[Cryptography] Hard Truths about the Hard Business of finding Hard Random Numbers
iang at iang.org
Sat Feb 1 03:04:13 EST 2014
On 31/01/14 05:26 AM, John Denker wrote:
> If we spent anywhere near as much
> securing Android as They-Who-Shall-Not-Be-Named have spent
> subverting it, the world would be a far different place.
This is to put the lie to the NSA's other role of helping to secure
industry, and their mandate to secure government. (And all the other
agencies as well.)
Question: when have they ever shared a compromise? They purchase
them by the pallet.
Question: when google sought out the help of the NSA about 2-3
years back because of the gmail hacks in the middle east (from memory)
how did the help go? Does a cold-hearted analysis in sunlight indicate
anything that google couldn't have figured out themselves? What else
came out of those discussions?
Question: when NSA is helping the IETF in their many and friendly
ways, how many of their tips end up being shown to be better and not
worse? The only one I know where we've proven positive results is the
DES s-boxes. Which triumph of industry assistance is mitigated by their
cunning plan to reduce the keyspace from 64 bits to 48 bits, thwarted by
IBM's resistance at 56 bits.
Question: Has the NSA provided any advice to (say) Linux RNG
authors over time? The history seems to indicate that some timely
advice might have helped, and the ROI in terms of helping servers
throughout their catchment area would be pretty good.
Indeed, if the NSA spent all that money on protecting the Android, we
would be in a better place. They'd still be able to do their traffic
analysis, they just wouldn't be able to post as many juicy slides saying
things like "if it's on there, we can get it..."
Right now, I think the NSA has a serious problem justifying their
budget. Not the level, the entire thing.
Show us the value, I'm not seeing it?
Meanwhile, their own records suggest they are more obsessed in
self-protection than anything else.
More information about the cryptography