NSA Director Admits that Sharing Encryption Keys With the Government Leaves Us Vulnerable to Bad Guys
US Senator Ron Wyden asked the new NSA boss - General Mike Rogers - at a Senate Intelligence Committee hearing today:
“As a general matter, is it correct that anytime there are copies of an encryption key — and they exist in multiple places — that also creates more opportunities for malicious actors or foreign hackers to get access to the keys?”
NSA chief Rogers replied:
[It] depends on the circumstances, but if you want to paint it very broadly like that for a yes and no, then I would probably say yes.
Palate cleanser:
"A member of the Saudi royal family was arrested in Los Angeles on suspicion of trying to force a woman to perform a sex act on him, police said Thursday.
Los Angeles Police Department spokesman Drake Madison said Majed Abdulaziz Al-Saud, 29, was arrested Wednesday afternoon on three counts, with the main charge being forced oral sex of an adult. Al-Saud is a member of the royal family, according to the LAPD.
Police said the alleged assault occurred in the Beverly Glen area in West Los Angeles, and the alleged victim was a worker at the property.
Officers were sent to a Wallingford Drive home Wednesday afternoon on a report of a disturbance, but when they investigated further Al-Saud was arrested on suspicion of the alleged sex crime as well as on suspicion of battery and false imprisonment, police said.
Jail records show Al-Saud was booked Wednesday and was freed on $300,000 bail Thursday. His next court date is Oct. 19, according to records."
Well, there's money well spent.
What are the odds he fails to appear in court and the LAPD, FBI, DHS, CIA, Interpol etc. say they have no idea on earth where he could be?...lol.
http://www.nbcnews.com/news/us-news/member-saudi-royal-family-arrested-l...
The last thing the Useless Snakes wants in that region is STABILITY, why do you think they fund terrorist groups that create CHAOS?
ZioNazis thrive on chaos.
Drop the random number generator method that is already vulnerable now.
Go for an encryption key of length > data length instead so each data bit is uniquely encrypted by a unique key bit.
Break one bit has no bearing on breaking any other bit.
For the NSA comes the headache under such an encryption method a 10 letter statement can be any other 10 letter statement from different keys.
Now it gets interesting "I love you" is from one encryption key whilst another key says "I hate you".
Now each message generated if asked for the key you provide one of an infinite number of keys where the key you give is for the message you wish them to see provided it makes sense any evidence used through a prosecution on this is only ever circumstantial evidence and quite easily refuted questioning only the key being used.
Kind of like it myself.
Got something better. Each byte is encrypted using a key in 1 million different ways and they are different each time you encode. So a 3 character word such as "not" gets encoded in 10^18 different ways. Will take some time to ever find out what THAT meant.
That is like double encryption, sort of like zip encrypting with two different zip programs and different keys. That was the old method, but when they also have your computer, then it is only a matter of time for them to access your computer and see the method. One has to have a unique input computer that never sees the internet in any manner, only outputs, and on the other side an input machine in the same manner... no handshaking, just a disk transfer. How many people will put up with that? Apparently about none. Oh, the keys are handed over personally and have a limited lifetime. This is the old-fashioned method. Of course there is snail mail and invisible ink...
What about whisper technology but don't do a George Michael careless whisper, oh no.
Total UTTER bullshit and misdirection.
They want you to use encryption so it "stinks" to their sniffer and you think you beat them.
Bullshit. Encryption works. Even if the NSA had some back-door in a particular encryption algorithm, or weakened a random number generator (Microsoft, cough), the NSA does not have the processing power to decrypt everything.
Snowden has stated as much, I've seen the same thing in .mil circles during my time there. Using decent encryption works. It's far easier to attack the people directly with social engineering than crack decent encryption.
The world has gone totally batshit crazy.
NSA want to watch everyone and also have the ability to plant damaging or malicious files on targeted computers.
What a fucking trick!
On a good day you can trust yourself.
Schizophrenia rules. LoL
Hey that's my saying!
Government is the bad guy. The great stupidity is that the government's reports can be trusted. The government lies to attack its perceived enemies. Bad guys external to government may exploit the government's tools.
"Everything the government says is a lie. Everything the government has it has stolen." Trust in government is for fools. Trust in religion is for the mentally deranged.
Trust in religion is for the mentally deranged...
If you have to depend on someone else to explain the plain teaching of Jesus then I have to agree. “Assuredly, I say to you, unless you are converted and become as little children, you will by no means enter the kingdom of heaven..." and regarding so called religious teachers / leaders: "Let them alone. They are blind leaders of the blind. And if the blind leads the blind, both will fall into a ditch.”...Matt 18:3 and 15:14.
Child like faith is not childish. I will not stand before the NSA, Mary, the / a pope, or even "St. Peter" on that day. I'll be called to account before Him. Buck up Buttercup.
jmo.
It lies through stolen teeth, and lies easily.
What type of encryption is being discussed? I've noticed very few actually understand how encryption works. When public/private key encryption is used only the public key is ever available to the counterparty and can be freely published. The secret key is kept on your machine only and never shared. Both parties/computers use the other's public key to encrypt the plaintext and only the person with the unique secret key on both ends can read it. Authentication is also facile: You simply sign using the secret key. Only your public key can decrypt the signature so anyone intercepting and attempting to change your message cannot do so (spoofing impossible). Unbreakable and requires no secure key exchange like two way keys such as AES, for example. This is what happens on https sites where key pairs are generated by both parties and the secret keys are never exchanged or shared - new key pairs are generated each visit. Intercepting the encrypted message is useless since the secret key remains physically in your possession. That's why the NSA and any government hates this algorithm. Make the key at least 2048 bits long and you'll need more time than the age of universe to crack it by brute force with the entire computing power of every machine on earth. Even 256 bits is sufficient to protect against anyone before they die.
It's funny how many "smart people" are so easily deceived.
Isn't it?
yes and no. PKI is computationally intensive. Virtually every implementation using PKI for communication immediately after key exchange via PKI, switches to a stream cipher. It's a shortcut.
http://www.allmusic.com/artist/steve-ferguson-mn0000413026
..."Steve Ferguson died of cancer on October 7, 2009 at his home in Louisville; he was 60 years old."...
.
Steve Ferguson (Brother Stephen and the Humanitarians) plays Outer Space Boogie
https://www.youtube.com/watch?v=QlTLr5aZ_jg
.
Steve Ferguson
Mama U-Seapa
samples of a great album by a great artist
that few have ever heard, strange the way
that happens.
http://www.allmusic.com/album/mama-u-seapa-mw0000175872
.
these links are offered for educational and informational
purposes only, no other meaning or purpose should be
inferred or surmised; standard disclaimer which applies
to all posts.
You know what would really be fun? Watching that tool define Good Guys.
Thanks, Geo.
information is power and access to information
is big business. the taxpayer pays the bills
for the gathering, hell, the individual "user"
of the technology pays for the surveillance and
data collection themselves. we are paying to
have our privacy sold to corporations.
get that, it is freakin' brilliant!
and the "officials" sell the access for personal
gain. the corporations love to eat it all up
and reward the loyal local success story dupes,
pimps and prestitutes. everyone is on stage
24/7 and no one is the wiser in the field of
cultural normalcy bias, mind control and entertaining
with the Jones's. soft control moving into hard up
confiscation, then incarceration.
wonderfully yokel deterioration impersonating
culture and civilization, what many call government,
but i take exception to every term and wonder
wtf.
If it's paid for by tax money, the information belongs to them.
Controlling access for a fee is theft.
“As a general matter, is it correct that anytime there are copies of an encryption key — and they exist in multiple places — that also creates more opportunities for malicious actors or foreign hackers to get access to the keys?”
Yes. But why should we care? We aren't the ones at risk - you are. And every time you suffer a hit, that gives us more ammunition for increasing our budget...
The NSA works for corporations and they need to break into people's stuff to steal from them as well as to steal from other corporations. There is a war going on but it is much larger than a war on nations or citizens of bankster occupied nations.
Kim.com's plan for a new Internet called Mega Net. He will not be a shareholder or owner.
https://www.youtube.com/watch?v=CE8vrIlP3Uo
Easy to use, 100% secure encrypted email based on one-time pads or 100% secure instant messaging based on arbitrarily long session keys for everyone.
And easy to use. It can't be so hard, so where is the public domain software? Brazil?
You cannot use OTP (one time pads) for computer based encryption, let alone something as goofy an implementation as email. You'd have to maintain potentially thousands of code book pairs, one for each correspondent you wish to talk to. Revocation and security of the code books poses extreme challenges as well. Generating the code books in an OTP is very intensive and requires a secure channel to exchange code books.
There is no practical implementation of an OTP outside of a manual message process, (a spy talking to their command while behind enemy lines). Anyone saying they have developed an OTP for a computer system or email is more than likely full of shit. It just doesn't work that way.
An OTP (One time pad) is generated ideally by using sets of quality dice, rolling a book full of random characters. That book of random characters is duplicated to create a pair of books. When you want to send a message, you have a coordinated starting point in the key book, then translate "hello world" using the key book. The characters you've used are removed and destroyed after the message has been sent. Reuse of already used key book pages is a great way to get busted.
One time pads are hard to execute in practice. That's why they're only used in manual sneaky, super spy type manual process use cases.
You want encrypted email, use GnuPG.
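Two properties of the one-time pad raised in this thread, the "I love you" / "I hate you" alternate-key claim and the warning against reusing key book pages, shown as an added example (not code from any commenter). It assumes a byte-wise XOR pad and uses the OS CSPRNG as a stand-in for the dice or hardware noise source the comments describe; the function names are hypothetical.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this is both OTP encrypt and decrypt."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(length: int) -> bytes:
    # Assumption: secrets.token_bytes stands in for a true random source.
    return secrets.token_bytes(length)

def alternate_pad(ciphertext: bytes, claimed: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `claimed` (same length only)."""
    return xor_bytes(ciphertext, claimed)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME pad. The pad cancels out,
    leaving plaintext1 XOR plaintext2 without any key material."""
    return xor_bytes(c1, c2)

def demo() -> dict:
    p1, p2 = b"I love you", b"I hate you"  # constructed sample messages
    pad = new_pad(len(p1))
    c1 = xor_bytes(p1, pad)

    # Any same-length plaintext has a pad that "explains" the ciphertext,
    # so the ciphertext alone proves nothing about which message was sent.
    other = alternate_pad(c1, p2)

    # Reusing the pad for a second message breaks that guarantee:
    # zero bytes in the leak mark positions where both plaintexts agree.
    c2 = xor_bytes(p2, pad)
    leak = reuse_leak(c1, c2)

    return {
        "roundtrip": xor_bytes(c1, pad),
        "under_other_pad": xor_bytes(c1, other),
        "leak": leak,
        "equal_positions": [i for i, b in enumerate(leak) if b == 0],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same XOR malleability means a pad gives confidentiality only: nothing here detects a ciphertext that was altered in transit.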
With one-time pad, the software is trivial.
There are two big challenges though:
1) Building a hardware random number generator which is truly random, or as close as possible.
2) Getting the keys to your counter-party, securely. It has to be done physically ahead of time.
E.R.N.I.E. - the electronic random number indicator equipment was used with British Premium Bonds in the 1950s. A chip based on digital counting of thermal noise must be easy to make. Getting the keys to the other party just involves handing over a chip. 16 Gigabytes or so miniSD should be good for enough emails to wear out a thousand or more keyboards.
It just needs to be made into a product and sold for cash.
Open source encryption software may or may not be trivial, but it sure isn't easy to use for folks who aren't experts in encryption.
The NSA decided that offense was better than defense. Suckers.
Would that be Lookout Mountain, TN/GA/AL?
I figure that's a large enough tri-state area not to be giving much of anything away. Just curious.
Write your own encryption. Use AES - freely available. Exchange keys verbally, face to face, or use One Time Pads (once only!!). If you didn't write, don't trust it.
Writing your own encryption is a recipe for disaster. Only peer-reviewed algorithms and implementations should ever be used. They must also use reliable random number generators.
If you don't know what you're doing and are very very careful and exacting in running an OTP system (One time pad) you will be fucked. That's why they aren't typically used except in very small use cases. They're hard to run properly.
Anyone claiming to have an encryption product for a computer based on a one time pad is full of shit. Cough, Unseen.is, cough. It's a glorified Caesar cipher and the NSA will have your shit in 2.5 seconds or less.
Good encryption works. Snowden stated that fact. Don't use shitty encryption, unless you want everyone to know what you're doing.
There's plenty of open source projects out there based on good encryption, twofish, serpent, AES, or ideally a combination of multiple algorithms. Truecrypt is still alive and has been forked with a project based in Switzerland. I think that's still a good option.
I wouldn't use MS BitLocker or PGP unless you trust Symantec or Microsoft with your life. Personally I wouldn't trust those companies with a pack of cigarettes, and I don't even smoke.
Writing your own encryption is a recipe for disaster. Only peer-reviewed algorithms and implementations should ever be used. They must also use reliable random number generators.
I read the original note to mean you use a peer reviewed algorithm, but write the code yourself. Or, at least review it well. Some open source code tends to be a bit tangled. Checkout Sendmail and its support for X.400 and other old mail protocols, as well as a convoluted configuration setup. At some point, with code with that much historical baggage and convoluted setup becomes impossible to really check all possible configurations for sanity or safety.
If you believe that the simpler the code the safer it is, code it yourself.
The problem with coding it yourself, even if you're using an off-the-shelf algorithm (AES, Serpent, Twofish), is that many commercial software providers screw it up. The likelihood that you could screw it up with fewer resources available is high.
Using a piece of software that is heavily reviewed by the security community, especially for a number of years is far safer. Moxie Marlinspike has some good free tools, Truecrypt is still a viable tool, as are others like linux LVM disk encryption.
Yeah because the average guy can so totally construct a crypto system without leaving ways in for the NSA, I mean it's not like it's difficult or anything :(
Encryption is easily defeated on the hardware level nothing to do with software. Plenty of free code to copy paste, or for the truly stoopid: precompiled binaries.
proton mail dot com - end to end encryption of email.
brought to you by the good people of CERN
"sorry, we've hit our capacity limit"
Yeah, it's in demand all of a sudden. They just made the service public. They were going to take steps to increase server space, but I guess it fills up pretty fast.
Damn nice service, though... if you can get it.
There is no such thing as privacy on the world's biggest "party line" (old telephony term).
If you believe in encryption you might as well believe in the tooth fairy.
Wake up dumb people!
Power grab by the NSA (deep state) basically saying that they don't trust the hand that feeds it. So why should we? What level of classification would this entail? Are we then supposed to trust the NSA? Civil War 2.0.???
Sorry for all the questions, but... WTF?
S.N.A.F.U.
Define bad guys.
It really starts with asymmetry of power. If some agency or person has an asymmetric level of power against you and lack of accountability, you should be concerned about them.
That's a much easier test case vs enemy/friend and far more reliable.
Kinda, there is immoral, then there is amoral, somebody without any moral code to break, i.e. sociopaths.......
Terrorists tend to be very moral, in their own eyes. Same as anyone who fights for a noble cause.
.. and then there's the government and NSA, definitely not the good guys
The only bad guys are the NSA. Encryption is an illusion.
Don't be stupid!
Long self-published certificates, Novena and Tails.