What is Digg?Sponsored by Dragon Age: Origins
Join the Dragon Age: Origins development team on Facebook view!
facebook.com/DragonAgeOrigins - EA presents BioWare's new dark fantasy epic Dragon Age: Origins. '9/10' from Game Informer.
143 Comments
- Chewie67, on 11/16/2007, -2/+95Is the encryption standard open source?
If not, you have to assume there is a backdoor. - scallon, on 11/16/2007, -2/+49Sounds a bit like Digital Fortress to me...
- kaelyiesta, on 11/16/2007, -0/+36I believe the issue is not the implementation, but the theory(algorithm) itself. The theory is open to any scrutiny, so if there is a 'backdoor' in the math/logic, it will be found. If the algorithm has a weakness, then it will be discovered. They can't make us use flawed algorithms, so all we have to do is keep pushing for different ones by exposing the flaws and presenting proof of concept exploits.
The hardest part will be to force implementations to adapt. So the best way to go is to try finding the exploits early before the standard begins to be implemented.
But you are right that if the implementation of the encryption process itself is closed source, then it's silly to just hope that there is no back door in the code. - lead2thehead, on 11/16/2007, -1/+31Not true, my friend. The NSA is the largest employer of PhD'd mathemeticians in the world. They are gods when it comes to cryptography.
- OBKenobi, on 11/16/2007, -5/+34You may not believe there is a backdoor in Windows, but there is obviously at least a kill switch and a covert update mechanism in Vista. This was revealed through Microsoft's incompetence, when they had their little "server accidents" a few months back, how can you even deny it?
- Mejogid, on 11/16/2007, -4/+27Way to rip off xkcd...
- OBKenobi, on 11/16/2007, -9/+27It is childishly easy to defeat the monitoring techniques of any intelligence agency in the world. The NSA has been fighting a losing battle since computer technology became widely available. Other intelligence agencies don't even waste their time and resources trying to monitor the flow of all information throughout the world.
The obsolescence of the NSA will not be revealed to the public because the US government wants the rest of the world to think it is still in control. It is not in control, it is a giant waste of tax $$$. - p0ss, on 11/16/2007, -3/+20I'm sick the government shoving things up my backdoor! Its exit only people!
- ArrakisDune, on 11/16/2007, -2/+18http://forums.microsoft.com/Genuine/ShowPost.aspx? ...
Not sure if id call it a "kill switch", but Microsoft certainly have the ability to turn off specific OS features. I would not be in the least surprised if they could totally lock you out of the OS.
As for the "covert update", I assume he is referring to : http://windowssecrets.com/2007/09/13/01-Microsoft- ... - lead2thehead, on 11/16/2007, -4/+18Ugh... please RTFA. It does not rely on skeleton keys to work. The algorithm is a form of elliptical curve cryptography and the "skeleton key" numbers they're referring to are the coefficients for the curve. They were chosen because they provide the best performance in terms of the randonmess of the values it generated. Besides, these researchers are only theorizing that it *might* be possible. Until they actually come up with some proof to back this up, it is merely speculation.
- trghpy, on 11/16/2007, -17/+29Sounds about as broken as this administration.
I prefer to use the Steve Gibson method.
Hash a counter with AES and a long enough key and you'll get some damn good random numbers.
Encryption is about keeping things simple, using an algorithm which relies on skeleton keys to work right sounds like it was thought up pretty half assed. - DnasTheGreat, on 11/16/2007, -0/+12Um, did you even bother to look up anything before posting?
AES the cipher itself was designed by two Belgians.
http://en.wikipedia.org/wiki/Advanced_Encryption_S ...
And the cipher was chosen on open contest-like thing.
http://en.wikipedia.org/wiki/Advanced_Encryption_S ...
I suppose you could try to claim that the NSA rigged the competition and that Rijndael was designed by the NSA under the names of two known Belgian cryptographers, but that's quite stretched, even as conspiracy theories go.
And it's not like you can "open source" a cipher. If a cipher's algorithm is not published, the cryptographic community tends not to think very highly of it. The old security by obscurity thing. - VitriolAndAngst, on 11/16/2007, -0/+10You are both right and both wrong.
Lead2theHead is right, because the NSA is able to spy on a lot.
OBKenobi is right, because very little of the spying effects actual bad guys. This domestic spying is about keeping tabs on the political opposition and controlling the populace. The "ridiculously easy" way to get around spying? Steganography. I could put out my message to all my operatives, right in plane view. All I would need is some GIF images, somewhere on the page. The other agent has all these images and knows where to look. What the NSA and other cannot know, is what pixels on the image I have altered. When you find the difference between the original and the altered -- you have the data. You could do this with a video, an mp3, or perhaps alter the data in a live video game, and be chatting in real time.
Much of the Al Qaeda messages, were sent with old fashioned techniques -- they didn't even trust cell phones (for good reason). NOTHING that our Government has spent billions on has been aimed at stopping Al Qaeda. It was probably a major effort to even occupy enough of our air force and NORAD as it was to let them get a chance.
The government is tracking everything -- which is like adding more hay to find a needle in a hay stack. If you are a terrorist -- you aren't going to buy that fertilizer with a credit card -- you will steal it. - johnmckee, on 11/16/2007, -0/+10Wasn't there a big deal years and years and years ago when they were developing the first standard encryption standard for the US that the NSA asked IBM to change one little part of it. It set of years and years of discussion of why the change was requested and if they had put a backdoor in.
Then many years later they found a weakness in the original spec that the NSA had asked them to change and the change actually made the encryption stronger not put a back door in it. - theonlywizdum, on 11/16/2007, -2/+12128-10-93-85-10-128-98-112-6-6-25-126-39-1-68-78
- Crosshare, on 11/16/2007, -3/+13Beat me to it. Somebody has been reading a little too much Dan Brown. I still hate that book for all of the hate pieces about the EFF in it.
- Cherubim, on 11/16/2007, -1/+10And how many backdoors do you think are in Vista ? The NSA sure got its grubby hands on that OS before it got released.
- uptown, on 11/16/2007, -2/+11Be a beacon?
- digudown, on 11/16/2007, -2/+11So you know nothing about cryptography right?
- baalzebub, on 11/16/2007, -1/+10this is like the fox applying for a job as security at the local chicken coop...
- drtyfrnk, on 11/16/2007, -0/+9Was thinking the exact same thing
- kneeofwisdom, on 11/16/2007, -4/+13username: admin
password: password - cranium, on 11/16/2007, -1/+8DES, IIRC. Yep, that was before the government considered the people to be the enemy. Back then, the big concern was that if overseas hackers could break the encryption of our financial institutions they could bring down the whole economy in a hurry.
- EarlOfLade, on 11/16/2007, -3/+10That's not what you said last nite....
- Metal_Hurlant, on 11/16/2007, -0/+7I wish people would RTFA.
This isn't about DES or AES.
This is about a random number generator that the NSA came up with, that has a bunch of magic constants that may well have been hand picked to give someone a way to guess what your "random number" generator will output next after seeing a few generated numbers.
Usually, cryptographers make a point to pick magic constants that follow some recognizable patterns (Digits of PI, digits of e, that kind of thing), to avoid any accusations their constants were cherry-picked for some nefarious purpose.
Also, Bruce Schneier can losslessly compress random data by 50%, with his fists. ( http://geekz.co.uk/schneierfacts/ ) - jordanau, on 11/16/2007, -4/+11Did the guy research it, or just read "Digital Fortress"?
- lead2thehead, on 11/16/2007, -4/+10If the NSA plans to use this algorithm for their own data, there is NO WAY they would intentionally add a vulnerability. If you want to make sure your data is safe, use AES-256. That's what they use.
- micro506, on 11/16/2007, -1/+7You read Digital Fortress?
- TheShadowKnows, on 11/16/2007, -1/+6I was at NIST (then NBS) around the time the DES stuff went down, NSA definitely had the DES key shortened.
Here's the way the discussion went:
NBS: After much careful analysis, we believe the DES key should be 64 bits long.
NSA: No, the key only needs to be 56 bits.
NBS: But that wouldn't be secure. Most people couldn't crack it, of course, but someone with enough specialized hardware could potentially break the code. Our job is to create high quality national standards, and we'd be telling people their data is secure when in fact someone could spy on it. If this standard is supposed to be secure, the key really needs to be 64 bits.
NSA: We're telling you your position is the key only needs to be 56 bits.
NBS: (slowly comprehending) Oh....
People were upset about that one for a long, long time. - itsbob, on 11/16/2007, -0/+5how the heck did you figure out my login?!?!
- WeeBull, on 11/16/2007, -0/+5Identifying a back door in cryptography algorithm isn't as simple as looking for "if (backdoor == true) open the gates" and going "Ah-ha!"
A backdoor, if present, would be hidden in subtle side effect of the maths involved, an intentional weakness if you like. What has happened is that some respected researchers have identified a weakness in the system, and to exploit it you need to have an unknown set of numbers. The question is was it deliberate, and does someone know the numbers. Unfortunatley that's impossible to know, and so the whole standard must be called into question.
"The reason I don't believe they have knowingly put a back door into the *algorithm* is because it would compromise their own security."
You think the NSA wouldn't consider putting a backdoor in one algorithm and then use a different one? - toxicshok, on 11/16/2007, -0/+5no, it was from 64 bits to 56 bits.
- hollyminkowski, on 11/16/2007, -0/+5Bruce Schneier is brilliant!
I have his Applied Cryptography book and I recommend it to anyone
with an interest in crypto. - digudown, on 11/16/2007, -0/+5Do you even know what you are talking about http://en.wikipedia.org/wiki/Bruce_Schneier
- digudown, on 11/16/2007, -0/+5You are questioning Bruce Schneier's knowledge!!
- VitriolAndAngst, on 11/16/2007, -1/+6Sounds like he's never heard of Public Key, Private Key. If they build a back door -- it's their back door.
And I'm sure they don't use anything that is in the public domain.
I also find it likely that most of the stuff the Chinese hackers are getting are "tar babies" and it's only what they let them hack.
But other government agencies probably have worse securities than your average business -- totally clueless. The Bush administration could probably give two craps about a foreign invader. They are too busy treating the public like the enemy to care -- and if you actually wanted to hurt America, you would stand out of the way of the Bush government.
If some group like Russia broke in to Bush's computers -- what could they do? Provide us open governments? The only secrets they got are money transfers and bribes. Screwing up the battle plans might mean peace would break out somewhere.
There is no damn enemy people. Just business. Getting ***** to fall apart so they can make money and take power fixing it. - Wosat, on 11/16/2007, -2/+7In case anyone wants to look further into the Windows backdoor issue...
http://www.google.com/search?q=nsa_key+windows - Metal_Hurlant, on 11/16/2007, -0/+5The 40 bit DES thing was used in one of SSL's "exportable" (aka "breakable") cipher suite meant for non-US users to do their online banking with.
Good times. - schestowitz, on 11/16/2007, -3/+8
Everything you do with proprietary software totally exposes you. For your reading pleasure, I've just collected some references that I have.
http://www.schneier.com/blog/archives/2007/01/nsa_ ...
Microsoft could be teaching police to hack Vista
http://www.vnunet.com/vnunet/news/2150555/microsof ...
UK holds Microsoft security talks
http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm
Spy Master Admits Error
http://www.msnbc.msn.com/id/20749773/site/newsweek ...
FBI ducks questions about its remotely installed spyware
http://news.com.com/8301-10784_3-9747666-7.html
United States Government Online Watchdogs? Part of the war on terror?
http://www.whitedust.net/news/3984/United_States_G ...
Back doors in Windows XP...
http://www.youtube.com/watch?v=KGlNTEQ0RzM
Mother of all spyware...
http://news.softpedia.com/news/Forget-about-the-WG ...
Police eats your CPU cycles and disk space...
http://www.abanet.org/journal/ereport/jy13tkjasn.h ...
Will Microsoft Put The Colonel in the Kernel?
http://slashdot.org/article.pl?sid=07/07/14/043200
Austria OKs terror snooping Trojan plan
http://www.theregister.co.uk/2007/10/23/teutonic_t ...
Schäuble renews calls for surreptitious online searches of PCs
http://www.heise.de/english/newsticker/news/97755/ ...
Microsoft exec calls XP hack 'frightening'
http://news.zdnet.com/2100-1009_22-6218238.html
Duh! Windows Encryption Hacked Via Random Number Generator
"Editors Note: I believe this "loophole" is part of the Patriot Act, it is designed for foreign governments. Seriously, if you care about security, privacy, data, trojans, spyware, etc., one does not run Windows, you run Linux. "
http://www.linuxelectrons.com/news/general/14365/d ...
"Trusted" Computing
http://tuxdeluxe.org/node/164
Read on APIs here:
http://en.wikipedia.org/wiki/Jim_Allchin
How NSA access was built into Windows
http://www.heise.de/tp/r4/artikel/5/5263/1.html
NSA Builds Security Access Into Windows
http://www.techweb.com/wire/story/TWB19990903S0014
Encrypted E-Mail Company Hushmail Spills to Feds
http://blog.wired.com/27bstroke6/2007/11/encrypted ...
No email privacy rights under Constitution, US gov claims
http://www.theregister.co.uk/2007/11/04/4th-amendm ...
Why proprietary code is bad for security
http://wolfgang.lonien.de/?p=394
Beware of Skype
http://www.freesoftwaremagazine.com/node/2479 - Beylan, on 11/16/2007, -3/+7Wow, was that a Sneakers reference?
- chess007, on 11/16/2007, -3/+7Anyone in the security field who uses software that isn't open source is silly. Go Open and check the code.
- HerbSolo, on 11/16/2007, -0/+4That's the wrong question. If you want a secure system, you don't ask for proof for it being compromised, you ask for proof for it being safe.
- fluxion, on 11/16/2007, -1/+5unless they think the only people with access to that backdoor are people with the highest security clearances.
- MacSuxWindozSux, on 11/16/2007, -0/+3Thats not true. At one point encryption above 40bit was considered a non-exportable munition by the USA government.
Thats why the PGP creator had to go to court.
I did the research, you failed.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy - Tossrock, on 11/16/2007, -1/+4Did you read the article or just skim it? The guy has authored books on cryptography, I think he knows what he's talking about.
- HerbSolo, on 11/16/2007, -0/+3i know, it's a rather long article, but if you don't read it, don't comment on it.
It's about Random-Number-Generation, which may compromise your key-generation process. There's no way of telling which RNG the NSA used for key generation just by looking at the Cryptosystem they are using. You don't need to "hack" AES-256, if you can predict the used keys. - Ghengis, on 11/16/2007, -0/+3That's really just security through obscurity. A sound algorithm can stand on it's own.
- grumpyrain, on 11/16/2007, -2/+5The algorithm or method used is indeed public, so if there is a back door to the encryption itself, it would be soon exposed. In terms of back doors, they are more likely to be related to key storage and management than the algorithm itself. The reason I don't believe they have knowingly put a back door into the *algorithm* is because it would compromise their own security. That does not mean that they have not put a back door into specific application, OS or hardware when it comes to managing the encryption keys.
- TripcodeMel, on 11/16/2007, -2/+5Digital Fortress was a terrible book.
HURR THE CODE WASN'T UNBREAKABLE IT WAS JUST REALLY REALLY REALLY REALLY HARD TO CRACK.
***** you for wasting three days of my life, Dan Brown. - MacSuxWindozSux, on 11/16/2007, -0/+3Hahahahah they never jailed him at all.
He did go to court because copies of his encryption program left the United States, and at the time encryption over 40bits was considered a non-exportable munition by the government.
While in court, what the PGP creator did was publish the source code in a book, where book distribution is protected by the 1st Amendment.
The charges were dropped and the law has since been changed. -
Show 51 - 100 of 143 discussions
Browsing Digg on your phone just got easier with our enhancements to the 
© Digg Inc. 2009
— Content created and posted by Digg users is