nsa


Photo: “Nagios – Only the NSA monitors more…”, by whurley on Flickr (http://flickr.com/photos/whurley/).

Power without oversight equals abuse!

From The NY Times – “Panel to Study Military Eavesdropping” (4-page article):

WASHINGTON — The chairman of the Senate Intelligence Committee, Senator John D. Rockefeller IV, said Thursday that the committee would investigate claims by two military eavesdroppers that they routinely listened in on private calls home from American military officers, aid workers and journalists stationed in Iraq.

Former intelligence officers were interviewed by ABC News and by James Bamford, above, who has written a book about the National Security Agency due to be published next week.

Mr. Rockefeller, Democrat of West Virginia, called the accusations “extremely disturbing.”

“Any time there is an allegation regarding abuse of the privacy and civil liberties of Americans it is a very serious matter,” he said.

More references:
ABC News – Exclusive: Inside Account of U.S. Eavesdropping on Americans
UPI.com – Spy agency accused of improper listening
Reuters.com – U.S. probes claims officials eavesdropped on calls

Apparently the US’s multi-billion-dollar surveillance system is being used to wiretap personal calls, with the operators joking around about them. Will our system be used in the same way? For sure, power without oversight equals abuse. That is worth repeating.

Found this news first on Bruce Schneier’s blog.


… reported by Dan Shumow and Niels Ferguson about 4 months ago?

I did a quick post about it here after reading about it at Bruce Schneier’s blog.

The problem is that the NSA submitted an elliptic curve algorithm (Dual_EC_DRBG) for inclusion in a new NIST standard for random number generation, and that algorithm contains certain constant values whose origin is unexplained. That might not sound important, but as was discovered earlier, it opens up the possibility of a “secret key” that could allow encrypted data to be unlocked. The fact that the NSA submitted this algorithm at all, given that it is much slower than the others, also helps stir up the crypto community.

Not much has since been reported on the issue, until yesterday (by Schneier again).

The big news is that the flawed PRNG is to be shipped with SP1 for Windows Vista. It is not going to be the default PRNG, but it is still going to be included as an option for developers.

Why is this a problem? Well,

First, you are damn sure going to have to look real close at any application you use to secure your data, because you are in the hands of that application’s developers. More or less, you will have to request the source code if you really want to be sure, and even then it can be a real hassle to find any references to the offending algorithm.

Second, why did they implement a flawed algorithm whose weakness was found by their own analysts? Yes, Dan Shumow and Niels Ferguson are employed by Microsoft. This is especially odd given that they have recently been urgently patching other PRNG flaws in their OS’s. Some say it is done to meet the whole NIST standard, but come on, who would implement a crypto technology that is known to be flawed? I mean, that kind of breaks the whole idea of cryptography in the first place.

Third, what if Microsoft issues a patch or security update which silently sets Dual_EC_DRBG as the default PRNG? Then all your data could be read by “someone”. Do you trust MS? This leads me to the…

Final point. Who has the skeleton key? NSA? Microsoft? Someone else?
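To make the “skeleton key” concrete: Dual_EC_DRBG updates its state with one curve point P and derives its output from a second point Q, and if Q was created as d·P by someone who kept d, that person can turn a single truncated output back into the generator’s state and predict everything it produces afterwards. This is an added educational example, not code from the post, Microsoft or NIST; it runs the generator on a constructed toy curve (p = 10007, seed 1234, secret d = 4711 are all constructed values), where the real algorithm uses NIST P-256 and discards only 16 of 256 bits per output.

```python
from math import gcd
P_MOD, A, B = 10007, 3, 7   # constructed toy curve y^2 = x^3 + A*x + B over GF(P_MOD); real Dual_EC uses NIST P-256
KEEP = 8                    # low bits of x kept per output (the real spec discards only the top 16 of 256)
MASK, INF = (1 << KEEP) - 1, None
def inv(v): return pow(v, P_MOD - 2, P_MOD)          # Fermat inverse, P_MOD is prime
def x_of(pt): return pt[0] if pt is not INF else 0
def add(p1, p2):            # affine point addition / doubling
    if p1 is INF or p2 is INF: return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def mul(k, pt):             # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sqrt_mod(x):            # y with y^2 = x^3 + A*x + B, or None when no point has this x
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)            # valid because P_MOD % 4 == 3
    return y if y * y % P_MOD == rhs else None

def make_params(d=4711):    # P: first point of order > 1000; Q = d*P; e = d^-1 mod ord(P), so e*Q = P
    for x in range(P_MOD):
        y = sqrt_mod(x)
        if y is None: continue
        n, acc = 1, (x, y)
        while acc is not INF: acc, n = add(acc, (x, y)), n + 1   # brute-force order of (x, y)
        if n > 1000: break
    while gcd(d, n) != 1: d += 1                     # d must be invertible mod ord(P)
    return (x, y), mul(d, (x, y)), pow(d, -1, n)

def dual_ec(s, P, Q, count):  # per step: output the low KEEP bits of x(s*Q), then s <- x(s*P)
    outs = []
    for _ in range(count):
        outs.append(x_of(mul(s, Q)) & MASK)
        s = x_of(mul(s, P))
    return s, outs

def recover_state(outs, P, Q, e):  # holder of the 'skeleton key' e sees only the outputs
    r0, later = outs[0], outs[1:]
    for x in range(r0, P_MOD, 1 << KEEP):            # candidates for the discarded high bits
        y = sqrt_mod(x)
        if y is not None:
            s = x_of(mul(e, (x, y)))                 # e*R = e*s*Q = s*P: its x is the next state; (x,-y) gives the same x
            if dual_ec(s, P, Q, len(later))[1] == later: return s
```

Without d (or e) the same search is a discrete-logarithm problem on the real curve, which is why the question of who generated Q, and how, is the whole issue; a Q derived verifiably from a public seed would not carry this risk.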
