Been reading Techdirt for a few weeks and have become a fan. Decided to sign up today to add a comment here.

I am really worried that Gemalto's comments can be deceiving. Gemalto claims that because of the "proprietary encryption" that carriers have wrapped around SIM encryption, the NSA "would not be able to connect to the networks and consequently would be unable to spy on communications". I have 2 problems with this:

1) The Intercept article indicated that the agency could pick up signals over the air and decrypt them without the carriers' awareness. This would mean that the spying would not require the NSA to connect to the carrier's network. So the first part (being unable to connect to the network) could be true but the second part (consequently being unable to spy) false.

2) The idea of proprietary encryption is problematic for two reasons: (1) There are open-source encryption schemes which have no known vulnerability; why use a proprietary encryption? (2) Because the same phone is usually able to roam on several carriers' networks, these encryption schemes can't be held secret by a single carrier.

Finally, Gemalto may be unaware of a successful key exfiltration. The hacking attempts that Gemalto stopped are no indication that there weren't others undetected. Honestly I'm more inclined to believe the NSA/GCHQ's internal documents when they claim to have "the entire network" of Gemalto, or to have captured millions of keys. Gemalto has a strong financial incentive to minimize the problem.
Techdirt has not posted any stories submitted by xytar.