Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).
This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.
However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.
Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.
Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on.
Mostly, the NSA has spent $250,000,000 per year on a program of sabotage, through which they have inveigled proprietary hardware and software companies, as well as standards bodies, into deliberately introducing back-doors into their technology. This is much more frightening than the idea that the NSA has made profound mathematical breakthroughs -- such breakthroughs might stay within the NSA's walls for years or decades. But a program of systematic sabotage against common crypto tools means that anyone of sufficient skill and attentiveness is likely to discover and exploit those same back-doors -- that means that organized crime, totalitarian states, and other entities even less savory than the NSA should now be assumed to have full access to the financial system, government databases, and other sensitive systems.
But the good news is that, as the ProPublica article mentioned (quoting whistleblower Edward Snowden), "Properly implemented strong crypto systems are one of the few things that you can rely on." That means that free/open source security tools like Tor (which can be publicly inspected for sabotage) can indeed be trusted, where they use state-of-the-art crypto, and implement it well.
It's not surprising to learn that 1024 RSA/DH can be broken by spending huge sums on brute-force computation -- that was already public knowledge prior to yesterday's revelations. But crypto is asymmetrical: it is much, much easier to make crypto stronger than it is to break crypto through brute force. Merely by switching to 1025-bit RSA/DH keys, the Tor Project could double its security. Switching to 1030-bit RSA/DH keys increases the difficulty 64-fold. And by switching to more secure ciphers like elliptical curve Diffie-Hellman, Tor becomes vastly more secure still.
Yesterday, Congress voted to bar the FCC from ever making a rule that limits how your ISP can spy on you and sell your data, without your permission.
You might think that when companies impose crappy, abusive terms of service on their customers that the market could sort it out, by creating competition to see who could offer the best terms and thus win the business of people fed up with bad actors.
John Deere is notorious for arguing that farmers who buy its tractors actually “license” them because Deere still owns the copyright to the tractors’ software; in 2015, the US Copyright Office affirmed that farmers were allowed to jailbreak their tractors to effect repairs and modifications.
Maybe it’s entirely because of podcast ads, but drag-and-drop tools like Squarespace have gotten immensely popular in recent years. While it’s definitely a great tool for any non-coders who want to get a small website up and running quickly, managing content with a primarily visual interface can become a pain once you have more than […]
When you can’t wait for the world’s longest meeting to end, the mindless leg bouncing makes your boredom obvious and just annoys everybody else. Everyone knows the TPS reports need the damn cover sheet, but some sadistic colleague keeps forgetting, probably on purpose just to eat into your lunch hour. Enough is enough!While serving a […]
What could be more fun than a slingshot that shoots tiny airplanes? A slingshot that shoots tiny glowing airplanes of course! These toy planes are outfitted with ultra-bright LEDs, so you can fly all night without losing them in the trees.Whether you are a regular-sized child, or an overgrown adult one, these light-up flyers offer […]