
Comment by mort96

3 years ago

Weirdly, any time I've suggested that maaaybe being too trusting of a known bad actor which has repeatedly published intentionally weak cryptography is a bad idea, I've received a whole lot of push-back and downvotes here on this site.

Indeed. Have my upvote, stranger.

The related “just ignore NIST” crowd is intentionally or unintentionally dismissing serious issues of governance. Anyone who deploys this argument is questionable in my mind, essentially bad faith actors, especially when the topic is about the problems brought to the table by NIST and NSA.

It is a good sign that those people are actively ignoring the areas where you have no choice and you must have your data processed by a party required to deploy FIPS certified software or hardware.

I'm working on a project that involves a customized version of some unclassified, non-intelligence software for a defense customer at my job (not my ideal choice of market, but it wasn't weapons so okay with it). Some of the people on the project come from the deeper end of that industry, with several TS/SCI contract and IC jobs on their resumes.

We were looking over some errors on the sshd log and it was saying it couldn't find the id_ed25519 server cert. I remarked that that line must have stayed even though the system was put in FIPS mode which probably only allowed the NIST-approved ECC curve and related this story, how everyone else has moved over to ed25519 and the government is the only one left using their broken algorithm.

One of the IC background guys (who is a very nice person, nothing against them) basically said, yeah the NSA used to do all sorts of stuff that was a bad idea, mentioning the Clipper chip, etc. What blew my mind is that they seemed to totally have reasonable beliefs about government surveillance and powers, but then when it comes to someone like Snowden, thinks they are a traitor and should have used the internal channels instead of leaking. I just don't understand how they think those same people who run NSA would have cared one bit, or didn't know about it already. I always assumed the people that worked in the IC would just think all this stuff was OK to begin with I guess.

I don't know what the takeaway is from that, it just seems like a huge cognitive dissonance.

  • I think the term "doublethink" was invented specifically for government functionaries like the IC guy you describe.

    Being consistently and perfectly dogmatic requires holding two contradictory beliefs in your head at once. It's a skill.

    • It’s not doublethink to say the programs should have been exposed and that Snowden was a traitor for exposing them in a manner that otherwise hurt our country.

      He could have done things properly, instead he dumped thousands of files unrelated to illegal surveillance to the media.


  • While I am skeptical of US domestic surveillance, Snowden leaked this information in the worst possible way.

    Try internal whistleblower channels first. Not being heard? Mail to members of Congress? Contact Congress? Contact the media?

    Instead he fled to an adversary with classified material. That's not good faith behavior imo. Traitor

    • Regarding trying internal channels, Snowden says he tried this:

      > despite the fact that I could not legally go to the official channels that direct NSA employees have available to them, I still made tremendous efforts to report these programs to co-workers, supervisors, and anyone with the proper clearance who would listen. The reactions of those I told about the scale of the constitutional violations ranged from deeply concerned to appalled, but no one was willing to risk their jobs, families, and possibly even freedom

      The fleeing to a foreign adversary part would have been completely avoidable if the US had stronger whistleblower protections. It's perfectly reasonable to see what happened to Chelsea Manning and Julian Assange and not want to suffer a similar fate.


Many government or government affiliated organizations are required to comply with NIST approved algorithms by regulation or for interoperability. If NIST cannot be trusted as a reputable source it leaves those organizations in limbo. They are not equipped to roll their own crypto and even if they did, it would be a disaster.

  • "Other people have no choice but to trust NIST" is not a good argument for trusting NIST. Somehow I don't imagine the NSA is concerned about -- and is probably actively in favor of -- those organizations having backdoors.

  • "Roll your own crypto" typically refers to making your own algorithm or implementation of an algorithm, not choosing the algorithm.

    • Would you really want every random corporation having some random person pick from the list of open source cipher packages? Which, last I checked, still included things like 3DES, MD5, etc.

      You might as well hand a drunk monkey a loaded submachine gun.


Another upvote from someone with many friends and colleagues in NIST. I hope transparency prevails and NISTers side with that urge as well (I suspect many do).

  • They could and should leak more documents if they have evidence of malfeasance.

    There are both legal safe avenues via the IG process and legally risky many journalists who are willing to work for major change. Sadly legal doesn’t mean safe in modern America and some whistleblowers have suffered massive retribution even when they play by “the rules” laid out in public law.

    As Ellsberg said: Courage is contagious!