Reuters: RSA Weakened Encryption For $10M From NSA
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
The NSA sold its own customers out to the US government for the price of an NYC apartment.
Considering that this kind of revelation could cause a massive exodus of all of RSA's non-US (and many US) customers, that's a surprisingly low number.
RSA is publicly traded, is it not? Reuters is giving them a full weekend to come up with a PR response before the markets open on Monday.
-Also, that wasn't my initial reaction. My initial reaction was to pick my jaw up off the floor. And I thought it couldn't get much worse. Edward Snowden for man of the year.
"... We are now merely haggling over the price."
Oh, no, wait, it's $10M.
(apologies to George Bernard Shaw)
P.S. - AC, yes, if you used an RSA CA appliance with the default Dual EC DRBG PRNG configuration, your private key is probably easy to break and your traffic easy to intercept/decrypt if you're not using perfect forward secrecy (assuming that's not on an RSA appliance).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Hardly anyone uses FIPS-186-3, and its use isn't mandated by RFC 2246 or any later standard that describes SSL or TLS. While Dual_EC_DRBG can be used by TLS/SSL, almost no one does. TLS/SSL has its problems, sure, but this isn't one of them.
"If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
No. SSL doesn't specify the method to produce random numbers. Why would it? The NIST method is very very slow, so I'd be surprised if any browsers or servers used it as the random number source.
AccountKiller
This incident and their 100% CRAP one-time-password generator technology (used by the Chinese to get into Lockheed Martin) mean they are simply a FRAUD.
This company is like shiny chocolate paper wrapped around a nice brown stink.
Just a printout of random numbers would be much more secure than their otp generator electronic crapola. As I wrote even before Snowden: RSA epitomizes the corruption of the western world.
I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.
Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.
No RSA product can ever be trusted again.
TLS's current big problems are:
- RC4, which is actually crackable given a few bytes of known-plaintext prefix (like "GET /") by a Nation State Adversary in real time; the NSA secretly controls the PCI DSS standard and used the BEAST attack (CVE-2011-3389) as an excuse to push RC4 as the solution for PCI compliance, instead of TLS 1.2
- The CA PKI letting any CA impersonate any and every site; we need at minimum certificate transparency, DANE, and maybe something more
- The unencrypted ClientHello, which is what makes the FLYING PIG metadata trawling possible (nothing you couldn't do with Snort, in fact, it IS done with Snort)
All of these are going to be addressed by the TLS WG going forward: most urgently, RC4, which will be replaced with djb's ChaCha20_Poly1305 ciphersuite, courtesy of agl (live on Google servers and with Chrome dev and canary builds right now). More secure than AES-128-GCM or AES-256-GCM, I think - certainly has a higher security margin against both confidentiality and integrity.
The problem of the curves is a big problem, but what makes those curves (specifically Jerry Solinas @ NSA generated the SHA-1 hash seeds for Certicom) bad is mostly implementation choices: bad random numbers for DSA & ECDSA (hello Sony attack), which this subversion massively helps with, and non-constant-time addition ladders and lack of curve point validation, which can result in practical timing attacks and partial key disclosure leaks. djb & Lange already have a group of Safecurves which avoid all of these attacks and which are incidentally incredibly fast, and EdDSA's nonces are deterministic so no entropy needed during signatures, only keygen.
Oh, and - in similar news, which in other circumstance, I would have submitted, and might if for some crazy reason this gets ignored by the IETF chair, but I doubt it - there have been strong calls for the head of the co-chair of the crypto advisory board at the IRTF. He (openly) works for the NSA, which is now clearly a conflict of interest, and we caught him pushing a similarly-backdoored PAKE standard, which the TLS WG resoundingly rejected.
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
They're owned by EMC now, all that data held on EMC kit and in EMC 'clouds' secured by RSA software. Or rather *not* secured by *NSA* software so the NSA can break in easier.
Wow, that is trillions in damage even before we get to the criminal law book.
I'm more surprised that civilization has lasted this long considering the greedy nature of man. It only takes one wealthy wackjob to buy a chemical or nuclear weapon and use it to kill millions of people.
"amirite?"
This wouldn't have been posted 10, or even 5, years ago. I don't want to see it. Please don't lower your standards.
Courtesy of Gizmodo http://gizmodo.com/the-scariest-part-of-the-latest-nsa-revelation-is-this-1455050775
RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."
That is one of the biggest loads of horse shit I have ever heard. If any part of that statement from the RSA were true then the NSA deal would never have happened and the NSA Formula would never even have been an option, much less the default...
I'm assuming for the moment that this evidence is, in fact, legitimate. Given how heinous the NSA's actions have been lately, it seems completely in character, which makes that likely a safe assumption. However, just to give them the benefit of the doubt, everyone involved should receive a fair trial. With that said, everyone involved should be tried for high crimes against the United States and its allies. These are accusations of very serious crimes.
Deliberately compromising the secure communications of hundreds of millions of computers all around the world just so a bunch of pencil-dicked asshats can play their little spy games goes so far beyond unconscionability that it borders on a crime against humanity. Such ends-justify-means thinking is fundamentally incompatible with any form of liberty or justice. Our data is fundamentally easier to crack not just by our own government, but also by organized crime syndicates, foreign governments, and even terrorist groups. In all likelihood, even military communications gear is less secure, which means our troops are at elevated risk during a time of war as a direct result of their actions. That's treason, even by the absolute strictest definition thereof. Further, such deliberate weakening of crypto endangers the lives of dissidents in countries with oppressive regimes, many of which are considered our enemies—an act that could also be considered treason.
Their actions, if true, clearly constitute providing material support to terrorists and treason by means of providing material aid to our enemies in a time of war. Therefore, according to U.S. law, everyone involved should be immediately treated as enemy combatants, deported to an appropriate holding facility outside our borders—preferably the one affectionately known as "Gitmo"—and tried before a military tribunal.
In addition to prosecution of individuals, there should be consequences for the groups involved. RSA should be immediately dissolved and all its assets destroyed. Further, at this point, it should be abundantly clear to anyone with even the slightest understanding of crypto that nothing short of the complete and total elimination of the NSA and a constitutional amendment clearly and plainly banning any similar organization from ever existing in the future can even begin to restore trust in cryptography and computers. That organization is fundamentally malevolent, and its very existence is inherently incompatible with the very concepts of security and privacy. No matter what successes they may have had, nothing can possibly even come close to justifying such a heinous breach of the public's trust.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The NIST/SECP curves are NOT safe. They were generated by the NSA, and they need replacing. http://safecurves.cr.yp.to/
We probably don't know the full extent of the 'trapdoors' left by Jerry. What we do know is that unless you're using Brier-Joye's (very, very slow) constant-time short-Weierstrass curve, a timing attack is possible, and probably practical; many of the routines are incomplete or wrongly-implemented, because they're very complex, and the curves aren't complete; some don't even check if the point is on the curve, and if it isn't, we're basically leaking private data; secp256k1 has a complex-multiplication field discriminant of just -3, which may make it more susceptible to one attack and very possible to one extended one we don't know about; and secp224r1 (P-224) definitely has an insecure twist. Something may well be wrong with secp256r1 and the others, but if so, we don't know what it is. Either way, we know the NSA generated it to ostensibly be random but really satisfy some very specific unknown conditions: that alone is reason enough to not trust it.
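The "check if the point is on the curve" step mentioned above, as an added example (not code from any post in this thread, nor from RSA, NIST or the Go project): before a peer-supplied P-256 point is used for ECDH or ECDSA verification, confirm that both coordinates lie in the field and satisfy y^2 = x^3 - 3x + b (mod p). The check is written against math/big so that it does not depend on the library's own scalar-multiplication routine doing it for you; only the curve constants come from Go's crypto/elliptic. The function name ValidateP256Point is ours.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// ValidateP256Point performs the public-key validation a receiver should do
// before feeding a peer-supplied affine point (x, y) into any computation that
// involves its own private key: coordinates must be in [0, p) and satisfy
// y^2 = x^3 - 3x + b (mod p). P-256 has a = -3, so the curve equation is
// y^2 = x^3 - 3x + b. The curve constants p and b are read from Go's
// crypto/elliptic; the arithmetic is done here with math/big on purpose.
func ValidateP256Point(x, y *big.Int) error {
	if x == nil || y == nil {
		return fmt.Errorf("nil coordinate")
	}
	params := elliptic.P256().Params()
	p, b := params.P, params.B

	// Range check: an x or y outside the field is never a valid encoding.
	if x.Sign() < 0 || x.Cmp(p) >= 0 || y.Sign() < 0 || y.Cmp(p) >= 0 {
		return fmt.Errorf("coordinate out of field range")
	}

	// lhs = y^2 mod p
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p)

	// rhs = x^3 - 3x + b mod p  (big.Int.Mod is Euclidean, so the result is
	// non-negative even when the subtraction goes below zero)
	x3 := new(big.Int).Mul(x, x)
	x3.Mul(x3, x)
	threeX := new(big.Int).Mul(x, big.NewInt(3))
	rhs := new(big.Int).Sub(x3, threeX)
	rhs.Add(rhs, b)
	rhs.Mod(rhs, p)

	if lhs.Cmp(rhs) != 0 {
		return fmt.Errorf("point is not on P-256 (invalid-curve or twist point)")
	}
	return nil
}

func main() {
	params := elliptic.P256().Params()
	// The generator is on the curve by definition.
	fmt.Println("G:", ValidateP256Point(params.Gx, params.Gy))
	// Constructed bad input: same x, y nudged by one, is off the curve.
	bogusY := new(big.Int).Add(params.Gy, big.NewInt(1))
	fmt.Println("G with y+1:", ValidateP256Point(params.Gx, bogusY))
	// Constructed bad input: x == p is outside the field.
	fmt.Println("x = p:", ValidateP256Point(params.P, params.Gy))
}
```

A point that fails this check must be rejected before any scalar multiplication with the private key takes place; performing the multiplication anyway on an invalid-curve or twist point is what turns the missing check into the partial key disclosure the post describes.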
They advertised and sold a product promising to secure customers' data yet they intentionally put an algorithmic backdoor inside that could be used not only by the US government but also discovered and used by hackers to compromise customers' security.
Let's get together and make tons of new cryptographic systems. We'll keep selling out and weakening them until the NSA hits budget limits. We get rich; the NSA won't have money to continue spying. Win; win.
djb's funded by a NIST grant or two, but they're actually furious that, for example, he's running a crypto competition without telling them. Dude is a professor with tenure, and does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science. (There are plenty of people who don't like him because of his personality and penchant for unusual decisions, but these decisions are often for very sound reasons.) I've checked his stuff out extensively, and this is great.
Similarly, I've been through Adam Langley's stuff on this draft with a fine-toothed comb, and it's fine. ChaCha20's great, we analysed it and its variant as part of the BLAKE hash in SHA-3 competition; best attack 7/20, which makes it slightly better than the eSTREAM winner Salsa20 (best attack 8/20).
Many cryptographers have worked together on all this stuff. Some of them are American. Bruce Schneier is American, but I don't think the NSA have subverted him. Quite the opposite.
It says a lot about the NSA's actions that they've irrevocably damaged the US's national interests by providing some very strong reasons for everyone else not to trust them, though. You're right not to put trust in people you don't know. You don't know me. Weigh in yourself, check this stuff, if you have better ideas, please contribute them, and at the very least feel free to provide oversight, please!
What if the NSA had gone to RSA in the past to get them to do what this Reuters article claims, and RSA did indeed say no?
And what if, since many things about the NSA are coming out anyway, the NSA went to Reuters (or used some in-between person or persons) to plant the false story that RSA is in the NSA's pocket -- in order to punish them for their earlier refusal? Because they know that you, and most others reading this, will believe that RSA products are infected by NSA backdoors, and not use RSA products... whether the backdoors, or weaknesses, or whatever, are there or not. I mean, it's not like Reuters fact-checks their shit anymore, and the press can get a "deal they can't refuse" just as easily as any other company.
In that kind of scenario, RSA could be telling the absolute truth... and no one will believe them.
That should be the big news.
"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.
Right, the NSA, known to be codebreakers, paid them $10M to include their "special" algorithm, and no one had any idea that it could be compromised. Right. Why else would they pay them to use it?
No, it also takes a seller of such weapons. And there aren't any, or we'd have been sweeping up the remains of some city, political center, or major chunk of infrastructure by now. The whole "terrorists and nuclear weapons" thing is a total mind job done on you and yours by your government. One thing to keep in mind: nukes are very difficult and expensive to manufacture, and pretty damned difficult to lose track of.
Civilization isn't likely to die due to nuclear weapons. We've set off well over a thousand of them already, and there are no particularly notable effects other than the low hum of hysteria at the intersection of the set of the ill-informed and the paranoid.
Also, chemical weapons are a lot less "mass" than nukes are, barring very sophisticated delivery systems, which again, aren't available to religious tools. Bacterial weapons are vaguely possible (although still very, very technical), but incorporate the downside of most likely eventually killing everyone everywhere instead of just the target(s), and so not even your average superstition-addled dingbat seriously considers them.
If you are a US citizen, if you want to worry about civilization, you should be worrying about the decay of our government from one authorized by the constitution into a form exclusively controlled by corporate and political groups. Because unlike the "nuclear threat", said decay is real and ongoing and has already screwed things up immensely: almost 100% loss of manufacturing capacity and so also jobs, crippling inflation, loss of citizens' rights, usurpation of article five powers by the judiciary, illegal legislation that spans almost the entire bill of rights to ex post facto laws to the complete inversion of the commerce clause, promulgation of multiple very expensive, ultimately useless wars... the problem isn't terrorists. The problem is our federal government. The whole terrorist thing is to keep the citizens looking the wrong way.
I've fallen off your lawn, and I can't get up.
I remember a while ago that all the little RSA doodads had to be replaced because they had been breached.
I bet you 10 to 1, it was related to this.
Since there are only about three people in the world who could actually tell you whether one set of elliptic curve constants is inherently more secure than another set, I'd say they deserve the $10M, probably a lot more. (Whether or not what they did is ethical is a totally different issue. It clearly was not ethical to betray the whole world's trust like that, especially for a company where half their core business is verifying trust.)
We can't really recommend RSA at 3072 bits now; 4096 to be safe. We're approaching the limits where RSA is going to become prohibitively slow - same for standard D-H. If we need more security but keep similar mechanics, representing the discrete log algorithms with a different field is definitely the way to go.
As far as practical quantum computers, it's hard to predict timescales. They'll probably mash all discrete log and polynomial/factoring algorithms into pulp - but we don't have any reason to suspect any NSA is THAT far ahead. That would be a phenomenal cryptanalytic and mathematical advance. I'd estimate we still have 20 years, but I'm plucking numbers out of the air here.
As far as post-quantum encryption goes, we're looking too far ahead; it's not developed enough yet to have anything good to switch to. Hash-based signatures are a possibility, but two-key ciphers are a big problem: the few which have been proposed are often based on, say, lattice algorithms (such as NTRU, although I have a hunch the NSA have a hand in that one, purely because it's a public key standard, it's American and it's patented; it's had bad security reviews too, with some key leakage with signatures) and linear codes (like Goppa codes with McEliece signatures, the drawback of these systems being the keys are REALLY BIG). Worst, we don't have any proof quantum computers are actually bad at solving these either: in fact, I think they ought to be really good at solving lattice algorithms, we just don't have an algorithm that we know of that would allow them to do it yet. We need another decade's research; we need something to switch to FOR that decade, first.
Yes, using TLS 1.2's AES-128-CCM or AES-128-GCM or CAMELLIA equivalents or something would have been more rational. That's why NSA convinced PCI DSS to recommend RC4.
I wouldn't recommend Blowfish nowadays, not when Twofish exists, at least. And 3DES? No. Way too old and creaky. Didn't you want to use a cipher they hadn't co-designed?
TYPO: you mean RSA sold out its customers
I've followed the Snowden releases, curious as anyone else as to the ways and means of the NSA. Until now, the only real 'news' for me was the incredible scope of the NSA's reach and their staggering, seemingly unlimited budget. But this crosses the line. This little stunt has mammoth, wide reaching and enduring ramifications. This is beyond just storing "metadata", hooking in to Google's pipes or recording German heads of state. This action by the NSA is egregiously unethical on so many levels. There is no legitimate justification for intentionally weakening security of this nature. They might as well have gone to Schlage and told them that, from now on, they may only build deadbolts out of cheap low-grade plastic with a faux metal finish.
The actions of the NSA carry immense potential risks for millions of people. Exploitation of the RSA weakness could lead to completely unnecessary breaches of privacy, political manipulation, loss of safety or financial loss. All in the name of protecting the country. The burden of risk created by weakening RSA is ultimately placed largely on the public. What benefit do we gain from this?
This is not how I want my country to be governed
They sold out for so little.
The land of freedom and liberty. That's what I was always taught.
It is, but you have to vote for people that want to keep it that way. You have to complain when people tell you that this or that part of the constitution doesn't mean anything anymore. You have to complain when government grows, for the larger a government is the farther it is from control even of elected officials.
Anything worthwhile requires care and upkeep, and a nation is no different.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Having worked with pre-2000 versions of RSA BSAFE, the thing that the NSA paid RSA to do was to change the default selection of the random number generator with a weaker one. Nobody had to use the default version--it was just picked if you didn't specify one (or a callback to your own RNG). We had our own multi-threaded rendezvous noise generator thing since this was back before hardware entropy engines.
Oh, and before that, the NSA had unsuccessfully tried to get RSA to tell people that 512-bit keys were safe enough. It wasn't successful mostly because the old guard was still running the company then.
Kriston
Because the people behind CryptoLocker (who are probably from Russia or China or some other country that isn't exactly best buddies with the US) are likely smart enough not to trust US-made off-the-shelf cryptography.
Dollars to doughnuts this is going to turn out to be that they were paid to *implement* the algorithm in their products. The NSA will have been touting a new "better" algorithm, and claiming they want to popularize it because it's more "secure" (or better, faster, pinker, whatever) than the other alternatives. By paying RSA to implement it in their software, and even more so by making it the default, they will achieve that.
RSA likely didn't know it was flawed (after all, nobody else did at the time).
Remember, this was a different time - no sane company would do something like this today if the NSA asked, but we're talking close to 10 years ago based on the Reuters article.
The sum of money does seem low, but when an agency like the NSA comes calling, I have a feeling that they make you a proposal you cannot refuse.
(Or you can do what Lavabit did, and just shut it down)
Do I need an "EC PRNG", if any symmetric cipher and a simple counter are sufficient to generate PR numbers?
I seriously would like to know !
If that were true, you would not. However, it's not established that that's true. Some believe iterative hashing is the best way because hashes are explicitly designed to be one-way functions, meaning they are intrinsically not reversible. That is believed to make hash-based PRNGs more resistant to attack. However, on the flip side, cipher-based PRNGs have the advantage that ciphers have been more closely studied, and are likely more resistant to attack because of that. That's why 800-90 specifies both hash-based and cipher-based PRNG algorithms.
The logic behind EC was based on the belief that ECs are more resistant to attack because they are based on different mathematical problems than most hash and cipher algorithms, and therefore are less vulnerable to the current state of the art in attacks designed to attack hashes and ciphers. That assertion seems to be false based on research done in the mid 2000s, but the general answer to your question is that no one is certain that, say, AES-based stream cipher PRNGs are certain to be uncrackable, and so people are always looking for alternatives. In fact, the *strongest* PRNG that I can think of is one that simultaneously generates SHA, AES, *and* EC random streams and XORs them together. To break that random stream, you would have to be able to break all three simultaneously. Even if EC had a backdoor in it, that would not help you at all to break a random stream with its contents XORed into two other generators.
So the general answer to the question of why you'd need anything other than a cipher PRNG is that a) no one knows if your preferred cipher PRNG might be broken tomorrow, and b) having multiple kinds of generators based on entirely different math opens the door to creating stronger generators that are a combination of all of them. And by the way, a cipher-based generator that was the XOR of two different cipher-based generators is not guaranteed to be twice as strong.
EC is a bad candidate in general for this kind of RNG hardening (because of its speed and its poorly understood backdoor possibilities), but we only knew that after it had been studied. If it was faster, and its constants were initialized by another PRNG guaranteed to not include the backdoor, it could serve as a PRNG hardener in theory, since its strength relies on an independent problem from hashes and traditional block ciphers.
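The XOR-of-independent-generators idea described in the reply above, as an added example that is not part of any post in this thread and is not SP 800-90 code: a hash-based generator (SHA-256 over seed||counter) and a cipher-based one (the AES-128-CTR keystream, i.e. the "symmetric cipher plus a counter" the question asks about) are combined by XOR, so that predicting the combined stream requires predicting both components. Both generators are simplified sketches of the Hash_DRBG and CTR_DRBG constructions (no reseeding or state update), the seeds are constructed constants so the program runs offline, and the type and function names are our own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Generator is a deterministic byte-stream source that was seeded once.
type Generator interface {
	Next(n int) []byte
}

// HashGen is a hash-based generator: output block i is SHA-256(seed || i).
// A stripped-down illustration of the Hash_DRBG idea, not an SP 800-90A
// implementation (no reseeding, no backtracking-resistance state update).
type HashGen struct {
	seed    []byte
	counter uint64
}

func NewHashGen(seed []byte) *HashGen {
	return &HashGen{seed: append([]byte(nil), seed...)}
}

func (h *HashGen) Next(n int) []byte {
	out := make([]byte, 0, n+sha256.Size)
	for len(out) < n {
		var ctr [8]byte
		binary.BigEndian.PutUint64(ctr[:], h.counter)
		h.counter++
		msg := append(append([]byte(nil), h.seed...), ctr[:]...)
		sum := sha256.Sum256(msg)
		out = append(out, sum[:]...)
	}
	return out[:n]
}

// CipherGen is a cipher-based generator: the AES-128-CTR keystream under a
// secret key, i.e. "a symmetric cipher and a simple counter". Again a sketch
// of the CTR_DRBG construction, not the standard.
type CipherGen struct {
	stream cipher.Stream
}

func NewCipherGen(key [16]byte) *CipherGen {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	iv := make([]byte, aes.BlockSize) // counter starts at zero; the key is the secret
	return &CipherGen{stream: cipher.NewCTR(block, iv)}
}

func (c *CipherGen) Next(n int) []byte {
	out := make([]byte, n) // zeros in, keystream out
	c.stream.XORKeyStream(out, out)
	return out
}

// XORCombiner XORs the outputs of independently seeded generators. An attacker
// who can predict one component stream still sees the combined output masked
// by the others, so every component must be broken to predict the result.
type XORCombiner struct {
	gens []Generator
}

func (x *XORCombiner) Next(n int) []byte {
	out := make([]byte, n)
	for _, g := range x.gens {
		for i, b := range g.Next(n) {
			out[i] ^= b
		}
	}
	return out
}

func main() {
	// Constructed seeds for a runnable demo; a real deployment seeds each
	// generator separately from the OS entropy source.
	hashSeed := []byte("constructed hash seed, not a real one")
	var aesKey [16]byte
	copy(aesKey[:], []byte("constructed-key1"))

	comb := &XORCombiner{gens: []Generator{NewHashGen(hashSeed), NewCipherGen(aesKey)}}
	fmt.Printf("combined: %x\n", comb.Next(32))
	fmt.Printf("hash only: %x\n", NewHashGen(hashSeed).Next(32))
	fmt.Printf("aes only:  %x\n", NewCipherGen(aesKey).Next(32))
}
```

The benefit the reply describes only holds when the components are seeded independently: feeding both generators from one seed would let a weakness in either design expose the shared secret, which is also why the reply's EC-hardener scenario insists on constants initialised by a separate, trusted PRNG.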
As others have said above, this is not a lot of money, and how they got asked may have had a lot to do with it but surely someone said 'This will eventually come out'? I guess the people approving it were hoping to be long gone by then.
---- The above post was generated by the Turing Institute. Maybe.
Google has an interest in proper encryption. They can only sell your data if the potential buyer cannot acquire it without paying them.
Sigh.
Google does not sell data, at least not in any form other than anonymized and aggregated, and not very much even that way. Google makes money from using your data itself (to target ads to you), not from selling it to others.
FWIW, I work for Google, on crypto security stuff, and Google does have a strong interest in proper encryption, because it's the right thing to do. It allows people to control their data. With respect to Google's business, Google would like you to choose to provide your data because you think it's a good trade for Google's services, but wants you to have the ability to make the choice not to provide your data. To anyone, if that's what you want.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I know I'm posting AC, but I have to echo the above: as someone who groks this stuff deeply, I have a high level of trust in both djb and agl. They're on the Good Guys side, and they're putting out very strong, very reliable stuff. They've been doing it for years. If there's anyone whose crypto code I'd trust blindly, it's that pair of hackers.
Christopher Hitchens, in his inimitable style, tried to get across what makes states like North Korea, Iran, and Iraq (under the Ba'ath party) so... well... indescribably unpleasant to live in. One of the cornerstones of such states is that they eradicate privacy and private life (a core theme of Orwell's 1984). Here's Hitch's attempt to describe it on Fora.tv: https://www.youtube.com/watch?v=Z-rTT8TPcck (Running time 1:00:52). The USA is assembling the infrastructure for the mother of all totalitarian states. They can do it better than anyone else in history, ...ever.
How many more companies have these contracts?
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
For those of us who aren't au courant with this area but are trying to educate ourselves, can you explain a little further what you've said and why it might be significant? Tnx.
Well, when you use Windows, it probably really doesn't matter what kind of security policies you have since you are using proven insecure systems in the first place!
You are being MICROattacked, from various angles, in a SOFT manner.
> Dude ... does what the fuck he wants, and is a great example why such things can sometimes be brilliant for science.
> (There are plenty of people who don't like him because of his personality and penchant for
> unusual decisions, but these decisions are often for very sound reasons.
Having had the honor and the curse of working with him, I whole-heartedly agree.
Daniel J. Bernstein can be counted on to never do what anyone tells him to do.
It's rather annoying. It makes him hard to deal with, and it means if the NSA asked him to do something he'd almost surely do the opposite - loudly.
After posting that I realized this is the second time recently I mentioned something about dealing with DJB. I don't want to overstate my own work. I was just one of many people who were part of the IETF.
Selling dysfunctional encryption as functional encryption looks a lot like fraud to me.
Predictable, irritating but understandable.
When the crypto genie really got going was when home computers became fast enough to generate useful enough prime numbers in times that did not upset domestic home users.
Once this occurred the volume of encrypted "I want to lover you [sic]" traffic would start to drown out potentially useful-to-know-about encrypted traffic.
I am not surprised,
Start with this complete sentence:
This wouldn't have been posted 10 years ago.
That's the independent clause, it stands alone.
If we interject a dependent clause we set it off with commas. In this case, the dependent clause "or even 10" is set off with commas. This is the same as the more common explanatory pattern:
Google Incorporated, the leading search company, offers many services.
The part delimited by commas could be removed without changing the meaning of the sentence.
English majors feel free to correct any errors in the above.
I am appalled.
RSA had, for a long time, an antagonistic relationship with the NSA; we wanted to push good crypto to the world, and the USG felt otherwise.
I knew the people involved, and I don't think any of the original RSA Labs (which was what the RSA Data Security Inc people became) would have compromised their integrity in this manner. What's more, BSAFE (the SW library compromised), became more or less a dead duck after 2000, when the patent on the RSA algorithm expired; free libraries such as BouncyCastle became much more viable.
After RSADSI was bought by Security Dynamics (which later renamed itself RSA Security), there was a gradual Borgification of RSA Labs, with it being assimilated more and more into the mother company (SecurID was always the main source of revenue, not RSA encryption).
I haven't been able to find the date at which the bribe took place, but 10 million seems very low. If Coviello approved this, I hope he's sued by stockholders.
ce
Ps if the above isn't clear, replace the commas with parentheses and you'll see why balanced delimiters make sense.
I generally agree with your indignation. However, I believe you are mistaken about a technical fact that is central to your position. The following is NOT true, based on the current state of the art in cryptography:
> Our data is fundamentally easier to crack not just by our own government, but also by organized
> crime syndicates, foreign governments, and even terrorist groups.
What the NSA may have done is made it so your encrypted communications have two keys: yours and the NSA's. There is no evidence that it weakens the algorithm in any way, provided of course that NSA doesn't publish their private key.
We can't PROVE for certain that the algorithm is secure with or without the NSA constants, but the consensus probability is that it can only be read by someone who has a key. Keys are held only by the intended recipient and the NSA, so it does NOT weaken it; no one can read it, except maybe the NSA because they could have the key. It's like if I sold you a car and kept a copy of the car key. That doesn't make it any easier for car thieves. It only makes it easier for me to repo the car.
None of what I wrote above means we shouldn't be pissed at the US government. We should just be clear about exactly what we are pissed off about. We're mad that the NSA and RSA made it so the NSA can decrypt our stuff. No one else can.
A while back Ron Rivest (the R in RSA) announced the Three Ballot cryptography for voting systems which was touted a system that would let voters check if their ballot was counted without jeopardizing the anonymity of the secret ballot. The really cool thing about it was that the crypto was a one-way system without any key at all. So it seemed to be uncrackable since there was no trusted key-keeper.
Shortly before the publication was accepted, Andrew Appel at Princeton University and Charles Strauss at Los Alamos National Laboratory published articles showing it was invertible and not anonymous in practical election situations.
http://www.cs.princeton.edu/~appel/papers/DefeatingThreeBallot.pdf
http://www.cs.princeton.edu/~appel/voting/Strauss-ThreeBallotCritique2v1.5.pdf
Imagine if that had been adopted... Sort of makes you wonder about everything RSA has touched including SSL.
The big difference is that Larry Page is still running that company, though this does remind me of Vic Gundotra.
NSA has customers? Surely not the voters
The other intelligence agencies within the government are considered "customers" of NSA products.
You guys have missed one important aspect of the RSA operation.
NSA gave RSA 10 million to weaken/break the RSA encryption that they sold to US. The "US" here means the non-NSA non-GCHQ based customers.
And spook agencies such as NSA themselves do need to encrypt their OWN secret files too, and surely they are not that stupid to use the same weakened and/or broken encryption algo on their own files.
In other words, NSA and GCHQ (and some of the "trustworthy" spooks from the other 3 countries in the "five eyes" pact) do employ RSA in their day to day encryption, but THEIR version of RSA is the unbroken/unweakened one - unlike the broken version that the RSA sold to the rest of the world.
Muchas Gracias, Señor Edward Snowden !
Well said. History is just the cognitive version of those hagiographic paintings rulers like to put up in the palace.
And as far as "Land of the Free," there's free as in speech, free as in beer, and free as in range. Americans are "free" in that final sense: "Land of the Free Range."
Hey, at least we're waking up.
"When we said 'We the People,' we didn't mean you."
You are not the only one who is sad.
I too, as an American, am very sad.
I did not vote for Obama because I could see what he is (even before he became the President in 2008 I could already see through his lies) but then the other side (actually there's no other side) the Republicans, fronted an even lousier asshole as their candidate.
That is why I voted for the 3rd party, TWICE
Muchas Gracias, Señor Edward Snowden !
You see, the easiest slave to control is one who doesn't realize he's a slave.
"Totalitarian" governments control their populations physically, with chains, clubs, physical restriction. "Democracies" control their populations mentally, with imagery, thoughts, mental restriction.
They're both the same process - one implemented in hardware, the other in software.
Some of the employees have/had a lot in stock too with restrictions on trading it. Someone I knew in RSA thought he was getting cash a while back for bringing in some of his IP from before he joined the company but it was all in stock he had to sit on all through the tech crash. When he started he was facing a "join or we sue you" situation as well.
They have/had some pretty nasty lawyers and execs in that place.
All the successful companies do U-turns to stay in business. Bill Gates did a U-turn on the Internet, Steve Jobs did a U-turn on the iPhone. IBM did several U-turns in its long history, they didn't even make computers when they were founded. And that's just U-turns, then there's acquisitions. When Larry Ellison buys Google in the next 10 years, do you think he'll have any qualms about selling peoples' data to anybody?
Google is Evil because they Built The Dataset. This data is so valuable and comprehensive, and the pioneering of the techniques to do it over and over again, ever more efficiently and cheaply, that people without scruples want it now, will want it in the future, and will eventually control it. That is certain, and you helped make it happen.
http://www.youtube.com/watch?v=l91ISfcuzDw
How sweet a victory would it have been if RSA had "accidentally" swapped said weakened & hardened encryptions, resulting in the NSA using the compromised method while the rest of the world continued to hum along as usual?
Following this. This headline is not exactly true. 1) RSA was paid 10M to make the NSA algo the default in their bSecure product. We have no direct evidence that RSA (now owned by EMC) KNEW the RNG (random number generator) in the NSA compromised algo had been compromised. This is 20/20 hindsight.
2) at the time, *some* people were suspicious generally of work done by NSA cryptographers for a variety of reasons: the NSA had fought for the Clipper Chip in the 90s; the NSA was generally hostile to strong encryption for civilians, etc. However, those opinions were countered by the majority of people who plausibly considered that the NSA had a real interest in seeing real encryption be used by US corporations etc. We now know who was right, the skeptics, but we didn't know that at the time that deal went down.
This is what's called "plausible deniability" or "cover" in intelligence circles and everywhere else now but that's the point- it IS plausible, entirely, that RSA was taking money (and not a lot to RSA) to make it the default because they believed the NSA.
Overall, at the time, the people who believed the NSA participated in encryption with the public out of a concern to see it done right were the majority.
Just keeping the story as straight as possible because what we're interested in is the truth as far as we can discern it, right?
Quoting JFK on honesty and openness in government. Maybe you should study some history.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Remember the Windows "NSA Key" flip a few years ago. You think Microsoft DIDN'T add a key for the NSA now?
What a vacuous truth! All societies inculcate their values to the next generation. The only ones who take issue with this are deluded individualists. I would strongly encourage anyone who so believes to break from the herd, to live as an island of selfdom -- to have the courage of their convictions.
The individual person is as much a meaningless abstraction as a single atom. I rest serene in the confidence that, in the absurdly chance that there is a true individualist, they will have no effect on humanity.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
> [Google] wants you to have the ability to make the choice not to provide your data. To anyone, if that's what you want.
So why did they cut the Android privacy tool? When will it be restored?
Why did they subvert the Safari privacy preference?
Why do they use supercookies when the most probable intent of a person with cookies disabled is to not be tracked?
Does Google really hold the right to choose privacy sacred? Or do they serve other masters first? Know them by their actions, not their words.
Stop-Prism.org: Opt Out of Surveillance
They're accused of sabotaging the random number generator that is used for generating keys. The net result is that what should be a random key is less random than it otherwise would be. That's not saying that it doesn't also somehow introduce some secondary key that can partially or completely decrypt the data, but whether it does or not, weakening key generation means all attackers (once they discover the flaw) benefit from the reduced entropy by being able to deduce things about the generated keys.
Check out my sci-fi/humor trilogy at PatriotsBooks.
They are suspected of weakening it in a very specific way. Their supposed backdoor uses essentially the SAME algorithm that it's advertised to use. In order for an attacker to "be able to deduce things about the generated keys" they'd need to crack the NSA key. They can break the encryption function, but to do so they first have to break the encryption function.
What NSA did was evil, but they were smart about how they did evil .
No matter what any government agency or official says about new limits regarding establishing back doors or weakened encryption in algorithms or hardware, interception of communications, analysis of meta data of US citizens communications, secretly installing root kits, etc. One must now, and forevermore, assume that they are lying. It will be outright lies (kind of hard now because they supposedly don't know all of what Snowden has passed on), partial lies, and misdirection.
It's all being done or our own good, of course.
Nate
It turns out that a coding error in SSL may have inadvertently(?) disabled the NIST/NSA recommended RNG.
http://www.theregister.co.uk/2013/12/20/openssl_crypto_bug_beneficial_sorta/
Have gnu, will travel.
> "Totalitarian" governments control their populations physically, with chains, clubs, physical restriction. "Democracies" control their populations mentally, with imagery, thoughts, mental restriction.
> They're both the same process - one implemented in hardware, the other in software.
Not only are you wrong (both types of government routinely use both types of control) but the American government uses lots of both types of control. Look at how much of our population is in prison or take a look at the reaction to a WTO protest sometime if there is any doubt.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm just not following your logic here. You say above you worked with IETF and Daniel J. Bernstein, so I have good reasons to suspect you're closer and more familiar with the details of this subject, but it seems to me that fundamentally the random number generator is an important part of the encryption math, so your statement that:
> What the NSA may have done is made it so your encrypted communications have two keys: yours and the NSA's. There is no evidence that it weakens the algorithm in any way, provided of course that NSA doesn't publish their private key.
While the cipher may be more or less exactly as advertised, the weakening of the RNG is still an important factor. If "the algorithm is not weakened in any way" is true, it's only in the strictest technical sense, and not how most people will define it. You then go on to say that NSA has simply made themselves another key in the generation process. This strikes me as being exactly backwards. Care to elaborate?
Goddammit just when I get my first +5 the Beta rolls out and kills everything
Google does not sell data, at least not in any form other than anonymized and aggregated, and not very much even that way. Google makes money from using your data itself (to target ads to you), not from selling it to others.
I believe you are naive, and buying or regurgitating the plausible denial that has been crafted by Google. Even if Google truly is that innocent in intent, they have been negligent in securing that data so that it can't be stolen from them, even if they themselves aren't selling it. My oldest brother is an engineering VP at Google. There has been some serious kool-aid drinking there and in silicon valley over the last 10 years. And it's not so much that I believe he was misinformed, but rather, secretly informed, and doing a very good job of toeing the public line which was a conspiracy to keep the public disinformed about the real state of security.
FWIW, I work for Google, on crypto security stuff, and Google does have a strong interest in proper encryption, because it's the right thing to do. It allows people to control their data. With respect to Google's business, Google would like you to choose to provide your data because you think it's a good trade for Google's services, but wants you to have the ability to make the choice not to provide your data. To anyone, if that's what you want.
Again, this is the naive line. Look at my epic saga over the past year complaining about GoogleFiber's terms of service that first "prohibited any kind of server" and now merely prohibit any kind of "commercial server". This is a conspiracy by Google, the NSA, and others, to keep the kinds of tools it would be necessary for people to secure their data at home - *as if it were their 'papers' (per 4th amendment) - out of the marketplace. Call me a kook all you want, but the idea that chilling the market for commercial home server software (open source and otherwise), is consistent with what network neutrality was designed for... I mean really. You seriously believe your employer's line? Oh, that's right, enjoy your nice fat paychecks twice a month, and don't dare 'bite the hand that feeds'. Good luck to you brother.
> The big difference is that Larry Page is still running that company
Sorry, but it was announced last year here on slashdot that the Lawyers have long since taken control. Seriously-
http://slashdot.org/comments.pl?sid=3106555&cid=41288357 (quoted entirely here-)
Posting anonymously for reasons that will be obvious.
Larry Page is really annoyed by the "no servers" clause. In an internal weekly all-hands meeting he repeatedly needled Patrick Pichette about the limitation, and pointedly reminded him that the only reason Google was able to get off the ground was because Page and Brin could use Stanford's high-speed Internet connection for free. Page wants to see great garage startups being enabled by cheap access to truly high-speed Internet. Pichette defended it saying they had no intention of trying to enforce it in general, but that it had to be there in case of serious abuse, like someone setting up a large-scale data center.
I don't think anyone really has to worry about running servers on their residential Google Fiber, as long as they're not doing anything crazy. Then again it's always possible that Page will change his mind or that the lawyers will take over the company, and the ToS is what it is. If I had Google Fiber I'd run my home server just as I do on my Comcast connection, but I'd also be prepared to look for other options if my provider complained.
They later backed off and clarified this rule, as I remembered.
The theory is that NSA has a partial private key to the RNG.
If you can crack the NSA's key, you may be able to crack the RNG.
HOWEVER, if you can crack keys, you can crack the encryption anyway.
In order to crack a key, you have to crack the RNG.
In order to crack the RNG, you have to crack the (NSA) key.
So in the end you can crack a key only if you can crack a key. Evil genius.
It DOES theoretically weaken it in one way. NSA's partial key is universal. If you crack MY key, you can read MY stuff. If you crack the NSA key, you can (maybe more easily) read EVERYONE'S stuff.
Still, you have to crack the NSA's key to get anywhere, and if you can crack keys that'd be game over anyway.
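A toy model of the escrow-style generator the posts above are arguing over (the "two keys" claim, the "reduced entropy" claim, and the "crack the NSA key and you can read EVERYONE'S stuff" point), added here as an illustration; it is not code from this thread, from RSA or from NIST. It assumes a made-up prime-order subgroup mod a small prime in place of the P-256 curve, made-up constants P_GEN, Q_GEN and TRAPDOOR_E, and the Dual EC shape of one step: r = x(sP), output = low bits of x(rQ), next state = x(rP).

```python
from typing import List, Optional, Tuple

# Constructed toy parameters (far too small for real use): a prime-order subgroup of
# Z_p^* stands in for the NIST P-256 curve, and modular exponentiation stands in for
# scalar multiplication.  Everything below is illustrative, not SP 800-90A.
P_MOD = 2039                 # safe prime p = 2q + 1
Q_ORD = 1019                 # prime order q of the subgroup
P_GEN = 4                    # "P": a generator of the order-q subgroup (quadratic residue)
TRAPDOOR_E = 123             # the escrow secret e.  In curve terms P = e*Q; here P = Q**e.
# Whoever chooses Q this way holds e; Q**e == P is the only thing the recovery needs.
Q_GEN = pow(P_GEN, pow(TRAPDOOR_E, -1, Q_ORD), P_MOD)

OUT_BITS = 8                                   # bits of each element released as output
DROPPED_BITS = P_MOD.bit_length() - OUT_BITS   # 3 bits withheld (Dual EC withholds 16 of 256)
OUT_MASK = (1 << OUT_BITS) - 1


def drbg_step(state: int) -> Tuple[int, int]:
    """One step: r = x(s*P); next state = x(r*P); output = low bits of x(r*Q)."""
    r = pow(P_GEN, state, P_MOD)
    next_state = pow(P_GEN, r, P_MOD)
    full_output = pow(Q_GEN, r, P_MOD)
    return next_state, full_output & OUT_MASK


def generate(seed: int, n: int) -> List[int]:
    """n truncated outputs from a secret seed, as the generator's honest user sees them."""
    outs, state = [], seed % Q_ORD
    for _ in range(n):
        state, out = drbg_step(state)
        outs.append(out)
    return outs


def escrow_recover_state(outputs: List[int], e: int) -> Optional[int]:
    """Holder of e recovers the state in effect right after outputs[0] was emitted.

    Guess the dropped bits of outputs[0] (only subgroup elements can be x(r*Q)), raise
    the guess to e to turn r*Q into r*P, which is the next state, and keep the guess
    whose forward run reproduces outputs[1:].  The seed's entropy is never attacked."""
    for hi in range(1 << DROPPED_BITS):
        cand = outputs[0] | (hi << OUT_BITS)
        if cand >= P_MOD or pow(cand, Q_ORD, P_MOD) != 1:
            continue                                # not a subgroup element
        state = pow(cand, e, P_MOD)                 # (Q**r)**e = (Q**e)**r = P**r
        probe, consistent = state, True
        for expected in outputs[1:]:
            probe, out = drbg_step(probe)
            if out != expected:
                consistent = False
                break
        if consistent:
            return state
    return None


def find_trapdoor(p_gen: int, q_gen: int) -> Optional[int]:
    """Without e, an attacker must solve P = Q**e for e: a discrete log.  Trivial in
    this toy group; on the real curve it is the elliptic-curve discrete log problem."""
    for k in range(1, Q_ORD):
        if pow(q_gen, k, P_MOD) == p_gen:
            return k
    return None


def demo(seed: int = 777) -> bool:
    """Observe six outputs, recover the state from the first four, predict the rest."""
    observed = generate(seed, 6)
    state = escrow_recover_state(observed[:4], TRAPDOOR_E)
    return state is not None and generate(state, 5) == observed[1:6]


if __name__ == "__main__":
    print("escrow holder predicts the victim's future output:", demo())
    print("toy trapdoor recovered by brute force:", find_trapdoor(P_GEN, Q_GEN))
```

demo() returns True: the holder of e un-truncates one output by guessing the few dropped bits, raises it to e to turn rQ into rP, and from then on knows every future output, so nothing about the seed's entropy has changed. That is why neither "reduced entropy" nor "an extra key on the ciphertext" describes it exactly: the generator is only as sound as the assumption that nobody knows the relation between P and Q, and since the standard gives no derivation for Q, that assumption rests entirely on whoever produced it. find_trapdoor shows the toy e falls to brute force; on the real curve that search is the elliptic-curve discrete log, which is what makes e one universal key rather than a weakness any attacker can exploit, and also why "crack a key" in the post above really means "learn e", not "attack the cipher".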
I wouldn't call myself an encryption expert . I've been doing information security for sixteen years. I can name a dozen people who understand this better than I do and I'd bet there are hundreds of people more knowledgeable than I on this subject.
> They later backed off and clarified this rule, as I remembered.
I spent over a year complaining to the FCC, and the Kansas Attorney General about this. To this day the FCC hasn't uttered a single sentence analysis of either my original 1000 character complaint, or the 53 page escalation-manifesto that the KS-AG threw back at them like a hot potato. The backing off came after a period of time - measured in hours - after pictures like these hit the web (children who probably don't know the issues holding picket signs)
http://crossies.com/IMAG0778.jpg
The subsequent backing off into 'no commercial servers' allowed only bolsters my arguments that the issue was from the beginning, entirely about suppressing commercial home-hosted server competition from the internet services marketplace, and nothing at all about protecting the internet with 'reasonable network management' from the inherent danger of the 'server-ness' of any particular device. The real bottom line issue has always been simple fraud about the 'no data caps' claims. There is a cap, it is just arbitrarily and selectively enforced by restricting whatever devices Google doesn't want off of its network. In this case, servers that commercially compete with the millions of servers Google has connected to its endpoints of 'the internet'.
Who at RSA knows the algorithm? That would be worth quite a bit to hackers and malware writers. Not to mention CHICANO research and development thieves of USA tech as well as military data.
Google doesn't give the NSA access.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
> Right now, Google only packages and provides (rather than sells outright) data to law enforcement.
Actually, Google doesn't do that either. It does respond to subpoenas, warrants and National Security Letters, when those documents are provided per the requirements of the law and are narrow and specific (i.e. no dragnets). See David Drummond's numerous public statements on this topic.
> you cannot seriously claim that Google won't package and sell data to ordinary customers in the future. All it takes is a decree from Larry Page, a change in policy, and it's done.
I agree, that is a valid concern. I don't believe it will happen, certainly not while Page and Brin are in charge. But it's a possibility. I'm skeptical that it could be made retroactive, but I suppose even that is a possibility.
> When Larry Ellison buys Google in the next 10 years
LOL.
> Google is Evil because they Built The Dataset. This data is so valuable and comprehensive, and the pioneering of the techniques to do it over and over again, ever more efficiently and cheaply, that people without scruples want it now, will want it in the future, and will eventually control it.
The dataset will be built, regardless. Personally, I'd much rather that it was Google doing it, because Google actually does care about user privacy. In the long term, this isn't a problem with a technological solution, it's going to require a legislative solution. Either that or we'll evolve a society that simply doesn't care about privacy (which isn't an entirely negative idea; read David Brin's "The Transparent Society"). Personally, I'm skeptical of a world that doesn't allow for personal privacy, so I think we need to address it legislatively. I don't know that we need to be quite as draconian about it as some European nations have, but their legal frameworks provide a good starting point.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
> When Larry Ellison buys Google in the next 10 years, do you think he'll have any qualms about selling peoples' data to anybody?
Oracle's market cap is currently less than half Google's. I don't see Oracle gaining a lot of ground in the next decade, or Google losing that much value. If anything, Google would acquire Oracle, rather than the other way around.
Now, there are certainly companies that are big enough to buy Google, but they're certainly few and far between.
"City hall" in German is "Rathaus" Kinda explains a few things......
Got no arguments of substance, I see.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I will simply GOST(TruePhysicalRandomSeed1,Counter) XOR 3DES(TruePhysicalRandomSeed2,Counter) XOR AES(TruePhysicalRandomSeed3,Counter) XOR Blowfish(TruePhysicalRandomSeed4,Counter)
and BE DONE WITH IT ?
It is always funny to see that supposedly "smart" people are actually incredibly complicated and less than rational.
Those are all block ciphers. You should not trust intuition when it comes to combining block ciphers and presuming the combination is intrinsically stronger. See: why 3DES but no 2DES.
Be careful when commenting on things you know nothing about, especially when punctuating with condescension. It makes you look like an idiot, even if an anonymous idiot.
Ah, that's the problem. I was viewing this as a discussion, not a contest. In a discussion it's usually preferable to make some cogent arguments, or at least state some assertions, rather than just spew snark and sarcasm. If you're looking for a contest, I'll bow out and let you find someone else, because I'm not interested.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Obvious solution : every part of your tool chain has got to be open-source, and you've got to employ a multi-nationality team who group-review everything security-related in depth.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"