Before the software was released, Ray Ozzie and Kauffman openly described what they were doing at an RSA conference. This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
Also worth reading barrkel’s comment a couple comments down…
ethbr1 305 days ago [-]
For people younger than ~37, I'd remind them that crypto before 2000, especially in shipped commercial products, was playing under substantially different government restrictions.
Effectively and in short, you were prohibited by the US government from shipping strong encryption in any internationally distributed product. Which generally meant everything commercial.
Despite open source implementations of strong encryption existing (e.g. PGP et al.).
Now, no one bats an eye if you ship the most secure crypto you want. Then, it was a coin flip as to whether you'd feel the full weight of the US government legal apparatus.
It was a crazy, schizophrenic time.
matheusmoreira 305 days ago [-]
> It was a crazy, schizophrenic time.
Still is. To this day, we have to debate and justify ourselves to these people. They make us look like pedophiles for caring about this stuff. They just won't give up, they keep trying to pass these silly laws again and again. It's just a tiresome never ending struggle.
And that's in the US which is relatively good about this. Judges in my country were literally foaming at the mouth with rage when WhatsApp told them they couldn't provide decryption keys. Blocked the entire service for days out of spite, impacting hundreds of millions.
Can't 'judges' in any country could block Whatsapp, or any software, for an indefinite period of time?
Should they even be considered 'judges' if they lack that authority?
305 days ago [-]
a1369209993 305 days ago [-]
[flagged]
tasty_freeze 305 days ago [-]
I down-voted this and I'll say why. I'm pretty dang liberal in my politics; my push back isn't because I'm carrying water for right wing groups.
Q-Anon is a current right wing conspiracy group that claims powerful democrats are trafficking children, the "we must protect our kids from XYZ" justification crosses political lines. But they aren't alone.
Back in the 90s there were a few years of "the satanic panic", where there were wild claims made about daycare centers doing unspeakable things to children, things that beggar belief just from a logistical perspective. People spent years in prison over this. There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Back in the 80s Tipper Gore, wife of then senator Al Gore, drove a campaign to label and censor music to "protect the children."
eg, children were coached into giving answers and making up scenarios. for instance, one child claimed that they were taken in an airplane and flown to a secret location with clowns and sex, then flown back to the class in time for their 2pm pickup. Stories about ritual animal sacrifice in their daycare room, stories about children being murdered even though none were reported missing.
a1369209993 305 days ago [-]
> the "we must protect our kids from XYZ" justification crosses political lines.
> There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.
If opponents of strong encryption want a good-faith argument, they are free to admit that the actual reason strong encryption is "bad" is because it stops them from attacking and spying on everyone in the world, but I doubt they'll take that option.
Akronymus 305 days ago [-]
> Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.
That just weakens your own position.
305 days ago [-]
snakeyjake 305 days ago [-]
Windows 2000 came on a CD... and a floppy disk.
The CD was a globally-legal image, and export-controlled strong crypto came on the floppy in countries where it was allowed.
How hard would it have been for a "rogue state" to get a copy of that floppy? I understand that times were different, you couldn't just PGP encrypt it and attach a 1.44 MB blob to an email, sending it at 24 kbps. You couldn't just upload it to an anonymous filesharing site.
But today it seems fundamentally obvious that once a single copy is leaked, it's all over... was that not true in 2000?
semi-extrinsic 305 days ago [-]
Gnutella, including popular clients like LimeWire, were released around the same time as Windows 2000. People were doing decentralized filesharing of files larger than 1.44 MB just fine in 2000.
Filesharing at that time was just wild, by the way. It was far too easy to set up your client such that you were sharing the entire contents of your computer with the whole internet. More often than not, this was done by the kids in the family on the same machine where mom and dad had their work stuff plus their private finances.
So of course the files were leaked. If you were intending to share something illegal to distribute outside the US, you could easily get plausible deniability just by sharing everything on your computer and feigning ignorance.
nirav72 304 days ago [-]
Back in those days you didn't even need to be on LimeWire or eMule to look at the contents of someone's home PC. I remember around the late 90s/early 2000s, when I got DSL. This is before consumer grade routers became a common thing in the household. So most people had their PC connected directly to their DSL box. Browsing through windows share on other people's home PC was one of this easiest things to do.
NL807 305 days ago [-]
eDonkey and eMule was fire during those years.
nurettin 305 days ago [-]
with dc++ and a fiber network connecting major universities in Germany at 10MegaBytes/s, it was more than fire. I remember downloading the entire ** trilogy in minutes.
wmf 305 days ago [-]
Of course all that stuff was leaked (and there were anonymous filesharing sites). The whole export-grade crypto thing was a legal fig leaf.
pdw 305 days ago [-]
It was all extremely silly. Debian took a different approach: before 2005, they put all crypto packages in a separate "non-US" archive, hosted in the Netherlands. American developers weren't allowed to upload there. That way, Debian never exported crypto code from the United States, it only ever imported it.
wmf 305 days ago [-]
Yep, US export restrictions ended up spurring foreign investment in crypto like Thawte (founded by Mark Shuttleworth) and SSLeay (later forked as OpenSSL).
eastbound 305 days ago [-]
There was a story of a hundred programmers taking the program PRINTED ON PAPER to a conference in Sweden to type it in again, because somehow export of binaries was forbidden but not the printed version of it. Is it true? Which event organized this?
> A book comprised entirely of thousands of lines of source code looks pretty dull. But then so does a nondescript fragment of concrete -- unless it happens to be a piece of the Berlin Wall, which many people display on their mantels as a symbol of freedom opening up for millions of people. Perhaps in the long run, this book will help open up the US borders to the free flow of information.
This is beautiful.
sillywalk 305 days ago [-]
I believe OpenBSD (based in Canada) was in a similar situation.
icedchai 305 days ago [-]
It was. People were sharing pirated software on BBSes 40 years ago! Downloading a floppy might take an hour. In the 90's, I knew kids who got jobs at ISPs just so they could run warez FTP sites off of the T1.
Yes! In the early 90's, anyone with a T1 was almost god like. Most local ISPs were still connected with 56k or maybe fractional T1 lines.
0xbadcafebee 305 days ago [-]
Fast forward to 2000: T1 lines were still being used, but ADSL deployment was growing like wildfire. Some providers were legendary for offering synchronous DSL with extremely few limitations, for a fraction of the cost of a T1. That's what really kicked off a new generation of distributed file sharing. Nothing today compares; the dark web is a tiny blip in the ocean that was the 2000's file sharing scene.
icedchai 304 days ago [-]
I'm skeptical. In terms of actual usage, there are many, many more people online today. Many people are sharing torrents over their broadband connections: entire movies, all seasons of show. We won't even get into the piracy of books! I think the piracy scene today is much bigger.
0xbadcafebee 304 days ago [-]
There is more bandwidth used today, but there was so much more shared material before. The most heinous illegal shit you could imagine would just float over the network through your node. Your dad's QuickBooks files were downloaded by strangers, along with your family photos. Corporate records, lists of social security numbers kept on a hospital computer. Anything you could imagine. It's vastly different today; the content you can get is curated, only select things get put onto services, and takedown notices often get them dropped. Nothing was taken down back in the day, nobody was watching, and there was no filter. I saw things at 17 that no kid today could possibly get access to. The nature of file sharing today just isn't an open tap like it used to be. You have to try hard to publish or retrieve stuff today; back then it was almost accidental.
Akronymus 305 days ago [-]
dark or deep web? Because the dark web is HUGE. But the deep one not so much.
rconti 305 days ago [-]
We were sharing lots of 3-7MB files peer-to-peer at the time :D Napster, Limewire, Audiogalaxy, etc. Plenty of public FTP sites all over the place as well.
Even in the late 90s, 128kbps ISDN connections were not unheard of, and 256kbps DSL was rolling out as well.
netsharc 305 days ago [-]
Damn, Audiogalaxy! That takes me back! A simple Windows client for downloading (and well uploading), and to search and download you go to their website, login and add stuff to your queue (although I barely remember what the website looked like). Sooner or later someone with the files you want would come online and your computer would begin downloading from their computer..
A few years before that plenty of people were downloading 30ish floppy images over modems to install Slackware or SLS.
pdntspa 305 days ago [-]
In 2000 there was absolutely nothing stopping you from connecting to an FTP server and uploading whatever you wanted, other than time and bandwidth.
brudgers 305 days ago [-]
Now, no one bats an eye if you ship the most secure crypto you want.
To me, there are only two plausible explanations for the change:
1. The three letter agencies gave up on backdooring cryptography.
2. The three letter agencies successfully subverted the entire chain of trust.
Only one of them is consistent with a workforce consisting of highly motivated codebreaking professionals available working for many decades with virtually unlimited resources and minimal oversight.
I think a 3rd option is actually much more likely and (semi) less conspiratorial:
3. NSA realized that "frontal assaults" against encryption were a lot less fruitful than simply finding ways to access info once it has been decrypted.
Would have to search for the quote, but Snowden himself said exactly that, something along the lines of "Encryption works, and the NSA doesn't have some obscure 'Too Many Secrets' encryption breaking machine. But endpoint security is so bad that the NSA has lots of tools that can read messages when you do." And indeed, that's exactly what we saw in things like the Snowden revelations, Pegasus, and I'd argue even things like side-chain attacks.
Plus, I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means. In the case of something like TLS root certificates that makes sense, but there are many, many forms of cryptography (like cryptocurrency) where no keys are any more privileged than any other keys - there is no "chain of trust" to speak about in the first place.
smolder 305 days ago [-]
I've long (post-snowden?) estimated NSAs capabilities are roughly what you imply. Lots of implementation-specific attacks, plus a collection of stolen/coerced/reversed TLS certs so they can MITM a great deal of web traffic. US-based cloud represents another big backdoor for them to everyone's data there, I think.
sethhochberg 305 days ago [-]
They've presumably got a pretty vested interest in making sure most communications are legitimately secure against most common attacks - arguably good for national security overall, but doubly good for making sure that if anyone can find a novel way in, its them, and not any of their adversarial peers.
There's a reason many corporate information security programs don't go overboard with mitigations for targeted, persistent, nation-state level attacks. Security is a set of compromises, and we've seen time and time again in industry that this sort of agency doesn't need to break your encryption to get what they need.
hutzlibu 305 days ago [-]
When the NSA for example has access to the Intel ME or AMDs version of it(and I think they do) then they surely don't need to break any encryption. They don't even need to hack. They just would have direct access, to most Desktops/Servers.
hn_throwaway_99 305 days ago [-]
Even this is too conspiratorial for me. Not because I believe the NSA wouldn't like access, but because it's not the best approach. Convincing Intel or AMD to have a hidden back door, and to somehow keep that it hidden, is a nearly impossible task. Compare that with just hunting for 0-days like the rest of the world, which the NSA has shown to be quite good at.
Not saying there couldn't be a targeted supply chain attack (that's essentially what was revealed in some of the Snowden leaks, e.g. targeting networking cables leased by big tech companies), but I don't believe there is some widely dispersed secret backdoor, even if just for the reason that it's too hard to keep secret.
smolder 305 days ago [-]
At a minimum, it's a thing that certain security conscious consumers (cough DoD) were able to get Intel to include a hidden (not typically user accessible) bios flag for disabling most features of the management engine. So they're at least concerned about it as a security risk. That doesn't necessarily mean they also have backdoors into it, but it's not crazy to think they might. It's hard to be too conspiratorially minded with respect to intelligence stuff, if you aren't making the mistake of treating suppositions as facts.
dannyw 305 days ago [-]
I have a workstation bought from eBay that has a “ME DISABLED” sticker on the chassis.
>Convincing Intel or AMD to have a hidden back door, and to somehow keep that it hidden, is a nearly impossible task
Interesting, how would an X86 instruction with hardcoded 256-bit key would be detected? IIRC it's really hard to audit the instruction space for CISC architecture.
hutzlibu 305 days ago [-]
Well sure, they would not use it for everyday standard cases to limit exposure. Intel does have something to loose, if this would became public knowledge.
But I cannot believe they resisted the temptation to use that opportunity to get such an easy access to so many devices.
ethbr1 305 days ago [-]
Parent's point is that its very existence (not just use, as this is hardware/firmware we're talking about) in widely deployed form would be too risky.
Consequently, if there is an ME-subversion, it's only deployed / part-replaced for extraordinary targets. Not "every system."
hutzlibu 305 days ago [-]
Huh? As far as I know every Intel ME has access to the internet, can receive push firmware updates and write access to everything else on the system. It does not need a modified version, they can just use the official way, the normal Intel ME on target devices, if they can cloack their access of the official server, which I think could be achieved of using just the key of the official server and then use another server posing as the official server.
But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.
toast0 305 days ago [-]
I don't think that's the case. Don't you need to have a selected NIC, integrated properly to get the Intel ME network features? Typically branded as "Intel vPro"
Otherwise, you need something in your OS to ship data back and forth between the ME and whatever NIC you have.
bonzini 305 days ago [-]
vPro, also known as AMT, is proprietary and it's for professional desktop and laptop systems. ME instead is based on IPMI and is for server-class systems.
toast0 305 days ago [-]
Are they reusing the name to be more confusing? Intel ME calls to mind the management engine that's been embedded in most Intel based computers for the last 15 or so years.
I would believe, really sensitive networks, have ME deactivated anyway and need other, specialised infiltration methods.
But when targeting a random individual in a hurry, I think it would be handy to just use the build in backdoor.
wavesquid 305 days ago [-]
The trouble is, as far as I know, that the ME cannot be deactivated. Even if you are a really sensitive network.
Your option is to find some of the few Intel chips without it, or find another chip vendor.
This often means you can't use common off the shelf systems, so now you can be a victim of a targetted supply chain attack.
smolder 305 days ago [-]
Attacking machines directly over the network is dangerous for them from the standpoint of detection, though. You can bet that any ME/PSP remote access exploits are used very carefully due to potential detection.
You're right though, I guess I didn't mean to say that NSA would give up on or would not want back doors into widely deployed crypto algorithms, but even with Dual_EC_DRBG the suspicions were widely known and discussed before it was a NIST standard (i.e. I guess you could say it was a conspiracy, but it wasn't really a secret conspiracy), and the standard was withdrawn in 2014.
knewter 304 days ago [-]
Do you believe NIST stopped trying to backdoor curves in 2014?
maqp 305 days ago [-]
>I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means.
For one thing, they're interdicting hardware and inserting hardware implants:
I think that's basically what the parent's #2 point implies.
ethbr1 305 days ago [-]
IMHO, the IC gave up on the feasibility of maintaining hegemony over encryption, particularly in the face of non-corporate open source. You can't sue a book / t-shirt / anonymous contributors.
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no-such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.
chaxor 305 days ago [-]
I don't know much about hardware, but is it not possible that there is a small part of a chip somewhere deep in the highly complex systems we have that simply intercepts prior to encryption and, if some condition is met (a remote connection sets a flag via hardware set keys), encrypts/sends the data elsewhere? Something like that anyway. It seems possible, but idk how plausible it is, and if things like the Linux kernel would be likely to not report on it, if the hardware is not known enough.
Anyway, just suggesting something that wouldn't require quantum cryptography.
ethbr1 305 days ago [-]
As pointed out by another comment above, exfiltration then becomes the risky step.
If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.
Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?
yomlica8 305 days ago [-]
Seems like you could just blast it out on one of the endless Microsoft telemetry or update channels that are chatting away all day and either intercept outside the network or with Microsoft's help. Only way to protect against that would be blocking all internet access.
305 days ago [-]
southernplaces7 305 days ago [-]
I don't buy that it has to be just one or the other. Fundamentally, crypto is just very dense information and once it became widely enough standardized by people who could easily share and apply it commercially, getting even the strongest crypto to the most basic user becomes extremely easy.
Short of blocking the very essence of digital data spread and transactions, the three-letter agencies and the giant governments behind them realized that there was no way to effectively put that particular genie back in the bottle without fucking over too many other extremely well-connected commercial interests.
Thus, while they didn't entirely give up on their bullshit, and keep looking to find arguments for privacy subversion, they realized that roundabout methods were a usable practical course.
That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share and securely be applied by so many people, but governed by technocrats who do what they can to subvert meanwhile.
The fundamental math of crypto is secure, regardless of any conspiracy theories. AES-256, for example, can't just be broken by some secret Area 51 alien decoder ring. The mathematics of good modern crypto simply crush any human computing technology for breaking them regardless of budget. However, the agencies also know that in a complex world of half-assed civilian security and public habits, they still have enough methods to work with without delving into political firestorms.
ethbr1 305 days ago [-]
I've always thought the ratio of average residential network bandwidth to average file size is underappreciated as an arbiter of change.
The only true solution to distribution / piracy is for the file to be so big as to be inconvenient.
Which is why mp3 was such a game changer.
southernplaces7 305 days ago [-]
I'm sorry? Responding to the wrong comment?
ethbr1 305 days ago [-]
>> That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share...
hedora 305 days ago [-]
Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (module certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).
Similarly, most consumer devices have a few zero-days each year, if not more, so if you really want to decrypt someone's stuff, you just need to wait a few months.
I think that both your explanations are probably incorrect though. It's a bit of "neither" in this case.
They continue to backdoor all sorts of stuff (they recently were marketing and selling backdoored "secure" cell phones to crooks), and most chains of trust are weak enough in practice.
woodruffw 305 days ago [-]
> Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (module certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).
I don't understand why you think ACME means this. Can you explain?
icedchai 305 days ago [-]
Not the original poster, but if you can control responses to and from a server (MITM) you can get a TLS/SSL certificate issued for it easily. In the old days, getting a cert was quite a hassle! You used to have to fill out paperwork and perhaps even talk to a human. It could literally take weeks.
woodruffw 305 days ago [-]
I don’t think a MITM would be sufficient to fool ACME. As Let’s Encrypt’s guide explains[1], an attacker in the middle would still fail to possess the target’s private key. As a result, the proof of possession check would fail.
The attacker could sign with their own key instead, but this is trivially observable to the target (they don’t end up with a correct cert, and it all gets logged in CT anyways.)
If you have a full MITM (you can do anything you like with all traffic to/from the target), you just do your own ACME validation with the target's domain without involving the target at all. Then you use that to MITM the SSL on any connections to the target (terminate SSL between the other side and your middlebox, then push the plaintext into your target, which is unaware anything has changed at all).
If the owner watches CT logs they will know about it (and you may need to jump through some more hoops once the target tries to renew their cert), but you get a lot of info in the meantime.
woodruffw 305 days ago [-]
Sure, but this has nothing to do with ACME itself. The attack model here is "if the attacker is effectively in control of the domain, then they can demonstrate that control." That's a way stronger posture than being able to maliciously MITM a specific ACME session, which (I think) is what the original concern was.
However, even with the full MITM here, this attack assumes that the attacker can proxy plaintext to the host. I'm not aware of many sites that allow sensitive actions (e.g. logging in) over HTTP anymore.
(And, as you note, this is detectable via CT. But it's fair to point out that many/most smaller operators probably aren't bothering to monitor public CT logs for unexpected issuances.)
hedora 304 days ago [-]
The attacker could just proxy the plaintext by issuing HTTPS requests to the backend server instead of issuing HTTP requests.
Also, what threat model does SSL protect against that doesn’t involve an attacker in control of a hop in the path between the client and the server?
woodruffw 304 days ago [-]
> The attacker could just proxy the plaintext by issuing HTTPS requests to the backend server instead of issuing HTTP requests.
Yes, assuming the target has HTTPS. The context I originally assumed was one where the target doesn’t yet have a certificate and is using ACME to obtain one.
Separate from that, I agree that an attacker with the ability to demonstrate domain control can subvert issuance in a way that only CT, stapling, and other “post hoc” methods can detect.
fragmede 305 days ago [-]
Would the target get notified by LetsEncrypt about this scenario though? Let's say I setup Certbot on my server. I'm not watching CT logs. How would I know about the double issuance?
woodruffw 305 days ago [-]
I don’t think it would be a double issuance; it’d be either a failed issuance or a single issuance with a single unexpected key. In other words: the target would end up with in an error state, and they could use CT to determine what happened.
icedchai 305 days ago [-]
What if they're getting a new certificate and proxying the traffic? As long as the cert looks okay to the end user, they're not going to notice for a while.
woodruffw 305 days ago [-]
Perhaps I’m misunderstanding what you’re saying, but this still doesn’t break the scheme: an attacker who interposes on ACME with their own private key is going to result in a CSR response for the wrong private key being sent back to the target server, which should cause an alertable failure. Even if this is somehow not checked (this would be a serious vulnerability in an ACME client!), the targeted server would end up serving a certificate that it can’t actually use (because it doesn’t have the private half).
icedchai 304 days ago [-]
I think you're misunderstanding. Say as an attacker, I am able to get control of the DNS zone for a target. We will assume the site is not using an ACME issued cert, but some other provider.
I am now able to get a new certificate issued with ACME using the DNS-01 challenge. I set up one of my own servers as a proxy, HTTPS terminated with this new cert. I then have it proxy to the existing site (by IP address.) I then change the site's DNS to point to my own server. The users are no wiser, but I am able to intercept all traffic.
woodruffw 304 days ago [-]
Okay, I think I understand what you're saying now: this is similar to the attack described by 'rcxdude here[1].
I interpreted the original comment that started this thread to imply an attack on ACME itself, not the fact that ACME can't detect the difference between someone who legitimately controls a domain and someone who illegitimately controls a domain. As far as I know, that's considered a more general defect in the Web PKI, one that predates ACME substantially.
Yes, it is the same. I agree, it is not ACME's fault, ACME just makes it simpler due to the automation.
hedora 304 days ago [-]
ACME doesn’t require control over the DNS record though. It has a mode where it issues a challenge and you put it on port 80 of your web server.
The DNS based attack would be harder than doing that, for, say, a malicious cloud vendor to implement.
Also, you don’t need a private key to bootstrap a new domain with a new ACME provider.
woodruffw 304 days ago [-]
The HTTP-based challenge is similar in scope to the DNS one: an attacker would still need the target’s private key to actually impersonate the ACME session itself.
Put another way: this is still not an issue with ACME itself, but the fact that the Web PKI is built on top of unauthenticated substrates (primarily DNS). If someone (like your cloud provider) can demonstrate control of your domain, then it is ipso facto their domain as well. ACME can’t solve that any more than the previous generation of DV techniques could.
icedchai 304 days ago [-]
I understand. I just used the DNS challenge as an example. I generally use the DNS challenge since I can assign certs on my private network more easily (the zone is public.)
sandworm101 305 days ago [-]
They aren't backdooring modern open-source encryption. They may have some elite knowledge about some esoteric corner of the code that allows them to theoretically throw a data center at the problem for a month or two, but the days of easy backdoors to decrypting everything in real time are gone imho. It is just too easy to implement mathematically-strong encryption these days. Too many people know how to do it from scratch. The NSA's real job is keeping american systems safe. That is done through creating the best encryption possible. They are very good at that job.
yencabulator 302 days ago [-]
"We kill people based on metadata." -- former head of NSA Gen. Michael Hayden
Fighting against crypto is a public and costly affair, it was deemed easier to twist Intel/AMD's arm a little on the silicon level.
jraph 305 days ago [-]
I see another plausible explanation: The NSA is concerned with maintaining security of its own / the government's infrastructure / is interested in finding breaches in infrastructures of others.
(this is speculation, I have no actual knowledge on this)
lern_too_spel 305 days ago [-]
Only one is consistent with the documents that have been leaked since the change to export restrictions. The other is what the marketing department at Reynolds Wrap would like you to believe.
rozzie 305 days ago [-]
"Now, no one bats an eye if you ship the most secure crypto you want."
The most surprising thing to me is that, in speaking in the past several years with younger entrepreneurs, they're not even aware of the obligation to file for an export license for any/all software containing crypto (such as that submitted to the App Store).
I've not yet seen a case in which a mass market exemption isn't quickly granted, but devs still need to file - and re-file annually.
Essentially Apple built a system so you have to agree to export restrictions with every single build you upload to Apple.
pkaye 305 days ago [-]
Not just US but other countries had their own restrictions. For example I think France didn't allow anything better than 40-bit encryption without key escrow.
Or, we are currently experiencing a brief oasis of freedom in between extended periods of encryption lockdowns and controls.
Jerrrry 305 days ago [-]
Yup, networks with a neuron count above a certain threshold (2+T?) will likely be on the IDAR restriction list again.
bagels 305 days ago [-]
ITAR? Also, was there a time where there was a restriction based on neuron count?
SkyMarshal 305 days ago [-]
What’s a neuron count?
bagels 305 days ago [-]
Neuron in a neural network. Not sure if the parent is talking about models, software or hardware though.
305 days ago [-]
UI_at_80x24 305 days ago [-]
For anybody who hasn't already read it, I highly recommend the book: "Crypto" by Steven Levy. I was 30% of my way through the book before I started recognizing real world events, news stories, whispered computer secrets; and realized that it wasn't a fictional book and was instead talking about real history.
Fabulous book, I found it in a public library when I was 15 or so and it was a hell of an education. Not least because I was already reading about tor and i2p. I'd recommend it to anyone - the story about Phil Zimmerman printing the code to PGP in a book made me laugh my head off.
r3trohack3r 305 days ago [-]
IIRC this is part of what shifted hardware manufacturing out of the US.
If you wanted to build in the U.S. you had to produce two versions of your product, one with “full encryption” and one with encryption hobbled.
Or you could go build one version somewhere else and import it into the U.S.
mike50 305 days ago [-]
Similar situation with space hardware. Even cots memory chips hardened for radiation and space are ITAR export restricted.
stephen_g 305 days ago [-]
Yeah, I worked at a company up to a few years ago where it was actually a huge competitive advantage for us not being in the US, because the products we designed, manufactured and sold (full satcom terminals as well as the microwave converters in them) would have been ITAR if they came from the US (being ‘dual use’).
archgoon 305 days ago [-]
I had never heard of this particular aspect of demanufacturing, that's fascinating. Do you know of any products where this was a deciding factor, or at least a major consideration? (I recognize you probably can't easily cite internal corporate documents)
hinkley 305 days ago [-]
Except to Iran, Syria, North Korea…
Also you couldn’t just ship products with a spot where crypto went and remove the crypto. API designs had to go through mental gymnastics to allow crypto without explicitly adding crypto. Which is why you have odd constructs that take strings as arguments and give you encryption back. Sometimes.
And since new languages copy patterns from old to remain familiar, these APIs are still frequently some of the most patience-testing.
wkat4242 305 days ago [-]
It's not completely gone. If you implement crypto in an iOS app you have to get an "export license" even if you're not based in the US or publish your app there.
fullspectrumdev 305 days ago [-]
I’ve had to sign ITAR related paperwork a few times for commercial software specifically because it was made in the US and being “exported” to the UK.
Really boils my piss given a lot of it, upon inspection, just used OpenSSL under the hood.
brokenmachine 305 days ago [-]
I'm in Australia and had to sign ITAR paperwork to order a bluetooth evaluation board.
forgetfreeman 305 days ago [-]
That this is no longer the case is a fairly strong indication that The Powers That Be have durably resolved the issue of decryption.
Also, always makes you wonder, why the standards the OS ships with are exempt...
convolvatron 305 days ago [-]
and I believe it was a major contributor to us having poor infrastructure for PKI protocols today, since these restrictions meant that it was pointless to try to bake them into standards
CTDOCodebases 305 days ago [-]
An ex Microsoft dev did a good breakdown video of NSAkey:
It was an interesting time. I forget the person's name, but I talked briefly with the guy who implemented the crc32 and encryption algorithms for ZIP, and he (almost apologetically) said the encryption was designed to be exportable under those laws. It's still not trivial to break, but you can test millions of passwords on a ZIP archive entry in the time it takes to try one on a modern Office document.
fullspectrumdev 305 days ago [-]
Partial known plaintext attacks are very, very useful when cracking ZIP “encryption”.
I’ve mostly used this to unpack ZyXEL firmware updates (reference below to this), but it also works on a lot of other stuff if you can get a partial plaintext. Some file formats headers might work.
Whether secret or not, it was a backdoor that could be/was exploited. Today governments are asking for 'secret backdoors' from tech companies, not seeing the immense risks. Crazy times.
gadders 305 days ago [-]
None of this was secret. I worked at Lotus in the mid-90s and there were 2 versions of Lotus Notes, one for the US and the other labelled "International".
thewanderer1983 305 days ago [-]
>This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
The author states it correctly. Here is the text from the author
"The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext"
Here is the text from the RSA conference.
Hello,
1st off please don't publish my name on your site. I'm too lazy to
set up another cheezy mail acct.
Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from
your site. I have a close friend who is a developer for Iris (the
people who make Notes for lotus.) I sent him the file I downloaded and
asked him what the deal was, and here's his response:
Here's the necessary info to truly understand the issue here; a speech by Ray
Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is
that notes provides superior exportable encryption technology when compared to
other US products on the market. For anyone (but the NSA) to crack our
international encryption keys they must crack a 64 bit key, the same as with a
US encryption key. In the international version we take 24 of the 64 bit
encryption key and encrypt the 24 bits with the NSA's public key and send it,
encrypted strongly, along with the encrypted message. This means the NSA can
decrypt with their key and have 24 of the 64 bit key. They still have to break
the remaining 40 bits. 40 bit key encryption has been the max for exportable
encryption and that is what all other US exportable encryption providers
allow.
That limit has just been raised to 56 bits and we are incorporating that as I
type. In the worst case: the NSA's private key is compromised, the 40 bit
portion of the key still must be cracked. So we haven't weakened the security
of international encryption, but actually made it equal to the US security (to
everyone but the NSA). We are proud of this arrangement because we have found
a way to make Notes as secure as the US government will allow for our
international customers. If we hadn't used this technique all of the
international notes encrypted data would be with only a 40 bit key. As it
stands, the 64 bit key used in both US and international encryption is
extremely secure.
It's too bad the author of this article choose to attack Lotus Notes without
considering the options the US government provides. We could have just
shipped 40 bit encryption like MS, Netscape, etc. and leave our international
customers with weak encryption but we didn't. Oh well, you can't make everyone
understand, this confusing and frustrating stuff. I hope this helps.
ChrisArchitect 306 days ago [-]
(2002)
Some previous discussions all mentioning Lotus Notes in the title:
This and the Clipper Chip aren't NOBUS. The NSA doesn't want you to know that the cryptosystem has law-enforcement access capability. The FBI doesn't care if you know as the kinds of criminals they are attacking don't do OPSEC.
sneak 305 days ago [-]
NOBUS isn't just intentional vulnerabilities, it's any vulnerability assumed to only be exploitable by US IC, whether engineered or otherwise.
I think these qualify.
rvnx 305 days ago [-]
Well, the article mentions backdoor in Dual_EC_DRBG mostly targeting TLS/SSL communications, now we have Cloudflare, a much more scalable solution
tptacek 305 days ago [-]
Dual EC is sort of the archetypical NOBUS backdoor.
thesuitonym 305 days ago [-]
It's amazing to me that the folks at the NSA had enough self-reflection to see that this is Big Brother behavior, but not enough to realize why that's a bad thing.
masfuerte 305 days ago [-]
I'd guess that was snark from the Lotus engineer who embedded it.
w1nst0nsm1th 304 days ago [-]
The Lotus engineer embedded it, but was he the guy who created the key ?
w1nst0nsm1th 304 days ago [-]
The 'Big Brother' thing doesn't shock me, I know about it for some time now. At least you can still believe a modicum they maybe have good intentions... You know, protecting us from bad guys or something...
But the 'MiniTruth' thing... Wow,just wow...
Context: The Ministry Of Truth in the 1984 novel is the service dedicated to propaganda, in which the whole society is drowned. Everything about the society they live in is a lie...
It just blows away any hope of good intention from their part.
The last time I read about something so cynic, suggesting so much contempt for the people they pretend to serve, with such carelessness, is when it was revealed que FTX internal chatroom was called 'Wirefraud'.
consoomer 305 days ago [-]
Wasn't the original backdoor in a code example the NSA provided to companies interested in using cryptography? They gave an example seed or whatever, and most companies copy/pasted it instead of generating their own primes, so the NSA could break it trivially.
My memory around this is fuzzy and I can't seem to find the original source.
Later, in 2019, a 795 bit key was factored with CPU time that "amounted to approximately 900 core-years on a 2.1 GHz Intel Xeon Gold 6130 CPU. Compared to the factorization of RSA-768, the authors estimate that better algorithms sped their calculations by a factor of 3–4 and faster computers sped their calculation by a factor of 1.25–1.67."
So assuming the better algorithms transfer to smaller numbers, someone who knows how to use them (factoring big numbers seems significantly harder than just running CADO-NFS and pointing it at a number and a cluster) could probably do it in a couple months on a couple dozen modern machines.
For example, using the "795-bit computations should be 2.25 times harder than 768-bit
computations" from the publication accompanying the second factorization, we could assume 900/2.25 = 400 Core-years of the Xeon reference CPU (which is 6 years old by now) would be needed to break the smaller key with the modern software. Two dozen servers with 64 equivalently strong cores each would need slightly over 3 months. Not something a hobbyist would want to afford just for fun, but something that even a company with a moderate financial interest in doing could easily do, provided they had people capable of understanding and replicating this work.
I assume there is some reason why the past factorizations weren't done with GPUs. It could be just lack of a good implementation and insufficient numbers of people interested in the topic, but it could also be something about the algorithm not being very suitable for GPUs.
boastful_inaba 305 days ago [-]
CUDA only had its initial release in 2007 (compared to the mentioned crack in 2009), and I remember it being a fairly limited product at that point. GPUS were also much slower back then.
Oddly specific question, something in particular on your mind?
cmeacham98 305 days ago [-]
Presumably they are referring to the 760 bit RSA key this entire post is about.
15457345234 305 days ago [-]
But the header talks about a 64 bit key? I'm a bit lost actually.
Edit: Okay, I see it now. 64 bits of cipher of which 24 bits of that cipher are set to a value derived from a 760 bit pubkey.
305 days ago [-]
MaintenanceMode 305 days ago [-]
Now with the cloud none of this is necessary. With data at rest laws, all our email older than six months is open game.
93po 304 days ago [-]
i googled this and didnt see any obvious results as to what the laws are for a company like google to provide access to their data at rest to government agencies without a warrant/NSL
With no context, I don't know why this is front page news today. Am I missing something?
dredmorbius 306 days ago [-]
This would be a repost rather than a dupe.
HN considers dupes to be stories with significant discussion repeated within a year. (Items with little or no discussion can be resubmitted a few times.)
Stories reshared after a year are reposts, and are perfectly fine, though its appreciated to have the item's original publication year included in the title.
No. I'm pointing out that (a) it's not marked as being from 2002 and someone would therefore assume it was some newly discovered backdoor and (b) there's no context or commentary as to why it is relevant in 2023.
I've pinged mods to fix the year based on that, thanks.
boffinAudio 306 days ago [-]
I'd wager that its still relevant today because the NSA is still the worlds greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression, because we don't see it and simply don't care enough about the human rights violations, as a people, to reign in this out of control agency.
Bringing these articles to light is of great utility to those of us who do not consider the NSA state of affairs to be, in any way, tolerable.
acdha 306 days ago [-]
> the NSA is still the worlds greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression
I don’t approve of their actions but turning the hyperbole up to 11 doesn’t help. There are millions of people in China who’d love to be only that repressed, for example.
boffinAudio 305 days ago [-]
You can always rely on an American to bust out the China hate train when challenged on the facts of their own empires crimes ..
Did you miss the fact that the NSA is literally violating the human rights of billions of people (including the Chinese), while China in the meantime has brought a billion people out of poverty conditions into their new middle class?
>There are millions of people in China who’d love to be only that repressed, for example
I seriously doubt you understand the nature of this fallacy. Meanwhile, how many families live under a broken bridge in the USA, just because Mom got cancer? Those 1,000 black-ops CIA sites around the world - you know for sure what they are being used for, eh? No torture?
Seriously, get a grip. The moral authority you claim is a fallacy.
FredPret 306 days ago [-]
... are you serious?
You don't think military invasions & communist dictatorships constitute "wholesale violation of human rights at a massive scale"?
If the NSA is spying on people, that's an invasion of their privacy, but it is nothing in comparison to those other violations
boffinAudio 305 days ago [-]
Its a massive, wholesale violation of human rights, which can then be used as further justification for more atrocities and calamity at the hands of the US' military industrial complex ..
And yes, the USA is still the worlds worst violator of human rights, bar none. The NSA is why.
FredPret 304 days ago [-]
It's completely unreal that you can think this.
Russia is invading a sovereign country right now. Civilians are getting killed. You'll hopefully agree that getting killed is a human rights violation?
Saudi Arabia is invading Yemen.
North Korea is running a giant state apparatus that lets one man lord it over tens of millions; all his whims are satisfied while they go literally hungry.
Venezuela is ruled by a dictator - millions are hungry and poor. Families torn apart by mass emigration.
China has 1.5 BILLION people in economic and political pseudo-slavery. They don't really own anything and are more or less forced to go along with the government.
But boo-hoo, the NSA can read your texts, so they're the ultimate bad guy?
Dude.
boffinAudio 304 days ago [-]
The USA is invading a sovereign country right now. It has occupied 1/3rd of its territory with the specific goal of denying the people of that nation access to those resources needed to rebuild their shattered state.
>Civilians are getting killed.
The USA has dropped a bomb on innocent people every twenty minutes for the last twenty years. The state of Ukraine today is not even close to the atrocities committed by the USA.
>The open genocide of Yemen by a known fascist totalitarian authoritarian dictatorship, with the support of the US military
Saudi Arabia has been sold the weapons it needs for its genocide by the USA. The genocide of Yemen is 100% on the American people - it wouldn't happen without your states' complicity. All those resources being provided to 'stop' the 'genocide of Ukraine' - where are they while 10 million Yemeni children are being starved to death?
North Korea? They wish they had the ability to govern their nations mindset the way the West does.
China has lifted a billion people out of poverty into their new middle class. The USA, meanwhile, has all but eradicated its middle class.
The NSA are violating human rights at massive scale; the USA is the worlds #1 supporter of terror and exporter of calamity, and has committed decades of war crimes, crimes against humanity and massive violations of human rights at scale - with impunity - precisely because of the utter ignorance citizens (or are you military) such as yourself demonstrate...
kmeisthax 305 days ago [-]
The NSA violates privacy at scale - a lot of little violations of civil liberties. It's the difference between robbing a man for everything he has, versus pick-pocketing 30 cents out of the pocket of every person on the planet.
Furthermore, they're part of a larger intelligence apparatus that has absolutely committed very large and very harmful violations of civil liberties. The NSA's sister org, the CIA, was overthrowing democratically elected left-wingers in South America for decades, replacing them with brutal dictators and tyrants that gave both Hitler and Stalin runs for their money. The CIA wrote the book on how to do so, arguably even moreso than the KGB did. In fact, the reason why Russia today[0] is so effective at information warfare and covert propaganda is specifically because they learned from observation.
[0] Not(?) to be confused with Russia Today
tptacek 305 days ago [-]
If you're thinking about overseas signals intelligence, then, like the signals intelligence practice in every industrialized state in the world, the chartered purpose of NSA is to conduct those privacy violations. The safeguards we're given against NSA --- take them as seriously as you want --- are about domestic surveillance.
boffinAudio 305 days ago [-]
Just because Americans believe they have domestic rights being protected doesn't mean their intelligence apparatus isn't violating human rights at massive scale.
Yes, the purpose of the NSA is to violate human rights at scale. No, this is not a tolerable situation for those of us in the free world.
tptacek 304 days ago [-]
You keep saying "NSA", but you mean "the intelligence agencies of every industrialized country in the world".
boffinAudio 304 days ago [-]
No, you mean that - in order to justify the continued existence of the NSA - but I really do mean NSA when I state NSA.
There are no other intelligence agencies coming even close to the human rights violations committed every millisecond by the American people.
ollemasle 306 days ago [-]
Adding the date in the HN title would be better (it is not present in the article)
nonrandomstring 306 days ago [-]
I think a Microsoft coder recently came clean about some pretty funky
stuff from the 90s and 00's. Hope I didn't hallucinate that.
https://news.ycombinator.com/item?id=5846189
Before the software was released, Ray Ozzie and Kauffman openly described what they were doing at an RSA conference. This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
Also worth reading barrkel’s comment a couple comments down…
https://en.m.wikipedia.org/wiki/Crypto_Wars
Effectively and in short, you were prohibited by the US government from shipping strong encryption in any internationally distributed product. Which generally meant everything commercial.
Despite open source implementations of strong encryption existing (e.g. PGP et al.).
Now, no one bats an eye if you ship the most secure crypto you want. Then, it was a coin flip as to whether you'd feel the full weight of the US government legal apparatus.
It was a crazy, schizophrenic time.
Still is. To this day, we have to debate and justify ourselves to these people. They make us look like pedophiles for caring about this stuff. They just won't give up, they keep trying to pass these silly laws again and again. It's just a tiresome never ending struggle.
And that's in the US which is relatively good about this. Judges in my country were literally foaming at the mouth with rage when WhatsApp told them they couldn't provide decryption keys. Blocked the entire service for days out of spite, impacting hundreds of millions.
Should they even be considered 'judges' if they lack that authority?
Q-Anon is a current right wing conspiracy group that claims powerful democrats are trafficking children, the "we must protect our kids from XYZ" justification crosses political lines. But they aren't alone.
Back in the 90s there were a few years of "the satanic panic", where there were wild claims made about daycare centers doing unspeakable things to children, things that beggar belief just from a logistical perspective. People spent years in prison over this. There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Back in the 80s Tipper Gore, wife of then senator Al Gore, drove a campaign to label and censor music to "protect the children."
eg, children were coached into giving answers and making up scenarios. for instance, one child claimed that they were taken in an airplane and flown to a secret location with clowns and sex, then flown back to the class in time for their 2pm pickup. Stories about ritual animal sacrifice in their daycare room, stories about children being murdered even though none were reported missing.
> There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.
If opponents of strong encryption want a good-faith argument, they are free to admit that the actual reason strong encryption is "bad" is because it stops them from attacking and spying on everyone in the world, but I doubt they'll take that option.
That just weakens your own position.
The CD was a globally-legal image, and export-controlled strong crypto came on the floppy in countries where it was allowed.
https://winworldpc.com/product/windows-2000-high-encryption/...
But today it seems fundamentally obvious that once a single copy is leaked, it's all over... was that not true in 2000?
Filesharing at that time was just wild, by the way. It was far too easy to set up your client such that you were sharing the entire contents of your computer with the whole internet. More often than not, this was done by the kids in the family on the same machine where mom and dad had their work stuff plus their private finances.
So of course the files were leaked. If you were intending to share something illegal to distribute outside the US, you could easily get plausible deniability just by sharing everything on your computer and feigning ignorance.
This is beautiful.
Serial Port recently tried to set one up!
https://youtu.be/MEda7SQxh18
Even in the late 90s, 128kbps ISDN connections were not unheard of, and 256kbps DSL was rolling out as well.
Mostly off-topic, but your use of rhyme is reminiscent of https://www.youtube.com/watch?v=up863eQKGUI
To me, there are only two plausible explanations for the change:
1. The three letter agencies gave up on backdooring cryptography.
2. The three letter agencies successfully subverted the entire chain of trust.
Only one of them is consistent with a workforce consisting of highly motivated codebreaking professionals available working for many decades with virtually unlimited resources and minimal oversight.
The other is what people want to believe.
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
3. NSA realized that "frontal assaults" against encryption were a lot less fruitful than simply finding ways to access info once it has been decrypted.
Would have to search for the quote, but Snowden himself said exactly that, something along the lines of "Encryption works, and the NSA doesn't have some obscure 'Too Many Secrets' encryption breaking machine. But endpoint security is so bad that the NSA has lots of tools that can read messages when you do." And indeed, that's exactly what we saw in things like the Snowden revelations, Pegasus, and I'd argue even things like side-chain attacks.
Plus, I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means. In the case of something like TLS root certificates that makes sense, but there are many, many forms of cryptography (like cryptocurrency) where no keys are any more privileged than any other keys - there is no "chain of trust" to speak about in the first place.
There's a reason many corporate information security programs don't go overboard with mitigations for targeted, persistent, nation-state level attacks. Security is a set of compromises, and we've seen time and time again in industry that this sort of agency doesn't need to break your encryption to get what they need.
Not saying there couldn't be a targeted supply chain attack (that's essentially what was revealed in some of the Snowden leaks, e.g. targeting networking cables leased by big tech companies), but I don't believe there is some widely dispersed secret backdoor, even if just for the reason that it's too hard to keep secret.
Any analysis I could or should do?
Interesting, how would an X86 instruction with hardcoded 256-bit key would be detected? IIRC it's really hard to audit the instruction space for CISC architecture.
But I cannot believe they resisted the temptation to use that opportunity to get such an easy access to so many devices.
Consequently, if there is an ME-subversion, it's only deployed / part-replaced for extraordinary targets. Not "every system."
But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.
Otherwise, you need something in your OS to ship data back and forth between the ME and whatever NIC you have.
https://en.m.wikipedia.org/wiki/Intel_Management_Engine
This seems like as good a short-form intro as any: https://blogs.cisco.com/learning/security-in-network-design-...
But when targeting a random individual in a hurry, I think it would be handy to just use the build in backdoor.
You're right though, I guess I didn't mean to say that NSA would give up on or would not want back doors into widely deployed crypto algorithms, but even with Dual_EC_DRBG the suspicions were widely known and discussed before it was a NIST standard (i.e. I guess you could say it was a conspiracy, but it wasn't really a secret conspiracy), and the standard was withdrawn in 2014.
For one thing, they're interdicting hardware and inserting hardware implants:
https://www.theguardian.com/books/2014/may/12/glenn-greenwal...
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no-such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.
Anyway, just suggesting something that wouldn't require quantum cryptography.
If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.
Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?
Short of blocking the very essence of digital data spread and transactions, the three-letter agencies and the giant governments behind them realized that there was no way to effectively put that particular genie back in the bottle without fucking over too many other extremely well-connected commercial interests.
Thus, while they didn't entirely give up on their bullshit, and keep looking to find arguments for privacy subversion, they realized that roundabout methods were a usable practical course.
That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share and securely be applied by so many people, but governed by technocrats who do what they can to subvert meanwhile.
The fundamental math of crypto is secure, regardless of any conspiracy theories. AES-256, for example, can't just be broken by some secret Area 51 alien decoder ring. The mathematics of good modern crypto simply crush any human computing technology for breaking them regardless of budget. However, the agencies also know that in a complex world of half-assed civilian security and public habits, they still have enough methods to work with without delving into political firestorms.
The only true solution to distribution / piracy is for the file to be so big as to be inconvenient.
Which is why mp3 was such a game changer.
Similarly, most consumer devices have a few zero-days each year, if not more, so if you really want to decrypt someone's stuff, you just need to wait a few months.
I think that both your explanations are probably incorrect though. It's a bit of "neither" in this case.
They continue to backdoor all sorts of stuff (they recently were marketing and selling backdoored "secure" cell phones to crooks), and most chains of trust are weak enough in practice.
I don't understand why you think ACME means this. Can you explain?
The attacker could sign with their own key instead, but this is trivially observable to the target (they don’t end up with a correct cert, and it all gets logged in CT anyways.)
[1]: https://letsencrypt.org/how-it-works/
If the owner watches CT logs they will know about it (and you may need to jump through some more hoops once the target tries to renew their cert), but you get a lot of info in the meantime.
However, even with the full MITM here, this attack assumes that the attacker can proxy plaintext to the host. I'm not aware of many sites that allow sensitive actions (e.g. logging in) over HTTP anymore.
(And, as you note, this is detectable via CT. But it's fair to point out that many/most smaller operators probably aren't bothering to monitor public CT logs for unexpected issuances.)
Also, what threat model does SSL protect against that doesn’t involve an attacker in control of a hop in the path between the client and the server?
Yes, assuming the target has HTTPS. The context I originally assumed was one where the target doesn’t yet have a certificate and is using ACME to obtain one.
Separate from that, I agree that an attacker with the ability to demonstrate domain control can subvert issuance in a way that only CT, stapling, and other “post hoc” methods can detect.
I am now able to get a new certificate issued with ACME using the DNS-01 challenge. I set up one of my own servers as a proxy, HTTPS terminated with this new cert. I then have it proxy to the existing site (by IP address.) I then change the site's DNS to point to my own server. The users are no wiser, but I am able to intercept all traffic.
I interpreted the original comment that started this thread to imply an attack on ACME itself, not the fact that ACME can't detect the difference between someone who legitimately controls a domain and someone who illegitimately controls a domain. As far as I know, that's considered a more general defect in the Web PKI, one that predates ACME substantially.
[1]: https://news.ycombinator.com/item?id=37567200
The DNS based attack would be harder than doing that, for, say, a malicious cloud vendor to implement.
Also, you don’t need a private key to bootstrap a new domain with a new ACME provider.
Put another way: this is still not an issue with ACME itself, but the fact that the Web PKI is built on top of unauthenticated substrates (primarily DNS). If someone (like your cloud provider) can demonstrate control of your domain, then it is ipso facto their domain as well. ACME can’t solve that any more than the previous generation of DV techniques could.
https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-...
(this is speculation, I have no actual knowledge on this)
The most surprising thing to me is that, in speaking in the past several years with younger entrepreneurs, they're not even aware of the obligation to file for an export license for any/all software containing crypto (such as that submitted to the App Store).
I've not yet seen a case in which a mass market exemption isn't quickly granted, but devs still need to file - and re-file annually.
As in, currently.
Essentially Apple built a system so you have to agree to export restrictions with every single build you upload to Apple.
http://www.cnn.com/TECH/computing/9805/19/encryption/index.h...
http://www.opengroup.org/security/meetings/apr98/french-regu...
Or, we are currently experiencing a brief oasis of freedom in between extended periods of encryption lockdowns and controls.
https://www.goodreads.com/book/show/984428.Crypto?from_searc...
If you wanted to build in the U.S. you had to produce two versions of your product, one with “full encryption” and one with encryption hobbled.
Or you could go build one version somewhere else and import it into the U.S.
Also you couldn’t just ship products with a spot where crypto went and remove the crypto. API designs had to go through mental gymnastics to allow crypto without explicitly adding crypto. Which is why you have odd constructs that take strings as arguments and give you encryption back. Sometimes.
And since new languages copy patterns from old to remain familiar, these APIs are still frequently some of the most patience-testing.
Really boils my piss given a lot of it, upon inspection, just used OpenSSL under the hood.
https://developer.apple.com/documentation/security/complying...
Also, always makes you wonder, why the standards the OS ships with are exempt...
https://www.youtube.com/watch?v=vjkBAl84PJs
I’ve mostly used this to unpack ZyXEL firmware updates (reference below to this), but it also works on a lot of other stuff if you can get a partial plaintext. Some file formats headers might work.
https://www.fullspectrum.dev/the-hunt-for-cve-2023-28771-par...
The author states it correctly. Here is the text from the author "The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext"
Here is the text from the RSA conference.
Hello, 1st off please don't publish my name on your site. I'm too lazy to set up another cheezy mail acct. Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for lotus.) I sent him the file I downloaded and asked him what the deal was, and here's his response:
Some previous discussions all mentioning Lotus Notes in the title:
4 years ago
https://news.ycombinator.com/item?id=21859581
8 years ago
https://news.ycombinator.com/item?id=9291404
10 years ago
https://news.ycombinator.com/item?id=5846189
NSA's Backdoor Key from Lotus Notes (2002) - https://news.ycombinator.com/item?id=21859581 - Dec 2019 (87 comments)
NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=9291404 - March 2015 (51 comments)
NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=5846189 - June 2013 (85 comments)
https://en.wikipedia.org/wiki/Clipper_chip
https://en.wikipedia.org/wiki/Dual_EC_DRBG
I think these qualify.
But the 'MiniTruth' thing... Wow,just wow...
Context: The Ministry Of Truth in the 1984 novel is the service dedicated to propaganda, in which the whole society is drowned. Everything about the society they live in is a lie...
It just blows away any hope of good intention from their part.
The last time I read about something so cynic, suggesting so much contempt for the people they pretend to serve, with such carelessness, is when it was revealed que FTX internal chatroom was called 'Wirefraud'.
My memory around this is fuzzy and I can't seem to find the original source.
Later, in 2019, a 795 bit key was factored with CPU time that "amounted to approximately 900 core-years on a 2.1 GHz Intel Xeon Gold 6130 CPU. Compared to the factorization of RSA-768, the authors estimate that better algorithms sped their calculations by a factor of 3–4 and faster computers sped their calculation by a factor of 1.25–1.67."
So assuming the better algorithms transfer to smaller numbers, someone who knows how to use them (factoring big numbers seems significantly harder than just running CADO-NFS and pointing it at a number and a cluster) could probably do it in a couple months on a couple dozen modern machines.
For example, using the "795-bit computations should be 2.25 times harder than 768-bit computations" from the publication accompanying the second factorization, we could assume 900/2.25 = 400 Core-years of the Xeon reference CPU (which is 6 years old by now) would be needed to break the smaller key with the modern software. Two dozen servers with 64 equivalently strong cores each would need slightly over 3 months. Not something a hobbyist would want to afford just for fun, but something that even a company with a moderate financial interest in doing could easily do, provided they had people capable of understanding and replicating this work.
https://crypto.stackexchange.com/a/1982
Edit: Okay, I see it now. 64 bits of cipher of which 24 bits of that cipher are set to a value derived from a 760 bit pubkey.
With no context, I don't know why this is front page news today. Am I missing something?
HN considers dupes to be stories with significant discussion repeated within a year. (Items with little or no discussion can be resubmitted a few times.)
Stories reshared after a year are reposts, and are perfectly fine, though its appreciated to have the item's original publication year included in the title.
<https://news.ycombinator.com/item?id=37312416>
<https://news.ycombinator.com/newsfaq.html>
Also, on closer inspection the story is from 1997 https://catless.ncl.ac.uk/Risks/19.52.html#subj1
Bringing these articles to light is of great utility to those of us who do not consider the NSA state of affairs to be, in any way, tolerable.
I don’t approve of their actions but turning the hyperbole up to 11 doesn’t help. There are millions of people in China who’d love to be only that repressed, for example.
Did you miss the fact that the NSA is literally violating the human rights of billions of people (including the Chinese), while China in the meantime has brought a billion people out of poverty conditions into their new middle class?
>There are millions of people in China who’d love to be only that repressed, for example
I seriously doubt you understand the nature of this fallacy. Meanwhile, how many families live under a broken bridge in the USA, just because Mom got cancer? Those 1,000 black-ops CIA sites around the world - you know for sure what they are being used for, eh? No torture?
Seriously, get a grip. The moral authority you claim is a fallacy.
You don't think military invasions & communist dictatorships constitute "wholesale violation of human rights at a massive scale"?
If the NSA is spying on people, that's an invasion of their privacy, but it is nothing in comparison to those other violations
And yes, the USA is still the worlds worst violator of human rights, bar none. The NSA is why.
Russia is invading a sovereign country right now. Civilians are getting killed. You'll hopefully agree that getting killed is a human rights violation?
Saudi Arabia is invading Yemen.
North Korea is running a giant state apparatus that lets one man lord it over tens of millions; all his whims are satisfied while they go literally hungry.
Venezuela is ruled by a dictator - millions are hungry and poor. Families torn apart by mass emigration.
China has 1.5 BILLION people in economic and political pseudo-slavery. They don't really own anything and are more or less forced to go along with the government.
But boo-hoo, the NSA can read your texts, so they're the ultimate bad guy?
Dude.
>Civilians are getting killed.
The USA has dropped a bomb on innocent people every twenty minutes for the last twenty years. The state of Ukraine today is not even close to the atrocities committed by the USA.
>The open genocide of Yemen by a known fascist totalitarian authoritarian dictatorship, with the support of the US military
Saudi Arabia has been sold the weapons it needs for its genocide by the USA. The genocide of Yemen is 100% on the American people - it wouldn't happen without your states' complicity. All those resources being provided to 'stop' the 'genocide of Ukraine' - where are they while 10 million Yemeni children are being starved to death?
North Korea? They wish they had the ability to govern their nations mindset the way the West does.
China has lifted a billion people out of poverty into their new middle class. The USA, meanwhile, has all but eradicated its middle class.
The NSA are violating human rights at massive scale; the USA is the worlds #1 supporter of terror and exporter of calamity, and has committed decades of war crimes, crimes against humanity and massive violations of human rights at scale - with impunity - precisely because of the utter ignorance citizens (or are you military) such as yourself demonstrate...
Furthermore, they're part of a larger intelligence apparatus that has absolutely committed very large and very harmful violations of civil liberties. The NSA's sister org, the CIA, was overthrowing democratically elected left-wingers in South America for decades, replacing them with brutal dictators and tyrants that gave both Hitler and Stalin runs for their money. The CIA wrote the book on how to do so, arguably even moreso than the KGB did. In fact, the reason why Russia today[0] is so effective at information warfare and covert propaganda is specifically because they learned from observation.
[0] Not(?) to be confused with Russia Today
Yes, the purpose of the NSA is to violate human rights at scale. No, this is not a tolerable situation for those of us in the free world.
There are no other intelligence agencies coming even close to the human rights violations committed every millisecond by the American people.
He recently have a good talk at VCF, too: https://youtube.com/watch?v=Ig_5syuWUh0