GLaw
Guest
|
Authored by GLaw on Sept 6, 2013 14:08:36 GMT
|
|
stegu
Veteran Member
Posts: 15
|
Authored by stegu on Sept 6, 2013 14:57:51 GMT
As someone already noted in the comments to that article, it is common cryptographic lingo to refer to almost everyone as "adversaries". When designing encryption schemes, everyone but the rightful recipient is an "adversary", and when designing methods to crack an encryption scheme, anyone using that scheme is an "adversary". The term is cynical, but common.
I found this recent revelation in the NSA wire-tapping scandal news very, very disturbing, but it had little to do with their use of the word "adversary". What I found more objectionable and cynical was the names of the programs: civil war battles. That makes it evident that they are indeed regarding their own citizens as the enemy and feel the need to spy also on domestic Internet traffic.
However, even with complete disregard to the wording and naming of things, this mess is still extremely ugly.
|
|
GLaw
Guest
|
Authored by GLaw on Sept 6, 2013 15:43:43 GMT
|
|
Cm
Guest
|
Authored by Cm on Sept 7, 2013 8:43:16 GMT
IIRC, I seem to remember reading/hearing that after WWII Churchill was rather keen that the goings-on at BP were kept secret, especially as the British Government of the time were interested in selling Enigma machines (or other such encrypting devices) to our allies without letting them know we could decrypt them. IIRC not all the colossi were destroyed - one or two were kept for such purposes.
Again the US has to copy someone else...
|
|
celtichackr
Veteran Member
Hacker, geek, all around technoaddict. Amateur Scientist (well except for those pesky degrees).
Posts: 51
|
Authored by celtichackr on Sept 7, 2013 13:44:10 GMT
Interesting, but I believe the IBM computer also cracked the Enigma machines. Not sure the US gov't shared that info with anyone at the time either. So much for sharing. Which is why you should never trust what you can't see.
I steer clear of proprietary stuff, although I must confess I don't scan the source code of every app I use. If I ever reach that point, I'll build my own compiler, compile it by hand, and use that to compile everything else. BTW, the first program I ever wrote was a compiler.
You may ask why I wouldn't trust compiling a compiler from the existing compiler. But how can you know that a compiled compiler doesn't have a Trojan buried in it? You can't. You can't trust anything that's already compiled, even if the source is available. Nor can you trust an OS that you compile yourself, unless you also KNOW the compiler you are using doesn't have a Trojan in it.
|
|
squib
Veteran Member
Posts: 27
|
Authored by squib on Sept 8, 2013 10:28:29 GMT
Cm's right, but when he said 'allies' I think he meant with the exception of the US, as the NSA already knew all about Colossus. See the section titled “The American information” just over half way down the page. www.codesandciphers.org.uk/lorenz/rebuild.htm
As for the techniques developed at BP for breaking codes... Alan Turing himself told them. www.turing.org.uk/scrapbook/ukusa.html
However, the NSA went for the specially designed ENIAC as a computer of choice.
|
|
stegu
Veteran Member
Posts: 15
|
Authored by stegu on Sept 8, 2013 10:32:57 GMT
Perhaps there is an emerging market for an OS that has a bootstrap sequence to make every step along the way transparent? A bootstrap code that is fully open and which you enter yourself from some trusted and human-readable medium like paper tape, a plain C compiler with very limited capabilities, also stored on paper tape, just enough to compile a more capable compiler from some other trusted source you can inspect, and then you need to compile every part of your system from source, like Gentoo Linux.
But in that case, how could you trust the hardware not to do things you don't want? How do we know the CPU is not snooping on us by providing a back door into our trusted code? Should we also build our own hardware, and how would we as individuals be able to control that process all the way down to the silicon level?
There will always be attack vectors for those who really, really want to invade our privacy and have vast resources to spend. "Trusted computing" is a balance to strike between paranoia and convenience of use. I think most people are much too far off to the convenient side right now, though.
|
|
celtichackr
Veteran Member
Posts: 51
|
Authored by celtichackr on Sept 8, 2013 16:25:55 GMT
The problem with Gentoo is, it still uses a compiled compiler to start the whole process off.
You really need to read up on the writing of the Father of C, to know why you can't trust anything you haven't written yourself.
But you're right, as far as you go. But you've gone a bit too far, perhaps. The only way to be 100% sure you build what the sourcecode says you're building is to work it all out on paper and then enter in the binary code for the compiler into a file, and make it executable. Then you have a known secure compiler to start with.
Furthermore, "Trusted Computing" is already known to be a backdoor. Perhaps you've missed that. I could build you a secure computer, but it wouldn't be as tiny as today's, nor likely as fast. I could build logic gates from discrete parts, but not everyone is a Computer Engineer. I'm sure I still have a functioning copy of SPICE around, but there are also more modern tools.
Nothing is 100% secure, and likely never will be. Unless everyone rolls over and we all get implants to control us.
Lastly, yes, the general populace could care less about the wild rantings from us crazy tin-foil hat techies. I see people's eyes glaze over when I mention these topics.
|
|
celtichackr
Veteran Member
Posts: 51
|
Authored by celtichackr on Sept 8, 2013 16:26:53 GMT
PS, I don't trust the hardware, why do you?
|
|
stegu
Veteran Member
Posts: 15
|
Authored by stegu on Sept 8, 2013 21:30:56 GMT
You misunderstood a large part of my post, it seems. Yes, of course there is a problem with Gentoo, because it does not bootstrap from scratch; you need to trust both the hardware, the default kernel, some basic binary utilities and the compiler to get it up and running. I do not trust the hardware completely. Why would I? The hardware is made by companies that are just as likely as the software vendors to be bribed and coerced into creating backdoors for the NSA. I put "trusted computing" in quotes to show that it is a misnomer, but I did not (heaven forbid) mean to refer to the abomination that has that brand name as being somehow secure or safe. A computer that requires everything I run to be signed by Microsoft (or any other opaque entity, for that matter) is a computer I would never trust with anything important.
Even entering binary executables by hand into a file does not make you safe. You need to execute it on a platform that can load a file and run it, and that platform can be compromised. We will never be safe from snooping as long as we depend on computers in almost everything we do, but I think it is time to stop being quite as gullible and naive as most people have been until now, myself included.
|
|
|
Authored by wayneborean on Sept 9, 2013 19:41:30 GMT
I'm working on an analysis of the implications of NSA spying. There are a variety of things that I don't think anyone is considering properly. Will post a link when it is done. Wayne madhatter.ca
|
|
celtichackr
Veteran Member
Posts: 51
|
Authored by celtichackr on Sept 9, 2013 21:56:25 GMT
I think I understood most of your post, but my response was a bit mungled. Certainly, if the hardware is borked nothing is safe. It is possible to build secure hardware, but as you said, unless you control the process you can't know if a backdoor is there. So, the only solution is to build opensourced fab facilities. Like the 3D printers. Then anyone could build from scratch, to any spec they wanted and use opensource "standard" interfaces so it can communicate to other machines. The problem there of course, is that's a lot of work, and likely to be way more expensive than those huge facilities. But, I could actually design such a system all the way down to generating your own silicon wafer boules. Depending on how paranoid paranoid is. It would be a big project. There are a lot of details that need handling. Some parts could be built fairly cheaply. There's got to be plenty of old tube TVs still out there, which could be scavenged for electron guns, etc. I doubt I could design a fab plant to match Intel's current SOA in transistor density. I'd be surprised if I could easily match AMD's. Well at least not without a ton of research. But of course, I like the way RasPi think, RISC. Of course, then you also have to worry about compatibility with current distros. Or roll your own. Paranoia can be exhausting. I look forward to the Mad Hatter's post. To see if I'm not considering something. I have a pretty low trust rating, so I'd be mildly surprised. While I may take many more risks than my paranoia comfort level, it doesn't mean I'm trusting. It just means I try to exist in society. Were I to act on my actual level of paranoia, I'd have been off the grid a long time ago.
|
|
GLaw
Guest
|
Authored by GLaw on Sept 9, 2013 23:47:17 GMT
"I look forward to the Mad Hatter's post."
This.
|
|
|
Authored by wayneborean on Sept 10, 2013 3:11:51 GMT
"I look forward to the Mad Hatter's post."
"This."
OK, here it is. I would love to get feedback on it.
NSA Spying Scandal – An Analysis
Note that there are several things I can't directly prove. However I do know human nature. Hell, I was a salesman for too many years.
Wayne
madhatter.ca
PS: Possibly this should go under Newspicks or Off-Topic as well. Wasn't sure, if someone thinks it should, please put it there.
|
|
celtichackr
Veteran Member
Posts: 51
|
Authored by celtichackr on Sept 10, 2013 18:43:28 GMT
Hahaha, wow! You got me! I'd never considered the competitive advantage perspective.
As for the trust of American software, hardware, that was a foregone conclusion.
Something American agencies have just started thinking about, i.e. Lenovo. Although, I think there's a different reason for that than the public explanation. After all, it's all made in either China or Korea now. All the more reason to buy Samsung products, and with Apple going more and more to Chinese products.
If I have to have spyware in my hardware, I'd be more comfortable with South Korean trojans than Chinese trojans. But, of course, South Korean trojans may be NSA sponsored. Maybe it's time to start fabbing my own. I seriously need to take a look at this. Not that I have anything to worry about, it's just the creepiness factor.
But I know what I'm doing this weekend. Installing CM on all two of my Android devices. Might brick my Samsung SIII in the process.
I wonder what trojans are in my RazPis?
|
|