NSA program to insert back-doors into crypto tools

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
Not long ago there was discussion about an NSA program to "help" with Android development and I, as well as others, suggested this was suspicious. Quite a few others laughed at this paranoia. Now this...

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

There was no specific comment on Android, but in light of this news story I'd guess at least a few of those that laughed are not laughing anymore...


Really, who's surprised by this? Who's OK with it?


Brian
 

bearxor

Diamond Member
Jul 8, 2001
6,605
3
81
I'm not surprised by anything that comes out about the NSA, but I wasn't one of the ones laughing it off earlier, either.

Of course, you're just going to get the response I got.
People making a mountain out of a mole hill...
***Yawn***What else is new?
 

Zodiark1593

Platinum Member
Oct 21, 2012
2,230
4
81
At the very least, we can still code our own encryption tools as needed without the approval or knowledge of the government, though given the progress made by the NSA, I'm wondering if the AES and PGP algorithms are already cracked.
 
Last edited:

Graze

Senior member
Nov 27, 2012
468
1
0
Not long ago there was discussion about an NSA program to "help" with Android development and I, as well as others, suggested this was suspicious. Quite a few others laughed at this paranoia. Now this...

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

There was no specific comment on Android, but in light of this news story I'd guess at least a few of those that laughed are not laughing anymore...


Really, who's surprised by this? Who's OK with it?


Brian


Android is open source. You could simply view the code that anyone contributes, including any backdoors.
 

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
Not sure exactly how Android is a crypto tool.


When you send emails from your Android phone or tablet is there any encryption? If so, what's doing it?

If you surf the web and buy something from your Android phone or tablet, is the transaction encrypted in any way? If so, what's doing it?

There are crypto tools/code in Android and the NSA wants to make sure it's safe from prying eyes -- why else would they be lending assistance?

The reason the NSA and the larger government is getting away with stuff like this is because too many smart people can't imagine them having a bad intent. We get what we deserve...


Brian
 

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
Android is open source. You could simply view the code that anyone contributes, including any backdoors.

And there's plenty of folks that could pore over the code in any other product.

Fact, the NSA and GCHQ are paying to make sure they have back-doors yet I've seen no report that anyone's found them yet. So, it looks like they are pretty smart about inserting these vulnerabilities. The fact that Android is open source means absolutely nothing and only offers the 'appearance' that back-doors can't exist.

There have been a number of cases where police/FBI types have been able to turn on the GPS of someone's phone remotely -- how did they do that without some form of back-door?


Brian
 

Bateluer

Lifer
Jun 23, 2001
27,730
8
0
The fact that Android is open source means absolutely nothing and only offers the 'appearance' that back-doors can't exist.

There have been a number of cases where police/FBI types have been able to turn on the GPS of someone's phone remotely -- how did they do that without some form of back-door?

A back door and a security flaw aren't the same thing. Neither is it a back door when the carrier installs an app that allows this access. Most of the time, you can exploit the same system the feds used to turn on the GPS and microphone.
 

WelshBloke

Lifer
Jan 12, 2005
32,917
11,050
136
Not long ago there was discussion about an NSA program to "help" with Android development and I, as well as others, suggested this was suspicious. Quite a few others laughed at this paranoia. Now this...

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

There was no specific comment on Android, but in light of this news story I'd guess at least a few of those that laughed are not laughing anymore...


Really, who's surprised by this? Who's OK with it?


Brian

I'm not sure how that article changes anything from the previous discussion.

If you are worried about back doors and deliberate security holes in a product then open source is still the safest as you can examine what happens as opposed to a closed source system where you really just have to trust the vendor.
 

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
Data surveillance is the remedy that our government has chosen, and I say let us give them all they want.
 
Last edited:

Graze

Senior member
Nov 27, 2012
468
1
0
And there's plenty of folks that could pore over the code in any other product.

Fact, the NSA and GCHQ are paying to make sure they have back-doors yet I've seen no report that anyone's found them yet. So, it looks like they are pretty smart about inserting these vulnerabilities. The fact that Android is open source means absolutely nothing and only offers the 'appearance' that back-doors can't exist.

There have been a number of cases where police/FBI types have been able to turn on the GPS of someone's phone remotely -- how did they do that without some form of back-door?


Brian

Your tinfoil hat is a little too tight now!

You know, at least with Android you get to view the code that's on your phone. With iOS and WP or any other closed-source OS you aren't allowed that luxury and don't know WTF you are using :rolleyes:
 

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
Your tinfoil hat is a little too tight now!

You know, at least with Android you get to view the code that's on your phone. With iOS and WP or any other closed-source OS you aren't allowed that luxury and don't know WTF you are using :rolleyes:


It's not a tinfoil hat if it's true, now is it!


Brian
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
Not long ago there was discussion about an NSA program to "help" with Android development and I, as well as others, suggested this was suspicious. Quite a few others laughed at this paranoia. Now this...

The lack of technical understanding in this statement is hilarious given we're on a supposed tech forum.

The NSA's contributions to Android were on the SELinux kernel, which is peer reviewed by individuals across multiple organizations. In particular, they strengthened the security model.

The current revelation is to do with encryption standards used by commercial crypto tools. Fortunately, their work was peer reviewed and found to be wanting:

http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/

In particular, the portion of the standard in which they stuck their fingers is not commonly used:

If the NSA did indeed insert a backdoor into SP 800-90, it was a peculiar effort. Of the 401 validated implementations of SP 800-90, only 66 even implement the algorithm. While implementations of it do exist in common software—Microsoft added it to Windows Vista Service Pack 1, for example, and it can be found in OpenSSL and many Java libraries too—its slow performance means that it isn't ever likely to be a popular choice. Combined with the concerns about bias—known before the SP 800-90 was finalized—and the worries about NSA backdooring, and users are likely to be few and far between.

And there's plenty of folks that could pore over the code in any other product.

Please provide a link to a publicly available repository of the iOS code or Windows source.
 

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
Thanks for posting something entirely unrelated to my post. :thumbsup:

I don't have the source code for them and you had to know that! Also, the referenced link indicates that the NSA has hooks into iOS.

You can play whatever game you wish, but I merely pointed out that there is info that points to the NSA and GCHQ having access to several systems, including Android and iOS, and that the NSA has paid a good deal of money to major tech companies (unnamed) to make sure they had access.

In summary:

1. The NSA has apparently paid major tech companies to make sure they could get into Android, iOS etc.

2. That the NSA has provided guidance and assistance to develop encryption and security standards and that they have worked to make sure they were not so strong that they couldn't get in.

"Leading technologists said they felt betrayed that the NSA, which has contributed to some important security standards, was trying to ensure they stayed weak enough that the agency could break them. Some said they were stunned that the government would value its monitoring ability so much that it was willing to reduce everyone's security." (Reuters)

3. That they have inserted vulnerabilities to give them access.

"Documents provided to The Guardian, the New York Times and others by Snowden and published on Thursday show that the agency worked to insert vulnerabilities in commercial encryption gear, covertly influence other designs to allow for future entry, and weaken industry-wide standards to the agency's benefit."


So how do they insert vulnerabilities? Isn't an intentional vulnerability just another name for back-door?

Finally, you don't need source code to reverse engineer what code does. Back when the IBM PC came out, the clone makers needed a copy of the BIOS, but they couldn't just copy it, so they had two teams of software engineers review it. One team pored over the code (not source but machine) and then described what each section did so that the second team, the virgins, would green code from the supplied descriptions from the first team. You don't need source code to do this.


Brian
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
I don't have the source code for them and you had to know that! Also, the referenced link indicates that the NSA has hooks into iOS.

Do you read, let alone understand the links you're posting?

CNET said:
NSA scripts allow the agency to access at least 38 iPhone features after the agency infiltrates the computer used to sync the device, Spiegel reported.

In other words, they attack the PC - not the phone. Give me access to the computer that syncs with an iPhone, and I could reconfigure it to do all sorts of things - just by running Apple's own iPhone configuration utility.

In summary:

You're drawing conclusions that aren't supported by your own links.
 
Last edited:

Zodiark1593

Platinum Member
Oct 21, 2012
2,230
4
81
In other words, they attack the PC - not the phone. Give me access to the computer that syncs with an iPhone, and I could reconfigure it to do all sorts of things - just by running Apple's own iPhone configuration utility.

Physical access to a machine that is even remotely connected to your data is a security risk. Probably best to keep the physical machine with sensitive data under close watch, or in a very good safe, as even with full disk encryption, an adversary can still install keyloggers, or otherwise modify the bootloader.
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
Physical access to a machine that is even remotely connected to your data is a security risk. Probably best to keep the physical machine with sensitive data under close watch, or in a very good safe, as even with full disk encryption, an adversary can still install keyloggers, or otherwise modify the bootloader.

Precisely. In the case of the iPhone configuration utility, it's designed to allow people to manage their devices from the PC - including pushing apps to the device. No secret NSA back door necessary.
 

lothar

Diamond Member
Jan 5, 2000
6,674
7
76
The lack of technical understanding in this statement is hilarious given we're on a supposed tech forum.

The NSA's contributions to Android were on the SELinux kernel, which is peer reviewed by individuals across multiple organizations. In particular, they strengthened the security model.

The current revelation is to do with encryption standards used by commercial crypto tools. Fortunately, their work was peer reviewed and found to be wanting:

http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/

In particular, the portion of the standard in which they stuck their fingers is not commonly used:

Please provide a link to a publicly available repository of the iOS code or Windows source.

Get out of here with your common sense.
Of course people like Brian Stirling and bearxor will keep wearing their delusional tinfoil hats despite us providing evidence to the contrary.
 

MrX8503

Diamond Member
Oct 23, 2005
4,529
0
0
Why is having a tinfoil hat farfetched when it's been proven that the NSA surveillance is far-reaching and illegal?