
Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry


Reefa


Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are "going dark," and that Silicon Valley is foolishly aiding terrorism thanks to its "obsession" with privacy etc. etc. Against that background, it's easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.

 

But suppose all this is just for show -- not so much security theater, but as privacy theater to divert our attention from what is really happening. That's one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):

 

Quote

In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

 

NSA's fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the "ABBA" program handles the following situation:

 

Quote

Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive

 

The novel solution is for the NSA to exploit "raw capitalism," and to "throw money at the problem" by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its "friends" in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.

 

The "QUEEN" program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:

 

Quote

FUD

Play GPL vs BSD card

"Bikeshed" discussions

Soak mental bandwidth with bogus crypto proposals

 

A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the "BOYS" program, whose "crown jewel" is OpenSSL. The impact of the "Heartbleed" vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That's just one indication that Kamp's witty re-imagining of recent computer history is not so far-fetched.

 

Even assuming -- hoping -- that Kamp's talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA -- or other well-funded agencies -- to subvert today's computing industry in perfectly legal ways, it provides an important warning about what's wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won't be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.

 

source

1 hour ago, humble3d said:

With friends like DARPA, ET ALIA...

 

You can take that to the bank...

The beginning of NSA began in World War 1 when they broke encryption on the Germans' radio transmissions. The US government has been breaking encryption for like a 100 years. So it's doubtful you could avoid the NSA if you were under their radar. So what makes you think you're safe from them just because they invented the internet? They are paid to collect the info Uncle Sam wants and they have almost 100 years of experience of doing it too. :)



Not just the USA... every country does and has done so since before the days of city-states... the only thing different is technology has allowed an industrial revolution in collection of data.



1 hour ago, dMog said:

Not just the USA... every country does and has done so since before the days of city-states... the only thing different is technology has allowed an industrial revolution in collection of data.

The thing is, I was around on the internet way back there before all this encryption was used on the internet. Now they're set on encrypting 100% of the Web.

https://letsencrypt.org//2016/04/12/leaving-beta-new-sponsors.html

 

The NSA never bothered me, even back after 9/11 when they were in the chat rooms we were in catching the people responsible. I never used encryption to avoid the NSA; I use it to avoid everyone else that collects data. The NSA is the least of my worries. I'm not a criminal, but on the internet everything collects data, not just the NSA. So you're much better off with it than without it.

 

LOL, people worry about things like the Heartbleed bug and the NSA when still much of the internet they visit is not encrypted at all. Back before Snowden no one even gave a shit about encryption much. Things are much better about being encrypted than they were, but if you think it's going to keep out the NSA you're using it for the wrong reasons and you just have a false sense of privacy. When you're in public it's technically impossible to have privacy, so you should never do anything on the internet you wouldn't do in public. If you want privacy, disconnect the internet and go do something without it in your own home.



Archived

This topic is now archived and is closed to further replies.
