Contributed by Dengue, from the The-quiet-spot-on-the-dial-that-listens-to-you dept.

Kart writes:
"A recent article at Cryptome.org, http://cryptome.org/nsa-sabotage.htm, claims "The NSA engages in sabotage, much of it against American companies and products." Even way back in 1998, CNN said: "The NSA wants software vendors to make sure that any product with strong encryption has some way for the government to tap into the data. Because practically every commercial network application, router or switch these days includes encryption or an option for it, almost every [US] vendor now has to answer to the NSA if it wants to export [from the US]." Not exactly news, and redolent of conspiracy theory, but still relevant. Who can you trust? Can full disclosure vulnerability testing and open source code review protect us from our "protectors"?"
Actually, this whole thing is *not* a conspiracy theory.

Think about it for a second: part of the NSA's job is to crack whatever encryption scheme Russia, Libya, Iraq, Iran, North Korea, China and others are using to protect their confidential information. And when I am naming countries, I mean governments, companies, and the average Joe Citizen -- very interesting information can come from multiple sources.
Now consider these facts:

Everybody is getting on the Internet. Including most of the countries cited above.

Since most of these countries do not have top-notch 'net equipment manufacturers, they buy their stuff (routers, servers, firewalls, you name it) from the USA.

Most users/administrators do not understand one thing about security and encryption. Otherwise, why would everybody be using NT for web servers? Therefore, they use the *default* functions/settings and feel somewhat safe.

If said default settings are weak enough to be cracked in a matter of hours or minutes by the NSA, our friends in the government have a wide-open source of information. And remember: we are talking *minutes* here, folks -- the NSA's appetite for supercomputers is world-famous.

So, yes, from the NSA's point of view, it makes a lot of sense to apply pressure on a company to get it to weaken its encryption. A few months of lobbying can save them years of hard work.
What are the solutions? Not too good, I am afraid...

Source-code review, especially when it comes to encryption, must be done by highly competent people. Not a lot of coders, even if very competent, have the time or the experience to review encryption software. It took *a few years* for the ADK 'bug' in PGP to be discovered...

When all is said and done, it's fairly obvious that *any* proprietary encryption software should be considered insecure. No matter what anyone says, encryption software *must* be open to peer review. Anything else should be considered insecure, compromised, or worse.

Finally, there is also the possibility that the NSA scientists have been able to achieve some sort of mathematical breakthrough (prime number computation comes to mind) that allows them to crack most encryption schemes out there. That said, my money is on GPG. Or on one-time pads, which are, after all, the only uncrackable encryption scheme -- just a little bit inconvenient to use in real life... =)

Just my paranoid US$0.02...
By Kart () on
Oops, typo in the article.
Yeah, I hate to sound like a conspiracy nut, but you can't deny that stuff like this is going on.

As an international project, distributed out of Canada, I wonder if OpenBSD has ever felt pressure from the NSA?
By Brendan () rel@mac.com on mailto:rel@mac.com
By Noryungi () n o r y u n g i @ y a h o o . c o m on http://www.slashdot.org
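Noryungi's closing remark, that one-time pads are the only uncrackable scheme but inconvenient in practice, can be shown concretely. The following is an added Python example, not code from this thread or from GPG/PGP; the messages and the pad bookkeeping are constructed for illustration.

```python
import hashlib
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of exactly the same length (encrypt and decrypt).

    The length check is the inconvenient part: the pad must be as long as the
    message, so the key material grows with all the traffic it protects.
    """
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def generate_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG; never derive a pad from a password."""
    return secrets.token_bytes(length)


def explain_as(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return a pad under which ciphertext decrypts to claimed_plaintext.

    Such a pad exists for every plaintext of the right length, so the
    ciphertext alone carries no information about the message. This is the
    reason a one-time pad is unconditionally secure, supercomputers or not.
    """
    return otp_xor(ciphertext, claimed_plaintext)


class PadStore:
    """Remembers fingerprints of spent pads so a pad is never used twice.

    A reused pad breaks the scheme entirely, so the store refuses the second
    use. Only a hash of the pad is kept; the pad itself should be destroyed.
    """

    def __init__(self) -> None:
        self._spent: set[bytes] = set()

    def already_used(self, pad: bytes) -> bool:
        return hashlib.sha256(pad).digest() in self._spent

    def encrypt(self, plaintext: bytes, pad: bytes) -> bytes:
        if self.already_used(pad):
            raise ValueError("pad already used; one-time means one time")
        ciphertext = otp_xor(plaintext, pad)
        self._spent.add(hashlib.sha256(pad).digest())
        return ciphertext
```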