New Vista Random Numbers to Include NSA Backdoor?
Schneier is reporting that Microsoft has added the new Dual_EC_DRBG random-number generator to Vista SP1. This random-number generator is the same one discussed earlier that may have a secret NSA backdoor built into it.
I guess it's not so secret then, is it?
"I'm just here to regulate funkiness."
Wouldn't this go under "Your Rights Online"?
To regale us with the myriad ways in which government plots are about to unfold with this. But sincerely, this is ripe for negative speculation. There is no good reason for something of this nature. Sure, some will say it's for the kids and what about the terrorists being thwarted before they can act and all, but I still say this is BS. Closed source buffoonery if you ask me.
My humor is probably your flamebait
"It's not enabled by default, and my advice is to never enable it. Ever."
Given the known problems of Dual_EC_DRBG, which, from the Bruce Schneier article, include the fact that it's slow, that it's got an obvious backdoor, and that it was inexplicably pushed for the NSA for seemingly no reason, why would Microsoft add it to Vista SP1?
Now adding the algorithm itself isn't really a backdoor per se, because no one is forcing you to use that particular random number generator. But it is also interesting to note that this isn't the first time Microsoft has been accused of inserting backdoors for the CIA or the NSA. Of course, Microsoft vehemently denies such allegations, but I would assume that they would. Given what the telcos did for the NSA, would anyone be surprised if it really did come out that the NSA actually forced Microsoft to put backdoors in Office or Windows?
My blog
I worry more about the 0-day backdoors in Vista than I do about the NSA backdoors.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Boy, this is getting tiring.
You're concerned about security, and you're using WINDOWS VISTA???
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Are they touting it as secure? Do they mention the NSA backdoor? Do they have a response to it?
Some US government agencies REQUIRE the ability to use this PRNG algorithm, so anyone who wants to sell a product to those agencies (IBM? RedHat? Sun?) is going to have to provide that algorithm.
And, this algorithm is NOT the default.
So... ??? This article is simple FUD.
I seeded the Dual_EC_DRBG with the following ASCII strings and got the following output in ASCII:
missionaccomplished -> LOL
waterboard -> buckshottotheface
osamabinladen -> loofahnotfalafel
iraq -> vietnam
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
No surprise, really. After all, Microsoft did this a long time ago (remember the whole "NSA KEY" fiasco?)
http://en.wikipedia.org/wiki/NSAKEY
Is this "feature" back-ported to XP SP3, too?
SP3 is supposed to have some of Vista's most useful features as well as all previous bug fixes.
Would be a shame to ruin a good service pack that speeds up XP by 10%.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
I implemented this on my Linux box. Does this mean that all of Linux now has a back door too?
Slashdot's anti-Microsoft alarmist bullshit is so boring.
I see what you did there. You implied that anyone who criticizes the US or Vista is a paranoid loony. Now why would you do that? Do you just assume that people will criticize the US? Is the US that worthy of criticism that you have to defend it preemptively? I know that's a popular tactic these days, but is it entirely necessary? Nice how you posted AC, too. You sir are an all-around class act.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
... can't they just include their own list of secret numbers in order for the generator to be semi-secure? The NSA has the numbers that generate the random numbers in the base code but even they say to make your own reference numbers if you are to use the code. So if Microsoft were to ultimately use the numbers the numbers would probably end up being both random and not known to anyone in the development team if they so wanted.
...does every article about Vista make me less likely to ever use it? Aren't things like this supposed to _improve_ with time?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
So, let's review:
1. Government introduces a new cryptography standard (which it will presumably require for some applications) that requires that systems provide a choice of 4 random number generators, one of which MAY have a flaw.
2. Manufacturers implement the new standard.
3. Grand conspiracy!!!
Come on, could it just possibly be that Microsoft wants to be able to claim to be NIST 800-90 compliant for customers who want that kind of thing and that the NSA likes the idea of there being a variety of random number generators available? The only way that making this function available is a risk is the NSA also has control of the application and can force it to call this random number generator without properly seeding it. If they have that level of control, they have enough control to do whatever else they want in a much more direct way.
I like my beverages with warning labels!
What kind of commie doesn't just trust the NSA? I mean, we've got a FISA to protect us from the government and from corporations cooperating with rogue regimes, right?
--
make install -not war
I assume by not putting in any category, the editors get to bypass a users filtration by preferences selections.
I disagree.
This has absolutely nothing to do with open or closed source. A completely open source random number generator would have precisely the same vulnerability, because the problem isn't potential skulduggery by the vendor, it's potential skulduggery by the people who designed the standard.
What Microsoft has done is to implement a questionable standard. It makes no sense in this case to blame them for its shortcomings, especially since developers have alternative standards they can use.
Now when it comes to application software using a random number generator, then there actually is a closed/open source argument to be made. Do you know which random number generator is used by the software you use? With closed source, almost certainly not. With open source, programmers can undo the choice of the dodgy elliptic curve RNG and replace it with a more solid, equally standards-compliant alternative. And get a speed boost too. You also know that you might not want to trust the source for your software if they use the inferior algorithm.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
My understanding is that you need 32 bytes of consecutive output.
Why not populate a buffer with the PRNG output.
Create an index to the end of the buffer. (Assuming an array)
Then.
Use as output the byte at this index value.
Decrement the index by one.
Subtract the byte value at the index, from the index value.
Use the byte value at the index as the second output value.
Keep doing this stepping backwards through the buffer in this manner; when you roll off the start of the buffer, repopulate the buffer with new random data.
Set the index value for the repopulated buffer to the buffer's length minus the absolute value of the currently negative index.
Or simply add the buffer's length to the index.
Have fun.
Maybe the NSA could have thought a little harder at entering a back door code. Secret sources have revealed the NSA back door code to be.
up, up, down, down, left, right, left, right, B, A
..........FULL STOP.
I'm 24 years old. I don't want to go through the next 50 years of my life living in an international air of worry and uncertainty. I don't want to live in a permanent state of fear, generated by a megalomaniacal American government taking advantage of the majority low IQ populace's capacity for being brainwashed.
Can I suggest you up your meds? Your current dosage isn't doing its job.
I like my beverages with warning labels!
Just as it is untrue that the US used printers (small 68000 series computers) to disrupt the Iraqi networks and sniff traffic, and they are not diverting telephone cable Net traffic at the main connection sites in San Francisco and other locations.
And, I never was in the shack at Yakima, and we never listened to your long-distance phone calls and made fun of you going kissy-kissy with your wife overseas.
Really.
Pay no attention to the curtain, nothing is behind it. Really. And get that dog away from it!
-- Tigger warning: This post may contain tiggers! --
finally, Microsoft is taking it in the backdoor - about freaking time.
ReaLemon is yummy
Yet one more reason I am glad I still use Xp and not the malware that is MS/NSA Vista. Now, it begs the question, will SP3 for Xp have this same new random number generator with backdoor?
~DF
I think this "backdoor" story would be an appropriate time for the Goatse link. Where is that dude with the ASCII picture?
Virginia is for lovers. EVE is for griefers.
Your options:
1. Hard Liquor
2. Pills
3. Step 1 followed by Step 2
4. Step in conjunction with Step 2
5. See Slashdot poll for today - make friends with billionaire space pilot - relocate to the moon. Die when oxygen runs out.
ReaLemon is yummy
I hope the NSA thought to put a screen door on their backdoor, what with all the bees in the internet
I'm with ya... America sucks... and i'm American. Sigh.
We're doomed.
...because this one seems too obvious. So, perhaps the NSA crypto folks have a couple of found back doors in some of the other algorithms, and this is a bit of misdirection to keep people from noticing what they really intend to use... :)
Have any expectation of privacy or security in the first place?
IIRC, some of the key SCOTUS decisions regarding the Fourth Amendment have centered around a person's expectation of privacy. They've argued:
That said, the government could persuasively argue that someone who runs Windows, especially Vista, has no expectation of privacy in the first place:
Now the sad thing is that this does come across as a troll, but sadly, it's true. And it needs to be addressed. For some reason, the /. crowd thinks it is acceptable that a majority of the population uses an OS which is horribly less secure than the ones we ourselves use (Linux, Macs, etc...). We're supposed to be the technical ones who have the solution to these problems, and yet, most /.ers just choose to blame the victim and whine about Microsoft being evil. Granted, we already know that.
Is it really acceptable that our collective rights are surrendered because a major corporation finds more profit in insufficient design and testing of its software? I realize that most of you loathe Windows, but unless we actually do something to fix the social barriers to the adoption of Linux, we can expect that, because Windows is so insecure, our government will be able to convince SCOTUS that a computer user has no "reasonable expectation of privacy".
It doesn't matter so much that this PRNG is insecure. A knowledgeable cryptographer isn't going to trust the OS for random numbers, anyway - unless it is in compliance with some standard to which their code must comply. What matters is that Vista is full of holes, and we're talking about a PRNG which no software of cryptographical consequence is going to use anyway.
Instead, we ought to worry that Windows itself is easily compromised by the government. That is the real problem. Why would you break the PRNG when you can rootkit even a fully patched Vista box with an email?
The society for a thought-free internet welcomes you.
i can't see how i got a troll for that - i was posting that with the unnoted reference to my sig... i mean this "back door" isn't even confirmed - it is just someone's idea that it "might" exist.. without proof though you don't know - so MS is using it - sure give them bad press if it is "known to have" a "back door" but really without proof what do you have other than random people trolling about nothing..
come to think about it my comment isn't any better than the rest of the people's here.. feel free to read my sig and troll away..
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Supporting Information from Original Author:
Cryptanalytic Attacks on Pseudorandom Number Generators
J. Kelsey, B. Schneier, D. Wagner, and C. Hall
Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168-188.
ABSTRACT: In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of this model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
http://www.schneier.com/paper-prngs.html
If you have been keeping up with computer security, everyone should be aware of the weakness of Random Number generators and its vast effects over large sections of the computer world. This is not trivial...
"Children so stupid they think America invented the Internet, computer, motor car, light bulb, telephone etc ad infinitum...."
Hmmm.....America invented the:
Internet.....check
Computer.....check...holy crap...modern computing actually has its roots in TEXAS of all places (see the integrated circuit)...so DOUBLE check
Motor Car....check again...lol - who would have thought, surely SOMETHING on this list was not invented by America
Light Bulb....check again, wow
Telephone.....and....wait for it.......check
ReaLemon is yummy
The talk referenced by Schneier in his essay as being the one that publicly disclosed the backdoor was given by two Microsoft researchers. So all the "OMG micro$oft iz so stoopid" posts might be a bit .... misdirected.
There is known to be a backdoor, but nobody knows what it is. That's the part that's secret.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
The obvious joke here is that it's a lot of trouble to go after the 12 people still using Vista. Baddump-bump!
But seriously, this is a continuation of Microsoft's vendor-first, consumer-second approach.
So it "may have" a top-secret magic NSA backdoor. I hear it also "may have" a portal to the magical world of Stupidia, and also "may have" a contest where the winner gets adopted by Bill Gates.
I've also heard any version of Lunix using the GPLv3 "may have" a secret program which will turn us all into robotic mutant drones in the service of Richard Stallinman.
Why, oh why, do teh FOSSies continue posting rumors, speculation, and insane conspiracy theories as news?
Germany invented the car.
An automobile powered by an Otto gasoline engine was built in Mannheim, Germany by Karl Benz in 1885 and granted a patent in January of the following year under the auspices of his major company, Benz & Cie. which was founded in 1883.
Although several other German engineers (including Gottlieb Daimler, Wilhelm Maybach, and Siegfried Marcus) were working on the problem at about the same time, Karl Benz is generally acknowledged as the inventor of the modern automobile.[5] In 1879 Benz was granted a patent for his first engine, designed in 1878. Many of his other inventions made the use of the internal combustion engine feasible for powering a vehicle and in 1896, Benz designed and patented the first internal combustion flat engine.
Approximately 25 Benz vehicles were built and sold before 1893, when his first four-wheeler was introduced. They were powered with four-stroke engines of his own design. Emile Roger of France, already producing Benz engines under license, now added the Benz automobile to his line of products. Because France was more open to the early automobiles, more were built and sold in France through Roger than Benz sold in Germany.
Daimler and Maybach founded Daimler Motoren Gesellschaft (Daimler Motor Company, DMG) in Cannstatt in 1890 and under the brand name, Daimler, sold their first automobile in 1892. By 1895 about 30 vehicles had been built by Daimler and Maybach, either at the Daimler works or in the Hotel Hermann, where they set up shop after falling out with their backers. Benz and Daimler seem to have been unaware of each other's early work and worked independently.
Daimler died in 1900 and later that year, Maybach designed a model named Daimler-Mercedes, special-ordered by Emil Jellinek. Two years later, a new model DMG automobile was produced and named Mercedes after the engine. Maybach quit DMG shortly thereafter and opened a business of his own. Rights to the Daimler brand name were sold to other manufacturers.
Karl Benz proposed co-operation between DMG and Benz & Cie. when economic conditions began to deteriorate in Germany following the First World War, but the directors of DMG refused to consider it initially. Negotiations between the two companies resumed several years later and in 1924 they signed an Agreement of Mutual Interest valid until the year 2000. Both enterprises standardized design, production, purchasing, sales, and advertising--marketing their automobile models jointly--although keeping their respective brands. On June 28, 1926, Benz & Cie. and DMG finally merged as the Daimler-Benz company, baptizing all of its automobiles Mercedes Benz honoring the most important model of the DMG automobiles, the Maybach design later referred to as the 1902 Mercedes-35hp, along with the Benz name. Karl Benz remained a member of the board of directors of Daimler-Benz until his death in 1929.
8======> (_O_)
Yes, Germany invented the car, America developed the assembly line production of cars... (Which is why many people somehow believe the car was invented here.... when in actuality the building process was just streamlined)
I agree that the vulnerability of this particular PRNG has nothing to do with closed vs. open source, but I think there is some relevance to the larger issue. Namely, in a closed source OS it seems (at least naively) that there are lots of ways to insert various sorts of back doors. If one is so worried about the government twisting MS's arm to put in a back door, it seems like a publicly known PRNG algorithm with known vulnerabilities is really the least of your worries.
I'm not one of the people who thinks all software must be open source, but it seems like there are strong arguments in favor of open source as far as avoiding back doors from powerful interests.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
Internet: Only one on the list that is really US made.
Computer: Charles Babbage, England
Motor Car: Karl Benz, Germany
Light Bulb: Lots of people had working but impractical incandescent light bulbs for nearly 100 years before Edison, but Alexander Nikolayevich Lodygin of Russia would be the earliest inventor of "Edison's" style of light bulb, not Edison.
Telephone: Either Bell, a Scot invented it in Canada, or Antonio Meucci, an Italian invented it in the US.
The U.S. isn't doomed, but there is certainly a huge, deep pile of shit to be shoveled if it's going to get back to what it was.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
If you have read any recent history about modern US foreign and domestic actions, things like this aren't conspiracy theories, it's just a likely conclusion. The terrorist thing is just a continuation on the soviet angle that was rendered useless for controlling the masses when the cold war ended. Encryption is the biggest threat to big brother society. It's just natural that US govt try to get their own backdoors in.
The thing is, real terrorists aren't so stupid that they use the POTS or the internet. It's you and me they are after.
HTTP/1.1 400
how are you gentlemen?
I always use Pi as a random seed and haven't had anyone waste the computer time yet to... whoops
Telephone was the culmination of the work of several people, and so the nationality of the inventor is in dispute. Bell did most of his work on the telephone in Canada.
The first computer was a German invention (Konrad Zuse's Z3 in 1941).
The first automobile was a French invention (1881).
The light bulb had already been invented by several people, mostly European, before Edison perfected it.
The pursuit of absolute tolerance leads to the most rigorous and ludicrous intolerance. - REX MURPHY
Well surely that implies he'll not have time to work either? So who's going to earn money to feed them and pay the mortgage? I assume it's the African-Americans mentioned in the story - if so, why not mention this benevolence in the story - surely it's a mitigating factor? Frankly, I'm beginning to suspect the telling of this story has a racist bias.
Let's walk through these expert comments one step at a time:
Anybody who is paranoid about this issue
Did you see what just happened there? This is a clever sleight of words used to disparage and marginalize anyone who questions his premise. Disagree? Put on your tin foil hat and go to the psych ward. There's no room for discussion or even consideration of alternatives. Based on my direct, but very distant experience, Bruce is right in calling the backdoor.
The Common Criteria evaluators look for such issues
They do? Really? Anyone that has undergone EAL evaluation knows it's a giant tree-killing documentation project above all. I don't want to bore anyone with the details of CC evaluation, but it's not a creditable rebuttal to the issue. The meat of the matter from wikipedia "Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively validated." http://en.wikipedia.org/wiki/Common_Criteria
As another post so insightfully states, there's no reason why, IF some project actually needs the feature, they can't install it as a library. Just like we all do for openssl on windows.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Aren't you the same one who told us that about some security hole that XP wasn't vulnerable to it like 2K was because you knew the "very smart" people working on it? And then we turned around only to find out that it was vulnerable in the next news release? I'm the same AC who didn't really believe you in that Slashdot story, either.
Well, I'll believe that you work for Microsoft. But I won't trust the code until it's been audited.
This kind of reminds me of the old days of computing where random number generators simply cycled through a fixed series of values that would be repeated over and over each time you powered up the computer. One fun exploit of these early random number generators was to place two identical computers on the same circuit, then flip the switch causing both machines to boot simultaneously. Assuming the factors were reasonably identical, you could simultaneously launch any program that used random numbers and use one computer to predict the results of the other with 100% accuracy.
For example, using this technique on a pair of Apple IIs (same series/configuration), you could load up a stock trading game on both machines and play one machine normally to see which companies were going to increase/decrease in value, then pour all the funds into the companies on the first computer that increased into those same companies on the second computer.
Near as I can tell, the random number generator (at least on the Apple II) would only change state when a new value was requested from it... otherwise it simply sat idly by waiting for the next request.
8==8 Bones 8==8
Bzzzt, wrong! Even though he is dead, this guy: http://en.wikipedia.org/wiki/Konrad_Zuse would argue with that.
Wait another dead guy wants a chat - http://en.wikipedia.org/wiki/Karl_Benz - says he invented the automobile. Um, better check yours again, I think it's a bit dim if not burnt out. If you refer to Edison, he was not even close to the first to demonstrate what is now known as the incandescent light bulb. http://en.wikipedia.org/wiki/Lightbulb
Well, 2 out of 5 ain't bad right? Well, the telephone is not a sure thing, so let's make it 1.5.
Going on means going far
Going far means returning
"Don't worry, our Chinese contractors assure us there are no NSA backdoors"
Big deal. Hackers are already reading my emails and trying to steal my identity. Why not the NSA as well? Why don't I just mount a cloned monitor on my front door so people I *do* know can read it too!
Trust us, we're from a multinational corporation!
If true, do you really think Microsoft would 'want' to do this? They have been pretty strong privacy advocates, especially Gates, denying even backdoor access for Bitlocker in a fight several years ago when bitlocker was demonstrated to the FBI.
If the government is FORCING MS to do this, then we should be calling our representatives and not sitting around speculating or smacking on Microsoft.
The whole big brother NSA thing is very much a Republican/Bush/Neo-con era mechanism, and Gates and lots of others at Microsoft vote democrat, even when it was NOT in their best interest as during the DOJ trials of the 90s.
(Look up contributions, MS by far gives to Democratic candidates, and ironically companies that we think are on the side of the little people are ones shoving money toward pro-corporate/authoritarian candidates.)
"invented the computer" is ambiguous. Many people, Babbage, Turing, etc. worked on the analytical model, and dozens if not hundreds of engineers worked out the details.
http://en.wikipedia.org/wiki/Von_Neumann_architecture#History
An American did however invent the concept of the modern computer.
The way the story started, i thought they were going to make the guy their sex slave and rape him every time he came to the gym. But the bit about the wife was an interesting twist to the plot. Maybe they make the husband quit his job and pimp him to patrons at the gym, like in the sauna or something, and he earns a living that way.
Internet: Yeah, we did.
Computer: Arguable, depends on your definition of what constitutes a computer. Take a look at the work of Konrad Zuse. Yes, the US invented the integrated circuit.
Motor Car: No, Benz, Daimler and others invented the car. However, an American, Ford, was the first with an affordable mass-produced car.
Light Bulb: Edison may not have invented the light bulb but he did significantly improve it and mass produced the first long-lived incandescent.
Telephone: Given that telephone is the name of a specific invention by Alexander Graham Bell, yeah, we did. Other inventors claimed to have transmitted sound over wires contemporaneously or nearly so. The courts stood by Bell's patent. Bell was a naturalized citizen of the US so we get to claim him.
He's neither informative nor interesting since his arguments only consist of shouting and words like holy crap, lol, ...
Informative or interesting would be a timeline for each invention.
internet : http://inventors.about.com/od/istartinventions/a/internet.htm
computer : http://inventors.about.com/library/blcoindex.htm
car : http://inventors.about.com/library/inventors/blcar.htm
lightbulb : http://inventors.about.com/od/lstartinventions/a/lighting_2.htm
telephone : http://inventors.about.com/od/bstartinventors/a/telephone.htm
Strictly speaking that gives him a 2 out of 5 (internet+telephone) and
actually confirming the original statement
Now watch how people will start coloring the facts to fit their agenda...
As a cryptographer I've seen the EC-DRBG spec already and immediately dismissed it as completely stupid. From a practical standpoint it's too slow to be useful, and from a statistical standpoint it's no better than say a hash in CTR mode (e.g. hmac'ing a counter).
I know why MSFT added it [e.g. blind compliance with some spec, which from MSFT sounds odd to be honest...] but I don't agree with using the design.
As I recall NIST specifies other hash/cipher based PRNGs which are also standard so I don't think that the EC approach is really "required."
Tom
Let us all eat a large slice of humble pie.
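Added example, not part of the thread and not code from any poster or from Microsoft: the comment above recalls that NIST specifies hash-based generators alongside the elliptic-curve one. This sketches one of them, HMAC_DRBG from SP 800-90 with HMAC-SHA256, which goes beyond the comment's "hmac'ing a counter" by re-keying after every request. Class and parameter names are illustrative, and the code has not been checked against NIST's published test vectors.

```python
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size   # 32 bytes per HMAC-SHA256 output block
MAX_REQUEST = 65536                     # SP 800-90 per-call limit (2**19 bits)
MAX_RESEED_INTERVAL = 2 ** 48           # SP 800-90 limit on calls between reseeds


class ReseedRequired(Exception):
    """The generator needs fresh entropy before it may produce more output."""


class HmacDrbg:
    """HMAC_DRBG (SP 800-90) over HMAC-SHA256; names are illustrative."""

    def __init__(self, entropy, nonce=b"", personalization=b"",
                 reseed_interval=MAX_RESEED_INTERVAL):
        if len(entropy) < OUTLEN:
            raise ValueError("need at least 32 bytes of entropy")
        if not 1 <= reseed_interval <= MAX_RESEED_INTERVAL:
            raise ValueError("reseed_interval out of range")
        # Fixed public starting state; all secrecy comes from the seed material.
        self._key = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._reseed_interval = reseed_interval
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    @classmethod
    def from_os_entropy(cls, personalization=b""):
        # Seed from the operating system's entropy source.
        return cls(os.urandom(OUTLEN), os.urandom(OUTLEN // 2), personalization)

    def _mac(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _update(self, provided=b""):
        # One-way state update: old (key, v) cannot be derived from the new pair.
        self._key = self._mac(self._v + b"\x00" + provided)
        self._v = self._mac(self._v)
        if provided:
            self._key = self._mac(self._v + b"\x01" + provided)
            self._v = self._mac(self._v)

    def reseed(self, entropy, additional=b""):
        if len(entropy) < OUTLEN:
            raise ValueError("need at least 32 bytes of entropy")
        self._update(entropy + additional)
        self._reseed_counter = 1

    def generate(self, n, additional=b""):
        if not 0 < n <= MAX_REQUEST:
            raise ValueError("request size out of range")
        if self._reseed_counter > self._reseed_interval:
            raise ReseedRequired("reseed interval exceeded")
        if additional:
            self._update(additional)
        out = bytearray()
        while len(out) < n:
            # Output blocks are successive HMACs of v under the secret key.
            self._v = self._mac(self._v)
            out += self._v
        # Re-key after every request so earlier output stays safe if the
        # current state is later exposed.
        self._update(additional)
        self._reseed_counter += 1
        return bytes(out[:n])


if __name__ == "__main__":
    # Constructed, non-secret seed so the run is repeatable; use
    # HmacDrbg.from_os_entropy() for real seeding.
    drbg = HmacDrbg(bytes(range(32)), nonce=bytes(range(32, 48)))
    print(drbg.generate(16).hex())
    print(drbg.generate(16).hex())
```

Unlike Dual_EC_DRBG, this construction has no designer-chosen constants beyond the all-zero and all-one starting values, so there is nothing for a standard's author to hold a trapdoor to.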
Well, let's extend your analogy: Suppose you bought a Jeep. Would you expect the contents in the back to be safe from theft, or inspection by law enforcement? Vista is that Jeep - it exposes your personal life to anyone who wants to have a look, breaks down a lot, costs a lot to maintain, and leaves the user exposed to anything hostile coming its way.
The society for a thought-free internet welcomes you.
""invented the computer" is ambiguous. Many people, Babbage, Turing, etc. worked on the analytical model, and dozens if not hundreds of engineers worked out the details."
Fair enough.
The pursuit of absolute tolerance leads to the most rigorous and ludicrous intolerance. - REX MURPHY
lynxcache plain-text mirror: http://lynxcache.com/Did_NSA_Put_a_Secret_Backdoor_in_New_Encryption_Standard_.html
interesting, and I'm very inclined to believe you. I think it's great to hear from someone in MS that has relevant knowledge on these kind of subjects. (ie: I think most of MS related articles on Slashdot have some rather obvious "anti" written all over them.) So my question is, why do you "hang out with the slashdot crowd" so to speak? I know if I were working for MS I would've gone away long ago before I need a daily dose of Prozac. Seriously, I want to know.
"This should be fun, and by fun, I mean a wholly depressing insight into the cognitive ability of some grown adults."
The U.S. isn't doomed, but there is certainly a huge, deep pile of shit to be shoveled if it's going to get back to what it was.
Nice try, keeping your chin up, positive attitude and all that. Showing you are real and not a nut. Well now try realizing that you've only learned the tip of the iceberg.
Once I saw a college kid tap into the FSB on his Xbox1 to get some serial number* or what not, I then realized that we as consumers, at least in this very narrow field, have some recourse for the actions of the powers that be... Just imagine how hard it would be for Microsoft to successfully include a back door in its most popular products that would escape the scrutiny of a million not so dumb users along with the actions and specific setups of millions pretty dumb users. It would be the single greatest program ever made. *Honestly I forget the specifics/goals of the project but it was nuts.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Exactly. This is why it is the NSA and Microsoft involved.
We already know the NSA is spying, it's just the methods are
supposed to be secret. Obviously, they are not really secret,
but they want to maintain the air of plausible deniability.
NSA is doing the spying on everyone with the help of Microsoft.
It is no surprise therefore, that Microsoft is attacking FLOSS.
You are being MICROattacked, from various angles, in a SOFT manner.
> From a more practical demonstration point of view, if there was a backdoor, governments
> would not need to get warrants for inserting hardware keyloggers or custom malware on
> systems to access system information. Governments both in the US and elsewhere do this,
> which suggests that no backdoor is available.
You made a fairly convincing argument until you spouted this idiocy. It is so error filled I'm uncertain where to begin the dissection but since I must pick one....
1. A backdoor gives no LEGAL right to collect information from a system thus anything obtained in such a manner would be inadmissible. A court approved keylogger, etc. yields admissible evidence.
2. The existence of such a backdoor, if it existed, would be one of the US government's most treasured secrets, not to be squandered collecting inadmissible evidence on some petty crimelord or terrorist. I doubt it would be considered 'worth it' to bag UBL and his top ten minions. It probably wouldn't be worth giving up (and enduring the shitstorm from the Kostards) to prevent another 9/11 scale attack.
Here one should reflect on history to see how such a resource would be used, and examine the rules that governed actionable intelligence gathered via Ultra. Unless a plausible alternative method can be shown where a piece of intelligence COULD have been obtained (even if they had to use other Ultra derived info to fake things) such that the enemy would not conclude that a break in Enigma was the ONLY way the allies could have known a fact, then it could not be used. England was willing to allow an entire city to be firebombed to preserve the Ultra Secret.
3. Just because the NSA doesn't make public use of things pulled from the ultimate backdoor doesn't mean they aren't using it or wouldn't use it in some future crisis. And it doesn't mean someone else might not discover it and instead of publishing, ferret out a way to themselves activate it. (unlikely given the nature of public key crypto)
Personally I'd like it if we someday learned the NSA had such a backdoor since it would prove they still knew how to 'spy hard' but sadly I doubt they have the chops for that sort of caper anymore, content instead to just sit in their lair and listen to signals.
Democrat delenda est
Yes, but the emphasis is on semi. In this cryptographic application, the number in question must be the product of two primes. There are 2 possibilities --- either the NSA multiplied the two primes, and has a theoretical chance of compromising something that uses the random number generator and poor security, or that they approved the number because they haven't factored it. Since this security standard is used by the US government to protect the US government, the odds of the second are much higher than the first.
The FIPS standards aren't really for other people; they're published so the federal government can buy hardware/software combos that meet the FIPS standards. However, other people are free to use them, as they're one thing that the government hasn't stolen from the people, unlike ANSI and ISO standards, many of which are written by the government, made into an ISO standard, and then you have to pay the copyright fee for something your government wrote. That's a real travesty.
"might know"
Again... baseless and idle speculation. This is why FOSSies always get pwned by Microsoft: because they are always half-baked, and have nothing to present to anyone (especially prospective customers) aside from a whole lot of anti-MS FUD and their never ending hatred of all things MS.
Reality Check: only 0.0000000001% of software customers (and that may be overly generous) will give two shits about being able to see your source code. You would be better off giving them a book written in a foreign language. At least that might look good sitting on their shelf or coffee table.
Software generators, such as the one built into Vista, are only pseudo random. They rely on clever algorithms to generate sequences that in short series seem to be random but they are not in reality. Only hardware generators based on thermal noise or some other physical random process are capable of producing true random sequences. Therefore the Microsoft product has a "back door" just like every other software "random" number generator. This is another anti Microsoft FUD.
JAM
The constants were:
4, 8, 15, 16, 23, & 42
Hmmm...
Well, the telephone is not a sure thing, so let's make it 1.5.
Well it is 1 out of 5 because Antonio Meucci, who originally developed his invention in Italy, was recognized as the inventor by Congress in 2002 under resolution 269:
http://en.wikipedia.org/wiki/Invention_of_the_telephone#Antonio_Meucci
However, Texas did give us the Dairy Queen with a quarter acre of floorspace. That's got to count for something.
"Why use linux unless you have something to hide?"
Bruce Schneier could produce literally truck loads of evidence, however, I would just deny it all. Sorry, but I can't help myself. I am just mimicking the masses of sheeple who will just cry Baahhhhh Bahhhhh.
Yeah, they're coming for you because you're the special intellectual elite. I'm sure.
Go read Catcher in the Rye and check your perimeter traps again, tinfoil boy.
> What matters is that Vista is full of holes
I don't see any evidence for this. How do you say that? AFAIK OS X has had more security patches than Vista this year. And don't give me BS about "proving that Vista does not have security holes" -- you can't prove a negative.
> you can rootkit even a fully patched Vista box with an email?
I'm not sure exactly what you're talking about. If I send you an email with some sort of file, and you're stupid enough to go ahead and execute it, then I don't see what any OS can do to stop you. So you can basically rootkit even a fully patched OS X/Linux box with an email. User intervention is required in each case.
But what have you done for me lately?
SCROTUMS
From TFA: "It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective"
No wonder why MS is using it...
another reason why no one should upgrade to vista...please just put it out of its misery already.
Bring out behind the shed and shoot it, let the penguin get caught holding the gun!
Relax, parent is an ancient troll: http://yro.slashdot.org/article.pl?sid=04/05/21/1339237
I really don't think the parent was going for "Informative"....
What's purple and commutes? An Abelian grape.
Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.
John Von Neumann, 1951
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
"The first computer was a German invention (Konrad Zuse's Z3 in 1941)."
Depending on your definition ENIGMA might have been the first - but that wasn't American either....
"The light bulb had already been invented by several people, mostly European, before Edison perfected it."
All Europeans, and Edison did not perfect it - he just copied their existing work. Welsbach and Hannamann were the inventors of the 'perfected' tungsten bulb.
But the one I always like is the idea that the Wright brothers 'invented' the airplane. Not only did they not invent something which had been technically specified for over 100 years before by Sir George Cayley, their sum contribution to the American aircraft industry was to tie it up in legal wrangling so that when WW1 came we had no world-class aircraft at all and had to buy them from the French!
Reliabiliy and Performance Improvements
Hmm... welcome to the operating system of the future, where nothing can *possibliye* go wrong...
EAL is not about security features, it is about assurance levels
Your initial post suggests EAL would magically expose the back door. It will not. That is not how a CC review works.
CC evaluation lab has source level access to the system
As if source code access would expose the back door? It would not. Source code needs to agree with the documentation provided. Period. Back doors to a cryptographic algorithm are way outside the scope of CC certification.
I am running Windows Server 2K8
Don't get me started on Microsoft's elaborate blame-shifting system (Are you sure?) that's difficult to use. Maintaining a mixed environment of 2000/2003/MSSQL is extremely difficult. I can't keep a single cluster node at 99.999 uptime. Meanwhile, my Linux servers are running at 99.999% uptime.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Why not use your own algorithm then?
For example, use an azerty keyboard (or a Dvorak) and encode everything using EBCDIC.
...as if we really NEEDED another reason...