NSA Targeted 'The Two Leading' Encryption Chips (theintercept.com)
Advocatus Diaboli sends a report from Glenn Greenwald at The Intercept about the NSA's efforts to subvert encryption. Back in 2013, several major publications reported that the NSA was able to crack encryption surrounding commerce and banking systems. Their reports did not identify which specific technology was affected. The recent backdoor found in Juniper systems has caused the journalists involved to un-redact a particular passage from the Snowden documents indicating the NSA targeted the "two leading encryption chips" in their attempts to compromise encryption.
Quoting:
The reference to "the two leading encryption chips" provides some hints, but no definitive proof, as to which ones were successfully targeted. Matthew Green, a cryptography expert at Johns Hopkins, declined to speculate on which companies this might reference. But he said that "the damage has already been done. From what I've heard, many foreign purchasers have already begun to look at all U.S.-manufactured encryption technology with a much more skeptical eye as a result of what the NSA has done. That's too bad, because I suspect only a minority of products have been compromised this way."
Not really.
It hasn't been their job to insert backdoors into their own and existing systems worldwide, really. Not even the early codebreakers did that kind of thing.
It's their job to produce foreign signals intelligence, yes, but backdooring every piece of hardware in the country doesn't achieve that. All that achieves is compromise of people who were trusting US hardware already. For example, their allies.
All they've done is hurt their other core purpose - the national security of the US - and significantly damage their country's economy in a few specific areas.
Spying is not about having backdoors in hardware you produce in your own country. It's about getting those into foreign countries, foreign hardware, and about defeating encryptions that you're NOT already in control of.
Literally, a signed court order saying that Cisco/Juniper has to put in a backdoor for US intelligence into products X, Y, Z achieves this aim in the same way. With non-disclosure clauses, it's as secret. That's not what the NSA should be wasting their time on, if that's even what the US want to do.
This.
One of the NSA's mandates is signals intelligence. Another is information assurance, i.e. making sure our communications infrastructure is secure. Inserting backdoors in crypto hardware represents a pyrrhic victory for the first, and a complete disaster for the second.
The one thing that advocates for crypto backdoors completely fail to understand is that what you gain from the ability to monitor traffic comes at an enormous cost, which is the introduction of a systemic flaw in our entire information infrastructure, which could potentially have catastrophic consequences. The best reason to oppose backdoors is not because "privacy" or "freedom" (although those may indeed be sufficient), but because backdoors combat a nuisance by making us vulnerable to a truly existential threat.
And yet with the proper processing, either drum can be turned into clean, safe drinking water. That's why to some extent, none of this matters. You can use all the compromised leaky back-doored broken products that you want (this is what you're doing anyway, every time you communicate over the Internet, where your packets are routed through other people's systems), provided that all the data that these products ever see, is your cyphertext.
That's hard to do with a phone (you're not going to "tunnel through" the microphone and speaker) but nevertheless in a lot of cases, it's pretty easy.
Someone says you have to use their VPN? Fine. Your VPN software ought to be able to tunnel through their VPN just fine.
Government forces you to use encryption software that also encrypts the session key with their public key? No problem. Let them decrypt that data, revealing the cyphertext that you previously encrypted before exposing it to their ridiculous pre-broken system.
GooMicrapple's DropPlan backup system is just fine for backing up your already-GPG-encrypted files, as long as you have a convenient way to run their shitty proprietary backup client since they don't use standard protocols? Oh, it's not convenient? Well, pretend it were convenient: of course you could use it. You just wouldn't trust it.
When it comes down to how you decide what to trust, nothing is changing at all. You-twenty-years-ago would advise 2016-you: if you built it and understand it, you can probably trust it. If someone unaccountable provided it for you, then obviously you don't trust it. You can still use it, though.