Before the software was released, Ray Ozzie and Kauffman openly described what they were doing at an RSA conference. This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
Also worth reading barrkel’s comment a couple comments down…
Effectively and in short, you were prohibited by the US government from shipping strong encryption in any internationally distributed product. Which generally meant everything commercial.
Despite open source implementations of strong encryption existing (e.g. PGP et al.).
Now, no one bats an eye if you ship the most secure crypto you want. Then, it was a coin flip as to whether you'd feel the full weight of the US government legal apparatus.
It was a crazy, schizophrenic time.
Still is. To this day, we have to debate and justify ourselves to these people. They make us look like pedophiles for caring about this stuff. They just won't give up, they keep trying to pass these silly laws again and again. It's just a tiresome never ending struggle.
And that's in the US which is relatively good about this. Judges in my country were literally foaming at the mouth with rage when WhatsApp told them they couldn't provide decryption keys. Blocked the entire service for days out of spite, impacting hundreds of millions.
Should they even be considered 'judges' if they lack that authority?
Q-Anon is a current right wing conspiracy group that claims powerful democrats are trafficking children, the "we must protect our kids from XYZ" justification crosses political lines. But they aren't alone.
Back in the 90s there were a few years of "the satanic panic", where there were wild claims made about daycare centers doing unspeakable things to children, things that beggar belief just from a logistical perspective. People spent years in prison over this. There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Back in the 80s Tipper Gore, wife of then senator Al Gore, drove a campaign to label and censor music to "protect the children."
E.g., children were coached into giving answers and making up scenarios. For instance, one child claimed that they were taken in an airplane and flown to a secret location with clowns and sex, then flown back to the class in time for their 2pm pickup. Stories about ritual animal sacrifice in their daycare room, stories about children being murdered even though none were reported missing.
> There was no whiff then of it being a conservative cause -- it mixed the usual conspiracy theory dynamics along with the Christian moral panic dynamics.
Yes, and? The point is to repay lies and ad hominem with lies and ad hominem.
If opponents of strong encryption want a good-faith argument, they are free to admit that the actual reason strong encryption is "bad" is because it stops them from attacking and spying on everyone in the world, but I doubt they'll take that option.
That just weakens your own position.
The CD was a globally-legal image, and export-controlled strong crypto came on the floppy in countries where it was allowed.
But today it seems fundamentally obvious that once a single copy is leaked, it's all over... was that not true in 2000?
Filesharing at that time was just wild, by the way. It was far too easy to set up your client such that you were sharing the entire contents of your computer with the whole internet. More often than not, this was done by the kids in the family on the same machine where mom and dad had their work stuff plus their private finances.
So of course the files were leaked. If you were intending to share something illegal to distribute outside the US, you could easily get plausible deniability just by sharing everything on your computer and feigning ignorance.
This is beautiful.
Serial Port recently tried to set one up!
Even in the late 90s, 128kbps ISDN connections were not unheard of, and 256kbps DSL was rolling out as well.
Mostly off-topic, but your use of rhyme is reminiscent of https://www.youtube.com/watch?v=up863eQKGUI
To me, there are only two plausible explanations for the change:
1. The three letter agencies gave up on backdooring cryptography.
2. The three letter agencies successfully subverted the entire chain of trust.
Only one of them is consistent with a workforce consisting of highly motivated codebreaking professionals available working for many decades with virtually unlimited resources and minimal oversight.
The other is what people want to believe.
3. NSA realized that "frontal assaults" against encryption were a lot less fruitful than simply finding ways to access info once it has been decrypted.
Would have to search for the quote, but Snowden himself said exactly that, something along the lines of "Encryption works, and the NSA doesn't have some obscure 'Too Many Secrets' encryption breaking machine. But endpoint security is so bad that the NSA has lots of tools that can read messages when you do." And indeed, that's exactly what we saw in things like the Snowden revelations, Pegasus, and I'd argue even things like side-chain attacks.
Plus, I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means. In the case of something like TLS root certificates that makes sense, but there are many, many forms of cryptography (like cryptocurrency) where no keys are any more privileged than any other keys - there is no "chain of trust" to speak about in the first place.
There's a reason many corporate information security programs don't go overboard with mitigations for targeted, persistent, nation-state level attacks. Security is a set of compromises, and we've seen time and time again in industry that this sort of agency doesn't need to break your encryption to get what they need.
Not saying there couldn't be a targeted supply chain attack (that's essentially what was revealed in some of the Snowden leaks, e.g. targeting networking cables leased by big tech companies), but I don't believe there is some widely dispersed secret backdoor, even if just for the reason that it's too hard to keep secret.
Any analysis I could or should do?
Interesting, how would an x86 instruction with a hardcoded 256-bit key be detected? IIRC it's really hard to audit the instruction space for a CISC architecture.
But I cannot believe they resisted the temptation to use that opportunity to get such an easy access to so many devices.
Consequently, if there is an ME-subversion, it's only deployed / part-replaced for extraordinary targets. Not "every system."
But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.
Otherwise, you need something in your OS to ship data back and forth between the ME and whatever NIC you have.
This seems like as good a short-form intro as any: https://blogs.cisco.com/learning/security-in-network-design-...
But when targeting a random individual in a hurry, I think it would be handy to just use the built-in backdoor.
You're right though, I guess I didn't mean to say that NSA would give up on or would not want back doors into widely deployed crypto algorithms, but even with Dual_EC_DRBG the suspicions were widely known and discussed before it was a NIST standard (i.e. I guess you could say it was a conspiracy, but it wasn't really a secret conspiracy), and the standard was withdrawn in 2014.
For one thing, they're interdicting hardware and inserting hardware implants:
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no such machine exists, but rather that there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.
Anyway, just suggesting something that wouldn't require quantum cryptography.
If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.
Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?
Similarly, most consumer devices have a few zero-days each year, if not more, so if you really want to decrypt someone's stuff, you just need to wait a few months.
I think that both your explanations are probably incorrect though. It's a bit of "neither" in this case.
They continue to backdoor all sorts of stuff (they recently were marketing and selling backdoored "secure" cell phones to crooks), and most chains of trust are weak enough in practice.
I don't understand why you think ACME means this. Can you explain?
The attacker could sign with their own key instead, but this is trivially observable to the target (they don’t end up with a correct cert, and it all gets logged in CT anyways.)
If the owner watches CT logs they will know about it (and you may need to jump through some more hoops once the target tries to renew their cert), but you get a lot of info in the meantime.
However, even with the full MITM here, this attack assumes that the attacker can proxy plaintext to the host. I'm not aware of many sites that allow sensitive actions (e.g. logging in) over HTTP anymore.
(And, as you note, this is detectable via CT. But it's fair to point out that many/most smaller operators probably aren't bothering to monitor public CT logs for unexpected issuances.)
I am now able to get a new certificate issued with ACME using the DNS-01 challenge. I set up one of my own servers as a proxy, HTTPS terminated with this new cert. I then have it proxy to the existing site (by IP address.) I then change the site's DNS to point to my own server. The users are no wiser, but I am able to intercept all traffic.
I interpreted the original comment that started this thread to imply an attack on ACME itself, not the fact that ACME can't detect the difference between someone who legitimately controls a domain and someone who illegitimately controls a domain. As far as I know, that's considered a more general defect in the Web PKI, one that predates ACME substantially.
Short of blocking the very essence of digital data spread and transactions, the three-letter agencies and the giant governments behind them realized that there was no way to effectively put that particular genie back in the bottle without fucking over too many other extremely well-connected commercial interests.
Thus, while they didn't entirely give up on their bullshit, and keep looking to find arguments for privacy subversion, they realized that roundabout methods were a usable practical course.
That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share and securely be applied by so many people, but governed by technocrats who do what they can to subvert meanwhile.
The fundamental math of crypto is secure, regardless of any conspiracy theories. AES-256, for example, can't just be broken by some secret Area 51 alien decoder ring. The mathematics of good modern crypto simply crush any human computing technology for breaking them regardless of budget. However, the agencies also know that in a complex world of half-assed civilian security and public habits, they still have enough methods to work with without delving into political firestorms.
The only true solution to distribution / piracy is for the file to be so big as to be inconvenient.
Which is why mp3 was such a game changer.
(this is speculation, I have no actual knowledge on this)
The most surprising thing to me is that, in speaking in the past several years with younger entrepreneurs, they're not even aware of the obligation to file for an export license for any/all software containing crypto (such as that submitted to the App Store).
I've not yet seen a case in which a mass market exemption isn't quickly granted, but devs still need to file - and re-file annually.
As in, currently.
Essentially Apple built a system so you have to agree to export restrictions with every single build you upload to Apple.
Or, we are currently experiencing a brief oasis of freedom in between extended periods of encryption lockdowns and controls.
If you wanted to build in the U.S. you had to produce two versions of your product, one with “full encryption” and one with encryption hobbled.
Or you could go build one version somewhere else and import it into the U.S.
Also you couldn’t just ship products with a spot where crypto went and remove the crypto. API designs had to go through mental gymnastics to allow crypto without explicitly adding crypto. Which is why you have odd constructs that take strings as arguments and give you encryption back. Sometimes.
And since new languages copy patterns from old to remain familiar, these APIs are still frequently some of the most patience-testing.
Really boils my piss given a lot of it, upon inspection, just used OpenSSL under the hood.
Also, always makes you wonder, why the standards the OS ships with are exempt...
I’ve mostly used this to unpack ZyXEL firmware updates (reference below to this), but it also works on a lot of other stuff if you can get a partial plaintext. Some file formats' headers might work.
The author states it correctly. Here is the text from the author:
"The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext"
Here is the text from the RSA conference:
1st off please don't publish my name on your site. I'm too lazy to set up another cheezy mail acct.

Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for Lotus.) I sent him the file I downloaded and asked him what the deal was, and here's his response:

Here's the necessary info to truly understand the issue here; a speech by Ray Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is that Notes provides superior exportable encryption technology when compared to other US products on the market. For anyone (but the NSA) to crack our international encryption keys they must crack a 64 bit key, the same as with a US encryption key. In the international version we take 24 of the 64 bit encryption key and encrypt the 24 bits with the NSA's public key and send it, encrypted strongly, along with the encrypted message. This means the NSA can decrypt with their key and have 24 of the 64 bit key. They still have to break the remaining 40 bits. 40 bit key encryption has been the max for exportable encryption and that is what all other US exportable encryption providers

That limit has just been raised to 56 bits and we are incorporating that as I type. In the worst case: the NSA's private key is compromised, the 40 bit portion of the key still must be cracked. So we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA). We are proud of this arrangement because we have found a way to make Notes as secure as the US government will allow for our international customers. If we hadn't used this technique all of the international Notes encrypted data would be with only a 40 bit key. As it stands, the 64 bit key used in both US and international encryption is

It's too bad the author of this article chose to attack Lotus Notes without considering the options the US government provides. We could have just shipped 40 bit encryption like MS, Netscape, etc. and left our international customers with weak encryption but we didn't. Oh well, you can't make everyone understand this confusing and frustrating stuff. I hope this helps.
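A model of the scheme the quoted message describes, added here as an example that is not the page's or Lotus's own code: a 64-bit bulk key whose top 24 bits travel with the message encrypted under an "NSA" public key, so that everyone else faces a 64-bit search while the holder of the private key faces only 40 bits. The NSA key pair is textbook RSA built from two small known primes, the bulk cipher is a toy SHA-256 keystream standing in for Notes' cipher, and the exhaustive search in the main block runs at scaled-down sizes so it finishes; all of these are constructed for the demo.

```python
import hashlib
import secrets

KEY_BITS = 64      # international Notes key length (from the quoted text)
ESCROW_BITS = 24   # bits encrypted to the NSA public key (from the quoted text)

# Stand-in "NSA" RSA key pair (textbook RSA, no padding) from the Mersenne
# primes 2^17-1 and 2^19-1.  Constructed for this demo; the real key was far larger.
_P, _Q = 131071, 524287
NSA_N, NSA_E = _P * _Q, 65537
NSA_PRIV_D = pow(NSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent


def _keystream(key: int, key_bits: int, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode keyed by the bulk key."""
    kb = key.to_bytes((key_bits + 7) // 8, "big")
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(kb + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt_international(key, plaintext, key_bits=KEY_BITS, escrow_bits=ESCROW_BITS):
    """Encrypt under the bulk key and attach the escrow field the scheme requires."""
    remaining = key_bits - escrow_bits
    escrowed_bits = key >> remaining                      # the top 24 bits in the real scheme
    escrow_field = pow(escrowed_bits, NSA_E, NSA_N)       # "encrypted with the NSA's public key"
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, key_bits, len(plaintext))))
    return escrow_field, body


def brute_force(body, known_plaintext, key_bits, known_high=None, escrow_bits=0):
    """Try every key consistent with what the attacker knows; return (key, trials).
    Without the escrowed bits the space is 2**key_bits, with them 2**(key_bits-escrow_bits)."""
    remaining = key_bits - escrow_bits
    prefix = (known_high << remaining) if known_high is not None else 0
    space = 1 << (remaining if known_high is not None else key_bits)
    target = known_plaintext[:8]                          # 8 known bytes suffice to confirm a key
    for low in range(space):
        cand = prefix | low
        if bytes(a ^ b for a, b in zip(body[:8], _keystream(cand, key_bits, 8))) == target:
            return cand, low + 1
    return None, space


def nsa_recover(escrow_field, body, known_plaintext, key_bits=KEY_BITS, escrow_bits=ESCROW_BITS):
    """Private-key holder's path: open the escrow, then search only the remaining bits."""
    high = pow(escrow_field, NSA_PRIV_D, NSA_N)
    return brute_force(body, known_plaintext, key_bits, known_high=high, escrow_bits=escrow_bits)


def work_factor_bits(has_nsa_key, key_bits=KEY_BITS, escrow_bits=ESCROW_BITS):
    """Effective key length each party faces: 64 for everyone else, 40 for the NSA."""
    return key_bits - escrow_bits if has_nsa_key else key_bits


if __name__ == "__main__":
    kb, eb = 18, 10                                       # scaled down so the search finishes
    key = secrets.randbits(kb)
    msg = b"CONFIDENTIAL memo: quarterly numbers attached"   # constructed sample message
    escrow, body = encrypt_international(key, msg, kb, eb)
    print("toy sizes: outsider searches 2^%d keys, NSA 2^%d"
          % (work_factor_bits(False, kb, eb), work_factor_bits(True, kb, eb)))
    print("NSA recovers (key, trials):", nsa_recover(escrow, body, msg, kb, eb))
    print("real scheme: outsider 2^%d, NSA 2^%d"
          % (work_factor_bits(False), work_factor_bits(True)))
```

Note that the message's "worst case" holds in the model too: a leaked private exponent only shrinks the search to the same 40 bits the NSA already had, never below.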
Some previous discussions all mentioning Lotus Notes in the title:
NSA's Backdoor Key from Lotus Notes (2002) - https://news.ycombinator.com/item?id=21859581 - Dec 2019 (87 comments)
NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=9291404 - March 2015 (51 comments)
NSA's Backdoor Key from Lotus Notes - https://news.ycombinator.com/item?id=5846189 - June 2013 (85 comments)
I think these qualify.
But the 'MiniTruth' thing... Wow, just wow...
Context: The Ministry Of Truth in the 1984 novel is the service dedicated to propaganda, in which the whole society is drowned. Everything about the society they live in is a lie...
It just blows away any hope of good intention from their part.
The last time I read about something so cynical, suggesting so much contempt for the people they pretend to serve, with such carelessness, was when it was revealed that the FTX internal chatroom was called 'Wirefraud'.
My memory around this is fuzzy and I can't seem to find the original source.
Later, in 2019, a 795 bit key was factored with CPU time that "amounted to approximately 900 core-years on a 2.1 GHz Intel Xeon Gold 6130 CPU. Compared to the factorization of RSA-768, the authors estimate that better algorithms sped their calculations by a factor of 3–4 and faster computers sped their calculation by a factor of 1.25–1.67."
So assuming the better algorithms transfer to smaller numbers, someone who knows how to use them (factoring big numbers seems significantly harder than just running CADO-NFS and pointing it at a number and a cluster) could probably do it in a couple months on a couple dozen modern machines.
For example, using the "795-bit computations should be 2.25 times harder than 768-bit computations" from the publication accompanying the second factorization, we could assume 900/2.25 = 400 core-years of the Xeon reference CPU (which is 6 years old by now) would be needed to break the smaller key with the modern software. Two dozen servers with 64 equivalently strong cores each would need slightly over 3 months. Not something a hobbyist would want to afford just for fun, but something that even a company with a moderate financial interest in doing could easily do, provided they had people capable of understanding and replicating this work.
Edit: Okay, I see it now. 64 bits of cipher of which 24 bits of that cipher are set to a value derived from a 760 bit pubkey.
With no context, I don't know why this is front page news today. Am I missing something?
HN considers dupes to be stories with significant discussion repeated within a year. (Items with little or no discussion can be resubmitted a few times.)
Stories reshared after a year are reposts, and are perfectly fine, though it's appreciated to have the item's original publication year included in the title.
Also, on closer inspection the story is from 1997 https://catless.ncl.ac.uk/Risks/19.52.html#subj1
Bringing these articles to light is of great utility to those of us who do not consider the NSA state of affairs to be, in any way, tolerable.
I don’t approve of their actions but turning the hyperbole up to 11 doesn’t help. There are millions of people in China who’d love to be only that repressed, for example.
Did you miss the fact that the NSA is literally violating the human rights of billions of people (including the Chinese), while China in the meantime has brought a billion people out of poverty conditions into their new middle class?
>There are millions of people in China who’d love to be only that repressed, for example
I seriously doubt you understand the nature of this fallacy. Meanwhile, how many families live under a broken bridge in the USA, just because Mom got cancer? Those 1,000 black-ops CIA sites around the world - you know for sure what they are being used for, eh? No torture?
Seriously, get a grip. The moral authority you claim is a fallacy.
You don't think military invasions & communist dictatorships constitute "wholesale violation of human rights at a massive scale"?
If the NSA is spying on people, that's an invasion of their privacy, but it is nothing in comparison to those other violations
Furthermore, they're part of a larger intelligence apparatus that has absolutely committed very large and very harmful violations of civil liberties. The NSA's sister org, the CIA, was overthrowing democratically elected left-wingers in South America for decades, replacing them with brutal dictators and tyrants that gave both Hitler and Stalin runs for their money. The CIA wrote the book on how to do so, arguably even more so than the KGB did. In fact, the reason why Russia today is so effective at information warfare and covert propaganda is specifically because they learned from observation.
Not(?) to be confused with Russia Today
Yes, the purpose of the NSA is to violate human rights at scale. No, this is not a tolerable situation for those of us in the free world.
And yes, the USA is still the world's worst violator of human rights, bar none. The NSA is why.
Russia is invading a sovereign country right now. Civilians are getting killed. You'll hopefully agree that getting killed is a human rights violation?
Saudi Arabia is invading Yemen.
North Korea is running a giant state apparatus that lets one man lord it over tens of millions; all his whims are satisfied while they go literally hungry.
Venezuela is ruled by a dictator - millions are hungry and poor. Families torn apart by mass emigration.
China has 1.5 BILLION people in economic and political pseudo-slavery. They don't really own anything and are more or less forced to go along with the government.
But boo-hoo, the NSA can read your texts, so they're the ultimate bad guy?
He recently gave a good talk at VCF, too: https://youtube.com/watch?v=Ig_5syuWUh0