25 December 2013

12 Ways of NSA Suspicion

List Cryptography Archive
http://www.metzdowd.com/pipermail/cryptography

List cryptography Archive
http://lists.randombit.net/pipermail/cryptography/


1. Partridge in a Pear Tree

I don't mean to call people names. I'm only using Cookie's post as a recent example, of which there are many. Cookie Cutter clearly doesn't want to switch to scrypt, which AFAIK any non-dork can tell improves security against common real attacks, which far outweighs Cookie's concerns about side-channel attacks, and OMG, what was that crazy rant about sprinkling secret data all over RAM? It's just the output of a respected stream cipher! From where I'm sitting, Cookie's position is so lame, it makes me think he may be getting paid to spread FUD.

So, is Cookie a dork or a shill? Do we live in a world where we can't chat intelligently about security because of NSA shills, or is the world really full of that many dorks?


2. Turtle Doves

How can an untraceable pseudonym, such as me, post to a forum?

(Don't say Tor -- Tor is connection based and deliberately low-latency, so the source can be identified with IP packet correlation attacks. Untraceable pseudonyms use anonymizing remailers, which are message-based and deliberately high latency.)
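A toy simulation of the distinction drawn above, added here as an illustration and not part of the original post. It models a low-latency relay that forwards each packet immediately and a message-based pool mix that holds messages and releases them at batch boundaries, then runs the same timing-correlation attacker against both. All traffic, delays, batch parameters and the correlation metric are constructed assumptions for the demo, not measurements of Tor or of any real remailer.

```python
"""Timing correlation against a low-latency relay vs. a high-latency pool mix.
Added illustration only; every number below is a constructed assumption."""
import math
import random

SEED = 20131225  # fixed seed so the run is reproducible (constructed)


def make_flows(n_flows, n_packets, duration, rng):
    """Constructed sender traffic: n_flows senders, each emitting n_packets
    at uniformly random times in [0, duration) seconds."""
    return [sorted(rng.uniform(0, duration) for _ in range(n_packets))
            for _ in range(n_flows)]


def low_latency_relay(flows, jitter, rng):
    """Tor-like behaviour: every packet is forwarded as soon as it arrives,
    so each circuit's output timing is its input timing plus tiny jitter."""
    return [[t + rng.uniform(0, jitter) for t in f] for f in flows]


def pool_remailer(flows, batch_period, release_prob, rng):
    """Mixmaster-style pool mix: arriving messages wait in a pool; at the end
    of every batch period each pooled message is released with probability
    release_prob, otherwise held for a later batch.  Output times are batch
    boundaries and the per-message delay is random, so output timing is
    decoupled from input timing."""
    out = [[] for _ in flows]
    arrivals = sorted((t, i) for i, f in enumerate(flows) for t in f)
    pending, idx, clock = [], 0, batch_period
    while idx < len(arrivals) or pending:
        while idx < len(arrivals) and arrivals[idx][0] < clock:
            pending.append(arrivals[idx][1])
            idx += 1
        kept = []
        for flow in pending:
            if rng.random() < release_prob:
                out[flow].append(clock)
            else:
                kept.append(flow)
        pending = kept
        clock += batch_period
    return out


def histogram(times, bin_width, n_bins):
    counts = [0] * n_bins
    for t in times:
        counts[min(int(t // bin_width), n_bins - 1)] += 1
    return counts


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def correlation_attack(inputs, outputs, bin_width):
    """Attacker observing both sides of the anonymizer: for each input flow,
    pick the output flow whose binned timing correlates best (aligned bins,
    no lag search).  Returns the fraction of input flows matched correctly."""
    t_max = max(t for f in inputs + outputs for t in f)
    n_bins = int(t_max // bin_width) + 1
    in_h = [histogram(f, bin_width, n_bins) for f in inputs]
    out_h = [histogram(f, bin_width, n_bins) for f in outputs]
    correct = 0
    for i, h in enumerate(in_h):
        scores = [pearson(h, o) for o in out_h]
        if scores.index(max(scores)) == i:
            correct += 1
    return correct / len(inputs)


def demo(n_flows=20, n_packets=40, duration=60.0):
    rng = random.Random(SEED)
    flows = make_flows(n_flows, n_packets, duration, rng)
    tor_like = low_latency_relay(flows, 0.05, rng)
    remailer_like = pool_remailer(flows, 10.0, 0.5, rng)
    # 1 s bins against the relay; batch-sized bins against the remailer,
    # which is the most favourable aligned binning for the attacker there.
    return {
        "low_latency_accuracy": correlation_attack(flows, tor_like, 1.0),
        "remailer_accuracy": correlation_attack(flows, remailer_like, 10.0),
    }


if __name__ == "__main__":
    print(demo())
```

The relay case matches essentially every circuit to its sender because the output histogram is a near copy of the input; the pool mix collapses the attacker toward guessing, because the only thing output timing reveals is which batch a message left in. The remailer's delay is the price of that property, which is the trade-off the post is pointing at.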


3. French Hens

It's not publicly documented, but I hear TSMC added extra transistors to some Xilinx FPGAs, and the last I heard, no one had figured out what they were for.

On Tue, Dec 24, 2013 at 2:43 AM, wrote:
On 23/12/13 19:20 PM, wrote:

... And everyone is trying to reverse-engineer everyone else's designs. All the underpinnings are there. And various parts of the US military and security establishment are quite aware - have, in fact, talked publicly about - the problem of "spiked" chips making it into their supply chains.

Aha. So, are there any case studies of this actually happening? This might shed light on the RDRAND question. If we had a documented case of (say) the Chinese slipping spiked chips into one of the hot USAF toys, then we'd have some sense of how likely this is.

Then what?
Yet another arms race.

Papers, conferences, budgets, hype, FUD, gosh.


4. Colly Birds

Please do not email me anything that you are not comfortable also sharing with the NSA.


5. Gold Rings

There are multiple archives of this mailing list, and starting your own is trivial:

http://lists.randombit.net/pipermail/cryptography/

https://www.mail-archive.com/cryptography@randombit.net

IMO ease of archiving and ease of passing around archives is one of the biggest strengths of mailing lists.


6. Geese-a-Laying

I'm in the Bitcoin community and we keep on talking about fully decentralized backends to mailing lists/usenet replacements, but until something like that is implemented, best to stick with the tried and true mailing list. When something like that is implemented, it's gonna look rather like a mailing list...

Mailing lists are great infrastructure: a pragmatic centralized core to push messages around/moderate, and a whole host of decentralized infrastructure around them like multiple archiving services and a wide variety of client software to interface with.

I also note that it's a pain in the butt to PGP sign message board posts, this is Cryptography after all...


7. Maids-a-Milking

https://en.bitcoin.it/wiki/Fidelity_bonds - Disclaimer: I invented them. Also "Just use fidelity bonds!" is a standard joke in the Bitcoin developer community, and for good reason.


8. Swans-a-Swimming

I don't think a backdoor is likely to survive a serious audit. Code audits, done right by competent people, are tough.

Though, done right, they are expensive.

If crypto code is open source, most people will use it without careful examination on the assumption that someone else is going to audit it.

But, some people, relying on that code, *are* going to audit it.


9. Ladies Dancing

In any case, as others have pointed out here: Until Snowdonia, the general attitude of big business - the customers for BSAFE - would have been "I don't care that the NSA can read my stuff, they're the good guys, they don't get involved in commerce, I have nothing to hide from them."


10. Lords-a-Leaping

There is historical precedent on switching to old tech. The Battle of the Bulge was a surprise attack because Adolf Hitler -- himself only, and not his generals -- did not trust the crypto and comms anymore. He got suspicious about how many battles were going the enemy's way.

In his last roll of the dice, Hitler sent all the orders by motorcycle riders. Total surprise.


11. Pipers Piping

> It's an interesting question, and one worth studying for pedagogical
> motives. From my experiences from both sides, it is clear that both sides
> failed. But for different reasons.
> Hence, I've concluded that email is unsecurable.

Obviously. It will never be able to escape the non-body header content and third party routing, storage and analysis with any form of patching over today's mail. And it's completely ridiculous that people continue to invest [aka: waste] effort in 'securing' it. The best you'll ever get clients down to is exposing a single 'To:' header within an antique transport model that forces you to authenticate to it in order to despam, bill, censor and control you.

That system is cooked, done and properly fucked. Abandon it. What the world needs now is a real peer to peer messaging system that scales. Take Tor for a partial example... so long as all the sender/recipient nodes [onions] are up, any message you send will get through, encrypted, in real time. If a recipient is not up, you queue it locally till they are... no third party ever needed, and you get lossless delivery and confirmation for free. Unmemorable node address?, quit crying and make use of your local address book. Doesn't have plugins for current clients?, so what, write some and use it if you're dumb enough to mix the old and new mail.

The only real problem that still needs to be solved is scalability... what p2p node lookup systems are out there that will handle a messaging world's population worth of nodes [billions] and their keys and tertiary data? If you can do that, you should be able to get some anon transport over the p2p for free.

Anyway, p2p messaging and anonymous transports have all been dreamed up by others before. But now is the time to actually abandon traditional email and just do it. If you build it, they will come.


12. Drummers Drumming

With open source code the NSA would be foolish to install a true back door.

i.e. The NSA would be foolish to assume that they could craft a side door in open source code that would withstand the scrutiny of another nation's security agency (ANSA). The folk I have encountered that work there (short and old list) are not foolish or stupid. Their data integrity folk are darn good.

I can see weaknesses to establish a class of ability or a time window. For example, in the days that RSA and the NSA negotiated the $10M contract, FPGA and ASIC attacks were the tools of a rare and limited set of nations and corporations. My memory may be fading, but I recall this time frame and believe I heard "smart" folk indicate that this was not clearly beyond the tools of the spooks but was beyond the tool reach of even organized crime at that time. Key concept: "at that time".

I make weakness level security decisions all the time. I do not have the world's strongest lock on my home. I have also not replaced the locks on my car. My gym locker lock is an easy to open high school grade combination padlock. Most of these locks I can still open with my eyes closed in moments the same as I could back in high school.

Down the road is a high voltage transformer with a lock on it. OK, it looks like a lock but is a seal in the shape of a padlock. It is made of aluminum(?) for the most part and is designed to be cut off with cutters, the same as used to cut heavy aluminum and copper cables. It is tamper evident; it should withstand an attack for a little bit of time with a hammer or bashing with a rock. If a teenager busted in and fried his little brain till it burst, the power company clearly is not maintaining an attractive nuisance. There is no master key to be lost. It could be made of more durable material like hardened steel and more, but it does not need to be.

My thought on this is that if you wish to be NSA proof you have some work to do.

All of this does take me to a couple places:

First is a reminder of the Morris worm attacks. The dad wrote a book, and none in the community addressed these design flaws and bugs. Jr. crafted a worm that escaped or was let free on the world. Not zero day, no criminal element, no national security enemy. The BSD folk seem to have learned this lesson.

Second: "Target"... clearly criminals were involved; national interests & government sponsored... not likely. The price tag of the breach at Target is possibly astounding. Some credit card companies have eviscerated their limits to limit their risk. All they have to do is write a report.... "if used @ Target, establish limits and throttle the limit of abuse and liability". There are many lessons to be learned here.

Third: can wait for the new year.

Forth/Fourth: All things are not equal and too many take two things as all the proof needed to take a product to market. Code reviews and code review tools need work today. The bad guys are looking at the same code you have. Clear, precise, testable.... etc... It is interesting that the word code is used in so many ways.