Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UK Cryptographers Call For UK and US To Out Weakened Products

Unknown Lamer posted about 10 months ago | from the instead-they-disappear dept.

Security 105

Trailrunner7 writes "A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ 'have been acting against the interests of the public that they are meant to serve.' The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products."

cancel ×

105 comments

Proprietary Routers (4, Insightful)

Anonymous Coward | about 10 months ago | (#44870589)

Let's start with these as they are of great importance and often fall behind with updates.

Google search:

cisco routers backdoor
cisco routers rootkit

Re:Proprietary Routers (2)

Anonymous Coward | about 10 months ago | (#44871067)

What makes you think non-proprietary routers or routers that come with source code aren't backdoored? Plenty of complexity to hide the malware in, plus the possibility of compromised hardware. There is quite a bit of firmware code in for example a Gobi 3G modem that your open source kernel can't do much about but send USB urbs to. It sometimes crashes and does weird things, and needs to be power cycled from time to times. I'm sure that there are other pieces of hardware in many routers that aren't yet reviewed thoroughly for security.

The plan will not work (1)

Taco Cowboy (5327) | about 10 months ago | (#44872107)

"A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services

You seriously think this plan will work ?

I'm afraid not.

It's as if there is still conscience left in the governments of the two countries.

If there was any conscience to start with, the government wouldn't have allowed their spooks to spy on their own people, in the first place.

It's also like asking a thief to confess to which items he has stolen.

It's like trusting the th

Other way. (1)

DrYak (748999) | about 10 months ago | (#44873785)

What makes you think non-proprietary routers or routers that come with source code aren't backdoored?

To each problems it own tool.

Planting backdoors (i.e.: definitely malicious code) is easier in a definitely closed environment, were very few people can see the code, and the one which understand it can easily by hushed by orders of top management.

In opensource software, that is a little bit more complicated, because the code is open and a lot more people are reading it. Hidden malicious stuff will get discovered eventually. The only variation is the amount of time until discovery. And again all it takes is one single developper poking in the wrong corner (because he/she hit a bizarre bug - side effect from your backdoor) to discover it and very likely he'll be out of reach (geography/jurisdiction) to be prevented from speaking about it and embarrassing the NSA. So this specific way (planting backdoors) won't necessarily be optimal.

Better aim for other better suited solutions in this case:
- exploitable bugs/botched code/and erroneous implementation, leaking information. If it looks like bugs, less change for the whole operation to be blown up if discovered. (buggy key generator as an example in Debian. Could be negligence. Could be an inside job).
- bugged hardware. hardware random number generator for example. Something as simple as a counter whose output is encrypted, would look genuinely random, but for someone knowing the encryption password, is completely trivial to abuse. (And an encryption stage would make sense in a genuine RNG, as a way to erase out any non randomness in the output. So no surprise if there is a AES-like stage in the RNG of a CPU. Simply, the data fed into it isn't the electrical noise generated by heat (as designed by the engineer), but a simple counter (discretely replaced by an anonymous employee at the maker, somewhere on the line between the engineer and the fab).
- limited ressource: randomness is hard to obtain, specially in embed devices like routers. There might not be enough accumulated entropy by the time the SSH keys need to be generated during the first boot of a home router. And thus the keys to the router could be quite easily predicted.

Re:Proprietary Routers (1)

rvw (755107) | about 10 months ago | (#44871141)

Let's start with these as they are of great importance and often fall behind with updates.

Even if these routers have updates available, when will they be applied? Looking at myself - I can't remember if I have ever checked for an update for my current router, which is three years old. Once I installed dd-wrt on a router, but did I ever install an update? I believe not. If I forgot about this, and don't do this on a regular basis, how about the people nextdoor, colleagues, family who don't know that a router is a computer in itself and can be updated?

Re:Proprietary Routers (0)

Anonymous Coward | about 10 months ago | (#44871665)

Direct backdooring may not even be necessary, most models have "lawful interception" capabilities built in which need only be turned on. As you say it's depressingly common to not keep them patched up to date, and due to lazy admins also somewhat common to leave the default enable password set and/or to have the password be something easily guessable like the DNS name of the router.

Re:Proprietary Routers (1)

Bert64 (520050) | about 10 months ago | (#44877029)

Backdoors have to be sufficiently hidden, something as trivial as a default password will get abused by random hackers on the internet...

And lawful interception only works within your area of jurisdiction, whereas you could access backdoors anywhere.

Re:Proprietary Routers (-1)

Anonymous Coward | about 10 months ago | (#44872625)

What exactly is your interpretation of "proprietary"? Cisco/Juniper/etc routers are implementing IETF and IEEE standardized protocols.

It's crowded in there (1)

DrYak (748999) | about 10 months ago | (#44873595)

...when you factor in the chinese backdoor that are here too, it's starting to be a bid crowded inside.

BTW: Speaking of China, maybe that's where to start asking question -
The UK cryptographer should ask the FSB and MSS to out products which got weakened by UK and US.

Very probably the russian and the chinese have knowledge about them too (In theory FSB and MSS are also intelligence agencies, so they should have done they own investigation and perhaps uncovered a few while doing their own security assessment. In practice they probably met a few backdoors while busy trying to plant their own), and unlike the UK and US they don't need to try hiding from public disgrace by trying to keep secretly these specific weakening.

hahhaha (1)

Anonymous Coward | about 10 months ago | (#44870605)

yeah,right.... they're going to give up the gold just like that!...

Re:hahhaha (1)

Anonymous Coward | about 10 months ago | (#44870647)

what's more the boffins at Bristol think they care about "the public interest." Reality check, blokes.

Re:hahhaha (4, Insightful)

F.Ultra (1673484) | about 10 months ago | (#44870751)

No they think that the _should_ care about the public interest since that is why we have them. If they do not serve the public interest we should abolish them.

Re:hahhaha (1, Informative)

murdocj (543661) | about 10 months ago | (#44871497)

And part of "the public interest" is tracking down the people who want to drop off a truck bomb at the shopping center I'm going to be at. And part of tracking those people down is monitoring their communications.

Re:hahhaha (4, Insightful)

Anonymous Coward | about 10 months ago | (#44871575)

How many truck bombs have been set off in your town? And if you think the long string of successful non-explosive days is thanks to the alphabet soup agencies, I have a lovely truck bomb preventing rock here I'd be willing to part with for a few thousand dollars.

Re:hahhaha (1)

number17 (952777) | about 10 months ago | (#44875097)

Well if you are talking UK then which town would you like to know about? I visited Portadown in '97. The next year the center of the town was blown up.

Here's a list of the bombings: http://en.wikipedia.org/wiki/List_of_bombings_during_the_Northern_Ireland_Troubles_and_peace_process [wikipedia.org]
Oddly enough the Portadown bombing isnt listed in the above list: http://en.wikipedia.org/wiki/The_Troubles_in_Portadown [wikipedia.org]

Re:hahhaha (3, Insightful)

ultranova (717540) | about 10 months ago | (#44874267)

And part of "the public interest" is tracking down the people who want to drop off a truck bomb at the shopping center I'm going to be at. And part of tracking those people down is monitoring their communications.

1) You know some particular person is planning to bomb a shopping center. You don't need bugged encryption protocols, you can simply get a warrant to keep them under surveillance until you have enough evidence to arrest them.

2) You know there's a plan to bomb the shopping center, but don't know who's involved. Fortunately truck bombs need lots of materials, such as fertilizer, so start asking local sellers. And as a last resort you could simply stop and search every truck that approaches the center - you have probable cause, after all.

3) You don't know anything, but have a gnawing suspicion that some unspecified bad guy might be planning an attack against an unspecified shopping center for unspecified reason at unspecified date. Thus, you want the right and ability to open random letters on the off chance that these shadowy figures are discussing their evil plans on them. In this case, have you considered getting psychiatric help? Because it sure sounds like classic paranoia to me.

Re: hahhaha (0)

Anonymous Coward | about 10 months ago | (#44880999)

No, just Great Britain and Northern Ireland in the 1970s, 80s and early 90s. Which made it ironic when the terrorists bombed Boston.

Re:hahhaha (5, Interesting)

TheRaven64 (641858) | about 10 months ago | (#44870977)

The problem is that the NSA and GCHQ have dual mandates. They are responsible for both ensuring their respective countries are not vulnerable to attacks and for ensuring that they have techniques for attacking others. This means that when they discover a vulnerability in a piece of widely deployed software, they have conflicting requirements. If they publish it, then the systems that they're defending will be safer because it will be fixed, but if they don't publish it then the systems that they're attacking will remain vulnerable. This gets even worse when they start introducing intentional back doors (given how many Russian spies there were in these institutions during the Cold War, it's pretty much expected that there will be some Chinese spies in there now, so those back doors are almost certainly not secret).

Re: hahhaha (2)

bkmoore (1910118) | about 10 months ago | (#44871281)

Splitting these organizations into separate parts, each with a different mission could fix that, but effective oversight would be required.

Re: hahhaha (1)

Ash-Fox (726320) | about 10 months ago | (#44872367)

They do have separate parts. One is to protect the United Kingdom, the other is to protect the United States.,

Re: hahhaha (1)

Will.Woodhull (1038600) | about 10 months ago | (#44872621)

Effective oversight IS required. Whether they are split up, remain as they are, or dissolved. Since even if they go away, there are going to be government agencies and private investigators who are going to continue to try and get away with this crap.

This is not a genie that can be tricked into going back into the bottle.

Re:hahhaha (1)

grep -v '.*' * (780312) | about 10 months ago | (#44873577)

The problem is that the NSA and GCHQ have dual mandates. They are responsible for both ensuring their respective countries are not vulnerable to attacks and for ensuring that they have techniques for attacking others.

I read a science fiction story a year ago (Daemon) that had the absolute best idea of very specific crypto usage, and I _really think_ the current NSA and such have always been implementing that.

They assume that "We're [the NSA] Number One" and everybody else is either behind or way, WAY behind. So: they weaken the initial crypto magic number standards just enough so that they can still manage to break it. #2 will eventually figure it out (or 13 can just ask 1600) and the #3 guys could just ask nicely [theguardian.com] , but #23 will just never get it, even though they're all playing the catch-up game. So NSA weakened crypto would apply to public content and most secrets with a time sensitive content; the REAL secrets use the non-weakened crypto strain or OTP.

Thus the NSA can walk the fine line that pays tribute to both of their conflicting demands: it's secure from everyone else, but not secure from THEM (the NSA) unless they want it to be.

But if somehow on-demand the NSA can't break into the crypto, there's always the $5,000 wrench [xkcd.com] . (This IS the government we're talking about, remember.)

Re:hahhaha (1)

GlennWaller1963 (689008) | about 10 months ago | (#44870965)

I agree, only tokens untill wikileaks or some other expose the docs, and then the politians will make excuses.

Too much work already and this is probably a lot bigger than anyone thinks.

Re:hahhaha (1)

Anonymous Coward | about 10 months ago | (#44871889)

-1 for douche-bag font.

And because people posting from typewriters don't have much to offer on cryptography in electronics, despite bugs having been placed in typewriters in the past.

Unlikely (4, Insightful)

AmiMoJo (196126) | about 10 months ago | (#44870629)

Does anyone really expect these criminal organizations, headed by the kind of people who set up a Star Trek style command bridge, are going to do the right thing? The only way to deal with these scum is to shut them down and start from scratch.

Re:Unlikely (2)

FriendlyLurker (50431) | about 10 months ago | (#44870717)

acting against the interests of the public that they are meant to serve.

Your right although the organizations are not being treated like criminals by the powers that be, more like rewarded as an owner rewards a guard dog. We the public are the enemy/being treated like we are all criminal "terrorists" so they are defiantly not operating in our interests - surely this is obvious at this point, or are the researchers just being polite?

Re:Unlikely (0)

Anonymous Coward | about 10 months ago | (#44870985)

Or are they the powers that be and are the politicians the guard dogs?

Re:Unlikely (1)

easyTree (1042254) | about 10 months ago | (#44871673)

*beeping sound made when public-service vehicle is reversing* WARNING - the box is open; WARNING - the box is open... Substantial danger - do not stray outside the box. WARNING....

Re:Unlikely (1)

Xemu (50595) | about 10 months ago | (#44871421)

Does anyone really expect these criminal organizations, headed by the kind of people who set up a Star Trek style command bridge, are going to do the right thing?

Sure. The Star Trek bridge seems to indicate that it's an organisation headed by a trekkie, so I think there is a pretty good chance they are geeks and will do the "right thing". I would be more worried if they had built a replica of the White House and was an organisation headed by politicans or lawyers.

The only way to deal with these scum is to shut them down and start from scratch.

Repeating the same experiment is likely to yield the same results.

Re:Unlikely (0)

Anonymous Coward | about 10 months ago | (#44871681)

so I think there is a pretty good chance they are geeks and will do the "right thing"

The NSA spends all day siphoning pr0n from everyone's machine?

Likely outcome (5, Insightful)

return 42 (459012) | about 10 months ago | (#44870643)

I suspect the agencies will make a great show of reluctance, then reveal what they did to some protocols and algorithms -- those where the backdoors are most likely to be noticed, or have already been found, such as Dual_EC_DRBG. The crown jewels, those least likely to be noticed, will remain secret. Nothing to see here folks, move along.

NSA and GCHG couldn't care less about the public interest. They have a mandate to spy on as much as possible on the off chance that it may prevent some terrorist act. They will continue to do so in any way they can unless the legislative bodies or courts in their respective nations rein them in. This seems moderately likely in the US, quite unlikely in the UK.

Re:Likely outcome (1)

loustic (1577303) | about 10 months ago | (#44870857)

Why would you ask the government to do it? They were caught red handed in the first place!

Re:Likely outcome (0)

Anonymous Coward | about 10 months ago | (#44871139)

Why would you ask the government to do it? They were caught red handed in the first place!

Well, I would say we could ask them to stop doing illegal activity, but you're right, I guess there little point in doing that.

That would require someone in office to have something called "morals". They surgically remove those once you're elected. There's only a handful that have dodged that special lobotomy.

Re:Likely outcome (1)

Will.Woodhull (1038600) | about 10 months ago | (#44872685)

It is much easier to get elected if you are not morally encumbered. Aspiring politicians who are lugging around ethical baggage don't get the money and favors needed to win campaigns.

Re:Likely outcome (5, Insightful)

FriendlyLurker (50431) | about 10 months ago | (#44870867)

on the off chance that it may prevent some terrorist act. .

Oh, that must mean those terrorist organizations like Occupy Wall Street [motherjones.com] , - or any other community based activist group trying to agitate for improved conditions for the people. Must be why we are treated as the enemy.

Re:Likely outcome (2)

easyTree (1042254) | about 10 months ago | (#44871689)

Duh. *They* are in a tower-block and we are the zombie horde climbing the walls. What would *you* do to maintain the relative positions?

Re:Likely outcome (1)

Anonymous Coward | about 10 months ago | (#44871711)

Play re-runs of popular football(soccer) matches on large screens whilst playing the anti-sound to 'brains......' over the speakers?

Re:Likely outcome (1)

jhol13 (1087781) | about 10 months ago | (#44872637)

... incorrect moderation, sorry

Re:Likely outcome (1)

tlhIngan (30335) | about 10 months ago | (#44873247)

Oh, that must mean those terrorist organizations like Occupy Wall Street, - or any other community based activist group trying to agitate for improved conditions for the people. Must be why we are treated as the enemy.

OWS scared bankers and traders - the people with money. Those people called their senators and reps and action got taken.

OWS terrorized those with money (i.e., power) therefore the OWS guys get branded as terrorists.

Remember, the victor writes the history books.

Proles like you and me? No money and no power, thus we'll never be able to recast OWS as a legitimate organization.

Re:Likely outcome (-1)

Anonymous Coward | about 10 months ago | (#44870919)

Unlikely in the UK, but maybe possible for an independent Scotland - if we can make a strong enough constitution. An actual constitution in the UK!

Re:Likely outcome (0, Offtopic)

Anonymous Coward | about 10 months ago | (#44871229)

Dream on Jock. An independent Scotland would be far too busy trying to work out how walk on its own to think about anything complicated. Constitution? You accept that you will have to leave Europe then and the constitution that applies in the UK (that you will no longer be a part of). The big question is who will you blame all your mistakes on when you no longer have England? You might have to start taking responsibility for yourselves and standing on your own instead of acting like spoilt schoolgirls all the time. Remember that it was Scotland that created this... but you guys still act like the victims and try to convince the world that it is England's fault that after taking over England your King decided that he preferred it there and stayed.

Re:Likely outcome (1)

Anonymous Coward | about 10 months ago | (#44872055)

You mean like this one:

http://en.wikipedia.org/wiki/Constitution_of_the_United_Kingdom [wikipedia.org]

Or did you mean a single written constitution, which, as the USA shows, has flaws of its own.

Re:Likely outcome (4, Insightful)

mrspoonsi (2955715) | about 10 months ago | (#44870927)

It needs more people to be outraged by it, to what lengths are people willing to accept this kind of intrusion? If these spy agencies shipped all domestic post to a 3rd country, where it was opened, photocopied, stored then sent on its way, people would be doing a Bastille style take down, yet somehow because these letters (email) are electronic, and it does not need a huge complex of Stasi officers doing the actual work, then it is OK for most of the people?

Well I say to those people, your liberty is gone, a form of government is in place which is open to internal corruption / blackmail, there is a massive abuse of power going on. Information is power, and the next President, well the NSA, FBI, etc might just have a file on said future president, all his little secrets, so the President is in their pocket so to speak.

Remember, for a true democracy, government needs to be transparent.

Re:Likely outcome (2, Interesting)

Anonymous Coward | about 10 months ago | (#44870975)

What makes you believe spying on everybody, including politicians and military, are about preventing terrorism? The Information Dominance (look it up), is for just that: Dominance. By an unaccountable entity.

Re:Likely outcome (5, Interesting)

Walterk (124748) | about 10 months ago | (#44871061)

Interesting you raise the point about the "mandate to spy on as much as possible on the off chance that it may prevent some terrorist act".

There is a very interesting article on the BBC blogs indicating just how useless MI5 has been at any sort of intelligence gathering, even the sort that's been painfully obvious over it's entire existence. It's opening gambit: "Maybe the real state secret is that spies aren't very good at their jobs and don't know very much about the world".

http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER [bbc.co.uk]

Re:Likely outcome (0)

Anonymous Coward | about 10 months ago | (#44872767)

This is why I still check out the comments, you really do find some nuggets here and there, it's a terriffic good read, and a horrific scare at the same time, laughable and very sad.

Good to know though that, given enough time, nothing really changes.

Thank you WalterK

Re:Likely outcome (0)

Anonymous Coward | about 10 months ago | (#44872957)

I read that when it was linked in off of Bruce Schier's blog. Its funny how we institutionalized paranoia.

If we find a enemy spy its proves its working, if we don't its because they are really good at hiding.

Re:Likely outcome (3, Insightful)

AmiMoJo (196126) | about 10 months ago | (#44871469)

We have to assume everything up to this point is compromised and start pretty much from scratch. Replace AES with TwoFish, re-design all the lower level protocols, increase all key lengths, remove any ability to downgrade security and mercilessly cut off clients that don't upgrade when an issue is found.

The whole trusted certificate system has to be replaced as well, which is going to be hard.

Re:Likely outcome (1)

Gr8Apes (679165) | about 10 months ago | (#44872571)

What makes you think TwoFish is any better? Or that the lower level protocols you will create will be any better? We have source for many of these. There are other ways of making things secure.

Re:Likely outcome (0)

Anonymous Coward | about 10 months ago | (#44874197)

twofish is better because it's not not sanctioned by the state.

Re:Likely outcome (1)

Gr8Apes (679165) | about 10 months ago | (#44874899)

They can fix that by sanctioning it. It was in the running, AES won.

Re:Likely outcome (1)

Dan Ost (415913) | about 10 months ago | (#44873903)

We have to assume everything up to this point is compromised and start pretty much from scratch. Replace AES with TwoFish, re-design all the lower level protocols, increase all key lengths, remove any ability to downgrade security and mercilessly cut off clients that don't upgrade when an issue is found.

I don't think any of that is strictly necessary. Verify the math and inspect the implementations, but there's no need to throw it all away. Some amount of paranoia is justified, but throwing it all away goes too far.

The whole trusted certificate system has to be replaced as well, which is going to be hard.

I agree there are serious issues with the current system, but I am at a loss to come up with what would replace it.

Re:Likely outcome (0)

Anonymous Coward | about 10 months ago | (#44877291)

I agree there are serious issues with the current system, but I am at a loss to come up with what would replace it.

http://perspectives-project.org/

The trouble here, is that notaries need to get paid, otherwise they will cease to function. This system doesn't lend itself to seeking money from a cite to become 'trusted', thus the money will need to come from somewhere else, but where?

Also, it seems some sites (cough google cough) serve up many different certs, which this system doesn't like.

Re:Likely outcome (1)

chihowa (366380) | about 10 months ago | (#44878497)

Perspectives is just shifting the Trusted Third Party from the CAs to the notaries... a few weaknesses:

  • While it's true that anyone can be a notary, there are fewer than two dozen of them listed and most of them are run by the same people (who you don't know... why would you trust them?)
  • The system of distributing the notary keys is subject to MitM, which means the whole system is subject to MitM attacks (which is what its intended to protect against).
  • The whole system only works if contact with the servers is maintained, which allows for a DoS attack or suppression of non-compromised servers (or servers from non-compromised regions). [this depends on your quorum settings, but when I tried it out various servers were offline for various periods of time so I had to decrease the quorum percentage for any site to validate]
  • Perspectives also has the side effect of sending the sites you visit to a third party. Even the CAs don't include this "feature". You can stop that by only having Perspectives check sites that generate certificate errors, but then you're back to trusting the CAs again.

I don't mean to totally poo-poo this interesting take on certificate trust, but there are serious flaws with it and some of them won't be going away.

Unlikely... (0)

Anonymous Coward | about 10 months ago | (#44870661)

I can see the marketing now. Add a sticker to your product NOW WITH NSA/MI6 approved Backdoors.

proprietary pieces of shit (0)

Anonymous Coward | about 10 months ago | (#44870715)

yeah man and what of firmware downloads for a bunch of the hardware like bios, game cards, cdrom drives and stuff how many times man have you seen a gpg signature how many times man have you seen checksums to go along with it tell me man how we arent fucked on a daily basis by all of this proprietary hardware and software?

the bullshit on windows systems never ceases to fascinate me:

INSTALL this bullshit program with no available source code and we promise it will work as advertised.

(goodfellas voice over) you want more options? fuck you - pay me. you want faster updates? fuck you - pay me.

Re:proprietary pieces of shit (0)

Anonymous Coward | about 10 months ago | (#44874675)

You are a sad individual.

We're doing something wrong? (-1)

Anonymous Coward | about 10 months ago | (#44870741)

...NSA and British GCHQ 'have been acting against the interests of the public that they are meant to serve...

Nonsense!

It is obviously critically important to the interests of the British and American publics that they are not blown up or shot.

After the Cold War the world is no longer predictable and safe - threats may come from any direction.

So the intelligence services need to be continuously monitoring every aspect of your lives and every communication to find out where the next threat may arise.

Therefore we are acting in your best interests. Do you want to be blown up? Think of the children!

P.S. This isn't anything to do with justifying our existence after the Cold War end effectively made us redundant. Oh dear me, no!

   

Re:We're doing something wrong? (1)

letherial (1302031) | about 10 months ago | (#44870953)

I do miss my childhood days being shown a movie on how to survive the impending apocalypse by hiding under the desk. A certain warm and comfy feeling that i haven't felt since Regan. I keep hoping the new world with terrorism coming from every direction will bring that feeling back. I suppose it wont happen till the terrorist get nukes they can deploy.

One day i dream of the cold war again, if only putin would just hurry up already.

Re:We're doing something wrong? (0)

Anonymous Coward | about 10 months ago | (#44871019)

You left off your signature. I'll add it:

Signed - Head of NSA/Head of GCHQ

Offtopic (0)

Anonymous Coward | about 10 months ago | (#44871809)

Here, this is for you: try to translate it from the Dutch:

Herman van Veen - De Bom Valt Nooit (single) - 1983

warning: lyrics contain sarcasm

Is it for real? (0)

SMNadim (3106481) | about 10 months ago | (#44870761)

I cant decide if this is for real or just a conspiracy theory! If it is real, our privacy is gone. No secrets. Everything is accesible to the agencies. SMNadim Anonymous Web Surfing [icensorbroken.org]

Re:Is it for real? (0)

Anonymous Coward | about 10 months ago | (#44870885)

we never had it anyways dude.

Re:Is it for real? (1)

letherial (1302031) | about 10 months ago | (#44870981)

Paranoia is often a byproduct of ignorance. If you research it you should find that it is a little disturbing, but not quite whats its being made out to be.

Stick with open source and you should be fine.

Re:Is it for real? (4, Informative)

Antique Geekmeister (740220) | about 10 months ago | (#44871329)

They've apparently been interfering with open source and free software. (See John Gilmore's notes about the security agency hindered deveopment of IPsec, at http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html [mail-archive.com] )

Re: Is it for real? (0)

Anonymous Coward | about 10 months ago | (#44876835)

how about the way red hat has refused to update or patch there distros with the newst openssl to provide tls 1.2 support. it has been years. counting centos and scientific linux millions of web sites and servers can not use it without manuelly patching each one from source. not even fedora will have the fixed openssl until fedora 20. that does not even count the numerious security holes. strictly speaking they have met their opensource requirements, but promote a cripled and insecure server enviroment in their own products and millions of derived works.

meanwhile one of their biggest customers is the us goverment.

Re:Is it for real? (1)

denis-The-menace (471988) | about 10 months ago | (#44872513)

FYI: This site is blocked at my work.

Oh, my phone is ringing. It's security!

take all European Cellular offline then (1)

Anonymous Coward | about 10 months ago | (#44870799)

GSM standard was weakened from 128 to 64, at the time at an explicit NSA request during the standard creation.
Even the NSA themselves talk about strenghtening the security of a GSM signal:
http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_1_2.pdf

Re:take all European Cellular offline then (1)

Quila (201335) | about 10 months ago | (#44872045)

At least the French admitted they wanted GSM encryption weak so they could break it.

Wrong target (2)

c0lo (1497653) | about 10 months ago | (#44870823)

conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services

I couldn't care less which are the ones that were weakened deliberately or by honest mistake. I'd feel much better if I'd know which algos/constants are still safe and/or what can be done with the algos/constant-sets that are under doubt.

Also, a simpler alternative to an unnecessary complicated IPSEC spec would be good (on the line of "as simple as possible, but no simpler") - though I expect this would be an engineering job rather than a pure crypto one.

Re:Wrong target (1)

drinkypoo (153816) | about 10 months ago | (#44871263)

a simpler alternative to an unnecessary complicated IPSEC spec

What is it about IPSEC that you find unnecessarily complicated?

Re:Wrong target (2)

c0lo (1497653) | about 10 months ago | (#44871591)

I'll let others speak, as they do it better [schneier.com] .

Our main criticism of IPsec is its complexity. IPsec contains too many options and too much flexibility; there are often several ways of doing the same or similar things. This is a typical committee effect. Committees are notorious for adding features, options, and additional flexibility to satisfy various factions within the committee. As we all know, this additional complexity and bloat is seriously detrimental to a normal (functional) standard. However, it has a devastating effect on a security standard.

(my emphasis).

Re:Wrong target (1)

drinkypoo (153816) | about 10 months ago | (#44872679)

The problem is that while there is overlap, the functions are still not identical. All traffic is intended to be in transport mode, tunnel mode is there only to replace unencrypted tunnels. And AH was created to provide auth without encryption explicitly, not just using a null cipher which was intended for testing, not actual use.

Re:Wrong target (1)

WuphonsReach (684551) | about 10 months ago | (#44872781)

Some of that is the IKEv1 design issue. You had an exponentially increasing combination of hashes, authentication methods and encryption methods. Which has been fixed in IKEv2 where you only offer "suites" to the client, plus a bunch of other improvements [blogspot.com] .

Intelligence Gathering Agencies (0)

Anonymous Coward | about 10 months ago | (#44870877)

Let me get this straight. The point of the NSA and the GCHQ is to gather intelligence. This involves collecting information. If information is encrypted then surely they would want to circumvent such encryption to access the information. The fact that they already have been doing that shows that they are fulfilling their role as intelligence gatherers.

I dislike the whole good guy bad guy theme, but if the bad guys are using encryption then wouldn't you want your intelligence gathering agencies to be able to circumvent it?

Re:Intelligence Gathering Agencies (0)

Anonymous Coward | about 10 months ago | (#44871083)

While the general theme of your point is admirable, the thing that most people object to is their

'We must read everything evetryone sends/receives over the internet just in case therr might be a 0.00000001% change of a terrorist/bank robber/drug seller/person who parks on double yellow lines/dog fouler might escape the full forces of the justice system ' approach.

Re:Intelligence Gathering Agencies (2)

Xtifr (1323) | about 10 months ago | (#44871287)

The point of the NSA and the GCHQ is to gather intelligence.

That's only part of their point. They're also supposed to protect US/UK secrets against spying. You may notice that these goals are somewhat at odds, which is why such organizations tend to be a little schizophrenic.

Collective noun (4, Funny)

wonkey_monkey (2592601) | about 10 months ago | (#44870913)

A group of cryptographers

I believe the correct term is a crib.

Re:Collective noun (1)

LoRdTAW (99712) | about 10 months ago | (#44874457)

Yea man those mother fuckers are hardcore. You don't want to get caught in the wrong part of internet town after dark. http://en.wikipedia.org/wiki/Crips#Etymology [wikipedia.org]

Re:Collective noun (0)

Anonymous Coward | about 10 months ago | (#44875709)

:) I believe however that the parent is referring to the cryptographic term crib, which is a fragment of plaintext that, when accompanied by the ciphertext which is known to contain it, gives clues which allow for cryptanalysis.

Been like this since post-WWII (1)

stiggle (649614) | about 10 months ago | (#44871035)

After WWII German enigma & lorenz machines were being sold to other nations as uncrackable. It was the forerunner to GCHQ, Bletchley Park which cracked them during the war and then buried all evidence of it.

good luck! (1)

Anonymous Coward | about 10 months ago | (#44871039)

ackcray isthay ouyay insensitiveway odclay!

frost 4ist (-1)

Anonymous Coward | about 10 months ago | (#44871075)

Cisco (1)

Gravis Zero (934156) | about 10 months ago | (#44871079)

if there is one brand of router that has been compromised, it's Cisco. why? simple, they are super popular and the NSA doesn't play nice. Cisco owns Linksys, so a huge amount of routers in people's homes have a backdoor just waiting to be used.

Re:Cisco (-1)

Anonymous Coward | about 10 months ago | (#44871295)

the "Proprietary Routers" thread at the top (FP?) of the comments page(s) already covered Cisco. Creating dupes is lame.

Re:Cisco (0)

Anonymous Coward | about 10 months ago | (#44873513)

Linksys got sold to Belkin.

http://en.wikipedia.org/wiki/Linksys
Belkin announced the completion of its Linksys acquisition in March 2013 and stated, "Linksys customers and retailers will continue to see new Linksys products come to market."

Come on! (1)

Anonymous Coward | about 10 months ago | (#44871093)

Did you ever thought of asking a burglar what he has taken from your house? and trusting his answer?

Re:Come on! (1)

ShoulderOfOrion (646118) | about 10 months ago | (#44880733)

Particularly when the burglar looks less like brilliant master thief Lara Croft and more like a big hairy dude with a hammer.

250 mil/year (1)

X.25 (255792) | about 10 months ago | (#44871233)

250 mil per year buys you a lot of backdoors.

Re:250 mil/year (0)

Anonymous Coward | about 10 months ago | (#44877327)

50250 mil per year buys you a lot of backdoors. (The billion untraced budges could be used for anything.)
Money and budgets get kind of meaningless when money is just bits on some computer, and you have backdoored every bank.
If they can spend 50 billion without saying where it was spend on, who is to know when they actually spend 200 billion? The banks could notice it, and may be slightly annoyed by not being the only one creating money out of thin air, but how much do banks care if it does not affect there paycheck?

Nobody liked to be reminded that they are meat. (0)

Anonymous Coward | about 10 months ago | (#44871305)

Many moons ago I used to work for Kronos. They do time tracking. The had a biometric meter that read the dimensions of the hand. It was pretty stupid in many ways. If you had a ring on during the registration you would have to wear it each time. It also required a code before you put your hand on it? How is it a hand reader if you need a code? Anyways, the workers did not want to use the device. Some people were kind enough to tell me that using your hand was the sign of the beast. Lucky for me that I am not superstitious.

I get why the don't like it. It is bad enough to direct your body every morning into a place to do repetitive tasks, but now you need to use your body to punch in. When do I get my ear tag?

Re:Nobody liked to be reminded that they are meat. (0)

Anonymous Coward | about 10 months ago | (#44871311)

My 'y' key and my proofreading was stuff. I hope you can add the missing y's.

Re:Nobody liked to be reminded that they are meat. (0)

SuricouRaven (1897204) | about 10 months ago | (#44871319)

Wrong topic.

Re:Nobody liked to be reminded that they are meat. (1)

Jeff Flanagan (2981883) | about 10 months ago | (#44872947)

The reason for a hand reader in addition to a code is to stop dishonest employees from clocking each other in. Of course dishonest employees should be unemployed, but in poor-paying jobs it's hard to attract quality people.

Known for years (-1)

Anonymous Coward | about 10 months ago | (#44872389)

This has been known for several years now, and anybody that uses an off the shelf encryption product is a fool. In fact, you should be using nothing short of 8192 Bits of high entropy encryption.

Hahahamlet...LOL (1)

ElitistWhiner (79961) | about 10 months ago | (#44873553)

The cryptographer doth protest too much.

PGP released mid 90's was pulled back and off the Internet for 6+ mo. Then re-launched with a wink and a nod for general consumption.

Re:Hahahamlet...LOL (0)

Anonymous Coward | about 10 months ago | (#44876755)

While it's possible PGP is backdoored, the hubbub in the 90s doesn't really indicate that. Phil Zimmerman never stopped publishing the source code -- he just had to do it via printed books which were then exported to Europe where the source was OCR'd back in and proofread, the built outside of the U.S. to get around ITAR export restrictions.

The crypto community was very watchful of that source, to ensure it never had questionable things 'just appear' between updates. Everyone knew even back then that the NSA would have loved to sneak something in. I think the amount of scrutiny on it was amongst the highest of all crypto products at the time.

Naive (1)

mspohr (589790) | about 10 months ago | (#44874357)

It is naive to believe that "the authorities" would conduct any kind of real investigation and release any real information on back doors. This is the proverbial fox guarding the hen house problem.
It would be much more effective to has a "backleaks" type web site where the programmers and managers who are aware of these back doors could silently post about compromised software. Then, the accused software could be investigated (easier if open source).
There are probably many people who know about compromised software... we just need a way for them to clear their conscience.

This sounds familiar (1)

I Read Good (2348294) | about 10 months ago | (#44875931)

The NSA has an interest in strong encryption as much as they do in subverting encryption. Take as an example the work they did with (read "for") IBM on DES.

"It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES." -Bruce Schneier

http://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design [wikipedia.org]

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...