Slashdot Mirror
Classified Cyber-Security Directive Puts NSA In Charge
dpreformer sends word that President Bush signed a classified directive Jan. 8 (it only came to light this week) putting all cyber-defense and counter-offensive activity for government networks under the aegis of the National Security Agency. Previously, federal agencies had disparate intrusion and attack monitoring programs. The directive does not address private-sector networks and systems. While some lawmakers and civil-rights advocates are unhappy with expanding the NSA's role domestically, one alternative that was considered and rejected — putting Homeland Security in charge — might have been worse. "A proposal last year by the White House Homeland Security Council to put the Department of Homeland Security in charge of the initiative was resisted by national security agencies on the grounds that the department, established in 2003, lacked the necessary expertise and authority. The tug-of-war lasted weeks and was resolved only recently, several sources said."
It might not be TOO bad of a move. Making one agency group head of related projects might make it more efficient. Uh, this being a government agency might just blow my theory out of the water though...
Seven Days with Ubuntu Unity
The NSA's probably the most qualified. Friends of mine who've worked there are some of the brightest people I know.
That said, I'm still pretty unhappy with them over the domestic spying. They really should have known better --- the damage to the democracy far outweighs the security loss involved. Thankfully my friends stopped working there before all this started... well AFAIK, clearances & all.
This is essentially an official statement, as I'm sure they're reading it right now.
Care about electronic freedom? Consider donating to the EFF!
Worse. a relative evaluation of the possible alternatives - begging the question:
"Worse, for whom?"
By the way - welcome to East Germany!
"Flyin' in just a sweet place,
Never been known to fail..."
these guys do know what they're doing so far as security is concerned, that's true. The problem here, though, is less one of technical expertise as it is enforcement of standards and security best practices. The NSA would be the one of the best groups, I'd say, to lay out those standards in the first place ... whether they're a wise choice to enforce them is another question entirely. I don't have an answer to that.
The higher the technology, the sharper that two-edged sword.
"Please remove your shoes before boarding the Series of Tubes..."
While this is not the most secret of the secretive (for years the very existence of the NSA was a secret) the fact that duties this big were assigned by a classified letter is appalling. When you couple this with the use of National Security Letters to compel the handover of goods to any thug in a trenchcoat it more and more appears that the goal of the present administration is to produce a kingly executive. One where oversight by the public and for the public is nonexistent and the whole process is simply inscrutable to us even as were are expected to knuckle under.
It is also interesting to me that it comes from this president who campaigned on the idea of a less controlling government, a smaller government, one that stayed out of our lives. This was based largely on the accusation that Clinton's favoratism for "Hate Crimes" legislation was an invasion of our privacy. It would be ironic if it was the least bit funny.
What I find is most interesting through is the use of the NSA in this manner. In many ways it is a textbook illustration of the way in which powers and agencies once built simply grow to fill all space they can. The NSA as initially instituted was a cold-war shop with the sole purpose of tapping and securing communications abroad while the existence of the group was a secret (many Americans were not aware of it until the 70's and the publication of the book "The Crystal Palace") it was, like the CIA, clearly setup to operate abroad and to spy on everyone but Americans.
It was, for lack of a better description a tool intended to work with us against others. With this addition that role has formally changed (it practically chainged with the AT&T hypocracy). While the formal change has been a secret the fact of the matter is that ever more of our resources are being turned inwards, onwords. Ever more effort is being expended to spy on us, on Americans with the understanding that our own government fears us as much or more than the rest of the world or at least that our own resources are better spent to attack us than others.
The idea of an executive floating on hostile seas rather than operating in safe waters has one crucial flaw. Dictators fall, and take everything around them, with them.
Bullshit. To find meaninful events, you are critical and selective. When looking for needles in metaphoric haystacks, you are best able to succeed with smaller haystacks. Anyone who has ever performed log analysis understands wht I always called "the bigger haystack problem". Log everything, and finding meaningful occurrences becomes impossible - or at least requiring too much effort for the value of the event.
Paller is a surveillance apologist, masquerading as a "security guru."
P.S. How do you really find a needle in a haystack? With a match.
"Flyin' in just a sweet place,
Never been known to fail..."
Oh, it doesn't work here. Nevermind.
dpreformer: President Bush signed a classified directive Jan. 8
Ellen Nakashima; Washington Post Staff Writer; Saturday, January 26, 2008; A03:
January 26 - January 8 = 18 days.
I.e. it takes less than three weeks for "Congressional Aides" to leak our most sensitive secrets to our enemies.
I don't know why we even bother to have secrets.
In fact, the level of treason in Washington DC is so high these days that I don't even know why we bother to have a military or an NSA.
We might as well just run up the white flag and let the Chinese enslave & sodomize us.
Not that it matters much at this point.
---- Booth was a patriot ----
The only thing I can say, is I've started some major "learning" about encryption and various other personal privacy applications.
.Net libraries and are required. This version is ALPHA quality and does not yet meet the current functionality of the 1.x branch. This was started due to the fact of people requesting features that would require significant rewrites to implement. Also FOSS. Available for Windows 98/98SE/ME/NT/2K/XP/2K3/Vista 32 and 64 bit. Third party ports also available for PocketPC, Linux, MacOSX, J2ME, Blackberry, PalmOS.
So far, what I've found and like are:
TrueCrypt - "On-The-Fly" Disk/Storage Encryption. Actually, I've been using this for 24 hours and love it. I've also seen great reviews of this, and some of its very interesting features, such as plausible deniability. Oh, and its Free Open Source Software. Available for Windows 2K/2K3/XP/Vista, Linux, and soon MacOS (v5.0, due in Jan 08)
KeePass - Encrypted Password Storage Database. I've been using this for years, and love it. Also good reviews. If you wish to try it, there are two versions, v1.x and v2.x. v1.x (1.10 being current) is the original independent version. Can be run standalone, no system requirements (.Net or the like). Can be run from a USB Key. v2.x (2.04 being current) is a total rewrite of the application based on the
Gnu Privacy Guard - An open source PGP implementation. I use a port of this, GPG for Windows. It seems a bit clunky, and am actively looking for something to replace it so suggest away if you do know something better. I will say though that it does work as advertised, and its FOSS. GPG is distributed mainly as source code I believe, where as G4W is as binaries.
People have looked at some of us who use PGP/GPG, and other encryption/digital signatures for a few years with the look of "why do I need that, I have nothing to hide." I keep waiting for people to finally wake up and realize that the concept of "inherent privacy" (meaning anything not actively publicly published is not publicly known) is gone. We have entered the age of "explicit privacy." If you want something to be private, you must make explicitly so, especially on your computer, with these recent news articles of laptops being fair searching territories at Customs, or the reports that the NSA has feeds from AT&Ts offices to intercept everything.
Problem was that W. created DHS and then put all this under them. The ppl inside of DHS are such idiots that they standardized on Windows. NSA (and major parts of DOD as well as CIA) insisted on our systems to be done only on *nix for those that are exposed to the world. The would accept any of the *nix, but prefered Solaris or a couple of Linux's. But DHS did not want to deal with us unless we ported to Windows. It was a joke. We ported parts of it, and showed them performance, and then they wanted our equipment to have at least as good as *nix. It was not even close. Needless to say, no DHS contracts.
All I have to say, is thank God. DHS was total idiots.
P.S. How do you really find a needle in a haystack? With a match.
So, does that mean, if you get all the hay there is, and burn it, you'll find all the needles?
This is my sig.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
This is a context thing. Whenever "cybercrime" or "cyberterrorism" is the topic, Paller is unearthed as the rational technology expert - rationailising the unpalatable and invasive loss of liberty that these grave threats require.
You don't see Bruce quoted by the WaPo or WSJ.
"Flyin' in just a sweet place,
Never been known to fail..."
Yes.
Of course, you starve the livestock...
"Flyin' in just a sweet place,
Never been known to fail..."
Getting advice from the ensurence arm the NSA seems like a good thing. That part of the NSA is relatively open and does publish things openly and do development of SELinux and should give good advice. The interception side doesn't talk much.
You do know the NSA supercomputers can crack any of the encryption applications the general public has access to without breaking a sweat, right?
The only people you will be keeping out with any of the above applications is like... maybe your boss, maybe a private investigator a spouse hired to find out if you are exchanging e-mail with someone you are having an affair with. That's it.
This is basically about internal U.S. Government computer security. The problem is that the last three agencies assigned this task blew it. Early on, computer security was under NIST, which is really the old National Bureau of Standards. They were just an advisory agency on this. There was also an NSA effort, about which more later.
There's a National Cyber Security Division of Homeland Security. When it was set up, it was headed by Amit Yoran, who actually knew something about the subject. He was unpopular because he publicly mentioned the vulnerabilities of Microsoft operating systems as the biggest single problem. So he was replaced by Gregory Garcia, a lawyer and 3COM's lobbyist in Washington, who has accomplished little, if anything.
The General Services Administration, which handles public buildings and purchasing for most of the U.S. Government, has a role in computer security, but they haven't accomplished much. other than some vendor evaluation.
NSA first got into computer security in the 1980s, when I had some dealings with them. They had an institutional problem. First, it wasn't about the USSR, on which NSA used to be narrowly focused. Second, the computer security effort was located at the "Friendship Annex", which was NSA's lower-security facility near Friendship Airport (now BWI). FANX was where NSA's less important stuff was done - personnel, accounting, etc. Being assigned to FANX was a big career step down within NSA.
NSA went at computer security in the same way they went at safes and locks - you build it, they break it. NSA policy on evaluating the security of computer products was that the vendor got two tries. On try one, NSA told the vendor what was wrong. Try two was pass/fail - if they could break it, it flunked, and went on the rejected list. Vendors hated this.
Under heavy pressure from vendors, security evaluation was outsourced to third party companies, and vendors could retry forever until they wore down the evaluators. The higher levels of security (fully verified everything) were dropped from the evaluation criteria.
NSA Secure Linux was a good idea that didn't really catch on. Most Linux people don't get the point of NSA Secure Linux. It's not about making Linux more secure. It's about getting applications rewritten to work under a tight security model. Unless applications are rewritten to have only very small and heavily verified trusted parts, NSA Secure Linux doesn't help much.
While I have some problems with certain things the NSA has been doing of late, from the description in TFA there really isn't a privacy problem here.
"The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies"
"Supporters of cyber-security measures say the initiative falls short because it doesn't include the private sector -- power plants, refineries, banks -- where analysts say 90 percent of the threat exists."
So the NSA is going to be monitoring government networks, not private ones. I don't think there's any real expectation of privacy if you're sending bits to or over a government computer network.
It's definitely a strange argument to attempt when really what you need when searching for a needle in a haystack, is a method of needle location that IGNORES THE HAY, not cataloging each and every instance of !needle.
If one is searching for needles amongst haystacks, trying to control the size of the haystack or the number of haystacks seems rather....absurd.... Then the needles that don't want to be found now know exactly which pile to stay out of, even more so than now.
K, i think i've anthropomorphized at random enough for one post. I entirely agree with you except for that last bit, as needle finding tactics should require direct interaction with the hay itself as infrequently as possible.
Ice Cream has no bones.
The key space for AES 256 is pretty big. Even a million keys per second would take an impractical amounts of time.
You don't see Bruce quoted by the WaPo or WSJ. Perhaps it's true that Paller gets called in for the evil terrorism angle on security issues... creating a crisis sells papers, after all. However, your last point appears to be in error:
6 results for "Bruce Schneier" on wsj.com.
3 results for "Alan Paller" on wsj.com.
169 results for "Bruce Schneier" on washingtonpost.com.
96 results for "Alan Paller" on washingtonpost.com.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Assuming the NSA has that capability, then the only people you would be keeping out of your business is everybody but the NSA. You think your friendly neighborhood police detective, or district attorney, can summon the NSA to decrypt or trace whatever they want? Or more importantly, that gang that stole your laptop and is scanning the disk for credit card numbers.
Maybe the FBI can get a helping hand once in awhile, but for a myriad of technocratic and strategic reasons, it's in the NSA's best interests to keep their tools to themselves. They're not omnipotent, and while criminals might be stupid, do they catch on eventually and alter their tactics.
Most professionals, however, don't believe the NSA can crack RSA, AES or Whirlpool. And in any event, 99 times of out 100 its far easier to circumvent those obstacles. 128-bit AES key is useless when stretched from your 12-character passphrase, with maybe 50-bits of entropy. And don't forget active attacks. How often do _you_ check to see if your laptop cover was removed and a key logger installed? Or if your machine is "phoning home"?
Begging the question means something else.
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
The NSA as initially instituted was a cold-war shop with the sole purpose of tapping and securing communications abroad
Close, but not quite, if memory serves.
The NSA's limits were not so much geographical as they were national. The limits are more on foreign targets - whether or not those targets happen to be in the U.S. This would include foreign embassies and consulates on U.S. soil and foreign intelligence agents operating on U.S. soil as well, if memory serves (although much of this falls under the FBI, of course).
The CIA - another agency with a foreign focus - does much the same. It has numerous intelligence officers who interview U.S. citizens who travel to foreign countries of interest when that citizen allows it, run recruiting, and work with their own officers in the UN and in other places. The difference is not so much where the CIA and NSA operate as against whom they operate.
Terrorism throws a big kink in this, as some of the terrorist/terror supporters are U.S. citizens who, however, are acting under the power or inspiration of an ideology that knows no legal boundaries. Have these people given up U.S. citizenship, in a manner of speaking, by pledging their allegiance to a "foreign military"? (look at your passport for how to give up your citizenship) But are terrorist groups, such as Al Qaeda, truly a military? Can terrorists - who act with very different motives, generally have different goals, and who often present a greater risk to life and limb - be treated as mere criminals?
It's a big area of debate at the moment and, unlike many on the web who would come down hard for one side or another, it's not entirely clear what the proper legal or policy answers are to these questions. Most law - international and otherwise - still assumes a type of war that will be increasingly rare for the U.S.; nations facing off against each other with well-identified armies. The simple fact is that war has changed, but the laws and policies are not keeping up with it - and it's doubtful they will be able to adapt with required speed.
Context is the operative word in my post. :-) I mean to provide supportive information on Government surveillance / fourth ammendment abbrogation.
"Flyin' in just a sweet place,
Never been known to fail..."
mod parent up I use Truecrypt as well, it's a great application. It's also limited to 256-bit keys. Anyone wonder why? It encrypts and decrypts in no time flat, so the small keys aren't for CPU load or anything (well, not for the user's CPU load). It's because that's the biggest key we're allowed to have. I keep Googling around looking for where this rule/law/whatever is published but I never seem to find it. Does anyone have a handy link to where the laws are as to what encryption strength we can and can't have?
My favorite quote doesn't fit into 120 characters. Now no one will like me.
There is a long history here that needs to be taken into consideration... We are seeing a paradigm shift in our government that is long overdue. It used to be that the government had to protect paper documents, "eyes only", and the biggest threat were photocopiers and miniature cameras... not any more.
I wrote about this transformation last year. Is it any wonder why the NSA is being brought up and groomed to help protect the critical information assets that the United States has?
From my post:
HumInt/SigInt:
Human Intelligence, CIA
Signal Intelligence, NSA
The English have been masters at the spy trade for centuries. In WWII, the United States felt that it should get into the act and turned to the English for guidance.
With their tutelage, the CIA became a formidable tool against the Soviet threat throughout the cold war. We had clearly defined enemies with clearly defined borders. Gathering intelligence became a methodical science... then, once the Soviet Union collapsed, the clearly defined enemies with clearly defined borders went with it.
The growth of the internet created an atmosphere wherein information and 'intelligence' became a commodity. Then the emergence of an enemy that is not only difficult, if not impossible, to clearly define but who also operates entirely without borders. The polar opposite from what the CIA were trained to do.
Not only has this rule-set reset turned the CIA upside-down, it has rendered it all but useless. The UK isn't doing much better either. The problem is that western society itself is at odds with the rules required to make an effective spy agency. Our open government(s), free access to information, laws against spying on citizens and so forth are what both protect our civil liberties as well as create the environment in which our enemies can plot against us.
The CIA knew about al Qaeda operators operating in the USA prior to 9/11, yet did nothing to notify the FBI. This is because of the opposing nature of each agency. The CIA finds a criminal and wants to string them along to see what intelligence they can uncover by monitoring them. When the FBI finds a criminal, they want to string them up. From the CIA perspective, the FBI sure knows how to screw up an investigation and destroy your intelligence network.
The CIA is now dysfunctional to the point of uselessness. In fact, there isn't a single effective spy agency in the western world. The current battle we're fighting and the enemy we face is one that cannot be defeated by military might, it is a war that MUST be fought using intelligence.
So, the administration turned to the only other agency with experience in gathering and monitoring enemies. It also happens that this agency is experts at SigInt, as opposed to the HumInt. The problem is that the NSA is forbidden by law from spying on American Citizens, UNLESS they are monitoring overseas communications. This exception has always been allowed, no warrant necessary. There is no law that states that I have the constitutional right to conspire with enemies overseas.
No other nation even comes close to the SigInt capabilities of the NSA...
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Is your main problem.
You are being MICROattacked, from various angles, in a SOFT manner.
The bad news is NSA shouldn't have this authority. By the time we're cooked it will be too late to jump out of the pot.
The good news is this will make it easier to get rid of DHS. I've never been a radical shrink-the-gov-to-nothing person, but DHS is a boondoggle of epic proportions. I hate the word "homeland". This isn't the 21st century of a European country, dammit, this is America. DHS's mission is to secure the nation? Isn't that what the Department of fucking DEFENSE is for? DHS is a wolf in sheep's clothing and a black hole for Congressional pork barrel spending. For every worthwhile undertaking they engage in there are 10 that serve only to enrich the wallets of those with the right connections. Put the Coast Guard back under the Transportation Department, or even DoD if it's that important (I think it is). Pick off the other tasks that really need doing and give them to DoD and the rest goes with the FBI. DHS... sayonara.
Context is the operative word in my post. :-) I mean to provide supportive information on Government surveillance / fourth ammendment abbrogation.
In that case, well duh. The newspaper decided what angle it wanted to go with and found someone to quote who would support that angle. Obviously you're not going to get a sober Schneier to support this kind of junk without some kind of arm-twisting.
Right. Propaganda. Tell the story you want - then find "experts" to support the angle.
Reporting. That might include investigating the motive, historical context and legal/technical ramifications of an event. Where there are significant conflicts of interest or point-of-view, significant advocates of those views are quoted, without providing a platform for advocacy disguised as "news".
"Flyin' in just a sweet place,
Never been known to fail..."
Great post, thanks!
I think this statement cuts to the heart of the matter quite nicely.
I don't know why the Mad King George moniker hasn't been applied before: perfect for the "kingly executive" and harkens back to the Revolution with a nice bit of foreshadowing.
But that's just me thinking out loud...
rb
Yes. Of course, you starve the livestock...
Ah Jerry/Elric, my sweet, thou art the champion eternal! Of course we know however, that for similar reasons, economic sanctions do not work either...
Arioch.
This is my sig.
>Staffed and run by a lot of political appointees. There are no -- as in none -- political appointees at NSA. Not a one.
The FBI, CIA, NSA are now subcontractors for an unknown (to us, at least) asset managing entity.
It's like a shell game, Area 51 is now too well known, but they keep up appearances - wave your hand over here - palm the coin in another.
What we keep doing is concentrating on what we think is possible (tech-wise) while you have absofuckinglutly amazing things happening right under our noses. (i.e. what ARE those networking protocol hardlinks DOING in your bootblock under "bad boot sectors".
Chip crowding/code obfuscation is another.
Get the picture?
The real power doesn't want the exposure.
~hylas
"While some lawmakers and civil-rights advocates are unhappy with shooting this toddler in the face, one alternative that was considered and rejected -- feeding the toddler to the Sarlacc -- might have been worse."
Just because it could have been worse doesn't mean it wasn't a bad outcome the way it is now.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Most professionals would not tell you the truth. Some of them still push Windows as being secure. Don't want to believe that NSA can do it? Ever look up the story of Phil Zimmerman and PGP? FTC was prosecuting him, NSA stepped in and had all charges dropped. FTC did not want to do it. After a half hour recess with FTC and NSA, the FTC came back and dropped all charges. And that was in early 90's.
There is a severe lack of logic and intelligence over the last 7 years in America. No wonder we have crooks at the helm.
This is the most common myth surrounding encryption. A lot of people assume that a larger key size will make the encrypted data more secure. This is true up to the point where it becomes impractical to try and crack the encryption safeguarding your data.
To use an analogy, imagine a theoretical 1km thick steel reinforced bunker with a 1km thick blast door (completely sealed airtight). Are you going to try and drill away at that 1km thick steel reinforced concrete? Or would you instead target the method for opening the door?
Encryption is a similar circumstance where the Rijndael algorithm with a 128bit key size is equivalent to a 10km thick steel reinforced bunker (probably more - but you get the idea). Are you going to try every key in a brute force attack (drilling through the 10km thick bunker)? Or are you instead going to try and steal the key from the person holding it (coercion/trickery/stealth)?
Additionally, how are you generating your encryption keys? If you're entering a password which you can remember, the weakest point is not the key size but rather the weak point is how you are generating the key. It doesn't matter what key size you're using if you're generating the key from an md5 hash of your password 'qwerty'. Even if you're generating random keys, the weak point is the random number generator itself and how it comes up with random data.
Key sizes have little impact on your level of security because the algorithm is often the most secure part of a security system. Do you know if your attackers have soldered a chip onto your motherboard which records USB bus traffic and transmits data via fluctuations in the electricity cabling in your house to a metallic pipe/bracing that is acting as an antenna? I deliberately use this far fetched movie-plot scenario because it is many times more reasonable than someone cracking 128bit Rijndael.
The NSA is a DoD agency with no vacancies that are filled by political appointment. There are NO political appointees in it. None. Not a one. Not now. Not ever.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I know most of you don't realize it, but the NSA has had monitoring capabilities in all computers since windows 95.
Microsoft gave them free reign to windows.
Don't think that Linux is left out. Do you think the NSA would generously donate the code for SELinux? It's a trade for priority placement in the kernel.
The NSA knows what they're doing. The real problem is, they're being tasked with things that violate their mandate. They had one rule: Don't spy on Americans.
The NSA is to thank for all sorts of cool technology we have now. Where do you think RFID tags came from?
I say stick to your rule, keep us safe, and give us more of your cool spy-tech.
For those who have wondered, the CIA doesn't require government money anymore. They have their own investments and hedge-funds. They never lose money. Which is how they can afford to overthrow governments and alter the course of history.
It's funny, the CIA is supposed to be the Central Intelligence Agency. They are supposed to be responsible for the 5 W's. Interestingly enough, it's the NSA which handles most of that now. The CIA does mostly HumInt and blackops these days.
Rest assured knowing that there are powerful men indeed at the reigns of these agencies. Not necessarily those appointed by sitting presidents. This is where our "shadow government" really sits. The military industrial complex is firmly embedded with these agencies. Eisenhower was right. America stopped being democratic in the mid-60's.
They're using their grammar skills there.
The TSA has got to be the biggest collection of the stupidest fjukwits the government ever assembled and given federal badges to. The next administration needs to make sure the very first thing they do, once in office, is not only dismantle the entire TSA and replace it with something better, but make sure that every single employee and appointee of the TSA, and every other government official who created or hired any of the TSA personnel is not ever allowed to hold any federal, state or local government job again for the rest of their lives, and extend that prohibition against public sector employment to the next three generations of their children, grand children, and great grandchildren too.
You guys are in denial. You think there's a single public encryption application the NSA hasn't got an easily opened back door into?
Ever heard of Crypto AG?
"It may be the greatest intelligence scam of the century: For decades, the US has routinely intercepted and deciphered top secret encrypted messages of 120 countries. These nations had bought the world's most sophisticated and supposedly secure commercial encryption technology from Crypto AG, a Swiss company that staked its reputation and the security concerns of its clients on its neutrality. The purchasing nations, confident that their communications were protected, sent messages from their capitals to embassies, military missions, trade offices, and espionage dens around the world, via telex, radio, teletype, and facsimile. They not only conducted sensitive albeit legal business and diplomacy, but sometimes strayed into criminal matters, issuing orders to assassinate political leaders, bomb commercial buildings, and engage in drug and arms smuggling. All the while, because of a secret agreement between the National Security Agency (NSA) and Crypto AG, they might as well have been hand delivering the message to Washington. Their Crypto AG machines had been rigged so that when customers used them, the random encryption key could be automatically and clandestinely transmitted with the enciphered message. NSA analysts could read the message traffic as easily as they could the morning newspaper. The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG's marketing representative in Teheran...."
http://mediafilter.org/caq/cryptogate/
It's not like people can read through the machine language output of a crypto application to make sure there isn't anything extra that been attached to the output that gives away the key. It's encrypted. it looks like garbage.
All the NSA has to do is either get someone to join the project helping develop the software, or swap the download file with one that includes whatever the NSA wants included. Matter of fact... how do you know the developers of, for example, "true crypt" isn't the NSA itself?
This is the Bush Administration, dude. The most secrecy obsessed White House in US History. They've got the FBI tracking and conducting surveillance like little senior citizen Quaker pacifist groups.
NT
You know, the kind you can self-verify are correct and pass all the relevant tests?
The mathematical algorithms are open, the implementations open... there's no reason why you shouldn't be able to find and test an implementation that you feel secure with. Be that twofish or AES, whatever.
The trick is keeping your key material and plaintext (when not encrypted) from being exposed.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Because the algorithm doesn't exist.
There are currently no reliable symmetric cyphers that use keysizes greater than 256 bits. They just haven't been written and tested yet, because we don't need them until something drastic happens in math or quantum computing to make guessing that symmetric key feasible.
Other algorithms from PKI are where you see 512, 1024, 2048 bits. These algorithms use math that works in two directions and the security rests on the difficulty of factoring very large numbers. These types of keys are long-term use keys used to prove identity and sign documents, and protect randomly selected encryption keys that are one-time-use between parties. You need those one-time-keys when exchanging a lot of data; you'd use it with the aforementioned symmetric cypher with those smaller 256-bit keys and blocks in that case. It's simultaneously stronger per bit of key, but faster to compute than the PKI encryption.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
All this is really going to do is give the Federal Government more power in the one place it has the least authority. Can we have anything without their intrusion. The Federal Government is like a spoiled teenager. If you give it a inch, it will take a mile. They will eventually make the Internet a wasteland like TV. Gone will be the free flow of ideas. Gone will be the power of the individual to be heard. Im sure they will keep the porn because it makes numb-skulls giggle. All in the name of some threat they keep dangling in front of us to gain more power over our day-to-day lives. What are the terrorist going to do? Suicide bomb the Internet? The Founding Fathers would be pissed. I know I am. Hear that? That's the slow sound of Liberty dying. May God have mercy on our pitiful soles.
So how do you suppose a Whitespace interpreter is added to every version of GCC ever used to compile any crypto code that gets tested?
Oh wait, it doesn't, whitespace is a horrible language only Touring-complete in name and the extra whitespace that would be required to do anything subversive would be 10 times larger than the source code to the encryption itself, and you don't think anyone would notice that?
Jesus Fucking Christ, you're retarded. You're out of your league. Take your tinfoil hat off and swallow it.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
is to improve our average IQ by leaving immediately. You'd make a good North Korean.
Tech Public Policy stuff
Here is the "official" text, straight from page 4 of my US passport.
"LOSS OF CITIZENSHIP. Under certain circumstances, you may lose your U.S. citizenship by performing any of the following acts: (1) being naturalized in a foreign state; (2) taking an oath or making a declaration to a foreign state; (3) serving in the armed forces of a foreign state; (4) accepting employment with a foreign government; or (5) formally renouncing U.S. citizenship before a U.S. consular officer overseas. For detailed information, consult the nearest American Embassy or Consulate, or contact the Office of Citizens Counsular Services, Department of State, Washington, DC 20520-4818, or call (202) 647-3444."
Disclaimer: That passport was issued eight years ago, so the text may have changed.
(I find it amusing that the captcha for this post is "jailing".)
-Q
Thanks for your demonstration that the only real response you offered to the documentation proving the NSA compromised Crypto AG, the best crypto in the world, for decades was 4 letter words and personal insults. The NSA has made sure nobody on the planet other than the US has had secure communication since the 50's. Naive insistences regarding "tinfoil hats" is a religious mantra that fools repeat over and over and over again hoping their faith-based beliefs that "things like that can't happen in the US" will stay strong. Your religious beliefs are not facts.
Every major telecom carrier in the US except Qwest obediently surrendered the constitutional rights of their customer base to private communications upon demand of the Bush White House to the wiretap every Americans phone and internet usage in 2001 BEFORE 9/11. The facts are every bit of telecom traffic that didn't begin and end within Quest's lines was intercepted at the network level.
"1024-bit encryption is 'compromised'
Upgrade to 2048-bit, says crypto expert
James Middleton, vnunet.com 26 Mar 2002
1024-bit encryption is 'compromised'
Upgrade to 2048-bit, says crypto expert
James Middleton, vnunet.com 26 Mar 2002
ADVERTISEMENT
According to a security debate sparked off by cryptography expert Lucky Green on Bugtraq yesterday, 1,024-bit RSA encryption should be "considered compromised".
The Financial Cryptography conference earlier this month, which largely focused on a paper published by cryptographer Dan Bernstein last October detailing integer factoring methodologies, revealed "significant practical security implications impacting the overwhelming majority of deployed systems utilising RSA as the public key algorithm".
Based on Bernstein's proposed architecture, a panel of experts estimated that a 1,024-bit RSA factoring device can be built using only commercially available technology for a price range of several hundred million to $1bn.
These costs would be significantly lowered with the use of a chip fab. As the panel pointed out: "It is a matter of public record that the National Security Agency [NSA] as well as the Chinese, Russian, French and many other intelligence agencies all operate their own fabs."
And as for the prohibitively high price tag, Green warned that we should keep in mind that the National Reconnaissance Office regularly launches Signal Intelligence satellites costing close to $2bn each.
"Would the NSA have built a device at less than half the cost of one of its satellites to be able to decipher the interception data obtained via many such satellites? The NSA would have to be derelict of duty to not have done so," he said.
The machine proposed by Bernstein would be able to break a 1,024-bit key in seconds to minutes. But the security implications of the practical 'breakability' of such a key run far deeper.
None of the commonly deployed systems, such as HTTPS, SSH, IPSec, S/MIME and PGP, use keys stronger than 1,024-bit, and you would be hard pushed to find vendors offering support for any more than this.
What this means, according to Green, is that "an opponent capable of breaking all of the above will have access to virtually any corporate or private communications and services that are connected to the internet"...."
http://www.vnunet.com/vnunet/news/2118141/1024-bit-encryption-compromised
No text
Sorry, but claiming that just because someone was appointed to a political position later in life makes all the previous organizations with jobs he/she held, also have positions of political appointment IS absurd. Maybe he worked for McDonald's in high school. Does that mean that McDonald's has political appointees in it? It must following your (il-)logic. And it IS absurd.