Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.

Stories: 0
Comments: 5,855

Comments · 5,855

  1. Re:Errk don't yell at the brainpool curves! on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 1

    I linked to that RFC for the text in the introduction section, from which I got the "chosen ad hoc" language. My point is not to cast suspicion on all ECC, which is a valid mathematical technique developed in the open by civilian academics. But rather, to provide more evidence for the fact that nobody seems to know how the seed values were generated (we know WHO generated them, but not HOW).

  2. Re:Reference? on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 2

    I just found this new blog post from the NYT which gives a very small amount of additional context. It also explicitly names the NSA RNG as what they were talking about.

    http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/

    But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.

    Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”

    At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”

    The Guardian, ProPublica, the NYT and Schneier all appear confident enough in what they've read to state assertively that it's a hacked standard. Also, why else would the NSA care so much about pushing a crap and slow RNG that we know can have a backdoor into international standards?

  3. Re:We owe our thanks to Mr. Snowden on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 5, Informative

    That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However, this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

  4. Re:Is Bitcoin Vulnerable? on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 1

    Bitcoin uses what the SEC calls a Koblitz curve (secp256k1) for which there is much less design freedom and it seems much less likely that there is any way to back-door those curves. Unfortunately many ECC implementations don't support all the curves, just a few of the plain vanilla random ones. Actually I'm not aware of anything except Bitcoin that uses secp256k1.

  5. Re:Reference? on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 5, Informative

    Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this:

    Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

    Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

    Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

    “Eventually, N.S.A. became the sole editor,” the memo says.

    Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

  6. LOL on Syrian Gov't Agrees To Russian Chem-Weapon Turnover Plan · · Score: 4, Insightful

    I want to high five the reporter that asked that question. Holy shit. A single question by a single reporter possibly changing the course of an entire war. Not every day you see that.

  7. Re:Marital/Money problems??? on Linus Responds To RdRand Petition With Scorn · · Score: 4, Informative

    I think it's more likely that the RDRAND thing has been an ongoing argument/flamewar for a long time. See this thread for an example.

    BTW Linus is right. According to what we know about randomness, even if RDRAND is hacked then mixing it with other entropy can't hurt - at worst, it merely is a no-op and achieves nothing. However, even if RDRAND is backdoored, the NSA is not the world's only adversary. Given that when mixed with other randomness it doesn't hurt, it's still better to use it against all the other adversaries out there than not.

    Linus' point is, exclusive reliance on RDRAND would be bad, but the kernel doesn't/shouldn't do that.

  8. Eh.... on Keeping Data Secret, Even From Apps That Use It · · Score: 5, Informative

    Two datacenters owned by the same company using MPC is a really dumb use case. That won't help at all. The point of Google encrypting cross-dc communications is a forcing manoeuvre - it forces intelligence agencies to go via Google Legal to get information where the request can be analyzed and pushed back on. Even in countries where the legal system is flimsy and corrupt, that's an issue that can be improved significantly just with a single act of Congress or Parliament, whereas undoing their wiretapping infrastructure will prove somewhat harder because there's no adversarial lawyer standing in the way.

    A better example might be two datacenters owned by different companies, where they don't mutually trust each other. Or, to give an actual use case, the OTR chat encryption protocol uses MPC to authenticate connections. They call it the socialist millionaires protocol. The two parties agree on a secret word (typically by one user posing a question to the other), and then a variant of MPC is used to verify that both parties selected the same word. The word itself never transits the wire and it's only used for authentication, so it's relatively strong even if the secret word is short or predictable.

    Now, for some background. The paper can be found here if you want to skip the million+1 links and registration crap.

    The basic idea behind MPC is that you write your shared computation in the form of a boolean circuit, made up of logic gates as if you were making an electronic circuit. The inputs to the program are represented as if they were electronic signals (i.e. as one and zero bits on wires). Once done, there are two protocols you can follow. The original one is by a guy named Andrew Yao. Each wire in the circuit is assigned a pair of keys. The details I'll gloss over now, but basically given the circuit (program) as a template, lots of random keys are created by party A, then the entire "garbled circuit" is sent to party B who will run it. Party A also selects the keys for his input wires and sends them to party B, who doesn't know whether they represent 0 or 1, only party A knows that.

    Now party B wants to run the program with his input, but he doesn't want party A to know what his input is. So they use a separate protocol called an oblivious transfer protocol to get party A to cough up the right keys for B's input wires, without A finding out what they were. Finally, party B can run the program by progressively decrypting the wires until the output is arrived at.

    What I described above is Yao's protocol. There is also a slightly different protocol called BGV. In BGV you don't send the entire program all at once. Instead, as party B runs through the program, each time they encounter an AND gate they do an oblivious transfer with party A. XOR gates are "free" and don't require any interaction. I forgot what happens for other kinds of gates. Basically, BGV involves both parties interacting throughout the computation, however, it can result in much less network traffic being required if your OT protocol is cheap, because if your circuit is very wide and shallow then most of the garbled program never has to even get transferred at all.

    From what I can tell, most of the best results in MPC these days are coming from BGV coupled with new, highly efficient OT protocols. SPDZ appears to work on yet another design, but the basic reliance on circuit form remains.
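    The garbled-circuit flow described in the comment above (random key pair per wire, an encrypted table per gate, A sending the labels for its own inputs, B obtaining labels for its inputs through oblivious transfer, B decrypting gate by gate) as an added, self-contained Python example. It is not the commenter's code or the paper's code: labels are 16 random bytes, each table row is encrypted with a SHA-256-derived pad plus a zero check block so the evaluator can tell which row opened, XOR is garbled like any other gate (plain Yao, no free-XOR), and the oblivious transfer step is an in-process stand-in, not a real OT protocol. The circuit (a 2-bit private equality test) is constructed for the demonstration.

```python
import hashlib
import os
import secrets
from itertools import product

LABEL_LEN = 16                 # bytes per wire label (the "keys" assigned to each wire)
CHECK = b"\x00" * LABEL_LEN    # redundancy appended so the evaluator recognises the right row

# Gate truth tables. XOR is garbled like any other gate here (plain Yao, no free-XOR trick).
GATE_OPS = {
    "AND": lambda x, y: x & y,
    "XOR": lambda x, y: x ^ y,
    "XNOR": lambda x, y: 1 - (x ^ y),
}


def _row_pad(key_a, key_b):
    # Keystream for one table row, derived from the two input-wire labels that unlock it.
    return hashlib.sha256(b"yao-row|" + key_a + key_b).digest()


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def _encrypt_row(key_a, key_b, out_label):
    # Ciphertext = (out_label || zero check block) XOR pad(key_a, key_b); 32 bytes in total.
    return _xor(out_label + CHECK, _row_pad(key_a, key_b))


def _decrypt_row(key_a, key_b, row):
    # Returns the output label if this row was meant for (key_a, key_b), else None.
    plain = _xor(row, _row_pad(key_a, key_b))
    return plain[:LABEL_LEN] if plain[LABEL_LEN:] == CHECK else None


def garble(circuit, wires):
    """Party A: two random labels per wire (for 0 and 1), one shuffled 4-row table per gate."""
    labels = {w: (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for w in wires}
    tables = []
    for op, a, b, out in circuit:
        rows = [
            _encrypt_row(labels[a][x], labels[b][y], labels[out][GATE_OPS[op](x, y)])
            for x, y in product((0, 1), repeat=2)
        ]
        secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which (x, y)
        tables.append((a, b, out, rows))
    return labels, tables


def evaluate(tables, active, output_wire):
    """Party B: holding exactly one label per input wire, open one row per gate in order."""
    for a, b, out, rows in tables:
        opened = []
        for row in rows:
            lbl = _decrypt_row(active[a], active[b], row)
            if lbl is not None:
                opened.append(lbl)
        if len(opened) != 1:
            raise ValueError("expected exactly one decryptable row per gate")
        active[out] = opened[0]   # B learns a label, never the bit it stands for
    return active[output_wire]


def simulated_oblivious_transfer(label_pair, choice_bit):
    # STAND-IN for the 1-of-2 oblivious transfer in Yao's protocol (not a real OT): in the
    # real protocol B learns label_pair[choice_bit] while A never learns choice_bit. Both
    # parties live in one process here, so the chosen label is simply handed over.
    return label_pair[choice_bit]


# Constructed circuit: does A's 2-bit value equal B's 2-bit value?
# eq = (a0 XNOR b0) AND (a1 XNOR b1)
EQUALITY_CIRCUIT = [
    ("XNOR", "a0", "b0", "e0"),
    ("XNOR", "a1", "b1", "e1"),
    ("AND", "e0", "e1", "eq"),
]
WIRES = ["a0", "a1", "b0", "b1", "e0", "e1", "eq"]


def private_equality(a_bits, b_bits):
    """Run the whole exchange in-process; returns 1 if the two inputs are equal, else 0."""
    labels, tables = garble(EQUALITY_CIRCUIT, WIRES)            # A's side
    active = {}
    for w, bit in zip(("a0", "a1"), a_bits):                     # A sends labels for its own input
        active[w] = labels[w][bit]
    for w, bit in zip(("b0", "b1"), b_bits):                     # B gets its input labels via OT
        active[w] = simulated_oblivious_transfer(labels[w], bit)
    out_label = evaluate(tables, active, "eq")                   # B's side
    decode = {labels["eq"][0]: 0, labels["eq"][1]: 1}            # A publishes decoding for the output wire only
    return decode[out_label]


if __name__ == "__main__":
    print(private_equality((1, 0), (1, 0)))  # 1
    print(private_equality((1, 0), (0, 1)))  # 0
```

    Two things the code makes visible that the prose glosses over: the evaluator only ever holds one label per wire and so can open exactly one row per gate (the check block is what tells it which), and the output is only meaningful once the garbler reveals the label-to-bit mapping for the result wire, so the garbler controls what the evaluator learns.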

  9. Re:Meaningless ... on Google Speeding Up New Encryption Project After Latest Snowden Leaks · · Score: 1

    Eh, you realise that Google has lots of engineers who don't live in the USA, have no ties to the USA, even strongly dislike the US government, right? Some of them are even working in China or Russia.

    The idea that every Google employee is a slave to the NSA is absurd. The vast majority wouldn't even qualify for basic security clearance.

  10. Re:UK Has that now! on NSA Can Spy On Data From Smart Phones, Including Blackberry · · Score: 1

    The link you provided makes no mention of any such thing. In fact it says the UK government refused to prosecute because the evidence was too vague. However, a film industry body was able to do so and the guy was found guilty. It seems he didn't really try to argue that he ran the websites in question but tried to rely on technicalities all the way, and the judge didn't buy it.

    I'm all for being worried about abuses of due process and excessive government power. But what we have here is an asshole who was apparently making nearly $80k per month off advertising on a site dedicated to piracy and illegal downloading of films. The film industry was able to bring a private criminal prosecution (I didn't know that was possible), and won. Almost by definition a private prosecution couldn't have had access to material obtained via GCHQ or the NSA so the point you're trying to make is lost.

  11. Re:About Tor versions on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 1

    What's more, this analysis is very fresh. Remember that right now huge chunks of Tor traffic appear to be botnet control circuits. The botnet runs on 0.2.3.x - so that's going to bias the sample somewhat.

    BTW - not surprised to learn that Linux distributors are screwing their users with stale repos yet again. Anyone who is using distributor repositories to get security sensitive software is just asking to be compromised.

  12. Re:Question about Google's HTTPS on NSA Foils Much Internet Encryption · · Score: 1

    Not all Google searches are encrypted. Only if you're logged in, or specifically visit encrypted.google.com. The reasons are complicated and stupid - to do with US schools with political clout that outsourced their internet filtering and couldn't filter searches (for the children!) if SSL was enabled for everyone. A bunch of companies/orgs in similar positions also complained.

    If you use Chrome at least then Chrome-Google communication is forward secure (compromise of the private key lets you MITM but not passively decrypt).

  13. Re:NIST 2006 on NSA Foils Much Internet Encryption · · Score: 1

    Did you RTFA? The articles say specifically that Dual_EC_DRBG was a backdoor operation and even quotes from the documents themselves (look for the word finesse).

  14. Re:SSH? on NSA Foils Much Internet Encryption · · Score: 3, Informative

  15. Re:Uh... okay on NSA Foils Much Internet Encryption · · Score: 3, Informative

    There's nothing in the articles that implies this. Backdooring a CA only helps if several things hold:

    1) They can not only intercept but also rewrite traffic on the fly. Possible, but if so, not yet mentioned in any leaks.

    2) They're willing to take the chance that someone might notice.

    So an operation against a single site, definitely possible. But they are clearly desperate to grab everything, all the time! Their whole MO is not targeted investigations but to spy on everyone simultaneously. You can't use a rogue CA to do that. They'd be detected immediately, if only by geeks setting up SSL for their new personal VPS and suddenly noticing the CA their browser gets isn't the one they installed.

    The problems with SSL are not that CAs exist. The model holds against the global adversary who wants to decrypt everything. The problems with SSL are almost certainly more prosaic - many websites can be automatically hacked and their keys stolen without the owners ever knowing. In the default config that allows you to then decrypt all past traffic as well. Some implementations will use old, weak keys that were strong once upon a time but have since become obsolete. Some implementations will have bad random number generators. Some implementations will run on VPS providers and are subject to side channel attacks by colocated VMs. Some keys can be subpoenaed and others can be obtained by covert agents. And of course you still leak traffic metadata even when SSL works perfectly.

    There are lots of ways to attack SSL that will work some of the time, and that's exactly what the leaks imply - they can beat encryption sometimes but they don't have a magic skeleton key to everything.

  16. Re:SSH? on NSA Foils Much Internet Encryption · · Score: 1

    The New York Times has an infographic that claims they have some capabilities against SSH.

  17. Re:SSH? on NSA Foils Much Internet Encryption · · Score: 5, Informative

    Certificate authorities never see private keys so you are dead wrong about that. What's more, even if a rogue CA was minting bad certs on the fly to attest that the NSA was really foobar.com, that would have been noticed. Remember that secrecy is something they value insanely highly. They wouldn't ever do something so easily noticed and the articles do not imply any kind of CA compromise.

    In fact if you read all the stories (they overlap largely but not entirely) you can get a vague picture of what's going on. Firstly, they record all encrypted traffic in case they can decrypt it later. Secondly, they have a database of public to private keys, populated via any means they can. Thirdly, they obtain keys in lots of ways (hacking, subversion, bogus court orders, brute forcing old/weak keys etc) but they don't seem to have a magical solution to all strong crypto. The closest that the leaks come to this is discussion of some amazing cryptanalytic breakthrough, which could possibly mean they're able to break some kinds of RSA? Perhaps they're ahead of Joux et al by some years?

    Regardless of what it is, it can't be a solution to all crypto, because these governments apparently asked the newspapers not to publish on the grounds that people might switch to stronger systems that worked.

  18. Re:Botnets and Tor on Security Company Attributes Tor Traffic Surge To Botnet · · Score: 2

    No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.

    Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.

    Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rendezvous nodes that join user and service together via two 3-hop circuits. De-anonymizing such a service is very hard and requires you to control large numbers of nodes over a period of many months, according to the latest research. It's not something the Tor community can just do.

    If you think you know of a slick way to resolve this problem, I suggest taking it to the Tor developers, because all the evidence I see from their lists is that right now they don't have any great ideas.

  19. Re:Botnets and Tor on Security Company Attributes Tor Traffic Surge To Botnet · · Score: 1

    Because if you RTFA you will see that they reverse engineered the botnet and found that it's trying to contact a C&C server, what's more, this bot has a history of using Tor for receiving commands. It's obviously not a deliberate attempt to wreck Tor.

  20. Re:Botnets and Tor on Security Company Attributes Tor Traffic Surge To Botnet · · Score: 4, Informative

    I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather, they just act as normal clients of the Tor network - placing extreme load on existing relays.

    In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.

    To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.

    Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.

  21. Re:How to crack: on NSA-resistant Android App 'Burns' Sensitive Messages · · Score: 1

    I think this speaks to the fact that post-Snowden, the game has entered a new stage.

    Pre-Snowden the NSA or whoever would not have been willing to do such a thing, due to the very high likelihood of detection. Yes, 99.9% of people aren't going to notice their phone doing something unexpected. But if you apply it to everyone because you want the ability to grep their communications for keywords a.k.a. selectors then you need all of it, all the time. There are over a billion Android activations now. Even 0.01% of users being tech savvy and using custom/modified ROMs or analyzing their phone more carefully would notice what's up, and then their secrecy (the most prized asset) is blown. Secrecy is a double-edged sword, it protects them but also limits them. So - not feasible.

    Unfortunately, post-Snowden, the intelligence agencies know two things. Firstly, their secrecy is blown. Everyone knows they spy on every person alive, all the time. Most of their secrets are now ex-secrets. There's nothing to defend anymore there. The second thing they know is that it seems people don't give a shit. There were no protests in the streets. There were no diplomatic repercussions. It went in front of Congress and got voted down. The UK didn't even get to have a vote, the government just went full Orwell and other than some angry newspaper columns jack shit happened. Time to invade Syria? Parliamentary recall. Journalists have their materials seized? Stay on vacation. Generally they learned, totalitarian surveillance ranks lower in the priority stack than whether to invade Syria or not.

    The combination of these two things means they're going to get really aggressive now. Automatically MITM every SSL connection using a FISAd CA? Unthinkable before, too easily detected. Post-Snowden, why not, it's just another way to do what people already know about. Force Google to back door every Android? Why not! They already track people's movements everywhere, including people who switch phones to try and avoid detection. They apparently have the ability to turn phones into bugs, even if they appear to be switched off. Automatic, global backdooring of every mobile device wouldn't surprise people.

    In short I think we may have lost as much as we gained from Snowden's leaks. Sure, the veil of secrecy was torn down. But society failed to rise up. The secret police have won. Now they can do anything without fear, and there's literally nothing to stop them.

  22. Re:Very little utility here on NSA-resistant Android App 'Burns' Sensitive Messages · · Score: 2

    Er, what? We just learned this summer that governments are sucking up EVERYTHING and storing it for god knows how long, and you think it's useless because you would need to obtain the device to read the content?

    No way! At this point any kind of crypto, even the unauthenticated kind, is a good step forward.

  23. Re: Warning only for people known to be wanted by on Russia Issues Travel Warning To Its Citizens About United States and Extradition · · Score: 1

    However, the original bulletin does not seem to contain such language, judging from the auto translation.

  24. Re:Why was this even posted? on AT&T Maintains Call Database For the DEA Going Back To 1987 · · Score: 2

    From the article:

    It is queried for phone numbers of interest mainly using what are called “administrative subpoenas,” those issued not by a grand jury or a judge but by a federal agency, in this case the D.E.A.

    In other words, no, there's no oversight. The DEA issues its own legal requests. The AT&T "contractors" who issue the queries sit next to the agents and are paid for by the DEA (in other words, they're employees of the government). Elsewhere the presentation makes a reference to routing requests via Washington state which somehow converts them into court orders, not sure what that's about.

    Also, the presentation tells agents to cover up the fact that it exists and how to do so, so we're back into "parallel reconstruction" territory.

    That said, I actually care less about this sort of thing than what the NSA is doing, as it's (a) not classified and apparently can be learned about via the regular channels despite their requests for secrecy and (b) it's being used to catch more ordinary, everyday criminals like people who rob jewellery shops or make bomb threats. The almost total blurring between corporation and state is very concerning because it implies there's nothing stopping it from stepping over the line and becoming used for petty political activism or worse, but at least they try to actually justify the program's existence with examples (unlike nearly all NSA training material, it seems).

  25. Re:Disclaimer on AT&T Maintains Call Database For the DEA Going Back To 1987 · · Score: 1

    Not only that, but actually current cell-site data for any phone is publicly available for a small fee (1 cent). The GSM Home Location Register is a worldwide database which all carriers need access to for roaming to work, the fact that somehow some companies are able to sell access to it perhaps should not really surprise anyone. What you get back are cell tower IDs, not co-ordinates, but I guess it may be possible to build a map of tower IDs to physical locations (or obtain one) if you're determined enough. For many uses it's not even that hard, as you don't need all of them but just the small set of locations where you expect your target is likely to be.

    I guess the next step for drug dealers and other people who don't want to carry a portable tracking device would be to use VoIP via VPNs or other proxy services. I anticipate that over time proxying traffic will become illegal ("packet laundering" anyone?). No way are governments going to give up this wonderful gift society gave them in the form of knowing everyone's location, all the time.