Ex-NSA Analyst Warns Of NSA Security Backdoors 205
jagger writes: "In this ZD-Net article ex-NSA analyst Wayne Madison has issued a warning about many proprietary software packages coming bundled with NSA backdoors. This must be very troubling for non-US governments, because it means that they have no security against anyone knowing the backdoor. " This is one of the reasons China has cited in wanting to use Open Source and home-cooked solutions.
Pentagon Papers, part II (Score:1)
MS (Score:1)
Software companies including Microsoft have in the past been accused of colluding with the NSA to provide backdoors into their applications.
Am I the only one that doesn't find this surprising?
Did i spell surprising right? Oh well, spell check on slashdot doesn't really matter anyway.
How much do they pay Bill? (Score:2)
Not surprising! (Score:1)
NSA= (Score:1)
I say go for it (Score:1)
Software *may* come bundled... (Score:4)
If anyone has any actual hard evidence for or against NSA backdoors in commercial software, I'd be very interested in seeing it. Meanwhile, it looks like we'll have to put up with the usual conspiracy stuff.
And we're supposed to be shocked and surprised (Score:2)
Maybe this is how the DOJ will settle with Microsoft. Put this little password into your server software and we'll forget we saw any anti-trust violations.
Don't call it paranoia, call it realism!
Re:Not surprising! (Score:2)
No, pick any dictatorships, and you would find a government who is more paranoid.
Hooray! (Score:1)
Re:NSA= (Score:2)
Re:Software *may* come bundled... (Score:1)
Re:Software *may* come bundled... (Score:2)
Re:MS (Score:1)
"Software companies including Microsoft have in the past been accused of colluding with the NSA to provide backdoors into their applications." Am I the only one that doesn't find this surprising?
Uh, nobody finds that surprising. There probably isn't a negative thing remaining that Slashdot hasn't accused Microsoft of having done.
Cheers,
Hrmnn... (Score:2)
Note to the humour impaired: Win95 2nd ed=Win 98, Win 95 3rd ed=Win 98 se, Win 94 4th ed=Win Me, MacOS 7.6=MacOS8, MacOS7.7=MacOS9
The real conspiracy is ... (Score:1)
Resistance is futile, we have backdoors to get into your backyard, so why bother?
Re:I say go for it (Score:1)
After M$'s use of backdoors in Frontpage [...]
Okay, I'm up for a good conspiracy theorist laugh. Please explain what on earth you're talking about.
Cheers,
another reason to use open source (Score:3)
And while I think this is a valid reason to use open source, we should remember that unless we compile the software we use ourselves from our own source that we ourselves have checked, then we can never be sure if there exists a backdoor into our software. I speculate most people are not willing to wade through literally millions of lines of source and compile by hand each program they use to ensure that the "man" is not watching them. However, the article (which refers to the NSA agent as a "spook") does not mention why he is an ex NSA agent. What is the reason he is no longer with the NSA and why is he so freely admitting these facts. Having had clearance in the past I know very well you need to sign many numerous agreements that state you can be imprisoned indefinitely without trial if you violate said agreements. You basically sign over your rights as a US citizen to obtain that kind of security clearance. This story raises some good issues about how much we as citizens should trust our government and our software, as well as raise the ire of many foreign nations using US software. But there is always a nagging doubt in my head when we hear stories from ex employees and there is no knowledge given about why they are ex-employees.
But in general this news is not really new. The government has had backdoors in software as long as software has been around. And this has been shown in the press before to be true.
I do think however this presents those of us in the open source world with a strong argument in favour of open source software with respect to dealing with trusted programs.
Regards...
The ex-NSA guy is only guessing. (Score:2)
Nice that the person writing the comment couldn't even read, his comments make it sound as if Wayne had personal information about these backdoors or even any backdoors, but the actual news items states:
Notice the 'may'.
Next the article states:
These are just GUESSES from Wayne, not any hard proof. The article never states that he has seen this, only very indirect evidense. I bet alot of people will get irate without even reading the original article.
Remember the Micros~1 backdoor story? (Score:2)
---
MS/NSA - Whats in it for me says Billy-G? (Score:1)
desktop PC hit the 1st desk.
Now, with all of this cooperation with the NSA and
what not, one has to figure... why is Bill Gates
in so much trouble? Now, I don't mean to be
so paranoid, but I can't help it... but it seems to
me that the government has a very distinct
interest in taking down Microsoft... and I
certainly can see the reason why they would be
considered a monopoly (hell, I consider them one)
But what if one of the driving forces behind this FINALLY
occuring was Microsoft refusing to cooperate with
the NSA?
Just something to keep you up and night..
Re:Not surprising! (Score:1)
Wayne Madsen related article (Score:2)
"In 1985, their long-term goal was "total hearability", i.e. the
capability to listen in on all communication around the world."
EX-AGENT TO DANISH MINISTERS: YOU ARE BEING MONITORED
Former Echelon agent warns Danish politicians against confidential
conversations over the phone.
The Echelon system not only listens in on private persons, companies and
interest groups, Danish politicians and ministers are also the target of
the NSA's extensive espionage, reveals Wayne Madsen to Ekstra Bladet, who
meets him in Washington D.C. Wayne Madsen was once a spy for the National
Security Agency NSA - the intelligence service behind Echelon - but he has
severed connections with his former employer.
We are crossing the border into the state of Maryland. Behind us lies
Washington D.C., the US capital - and somewhere in front before us lies
Fort Meade in neighbor-state Maryland. 'The Fort' is the headquarters for
world-wide espionage and the workplace for 38,613 of the most talented
secret agents in the world.
Wayne Madsen is very familiar with Fort Meade. For several years, it was
his clandestine workplace. He has a pistol in the glove compartment of his
car. Loaded. Wayne Madsen is always armed wherever he drives.
"I don't carry a gun because I think it's cool to have a pistol. But based
on the sources I still have in the NSA, I know there are people in the
intelligence services who do not care for people who talk about the secret
services. Since they are armed, I had better be prepared, too."
Wayne Madsen is an experienced man in regards to secret projects and
surveillance. Since 1975, he has been operating the most sophisticated
computer technology in existence. First as a marine in the US Navy, then
as an agent for the National Security Agency, NSA, and most recently as an
employee at two of the NSA's partners, RCA and the Computer Science
Corporation.
"Whenever anyone criticizes the NSA, it is important to remember that they
have done a lot of important work, too. Both during the Second World War
and the Cold War, when they were talented at breaking the codes of the
Nazis and the East Bloc countries respectively."
TOTAL HEARABILITY
To prove to us that the NSA does more than just 'black work', Wayne Madsen
wants to show us an unusual museum, the NSA's Center for Cryptologic
History.
"Since it is located at the same address as NSA headquarters, Fort Meade,
we can see the buildings I worked in at the same time -from the outside at
least."
Just before we get to Fort Meade, Wayne Madsen points down an access road.
"I went through a lie-detector test and a voice-test analysis over there,
before I was approved by the NSA," Wayne tells us with a faint, shy smile.
He was a lieutenant in the Navy at the time with ten years of experience
in tracking Soviet U-boats and monitoring computer security.
What is the role of the NSA now that the Cold War is over?
"Primarily, they have a global network of computers known as Echelon. The
computers are connected with their intelligence satellites and listening
posts all over the world. And they still do military work. The difference
is, however, that today they monitor everything and everyone. Politicians,
organizations, companies, private individuals, even friends in allied
countries. In 1985, their long-term goal was "total hearability", i.e. the
capability to listen in on all communication around the world."
MINISTERS MONITORED
Is Denmark part of this system?
"Yes. Denmark is a third-party partner in the surveillance agreements. On
the other hand, however, Danish ministers and politicians must assume that
they are under surveillance."
What?
"Yes, that is part of the way they work. At their embassies, they have
groups called 'Special Collection Elements' that monitor local
low-frequency communication. Anything of interest is forwarded here to
Fort Meade where it is analyzed."
"If something can't be intercepted from the embassies, they try to
intercept it from the listening posts in the various neighboring
countries. So is it very risky for Danish ministers to talk on cellular
and satellite telephones alike," says Wayne Madsen as we enter the NSA
museum.
SPY TO EX-SPY
Inside the museum, Wayne Madsen asks whether Jack Ingram is at work today.
A moment later, a tall man appears. Ingram has been an NSA spy for many
years. Now he administrates the museum. He shakes hands with Wayne, and
the pair quickly strike up a conversation about common acquaintances at
various intelligence agencies and companies.
Shortly after, we walk around looking at the NSA's exhibits of cast-off
super-computers and code deciphering equipment - debris from more than
fifty years of intensive espionage in world-wide communication. Wayne
Madsen continues:
"Denmark doesn't get very much out of being a third party, because NSA is
the first party and decides which information the other countries receive.
So obviously, whenever they monitor specific politicians or companies in a
certain country, they naturally don't tell the local government about it.
The information they give to Denmark is something that promotes their own
interests or something they themselves consider to be a threat. For
example something about Tamilians or the PKK, the Kurdish resistance
movement. If it involves information which promotes their own financial
interests, then naturally they use it for their own benefit."
Do you have specific examples of what you are saying?
"Mike Frost, who worked for Canada's intelligence service, which also
participates in Echelon, has personally monitored both politicians and
companies in other countries. He told me among other things about
monitoring the Chinese embassy in Canberra, Australia. All the information
was forwarded here, to Fort Meade. The Australians never saw the
information because the US could use it to control the world wheat trade.
Although I write books and articles about the NSA, I still have good
contacts in intelligence circles at present," states Wayne Madsen.
As we drive back to Washington, he turns briefly toward Fort Meade's
parabolic antennas with a serious look on his face:
"The problem is that the NSA has lost sight of its purpose. It's not right
that taxpayers' money is used to help major shareholders in large
corporations to earn huge profits. Or for that matter the fact that the
NSA puts ordinary people, legal organizations and politicians under
constant suspicion."
EXTRA FACTS
In a joint council in September, Minister for Defense Hans Hækkerup
admitted that Denmark cooperates with other countries on surveillance.
However, Hans Hækkerup would not reveal which countries and intelligence
agencies Denmark cooperates with. It does appear, however, in the archives
left behind by the former head of the Danish Defense Department's
Intelligence Service, Commander Mørch.
Sources in Mørch's archives show that Denmark entered into an agreement
with the US on surveillance cooperation all the way back in 1947 - the
same year that the UKUSA - the pact behind Echelon - was established. The
UKUSA pact is controlled by the National Security Agency in the US, in
which the Australian, Canadian, New Zealand and British intelligence
services participate as second-party partners.
Most NATO countries - including Denmark - officially entered the pact as
third-party partners in 1950.
According to documents in the possession of Extra Bladet, the National
Security Agency has now confirmed that it has third-party partners.
BY BO ELKJÆR AND KENAN SEEBERG
COPYRIGHT 1999: EKSTRA BLADET - COPENHAGEN, DENMARK
Too much room for abuse (Score:5)
*sigh* I can understand why the NSA wants to be able to monitor Internet traffic. National security and all that.
BUT.
There is wayyy too much room for abuse.
I, for one, wouldn't want my software to be sending data to NSA or any other place without my knowing.
I'm glad that Open Source is where it's at today. It would be our worst nightmares if Open Source hadn't gained enough widespread acceptance and entities like the NSA lobby for outlawing Open Source software for "security reasons". I mean, it's very conceivable that your local ISP will only grant you access if you install their proprietary software which contains who knows what kinds of backdoors. Good thing open source systems like Linux is so widely available, and not locked into any proprietary vendor, so that ISPs *have* to allow for users to not use their software.
Thank God for open source software...
OTOH, I think NSA is shooting themselves in the foot. Foreign goverments aren't gonna put up with this backdoor nonsense in *their* software. So open source is going to become even more attractive, which will be good for all of us.
---
Viva la (free|open) software (Score:1)
I sure as hell wouldn't want anyone from a government looking at my stuff, just on general principle - therefore I will never have a proprietary system running the security on any network I run. I want to check out the code for all the daemons I run, the TCP/IP stack, the ethernet drivers, the login stuff. You can't get much more secure than that.
--
"The Bear and The Dragon" (Score:1)
Article lacks facts (Score:1)
The only example given was Carnivore, which has nothing to do with backdoors in software, and doesn't appear to have anything to do with the NSA.
you know... (Score:3)
What about legitimate law-enforcement issues? (Score:1)
If law enforcement could not get access to the Bad Guys' goodies, it would be an absolute disaster for everyone -- our freedoms would be confiscated not by the government but by crimelords and other unaccountable groups like multinational corporations. Is this really what people want? On the other hand, of course, unrestricted government access would be an equally severe disaster.
The existing U.S. system of requiring a court warrant is a compromise that allows some public scrutiny (after the fact, which is usually good enough to ensure the health of the system if not of every case).
Unfortunately, things like Carnivore are a kind of end-run around that system, which is why they are so distressing. But it meets the real, legitimate need of detecting crime in the first place, much like we have policemen running a beat to observe and prevent crimes rather than dispatching them after the fact.
So what is the real compromise? How do we resolve these issues? Neither extreme is acceptable.
----
-- Bandannaman
Finally the truth (Score:2)
I found another article that said he worked for the NSA for 20 years.
My incredible deductive powers have allowed me to determine that he left the NSA 5 years ago.
(knock knock)
Ummm. Folks, I have to go now. It seems that I have impressed more people than just myself and thou. Some men wearing nice suits are offering me a job. Bye.
How government agencies get their way (Score:1)
"The regulations were relaxed after pressure from industry but Madison believes that this may have driven the NSA to find ways to carry out surveillance. "They're not going to give in over exporting strong cryptography without getting something in return," he says."
Although nothing concrete is stated in this article, it's good to remember the tendency government agencies have to never turn back from their goals. Any time you think you have won a victory for free-speech, or privacy rights, or whatever, and that that big, bad evil government has been beaten, realize that they probably just made it look as if they were beaten. Meanwhile, they made a quid-pro-quo agreement to backdoor their way around the defeat. We then don't hear about this alternative method until years down the road. At which point they are actively working on yet another method of achieving their goals.
Never assume the government is as powerless or as clueless as they may appear.
________________
This is a conspiracy (Score:2)
Seriously, treat ANY statement by the NSA as potential disinformation, potentially mistaken and potentially correct.
In short, stop judging and treat it as you would a claim by any stranger on the street - with a pinch of skeptisism (NOT cynicism) and LOTS of salt.
Linux (Score:1)
On the subject of MS and NSA security holes.... I want to know why they still haven't fixed any of the nuke problems.... hmmm... Why would they want to be able to get into open ports on a computer... Seems strange..
Bill Gates is God
Hey Wait a second!!!! I didn't write that!
Duh (Score:1)
1. You have no idea if those coders are l337 h4x0rZ by night now walk in on their own backdoors and snoop around.
2. You have no idea if they even uses the advertised encryption.
3. You have no idea if that encryption does exactly as advertised.
4. You have no idea who is watching.
It is clear, you ONLY choices for security are:
1. Code it yourself.
2. Use publicly available source.
Then and ONLY then you will know what you are getting into.
Even the source isn't a 100% guarantee (Score:3)
Sure there is (Score:5)
Microsoft always leaves the toilet seat up.
Microsoft chews with its mouth open.
Microsoft left its cell phone on during a movie, and answered it when it rang.
Microsoft snores in bed.
Surprise Surprise Surprise (Score:1)
/. fodder (Score:4)
Oh yah - let's see we've got:
all in one story. It's like the story was written to be posted on /. for crying out loud!
Furthermore, it lacks any real meat. This Madison guy isn't saying that they are doing it: "Ex-spook believes", "applications may have backdoors" (emphasis mine). It's nothing definite - just this one guy's beliefs. And if he used to be an analyst, shouldn't he know this rather than sucumb to conjecture? The article got one thing right though: he's "fuelling conspiracy theories".
Now I hate MS as much as the next guy, but I also believe in the principle: Don't subscribe to mallice what can be explained by stupidity. I think they gave a reasonable explaination of the whole NSA key thing back when that happened. They also made the very valid point that it's not in their best interests to do something like that because if a foreign nation found out, MS would be skinned alive. Furthermore, I think people give the NSA too much credit - despite all the talented people they have, they're still a government agency and as such tend to resource limited. Can you imagine how much computational power would be required for Echelon to actually do everything that people claim it can? Do you think even the US Government has that type of money and could spend it in a covert manner even if it did? If you do, I think you give bureaucracy too much credit.
Standard disclaimer - these opinions are entirely my own. My employeer may well disagree with me - I can't speak for them.
-"Zow"
This is pretty old news (Score:1)
The question is, how will the NSA try to fight open-source backdoor-free software? Don't think that they won't. They tried for a long time to keep crypto export restrictions. Having lost that, they are not just sitting there -- "oh woe is me, the open-source guys beat us!" Remember, these are the Echelon guys. They don't send cease-and-desist orders through a bunch of lawyers. They bug your house and tap your phone. They're working on the way to open up strong encryption like a can of tuna.
-------------
Previous Examples (Score:3)
In later years, the NSA and other NATO intelligence agencies arranged for subtle defects to be added to the systems sold by Crypto AG.
I wouldn't doubt that the NSA is still trying to get backdoors installed in commercial software. How successful they've been is an open question.
Xerox provided the Soviet embassy in Washington with a photocopy machine that had a "special feature", a well hidden camera that photographed every document that was copied.
Re:another reason to use open source (Score:1)
This reminds me of Ken Thompson's Reflections on Trusting Trust [acm.org] Basically, he was talking about the login program in Unix.
How do you know that there isn't some special login that's universal? Ok, you say, "well, I'll just compile the source & run it myself".
His response would be, "how do you know that I didn't put something in gcc that figured out if it was compiling the login program and automatically added that one entry into the code?"
You would respond "So, I'll just recompile gcc"
And of course he'd say, "How do you know that I haven't put code into the compiled gcc that checks to see if your compiling gcc & add that code into the gcc binary?"
SOOO, mr. NSA, read THIS! (Score:1)
Hmmmmm.... and since the link in my
Wait... I just realized, you can track me down to the very room using this information! Uh-oh...
*hears tapping at the door*
AAAAAAAAAHHHHHHH!!! OHHH NO!!! THE NSA IS DRAGIN ME FROM THE KEYB
-----
Let's get this right... (Score:1)
I'm sorry, but you've insulted the wrong guys. For the Slashdot Side of the Force is With Us!
I call on a Slashdotting of their webserver, until they bow to the mightiness of our geekdom!
Re:MS (Score:1)
But the AC that replied before me showed a much greater sense of humor, certainly a lot more than you deserve. Too bad he's not yet (moderators - wink, wink, nudge, nudge) visible at +1.
--
Microsoft's New Marketting Slogan (Score:4)
In small print, printed on the backside of the seal you have to break, thereby agreeing to the EULA, "contains less than 3% backdoor code; percentage measured by volume and may not apply to this release as code does not occupy space".
My mom is not a Karma whore!
Re:Software *may* come bundled... (Score:2)
--
Re:Linux (Score:2)
Have you actually read the source? Understood it? All of it?
I personally don't have the time to read through each new version of, say, glibc, to find that it's clean. Now, I happen to believe that it's fine, but that's a faith-based opinion, not a knowledge-based one. And it only takes a few lines of source buried deep in some function to open up a back door.
In any case, you've got a better shot at finding backdoors with Open Source, but it's not like a back door'll jump out at you and wave, just because it's in an Open Source program.
Eternal vigilance, etc...
-
bukra fil mish mish
-
Monitor the Web, or Track your site!
Re:Why would anyone but terrorists & pedophiles ca (Score:1)
Put another way, imagine we had had modern computers in the years leading up to WWII: would you have counselled that the US buy closed-source software from German vendors, knowing that the German government had all kinds of backdoor access to those products? Of course not. You would insist on open-source products that you could modify to your satisfaction, or home-grown closed source products. It's not surprising that security-conscious foreign governments find software to which the American NSA might have a master key a bit distasteful.
Re:Hrmnn... (Score:1)
MacOS 7.6 was a real, shipping operating system. MacOS 8.0 was originally slated to be 7.7, not 7.6. Mac OS 9 is just that, Mac OS 9. It appeared on the roadmaps way after the whole Copland/Gershwin debacle...
I get what you're saying, but i'm just trying to remind you that there are a whole lot more differences between the cores of Mac OS 7.5 and 9.0 than between Win 95 and Win ME...
Re:And we're supposed to be shocked and surprised (Score:1)
What I'm saying is that this type of behavior isn't limited to just the NSA. Almost every government agency acts in some sort of underhanded way. Just look at the FBI and Carnivore. That whole project smells of the NSA.
Re:another reason to use open source (Score:1)
First, I'd have to know what the source code "looked" like for every version of every compiler. So instead I make sure that the binary that gcc compiles to using gcc will have this code put in.
But what if I use cc from Sun or HP to cross-compile gcc? or make gcc the first time on that system? Now I need to go to each company and convince them to include a rather large and ugly piece of code that recognizes all of these compilers.
Now, what about all the software projects in undergraduate and graduate courses that build compilers? Do I now have a "universal compiler checker?" Is it even possible to tell what a piece of code will do?
So now we're in the unique position that the compiler we would be using would have to be what most people would call "Artificially Intelligent."
So now I've built a piece of Artificially Intelligent code that watches compilers for compilings of compilers to watch for compilings of login prompts. Yeah. I can certainly believe in that happening.
Not really... (Score:1)
--------------------------------------------
Re:How much do they pay Bill? (Score:1)
After all, the laws governing crypto in this country give the NSA authority to approve or disapprove cryptographic systems incorporated into commercial products. Companies like Microsoft are pretty much at the mercy of NSA demands if they want their products approved. There have been numerous news stories (and one or two slashdot articles) in the past pointing out that NSA has demanded back doors be placed in commercial software that contains crypto.
Also, there is nothing secret about this fact. Microsoft and other companies have made public releases in the past that acknowledge they have been required to incorporate back doors and reserve special keys for the NSA in order to get approval.
Re:Software *may* come bundled... (Score:3)
Here's some reading:
This thread [slashdot.org] on SlashDot.
This article [freedomforum.org] on Freedom Forum.
It's also been reported that the NSA requires U.S.-made communications satellites to be equipped with intercept devices that can be used to transmit copies of their traffic to the NSA for analysis. Don't have a link at present, but I'm sure you could find a source if you're interested enough.
Re:Software *may* come bundled... (Score:1)
And the password would be... (Score:5)
Name 'em (Score:4)
I'll call him on it. Name 'em or shut up.
Re:What about legitimate law-enforcement issues? (Score:2)
Let me explain. What if Carnivore was authored in such a way that it could only sniff a particular person's e-mail? Further, what if it could only do this if law enforcement could prove to the system that a warrant had been issued, perhaps via an incredibly strong digital signature that even Moore's Law wouldn't bring into the realm of crackability for centuries? And finally, what if Carnivore would not function at all, not even passively watching the data stream, if there were none of these "proofs of warrant" active in the system (the only functionality still available, in other words, would be to put proofs of warrant into the system to unlock the remaining functionality)? And, as a crowning touch, what if the Carnivore system were Open-Source, so it could be inspected, and also put through formal verification to ensure no exploits either from hackers or law enforcement trying to hack around the security to do a little illegal surveillance)? Oh, yes, and make it an embedded system (no Windows NT to introduce exploits of its own).
Once that mechanism is in place, it's guaranteed that it cannot be abused. And if Carnivore can, by these means, be proven conclusively to be unabusable, then I no longer have any problems with it. But as the situation is now, I very much doubt any of the measures I mentioned above are in place.
----------
Hard to believe (Score:3)
Backdoors or security holes? (Score:2)
I'd go online, and find me a small group of talented crackers and script kiddies, and offer them the job of their dreams: cracking into every bit of software and computer system on the planet and getting paid for it. Not to mention the added perk of being cool spys. Even open source software has the occasional security hole, and if the hole is patched, my team could simply find another one. Microsoft's software is so riddled with silly security holes, and so popular, that it would not be difficult to have an in on most of the computers in the nation, if not the world. Plus, Microsoft sometimes never fixes known bugs because fixing bugs doesn't give them market dominance, so the holes might stay open longer.
As for the "ex-NSA employee", I pretty much take what he is saying with a grain of salt the size of Utah. Ex-employees shoot off their mouths for two reasons: to make the former employer look bad, or because the former employer wants them to say what they are saying. Sometimes it is just as effective to make people think you are watching them, and it is certainly easier on the budget.
Another thought: did you ever consider that this might be a big piece of FUD against proprietary software? Perhaps the NSA prefers open source.
In further news... (Score:5)
Seriously folks, does it take 30Megs of software to read email. Not only is it likely that large software houses are cooperating with the US gov, it is probable.
I was working at an AT&T plant as a technician several years ago, and one of our projects was a device about the size of a Palm Pilot. You plug your handset into it, then plug it into your telephone. The person on the other end used a similar device, and with one button press you got instant voice encryption. We built hundreds. I tested a large portion personally. Then I personally helped tear them apart and install the clipper chip after the FEDS moved in. Funny, but we didn't build anymore after that.
We also built another telephone. It's the one that Harrison Ford uses on Air Force One. Not the little satellite phone, the big white desk phone. We had to count the ICs that did the cryptography for that every morning and evening. The phones had to stay under lock and key at all time. Not that it has any relevancy here, just to note that the FEDs will control cryptography and if you trust anything they approve of, you're going to be tracked.
Re:Not really... (Score:2)
I'm sure a higher percentage could probably apply a patch and recompile, but that's not too much different than applying a MS hotfix - except
a) the patch comes quicker
b) the hotfix is usually "delete this dll unless you really need this functionality"
My NSA Experience (Score:5)
That is not to say that the NSA did not have some influnce on the design (back before the rules changed and put the FBI and State Department in charge of export procedures). The NSA really discouraged (using the export license stick) the use of triple-DES. The fact they discouraged certain designs types is pretty much public knowledge.
What is less known, is that the NSA did a through examination of the product. In order to get an export license, the NSA also had to review the product - all specifications, code, manufacturing diagrams, samples devices. They also requested and got our future product plans. It is my impression that the NSA did this future product research everywhere they could.
So this means the NSA knew all details of any crypto product that was being exported. They knew the specifications, and in some cases the future product directions. I never heard of a case where the NSA would come back after a product evaluation and say "you have a security hole". In summary, even without a formal backdoor, they have (had?) a lot of knowledge.
PS: When I hear about ex-NSA members joining public companies, I wonder how many of my company's ideas (forcefully obtained by USA export regulations) went with them. You might say, the NSA was all knowing, so their was nothing to steal. The truth is that the NSA was really into military uses (they supposedly passed up developing public key algorithms because they did not have any use for them). Don't under estimate the value of a practical commercial related applied cryptography use.
Re:Too much room for abuse (Score:5)
There's a doctrine in U.S. case law, articulated by the Supreme Court as "Fruit of the poisoned tree". It means that you can't use evidence obtained illegally as the reason for going in and collecting legitmate evidence. If you don't know that they're collecting data and you send email talking about your marijuana farm and then the DEA is tipped off (by an 'anonymous' source), this would be a violation of that doctrine, but you'd never be able to prove it.
Even opensource can have backdoors (Score:4)
- MbM
Re:you know... (Score:2)
You don't think their home-cooked solutions wouldn't have their own backdoors in them?
--
Re:Software *may* come bundled... (Score:2)
--
Re:Software *may* come bundled... (Score:2)
Re:NSA= (Score:2)
Has anyone told china about login? (Score:3)
For those who don't see where I'm going: one of the early unix guys (Ken Thompson if I remember right) created a version of login with a backdoor for him to get in. Then he created a C compiler that could tell if login was being compiled and if so insert his backdoor. Then he modified the C compiler to check if it was compiling itself and if so insert both hacks. Soon he was able to (but claims he never did) distribute a C compiler that looked normal, yet would give him access to any machine.
It wouldn't have been hard to put this hack into compilers, so long as they started early and had some assistence. There must be someone at mit who can be bribed (there always is) to put it into any binaries on ftp.gnu.org. Sun is a closed company, and easially bribed to put it into their code. Of course we are today in a maze of unix's, all different. (4 BSDs, SCO, linux, Solaris, Irix, Aix, HPux, and probably others I've forgotten) You get the idea though.
Re:Too much room for abuse (Score:2)
I have a question. Does it really matter if they watch you? There are laws covering what they can and cannot use as evidence agianst you. If they had a folder of you doing subversive freaky things....so what? They can't use it unless they had a reason to suspect you in the first place.
Just because they can't use it in court doesn't mean they can't use it.
The info can be leaked to destroy your reputation. Imagine what Nixon or Hoover would have done with this.
It can be used for blackmail. Again think Nixon or Hoover.
Recall the McCarthy hearings. If you were a suspected comunist sympathizer you were done. You had no recourse. And you had done nothing illegal. And nobody cared how the info was gathered.
Fast forward to today. Want to destroy a political foe, leak info that she had an abortion. Or is gay. Or likes looking at images of naked people. All of these things are legal. And the voters won't care that the data was uncovered illegally.
It really does matter if they watch you. Because if it can be abused it will be.
Steve M
Re:And we're supposed to be shocked and surprised (Score:3)
So you aren't saying anything are you?
Home-cooked encryption the best (Score:2)
If every government wants perfect security, they should have their own classified programs with classified keys. That way, even if an opponent were to discover a key, they would still have to figure out the encryption scheme (one of the tacit assumptions of encryption is that the opponent already knows the scheme. It also is the most difficult part of an encryption program to discover through reverse engineering).
Re:Hard to believe (Score:2)
-- You send something encrypted over the wire, they sniff it and are able to recover the plaintext.
-- You keep something encrypted in your office, if they decide you might be important then they break in, copy and decrypt.
-- You keep something on your computer, if they decide you might be important then they break in over the Internet and copy your data.
Evidence, please? Any evidence?.... (silence) (Score:2)
This article could have been lifted straight from the pages of the National Enquirer. You've got a so-called "authority" that nobody has ever heard of, warning that there "may be backdoors" in some unspecified software. There's NOTHING specific here, no real information, just some lunatic jumping up and down and shouting.
So, of course, half of Slashdot starts screaming about how "Microsoft is downloading all our personal information!"Yeesh.
Re:What about legitimate law-enforcement issues? (Score:2)
> of the underlying problem (Bad Guys Doing Bad
> Things In Secret
Please define "Bad Guys".
Terrorists maybe? You mean the people who are out there blowing things up and making a rukus because their people were screwed over by some government
Perhaps there would be less bombings if governments didn't go around pissing people off? You know doing things like supporting people loosing their homelands that they have inhabited for centuries? Or interfereing with other governments and people every time there is a buck to be made, or it fits "our needs".
That doesn't even matter, since echalon and the NSA arn't used for law enforcement. They are used to spy on everyone. They are used to gain advantage over other countries, or to serve the special interests of whoever controls the NSA.
Crime is easy to detect. Someone gets hurt, they either complain, or a dead body is found. Until that happens, there is nothing to do. Any crime that doesn't involve someone being killed or otherwise hurt, is not a crime anyway. (may be illegal...but the real crime is the fact that its illegal).
Whats more...none of this is even being used to "detect crime". Carnivore is (supposedly) just for monitoring individuals that are already under surveilence (which is suspect...since capturing email and or traffic can be done less intrusivly).
Echelon data isn't even available to law enforcement, only to the NSA and whoever the NSA sees advantage in filling in. Its mostly used for spying on foreign politicians and companies.
Frankly....crime is easy to detect. Either someone tells you about it, or you find a dead body. Those are the only crimes that I support the government looking into.
And finnally there are no "Bad Guys", only people. The world is not, and never has been, divided into "white hats and black hats", just people.
More important than finding the criminals is allowing the innocent to live their lives undisturbed and without fear of having every dirty little secret about themselves reviewed by others.
Putting a person under a microscope and examining their life should be done very carefully, in fact it should be considered as if it were itself a punishment and used with much caution.
There is just too much potential for abuse in these systems.
-Steve
Re:Why would anyone but terrorists & pedophiles ca (Score:2)
Because it can be abused.
Think what Nixon or Hoover would have done with this ability.
As I mentioned in another post [slashdot.org] in this thread, it would be very easy to ruin someone's reputation or blackmail them.
Yes, the legitimate uses for a system like this is to watch for terrorist attacks or organized crime activities. But how hard would it be for the NSA to track the activities of those on its 'enemies list'? Not hard at all.
So when Senator Doe, formerly an out spoken critic of the NSA, comes out of a meeting with the NSA and now says he understands why the NSA needs to do what they do, is it because he has had a change of heart? Or is it because the NSA showed him his file? And mentioned that information wants to be free.
That's why we should all care.
Steve M
Re:Too much room for abuse (Score:2)
Yes, it really matters. Matter of fact, it is a constitutional right in the US to be secure in your person and possessions against unreasonable search and seizure. That is right - secure by default is the law. It is not ease of law enforcement by default.
This is an essential liberty. It threatens free speech. It threatens many essential liberties guaranteed in the Bill of Rights.
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, 1759
One real-world example (Score:5)
This was publically announced and the technical details disclosed, so while it isn't great conspiracy fodder, it does point to close collaboration between the NSA and at least one major software company...
Re:Software *may* come bundled... (Score:2)
Re:checks and balances, the basis of it from day 1 (Score:2)
This is true and this is why the NSA is exempt from most of the checks in the system. People outside of the US (The targets of the NSA), don't have anyone on their side and the congressman from some small districat won't get worked up about something the NSA does because it won't effect his district.
This is why congress has almost never had a problem with the NSA but has had issues with the ones that work in the US (by their charter) like FBI, CIA, BATF.
How about bad crypto? (Score:2)
How about some of 1024 bit public key crypto? Ever wonder why most of this stuff puts the message digest on the outside of they crypto payload? Its so you don't have to decrypt the data, if you can guess at the contents and can do the md fast, you don't ever even need to brute force they key. Its amzaing how much crypto does this. Also most of it is based on finding good primes. The keys you have are not good primes. If you look at RSA public key stuff you will find that if you have 2 primes as the keys you have a one to one mapping of the encode to decode keys. If one of thouse keys has two factors you will find that you 4 decode keys. 3 facotrs and you have 9 keys since the number seems to square. One bad pseudoprime and your rsa key could have thousands of decoding keys. Considering the NSA gave up buying machines that do big primes fast in about 1994, I'm assuming that the've found out something very interesting about factoring large psuedoprimes.
Recently someone gave me a sample of a bunch of credit card numebrs that were safe since they md5ed them. A bit of code, a few computers and I was generating the card numbers within seconds. 5 minutes later the entire database was converted to plain text.
Re:Home-cooked encryption the best (Score:2)
The point is, while there is a great deal of math occasionally involved, anyone can put together an effective computer program. As long as you're not concerned with distributing it, and thus having the enemy learn its inner workings, you should be ok.
Also, I don't believe having the source wide-open is a good idea. I'd rather craft my program and not have the enemy know my scheme.
Re:What about legitimate law-enforcement issues? (Score:2)
Bad guys are people who hurt me or those who I care about. _Dangerous_ guys are people who have the potential to hurt me or those who I care about (even if they haven't done any hurting yet).
Being under the scrutiny of either type of person makes me feel unsafe, and looking for a means of protecting myself (either through offense or defense).
Truth is stranger than wild speculation (Score:2)
At the "Information, National Policies, and International Infrastructure" Symposium held at Harvard Law School, Paul Strassmann, of the National Defense University, and William Marlow, of Science Applications International Corporation, in a session entitled "Anonymous Remailers as Risk-Free International Infoterrorists" were asked by Professor Charles Nesson, Harvard Law School, whether the CIA and similar government agencies are involved in running anonymous remailers as this would be a perfect target to scan possibly illegal messages. The answer: Yes. In addition they mentioned that the NSA has successfully developed systems to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit keys. They said that they themselves use 1024 bit keys.
And this one is really amazing: Crypto AG, which several post have cited as having been revealed in numerous press accounts to have sold compromised crypto systems to governments around the world, is still in business! But the gold plating on the brass balls is the following statement from their CEO, which is currently on their Web site: "Since 1952, Crypto AG has been the specialist for information security at the highest cryptological and technical level. More than 130 countries have chosen Crypto AG as their trusted partner. This trust is based on the fact that Crypto AG is a financially and legally independent Swiss company. All shares are owned by one shareholder: a foundation with one goal, the commercial success of our company. Foundation status rules out any third-party influence, and this also guarantees full independence and freedom in the design, production and marketing of our products."
What does this mean? For one, it means that having a backdoor revealed will not sink your company even if supposedly secure government communication systems are your only customers. And second, it means that back doors, if they do exist, are an economy measure. If it was encrypted by any popular and widely used tool, it can be forced. Which might explain why you don't see Louis Freeh on TV every night bashing consumer crypto tools.
Staggeringly wrong. (Score:2)
Wrong. Amazingly, staggeringly wrong. The minimum amount of energy required to flip a bit is kT, which is 1.3 * 10**-23 joules per Kelvin. Multiply that by the ambient temperature of the universe, 3.2 K, and you get a minimum of 4.16 * 10**-23 joules per bitflip. This is a thermodynamic limitation of computers, and cannot be surpassed without shifting computation away from Turing machines.
Now, 3DES has an effective 112-bit keyspace. 2**112 is about 5.2 * 10**33. Multiply (5.2 * 10**33) by (4.16 * 10**-23) and you get 2.16 * 10**11 joules of energy required to break 112 bits by brute force.
2.16 * 10**11 is a huge amount of energy, on the order of 200 terajoules. But that assumes you have to exhaust the entire keyspace--considering you only have to search 50% of it, on average, you only have to apply 100 terajoules of energy.
Remember: there is no way around this that we know of. This is a thermodynamic limitation; as soon as you figure out how to get past this, I suggest waiting by the phone because the Nobel folks are going to be calling long-distance from Oslo soon.
I've got no choice but to completely and wholly discount your entire message. This analysis took me all of five minutes to conduct. It's not hard.
Insofar as the likelihood of pseudoprimes not actually being prime--do you have any idea what you're talking about? I hate to sound irate (it's only because I'm very irate), but the entire notion of pseudoprimes is that they are probably prime. The likelihood of a pseudoprime not being prime is less likely than you winning the lottery, getting into a car crash, and being struck by lightning while having a hot date with a supermodel. Really. No, I'm not kidding.
Please, get a clue.
Re:Too much room for abuse (Score:3)
This sort of stuff has been going on for a long time.
During the Iraq/Iran war the United States was backing Iraq (this was before Iraq invaded Kuwait). A Swiss company, "Crypto AG", was selling encryption hardware. Being Swiss they were not subject to U.S. export restrictions and there was an assumed neutrality. But, Crypto AG was in fact an NSA front. Iran bought encryption hardware from Crypto AG. The algorithms used had NSA backdoors. The NSA decrypted the Iranian communications and sent the info to Iraq.
Eventually the Iranians figured out that there was a backdoor, and they arrested/kidnapped a Crypto AG salesman. If they hadn't this info probably never would have gone public.
Interestingly enough, Crypto AG is still around [crypto.ch]. "High security solutions for governmental, business and military customers for networking, electronic data processing, telephony and radio applications." Heh.
You can find more info through a Google search on "crypto AG NSA" [google.com].
Quite wrong. (Score:2)
It's fairly simple to write an encryrption scheme using the available algorhythms...
Yes. It's even simpler to screw it up. Any fool can make a system which they can't break. Making a system which nobody can break requires absolute genius.
If every government wants perfect security, they should have their own classified programs with classified keys.
No. Wrong. Go back to class and study some more. The Germans thought that Enigma was secure since the Allies didn't know how it worked, but Turing and friends did amazing work breaking the Enigma even before they had one of their own. The Japanese PURPLE cipher (?) was broken without ever knowing how it worked; they recreated it entirely from first principles.
Without exception, every cipher I know of which kept its internals a trade secret has been a failure. The most recent spectacular failure is the NSA's SKIPJACK, which for years had its internals protected as a national secret. It didn't do anything to preserve the integrity of its messages; Eli Biham invented an entirely new branch of cryptanalysis (impossible-differential) and used it to cryptanalyze all but one round of SKIPJACK.
The only systems which are worth trusting are those which have survived years and years of brutal peer review. I trust PGP and GPG; I trust Blowfish, IDEA and 3DES; I trust this, that and the other. I trust the PKCS-11 CRYPTOKI standard, I trust SSL when used properly. All of these have been peer reviewed extensively and exhaustively, and so far they're still standing.
I don't trust anything which hasn't been extensively peer-reviewed. History shows that systems which have not survived brutal peer review do not survive in the real world.
Some of my Marine friends are fond of saying, "Training ought to be so hard combat is a vacation." There's a lot of merit to that. In cryptography, peer review means that everyone is trying to break a system. Of all those people, odds are there are people with more skill and better resources than the people who are trying to break your system for-real. If a system survives peer review, it'll probably survive your enemies.
If it's not submitted for peer review, you take your chances.
Your chances aren't very good.
Where to look for backdoors (Score:2)
Where to look next? I'd look closely at
-
Voice-over-IP software
-
Instant messaging systems
-
Methods by which microphones on computers or cell phones might be remotely activated
-
PBX remote maintenance systems
-
Router remote maintenance ports
Look closely at tools for private person-to-person communication.I used to be pro-NSA. But since we beat the Commies, we just don't have a big, well-organized enemy that requires that kind of snooping. Let's face it; the countries that really hate the US are basically losers. We might have some terrorism problems from some loser country, but they'll be down in the noise compared to, say, drunk driving. If state-sponsored terrorism gets to be a real problem, it's an act of war. This limits what a government can do before they end up at war with the Last Remaining Superpower, or, as with Iraq, most of the developed world.
Even wiretapping is marginal from a law enforcement perspective. Well under 1% of prosecutions involve wiretaps. A total prohibition on wiretaps wouldn't cause a measurable blip in the crime rate. On the other hand, lousy computer security makes lots of white-collar crimes possible, some with high dollar amounts.
So bad computer security as public policy is bad public policy. Any government official involved with backdoors or wiretapping should be considered soft on crime. That's the position to take in political forums.
$1000 Challenge. (Score:2)
I am very, very tired of hearing people say that they can break this-and-that, or that such-and-such is trivial, or what-have-you. Most of the time, these people are total incompetents who like to make themselves sound much more clued in than they really are.
The last time someone made claims like thogard did, I made a public challenge which was not accepted. Maybe this time will be different. So, without further ado:
THE 6-HOUR MD5 CHALLENGE
1. Rules.
The only rule is you can't bribe the judges. If you want to lurk around my workplace, bushwhack me when I come out and beat the answer out of me, feel free. Don't do the crime if you can't do the time, though. You can cryptanalyze this, you can attempt to coerce it out of me, you can send an attractive woman my way (free hint: I'm partial to tall redheads) to coax it out of me, you can try and eavesdrop on my phone lines and overhear me give it away, I don't care.
But you can't go after the judges, because then we don't have a fair contest. Fair?
2. The Challenge
If this challenge is accepted, I will submit to CmdrTaco (or another Slashdot employee, as he assigns) a credit card number. Specifically, my credit card number (with a few digits changed for my own self-preservation). I will also submit the MD5 hash of this (slightly modified) credit card number.
No cribs will be given. It will not be announced whether it's the credit card number by itself, whether my name is part of the data, whether the expiration date is included, etc. CmdrTaco will verify that I'm not cheating.
Once everything is set up, the MD5 hash will be put up on Slashdot. From the time it's put up, you'll have SIX HOURS to reverse the MD5 hash and get my credit card number.
3. The Reward
The reward is $1,000 cash. (Well, it'd actually be a cashier's check, but same difference.) If you can do it--especially if it's as easy as "a bit of code, a few computers, and I was generating the card numbers within seconds"--then this will be the easiest grand you've ever made in your life.
All monies will be deposited in advance with CmdrTaco (or others as he assigns). If I don't cough up the dinero up front, the contest doesn't go forward.
4. Frequently Asked Questions
Why only six hours?
Credit card numbers really aren't all that entropic; they're very predictable. The card I'm looking at right now has 16 digits, plus my name and two dates (valid-throughs). Brute-forcing 10**16 would take some time, even for an immensely large network, and that doesn't include the permutations of my name, the expiration dates, etc.
Breaking DES by brute force requires an average of about 3 * 10**16 operations. Thus, breaking my credit card is a little harder than breaking DES. It's possible some Slashdotters with access to extremely large networks would be able to brute-force this, but I don't find it likely.
If it's really as easy to break MD5 as thogard is claiming, six hours will be plenty of time.
Why are you changing the digits of your credit card? If you have such faith in MD5, shouldn't you leave it unaltered?
As I said, some Slashdotters may have access to extremely large networks which could brute-force it in a few days' time. I'm changing it just to cover my tail in case someone decides to spend weeks of processor time brute-forcing every possibility.
Isn't MD5 in disfavor nowadays? Wouldn't SHA-1 be better?
Yes, MD5 has a couple of potential attacks against it. I still have faith that it's very strong in practice, though.
Are you serious about this?
I'm serious about this. Are you?
Re:Too much room for abuse (Score:2)
A Dick and a Bush .. You know somebody's gonna get screwed.
Show me just one case. (Score:2)
Show me just one instance where someone used this attack against DES to break it by brute force in an average of 2**38 operations.
Your argument about computing hardware is (a) wrong and (b) irrelevant. Moore's Law says that we can expect it to roughly double every eighteen months; if it increased eightfold in a year, this is highly unusual and is likely not a trend. Please point out the academic reports which talk about chips capable of doing a billion keys a second by themselves, or that the field of brute-force crackers is increasing by eightfold a year. That's why it's wrong; it's irrelevant because no matter what, thermodynamic limitations still apply.
Please present me with a real analysis which backs up your claims, not some vague statement of potential attacks and a made-up number about hardware crackers.
Too bad the crypto only works with one to one keys if the numbers are prime, probably prime isn't close enough.
The odds of a good probable-prime being composite is less than the odds of you being struck by a meteor at the instant you read this post. If you're concerned about your probable-primes being composite, I would respectfully suggest that you should consider the threats to your life that meteor strikes, attack by killer bees, random violent stranglings with rabid wombats, etc., pose. To lament the likelihood of a composite probable-prime while not living in stark fear of death by slipping in the tub and breaking your neck is extremely irrational. The one is far more likely than the other, and has much more dire consequences.
I have already issued a challenge to you on one of your more outrageous claims. I hope you take me up on it.
Re:Too much room for abuse (Score:2)
From the Crypto AG site. To recapitulate: The rumours about Crypto AG originated from a former staff member of Crypto AG who had to be dismissed.
What would you expect them to say? "Oh yeah, we're working with the NSA to invade your privacy. Sorry! Do call again!" Read some of the stuff that shows up on Google about them. It is a lot more than just one disgruntled employee. "Just a disgruntled ex-employee" is the standard defence of any company faced with a whistleblower.
Re:**"P.R.O.M.I.S."** IS THE NAME; pay attention!! (Score:2)
I repeat: prove it.
Re:Name 'em, Here's an example (Score:2)
The allegation here was independent software apps (predictably, everyone immediately mentioned Microsoft) had such backdoors. I'm challenging them to provide any example of that.
Re:$1000 Challenge. (Score:2)
I propose you generate a sample so that others can play with the concept and pre test their setups.
To anyone else that wants to play, here is an inner loop of the program (mentioned in the first post). It takes 63 user seconds on the slowest box I had handy.
while(count++<9999999 ) {
int sum;
MD5_Init(&c);
sprintf(buf,"%s%07d%s",cc1,count,cc2);
len=strlen(buf);
MD5_Update(&c,buf,len);
MD5_Final(&(md[0]),&c);
for (sum=i=0; i<MD5_DIGEST_LENGTH; i++)
if(md[i] == md5cc[i])
sum++;
if(sum==MD5_DIGEST_LENGTH) {
printf("%s %07d %s\t",cc1,count,cc2),print_md5(md);
exit(0);
}
}
It can be made much faster by MD5_Update only on the bits that change but keep in mind it does things by blocks. Removing the libc calls would help reduce it a bit too.
Re:$1000 Challenge. (Score:2)
No samples will be provided. As I said--no cribs. (Actually, I lied. I intentionally put lots of cribs in that challenge, if you're smart enough to pick up on them.)
Time to fish or cut bait, thogard. It's all up to you.
Re:Show me just one case. (Score:2)
I'm not sure what you're meaning to infer there; my desktop box is a calculator. Just a really fast one with a large display. Moore's Law does apply to performance, and has applied for about the last 40 years.
It was designed in 1997
Of course it doesn't. CBC mode is ECB that's been XORed with the previous ciphertext block. Breaking CBC mode is computationally equivalent to breaking ECB mode, especially since if you have N blocks of text, you've got N-1 cribs. Or N cribs, if the CBC mode is brain-damaged and has a known IV.
As far as the large primes go
Reference, please? Even assuming this is true and not urban myth, it still demonstrates nothing. They could just as easily have discovered a proof that P != NP, thus making the entire attempt to break large composite two-factor numbers moot. There's not enough information there to draw any sort of inference from. It is just as dangerous to overestimate your enemy's capabilities as it is to underestimate them.
I also know that some even numbers will pass many of the "prime" test used by many popular key generation programs.
Bullshit. The first step in selecting a probable prime is to see if it's divisible by 2. This is really, really simple; you just check one of the low-order bits in the number and if it's set, it's not prime.
If you've found a program which does prime generation and skips this step, please tell me, so that I can spread the word and trumpet from the mountaintop, "don't you dare even think of using this piece of crap".
But I don't think you've found one, otherwise you'd have mentioned it by name.
Re:Show me just one case. (Score:2)
Cryptography is a science. Science is inherently skeptical; it's the process of saying "I'm from Missouri; show me." I've been saying "show me" until I'm blue in the face, and all you can say is "I'm right". Sorry. Science doesn't work that way. Nor does cryptography.
You can't give me a single verifiable reference to back up your claims. You can't present me with any evidence that your supposed 2**78 attack against 3DES works. You can't present me with any evidence that there exist any prime number generators in commercial use which will pass on even numbers. You can't present me with a cryptanalysis of MD5, much less reverse it. You won't even accept a challenge to prove your claims, even when there's $1000 in it for "just a few seconds" of work on your part.
You're a crypto poseur. Get a life.
Re:Software *may* come bundled... (Score:2)