Ted Smith writes:

> There's a reason why the NSA has "Tor Stinks" presentations and not "I2P
> stinks" presentations.

I don't know of a good basis for estimating what fraction of NSA's capabilities or lack of capabilities we've learned about. And even when someone _working at NSA_ writes that attack X doesn't work or doesn't exist, they may not know that attack Y achieves some of the same goals.

For example, there were press reports that there was some major cryptanalytic breakthrough a few years ago and that it has far-ranging implications*. I don't think the details have ever become public; a best-case-for-cryptographic-privacy scenario might be that it's "only" an operationalized, albeit expensive, attack against 1024-bit RSA or DH (one of the possibilities considered in Matthew Green's analysis). In any case, many people working on surveillance within NSA might not know what the breakthrough is or how it works, and may still be assiduously working on attacks that in principle are largely redundant with it. (Their NSA colleagues may want them to be working on redundant attacks because many of the existing attacks are described as "fragile" -- so they want to have parallel ways to achieve some of the same stuff.)

Most of us don't work in highly compartmentalized organizations or organizations that try to practice a very strict need-to-know rule. So we might think that if someone in an organization says at some time that something is easy, or difficult, or cheap, or expensive, that that reflects the general attitude of all the parts of that organization. (Like if somebody working at Intel said it was hard to fabricate semiconductor devices in a particular way, or somebody working at Boeing said it was hard to take advantage of a particular aerodynamic effect, or somebody working at EFF said it was hard to sue the government under a particular legal theory, you might tend to think these things were basically true, as far as those people's colleagues knew.) I think that's only approximately or indirectly true of people working in an organization like NSA or GCHQ.

* Possibly relevant reporting and discussion includes

http://www.wired.com/2012/03/ff_nsadatacenter/all/

http://www.wired.com/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/

http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html

http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=1&
(including claims of widespread success at defeating cryptography, partly on the basis of sabotaging it but at least partly on the basis of "development of advanced mathematical techniques")

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk