[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] wake up tor devs
Ted Smith writes:
> There's a reason why the NSA has "Tor Stinks" presentations and not "I2P
> stinks" presentations.
I don't know of a good basis for estimating what fraction of NSA's
capabilities or lack of capabilities we've learned about. And even
when someone _working at NSA_ writes that attack X doesn't work or
doesn't exist, they may not know that attack Y achieves some of the
same goals. For example, there were press reports that there was
some major cryptanalytic breakthrough a few years ago and that it has
far-ranging implications*. I don't think the details have ever become
public; a best-case-for-cryptographic-privacy scenario might be that it's
"only" an operationalized, albeit expensive, attack against 1024-bit RSA
or DH (one of the possibilities considered in Matthew Green's analysis).
In any case, many people working on surveillance within NSA might not know
what the breakthrough is or how it works, and may still be assiduously
working on attacks that in principle are largely redundant with it.
(Their NSA colleagues may want them to be working on redundant attacks
because many of the existing attacks are described as "fragile" -- so
they want to have parallel ways to achieve some of the same stuff.)
Most of us don't work in highly compartmentalized organizations or
organizations that try to practice a very strict need-to-know rule.
So we might think that if someone in an organization says at some time
that something is easy, or difficult, or cheap, or expensive, that that
reflects the general attitude of all the parts of that organization.
(Like if somebody working at Intel said it was hard to fabricate
semiconductor devices in a particular way, or somebody working at Boeing
said it was hard to take advantage of a particular aerodynamic effect,
or somebody working at EFF said it was hard to sue the government under
a particular legal theory, you might tend to think these things were
basically true, as far as those people's colleagues knew.)
I think that's only approximately or indirectly true of people working
in an organization like NSA or GCHQ.
* Possibly relevant reporting and discussion includes
http://www.wired.com/2012/03/ff_nsadatacenter/all/
http://www.wired.com/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=1&
(including claims of widespread success at defeating cryptography,
partly on the basis of sabotaging it but at least partly on the
basis of "development of advanced mathematical techniques")
--
Seth Schoen <schoen@xxxxxxx>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk