Many here are now owed Beer and Travel Money with an apology
Last edited Sat Dec 21, 2013, 01:27 PM
"The generation of random numbers is too important to be left to chance."
- Robert R. Coveyou, Oak Ridge National Laboratory
To all you people who said I was crazy that the NSA could have a back door into encryption, my inference back in July is now confirmed.
My mistake back then was I thought Cisco was compromised and it now turns out that RSA itself is compromised. How was it compromised? A subtle flaw in the random number generation that I suspect allows the private key to be deduced from the public key.
This would be funny if it wasn't so sickening.
So to all who said I was nuts, who hassled me for attending the anti-NSA rally, it's your turn to be mocked. Unless you want to stand up and say Sorry, Hoot I guess you did know a little about this tech stuff.
For those who remember our old friend Random Thoughts.
I'm not enough of a geek to have ever gotten into the details of the matter, but in my dark little paranoid soul I never doubted that They were Watching Us in myriad ways, or that They could access anything we put online.
watched every episode I could and still do during sci fi station marathons usually on a holiday. Rod Serling had a sterling mind. He died too young.
I used to think I was always missing something whenever I read his responses.
Image managers know how important it is to hide when they've finally been rumbled.
But I know I couldn't be complete, because those are just my OPs in which I was told I was nuts. It doesn't reflect the myriad of other threads where I heard the same thing. At least the person ridiculing the anti-NSA rally was tombstoned, but many who agree with him remain.
I seriously doubt that any of them will come by to say anything, but catharsis happened by putting this on the record.
others for daring to disseminate bullshit and come to conclusions that turn out later to be true. And they NEVER belly up to their crow dinner. That says all about them that needs to be said.
Would seem reasonable for an ostensibly Liberal board.
It's easy to spot them. They never actually post anything - articles, analysis, funny pictures - but only show up to discourage people from paying attention or to sneer at people who do.
their poisons which are proven to kill people every day, and who even say so in their TV spots, while calling that "science". We can call them "Big Pharma Toadies".
And some of them are even forum hosts for God's sake!
But if they do they may not be quite as anonymous as people think.
... and the NSA employs a lot of talent with the skillez to pull this off. 4 the Lulz.
But yeah there are some really sharp tacks in the box.
Interesting that Snowden used it with his chats with Greenwald.
And of course Bitcoin is not anonymous at all despite its supporters' ignorant claims.
Java nonce collision
In August 2013, it was revealed that bugs in the Java class SecureRandom could generate collisions in the k nonce values used for ECDSA in implementations of Bitcoin on Android. When this occurred the private key could be recovered, in turn allowing stealing BitCoins from the containing wallet.
"Bugs". Yah, sure, just a "bug".
Not to say that this is not correct but I think the US government needs it to succeed since it works as a honeypot for illegal behavior and is 100% not anonymous.
... I'm going to buy/sell an illegal substance from someone, somewhere, I know not who. I'm going to give my delivery information to that person, and make payment using an information system that posts the entire ledger to the internet where anyone, anywhere can access it without warrant or reason. Then I'm going to entrust the illegal substance to a courier service staffed and run by government agents that photograph and electronically record everything they touch.
What could possibly go wrong?
Oh yes, AND I'm going to do this relying on the privacy provided by routers and clients developed by the Naval Research Laboratory.
But that doesn't prove you're not nuts. Neener.
Shutting people up isn't fascistic, it's for their own good, hootinholler. Otherwise they might forget that this is mostly like a free country, apart from the wars without end for profit, stolen elections, KKKoch brothers fiscal policies and the bankster-run just-us department. Do you want me to report that you're not with the Program?
That is a breach I will gladly fill.
You know it's funny that I have this penchant towards revealing truth as I know it.
Thank you for helping me to preserve what sanity I have left.
Not much in the way of reward, wot, other than doing the right thing for the sake of democracy and justice.
I believe from a Twilight Zone episode.
Wiki says he was in four episodes, so it may be another one. The guy was tops in every way -- a genius and a war hero.
Mr. Meredith sports a moustache as Mr. Bemis in the TZ episode in which he plays the bibliophile:
The second is cowardice. These cowards are really authoritarian (bully) followers. They hope that the almighty authority (bully) will appreciate their loyalty and bestow kindness upon them. The third is also an authoritarian follower, but enjoys being on the side of the almighty bully. Reasons two and three overlap.
We live in an authoritarian state. We are taught from a very young age to blindly follow authoritarian leaders, whether parents, teachers, coaches, Scout leaders, and religious leaders. Some of us resist these teachings, but IMHO most Americans are authoritarian followers to some degree.
but it seems I never have and it's likely I never will.
on faith. That's why there is such a problem with priests. The Church promotes the idea that priests are not mere men, but should be revered and trusted. It's easier to control people if you can get them to believe in you blindly. As you see here in DU that some here support the NSA blindly because they don't want their blind faith in authority shaken. We live in an authoritarian society.
Cannot agree with that more. I could say it's patriarchal and it is to an extent but as a pagan, I can tell you I've seen plenty of women rule with an iron fist.
Apologies for pile ons are just not done
It is what makes DU suck in so many ways.
That said, you did get the experiences.
Unfortunately another aspect of the authoritarian personality, in addition to their need to feel they are in control, is that they are deadbeats and don't pay unless publicly shamed into it.
It's worth the cost just to not have to look at them.
Nor am I clairvoyant.
I just know how systems hang together. I've built a career of 30+ years building and troubleshooting large and complex systems.
for that I have no problem whatsoever in admitting that you were right and I was wrong.
our behavior pretty much sucks on several levels!)
back at you!
There is so much at stake. In the realm of pure speculation, I will bet that the Koch Brothers have someone with capabilities like Snowden had on their payroll and have access to whatever private correspondence they desire.
Think about it, I bet they have a lock on the Orange Market Report before anyone sees it. Where Orange Market Report is a variable to be replaced with any other industry of interest. Want to know what ExxonMobil is up to?
Robert R. Coveyou, Oak Ridge National Laboratory
And then there's this:
It's been a very long time since I read Knuth and it was indeed random number that took me to the bible of IT (Is it still taught? Is the dragon book still taught?)
I will correct forthwith. That's what I get for relying on *my* memory. Apologies to Mr Coveyou!
exactly who they were.
NSA is monitoring this website. There's no reason not to believe they are also participating on this website.
And they are not apologetic.
Because that shit is way over my head...
But I would buy you a beer just for being right and speaking up...
I never said you were crazy. In fact... I never said anything to you.
Good thing there are many open source algorithms available.
What else has been tampered with?
Yay for GnuPG!
It was simply making logical inferences from stated capabilities.
They say they can do this, well how could that happen?
...who kept insisting that there was nothing to worry about when Fukushima blew up?
They are just venting a little steam.
I know Science, and these nuclear plants are perfectly safe
because they have redundant back up systems.
Did I mention that I know science, and you are just a dumb ass?
I don't remember any retractions or apologies then either.
But I'm always glad to raise a glass with you (wine for me though, please)
And thanks for posting on the tech aspects of this. I'm fairly geeky in some areas, but wouldn't be aware of what some of this means without your explanations.
And haven't been posting much recently.
But now I have some well-deserved time off and am looking forward to relaxing and catching up.
How have you been?
And back atcha:
My Sis came up for a visit and had a heart attack, She's gonna be ok.
Work has been a zoo with nebulous desires by the customer.
I'm happy to be alive and employed on this fine solstice day. I think I should take my pet out for a nice dinner tonight.
RSA is two things. One, it is a public key encryption algorithm, and two, it is a company. The RSA algorithm is not compromised. What is compromised is some of the software that the company RSA produced. According to the article, the problem is that RSA's Bsafe crypto software's default random number generator (Dual_EC_DRBG) is vulnerable to a back door. And the NSA paid RSA $10M to use Dual_EC_DRBG, so it is a pretty good guess that the suspicions that NSA put a back door into Dual_EC_DRBG are true.
But this is pretty far from saying that VPN traffic can be read by the NSA. At worst, it means traffic encrypted by providers using Bsafe can be read by the NSA, but I have no idea how many of them do (and I don't think you do either).
What's more, the fact that the Dual_EC_DRBG random number generator had a potential back door has been known since at least 2007, so people that knew what they were doing have considered Dual_EC_DRBG to be broken for some time now. Which means that VPN or any other crypto software written by people who were actually trying to provide security, as opposed to intentionally letting the NSA in, probably were not using Dual_EC_DRBG to begin with. And now that this has all become public, nobody is going to use Dual_EC_DRBG anymore.
This is not to say that the NSA isn't doing things they shouldn't be doing, and of course, it's also possible that the NSA has other hacks that we don't know about. But simply claiming that the NSA has "a back door into encryption" is a pretty big overstatement.
Thanks for that article! I wasn't aware as I don't generally get that involved in the encryption side of things.
I would remind you that the notion that the NSA has the capability to decrypt VPN traffic comes directly from the NSA:
At the time I was speculating on how it could be accomplished.
It's unsettling, but it certainly doesn't mean that they can read all VPN traffic. Particularly since different VPNs use different encryption protocols, it is doubtful that this is true. For example, I haven't seen any suggestion that the open source OpenVPN is compromised, nor have I read any security experts who think it is.
Also, VPN also refers to more than one thing (sort of). First, a VPN is a virtual private network, the way you described in your other OP -- basically a way to be securely connected to your office network while you are at home or at Starbucks.
But what this slide is talking about by "VPN startups" is most likely VPN services (for example) that let users surf the internet anonymously via proxy servers, using a VPN protocol for the connection to the proxy server. This is something the NSA would be particularly interested in, since people using VPN services in this way are trying to avoid detection.
Notice, though, that the slide doesn't say that the NSA can actually read encrypted packets. Instead, it says that if they have the "data" they can decrypt and discover the users. To me, this doesn't mean they are hacking the actual VPN encryption, but instead that they have (or want) some way to figure out who is using these VPN services. I have no idea what they have in mind exactly, but it could be any number of things, not necessarily involving breaking crypto. It could even mean hacking into the servers at the VPN startups and stealing their logs.
For a recent example of a non-codebreaking method of tracking people through supposedly secure connections, the guy who used TOR to mail bomb threats to Harvard got caught not because the police were able to crack TOR, but because they simply got hold of the logs of everyone who was connected from the Harvard network to TOR at the time the threat was sent.
I might tend to agree. But there is a scalability caveat on the slide as well suggesting that this is the tool to do bulk decryption. Capturing logs for analysis is a tedious process and likely not to require bulk decryption.
Maybe they are only mapping the connections and not the content, but at this point, as a practical matter, I think it would be incredibly naive to trust that assertion.
With luck we will actually know.
I just don't know if they can. I also don't know if they can get the users either. I don't think the NSA is limiting themselves based on some concern for the privacy of VPN users in other countries. It's just that that slide doesn't say much about their actual decryption capabilities.
All plaintext. On the entire internet. This is being grabbed. This discussion is likely causing headaches to the automated software.
What they're saying on that slide is obvious, they say on the slide before they can't download everything because there's too much.
ignored you. But I will gladly set up a pint of Mongoose IPA for you tomorrow. If you don't show up, it won't go to waste.
DU Tech Savvy who didn't trash Snowden and those of us non-tech savvy who post here who supported him because we knew the NSA's history of spying and figured why wouldn't they be taking advantage of exactly what Snowden has revealed.
Yes you are owed and here's a Toast to You (from someone who welcomed your input).
I am too tech-ignorant. But I do feel that the spying-surveillance thing is out of hand.
And I give you a K & R. I don't think you are nuts, and would gladly attend an anti-NSA rally with you.
Tin foil actually got you a better picture too.
Beer won't help me at this point.....but thanks
I busted a gut laughing
And crim son
And Haole Girl
And God_Bush_n_Cheney - RIP
And Jimmy Jazz
And so many more...
It's actually likely that Cisco's routers are using Dual_EC_DRBG which is why their sales have dropped dramatically and how the NSA has been able to so easily snoop on everyone.
Ever since Dual_EC_DRBG was announced almost every sane security person didn't use it. Now EMC's implementation of it defaults to Dual_EC_DRBG but that is easily changed by changing a configuration process. Simple, and if you were a sane developer, you'd do it.
What's more important is how the NSA and US government shut down Lavabit for providing truly anonymous email. In other words, those who want to provide anonymity, must be forced to do so by the government.
As Bruce Schneier says (one of the original people to break the Dual_EC_DRBG, and btw he wasn't afraid to call it that), what the NSA is doing and has been doing is unsurprising and it's good that it's finally out in the open.
I meant RSA the company. It could be that only one of the protocols is compromised, but at this point RSA as a company is not IMHO trustworthy.
We're talking about networked systems that allowed 30,000 customers to be affected and L3 and Lockheed Martin were compromised. I think that's when RSA lacked trustworthiness. Not when they signed up with the NSA.
At that moment RSA (the company) / EMC should've lost all contracts with the government. For the same reason that if we were serious here if what Booz Allen contends Snowden did then Booz Allen should be summarily fired from working for the government. Forever. Every person who worked with Booz Allen completely ostracized.
(Note: I am not saying what Snowden did was wrong, I am saying that if he pulled off what he did, which I am not certain he did, then that is a huge, major security breach and the corporations who lobbied to get the power to take taxpayer funding and turn the country into a surveillance state should be punished.)
I admit I'm stupid on this one.
DUer of old. It's like the tombstoning of Walt Starr. He became far more famous after he demanded to be tombstoned. Or like spelling Moron, "Moran" because of the famous picture. DU loves its memes and especially loves its self made memes.
I miss Random Thoughts. He was genuinely mystifying to many of us, myself included, but I'll never forget the many times he demanded beer and travel money. And experiences.
Hence, the reason I clicked on what is a mystifying topic for me. I know the NSA has compromised something and I get that it's about encryption but I wasn't even able to wrap my mind around PGP in the day. I think this is something like that. Or not?
That's one way I know I'm not one of the called outs. I couldn't write a coherent enough post about this topic if my life depended on it.
It is indeed a reference to Random Thoughts, who often posted what some consider word salad, but every now and then posted something that would really take you places through abstract profundity.
because I agreed with you. I even offered my opinion on why that was true, too. So send forth the beer and travel money.