Flutterby™! : NSA SIGINT Enabling

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics


2015-09-03 16:08:55.219753+00 by Dan Lyke 3 comments

New York Times: Documents reveal the NSA campaign against encryption. From the documents:

The SIGINT Enabling Project actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs. These design changes make the systems in question exploitable through SIGINT collection (e.g., Endpoint, MidPiont, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact.

Emphasis mine, so that I could call out: Do they believe the bullshit they write? I wonder how many of the exploits that we're discovering have been inserted by the NSA, discovered by the scammers and crackers, and are now our problem?

Among the goals stated for the project for FY2013:

Reach full operating capability for SIGINT access to a major Internet Peer-to-Peer voice and text communications system.

ie: probably Skype. And:

Complete enabling for ■■■■■■■■ encryption chips used in Virtual Private Network and Web encryption devices.

Careful with your hardware VPN devices, kids.

[ related topics: Children and growing up broadband Invention and Design Consumerism and advertising Net Culture Graphic Design Cryptography New York ]

comments in ascending chronological order (reverse):

#Comment Re: NSA SIGINT Enabling made: 2015-09-04 01:05:13.01261+00 by: spc476

Can the NSA, through force of (their) law, have a backdoor inserted into a product? And if later, that backdoor is discovered, could the company be held as breaking the law for fixing the backdoor?

#Comment Re: NSA SIGINT Enabling made: 2015-09-04 04:54:03.247718+00 by: Dan Lyke

The exploits so far have been subtler than that. Bugs in random number generators that lead to predictable keys, things like that. It isn't obviously a back door. I suspect that legal doesn't really matter here, these are either getting inserted by influencing individuals or standards bodies, or via blackmail. Legal challenges might happen with open source, where there's an audit trail, but here it's one employee, who may not even remember the design decisions that led to a given flaw.

#Comment Re: NSA SIGINT Enabling made: 2015-09-08 19:25:25.966189+00 by: meuon

I've heard stories where the "feature" was introduced by a "greybeard" with attitude and influence over other coders to use certain settings and feature sets. The influencer isn't really documented, and the original coder fades out of the project, thinking they did a good job. These decisions and "features" stick around for a long time.