The full list of documents: http://www.spiegel.de/international/world/nsa-documents-atta...
The accompanying lecture: http://streaming.media.ccc.de/relive/6258/
Also, obligatory: https://eff.org/donate
In addition to encouraging the NSA (and equivalent agencies in other countries) to change its approach, developers will do what we always do and build new secure protocols and tools with the lessons from previous attempts in mind.
It is a cat-and-mouse game that will never cease.
By "targeting" its information gathering capabilities by providing information about its activities.
Information is power.
- Royal Jordanian
- Transaero Airlines
Govs:
- Mexico
- Pakistan
- Turkey
- Afghanistan
Slides 41/42.
http://gotocon.com/cph-2014/presentation/Privacy%20and%20Sec...
Where he argues that even though we cannot achieve complete security there is great value in raising the bar. If we continuously make it increasingly harder for the NSA, Mossad, GCHQ and the rest of them to spy on us, we can achieve good enough privacy, where most communication will be secure. But he also argues that if one of these agencies really wants to target YOU specifically, they will get to the information. By breaking into your house and installing cameras, if necessary.
It does raise the question what all the mathematicians are doing at NSA, and why they don't seem to have come up with any meaningful results. Suggests they are a waste of money, but then that's all of the NSA.
I suggest all of you check the original material (powerpoints w/ screenshots). A lot of people here suffer from the action movie mentality where they think the NSA is not like any other government agency, i.e. inefficient, behind the times, filled with horrible middle managers, deadweight... you get the idea. Things like the enterprise Java web interface, the CSV mass data export and "genericIPSec_wrapper.pl" can quickly dispel that myth.
For instance:
* We know that the NSA has a novel md5 collision capability since they have used it in their malware. None of the Snowden docs, that I have seen, have talked about this.
* It is likely based on public research that the NSA can break 1024-bit RSA, but this has not shown up in the documents either.
My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.
For example, they claim Canada is monitoring hockey sites:
> Canada's Communications Security Establishment (CSEC) even monitors sites devoted to the country's national pastime: "We have noticed a large increase in chat activity on the hockeytalk sites. This is likely due to the beginning of playoff season," it says in one presentation.
But if you look at the actual slide https://i.imgur.com/2GO8H6L.png, it is clearly a fake sample report of what a real one might look like. It even uses the name 'Canukistan' as the country name.
There are 44 slide decks, one of the biggest leaks so far. It will take time to make sense of the noise. And any misinformation from reporting by non-technical journalists doesn't help the cause.
Additionally something like an effective attack against AES, RSA, or any other major encryption standard will probably be so compartmentalized that it won't even have a code word.
But on the other hand S31176 refers to a program which provides cryptanalysis against VPN (IPSEC, SSL and more) and it claims that they can decrypt (some of) the traffic. http://www.spiegel.de/media/media-35515.pdf
It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.
My overall impression is that this doesn't reveal any new attacks. They are most likely using known vulnerabilities. For example, they decrypt PSK IPSec by exploiting routers and getting the keys, not breaking the encryption.
Just like the rest of the government, the NSA is not a monolithic entity with no separation of concerns. There are people who clean the floor and people who are at the extreme cutting edge of research.
Don't let anyone convince you otherwise.
The belief that the NSA is at the extreme cutting edge and just so far ahead is exactly what stops us from making iterative, simple improvements on the technology we use. It's plain unhelpful, and as the data suggests, probably wrong.
(The separation of concerns part is hilarious. Remember, this is the same agency where Snowden managed to wget -r their wiki and various other databases and then go on an extended vacation unnoticed.)
> non-technical journalists
Ever heard of a certain Jacob Appelbaum?
However we already knew for a while that the active attacks are being done:
http://www.theguardian.com/technology/2014/dec/07/north-kore...
The active attack can of course obtain enough information to decrypt the traffic automatically afterwards or even record it unencrypted. It appears that's the context of the SSH decryption in the documents.
So, all your sessions are hosed at some point in time. Either now or in the future.
And yes, sensationalizing is sometimes necessary to get more folks onboard to work with the documents.
I look forward to the day when they walk away from their jobs.
[1] http://research.microsoft.com/en-us/people/mickens/thisworld...
Yes, for now OTR and PGP are fine. There must be a big speculation on future breakthroughs regarding breaking crypto - otherwise they wouldn't build Bluffdale.
Edit: Instead of downvoting, how about taking position?
> What they do if they find weaknesses is a different question.
Is it? It's obvious what they're going to do when they find those weaknesses. If they let people know of those weaknesses, they wouldn't be doing their job. Their job is to expose those weaknesses, so they can spy on us and take away whatever we have left, in this case strong encryption.
The present is problematic enough, we don't even need to hypothesize on the future breakages.
1) http://en.wikipedia.org/wiki/Forward_secrecy
"As of December 2014, 20.0% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers."
IPsec is also often configured with PFS disabled, even though the RFC is from 1998 ( http://tools.ietf.org/html/rfc2412 )
Right now everyone's digital communications are being collected by those agencies, via fiber optic cable taps [1]. This could be called bulk surveillance. Different people & groups have access to these databases of communications. Some are government employees, some are contractors. Now, what if an activist or a Senator starts speaking out against bulk surveillance? Would those with access to the databases be tempted to run a few queries?
'SELECT * FROM `sms` WHERE `person_id`="$senator_id"'
Note: Most analysts would never run that query. But it just takes one.
[1] http://www.pbs.org/wgbh/pages/frontline/homefront/interviews...
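The control that answers "it just takes one" is an audit trail in which every query against person-level data is logged with the analyst and a case reference, and is reviewed by rule. The following is an added example, not anything from the thread: a small Python checker over constructed audit-log lines (the log format, the `sms`/`calls`/`email` table names and the case-reference convention are all assumptions made for the example) that flags queries on sensitive tables with no case reference, over-broad `SELECT *` queries, and lines the logger could not record properly.

```python
import re
from collections import Counter

SENSITIVE_TABLES = {"sms", "calls", "email"}          # constructed policy for the example

LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) case=(?P<case>\S+) sql="(?P<sql>.*)"$')
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+`?(\w+)`?", re.I)
SELECT_STAR_RE = re.compile(r"\bSELECT\s+\*", re.I)


def parse_line(line: str):
    """One audit record as a dict, or None when the line does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tables_in(sql: str) -> set:
    """Table names referenced after FROM/JOIN (good enough for audit triage)."""
    return {t.lower() for t in TABLE_RE.findall(sql)}


def findings(lines) -> list:
    """(user, rule, detail) triples. Rules: a query touching a sensitive table must
    carry a case reference and must not be an unbounded SELECT *; lines the parser
    cannot read are themselves reported, since a gap in the audit log is a finding."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out.append((None, "unparseable", line))
            continue
        if not tables_in(rec["sql"]) & SENSITIVE_TABLES:
            continue
        if rec["case"] in ("", "-", "none"):
            out.append((rec["user"], "no-case-reference", rec["sql"]))
        if SELECT_STAR_RE.search(rec["sql"]):
            out.append((rec["user"], "select-star", rec["sql"]))
    return out


def by_user(found) -> Counter:
    """How many findings each analyst accumulated; the review queue is sorted by this."""
    return Counter(user for user, _, _ in found if user)


# Constructed audit-log lines (the format is made up for the example).
LOG_LINES = [
    '2014-12-28T10:02:11Z user=analyst17 case=CASE-4411 sql="SELECT body FROM sms WHERE person_id=88123"',
    '2014-12-28T10:05:40Z user=analyst22 case=- sql="SELECT * FROM `sms` WHERE `person_id`=55001"',
    '2014-12-28T10:07:02Z user=analyst22 case=- sql="SELECT count(*) FROM metrics"',
    '2014-12-28T10:09:15Z user=analyst05 case=CASE-0917 sql="SELECT * FROM calls c JOIN sms s ON s.person_id=c.person_id WHERE c.person_id=55001"',
    'corrupted line that the logger truncated',
]

if __name__ == "__main__":
    for user, rule, detail in findings(LOG_LINES):
        print(f"{rule:18s} {user or '-':10s} {detail}")
    print(by_user(findings(LOG_LINES)))
```

The point of the design is that the check runs on the log, not on the analyst's good will: a query without a case reference is a finding even if it was entirely legitimate, and that cost is what makes the log worth keeping.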
No...their job is to exploit them, not expose.
Big difference.
This is why advocating for technical defenses alone is doomed to fail. It's great to employ as much technology as we can, but playing cat-and-mouse with our own government is a losing proposition. They are determined and have unlimited resources (read our money plus the printing press).
There needs to be much more pressing on the legal front, such that unwarranted breach of privacy is criminally punishable in very clear ways. If an individual is not the subject of an investigation, for which proper warrants have been obtained, then no records of any kind should be collected or maintained. Full-stop. And efforts to decrypt private communications, etc. should be considered criminal acts. All of this needs to be protected with very clear and robust whistle-blower laws.
Otherwise, thinking that we will deploy some tech to permanently stymie our government is fantasy. And over-focus on that aim tacitly cedes that our government is entitled to whatever it can crack.
Good enough privacy is no privacy.
Anyway, this is completely the wrong mindset. This is a legal problem which requires, not pretty good tech, but clear, strict laws, with whistle-blower protection. We have to stop ceding that this is legal or should be legal.
Otherwise, we've already lost.
I say "some" since Schneier has stated he now considers there to be at least 3 leakers... https://www.schneier.com/blog/archives/2014/08/the_us_intell...
The other two leakers got their information from somewhere, and it could have also included access at their own discretion.
* Revealed: US spy operation that manipulates social media (http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...)
* How Covert Agents Infiltrate The Internet To Manipulate, Deceive, And Destroy Reputations (https://firstlook.org/theintercept/2014/02/24/jtrig-manipula...)
Changing economics by deploying more PFS ciphersuites and shifting to technology which requires active attacks instead of passive ones can give real, practical improvements in privacy, even against state actors.
http://www.spiegel.de/media/media-35515.pdf
Did he actually say break?
The United States and allies do use the internet to spread Western culture and ideas, start revolutions, and kindle insurrection.
The United States CIA attempted (and nearly succeeded) in inciting a revolution against Castro by pretending to be a series of grassroots movements on a Twitter-like platform and by inciting anti-administration feelings within the Cuban population. That was earlier this year.
"USAID effort to undermine Cuban government with fake ‘Twitter’ another anti-Castro failure" [1]
The United States has an ongoing effort to use Internet media to 'deradicalize' the next generation of Middle Easterners and actively manipulates public opinions in Jordan, Cairo, Syria and other Middle Eastern states. Here are some quotes from one DoD MINERVA paper:
"...it is imperative that we develop empirically-based procedures for countering messages that promote violent extremism and anti-Western beliefs..."
"...Neural predictors of Twitter impact in Cairo (UCLA & Egypt). Our prior work (Falk et al., 2012), indicates that neural responses of a small group can predict which persuasive messages will be more successful in mass media campaigns..."
"... Defense Group Inc. already tracks Twitter trends specific to Egypt and will identify which of the selected Twitter topics went on to be highly influential over the next month and which did not..." - Matthew Lieberman, UCLA, September 30, 2012, Department of Defense MINERVA Initiative [2]
Here's one US company that does it. MARAYA MEDIA - "Driving Intelligent Dialog". [3]
The United States engages in targeted mass media and social manipulation to stir dissent in target nations, and to quell dissent where destabilization would hurt policy objectives. The DoD's MINERVA project specifically looks to understand the cultural components of stability of various countries and mechanisms to encourage or disrupt that stability. Among a great number of social studies you will find DoD research on how to seed information inside of specific Asian countries, including China, for the targeted introduction of instability. I will leave speculations of possible connections to the Hong Kong protests to the reader. [4] During the Iraq war US officials were known to detain Iraqi journalists and bloggers and force them to write articles in favor of the American efforts or to spread misinformation useful to ongoing campaigns. The CIA purposefully slipped misinformation into American media outlets to fool counterinsurgents who were reading American media (the infamous "Fallujah PsyOp").
This should not come as a surprise given the history of the US: The United States and allies are known to target media in other countries to stir dissent. Radio Free Europe, "Voice of Iraq" (cough American), the Lincoln Group infiltrations and partnerships, etc.
But now with global interconnectedness it is easy to set up 'foreign media', blogs and other politicizing content to influence other nations' populations.
In the past decade it has become a global issue.
This year Egypt sentenced Al Jazeera journalists that they believed were partnered with geopolitical interests of other states. Putin's administration is now requiring bloggers to register if they have a certain number of readers, so that his administration can curtail international influence. China blocks many American services including Facebook and Google. The usual story in America is that they are censoring free speech. The truth is that they do not want foreign influence to destabilize their population and that they do not want their citizens' data in America's PRISM program (there's a reason it's called the FISA "Foreign Intelligence Surveillance Act" court).
The Snowden revelations showed us how intelligence agencies are involved in PsyOps - the term for 'psychological operations' used by the CIA and others. The GCHQ's BIRDSONG/BADGER/GATEWAY/SLIPSTREAM/ETC and partnership with the NSA are used to influence online polls, discussion forums and to vote up and down content that aligns with policy goals. [5][6][7] The giant meta-data graph created by the NSA is also particularly valuable for 'influencer' and 'social contagion' analysis (leaks showed they do use it to understand internal chain-of-command and organization structure for target selection). It's why metadata matters. A nice illustration of this is the article "Finding Paul Revere."
And so we have issues here with the use of targeted social influence in America as well. First there are instances where other countries are trying to incite disruption in the US - the US wants to study and curtail it. [8]
A number of journalists have called out that the state has been extremely aggressive to dissenting opinions, even to go so far as labeling current policy on the issue "War on Journalism". American officials have exported a number of journalists with Middle Eastern descent and journalists like Ayman Mohyeldin have been pulled from Gaza and other conflicts when reporting has erred on the side of other state interests. The crackdown on journalism is worth another post I don't have time to write.
Just look at how central a role controlling internet dialog is for running a modern US presidency. A Google search for "Obama internet campaign" [9] results in headlines "How Obama's Internet Campaign Changed Politics", "How Obama won the internet", "Barack Obama and the Facebook Election", "Propelled by Internet, Barack Obama Wins Presidency" - this isn't because of grassroots discussion but because both Obama and McCain (and Romney before him) had cyber centers in control of internet PR engaging tens of millions of dollars in Twitter messages, etc.
You can nudge public opinion by bombarding them with an influx of the same message, slightly disguised in one way and then another. The MINERVA program has plenty of good reading with regard to this. Anyway, the USG does this overseas and, to a limited degree (you decide how limited) presidential campaigns and journalistic partnerships (anyone want me to write a blurb on that...?) have them doing it inside the United States as well.
[1] http://www.washingtonpost.com/lifestyle/style/usaid-effort-t...
[2] http://minerva.dtic.mil/doc/samplewp-Lieberman.pdf
[3] http://www.marayamedia.com/company.php
[4] https://firstlook.org/theintercept/2014/02/24/jtrig-manipula...
[5] https://firstlook.org/theintercept/2014/02/24/jtrig-manipula...
[6] http://www.theguardian.com/commentisfree/cifamerica/2011/jun...
[7] http://www.dailykos.com/story/2011/02/16/945768/-UPDATED-The...
[8] http://www.washingtonpost.com/opinions/truthy-project-is-unw...
[9] https://www.google.com/?q=obama+internet+campaign
Comment reprised from here: https://news.ycombinator.com/item?id=8709976
My comment was specifically with regard to the NSA, as is the topic of this article.
Certainly the NSA should be concerned with laws, and laws should be sufficient.
Their official line is that the data isn't being collected, correct?
It's fun to think that we're so important that the US government cares enough to intervene in our political discussions. But we are not, not a single one of us. If pg himself called for open insurrection in his next essay, no one in the NSA would lift an eyebrow or raise a finger. Until this or any community becomes known as a hotbed for muslim extremism or communist agitation we're simply not on the radar in any way. As far as hackernews and reddit are concerned, "shill" is a synonym for "someone who disagrees with me" and always will be.
Most people here don't have a lot of faith in our system of government these days and even less faith in those that do the governing. But the truth is that the American democracy has been around for hundreds of years and it will take more than a SQL statement to bring it down. There are checks and balances and highly motivated and intelligent people with a lot to lose on both sides of every issue. This too shall pass.
I agree with the sentiment that this does not imply reddit or hackernews are subject to influence by the United States Government or allies.
I do not agree that the idea is preposterous or laughable. This is because we do know that the NSA infiltrates domestic technical groups as they did with the IETF to affect standards discussions, that they infiltrate activist groups inside the United States to disrupt them, that they are aware of social contagion theory and its usefulness in affecting public opinion, that they have done studies with at least the UCLA on viral messaging for Americans (to compare to, with and against foreign countries), that political campaigns use social targeting techniques without branding and will comment on news articles (to be 'first to post') to color conversation on hot button issues during the races, and that companies with political interests and who share a revolving door with elected office also advertise political discourse online in this way. Thinkst researchers studied how easy it is to manipulate online social conversation, news media outlets and platforms. We know that the GCHQ have JTRIG capabilities to perform internet manipulation and that there are documents from Snowden that specifically mention their use in derailing conversations on online forums. There have been reports of PR firms of private companies astroturfing reddit and others. And we know that HBGary Federal and other cyberoperations contractors for the US Government sell astroturfing services.
What we don't know is that reddit or hackernews are targeted specifically or for domestic purposes by the US Government. We have a few indications that this is done for large media outlets (recently Judith Miller, Ken Dilanian, CNN on Bahrain) in tandem with other leverage like access to officials, exclusive press passes and permission to report at the edges of no-reporting zones. Unfortunately there isn't enough evidence to be conclusive yet about the reddit/HN case as there have not been leaks that speak directly about it, so any debate in this area is bound to be speculation versus speculation.
The bulk collection has been going on for at least a decade now.
> Politicians aren't known for being tech savvy, but they aren't known for being stupid either.
I've observed politicians get away with certain behaviors, to a point. For example, Eliot Spitzer, or Bill Clinton. Once they become a target, their trespasses aren't necessarily forgiven.
> This too shall pass.
The Snowden revelations are "The Jungle" of our time. We'll adapt to these issues. Still, our adaptation won't be free, and a proactive attitude will benefit us.
(But I guess you knew that already.)
Additionally, domestic US propaganda is now legal:
https://www.techdirt.com/articles/20130715/11210223804/anti-...
Further, sock puppetry is an established tactic:
http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...
http://mashable.com/2011/03/17/centcom-social-media-personal...
http://www.fbodaily.com/archive/2010/06-June/24-Jun-2010/FBO...
So the only question is, specifically which sites are targeted and to what ends. If the metadata shows that HN or your favorite sub-reddit has out-sized influence on matters of national concern, then they're probably targeted.
Presented by Spiegel are internal services that are designed on purpose to be more economical. They exploit more bad implementations. It doesn't really matter as long as the dirty tricks get the work done.
Also, NSA seems to troll for targets from the vicinity of their targets of interest. It is again more economical, and can be just as revealing. The risk there is that the broken target has nothing of use. The real movie style "let's break the encryption keys" stuff is done for sure targets when they get the extremely rare high value target on a platter.
That said, better encryption will raise the cost of NSA's surveillance which might eventually lead to policy reform (when budget hawks are forced to act). And it might mean their dragnets have to be more targeted which could slow the expansion of the definition of "terrorist".
I think the most effective actions would be to make the public outraged over cracked encryption and surveillance. And even with all these leaks, that hasn't happened IMO (debatable I know). Outrage would happen if people understood how this has real-life effects. Storytelling is what's needed, not white-papers and tech blogs.
edit: wanted to add that Bruce Schneier gave an excellent talk on the topic of your question, https://www.youtube.com/watch?v=3v9t_IoOgyI
Please don't reprise comments on Hacker News. This is a place for conversation, not boilerplate.
(Just to be clear, your other comments are part of the conversation and are thus fine.)
I'd say most of commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large
While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.
To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.
It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.
Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.
As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.
But the moment he breathed SSH, pretty much all of IRC and the whole Saal 1 could not think of anything else. Everyone and their brother wanted to know what to use instead of SSH now that it's broken. There was a bit of panic in the air.
My suggestion is to go to the leaked slide and make your own conclusions. Some of the most credible people we have are behind OpenSSH, and the crypto primitives are used in a very straightforward way.
Do I take the ssh claim seriously? Do I just pretend the hockey monitoring paragraph isn't there?
Perhaps I should read the source for myself. http://www.spiegel.de/media/media-35515.pdf
Alas, there's very little in the way of detail. There's exactly one slide (19) dedicated to ssh, which says it can "potentially recover usernames and passwords." That would adequately describe a simple mitm attack where somebody either accepts an unknown server key or uses a client that doesn't even check (e.g. Prompt for iOS). Slides 35 and 36 mention ssh and decryption, but it sounds like they're talking about further processing after decryption. How is that decryption being done?
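The simple MITM described above only works against a client that accepts an unknown or changed server key. As an added illustration (not from the thread or from OpenSSH itself), here is a Python sketch of the host-key check a client must do: it pins keys from a `known_hosts`-style file (including the hashed `|1|salt|hmac` host form written by `HashKnownHosts`), prints fingerprints in the `SHA256:` format `ssh-keygen -l` uses, and returns `unknown` or `mismatch` (both of which must abort) rather than prompting or silently accepting. All key blobs and host names are constructed for the example and are not real keys.

```python
import base64
import hashlib
import hmac


def openssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: plain comma-separated names, or the
    hashed form |1|<salt>|<HMAC-SHA1(salt, hostname)> written by HashKnownHosts."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        return hmac.compare_digest(hmac.new(salt, host.encode(), "sha1").digest(), mac)
    return host in pattern.split(",")


def verify_host_key(known_hosts: str, host: str, key_type: str, presented_b64: str) -> str:
    """Return 'match', 'mismatch' or 'unknown'.

    Only 'match' may proceed. 'unknown' is the case a careless client (or a user
    who blindly answers yes) turns into a man-in-the-middle; 'mismatch' is a
    changed key and must abort loudly, never silently replace the pinned key."""
    seen_host = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")):  # comments and @marker lines not handled here
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        pattern, ktype, key_b64 = fields[:3]
        if ktype != key_type or not _host_matches(pattern, host):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(key_b64), base64.b64decode(presented_b64)):
            return "match"
    return "mismatch" if seen_host else "unknown"


# ---- constructed sample data (not real keys) ----
GOOD_KEY = base64.b64encode(bytes(range(51))).decode()        # the pinned server key blob
EVIL_KEY = base64.b64encode(bytes(range(51, 102))).decode()   # an interposer's key blob


def _hashed_pattern(host: str, salt: bytes) -> str:
    """Build the hashed host field the way HashKnownHosts would."""
    mac = hmac.new(salt, host.encode(), "sha1").digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example.invalid,10.0.0.5 ssh-ed25519 " + GOOD_KEY,
    _hashed_pattern("git.example.invalid", b"0123456789abcdefghij") + " ssh-ed25519 " + GOOD_KEY,
])


def demo() -> dict:
    """The four outcomes a client can see; only the first two may connect."""
    return {
        "pinned":        verify_host_key(KNOWN_HOSTS, "bastion.example.invalid", "ssh-ed25519", GOOD_KEY),
        "hashed_pinned": verify_host_key(KNOWN_HOSTS, "git.example.invalid", "ssh-ed25519", GOOD_KEY),
        "changed_key":   verify_host_key(KNOWN_HOSTS, "bastion.example.invalid", "ssh-ed25519", EVIL_KEY),
        "never_seen":    verify_host_key(KNOWN_HOSTS, "new.example.invalid", "ssh-ed25519", GOOD_KEY),
    }


if __name__ == "__main__":
    print("pinned fingerprint:", openssh_fingerprint(GOOD_KEY))
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The operational equivalent for a real OpenSSH client is `StrictHostKeyChecking yes` with `known_hosts` provisioned out of band (or `@cert-authority` entries), so that the "never seen" case is a hard failure instead of a yes/no prompt.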
https://www.imperialviolet.org/2013/06/27/botchingpfs.html
"I'm not aware of any open source servers that support anything like that."
The article is from June 2013, has anything changed since?
https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...
Active attacks allow access to the keys, and once the attackers have the keys, unless PFS is properly used, the old captured streams are readable. But often it's even easier to read the documents on the attacked machine directly.
Still, all this was known before the material we are commenting on now. Which doesn't mean we should let PFS remain unused or wrongly used as it is now, or that we shouldn't try to protect ourselves from the active attacks.
If we worry about the decryption of our SSH traffic, do we properly use PFS? What do we do to prevent or detect active attacks?
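A concrete way to answer "do we properly use PFS?" for TLS is to look at which cipher suite each server actually negotiates, since a suite with RSA key transport or static (EC)DH means one stolen server key decrypts every recorded session. The following is an added example, not code from the thread or from any of the linked articles: a Python classifier for OpenSSL-style and IANA-style suite names (TLS 1.3 suites are forward secret by construction because their handshake is always ephemeral (EC)DHE), run over a constructed set of negotiated suites. Host names and the negotiated suites are assumptions made for the example.

```python
import re

# TLS 1.3 suites only name the AEAD/hash; the handshake is always ephemeral (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}
ANON_RE = re.compile(r"^(?:TLS_)?(?:ADH|AECDH|DH_ANON|ECDH_ANON)[_-]")
EPHEMERAL_RE = re.compile(r"^(?:TLS_)?(?:ECDHE|DHE|EDH)[_-]")


def classify(suite: str) -> str:
    """'forward-secret', 'anonymous' (ephemeral but unauthenticated, so trivially
    interposable) or 'static' (RSA key transport / static (EC)DH: one stolen long-term
    key decrypts every recorded session). Accepts OpenSSL or IANA names."""
    name = suite.strip().upper()
    if name in TLS13_SUITES:
        return "forward-secret"
    if ANON_RE.match(name):
        return "anonymous"
    if EPHEMERAL_RE.match(name):
        return "forward-secret"
    return "static"


def audit(negotiated: dict) -> dict:
    """host -> verdict for every negotiated suite."""
    return {host: classify(suite) for host, suite in negotiated.items()}


def forward_secret_share(negotiated: dict) -> float:
    """Fraction of hosts whose negotiated suite gives forward secrecy."""
    verdicts = audit(negotiated).values()
    return sum(v == "forward-secret" for v in verdicts) / len(negotiated)


# Constructed sample: the suite a client ended up negotiating with each host,
# e.g. ssl.SSLSocket.cipher()[0] after a handshake.
SAMPLE_NEGOTIATED = {
    "a.example.invalid": "TLS_AES_256_GCM_SHA384",
    "b.example.invalid": "ECDHE-RSA-AES128-GCM-SHA256",
    "c.example.invalid": "AES256-SHA",                  # RSA key transport
    "d.example.invalid": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "e.example.invalid": "DHE-RSA-AES256-GCM-SHA384",
    "f.example.invalid": "ADH-AES128-SHA",              # anonymous DH
    "g.example.invalid": "ECDH-RSA-AES128-SHA",         # static ECDH
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_NEGOTIATED).items():
        print(f"{host:20s} {SAMPLE_NEGOTIATED[host]:32s} {verdict}")
    print(f"forward-secret share: {forward_secret_share(SAMPLE_NEGOTIATED):.0%}")
```

To feed it live data, the name returned by `ssl.SSLSocket.cipher()` after a handshake is exactly the OpenSSL-style string this classifier expects. Note that the suite name says nothing about the second half of the problem raised in the AGL post linked above: session tickets and resumption caches can undo forward secrecy on the server side even when every suite is ECDHE.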
Shutting down opposing dissent usually means that all your press is now only good as toilet paper (like the Pravda in Cuba)
"inciting anti-administration feelings within the Cuban population"
So, the population love the Castro administration then? And whoever opposes is an US shill, sure...
We are a bunch of disorganized folks with no budget and with no agreed goal on what is the best way to achieve this.
Also in defense you have to protect all the walls, in attack you just have to breach one.
I'm not saying we should do nothing, but that they will almost always be several steps ahead of us.
http://www.forbes.com/sites/kylesmith/2011/06/01/insider-tra...
The money quote: "There is no limit to how much money you can earn on insider trading in the House or Senate. Lawmakers and their staffers are specifically exempted."
While I would consider it unlikely that NSA feeds senators with free stock market tips, the members of the oversight committee are sure to have an extensive advance view to foreign (and domestic) market-changing intelligence. There has been systematic resistance to reforms - the members probably consider making a quick and safe half-million on the stock market a necessary perk of the job.
With public funding, lots of hardware and expert math/algorithm experts, it's less expensive
That is, even if the generated key-pair is really 1024-bit strong (and doesn't have any biases known by them)
https://www.usenix.org/system/files/1309_14-17_mickens.pdf
I don't know how he gets paid to write these. Perhaps as class clown for the fine folks at Microsoft Research? In any case, very amusing.
Another alternative (mentioned on otr-dev) is that an implementation which uses a low quality RNG feeding the ECDH might result in some messages being recoverable and others not.
An attack on CTR would indeed be pretty fundamental. Though some of the other documents appeared to support some level of cryptanalysis capability against some implementations of at least some symmetric ciphers.
I guess there is this: http://www.crypto.ch/en/solutions/crypto-secure-diplomatic-m...
From the Spiegel article: "Electronic codebooks, such as the Advanced Encryption Standard, are both widely used and difficult to attack cryptanalytically. The NSA has only a handful of in-house techniques. The TUNDRA project investigated a potentially new technique -- the Tau statistic -- to determine its usefulness in codebook analysis."
According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012.
By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.
Of course, all we have is a probably - this selection of documents is not anywhere near as comprehensive as we'd perhaps like here. We're having to fill in the blanks - and there's too many blanks to fill in clearly. There seems to be relatively little in this leak from NSA's PICARESQUE/PIEDMONT, or GCHQ's STRAP3 (which covers specific operational details: purely by way of hypothetical example :-), where individual full-take feed taps actually are in Telehouse North, or specific details about SIGINT enabling via the Cavium Nitrox chips), sadly. Alternative ideas (or leaks!) are welcomed.
Recent versions of OpenSSH have been using some non-NIST primitives from djb, including Curve25519-SHA256 key exchange, Ed25519 keys and ChaCha20-Poly1305 transports. I am quite confident neither NSA nor GCHQ have any good cryptanalytic attacks against those primitives.
There is mention of some exploitation against finite-field Diffie-Hellman in TLS (PHOENIX). That lacks context, however, and we can only guess about what's missing. One possibility is it's an active attack which tricks the peers into agreeing keys over an unsafe field (TLS 1.2 has no way to date for peers to suggest or agree on lists of named fields; however, the recent ffdhe draft does provide one) - however active attacks don't really fit the context under discussion in the slides. The TLS Working Group at IETF is currently discussing this, and a suggestion's been made to remove the old finite-field DHE transports due to their poor performance and apparent vulnerability, replacing them with ECDHE over secp256r1 (a NIST curve), and quite possibly in the near future X25519 over Curve25519 (a non-NIST curve). I don't know how that's going to resolve yet.
As a sysadmin, Snowden basically had root, and probably had access to pretty much everything that wasn't thoroughly airgapped. However, very few computing resources would have been cleared for that Exceptionally Compartmented Information. The documents he gathered were focused more on activities like mass surveillance and standard undermining, that he sought to blow the whistle on, rather than their targeted cryptanalytic capabilities in general.
640-bit RSA could be broken essentially in real-time by the computing resources available to GCHQ a couple years ago. Of course, they don't actually have to work in real-time, so I suspect that 1024-bit RSA is entirely within their capabilities currently, given that. Diffie-Hellman is slightly harder, but if they're prepared to throw some in the bin or lag behind, they can probably do it, but that's just guesswork.
Removing DHE is a mistake. The discrete log in prime fields is fine---as fine as RSA is, anyway---and it's a handy PFS backup in the (unlikely) case deployed elliptic curves turn out to be significantly wounded.
There is no known algorithm that can break a properly generated RSA key of that size - the work required with GNFS is equivalent to brute forcing a symmetric key of something like 280 bits. Anything that could do that should be able to break even 4096 bit RSA keys (~144 bit security) pretty much instantaneously, and their problems with PGP pretty heavily imply they cannot do that.
- Skype: insecure
- Cloud email (the popular ones used by end users): insecure
- Whatsapp: insecure
- Facebook messenger: insecure
- Email: insecure
- Dropbox: insecure
So in conclusion they are tapping into mainstream communication channels, it's their job.
People have become a bit lazy with cloud solutions and proprietary software because of their fast setup and convenience. People pay with their privacy for the convenience/laziness.
If the public thinks that the most prominent attackers on their privacy, security or identity are the best-funded intelligence agencies on the planet, then the likely outcome will be grumpy resignation and consequent failure to protect against more mundane (and more likely) threats. Security and encryption are considered difficult and tricky. Even for software engineers. Raising the bar by highlighting the scale of resources of the most competent attackers is counterproductive.
I think a practical threat model for an average internet user should highlight cyber-criminals, accidental misconfiguration, and careless handling of private information. Not NSA or GCHQ.
Edit: The discussion of mischief by NSA and GCHQ belongs to the debate on public oversight of government agencies. The article above is about using encryption on the internet.
Your first sentence seems to me like an excellent reason to remove DHE altogether from TLS 1.3, considering those servers do not support, and presumably may never support, (the draft) Finite Field DHE parameter negotiation.
Discrete log in prime fields does have the index calculus problem; it won't keep being good forever, and the performance gets worse. I'm banking on having enough different backup between ECDHE over secp256r1 and X25519 over Curve25519 that any elliptic curve difficulty won't be a problem.
The latter half of AGL's post is about systems security, not (really) the cryptographic security of TLS. It's about things you can do that would make NSA owning up your servers a greater or lesser threat to previously encrypted TLS sessions.
Index calculus. Over prime fields it has seen essentially no major progress (beyond small complexity tweaks, some of which are useful) since 1992 with the number field sieve. Index calculus also exists for elliptic curves, under some conditions: once again, over prime fields things seem fine (modulo MOV, anomalous, etc curves). I suspect we will also have to drop RSA if the index calculus for prime field discrete logs ever improves significantly. Likewise, some efficient attack against P-256 or curve25519 has a good chance to eliminate most or all curves in that size range.
People, if the private botnets didn't make you disable password authentication already, do it for the NSA.
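Added example (not from the thread): a small Python audit of an sshd_config text for the "disable password authentication" advice above. It applies sshd's own first-match rule, which is the usual reason a hardening line appended at the end of the file changes nothing, and flags Match blocks that re-enable password logins. The sample config is constructed.

```python
# Constructed sample sshd_config, not a real host's file. The second
# PasswordAuthentication line is the classic mistake: sshd keeps the FIRST
# value it sees for a keyword, so the later "no" is silently ignored.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
# appended later, expecting it to win:
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User legacy
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """sshd rules: keywords are case-insensitive, the first value for a keyword
    wins, lines after a 'Match' line belong to that block. Returns
    (global_settings, [(criteria, block_settings)], [(key, value) ignored])."""
    global_settings, match_blocks, ignored = {}, [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":            # start of a conditional block
            current = {}
            match_blocks.append((value, current))
        elif key in current:          # duplicate keyword: first one already won
            ignored.append((key, value))
        else:
            current[key] = value
    return global_settings, match_blocks, ignored

def password_auth_findings(text):
    """Empty list means password and keyboard-interactive logins are off
    globally and no Match block turns password logins back on."""
    g, blocks, ignored = parse_sshd_config(text)
    findings = []
    # both keywords default to "yes" when absent; KbdInteractiveAuthentication
    # is the newer name for ChallengeResponseAuthentication
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' globally")
    kbd = g.get("kbdinteractiveauthentication",
                g.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive authentication is not 'no' globally")
    for key, value in ignored:
        findings.append("ignored duplicate '%s %s' (first occurrence wins)" % (key, value))
    for criteria, settings in blocks:
        if settings.get("passwordauthentication", "").lower() == "yes":
            findings.append("Match %s re-enables PasswordAuthentication" % criteria)
    return findings
```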
I did my part and upvoted the story to get it more exposure here:)
"Incredibly costly" + "I don't see how they would benefit" is only an effective argument against individuals and businesses whose continued existence depends on not wasting money. The state runs on taxes and executive orders.
You may not realize that one of the non-publicized goals of recent executive administrations has been to keep the official unemployment rate of war veterans low enough that it stays out of the public consciousness. This has been accomplished in large part by steering them into make-work jobs with strict citizenship or clearance requirements along with hiring preference points for military service.
The government probably does not care to intervene in our nerd talk, but it can afford to, and if that provides a minor political benefit beyond sticking loyalists in dubious, relatively-high-paying desk jobs, then so be it. If I were to attempt to promote state interests with respect to encryption and network security, HN is certainly one of the sites I would pay my subordinates to read and influence.
Don't assume that just because you think it is stupid and pointless, no one is actually doing it. That doesn't mean that anyone is, but you can't realistically argue that everyone is not.
To use his book as a metaphor implies that Snowden's leaks will do nothing to stop domestic dragnet surveillance and everything to seal the system against future whistleblower leaks.
I find that I must agree.
And: http://blog.erratasec.com/2014/12/that-spiegel-nsa-story-is-...
Which isn't to say the NSA isn't legitimately participating in IETF and taking such notes ... but that codenames can be taken out of context. ;-)
http://research.microsoft.com/en-us/people/mickens/
He just also has a sense of humor, and makes time to exercise it.
Seems your doubts are what helps the NSA.
I also don't get the idea of "some privacy". It seems to me along the lines of "somewhat pregnant". But, you (and many others) are advocating an approach that says, "let's untether our government from even the pretense of adherence to any laws, allow them to attack us with impunity, and simply do the best we can with what we have to fend them off".
If I were of the lying, obfuscating NSA-worker ilk, what you are advocating is exactly the response that would make me salivate.
I know that many people have this romanticized notion that we will do tech battle against our government and win, but we simply won't. If years of battling virus writers, rootkits, and zero days have taught us nothing, it should have taught us that a determined adversary will own us. Add to that unlimited resources and claimed legal authority to compel cooperation from tech/infrastructure providers.
You really want to unleash the lying, obfuscating NSA and trust that your open-source encryption and ciphers won't be cracked, that your full software and hardware stacks have not been compromised, and that the same is true for everyone with whom you communicate, etc., then patch things up and try again if and when you are made aware of a compromise? Sorry, friend. That's a losing proposition.
runs on as many cores as available; also for this it goes to some length to avoid multithreading locks in openssl (where possible).
http://mosermichael.github.io/cstuff/all/projects/2014/02/24...
Improve the existing key-recovery attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/a...) on AES from 2^126 to 2^80 (through unknown methods, potentially exploiting the trivial relation of CTR plaintexts), which is a scale at which a state level party could perform computation, especially on specialized hardware. Observe a CTR block on known plaintext and recover the key.
Practical key recovery attacks have existed against many block ciphers. AES is pedantically weaker than it should be (since an attack exists at 2^126).
Do I think this is likely? I don't have enough information to answer, and in the absence of information I'd default to "probably not". It wouldn't be inconceivable, however.