Press "Enter" to skip to content

NSA: Crypto compromise news gets worse

Edited

The non-surprising, horrendously shocking, news about the National “Security” Agency’s perfidy gets worse. Again, we’re dealing with something that’s been speculated about for years but whose real bogeyman shape has only now materialized thanks to Edward Snowden.

Wired has one take on it — and some doubts.

A friend whose profession is data center security has a more apocalyptic take (the second half of what he says is what we all need to be aware and beware of):

RSA has now admitted that they pushed a known flawed random number generator in most if not of all of their products …. I know a bit about the firm. It is chock full of serious crypto people.

The flawed code was known in 2006 and widely discussed in 2007 and since at crypto conferences, hacker cons, Schneier’s blog, etc. There is absolutely no way that RSA just made a mistake. They were coerced or willing accomplices in making a flawed PRNG the default in their products.

I’ve asked for an emergency session at the upcoming data center conference; I don’t know if I will get it. Here is the gist of what I think most people are missing.

Snowden was not the first to steal NSA data. He is only the first to publicize it.

The NSA’s massive database is essentially impossible to secure even with competent help and leadership. They have neither. Snowden was just a sysadmin, no special skills. Yet to this day the NSA has no idea what he took or when.

This means that other people can and will take information from the NSA and sell it to interested parties. You can think about that list as long as you would like.

Why did Willie Sutton rob banks? When the NSA leadership decides to “vacuum it all up,” and “collect everything” where do they go? Data centers. The banks of the information age.

Every data center of any size, every one of them, has been attacked. We must assume that, it is almost certainly true. Even if the NSA hasn’t the time or interest to break the crypto on the data streams, they are recorded.

This means there are huge sacks of digital treasures stored at the NSA. Pick your target. Credit cards? Stock info? Automate stock buy./sell strategies? Oil fields? Diplomatic cables? All of them are there, insecurely stored at the laughably misnamed NSA, waiting for thieves.

And we know that the thieves can get not only the data, they can get the keys to the weakened crypto protecting that data.

Every firm in the Fortune 500 must assume that they are compromised. No matter what they think about the NSA and the fedgov, they have to now think about what to do with the knowledge that their adversaries can almost certainly get access to every byte passed into or out of their data centers in the 21st century.

The Guardian, the outfit that’s broken most of the Snowden-related news, opened a story:

A major American computer security company has told thousands of customers to stop using an encryption system that relies on a mathematical formula developed by the National Security Agency (NSA)

I have to believe that one reason people aren’t reacting more strongly to this is that the problem is so huge that it’s hard to grasp the implications.

Again, this isn’t talking about the crypto we keep on our computers and use for email or document privacy. This is about the “security” that’s supposed to protect the Internet. Banking. Buying. Medical data. Credit cards. Everything.

If the news is true, then the NSA — and its accomplices in alleged private enterprise — have not only broken the Internet, but they have put the safety and security of every person who uses the Internet at dire risk. They have opened everyone’s “private” data to thieves and villains of every stripe — that is, thieves and villains even outside of the thieving, villainous NSA itself.

Oh, what a travesty to commit in the name of “security.”

(Wired story via Borepatch.)

13 Comments

  1. Scott
    Scott September 25, 2013 6:57 pm

    The problem is huge, and it’s intractable. How do you walk back technology? If you can’t, and I say you can’t, how do you stop the misuse of technology? If you can’t, and I say you can’t because humans are humans, how do you discourage the misuse of technology? Prison? Death? What do you do until people actually start going to prison because they were caught? What about the ones who aren’t caught?

    I roll this around in my head almost every day, and haven’t come up with an answer yet, or even the start of an answer. Keeping your head down by staying off of Twitter & Facebook seems utterly futile. TOR and VPNs seem futile. Encrypting a laptop seems futile.

    I remain mystified as to where to go or what to do.

  2. Pat
    Pat September 26, 2013 5:20 am

    Well, there is one way to let the bastards know what they’re dealing with – SHUN internet business for, say, three months, and see what happens.

    I know… no one could or would do it. No company, bank, credit system, hospital, or database could afford to return to a paper balance sheet even if immediate changeover was possible – which it isn’t. And people in general are not willing to put extra effort into any cause which might inconvenience them for one minute, let alone an extended period of time.

    But if individuals _did_ return to a paper/offline budget – by removing themselves from automatic or online payments, bank accounts, buying/selling, etc. – it would certainly impact companies sufficiently to wake them up. It might force them to insist their own systems be secure, and put out both intellectual and technological effort to ensure it was done – instead of relying blindly on those companies that “secure” them. By making all businesses (big and small alike) aware that people are no longer willing to deal with them, those companies might grow some backbone in dealing with government.

    It would be interesting to know how reverting back to paper _would_ impact business. For all we know, many individals might already be attempting this, in light of revelations about NSA.

    Certainly online transactions are convenient, but – are they worth it? While we talk about not having the ability to change the course of technological impact, we DO have the ability to change our own actions.

  3. Claire
    Claire September 26, 2013 6:37 am

    REW — That first link is wild speculation from someone who seems not to understand how radios work.

    Second link is great and I will happily take it to the front of the blog ASAP.

  4. Bob Robertson
    Bob Robertson September 26, 2013 7:56 am

    Assume all data online is compromised. You have no secrets, and never did.

    If my bank account is emptied by thieves, I have legal recourse. By govt, I have none. I’m not really worried about thieves.

    As far as govt secrets go, I could not care less. “How to build a nuclear bomb” is utterly irrelevant to people’s lives, and anything that inconveniences govt is fine by me.

    The only thing I would really recommend is to not keep all your money in the bank. Keep what you need to keep in the bank, the rest in tangible assets (ne Cash).

    Lastly, use good passwords. Write them down. Use Linux and GPG.

    At this point the common man is exposed, but each of us is only one of billions so exposed. It’s a horrible case of needle-in-a-haystack. Revel in your personal irrelevance.

  5. Claire
    Claire September 26, 2013 8:08 am

    I’m not a techie, either, REW. So maybe some of our authentic techies will chime in. But my take is that while the “feature” (according to genuine reports) does exist in the chip, it probably doesn’t do what the some non-techies fear it does.

    But then, I’ve discovered in the past that, no matter how paranoid I think I am, I’m never paranoid enough.

    The TGDaily piece (thanks for the link) is definitely thought provoking.

  6. Paul Bonneau
    Paul Bonneau September 26, 2013 8:39 am

    Uh, the thing to do is not panic.

    First, a philosophical point: “In the long term, we are all dead.” Puts a little perspective on things. Humans muddle through despite complete inability to reach perfection. In this case, no OS or hardware was ever perfect, yet we find use for them anyway.

    As to all this FUD, read some of the comments. Here’s one example:
    “There’s nothing new in this. It is all known for years and well documented. This is a corporate/enterprise feature for IT admins. By the way the corporation owns those computers and not the employee. There’s no conspiracy theory here. If you happen to buy a vPro Core i5/i7 but you don’t buy the SMB or the AT you can’t even activate the function, and noone is able to remotely turn on your computer. I hope the author is happy about the income generated by the increased visitor count using fake news.”

  7. Paul Bonneau
    Paul Bonneau September 26, 2013 9:58 am

    BTW I checked my own computer (along with the hardware manual) that I bought a couple of months ago (a Lenovo G780). It had no Q45 chipset; instead it had an HM76 one. Nothing at all about vPro. This stuff sounds like things they put on corporate computers (for added cost, mind you) that would never be found on a consumer grade computer. This is not to say you shouldn’t, for example, turn off “wake on lan” or any similar sort of thing you have in your BIOS. Also, don’t install things like “GoToMyPC” on your machine, and turn off any error reporting facilities you have in your OS.

    The most important thing you can do for security remains, GET OFF WINDOWS! There is no need to get your panties in a bind over vPro.

  8. Claire
    Claire September 26, 2013 10:14 am

    Thanks, Paul. That’s helpful stuff.

    There’s so much to get genuinely alarmed about; it’s good to be able to save energy by not getting alarmed about something for a change. 😉

  9. Paul Bonneau
    Paul Bonneau September 28, 2013 9:32 am

    Claire, did you catch this article? Another one that makes a person go, “Hmmmm…”

    http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/

    No matter what, it looks like lots of this kind of code is going to get scrutiny and fixing – even if they are not sure a back door was intentionally put in. The end result will be better security; just give the process some time…

  10. Claire
    Claire September 28, 2013 1:41 pm

    Paul — I did, thank you. In fact it’s up there in the main body of this blog entry. No problem on the duplicating, though. Good article.

  11. Paul Bonneau
    Paul Bonneau September 28, 2013 2:54 pm

    Ah hah 🙂

Leave a Reply