International Standards Body Rejects Weakened IOT Encryption Methods Pushed By The NSA
from the bleak-days-for-Big-Surveillance dept
The NSA has again been outed for pushing compromised encryption standards. An early Snowden leak showed the agency paid RSA $10 million to promote a weakened encryption standard. RSA offered up a denial that didn't exactly contradict the evidence provided by the leaked documents. A few years later, NIST (National Institute of Standards and Technology) removed the Dual Elliptic Curve algorithm from its recommendations, citing its distrust of the agency pushing for its adoption: the NSA. Dual EC appeared to be deliberately weakened, reducing encryption-breaking efforts to a matter of seconds, rather than hours or days.
The NSA is once again at the center of an encryption controversy. This time the intended target of weakened encryption standards is the Internet of Things. As Kieren McCarthy of The Register reports, the NSA's hard-sell approach backfired, leaving its preferred encryption algorithms locked out by an international standards body.
The "Simon" and "Speck" cryptographic tools were designed for secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a global standard.
But the pair of techniques were formally rejected earlier this week by the International Organization of Standards (ISO) amid concerns that they contained a backdoor that would allow US spies to break the encryption. The process was also marred by complaints from encryption experts of threatening behavior from American snoops.
Researchers report being attacked by NSA reps when its preferred algorithms were questioned. Some of the terms used to describe the NSA's reactions to criticism include "outrageously adversarial" and "bullying."
There appears to be no evidence researchers found a backdoor present in the encryption methods as originally delivered. The ISO's rejection was mostly based on the NSA's past untrustworthiness and its attempt to add backdoor-esque code to the IOT encryption software. The NSA's failure to get its favored methods instituted as industry standards has apparently led to personal attacks on researchers opposing its efforts. That's not exactly going to swing crucial votes its way in upcoming standards decisions.
The NSA has remained silent as other US government agencies complain about criminals "going dark." It may join them if it continues to be shut out by standards bodies and software developers.
Filed Under: encryption, iot, nsa, trust
Companies: iso
Reader Comments
What the NSA looks for on IoT
[ link to this | view in chronology ]
Re: What the NSA looks for on IoT
[ link to this | view in chronology ]
Not an expert on U.S. law, but...
[ link to this | view in chronology ]
Re: Not an expert on U.S. law, but...
[ link to this | view in chronology ]
Re: Not an expert on U.S. law, but...
You can be prosecuted over a law that does not exist, a judge WILL allow the government to lie in court (but not you), and a law that is designed to protect you will be ignored without recourse.
[ link to this | view in chronology ]
Re: Re: Not an expert on U.S. law, but...
[ link to this | view in chronology ]
Re: Re: Re: Not an expert on U.S. law, but...
[ link to this | view in chronology ]
"I don't get it, why don't they trust us?"
A good reputation is a tricky thing, difficult to build up, trivial to destroy, and after all they got caught doing, no-one at the NSA should be surprised that people who can see past the name and who know what they're talking about aren't willing to just take the NSA's claims and proposals at face-value.
This is very much a problem of their own making; if people don't trust them, it's because they've demonstrated it would be foolish to do so, and if they want to regain that trust it's going to be a long, difficult process, one in which 'insult people who question you' probably isn't going to help.
[ link to this | view in chronology ]
Re: "I don't get it, why don't they trust us?"
That's funny although I doubt it was intended as a joke.
The (insert letter agency here) couldn't care less about public image. Unless the nation showed up at their doors with pitchforks and torches demanding change, they are just going to continue railroading all over the Constitution tightening the noose around Freedom and Privacy.
Pressure and time.
[ link to this | view in chronology ]
Re: Re: "I don't get it, why don't they trust us?"
If "those pitchforkers and torchers" gave a fuck they would vote in people wanting to either dismantle or bring these agencies into the light.
The problem is, who has the balls? I keep telling everyone that their desires to create more and more government agency is only going to bite them or their children on the backs of their asses.
People usually ignore me and call me crazy. The real crazy is everyone else ignoring the problems they create.
If you think your vote matters, or your rights inside of this current government... well I hear there is a joke about a river in Egypt named after you.
It's amazing how many people believe we are a democracy when we never were, and still think they have a say when any of them can be disappeared or arrested for anything and how fast their fellow citizens will forget about them the moment the police shoot their asses off, take their property, or systematically marginalize them with fines, laws, and harassment!
It is also amazing how many of them will turn to government for salvation after having watched it destroy others. Hmm.... like pigs to the slaughter!
[ link to this | view in chronology ]
Re: Re: Re: "I don't get it, why don't they trust us?"
If "those pitchforkers and torchers" gave a fuck they would vote in people wanting to either dismantle or bring these agencies into the light.
if you think your vote matters, or your rights inside of this current government... well I hear there is a joke about a river in Egypt named after you.
So if people cared they would vote, but voting doesn't actually do anything? Which is it, are people fools for voting or are they fools for thinking that voting actually does anything, who are they supposed to vote for/not vote for if none of the candidates match your exacting standards, and finally what is your alternative?
[ link to this | view in chronology ]
Re: Re: Re: Re: "I don't get it, why don't they trust us?"
"if you think your vote matters, or your rights inside of this current government... well I hear there is a joke about a river in Egypt named after you."
As long as you vote for a party... your vote was usurped... meaning it does not matter. Imagine how disenfranchised all the anti-trump republicans feel right now. It was not exactly a secret effort to get folks to "support the candidate that the party selects" regardless of your personal opinions. This is the first and default way your vote is made to not matter. I am sure the Democrats that voted for Bernie felt much the same way... generally fucked over.
If they want their votes to "matter again" they need to dump the parties, but that is often asking far too much. People would rather live with a known evil than to seek an unverifiable cure to that evil.
If they seek to have their rights respected in government then they also need to vote in people that will actually seek to secure them.
Neither of these are happening leading to my comment.
"who are they supposed to vote for/not vote for if none of the candidates match your exacting standards,"
Ah yea... making the best of what you got mentality... good to know you will not be seeing a solution to your problems then. You should take a note from yourself and just take what you get then.
"and finally what is your alternative?"
Anything 3rd party... does not matter what, just so that it sends a message, I don't think the Republicans learned the lesson of how they got Trump yet... especially not the Democrats. Getting people on board is the hard part.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
If they want their votes to "matter again" they need to dump the parties, but that is often asking far too much. People would rather live with a known evil than to seek an unverifiable cure to that evil.
Probably because parties are basically inevitable as far as I can see. 'I like ABC, and will generally support candidates that also like ABC. I will get together with those that also like ABC to support candidates of like mind. While these candidates might occasionally differ in that they like A and B but not C, more often than not they align with what I like, whereas the other candidates do not, so I will support 'my' candidate over the other one'.
Unless you can convince people that working together to achieve a common goal is counter-productive (good luck with that), parties are going to happen, and the focus should be more on keeping them aligned with the majority of people that identify with them, and less on the Sisyphean task of trying to get them to ditch them altogether and vote for an unknown.
Ah yea... making the best of what you got mentality... good to know you will not be seeing a solution to your problems then. You should take a note from yourself and just take what you get then.
Swing and a miss, your response in no way answers my question as to what someone is supposed to do when none of the available candidates match the standards they and/or you set as 'acceptable', so I'll ask again.
If none of the candidates available are 'good', such that there are no 'good' just varying shades of 'bad', who should the person vote for, or should they vote at all?
Anything 3rd party... does not matter what, just so that it sends a message
So don't mindlessly vote for the two main parties, mindlessly vote for a third, no matter who it is, just to stick it to the first two? Oh yeah, that'll show 'em and could in no way backfire horribly.
If that is your proposed solution to the two-party problem it's not hard to see why people aren't taking your 'suggestions' seriously.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
I can understand how people might think that, but party creates an exclusionary group and begins a division. That division is as intrinsic to human nature as bias and racism, which we currently understand should be fought against. Why create something that is intended to be exclusionary from the start? It will only fester until it becomes as much of a problem as racism? In fact the party fighting might as well be the new racism.
"Unless you can convince people that working together to achieve a common goal is counter-productive (good luck with that), parties are going to happen,"
I agree with you, you can't get people to stop being hateful, they NEED like it is important to their survival to group up and oppress others. If they can't do it by race, they will do it by party, if they can do it by party, they will do it by sports teams, if they can do it by sports teams, it will be by clans... get the point?
I think people that join groups to build their voice up are looking to create a problem because no matter what, a leader is going to come along and take advantage of the power of that group for wrongdoing and people will be too afraid to say anything against the group because as you have already seen how, the group you are in already hates other groups... would you want to invoke that upon yourself? You would become group-less and defenseless.
How is it that we can understand the problem inherent with racism but cannot resist creating parallels in party partisanship as a replacement? I think it is clear that humans are mostly more worried about oppressing others for their own gain vs gaining with those others.
Here is a hint... being a part of a group means you are NOT working together to achieve a common goal, you are in fact just working to achieve the leader's goal.
"If that is your proposed solution to the two-party problem it's not hard to see why people aren't taking your 'suggestions' seriously."
Then enjoy the problems you see, they are not going away.
The definition of insanity is to continue to do the same thing over and over but expecting different results.
You sir are saying, let's do this again... maybe it will be different next time. Good Luck... you are going to fail!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
I agree with you, you can't get people to stop being hateful, they NEED like it is important to their survival to group up and oppress others. If they can't do it by race, they will do it by party, if they can do it by party, they will do it by sports teams, if they can do it by sports teams, it will be by clans... get the point?
If by 'point' you mean that joining with a group of like-minded people in support of common goals can only be because people just need some other to 'hate' and 'oppress', then yeah, I get it. I don't buy it for a second, but I get it.
Here is a hint... being a part of a group means you are NOT working together to achieve a common goal, you are in fact just working to achieve the leader's goal.
You must have been a riot to be around during school team/group activities.
Here's a hint in return: Just because you're a member of a group doesn't mean you're a mindless drone, or have no impact on the group.
You sir are saying, let's do this again... maybe it will be different next time. Good Luck... you are going to fail!
Not at all (nice strawman though), I'm saying that your solution is rubbish and you still haven't answered my question as to what someone should do when they don't live in the perfect universe you apparently do, where there is always a perfect candidate or at least a random third person to spitefully pick just to stick it to the two big ones.
[ link to this | view in chronology ]
Every Nation eats the Paint chips it Deserves!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
Where did I say you needed to be a mindless drone? It does not matter if you are mindful or mindless... as long as your effort contributes to the group then you are going to be okay. I am just saying that you have given up your individualism.
If you are a group, you are not an individual. Do not be surprised when people treat you just exactly as you treat yourself as a homogeneous person whose identity is that of the group... not of their self.
Can't have your cake and eat it too, no matter how much you need to delude yourself. Groups have been fighting for eons throughout world history. Maybe you should stop creating them? It only creates trouble, but like I said earlier... trouble is something people want, so they can oppress people with it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
People "think" the cult is crazy, but not the people in the cult.
Same to be said of those in political groups. They think everyone else but them are the crazy ones!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
Parties are not necessarily inevitable. Like minded people may band together, but the concept of political parties stand for something has already been quashed, the parties have reversed themselves, more than once. Lincoln was a republican, then. Today he might be a democrat, or maybe an independent. The label is the problem, it doesn't define a platform. It defines, as you point out, what the leaders want, at the time expressed.
This is why I have and will continue to express a desire to remove the concept of political parties, as well as platform from the parties/candidates. There should be a pre-election debate where the people define what the platform for the upcoming election will be, via a debate via the Internets, and maybe an actual pre-election election. Months, maybe a year or more in advance. The people propose platform issues, and then decide on, say the top ten, or twenty. Then the candidates get to put their positions with regard to that platform agenda on the table, creating an electoral platform agenda. The populace gets to decide which candidates meet their requirements on the majority of positions on the electoral platform. There should also be some ability to hold elected officials to their campaign rhetoric. Don't stand up to what you said in your campaign...lose power, exponentially until one is, oh how do we say it, un-elected. Maybe votes of confidence in political leaders would be a good idea. It exists in some parliamentary processes, but it might make us as unstable as some other countries are. Not that we are stable now.
The whole idea of platform created by political parties is what I think a number of the Founders found abhorrent to the idea of political parties. They made a mistake in allowing them. Would things be different now without political parties from the beginning? Most certainly. Would they be better? I am not sure, as the allure of power is powerful, and I think there would be a way to get corrupted even with this control.
[ link to this | view in chronology ]
Re: tl;dr
While I'm no fan of the party system, banning political parties would be inconsistent with the First Amendment's guarantee of free association. Do you really think we'd be better off without that?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: "I don't get it, why don't they trust us?"
After reading your previous statement, I would expect nothing else.
[ link to this | view in chronology ]
You wanna know what NSA stands for?
Fuck NSA, CIA and god fuck the USA.
[ link to this | view in chronology ]
Re: You wanna know what NSA stands for?
[ link to this | view in chronology ]
Re: Re: You wanna know what NSA stands for?
[ link to this | view in chronology ]
Re: Re: Re: You wanna know what NSA stands for?
https://www.investors.com/politics/commentary/best-run-states-are-heavily-republican-study-finds/
[ link to this | view in chronology ]
Re: Re: Re: You wanna know what NSA stands for?
[ link to this | view in chronology ]
Re: Re: Re: Re: You wanna know what NSA stands for?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: You wanna know what NSA stands for?
The best leader you will have is the one that tells you to solve your own problems and then proceeds to get the hell out of your way, but everyone hates those guys because they are heartless and all that.
The worst leaders are the ones that tell you to solve your own problems and proceed to get all in your way.
The middle of the ground leaders help produce the worst leaders in the future by promising people things until they get enough power to finally tell them we never cared in the first place. The ride making you think they cared along the way was fun!
[ link to this | view in chronology ]
The problem is that we do trust them: we know exactly what to expect from them and their algorithms.
[ link to this | view in chronology ]
Different definitions of 'trust'
That's fair, though 'we can trust them to act in what they perceive to be their own best interests, no matter what it does to everyone around them' is usually not what people mean when they say someone is 'trustworthy.'
[ link to this | view in chronology ]
When people die, they go dark. They can no longer give info and that is some pretty strong defenses that doesn't get broken into. I mean it's been around far longer than encryption.
[ link to this | view in chronology ]
was it all just an act?
Maybe the currently adopted standards are compromised and speck and simon actually are safe. The NSA knows people won't trust them so they try to be aggressive so no-one will believe that Simon and speck is safe. Then when everyone adopts the new IOT standards the NSA can stay safe using Simon and speck while having easy access to all the other IOT devices that people think are safe.
No proof of anything but it's possible the NSA is pulling a double fakeout on all of us.
[ link to this | view in chronology ]
Re: was it all just an act?
Do you realize that an aluminum foil hat forms a resonant cavity, and the resonant frequency of that cavity falls into a frequency range allocated to the US government?
[ link to this | view in chronology ]
Re: Re: was it all just an act?
[ link to this | view in chronology ]
Re: Re: Re: was it all just an act?
[ link to this | view in chronology ]
Good job NSA!
What is next NSA? Will you teach your employees how to shoot themselves in the foot?
Do training in not revealing information when captured by the enemy, but using live cyanide capsules to make it more "real"?
Juggle chainsaws?
[ link to this | view in chronology ]
Yeah, they made this bed.
They get to lie in it. My sympathy knows bounds.
[ link to this | view in chronology ]
Technical discussion
linux-arm-kernel mailing list thread: [PATCH v2 0/5] crypto: Speck support
As the WikiTribune article points out:
Wikipedia: PRESENT · CLEFIA
[ link to this | view in chronology ]