Slashdot Mirror


UK Cryptographers Call For UK and US To Out Weakened Products

Trailrunner7 writes "A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ 'have been acting against the interests of the public that they are meant to serve.' The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products."

21 of 105 comments

  1. Proprietary Routers by Anonymous Coward · · Score: 4, Insightful

    Let's start with these as they are of great importance and often fall behind with updates.

    Google search:

    cisco routers backdoor
    cisco routers rootkit

    1. Re:Proprietary Routers by Anonymous Coward · · Score: 2

      What makes you think non-proprietary routers or routers that come with source code aren't backdoored? Plenty of complexity to hide the malware in, plus the possibility of compromised hardware. There is quite a bit of firmware code in, for example, a Gobi 3G modem that your open source kernel can't do much about but send USB urbs to. It sometimes crashes and does weird things, and needs to be power cycled from time to time. I'm sure that there are other pieces of hardware in many routers that aren't yet reviewed thoroughly for security.

  2. Unlikely by AmiMoJo · · Score: 4, Insightful

    Does anyone really expect these criminal organizations, headed by the kind of people who set up a Star Trek style command bridge, are going to do the right thing? The only way to deal with these scum is to shut them down and start from scratch.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    1. Re:Unlikely by FriendlyLurker · · Score: 2

      acting against the interests of the public that they are meant to serve.

      You're right, although the organizations are not being treated like criminals by the powers that be, more like rewarded as an owner rewards a guard dog. We the public are the enemy/being treated like we are all criminal "terrorists" so they are definitely not operating in our interests - surely this is obvious at this point, or are the researchers just being polite?

  3. Likely outcome by return+42 · · Score: 5, Insightful

    I suspect the agencies will make a great show of reluctance, then reveal what they did to some protocols and algorithms -- those where the backdoors are most likely to be noticed, or have already been found, such as Dual_EC_DRBG. The crown jewels, those least likely to be noticed, will remain secret. Nothing to see here folks, move along.

    NSA and GCHQ couldn't care less about the public interest. They have a mandate to spy on as much as possible on the off chance that it may prevent some terrorist act. They will continue to do so in any way they can unless the legislative bodies or courts in their respective nations rein them in. This seems moderately likely in the US, quite unlikely in the UK.

    1. Re:Likely outcome by FriendlyLurker · · Score: 5, Insightful

      on the off chance that it may prevent some terrorist act.

      Oh, that must mean those terrorist organizations like Occupy Wall Street - or any other community-based activist group trying to agitate for improved conditions for the people. Must be why we are treated as the enemy.

    2. Re:Likely outcome by mrspoonsi · · Score: 4, Insightful

      It needs more people to be outraged by it, to what lengths are people willing to accept this kind of intrusion? If these spy agencies shipped all domestic post to a 3rd country, where it was opened, photocopied, stored then sent on its way, people would be doing a Bastille style take down, yet somehow because these letters (email) are electronic, and it does not need a huge complex of Stasi officers doing the actual work, then it is OK for most of the people?

      Well I say to those people, your liberty is gone, a form of government is in place which is open to internal corruption / blackmail, there is a massive abuse of power going on. Information is power, and the next President, well the NSA, FBI, etc might just have a file on said future president, all his little secrets, so the President is in their pocket so to speak.

      Remember, for a true democracy, government needs to be transparent.

    3. Re:Likely outcome by Anonymous Coward · · Score: 2, Interesting

      What makes you believe spying on everybody, including politicians and military, is about preventing terrorism? The Information Dominance (look it up) is for just that: Dominance. By an unaccountable entity.

    4. Re:Likely outcome by Walterk · · Score: 5, Interesting

      Interesting you raise the point about the "mandate to spy on as much as possible on the off chance that it may prevent some terrorist act".

      There is a very interesting article on the BBC blogs indicating just how useless MI5 has been at any sort of intelligence gathering, even the sort that's been painfully obvious over its entire existence. Its opening gambit: "Maybe the real state secret is that spies aren't very good at their jobs and don't know very much about the world".

      http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER

    5. Re:Likely outcome by AmiMoJo · · Score: 3, Insightful

      We have to assume everything up to this point is compromised and start pretty much from scratch. Replace AES with Twofish, re-design all the lower level protocols, increase all key lengths, remove any ability to downgrade security and mercilessly cut off clients that don't upgrade when an issue is found.

      The whole trusted certificate system has to be replaced as well, which is going to be hard.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:Likely outcome by easyTree · · Score: 2

      Duh. *They* are in a tower-block and we are the zombie horde climbing the walls. What would *you* do to maintain the relative positions?

  4. Re:hahhaha by F.Ultra · · Score: 4, Insightful

    No, they think that they _should_ care about the public interest since that is why we have them. If they do not serve the public interest we should abolish them.

  5. Wrong target by c0lo · · Score: 2

    conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services

    I couldn't care less which are the ones that were weakened deliberately or by honest mistake. I'd feel much better if I knew which algos/constants are still safe and/or what can be done with the algos/constant-sets that are under doubt.

    Also, a simpler alternative to an unnecessarily complicated IPSEC spec would be good (along the lines of "as simple as possible, but no simpler") - though I expect this would be an engineering job rather than a pure crypto one.

    --
    Questions raise, answers kill. Raise questions to stay alive.

    1. Re:Wrong target by c0lo · · Score: 2

      I'll let others speak, as they do it better.

      Our main criticism of IPsec is its complexity. IPsec contains too many options and too much flexibility; there are often several ways of doing the same or similar things. This is a typical committee effect. Committees are notorious for adding features, options, and additional flexibility to satisfy various factions within the committee. As we all know, this additional complexity and bloat is seriously detrimental to a normal (functional) standard. However, it has a devastating effect on a security standard.

      (my emphasis).

      --
      Questions raise, answers kill. Raise questions to stay alive.

  6. Collective noun by wonkey_monkey · · Score: 4, Funny

    A group of cryptographers

    I believe the correct term is a crib.

    --
    systemd is Roko's Basilisk.

  7. Re:hahhaha by TheRaven64 · · Score: 5, Interesting

    The problem is that the NSA and GCHQ have dual mandates. They are responsible for both ensuring their respective countries are not vulnerable to attacks and for ensuring that they have techniques for attacking others. This means that when they discover a vulnerability in a piece of widely deployed software, they have conflicting requirements. If they publish it, then the systems that they're defending will be safer because it will be fixed, but if they don't publish it then the systems that they're attacking will remain vulnerable. This gets even worse when they start introducing intentional back doors (given how many Russian spies there were in these institutions during the Cold War, it's pretty much expected that there will be some Chinese spies in there now, so those back doors are almost certainly not secret).

    --
    I am TheRaven on Soylent News

  8. Re: hahhaha by bkmoore · · Score: 2

    Splitting these organizations into separate parts, each with a different mission could fix that, but effective oversight would be required.

  9. Re:Intelligence Gathering Agencies by Xtifr · · Score: 2

    The point of the NSA and the GCHQ is to gather intelligence.

    That's only part of their point. They're also supposed to protect US/UK secrets against spying. You may notice that these goals are somewhat at odds, which is why such organizations tend to be a little schizophrenic.

  10. Re:Is it for real? by Antique+Geekmeister · · Score: 4, Informative

    They've apparently been interfering with open source and free software. (See John Gilmore's notes about the security agency hindered development of IPsec, at http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html )

  11. Re:hahhaha by Anonymous Coward · · Score: 4, Insightful

    How many truck bombs have been set off in your town? And if you think the long string of successful non-explosive days is thanks to the alphabet soup agencies, I have a lovely truck bomb preventing rock here I'd be willing to part with for a few thousand dollars.

  12. Re:hahhaha by ultranova · · Score: 3, Insightful

    And part of "the public interest" is tracking down the people who want to drop off a truck bomb at the shopping center I'm going to be at. And part of tracking those people down is monitoring their communications.

    1) You know some particular person is planning to bomb a shopping center. You don't need bugged encryption protocols, you can simply get a warrant to keep them under surveillance until you have enough evidence to arrest them.

    2) You know there's a plan to bomb the shopping center, but don't know who's involved. Fortunately truck bombs need lots of materials, such as fertilizer, so start asking local sellers. And as a last resort you could simply stop and search every truck that approaches the center - you have probable cause, after all.

    3) You don't know anything, but have a gnawing suspicion that some unspecified bad guy might be planning an attack against an unspecified shopping center for unspecified reason at unspecified date. Thus, you want the right and ability to open random letters on the off chance that these shadowy figures are discussing their evil plans on them. In this case, have you considered getting psychiatric help? Because it sure sounds like classic paranoia to me.

    --
    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.