Meeting Snowden in Princeton (lightbluetouchpaper.org)
111 points by zmanian on May 2, 2015 | hide | past | favorite | 12 comments



A couple of things that bugged me from this writeup (these may be attributable to Anderson instead of Snowden):

1:

"Homegrown crypto is routinely problematic, but properly implemented crypto keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails." is later followed by "The NSA is even more cautious than the FBI, and won’t use top exploits against clueful targets unless it really matters. Intelligence services are at least aware of the risk of losing a capability, unlike vanilla law enforcement."

Reconciling these statements is disquieting. Snowden has never seen a successful decrypted RSA-1024 intercept. But he also believes that the good stuff is kept under wraps, which is what everyone else who understands SIGINT thinks as well.

2:

We can push back a bit by blocking papers from conferences or otherwise denying academic credit where researchers prefer cash or patriotism to responsible disclosure, but that only goes so far.

Well, that, and the whole thing about how publishing papers isn't merely an exercise in making the authors feel better, but also how science works.

3:

People who can pay for a new kitchen with their first exploit sale can get very patriotic; NSA contractors have a higher standard of living than academics.

I have a problem with casual innuendo about how vulnerabilities are expensive because exploiters pay so much for them. In fact, ever-increasing dollar amounts for serious vulnerabilities are what you want to see: if there's a liquid market for vulnerabilities, the last thing you want is for serious ones to be cheap. This is highly specialized engineering work; whether Ron Paul likes it or not, it commands a high rate.

A simpler response: lots of people have made enough off vuln sales to replace kitchens without ever selling them to anyone who would exploit them.

I do have a moral problem with people who sell vulnerabilities to (a) the USG or (b) people who exploit them. I do not love the emergence of vuln markets. But I am not willing to tar everyone who earns a living doing this work as an NSA shill.

Moreover: all reverence for Snowden stipulated and set aside: nobody has ever made a claim for his expertise in vulnerability research or sales. Can we be clearer about why we're meant to carefully consider his take on it?

4:

Generally, this reads a lot like STRATFOR to me. It starts out with facts and stuff that appears verifiable/falsifiable, but it trends into a sort of geopolitical/legal LARPing exercise.


Regarding your first point, there's some confusion between active exploits (i.e. botnet infections, etc.) and passive intercepts. They are indeed cautious about using exploits and botnet platforms (I don't think that makes any of it right).

Absolutely NSA & GCHQ should be able to crack RSA-1024: it is not magical, and it is definitely well within their budget, but it still isn't particularly cheap timewise, so unless something is really super important, it's not going to join the crypto attack queue for supercomputing resources, and they would not be waving it around too widely.

By comparison, we know RC4 is toast. We have a rough sketch of the attack (though please correct me if any of this is wrong): passive; returns plaintext from ciphertext, with either no or a few bytes of known plaintext header at most; runs in software on blades and other places at mass-intercept scale in real-time, so we have an upper bound on its complexity (and it's very low compared to RSA-1024).

We don't know many technical details about the attack yet. RC4 is a peculiar beast, quite unlike semi-modern or modern ciphers like AES or Salsa20/ChaCha20: huge state; crappy diffusion; several known weaknesses, but no public break yet. I can't wait to find out more: this is one of the few areas where NSA actually is ahead, as the public sphere definitely knows RC4 is too wobbly to use, but is still quite some way off decrypts of it. Whatever technique is used may well not be applicable to ciphers of a more modern design (but what about Spritz?).

If you've been using RC4, ever, this should give you pause. Think about what's ever gone out using it. Think about what someone could have recorded - likely did record. Do you need to be changing any passwords?

If you're still using or accepting RC4 anywhere for any reason (ahem, Mozilla, Google, Microsoft?), for heaven's sake, get your arses in gear. You're not beating the attackers, you're now only limiting the damage. Given the RFC and everything, and the internal discussions you've been having, I personally would be loath to consider any further delay ethical before action. Please do remember Holmes' Law of Reverse-Engineering: what one can invent, another can discover.
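An added example (not part of the thread) illustrating the "several known weaknesses" the comment above refers to: the Mantin-Shamir second-byte bias, the best-known published statistical weakness of RC4. A standard pure-Python RC4 (KSA + PRGA) is run over random 128-bit keys, constructed here with a fixed seed, and the second keystream byte comes out as 0x00 roughly twice as often as a uniform byte would; this distinguishability is one reason the cipher had to be retired.

```python
import random

# Added example: textbook RC4 KSA + PRGA, written here to measure a published
# keystream bias; it is not code from the thread or from any vendor.
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 under `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def zero_rates(trials: int, positions=(1, 2, 3), seed: int = 1) -> dict:
    """Fraction of random 128-bit keys whose keystream byte at each 1-indexed
    position is 0x00. A uniform byte gives 1/256 ~ 0.0039 at every position;
    Mantin-Shamir (2001) showed position 2 is 0 with probability ~ 2/256."""
    rng = random.Random(seed)                 # constructed, deterministic keys
    zeros = {p: 0 for p in positions}
    n = max(positions)
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, n)
        for p in positions:
            if ks[p - 1] == 0:
                zeros[p] += 1
    return {p: c / trials for p, c in zeros.items()}

if __name__ == "__main__":
    # Known-answer check (public RC4 test vector for key "Key"), then the bias.
    assert rc4_keystream(b"Key", 5).hex() == "eb9f7781b7"
    for pos, rate in zero_rates(20000).items():
        print(f"P[Z{pos} = 0] = {rate:.4f}  (uniform would be {1/256:.4f})")
```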


> If you're still using or accepting RC4 anywhere for any reason (ahem, Mozilla, Google, Microsoft?), for heaven's sake, get your arses in gear.

Amazon AWS signup, as of last night? http://i.imgur.com/Wq0lnnR.png


https://www.ssllabs.com/ssltest/analyze.html?d=portal.aws.am...

If your TLS client tried stronger cipher suites before weaker ones (which only MSIE does, and it considers only RC4 weak), you can get TLS 1.0 with RSA key exchange, AES-256-CBC encryption, HMAC-SHA1 authentication with that server. That's not secure (only TLS 1.2 with PFS and AEAD is secure).
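An added example (not from the thread) that turns the criteria in the comment above into a check over a cipher-suite preference list: it flags RC4, key exchange without forward secrecy, CBC/HMAC instead of AEAD, and a client order that tries weaker suites before stronger ones. OpenSSL-style suite names are assumed, and the suite lists in the test are constructed.

```python
# Added example, not code from the thread. Assumes OpenSSL-style suite names
# such as "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA" or "RC4-SHA".
PFS_KX = ("ECDHE-", "DHE-", "EDH-", "EECDH-")
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")

def classify(suite: str) -> dict:
    """Describe one suite by the properties the comment cares about."""
    s = suite.upper()
    return {
        "suite": suite,
        "rc4": "RC4" in s,
        "pfs": s.startswith(PFS_KX),
        "aead": any(m in s for m in AEAD_MARKERS) or s.endswith("-CCM8"),
    }

def rank(suite: str) -> int:
    """Coarse strength: 3 = PFS+AEAD, 2 = PFS only, 1 = static key exchange, 0 = RC4."""
    c = classify(suite)
    if c["rc4"]:
        return 0
    if c["pfs"] and c["aead"]:
        return 3
    return 2 if c["pfs"] else 1

def negotiated_is_secure(version: str, suite: str) -> bool:
    """The comment's bar: TLS 1.2 (or later) with PFS and AEAD, never RC4."""
    return version in ("TLSv1.2", "TLSv1.3") and rank(suite) == 3

def audit_order(suites: list) -> list:
    """Human-readable findings for a client or server preference list."""
    findings = []
    for s in suites:
        c = classify(s)
        if c["rc4"]:
            findings.append(f"{s}: RC4 accepted")
        elif not c["pfs"]:
            findings.append(f"{s}: no forward secrecy (static key exchange)")
        elif not c["aead"]:
            findings.append(f"{s}: CBC/HMAC, not AEAD")
    # A weaker suite listed ahead of a stronger one is the ordering problem
    # the comment describes (MSIE being the exception that tries strong first).
    for a, b in zip(suites, suites[1:]):
        if rank(a) < rank(b):
            findings.append(f"order: {a} is preferred over stronger {b}")
    return findings

if __name__ == "__main__":
    print(negotiated_is_secure("TLSv1.0", "AES256-SHA"))        # the case in the comment
    for line in audit_order(["RC4-SHA", "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]):
        print(line)
```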


>Snowden has never seen a successful decrypted RSA-1024 intercept. But he also believes that the good stuff is kept under wraps...

Here's a piece I wrote for CNET about RSA-1024: http://www.cnet.com/news/facebooks-outmoded-web-crypto-opens...

Quoting Eran Tromer, a Tel Aviv University CS prof who wrote his dissertation on custom code-breaking hardware: "Realistically, right now, breaking 1,024-bit RSA should be considered well within reach by leading nations, and marginally safe against other players."

And that was two years ago.


Tromer and Shamir's paper on this (considerably older):

http://www.tau.ac.il/~tromer/papers/cbtwirl.pdf

(Tromer is credible, for people who don't know crypto research personalities).


"these may be attributable to Anderson instead of Snowden"

The blog post is a write-up of a conversation between "a group of cryptographers from industry and academia" and Snowden, one of whom was Ross Anderson.

There are things that were said during this conversation that you disagree with. Why do you assume that they were all said by Snowden (or Anderson)? There were several others present ("As well as over a dozen cryptographers there was at least one lawyer and at least one journalist familiar with the leaked documents"), who could have been the source for these particular remarks.


"I do have a moral problem with people who sell vulnerabilities to (a) the USG or (b) people who exploit them."

Just for the sake of pedantry, category (a) is definitely contained in category (b). Just because it's not usually for money doesn't mean it's not an exploit.


> Secret laws are pure poison; government lawyers claim authority and act on it, and we don’t know about it.

"Secret laws" are not laws. It is the equivalent of "because I said so", and that is simply a fascist edict.

@CombiHack points out:

> If “ignorance of the law is no excuse”, then the law MUST be publicly available. [..] Alternatively (less preferable): If “secret laws are laws”, then ignorance of the law MUST be a complete defense. End of story.


I have immense respect for the author, and I know these are just notes, but the tone of technologists who talk about Snowden is very annoying.

We know certain technologies like Tor and OTR are safe because of the weight of scientific research that supports them, and the immense effort of the developers. Not because someone said so at an event. Statements like "gpg ciphertexts with RSA 1024 were returned as fails" are totally meaningless.

I wish people had more confidence in good old science (like Anderson's works) than glamorous events like this. You should all check out Security Engineering by the same author, it's free! www.cl.cam.ac.uk/~rja14/book.html


I mean, that scientific research includes a bunch of timing attacks which show that if someone can manipulate both the entry and exit points (like the NSA can), they can deanonymize TOR users. The TOR team specifically state that a "global" adversary (like the NSA) is beyond the scope of threats they are trying to protect against.

There is no theoretical guarantee that the NSA cannot break TOR; the question is whether they have actually got the engineering in place to do so. And the Snowden leaks showed they didn't, at least not in 2013, although they were working on it.


Tor has been the subject of a decade of extensive research by the computer security community. OTR on the other hand, is showing its age, and I don't know any cryptography experts who are entirely comfortable with its design or the choice of crypto algorithms and key sizes that it uses.

OTR and Tor aren't even in the same league.
