Re: NSA foils much internet encryption

2014-04-13 Thread Chase, John
 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of DASDBILL2
 
 Of course they didn't use the Heartbleed bug for at least the last two years.
 How do I know?  Because the NSA said they weren't even aware of it, so how
 could they possibly have used it?
 
 “NSA was not aware of the recently identified vulnerability in OpenSSL, the
 so-called Heartbleed vulnerability, until it was made public in a
 private-sector cybersecurity report. Reports that say otherwise are wrong,”
 the agency said in a statement to NBC News.

And if you believe that, I have some oceanfront property in Leadville that I'd 
like to sell you.  :-)

-jc-

 Only problem with this official statement is that the statement did not
 provide the highly parsed legalese definition of at least the following
 words and/or phrases:  NSA, aware, recently, so-called, public, report,
 otherwise, wrong.
 
 Bill Fairchild
 [snip]


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: NSA foils much internet encryption

2014-04-13 Thread John Gilmore
The NSA employs able people entirely capable of discovering the
recently identified vulnerability in OpenSSL, the so-called Heartbleed
vulnerability.

It says, however, that it was not aware of this particular
vulnerability; and I believe it.

There is 1) no need to impute omniscience to the NSA; moreover, 2) it
did not deny knowledge of any [other] vulnerability in OpenSSL.  I
suspect that there are a number of other such vulnerabilities, and if
the NSA had knowledge of one or more of them its incentive to look for
more would be much diminished, indeed exiguous.

In the light of what we know about NSA capabilities, it would of
course be prudent to assume that it can decrypt instances of the use
of any and all of the packaged up, widely used key-based encryption
schemes; and it would be imprudent not to do so; but this is very
different from the sophomoric cynicism implicit in the notion that it
is reading all of the encrypted signals it is squirrelling away.

Worse, it gets the problem wrong.  This problem, as always, is that of
finding the significant in a welter of banal insignificance.  It may
well be true that the works of Shakespeare are to be found somewhere
in the keyboard outputs of those monkeys, but the problem of finding
them is still a daunting one.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2014-04-11 Thread Mike Schwab
NSA used the Heartbeat bug for at least the last two years.
http://www.motherjones.com/politics/2014/04/heartbleed-bug-internet-security-ssl

On Thu, Dec 5, 2013 at 5:41 PM, Paul Gilmartin paulgboul...@aim.com wrote:
 On Thu, 5 Dec 2013 15:19:55 -0600, Mike Schwab mike.a.sch...@gmail.com 
 wrote:

Microsoft finally woke up.

http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/

Microsoft is trying to change the terms of the NSA debate — literally.

The company is labeling any government effort to spy on its online
communications as evidence of an advanced persistent threat, a term
that's so far been reserved to describe foreign espionage units such
as the one allegedly operated by the Chinese military.

 Related:

 
 http://techcrunch.com/2013/11/05/apple-slips-in-warrant-canary-to-warn-users-of-future-compliance-with-patriot-act-section-215-information-requests/

 ... and my vocabulary is enlarged.

 -- gil




-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2014-04-11 Thread Ed Finnell
I was watching the screen roll by on Bloomberg and it said CISCO, Juniper  
and Android were affected.
2/3 of Internet was quoted. 
 
 
In a message dated 4/11/2014 3:33:36 P.M. Central Daylight Time,  
mike.a.sch...@gmail.com writes:

NSA used the Heartbeat bug for at least the last two years.




Re: NSA foils much internet encryption

2014-04-11 Thread DASDBILL2
Of course they didn't use the Heartbleed bug for at least the last two years.  
How do I know?  Because the NSA said they weren't even aware of it, so how 
could they possibly have used it? 

“NSA was not aware of the recently identified vulnerability in OpenSSL, the 
so-called Heartbleed vulnerability, until it was made public in a 
private-sector cybersecurity report. Reports that say otherwise are wrong,” the 
agency said in a statement to NBC News. 

Only problem with this official statement is that the statement did not provide 
the highly parsed legalese definition of at least the following words and/or 
phrases:  NSA, aware, recently, so-called, public, report, otherwise, wrong. 

Bill Fairchild 

- Original Message -

From: Mike Schwab mike.a.sch...@gmail.com 
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Friday, April 11, 2014 3:33:26 PM 
Subject: Re: NSA foils much internet encryption 

NSA used the Heartbeat bug for at least the last two years. 
http://www.motherjones.com/politics/2014/04/heartbleed-bug-internet-security-ssl
 

On Thu, Dec 5, 2013 at 5:41 PM, Paul Gilmartin paulgboul...@aim.com wrote: 
 On Thu, 5 Dec 2013 15:19:55 -0600, Mike Schwab mike.a.sch...@gmail.com 
 wrote: 
 
Microsoft finally woke up. 
 
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/
 
 
Microsoft is trying to change the terms of the NSA debate — literally. 
 
The company is labeling any government effort to spy on its online 
communications as evidence of an advanced persistent threat, a term 
that's so far been reserved to describe foreign espionage units such 
as the one allegedly operated by the Chinese military. 
 
 Related: 
 
     
 http://techcrunch.com/2013/11/05/apple-slips-in-warrant-canary-to-warn-users-of-future-compliance-with-patriot-act-section-215-information-requests/
  
 
 ... and my vocabulary is enlarged. 
 
 -- gil 
 



-- 
Mike A Schwab, Springfield IL USA 
Where do Forest Rangers go to get away from it all? 



Re: NSA foils much internet encryption

2013-12-06 Thread DASDBILL2
Apple's lawyers are very clever. As lawyers all know, show them a law (e.g., 
Section 215 of the USA Patriot Act) and they will show you a loophole (e.g., 
warrant canary). 
  
Bill Fairchild 
Franklin, TN 
  
N.B. :  I have never received an order under Section 215 of the USA Patriot 
Act.  I would expect to challenge such an order if served on me. 
  

- Original Message -

From: Paul Gilmartin paulgboul...@aim.com 
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Thursday, December 5, 2013 5:41:59 PM 
Subject: Re: NSA foils much internet encryption 

On Thu, 5 Dec 2013 15:19:55 -0600, Mike Schwab mike.a.sch...@gmail.com wrote: 

Microsoft finally woke up. 
 
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/
 
 
Microsoft is trying to change the terms of the NSA debate — literally. 
 
The company is labeling any government effort to spy on its online 
communications as evidence of an advanced persistent threat, a term 
that's so far been reserved to describe foreign espionage units such 
as the one allegedly operated by the Chinese military. 
 
Related: 

    
http://techcrunch.com/2013/11/05/apple-slips-in-warrant-canary-to-warn-users-of-future-compliance-with-patriot-act-section-215-information-requests/
 

... and my vocabulary is enlarged. 

-- gil 



Re: NSA foils much internet encryption

2013-12-06 Thread Paul Gilmartin
On Fri, 6 Dec 2013 14:58:36 +, DASDBILL2 wrote:

Apple's lawyers are very clever. As lawyers all know, show them a law (e.g., 
Section 215 of the USA Patriot Act) and they will show you a loophole (e.g., 
warrant canary). 
   
Perhaps the DoHS lawyers are also clever.  I wonder whether they'd be able
to construe any affirmative step taken by an Apple executive to smother the
canary in the event of a Section 215 warrant as a violation of the gag order.

N.B. :  I have never received an order under Section 215 of the USA Patriot 
Act.  I would expect to challenge such an order if served on me. 
  
- Original Message -

From: Paul Gilmartin
Sent: Thursday, December 5, 2013 5:41:59 PM 

On Thu, 5 Dec 2013 15:19:55 -0600, Mike Schwab wrote: 

Microsoft finally woke up. 
 
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/
 
 
Related: 

    
http://techcrunch.com/2013/11/05/apple-slips-in-warrant-canary-to-warn-users-of-future-compliance-with-patriot-act-section-215-information-requests/
 

-- gil



Re: NSA foils much internet encryption

2013-12-06 Thread John Gilmore
There is a large legal literature of omisses, instances of omissis.
The upshot is that failing to do something that is positively required
is actionable but that negative omissis, failing to renew a guarantee,
offer a refund, make paint in the color burnt umber, etc.,etc., is
not.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-12-05 Thread Mike Schwab
Why did the NSA even bother to get an internet tap, when they could
have just re-routed packets through their servers?

(Maybe the extra delay is causing our messages to be re-sent creating
duplicate messages?)

http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/

Earlier this year, researchers say, someone mysteriously hijacked
internet traffic headed to government agencies, corporate offices and
other recipients in the U.S. and elsewhere and redirected it to
Belarus and Iceland, before sending it on its way to its legitimate
destinations. They did so repeatedly over several months. But luckily
someone did notice.

And this may not be the first time it has occurred — just the first
time anyone has noticed.

On Mon, Oct 7, 2013 at 5:16 PM, Paul Gilmartin paulgboul...@aim.com wrote:
 On Mon, 7 Oct 2013 16:53:28 -0500, Mike Schwab wrote:

http://www.bbc.co.uk/news/technology-24429332
NSA using old versions of Firefox to infect PCs in order to identify TOR 
users.

 Will virus scanners detect such infections, or has NSA arranged that the
 scanners themselves have an Acquired Immune Deficiency?

NSA unable to break TOR itself.
GO TOR developer U.S. Navy (who needed a secure way to share messages
with submarines).

 -- gil




-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2013-12-05 Thread Mike Schwab
Microsoft finally woke up.

http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/

Microsoft is trying to change the terms of the NSA debate — literally.

The company is labeling any government effort to spy on its online
communications as evidence of an advanced persistent threat, a term
that's so far been reserved to describe foreign espionage units such
as the one allegedly operated by the Chinese military.

more at the link

-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2013-12-05 Thread Paul Gilmartin
On Thu, 5 Dec 2013 15:19:55 -0600, Mike Schwab mike.a.sch...@gmail.com wrote:

Microsoft finally woke up.

http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/05/microsoft-u-s-government-is-a-potential-security-threat/

Microsoft is trying to change the terms of the NSA debate — literally.

The company is labeling any government effort to spy on its online
communications as evidence of an advanced persistent threat, a term
that's so far been reserved to describe foreign espionage units such
as the one allegedly operated by the Chinese military.

Related:


http://techcrunch.com/2013/11/05/apple-slips-in-warrant-canary-to-warn-users-of-future-compliance-with-patriot-act-section-215-information-requests/

... and my vocabulary is enlarged.

-- gil



Re: NSA foils much internet encryption

2013-10-07 Thread Mike Schwab
http://www.bbc.co.uk/news/technology-24429332
NSA using old versions of Firefox to infect PCs in order to identify TOR users.
NSA unable to break TOR itself.
GO TOR developer U.S. Navy (who needed a secure way to share messages
with submarines).

On Wed, Sep 25, 2013 at 8:23 AM, John Gilmore jwgli...@gmail.com wrote:
 The WIRED piece Mike Schwab provided a link to recounts things that
 are commonplaces within the crypto community; but it is a useful brief
 conspectus for others.

 Worth remembering is that these situations are always layered.
 During the Korean War it was usual for the Chinese to plant two or
 more sets of booby traps in positions they abandoned.  The first were
 easy to find, but not flagrantly so.  The second were not.  The notion
 was that finding the first set would make the [chiefly American] UN
 Forces less careful, more likely to miss the second.

 Or again, as the late Malcolm Muggeridge once observed, malignly, The
 Americans' CIA is an amateurish sort of organization, but it will
 provide excellent cover for a professional one if they ever decide to
 establish it.

 John Gilmore, Ashland, MA 01721 - USA




-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2013-10-07 Thread John Gilmore
TOR is in fact quite a good one,  but it is only incidentally an
encryption scheme.

It is a superb mechanism for preserving the anonymity of the origin of
an internet communication and/or, at the expense of a little
complication, obscuring its actual [intermediate] destination as
opposed to its notional/nominal final one.

Without wishing to be repetitive---I have made what is essentially
this same point here before---it is not necessary to break, say, an
email encryption scheme if the content of an email can be filched
before it has been encrypted at its source or after it has been
decrypted at its sink; and the NSA or another such agency might well
wish to identify TOR users to this end.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-09-25 Thread John Gilmore
The WIRED piece Mike Schwab provided a link to recounts things that
are commonplaces within the crypto community; but it is a useful brief
conspectus for others.

Worth remembering is that these situations are always layered.
During the Korean War it was usual for the Chinese to plant two or
more sets of booby traps in positions they abandoned.  The first were
easy to find, but not flagrantly so.  The second were not.  The notion
was that finding the first set would make the [chiefly American] UN
Forces less careful, more likely to miss the second.

Or again, as the late Malcolm Muggeridge once observed, malignly, The
Americans' CIA is an amateurish sort of organization, but it will
provide excellent cover for a professional one if they ever decide to
establish it.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-09-24 Thread J.P.
 The implications of the post by J.P. are entirely correct; but the
 post itself is---I don't mean this pejoratively---a little naif.

Naivety is intended to caricature the point :)

 The NSA cannot be expected to advocate the use of an encryption scheme
 that it has not already broken, and this behavior does not seem to me
 to be villainous.  Why should it act against its interests?

Because of the constitution? (naivety again;)

Would just like to add what I've heard from several sources:
Crypto is mostly solid, but implementations are weak.



Re: NSA foils much internet encryption

2013-09-24 Thread Anne Lynn Wheeler
ip4w...@gmail.com (J.P.) writes:
 Would just like to add what I've heard from several sources:
 Crypto is mostly solid, but implementations are weak.

re:
http://www.garlic.com/~lynn/2013l.html#55 NSA foils much internet encryption
http://www.garlic.com/~lynn/2013l.html#56 NSA foils much internet encryption

How a Crypto Backdoor Pitted the Tech World Against the NSA
http://www.wired.com/threatlevel/?p=85661

other recent refs
http://www.garlic.com/~lynn/2013m.html#0 UK NHS £10bn project failure
http://www.garlic.com/~lynn/2013m.html#2 UK NHS £10bn project failure

recent posts about long ago and far away realizing that there were 3
kinds of crypto 1) the kind they don't care about, 2) the kind you can't
do and 3) the kind you can only do for them.
http://www.garlic.com/~lynn/2013d.html#1 IBM Mainframe (1980's) on You tube
http://www.garlic.com/~lynn/2013g.html#31 The Vindication of Barb
http://www.garlic.com/~lynn/2013i.html#69 The failure of cyber defence - the mindset is against it
http://www.garlic.com/~lynn/2013k.html#77 German infosec agency warns against Trusted Computing in Windows 8
http://www.garlic.com/~lynn/2013k.html#88 NSA and cryptanalysis

we had been brought in to small client/server startup as consultants
because they wanted to do payment transactions on their server; the
startup had also invented this technology called SSL they wanted to
use, the result is now frequently called electronic commerce.

somewhat as a result of having worked on electronic commerce, in the
mid-90s we were invited to participate in the x9a10 financial standards
working group which had been given the requirement to preserve the
integrity of the financial infrastructure for *ALL* retail payments.
the result was the x9.59 financial transaction standard.

other experience from the 80s was the internal network (larger than
arpanet/internet from just about the beginning until sometime
late '85 or early '86) 
http://www.garlic.com/~lynn/subnetwork.html#internalnet

which required all links to be encrypted ... in the mid-80s comment was
that the internal network had more than half of all link encryptors in
the world. there was usually lots of problems with national govs. over
encryption ... especially when links cross national boundaries (and
argument that helped was that the link went solely from one corporate
location to another). old reference to internal network passing 1000
nodes 30yrs ago ... and a list of all corporate locations that had one
or more new nodes added during 1983.
http://www.garlic.com/~lynn/2006k.html#8

in any case, the experiences help motivate the direction of x9.59 to be
purely authentication and didn't require encryption to hide information.
I've periodically commented that the current payment paradigm has
problem that account information is effectively used for authentication
... which requires that it be kept confidential and never be divulged
... while at the same time, the same information is required in dozens
of business processes at dozens of business processes at millions of
locations around the globe. As a result, I've periodically commented
that even if the globe was buried under miles of information hiding
encryption, that it would stop information leakage.

In any case, one of the things x9.59 standard did was slightly tweak the
current paradigm and separate authentication information from business
processes information ... eliminating the requirement for information
hiding encryption in order to achieve the retail payment integrity
(which would then also eliminate the major use for SSL in the world
today ... aka hiding account information in electronic transactions).

In some of the old key escrow meetings ... I would stress that exposing
authentication keys was a fundamental security violation ... however
there were some quarters that would complain that people might cheat and
use authentication keys for encryption purposes.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
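
The distinction drawn in the post above, between account information that doubles as the authenticator and a transaction that carries its own authentication, shown as an added Python illustration (not part of the original post and not taken from the x9.59 standard). Assumptions: HMAC-SHA256 with a per-account key stands in for the authentication mechanism, which the post does not describe, and the account number, key, field names and records are all constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real account or key material).
ACCOUNT = "4000-0000-0000-0002"
HOLDER_KEY = b"constructed-demo-key-held-by-account-holder"
FIELDS = ("account", "amount", "merchant", "seq")


def canonical(txn):
    """Serialize exactly the fields the authenticator must cover."""
    return json.dumps({k: txn[k] for k in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def authenticate(txn, key):
    """Account-holder side: bind an authenticator to this one transaction."""
    tag = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return {**txn, "auth": tag}


class LegacyIssuer:
    """Paradigm the post criticises: knowing the account number is enough."""

    def __init__(self, accounts):
        self.accounts = set(accounts)

    def approve(self, txn):
        return txn.get("account") in self.accounts


class AuthenticatingIssuer:
    """Account number is only an identifier; each transaction must verify."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = {account: 0 for account in self.keys}

    def approve(self, txn):
        account = txn.get("account")
        key = self.keys.get(account)
        seq = txn.get("seq")
        if key is None or not isinstance(seq, int):
            return False
        try:
            expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
        except KeyError:          # a covered field is missing
            return False
        presented = str(txn.get("auth", ""))
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        if seq <= self.last_seq[account]:   # stale sequence number: replay
            return False
        self.last_seq[account] = seq
        return True


def run_scenario():
    """Compare both issuers on a genuine transaction and on misuse of a leak."""
    genuine = authenticate({"account": ACCOUNT, "amount": "19.99",
                            "merchant": "bookshop", "seq": 1}, HOLDER_KEY)
    # A leak from any business process exposes the complete stored record.
    leaked = dict(genuine)
    # New transaction built from leaked data only; the key was never stored.
    forged_new = {"account": leaked["account"], "amount": "950.00",
                  "merchant": "elsewhere", "seq": 2}
    # Same, with the leaked authenticator pasted on.
    forged_reuse = {**forged_new, "auth": leaked["auth"]}
    # The leaked record resubmitted unchanged.
    replay = dict(leaked)

    attempts = (genuine, forged_new, forged_reuse, replay)
    legacy = LegacyIssuer([ACCOUNT])
    issuer = AuthenticatingIssuer({ACCOUNT: HOLDER_KEY})
    return {
        "legacy": [legacy.approve(t) for t in attempts],
        "authenticated": [issuer.approve(t) for t in attempts],
    }


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

Under the legacy issuer every attempt is approved, so the record has to be hidden everywhere it is stored; under the authenticating issuer only the genuine transaction is approved, so the stored record no longer needs to be secret to protect the account.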



Re: NSA foils much internet encryption

2013-09-24 Thread Anne Lynn Wheeler
l...@garlic.com (Anne & Lynn Wheeler) writes:
 locations around the globe. As a result, I've periodically commented
 that even if the globe was buried under miles of information hiding
 encryption, that it would stop information leakage.

re:
http://www.garlic.com/~lynn/2013m.html#10

oops, finger slip ... that should be wouldn't stop information leakage

-- 
virtualization experience starting Jan1968, online at home since Mar1970



Re: NSA foils much internet encryption

2013-09-24 Thread Mike Schwab
http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/

On Mon, Sep 16, 2013 at 3:37 PM, John Gilmore jwgli...@gmail.com wrote:
 The implications of the post by J.P. are entirely correct; but the
 post itself is---I don't mean this pejoratively---a little naif.

 The NSA cannot be expected to advocate the use of an encryption scheme
 that it has not already broken, and this behavior does not seem to me
 to be villainous.  Why should it act against its interests?  We are
 a long way from Henry Stimson's, Gentlemen do not read each other's
 mail; and there is no going back.

 John Gilmore, Ashland, MA 01721 - USA




-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2013-09-18 Thread Mike Schwab
“NIST would not deliberately weaken a cryptographic standard.”
(But the NSA wouldn't let a cryptographic standard out the door unless they
could decode it. - Mike Schwab).

http://www.scientificamerican.com/article.cfm?id=nsa-nist-encryption-scandal

Computer scientists for years suspected that such a backdoor existed in
Dual_EC_DRBG. Security researchers from Eindhoven University of Technology
in the Netherlands noted in May 2006 that the algorithm was insecure
http://www.propublica.org/documents/item/786216-cryptanalysis-of-the-dual-elliptic-curve
and that an attack against it was easy enough to launch on “an ordinary
PC”. The following year two Microsoft engineers flagged Dual_EC_DRBG as
potentially containing a backdoor (pdf)
http://rump2007.cr.yp.to/15-shumow.pdf,
although they stopped short of accusing NIST and the NSA of inserting it
there intentionally.

NIST denies the accusations
http://www.nist.gov/director/cybersecuritystatement-091013.cfm,
pointing out on its Web site that the agency is “required by statute” to
consult with the NSA and stating, “NIST would not deliberately weaken a
cryptographic standard.”

Yet that is exactly what appears to have happened. Documents provided by
Snowden show the spy agency played a crucial role in writing the standard
that NIST is now cautioning against using, the *New York Times* reported
http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?_r=0.
NIST published the cryptography standard in 2006, and the International
Organization for Standardization (ISO) later adopted it for its 163 member
countries.

Despite Dual_EC_DRBG’s known flaws, prominent tech companies including
Microsoft, Cisco, Symantec and RSA include the algorithm in their product’s
cryptographic libraries
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
primarily because they need it to be eligible for government contracts,
cryptographer Bruce Schneier https://www.schneier.com/ says. It is up to
the private sector companies that buy these products to decide whether to
enable the algorithm, something they are unlikely to do in the case of
Dual_EC_DRBG, according to RSA’s Juels.


On Tue, Sep 17, 2013 at 6:15 AM, Shmuel Metz (Seymour J.) 
shmuel+...@patriot.net wrote:

 In 8913686268300756.wa.ip4workgmail@listserv.ua.edu, on
 09/16/2013
at 10:56 AM, J.P. ip4w...@gmail.com said:

 NSA is pushing ecliptic curves

 NSA is into astronomy?

 --


-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: NSA foils much internet encryption

2013-09-17 Thread Shmuel Metz (Seymour J.)
In 8913686268300756.wa.ip4workgmail@listserv.ua.edu, on
09/16/2013
   at 10:56 AM, J.P. ip4w...@gmail.com said:

NSA is pushing ecliptic curves 

NSA is into astronomy?

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 Atid/2 http://patriot.net/~shmuel
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: NSA foils much internet encryption

2013-09-16 Thread J.P.
:)
Maybe this gets their attention back? (hopefully few of the list usual readers 
also:)

Been reading a bit on the subject, and one detail caught my eye...
... NSA is pushing ecliptic curves since 2009 as the next best thing (guess 
why;)
(http://www.nsa.gov/business/programs/elliptic_curve.shtml)

Now, what's that crypto that IBMers are always mentioning on the security conf. 
in Montpellier?
ECC? :)

Cheers!



Re: NSA foils much internet encryption

2013-09-16 Thread Anne Lynn Wheeler
ip4w...@gmail.com (J.P.) writes:
 Maybe this gets their attention back? (hopefully few of the list usual
 readers also:)

 Been reading a bit on the subject, and one detail caught my eye...
 ... NSA is pushing ecliptic curves since 2009 as the next best thing (guess 
 why;)
 (http://www.nsa.gov/business/programs/elliptic_curve.shtml)

 Now, what's that crypto that IBMers are always mentioning on the
 security conf. in Montpellier?  ECC? :)

longer than that ... technical director in the Information Assurance
Directorate had me give a talk in his assurance panel at IDF in trusted
computing track ... gone 404 but lives on at wayback machine
http://web.archive.org/web/20011109072807/http://www.intel94.com/idf/spr2001/sessiondescription.asp?id=stp+s13

as well come in to give a talk to the other technical directors in the
information assurance directorate.

I was looking to get better than EAL4+ evaluation on a chip ... but NIST
pulled the ECC evaluation criteria just before AADS chip strawman
evaluation ... had to settle for EAL4+ because ECC was baked into the
silicon of the chip. Since 90s, I was semi-facetiously saying I would
take a $500 milspec chip, aggressively cost reduce it by 2-3 orders of
magnitude (eventually under dollar) while improving security.

IA had presence in the X9 financial industry standards meetings ... and
there were references to rifts between IA and SIGINT ... but for all I
know that may have just been misdirection.

as an aside ... old reference to early jan92 meeting in ellison
conference room
http://www.garlic.com/~lynn/95.html#13
part of our ha/cmp product ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

end of jan92, cluster scaleup is transferred and we are told we can't
work on anything with more than four processors ... significant
contributor in decision to leave. two of the other people mentioned in
the Ellison meeting later leave to go to small silicon valley
client/server startup. We are then brought in as consultants because
they want to do payment transactions on their server, the startup had
also invented this technology called SSL they want to use ...  the
result is now frequently called electronic commerce.

we have to map SSL technology to payment transactions as well as
establish a lot of security deployment and use requirements.  almost
immediately, several of the requirements were violated ... accounting
for many of the exploits that continue to this day.

part of the work required developing something called payment gateway
(interface between internet and payment networks that ecommerce servers
interacted with) ... we've periodically claimed it was the original SOA
... some past posts 
http://www.garlic.com/~lynn/subnetwork.html#payments

I was given final authority on everything between ecommerce servers and
payment gateways ... but could only recommend operation between
ecommerce servers and browser clients (partially accounting for dropping
several security requirements).

-- 
virtualization experience starting Jan1968, online at home since Mar1970



Re: NSA foils much internet encryption

2013-09-16 Thread Anne Lynn Wheeler
re:
http://www.garlic.com/~lynn/2013l.html#55 NSA foils much internet encryption

other trivia ... ECC originally invented by Miller at IBM Yorktown
http://en.wikipedia.org/wiki/Victor_S._Miller
followed by Koblitz at UofW 
http://en.wikipedia.org/wiki/Neal_Koblitz

Miller had been in the Yorktown 801 group
http://en.wikipedia.org/wiki/IBM_801
... some old email mentioning 801
http://www.garlic.com/~lynn/lhwemail.html#801
unrelated old crypto email
http://www.garlic.com/~lynn/lhwemail.html#crypto

I had been at IBM San Jose research ... and had lots of latitude
to do things around San Jose ... including allowed to play disk
engineer in bldgs. 14&15 ... some past posts
http://www.garlic.com/~lynn/subtopic.html#disk
and support world-wide online sales&marketing HONE in palo alto
... some past posts
http://www.garlic.com/~lynn/subtopic.html#hone
also past posts mentioning original sql/relational
http://www.garlic.com/~lynn/subtopic.html#systemr

however, I was blamed for online computer conferencing ... some past
posts
http://www.garlic.com/~lynn/subnetwork.html#cmc

on the internal network (larger than the arpanet/internet from just
about the beginning until late '85 or possibly early '86) in the late
70s and early 80s ... folklore is that when executive committee was told
about online computer conferencing (and internal network), 5of6 wanted
to fire me. some past posts about internal network
http://www.garlic.com/~lynn/subnetwork.html#internalnet

possibly as part of punishment, they made me report to Yorktown ... but
allowed me to live&work in san jose ... although I had to commute to ykt
a couple times a month.

recent posts realizing in the late 80s that there were three kinds
of crypto
http://www.garlic.com/~lynn/2013k.html#77 German infosec agency warns against 
Trusted Computing in Windows 8
http://www.garlic.com/~lynn/2013k.html#88 NSA and cryptanalysis


-- 
virtualization experience starting Jan1968, online at home since Mar1970



Re: NSA foils much internet encryption

2013-09-16 Thread John Gilmore
The implications of the post by J.P. are entirely correct; but the
post itself is---I don't mean this pejoratively---a little naif.

The NSA cannot be expected to advocate the use of an encryption scheme
that it has not already broken, and this behavior does not seem to me
to be villainous.  Why should it act against its interests?  We are
a long way from Henry Stimson's "Gentlemen do not read each other's
mail"; and there is no going back.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-09-16 Thread Tony Harminc
On 16 September 2013 16:04, Anne & Lynn Wheeler l...@garlic.com wrote:
> re:
> http://www.garlic.com/~lynn/2013l.html#55 NSA foils much internet encryption
>
> other trivia ... ECC originally invented by Miller at IBM Yorktown
> http://en.wikipedia.org/wiki/Victor_S._Miller
> followed by Koblitz at UofW
> http://en.wikipedia.org/wiki/Neal_Koblitz
>
> Miller had been in the Yorktown 801 group
> http://en.wikipedia.org/wiki/IBM_801


Miller is also co-inventor of one of the two variations of the compression
algorithm called LZW. Strangely, if perhaps not unusually, two groups
separately invented and separately received patents on the algorithm,
and in each case the third initial is W, but in one case Welch and in
the other Wegman (the IBM one).

IBM's LZW is implemented by terse (AMATERSE and friends), while the
other is the base for UNIX compress and the GIF file format. While
they are not immediately interoperable, they are essentially the same
thing.

The Wikipedia article is perhaps a little confusing/confused on this.

Tony H.



NSA foils much internet encryption

2013-09-05 Thread John Gilmore
More Snowden documents have been reviewed by the New York Times, which
this afternoon concluded that

begin extract
The agency has circumvented or cracked much of the encryption, or
digital scrambling, that guards global commerce and banking systems,
protects sensitive data like trade secrets and medical records, and
automatically secures the e-mails, Web searches, Internet chats and
phone calls of Americans and others around the world, the documents
show.
end extract

This is not very different from the standard informed conjectures
about what the NSA and its counterparts elsewhere can do.  It is
important that the readers of airline magazines disabuse themselves of
the notion that they can keep secrets from these agencies using
off-the-shelf technology.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-09-05 Thread Kenneth Wilkerson
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of John Gilmore
Sent: Thursday, September 05, 2013 2:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: NSA foils much internet encryption

More Snowden documents have been reviewed by the New York Times, which this
afternoon concluded that

begin extract
The agency has circumvented or cracked much of the encryption, or digital
scrambling, that guards global commerce and banking systems, protects
sensitive data like trade secrets and medical records, and automatically
secures the e-mails, Web searches, Internet chats and phone calls of
Americans and others around the world, the documents show.
end extract

This is not very different from the standard informed conjectures about what
the NSA and its counterparts elsewhere can do.  It is important that the
readers of airline magazines disabuse themselves of the notion that they can
keep secrets from these agencies using off-the-shelf technology.

John Gilmore, Ashland, MA 01721 - USA



Re: NSA foils much internet encryption

2013-09-05 Thread Tony Babonas
But I have heard that they quit monitoring IBM-MAIN, RACF-L, 
ASSEMBLER-L, et al. Too much stress.





On 9/5/2013 2:42 PM, John Gilmore wrote:

More Snowden documents have been reviewed by the New York Times, which
this afternoon concluded that

begin extract
The agency has circumvented or cracked much of the encryption, or
digital scrambling, that guards global commerce and banking systems,
protects sensitive data like trade secrets and medical records, and
automatically secures the e-mails, Web searches, Internet chats and
phone calls of Americans and others around the world, the documents
show.
end extract

This is not very different from the standard informed conjectures
about what the NSA and its counterparts elsewhere can do.  It is
important that the readers of airline magazines disabuse themselves of
the notion that they can keep secrets from these agencies using
off-the-shelf technology.

John Gilmore, Ashland, MA 01721 - USA
