelligence satellites and listening
posts all over the world. And they still do military work. The difference
is, however, that today they monitor everything and everyone. Politicians,
organizations, companies, private individuals, even friends in allied
countries. In 1985, their long-term goal was "total hearability", i.e. the
capability to listen in on all communication around the world."
MINISTERS MONITORED
Is Denmark part of this system?
"Yes. Denmark is a third-party partner in the surveillance agreements. On
the other hand, however, Danish ministers and politicians must assume that
they are under surveillance."
What?
"Yes, that is part of the way they work. At their embassies, they have
groups called 'Special Collection Elements' that monitor local
low-frequency communication. Anything of interest is forwarded here to
Fort Meade where it is analyzed."
"If something can't be intercepted from the embassies, they try to
intercept it from the listening posts in the various neighboring
countries. So is it very risky for Danish ministers to talk on cellular
and satellite telephones alike," says Wayne Madsen as we enter the NSA
museum.
SPY TO EX-SPY
Inside the museum, Wayne Madsen asks whether Jack Ingram is at work today.
A moment later, a tall man appears. Ingram has been an NSA spy for many
years. Now he administrates the museum. He shakes hands with Wayne, and
the pair quickly strike up a conversation about common acquaintances at
various intelligence agencies and companies.
Shortly after, we walk around looking at the NSA's exhibits of cast-off
super-computers and code deciphering equipment - debris from more than
fifty years of intensive espionage in world-wide communication. Wayne
Madsen continues:
"Denmark doesn't get very much out of being a third party, because NSA is
the first party and decides which information the other countries receive.
So obviously, whenever they monitor specific politicians or companies in a
certain country, they naturally don't tell the local government about it.
The information they give to Denmark is something that promotes their own
interests or something they themselves consider to be a threat. For
example something about Tamilians or the PKK, the Kurdish resistance
movement. If it involves information which promotes their own financial
interests, then naturally they use it for their own benefit."
Do you have specific examples of what you are saying?
"Mike Frost, who worked for Canada's intelligence service, which also
participates in Echelon, has personally monitored both politicians and
companies in other countries. He told me among other things about
monitoring the Chinese embassy in Canberra, Australia. All the information
was forwarded here, to Fort Meade. The Australians never saw the
information because the US could use it to control the world wheat trade.
Although I write books and articles about the NSA, I still have good
contacts in intelligence circles at present," states Wayne Madsen.
As we drive back to Washington, he turns briefly toward Fort Meade's
parabolic antennas with a serious look on his face:
"The problem is that the NSA has lost sight of its purpose. It's not right
that taxpayers' money is used to help major shareholders in large
corporations to earn huge profits. Or for that matter the fact that the
NSA puts ordinary people, legal organizations and politicians under
constant suspicion."
EXTRA FACTS
In a joint council in September, Minister for Defense Hans Hækkerup
admitted that Denmark cooperates with other countries on surveillance.
However, Hans Hækkerup would not reveal which countries and intelligence
agencies Denmark cooperates with. It does appear, however, in the archives
left behind by the former head of the Danish Defense Department's
Intelligence Service, Commander Mørch.
Sources in Mørch's archives show that Denmark entered into an agreement
with the US on surveillance cooperation all the way back in 1947 - the
same year that the UKUSA - the pact behind Echelon - was established. The
UKUSA pact is controlled by the National Security Agency in the US, in
which the Australian, Canadian, New Zealand and British intelligence
services participate as second-party partners.
Most NATO countries - including Denmark - officially entered the pact as
third-party partners in 1950.
According to documents in the possession of Extra Bladet, the National
Security Agency has now confirmed that it has third-party partners.
BY BO ELKJÆR AND KENAN SEEBERG
COPYRIGHT 1999: EKSTRA BLADET - COPENHAGEN, DENMARK
If tits were wings it'd be flying around.
*sigh* I can understand why the NSA wants to be able to monitor Internet traffic. National security and all that.
BUT.
There is wayyy too much room for abuse.
I, for one, wouldn't want my software to be sending data to NSA or any other place without my knowing.
I'm glad that Open Source is where it's at today. It would be our worst nightmares if Open Source hadn't gained enough widespread acceptance and entities like the NSA lobby for outlawing Open Source software for "security reasons". I mean, it's very conceivable that your local ISP will only grant you access if you install their proprietary software which contains who knows what kinds of backdoors. Good thing open source systems like Linux is so widely available, and not locked into any proprietary vendor, so that ISPs *have* to allow for users to not use their software.
Thank God for open source software...
OTOH, I think NSA is shooting themselves in the foot. Foreign goverments aren't gonna put up with this backdoor nonsense in *their* software. So open source is going to become even more attractive, which will be good for all of us.
---
mikre he sophia he tou Mikrosophou.
I sure as hell wouldn't want anyone from a government looking at my stuff, just on general principle - therefore I will never have a proprietary system running the security on any network I run. I want to check out the code for all the daemons I run, the TCP/IP stack, the ethernet drivers, the login stuff. You can't get much more secure than that.
--
NO TOUCH MONKEY!
Tom Clancy's newest book explores this concept, too... in that case, a CIA operative uses something that was programmed for the government that images the hard disk, compresses it, and sends it out to America from a Chinese government official's personal system. It sounded plausible last week in the book, it sounds plausible now...although I wonder about this guy's motivation and timing.
I wish there was a choice that said "Factually Wrong -1" when I mod.
The only example given was Carnivore, which has nothing to do with backdoors in software, and doesn't appear to have anything to do with the NSA.
you know that there's a problem when CHINA gets it right...
"I hope I don't make a mistake and manage to remain a virgin." - Britney Spears
If law enforcement could not get access to the Bad Guys' goodies, it would be an absolute disaster for everyone -- our freedoms would be confiscated not by the government but by crimelords and other unaccountable groups like multinational corporations. Is this really what people want? On the other hand, of course, unrestricted government access would be an equally severe disaster.
The existing U.S. system of requiring a court warrant is a compromise that allows some public scrutiny (after the fact, which is usually good enough to ensure the health of the system if not of every case).
Unfortunately, things like Carnivore are a kind of end-run around that system, which is why they are so distressing. But it meets the real, legitimate need of detecting crime in the first place, much like we have policemen running a beat to observe and prevent crimes rather than dispatching them after the fact.
So what is the real compromise? How do we resolve these issues? Neither extreme is acceptable.
----
-- Bandannaman
Bandannarama
I found one article that said he started in the spy business in 1975.
I found another article that said he worked for the NSA for 20 years.
My incredible deductive powers have allowed me to determine that he left the NSA 5 years ago.
(knock knock)
Ummm. Folks, I have to go now. It seems that I have impressed more people than just myself and thou. Some men wearing nice suits are offering me a job. Bye.
If tits were wings it'd be flying around.
"The regulations were relaxed after pressure from industry but Madison believes that this may have driven the NSA to find ways to carry out surveillance. "They're not going to give in over exporting strong cryptography without getting something in return," he says."
Although nothing concrete is stated in this article, it's good to remember the tendency government agencies have to never turn back from their goals. Any time you think you have won a victory for free-speech, or privacy rights, or whatever, and that that big, bad evil government has been beaten, realize that they probably just made it look as if they were beaten. Meanwhile, they made a quid-pro-quo agreement to backdoor their way around the defeat. We then don't hear about this alternative method until years down the road. At which point they are actively working on yet another method of achieving their goals.
Never assume the government is as powerless or as clueless as they may appear.
________________
________________
Private Essayist
Seriously, treat ANY statement by the NSA as potential disinformation, potentially mistaken and potentially correct.
In short, stop judging and treat it as you would a claim by any stranger on the street - with a pinch of skeptisism (NOT cynicism) and LOTS of salt.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Well. Let's give a hand then to the people (like myself) who use open source software and linux! That's right. We can SEE the source code. Think about it this way. It's hard to install a backdoor in something without the user knowing if the user has the sourcecode.
On the subject of MS and NSA security holes.... I want to know why they still haven't fixed any of the nuke problems.... hmmm... Why would they want to be able to get into open ports on a computer... Seems strange..
Bill Gates is God
Hey Wait a second!!!! I didn't write that!
[Something witty and intelligent should have appeared here.]
{Traicovn}
1. You have no idea if those coders are l337 h4x0rZ by night now walk in on their own backdoors and snoop around.
2. You have no idea if they even uses the advertised encryption.
3. You have no idea if that encryption does exactly as advertised.
4. You have no idea who is watching.
It is clear, you ONLY choices for security are:
1. Code it yourself.
2. Use publicly available source.
Then and ONLY then you will know what you are getting into.
Burn Hollywood Burn
Even if you have the source, that isn't a 100% guarantee that there aren't any back doors. Surely everyone remembers the famous Ken Thompson article about the back door in login with support in the C compiler, which is even referenced in the Jargon File.
One more drink, and I'll move on. --Dave Matthews Band
Microsoft always leaves the toilet seat up.
Microsoft chews with its mouth open.
Microsoft left its cell phone on during a movie, and answered it when it rang.
Microsoft snores in bed.
The government looking at our private information what a shock
Oh yah - let's see we've got:
all in one story. It's like the story was written to be posted on /. for crying out loud!
Furthermore, it lacks any real meat. This Madison guy isn't saying that they are doing it: "Ex-spook believes", "applications may have backdoors" (emphasis mine). It's nothing definite - just this one guy's beliefs. And if he used to be an analyst, shouldn't he know this rather than sucumb to conjecture? The article got one thing right though: he's "fuelling conspiracy theories".
Now I hate MS as much as the next guy, but I also believe in the principle: Don't subscribe to mallice what can be explained by stupidity. I think they gave a reasonable explaination of the whole NSA key thing back when that happened. They also made the very valid point that it's not in their best interests to do something like that because if a foreign nation found out, MS would be skinned alive. Furthermore, I think people give the NSA too much credit - despite all the talented people they have, they're still a government agency and as such tend to resource limited. Can you imagine how much computational power would be required for Echelon to actually do everything that people claim it can? Do you think even the US Government has that type of money and could spend it in a covert manner even if it did? If you do, I think you give bureaucracy too much credit.
Standard disclaimer - these opinions are entirely my own. My employeer may well disagree with me - I can't speak for them.
-"Zow"
Do a search on Google. You'll find nearly identical articles going back at least two years. Is anyone really surprised that the NSA is strongarming software companies into giving them backdoors?
The question is, how will the NSA try to fight open-source backdoor-free software? Don't think that they won't. They tried for a long time to keep crypto export restrictions. Having lost that, they are not just sitting there -- "oh woe is me, the open-source guys beat us!" Remember, these are the Echelon guys. They don't send cease-and-desist orders through a bunch of lawyers. They bug your house and tap your phone. They're working on the way to open up strong encryption like a can of tuna.
-------------
-------------
The truth is out th- oh, wait, here it is...
In later years, the NSA and other NATO intelligence agencies arranged for subtle defects to be added to the systems sold by Crypto AG.
I wouldn't doubt that the NSA is still trying to get backdoors installed in commercial software. How successful they've been is an open question.
Xerox provided the Soviet embassy in Washington with a photocopy machine that had a "special feature", a well hidden camera that photographed every document that was copied.
Mea navis aericumbens anguillis abundat
president bomb nsa terrorist libya iran plane explosive congress usa senator bribe cash cocaine drug money assassinate kill destroy
.sig isn't working properly, why don't I post my IP address for now.
Hmmmmm.... and since the link in my
Wait... I just realized, you can track me down to the very room using this information! Uh-oh...
*hears tapping at the door*
AAAAAAAAAHHHHHHH!!! OHHH NO!!! THE NSA IS DRAGIN ME FROM THE KEYB
-----
I'm sorry, but you've insulted the wrong guys. For the Slashdot Side of the Force is With Us!
I call on a Slashdotting of their webserver, until they bow to the mightiness of our geekdom!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
In small print, printed on the backside of the seal you have to break, thereby agreeing to the EULA, "contains less than 3% backdoor code; percentage measured by volume and may not apply to this release as code does not occupy space".
My mom is not a Karma whore!
What about a country, like China, that thinks maybe they might want to go to war with us some day? The NSA would of course take an interest in that country's plans to bomb embassies, airports, and government buildings. Even our allies might want to keep their own intelligence activities from being known by the NSA, or why else we they even bother conducting intelligence?
Put another way, imagine we had had modern computers in the years leading up to WWII: would you have counselled that the US buy closed-source software from German vendors, knowing that the German government had all kinds of backdoor access to those products? Of course not. You would insist on open-source products that you could modify to your satisfaction, or home-grown closed source products. It's not surprising that security-conscious foreign governments find software to which the American NSA might have a master key a bit distasteful.
you make it sound like a group of MS programmers got together and wanted to program in a back door. What you are referring to is yet another MS security hole that exists if someone doesn't setup their sites correctly. I'm sick and tired of Slashdot readers always bashing MS with such knee jerk reactions. Any distro of Linux straight out of the box has holes as well - but you have to fix it. Everyone just shrugs and says "oh, well, yeah, that happens - just fix it and no prob" - but MS does it and everyone freaks out and calls them worthless. I'm no big fan of them, but at least pick the proper things to pick on.- -----
--------------------------------------------
There are some odd things afoot now, in the Villa Straylight.
seineeweraseipsteivos
Aren't all NSA employees bound by Government Secrecy laws and/or agreements? Wouldn't revealing backdoors violate these agreements? He could be hauled off to prison or sued.
OTOH, he may provably have no direct knowledge in which case he's just expressing an opinion like any other private citizen. Then why should we listen? Or it could be disinformation.
I don't think this is a good thing at all. Of course, it's getting to the point of them requiring us to have this software and it will be completely treading on our constitutional rights as U.S. citizens...nevermind how illegal this should be to do to the rest of the world. I see it as search and siezure of my personal data, also, if this backdoor uses up any space on my hard drive, any processing or memory power, then it is also illegally forcing me to house government troops on my property (a bit of a stretch, but still true.) I'm sure that we could also say that they are pressuring us against speaking freely online because we know they are "watching" us. Hmmm...let's just say that it's very obvious that the NSA is doing all they can to take away the Bill of Rights from U.S. citizens...I see this as treason, and I think everyone in the NSA deserves to be lined up against the wall and shot.
Yes, I am very opinionated.
Mas vale cholo, que mal acompañado.
As a journalist, I can tell you that this smells as fishy as they come. I say the guy's a self-promoter hyping himself by exploiting paranoia. If he's brave (and informed) enough to go public with this kind of imflammatory charge, he should be brave and informed enough to be able to name a single app that has such a backdoor (and, no, Carnivore doesn't count. Sheesh!).
I'll call him on it. Name 'em or shut up.
This is a hard story to believe. If there are backdoors, then there has to be a way for the NSA to transfer the information gleaned. Surely someone would have noticed activity like this. RealAudio certainly didn't get away with it for long. Not to mention the likelihood that someone in one of the companies is going to notice and talk. His hedging language ("may have backdoors"), means he has no direct knowledge. If that's the game, I can warn of lots of things the NSA "may" be doing as well. Did you know that the NSA may be secretly running SlashDot? (And apparently deliberately botching the job ...)
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
Which is my way of saying, how is the NSA getting this surveillance data it's supposedly collecting without anyone noticing?
If I were the NSA (and I'm not), except for something big and common like Windows 2000, I wouldn't bother sticking backdoors in every bit of software out there. For one thing, it's too likely that someone will open their big mouth, and the general public won't like it much.
;)
I'd go online, and find me a small group of talented crackers and script kiddies, and offer them the job of their dreams: cracking into every bit of software and computer system on the planet and getting paid for it. Not to mention the added perk of being cool spys. Even open source software has the occasional security hole, and if the hole is patched, my team could simply find another one. Microsoft's software is so riddled with silly security holes, and so popular, that it would not be difficult to have an in on most of the computers in the nation, if not the world. Plus, Microsoft sometimes never fixes known bugs because fixing bugs doesn't give them market dominance, so the holes might stay open longer.
As for the "ex-NSA employee", I pretty much take what he is saying with a grain of salt the size of Utah. Ex-employees shoot off their mouths for two reasons: to make the former employer look bad, or because the former employer wants them to say what they are saying. Sometimes it is just as effective to make people think you are watching them, and it is certainly easier on the budget.
Another thought: did you ever consider that this might be a big piece of FUD against proprietary software? Perhaps the NSA prefers open source.
Extremely bloated commercial software may contain full fledged flight simulators and pictures of the software designers. It is also suspected that some software may harbor dancing blue elephants.
Seriously folks, does it take 30Megs of software to read email. Not only is it likely that large software houses are cooperating with the US gov, it is probable.
I was working at an AT&T plant as a technician several years ago, and one of our projects was a device about the size of a Palm Pilot. You plug your handset into it, then plug it into your telephone. The person on the other end used a similar device, and with one button press you got instant voice encryption. We built hundreds. I tested a large portion personally. Then I personally helped tear them apart and install the clipper chip after the FEDS moved in. Funny, but we didn't build anymore after that.
We also built another telephone. It's the one that Harrison Ford uses on Air Force One. Not the little satellite phone, the big white desk phone. We had to count the ICs that did the cryptography for that every morning and evening. The phones had to stay under lock and key at all time. Not that it has any relevancy here, just to note that the FEDs will control cryptography and if you trust anything they approve of, you're going to be tracked.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
That is not to say that the NSA did not have some influnce on the design (back before the rules changed and put the FBI and State Department in charge of export procedures). The NSA really discouraged (using the export license stick) the use of triple-DES. The fact they discouraged certain designs types is pretty much public knowledge.
What is less known, is that the NSA did a through examination of the product. In order to get an export license, the NSA also had to review the product - all specifications, code, manufacturing diagrams, samples devices. They also requested and got our future product plans. It is my impression that the NSA did this future product research everywhere they could.
So this means the NSA knew all details of any crypto product that was being exported. They knew the specifications, and in some cases the future product directions. I never heard of a case where the NSA would come back after a product evaluation and say "you have a security hole". In summary, even without a formal backdoor, they have (had?) a lot of knowledge.
PS: When I hear about ex-NSA members joining public companies, I wonder how many of my company's ideas (forcefully obtained by USA export regulations) went with them. You might say, the NSA was all knowing, so their was nothing to steal. The truth is that the NSA was really into military uses (they supposedly passed up developing public key algorithms because they did not have any use for them). Don't under estimate the value of a practical commercial related applied cryptography use.
- MbM
- MbM
Not sure if you covered this but even with a lot of people switching to (or already using) open source software there still could be the problems with existing backdoors put into other proprietary software such as the Microsoft IIS services, etc. Those would still permit the backdoor to do what will with users of that service. Also how would these backdoors go undetected depending on what they do? I mean sure if they are sending little data or a lot of data over a long time then the small amount of packets over time would be very hard to notice still. I'm babbling now but hopefully enough of this was understandable to start a discussion :D
( o ) one could say I'm rather baked
For those who don't see where I'm going: one of the early unix guys (Ken Thompson if I remember right) created a version of login with a backdoor for him to get in. Then he created a C compiler that could tell if login was being compiled and if so insert his backdoor. Then he modified the C compiler to check if it was compiling itself and if so insert both hacks. Soon he was able to (but claims he never did) distribute a C compiler that looked normal, yet would give him access to any machine.
It wouldn't have been hard to put this hack into compilers, so long as they started early and had some assistence. There must be someone at mit who can be bribed (there always is) to put it into any binaries on ftp.gnu.org. Sun is a closed company, and easially bribed to put it into their code. Of course we are today in a maze of unix's, all different. (4 BSDs, SCO, linux, Solaris, Irix, Aix, HPux, and probably others I've forgotten) You get the idea though.
If every government wants perfect security, they should have their own classified programs with classified keys. That way, even if an opponent were to discover a key, they would still have to figure out the encryption scheme (one of the tacit assumptions of encryption is that the opponent already knows the scheme. It also is the most difficult part of an encryption program to discover through reverse engineering).
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
My question is this then: What is the NSA (or what do we think the NSA is) going to do about IPsec? IPsec supports 3DES - I'm working on a chip right now for my company that works with an IPsec encryption chip (our chip doesn't actually do the encryption). The IETF is an international standards body not governed by the NSA/US and as I recall (I don't keep up _that_ much with IETF meetings), they pretty much blew off the US Feds.
Any thoughts?
Do not connect it to a network and there is no security threat.
:P
Moderate me as you will I did not read the article and am a terrible noise generator
This article could have been lifted straight from the pages of the National Enquirer. You've got a so-called "authority" that nobody has ever heard of, warning that there "may be backdoors" in some unspecified software. There's NOTHING specific here, no real information, just some lunatic jumping up and down and shouting.
So, of course, half of Slashdot starts screaming about how "Microsoft is downloading all our personal information!"Yeesh.
Now I've seen it all!
Appended to the end of comments I post? 120 chars?!
--
Build a man a fire, and he's warm for a day.
Time is Nature's way of keeping everything from happening at once... the bitch.
Because it can be abused.
Think what Nixon or Hoover would have done with this ability.
As I mentioned in another post in this thread, it would be very easy to ruin someone's reputation or blackmail them.
Yes, the legitimate uses for a system like this is to watch for terrorist attacks or organized crime activities. But how hard would it be for the NSA to track the activities of those on its 'enemies list'? Not hard at all.
So when Senator Doe, formerly an out spoken critic of the NSA, comes out of a meeting with the NSA and now says he understands why the NSA needs to do what they do, is it because he has had a change of heart? Or is it because the NSA showed him his file? And mentioned that information wants to be free.
That's why we should all care.
Steve M
The point being, that there are genuine threats out there, and the NSA is, really, trying its best to protect you, whether you realize it or not.
I can basically agree with this as long as it is understood that societies are like humans -- they do not have treatably isolated disorders.
The personality trait-set that makes someone insightful, sensitive, and generous may also be what makes them vulnerable to rejection and depression.
By the same token, it is the existence and legacy of america's (and the West's) global policies for the last couple centuries that has made us the target of terrorist attacks in the first place. These policies are administered and operated with the same mindset, by the same cadre of military-industrial traditionalists that also give us organizations like the NSA.
Yes, I suppose it's great that I enjoy a personal leisure, life-expectancy, and security than any other comparable civilization/era, but the piper must always be paid. In other words, if we didn't have a society run by people with an "NSA mindset", then perhaps we wouldn't need the NSA in the first place.
[heh. as you may notice, i like to mix metaphors and analogies]
Confucius says, "It is a wise physician who can discern when the Cure is also the Disease".
---
the problem with teens is they're looking for certainties
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
By using this web site yuo agree to the following:
END-USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE
IMPORTANT - READ CAREFULLY: This Microsoft End-User License Agreement (EULA) is a legal agreement between you (either an individual or a single entity) and Microsoft Corporation for the Microsoft software product identified above, which includes computer software and may include associated media, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). The SOFTWARE PRODUCT also includes any updates and supplements to the original SOFTWARE PRODUCT provided to you by Microsoft. Any software provided along with the SOFTWARE PRODUCT that is associated with a separate end-user license agreement is licensed to you under the terms of that license agreement. By installing, copying, downloading, accessing or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, do not install or use the SOFTWARE PRODUCT; you may, however, return it to your place of purchase for a full refund.
Software PRODUCT LICENSE
The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.
1. GRANT OF LICENSE. This EULA grants you the following rights:
h Applications Software. You may install, use, access, display, run, or otherwise interact with (RUN) one copy of the SOFTWARE PRODUCT, or any prior version for the same operating system, on a single computer, workstation, terminal, handheld PC, pager, smart phone, or other digital electronic device (COMPUTER). The primary user of the COMPUTER on which the SOFTWARE PRODUCT is installed may make a second copy for his or her exclusive use on a portable computer.
h Storage/Network Use. You may also store or install a copy of the SOFTWARE PRODUCT on a storage device, such as a network server, used only to RUN the SOFTWARE PRODUCT on your other COMPUTERS over an internal network; however, you must acquire and dedicate a license for each separate COMPUTER on which the SOFTWARE PRODUCT is RUN from the storage device. A license for the SOFTWARE PRODUCT may not be shared or used concurrently on different COMPUTERS.
h License Pack. If this package is a Microsoft License Pack, you may RUN additional copies of the computer software portion of the SOFTWARE PRODUCT up to the number of copies specified above as Licensed Copies. You are also entitled to make a corresponding number of secondary copies for portable computer use as specified above.
h Reservation of Rights. All rights not expressly granted are reserved by Microsoft.
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
h Academic Edition Software. If the SOFTWARE PRODUCT is identified as Academic Edition or AE, you must be a Qualified Educational User to use the SOFTWARE PRODUCT. If you are not a Qualified Educational User, you have no rights under this EULA. To determine whether you are a Qualified Educational User, please contact the Microsoft Sales Information Center/One Microsoft Way/Redmond, WA 98052-6399 or the Microsoft subsidiary serving your country.
h Not for Resale Software. If the SOFTWARE PRODUCT is labeled Not For Resale or NFR, then, notwithstanding other sections of this EULA, your use of the SOFTWARE PRODUCT is limited to use for demonstration, test, or evaluation purposes and you may not resell, or otherwise transfer for value, the SOFTWARE PRODUCT.
h Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
h Separation of Components. The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one COMPUTER.
h Trademarks. This EULA does not grant you any rights in connection with any trademarks or service marks of Microsoft.
h Rental. You may not rent, lease, or lend the SOFTWARE PRODUCT.
h Application Sharing. The SOFTWARE PRODUCT may contain Microsoft NetMeeting, a product that enables applications to be shared between two or more COMPUTERS, even if an application is installed on only one of the COMPUTERS. You may use this technology with all Microsoft application products for multi-party conferences. For non-Microsoft applications, you should consult the accompanying license agreement or contact the licensor to determine whether application sharing is permitted by the licensor.
h Support Services. Microsoft may provide you with support services related to the SOFTWARE PRODUCT (Support Services). Use of Support Services is governed by the Microsoft policies and programs described in the user manual, in online documentation, and/or in other Microsoft-provided materials. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to the terms and conditions of this EULA. With respect to technical information you provide to Microsoft as part of the Support Services, Microsoft may use such information for its business purposes, including for product support and development. Microsoft will not utilize such technical information in a form that personally identifies you.
h Software Transfer. The initial licensee of the SOFTWARE PRODUCT may make a one-time permanent transfer of this EULA and SOFTWARE PRODUCT only directly to an end user. This transfer must include all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, this EULA, and, if applicable, the Certificate of Authenticity). Such transfer may not be by way of consignment or any other indirect transfer. The transferee of such one-time transfer must agree to comply with the terms of this EULA, including the obligation not to further transfer this EULA and SOFTWARE PRODUCT.
h Termination. Without prejudice to any other rights, Microsoft may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.
3. UPGRADES. If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by Microsoft as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements (and may disable) the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this EULA. If the SOFTWARE PRODUCT is an upgrade of a component of a package of software programs that you licensed as a single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package and may not be separated for use on more than one COMPUTER.
4. COPYRIGHT. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by Microsoft or its suppliers. All title and intellectual property rights in and to the content which may be accessed through use of the SOFTWARE PRODUCT is the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This EULA grants you no rights to use such content. If this SOFTWARE PRODUCT contains documentation which is provided only in electronic form, you may print one copy of such electronic documentation. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.
5. DUAL-MEDIA SOFTWARE. You may receive the SOFTWARE PRODUCT in more than one medium. Regardless of the type or size of medium you receive, you may use only one medium that is appropriate for your single COMPUTER. You may not RUN the other medium on another COMPUTER. You may not loan, rent, lease, or otherwise transfer the other medium to another user, except as part of the permanent transfer (as provided above) of the SOFTWARE PRODUCT.
6. BACKUP COPY. After installation of one copy of the SOFTWARE PRODUCT pursuant to this EULA, you may keep the original media on which the SOFTWARE PRODUCT was provided by Microsoft solely for backup or archival purposes. If the original media is required to use the SOFTWARE PRODUCT on the COMPUTER, you may make one copy of the SOFTWARE PRODUCT solely for backup or archival purposes. Except as expressly provided in this EULA, you may not otherwise make copies of the SOFTWARE PRODUCT or the printed material accompanying the SOFTWARE PRODUCT.
7. U.S. GOVERNMENT RESTRICTED RIGHTS. All SOFTWARE PRODUCT provided to the U.S. Government pursuant to solicitations issued on or after December 1, 1995 is provided with the commercial rights and restrictions described elsewhere herein. All SOFTWARE PRODUCT provided to the U.S. Government pursuant to solicitations issued prior to December 1, 1995 is provided with RESTRICTED RIGHTS as provided for in FAR, 48 CFR 52.227-14 (JUNE 1987) or FAR, 48 CFR 252.227-7013 (OCT 1988), as applicable.
8. EXPORT RESTRICTIONS. This SOFTWARE PRODUCT has been classified by the US Government as exportable under License Exception TSU. Therefore the following terms apply: You agree that you will not export or re-export the SOFTWARE PRODUCT, any part thereof, or any process or service that is the direct product of the SOFTWARE PRODUCT (the foregoing collectively referred to as the Restricted Components), to any country, person or entity subject to U.S. export restrictions. You specifically agree not to export or re-export any of the Restricted Components (i) to any country to which the U.S. has embargoed or restricted the export of goods or services, which currently include, but are not necessarily limited to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria, or to any national of any such country, wherever located, who intends to transmit or transport the Restricted Components back to such country; (ii) to any person or entity who you know or have reason to know will utilize the Restricted Components in the design, development or production of nuclear, chemical or biological weapons; or (iii) to any person or entity who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government. You warrant and represent that neither the BXA nor any other U.S. federal agency has suspended, revoked or denied your export privileges.
9. NOTE ON JAVA SUPPORT. THE SOFTWARE PRODUCT MAY CONTAIN SUPPORT FOR PROGRAMS WRITTEN IN JAVA. JAVA TECHNOLOGY IS NOT FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED, OR INTENDED FOR USE OR RESALE AS ON-LINE CONTROL EQUIPMENT IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT MACHINES, OR WEAPONS SYSTEMS, IN WHICH THE FAILURE OF JAVA TECHNOLOGY COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE.
MISCELLANEOUS
If you acquired this SOFTWARE PRODUCT in the United States, this EULA is governed by the laws of the State of Washington.
If you acquired this SOFTWARE PRODUCT in Canada, unless expressly prohibited by local law, this EULA is governed by the laws in force in the Province of Ontario, Canada; and, in respect of any dispute which may arise hereunder, you consent to the jurisdiction of the federal and provincial courts sitting in Toronto, Ontario. If this SOFTWARE PRODUCT was acquired outside the United States, then local law may apply.
Should you have any questions concerning this EULA, or if you desire to contact Microsoft for any reason, please contact the Microsoft subsidiary serving your country, or write: Microsoft Sales Information Center/One Microsoft Way/Redmond, WA 98052-6399.
LIMITED WARRANTY
LIMITED WARRANTY FOR SOFTWARE PRODUCTS ACQUIRED OUTSIDE THE US AND CANADA. FOR THE LIMITED WARRANTIES AND SPECIAL PROVISIONS PERTAINING TO YOUR PARTICULAR JURISDICTION, PLEASE REFER TO YOUR WARRANTY BOOKLET INCLUDED WITH THIS PACKAGE OR PROVIDED WITH THE SOFTWARE PRODUCT PRINTED MATERIALS.
LIMITED WARRANTY FOR SOFTWARE PRODUCTS ACQUIRED IN THE US AND CANADA. Microsoft warrants that (a) the SOFTWARE PRODUCT will perform substantially in accordance with the accompanying written materials for a period of ninety (90) days from the date of receipt, and (b) any Support Services provided by Microsoft shall be substantially as described in applicable written materials provided to you by Microsoft, and Microsoft support engineers will make commercially reasonable efforts to solve any problem issues. Some states and jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you. To the extent allowed by applicable law, implied warranties on the SOFTWARE PRODUCT, if any, are limited to ninety (90) days.
CUSTOMER REMEDIES. Microsoft's and its suppliers' entire liability and your exclusive remedy shall be, at Microsoft's option, either (a) return of the price paid, if any, or (b) repair or replacement of the SOFTWARE PRODUCT that does not meet Microsoft's Limited Warranty and which is returned to Microsoft with a copy of your receipt. This Limited Warranty is void if failure of the SOFTWARE PRODUCT has resulted from accident, abuse, or misapplication. Any replacement SOFTWARE PRODUCT will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside the United States, neither these remedies nor any product support services offered by Microsoft are available without proof of purchase from an authorized international source.
NO OTHER WARRANTIES. To the maximum extent permitted by applicable law, Microsoft and its suppliers disclaim all other warranties and conditions, either express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, with regard to the SOFTWARE PRODUCT, and the provision of or failure to provide Support Services. This limited warranty gives you specific legal rights. You may have others, which vary from state/jurisdiction to state/jurisdiction.
LIMITATION OF LIABILITY. To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if Microsoft has been advised of the possibility of such damages. In any case, Microsoft's entire liability under any provision of this EULA shall be limited to the greater of the amount actually paid by you for the SOFTWARE PRODUCT or U.S.$5.00; provided, however, if you have entered into a Microsoft Support Services Agreement, Microsoft's entire liability regarding Support Services shall be governed by the terms of that agreement. Because some states and jurisdictions do not allow the exclusion or limitation of liability, the above limitation may not apply to you.
Cunning linguists
It should be clear to anyone who followed the link and read the article that Madison has no hard evidence that there are now or have ever been NSA backdoors in anyone's software. If he had any, he would name companies and applications. Where are they? I believe in free encryption and hate the NSA as much as the next guy, but muttering vague imprecations like "manufacturers play ball with the NSA" and "they're not going to give up control of strong crypto and get nothing in return" serves no purpose but to feed the conspiracy theories on Slashdot. AH
I can't speak for others, but I can relate my experience in the software industry. I was an employee at a well-known company that produces and sells computer security products. I can tell you all without a doubt that the NSA had nothing to do with the products and had absolutely no backdoors. It isn't even a remote possibility. I strongly doubt that any company would agree to backdoor their own product. It just doesn't make sense. If the public found out, it would destroy faith in the company and its stock price would plummet. Executives work for their own best interests. Stock crashes and bad press are not one of them. For that reason alone, personal GREED, they would never do it.
This is a common theme in the Slashdot forums, and I usually keep my mouth shut, 'cause I hate to beat a dead horse, but I'm feeling a bit saucy today, so forgive the rant.
Everyone whines, complains and generally just bitches when it comes to the U.S. Government having any responsibility or privacy concerns. The topic for today's thread is the NSA having backdoors in software. Tomorrow it will be something different, but with the same general theme: who can trust the gov't to do what they say? Who will "guard the guardians?" The basic problem here is a lack of education and understanding. Or, to put things more simply, people pulling information from their nether reigons. (no offense meant, Gurlia)
The gov't is not a single person or organization. The US gov't, and gov'ts in general are made up of hundreds of different organizations. There is a clearly defined chain of command and accountability, from the lowest GS-5 all the way up to Congress and the President. These are the people that "guard the guardians", in this case. Assuming that these backdoors exist, whomever is responsible for the use of these backdoors most likely has to get authorization from his boss in order to retrieve the information to make use of the backdoor. His use of said backdoors will be closely monitored and reported. If the use of these backdoors is an uncommon occurence, the single case of use will get reported up a couple levels of responsibility. If it's a common thing, the number and reason for each use will be reported en masse at month's, quarter's, or year's end. Ultimately, all this information will end up in some committee in Congress - those Congressmen have the access, security clearance, need to know and resonsibility to understand exactly why "NSA lackey Joe" utilized the backdoor in Microsoft Project in May. Or perhaps why the NSA software backdoor dept. utilized the backdoor information 47 times over the course of FY99.
"Yeah right," I hear you saying. "What good is all that when it only takes once illigitimate use to make a difference?" Three responses to that:
"So what?", I hear, "It only takes once, I said." True, true, but being the US government, they do a good job of doing their best to prevent that.
Oh, but it's different, you think? The government deals with more sensitive information? They've got more responsiblity? You're right, they do. How many people in your company are responsible for someone's life?
Government does a good job. It's extremely hard to run a system as large, diverse and as widespread as a government in an efficient way. Quit taking what you have for granted, take a step back and look at some of the positions of the rest of the world.
disclaimer: yes, I am a gov't employee. No I don't get paid to think or say this, but I work with the system on a daily basis and have a real appreciation for the way that things get done. I thought all the red tape, policies and regulations were silly in the beginning. A lot are outdated and ineffective, but the vast majority keep the behemoth that is the US gov't running.
Considering that we know for a fact that IBM caved on the original Lucifer chip, which resulted in crappy ass 40 bit DES becoming an encryption standard, at the behest of the American Government, and considering that until very recently the gov't of the US of A considered crypto to be a munition, and the US keeps a very very close eye on it's guns, why is this so implausable?
Vintage computer games and RPG books available. Email me if you're interested.
Back before export restrictions were loosened (1996), Lotus worked out a "deal" with the NSA that would allow them export 64 bit encryption internationally in Lotus notes. For the international versions, they took 24 bits of the private key and encrypted them with the NSA's public key, so that (in theory) the NSA would get these 24 bits for "free", and would only need to crack the remaining 40 (which was export legal). The theory was that this was ultimately better for their international coverage, since they'd have 64 bit protection from everyone except the US government. (I won't waste space by pointing out the obvious problems with this approach.)
This was publically announced and the technical details disclosed, so while it isn't great conspiracy fodder, it does point to close collaboration between the NSA and at least one major software company...
> Congresscritters are very territorial.
This is true and this is why the NSA is exempt from most of the checks in the system. People outside of the US (The targets of the NSA), don't have anyone on their side and the congressman from some small districat won't get worked up about something the NSA does because it won't effect his district.
This is why congress has almost never had a problem with the NSA but has had issues with the ones that work in the US (by their charter) like FBI, CIA, BATF.
(Some twit will probably miss the point of my post and mark me as a troll, but I think the point needs to be made...)
I suppose you don't mind then if all your private information is given out to people you hardly know.
Please then answer the following questions for Slashdot:
What is your full name and age?
What is your mailing address?
What is your Home address?
What are your phone numbers?
What is your SIN number?
What are your credit card numbers?
What is your sex life like, (please describe in livid detail)?
What is your standing police record?
What drugs have you used?
Do you drink? If so, how often.
How often do you have sexual thoughts?
How ofted do you masturbate?
What do you think about when you do?
I could go on, but I think you get the idea.
Privacy is important.
So, I have a question. Does it really matter if they watch you? I don't know. How about you answer those questions and you tell me???
Try to hack my 31337 firewall!
As for other operating systems, there is probably a way to configure a standard firewall to let data exit the system only on a need-to-go basis, minimizing the chance of access through a back door.
Of course, this may not ensure rock-solid security, and if there are backdoors in firewalls themselves, then this is not a Good Thing (tm), but I guess it's at least one way of countering the problem.
--
So why are there two Lybians in the dock? I have read enough reporting that suggests even the CIA had the Syrians in the frame for the first few months before switching to the politically more acceptable Lybians.
I had a conversation with a bank recently about them thinking about switching to 3des from des. I pulled out the Applied Crypto book, found the table of how fast things can be cracked, fixed up the historical data (it is an Old book), added a few factors that I've heard about and a projected when 3des should be able to be broken in real time. Its about 10 years away.
How about some of 1024 bit public key crypto? Ever wonder why most of this stuff puts the message digest on the outside of they crypto payload? Its so you don't have to decrypt the data, if you can guess at the contents and can do the md fast, you don't ever even need to brute force they key. Its amzaing how much crypto does this. Also most of it is based on finding good primes. The keys you have are not good primes. If you look at RSA public key stuff you will find that if you have 2 primes as the keys you have a one to one mapping of the encode to decode keys. If one of thouse keys has two factors you will find that you 4 decode keys. 3 facotrs and you have 9 keys since the number seems to square. One bad pseudoprime and your rsa key could have thousands of decoding keys. Considering the NSA gave up buying machines that do big primes fast in about 1994, I'm assuming that the've found out something very interesting about factoring large psuedoprimes.
Recently someone gave me a sample of a bunch of credit card numebrs that were safe since they md5ed them. A bit of code, a few computers and I was generating the card numbers within seconds. 5 minutes later the entire database was converted to plain text.
Here is an intersting article on trojaned hardware. Why would they do anything less with todays software?
---
taken! (by Davidleeroth) Thanks Bingo Foo!
Nowhere in this article did this ex-NSA agent provide an example of the NSA collaborating with a corporation. Basically all this article consists of is the claim of an old NSA agent. Really, it sounds like little more than he's repeating tales and rumors he's heard since his retirement. Unless this guy provide some reasonable proof that this is going on, I'm afraid its nothing more than conspiracy theory, and not a well-put-together one at that.
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
At the "Information, National Policies, and International Infrastructure" Symposium held at Harvard Law School, Paul Strassmann, of the National Defense University, and William Marlow, of Science Applications International Corporation, in a session entitled "Anonymous Remailers as Risk-Free International Infoterrorists" were asked by Professor Charles Nesson, Harvard Law School, whether the CIA and similar government agencies are involved in running anonymous remailers as this would be a perfect target to scan possibly illegal messages. The answer: Yes. In addition they mentioned that the NSA has successfully developed systems to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit keys. They said that they themselves use 1024 bit keys.
And this one is really amazing: Crypto AG, which several post have cited as having been revealed in numerous press accounts to have sold compromised crypto systems to governments around the world, is still in business! But the gold plating on the brass balls is the following statement from their CEO, which is currently on their Web site: "Since 1952, Crypto AG has been the specialist for information security at the highest cryptological and technical level. More than 130 countries have chosen Crypto AG as their trusted partner. This trust is based on the fact that Crypto AG is a financially and legally independent Swiss company. All shares are owned by one shareholder: a foundation with one goal, the commercial success of our company. Foundation status rules out any third-party influence, and this also guarantees full independence and freedom in the design, production and marketing of our products."
What does this mean? For one, it means that having a backdoor revealed will not sink your company even if supposedly secure government communication systems are your only customers. And second, it means that back doors, if they do exist, are an economy measure. If it was encrypted by any popular and widely used tool, it can be forced. Which might explain why you don't see Louis Freeh on TV every night bashing consumer crypto tools.
I wrote parts of this stuff
... projected when 3des should be able to be broken in real time. Its about 10 years away.
Wrong. Amazingly, staggeringly wrong. The minimum amount of energy required to flip a bit is kT, which is 1.3 * 10**-23 joules per Kelvin. Multiply that by the ambient temperature of the universe, 3.2 K, and you get a minimum of 4.16 * 10**-23 joules per bitflip. This is a thermodynamic limitation of computers, and cannot be surpassed without shifting computation away from Turing machines.
Now, 3DES has an effective 112-bit keyspace. 2**112 is about 5.2 * 10**33. Multiply (5.2 * 10**33) by (4.16 * 10**-23) and you get 2.16 * 10**11 joules of energy required to break 112 bits by brute force.
2.16 * 10**11 is a huge amount of energy, on the order of 200 terajoules. But that assumes you have to exhaust the entire keyspace--considering you only have to search 50% of it, on average, you only have to apply 100 terajoules of energy.
Remember: there is no way around this that we know of. This is a thermodynamic limitation; as soon as you figure out how to get past this, I suggest waiting by the phone because the Nobel folks are going to be calling long-distance from Oslo soon.
I've got no choice but to completely and wholly discount your entire message. This analysis took me all of five minutes to conduct. It's not hard.
Insofar as the likelihood of pseudoprimes not actually being prime--do you have any idea what you're talking about? I hate to sound irate (it's only because I'm very irate), but the entire notion of pseudoprimes is that they are probably prime. The likelihood of a pseudoprime not being prime is less likely than you winning the lottery, getting into a car crash, and being struck by lightning while having a hot date with a supermodel. Really. No, I'm not kidding.
Please, get a clue.
If I get any more irate (see my other posts in response to this story) I'm going to get the Theo deRaadt Award...
It's fairly simple to write an encryrption scheme using the available algorhythms...
Yes. It's even simpler to screw it up. Any fool can make a system which they can't break. Making a system which nobody can break requires absolute genius.
If every government wants perfect security, they should have their own classified programs with classified keys.
No. Wrong. Go back to class and study some more. The Germans thought that Enigma was secure since the Allies didn't know how it worked, but Turing and friends did amazing work breaking the Enigma even before they had one of their own. The Japanese PURPLE cipher (?) was broken without ever knowing how it worked; they recreated it entirely from first principles.
Without exception, every cipher I know of which kept its internals a trade secret has been a failure. The most recent spectacular failure is the NSA's SKIPJACK, which for years had its internals protected as a national secret. It didn't do anything to preserve the integrity of its messages; Eli Biham invented an entirely new branch of cryptanalysis (impossible-differential) and used it to cryptanalyze all but one round of SKIPJACK.
The only systems which are worth trusting are those which have survived years and years of brutal peer review. I trust PGP and GPG; I trust Blowfish, IDEA and 3DES; I trust this, that and the other. I trust the PKCS-11 CRYPTOKI standard, I trust SSL when used properly. All of these have been peer reviewed extensively and exhaustively, and so far they're still standing.
I don't trust anything which hasn't been extensively peer-reviewed. History shows that systems which have not survived brutal peer review do not survive in the real world.
Some of my Marine friends are fond of saying, "Training ought to be so hard combat is a vacation." There's a lot of merit to that. In cryptography, peer review means that everyone is trying to break a system. Of all those people, odds are there are people with more skill and better resources than the people who are trying to break your system for-real. If a system survives peer review, it'll probably survive your enemies.
If it's not submitted for peer review, you take your chances.
Your chances aren't very good.
Where to look next? I'd look closely at
-
Voice-over-IP software
-
Instant messaging systems
-
Methods by which microphones on computers or cell phones might be remotely activated
-
PBX remote maintenance systems
-
Router remote maintenance ports
Look closely at tools for private person-to-person communication.I used to be pro-NSA. But since we beat the Commies, we just don't have a big, well-organized enemy that requires that kind of snooping. Let's face it; the countries that really hate the US are basically losers. We might have some terrorism problems from some loser country, but they'll be down in the noise compared to, say, drunk driving. If state-sponsored terrorism gets to be a real problem, it's an act of war. This limits what a government can do before they end up at war with the Last Remaining Superpower, or, as with Iraq, most of the developed world.
Even wiretapping is marginal from a law enforcement perspective. Well under 1% of prosecutions involve wiretaps. A total prohibition on wiretaps wouldn't cause a measurable blip in the crime rate. On the other hand, lousy computer security makes lots of white-collar crimes possible, some with high dollar amounts.
So bad computer security as public policy is bad public policy. Any government official involved with backdoors or wiretapping should be considered soft on crime. That's the position to take in political forums.
This is not a joke.
I am very, very tired of hearing people say that they can break this-and-that, or that such-and-such is trivial, or what-have-you. Most of the time, these people are total incompetents who like to make themselves sound much more clued in than they really are.
The last time someone made claims like thogard did, I made a public challenge which was not accepted. Maybe this time will be different. So, without further ado:
THE 6-HOUR MD5 CHALLENGE
1. Rules.
The only rule is you can't bribe the judges. If you want to lurk around my workplace, bushwhack me when I come out and beat the answer out of me, feel free. Don't do the crime if you can't do the time, though. You can cryptanalyze this, you can attempt to coerce it out of me, you can send an attractive woman my way (free hint: I'm partial to tall redheads) to coax it out of me, you can try and eavesdrop on my phone lines and overhear me give it away, I don't care.
But you can't go after the judges, because then we don't have a fair contest. Fair?
2. The Challenge
If this challenge is accepted, I will submit to CmdrTaco (or another Slashdot employee, as he assigns) a credit card number. Specifically, my credit card number (with a few digits changed for my own self-preservation). I will also submit the MD5 hash of this (slightly modified) credit card number.
No cribs will be given. It will not be announced whether it's the credit card number by itself, whether my name is part of the data, whether the expiration date is included, etc. CmdrTaco will verify that I'm not cheating.
Once everything is set up, the MD5 hash will be put up on Slashdot. From the time it's put up, you'll have SIX HOURS to reverse the MD5 hash and get my credit card number.
3. The Reward
The reward is $1,000 cash. (Well, it'd actually be a cashier's check, but same difference.) If you can do it--especially if it's as easy as "a bit of code, a few computers, and I was generating the card numbers within seconds"--then this will be the easiest grand you've ever made in your life.
All monies will be deposited in advance with CmdrTaco (or others as he assigns). If I don't cough up the dinero up front, the contest doesn't go forward.
4. Frequently Asked Questions
Why only six hours?
Credit card numbers really aren't all that entropic; they're very predictable. The card I'm looking at right now has 16 digits, plus my name and two dates (valid-throughs). Brute-forcing 10**16 would take some time, even for an immensely large network, and that doesn't include the permutations of my name, the expiration dates, etc.
Breaking DES by brute force requires an average of about 3 * 10**16 operations. Thus, breaking my credit card is a little harder than breaking DES. It's possible some Slashdotters with access to extremely large networks would be able to brute-force this, but I don't find it likely.
If it's really as easy to break MD5 as thogard is claiming, six hours will be plenty of time.
Why are you changing the digits of your credit card? If you have such faith in MD5, shouldn't you leave it unaltered?
As I said, some Slashdotters may have access to extremely large networks which could brute-force it in a few days' time. I'm changing it just to cover my tail in case someone decides to spend weeks of processor time brute-forcing every possibility.
Isn't MD5 in disfavor nowadays? Wouldn't SHA-1 be better?
Yes, MD5 has a couple of potential attacks against it. I still have faith that it's very strong in practice, though.
Are you serious about this?
I'm serious about this. Are you?
i was beginning to think that i had only imagined the existence of that book because no one seems to have heard of it! i've scoured used bookstores for years and now have two pbk copies (so i can keep one permanently and occasionally loan out the other if someone proves worthy). everyone's reaction is the same: "wow! why haven't i heard of this before?"
seriously, i consider it the best novel i've read, and it puzzles me that it's not as well known as its cohorts like Hitchhiker's Guide, Catch22, vonnegut (esp. Sirens of Titan), Confederacy of Dunces...
as far as the phil dick story, if it's a short story i may have read it since i used to read every sf anthology i could find (maybe that's why the memory-wipe idea was floating around in my subconscious); since it comes recommended from someone who has read Satan i'll definitely track it down.
i'd be interested in hearing how you came across Satan and what kind of impression it made on you.. you can email me using my nick (it's a hotmail address).
---
the problem with teens is they're looking for certainties
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
Oh boy. I have foiled their attempts to control my mind, but now I know I can communicate only with carrier pigeons.
Personally, I live outside the USA (Australia to be precise), well out of the duristiction of the NSA, or any US organisation (no carnivore going to be at MY ISP!). Which means not only is any data collected on me by the NSA invalid, but also that the NSA has no right to collect it in the first place!
I also remember a little while back there was outrage over Internet Explorer contacting not just microsoft, but the NSA before going to any secure ASP sites, which means both microsoft AND the NSA have to approve of you going to that site before it will let you get the page up. This has been used in the past to block people outside the US from getting strong encryption. What I want to know is, what on earth gives the NSA the right to say stop me downloading strong encryption from Finland -- where the source and destination are out of their control and duristiction, but the software still asks for their 'approval' first.
I believe if the NSA wants to go poking around in proprietary software, they should 1) have to have some kind of notification not only that the NSA backdoor is there, but what it enables the NSA to do (not how it works, thats up to them -- just what it allows). and 2) provide an international version WITHOUT the NSA interferance/code in there, that the software houses can export without people internationally having to contact the US government before using their software.
IMHO, the US govt is taking big brother a bit too far, especially when it concerns software or internet traffic that is being used or transmitted outside their own boarders. I for one am glad I am part of the GNU generation.
Show me the academic papers which show you can reduce 3DES to complexity 2**78. The same attack could be used to reduce DES to complexity 2**39, which would be the world's first strong cryptanalytic attack against DES.
Show me just one instance where someone used this attack against DES to break it by brute force in an average of 2**38 operations.
Your argument about computing hardware is (a) wrong and (b) irrelevant. Moore's Law says that we can expect it to roughly double every eighteen months; if it increased eightfold in a year, this is highly unusual and is likely not a trend. Please point out the academic reports which talk about chips capable of doing a billion keys a second by themselves, or that the field of brute-force crackers is increasing by eightfold a year. That's why it's wrong; it's irrelevant because no matter what, thermodynamic limitations still apply.
Please present me with a real analysis which backs up your claims, not some vague statement of potential attacks and a made-up number about hardware crackers.
Too bad the crypto only works with one to one keys if the numbers are prime, probably prime isn't close enough.
The odds of a good probable-prime being composite is less than the odds of you being struck by a meteor at the instant you read this post. If you're concerned about your probable-primes being composite, I would respectfully suggest that you should consider the threats to your life that meteor strikes, attack by killer bees, random violent stranglings with rabid wombats, etc., pose. To lament the likelihood of a composite probable-prime while not living in stark fear of death by slipping in the tub and breaking your neck is extremely irrational. The one is far more likely than the other, and has much more dire consequences.
I have already issued a challenge to you on one of your more outrageous claims. I hope you take me up on it.
... subject says it all.
You could've hired me.
I remember hearing something about this last year.. The Indian decided that many closed software products included backdoors accessible to US (and possibly other) govt agencies.. THey passed a mandate to use either opensource or in-house developed software for ALL critical applications... This includes OS, security, networking, etc apps but probably not MS Word, etc... I'm sure this decision was based on some investigation/findings that they did...but maybe did not release...
$.01,
11oh8
It may not seem like a big deal now.Most of use are not under the risk of being locked up they are only looking for major crimes.But if they are aloud to get away with such things soon every agency will be using similar methods to bust use for the smallest of crimes.Remember you have to crawl before you walk!
We are used all day long, so why not a little "shocking" article to get people awake?
I enjoyed reading all the toughts people had while reading...
There once was a Bill from Seattle, Who wished to herd users like cattle He said with a grin, as the profits rolled in, "I think I hear freedom's death rattle.."
"Normal is a cycle on a washing machine" -John P. McAfee
The NSA is using terrorist threat and child porn as an EXCUSE to use such measures. Wasn't the saying "The goal justifies the means?". In fact the real reason is that the USA seeks to get an industrial and economic advantage over the rest of the world by intercepting inter-company communication.
I mean, really. Would a real terrorist be so stoopid to use any commercially available encryption? Use e-mail? Use electronic communication?
-Danny
What about the GNU compiler? It already compiles a ready-to-go backdoor in each probram you make. Maybe this code was already there in the compiler for the GNU compiler. Or the compiler from the compiler from the compiler.......
-Danny
I'd love to see this happen... I too get sick of people who dismiss things with a wave of a hand ("give me a paper clip and some scratch paper, I'll have it in two minutes"). People like to bullshit -- I'd love a chance for them to step up to the plate!
willis/
there is no thing
what else could you want?
I know of a commercial encryption package that allows you to have variable sets of users and passwords per encryption/decryption key. To clarify this, you can create a key that Alice can use with her own password, Bob with his own (different) password, etc. It would be extremely easy to add a backdoor user/password to every key without the regular users ever knowing (unless they disassemble and reverse engineer the executable...). So, how paranoid is it to think that a security agency would have a backdoor in this product? Or maybe we should just trust the software vendor?
MSN 8: Now Microsoft even has bugs in their ad campaigns.
Same as the R.I.P act here in the UK. It's supposedly to catch 'terrorists, drug lords and paedophiles' (everyone's pet crime atm). So they're going to have _all_ our net traffic going through their version of carnivore, which will be installed in all the major ISPs. Hmm.. well that's okay the people say, after all it's just to catch the terrorists, drug lords and paedophiles, so what have we to worry about? PEOPLE USE ENCRYPTION! Well if you don't give the government your key when requested you get 2 years in prison... 1. Is anyone who is guilty of one of these major crimes going to give two shits whther they go to prison for two years? I think not compared to the alternative. 2. Threfore, the only people who the law is effective against are the innocent, and people who have committed crimes which carry a sentence of under 2 years, ie. relatively minor crimes. Dont believe the hype
This seems to confirm last years the claims by cryptonym that Microsoft Windows CryptoAPI does contain a NSA back door.
Not to mention of course, that the country that has been most involved in bombing other countries' embassies, airports and government buildings were precisely the USA. Shouldn't this lead to a right of other countries to inspect the NSA's secrets?
-- eddie
That's comic. So they're alleging that software *bought from* the justice department might have a possible backdoor that the justice department could access? Please. Not only has no evidence turned up (did the mounties drop the investigation?), but even if it did, that would be neither very surprising nor what this thread is about. The allegation here is that commercial software from independent software firm (even possibly the scary evil empire itself, whooo) contain such a backdoor.
I repeat: prove it.
Sorry, that's a telecommunications network, not a software app. Most telecoms networks have the capability to be tapped under court order; indeed, Globalstar would be one of the few exceptions if it didn't.
The allegation here was independent software apps (predictably, everyone immediately mentioned Microsoft) had such backdoors. I'm challenging them to provide any example of that.
And... ...who watches the Watchmen?
Hmm?
Hmm?
You still want that golf scholarship....DON'T YOU?
No.