Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Encryption The Internet

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy 42

An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war is still being felt. Logjam vulnerabilities making headlines today is "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."
This discussion has been archived. No new comments can be posted.

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy

Comments Filter:
  • by Anonymous Coward

    But don't worry guys! Only the GOOD GUYS can use this backdoor...

    • by Dunbal ( 464142 ) * on Wednesday May 20, 2015 @05:57PM (#49740489)
      Anyone using a back door is not a good guy in my book. Even if law enforcement thought this was a good idea - there are already established procedures and methods of putting someone in jail. Cops aren't allowed to break into your house when you're not home and search your stuff. Why should they be allowed to use a back door? Unless of course they have something to hide...
      • They are allowed to break into your hours when you're not home and search your stuff. They just have to get a judge to rubber-stamp a piece of paper first, which doesn't take any great amount of effort.
  • Anyone?!? (Score:5, Funny)

    by SpankiMonki ( 3493987 ) on Wednesday May 20, 2015 @05:42PM (#49740413)

    ...the ability to break that crypto is something really anyone can do with open-source software.

    I asked my mom to to break crypto with open-source software...her eyes glazed over and I had to perform CPR.

    • Your Mom isn't much of a "Cyber Criminal" then. I guess she should stick with baking cookies.

      Of course, the obvious solution to this is to ban open-source software.

      • Your Mom isn't much of a "Cyber Criminal" then. I guess she should stick with baking cookies.

        True. I've heard her baking is criminal enough.

      • He's clearly not part of the Roberts family, then:

        https://xkcd.com/341/
    • by mi ( 197448 )

      I asked my mom to to break crypto with open-source software...

      She'd also have to be in a position to intercept the traffic to begin with. The article's problem-description is rather silly, indeed.

      I also do not see, who would still be allowing weak ciphers on their servers — after all the earlier SSL-vulnerabilities we went through in the last 6 months, that is... But the report [weakdh.org] on the matter estimates 8.4% of the top million web-sites and 3.4% of all HTTPS-using sites as still vulnerable. Shrug...

      • by Lennie ( 16154 )

        People just fix the things that have been reported, they don't actually look at what they mean. Because most people don't really know what all the crypto really means.

  • What's all this then? I heard it from a different guy that all modern computer security krazy-krypto-keys are divisible by 69, so just keep it under your hat, guy

  • Logjam (Score:5, Interesting)

    by phantomfive ( 622387 ) on Wednesday May 20, 2015 @06:04PM (#49740527) Journal
    AFAICT it doesn't put 'the internet' in jeopardy, reports are only a small percentage of websites are even vulnerable to this (link [arstechnica.com]).

    Here's the weird thing about this to me (in bullet points):
    * A couple years ago, the only people who cared about vulns were people who knew how to use metasploit or ethereal or something.
    * Last year, with Heartbleed, the news organization found out it could generate page views if the vulnerability had a pretty logo.
    * Now with this story, the non-techy articles are so numerous it's hard to figure out what the actual exploit even is. But if you want to find an 'personal interest' story blaming Bush or Clinton (or whatever president), they're all over the place.

    I wonder what will happen if the mainstream media learns to read Apple's or Microsoft's security bulletins and finds out how common security exploits actually are......
    • by Anonymous Coward

      Adding to this is that a lot of these 'new vulnerabilites' are long known things. It's been long known you should be generating unique dhparam. It's been long known that export grade 90s ciphers were weak (that's the whole point).

      Of course, on the flip side, awareness obviously wasn't that high in the general wider world, so dressing up old news as something novel and exciting has its merits.

    • Yeah, I thought "Internet in jeopardy" was over the top. It's some serious hindsight to complain that decisions made 20 years ago are screwing up software today. There are so many decisions from the early days we're stuck with now, why are these so special? Because it's security?

      The PC has tons of cruft, such as the hard drive partitioning scheme, boot code, the layers and layers of hardware discovery, and memory organization. The platform has been updated repeatedly, with many hard limits raised repe

      • by Trogre ( 513942 )

        It'll break again in 2100, rolling over to 2000, but I very much doubt that software will still be in use then.

        That's exactly how we got into the Y2K mess in the first place :p

      • by dbIII ( 701233 ) on Thursday May 21, 2015 @12:25AM (#49741635)
        In 2008 the Macromedia flexlm program (an annoying thing with the role of sporadically preventing you from using the software you have actually paid for - thus punishing people who didn't pirate it) had a bug where permanent licences, given a date of "00", were mapped onto the date of 1st January 2000 and thus had expired. Annoying. Even more annoying was the "expert" I dealt with on the issue said "what's a Y2K bug?".
        Such stupidity took a full two weeks to fix.
      • by johanw ( 1001493 )

        "There are so many decisions from the early days we're stuck with now, why are these so special?"

        This one is special because some organizations (those that didn't learn those lessons in the 90's) are pushing to make the same mistakes again. Only this time the results could be different: people not buying US-made software anymore. And with open source crypto generaly available now this won't work anyway.

  • by GigaplexNZ ( 1233886 ) on Wednesday May 20, 2015 @08:45PM (#49740877)
    The cycle is repeating [lifehacker.com.au]
    • by Whiteox ( 919863 )

      There has already been enough discussion about this in IT circles and more in the future. I bet that there will be a bill passed to clarify this.
      Encryption/cryptography are not the sole property of the good good guys anyway. If someone builds a bigger wall, there's always someone else that can pull it down.

  • ...to three-letter agencies. If we allow them in, we also allow the 'baddies' in -- and the NSA has proven to be at least as bad as the terrorists and criminals they're ostensibly monitoring. At least the criminals don't maintain the polite fiction that they're following the law.
    • Re: (Score:1, Insightful)

      "...to three-letter agencies. If we allow them in, we also allow the 'baddies' in -- and the NSA has proven to be at least as bad as the terrorists and criminals they're ostensibly monitoring."

      Can you draw me a ven diagram for three letter agencies, baddies, criminals and terrorists, I'm getting confused.

      Must be be a millennium thing, I don't remember it being so difficult 15 years ago...

  • I don't think this is a good comparison to make. As I understand it, the restrictions of the 1990s did not require a back door to be inserted; they just limited the strength of the cryptography, presumably to a level breakable by the NSA even then. The old Clipper-chip back door fiasco was not responsible for logjam et al. and the new proposals are not intending to limit key length.

    N.B.: I still definitely think that the current noises about mandating back doors is very worrying. My hope is that it won't

  • I can't believe it, slashdot. That girl's standing over there listening and you're telling everyone about our back doors?

One person's error is another person's data.

Working...