New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption
Frosty P writes "Congressman Rush D. Holt, a New Jersey Democrat, has proposed legislation (summary, full text) that would prohibit the agency from installing 'back doors' into encryption, the electronic scrambling that protects e-mail, online transactions and other communications. Representative Holt, a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced. 'We pay them to spy,' Mr. Holt said. 'But if in the process they degrade the security of the encryption we all use, it's a net national disservice.'"
Pointless posturing (Score:5, Insightful)
A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*
Re: (Score:2, Insightful)
A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*
Well, it is politics. And who knows, maybe he's just offering up another law the government will pass and then ignore, all the while telling us that it has restrained their efforts.
At this point I'd need independent verification of a weather report if it was supplied by our government.
Re: (Score:3)
It's why the government invented windows that open.
Re: (Score:2)
It's why the government invented windows that open.
I'm 100% sure that if governments invented windows not only would they not open, they would be made out of plywood, not glass.
Re: (Score:3)
A lot of taxpayer dollars go into providing that "free" weather data - about $5.1BN this current fiscal year (FY 2013). [noaa.gov]
Re:Pointless posturing (Score:5, Informative)
Whoa, now. While it's true that the NSA has a history of disregarding the law, it's bad to fall into the trap of believing that there's no point to creating such laws at all.
What do you want Congressman Holt do? Rip off his shirt and physically attack James Clapper? That's not going to help curtail the powers of the NSA and you know it. Congress creates laws. That's what they're supposed to do. If you think the law is a good idea, then proposing the law isn't "pointless posturing," it's Congress' job.
It's easy to get so lost in cynicism that you stop believing that forward progress is possible. But it's an ugly fact that many of the NSA's recent activities have had explicit Congressional approval. Revoking that approval is an essential step to fixing the situation, and Congressman Holt should be applauded for attempting to do so.
Re:Pointless posturing (Score:5, Insightful)
I would like our current laws to be enforced. If the NSA is violating the law, those responsible should be prosecuted. If they aren't enforced, then there is literally no point in creating new laws.
Re:Pointless posturing (Score:5, Insightful)
I would like our current laws to be enforced.
As John Oliver said on the Daily Show when these stories started to break:
"Mr. President, no one is saying you broke any laws, we're just saying it's a little bit weird you didn't have to."
Re:Pointless posturing (Score:5, Insightful)
Any law that the NSA violates puts them at risk in court, and this could be especially hazardous as political climates change.
If the law isn't being enforced, that is the direct fault of the President of the United States. He is in charge of enforcement, especially of executing laws related to national security. Don't weaken the law simply because the President fails to act.
Re: (Score:3, Interesting)
Try suing the NSA, good luck.
Hell, try suing the IRS or even AT&T for that matter, and for pretty much anything.
And blame it on the president? WTF? Are you a silver spoon fed child?
Re: (Score:2)
Re: (Score:2)
What? Source?
The Constitution of the United States [archives.gov]
Re: (Score:2)
Why would the government send people who want to give the government more power to jail? Unless the public catches wind of the corruption and there's enough backlash, that simply isn't going to happen.
Re: (Score:2)
You are stupid.
Your mom.
I am so tired of people saying the president is directly responsible.
I'm so tired of people believing that he has no responsibility. He directs general NSA policy and focus, and he directs the executive branch. The only way I could remove his responsibility is if both the NSA and the White House were directly contradicting him.
What you're suggesting is that the President doesn't actually control the executive branch.
Re: (Score:3)
It is rare that laws can restrain government in areas that approach national security. First there are problems with statutes of limitations as usually things are discovered too late for legal remedy. Then there is an issue as to who prosecution should be focused. Since the president directs the armed forces there is a certain power of office that demands action when it involves threats to national security. Then there is the simple fact that ways to get around the laws are known to government age
Re:Pointless posturing (Score:5, Insightful)
I would like our current laws to be enforced
And... Enforcement is the job of the Executive Branch, not Congress. Lots O' luck.
Re:Pointless posturing (Score:4, Insightful)
And... Enforcement is the job of the Executive Branch, not Congress. Lots O' luck.
Congress has the ultimate tool of enforcement in the form of impeachment.
Yeah. I said it. What Obama's administration has done (and his predecessors) far surpasses anything Nixon did in the realms of violating the law and covering it up. This includes a fair number of congress critters also.
Note the "and his predecessors": This is NOT a partisan issue. The whole lot should be thrown in jail.
Re: (Score:2)
Contempt of Congress is
Re: (Score:2)
Contempt of Congress is enforceable by the House Sergeant-at-Arms. The House could arrest James Clapper, bring him to the House, try him, and imprison him for lying before Congress. That is entirely within their powers.
Re: (Score:2)
Contempt of Congress is enforceable by the House Sergeant-at-Arms. The House could arrest James Clapper, bring him to the House, try him, and imprison him for lying before Congress. That is entirely within their powers.
They turned the Congressional Prison into conference rooms about 50 years ago. Subsequent to Congress turning in their balls, apparently.
Re: (Score:3)
I would like our current laws to be enforced. If the NSA is violating the law, those responsible should be prosecuted. If they aren't enforced, then there is literally no point in creating new laws.
Hahaha. You are so naive.
Just look what happened in NZ. Spies have been found guilty of breaking laws, but police won't lift a finger, because of missing "criminal intent".
They are all, literally, laughing at us.
Re: (Score:2)
Re: (Score:3)
Whoa, now. While it's true that the NSA has a history of disregarding the law, it's bad to fall into the trap of believing that there's no point to creating such laws at all.
What do you want Congressman Holt do?
Demand accountability under the existing laws, and if he can't get that, impeach whoever is the head of the branch of government that runs the NSA.
Re: (Score:2)
Maybe that would be a good start, since nothing else seems to be working. They might also boo and kick out Obama when he next tries to address Congress, because ultimately the president is responsible for this.
Re: (Score:2)
Re: (Score:2, Insightful)
Well all the good congressman and his peers need to do is de-fund the NSA and their activities. No Bucks, no retards spying on everybody but you see it's no secret that the intelligence committees in the House and Senate have members who create rules themselves and classify information, denying basic information to the rest of their congressional counterparts. [commondreams.org] Not only do you have the NSA spying on everybody, you have the committees keeping it a secret from the rest of congress! What a great and open sys
Re: (Score:3)
It's time to do three things in this country. 1) Introduce term limits for congress. Sorry, Feinbitch, McShame, your time is up and it's clear you don't have the best interests in mind for our country. 2) Change campaign funding legislation and limit all contributions to $1000 from any company or private party. 3) We need to re-introduce Stocks (not the wall street kind) [wikipedia.org] in DC and start putting these assholes in them for a week or two, I'm sure it will be a boost to the local economy in terms of travel and vendors selling rotten tomatoes.
I'm sure these changes will make you feel good and all... but you do realize these would all be Amendments to the Constitution - right?
1) Term limits - no mention of any kind of limit at all, not even ORIGINALLY for the President. The 22nd amendment isn't even that old.
2) Funding limits - I'd like to see that too, but it turns out petitioning the government is a FIRST amendment right, and it sucks to be not as wealthy/organized as lobbyists, but that isn't UNconstitutional for them. Recently upheld in the C
Re: (Score:2)
Re: (Score:2)
Everyone has the right to petition the government, but I don't agree that the first amendment guarantees the right to tuck a wad of cash into the petition with a "ps. There's more where that came from if you do as I say" at the end. Interpreting the first amendment as a "right to bribe government officials" is a willful misinterpretation as far as I'm concerned.
And I don't see what the eighth amendment has to do with stocks either. The word "unusual" in that amendment is unfortunately vague. Our current sys
Re: (Score:2)
That would be the most toothless law ever.
No prosecutor would even think of trying to go against the NSA unless he's willing to spend the rest of his life somewhere in the outback of Alaska.
Re: (Score:2, Insightful)
The NSA is an agency out of control. To lie to the people is expected of an intelligence agency - to lie to Congress is another matter entirely.
Re: (Score:2)
A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*
"There's this about cynicism. It's the universe's most supine moral position. If nothing can be done, then you're not some kind of shit for not doing it, and you can lie there and stink to yourself in perfect peace." (Paraphrased from "Borders of Infinity", Lois McMaster Bujold.)
If there are laws in place that clearly prohibit certain activities, and the NSA (or whoever) continues to practice those activities in defiance of the law and lie about it, there will be more people in the know who will be faced wi
Re: (Score:2)
Re: (Score:2)
Yes, it does take years to get government thugs to obey the very thing which gives them any power at all, but I was aware of that.
Re:Pointless posturing (Score:5, Informative)
A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*
Your cynicism has run away with your sense.
The NSA has clearly been breaking the law, but they've been doing it through a series of rationalizations, and they've just been edging over the line, not just ignoring the law completely. Specifically, they have redefined the word "collection" to mean "reading", which allows them to hoover up all the information they can get access to and then only later have to decide what they can legally look at and what they can't. And, of course, once they have the data, mistakes are inevitably made or in some cases they may even decide flat out that there is sufficient justification to ignore the law "in this case". And of course there has been no law at all against installing back doors, just a tension with the other mission of the NSA, which is to ensure the security of US signals. Again, some rationalization can allow them to get past that.
That's the kind of thing that it's very easy for good people who feel like they're working for the higher good to do. They can easily tell themselves that they're following the law except in isolated cases where it really, really matters because they have really, really good reasons.
A law like this would be different, because backdooring systems must be done well in advance of any specific case where the backdoor would be used, making it extraordinarily difficult to rationalize it... and also making violations abundantly clear. To really make certain, the law should apply severe criminal penalties to anyone who knew about and didn't report the violation.
I would like to see the law also require them to quietly go about closing all of the backdoors/weaknesses they've already put in place.
Another change to the law that I think would be very useful is to explicitly clarify the definition of "collect". Granted that it's impossible in many cases not to collect a little extra data alongside the stuff that you're really trying to grab, but that could be addressed by specifying data retention limits in the law. Perhaps they should only have 24 hours to evaluate the origin/destination of captured data, and then be required by law to discard anything that they can't substantiate as being lawful for them to collect. Another suggestion I've heard would allow the NSA to capture everything they want, but would require them to immediately escrow all of it with a court or other agency, from whom they could request the pieces they can show they should have access to. That court or agency would, of course, have as its primary job to ensure the NSA doesn't cross the lines.
Re: (Score:2)
So people who say that the government is violating constitutional rights look like nuts? Free speech zones, the TSA, the NSA spying, protest permits, etc. The government does many things that violate the constitution, and it does so quite openly to such a degree that there is practically no room for debate.
Re: (Score:2)
You mean like FISA? There's the problem: It is a one-sided argument. Just like when the NSA and DHS self-review their right to act.
No, not like FISA. There needs to be opposing counsel.
Re: (Score:2)
The real question is, what does Congressman Rush D. Holt (D) NJ have to hide from the NSA?
Re: (Score:3)
If they had a hint of something extra in their hardware/software why did they not notice, speak up, go to a conference?
It seems as if the world fell for the hardware and software exports without saying too much...over many years, so many staffing changes...
All just too happy to install the new devices/upgrade and let their own govs trust it?
Re: (Score:3)
Just be thankful they don't feel the urge to explain what 'scrambling' is.
(Somehow everybody knows what 'scrambling' is. From birth.)
Re: (Score:3)
Is there encryption that works like "scrambling"? (i.e. requiring the decryption of the entire message because information about each character is spread out to the whole thing?)
From what I've read (not much, so I'm probably totally off base), I think such encryption would be pretty ideal, and maybe is a naive explanation of what's going on in each block of a block cipher, but would be murder on the CPU for any message larger than a small email...
Re: (Score:2)
Yes.
Re:Pointless posturing (Score:4, Informative)
Yes, that's called an All-or-nothing Transform. It's computationally cheap but not yet used very widely.
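As an added illustration of the all-or-nothing transform mentioned above (this is example code written for this page, not something from the original thread), here is Rivest's "package transform". Every plaintext block is masked with a one-time random key K', and that key is then hidden in an extra block by XORing it with a keyed hash of every masked block. Recovering any single block therefore requires K', and recovering K' requires every block intact. The keyed hash function is HMAC-SHA256 standing in for the block cipher of the original construction (an assumption of this example), and the constants `K0`, `BLOCK` and the sample message are constructed here.

```python
import hashlib
import hmac
import os

# Rivest's "package transform" all-or-nothing transform, as an added illustration.
# The block cipher E(key, .) of the original construction is replaced by
# HMAC-SHA256 used as a keyed PRF (an assumption of this example); K0 is the
# fixed public key of the construction.
BLOCK = 32                      # one block = one HMAC-SHA256 output
K0 = b"aont-public-key-K0"      # constructed public constant


def _prf(key: bytes, index: int, block: bytes = b"") -> bytes:
    """Stand-in for E(key, index [, block]): one keyed PRF call per block."""
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(message: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - (len(message) % BLOCK)
    return message + bytes([n]) * n


def _split(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def package(message: bytes) -> list[bytes]:
    """Produce s+1 pseudo-message blocks; no block is readable without all of them."""
    blocks = _split(_pad(message))
    k_rand = os.urandom(BLOCK)                      # one-time random key K'
    # m'_i = m_i XOR E(K', i)
    out = [_xor(m, _prf(k_rand, i)) for i, m in enumerate(blocks, 1)]
    # m'_{s+1} = K' XOR h_1 XOR ... XOR h_s, with h_i = E(K0, i, m'_i)
    last = k_rand
    for i, c in enumerate(out, 1):
        last = _xor(last, _prf(K0, i, c))
    out.append(last)
    return out


def _unpackage_raw(blocks: list[bytes]) -> bytes:
    """Invert the transform without checking padding (used to show failure)."""
    body, last = blocks[:-1], blocks[-1]
    k_rand = last
    for i, c in enumerate(body, 1):                  # recover K' from ALL blocks
        k_rand = _xor(k_rand, _prf(K0, i, c))
    return b"".join(_xor(c, _prf(k_rand, i)) for i, c in enumerate(body, 1))


def unpackage(blocks: list[bytes]) -> bytes:
    padded = _unpackage_raw(blocks)
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("transform output is inconsistent; message not recoverable")
    return padded[:-n]


def roundtrip_ok(message: bytes) -> bool:
    return unpackage(package(message)) == message


def blocks_surviving_one_bit_flip(message: bytes) -> int:
    """Flip one bit in each pseudo-message block in turn and count how many
    original plaintext blocks are ever recovered. The all-or-nothing property
    says 0: damaging any single block (the key block included) changes the
    recovered K' and therefore scrambles every block."""
    pkg = package(message)
    originals = _split(_pad(message))
    survivors = 0
    for j in range(len(pkg)):
        damaged = list(pkg)
        damaged[j] = bytes([damaged[j][0] ^ 0x01]) + damaged[j][1:]
        recovered = _split(_unpackage_raw(damaged))
        survivors += sum(1 for a, b in zip(recovered, originals) if a == b)
    return survivors


if __name__ == "__main__":
    sample = b"constructed sample message: all-or-nothing transform demo " * 3
    print("round trip ok:", roundtrip_ok(sample))
    print("blocks recovered after any single-bit damage:", blocks_surviving_one_bit_flip(sample))
```

Note that the transform alone is not encryption: K0 is public, so anyone holding all the blocks can unpackage them. Its use is as a pre-processing step, so that a cipher applied afterwards has to be broken on every block before a single byte of plaintext appears, which is the "must decrypt the entire message" behaviour asked about above. The cost is two passes over the data, one PRF call per block each, which is why it is described as cheap.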
Re: (Score:2)
...says the Anonymous Coward...
Locks? (Score:5, Insightful)
Re: (Score:3)
If the NSA can get through a backdoor, how do you know if a competitor or enemy is not getting in through the same backdoor?
You don't. It is as simple as that.
There are some at the NSA who really do try to make encryption which is really good... hence why it would be used for military applications as it can't be as easily decrypted. Still, it doesn't hurt to get the best guys in the business to at least try cracking this stuff.
There are quite a few non-classified papers that have been authored by NSA employees over the years, and their work has been used for improving cryptography tools by people who have a clue about this stu
Re: (Score:3)
Simply put, if the NSA thinks that a particular encryption method is vulnerable, you should be paying attention very closely and likely be shifting to something else.
And Bruce Schneier is saying [schneier.com] that since the NSA is encouraging you to use elliptic curve encryption, that's an indication that you shouldn't use it.
So don't use what they recommend, and don't use what they don't recommend. Makes the choice easy, doesn't it?
Re: (Score:2)
Yes, the choice is easy. Don't trust anything the NSA says. They can lie to congress with impunity, what does that tell you?
If Bruce thinks elliptic curve encryption is suspect due to the NSA's statements, I'll defer to his experience and expertise.
There are plenty of encryption algorithms that are considered secure by the security community and non-NSA affiliated cryptographers. Those are all perfectly good choices based on their own merits.
Re: (Score:2)
So don't use what they recommend, and don't use what they don't recommend. Makes the choice easy, doesn't it?
There's always the gripping hand...
NSA: Don't use ROT-13!
User 1: Ah, good advice. That's not secure.
NSA: Use elliptic curve encryption!
User 1: Ha! I know your tricks; you've already compromised that encryption, haven't you? I won't use it!
User 2: What about symmetric-key encryption?
NSA: Shhhhh!
The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its mo
Re:Locks? (Score:5, Interesting)
The NSA is interested in people using encryption /it/ can break but others cannot. This helps maintain its monopoly on secrets, which is the source of its power (that it may also be useful in protecting American businesses and interests from foreign penetration is a bonus). Therefore it will point you towards stronger tools if it can, so its advice is not totally without merit.
The kinds of people that publish non-classified papers about encryption by the NSA also know damn well that there are other very smart people around the world who do not work for the NSA, the U.S. federal government, or even give a damn about America.
Seriously, where do you come up with this crap?
Yes, if you see something published by the NSA, perhaps take it with a grain of salt and do your own kind of analysis. Learn a bit about mathematics first and understand not just that they have pontificated about some sort of algorithm but understand why they came to those conclusions. If not yourself, then at least find somebody who you can trust.
There are secure encryption methods that are being used, and there is a good reason why the NSA wants to be assisting with the larger cryptographic community in developing secure forms of communication. Don't get into this kind of conspiracy theory bullshit and claim that they have some kind of mystical powers that simply don't exist. The NSA doesn't have any sort of monopoly over the concept, and of course neither did the Germans with the Enigma machine. In fact, it would have helped the Germans in World War II to have at least discussed their design with a few mathematicians prior to spending so much effort building the device rather than being so damn clever that some of the design ideas actually backfired and made it easier to crack that encryption method.... not that the guys at Bletchley Park complained if German engineers made their job easier.
NSA agents aren't gods. They are good at what they do because they are professionals who do encryption on a full time basis and have received advanced training in mathematics. It is sufficient training that some of those people could teach mathematics as a professor at almost any university in the world, yet they choose to use their efforts to understand encryption in regards to the country they serve. That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.
Besides, all encryption, from any point in history, has always been an issue of how much effort must be applied in order to break the code, not the question as to if the message can be read at all. If you need the services of a server farm covering a hundred acres working for a month in order to crack a message, you've done your job. The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.
Re: (Score:2)
The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.
I know it's a stale meme and I can hardly believe I'm using it;
[Citation needed]
Re: (Score:2)
The NSA isn't going to be applying that kind of brute force decryption effort on love letters between you and your girlfriend.
I know it's a stale meme and I can hardly believe I'm using it;
[Citation needed]
I'd like to say it is common sense. Think about it for a bit.... and then grin if that secret love letter has been decrypted knowing that you are personally responsible for a billion dollars or so of federal money being spent to have some overweight and aging guy read that letter in the basement of the NSA headquarters. While the NSA may seem like it has unlimited funds, it can only do something that stupid so many times while messages that really matter are sitting in the queue that may be something impo
Re: (Score:2)
There are secure encryption methods that are being used, and there is a good reason why the NSA wants to be assisting with the larger cryptographic community in developing secure forms of communication. Don't get into this kind of conspiracy theory bullshit and claim that they have some kind of mystical powers that simply don't exist.
Yeah, like putting back doors in most of the security used on the internet. They're not magical...wait...what was that article about again?
They want to be able to read whatever the enemy produces. You don't seem to recognize that for the NSA we're the enemy. The real secure methods they won't let the public have. They keep those secret for internal use only. If they publicized them the enemy (you know, the public) would have access to them.
Learn a bit about mathematics first and understand not just that they have pontificated about some sort of algorithm but understand why they came to those conclusions. If not yourself, then at least find somebody who you can trust.
Do you know how many people in the world have the level of math
Re: (Score:2)
Yeah, like putting back doors in most of the security used on the internet. They're not magical...wait...what was that article about again?
They want to be able to read whatever the enemy produces. You don't seem to recognize that for the NSA we're the enemy. The real secure methods they won't let the public have. They keep those secret for internal use only. If they publicized them the enemy (you know, the public) would have access to them.
These back doors that you are complaining about were something that was openly discussed as a matter of public policy when it happened. It became legislation where the United States Congress (not the NSA) required these backdoors through legislation and made it criminal for telecommunications companies to even object. Furthermore, these companies had to go out of their way and hire programmers and electrical engineers to explicitly put these back doors into their equipment.
If you are bitching about
Re: (Score:2)
And there is nothing that scares me more than a rabid patriot who will do anything "for the cause."
It's the very definition of "Fascist."
Re: Locks? (Score:4, Insightful)
There are very few absolutes in life, if any, and it is probable that one can be absolutely sure that they were not spying on law abiding citizens in their own country when intercepting German messages.
The NSA is spying on its citizens in the name of preventing a terrorist attack, right? Ok, so at best they'll save a few thousand lives at the cost of billions of dollars while violating laws and rights.
That doesn't really seem worth it to me. If the goal is to save a few thousand lives we could certainly spend the money better.
Simple educational programs for drivers would save more lives.
Re: (Score:2)
That doesn't make them sinister, just patriots... patriots that know there are people just like them in other countries around the world.
Did you just call people who help violate the constitution... patriots? No, they are absolute scum for working for such an organization.
Yup, I did. The blame for the violation of the Constitution goes up to the top of the food chain on that particular point..... meaning the guy who held a huge party that cost close to a billion dollars, televised on every network when it happened, where he swore an oath that his specific and indeed only job duties was to "preserve, protect, and defend" that very Constitution you are asserting here were violated. The NSA works for that guy, and he can relieve them and indeed the entire agency of their job
Re: (Score:2)
This is why their domestic spying is unforgivable. As soon as they started doing that, they created a conflict of interest. It is their mission to protect the U.S. and its citizens from spying, but it spies on the citizens and so wants to weaken their resistance to spying.
They have lied to the people, to Congress, and the courts. At this point, they are useless. Nothing they say about anything can be trusted.
Re: (Score:2)
The world was paying attention, to what they thought was export grade quality cryptography - protected by law/bad press if faulty and the makers stock price and a lot of other legal/coding hopes.
The US did not seem to be "dogfooding" its own networked military applications, just always drawing bulk data inwards to very secure sites for fu
Re: (Score:2)
They walk a fine line, making/trying to insure only they can break it. And yes, things do leak out. A few posts ago mentioned backdoors in hardware, and how it was never covered in the news. But it is. I specifically remember a certain chip being found out about, and blam, the story disappeared. To many, NSA does a good job, they know how to
Re: (Score:2)
You can use encryption. That's pretty common for botnet malware, their owners have the same issue, they want your computer, but they don't want to open it to the competition. In fact, some of them will even patch the vulnerability that allowed them access, so others can't take over the machine.
Re: (Score:3)
This raises another important issue: powerful, well resourced adversaries. Security professionals often don't seriously consider trying to guard against them, or even that it's worth trying... which is why we're so pathetic regarding the NSA threat.
There are many powerful adversaries out there - national intelligence agencies of all stripes, powerful private intelligence agencies (eg. the mercenary company Blackwater is getting into this), organised crime, media organisations, even coalitions/alliances
Re: (Score:2)
"If the NSA can get through a backdoor, how do you know if a competitor or enemy is not getting in through the same backdoor?"
And to put in Palinese:
"How's that hopey Cloudy thing looking NOW?"
Re:Locks? (Score:4, Interesting)
You can also use the same sort of mathematics that makes DH, ECDH, RSA and ECDSA possible to design secure-looking moduli or curves (in the case of ECDH and ECDSA) that are secure as long as you don't know the parameters used to generate the curve. It's basically DSA/DH but with three factors instead of the usual two.
Both parties know the curve (it's a published standard), and one party (the guy with the private key) has both factors of the configuration parameter, the other party knows only the composite of the two secret factors (the public key). Now the exchanged nonce can be obtained by either the party with the private key or the party with the curve factors (the NSA).
It is speculated that some published curves for ECDSA have been designed in such a way that some aspect of their generation that is only known to the NSA allows elliptic curve solutions to be rapidly reduced. It is at least well known by cryptographers that certain curves are insecure in any usage, and that other curves might be designed to be trivially reduced only with some knowledge of the parameters used to generate them. What is not known is whether designing curves in such a manner doesn't also make them weak to other yet-to-be-discovered reduction methods.
Interesting tidbit: there is no theory of security* for either ECDSA, RSA or DH; faith in all of these public key cryptographies rests solely on the lack of a theory of insecurity for them and the belief that if it were easy to create a theory of insecurity, someone would have published one by now (and some partial reductions of RSA have been published, prompting the necessity of using larger RSA keys than previously thought necessary).
* For commonly used symmetric block ciphers, theories of security exist, that is there is good mathematical reason to believe they are secure and not merely presumption.
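The comment above worries that a modulus or curve could be generated by someone who keeps private knowledge of how it was produced. The standard defence is to make parameter generation public and reproducible: derive the parameter from a published seed by hashing, so that anyone can recompute it and the generator has no freedom to plant structure. Below is an added example of that idea (written for this page, not code from the thread or from any standard), shown for a prime modulus rather than a curve. It is a simplified procedure, not the FIPS 186 seeded-generation algorithm; the seed, the 64-bit size and the counter encoding are constructed choices of this example.

```python
import hashlib

# Added illustration of verifiable ("nothing-up-my-sleeve") parameter generation:
# a modulus-sized prime is derived from a public seed by hashing, so anyone can
# recompute it and confirm the generator had no room to hide structure in it.
# Simplified procedure written for this example, NOT the FIPS 186 algorithm;
# the seed and bit size are constructed values.
SEED = b"example-public-seed-2013"
BITS = 64

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, so exact at 64 bits."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_from_seed(seed: bytes, counter: int, bits: int = BITS) -> int:
    """Deterministically map (seed, counter) to an odd integer of exactly `bits` bits."""
    digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    x = int.from_bytes(digest[: bits // 8], "big")
    return x | (1 << (bits - 1)) | 1          # force the top bit and oddness


def generate_prime(seed: bytes, bits: int = BITS) -> tuple[int, int]:
    """Generator side: walk the counter until the derived candidate is prime,
    then publish (p, counter) together with the seed."""
    counter = 0
    while True:
        p = candidate_from_seed(seed, counter, bits)
        if is_probable_prime(p):
            return p, counter
        counter += 1


def verify_prime(seed: bytes, p: int, counter: int, bits: int = BITS) -> bool:
    """Third-party side: recompute from the public seed and compare. A parameter
    shipped without a seed cannot be checked this way at all."""
    return candidate_from_seed(seed, counter, bits) == p and is_probable_prime(p)


if __name__ == "__main__":
    p, counter = generate_prime(SEED)
    print(f"p = {p:#x}, counter = {counter}, verifies: {verify_prime(SEED, p, counter)}")
    # A value that does not reproduce from the seed is rejected.
    print("tampered value verifies:", verify_prime(SEED, p ^ 0x10, counter))
```

The check only rules out structure the generator could have chosen; it does not prove the seed itself was not searched for, which is why a seed should be an obviously non-arbitrary public string and why the verification procedure, not just the output, must be published.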
100 points for effort (Score:5, Insightful)
but if you're worrying about the reputation of US companies, you're too late.
Re:100 points for effort (Score:5, Insightful)
Yesterday's news marks the very first day for what will become a very bad time for American closed source security products. It would almost have been better for them if Snowden had been able to leak the actually collaborating and subverted companies' names rather than just the generalization "all major ones" - because as it stands now, big or small, they are all equally guilty and will suffer the democratic process of their customers voting with their feet/wallets, abandoning their backdoored closed source products. They all gave guarantees of being secure before and the PR departments are working overtime to try and maintain the illusion, but it is a hopeless battle now... trust once lost is very hard to recuperate.
but if you're worrying about the reputation of US companies, you're too late.
Especially when there is an army of politicians - all ONE of them AFAIK - calling this out.
Re: (Score:2)
The backhaul to the data centers will be more encrypted... read on for the hint
I wonder what the spying output will be like from the backdoored closed source products over the years? A lot of attempts at misinformation, past time/joke/junk use and drop in actionable gossip.
Re: (Score:2)
On the software side there may be open source alternatives, but for industrial strength infrastructure har
Net Loss (Score:2)
Re: (Score:2)
Already illegal? (Score:2)
Isn't it already illegal under the USC Title 18, Section 1030 subsections (a)(2)(A) and (C) , (a)(6)(A)?
To answer my own question, it most certainly would except for this little gem:
USC Title 18, 1030(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
See they're "lawfully authorized" or so they clai
Three-fourths of state legislatures (Score:2)
Unfortunately, we're stuck with a problem of who's watching the watchers unless we want to modify the Constitution to allow State governments to go after Federal officials for issues like this.
I think you hit upon how it'd happen: "modify the Constitution". Three-fourths of state legislatures can go after the feds. They can call a convention, propose an amendment, and ratify it.
Re: (Score:2)
The big brands/contractors and the sub committees trying to correct or shape the public record.
Nobody would be prosecuted but the mystique would fall and be replaced by the best telco/crypto/CS "quote of the day".
The endless fun we could have with the resident sockpuppets on slashdot too
This is a stupid idea. (Score:4, Informative)
This is a stupid idea. The 1976 consultation between the NSA and IBM over DES resulted in a stronger DES. The NSA couldn't disclose what it knew about how to easily attack the DES as it was originally proposed, and it took about 8 years for an academic researcher to understand why the original algorithm was actually weaker than the one with the proposed NSA modifications.
They are doing some rather asshole things at the moment (at the behest of the Federal Government - "We were just following orders"), but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S. Military.
Re: (Score:2)
If congress passes laws specifically targeting that behavior, then it can be stopp
Re:This is a stupid idea. (Score:5, Interesting)
but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S.Military.
So the NSA did not screw with Dual_EC_DRBG [wired.com] in the NIST standard? Or is it just that any hardware which implements Dual_EC_DRBG is going to be rejected without explanation when it is submitted for FIPS 140 [wikipedia.org] certification?
Re: (Score:2)
The concern isn't with them introducing weaknesses into the mathematical descriptions, but implementations. It's possible for an expert to find a deliberate weakness in an algorithm - it's much harder when the weakness is buried deep in the silicon somewhere, or a few bytes of machine code in an obfuscated binary. It's not only possible but likely that they have pressured some US software and hardware vendors to introduce such weaknesses. It wouldn't be that hard to, for example, sneak a deliberately weak
Re: (Score:2)
The 1976 consultation between the NSA and IBM over DES resulted in a stronger DES.
Yes and no.
They did fix the S boxes to make the algorithm resistant to differential cryptanalysis, but the original Lucifer cipher had 128-bit keys and a 128-bit block size. The NSA reduced the key size to 56 bits and the block size to 64 bits.
Re: (Score:2)
That's only partially true. NSA provided two changes to the original IBM Lucifer cipher: different S-Boxes (which made it more secure), and shorter keys (which made it less secure). The evidence is that they strengthened it enough to keep it just out of reach of everyone else who might attack it, while keeping it vulnerable enough for them. All the evidence shows that they're probably doing the same thing right now by putting in backdoors that only they can exploit (and there are some subtle ways to do this
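To make concrete what "fix the S boxes to make the algorithm resistant to differential cryptanalysis" means in the two comments above, here is an added example (not from any commenter in this thread): it builds the difference distribution table of the published DES S-box 1 and of a constructed linear S-box, and reports the largest non-trivial entry, which is the quantity differential cryptanalysis exploits. The DES design criteria published later by Coppersmith cap that entry at 16 of 64 input pairs.

```python
# Added example: compare the differential behaviour of the real DES S1
# against a constructed, linear 6-to-4-bit S-box. Lower max entry = harder
# to attack with differential cryptanalysis.
from itertools import product

# DES S-box 1 as published in FIPS 46 (four rows of sixteen 4-bit outputs).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table, x):
    """DES addressing: outer bits (b5, b0) pick the row, middle four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def weak_sbox(x):
    """Constructed linear S-box (just drops the two outer bits), for contrast."""
    return (x >> 1) & 0xF


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts inputs x with
    sbox(x) ^ sbox(x ^ din) == dout. Every row sums to 64."""
    table = [[0] * 16 for _ in range(64)]
    for x, din in product(range(64), repeat=2):
        table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table


def max_differential(sbox):
    """Largest DDT entry over non-zero input differences, as
    (count, input_diff, output_diff). The trivial 0 -> 0 entry is skipped."""
    table = ddt(sbox)
    return max((table[d][o], d, o) for d in range(1, 64) for o in range(16))


if __name__ == "__main__":
    # DES S1 stays at or below 16/64; the linear box is 64/64 for every input diff.
    print("DES S1 :", max_differential(lambda x: des_sbox(DES_S1, x)))
    print("linear :", max_differential(weak_sbox))
```

The key-size reduction the comments also mention is a separate issue: it shrinks the brute-force space without changing any DDT entry.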
Re: (Score:2)
They are doing some rather asshole things at the moment (at the behest of the Federal Government - "We were just following orders"), but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S. Military.
Perhaps. I wonder, though, if the NSA hasn't suffered a little "mission shift". Theoretically, their mission is twofold: To spy on the signals of the rest of the world, and to ensure the security of US signals. In the past, that latter part also included securing not just government communications, but civilian communications which were relevant to national security. I once worked on a purely private-sector project which had NSA oversight because it was considered critical to the well-being of the US finan
This would work as well as the war on drugs (Score:2)
And keeping guns out of the hands of criminals
And keeping the borders secure
the real problem (Score:2)
When bad guys use encryption to conceal their activities, we need to be able to decrypt it. Crippling the NSA is not the answer. The real problem is oversight. FISA is little more than a rubber stamp for whatever the intelligence services want to do. We need stronger oversight to protect the privacy of law abiding citizens, not a weaker ability to catch bad guys.
Re: (Score:2)
Not invading countries full of religious psychos would probably go a long way to not requiring the NSA in the first place.
Re: the real problem (Score:3)
Religious psychos don't need an invasion to provoke them. They kill people simply for disagreeing with them.
Re: (Score:2)
True enough. But on their own they are weak and marginalized and little threat.
When they do manage to provoke an invasion, that strengthens their hand immensely. The death and destruction and poverty inflicted gives them a generation of recruits and donors they would not otherwise have. And now we have jihadi armies, from Libya to Syria and on over to Afghanistan, created by US foreign policy and interventions.
Re: (Score:2)
They don't fly aeroplanes into buildings without a far better reason than that.
Re: (Score:2)
Re: (Score:2)
When bad guys use encryption to conceal their activities, we need to be able to decrypt it.
The people in the NSA (and the government in general) are the "bad guys." Anyway, why are you so worried about a nonexistent threat? The government is more of a threat to you (as in, your individual liberties, and if you're one of the few who make them angry, your well-being) than these fabled "bad guys" who use encryption.
Crippling the NSA is not the answer.
Yes, it is; they're human garbage.
The real problem is oversight. FISA is little more than a rubber stamp for whatever the intelligence services want to do.
That's only part of the problem. You'll never have effective oversight unless the public can always see what they're doing, and even then, the public mig
Question? (Score:4, Insightful)
Re: (Score:2)
Actually, I believe the answer is yes. This is subject, however, to the House Rules, which are decided upon by the House itself. I believe this means the House Rules Committee.
P.S.: This actually may no longer be true, but it was true around 1875 (plus or minus quite a bit). And I've never heard that it changed. In the actual case the Representative eventually resigned to allow the Governor to appoint a replacement for the benefit of his party.
Blackstone/Franklin Ratio (Score:2)
All we need to do is settle on whether it is better to let 10 guilty men go free than one innocent suffer (William Blackstone) or 100 (Benjamin Franklin).
Right now, we are leaning toward the philosophy of Pol Pot: 'It is better that ten innocent men suffer than one guilty man escape.'
Remember the Huawei ban? (Score:4, Insightful)
If you want an example of how getting a reputation for even the potential of embedded backdoors in your products can bite you, recall the ban imposed on Huawei network products by the US and Australia's National Broadcast Network. These revelations about the NSA's activities and US companies who roll over for them will definitely hurt sales of US products. I'll bet there are some marketing campaigns already being mulled over that would say, "Unlike our US competition, we aren't subject to demands from the NSA, and if they ever approach us, we'll tell them where to stick it." At least, that's what I'd be considering if I were a foreign telecom manufacturer.
Re: (Score:2)
You are, of course, assuming that there are any major foreign telecom/computer networking manufacturers that haven't already rolled over for the NSA in order to secure access to the very lucrative US telecom/computer networking markets...
Re: (Score:2)
Even if they haven't they are using specs out of committees that have potentially been influenced,
Basically what these revelations have done is destroyed any trust in crypto systems in use today.
Re: (Score:2)
If the software it runs is not open source and controlled by the user it cannot be trusted. Period.
It doesn't make a rat's ass difference where it's made and by whom. The British government is in on this too. Do you trust the Germans, Chinese, French, Taiwanese?
Simple Question (Score:2)
If, as Rep. Holt apparently wishes, the NSA were to stop intercepting and decrypting electronic communication, what exactly is the point of the organization?
Their mission:
First the Stick, THEN the carrot. (Score:4, Insightful)
Thanks for your efforts. But please remember that you have other, more effective tools at your disposal. The NSA has shown themselves a master in creative interpretation of law. Any new law will be twisted to their purposes. Then there will be years of appeals in the courts. Before you attempt new laws, you should immediately reassert Congress's most basic and irresistible power: The power to control the purse.
Your first act should be to slash the NSA's budget in half.
It is like working with a mule. First, you have to get their attention. As you slash their budget, explain that many of the NSA's actions have been dishonest. They have created long term problems for the rest of the country. And they have been spending their budget in ways that Congress does not approve.
After you slash their budget, ask them to give the complete Congress a full accounting of how they intend to spend their remaining budget. Give them a week.
If they waffle or present an incomplete accounting, then cut their remaining budget in half.
Don't worry about the NSA. They have tens of billions of budget. You can cut their budget in half several times and they will still be able to support their best analysts. Their hardware is cheaper and more powerful than ever before. Even after the cuts, they will be as effective as any time in the past few decades. But, the cuts will remove their ability to dominate entire industries. And they will not be able to use that support to justify their illegal and unethical acts. And that is a good thing.
Above all, don't let the executive branch deter you. Controlling budget is your natural, constitutionally mandated role. Congress has been shirking their duties lately. The Black Budget has been a shameful abrogation of your responsibilities. Controlling the budget of the executive branch is your job. Don't let anybody talk you out of it.
It may take several rounds of budget cuts, but eventually they will come back in line. Then you can use law to guide them.
Re: (Score:2)
Everything may seem normal, but the historic hints about backdoors in equipment are not new. I wonder how many govs over the years played the "insecurity" side by pushing junk info back out and waiting to see a hint of it in the US press?
Privatise the enforcement... (Score:2)
Re: (Score:2)