Slashdot Mirror
U.S. Using Key Escrow To Steal Secrets?
Anonymous Coward writes "US/UK stealing industrial secrets?
Report: U.S. Uses Key Escrow To Steal Secrets "
Report: U.S. Uses Key Escrow To Steal Secrets "
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
They do it because the big aerospace co's make their hardware. They protect or help out these co's by telling them the European's competitor's bid, and then the US co. bids lower to get the job.
Intercepting international communications
Privacy Rights: Echelon and the UKUSA
go and do a search in your favorite search engine and type in the 3 letter acronym and echelon. See what you get. Very educational.
just don't say the word echelon out loud.
but hey they're only covering "foreign" non-domestic communications right? um. uh. hmm.
This is demonstrably nonsense.
It's true that the way the key strength is reduced from 128 bits to 40 bits is by sending 40 bits of the key in the clear. Everything you wrote beyond that is fantasy.
Things encrypted using the exportable version of Communicator can be easily decrypted by anyone with equal ease. It really is 40 bits.
Furthermore, the article itself said:
Um, hello, there's no deal involved here. The only deal is that the US Government has made it illegal to export strong crypto. The deal is, alter your product to use weak crypto in the export versions, or go to jail. Everyone who hasn't been living under a rock for the last six years knows this already.
Second: all these inconveniences to get a secure browser to hide your communications are mostly useless considering the fact that only sites of very commercial nature let you use https (secure http via SSL/TLS). Of course, the point is not that "they" can see what we are talking about something on slashdot. They can see what we are talking about anything on anywhere.
U.S. is still pretty much driving the internet communications, protocols, applications and implementations, and when at every point we are limited to non-encrypted traffic, the bad guys still can get the whole picture (see, the bad guys even have the habit of defining the bad guys..). It's important do anything to get the U.S. lift those crypto controls, the regulations are not there for you! We would be in a much safer world where encryption would be ubiquitious, including even protocols like DNS, SMTP, POP3, HTTP. Maybe they would be a bit slower, but there would finally be another reason to get faster CPU's other than to run Bloatware version N+1 from MS. :)
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
Better use GPG instead. PGP (post v2.6.2, at least) uses RSA libraries, and probably also escrows keys with the government. GPG, on the other hand, is completely open source. It's also completely compatible with PGP.
--Be human.
It seems that too many people watch X-Files, and are starting to confuse fact and fiction. This seems like a paraphrasing of the Echelon story run here about 1 1/2 weeks ago. That story, too, seemed design to confuse fact and fiction (very few verfiable sources were cited).
;-).
The hardware and man hours required for this level of communications monitoring is simply too great. Besides, too many people would know about this if this were true. The secret would have gotten out long ago, and with many more verifiable sources.
Ever think that Intel & Microsoft made it through clever, strategic, and downright dirty business tactics? If Intel had illegally obtained secrets from competitors, don't you think their chips would be at least as fast as their competitors? Don't you think that you, too, could do pull some pretty brutish moves if you had $20 billion cash-on-hand to use as investment capital?
Look, maybe I'm wrong. Maybe there is a huge conspiracy. However, I usually tend to believe that the simplest explanation is also usually the correct one.
I'm not trying to say that the US gov't doesn't have the ability to track any given piece of e-mail, or that they can't crack any widely used encryption scheme, or that they can't monitor any given phone conversation in most parts of the world. I'm just saying that they don't monitor *every* e-mail and/or http: request. They can't crack *every* encrypted message. They can't monitor *every* phone call simultaneously. There's simply too much to do for that to be possible. And, while the US does have some interesting technologies in its military and intelligence wings, these technologies are orders of magnitude better than what ordinary individuals and companies have access to.
Ever wonder why the F-117 (the "stealth fighter") is composed of flat panels, all at odd angles? For purposes of stealth aircraft, corners are bad ju-ju. Yet the F-117 has tons of them. The reason is that the plane was designed in the early 70s, using commonly available technology during that time (not alien tech, as some suggest). They couldn't model curved surfaces on the supercomputers of their day! If they had access to some superior, ultra-fast technology, the F-117 would have looked more similar to the B-2. This isn't intended as definative proof that the US doesn't have such wonderous computing & networking tech. It is merely intended to show that the US gov't, too, proceeds at the same pace as the rest of the world, albeit with a quarter step head start. The tech required to do these sorts of things is simply too great--and I therefore reject these stories as X-Files inspired paranoia (and I hope that I am correct
--Be human.
Seems our government consists of a bunch of peeping toms. :)
Stealing industrial secrets when nobody's looking, enabling NSA "help fields" in netscape and internet explorer, advocating "secure communications" using the clipper chip, and a multi-billion dollar system dating back to the late 1960's to listen in on the phone conversations of Pamela Anderson (Located on Meredith Hill).
Shame on you! You've spent billions of taxpayer dollars to do do what the Drudge Reports pump out every week.
--
I'm appalled by these findings. I always dismissed stories of what the spooks are listening to as totally blown out of proportion. Not any more. After reading the technical details section in the report it seems clear that the NSA so far must be ecstatic with joy over the popularity of the Internet: less pesky voice recognition, less error-prone handwriting recognition, more digital food, easy to digest, high in information content and relatively easy to filter.
I think the best way to make the spooks life harder is for as many people as possible to use strong crypto: the more well-encrypted messages they listen to the more resources they have to dedicate to the much harder task of breaking strong crypto rather than developing strong filters.
If I were a company interested in keeping my stuff secret, I wouldn't buy any American software: the Lotus example in the report is ridiculous --- does the US government really need a convenient way of listening in on the Swiss governments internal dealings ?
The only reasonable choice is Free Software. Use GPG, hit on it, beat on it, try to break it until we can believe it's reasonably secure.
Fill the Internet with encrypted noise to get the spooks sweating. It's not important if they can break your 'Happy birthday, Mom!' message; but all those encrypted 'Happy birthday' messages might keep them from reading the stuff you really don't want anybody to read.
This report is a Good Thing for a number of reasons. It documents how the NSA and our "national security state" have been joined at the hip to U.S. economic interests. It corroborates various reports over the years of state sponsored economic surveillance. It debunks that argument that key-recovery is needed for law enforcement. Lots of good stuff with the authoratative imprimateur of the EU.
But the real good news is found in both " Comint capabilities after 2000" and in " Policy issues for the European Parliament". The cost of ComInt surveillance has proven to be prohibitive - a waste of time and money. And the rise of optical fibre networks has rendered snooping methods obsolete. But best of all, "Communications intelligence organisations recognise that the long war against civil and commercial cryptography has been lost."
Finally, check out this recommendation:
The bad news is this is a report by the Chief Geek at EU to the parliament. What are the chances that anyone other than geeks will pay any attention?This is obviously paranoid ramblings. But that doesn't surprise me.
What surprises me here is that it doesn't seem to bother anyone that we've come to the point where nobody questions the assumption that our government isn't any more trustworthy than the latest despot-of-the-week.
It surprises me that our government accepts the fact that we've grown cynical of their sincerity, and isn't worried about it.
This is just like television, only you can see much further.
The complete report has some nice recommendations. Such as:
:)
2. At the technical level, protective measures may best be focused on defeating hostile Comint activity by denying access or, where this is impractical or impossible, preventing processing of message content and associated traffic information by general use of cryptography.
5. At the present time, Internet browsers and other software used in almost every personal computer in Europe is deliberately disabled such that "secure" communications they send can, if collected, be read without difficulty by NSA. US manufacturers are compelled to make these arrangements under US export rules. A level playing field is important. Consideration could be given to a countermeasure whereby, if systems with disabled cryptographic systems are sold outside the United States, they should be required to conform to an "open standard" such that third parties and other nations may provide additional
applications which restore the level of security to at least enjoyed by domestic US customers.
We could tell them that is already possible
Some people dismiss news like this as being made up by loony conspiracy-theorists. Sure, a lot of the stuff you hear about the NSA is not true, but you'd be fool to claim that it's all BS.
/. and viewing porn. NSA employs ten's of thousands of people (35000-50000), i bet they aren't all gardeners.
The NSA budget is estimated to be around 5 billion USD - that buys a shitload hardware and bandwith, i bet the not all of that bandwith is used for reading
Here a couple of excerpts from the NSA's about-page
- "It is said that NSA is one of the largest employers of mathematicians in the United States and perhaps the world. Mathematicians at NSA contribute directly to the two missions of the Agency: they help design cipher systems that will protect the integrity of U.S. information systems while others search for weaknesses in adversaries' codes."
- "The NSA/CSS is responsible for the centralized coordination, direction, and performance of highly specialized technical functions in support of U.S. Government activities to protect U.S. information systems and produce foreign intelligence information."
Now, what do you think the NSA does?
The document went on to detail how the agencies specifically studied Internet data. [...] it said they stored and analyzed Usenet discussions. "In the U.K., the Defence Evaluation and Research Agency maintains a 1-terabyte database containing the previous 90 days of Usenet messages."
Ha! So I guess now they know how to Make Money Fast.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
I don't like key escrow at all and have strong feelings about my own right to privacy. However the article in question is just fluff. Think about it: it is a report generated from the bowels of European bureacracy which has repeatedly proved itself to be totally clueless, and has numerous axes to grind. Basically, the report says two things:
One, the US/UK/etc. intelligence agencies collect data from the world communications network. So? Does this surprise anybody? Didn't we hear about it a zillion times before? Would anybody expect any intelligence agency with proper capabilities to do otherwise? So the UK spooks have a terabyte of Usenet data. Big deal. If I had a terabyte of storage handy I could have it, too. DejaNews likely has much more. Usenet is public forum anyway so I don't see any problems here.
Two, US intelligence agencies use intercepted data for commercial advantage of US companies. Again, this is old news. The report doesn't add any new hard data except some vague allegations that I (at least) have heard before. Airbus has been bitching about being spied upon for years by now.
In any case I don't see what this has to do with key escrow. It was a bad idea, it is a bad idea and it will stay a bad idea. *Of course* the spooks love it, but that's only to be expected and has been demonstrated numerous times before.
So I guess I don't understand what the whole noise is about.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
The Lotus "example" is pure unsubstatianted, poorly researched garbage!!!
I have been working with Lotus Notes since version 2 first came out, I know the product well. The entire time Lotus and now Lotus\IBM (actually IRIS) have been producing Notes the Govt. has been all over them about their encryption. The entire time Lotus has been putting out a "weaker" 40bit version of Notes to satisfy the export laws, until R5.
Now, Lotus has come up with a compromise that they had hoped would allow them to get back to having only one code stream. That solution was to escrow 24bits (believe that's right) with NSA such that they could export Notes without major changes. This has been PUBLICLY STATED BY LOTUS in at least two VERY PUBLIC conferences dedicated to Notes that I have personally attended - and probably many others I haven't. Anyone attend Euro-Lotusphere that can comment? Folks, IT WAS NO SECRET! Period - end of story - full stop. Lotus made this known! To assert otherwise is truly funny!
This story about the Swiss is pure BS - if they didn't know that 24bits were escrowed with NSA it was because they didn't ask - not the fault of Lotus is it? Is the US Govt. policy on encryption so secret that the Swiss never bothered to wonder how it was Lotus got a product "stronger" than 40bits out of the country? Come on - are they that stupid? Someone in Switzerland didn't do their homework, covering it up by saying Lotus did this in "secret" is pretty silly.
If you want really bad - look at the French version of Notes. It's WEAKER than 40bits! How, Why?! Well, it seems the French Govt. wouldn't allow them to sell Notes in their country if it wasn't this weak! Yup, R5 French is weak as wet tissue and not because Lotus wanted it this way. In a security forum hosted by Lotus they publicly stated they wouldn't use the French version no matter what - it's that weak and they hate it! But, they had to satisfy the French Govt. or not sell their product. I THINK the French version is only 24bit - I'm not positive.
Lotus is NOT a bad guy in this, stupid reporters to the contrary. Sit in on any of the security forums at Lotusphere and listen to the Lotus guys talk about how they don't think 64bit is strong enough anymore, how they intend to go 128bit or better (did R5 get this? I'm not yet using it yet), and how they do their Public Key stuff. These guys are and have been so far ahead of the X509 crap it's not even funny. These guys have had certificates for years and STILL have useful features not yet implemented in X509 (hello - cert chaining?). They did this for funsies? And then we get articles that blast Lotus for being in cahoots with the Govt or NSA? Obviously someone isn't paying attention and hasn't done any research on Lotus - their making encryption so easy to use in Notes has NOT made them the US Govt's friend by ANY stretch of the imagination!
P.S. Know what's really funny? That someone will read an article like this or the one dealing with the Swiss and take it as gospel without ever researching it. Heh, if you want to know how it all really works Lotus has a White Paper in PDF on their site that goes DEEP into the details. I'd provide an URL but it's not handy, I'm only part way through it myself but it's damned detailed. Let's see M$ put something this detailed together about Exchange or NT! (lol)
Build it, Drive it, Improve it! Hybridz.org
The one in the TechWeb article is slightly mangled... if you didn't figure it out, try this.
Check out the May 1999 STOA newsletter for a very quick summary (scroll down a bit). None of it is US authored, AFAICT.
Java: the COBOL of the new millenium.
Somehow I think this "finding" is not quite accurate. Why would the US gov blow its wad on leaking confidential data to contractors to give them an advantage? The best part of having a secret is keeping it.