UK Cryptographers Call For UK and US To Out Weakened Products

Trailrunner7 writes "A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ 'have been acting against the interests of the public that they are meant to serve.' The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products."

Proprietary Routers

[Anonymous Coward]

Let's start with these as they are of great importance and often fall behind with updates.

Google search:

cisco routers backdoor
cisco routers rootkit

Unlikely

[AmiMoJo]

Does anyone really expect these criminal organizations, headed by the kind of people who set up a Star Trek style command bridge, are going to do the right thing? The only way to deal with these scum is to shut them down and start from scratch.

Likely outcome

[return 42]

I suspect the agencies will make a great show of reluctance, then reveal what they did to some protocols and algorithms -- those where the backdoors are most likely to be noticed, or have already been found, such as Dual_EC_DRBG. The crown jewels, those least likely to be noticed, will remain secret. Nothing to see here folks, move along.

NSA and GCHG couldn't care less about the public interest. They have a mandate to spy on as much as possible on the off chance that it may prevent some terrorist act. They will continue to do so in any way they can unless the legislative bodies or courts in their respective nations rein them in. This seems moderately likely in the US, quite unlikely in the UK.

Re:hahhaha

[F.Ultra]

No they think that the _should_ care about the public interest since that is why we have them. If they do not serve the public interest we should abolish them.

Re:Likely outcome

[FriendlyLurker]

on the off chance that it may prevent some terrorist act. .

Oh, that must mean those terrorist organizations like Occupy Wall Street [motherjones.com], - or any other community based activist group trying to agitate for improved conditions for the people. Must be why we are treated as the enemy.

Re:Likely outcome

[mrspoonsi]

It needs more people to be outraged by it, to what lengths are people willing to accept this kind of intrusion? If these spy agencies shipped all domestic post to a 3rd country, where it was opened, photocopied, stored then sent on its way, people would be doing a Bastille style take down, yet somehow because these letters (email) are electronic, and it does not need a huge complex of Stasi officers doing the actual work, then it is OK for most of the people?

Well I say to those people, your liberty is gone, a form of government is in place which is open to internal corruption / blackmail, there is a massive abuse of power going on. Information is power, and the next President, well the NSA, FBI, etc might just have a file on said future president, all his little secrets, so the President is in their pocket so to speak.

Remember, for a true democracy, government needs to be transparent.

Re:Likely outcome

[AmiMoJo]

We have to assume everything up to this point is compromised and start pretty much from scratch. Replace AES with TwoFish, re-design all the lower level protocols, increase all key lengths, remove any ability to downgrade security and mercilessly cut off clients that don't upgrade when an issue is found.

The whole trusted certificate system has to be replaced as well, which is going to be hard.

Re:hahhaha

[Anonymous Coward]

How many truck bombs have been set off in your town? And if you think the long string of successful non-explosive days is thanks to the alphabet soup agencies, I have a lovely truck bomb preventing rock here I'd be willing to part with for a few thousand dollars.

Re:hahhaha

[ultranova]

And part of "the public interest" is tracking down the people who want to drop off a truck bomb at the shopping center I'm going to be at. And part of tracking those people down is monitoring their communications.

1) You know some particular person is planning to bomb a shopping center. You don't need bugged encryption protocols, you can simply get a warrant to keep them under surveillance until you have enough evidence to arrest them.

2) You know there's a plan to bomb the shopping center, but don't know who's involved. Fortunately truck bombs need lots of materials, such as fertilizer, so start asking local sellers. And as a last resort you could simply stop and search every truck that approaches the center - you have probable cause, after all.

3) You don't know anything, but have a gnawing suspicion that some unspecified bad guy might be planning an attack against an unspecified shopping center for unspecified reason at unspecified date. Thus, you want the right and ability to open random letters on the off chance that these shadowy figures are discussing their evil plans on them. In this case, have you considered getting psychiatric help? Because it sure sounds like classic paranoia to me.