An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.
In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.
The NSA has now agreed to drop all but the most powerful versions of the techniques - those least likely to be vulnerable to hacks - to address the concerns.
Have the chickens come home to roost for the NSA, or should we distrust the report that they backed down?
(Score: 2) by takyon on Friday September 22 2017, @02:33PM (4 children)
You fell for it! Mwahahahahahah!
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by linkdude64 on Friday September 22 2017, @03:13PM (3 children)
Actually that was the CIA's doing - they likely have the NSA convinced that it can crack HTTPS, when in reality everything is fabricated.
Even the existence of the CIA itself is likely a psy-op. I doubt they even exist.
(Score: 3, Funny) by Anonymous Coward on Friday September 22 2017, @03:40PM (2 children)
I think linkdude has devolved to 32 bit.
(Score: 0) by Anonymous Coward on Friday September 22 2017, @07:21PM
Actually that's his fallback means of transmission. Probably triggered by a MITM-attack by the NSA.
(Score: 2) by TheGratefulNet on Saturday September 23 2017, @01:28AM
not sure if it was big or little indians...
"It is now safe to switch off your computer."
(Score: 4, Insightful) by bzipitidoo on Friday September 22 2017, @02:50PM (12 children)
There is no such thing as middle ground on this. Encryption can be broken, or not. This attempt to walk an invisibly thin line in which those with massive computing resources can break the encryption while those with just a little less cannot, is extremely difficult even without skeptics pointing out various problems. The spy agencies ought to give up on this approach.
(Score: 2, Insightful) by Anonymous Coward on Friday September 22 2017, @03:07PM
It's not about a little less computing resources. The right maths can dramatically reduce the complexity of breaking an ostensibly secure encryption standard. When the NSA promotes weak encryption, it is being lazy, but it could work.
(Score: 4, Insightful) by linkdude64 on Friday September 22 2017, @03:13PM (10 children)
Encryption can be broken, but am I not mistaken in that it is much more common for it to be bypassed by some other means?
(Score: 2) by DannyB on Friday September 22 2017, @03:32PM (2 children)
I'm going to assume practical feasibility here.
While a brute force attack can discover a key that reveals plaintext, is such an attack practical? If it would take more seconds than there are atoms in the universe, then such an attack is theoretical but not practical. A cipher is secure enough if a brute force attack could not succeed in the expected lifetime of the human species, even if all the mater in the solar system were converted into computers to perform the attack.
A brute force attach may work in a mathematical logical sense. But not in an engineering sense.
So I'll state this: If you don't have a way to bypass the encryption, then you cannot break the encryption.
By 'bypass' the encryption, I mean capture plaintext either at the point of encryption, at the point of decryption, or have some flaw in the encryption enabling you to recover the plaintext without a brute force attack. And this flaw still could involve expending significant amounts of compute horsepower*.
Therefore ALL success in breaking encryption is by bypassing the encryption. (And my definition of 'bypass' also includes a trap door in the algorithm.)
-=-=-=-=-=-=-=-=-=-
(*1 compute horsepower = amount of thinking one horse can do, like mechanical hp.)
The lower I set my standards the more accomplishments I have.
(Score: 3, Funny) by DannyB on Friday September 22 2017, @03:44PM
Let me add: also use of any techniques to steal encryption keys, in order to recover plaintext.
Efforts, such as malware to capture the encryption key. Spies. Sneaking into facility and copying encryption keys.
What? You photocopied the USB thumb drive? That's not what I meant when I said to bring back a copy of the USB thumb drive with the encryption key.
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Friday September 22 2017, @11:14PM
> A cipher is secure enough if a brute force attack could not succeed in the expected lifetime of the human species
"Great! I feel better about legacy system's security!"
"Why, you got a new way to patch the hundreds of known flaws?"
"Nope, but the nukes launch at midnight"
(Score: 3, Informative) by http on Friday September 22 2017, @03:35PM
The BULLRUN program administrators at the NSA would beg to differ with you. They devised at least one cryptographic routine with a backdoor (the one in Dual_EC_DRBG is moderately obscure, but "obvious" if you're a crypto-wonk like Bruce Schneier), and have been known to stack the standards board in charge of reviewing candidate cryptographic routines.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2) by Runaway1956 on Friday September 22 2017, @03:54PM (5 children)
Spearphishing works best, I believe. That, or the bargain bin five dollar wrench. The choice is a matter of finesse and elegance.
(Score: 2) by DannyB on Friday September 22 2017, @06:46PM (1 child)
The choice may also be a matter of being detected. The wrench is fairly likely to be detected. The spear phishing may not be depending on how well it is done. But then I suppose that reinforces your point about finesse and elegance.
I bet that even today, leaving a USB thumb drive in the men's room, or parking lot is likely to work.
attractive male/female: "Oh, I'm late for my meeting, could you please, PLEASE print my document for me real quick? I have it right here on this USB stick."
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Friday September 22 2017, @11:17PM
> The wrench is fairly likely to be detected.
I sell dual-use wrenches, which provide passwords and guarantee that their owners need a long leave of absence.
If you order with your credit card in the next five minutes, you get the exclusive upgrade code which enables you to also torque bolts.
(Score: 3, Funny) by The Mighty Buzzard on Friday September 22 2017, @10:58PM (2 children)
You haven't been tool shopping in a while. A good beatin-sized wrench ain't that cheap nowadays.
My rights don't end where your fear begins.
(Score: 2) by c0lo on Friday September 22 2017, @11:32PM (1 child)
Given the glut of steel persists, that should be a sign that the demand is increasing fast.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by The Mighty Buzzard on Saturday September 23 2017, @12:14AM
Nah. I'd say it's mostly just inflation. It took quite some time for a $5 wrench to become a $10-15 wrench. Also, tools are always way more expensive than the amount of steel in them would suggest, given that they're a necessary component to make significant amounts of money for the purchaser.
My rights don't end where your fear begins.
(Score: 1, Insightful) by Anonymous Coward on Friday September 22 2017, @03:08PM
With this we can have the internet everybody hoped we could because we would no longer use if for commercial purposes
Take off and nuke it from orbit it's the only way to be sure
(Score: 3, Insightful) by DannyB on Friday September 22 2017, @03:41PM (1 child)
Have the chickens come home to roost for the NSA?
Yes, in a sense.
It seems the NSA thinks short term. This mission success.
Even if they shoot themselves in the foot in the long term. Sort of like corporations. If I can make a ton of money today by cutting off the corporation's right leg, then great! I can take the golden parachute and move on.
Trust is hard to gain. Easy to lose.
And spy agencies don't generally have trust to begin with.
They had seemed to build a measure of trust by also having a mission of protecting US signals from foreign snoops. And this possibly extended to US commercial interests as well, since an economic disaster could endanger national security. So when the NSA would 'help' with national encryption standards that seemed to help commercial interests, others in the world would consider that maybe those standards were useful to them as well. Like AES-256.
Now the NSA doesn't even make a pretense of trying to protect US signals. At least not anyone's except the government's. They realize that encryption security works both ways. So they've focused on weakening encryption and bypassing encryption. Bypassing encryption generally means malware is implanted somewhere to capture plaintext before encryption or after decryption. Or to capture the encryption keys.
Why would anyone trust a spy agency to 'help' with encryption standards? Especially a foreign spy agency. Which leaves the question, how do you trust the people in standards bodies who develop and select national or international encryption standards?
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Friday September 22 2017, @11:20PM
> Why would anyone trust a spy agency to 'help' with encryption standards? Especially a foreign spy agency. Which leaves the question,
> how do you trust the people in standards bodies who develop and select national or international encryption standards?
Because they don't want (state-sponsored) script kiddies to launch strikes on their neighborhood For The Lulz?
(Score: 4, Insightful) by Runaway1956 on Friday September 22 2017, @03:59PM (2 children)
That age old phrase fits here, perfectly.
I can't understand how and why "allies" would bow to the wishes of the US and/or the "Five Eyes". I most certainly can't understand those who are not close allies doing so.
And, why can't our "intelligence" communities understand that they are cutting their own throats by pushing these stupid ideas? If they get their way, they quash innovation in the "free" world, but the REST of the world is going full-steam ahead, trying to defeat our best. As time passes, our high school / college grads and job applicants are severely handicapped in comparison to hackers from the "non-free" world.
The world at large really needs to tell Uncle Sam to fuck off.
(Score: 2) by DannyB on Friday September 22 2017, @06:51PM (1 child)
Money. Bribes. Blackmail. Pee pee tapes. Threats of violence. Ransom of someone or something. Threats the US president might visit your country. Etc.
See above list.
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Friday September 22 2017, @11:22PM
> Threats the US president might visit your country
Have they no shame, ethics, or professional conscience? The Monsters!
(Score: 0) by Anonymous Coward on Friday September 22 2017, @04:19PM (6 children)
M$ has all the tools that 3-letter agencies need secretly and stealthily hard boiled into the kernel. Even the web traffic is hidden from the flashing lights of the modem.
(Score: 1, Touché) by Anonymous Coward on Friday September 22 2017, @04:30PM (1 child)
M$ designed the firmware for my external modem? The one that has RJ45 on one end and coax on the other?
(Score: 2) by Runaway1956 on Friday September 22 2017, @05:01PM
To be perfectly honest - it wouldn't surprise me to find that they hold patents on whichever modem you're using. Nor would it surprise me very much to find that MS has obscure agreements with any or even all of the modem manufacturers. I'm skeptical of MS ability to control our external modems, but MS is the evil empire in computing.
(Score: 0) by Anonymous Coward on Friday September 22 2017, @05:00PM (1 child)
[citation needed]
No really, I'd wager that if stuff like this was there in a readily disassembleable kernel the kind folks at the RBN would've found and abused it by now. By saying that M$ can hide something in plain sight so well you're actually calling them competent.
(Score: 0) by Anonymous Coward on Friday September 22 2017, @05:19PM
It was reported years ago that some M$ web traffic can be sent without triggering the modem lights or even show up in wireshark.
(Score: 5, Insightful) by DannyB on Friday September 22 2017, @06:54PM
Forget M$.
Intel has done one better. Deep compromise baked right into your hardware. And best of all -- you paid for it!
Followed by AMD.
Gee, I wonder why Intel and AMD would do something like that this, that nobody wants. Not customers or end users. Not even large organizations that use computers. It almost seems like some outside influence forced Intel / AMD / M$ to do pre-compromise systems.
The lower I set my standards the more accomplishments I have.
(Score: 5, Funny) by DannyB on Friday September 22 2017, @08:17PM
Since you mention MS, I will note that there are two kinds of MS. Try not to get them confused.
1. an affliction suffered by millions of people which can make even the simplest tasks become difficult.
2. a medical condition.
The lower I set my standards the more accomplishments I have.
(Score: 2) by Gaaark on Friday September 22 2017, @05:00PM
It's distrust AAAALLLLL the way down.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---