TONS of supporting evidence!
by Anonymous Coward · Score: 2
Wow, there were just MOUNTAINS of supporting evidence in that story. Like, er... uh... and, uh... wait a second. No, there was NONE. This sounds to me like one of those lame paranoia articles that the nuts put up on their web pages so the internet equivalent of check-out-line aficionados can have something to talk about when the X-Files hits a commercial. Come on! Doesn't it bother anyone that there's NO supporting evidence named in this story WHATSOEVER? Not even a SHRED! Not even a "Yeah, I heard from bob that the government is stealing corporations' secrets. What's that? Bob? Oh, he works for the government. What branch? Well, actually... the post office. Yeah, I ran into him while he was putting mail into my box yesterday, and he told me." There are real issues out there, people, and this (and CPUIDs) isn't one of them!
Anonymous, and proud of it. Bite me.
Re:[nrrrf...]
by Anonymous Coward · Score: 2
I've read about this recently. Basically, the 128 bit security in most domestic browsers is crippled to 40 bits. That's the part of the story that everyone knows.
What people *don't* know is that the way this is implemented is by still performing 128 bit encryption, but supplying a "help field" which contains the remaining 88 bits of key encrypted with the NSA's public key. This means that the NSA can easily break the (for them) 40-bit encryption, but for anyone else (such as the European governments), they face the encryption full strength at 128 bit.
I'm probably a bit inaccurate on the details (I don't have a link handy), but that's the gist.
don't be so naive
by Anonymous Coward · Score: 3
For some reason I felt it necessary to log out to make this comment. Like it really matters.
They do it because the big aerospace co's make their hardware. They protect or help out these co's by telling them the European's competitor's bid, and then the US co. bids lower to get the job.
go and do a search in your favorite search engine and type in the 3 letter acronym and echelon. See what you get. Very educational.
just don't say the word echelon out loud.
but hey they're only covering "foreign" non-domestic communications right? um. uh. hmm.
Re:How about GPG instead of PGP?
by Erich · Score: 2
Naaa... Phil Zimmermann says there are no backdoors or key escrow ``features'' in PGP. It also no longer uses RSA except for backwards compatibility. PGP is exported using lots o' books of source code (with nifty checksums and stuff to aid in scanning) and is available for peer review...
What people *don't* know is that the way this is implemented is by still performing 128 bit encryption, but supplying a "help field" which contains the remaining 88 bits of key encrypted with the NSA's public key. This means that the NSA can easily break the (for them) 40-bit encryption, but for anyone else (such as the European governments), they face the encryption full strength at 128 bit.
This is demonstrably nonsense.
It's true that the way the key strength is reduced from 128 bits to 40 bits is by sending 40 bits of the key in the clear. Everything you wrote beyond that is fantasy.
Things encrypted using the exportable version of Communicator can be easily decrypted by anyone with equal ease. It really is 40 bits.
Furthermore, the article itself said:
The report offered evidence that [...] deals had been struck with Microsoft, Lotus, and Netscape to alter their products for foreign use.
Um, hello, there's no deal involved here. The only deal is that the US Government has made it illegal to export strong crypto. The deal is, alter your product to use weak crypto in the export versions, or go to jail. Everyone who hasn't been living under a rock for the last six years knows this already.
I find it amazing that the NSA would be foolish enough not to spoof its own IP address if it was gathering information for illegal purposes. They actually work in secrets. They would know about web page logs.
Something else is going on here. But I'm not paranoid enough to really care.
At the very least, I would consider it my civic duty to print out and mail a copy of this article to every one of my elected representatives.
Anyone have any luck with that "report" link? It keeps giving me a 500 Server Error.
"The number of suckers born each minute doubles every 18 months." -jafac's law
-- These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Recommendations: "secure" browsers?
by Chexum · Score: 3
A few more points to the crypto-crippled exportable "secure" browser topic: the export versions are the most easily available for most of the world, I guess even mostly in the U.S. too because of the awkward registrations to get it. You can however make Netscape at least talk stronger crypto with the help of Fortify.
Second: all these inconveniences to get a secure browser to hide your communications are mostly useless considering the fact that only sites of very commercial nature let you use https (secure http via SSL/TLS). Of course, the point is not that "they" can see what we are talking about something on slashdot. They can see what we are talking about anything on anywhere.
U.S. is still pretty much driving the internet communications, protocols, applications and implementations, and when at every point we are limited to non-encrypted traffic, the bad guys still can get the whole picture (see, the bad guys even have the habit of defining the bad guys..). It's important to do anything to get the U.S. lift those crypto controls, the regulations are not there for you! We would be in a much safer world where encryption would be ubiquitous, including even protocols like DNS, SMTP, POP3, HTTP. Maybe they would be a bit slower, but there would finally be another reason to get faster CPU's other than to run Bloatware version N+1 from MS. :)
-- "Ten years from now, they could do it in a few seconds." --
The Racketeer of the Hellfire Club, 1993, Phrack 42
Re:It's only partially "stealthy"
by Matts · Score: 2
It's true. A stealth aircraft reflects radar about as much as a duck. All you have to do is track the ducks that fly at mach 1...
perl -e 'print scalar reverse q(\)-:,hacker Perl another Just)'
How about GPG instead of PGP?
by The Mayor · Score: 3
Better use GPG instead. PGP (post v2.6.2, at least) uses RSA libraries, and probably also escrows keys with the government. GPG, on the other hand, is completely open source. It's also completely compatible with PGP.
-- --Be human.
perhaps I'm wrong, but...
by The Mayor · Score: 4
It seems that too many people watch X-Files, and are starting to confuse fact and fiction. This seems like a paraphrasing of the Echelon story run here about 1 1/2 weeks ago. That story, too, seemed designed to confuse fact and fiction (very few verifiable sources were cited).
The hardware and man hours required for this level of communications monitoring is simply too great. Besides, too many people would know about this if this were true. The secret would have gotten out long ago, and with many more verifiable sources.
Ever think that Intel & Microsoft made it through clever, strategic, and downright dirty business tactics? If Intel had illegally obtained secrets from competitors, don't you think their chips would be at least as fast as their competitors? Don't you think that you, too, could pull some pretty brutish moves if you had $20 billion cash-on-hand to use as investment capital?
Look, maybe I'm wrong. Maybe there is a huge conspiracy. However, I usually tend to believe that the simplest explanation is also usually the correct one.
I'm not trying to say that the US gov't doesn't have the ability to track any given piece of e-mail, or that they can't crack any widely used encryption scheme, or that they can't monitor any given phone conversation in most parts of the world. I'm just saying that they don't monitor *every* e-mail and/or http: request. They can't crack *every* encrypted message. They can't monitor *every* phone call simultaneously. There's simply too much to do for that to be possible. And, while the US does have some interesting technologies in its military and intelligence wings, these technologies are orders of magnitude better than what ordinary individuals and companies have access to.
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju. Yet the F-117 has tons of them. The reason is that the plane was designed in the early 70s, using commonly available technology during that time (not alien tech, as some suggest). They couldn't model curved surfaces on the supercomputers of their day! If they had access to some superior, ultra-fast technology, the F-117 would have looked more similar to the B-2. This isn't intended as definitive proof that the US doesn't have such wondrous computing & networking tech. It is merely intended to show that the US gov't, too, proceeds at the same pace as the rest of the world, albeit with a quarter step head start. The tech required to do these sorts of things is simply too great--and I therefore reject these stories as X-Files inspired paranoia (and I hope that I am correct ;-).
According to the book "Skunk Works", the mathematics for computing the radar cross-section was developed by a Soviet. Some engineer at Lockheed found it and realized its potential. When they initially built a scaled down prototype of the F-117, they had problems measuring the radar cross-section. It turns out the pole that the scaled-down prototype was attached to was returning too big of a signal. The solution was to build a stealth pole! BTW, you're correct about the pilot's head; this was a big problem. It also gives you an idea of how small the plane's radar cross-section really is; if they have to worry about some guy's head...
I recommend that one read "Skunk Works." The author (now deceased) worked there and was the head of the F-117 project. There are great sections in the book describing two other great Skunk Work projects, the U-2 and the SR-71.
Re:perhaps I'm wrong, but...
by Signal 11 · Score: 3
The hardware and man hours required for this level of communications monitoring is simply too great. Besides, too many people would know about this if this were true. The secret would have gotten out long ago, and with many more verifiable sources.
It has. More than a couple former NSA and CIA employees have come forth to explain the technology, and what's been going on. The biggest conspiracy is not that they are doing this, but that people refute the truth. They prefer a comfortable lie.
However, I usually tend to believe that the simplest explanation is also usually the correct one.
Well, the explanation is simple: Knowledge is power.
The FBI installs illegal wiretaps daily not because they can use it in court, but so that they can use that information to know when you are doing something.. and then have an agent able to spot that through legal means.
There is no huge conspiracy, only huge amounts of ignorance. The question I pose to you is - why must our government hide these things from us? What is national security... really? And why are they watching OUR communications, if it is foreign powers that they are honestly concerned about?
--
Re:perhaps I'm wrong, but...
by garrettdm · Score: 5
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju.
I realize that this is off topic, but I felt I had to respond...
The F-117, and all of its flat panels are actually based on the "hopeless diamond" design. It is a very angular geometrical shape that is completely invisible to radar. The math behind it was developed by some German scientist.
When placed in a radar test chamber, the F-117 completely disappears. In fact, one of the sticking points in the development of the F-117 was figuring out how to hide the radar cross-section of the pilot's head through the window of the plane. The solution... Coat the window with a transparent film of gold.
So, to sum up, the F-117 design was not due to lack of computing power, but rather the mathematics of stealth.
--David Garrett
-- Never attribute to malice that which can be more easily attributed to stupidity -- Hanlon's Razor
Re:perhaps I'm wrong, but...
by Big Jojo · Score: 2
You're right that searching "every" bit of traffic is too much... but in addition to the other points raised ("there is proof that they do this"), I'll just highlight that the espionage agencies have had years to develop specialized hardware to not just crack ciphers, but also do high speed pattern recognition. And yes, lots of academic research has been funded in those areas for the past decades.
That said, for the past two years I've been getting the story from folks in/around Washington DC that the spy agencies have given up on stopping crypto for purposes of national security. All the signals they really care about are too easily protected. That jives with what that report said.
The bizarre thing... is that the FBI and other law enforcement folk have recently begun muddying the waters. It's like they don't want to notice what their higher tech buddies have concluded... or maybe they just have a huge case of budget envy! Look on the bright side, if they get their wish, it's a new segment of the high tech industry.
What I found the most interesting bit in the Bernstein ruling was the observation that Fourth Amendment rights (protecting against unreasonable search and seizure) were at risk. Let it be noted that J. Edgar Hoover's organization is not noted for scrupulously obeying the law, and many folk have been noticing an alarming tendency towards very authoritarian behavior in many police departments in the United States. What would you like to bet that members of minority communities will get more hassle for using crypto than, say, WASPs?
This is news? Only because it concentrates on key escrow. It is known however that intelligence agencies are used to spy on foreign industry and to use the information to help local companies. They have to be of some use after the cold war has ended, after all.
Remember ECHELON? Was on /. a few days ago. There's a sort of funny story about that. A European (would have to look up whether it was German or Netherland) firm were sued by a US company over a patent they registered earlier. When the European company asked for the paperwork on that, they got some of their own internal fax communication that was eavesdropped. The agencies didn't even bother to remove the original company logo. IIRC the European company even lost in court...
Seems our government consists of a bunch of peeping toms. :)
Stealing industrial secrets when nobody's looking, enabling NSA "help fields" in netscape and internet explorer, advocating "secure communications" using the clipper chip, and a multi-billion dollar system dating back to the late 1960's to listen in on the phone conversations of Pamela Anderson (Located on Meredith Hill).
Shame on you! You've spent billions of taxpayer dollars to do what the Drudge Reports pump out every week.
--
Use strong crypto whether you need it or not
by lutter · Score: 5
I'm appalled by these findings. I always dismissed stories of what the spooks are listening to as totally blown out of proportion. Not any more. After reading the technical details section in the report it seems clear that the NSA so far must be ecstatic with joy over the popularity of the Internet: less pesky voice recognition, less error-prone handwriting recognition, more digital food, easy to digest, high in information content and relatively easy to filter.
I think the best way to make the spooks' life harder is for as many people as possible to use strong crypto: the more well-encrypted messages they listen to the more resources they have to dedicate to the much harder task of breaking strong crypto rather than developing strong filters.
If I were a company interested in keeping my stuff secret, I wouldn't buy any American software: the Lotus example in the report is ridiculous --- does the US government really need a convenient way of listening in on the Swiss government's internal dealings?
The only reasonable choice is Free Software. Use GPG, hit on it, beat on it, try to break it until we can believe it's reasonably secure.
Fill the Internet with encrypted noise to get the spooks sweating. It's not important if they can break your 'Happy birthday, Mom!' message; but all those encrypted 'Happy birthday' messages might keep them from reading the stuff you really don't want anybody to read.
This report is a Good Thing for a number of reasons. It documents how the NSA and our "national security state" have been joined at the hip to U.S. economic interests. It corroborates various reports over the years of state sponsored economic surveillance. It debunks that argument that key-recovery is needed for law enforcement. Lots of good stuff with the authoritative imprimatur of the EU.
But the real good news is found in both "Comint capabilities after 2000" and in "Policy issues for the European Parliament". The cost of ComInt surveillance has proven to be prohibitive - a waste of time and money. And the rise of optical fibre networks has rendered snooping methods obsolete. But best of all, "Communications intelligence organisations recognise that the long war against civil and commercial cryptography has been lost."
Finally, check out this recommendation:
Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional applications which restore the level of security to at least enjoyed by domestic US customers.
The bad news is this is a report by the Chief Geek at EU to the parliament. What are the chances that anyone other than geeks will pay any attention?
That's not the part that surprises me.
by alhaz · Score: 3
This is obviously paranoid ramblings. But that doesn't surprise me.
What surprises me here is that it doesn't seem to bother anyone that we've come to the point where nobody questions the assumption that our government isn't any more trustworthy than the latest despot-of-the-week.
It surprises me that our government accepts the fact that we've grown cynical of their sincerity, and isn't worried about it.
-- This is just like television, only you can see much further.
Picking up a gun is not the way to make your country better. Don't assume you have no power as a citizen beyond the threat of force; that should be your *last* resort. Realize that you have much more potential influence over government in the US than the average person in most other countries does over theirs. Speak to your representatives about this, because someone should.
It's about time someone said this, and now I've heard it I'll be saying it over and over myself.
Democracy has become irrelevant in the US, thanks to the entrenched power of the Pentagon, its corporate subsidiaries and other major corporations, the two major parties
The ridiculous individualist ideology which values guns and investment above community and the vote keeps those people who might do something to improve public policy in opposition to public policy *itself*, as though the only possible policy was fascism. This leaves the US's more subtle, less fascist fascists firmly in control.
But the democratic institutions themselves exist! The US is, technically, a democratic country! Never mind that the Constitution (I mean the 1796 one, not the 1779 one) crippled the independent, radical democracy of the New England states; even Madison's document, designed to let "the people who own the country... run the country" allows for 'the people' to influence decisions at the highest level.
The US polity is flawed and its government (including the unaccountable corporate elite) is fundamentally serving its own interests alone. But violence is not the way to change that.
Correct, the fact that Lotus has escrowed 24-bits of the International version of Notes is clearly documented. (Now is it so clear for Intl Netscape?)
Just a small factual correction - Lotus has had an Intl (56 bit with escrow) and North American version (with no escrow, as far as anyone knows) for many years, and the new release (R5) has not changed this at all. (R5 NA does support 128 bit SSL.)
I fail to see how 56 bits with 24 escrowed by the USG is worse than plain old 40 bit security. --
2. At the technical level, protective measures may best be focused on defeating hostile Comint activity by denying access or, where this is impractical or impossible, preventing processing of message content and associated traffic information by general use of cryptography.
5. At the present time, Internet browsers and other software used in almost every personal computer in Europe is deliberately disabled such that "secure" communications they send can, if collected, be read without difficulty by NSA. US manufacturers are compelled to make these arrangements under US export rules. A level playing field is important. Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional applications which restore the level of security to at least enjoyed by domestic US customers.
We could tell them that is already possible :)
This is quite an eye opener
by finkployd · Score: 2
I mean, if you can't trust the US government, who can you trust? :) It's called PGP, folks. Download it (illegally if necessary) and use it.
FinkPloyd
Re:This is quite an eye opener
by remande · Score: 2
No need to illegally download it. Straight PGP from NAI is available to our non-US Slashdotters (and indeed anyone outside the US) at http://www.pgpinternational.com. This is kept in the Netherlands. Code gets there via a legal loophole in the ITAR laws. Specifically, the same encryption that is illegal to export electronically can be exported as source code printed in a book. Print the book, publish it overseas, cut the pages out, scan it, compile it.
IIRC, there are "freeware" versions there for personal use only. These should only use Diffie-Hellman keys rather than RSA keys (and thus be backwards-incompatible, unable to talk to PGP 4.0 and below). Using DH rather than RSA avoids the RSA patent.
Between this and GnuPG, there are now at least two vendors for legal downloads. The NAI stuff described above is sold (with RSA and other things bolted on) as payware; I can personally vouch that it is good compared to most payware. Those who know GnuPG will be able to say if GnuPG is technically better or worse.
--
--The basis of all love is respect
I think you're probably wrong.
by BeBoxer · Score: 2
The fact that you believe that sharp corners increase radar visibility AND believe that a plane that appears to have had all smooth curves removed in favor of sharp corners is radar invisible probably means you are wrong. Nothing personal, but these two beliefs are logically inconsistent. Either the F-117 is not really a stealth aircraft, or you don't understand how sharp edges affect radar.
On a similar note, comparing the tech required to design a plane to the tech required to scan text is really apples and oranges. The first is pretty much computational fluid dynamics, and is primarily floating-point operations. It also doesn't parallelize very well due to the high I/O requirements between nodes. That's why scientists in the field still like big vector processing Crays instead of SMP machines.
On the other hand, scanning text is entirely an integer problem. It is also easy to parallelize it to a massive scale. You could do it effectively using 8088 PC's if you had to. Just pass each message or packet off to a different node, and each node has its own copy of the "dictionary" you are searching for. Easy. Note that the report does NOT claim that the NSA has been scanning phone calls for years. Only that they have been scanning text-based communications. It's really easy to build computers to scan huge amounts of text.
So, I don't think you are correct in calling the whole Echelon report "X-Files" stuff. It's quite reasonable to think that they could have built most of this thing using off-the-shelf parts. Or that they could have had custom chips built using standard processes.
Oh, and if you want a more reliable source, some of this stuff was discussed at US Congressional hearings back in the 1970's. At that time, a Congressman likened the NSA to a giant ear which was listening to the world. He also said that if that ear was turned inward, there would be nowhere to hide from it. And this was in the 1970's. If you really believe that the NSA is not sniffing and analyzing every bit of communication that it can get its hands on, you're not looking very hard because it's not really a secret. We are talking about the NSA. Spying on the electronic communications of foreign powers is their job. No one is accusing the Department of Agriculture of spying. It's the NSA. It's what they do. Why do people keep trying to pretend that the NSA isn't doing its job?
Some people dismiss news like this as being made up by loony conspiracy-theorists. Sure, a lot of the stuff you hear about the NSA is not true, but you'd be a fool to claim that it's all BS.
The NSA budget is estimated to be around 5 billion USD - that buys a shitload of hardware and bandwidth; I bet that not all of that bandwidth is used for reading /. and viewing porn. NSA employs tens of thousands of people (35000-50000); I bet they aren't all gardeners.
Here are a couple of excerpts from the NSA's about-page - "It is said that NSA is one of the largest employers of mathematicians in the United States and perhaps the world. Mathematicians at NSA contribute directly to the two missions of the Agency: they help design cipher systems that will protect the integrity of U.S. information systems while others search for weaknesses in adversaries' codes." - "The NSA/CSS is responsible for the centralized coordination, direction, and performance of highly specialized technical functions in support of U.S. Government activities to protect U.S. information systems and produce foreign intelligence information."
The document went on to detail how the agencies specifically studied Internet data. [...] it said they stored and analyzed Usenet discussions. "In the U.K., the Defence Evaluation and Research Agency maintains a 1-terabyte database containing the previous 90 days of Usenet messages."
Ha! So I guess now they know how to Make Money Fast.
-- I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
The story of the boy who cried "Wolf!"...
by Kaa · Score: 2
...should be required reading for you, my dear AC.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Having a problem?.. kinda sorta
by Kaa · Score: 2
I do have a problem with governments engaging in commercial espionage, though probably not as big as you do :). However all I've seen (this report included) is a lot of allegations, heavy hints, and FOAF (friend of the friend) stories. I have NOT seen any verifiable, hard-data-supported, smoking-gun accusations of commercial espionage against NSA/CIA/etc.
In any case, the role of national intelligence agencies is in flux following the end of the Cold War and it has been repeatedly suggested that they be used for gaining economic advantage. It has also been suggested that the Japanese, as well as Taiwan, Israel, etc. etc. have been doing this for a long time. I don't see any high moral problems here, anyway. All we are talking about are trade secrets of some corporation. The objections to economic espionage tend to be on the lines of "Gentlemen do not read other gentlemen's mail" and, unfortunately, that line of argument exhausted itself in the XIX century.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I feel the whole thing's overblown...
by Kaa · Score: 5
I don't like key escrow at all and have strong feelings about my own right to privacy. However the article in question is just fluff. Think about it: it is a report generated from the bowels of European bureaucracy which has repeatedly proved itself to be totally clueless, and has numerous axes to grind. Basically, the report says two things:
One, the US/UK/etc. intelligence agencies collect data from the world communications network. So? Does this surprise anybody? Didn't we hear about it a zillion times before? Would anybody expect any intelligence agency with proper capabilities to do otherwise? So the UK spooks have a terabyte of Usenet data. Big deal. If I had a terabyte of storage handy I could have it, too. DejaNews likely has much more. Usenet is a public forum anyway so I don't see any problems here.
Two, US intelligence agencies use intercepted data for commercial advantage of US companies. Again, this is old news. The report doesn't add any new hard data except some vague allegations that I (at least) have heard before. Airbus has been bitching about being spied upon for years by now.
In any case I don't see what this has to do with key escrow. It was a bad idea, it is a bad idea and it will stay a bad idea. *Of course* the spooks love it, but that's only to be expected and has been demonstrated numerous times before.
So I guess I don't understand what the whole noise is about.
Kaa
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Their very excuse for key escrow is full of holes
by leereyno · Score: 2
The government's claim that key escrow is needed to intercept communications between criminals isn't even plausible on the surface. Basically what they are talking about is organized crime. The people running these organizations are not stupid, otherwise it wouldn't take something like the RICO Act to put a serious crimp in their style. The mob is not going to use encryption schemes that have a backdoor that the feds can get through. Neither would any other criminal organization that had a lick of sense period. The key escrow business is intended to listen in on innocent citizens like you and me, and industries as well it would seem. The people in power who are pushing this are not serving the public from whom they derive their authority, they are serving their own interests and the interests of those with enough money to buy them. When some politician starts pushing key escrow it is nothing short of a violation of their oath of office. Some claim that they are pushing key escrow because that is what law enforcement agencies want. Well that simply shows that those agencies need to be investigated themselves. Let's not forget either that our representatives were elected to represent us, not a federal agency. The whole business is a crock and is just one more example of how messed up our country has become. Government of the people by the people for the people is in grave danger mostly because the people are complacent. Don't let government officials shove crap like this down our throats, they aren't in charge, we are. They are there because we elected them, we put them there, and there are more than a few we should yank right out. This is a free country based on the principle that the rights of the individual are more valuable to good government than the powers of the state. Someone take this soap box away from me already.....
Lee
-- Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
It is to LAUGH! - Lotus story is crap!
by
BLKMGK
·
· Score: 4
The Lotus "example" is pure unsubstantiated, poorly researched garbage!!!
I have been working with Lotus Notes since version 2 first came out, I know the product well. The entire time Lotus and now Lotus\IBM (actually IRIS) have been producing Notes the Govt. has been all over them about their encryption. The entire time Lotus has been putting out a "weaker" 40bit version of Notes to satisfy the export laws, until R5.
Now, Lotus has come up with a compromise that they had hoped would allow them to get back to having only one code stream. That solution was to escrow 24bits (believe that's right) with NSA such that they could export Notes without major changes. This has been PUBLICLY STATED BY LOTUS in at least two VERY PUBLIC conferences dedicated to Notes that I have personally attended - and probably many others I haven't. Anyone attend Euro-Lotusphere that can comment? Folks, IT WAS NO SECRET! Period - end of story - full stop. Lotus made this known! To assert otherwise is truly funny!
This story about the Swiss is pure BS - if they didn't know that 24bits were escrowed with NSA it was because they didn't ask - not the fault of Lotus is it? Is the US Govt. policy on encryption so secret that the Swiss never bothered to wonder how it was Lotus got a product "stronger" than 40bits out of the country? Come on - are they that stupid? Someone in Switzerland didn't do their homework, covering it up by saying Lotus did this in "secret" is pretty silly.
If you want really bad - look at the French version of Notes. It's WEAKER than 40bits! How, Why?! Well, it seems the French Govt. wouldn't allow them to sell Notes in their country if it wasn't this weak! Yup, R5 French is weak as wet tissue and not because Lotus wanted it this way. In a security forum hosted by Lotus they publicly stated they wouldn't use the French version no matter what - it's that weak and they hate it! But, they had to satisfy the French Govt. or not sell their product. I THINK the French version is only 24bit - I'm not positive.
Lotus is NOT a bad guy in this, stupid reporters to the contrary. Sit in on any of the security forums at Lotusphere and listen to the Lotus guys talk about how they don't think 64bit is strong enough anymore, how they intend to go 128bit or better (did R5 get this? I'm not yet using it yet), and how they do their Public Key stuff. These guys are and have been so far ahead of the X509 crap it's not even funny. These guys have had certificates for years and STILL have useful features not yet implemented in X509 (hello - cert chaining?). They did this for funsies? And then we get articles that blast Lotus for being in cahoots with the Govt or NSA? Obviously someone isn't paying attention and hasn't done any research on Lotus - their making encryption so easy to use in Notes has NOT made them the US Govt's friend by ANY stretch of the imagination!
P.S. Know what's really funny? That someone will read an article like this or the one dealing with the Swiss and take it as gospel without ever researching it. Heh, if you want to know how it all really works Lotus has a White Paper in PDF on their site that goes DEEP into the details. I'd provide an URL but it's not handy, I'm only part way through it myself but it's damned detailed. Let's see M$ put something this detailed together about Exchange or NT! (lol)
-- Build it, Drive it, Improve it! Hybridz.org
The NSA isn't responsible for everything...
by
zatz
·
· Score: 2
Hmm. Reading... They sound just a little too paranoid to me. The reason so much European traffic is going through Vienna VIRGINIA is not the NSA, or even BGP finding empty routes through the US, exactly... it's because European long distance rates are so high it's cheaper to cross the Atlantic twice!
To quote from an excellent CD by Extreme; "There are three sides to every story. Yours, mine, and the truth."
Somehow I think this "finding" is not quite accurate. Why would the US gov blow its wad on leaking confidential data to contractors to give them an advantage? The best part of having a secret is keeping it.
Intercepting international communications
Privacy Rights: Echelon and the UKUSA
just don't say the word echelon out loud.
but hey they're only covering "foreign" non-domestic communications right? um. uh. hmm.
Anyway, GPG isn't a bad idea, either.
-- Erich
Slashdot reader since 1997
This is demonstrably nonsense.
It's true that the way the key strength is reduced from 128 bits to 40 bits is by sending 40 bits of the key in the clear. Everything you wrote beyond that is fantasy.
Things encrypted using the exportable version of Communicator can be easily decrypted by anyone with equal ease. It really is 40 bits.
Furthermore, the article itself said:
Um, hello, there's no deal involved here. The only deal is that the US Government has made it illegal to export strong crypto. The deal is, alter your product to use weak crypto in the export versions, or go to jail. Everyone who hasn't been living under a rock for the last six years knows this already.
So Rob, how often does the NSA send a bot to /.?
I find it amazing that the NSA would be foolish enough not to spoof its own IP address if it was gathering information for illegal purposes. They actually work in secrets. They would know about web page logs.
Something else is going on here. But I'm not paranoid enough to really care.
At the very least, I would consider it my civic duty to print out and mail a copy of this article to every one of my elected representatives.
Anyone have any luck with that "report" link? It keeps giving me a 500 Server Error.
"The number of suckers born each minute doubles every 18 months."
-jafac's law
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Second: all these inconveniences to get a secure browser to hide your communications are mostly useless considering the fact that only sites of very commercial nature let you use https (secure http via SSL/TLS). Of course, the point is not that "they" can see what we are talking about something on slashdot. They can see what we are talking about anything on anywhere.
U.S. is still pretty much driving the internet communications, protocols, applications and implementations, and when at every point we are limited to non-encrypted traffic, the bad guys still can get the whole picture (see, the bad guys even have the habit of defining the bad guys..). It's important to do anything to get the U.S. to lift those crypto controls, the regulations are not there for you! We would be in a much safer world where encryption would be ubiquitous, including even protocols like DNS, SMTP, POP3, HTTP. Maybe they would be a bit slower, but there would finally be another reason to get faster CPU's other than to run Bloatware version N+1 from MS. :)
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
It's true. A stealth aircraft reflects radar about as much as a duck. All you have to do is track the ducks that fly at mach 1...
perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
Matt. Want XML + Apache + Stylesheets? Get AxKit.
Better use GPG instead. PGP (post v2.6.2, at least) uses RSA libraries, and probably also escrows keys with the government. GPG, on the other hand, is completely open source. It's also completely compatible with PGP.
--Be human.
It seems that too many people watch X-Files, and are starting to confuse fact and fiction. This seems like a paraphrasing of the Echelon story run here about 1 1/2 weeks ago. That story, too, seemed designed to confuse fact and fiction (very few verifiable sources were cited).
;-).
The hardware and man hours required for this level of communications monitoring is simply too great. Besides, too many people would know about this if this were true. The secret would have gotten out long ago, and with many more verifiable sources.
Ever think that Intel & Microsoft made it through clever, strategic, and downright dirty business tactics? If Intel had illegally obtained secrets from competitors, don't you think their chips would be at least as fast as their competitors? Don't you think that you, too, could pull some pretty brutish moves if you had $20 billion cash-on-hand to use as investment capital?
Look, maybe I'm wrong. Maybe there is a huge conspiracy. However, I usually tend to believe that the simplest explanation is also usually the correct one.
I'm not trying to say that the US gov't doesn't have the ability to track any given piece of e-mail, or that they can't crack any widely used encryption scheme, or that they can't monitor any given phone conversation in most parts of the world. I'm just saying that they don't monitor *every* e-mail and/or http: request. They can't crack *every* encrypted message. They can't monitor *every* phone call simultaneously. There's simply too much to do for that to be possible. And, while the US does have some interesting technologies in its military and intelligence wings, these technologies are orders of magnitude better than what ordinary individuals and companies have access to.
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju. Yet the F-117 has tons of them. The reason is that the plane was designed in the early 70s, using commonly available technology during that time (not alien tech, as some suggest). They couldn't model curved surfaces on the supercomputers of their day! If they had access to some superior, ultra-fast technology, the F-117 would have looked more similar to the B-2. This isn't intended as definitive proof that the US doesn't have such wondrous computing & networking tech. It is merely intended to show that the US gov't, too, proceeds at the same pace as the rest of the world, albeit with a quarter step head start. The tech required to do these sorts of things is simply too great--and I therefore reject these stories as X-Files inspired paranoia (and I hope that I am correct
--Be human.
This is news? Only because it concentrates on key escrow. It is known however that intelligence agencies are used to spy on foreign industry and to use the information to help local companies. They have to be of some use after the cold war has ended, after all.
Remember ECHELON? Was on /. a few days ago. There's a sort of funny story about that. A European (would have to look up whether it was German or Netherland) firm were sued by a US company over a patent they registered earlier. When the European company asked for the paperwork on that, they got some of their own internal fax communication that was eavesdropped. The agencies didn't even bother to remove the original company logo. IIRC the European company even lost in court...
Seems our government consists of a bunch of peeping toms. :)
Stealing industrial secrets when nobody's looking, enabling NSA "help fields" in netscape and internet explorer, advocating "secure communications" using the clipper chip, and a multi-billion dollar system dating back to the late 1960's to listen in on the phone conversations of Pamela Anderson (Located on Meredith Hill).
Shame on you! You've spent billions of taxpayer dollars to do what the Drudge Reports pump out every week.
--
I'm appalled by these findings. I always dismissed stories of what the spooks are listening to as totally blown out of proportion. Not any more. After reading the technical details section in the report it seems clear that the NSA so far must be ecstatic with joy over the popularity of the Internet: less pesky voice recognition, less error-prone handwriting recognition, more digital food, easy to digest, high in information content and relatively easy to filter.
I think the best way to make the spooks' life harder is for as many people as possible to use strong crypto: the more well-encrypted messages they listen to the more resources they have to dedicate to the much harder task of breaking strong crypto rather than developing strong filters.
If I were a company interested in keeping my stuff secret, I wouldn't buy any American software: the Lotus example in the report is ridiculous --- does the US government really need a convenient way of listening in on the Swiss government's internal dealings?
The only reasonable choice is Free Software. Use GPG, hit on it, beat on it, try to break it until we can believe it's reasonably secure.
Fill the Internet with encrypted noise to get the spooks sweating. It's not important if they can break your 'Happy birthday, Mom!' message; but all those encrypted 'Happy birthday' messages might keep them from reading the stuff you really don't want anybody to read.
This report is a Good Thing for a number of reasons. It documents how the NSA and our "national security state" have been joined at the hip to U.S. economic interests. It corroborates various reports over the years of state sponsored economic surveillance. It debunks that argument that key-recovery is needed for law enforcement. Lots of good stuff with the authoritative imprimatur of the EU.
But the real good news is found in both "Comint capabilities after 2000" and in "Policy issues for the European Parliament". The cost of ComInt surveillance has proven to be prohibitive - a waste of time and money. And the rise of optical fibre networks has rendered snooping methods obsolete. But best of all, "Communications intelligence organisations recognise that the long war against civil and commercial cryptography has been lost."
Finally, check out this recommendation:
The bad news is this is a report by the Chief Geek at EU to the parliament. What are the chances that anyone other than geeks will pay any attention?
This is obviously paranoid ramblings. But that doesn't surprise me.
What surprises me here is that it doesn't seem to bother anyone that we've come to the point where nobody questions the assumption that our government isn't any more trustworthy than the latest despot-of-the-week.
It surprises me that our government accepts the fact that we've grown cynical of their sincerity, and isn't worried about it.
This is just like television, only you can see much further.
Picking up a gun is not the way to make your country better. Don't assume you have no power as a citizen beyond the threat of force; that should be your *last* resort. Realize that you have much more potential influence over government in the US than the average person in most other countries does over theirs. Speak to your representatives about this, because someone should.
It's about time someone said this, and now I've heard it I'll be saying it over and over myself.
Democracy has become irrelevant in the US, thanks to the entrenched power of the Pentagon, its corporate subsidiaries and other major corporations, the two major parties
The ridiculous individualist ideology which values guns and investment above community and the vote keeps those people who might do something to improve public policy in opposition to public policy *itself*, as though the only possible policy was fascism. This leaves the US's more subtle, less fascist fascists firmly in control.
But the democratic institutions themselves exist! The US is, technically, a democratic country! Never mind that the Constitution (I mean the 1796 one, not the 1779 one) crippled the independent, radical democracy of the New England states; even Madison's document, designed to let "the people who own the country ... run the country" allows for 'the people' to influence decisions at the highest level.
The US polity is flawed and its government (including the unaccountable corporate elite) is fundamentally serving its own interests alone. But violence is not the way to change that.
Thanks.
J
Correct, the fact that Lotus has escrowed 24-bits of the International version of Notes is clearly documented. (Now is it so clear for Intl Netscape?)
Just a small factual correction - Lotus has had an Intl (56 bit with escrow) and North American version (with no escrow, as far as anyone knows) for many years, and the new release (R5) has not changed this at all. (R5 NA does support 128 bit SSL.)
I fail to see how 56 bits with 24 escrowed by the USG is worse than plain old 40 bit security.
--
Business. Numbers. Money. People. Computer World.
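The arithmetic behind the "help field" and 24-bit escrow arrangements discussed in the comments above, as an added example that is not part of the thread or any vendor's code: a toy model in which the high bits of a session key travel encrypted to an escrow key. The stream cipher, the toy RSA key, the `HEADER` marker and all function names are assumptions for illustration, and the key sizes are scaled down so both searches finish instantly.

```python
"""Toy model of a key-escrow "help field" (constructed example, not product code)."""
import hashlib
import secrets

# Toy RSA key pair for the escrow agent, built from two Mersenne primes.
# Assumption for illustration only: far too small and padded ad hoc.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the escrow agent

HEADER = b"NOTES-V1"  # constructed known-plaintext prefix that marks a correct key


def keystream(key, key_bits, length):
    """SHA-256 in counter mode as a stand-in stream cipher (not any vendor's cipher)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, key_bits, data):
    """Encrypt or decrypt by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, key_bits, len(data))))


def seal(message, key_bits, escrow_bits, key=None):
    """Encrypt under a full-length key; attach the high key bits as a help field."""
    if escrow_bits > 40:
        raise ValueError("toy RSA modulus is too small for this many escrowed bits")
    if key is None:
        key = secrets.randbits(key_bits)
    high = key >> (key_bits - escrow_bits)
    pad = secrets.randbits(48)  # random padding so equal key bits give different fields
    return {
        "key_bits": key_bits,
        "escrow_bits": escrow_bits,
        "ciphertext": xor_crypt(key, key_bits, HEADER + message),
        "help_field": pow((pad << escrow_bits) | high, E, N),
    }


def escrow_open(packet):
    """Escrow agent only: decrypt the help field, return the escrowed high key bits."""
    return pow(packet["help_field"], D, N) & ((1 << packet["escrow_bits"]) - 1)


def search(packet, known_high=None):
    """Exhaustive key search over the unknown bits; returns (key, trial_count)."""
    key_bits = packet["key_bits"]
    low_bits = key_bits - packet["escrow_bits"]
    if known_high is None:
        candidates = range(1 << key_bits)  # no escrow key: every bit is unknown
    else:
        start = known_high << low_bits     # escrow agent: only the low bits remain
        candidates = range(start, start + (1 << low_bits))
    prefix = packet["ciphertext"][:len(HEADER)]
    for trials, candidate in enumerate(candidates, 1):
        if xor_crypt(candidate, key_bits, prefix) == HEADER:
            return candidate, trials
    raise ValueError("key not found")


def worst_case_trials(key_bits, escrow_bits):
    """Worst-case trial counts: (party without the escrow key, escrow agent)."""
    return 1 << key_bits, 1 << (key_bits - escrow_bits)


if __name__ == "__main__":
    # Scaled-down sizes: 16-bit key with 6 bits escrowed.
    packet = seal(b"constructed sample message", key_bits=16, escrow_bits=6)
    agent_key, agent_trials = search(packet, known_high=escrow_open(packet))
    other_key, other_trials = search(packet)
    print(f"escrow agent: key {agent_key:#06x} after {agent_trials} trials")
    print(f"anyone else:  key {other_key:#06x} after {other_trials} trials")
    # Sizes quoted in the thread: 56 bits with 24 escrowed, 128 bits with 88 escrowed.
    for key_bits, escrow_bits in ((56, 24), (128, 88)):
        outsider, agent = worst_case_trials(key_bits, escrow_bits)
        print(f"{key_bits}/{escrow_bits}: outsider 2^{outsider.bit_length() - 1}, "
              f"agent 2^{agent.bit_length() - 1}")
```

The escrow agent's search space shrinks by exactly the number of escrowed bits, while a party without the escrow private key still faces the full key length.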
The complete report has some nice recommendations. Such as:
:)
2. At the technical level, protective measures may best be focused on defeating hostile Comint activity by denying access or, where this is impractical or impossible, preventing processing of message content and associated traffic information by general use of cryptography.
5. At the present time, Internet browsers and other software used in almost every personal computer in Europe is deliberately disabled such that "secure" communications they send can, if collected, be read without difficulty by NSA. US manufacturers are compelled to make these arrangements under US export rules. A level playing field is important. Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional applications which restore the level of security to at least enjoyed by domestic US customers.
We could tell them that is already possible
I mean, if you can't trust the US government, who can you trust? :)
It's called PGP, folks. Download it (illegally if necessary) and use it.
FinkPloyd
The fact that you believe that sharp corners increase radar visibility AND believe that a plane that appears to have had all smooth curves removed in favor of sharp corners is radar invisible probably means you are wrong. Nothing personal, but these two beliefs are logically inconsistent. Either the F-117 is not really a stealth aircraft, or you don't understand how sharp edges affect radar.
On a similar note, comparing the tech required to design a plane to the tech required to scan text is really apples and oranges. The first is pretty much computation fluid dynamics, and is primarily floating-point operations. It also doesn't parallelize very well due to the high I/O requirements between nodes. That's why scientists in the field still like big vector processing Crays instead of SMP machines.
On the other hand, scanning text is entirely an integer problem. It is also easy to parallelize it to a massive scale. You could do it effectively using 8088 PC's if you had to. Just pass each message or packet off to a different node, and each node has its own copy of the "dictionary" you are searching for. Easy. Note that the report does NOT claim that the NSA has been scanning phone calls for years. Only that they have been scanning text-based communications. It's really easy to build computers to scan huge amounts of text.
So, I don't think you are correct in calling the whole Echelon report "X-Files" stuff. It's quite reasonable to think that they could have built most of this thing using off-the-shelf parts. Or that they could have had custom chips built using standard processes.
Oh, and if you want a more reliable source, some of this stuff was discussed at US Congressional hearings back in the 1970's. At that time, a Congressman likened the NSA to a giant ear which was listening to the world. He also said that if that ear was turned inward, there would be nowhere to hide from it. And this was in the 1970's. If you really believe that the NSA is not sniffing and analyzing every bit of communication that it can get its hands on, you're not looking very hard because it's not really a secret. We are talking about the NSA. Spying on the electronic communications of foreign powers is their job. No one is accusing the Department of Agriculture of spying. It's the NSA. It's what they do. Why do people keep trying to pretend that the NSA isn't doing its job?
Some people dismiss news like this as being made up by loony conspiracy-theorists. Sure, a lot of the stuff you hear about the NSA is not true, but you'd be a fool to claim that it's all BS.
The NSA budget is estimated to be around 5 billion USD - that buys a shitload of hardware and bandwidth, I bet not all of that bandwidth is used for reading /. and viewing porn. NSA employs tens of thousands of people (35000-50000), I bet they aren't all gardeners.
Here are a couple of excerpts from the NSA's about-page
- "It is said that NSA is one of the largest employers of mathematicians in the United States and perhaps the world. Mathematicians at NSA contribute directly to the two missions of the Agency: they help design cipher systems that will protect the integrity of U.S. information systems while others search for weaknesses in adversaries' codes."
- "The NSA/CSS is responsible for the centralized coordination, direction, and performance of highly specialized technical functions in support of U.S. Government activities to protect U.S. information systems and produce foreign intelligence information."
Now, what do you think the NSA does?
The document went on to detail how the agencies specifically studied Internet data. [...] it said they stored and analyzed Usenet discussions. "In the U.K., the Defence Evaluation and Research Agency maintains a 1-terabyte database containing the previous 90 days of Usenet messages."
Ha! So I guess now they know how to Make Money Fast.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
UK readers might be interested in going to the http://www.stand.org.uk website and "@dopting" their local MP, especially if your MP is currently in the list of unadopted MP's.
...should be required reading for you, my dear AC.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I do have a problem with governments engaging in commercial espionage, though probably not as big as you do :). However all I've seen (this report included) is a lot of allegations, heavy hints, and FOAF (friend of the friend) stories. I have NOT seen any verifiable, hard-data-supported, smoking-gun accusations of commercial espionage against NSA/CIA/etc.
In any case, the role of national intelligence agencies is in flux following the end of the Cold War and it has been repeatedly suggested that they be used for gaining economic advantage. It has also been suggested that the Japanese, as well as Taiwan, Israel, etc. etc. have been doing this for a long time. I don't see any high moral problems here, anyway. All we are talking about are trade secrets of some corporation. The objections to economic espionage tend to be on the lines of "Gentlemen do not read other gentlemen's mail" and, unfortunately, that line of argument exhausted itself in the XIX century.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
I don't like key escrow at all and have strong feelings about my own right to privacy. However the article in question is just fluff. Think about it: it is a report generated from the bowels of European bureaucracy which has repeatedly proved itself to be totally clueless, and has numerous axes to grind. Basically, the report says two things:
One, the US/UK/etc. intelligence agencies collect data from the world communications network. So? Does this surprise anybody? Didn't we hear about it a zillion times before? Would anybody expect any intelligence agency with proper capabilities to do otherwise? So the UK spooks have a terabyte of Usenet data. Big deal. If I had a terabyte of storage handy I could have it, too. DejaNews likely has much more. Usenet is a public forum anyway so I don't see any problems here.
Two, US intelligence agencies use intercepted data for commercial advantage of US companies. Again, this is old news. The report doesn't add any new hard data except some vague allegations that I (at least) have heard before. Airbus has been bitching about being spied upon for years by now.
In any case I don't see what this has to do with key escrow. It was a bad idea, it is a bad idea and it will stay a bad idea. *Of course* the spooks love it, but that's only to be expected and has been demonstrated numerous times before.
So I guess I don't understand what the whole noise is about.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Java: the COBOL of the new millennium.
The one in the TechWeb article is slightly mangled... if you didn't figure it out, try this.
Check out the May 1999 STOA newsletter for a very quick summary (scroll down a bit). None of it is US authored, AFAICT.
Java: the COBOL of the new millennium.