NSA Backdoor Key from Lotus-Notes (1997) (cypherspace.org)
gregw2 276 days ago [-]
It’s worth reading Ray Ozzie’s (Lotus Notes creator)’s comment on this from a HN 2013 discussion:

https://news.ycombinator.com/item?id=5846189

Before the software was released, Ray Ozzie and Kauffman openly described what they were doing at an RSA conference. This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.

Also worth reading barrkel’s comment a couple comments down…

ethbr1 276 days ago [-]
For people younger than ~37, I'd remind them that crypto before 2000, especially in shipped commercial products, was playing under substantially different government restrictions.

https://en.m.wikipedia.org/wiki/Crypto_Wars

Effectively and in short, you were prohibited by the US government from shipping strong encryption in any internationally distributed product. Which generally meant everything commercial.

Despite open source implementations of strong encryption existing (e.g. PGP et al.).

Now, no one bats an eye if you ship the most secure crypto you want. Then, it was a coin flip as to whether you'd feel the full weight of the US government legal apparatus.

It was a crazy, schizophrenic time.

matheusmoreira 276 days ago [-]
> It was a crazy, schizophrenic time.

Still is. To this day, we have to debate and justify ourselves to these people. They make us look like pedophiles for caring about this stuff. They just won't give up, they keep trying to pass these silly laws again and again. It's just a tiresome never ending struggle.

And that's in the US which is relatively good about this. Judges in my country were literally foaming at the mouth with rage when WhatsApp told them they couldn't provide decryption keys. Blocked the entire service for days out of spite, impacting hundreds of millions.

MichaelZuo 275 days ago [-]
Can't 'judges' in any country block Whatsapp, or any software, for an indefinite period of time?

Should they even be considered 'judges' if they lack that authority?

a1369209993 276 days ago [-]
[flagged]
tasty_freeze 276 days ago [-]
I down-voted this and I'll say why. I'm pretty dang liberal in my politics; my push back isn't because I'm carrying water for right wing groups.

Q-Anon is a current right wing conspiracy group that claims powerful democrats are trafficking children, the "we must protect our kids from XYZ" justification crosses political lines. But they aren't alone.

Back in the 90s there were a few years of "the satanic panic", where there were wild claims made about daycare centers doing unspeakable things to children, things that beggar belief just from a logistical perspective. People spent years in prison over this. There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.

Back in the 80s Tipper Gore, wife of then senator Al Gore, drove a campaign to label and censor music to "protect the children."

E.g., children were coached into giving answers and making up scenarios. For instance, one child claimed that they were taken in an airplane and flown to a secret location with clowns and sex, then flown back to the class in time for their 2pm pickup. Stories about ritual animal sacrifice in their daycare room, stories about children being murdered even though none were reported missing.

a1369209993 275 days ago [-]
> the "we must protect our kids from XYZ" justification crosses political lines.

> There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.

Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.

If opponents of strong encryption want a good-faith argument, they are free to admit that the actual reason strong encryption is "bad" is because it stops them from attacking and spying on everyone in the world, but I doubt they'll take that option.

Akronymus 275 days ago [-]
> Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.

That just weakens your own position.

snakeyjake 276 days ago [-]
Windows 2000 came on a CD... and a floppy disk.

The CD was a globally-legal image, and export-controlled strong crypto came on the floppy in countries where it was allowed.

https://winworldpc.com/product/windows-2000-high-encryption/...

LeifCarrotson 276 days ago [-]
How hard would it have been for a "rogue state" to get a copy of that floppy? I understand that times were different, you couldn't just PGP encrypt it and attach a 1.44 MB blob to an email, sending it at 24 kbps. You couldn't just upload it to an anonymous filesharing site.

But today it seems fundamentally obvious that once a single copy is leaked, it's all over... was that not true in 2000?

semi-extrinsic 276 days ago [-]
Gnutella, including popular clients like LimeWire, were released around the same time as Windows 2000. People were doing decentralized filesharing of files larger than 1.44 MB just fine in 2000.

Filesharing at that time was just wild, by the way. It was far too easy to set up your client such that you were sharing the entire contents of your computer with the whole internet. More often than not, this was done by the kids in the family on the same machine where mom and dad had their work stuff plus their private finances.

So of course the files were leaked. If you were intending to share something illegal to distribute outside the US, you could easily get plausible deniability just by sharing everything on your computer and feigning ignorance.

nirav72 275 days ago [-]
Back in those days you didn't even need to be on LimeWire or eMule to look at the contents of someone's home PC. I remember around the late 90s/early 2000s, when I got DSL. This is before consumer grade routers became a common thing in the household. So most people had their PC connected directly to their DSL box. Browsing through Windows shares on other people's home PCs was one of the easiest things to do.
NL807 275 days ago [-]
eDonkey and eMule were fire during those years.
nurettin 275 days ago [-]
With DC++ and a fiber network connecting major universities in Germany at 10 megabytes/s, it was more than fire. I remember downloading the entire ** trilogy in minutes.
wmf 276 days ago [-]
Of course all that stuff was leaked (and there were anonymous filesharing sites). The whole export-grade crypto thing was a legal fig leaf.
pdw 276 days ago [-]
It was all extremely silly. Debian took a different approach: before 2005, they put all crypto packages in a separate "non-US" archive, hosted in the Netherlands. American developers weren't allowed to upload there. That way, Debian never exported crypto code from the United States, it only ever imported it.
wmf 276 days ago [-]
Yep, US export restrictions ended up spurring foreign investment in crypto like Thawte (founded by Mark Shuttleworth) and SSLeay (later forked as OpenSSL).
eastbound 275 days ago [-]
There was a story of a hundred programmers taking the program PRINTED ON PAPER to a conference in Sweden to type it in again, because somehow export of binaries was forbidden but not the printed version of it. Is it true? Which event organized this?
wmf 275 days ago [-]
The PGP source code was published as a book so that it could be exported under the theory that the first amendment beats ITAR. https://philzimmermann.com/EN/essays/BookPreface.html
notpushkin 275 days ago [-]
> A book comprised entirely of thousands of lines of source code looks pretty dull. But then so does a nondescript fragment of concrete -- unless it happens to be a piece of the Berlin Wall, which many people display on their mantels as a symbol of freedom opening up for millions of people. Perhaps in the long run, this book will help open up the US borders to the free flow of information.

This is beautiful.

sillywalk 276 days ago [-]
I believe OpenBSD (based in Canada) was in a similar situation.
icedchai 276 days ago [-]
It was. People were sharing pirated software on BBSes 40 years ago! Downloading a floppy might take an hour. In the 90's, I knew kids who got jobs at ISPs just so they could run warez FTP sites off of the T1.
fragmede 275 days ago [-]
Oh man, a T1. That brings back memories.

Serial Port recently tried to set one up!

https://youtu.be/MEda7SQxh18

icedchai 275 days ago [-]
Yes! In the early 90's, anyone with a T1 was almost god like. Most local ISPs were still connected with 56k or maybe fractional T1 lines.
0xbadcafebee 275 days ago [-]
Fast forward to 2000: T1 lines were still being used, but ADSL deployment was growing like wildfire. Some providers were legendary for offering synchronous DSL with extremely few limitations, for a fraction of the cost of a T1. That's what really kicked off a new generation of distributed file sharing. Nothing today compares; the dark web is a tiny blip in the ocean that was the 2000's file sharing scene.
icedchai 275 days ago [-]
I'm skeptical. In terms of actual usage, there are many, many more people online today. Many people are sharing torrents over their broadband connections: entire movies, all seasons of a show. We won't even get into the piracy of books! I think the piracy scene today is much bigger.
0xbadcafebee 275 days ago [-]
There is more bandwidth used today, but there was so much more shared material before. The most heinous illegal shit you could imagine would just float over the network through your node. Your dad's QuickBooks files were downloaded by strangers, along with your family photos. Corporate records, lists of social security numbers kept on a hospital computer. Anything you could imagine. It's vastly different today; the content you can get is curated, only select things get put onto services, and takedown notices often get them dropped. Nothing was taken down back in the day, nobody was watching, and there was no filter. I saw things at 17 that no kid today could possibly get access to. The nature of file sharing today just isn't an open tap like it used to be. You have to try hard to publish or retrieve stuff today; back then it was almost accidental.
Akronymus 275 days ago [-]
dark or deep web? Because the dark web is HUGE. But the deep one not so much.
rconti 276 days ago [-]
We were sharing lots of 3-7MB files peer-to-peer at the time :D Napster, Limewire, Audiogalaxy, etc. Plenty of public FTP sites all over the place as well.

Even in the late 90s, 128kbps ISDN connections were not unheard of, and 256kbps DSL was rolling out as well.

netsharc 275 days ago [-]
Damn, Audiogalaxy! That takes me back! A simple Windows client for downloading (and, well, uploading), and to search and download you go to their website, login and add stuff to your queue (although I barely remember what the website looked like). Sooner or later someone with the files you want would come online and your computer would begin downloading from their computer.
hunter2_ 276 days ago [-]
> a copy of that floppy

Mostly off-topic, but your use of rhyme is reminiscent of https://www.youtube.com/watch?v=up863eQKGUI

mgerdts 275 days ago [-]
A few years before that plenty of people were downloading 30ish floppy images over modems to install Slackware or SLS.
pdntspa 275 days ago [-]
In 2000 there was absolutely nothing stopping you from connecting to an FTP server and uploading whatever you wanted, other than time and bandwidth.
brudgers 276 days ago [-]
Now, no one bats an eye if you ship the most secure crypto you want.

To me, there are only two plausible explanations for the change:

1. The three letter agencies gave up on backdooring cryptography.

2. The three letter agencies successfully subverted the entire chain of trust.

Only one of them is consistent with a workforce consisting of highly motivated codebreaking professionals available working for many decades with virtually unlimited resources and minimal oversight.

The other is what people want to believe.

https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

hn_throwaway_99 276 days ago [-]
I think a 3rd option is actually much more likely and (semi) less conspiratorial:

3. NSA realized that "frontal assaults" against encryption were a lot less fruitful than simply finding ways to access info once it has been decrypted.

Would have to search for the quote, but Snowden himself said exactly that, something along the lines of "Encryption works, and the NSA doesn't have some obscure 'Too Many Secrets' encryption breaking machine. But endpoint security is so bad that the NSA has lots of tools that can read messages when you do." And indeed, that's exactly what we saw in things like the Snowden revelations, Pegasus, and I'd argue even things like side-chain attacks.

Plus, I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means. In the case of something like TLS root certificates that makes sense, but there are many, many forms of cryptography (like cryptocurrency) where no keys are any more privileged than any other keys - there is no "chain of trust" to speak about in the first place.

smolder 276 days ago [-]
I've long (post-Snowden?) estimated the NSA's capabilities are roughly what you imply. Lots of implementation-specific attacks, plus a collection of stolen/coerced/reversed TLS certs so they can MITM a great deal of web traffic. US-based cloud represents another big backdoor for them to everyone's data there, I think.
sethhochberg 276 days ago [-]
They've presumably got a pretty vested interest in making sure most communications are legitimately secure against most common attacks - arguably good for national security overall, but doubly good for making sure that if anyone can find a novel way in, it's them, and not any of their adversarial peers.

There's a reason many corporate information security programs don't go overboard with mitigations for targeted, persistent, nation-state level attacks. Security is a set of compromises, and we've seen time and time again in industry that this sort of agency doesn't need to break your encryption to get what they need.

hutzlibu 276 days ago [-]
When the NSA for example has access to the Intel ME or AMD's version of it (and I think they do) then they surely don't need to break any encryption. They don't even need to hack. They would just have direct access to most desktops/servers.
hn_throwaway_99 276 days ago [-]
Even this is too conspiratorial for me. Not because I believe the NSA wouldn't like access, but because it's not the best approach. Convincing Intel or AMD to have a hidden back door, and to somehow keep it hidden, is a nearly impossible task. Compare that with just hunting for 0-days like the rest of the world, which the NSA has shown to be quite good at.

Not saying there couldn't be a targeted supply chain attack (that's essentially what was revealed in some of the Snowden leaks, e.g. targeting networking cables leased by big tech companies), but I don't believe there is some widely dispersed secret backdoor, even if just for the reason that it's too hard to keep secret.

smolder 276 days ago [-]
At a minimum, it's a thing that certain security conscious consumers (cough DoD) were able to get Intel to include a hidden (not typically user accessible) bios flag for disabling most features of the management engine. So they're at least concerned about it as a security risk. That doesn't necessarily mean they also have backdoors into it, but it's not crazy to think they might. It's hard to be too conspiratorially minded with respect to intelligence stuff, if you aren't making the mistake of treating suppositions as facts.
dannyw 276 days ago [-]
I have a workstation bought from eBay that has a “ME DISABLED” sticker on the chassis.

Any analysis I could or should do?

mkup 276 days ago [-]
Run Intel MEInfo utility, check if it reports "Alt Disable Mode" or anything like that. Article for some context: https://web.archive.org/web/20170828150536/http://blog.ptsec...
maqp 275 days ago [-]
> Convincing Intel or AMD to have a hidden back door, and to somehow keep it hidden, is a nearly impossible task

Interesting, how would an x86 instruction with a hardcoded 256-bit key be detected? IIRC it's really hard to audit the instruction space for a CISC architecture.

hutzlibu 276 days ago [-]
Well sure, they would not use it for everyday standard cases to limit exposure. Intel does have something to lose if this became public knowledge.

But I cannot believe they resisted the temptation to use that opportunity to get such an easy access to so many devices.

ethbr1 276 days ago [-]
Parent's point is that its very existence (not just use, as this is hardware/firmware we're talking about) in widely deployed form would be too risky.

Consequently, if there is an ME-subversion, it's only deployed / part-replaced for extraordinary targets. Not "every system."

hutzlibu 276 days ago [-]
Huh? As far as I know every Intel ME has access to the internet, can receive push firmware updates and has write access to everything else on the system. It does not need a modified version; they can just use the official way, the normal Intel ME on target devices, if they can cloak their access to the official server, which I think could be achieved by using just the key of the official server and then using another server posing as the official server.

But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.

toast0 276 days ago [-]
I don't think that's the case. Don't you need to have a selected NIC, integrated properly to get the Intel ME network features? Typically branded as "Intel vPro"

Otherwise, you need something in your OS to ship data back and forth between the ME and whatever NIC you have.

bonzini 276 days ago [-]
vPro, also known as AMT, is proprietary and it's for professional desktop and laptop systems. ME instead is based on IPMI and is for server-class systems.
toast0 275 days ago [-]
Are they reusing the name to be more confusing? Intel ME calls to mind the management engine that's been embedded in most Intel based computers for the last 15 or so years.

https://en.m.wikipedia.org/wiki/Intel_Management_Engine

ethbr1 276 days ago [-]
That's... definitely not how sensitive networks work. To say nothing of airgapped ones.

This seems like as good a short-form intro as any: https://blogs.cisco.com/learning/security-in-network-design-...

hutzlibu 276 days ago [-]
I would believe really sensitive networks have ME deactivated anyway and need other, specialised infiltration methods.

But when targeting a random individual in a hurry, I think it would be handy to just use the built-in backdoor.

wavesquid 275 days ago [-]
The trouble is, as far as I know, that the ME cannot be deactivated. Even if you are a really sensitive network. Your option is to find some of the few Intel chips without it, or find another chip vendor. This often means you can't use common off the shelf systems, so now you can be a victim of a targeted supply chain attack.
smolder 276 days ago [-]
Attacking machines directly over the network is dangerous for them from the standpoint of detection, though. You can bet that any ME/PSP remote access exploits are used very carefully due to potential detection.
knewter 276 days ago [-]
Did you forget about NIST curve recommendations?
hn_throwaway_99 276 days ago [-]
Not at all, considering that coincidentally just yesterday I was having an HN discussion on an unrelated topic about DJ Bernstein, https://en.wikipedia.org/wiki/Daniel_J._Bernstein#Cryptograp....

You're right though, I guess I didn't mean to say that NSA would give up on or would not want back doors into widely deployed crypto algorithms, but even with Dual_EC_DRBG the suspicions were widely known and discussed before it was a NIST standard (i.e. I guess you could say it was a conspiracy, but it wasn't really a secret conspiracy), and the standard was withdrawn in 2014.

knewter 275 days ago [-]
Do you believe NIST stopped trying to backdoor curves in 2014?
maqp 275 days ago [-]
> I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means.

For one thing, they're interdicting hardware and inserting hardware implants:

https://www.theguardian.com/books/2014/may/12/glenn-greenwal...

wkat4242 276 days ago [-]
I think that's basically what the parent's #2 point implies.
ethbr1 276 days ago [-]
IMHO, the IC gave up on the feasibility of maintaining hegemony over encryption, particularly in the face of non-corporate open source. You can't sue a book / t-shirt / anonymous contributors.

Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.

Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?

In reality, the NSA's preference would likely be that no such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.

Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.

chaxor 276 days ago [-]
I don't know much about hardware, but is it not possible that there is a small part of a chip somewhere deep in the highly complex systems we have that simply intercepts prior to encryption and, if some condition is met (a remote connection sets a flag via hardware set keys), encrypts/sends the data elsewhere? Something like that anyway. It seems possible, but idk how plausible it is, and if things like the Linux kernel would be likely to not report on it, if the hardware is not known enough.

Anyway, just suggesting something that wouldn't require quantum cryptography.

ethbr1 276 days ago [-]
As pointed out by another comment above, exfiltration then becomes the risky step.

If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.

Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?

yomlica8 276 days ago [-]
Seems like you could just blast it out on one of the endless Microsoft telemetry or update channels that are chatting away all day and either intercept outside the network or with Microsoft's help. Only way to protect against that would be blocking all internet access.
southernplaces7 276 days ago [-]
I don't buy that it has to be just one or the other. Fundamentally, crypto is just very dense information and once it became widely enough standardized by people who could easily share and apply it commercially, getting even the strongest crypto to the most basic user becomes extremely easy.

Short of blocking the very essence of digital data spread and transactions, the three-letter agencies and the giant governments behind them realized that there was no way to effectively put that particular genie back in the bottle without fucking over too many other extremely well-connected commercial interests.

Thus, while they didn't entirely give up on their bullshit, and keep looking to find arguments for privacy subversion, they realized that roundabout methods were a usable practical course.

That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share and securely be applied by so many people, but governed by technocrats who do what they can to subvert meanwhile.

The fundamental math of crypto is secure, regardless of any conspiracy theories. AES-256, for example, can't just be broken by some secret Area 51 alien decoder ring. The mathematics of good modern crypto simply crush any human computing technology for breaking them regardless of budget. However, the agencies also know that in a complex world of half-assed civilian security and public habits, they still have enough methods to work with without delving into political firestorms.

ethbr1 275 days ago [-]
I've always thought the ratio of average residential network bandwidth to average file size is underappreciated as an arbiter of change.

The only true solution to distribution / piracy is for the file to be so big as to be inconvenient.

Which is why mp3 was such a game changer.

southernplaces7 275 days ago [-]
I'm sorry? Responding to the wrong comment?
ethbr1 275 days ago [-]
> > That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share...
hedora 276 days ago [-]
Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (modulo certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).

Similarly, most consumer devices have a few zero-days each year, if not more, so if you really want to decrypt someone's stuff, you just need to wait a few months.

I think that both your explanations are probably incorrect though. It's a bit of "neither" in this case.

They continue to backdoor all sorts of stuff (they recently were marketing and selling backdoored "secure" cell phones to crooks), and most chains of trust are weak enough in practice.

woodruffw 276 days ago [-]
> Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (modulo certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).

I don't understand why you think ACME means this. Can you explain?

icedchai 276 days ago [-]
Not the original poster, but if you can control responses to and from a server (MITM) you can get a TLS/SSL certificate issued for it easily. In the old days, getting a cert was quite a hassle! You used to have to fill out paperwork and perhaps even talk to a human. It could literally take weeks.
woodruffw 276 days ago [-]
I don’t think a MITM would be sufficient to fool ACME. As Let’s Encrypt’s guide explains[1], an attacker in the middle would still fail to possess the target’s private key. As a result, the proof of possession check would fail.

The attacker could sign with their own key instead, but this is trivially observable to the target (they don’t end up with a correct cert, and it all gets logged in CT anyways.)

[1]: https://letsencrypt.org/how-it-works/

rcxdude 275 days ago [-]
If you have a full MITM (you can do anything you like with all traffic to/from the target), you just do your own ACME validation with the target's domain without involving the target at all. Then you use that to MITM the SSL on any connections to the target (terminate SSL between the other side and your middlebox, then push the plaintext into your target, which is unaware anything has changed at all).

If the owner watches CT logs they will know about it (and you may need to jump through some more hoops once the target tries to renew their cert), but you get a lot of info in the meantime.

woodruffw 275 days ago [-]
Sure, but this has nothing to do with ACME itself. The attack model here is "if the attacker is effectively in control of the domain, then they can demonstrate that control." That's a way stronger posture than being able to maliciously MITM a specific ACME session, which (I think) is what the original concern was.

However, even with the full MITM here, this attack assumes that the attacker can proxy plaintext to the host. I'm not aware of many sites that allow sensitive actions (e.g. logging in) over HTTP anymore.

(And, as you note, this is detectable via CT. But it's fair to point out that many/most smaller operators probably aren't bothering to monitor public CT logs for unexpected issuances.)

hedora 274 days ago [-]
The attacker could just proxy the plaintext by issuing HTTPS requests to the backend server instead of issuing HTTP requests.

Also, what threat model does SSL protect against that doesn’t involve an attacker in control of a hop in the path between the client and the server?

woodruffw 274 days ago [-]
> The attacker could just proxy the plaintext by issuing HTTPS requests to the backend server instead of issuing HTTP requests.

Yes, assuming the target has HTTPS. The context I originally assumed was one where the target doesn’t yet have a certificate and is using ACME to obtain one.

Separate from that, I agree that an attacker with the ability to demonstrate domain control can subvert issuance in a way that only CT, stapling, and other “post hoc” methods can detect.

fragmede 275 days ago [-]
Would the target get notified by LetsEncrypt about this scenario though? Let's say I setup Certbot on my server. I'm not watching CT logs. How would I know about the double issuance?
woodruffw 275 days ago [-]
I don’t think it would be a double issuance; it’d be either a failed issuance or a single issuance with a single unexpected key. In other words: the target would end up in an error state, and they could use CT to determine what happened.
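The detection the thread keeps returning to is "watch the CT logs for your own domain". The script below is an added example, not code from the thread, from Let's Encrypt or from any CT monitoring tool. It models the check an operator would run after parsing log entries: every certificate that covers the watched domain is compared against the operator's own known public-key fingerprints and expected issuers, and anything else is reported. The entry shape (`Issuance`), the log contents and the SPKI bytes are all constructed for the example; a real CT entry is a Merkle tree leaf carrying a DER certificate, from which these fields would be extracted first.

```python
"""Flag unexpected certificate issuances for a domain from CT log data.

Added example (constructed data, not a real CT client). Real CT logs
serve Merkle leaves containing DER certificates; this models the fields
an operator cares about once those certificates have been parsed.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Issuance:
    """One certificate seen in a CT log (simplified, constructed shape)."""
    log_index: int          # position in the log
    issuer: str             # CA common name
    names: Tuple[str, ...]  # subject alternative names
    spki_sha256: str        # hex SHA-256 of the SubjectPublicKeyInfo
    not_before: str         # validity start, ISO date


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo, hex encoded."""
    return hashlib.sha256(spki_der).hexdigest()


def covers(name: str, domain: str) -> bool:
    """True if a SAN entry (exact, subdomain or wildcard) applies to domain."""
    return name == domain or name.endswith("." + domain)


def audit(entries: Iterable[Issuance], domain: str,
          known_fingerprints: Set[str],
          expected_issuers: Set[str]) -> List[Tuple[int, str]]:
    """Return (log_index, reason) for every issuance covering `domain`
    that uses a key the operator does not hold or a CA they do not use.
    A cert for a key you never generated is exactly the 'single issuance
    with a single unexpected key' an interposed ACME run would leave."""
    findings = []
    for entry in entries:
        if not any(covers(n, domain) for n in entry.names):
            continue
        reasons = []
        if entry.spki_sha256 not in known_fingerprints:
            reasons.append("unknown key")
        if entry.issuer not in expected_issuers:
            reasons.append("unexpected issuer")
        if reasons:
            findings.append((entry.log_index, ", ".join(reasons)))
    return findings


# Constructed sample data: the operator's own key versus someone else's.
OWN_FP = spki_fingerprint(b"constructed-spki-bytes-for-example.test")
OTHER_FP = spki_fingerprint(b"constructed-spki-bytes-of-someone-else")

SAMPLE_LOG = [
    # legitimate renewal by the operator
    Issuance(101, "Let's Encrypt", ("example.test",), OWN_FP, "2024-01-03"),
    # same names, but a key the operator never generated
    Issuance(102, "Let's Encrypt", ("example.test", "www.example.test"),
             OTHER_FP, "2024-01-04"),
    # unrelated domain, ignored
    Issuance(103, "Other CA", ("other.test",), OTHER_FP, "2024-01-04"),
    # operator's key, but issued by a CA they do not use
    Issuance(104, "Some Other CA", ("*.example.test",), OWN_FP, "2024-01-05"),
]


def main() -> None:
    for idx, reason in audit(SAMPLE_LOG, "example.test",
                             {OWN_FP}, {"Let's Encrypt"}):
        print(f"log entry {idx}: {reason}")


if __name__ == "__main__":
    main()
```

The key-fingerprint comparison is the important half: an issuer check alone would pass entry 102, which is the case where an attacker demonstrated domain control to the same CA the operator uses. Keeping the fingerprints of every key you have ever deployed (not just the current one) avoids false alarms on old, still-logged certificates.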
icedchai 275 days ago [-]
What if they're getting a new certificate and proxying the traffic? As long as the cert looks okay to the end user, they're not going to notice for a while.
woodruffw 275 days ago [-]
Perhaps I’m misunderstanding what you’re saying, but this still doesn’t break the scheme: an attacker who interposes on ACME with their own private key is going to result in a CSR response for the wrong private key being sent back to the target server, which should cause an alertable failure. Even if this is somehow not checked (this would be a serious vulnerability in an ACME client!), the targeted server would end up serving a certificate that it can’t actually use (because it doesn’t have the private half).
icedchai 275 days ago [-]
I think you're misunderstanding. Say as an attacker, I am able to get control of the DNS zone for a target. We will assume the site is not using an ACME issued cert, but some other provider.

I am now able to get a new certificate issued with ACME using the DNS-01 challenge. I set up one of my own servers as a proxy, HTTPS terminated with this new cert. I then have it proxy to the existing site (by IP address.) I then change the site's DNS to point to my own server. The users are no wiser, but I am able to intercept all traffic.

woodruffw 275 days ago [-]
Okay, I think I understand what you're saying now: this is similar to the attack described by 'rcxdude here[1].

I interpreted the original comment that started this thread to imply an attack on ACME itself, not the fact that ACME can't detect the difference between someone who legitimately controls a domain and someone who illegitimately controls a domain. As far as I know, that's considered a more general defect in the Web PKI, one that predates ACME substantially.

[1]: https://news.ycombinator.com/item?id=37567200

icedchai 275 days ago [-]
Yes, it is the same. I agree, it is not ACME's fault, ACME just makes it simpler due to the automation.
hedora 274 days ago [-]
ACME doesn’t require control over the DNS record though. It has a mode where it issues a challenge and you put it on port 80 of your web server.

The DNS based attack would be harder than doing that, for, say, a malicious cloud vendor to implement.

Also, you don’t need a private key to bootstrap a new domain with a new ACME provider.

woodruffw 274 days ago [-]
The HTTP-based challenge is similar in scope to the DNS one: an attacker would still need the target’s private key to actually impersonate the ACME session itself.

Put another way: this is still not an issue with ACME itself, but the fact that the Web PKI is built on top of unauthenticated substrates (primarily DNS). If someone (like your cloud provider) can demonstrate control of your domain, then it is ipso facto their domain as well. ACME can’t solve that any more than the previous generation of DV techniques could.

icedchai 274 days ago [-]
I understand. I just used the DNS challenge as an example. I generally use the DNS challenge since I can assign certs on my private network more easily (the zone is public.)
sandworm101 276 days ago [-]
They aren't backdooring modern open-source encryption. They may have some elite knowledge about some esoteric corner of the code that allows them to theoretically throw a data center at the problem for a month or two, but the days of easy backdoors to decrypting everything in real time are gone imho. It is just too easy to implement mathematically-strong encryption these days. Too many people know how to do it from scratch. The NSA's real job is keeping American systems safe. That is done through creating the best encryption possible. They are very good at that job.
yencabulator 273 days ago [-]
"We kill people based on metadata." -- former head of NSA Gen. Michael Hayden

https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-...

intelVISA 276 days ago [-]
Fighting against crypto is a public and costly affair, it was deemed easier to twist Intel/AMD's arm a little on the silicon level.
jraph 276 days ago [-]
I see another plausible explanation: The NSA is concerned with maintaining security of its own / the government's infrastructure / is interested in finding breaches in infrastructures of others.

(this is speculation, I have no actual knowledge on this)

lern_too_spel 276 days ago [-]
Only one is consistent with the documents that have been leaked since the change to export restrictions. The other is what the marketing department at Reynolds Wrap would like you to believe.
rozzie 275 days ago [-]
"Now, no one bats an eye if you ship the most secure crypto you want."

The most surprising thing to me is that, in speaking in the past several years with younger entrepreneurs, they're not even aware of the obligation to file for an export license for any/all software containing crypto (such as that submitted to the App Store).

I've not yet seen a case in which a mass market exemption isn't quickly granted, but devs still need to file - and re-file annually.

justinclift 275 days ago [-]
Is that still a requirement for US developers?

As in, currently.

lstamour 275 days ago [-]
When you submit the documentation via Apple, also submitting it to the government is not necessary: https://developer.apple.com/documentation/security/complying...

Essentially Apple built a system so you have to agree to export restrictions with every single build you upload to Apple.

pkaye 276 days ago [-]
Not just US but other countries had their own restrictions. For example I think France didn't allow anything better than 40-bit encryption without key escrow.

http://www.cnn.com/TECH/computing/9805/19/encryption/index.h...

http://www.opengroup.org/security/meetings/apr98/french-regu...

bo1024 276 days ago [-]
> It was a crazy, schizophrenic time.

Or, we are currently experiencing a brief oasis of freedom in between extended periods of encryption lockdowns and controls.

Jerrrry 276 days ago [-]
Yup, networks with a neuron count above a certain threshold (2+T?) will likely be on the IDAR restriction list again.
bagels 276 days ago [-]
ITAR? Also, was there a time where there was a restriction based on neuron count?
SkyMarshal 276 days ago [-]
What’s a neuron count?
bagels 276 days ago [-]
Neuron in a neural network. Not sure if the parent is talking about models, software or hardware though.
UI_at_80x24 276 days ago [-]
For anybody who hasn't already read it, I highly recommend the book: "Crypto" by Steven Levy. I was 30% of my way through the book before I started recognizing real world events, news stories, whispered computer secrets; and realized that it wasn't a fictional book and was instead talking about real history.

https://www.goodreads.com/book/show/984428.Crypto?from_searc...

hkt 275 days ago [-]
Fabulous book, I found it in a public library when I was 15 or so and it was a hell of an education. Not least because I was already reading about tor and i2p. I'd recommend it to anyone - the story about Phil Zimmermann printing the code to PGP in a book made me laugh my head off.
r3trohack3r 276 days ago [-]
IIRC this is part of what shifted hardware manufacturing out of the US.

If you wanted to build in the U.S. you had to produce two versions of your product, one with “full encryption” and one with encryption hobbled.

Or you could go build one version somewhere else and import it into the U.S.

mike50 275 days ago [-]
Similar situation with space hardware. Even COTS memory chips hardened for radiation and space are ITAR export restricted.
stephen_g 275 days ago [-]
Yeah, I worked at a company up to a few years ago where it was actually a huge competitive advantage for us not being in the US, because the products we designed, manufactured and sold (full satcom terminals as well as the microwave converters in them) would have been ITAR if they came from the US (being ‘dual use’).
archgoon 276 days ago [-]
I had never heard of this particular aspect of demanufacturing, that's fascinating. Do you know of any products where this was a deciding factor, or at least a major consideration? (I recognize you probably can't easily cite internal corporate documents)
hinkley 276 days ago [-]
Except to Iran, Syria, North Korea…

Also you couldn’t just ship products with a spot where crypto went and remove the crypto. API designs had to go through mental gymnastics to allow crypto without explicitly adding crypto. Which is why you have odd constructs that take strings as arguments and give you encryption back. Sometimes.

And since new languages copy patterns from old to remain familiar, these APIs are still frequently some of the most patience-testing.

wkat4242 276 days ago [-]
It's not completely gone. If you implement crypto in an iOS app you have to get an "export license" even if you're not based in the US or publish your app there.
fullspectrumdev 276 days ago [-]
I’ve had to sign ITAR related paperwork a few times for commercial software specifically because it was made in the US and being “exported” to the UK.

Really boils my piss given a lot of it, upon inspection, just used OpenSSL under the hood.

brokenmachine 275 days ago [-]
I'm in Australia and had to sign ITAR paperwork to order a Bluetooth evaluation board.
forgetfreeman 276 days ago [-]
That this is no longer the case is a fairly strong indication that The Powers That Be have durably resolved the issue of decryption.
hoc 275 days ago [-]
Well... some folks still do care.

https://developer.apple.com/documentation/security/complying...

Also, it always makes you wonder why the standards the OS ships with are exempt...

convolvatron 276 days ago [-]
and I believe it was a major contributor to us having poor infrastructure for PKI protocols today, since these restrictions meant that it was pointless to try to bake them into standards
CTDOCodebases 276 days ago [-]
An ex Microsoft dev did a good breakdown video of NSAkey:

https://www.youtube.com/watch?v=vjkBAl84PJs

13of40 276 days ago [-]
It was an interesting time. I forget the person's name, but I talked briefly with the guy who implemented the crc32 and encryption algorithms for ZIP, and he (almost apologetically) said the encryption was designed to be exportable under those laws. It's still not trivial to break, but you can test millions of passwords on a ZIP archive entry in the time it takes to try one on a modern Office document.
fullspectrumdev 276 days ago [-]
Partial known plaintext attacks are very, very useful when cracking ZIP “encryption”.

I’ve mostly used this to unpack ZyXEL firmware updates (reference below to this), but it also works on a lot of other stuff if you can get a partial plaintext. Some file formats headers might work.

https://www.fullspectrum.dev/the-hunt-for-cve-2023-28771-par...

grammers 276 days ago [-]
Whether secret or not, it was a backdoor that could be/was exploited. Today governments are asking for 'secret backdoors' from tech companies, not seeing the immense risks. Crazy times.
gadders 275 days ago [-]
None of this was secret. I worked at Lotus in the mid-90s and there were 2 versions of Lotus Notes, one for the US and the other labelled "International".
thewanderer1983 275 days ago [-]
>This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.

The author states it correctly. Here is the text from the author "The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext"

Here is the text from the RSA conference.

Hello, 1st off please don't publish my name on your site. I'm too lazy to set up another cheezy mail acct. Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for lotus.) I sent him the file I downloaded and asked him what the deal was, and here's his response:

      Here's the necessary info to truly understand the issue here; a speech by Ray
      Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is
      that notes provides superior exportable encryption technology when compared to
      other US products on the market. For anyone (but the NSA) to crack our
      international encryption keys they must crack a 64 bit key, the same as with a
      US encryption key. In the international version we take 24 of the 64 bit
      encryption key and encrypt the 24 bits with the NSA's public key and send it,
      encrypted strongly, along with the encrypted message. This means the NSA can
      decrypt with their key and have 24 of the 64 bit key. They still have to break
      the remaining 40 bits. 40 bit key encryption has been the max for exportable
      encryption and that is what all other US exportable encryption providers 
      allow.
      That limit has just been raised to 56 bits and we are incorporating that as I
      type. In the worst case: the NSA's private key is compromised, the 40 bit
      portion of the key still must be cracked. So we haven't weakened the security 
      of international encryption, but actually made it equal to the US security (to
      everyone but the NSA). We are proud of this arrangement because we have found 
      a way to make Notes as secure as the US government will allow for our
      international customers. If we hadn't used this technique all of the
      international notes encrypted data would be with only a 40 bit key. As it
      stands, the 64 bit key used in both US and international encryption is 
      extremely secure.
      
      It's too bad the author of this article chose to attack Lotus Notes without
      considering the options the US government provides. We could have just
      shipped 40 bit encryption like MS, Netscape, etc. and left our international
      customers with weak encryption but we didn't. Oh well, you can't make everyone
      understand this confusing and frustrating stuff. I hope this helps.
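Added example, not from the thread or from Lotus: a toy Python model of the split the quoted developer note describes, with constructed RSA parameters standing in for the escrow public key. It shows what the extra field carries, what the holder of the escrow private key recovers from it, and the brute-force work each party the note compares is left with.

```python
"""Toy model of the Lotus Notes international-edition key escrow described
in the thread: a 64-bit session key is used, its top 24 bits are encrypted
to an escrow public key and shipped with the message, and anyone holding
the escrow private key still has to search the remaining 40 bits."""
import secrets

# Constructed toy RSA parameters (two 17-bit primes). The real escrow key
# discussed in the thread was 760 bits; the tiny modulus here exists only
# so the arithmetic is visible and runs instantly. Not a real key.
P, Q = 65537, 65539
N = P * Q
E = 5
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent

KEY_BITS = 64                            # session key size in both editions
ESCROWED_BITS = 24                       # bits encrypted to the escrow key
RESIDUAL_BITS = KEY_BITS - ESCROWED_BITS # 40 bits left to brute-force


def escrow_field(session_key: int) -> int:
    """Build the extra field an international-edition message carries:
    the top 24 bits of the 64-bit key, encrypted to the escrow public key."""
    if not 0 <= session_key < 1 << KEY_BITS:
        raise ValueError("session key must be a 64-bit value")
    top_bits = session_key >> RESIDUAL_BITS
    return pow(top_bits, E, N)           # textbook RSA; top_bits < N


def open_escrow_field(field: int) -> int:
    """What the holder of the escrow private key learns: the 24 top bits."""
    return pow(field, D, N)


def residual_search_space(known_top_bits: int) -> range:
    """Candidate keys left once the escrowed 24 bits are known: one
    contiguous block of 2**40 values sharing those top bits."""
    lo = known_top_bits << RESIDUAL_BITS
    return range(lo, lo + (1 << RESIDUAL_BITS))


def work_factors() -> dict:
    """Number of candidate keys a brute-force search must cover for each
    party the developer note compares: outsiders face the full 64 bits,
    the escrow-key holder 40 bits, a compromised escrow key still leaves
    40 bits, and a plain 40-bit export cipher gives everyone 40 bits."""
    return {
        "notes_intl_without_escrow_key": 1 << KEY_BITS,
        "notes_intl_with_escrow_key": 1 << RESIDUAL_BITS,
        "notes_intl_escrow_key_compromised": 1 << RESIDUAL_BITS,
        "plain_40bit_export_cipher": 1 << RESIDUAL_BITS,
    }


def round_trip(session_key: int) -> bool:
    """Check that the escrow field reveals exactly the top 24 bits and that
    the original key lies inside the residual 2**40 search space."""
    recovered = open_escrow_field(escrow_field(session_key))
    return (recovered == session_key >> RESIDUAL_BITS
            and session_key in residual_search_space(recovered))


if __name__ == "__main__":
    key = secrets.randbits(KEY_BITS)      # fresh random session key
    field = escrow_field(key)
    print(f"session key      : {key:016x}")
    print(f"escrow field     : {field}")
    print(f"escrowed bits    : {open_escrow_field(field):06x}")
    print(f"round trip ok    : {round_trip(key)}")
    for party, n in work_factors().items():
        print(f"{party:36s} 2^{n.bit_length() - 1}")
```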
ChrisArchitect 276 days ago [-]
(2002)

Some previous discussions all mentioning Lotus Notes in the title:

4 years ago

https://news.ycombinator.com/item?id=21859581

8 years ago

https://news.ycombinator.com/item?id=9291404

10 years ago

https://news.ycombinator.com/item?id=5846189

dang 276 days ago [-]
Thanks! Macroexpanded:

NSA's Backdoor Key from Lotus Notes (2002) - https://news.ycombinator.com/item?id=21859581 - Dec 2019 (87 comments)

NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=9291404 - March 2015 (51 comments)

NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=5846189 - June 2013 (85 comments)

lelandfe 276 days ago [-]
kmeisthax 276 days ago [-]
This and the Clipper Chip aren't NOBUS. The NSA doesn't want you to know that the cryptosystem has law-enforcement access capability. The FBI doesn't care if you know as the kinds of criminals they are attacking don't do OPSEC.
sneak 276 days ago [-]
NOBUS isn't just intentional vulnerabilities, it's any vulnerability assumed to only be exploitable by US IC, whether engineered or otherwise.

I think these qualify.

rvnx 276 days ago [-]
Well, the article mentions backdoor in Dual_EC_DRBG mostly targeting TLS/SSL communications, now we have Cloudflare, a much more scalable solution
tptacek 276 days ago [-]
Dual EC is sort of the archetypical NOBUS backdoor.
thesuitonym 276 days ago [-]
It's amazing to me that the folks at the NSA had enough self-reflection to see that this is Big Brother behavior, but not enough to realize why that's a bad thing.
masfuerte 276 days ago [-]
I'd guess that was snark from the Lotus engineer who embedded it.
w1nst0nsm1th 274 days ago [-]
The Lotus engineer embedded it, but was he the guy who created the key?
w1nst0nsm1th 274 days ago [-]
The 'Big Brother' thing doesn't shock me, I have known about it for some time now. At least you can still believe, a modicum, that they maybe have good intentions... You know, protecting us from bad guys or something...

But the 'MiniTruth' thing... Wow, just wow...

Context: The Ministry Of Truth in the 1984 novel is the service dedicated to propaganda, in which the whole society is drowned. Everything about the society they live in is a lie...

It just blows away any hope of good intention from their part.

The last time I read about something so cynical, suggesting so much contempt for the people they pretend to serve, with such carelessness, was when it was revealed that the FTX internal chatroom was called 'Wirefraud'.

consoomer 276 days ago [-]
Wasn't the original backdoor in a code example the NSA provided to companies interested in using cryptography? They gave an example seed or whatever, and most companies copy/pasted it instead of generating their own primes, so the NSA could break it trivially.

My memory around this is fuzzy and I can't seem to find the original source.

_def 275 days ago [-]
consoomer 275 days ago [-]
Ah yeah, that rings a bell now!
agazso 276 days ago [-]
I wonder how difficult it would be to brute force the private key for an RSA 760 bit public key from 1998. Does anyone know?
tgsovlerkhgsel 276 days ago [-]
https://en.wikipedia.org/wiki/Integer_factorization_records and https://en.wikipedia.org/wiki/RSA_numbers give some pointers. Specifically, the latter describes a 768 bit key being factored "on December 12, 2009, over the span of two years", with CPU time that "amounted approximately to the equivalent of almost 2000 years of computing on a single-core 2.2 GHz AMD Opteron-based computer".

Later, in 2019, a 795 bit key was factored with CPU time that "amounted to approximately 900 core-years on a 2.1 GHz Intel Xeon Gold 6130 CPU. Compared to the factorization of RSA-768, the authors estimate that better algorithms sped their calculations by a factor of 3–4 and faster computers sped their calculation by a factor of 1.25–1.67."

So assuming the better algorithms transfer to smaller numbers, someone who knows how to use them (factoring big numbers seems significantly harder than just running CADO-NFS and pointing it at a number and a cluster) could probably do it in a couple months on a couple dozen modern machines.

For example, using the "795-bit computations should be 2.25 times harder than 768-bit computations" from the publication accompanying the second factorization, we could assume 900/2.25 = 400 Core-years of the Xeon reference CPU (which is 6 years old by now) would be needed to break the smaller key with the modern software. Two dozen servers with 64 equivalently strong cores each would need slightly over 3 months. Not something a hobbyist would want to afford just for fun, but something that even a company with a moderate financial interest in doing could easily do, provided they had people capable of understanding and replicating this work.

rocketnasa 276 days ago [-]
Classic CPU hasn't held a candle compared to GPU on very repetitive math calculations. AI this year has really shown the same difference. In other words, it isn't just graphics... https://www.spiceworks.com/it-security/identity-access-manag...
tgsovlerkhgsel 276 days ago [-]
I assume there is some reason why the past factorizations weren't done with GPUs. It could be just lack of a good implementation and insufficient numbers of people interested in the topic, but it could also be something about the algorithm not being very suitable for GPUs.
boastful_inaba 275 days ago [-]
CUDA only had its initial release in 2007 (compared to the mentioned crack in 2009), and I remember it being a fairly limited product at that point. GPUs were also much slower back then.
btdmaster 276 days ago [-]
Someone has tried to factorize it before (2018) http://factordb.com/index.php?query=444376527415060195687748...
panki27 276 days ago [-]
Always depends on what resources you have (compute, time). It's possible, but not easy.

https://crypto.stackexchange.com/a/1982

15457345234 276 days ago [-]
Oddly specific question, something in particular on your mind?
cmeacham98 276 days ago [-]
Presumably they are referring to the 760 bit RSA key this entire post is about.
15457345234 276 days ago [-]
But the header talks about a 64 bit key? I'm a bit lost actually.

Edit: Okay, I see it now. 64 bits of cipher of which 24 bits of that cipher are set to a value derived from a 760 bit pubkey.

MaintenanceMode 275 days ago [-]
Now with the cloud none of this is necessary. With data at rest laws, all our email older than six months is open game.
93po 275 days ago [-]
I googled this and didn't see any obvious results as to what the laws are for a company like Google to provide access to their data at rest to government agencies without a warrant/NSL
leoh 276 days ago [-]
dartvox 276 days ago [-]
[dead]
Quentincestino 276 days ago [-]
[flagged]
denysvitali 276 days ago [-]
spzb 276 days ago [-]
Dupe (2002!) https://news.ycombinator.com/item?id=21859581

With no context, I don't know why this is front page news today. Am I missing something?

dredmorbius 276 days ago [-]
This would be a repost rather than a dupe.

HN considers dupes to be stories with significant discussion repeated within a year. (Items with little or no discussion can be resubmitted a few times.)

Stories reshared after a year are reposts, and are perfectly fine, though it's appreciated to have the item's original publication year included in the title.

<https://news.ycombinator.com/item?id=37312416>

<https://news.ycombinator.com/newsfaq.html>

baby 276 days ago [-]
Are you asking what reposts are?
spzb 276 days ago [-]
No. I'm pointing out that (a) it's not marked as being from 2002 and someone would therefore assume it was some newly discovered backdoor and (b) there's no context or commentary as to why it is relevant in 2023.

Also, on closer inspection the story is from 1997 https://catless.ncl.ac.uk/Risks/19.52.html#subj1

dredmorbius 276 days ago [-]
I've pinged mods to fix the year based on that, thanks.
boffinAudio 276 days ago [-]
I'd wager that it's still relevant today because the NSA is still the world's greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression, because we don't see it and simply don't care enough about the human rights violations, as a people, to rein in this out of control agency.

Bringing these articles to light is of great utility to those of us who do not consider the NSA state of affairs to be, in any way, tolerable.

acdha 276 days ago [-]
> the NSA is still the worlds greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression

I don’t approve of their actions but turning the hyperbole up to 11 doesn’t help. There are millions of people in China who’d love to be only that repressed, for example.

boffinAudio 275 days ago [-]
You can always rely on an American to bust out the China hate train when challenged on the facts of their own empire's crimes ..

Did you miss the fact that the NSA is literally violating the human rights of billions of people (including the Chinese), while China in the meantime has brought a billion people out of poverty conditions into their new middle class?

>There are millions of people in China who’d love to be only that repressed, for example

I seriously doubt you understand the nature of this fallacy. Meanwhile, how many families live under a broken bridge in the USA, just because Mom got cancer? Those 1,000 black-ops CIA sites around the world - you know for sure what they are being used for, eh? No torture?

Seriously, get a grip. The moral authority you claim is a fallacy.

FredPret 276 days ago [-]
... are you serious?

You don't think military invasions & communist dictatorships constitute "wholesale violation of human rights at a massive scale"?

If the NSA is spying on people, that's an invasion of their privacy, but it is nothing in comparison to those other violations

boffinAudio 275 days ago [-]
It's a massive, wholesale violation of human rights, which can then be used as further justification for more atrocities and calamity at the hands of the US' military industrial complex ..

And yes, the USA is still the world's worst violator of human rights, bar none. The NSA is why.

FredPret 275 days ago [-]
It's completely unreal that you can think this.

Russia is invading a sovereign country right now. Civilians are getting killed. You'll hopefully agree that getting killed is a human rights violation?

Saudi Arabia is invading Yemen.

North Korea is running a giant state apparatus that lets one man lord it over tens of millions; all his whims are satisfied while they go literally hungry.

Venezuela is ruled by a dictator - millions are hungry and poor. Families torn apart by mass emigration.

China has 1.5 BILLION people in economic and political pseudo-slavery. They don't really own anything and are more or less forced to go along with the government.

But boo-hoo, the NSA can read your texts, so they're the ultimate bad guy?

Dude.

boffinAudio 274 days ago [-]
The USA is invading a sovereign country right now. It has occupied 1/3rd of its territory with the specific goal of denying the people of that nation access to those resources needed to rebuild their shattered state.

>Civilians are getting killed.

The USA has dropped a bomb on innocent people every twenty minutes for the last twenty years. The state of Ukraine today is not even close to the atrocities committed by the USA.

>The open genocide of Yemen by a known fascist totalitarian authoritarian dictatorship, with the support of the US military

Saudi Arabia has been sold the weapons it needs for its genocide by the USA. The genocide of Yemen is 100% on the American people - it wouldn't happen without your state's complicity. All those resources being provided to 'stop' the 'genocide of Ukraine' - where are they while 10 million Yemeni children are being starved to death?

North Korea? They wish they had the ability to govern their nation's mindset the way the West does.

China has lifted a billion people out of poverty into their new middle class. The USA, meanwhile, has all but eradicated its middle class.

The NSA are violating human rights at massive scale; the USA is the world's #1 supporter of terror and exporter of calamity, and has committed decades of war crimes, crimes against humanity and massive violations of human rights at scale - with impunity - precisely because of the utter ignorance citizens (or are you military) such as yourself demonstrate...

kmeisthax 276 days ago [-]
The NSA violates privacy at scale - a lot of little violations of civil liberties. It's the difference between robbing a man for everything he has, versus pick-pocketing 30 cents out of the pocket of every person on the planet.

Furthermore, they're part of a larger intelligence apparatus that has absolutely committed very large and very harmful violations of civil liberties. The NSA's sister org, the CIA, was overthrowing democratically elected left-wingers in South America for decades, replacing them with brutal dictators and tyrants that gave both Hitler and Stalin runs for their money. The CIA wrote the book on how to do so, arguably even moreso than the KGB did. In fact, the reason why Russia today[0] is so effective at information warfare and covert propaganda is specifically because they learned from observation.

[0] Not(?) to be confused with Russia Today

tptacek 276 days ago [-]
If you're thinking about overseas signals intelligence, then, like the signals intelligence practice in every industrialized state in the world, the chartered purpose of NSA is to conduct those privacy violations. The safeguards we're given against NSA --- take them as seriously as you want --- are about domestic surveillance.
boffinAudio 275 days ago [-]
Just because Americans believe they have domestic rights being protected doesn't mean their intelligence apparatus isn't violating human rights at massive scale.

Yes, the purpose of the NSA is to violate human rights at scale. No, this is not a tolerable situation for those of us in the free world.

tptacek 275 days ago [-]
You keep saying "NSA", but you mean "the intelligence agencies of every industrialized country in the world".
boffinAudio 274 days ago [-]
No, you mean that - in order to justify the continued existence of the NSA - but I really do mean NSA when I state NSA.

There are no other intelligence agencies coming even close to the human rights violations committed every millisecond by the American people.

ollemasle 276 days ago [-]
Adding the date in the HN title would be better (it is not present in the article)
nonrandomstring 276 days ago [-]
I think a Microsoft coder recently came clean about some pretty funky stuff from the 90s and 00's. Hope I didn't hallucinate that.
EvanAnderson 276 days ago [-]
I feel like you might be talking about Dave Plummer: https://www.youtube.com/@DavesGarage

He recently gave a good talk at VCF, too: https://youtube.com/watch?v=Ig_5syuWUh0

ranting-moth 276 days ago [-]
Link?
qingcharles 276 days ago [-]
ranting-moth 275 days ago [-]
Thanks!