Big Brother Awards
quintessenz search  /  subscribe  /  upload  /  contact  
/q/depesche *
/kampaigns
/topiqs
/doquments
/contaqt
/about
/handheld
/subscribe
RSS-Feed Depeschen RSS
Hosted by NESSUS
<<   ^   >>
Date: 2000-09-06

Ad PGP-Sicherheitsloch: Handbuch NSA-Sabotage


-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

Nicht ganz taufrisch, aber sehr knapp und übersichtlich
zusammengefasst und mit allen nötigen Links - ein kleines
Round-Up des Wissens darüber, wie die NSA ihr nicht
genehme Software kompromittiert.

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
relayed by g'o'tz ohnesorge <gohnesorge@lh-
computertechnik.de>
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

A pocket guide to NSA sabotage

Doug Porter

The NSA engages in sabotage, much of it against American
companies and products. One campaign apparently occurred
at about the time when PGP's most serious vulnerability was
added.

To understand the whole story requires some background.

In Bruce Schneier's newsletter Crypto-Gram he told us last
year about Lew Giles, said to be an NSA saboteur wrecking
American privacy products in 1997. Schneier says that
according to several sources Giles went from company to
company, asking them to destroy the security of their own
products, and arranging cover stories to protect them.
According to Crypto-Gram sometimes Giles worked directly
with engineers, with no managers around. The sabotage was
always supposed to look like a mistake.

At about the same time, PGP introduced "key recovery" with
the hidden flaw recently covered worldwide, including
Schneier's own clear description in Slashdot. Other serious
vulnerabilities have been found in the PGP versions released
then. For example, just last May PGP was found to generate
weak keys on Linux and OpenBSD. The original report in
BugTraq says the bug was introduced in version 5.0,
released in 1997.

Undoubtedly most security bugs are just bugs. But it's also
very possible that some are backdoors.

CNN and Network World detailed how the NSA openly strong
arms companies, "leaning on software, switch and router
vendors" to make them "add a government-approved back
door into network gear." Companies working with the NSA,
however unwillingly, include Netscape, Sun, and Microsoft.
Chris Tolles of Sun says, "Everyone in Silicon Valley,
including us, has to have specific staff -- highly paid experts --
to deal with them." If everyone's dealing with them, are any
products secure?

Taher Elgamal, who wrote Netscape's so called "data-
recovery plan" as demanded by the spooks, said they didn't
have a choice. Exports are about half the income for these
businesses. In practice companies need NSA's permission
to export security products, except for "export grade" junk.
NSA only gives permission if the security is crippled in some
way.

Duncan Campbell reported in Interception Capabilities 2000
that NSA succeeded in compromising browsers from both
Microsoft and Netscape, as well as Lotus Notes. The
browsers' security was openly gutted by NSA's insistence on
reducing key sizes to whatever the NSA can easily crack at
the time. In the case of Lotus Notes the keys appeared to be
longer, but just enough of each key was secretly given to the
NSA.

Mit sehr vielen Links
http://cryptome.org/nsa-sabotage.htm
-.- -.-. --.-

- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by
published on: 2000-09-06
comments to [email protected]
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
<<   ^   >>
Druck mich

BigBrotherAwards


Eintritt zur Gala
sichern ...



25. Oktober 2023
#BBA23
Big Brother Awards Austria
 CURRENTLY RUNNING
q/Talk 1.Juli: The Danger of Software Users Don't Control
Dr.h.c. Richard Stallman live in Wien, dem Begründer der GPL und des Free-Software-Movements
 
 !WATCH OUT!
bits4free 14.Juli 2011: OpenStreetMap Erfinder Steve Coast live in Wien
Wie OpenStreetMaps die Welt abbildet und was ein erfolgreiches Crowdsourcing Projekt ausmacht.