Firsthand account of NSA sabotage of Internet security standards

That is an important point.

The Declaration of Independence said (and still says):

We hold these truths to be self-evident, that all men are created
equal, that they are endowed by their Creator with certain unalienable
Rights, that among these are Life, Liberty and the pursuit of
Happiness.–That to secure these rights, Governments are instituted
among Men, deriving their just powers from the consent of the
governed,

I see no mention of nationality there, and I clearly see ‘consent of the governed’.

I’m pretty sure we shouldn’t be approving of any of this.

3 Likes

You’re right. I don’t.

2 Likes

A group of high-minded cryptological programmers needs to convene and set things right. Throw IPSEC and the elliptical ring of power into the fires of Mordor and start fresh.

There we go. Make it all transparent and understandable - at least to crypto keeners. Make sure there are no hidden backdoors, and that everyone who has an interest understands what is going on. (I say this because I get completely lost with this stuff. Just give me some credible people who tell me the best way to maintain privacy and I’m in.

Keep it open, keep it transparent and let anyone who wants to try to crack it. Meanwhile, keep making better ones.

Also meanwhile, could you Americans please defund the NSA and the rest. We here in the rest of the world could use a little isolationism from your bunch for awhile.

1 Like

While you should never attribute to malice that which can be adequately explained by incompetence, there were plenty of both to go around, often in the same people!

The mess that is IPSEC key management reminds me a lot of projects I worked on in the 1980s on a bid for secure communications networks for the State Department. The NSA was “helping” them with requirements, so the network not only had to run X.25 (a reasonable choice back then), on Commercial Off-The-Shelf equipment (a popular cost-saving mantra back then), but it had to have dozens of various specific options selected in ways the NSA thought would improve the security and let you use their classified-design X.25 encryption boxes. Almost none of it was actually available from any commercial equipment, so bidders had to take the risk and get a couple of their friends to buy it so they could call it COTS. And the management equipment also had to run TCP/IP and GOSIP and be at least B1-certified (even though the NSA Red Book was still basically research.) And they weren’t trying to compromise the State Department’s communication - they really were trying to help.

On the other hand, blocking DNSSEC? Pure malice at first; ITAR was only supposed to cover encryption technology, not the digital signatures which were all DNSSEC needs, but they wouldn’t even let Gilmore export that. Later on, there was a lot of “perfection is the enemy of good enough” that delayed things another decade, until after the Web was well-established and commercially important and really badly needed to have had DNSSEC in it from the near-beginnings, and some of that may have been their fault, in addition to the foot-dragging that they were doing on purpose.

1 Like

well, that was truly depressing.
sometimes, when you see the size and strength of the enemy before you…you wonder: “can we stop it” a system so well built an maintained, a checks and balance of corruption with influence in EVERYTHING. what do you do? do you run? find better encryption means and hide from the force before you or wage a futile fight? can anything be done?
we can elect new people, but we would have to replace every single person from the president down, and even then the corporations will corrupt the newly elected people. a new president doesn’t have enough power to defeat the checks and balance of corruption. add to that the NSA, FBI, CIA, and all those spying organizations, you think they can’t stop a threat to their power?
so many places broken at once and any attempt to fix one will be thwarted by the other, what can you do?

…i don’t want to live on this planet anymore…

Well yeah, you deserve your privacy. However I must point out two things; 1) The massive majority of the United States citizenry has little control over this sort of thing. If We pulled a switch eliminating such things other countries would be free of such surveillance as well. And 2) Do you really want the U.S. to come in a rectify all the surveillance crimes being committed globally?

lurking in a keylogger or screen mirror or peeking at your RAM

We’re not living in a 1990’s movie about hackers and your comment bears almost no relevance to the line you blockquoted. If your machine is adequately protected (frequently patched, antivirus, firewall, admin auth for installs) the chances of a keylogger/malware making it onto your machine is next to nothing. Furthermore, there’s nothing stopping you from moving that encrypted file to a machine with an airgap and decrypting it there.

I don’t think this battle is going to be won by users getting better at keeping secrets.

You think wrong. The only way to guarantee your privacy is by taking measures to guarantee it. You cannot trust others, especially the commercial manufacturers of major software who we know have been putting backdoors in their software for years and years.

The question then becomes: how do you communicate the key? Provided the key has not gone in plaintext across a compromised network and provided that (if the key has been shared securely) it has not then been saved locally as “awsum_encryption_pw.txt” you should have a pretty tight system on your hands there.

The other thing to bear in mind: most people are far too uninteresting for the NSA to pay attention. Enrcypting data that is non-vital has two effects:

  1. Guarantees that if the NSA has seen your data going across the network they have kept a copy. It’s ostensibly illegal for the NSA to spy on US-US conversations. The NSA makes the correct assertion that there’s no way to be sure if an encrypted data stream originates from or is going to an American citizen, therefore it is not unconstitutional to collect it. They might not be able to read it now, but in 25 years when they get a freaking sweet supercomputer for crunching hashes they’ll get a good look at you and/or your wife’s junk.

  2. Makes life harder for the NSA. If we all encrypted everything the NSA simply wouldn’t be able to store and decrypt the sheer volume of data.

The rest of the world deserves their privacy as well.

Not to mention that US citizens enjoy more protections from the NSA than world citizens do because the constitution protects American’s rights, not ours.

I’m just mostly dumbfounded at the gall of the US govt in being so extremely vocal this year about the scale and scope of China’s alleged cyber-espionage and hacking while the whole time actually being the executors of the biggest privacy invasion in the history of forever.

Yes, but you’re also the least directly affected. There is no “switch” to pull, short of removing back doors in software. There will always be a market for “0-days” for which there’s no defence as the exploit vector wasn’t included in the software deliberately. Other countries would still be able to spy, irrespective of NSA moves which is why the only solution is: robust encryption and open source software that can be vetted.

well, that was truly depressing. …i don’t want to live on this planet anymore…

Some felt the same way in the 1960’s when dealing with widespread, instiutional civil rights issues like segregation. Some resigned themselves into to thinking the odds of success were insurmountable while others ignored that pansy shit and kicked some ass.

The rest is history.

sometimes, when you see the size and strength of the enemy before you…you wonder: “can we stop it” a system so well built an maintained, a checks and balance of corruption with influence in EVERYTHING.

Can we stop it? Yes. Will it take decades? Yes. The fight is ON.

3 Likes

Don’t take this the wrong way, cowicide. But in this case, i almost see no fight. It is the most depressing aspect of this thing, so far. Plenty of forum posts, but not a single demonstration, no nothing. The all-american laziness surrounding it is quite a sight.
You people know for a fact that americans, and everyone else in the world, who want and have nothing to do with your megalomaniac government, have had their privacy snatched away from them. Look at brazil, at what happenned to morales’s plane during the snowden chase farce. There ought to be a LOT more outrage than this. This is as passive as it gets.

You do realize a lot of NSA-approved encryption devices use IPSEC, don’t you? Also, two “major flaws” pointed out by this guy actually have valid purposes:

  • Null encryption is useful for when you need to troubleshoot all of the other aspects of an IPSEC tunnel (MSS, authentication, routing, etc…) without encryption obscuring your view of traffic. It is not for production use and production VPNs should be configured to reject null crypto.

  • single DES and 768-bit DH are weak and everyone knows it. There are plenty of cases where weak crypto is OK, if bandwidth is more important, the endpoints are small/embeded systems, and the data you are encrypting isn’t that sensitive. Case in point: DRM on DVD, CableCARD, satellite, IPTV… for the most part it is all DES, RC4, or something similarly weak. (The keys do change frequently tho so cracking one key is just going to give you a few seconds of video)

but whatever… neckbeards gonna wharrgbl…

3 Likes

Yes, but that’s not sufficient. As Schneier and Gillmore suspected and Snowden basically confirmed, there are open standards out there which are actually crackable by the NSA. They might not be 20 years ahead of us like they were in the late '70s, but they’re still ahead in theory and in practice. It will take a lot of care to unfuck even existing open source code; for starters, lots of innuendo and accusations about programs like OpenSSH and OpenBSD made in the last 15 years don’t look that outlandish now, and they are the gold standard of open source security and key infrastructure for everyone else.

However you look at it, it’s another case of the worst possible scenario actually being confirmed as true.

1 Like

But in this case, i almost see no fight. It is the most depressing aspect of this thing, so far. Plenty of forum posts, but not a single demonstration, no nothing. The all-american laziness surrounding it is quite a sight.

Well, the good news is the most depressing aspect you posited isn’t true.


Also, there is very much a fight. Many average Americans are spreading the worst kind of high-casualty, figurative carpet bombs authoritarian regimes fear the most… facts spiked with critical thinking.

Sure, there’s still an embarrassing amount of Americans who still don’t “get it”, but you’re also talking about the same people who voted in GW Bush… twice. But as we continue to educate one another by spreading facts and information, so spreads more dissent.

The American middle-class who is already struggling for mere survival isn’t going to quit their scarce jobs to hop up and down in the streets en masse. But, what many are doing is asking questions, spreading information and demanding better. This struggle is timeless… it’s nothing new. It’s all just a little bit if history repeating.

“One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors.” - Plato

“If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.” - Thomas Jefferson

“Remember that a government big enough to give you everything you want is also big enough to take away everything you have.” - Davy Crockett

“Giving money and power to government is like giving whiskey and car keys to teenage boys.” - P.J. O’Rourke

“I hope we shall crush in its birth the aristocracy of our monied corporations which dare already to challenge our government to a trial by strength, and bid defiance to the laws of our country.” - Thomas Jefferson

“The liberties of a people never were, nor ever will be, secure, when the transactions of their rulers may be concealed from them.” - Patrick Henry

“I had been looking for leaders, but I realized that leadership is about being the first to act.” - Edward Snowden

"EVERY attack now made on WikiLeaks and Julian Assange was made against me and the release of the Pentagon Papers at the time.” - Daniel Ellsberg

There IS a fight and please don’t discount those that participate and/or support it by ignoring it…

Not the huge, stomping rallies i’d expect, but it’s a lot better than the nothing i imagined. (there are maybe 20 people on the bottom picture?)

The middle and lower class are exactly who need to go there, we are the turtle holding the world. I agree though when you say a lot more critical thinking is popping up; but i’m afraid that as long as it doesnt embarass them publicly, on their redneck voters tv’s, they wont fear it one bit. There should really be some rage in the streets. As in brazil, with the world cup fiasco. Maybe i’ve been spoiled by living where i live, where this sort of stuff works.

I do love your enthusiasm though. Keep informing everybody. Something big has to start soon, from us, or we are all fucked.

If you haven’t donated lately, now’s a perfect time… https://supporters.eff.org/donate

1 Like

It doesn’t have to take decades if we stop playing to the strengths of stupid.

It doesn’t have to take decades if we stop playing to the strengths of stupid.

You’re in a battle with human nature and I commend you for it. But, I think changing human nature will take even longer than decades. More like centuries.