ââI know from firsthand communications that a number of people at N.I.S.T. feel betrayed by their colleagues at the N.S.A.,â Mr. Green said in an interview Tuesday.ââ
âBetrayedâ? Really?! Either those people are the most naive people to have ever worked with (drum rolls!) a spying agency, or theyâre taking us for fools.
They feel betrayed because they were assured plausible deniability if this ever came out. The way it has worked out they have no cover at all. Never trust a white guy, especially if he is wearing a suit.
I donât know about that. Yes, NSA are spies, but that doesnât just mean that they want to access all your private data. It also means, presumably, that they donât want other countriesâ spies to be able to access all your private data.
I can understand why NIST might have thought that the NSA would be on their side.
Especially because there was a time when they were (at least the crypto side of the house, I assume that team eavesdropping was either less powerful at the time, or more confident that âeh, itâs not like anybody we canât subpoena will get their act together, so who caresâ). The whole DES S-box incident, where the NSAâs suspicious âNo, you should use these arbitrary numbers instead of the other onesâ turned out to be advice that prevented a then-publicly-unknown attack on the system, rather than malice.
NIST apparently didnât notice the NSA going off the rails, if they are in fact feeling shocked and betrayed; but there was a time when the NSA thought that better cryptography was a national security thing, rather than being fixated on whatever acronym soup the unwholesome spawn of Total Information Awareness are going by these daysâŚ
Hum surely that headline should be fixed? And not even because of the âthe theâ How about:
âThis is a crypto standard that the NSA sabotagedâ
We shouldnât stop re-examining the rest of them simply because Dual_EC_DRBG was spotted.
I like this from the articleâs comments:
T. Traub from Arizona:
The NSAâs meddling in public cryptographic communications
and standards has caused irreparable harm to the nation.
While the general public may be blissfully unaware of the
implications of compromised Internet security, the technology
industries certainly are not. Contracts are being canceled and
previously trusted relationships reevaluated.Ultimately, what will emerge from the ashes of this tainted system is
multiple systems operating in parallel: the officially sanctioned,
compromised internet with full government scrutiny of all data, and
one or more shadow networks where the real trusted transactions take
place.These âdarkâ networks will probably operate offshore and the U.S.
government will expend great amounts of time and energy and treasure
trying to trace them, block them, and shut them down, much as China
does today.Itâs the end of freedom and privacy.
T. Traub is right. Iâve had clients already approaching me in higher numbers about circumventing the risk of having their business secrets plucked and fucked by unscrupulous government employees in the TSA, NSA, CIA, ATF, FBI and WTF.
Needless to say, if they didnât already listen to me in the past, Iâm now moving clients away from some popular American corporations and pushing them towards more open source solutions instead.
The American government and top tech corporations brought this upon themselves. And, I have to admit Iâm a bit hostile since whenever I tried to bring this shit up on the Internet in the past Iâd get attacked from hoards of Microsoft and especially Google fanboys, lackeys, astroturfers, sockpuppets, etc. that suggested I wear fancy tinfoil hats and shit. Eat a bag of rotund dicks.
I donât know how many times when Iâd point out that a glaring security flaw in an Apple, MIcrosoft, Google, etc. product or service was discovered that it was perhaps an exposed backdoor that I was mocked and sent fancy tinfoil hat pictures.
Now it turns out those flaw were backdoors. How do those fancy dunce hats feel, fellas?
/end bitter rant
The damage done to the very structure of trust and its algorithmic implementations means that the NSA, NIST the US government will never again be entirely trusted.
This is inevitable and may all well be to the better.
Its already been proved the NSA were bastards and Edward Snowden deserves a medal and a Nobel peace prize.
I am wearing a T-Shirt saying: âNational Security Agency. Peeping while youâre sleepingâ around the NSA logo, and sub-titled â***The NSA. The only part of government that actually listens.***â [ http://www.cafepress.com/mf/78962026/the-nsa_tshirt ]
This strikes right at NISTâs credibility. The affect of all of this may make us less secure. The big minds, engineers, and scientists need to form an emergency commission to address this. NSA will not have seat at the table. NIST, Google, Apple, Verizon and other collaborators will have to wait outside. An institutional melt down has occurred.
I was about to take offense at this statement, as I just started wearing suits⌠But yeah, I probably wouldnât trust me either.
Bruce Schneier has suggested that basically every crypto algorithm built around elliptic curves should be considered deeply suspect. And, you know, itâs Schneier, he knows a thing or two about cryptoâŚ
Yeah, Iâm white as you can get, but Iâm not evil (even without a tie) What I am is unreliably committed to whatever you have in mind. Interested and a good listener, but when it comes time to divvy up the work I am suddenly unable to concentrate and need to sit down. Your secrets? Yes, I had them right here . . . um
I do feel sorry for NIST people in general. They generally try to do good work and are generally trying to make their processes and products open and transparent. And the NSA just fâed them. Completely and forever. I canât see any reason why a third party would ever trust a NIST standard again, no matter what damage control they do. Itâs not that theyâre bad people - itâs that we donât know how many NIST employees have been suborned by the NSA. We donât know whether theyâre required to submit everything to pre-clearance. Secrecy makes for less security.
Even if Dual_EC_DRBG is in fact compromised, the actual utility of the âbackdoorâ would be minimal. In the real world, hardly anybody uses Dual_EC_DRBG, because it is orders of magnitude slower than alternatives.
I like the âLimited Hangoutâ: THE crypto standard NSA sabotaged.
As if this were the only one.
I used to work at a number of different âenterpriseâ software companies, that built key management facility and crypto service providers for infrastructure platforms.
How many employees - hired in good faith - would have been sponsored and referenced in getting their jobs by NSA? Especially in security work?
I look all white
But my Dad was black
My mohair suit
Is really made out of sack
If we are all living in a simulation, things are sure getting interesting.
If vulnerabilities are found in these or any other N.I.S.T. standard,
âŚthe whistleblowers will be prosecuted.
Evil? I like to think of myself a Chaotic Neutral.
Enjoy a bit of delicious schadenfreude, my friend. I had a bowlful when Microsoft bought Nokia a few days ago (âElop is a MS trojan horse to prepare an acquisitionâŚâ âYouâre just a conspiracy theorist!â).
The fact that one is paranoid doesnât mean that somebody is not out to get one. Every single fear we had about the NSA turned out to be true: siphoning info out of Google/Apple/MS/FB/Skype? Check. Logging every phone call you make? Check. Mass-tapping internet pipes? Check. Breaking common cyphers? Check. Spying for corporations? Check. Backdooring public standards? Check. Passing everything to Israel? HEY WHATTAFâcheck. If all this is true, what else we commonly discard as tinfoil-hattery is also true?
Jeez, I need a drink.