Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-06-29 Thread John Denker
On 06/28/2013 04:00 PM, John Gilmore wrote:

> Let's try some speculation about what this phrase,
> fabricating digital keys, might mean.

Here's one hypothesis to consider.
 a) The so-called digital key was not any sort of decryption key.
 b) The files were available on the NSA machines in the clear.
 c) The files were protected only by something like the Unix file
  protection mechanism ... or the SELinux Mandatory Access Controls.
 d) The digital key might have been not much more than a userID
  and password, plus maybe a dongle, allowing him to log in as a 
  shadow member of some group that was supposed to have access to 
  the files.

===

Crypto is great for protecting stuff while it is being transmitted
or being stored offline ... but when the stuff is in active use, 
the temptation is to make a cleartext working copy.  Then anybody
who can attach a thumb drive and can get past the access controls
can grab whatever he wants.

It is against NSA policy to attach a thumb drive.  I betcha some
folks really want to know how he did that without getting caught.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-06-29 Thread Ray Dillinger

On 06/28/2013 09:36 PM, Udhay Shankar N wrote:

> On Sat, Jun 29, 2013 at 4:30 AM, John Gilmore g...@toad.com wrote:
>
>> [John here.  Let's try some speculation about what this phrase,
>> fabricating digital keys, might mean.]
>
> Perhaps something conceptually similar to PGP's Additional Decryption
> Key [1]? If the infrastructure is in place for this, perhaps one might
> be able to generate a key on demand, with the appropriate access
> permissions.


I read it to mean that the NSA is using some sort of defeatable
cryptography in its own communications with contractors, presumably
to enable internal snooping for purposes of monitoring contractors.
If a contractor then discovers this system, and manages to cryptanalyze
it (or somehow obtain a copy of the snooping software, though that's
not strictly necessary to cryptanalysis) to figure out the corresponding
method of how the snoopers from the NSA generate keys out of thin
air for it, then he might use that method himself to get access to
all the material that other contractors on that system are working
with.

It would be a ridiculously stupid methodology for the NSA to manage
its security affairs this way, but if fabricated keys isn't a flat
out lie, then it's the only thing I can think of that makes sense.
And if it is a flat out lie, then lying to Congress is fairly serious.
'Tho it wouldn't be the first time that's happened, either.

Bear


Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-06-29 Thread Alec Muffett
> [John here.  Let's try some speculation about what this phrase, fabricating
> digital keys, might mean.]

My own, personal guess is that it is obfuscation which translates as using
passwords or accessing a portal over SSL plus we're too embarrassed to
admit that it was that easy.

-- 
http://dropsafe.crypticide.com/aboutalecm