NSA systematically inserting backdoors into everything they can, like banking

[Itse]

http://www.theguardian.com/world/201...codes-security

Quote:

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

Meh. I fully expect people to keep on telling me it's to keep us safe and there's nothing to worry about.

I mean, what could possibly go wrong with inserting backdoors into the systems that are supposed to protect said systems from, say, terrorists and criminal?

Quote:

"The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

Quote:

This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School."[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users," she states.

[Rathji]

This is why encryption systems should be entirely open source.

Of course the wording of the article kind of leaves the door open that the vulnerabilities might actually just be 1024 bit keys, which we have known for a while are insufficient against the brute force decryption techniques available today, and which most big providers are in the process of phasing out.

I wonder if the real issue here is the laws which lets the US government openly and legally obtain old SSL keys from providers like Google, to use on traffic that was previously captured. The wording of the article doesn't discount that, and for me is far less of a concern than having an active back door.

[UKflames]

The hilarious thing is that all of these 'backdoors' keep getting found, made public as security issues and they were probably put there by the NSA. I bet these companies love the fact they keep getting throw under the bus by the press for having written a programme with a hole in it, when it was put there for the US government all along but they cannot say anything due to some official secrets act.

[Bobblehead]

Quote:

Originally Posted by UKflames

The hilarious thing is that all of these 'backdoors' keep getting found, made public as security issues and they were probably put there by the NSA. I bet these companies love the fact they keep getting throw under the bus by the press for having written a programme with a hole in it, when it was put there for the US government all along but they cannot say anything due to some official secrets act.

Which is why, on this issue, Google and Microsoft have teamed up to sue the NSA.

Quote:

Microsoft and Google's motion at the FISC (Foreign Intelligence Surveillance Court) to allow them to disclose their policies and some aggregate data on their compliance with court-ordered disclosures of customer data will be proceeding to litigation before the FISC.

http://www.zdnet.com/microsoft-googl...ed-7000020311/

They especially want to do that because a number of governments around the world have started to make demands that government systems avoid US products for fear of NSA spying.

[woob]

And people still believe Snowden is the bad guy.

[photon]

http://www.theregister.co.uk/2013/09...lrun_analysis/

[Rathji]

Let me just clarify that it doesn't actually appear to me that the NSA has 'installed backdoors' into anything, but they are likely just exploiting security holes in RCA (and other ciphers).

Considering what a gong show RCA has been over the last couple years as far as serious exploits, with the BEAST attacks and the recent SSL compression vulnerability that was just released at Black Hat, this really isn't that surprising.

[Itse]

Quote:

Originally Posted by Rathji

Let me just clarify that it doesn't actually appear to me that the NSA has 'installed backdoors' into anything, but they are likely just exploiting security holes in RCA (and other ciphers).

It's already old news to anybody who has been following that all post 95 versions of Windows have NSA backdoors, and hackers finding and exploiting them regurarly was news a decade ago. (Even though at that point it was only tinfoil hat people who thought that it might be because of the NSA.)

So if there's a place where there isn't a backdoor, it's because the NSA haven't found a way to put it there yet. Which is absolutely insane and is making the internet unsafer and weaker for everybody.

Also, the reason the article doesn't go into specifics is that the intelligence people asked them nicely, which it also says on the article.

Quote:

Considering what a gong show RCA has been over the last couple years as far as serious exploits, with the BEAST attacks and the recent SSL compression vulnerability that was just released at Black Hat, this really isn't that surprising.

The article specifically says that they have "inserted backdoors into commercial encryption software" (example mentioned here), and is actively working to continue doing such things everywhere it can and have already essentially taken hold of international encryption standardization in order to better control the internet.

[Rathji]

I get that the whole NSA/PRISM/XKeyScore thing is really a problem, but this particular revelation is not on the top of the list of things that are concerning to me personally.

Quote:

Originally Posted by Itse

It's already old news to anybody who has been following that all post 95 versions of Windows have NSA backdoors, and hackers finding and exploiting them regurarly was news a decade ago. (Even though at that point it was only tinfoil hat people who thought that it might be because of the NSA.)

I think you misunderstood what I was referring to, because as far as I was concerned, we were talking about SSL/TLS and HTTPS. Anything installed into Windows over 15 years ago really has no bearing on that conversation as far as I am concerned. Unless you are using an insecure implementation or version of these protocols, which as I mentioned previously, you shouldn't be at this point if you are serious about your security.

Quote:

So if there's a place where there isn't a backdoor, it's because the NSA haven't found a way to put it there yet. Which is absolutely insane and is making the internet unsafer and weaker for everybody.

You are misreading the article, I think.

Even though some of the access they have is through backdoors in commercial software, much of the access is due to being able to brute force or use known vulnerabilities in current ciphers. You can crack WPA/WPA2/WPA-E, PPTP, SHA-512, and MD5 in a day by uploading to to cloudcracker and making a simple credit card payment. There are currently at least 2 known attacks based on well known vulnerabilities in RC4, which make it completely unsafe to use. SSL compression has been shown to be insecure, but there are no attacks I know of which utilize this vulnerability.

Bottom line is, if you are not using secure encryption, then you cannot be sure. You used something like AES 128 or 256, and you can use an open source solution like OpenSSL, TrueCrypt or OpenVPN, then you can likely sleep well at night.

I think this assertion is supported by the article when it says:

Quote:

The agencies have not yet cracked all encryption technologies, however, the documents suggest. Snowden appeared to confirm this during a live Q&A with Guardian readers in June. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,"

Quote:

The article specifically says that they have "inserted backdoors into commercial encryption software" (example mentioned here), and is actively working to continue doing such things everywhere it can and have already essentially taken hold of international encryption standardization in order to better control the internet.

Are you seriously concerned about backdoors built into these machines? in terms of you and anything that impacts you in your daily life?

Spoiled for size

Spoiler!

Its fine if you are, but for those of us living in the 21 century, I think we will be okay on that front.

[McG]

If this area is of interest, there are quite a few Wired magazine articles about this including a cover story on the new NSA facility in Utah and a cover story on the USA having covert cyber warriors.

One point of interest to me was the mass storage of encrypted content today with the full knowledge that brute force will enable the decryption at some point in the future.

[Rathji]

Quote:

Originally Posted by McG

If this area is of interest, there are quite a few Wired magazine articles about this including a cover story on the new NSA facility in Utah and a cover story on the USA having covert cyber warriors.

One point of interest to me was the mass storage of encrypted content today with the full knowledge that brute force will enable the decryption at some point in the future.

Also, the government can much more easily get encryption keys for old data as the keys expire (which happens every couple years) and are taken out of service. They don't even need to go to a FISA court and use the Patriot Act, as it is likely covered under the precedent set by the 1986 Electronic Communications Privacy Act.

http://www.scientificamerican.com/po...kings-13-06-06

Quote:

The 1986 Electronic Communications Privacy Act was mostly aimed at protecting digital messages in transit. The Act existed before the widespread use of email and of massive computer memory that could easily store decades’ worth of messages. The law thus considers information such as e-mail “abandoned” if it’s stored for more than 180 days on a service provider’s server. If law enforcement wants access to an abandoned e-mail, it only has to claim need for an investigation.

[Itse]

https://www.schneier.com/blog/archiv...cy_theo_1.html

Quote:

Conspiracy Theories and the NSA

I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public institution fails.

The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA's surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It's even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.

Quote:

All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There's simply no credibility, and -- the real problem -- no way for us to verify anything these people might say.

Quote:

Trust is essential for society to function. Without it, conspiracy theories naturally take hold. Even worse, without it we fail as a country and as a culture. It's time to reinstitute the ideals of democracy: The government works for the people, open government is the best way to protect against government abuse, and a government keeping secrets from its people is a rare exception, not the norm.

The article compares the NSA to the FBI of the Hoover-era. Personally I think that's being overly nice. With the incarcerations without arrests, the punitive torture of it's own citizens (see case Manning) and being obviously out of any outside control (for example the court that's supposed to oversee them doesn't know what they're doing and are being constantly lied to by NSA), I think it's fair to say the US intelligence apparatus is basicly already like Stasi or KGB.

But I'm sure they're going to be "nice about it", like one former NSA agent tweeted recently. Because sure, the problem with Stasi was not that they had ridiculous powers without oversight and were given orders to protect the system at all costs. No, it was propably that they were bad people.

[Itse]

Despite following myself;

This is a good explanation of what's this about.

http://blog.cryptographyengineering.com/

Quote:

If you haven't read the ProPublica/NYT or Guardian stories, you probably should. The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

1. Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
2. Influencing standards committees to weaken protocols.
3. Working with hardware and software vendors to weaken encryption and random number generators.
4. Attacking the encryption used by 'the next generation of 4G phones'.
5. Obtaining cleartext access to 'a major internet peer-to-peer voice and text communications system' (Skype?)
6. Identifying and cracking vulnerable keys.
7. Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
8. And worst of all (to me): somehow decrypting SSL connections.

[Rathji]

I agree with that summary.

However, I don't agree with the author, who says that decrypting SSL is the worst of the bunch. We already know that RC4 implementations of SSL are pretty worthless in terms of security, and if that's all they have cracked (which is likely) then the news is pretty much meaningless. It also could refer to gaining access to outdated keys and decrypting stored data, which has legal precedent in the US, and it almost certainly happening.

For me, the big things are heavily influencing the standards by which crypto is done, around the world and ensuring that weaknesses exist, and placing assets to put vulnerabilities into commercial implementations.

The point referring to attacking encryption on 4G phones is almost nonsensical, since the link actually is referring to vulnerabilities on GSM, and points out that 3G, 4G and LTE are actually pretty secure (baring keys being obtained through legal coersion)

Everything else really isn't 'new' news at this point. Skype has been know to have backdoors for almost a year now?

[Itse]

Quote:

Originally Posted by Rathji

For me, the big things are heavily influencing the standards by which crypto is done, around the world and ensuring that weaknesses exist, and placing assets to put vulnerabilities into commercial implementations.

The details can of course be argued, although it's kind of hard to say much about them, when it seems that there could still be a lot we haven't been told.

I agree that the real core of the issue is not so much what they have done to this point, but the basic attitude of the NSA and the GCHQ. They are basicly trying to make the internet less safe so their jobs would be easier.

This is the real longterm problem, and shows how the people supposedly meant to protect others in practice think very about the every day problems they are causing while fighting against obscure and rare threats.

[Itse]

http://arstechnica.com/security/2013...lls-customers/

Quote:

Officials from RSA Security are advising customers of the company's BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency.

Quote:

The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle though possible keys until the correct one is guessed.

[Rathji]

Someone actually used that specification?

I would stop using a product entirely, and never touch the company again with a 10 foot pole, if the developers decided to use a RNG that was over 1000 times less efficient than any of the other specifications available in the exact same document, and has been shown to be insecure for almost 6 years.

In other news, people shouldn't be using Windows 98 anymore. Also, don't click on email attachments that are executable.

[Itse]

What line of work you in, Rathji?

Just curious, because I have yet to see an actual professional in the field with that attitude. And I know some pretty good ones.

[Rathji]

I am sysadmin.

I have issues with the fact that they influenced the standard, because they shouldn't be working towards weakening encryption.

I also have issues with people who implement terrible algorithms. That's almost like using bubble sort algorithm when writing database software.

[Shawnski]

Interesting recent story...