OpenBSD Journal

NSA Crypto Sabotage

Contributed by Dengue on from the The-quiet-spot-on-the-dial-that-listens-to-you dept.

Kart writes : "A recent article at Cryptome.org, http://cryptome.org/nsa-sabotage.htm, claims "The NSA engages in sabotage, much of it against American companies and products." Even way back in 1998, CNN said: "The NSA wants software vendors to make sure that any product with strong encryption has some way for the government to tap into the data. Because practically every commercial network application, router or switch these days includes encryption or an option for it, almost every [US] vendor now has to answer to the NSA if it wants to export [from the US]."

Not exactly news, and redolent of conspiracy theory, but still relevant. Who can you trust? Can full disclosure vulnerability testing and open source code review protect us from our "protectors"?

(Comments are closed)


Comments
  1. By Brendan () rel@mac.com on mailto:rel@mac.com

    The Masons are poisoning the wells!

  2. By Noryungi () n o r y u n g i @ y a h o o . c o m on http://www.slashdot.org

    Actually, this whole thing is not a conspiracy theory.

    Think about it for a second: part of the NSA job is to crack whatever encryption scheme Russia, Lybia, Iraq, Iran, North Korea, China and others are using to protect their confidential information. And when I am naming countries, I mean governments, companies, and the average Joe Citizen -- very interesting information can come from multiple sources.

    Now consider these facts:

    • Everybody is getting on the Internet. Including most of the countries cited above.
    • Since most of these countries do not have top-notch 'net equipment manufacturers, they buy their stuff (routers, servers, firewalls, you name it) from the USA.
    • Most users/administrators do not understand one thing about security and encryption. Otherwise, why would everybody be using NT for web servers? Therefore, they use the default functions/settings and feel somewhat safe.
    • If said default settings are weak enough to be cracked in a matter of hours or minutes by the NSA, our friends in the government have a wide-open source of information. And remember: we are talking minutes here, folks -- NSA's appetite for supercomputers is world-famous.

    So, yes, from the NSA point of view, it makes a lot of sense to apply pressure on a company to get it to weaken its encryption. A few months of lobbying can save them years of hard work.

    What are the solutions? Not too good I am afraid...

    • Source-code review, especially when it comes to encryption, must be done by highly competent people. Not a lot of coders, even if very competent, do not have the time or the experience to review encryption software. It took a few years for the ADK 'bug' in PGP to be discovered...
    • When all is said and done, it's fairly obvious that any proprietary encryption software should be considered as insecure. No matter what anyone says, encryption software must be open to peer review. Anything else should be considered as insecure, compromised, or worse.

    Finally, there is also the possibility that the NSA scientists have been able to achieve some sort of mathematical breakthrough (prime number computation comes to mind) that allows them to crack most encryption schemes out there. That said, my money is on GPG . Or on one-time pads, which are, after all, the only uncrackable encryption scheme -- just a little bit inconvenient to use in real life... =)

    Just my paranoid US$0.02...

  3. By Kart () on

    Oops, typo in the article.

    Yeah, I hate to sound like a conspiracy nut, but you can't deny that stuff like this is going on.

    As an international project, distributed out of Canada, I wonder if OpenBSD has ever felt pressure from the NSA?

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]