 You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
The tinfoil hat brigade will love this.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
Shocking stuff.
Not shocking, really. Moore's law ensures the vulnerability of electronic comms to surveillance. Email is about as secure as the Post Office.
[img] 
[/img]
boxfish - Member
Not shocking, really. Moore's law ensures the vulnerability of electronic comms to surveillance. Email is about as secure as the Post Office
Not really - a truly random password of 16 characters is essentially uncrackable by any computer smaller than a planet. The rate at which the job gets harder just by adding one character far outstrips Moores Law.
DrJ - Member
Not really - a truly random password of 16 characters is essentially uncrackable by any computer smaller than a planet. The rate at which the job gets harder just by adding one character far outstrips Moores Law.
Not as simple as that, the algorithm may have flaws or backdoors engineered into it - IIRC the NSA already are known to have previous on doing exactly this. Sophisticated hardware such as FPGAs can also be used to massively accelerate the process beyond what's possible with a normal CPU.
Also this sounds like it isn't really anything to do with passwords, but TLS/SSL i.e. for eaves dropping on connections to 'secure' sites (HTTPS).
That was sort of my point - that just brute force is not enough, so Moore's Law is of limited help. The spies need to cheat.
(Bit more info [url= http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/ ]here[/url] BTW)
DrJ - Member
That was sort of my point - that just brute force is not enough, so Moore's Law is of limited help. The spies need to cheat.
Oh I see, (and I agree)
Dan Brown, Digital Fortress similarites me thinks...
Didn't they get a bit shifty with the guy who did PVP keys or is that just an old wives tale that they couldn't break it
Huh. And there I was thinking one of the pros of shelling out for a Westmere chip was the on-the fly AES encryption.... hmmm if anyones implementations are compromised it'll be Intel's
No mention of open source in that article, but in the comments TOR and TrueCrypt.
Hmmmmmm indeed.
I was thinking about this and thought;
"Open source encryption software would be relatively immune to this - it's the keys that make it secure and if the source is visible then there can't be backdoors"
and then I thought;
"They'll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build."
It seems, at the moment, that it's not being paranoid that's the problem, it's not being paranoid enough.
and that 'well if you've done nothign wrong you've got nothing to hide" argument is, frankly, bollocks - if you have no idea who is lookign at your online activity and why you have no basis for judging whether it is a threat to you or not.
The Stasi would be amazed by what we've achieved.....
Anyone know of a good alternative to gmail?
Didn't they get a bit shifty with the guy who did PVP keys or is that just an old wives tale that they couldn't break it
Oh there was all sorts of problems with that. Without some sort of back door hack PGP is effectively unhackable, unless someone has come up with a short cut method of factoring for prime numbers. The maths behind it is actually deceptively simple. There is a section on it in Simon Singh "Code Book"
But have they found Fred's new log-in yet?
brute force is not enough
No, on it's own it isn't, but if you have known vulnerabilities then processing oomph enables quicker exploitation of the holes.
This isn't particularly new news unfortunately. Stories of commercial software with agency backdoors in have been circulating for years. PGP and TrueCrypt being the main headline ones.
One of the points made in the article is that agencies may have been sitting on encrypted data waiting for computers to catch up so they could brute force it or wait for a vulnerability to be announced.
Don't forget it's not the just the length of your password that makes it difficult to crack, the algorithm used to encrypt it is paramount. Stuff that was deemed effective years ago is now understood to be weak such as DES and WEP and even stuff that is still in regular use such as SSL is known to be vulnerable. We intercept and decrypt all SSL traffic leaving our company on the fly with a few exceptions (medical/banking etc).
"They'll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build."
Thank goodness we have open source compilers then.
The NSA/GCHQ stuff appears to rely on nobbling the server's private keys, so if you have some method where the private keys aren't available (person - person PGP using short term keys) then its back to being unhackable (at least in a sensible timeframe). That's just what the math dictates.
Its a bit like car theft now. Cars are so difficult to break into, its far easier to pinch the keys by mugging the owner.
Anyway, this kind of stuff has been going on for years, RSA was limited to 64 bits by the US so that they could hack it using brute force.
http://en.wikipedia.org/wiki/Key_size
[i]Thank goodness we have open source compilers then.[/i]
and they'll just put something in the firmware...
[i]Thank goodness we have open source compilers then.[/i]
the article suggests the NSA have been 'influencing' closed source vendors
We intercept and decrypt all SSL traffic leaving our company on the fly with a few exceptions (medical/banking etc).
How do you decrypt SSL? Is that simply by playing around with the CAs that the computers in your organization trust and then doing a MITM attack? Surely not brute-forcing the secret keys?
Didn't they get a bit shifty with the guy who did PVP keys
Yeah. He accused them of "camping" and "greifing" him. In an offical statement, they replied "less QQ, moar pew pew".
This isn't particularly new news unfortunately
It is in so far as it's backed up with facts rather than conspiracy-theory speculation.
How do you decrypt SSL? Is that simply by playing around with the CAs that the computers in your organization trust and then doing a MITM attack? Surely not brute-forcing the secret keys?
Exactly that... Publish a new root cert via AD.
I work with proxies that do MITM attacks on a daily basis and I have no doubt the American and maybe British security services have a high level Root CA that they can use to decrypt and re-encrypt SSL traffic if they feel the need to snoop.
All the other stuff probably has manufactured flaws.
Yes, MITM but SSL is historically flawed anyway which has been known for a long time
[i]It is in so far as it's backed up with facts rather than conspiracy-theory speculation. [/i]
Well I'm still seeing no real evidence here but there's plenty of evidence from leading security commentators (Schneider et al) that TrueCrypt has deliberately been nobbled going way back.
the thing about mitm attacks is you need to be set up to intercept the traffic in the first place.the information available seems to be more hinting at they can retrospectively decrypt, which more points to either flaws in encryption algorithms or backdoors. also the point about passwords being longer=stronger is not correct. password is only as good as the way it's hashed, they are very really encrypted as it's not the securest way of storing and using them.
The software is not the weak link in all of this... https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
Deliberately forcing companies to either weaken the encryption or leave back doors everywhere is pretty poor, as it weakens security for everyone. Eventually some criminal gangs will spot a back door and then hack all our bank traffic online etc. The government can always get access to specific data via court orders, so there is no need to undermine all encryption on the web.
The NSA, now:
[img] 
[/img]
Things are bad. And I'm not overly worried about people reading my emails, but the flouting of the principles behind laws is more worrying.
The government can always get access to specific data via court orders, so there is no need to undermine all encryption on the web
I think a court order against, say, a suspected terrorist might (a) be ineffective and (b) give away the fact that they're being monitored.
I think a court order against, say, a suspected terrorist might (a) be ineffective and (b) give away the fact that they're being monitored.
They do it all the time and the suspect wouldn't be told. The order would be between GCHQ / Police and the relevant company eg Vodafone, Google, your bank etc.
c, if they are using one time encryption get them nowhere
They'll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build.
Thank goodness we have open source compilers then.
Actually... it turns out you can still hide a backdoor in an open source compiler:
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
http://cm.bell-labs.com/who/ken/trust.html
People are surprised by this?
They do it all the time and the suspect wouldn't be told. The order would be between GCHQ / Police and the relevant company eg Vodafone, Google, your bank etc.
Those requests are for for intercepting communications, which is a separate issue from weakening crypto or putting in back doors. A RIPA request may result in a load of ciphertext, at which point you either serve a notice to try to get the keys or more likely exploit one of those weaknesses/back doors.
[img] 
[/img]