General Discussion
Many here are now owed Beer and Travel Money with an apology
Last edited Sat Dec 21, 2013, 02:27 PM - Edit history (1)
"The generation of random numbers is too important to be left to chance."- Robert R. Coveyou, Oak Ridge National Laboratory
To all you people who said I was crazy that the NSA could have a back door into encryption, my inference back in July is now confirmed.
My mistake back then was I thought Cisco was compromised and it now turns out that RSA itself is compromised. How was it compromised? A subtle flaw in the random number generation that I suspect allows the private key to be deduced from the public key.
This would be funny if it wasn't so sickening.
So to all who said I was nuts, who hassled me for attending the anti-NSA rally, it's your turn to be mocked. Unless you want to stand up and say Sorry, Hoot I guess you did know a little about this tech stuff.
Feral Child
(2,086 posts)to an historic DUer.
nolabear
(41,959 posts)Travel well, RT!!
Jackpine Radical
(45,274 posts)For those who remember our old friend Random Thoughts.
I'm not enough of a geek to have ever gotten into the details of the matter, but in my dark little paranoid soul I never doubted that They were Watching Us in myriad ways, or that They could access anything we put online.
awoke_in_2003
(34,582 posts)who was that picture of in his sig line?
woo me with science
(32,139 posts)heaven05
(18,124 posts)watched every episode I could and still do during sci fi station marathons usually on a holiday. Rod Serling had a sterling mind. He died too young.
Jazzgirl
(3,744 posts)I used to think I was always missing something whenever I read his responses.
dreamnightwind
(4,775 posts)I understand that feeling, though I don't think it was you who was missing something.
Jackpine Radical
(45,274 posts)tavalon
(27,985 posts)And sometimes, I almost got it.
sibelian
(7,804 posts)Image managers know how important it is to hide when they've finally been rumbled.
hootinholler
(26,449 posts)But I know I couldn't be complete, because those are just my OPs in which I was told I was nuts. It doesn't reflect the myriad of other threads where I heard the same thing. At least the person ridiculing the anti-NSA rally was tombstoned, but many who agree with him remain.
I seriously doubt that any of them will come by to say anything, but catharsis happened by putting this on the record.
sibelian
(7,804 posts)it MUSHROOMED...
ChisolmTrailDem
(9,463 posts)others for daring to disseminate bullshit and come to conclusions that turn out later to be true. And the NEVER belly up to their crow dinner. That says all about them that needs to be said.
Maedhros
(10,007 posts)Would seem reasonable for an ostensibly Liberal board.
Vattel
(9,289 posts)Maedhros
(10,007 posts)It's easy to spot them. They never actually post anything - articles, analysis, funny pictures - but only show up to discourage people from paying attention or to sneer at people who do.
ChisolmTrailDem
(9,463 posts)their poisons which are proven to kill people every day, and who even say so in their TV spots, while calling that "science". We can call them "Big Pharma Toadies".
And some of them are even forum hosts for God's sake!
Hassin Bin Sober
(26,325 posts)JVS
(61,935 posts)malthaussen
(17,187 posts)Hell, have some virtual money, too.
-- Mal
hootinholler
(26,449 posts)MannyGoldstein
(34,589 posts)Hmmm...
hootinholler
(26,449 posts)But if they do they may not be quite as anonymous as people think.
reACTIONary
(5,770 posts)... and the NSA employs a lot of talent with the skillez to pull this off. 4 the Lulz.
hootinholler
(26,449 posts)In communications.
But yeah there are some really sharp tacks in the box.
joshcryer
(62,269 posts)Interesting that Snowden used it with his chats with Greenwald.
And of course Bitcoin is not anonymous at all despite its supporters' ignorant claims.
reACTIONary
(5,770 posts)Java nonce collision
In August 2013, it was revealed that bugs in the Java class SecureRandom could generate collisions in the k nonce values used for ECDSA in implementations of Bitcoin on Android. When this occurred the private key could be recovered, in turn allowing stealing BitCoins from the containing wallet.
"Bugs". Yah, sure, just a "bug".
hootinholler
(26,449 posts)Thanks for that.
MannyGoldstein
(34,589 posts)joshcryer
(62,269 posts)Not to say that this is not correct but I think the US government needs it to succeed since it works as a honypot for illegal behavior and is 100% not anonymous.
reACTIONary
(5,770 posts)... I'm going to buy/sell an illegal substance from someone, somewhere, I know not who. I'm going to give my delivery information to that person, and make payment using an information system that posts the entire ledger to the internet where anyone, anywhere can access it without warrant or reason. Then I'm going to entrust the illegal substance to a courier service staffed and run by government agents that photograph and electronically record everything they touch.
What could possibly go wrong?
Oh yes, AND I'm going to do this relying on the privacy provided by routers and clients developed by the Naval Research Laboratory.
Lasher
(27,573 posts)But that doesn't prove you're not nuts. Neener.
hootinholler
(26,449 posts)But I just may be the lunatic you're looking for.
pintobean
(18,101 posts)Octafish
(55,745 posts)Shutting people up isn't fascistic, it's for their own good, hootinholler. Otherwise they might forget that this is mostly like a free country, apart from the wars without end for profit, stolen elections, KKKoch brothers fiscal policies and the bankster-run just-us department. Do you want me to report that you're not with the Program?
hootinholler
(26,449 posts)That is a breach I will gladly fill.
You know it's funny that I have this penchant towards revealing truth as I know it.
Thank you for helping me to preserve what sanity I have left.
PeoViejo
(2,178 posts)A former member of DU would be very pleased to read this.
Octafish
(55,745 posts)Not much in the way of reward, wot, other than doing the right thing for the sake of democracy and justice.
awoke_in_2003
(34,582 posts)Who is it and what movie?
suffragette
(12,232 posts)Is it the episode where he wants to be let alone to read?
Octafish
(55,745 posts)I believe from a Twilight Zone episode.
http://en.wikipedia.org/wiki/Time_Enough_at_Last
Wiki says he was in four episodes, so it may be another one. The guy was tops in every way -- a genius and a war hero.
awoke_in_2003
(34,582 posts)thanks Octafish.
tiny elvis
(979 posts)suitably random and obscure
Octafish
(55,745 posts)Mr. Meredith sports a moustache as Mr. Bemis in the TZ episode in which he plays the bibliophile:
woo me with science
(32,139 posts)rhett o rick
(55,981 posts)The second is cowardice. These cowards are really authoritarian (bully) followers. They hope that the almighty authority (bully) will appreciate their loyalty and bestow kindness upon them. The third is also an authoritarian follower, but enjoys being on the side of the almighty bully. Reasons two and three overlap.
We live in an authoritarian state. We are taught from a very young age to blindly follow authoritarian leaders, whether parents, teachers, coaches, Scout leaders, and religious leaders. Some of us resist these teachings, but IMHO most Americans are authoritarian followers to some degree.
Maedhros
(10,007 posts)tavalon
(27,985 posts)but it seems I never have and it's likely I never will.
rhett o rick
(55,981 posts)on faith. That's why there is such a problem with priests. The Church promotes the idea that priests are not mere men, but should be revered and trusted. It's easier to control people if you can get them to believe in you blindly. As you see here in DU that some here support the NSA blindly because they dont want their blind faith in authority shaken. We live in an authoritarian society.
tavalon
(27,985 posts)Cannot agree with that more. I could say it's patriarchal and it is to an extent but as a pagan, I can tell you I've seen plenty of women rule with an iron fist.
annabanana
(52,791 posts)nadinbrzezinski
(154,021 posts)Apologies for pile ons are just not done
It is what makes DU suck in so many ways.
That said, you did get the experiences.
Egalitarian Thug
(12,448 posts)Unfortunately another aspect of the authoritarian personality, in addition to their need to feel they are in control, is that they are deadbeats and don't pay unless publicly shamed into it.
hootinholler
(26,449 posts)Many here are owed as well.
Egalitarian Thug
(12,448 posts)It's worth the cost just to not have to look at them.
undeterred
(34,658 posts)Not sarcasm.
I never said you were nuts.
hootinholler
(26,449 posts)Nor am I clairvoyant.
I just know how systems hang together. I've built a career of 30+ years building and troubleshooting large and complex systems.
progressoid
(49,978 posts)oh, and the NSA thing too.
Hatchling
(2,323 posts)11 Bravo
(23,926 posts)for that I have no problem whatsoever in admitting that you were right and I was wrong.
hootinholler
(26,449 posts)And this shows me why.
11 Bravo
(23,926 posts)our behavior pretty much sucks on several levels!)
back at you!
hootinholler
(26,449 posts)There is so much at stake. In the realm of pure speculation, I will bet that the Koch Brothers have someone with capabilities like Snowden had on their payroll and have access to what ever private correspondence they desire.
Think about it, I bet they have a lock on the Orange Market Report before anyone sees it. Where Orange Market Report is a variable to be replaced with any other industry of interest. Want to know what Exxon-Mobile is up to?
eomer
(3,845 posts)Robert R. Coveyou, Oak Ridge National Laboratory
And then there's this:
Donald Knuth
hootinholler
(26,449 posts)It's been a very long time since I read Knuth and it was indeed random number that took me to the bible of IT (Is it still taught? Is the dragon book still taught?)
I will correct forthwith. That's what I get for relying on *my* memory. Apologies to Mr Coveyou!
WillyT
(72,631 posts)awoke_in_2003
(34,582 posts)to send either, but I can send a rec.
ChisolmTrailDem
(9,463 posts)exactly who they were.
NSA is monitoring this website. There's no reason not to believe they are also participating on this website.
And they are not apologetic.
zeemike
(18,998 posts)Because that shit is way over my head...
But I would buy you a beer just for being right and speaking up...
DeSwiss
(27,137 posts)Demeter
(85,373 posts)and the first mead is on me!
TwilightGardener
(46,416 posts)woo me with science
(32,139 posts)raouldukelives
(5,178 posts)Glassunion
(10,201 posts)I never said you were crazy. In fact... I never said anything to you.
hootinholler
(26,449 posts)Scuba
(53,475 posts)hootinholler
(26,449 posts)MannyGoldstein
(34,589 posts)And Ron Paul's sperm.
paleotn
(17,911 posts)....A Randpaul. Yuuuck!
MannyGoldstein
(34,589 posts)I started feeling quesy. Not kidding.
Amost didn't hit the post button.
PrestonLocke
(217 posts)Good thing there are many open source algorithms available.
What else has been tampered with?
Yay for GnuPG!
randr
(12,409 posts)a tin hat is apropos.
kudos
hootinholler
(26,449 posts)It was simply making logical inferences from stated capabilities.
They say they can do this, well how could that happen?
bvar22
(39,909 posts)...who kept insisting that there was nothing to worry about when Fukushima blew up?
Everyone RELAX.
They are just venting a little steam.
I know Science, and these nuclear plants are perfectly safe
because they have redundant back up systems.
Did I mention that I know science, and you are just a dumb ass?
Those people?
I don't remember any retractions or apologies then either.
suffragette
(12,232 posts)But I'm always glad to raise a glass with you (wine for me though, please)
And thanks for posting on the tech aspects of this. I'm fairly geeky in some areas, but wouldn't be aware of what some of this means without your explanations.
hootinholler
(26,449 posts)Thanks for the kind words.
suffragette
(12,232 posts)And haven't been posting much recently.
But now I have some well-deserved time off and am looking forward to relaxing and catching up.
How have you been?
And back atcha:
hootinholler
(26,449 posts)My Sis came up for a visit and had a heart attack, She's gonna be ok.
Work has been a zoo with nebulous desires by the customer.
I'm happy to be alive and employed on this fine solstice day. I think I should take my pet out for a nice dinner tonight.
suffragette
(12,232 posts)NYC_SKP
(68,644 posts)sibelian
(7,804 posts)DanTex
(20,709 posts)RSA is two things. One, it is a public key encryption algorithm, and two, it is a company. The RSA algorithm is not compromised. What is compromised is some of the software that the company RSA produced. According to the article, the problem is that RSA's Bsafe crypto software's default random number generator (Dual_EC_DRBG) is vulnerable to a back door. And the NSA paid RSA $10M to use Dual_EC_DRBG, so it is a pretty good guess that the suspicions that NSA put a back door into Dual_EC_DRBG are true.
But this is pretty far from saying that VPN traffic can be read by the NSA. At worst, it means traffic encrypted by providers using Bsafe can be read by the NSA, but I have no idea how many of them do (and I don't think you do either).
What's more, the fact that the Dual_EC_DRBG random number generator had a potential back door has been known since at least 2007, so people that knew what they were doing have considered Dual_EC_DRBG to be broken for some time now. Which means that VPN or any other crypto software written by people who were actually trying to provide security, as opposed to intentionally letting the NSA in, probably were not using Dual_EC_DRBG to begin with. And now that this has all become public, nobody is going to use Dual_EC_DRBG anymore.
This is not to say that the NSA isn't doing things they shouldn't be doing, and of course, it's also possible that the NSA has other hacks that we don't know about. But simply claiming that the NSA has "a back door into encryption" is a pretty big overstatement.
hootinholler
(26,449 posts)Thanks for that article! I wasn't aware as I don't generally get that involved in the encryption side of things.
I would remind you that the notion that the NSA has the capability to decrypt VPN traffic comes directly from the NSA:
At the time I was speculating on how it could be accomplished.
DanTex
(20,709 posts)It's unsettling, but it certainly doesn't mean that they can read all VPN traffic. Particularly since different VPNs use different encryption protocols, it is doubtful that this is true. For example, I haven't seen any suggestion that the open source OpenVPN is compromised, nor have I read any security experts who think it is.
Also, VPN also refers to more than one thing (sort of). First, a VPN is a virtual private network, the way you described in your other OP -- basically a way to be securely connected to your office network while you are at home or at Starbucks.
But what this slide is talking about by "VPN startups" is most likely VPN services (for example) that let users surf the internet anonymously via proxy servers, using a VPN protocol for the connection to the proxy server. This is something the NSA would be particularly interested in, since people using VPN services in this way are trying to avoid detection.
Notice, though, that the slide doesn't say that the NSA can actually read encrypted packets. Instead, it says that if they have the "data" they can decrypt and discover the users. To me, this doesn't mean they are hacking the actual VPN encryption, but instead that they have (or want) some way to figure out who is using these VPN services. I have no idea what they have in mind exactly, but it could be any number of things, not necessarily involving breaking crypto. It could even mean hacking into the servers at the VPN startups and stealing their logs.
For a recent example of a non-codebreaking method of tracking people through supposedly secure connections, the guy who used TOR to mail bomb threats to Harvard got caught not because the police were able to crack TOR, but because they simply got hold of the logs of everyone who was connected from the Harvard network to TOR at the time the threat was sent.
hootinholler
(26,449 posts)I might tend to agree. But there is a scalability caveat on the slide as well suggesting that this is the tool to do bulk decryption. Capturing logs for analysis is a tedious process and likely not to require bulk decryption.
Maybe they are only mapping the connections and not the content, but at this point, as a practical matter, I think it would be incredibly naive to trust that assertion.
With luck we will actually know.
DanTex
(20,709 posts)I just don't know if they can. I also don't know if they can get the users either. I don't think the NSA is limiting themselves based on some concern for the privacy of VPN users in other countries. It's just that that slide doesn't say much about their actual decryption capabilities.
joshcryer
(62,269 posts)All plaintext. On the entire internet. This is being grabbed. This discussion is likely causing headaches to the automated software.
What they're saying on that slide is obvious, they say on the slide before they can't download everything because there's too much.
Logical
(22,457 posts)Didn't RSA wonder why the NSA paid them 10 million to use it!
cantbeserious
(13,039 posts)eom
rhett o rick
(55,981 posts)ignored you. But I will gladly set up a pint of Mongoose IPA for you tomorrow. If you dont show up, it wont go to waste.
KoKo
(84,711 posts)DU Tech Savvy who didn't trash Snowden and those of us non-tech savvy who post here who supported him because we knew the NSA's history of spying and figured why wouldn't they be taking advantage of exactly what Snowden has revealed.
Yes you are owed and here's a Toast to You (from someone who welcomed your input).
and
Lifelong Protester
(8,421 posts)I am too tech-ignorant. But I do feel that the spying-surveillance thing is out of hand.
And I give you a K & R. I don't think you are nuts, and would gladly attend an anti-NSA rally with you.
Spitfire of ATJ
(32,723 posts)Tin foil actually got you a better picture too.
lunasun
(21,646 posts)Beer won't help me at this point.....but thanks
Demo_Chris
(6,234 posts)Incitatus
(5,317 posts)I'll just settle for the money and beer.
Xipe Totec
(43,890 posts)I busted a gut laughing
Aristus
(66,316 posts)And crim son
And Haole Girl
And NewWaveChick
And nuevocat
And sffreeways
And slinkerwink
And God_Bush_n_Cheney - RIP
And GOPisEvil
And Jimmy Jazz
And so many more...
woo me with science
(32,139 posts)Love to see DU trashing the propaganda.
joshcryer
(62,269 posts)It's actually likely that Cisco's routers are using Dual EC_DRBG which is why their sales have dropped dramatically and how the NSA has been able to so easily snoop on everyone.
Ever since Dual EC_DRBG was announced almost every sane security person didn't use it. Now EMC's implementation of it defaults to Dual EC_DRBG but that is easily changed by changing a configuration process. Simple, and if you were a sane developer, you'd do it.
What's more important is how the NSA and US government shut down lavabit for providing truly anonymous email. In other words, those who want to provide anonymity, must be forced to do so by the government.
As Bruce Schneier says (one of the original people to break the Dual EC_DRBG, and btw he wasn't afraid to call it that), what the NSA is doing and has been doing is unsurprising and it's good that it's finally out in the open.
hootinholler
(26,449 posts)I meant RSA the company. It could be that only one of the protocols are compromised, but at this point RSA as a company is not IMHO trustworthy.
joshcryer
(62,269 posts)We're talking about networked systems that allowed 30,000 customers to be affected and L3 and Lockheed Martin were compromised. I think that's when RSA lacked trustworthiness. Not when they signed up with the NSA.
http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise
At that moment RSA (the company) / EMC should've lost all contracts with the government. For the same reason that if we were serious here if what Booz Allen contends Snowden did then Booz Allen should be summarily fired from working for the government. Forever. Every person who worked with Booz Allen completely ostracized.
(Note: I am not saying what Snowden did was wrong, I am saying that if he pulled off what he did, which I am not certain he did, then that is a huge, major security breach and the corporations who lobbied to get the power to take taxpayer funding and turn the country into a surveillance state should be punished.)
Owl
(3,641 posts)I admit I'm stupid on this one.
tavalon
(27,985 posts)DUer of old. It's like the tombstoning of Walt Starr. He became far more famous after he demanded to be tombstoned. Or like spelling Moron, "Moran" because of the famous picture. DU loves it's memes and especially loves it's self made memes.
I miss Random Thoughts. He was genuinely mystifying to many of us, myself included, but I'll never forget the many times he demanded beer and travel money. And experiences.
Hence, the reason I clicked on what is a mystifying topic for me. I know the NSA has compromised something and I get that it's about encryption but I wasn't even able to wrap my mind around PGP in the day. I think this is something like that. Or not?
That's one way I know I'm not one of the called outs. I couldn't write a coherent enough post about this topic if my life depended on it.
hootinholler
(26,449 posts)It is indeed a reference to Random Thoughts, who often posted what some consider word salad, but every now and then posted something that would really take you places through abstract profundity.
tavalon
(27,985 posts)Random Thoughts.
Aerows
(39,961 posts)because I agreed with you. I even offered my opinion on why that was true, too. So send forth the beer and travel money.