NSA Backdoors In Open Source and Open Standards: What Are the Odds?

New submitter quarrelinastraw writes "For years, users have conjectured that the NSA may have placed backdoors in security projects such as SELinux and in cryptography standards such as AES. However, I have yet to have seen a serious scientific analysis of this question, as discussions rarely get beyond general paranoia facing off against a general belief that government incompetence plus public scrutiny make backdoors unlikely. In light of the recent NSA revelations about the PRISM surveillance program, and that Microsoft tells the NSA about bugs before fixing them, how concerned should we be? And if there is reason for concern, what steps should we take individually or as a community?" Read more below for some of the background that inspires these questions. quarrelinastraw "History seems relevant here, so to seed the discussion I'll point out the following for those who may not be familiar. The NSA opposed giving the public access to strong cryptography in the '90s because it feared cryptography would interfere with wiretaps. They proposed a key escrow program so that they would have everybody's encryption keys. They developed a cryptography chipset called the "clipper chip" that gave a backdoor to law enforcement and which is still used in the US government. Prior to this, in the 1970s, NSA tried to change the cryptography standard DES (the precursor to AES) to reduce keylength effectively making the standard weaker against brute force attacks of the sort the NSA would have used.

Since the late '90s, the NSA appears to have stopped its opposition to public cryptography and instead (appears to be) actively encouraging its development and strengthening. The NSA released the first version of SELinux in 2000, 4 years after they canceled the clipper chip program due to the public's lack of interest. It is possible that the NSA simply gave up on their fight against public access to cryptography, but it is also possible that they simply moved their resources into social engineering — getting the public to voluntarily install backdoors that are inadvertently endorsed by security experts because they appear in GPLed code. Is this pure fantasy? Or is there something to worry about here?"

Re:Back doors are so 90s

[kc9jud]

Backdoors are passé.

And so is proper Unicode support...

Bitcoin?

[Fesh]

Obviously I haven't read the literature enough to know how it works or why it's impossible... But it would be really funny if it turned out that Bitcoin mining was actually the NSA's attempt at crowdsourcing brute-force decryption...

Re:This is stupid

Belgium - The more awesomer part of the Spanish Netherlands!

Re:This is stupid

[Alranor]

It's all Greek to me

Re:This is stupid

[PopeRatzo]

Belgian ffs.
Belgium, I hate it when people mistake us for Dutch!

Seriously, right? They probably don't even know you guys invented spaghetti and kung fu.

I for one think the Belgs are awesome.

Re:Yep

[Joce640k]

AES ... is the sole most attacked cypher in history, and remains secure.

The 128-bit version remains secure. The 256 and 192-bit versions are believed secure but have shown cracks (they should really have had a couple more encryption rounds).

The 256/192-bit versions are just re-fiddlings of the 128-bit version, made to fulfill the NIST requirements for key sizes. This was largely a waste of time since 128-bits can't be brute-forced with any imaginable technology.

(My advice to any potential cryptograpy coders out there is to stick with the 128 bit version).

Re:This is stupid

[ttucker]

So, you're illiterate and proud of it. Cool.

So, you're a dick, and don't know it. Awsome.

I think he probably knows.