Comments: The NSA's breach of RSA Inc's crypto: what to do? Where do we stand? My Answer: avoid American crypto

[quote]Avoiding American-influenced crypto is just today's logic, based on what we know, today. The crypto industry is now in a crisis of trust. This is going to get worse.[/quote]

Quite so, lang, this is only the beginning of a fundamental change in the way that things are to be better done with virtual betas in the future. And those few words have been chosen very careful to try and accurately reflect and convey what is to be expected, for it is already launching programs with stealthy agents into all critical components and strategic elements of global remote command and virtual machine and SCADA control systems.

And things will be considerably better after they have finished being significantly worse for corrupt and corrupted systems admin of present day strife policies.

And fortunately, there is nothing nobody can do to stop the intelligent march of information progress and any and all who would be foolish and stupid enough to try, just merely identify themselves as persons of interest to be appropriately and summarily dealt with.

New Great Games have New Great Games Players and they be not guided nor mindful of stupid rules and regulations designed by generations with secrets to keep in order to profit from unfair and/or inequitable advantage with privileges.

Posted by amanfromMars at October 6, 2013 12:54 PM

A minor point here, is that this "Crisis of Trust" is maybe it's not just the NSA and/or American Cryptography. The NSA is merely the first major national Intelligence agency to get publicly caught at it.

I think it likely that all world's Major Intelligence agencies (China, Russia, Israel, etc.) are likely doing similar things and that all Crypto everywhere is currently suspect.

If you want to avoid US Crypto, where are you going to go? It's likely that everywhere else has similar or worse risks. Would you really trust a "international" Encryption algorithm that might has been influences by China, the KGB or lord knows who.

I think the only solution here is the hard way - fix the existing Cryptography so its done in an open and "proven" manner.

In any case, frankly, I don't think the possible weaknesses in NSA influenced cryptography are the "tipping point", there are so many non-cryptographic ways to get access to any target's data that even if we could wave a "magic wand" and make everyone's cryptography secure, we'd still be vulnerable to many kinds of attack/disclosure from various levels of attackers.

We are all vulnerable to un-patched systems, Zero day exploits, viruses, poorly designed infrastructure, hacked operating systems and hardware, Agents sent in as moles, infiltrated contractors, janitors and outsourcing, disgruntled ex-employees, bribery and list of way to get your data seems to be endless and almost nobody can afford to defend against the most well resourced and determined opponents.

If these vulnerabilities are true, for most people (99.999%+), how much worse is it that maybe one likely un-interested Intelligence agency may be able to read your emails and web browsing activity? Do you seriously think you could keep the NSA, China, the CIA or the FBI from figuring out your secrets if they wanted to?

If your answer is no, then nothing has changed for you.

On the other hand, should we be upset?
Yeah, damn right we should.

Should we ensure that US government agencies have to follow US law?
Yeah! It's about damn time.

Should this be an issue in determining who we re-elect next election?
Absolutely and lets make a big stink and educate everyone so they can make a similarly informed decision on who supported the NSA lying so much about this.

Posted by David Donahue at October 8, 2013 04:28 PM

David: Yes, all. It's very messy. But even though the current situation raises more questions than it answers, it is still my view that (a) we are in a crisis of trust in the security industry, and (b) the American product is now firmly enmeshed in that untrust space.

What to do? I don't recommend people switch from CAPI to the Chinese offering, or from JCE to GOST. These alternatives aren't reasonable and they don't exist.

Instead, I think it is time for the individual security practitioner to start taking more responsibility. Part of this responsibility for security is to realise that outsourcing components to big American name-brands no longer works. Is no longer taking responsibility for security.

When it comes to crypto protocols, the very space of the NSA breach, I have a simple suggestion: It's your job. Do it.

Posted by Iang (It's your job. Do it!) at October 9, 2013 03:48 AM

... As an example of the far reaching implications, Ylonen says that since the Snowden documents about the NSA were leaked, Finland stopped electronically communicating top secret material between embassies, preferring to courier this kind of information instead. ...

Posted by the ripples spread... at October 10, 2013 11:26 AM

PrivateSky was shut down at the beginning of the year after introducing a web-based version in beta and for Outlook and had "tens of thousands of heavily active users".

Brian Spector, CEO of CertiVox, told IT Security Guru: "Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data. We did it before Lavabit and Silent Circle and it was before Snowden happened.

"It is the same in the USA with FISMA, and it is essentially a national security warrant. So in late 2012 we had the choice to make - either architect the world's most secure encryption system on the planet, so secure that CertiVox cannot see your data, or spend £500,000 building a backdoor into the system to mainline data to GCHQ so they can mainline it over to the NSA.

"It would be anti-ethical to the values and message we are selling our customers in the first place."
...

Posted by Avoid British cryptography? at December 14, 2013 08:36 AM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55f497979f30) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.