Firsthand account of NSA sabotage of Internet security standards


#1

[Permalink]


#2

Is it possible to unfuck these standards? Lawyer up and not invite US Gov. to the next meeting? Place some emphasis on peer review. If a large panel of experts can't figure out what lines of code do, then it's automatically assumed to be tainted.


#3

So the government agency that was tasked at keeping US citizens safe in the digital landscape has used that directive as an excuse to weaken US citizens safety in the digital landscape.

I feel like Obama is daring me to google Ron Paul, but only to record it and hold it against me.


#4

Yep. It's just not true what they say about Americans and irony.


#5

Build a prison under Yucca Mountain. I can't think of any other place to hold people this toxic.


#6

Weird question here...regarding the program TrueCrypt, does anyone know if it's capable of using elliptical curve Diffie-Hellman encryption? I recall reading a couple of days ago that that protocol (or whatever it may be called) is magnitudes more unlikely to be broken even using supercomputers. I had the weird thought of encrypting my stuff using it and then sending the file. As long as only I and the person that I send it to know the key, then I can't see as how it'd be readable by the NSA or whoever else might want to do so. Not that I have anything to do with sedition or anything but I get pretty fucking pissed off when I find out that the Government has the capability to invade my privacy to this extent. It'd be kind of nice to be able to send a private file to my wife and have it be just that: private.

Now if I'm talking out of my ass, please feel free to tell me so.


#7

Schneier has an article in the Guardian about new best practices in light of all this new shit. If I recall he said to stay away from elliptical curve algos because they used constants and the NSA was involved in defining those constants such that it reduces the complexity of breaking files encrypted in that way. It might not have been in his piece that this was discussed, but here it is:

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

Here is another very useful piece that touches on this:

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

I find this whole story incredible. The outrageous corruption involved is mindblowing. The NSA has singlehandedly destroyed the US IT industry, just watch. Over the next few years there is going to be a mass exodus away from software designed or built in the US and towards locally built systems. Any software that has a security component is done, at least on the foreign markets, and likely within the US as well. I imagined standards bodies will also become fragmented, with European and Asian standards bodies moving away from international cooperation, especially with the US and UK. This story feels like the first flash of lightning in a storm that will tear the internet and computer technology apart, likely for the rest of our lives.


#8

What is this... I don't even...

I'm so goddamn angry!


#9

TrueCrypt uses your choice of AES (Rijndael), TwoFish, Serpent, or a combination thereof; Serpent is the slowest, Rijndael is the fastest.

If you're worried about which to use, you should know that Wikileaks (which has seen the totality of the NSA leaks) released three insurance files encrypted with AES; the catch there being, they may not care whether the US government finds out what's in those insurance files.

There's some speculation about the ultimate security of TrueCrypt, but until and unless a true OTP implementation can be set up, TrueCrypt and GPG/PGP are the best we have.


#10

All rooted in truly epic levels of hubris.

They thought the internet belongs to the the US, and therefore they can make sure they control it and can read it all. As with all examples of hubristic overreach, they have made it a certainty that the US will, fairly quickly, lose all control of the internet globally speaking.

Anyone who actually is guilty of something will find ways to hide their stuff, and the only people left for the NSA to spy on effectively will be their own innocent citizens. Needing to justify their existence, we can expect the NSA to start 'finding' potential 'terrorists' - almost certainly all dumb kids who said something in jest or anger on the internet.


#11

Open source and open standards. Its the only way to be sure.


#12

It will certainly tear down the security infrastructure we have in place; what is important to note is that what will arise from this is a security infrastructure with far fewer central points of failure or control. Certificate Authorities will disappear. People's devices will create shared keys over near-field communications during lunch dates and overnight. Jailbroken mobile devices will have tweaks which remove the root certificate / keys for the system and replace them with your own keys, and you won't update the software on your system until it passes several notarisations against software patches issued at large (so you know you're not getting a specially backdoored-for-you patch). Attorneys will be getting a lot of business escrowing printed copies of master encryption keys.


#13

This movie makes a lot more sense if you change the James Clapper character's name to Lt. Colonel Nicholson.


#14

Can we just tell them all to screw off and make a new internet? We can just copy the good bits out of the old one, right?

IPvFree.0?


#15

Noooo, because the InterTubez are for commerce, and in CommerceWorld, anonymity is an untenable farce that no profit-oriented sane person would entertain. The Internet will NOT come crashing down. It is becoming something that you do not like, but it is not going the way of the landline, that is for certain.


#16

No, the Internet isn't going crashing down, but the profits are already being affected.

http://www.ibtimes.com/nsa-surveillance-costing-us-businesses-billions-prism-xkeyscore-hurt-american-cloud-companies

@Ygret is probably right about this. The more average Americans and business owners realize their data and privacy is being compromised by their own government and quasi-governmental entities, the more individuals and businesses are going to reach out to those who don't play ball with the NSA. That's going to send business outside of the USA. Probably the best thing you can do as an IT person in the U.S. is focus on support for open source security services and apps. The money is going there.

It's happening already...

http://thehackernews.com/2013/08/NSA-PRISM-Tor-users-privacy-tool-surveillance.html


#17

If I'm standing behind you while you write your message, or behind your pal while she reads it, I can read it, too. Standing behind you, lurking in a keylogger or screen mirror or peeking at your RAM, whatever.

Or you could do the encryption/decryption in your head. That might work.

I don't think this battle is going to be won by users getting better at keeping secrets. I think it has to be won in D.C.


#18

Everyone needs to reevaluate their prior-held concept of trust in "authority". We needed to do this anyway b/c the Intelligence Community is not the only one that cannot be trusted to do what's right; obviously our people in Congress only pretend to represent us and many multinational boardrooms no longer have allegiance to their country of origin.


#19

Frankly, I am appalled at the unethical manner in which the NSA seems to have violated the privacy rights of millions of Americans. We need to determine who authorized these unethical actions so that they can be held accountable for their actions.

It sounds like they've been performing warrantless searches at will and in great numbers. It's ironic, really, that this organization, designed to help safeguard the dignity and freedom of Americans seems to have shredded the scruples by which that dignity and freedom is maintained.


#20

@ginobean why is it that Americans only care about the NSA spying on them? The rest of the world deserves their privacy as well.