[Cryptography] NSA and cryptanalysis

Perry E. Metzger perry at piermont.com
Mon Sep 2 15:55:45 EDT 2013


On Mon, 2 Sep 2013 14:45:00 -0400 Phillip Hallam-Baker
<hallam at gmail.com> wrote:
> > Do we know they produced fake windows updates without assistance
> > from Microsoft?
> 
> Given the reaction from Microsoft, yes.
> 
> The Microsoft public affairs people have been demonstrating real
> anger at the Flame attack in many forums.

But of course, sufficiently paranoid people might contend that
perhaps the Microsoft people who complained might not have been
briefed by the ones who cooperated.

The problem with all such exercises is that they involve too many
layers of recursive paranoia, but do not pay off with useful
information that tells me how to act going forward.

In the current case, the fact that they *could* potentially suborn
process inside a vendor is an interesting thing to consider when
doing design, and whether they *have* is less interesting to me.
Clearly, things like bad vendor driver updates have been sent out
using stolen keys in the past, and clearly vendors might simply make
mistakes in the future.

From there, I can consider whether the "someone at vendor signs bad
updates" security model component is productive to defend against or
not, and how one might defend against it. (In the current case, I'd
say only typed assembly language offers an interesting defense
against bad binaries that get executed in kernel mode, regardless of
why they are bad. Using typed assembly language effectively of
course requires that the code be written in a high level language
with strong typing to be preserved in the delivered machine code in
the first place.)

I leave speculation to pundits, and prefer to write code and design
protocols.

Perry
-- 
Perry E. Metzger		perry at piermont.com