NSA Backdoors In Open Source and Open Standards: What Are the Odds?

New submitter quarrelinastraw writes "For years, users have conjectured that the NSA may have placed backdoors in security projects such as SELinux and in cryptography standards such as AES. However, I have yet to have seen a serious scientific analysis of this question, as discussions rarely get beyond general paranoia facing off against a general belief that government incompetence plus public scrutiny make backdoors unlikely. In light of the recent NSA revelations about the PRISM surveillance program, and that Microsoft tells the NSA about bugs before fixing them, how concerned should we be? And if there is reason for concern, what steps should we take individually or as a community?" Read more below for some of the background that inspires these questions.
quarrelinastraw continues: "History seems relevant here, so to seed the discussion I'll point out the following for those who may not be familiar. The NSA opposed giving the public access to strong cryptography in the '90s because it feared cryptography would interfere with wiretaps. They proposed a key escrow program so that they would have everybody's encryption keys. They developed a cryptography chipset called the "clipper chip" that gave a backdoor to law enforcement and which is still used in the US government. Prior to this, in the 1970s, the NSA tried to change the cryptography standard DES (the precursor to AES) to reduce key length, effectively making the standard weaker against brute-force attacks of the sort the NSA would have used.

Since the late '90s, the NSA appears to have stopped its opposition to public cryptography and instead (appears to be) actively encouraging its development and strengthening. The NSA released the first version of SELinux in 2000, 4 years after they canceled the clipper chip program due to the public's lack of interest. It is possible that the NSA simply gave up on their fight against public access to cryptography, but it is also possible that they simply moved their resources into social engineering — getting the public to voluntarily install backdoors that are inadvertently endorsed by security experts because they appear in GPLed code. Is this pure fantasy? Or is there something to worry about here?"
  • by kc9jud ( 1863822 ) on Tuesday July 02, 2013 @08:58AM (#44164305)

    Backdoors are passé.

    And so is proper Unicode support...

  • Bitcoin? (Score:5, Funny)

    by Fesh ( 112953 ) on Tuesday July 02, 2013 @09:09AM (#44164415) Homepage Journal

    Obviously I haven't read the literature enough to know how it works or why it's impossible... But it would be really funny if it turned out that Bitcoin mining was actually the NSA's attempt at crowdsourcing brute-force decryption...

  • by Anonymous Coward on Tuesday July 02, 2013 @09:19AM (#44164519)

    Belgium - The more awesomer part of the Spanish Netherlands!

  • by Alranor ( 472986 ) on Tuesday July 02, 2013 @09:24AM (#44164589)

    It's all Greek to me

  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Tuesday July 02, 2013 @09:34AM (#44164707) Homepage

    there's a story i heard about the origins of linux, which was told to me a few years ago at a ukuug conference by a self-employed journalist called richard. he was present at a meeting in a secure facility where the effects of "The Unix Wars" were being exploited by Microsoft to good effect. the people at the meeting could clearly see the writing on the wall - that the approx. $10,000s cost of Unixen vs the approx. $100s of windows would be seriously, seriously hard to combat from a security perspective. their primary concern was that the [expensive] Unixen at least came with source: microsoft was utterly proprietary, uncontrolled, out of control, yet would obviously be extremely hard to justify *not* being deployed in sensitive government departments based on cost alone. ... so the decision was made to *engineer* a free version of Unix. one of the people at the meeting was tasked with finding a suitable PhD student to "groom" and encourage. he found linus torvalds: the rest is history.

    now we have SE/Linux - designed and maintained primarily by the NSA.

    the bottom line is that the chances of this speculation being true - that the NSA has placed back-doors in GNU/Linux or its compiler toolchain - are extremely remote. you have to bear in mind that the NSA is indirectly responsible for securing its nation's infrastructure. adding in backdoors would be extremely foolish.

  • by PopeRatzo ( 965947 ) on Tuesday July 02, 2013 @09:39AM (#44164763) Journal

    Belgian ffs.
    Belgium, I hate it when people mistake us for Dutch!

    Seriously, right? They probably don't even know you guys invented spaghetti and kung fu.

    I for one think the Belgs are awesome.

  • Re:Yep (Score:4, Funny)

    by Joce640k ( 829181 ) on Tuesday July 02, 2013 @10:05AM (#44165051) Homepage

    AES ... is the sole most attacked cypher in history, and remains secure.

    The 128-bit version remains secure. The 256 and 192-bit versions are believed secure but have shown cracks (they should really have had a couple more encryption rounds).

    The 256/192-bit versions are just re-fiddlings of the 128-bit version, made to fulfill the NIST requirements for key sizes. This was largely a waste of time since 128-bits can't be brute-forced with any imaginable technology.

    (My advice to any potential cryptography coders out there is to stick with the 128-bit version).
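    The "re-fiddling" Joce640k refers to is visible in the key schedule: FIPS-197 derives the round count from the key length (Nk + 6 words, giving 10, 12 and 14 rounds), and the 256-bit variant adds one extra SubWord step in the expansion. The following is an added illustration written for this discussion, not code posted in the thread; it builds the S-box from the GF(2^8) inverse and affine map so it runs with no dependencies, and the test vectors in the comments are the FIPS-197 Appendix A keys.

```python
"""AES key expansion (FIPS-197 section 5.2) for all three key sizes.

Added example for the thread above; not from any poster or project.
"""


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def build_sbox():
    """Derive the S-box: multiplicative inverse, then the affine transform."""
    inverse = [0] * 256  # inverse of 0 is defined as 0
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inverse[a] = b
                break
    sbox = []
    for x in inverse:
        s = x
        for shift in range(1, 5):  # s ^= rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
            s ^= ((x << shift) | (x >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_word(w):
    return bytes(SBOX[b] for b in w)


def rot_word(w):
    return w[1:] + w[:1]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rcon(i):
    """Round constant: x^(i-1) in GF(2^8) followed by three zero bytes."""
    v = 1
    for _ in range(i - 1):
        v = gf_mul(v, 2)
    return bytes([v, 0, 0, 0])


def round_count(key):
    """Nr = Nk + 6: 10 rounds for AES-128, 12 for AES-192, 14 for AES-256."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    return len(key) // 4 + 6


def expand_key(key):
    """Return the 4*(Nr+1) schedule words; AES-256 applies the extra SubWord step."""
    nk = len(key) // 4
    nr = round_count(key)
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = xor(sub_word(rot_word(temp)), rcon(i // nk))
        elif nk > 6 and i % nk == 4:  # the only schedule difference unique to AES-256
            temp = sub_word(temp)
        w.append(xor(w[i - nk], temp))
    return w


def round_keys(key):
    """Group the schedule into 16-byte round keys (one more than the round count)."""
    w = expand_key(key)
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(len(w) // 4)]


if __name__ == "__main__":
    # FIPS-197 Appendix A test keys; w[4] of the 128-bit schedule is a0fafe17.
    for hexkey in ("2b7e151628aed2a6abf7158809cf4f3c",
                   "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
                   "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"):
        key = bytes.fromhex(hexkey)
        print(f"AES-{len(key) * 8}: {round_count(key)} rounds, "
              f"{len(round_keys(key))} round keys, first derived word {expand_key(key)[len(key) // 4].hex()}")
```

    Running it shows the point directly: going from 128 to 256 bits buys four more rounds and a slightly different schedule, nothing else in the round function changes. Whether that margin is adequate is the design judgement the comment is questioning; the code only makes the structural difference concrete.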

  • by interval1066 ( 668936 ) on Tuesday July 02, 2013 @12:24PM (#44166915) Journal

    So, you're illiterate and proud of it. Cool.

    So, you're a dick, and don't know it. Awesome.

  • by ttucker ( 2884057 ) on Tuesday July 02, 2013 @12:35PM (#44167069)

    So, you're illiterate and proud of it. Cool.

    So, you're a dick, and don't know it. Awesome.

    I think he probably knows.
