NSA Targeted 'The Two Leading' Encryption Chips (theintercept.com)
Advocatus Diaboli sends a report from Glenn Greenwald at The Intercept about the NSA's efforts to subvert encryption. Back in 2013, several major publications reported that the NSA was able to crack encryption surrounding commerce and banking systems. Their reports did not identify which specific technology was affected. The recent backdoor found in Juniper systems has caused the journalists involved to un-redact a particular passage from the Snowden documents indicating the NSA targeted the "two leading encryption chips" in their attempts to compromise encryption.
Quoting:
The reference to "the two leading encryption chips" provides some hints, but no definitive proof, as to which ones were successfully targeted. Matthew Green, a cryptography expert at Johns Hopkins, declined to speculate on which companies this might reference. But he said that "the damage has already been done. From what I've heard, many foreign purchasers have already begun to look at all U.S.-manufactured encryption technology with a much more skeptical eye as a result of what the NSA has done. That's too bad, because I suspect only a minority of products have been compromised this way."
Re:How is this a story exactly? (Score:4, Interesting)
This is about deliberately selling defective products to about anyone.
I would applaud the NSA if they managed to include their backdoor in Huawei products. That would have been quite a stunt.
Re: (Score:2)
> Every governmental agency can legally force domestic companies to include a backdoor and keep their mouth shut about it.
Cite? Under what law?
Note that National Security Letters do not provide the power you mention. NSLs are restricted, by law, to requests for metadata about communications that the target possesses. Court orders have few limitations, but judges tend not to issue the sort of open-ended, unrestricted order that would be required for what you describe (the Lavabit story is famous because it's exceptional, not because it's normal).
Re:How is this a story exactly? (Score:5, Interesting)
Obviously, nobody is "shocked" or is even claiming that someone else is stupid enough to be shocked. The emotion is anger, not shock.
Why? Because actually the NSA's job is to protect US security, whereby breaking crypto is only one possible strategy for accomplishing that goal. A rational actor running the NSA might decide that it would be directly contrary to their mission to undermine the encryption used by the US, and also contrary to their mission to undermine the sale of US products.
For whatever reason, that's not what they decided, so now we have a less secure country than if the NSA had done nothing.
Either someone made a dumb decision (d'oh!), or someone within the NSA decided to do the opposite of their job (in exchange for whatever from whomever). Either way, that's something to be legitimately angry about. We all realize that even the cleverest mathematicians can have stunning-stupid PHBs telling them to do stupid things, but we all tend to hope for better. (Nothing wrong with trying to set the bar high, is there?) And one of the neat things about America is that above the PHBs there's an elected president. And now we're seeing that even as late as 2010 the guy on top wasn't firing people left and right for incompetence and betrayal, so we have yet again, another president in a long uninterrupted series of presidents making the wrong call.
It's like we really are too stupid to elect someone to end the stupidity. Worse, at this point it looks like pretty much no matter how things go, in Jan 2017 we are going to get an even worse president than the last two. That's no matter whether you think the country is going to vote R or D. (Hillary Trump will have us longing for a return of Barack Bush.) So that means the NSA is going to be working against the interests of America's security through at least 2020 (and We The People will be funding them, with taxes and externalities). With friends like these, we don't need enemies. Leave it to us, IIS and Al Qaeda: just sit back and relax.
And yes, telling people about evidence of what they had already suspected, is news. Unless you're going to tell me that when aliens are (or aren't) found, viable fusion power is (or isn't) invented, and next year's CPUs are a few percent faster, those things also won't be news. (But you're not really going to claim you're that stupid, are you?)
Re: (Score:1)
> So assume Snowden never existed.
> Who here is shocked that a government agency whose job it is to FUCKING BREAK CRYPTOGRAPHY would target products that people actually use for cryptography?
> This isn't news. This is stating that water is wet with a clickbait conspiracy spin to sucker in the usual crowd.
Imbecile much? Fer crisake, dude, assuming that it was the NSA, breaking the products that the good guys use (by inserting a backdoor that renders the product's "security" features questionable at best) makes no fucking sense at all. In other words, such an action is well outside the NSA's mission and is, arguably, counterproductive WRT that mission.
Remember Huawei? (Score:5, Interesting)
Re:Remember Huawei? (Score:5, Interesting)
Re: (Score:2)
Manufacturing the latest Google Nexus..
Re: (Score:2)
The difference is that we have concrete proof of the NSA backdoors. Apparently the Chinese ones are so good no one else has found them yet, at least not publicly.
Well of course ... (Score:5, Informative)
Not just encryption, but pretty much any US created technology ... cloud services or anything else.
If the US has made their technology companies part of their spy apparatus, then who the hell would trust a US technology company? You simply can't.
So don't go all boo-hoo that people are looking at your products with some skepticism they can trust you when you created the situation in which they can't trust you.
Anybody outside of the US has no choice but to look at US technologies and ask "given that it's almost certain they're under the thumb of the NSA, what are my alternatives?"
You can't have it both ways. And you don't get to whine if people stop buying your products because they can't trust you anymore.
Re: (Score:2, Informative)
Well the US doing this is fact.
Other countries doing it is a suspicion.
The NSA and CIA being involved in corporate espionage is fact.
Other countries doing corporate espionage is suspicion.
Re: (Score:2)
You're the naïve fool (or the paid shill). Let me give you a hint, the DoD has spent billions of dollars on trusted fabs. That's because we know that the Asian fabs are compromised.
I hope reading comprehension isn't among your best abilities, because you're not very good at it.
Re:Well of course ... (Score:5, Interesting)
Have you seen Intel's Management Engine (ME)?
Jesus Christ on a hopping frog. It's basically a system for allowing Intel/NSA/GCHQ free rein over your IT.
It's a small computer that runs alongside your main machine. It sips power and runs even when the machine is off. It talks directly to the network card and takes instructions/returns data. It has open access to the entire machine's memory. You aren't allowed to know what it does. The entire system is cryptoed and proprietary.
Intel is flogging this nightmare as a management system... when you couldn't design a more effective government sponsored backdoor into every PC. It's Intel giving the spies their wettest of dreams.
Re: (Score:2)
It is, however, extremely useful. Having a remote console and the ability to reset the computer over the network is great.
Re: (Score:1)
Prefer the non-US/EU/Australian. Go Chinese first, they tend to stick to themselves, so at least that provides a reasonable buffer from NSA/GCHQ/ASIO.
- foreigner from allied country
Re: (Score:2)
> And you don't get to whine if people stop buying your products because they can't trust you anymore.
Why the hell not?
If my government is damaging my business, against my wishes, in order to spy on me (and the rest of the world), I'd damned well better not just whine but yell and shout. I suppose the "you" in your statements was intended to refer to the US as a whole, but the US as a whole didn't do it and isn't on board with it. Unfortunately, a lot of voters who don't understand the issues and are afraid of brown people are on board with it. That just means those of us who do understand need to educate
Too late (Score:5, Interesting)
I think it's more because of the NSA, CIA, etc and the general feeling we get from the U.S.A. that we cannot trust anything you do, period.
Signed,
the rest of the world.
Re:FTFY (Score:4, Interesting)
"without question, protected by US free speech rights even if the US government happened to have been able to access some of the encrypted data."
The US is not the bastion of freedom you seem to think it is.
The US treated the detainees at Guantanamo bay with utter disregard for civil rights and international law.
Your double-think is disgusting.
Re: (Score:2)
This is the other big problem for non-US citizens. Any rights the US has only apply to US citizens. In Europe human rights apply to everyone world wide, to the point where we can't deport people to or cooperate with countries that will violate those rights.
That's why data sharing with the US is such a problem. We don't enjoy the same protections that US citizens do, which by our standards are quite weak anyway.
Re: (Score:1)
> I think it's more because of the NSA, CIA, etc and the general feeling we get from the U.S.A. that we cannot trust anything you do, period.
> Signed,
> the rest of the world.
Yes, much better to trust the equipment made in China...
At this point unless you produce domestically, then the origin of your communications equipment determines which intelligence service (and their former employees and subcontractors) you are trusting with your national security. Even then, with the probable level of infiltration on all sides it is going to be hard to tell which foreign intelligence and criminal gangs DON'T have you by the balls.
Re: (Score:2)
> I think it's more because of the NSA, CIA, etc and the general feeling we get from the U.S.A. that we cannot trust anything you do, period.
> Signed, the rest of the world.
How about you prove that the rest of the world hasn't already followed suit.
Hugs and Kisses,
- Common F. Sense
Re: (Score:1)
There's no chip on our shoulder, no envy, no resentment, etc. You guys just can't be trusted, just like North Korea.
Re: (Score:2)
> There's no chip on our shoulder, no envy, no resentment, etc. You guys just can't be trusted, just like North Korea.
... just like every single country in the world that hasn't its thumb up their ass. This was the point of the guy you were answering to.
Re:Too late (Score:4, Informative)
* perpetual state of pseudowar
* extreme incarceration rate
* taking the mickey out of your own constitution (misuse of state power)
* state == religion (flag code, indoctrination of children with pledge of allegiance, flags everywhere, anthem at every sporting event with people standing up touching their hearts, etc)
* mass media just a codeword for party propaganda machine
* most of the nation living in poverty with elite 1% untouchable by law
i'm not saying there aren't differences but do you seriously not see the similarities? you do not have a single dictator, instead you have a powerful corporate elite buying legislation.
Re: (Score:2)
Where are my mod points when I need them to +5 your comment ???
Re: (Score:2)
The anthem, sure. A lot of countries sing that at sporting events.
But it's true that the pledge of allegiance is kinda creepy and has no equivalent in other Western, free countries. It is hard not to see the parallel with the kind of childhood indoctrination seen in places like NK (though obviously it's nowhere near the same scale in the US).
Same with the flags EVERYWHERE. I'm sure those that grew up in America simply don't see it as they've been immersed since birth. But as someone who first came to the US
Re: (Score:2)
UK is as european as the pope is protestant. the level of brownnosing america is embarrassing. germany has probably the strongest privacy protection laws in europe. also, laws in germany are not there to be laughed at by acronym agencies.
Re: (Score:2)
Seven cavemen and a modern teenage boy walk into your room.
They leave and then mysteriously, your cell phone's wallpaper was changed to goatse.
Which one of them do you think did it?
Re: (Score:2)
Are you comparing countries that are not the US as cavemen? Really?
That is their job (Score:2)
CYRIX 6X86 (Score:2)
These forums were getting much too boring this wee (Score:1)
It was time for some more NSA red-meat to rile up the rabid /. base
Re: (Score:2)
I'd mod you up, but the patriarchy has all the mods points today.
Only a minority? (Score:3, Interesting)
When you have a 55-gallon drum of sewage with a teaspoon of pure water in it, you have a 55-gallon drum of sewage.
When you have a 55-gallon drum of pure water with a teaspoon of sewage in it, you have a 55-gallon drum of sewage.
Re: (Score:2, Insightful)
And yet with the proper processing, either drum can be turned into clean, safe drinking water. That's why to some extent, none of this matters. You can use all the compromised leaky back-doored broken products that you want (this is what you're doing anyway, every time you communicate over the Internet, where your packets are routed through other peoples' systems), provided that all the data that these products ever see, is your cyphertext.
That's hard to do with a phone (you're not going to "tunnel through
Re: (Score:1)
"Trust but verify." The ability to verify, usually referred to as transparency, is necessary for the establishment of trust. Anything you cannot understand or verify is not trustworthy. You may be forced by circumstances to "trust" it, but if it says "no user serviceable parts inside," the trust is hollow
Re: (Score:1)
It occurs to me that a somewhat different analogy is in order.
You have ten bottles of wine from a foreign country standing in front of you. You have absolute knowledge from an informant that your enemies have put undetectable poison in two of those bottles, and they've even told you which two have the poison. They have not provided any information about the other eight bottles. Remember, the poison is undetectable.
Getting Close to Provable Constitutional Violation (Score:2)
Purposeful, nonconsensual, warrantless, bit manipulation of a private computer, located inside a home (or other constitutionally protected zone of privacy) within the United States is very likely a clear civil rights violation.
Should this become provable, the NSA won't be able to stay out of Federal Court.
I would like to trust the NSA (I really would), but J. Edgar Hoover.
Fool me once....
What other nations can do (Score:2)
Great for interacting with tourists but don't put the entire nation's secrets on foreign systems.
Have staff fly back h
Re:Good on them (Score:5, Funny)
When was that? I've been here since before Echelon and general consensus here when Echelon was revealed was bomb nuclear jihad assault rifle terrorism explosion poison murder kill.
Re: (Score:1)
Easy there, Saika.
Re: (Score:1)
You've been on /. since a couple of decades before it existed?
BRAVO good sir, BRAVO
Re: (Score:2)
I tried it once - it blew up my slashdot account because it started randomly reading slashdot pages at a furious pace.
Re:Good on them (Score:5, Insightful)
Not really.
It hasn't been their job to insert backdoors into their own and existing systems worldwide, really. Not even the early codebreakers did that kind of thing.
It's their job to produce foreign signals intelligence, yes, but backdooring every piece of hardware in the country doesn't achieve that. All that achieves is compromise of people who were trusting US hardware already. For example, their allies.
All they've done is hurt their other core purpose - the national security of the US - and significantly damage their country's economy in a few specific areas.
Spying is not about having backdoors in hardware you produce in your own country. It's about getting those into foreign countries, foreign hardware, and about defeating encryptions that you're NOT already in control of.
Literally, a signed court order saying that Cisco/Juniper has to put in a backdoor for US intelligence into products X, Y, Z achieves this aim in the same way. With non-disclosure clauses, it's as secret. That's not what the NSA should be wasting their time on, if that's even what the US want to do.
Re:Good on them (Score:5, Interesting)
> Spying is not about having backdoors in hardware you produce in your own country. It's about getting those into foreign countries, foreign hardware, and about defeating encryptions that you're NOT already in control of. Literally, a signed court order saying that Cisco/Juniper has to put in a backdoor for US intelligence into products X, Y, Z achieves this aim in the same way. With non-disclosure clauses, it's as secret. That's not what the NSA should be wasting their time on, if that's even what the US want to do.
Sure, because slapping a multi-national full of foreigners with no security clearance with an NDA is totally similar to an in-house NSA project with all Top Secret clearances. And if China or Russia is the customer, we'll just make a special order just for you without anybody noticing. It's not like the end result would be any better either, everybody would wonder if their hardware has been NSL'd instead of r00ted. I'm not saying either way is a good gamble, but I'd rather take the technical one than the legal one.
Re:Good on them (Score:5, Insightful)
This.
One of the NSA's mandates is signals intelligence. Another is information assurance [nsa.gov], i.e. making sure our communications infrastructure is secure. Inserting backdoors in crypto hardware represents a pyrrhic victory for the first, and a complete disaster for the second.
The one thing that advocates for crypto backdoors completely fail to understand is that what you gain from the ability to monitor traffic comes at an enormous cost, which is the introduction of a systemic flaw in our entire information infrastructure, which could potentially have catastrophic consequences. The best reason to oppose backdoors is not because "privacy" or "freedom" (although those may indeed be sufficient), but because backdoors combat a nuisance by making us vulnerable to a truly existential threat.
Re: (Score:2)
IA doesn't extend to private citizens -- it's only for government data. But you don't have to take my word for it. http://www.c-span.org/video/?3... [c-span.org]
Re: (Score:3)
Nonsense. The US government hasn't been about protecting US citizen interests for some time. The "economy" of the US government itself is bigger than that of most world countries, after all. They only care in so far as we are able to perpetuate them.
Re: (Score:3)
Remember those photos of NSA agents intercepting Cisco hardware during shipping and installing backdoors? It's not just anything built in America, it's anything exported from there too.
Best not to buy stuff online really, get it in person and pay cash.
Re:Good on them (Score:5, Interesting)
However, if you are inept enough to keep getting caught in the act, eventually all you do is cripple foreign sales of the companies who cooperate with your efforts.
Eventually, you have less ability to target the threats you are so afraid of.
Re: (Score:1)
So comrade 'Anonymous' you celebrate our 'National Sabotage Agency' in its efforts to destroy the credibility of the evil US pig-dog computing industry.. Soon we will get the world to buy our superior Russian made hackware and encryption products.. No security destroying backdoors or spying-software in our products..