Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-16 Thread Jeffrey Walton
On Tue, Jul 16, 2013 at 5:04 AM, coderman wrote: >... > > in short: > > rather than considering just one or another type of attack, these > agencies should be assumed to be using all of them with the exploit > method tailored to the particular access needs and target difficulty > of every tasking.

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-16 Thread coderman
On Mon, Jul 15, 2013 at 8:39 AM, The Doctor wrote: > ... > Why hire ninjas to backdoor a chip when you can have someone look for > 0-days? Cheaper and eminently practical. Oh, and already being done. these are complementary methods. for some targets you may not care about stealth, or visible b

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-15 Thread Jeffrey Walton
On Mon, Jul 15, 2013 at 7:27 AM, Eugen Leitl wrote: > On Fri, Jul 12, 2013 at 10:29:49PM +0300, ianG wrote: > >> Not to mention, Intel have been in bed with the NSA for the longest >> time. Secret areas on the chip, pop instructions, microcode and all >> that ... A more interesting question is w

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-15 Thread The Doctor
On 07/13/2013 02:40 AM, William Yager wrote: > It's nice that you can be so cavalier about this, but if your > system's RNG is Cavalier? Maybe. Insightful? Yes. Seen in recent history? Absolutely. Why hire ninjas to backdoor a chip when you can

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-15 Thread Eugen Leitl
On Sat, Jul 13, 2013 at 01:43:49AM -0400, Patrick Mylund Nielsen wrote: > Heh, might as well just give up. http://cm.bell-labs.com/who/ken/trust.html > > (I know what you meant, just couldn't resist.) Certainly a classic, but these days you can really bootstrap your toolchain in a cleanroom quit

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-15 Thread Eugen Leitl
On Fri, Jul 12, 2013 at 10:29:49PM +0300, ianG wrote: > Not to mention, Intel have been in bed with the NSA for the longest > time. Secret areas on the chip, pop instructions, microcode and all > that ... A more interesting question is whether the non-USA > competitors are also similarly friendl

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-14 Thread Marcus Brinkmann
On 07/13/2013 04:20 AM, Peter Gutmann wrote: > Nico Williams writes: > >> I'd like to understand what attacks NSA and friends could mount, with Intel's >> witting or unwitting cooperation, particularly what attacks that *wouldn't* >> put civilian (and military!) infrastructure at risk should deta

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Peter Maxwell
On 13 July 2013 07:32, Peter Gutmann wrote: > William Yager writes: > > >no cryptographer ever got hurt by being too paranoid, and not trusting > your > >hardware is a great place to start. > > And while you're lying awake at night worrying whether the Men in Black > have > backdoored the CPU in

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread coderman
On Sat, Jul 13, 2013 at 2:17 PM, Patrick Mylund Nielsen wrote: > ... > "The fact is, even if you worry about some back door for the NSA, or some > theoretical lack of perfect 32-bit randomness, we can pretty much depend on > it. We still do our own hashing on top of whatever entropy we get out of

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Patrick Mylund Nielsen
On Fri, Jul 12, 2013 at 3:29 PM, ianG wrote: > On 12/07/13 21:54 PM, Patrick Mylund Nielsen wrote: > >> On Fri, Jul 12, 2013 at 2:48 PM, James A. Donald > > wrote: >> >> On 2013-07-13 12:20 AM, Eugen Leitl wrote: >> >> It's worth noting that the maintainer o

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread ianG
On 13/07/13 09:43 AM, Noon Silk wrote: So what should everyone do? Risk analysis. Which starts with your business model. What you do is go talk to your customers and figure out what happens to them. Formally, you would figure out the frequency of these events, and multiply them by the d

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Ben Laurie
On 13 July 2013 10:11, Peter Gutmann wrote: > and run > a self-test with known-good test vectors on startup, and ... well, you get the > picture. Amusing story: FIPS 140 requires self-tests on the PRNG. There was a bug in FIPS OpenSSL once where the self-test mode got stuck on and so no entropy w
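The failure mode Ben Laurie describes (a required known-answer self-test whose "self-test mode" flag stays set, so the generator keeps running on its fixed test seed) is worth seeing in miniature. The block below is an added illustration, not OpenSSL's FIPS code: a toy HMAC-SHA256 generator with a known-answer test, a switch that reproduces the stuck flag, and the two cheap start-up checks that would have caught it (live output must not equal the KAT answer, and two independently seeded instances must disagree). All names (`ToyDrbg`, `boot`, `KAT_SEED`) and the KAT vector are mine; a real module ships the expected KAT output as a constant rather than deriving it at import time.

```python
# Added example, not OpenSSL's FIPS code: a toy generator with a known-answer
# self-test, a version of the "self-test mode stuck on" bug described in the
# thread, and the start-up checks that catch it. Not a real DRBG.
import hashlib
import hmac
import os

KAT_SEED = bytes(range(32))  # fixed seed used only during the self-test


def _derive_key(entropy: bytes) -> bytes:
    return hmac.new(b"toy-drbg-seed", entropy, hashlib.sha256).digest()


def _block(key: bytes, counter: int) -> bytes:
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


# A real module ships this as a constant; deriving it here keeps the example
# stand-alone.
KAT_EXPECTED = _block(_derive_key(KAT_SEED), 1)


class ToyDrbg:
    def __init__(self, clear_flag_after_selftest: bool) -> None:
        self.key = b""
        self.counter = 0
        self.selftest_mode = False
        self.clear_flag_after_selftest = clear_flag_after_selftest

    def reseed(self, entropy: bytes) -> None:
        if self.selftest_mode:
            entropy = KAT_SEED  # deterministic seed so the KAT is repeatable
        self.key = _derive_key(entropy)
        self.counter = 0

    def generate(self) -> bytes:
        self.counter += 1
        return _block(self.key, self.counter)

    def self_test(self) -> bool:
        self.selftest_mode = True
        self.reseed(b"live entropy is ignored in this mode")
        ok = self.generate() == KAT_EXPECTED
        if self.clear_flag_after_selftest:
            self.selftest_mode = False  # the line the buggy build lacks
        return ok


def boot(buggy: bool) -> dict:
    """Run the start-up sequence and the sanity checks that follow it."""
    first, second = ToyDrbg(not buggy), ToyDrbg(not buggy)
    kat_ok = first.self_test() and second.self_test()
    first.reseed(os.urandom(32))
    second.reseed(os.urandom(32))
    a, b = first.generate(), second.generate()
    return {
        "kat_ok": kat_ok,
        # Post-self-test checks: live output must not equal the KAT answer,
        # and two independently seeded instances must not agree.
        "not_kat_output": a != KAT_EXPECTED,
        "instances_differ": a != b,
    }


if __name__ == "__main__":
    print("fixed build:", boot(buggy=False))
    print("buggy build:", boot(buggy=True))
```

The point of the second check is that the KAT itself passes in both builds; only a check that looks at post-self-test behaviour notices that every instance is now producing the same deterministic stream.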

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread ianG
On 13/07/13 09:32 AM, Peter Gutmann wrote: William Yager writes: no cryptographer ever got hurt by being too paranoid, and not trusting your hardware is a great place to start. And while you're lying awake at night worrying whether the Men in Black have backdoored the CPU in your laptop, you

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Peter Gutmann
Ben Laurie writes: >But what's the argument for _not_ mixing their probably-not-backdoored RNG >with other entropy? Oh, no argument from me on that one, mix every entropy source you can get your hands on into your PRNG, including less-than-perfect ones, the more redundancy there is the less the

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Ben Laurie
On 13 July 2013 03:20, Peter Gutmann wrote: > Nico Williams writes: > >>I'd like to understand what attacks NSA and friends could mount, with Intel's >>witting or unwitting cooperation, particularly what attacks that *wouldn't* >>put civilian (and military!) infrastructure at risk should details

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Peter Gutmann
William Yager writes: >It's nice that you can be so cavalier about this, but if your system's RNG is >fundamentally broken, it doesn't really matter so much whether your other >stuff is well-programmed or not. Well I'm not sure what thread you're coming in from, but the current one was about th

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread Peter Gutmann
Noon Silk writes: >A good point, of course. So what should everyone do? Look for things, and fix things, in order of likelihood of occurrence and exploitability. (Strong) Crypto is bypassed, not penetrated, so address that first. Once you've addressed all of those issues, then you can start

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-13 Thread James A. Donald
On 2013-07-13 3:43 PM, Patrick Mylund Nielsen wrote: On Sat, Jul 13, 2013 at 1:38 AM, William Yager > wrote: not trusting your hardware is a great place to start. Heh, might as well just give up. http://cm.bell-labs.com/who/ken/trust.html (I know what you m

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Noon Silk
On Sat, Jul 13, 2013 at 4:32 PM, Peter Gutmann wrote: > > William Yager writes: > > >no cryptographer ever got hurt by being too paranoid, and not trusting your > >hardware is a great place to start. > > And while you're lying awake at night worrying whether the Men in Black have > backdoored the

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread William Yager
It's nice that you can be so cavalier about this, but if your system's RNG is fundamentally broken, it doesn't really matter so much whether your other stuff is well-programmed or not. At least if my web browser is remotely exploitable, it doesn't break my disk encryption software, GPG, SSH, eve

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Peter Gutmann
William Yager writes: >no cryptographer ever got hurt by being too paranoid, and not trusting your >hardware is a great place to start. And while you're lying awake at night worrying whether the Men in Black have backdoored the CPU in your laptop, you're missing the fact that the software that's

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Patrick Mylund Nielsen
On Sat, Jul 13, 2013 at 1:38 AM, William Yager wrote: > not trusting your hardware is a great place to start. > > Heh, might as well just give up. http://cm.bell-labs.com/who/ken/trust.html (I know what you meant, just couldn't resist.) > > On Fri, Jul 12, 2013 at 7:20 PM, Peter Gutmann > wr

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread William Yager
There are plenty of ways to design an apparently random number generator so that you can predict the output (exactly or approximately) without causing any obvious flaws in the pseudorandom output stream. Even the smallest bias can significantly reduce security. This could be a critical failure, and

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Peter Gutmann
Nico Williams writes: >I'd like to understand what attacks NSA and friends could mount, with Intel's >witting or unwitting cooperation, particularly what attacks that *wouldn't* >put civilian (and military!) infrastructure at risk should details of a >backdoor leak to the public, or *worse*, be s

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread James A. Donald
On 2013-07-13 4:54 AM, Patrick Mylund Nielsen wrote: On Fri, Jul 12, 2013 at 2:48 PM, James A. Donald > wrote: On 2013-07-13 12:20 AM, Eugen Leitl wrote: It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Ethan Heilman
> > I would hope that talented folks at the NSA would be averse to embedding > backdoors in hardware (and firmware, and software) that they could lose > control of, especially in light of recent developments. Unfortunately it appears that for security reasons at least some chips are being backdoo

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Steve Weis
I think compromising microcode update signing keys would be the easiest path. Then you don't need backdoors baked in the hardware, don't need Intel's buy-in, and can target specific systems without impacting the public at large. This is a pretty interesting analysis showing that these updates are

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Nico Williams
[BTW, when responding to a message forwarded, do please fix the quote attribution.] On Fri, Jul 12, 2013 at 2:29 PM, ianG wrote: > This thread has been seen before. On-chip RNGs are auditable but not > verifiable by the general public. So the audit can be done then bypassed. > Which in essence

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread ianG
On 12/07/13 21:54 PM, Patrick Mylund Nielsen wrote: On Fri, Jul 12, 2013 at 2:48 PM, James A. Donald wrote: On 2013-07-13 12:20 AM, Eugen Leitl wrote: It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about tw

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Patrick Mylund Nielsen
On Fri, Jul 12, 2013 at 2:48 PM, James A. Donald wrote: > On 2013-07-13 12:20 AM, Eugen Leitl wrote: > >> It's worth noting that the maintainer of record (me) for the Linux RNG >> quit the project about two years ago precisely because Linus decided to >> include a patch from Intel to allow their

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread James A. Donald
On 2013-07-13 12:20 AM, Eugen Leitl wrote: It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about two years ago precisely because Linus decided to include a patch from Intel to allow their unauditable RdRand to bypass the entropy pool over my strenuous obj
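Mackall's objection quoted just above (a hardware RNG allowed to bypass the entropy pool) and Gutmann's reply further up the page (mix every entropy source you can get, including less-than-perfect ones) are two sides of the same design decision. The block below is a toy added here to make that concrete; it is not code from the Linux kernel, from Intel, or from anyone in the thread. It runs every source, the hardware RNG included, through a hash-based pool and contrasts that with a path that hands the hardware words out directly. `EntropyPool`, `pool_output`, `bypass_output` and the constructed sample inputs are my names and data; an all-zero hardware stream stands in for any stream the adversary can predict.

```python
# Added example, not code from the thread or from the Linux kernel: a toy
# hash-based entropy pool to contrast "mix every source" with "let one
# hardware source bypass the pool". Not a production CSPRNG.
import hashlib
import hmac


class EntropyPool:
    """Absorbs any number of sources into a 32-byte state via HMAC-SHA256."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32
        self.counter = 0

    def mix(self, source: str, data: bytes) -> None:
        # Tag the input with the source name so the same bytes arriving from
        # two different sources are absorbed differently.
        tagged = source.encode() + b"\x00" + data
        self.state = hmac.new(self.state, tagged, hashlib.sha256).digest()

    def extract(self, n: int = 32) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.state, b"out" + self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        # Ratchet so a later state compromise does not reveal earlier output.
        self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def pool_output(hw_words: bytes, other_sources) -> bytes:
    """Every source, the hardware RNG included, goes through the pool."""
    pool = EntropyPool()
    pool.mix("hwrng", hw_words)
    for name, data in other_sources:
        pool.mix(name, data)
    return pool.extract(32)


def bypass_output(hw_words: bytes, other_sources) -> bytes:
    """Models a bypass path: the hardware RNG's words are handed out directly
    and the other sources are never consulted."""
    return hw_words[:32]


# Constructed inputs: a hardware source the adversary fully knows (all zeros
# stands in for any predictable stream), a good hardware sample, and two
# software-side samples that differ in one bit.
KNOWN_HW = b"\x00" * 32
GOOD_HW = bytes(range(32))
TIMING_A = [("interrupt-timing", b"\x13\x37\x00\x42")]
TIMING_B = [("interrupt-timing", b"\x13\x37\x00\x43")]


if __name__ == "__main__":
    print("bypass, known hw :", bypass_output(KNOWN_HW, TIMING_A).hex())
    print("pool, known hw A :", pool_output(KNOWN_HW, TIMING_A).hex())
    print("pool, known hw B :", pool_output(KNOWN_HW, TIMING_B).hex())
    print("pool, good hw A  :", pool_output(GOOD_HW, TIMING_A).hex())
```

With the bypass path, an adversary who knows the hardware stream knows the output outright. With the pool, the output still depends on every other source (flipping one bit of the timing sample changes it), and a good hardware sample still contributes when the software sources are weak. Whether the hardware source is trusted or not, mixing it in costs nothing and removes the single point of failure.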

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

2013-07-12 Thread Eugen Leitl
- Forwarded message from Matt Mackall - Date: Thu, 11 Jul 2013 17:34:48 -0500 From: Matt Mackall To: liberationtech Subject: Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger" X-Mailer: Evolution 3.4.4-1 Reply-To: liberationtech On Thu, 2013-07-11 at 13:47 -0700, Andy I