Post AJbb1DDAOKWX7sFkOm by jtlong@fosstodon.org
 (DIR) More posts by jtlong@fosstodon.org
 (DIR) Post #AJSUssnC4nytKk6tDE by mike@fosstodon.org
       2022-05-14T23:50:34Z
       
       0 likes, 0 repeats
       
       The NSA has assured everybody that there are no backdoors in their fancy new encryption, and of course we all believe them because they're the NSA and they would never EVER lie to us. Ever. 🙄 Honestly, I don't know much about this and the new encryption they're working on probably warrants a look. I just have a hard time believing an organization like the NSA is going to create something they can't get through considering their line of work. Am I just being paranoid?https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech
       
 (DIR) Post #AJSVeyAJP4jPtgqwc4 by renatoram@fosstodon.org
       2022-05-14T23:59:20Z
       
       0 likes, 0 repeats
       
       @mike well, they have been caught at least a couple of times in the past so... I'll wait for the really paranoid to take a look (like, say, the OpenBSD folks)
       
 (DIR) Post #AJSWK9tGiMdm8QWOdE by Anfeald@fosstodon.org
       2022-05-15T00:06:46Z
       
       0 likes, 0 repeats
       
       @mike have you read Snowden's book?
       
 (DIR) Post #AJSX1COjGf5KMblC52 by takloufer@fosstodon.org
       2022-05-15T00:14:33Z
       
       0 likes, 0 repeats
       
       @mike in short its a complex history. On the one hand they did try shady things w a std in the past, otoh they did good work for a long time both before and after. Their tasks are counterintel as well, and in this area that meant ensuring quality crypto for US use & infrastructure. Anyhow, real crypto experts in academia ought to judge if something's fishy or not here, its not on obvious thing just based on who they are.
       
 (DIR) Post #AJSXK0owXGs1xYzaoy by wholesomedonut@fosstodon.org
       2022-05-15T00:17:56Z
       
       0 likes, 0 repeats
       
       @mike I would trust them to act in their own interest as an organization; and therefore I’d only trust them to not include back doors into anything they do if and only if it served those interests at a larger scale.
       
 (DIR) Post #AJSaGDh5203oabCKTw by RL_Dane@fosstodon.org
       2022-05-15T00:50:52Z
       
       0 likes, 0 repeats
       
       @mike Wow, AES is twenty years old now, isn't it? 😯
       
 (DIR) Post #AJScPLBakFFsL9wjLM by sudoedit@fosstodon.org
       2022-05-15T01:14:56Z
       
       0 likes, 0 repeats
       
       @mike I've always read that the NSA has 2 primary missions. 1 is Foreign Signals Intelligence and the other is cyber defense. At least in theory their mission to defend American computer systems, should disincentivize them from purposely weakening our defenses... SELinux is a good example.However they have done some shady shit over the last few decades so who knows.
       
 (DIR) Post #AJSiFmIHhdU3F8ts24 by yojimbo@hackers.town
       2022-05-15T02:20:24Z
       
       0 likes, 0 repeats
       
       @mike I doubt you're bring too paranoid. They have excellent mathematicians working for them and are capable of hiding much badness; Dual EC DRBG being the canonical example that they are happy to lie and manipulate even Americans during their mission.How you choose to trust a government and powerful secretive organisations that refuse to be scrutinised by the public is ... up to you.
       
 (DIR) Post #AJSsAcSxoWGMrB4f3o by fivespeed@fosstodon.org
       2022-05-15T04:11:33Z
       
       0 likes, 0 repeats
       
       @mike This line from the article is what matters to me:"...the final standard will also be open to scrutiny for any weakness or flaws."To be sure, assurances from the NSA are not good enough. But if trusted experts in the field get behind it, I would feel somewhat better.
       
 (DIR) Post #AJSwPRmYDd8PsgYtP6 by RyuKurisu@fosstodon.org
       2022-05-15T04:59:03Z
       
       0 likes, 0 repeats
       
       @mike who can forget "Export Grade Encryption"? https://securitipedia.com/terms/e/export-grade-cryptography/ 😏👍
       
 (DIR) Post #AJSwvLulZN00wxcNpA by michel_slm@floss.social
       2022-05-15T00:05:56Z
       
       0 likes, 0 repeats
       
       @renatoram @mike when they suggested changes to DES it actually made it stronger (though it also means the NSA's knowledge of crypto was far ahead of the public state of the art at the time). That was a long time ago though, and their track record is more questionable now.Though SELinux was surprisingly OK
       
 (DIR) Post #AJSwvMMltFOuLoikTY by mike@fosstodon.org
       2022-05-15T05:04:47Z
       
       0 likes, 0 repeats
       
       @michel_slm @renatoram I'm glad you mentioned this. For some reason I had it in my head that SELinux was the CIA, not the NSA, which was wrong. This increases my optimism at least a little bit.
       
 (DIR) Post #AJSwxY8d5qthRL9NJY by mike@fosstodon.org
       2022-05-15T05:05:14Z
       
       0 likes, 0 repeats
       
       @Anfeald I haven't. I really should.
       
 (DIR) Post #AJSx8EXgI6HjqjxjGq by mike@fosstodon.org
       2022-05-15T05:07:08Z
       
       0 likes, 0 repeats
       
       @sudoedit SELinux is a good point. I admit I had it in my head that SELinux came from the CIA, not the NSA. Not sure why that is, but that was wrong. Being corrected about SELinux does improve things at least a little bit in my head.
       
 (DIR) Post #AJTC4YWjXqcHz9DvM0 by fnord@fosstodon.org
       2022-05-15T07:54:34Z
       
       0 likes, 0 repeats
       
       @mike I'm pretty sure you're mostly talking to fellow paranoiacs :ac_greetings: but I agree. I don't think their shenanigans are in the standard necessarily (though it should be verified) but definitely in the implementations. Implementation is where the wiggle room is, are easy to excuse as a simple error, "bad defaults" etc... And as the article states, NSA is sitting on better crypto, would be weird if they weren't.
       
 (DIR) Post #AJTGN9hYT9W0JEPSWO by renatoram@fosstodon.org
       2022-05-15T08:42:45Z
       
       0 likes, 0 repeats
       
       @mike @michel_slm I was thinking about the "officially suggested" Elliptic Curve to use for encryption (NIST something) that was found to be veeery subtly deterministic.DES was 56bit and thus weak by gvt mandate (it had been designed stronger), but that might predate NSA proper (and it was supposed to be mandatory for US business, but gov/mil would NOT use it).And 3DES (the supposed upgrade) is vulnerable to the birthday attack cryptanalysis.SELinux is fussy but good, agreed.
       
 (DIR) Post #AJUKEBdWV2Oyg9SjzM by whynothugo@fosstodon.org
       2022-05-15T21:00:39Z
       
       0 likes, 0 repeats
       
       @mike Sounds like Facebook saying they care about your privacy.
       
 (DIR) Post #AJVyZAWzzj2iemvlOy by richards@fosstodon.org
       2022-05-16T16:07:21Z
       
       0 likes, 0 repeats
       
       @mike definitely something that I will wait to see how people much smarter than me feel about it. But I wouldn’t trust any 3 letter agencies word when it comes to encryption.
       
 (DIR) Post #AJbb1DDAOKWX7sFkOm by jtlong@fosstodon.org
       2022-05-19T09:11:45Z
       
       0 likes, 0 repeats
       
       @mike Pretty Sure somebody would get fired if they did NOT put a back door in it. ;)
       
 (DIR) Post #AJhOFNhw1wInHIpXii by rjacobson@fosstodon.org
       2022-05-22T04:16:54Z
       
       0 likes, 0 repeats
       
       @mike The historical behavior of the NSA is the only meaningful data we have to evaluate their trustworthiness. That data speaks pretty loud and clear.
       
 (DIR) Post #AJhhqESJI3DwQXo72e by underlap@fosstodon.org
       2022-05-22T07:56:29Z
       
       0 likes, 0 repeats
       
       @mike We may as well take the NSA's statement with a pinch of salt anyway because I don't know how they could prove the algorithm doesn't have backdoors. At best they could claim that they don't currently know of any backdoors, but that could change tomorrow if someone discovered one. 😉