Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance. The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual …
NSA and extended Randomness.
The salient point is that the NSA acted to dilute security on an encryption standard and that's just the one we know about ..
They used to be a respected source of news but these days they scrabble to print any old unsubstantiated biased crap to try and justify their existence. The general news is bad enough but anything even slightly technical seems to be churned out by Stephen Fry.
Moving On ...... and Sharing the Spoils
The paper referenced in the El Reg article is available for reading here ..... http://cryptome.org/2014/03/DualECTLS.pdf ..... and it has generated this response, which has been sent in an email to its generous host. Its subsequent publication, or not as the case may be, provides additional sensitive information in the fields being explored and quite quietly cleared of wanton imperfections/exclusive perversions which be rendering designedly inequitable personalised advantage to failed organs and organ grinder monkeys.
Our analysis strongly suggests that, from an attacker’s perspective, backdooring a PRNG should be combined not merely with influencing implementations to use the PRNG but also with influencing other details that secretly improve the exploitability of the PRNG. This paper does not attempt to determine whether this is what happened with Dual EC, and does not explore the difficult topic of defending against such attacks, beyond the obvious advice of not using Dual EC. …….. http://cryptome.org/2014/03/DualECTLS.pdf
You may like to share and advise all with either a need or a wish to know, that there is no defence against such an attack improving upon the exploitability of a discovered systemic vulnerability. And one is therefore at the mercy of, ideally, the good graces of the smart attacker/crack hacker/cryptographic code breaker and/or maker.
And on the reverse side of that COIN coin, the damage that can be done whenever one encounters an agent with malicious intent is catastrophic beyond compare and simple remedy ….. thus the wisdom in ensuring that effective security systems admin in this particular and peculiar field is afforded every luxury desired/all credit facilities required, lest the human temptation to maximise capital gain entertains the dark web side to ……. well, we are talking carefully around Great Game lead, are we not ….. and Virtually Remote Mankind Management? And one imagines, that be an extremely attractive capability and readily available utility to intelligence agencies and server providers anywhere.
Re: Moving On ...... and Sharing the Spoils
And a leading question here now being asked of austere Blighty’s perceived to be intelligent security service providers, whether spooky public MI5/MI6/CESG/GCHQ troughers or stealthy shadowy unknowns from the private supply sector, is whether they have such a leading universal ability, for there be no credible evidence anyway worldwide, and most certainly not even at home whenever one consider the politically bankrupt state of the nation, of them using it at all effectively to create a Greater IntelAIgent Games Play and better, mutually advantageous beta realities via these strengthening sterling virtual means and cyber memes, which are now to be found everywhere in SMARTR IntelAIgent Systems with Global Operating Devices …… Seriously Clever NEUKlearer HyperRadioProActive Media Machinery?
And who would be being handsomely paid to provide that, and/or commission that from others? What be their name and email address, or is it a vital critical and strategic post which be criminally vacant?
Has it been outsourced to across the pond where Wall Street is destroying everything? Would that be akin to treason?
Re: Moving On ...... and Sharing the Spoils
What have both of you been drinking or do you revel in wanton syntax errors as some kind of badge?
Both of you don't make sense but at least the OP was mostly quoting.
Don't attack AIMessengers, Run with ITs Flows
do you revel in wanton syntax errors as some kind of badge? .... Metrognome
No. That would be misleading and subversive and perverse, Metrognome, and counter-productive.
Did you read and understand the paper and recognise the exploitable vulnerabilities cited and in need of secure protection, or did you find it, like I suppose many would, just presently too difficult a struggle too far ahead of the mainstream and abandon it for the false hope and cold comfort that a slaves' ignorance provides and sustains?
Re: Don't attack AIMessengers, Run with ITs Flows
Just your insistence on stringing together unnecessarily long sentences that renders them unreadable nonsense. One way to demonstrate a deep understanding of any topic is the ability to explain it succinctly and in layman's terms.
However, your tirade had nothing to do with topics or issues that are difficult to grasp, just sentences that are badly put together and strewn with faux-smart leet-speak.
Agreeing to disagree and moving on to an alternate position allows progress to flourish
I agree, Metrognome. Keeping it stupendously simple [KISS] is the way to go, both practically and virtually almost every time so that all can comprehend if they have good brains that work at all well what is being said/shared. [Some folk, as we surely know, have severe learning difficulties and some are brain damaged, and thus are expectations of their understanding of things considerably curtailed]
However, whenever there are sensitive and better kept most secretive issues to be explored and/or discussed, is it, IMHO, always wiser to ensure that not all, nor even many, understand what is uncovered. To target a very particular and/or peculiar audience/mindset, is it necessary to only rattle a few choice doors and not bother all of the rest with something which it may be much safer to exclude them for the present from knowing. Done for all the right reasons, would that be a gracious kindness selflessly afforded, methinks.
I have a sneaking suspicion that aMfM1 employs such language to distance his prose from their usual day-to-day syntax in order to avoid recognition.
Feel free to correct me on this amfm1
edit: ok you beat me to it :)
I think you missed the Point.
ER only made it easier to crack. Okay, by 16 bits, but Dual Elliptic Curve Deterministic Random Bit Generator is still crackable with relative ease. Unlike the other 3 algorithms in the standard, which are still "computationally unfeasible".
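The trapdoor this comment and the paper refer to, as an added toy illustration that is not part of the thread or the paper: a miniature Dual EC over the textbook curve y^2 = x^3 + x + 1 over F_23, with a constructed trapdoor d such that P = d*Q (the real generator uses NIST P-256 and drops 16 of 256 bits per block; here 4-bit outputs stand in for that). Whoever holds d lifts one truncated output block back to a point, multiplies by d, and obtains the generator's next state, so every later block is predictable; the fewer bits a block drops, the fewer candidates need checking, which is why extra output per connection matters and why the only real defence is not using Dual EC.

```python
# Toy Dual EC DRBG over a tiny curve (constructed illustration, not the NIST
# P-256 parameters). Shows why a trapdoor d with P = d*Q lets its holder
# recover the generator's state from one truncated output block.
p, a, b = 23, 1, 1                      # y^2 = x^3 + x + 1 over F_23 (28 points)
INF = None                              # point at infinity

def ec_add(A, B):
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return INF
    if A == B: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):                       # double-and-add scalar multiplication
    R = INF
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def xof(A):                             # x-coordinate; 0 for infinity (toy only)
    return 0 if A is INF else A[0]

def points_with_x(x):                   # decompress: the 0, 1 or 2 points over x
    rhs = (x ** 3 + a * x + b) % p
    return [(x, y) for y in range(p) if y * y % p == rhs]

Q = (0, 1)                              # generator of order 28
d = 5                                   # constructed trapdoor; P = d*Q
P = ec_mul(d, Q)
BITS = 4                                # output keeps only x mod 2^BITS
                                        # (real Dual EC drops 16 of 256 bits)

def dual_ec(state, nblocks):
    """Dual EC: r = x(s*P); s' = x(r*P); output = truncated x(r*Q)."""
    out = []
    for _ in range(nblocks):
        r = xof(ec_mul(state, P))
        state = xof(ec_mul(r, P))
        out.append(xof(ec_mul(r, Q)) % 2 ** BITS)
    return out

def recover_state(out, nxt):
    """Trapdoor holder: every state consistent with block `out` followed by `nxt`.
    A candidate x that truncates to `out` is lifted to a point R = r*Q, and
    d*R = r*P has the generator's next state as its x-coordinate."""
    found = set()
    for x in range(out, p, 2 ** BITS):             # guesses for the dropped bits
        for R in points_with_x(x):
            s = xof(ec_mul(d, R))
            if dual_ec(s, 1) == [nxt]:              # confirm against the next block
                found.add(s)
    return found
```

With the constructed seed 4, `dual_ec(4, 4)` yields four blocks and `recover_state` on the first two returns the single state that reproduces the remaining ones.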
Exploding The Myth
I keep finding myself repeating this same old adage over and again when it comes to this whole area:
"Never ascribe to malice that which can adequately be explained by incompetence."
The intelligence services' "pivot" away from defense and to offense could easily be explained as a result of their recognition that they just weren't competent enough (or possibly too lazy) to provide a credible defense.
Reports like this only confirm that these people never really were "the smartest guys in the room", any more than their political patrons.
Ask yourself this, what could a seriously competent, non-governmental, university based, "cyber defense" cooperative do with a quarter-trillion dollars a year in funding? If the answer is, "better than the existing intelligence services", then I think someone needs to reconsider their budget priorities for the next decade.
When a thread in a string is a rope, only a hope peddling dope realises it not as a lifeline.
Ask yourself this, what could a seriously competent, non-governmental, university based, "cyber defense" cooperative do with a quarter-trillion dollars a year in funding? If the answer is, "better than the existing intelligence services", then I think someone needs to reconsider their budget priorities for the next decade. …. Anonymous Coward, Exploding the Myth
Such a cooperative base with grand university of life masters piloting and targeting programs and/or pogroms would easily be funded with a quarter-trillion dollars a year and if serially seriously competent in base cyber defense protocols, very likely to be able to arrange all funding for IT and themselves from vulnerable markets.
And if they want to be smarter in the future, and not want to be found lacking in all vital virtual fields of security and protection, would existing intelligence services be first to engage and offer whatever be needed to be seeded. Such a quantum leap though may be an available bridge too far for all too many of them with their current skewed priorities in maintaining the present to support the past and the status quo arrangements …. with old former and failing establishment command controllers/command and control orders/secret clubs/shadowy organs.