[cryptography] [Cryptography] Equation Group Multiple Malware Program, NSA Implicated

ianG iang at iang.org
Tue Feb 17 11:46:44 EST 2015

On 17/02/2015 15:56 pm, Jerry Leichter wrote:
> On Feb 17, 2015, at 6:35 AM, ianG <iang at iang.org> wrote:
>>> Here's an interesting comparison.  Most academic cryptographers believe
>>> that the NSA has lost its lead:  While for years they were the only ones
>>> doing cryptography, and were decades ahead of anyone on the outside, but
>>> now we have so many good people on the outside that we've caught up to,
>>> and perhaps even surpassed, the NSA.  I've always found this reasoning a
>>> bit too pat.  But getting actual evidence has been impossible.
>> I'd rather say it this way:  we have circumstantial evidence that we are at about the same level for all practical purposes and intents.  As far as we are concerned.
> What evidence is there for this?

Snowden saying "encryption works."  EquationGroup use of RC4-6, AES, 
SHAs.  FBI complaining about going dark, we need backdoors - they only 
ever complain at that level as proxy for NSA, and same complaint is 
repeated in rapid succession in UK, DE.  Practically all the exploits so 
far disclosed are about hacking the software, hardware, nothing we've 
seen comes even close to hacking the ciphers.  Some of the interventions 
are about hacking the RNGs - which typically take the cryptanalysis to 
places where we can hack it.  Off-the-record comments I've heard. 
Analysis of released systems such as Skipjack.

It's all circumstantial.

>> There's a bit of a difference.  I'd say they are still way ahead in cryptanalysis, but not in ways that seriously damage AES, KECCAK, etc.
> Again, do you have any evidence?

There is the story about differential cryptanalysis - they released the 
first 4 volumes, but still haven't mentioned the other 4 ;-)

> It's not that I have evidence the other way.  We just don't know.

At one level, this all comes down to your model of science.  Typically 
we in the science world like to "know" stuff based on evidence from 
experiments, or similar facts that have been built up over time.  We are 
very careful to not let our imagination run away with us.

But this doesn't work with the spy business.  They will never let us run 
the experiment, they will not let us read the literature, and if we ever 
find enough to put 2+2 together, they'll run a deception campaign to 
break that logic.  Or lie.  Or they will remind us that "you don't know" 
or all of the above.

So we have to develop a better approach.  We can probably benefit from 
thinking of the question as a murder investigation - clues, hypotheses, 
correlations, etc.  We can't take it to a court of law -- they deny us 
that as well -- but we can form a view as to whodunnit.

Many won't accept that view, of course.  To them I say, you're dancing 
to their tune.

>  What concerns me is that most of the arguments are "faith-based" - the kind of arguments that support "open always wins":  No matter how big/smart you are, there are more smart people who *don't* work for you than who *do*, and in the long run the larger number of people, openly communicating and sharing, will win.  And yet Apple sold more phones in the US last quarter than all Android makers combined - the first time they've been in the lead.  It's not even clear how to compare the number of smart cryptographers inside and outside of NSA - and NSA has more funding and years of experience they keep to themselves.  This is exactly how organizations win over smart individuals:  They build a database of expertise over many years, and they are patient and can keep at it indefinitely.

Right.  I'm surprised Android sells any phones in USA market.  Although 
I understand that it is the only way to compete with Apple, it is also 
the weaker position.  Which comes out in a price insensitive market. 
OTOH, I'm surprised to see an iPhone in Africa ;)

>> In contrast, I'd say we are somewhat ahead in protocol work.  That is, the push for eg CAESAR, QUIC, sponge construction, is coming from open community not from them.
> Why would they push for new stuff out in the open world?

Maintenance of protocols is really hard, really expensive.  I know, I 
manage a 100kloc code base with several hard crypto protocols in it, and 
I'm drowning, perpetually.  Whatever we can do to get that into the open 
source world, the better.

> They *should* be pushing for it, because they *should* be putting more emphasis on defense of non-NSA systems.

Yes.  That is the huge mystery.  It's pretty clear the NSA is doing the 
non-NSA mission huge damage.  Yet no movement on the priorities, just 
blather about 'sharing' from Obama.  That's a mystery.

> But what we've seen confirmed repeatedly over the last couple of years is that they have concentrated on offense - and against everything that *isn't* an NSA system.

Right.  I think that we know, even though they won't release much 
evidence of it ;)

> (To the point where they've apparently even neglected defense of their own internal systems:  What Snowden did was certainly something they *thought* they had a defense against.)

No, I think that is unfair.

>>   In the 1990s we infamously blundered by copying their threat model;  now no longer, we have enough of our own knowledge and deep institutional experience to be able to say that's garbage, our customers are different.
> Actually, in that case, I think there's a simpler explanation:  Their models were really the only ones out there, because they'd been dealing with the problem for many years.  Industry hadn't - its needs for security models were, until the pervasive computerization of information, much simpler and in little need of formalization.

I absolutely agree.  In the day, I also learnt about CIA, and so forth. 
  Only as time went on did I start digging into the reasons as to why 
famous systems weren't doing what we had hoped they did, and find that 
the original threat and security modelling wasn't good, was 'borrowerd' 
without thought.

> There's precedent for this.  When large-scale industrial organizations came into being - a fairly recent development; Engels, Marx's friend, owned what was then one of largest factories in England, employing a few hundred people - they had to figure out how manage themselves.  They copied the only form of organizational structure for large numbers of people that then existed:  Militaries, which followed a style going back to Roman times.  Think about the traditional factory:  Large numbers of "workers" out on the floor; a much smaller number of ex-workers promoted to line management; and then a hierarchy of "professional managers" - with specialized training; almost never promoted from among the line workers - above them.  It's not coincidence that this looks exactly like the traditional army, with its privates, non-coms, and a professional officer corps.  New models for large corporations only started to arise in the late 1960's, with the development of so-called "knowledge organi
ations".  (The military has had to back-port some of these innovations as it, too, has become more knowledge/expertise based.)

Good story!

>> And our needs are pushing the envelope out in ways they can't possibly keep up with.
> They apparently haven't even tried, on the defense side - and I agree that we're probably out ahead because of this.  But they're certainly working hard on the offense side....

Yeah.  And their vested interest, following that priority, is to make 
things better for the offense side.  Which means dodgy software, dodgy 
security... for everyone including them.  Go figure.

>> In sum, I'd say they are ahead in the pure math, but you'd be hard pressed to find an area where it mattered.
> Maybe.  It's really impossible to say.  Two days ago, I would probably have agreed with you.  Now ... I'm not so sure.
>> E.g., as Peter & Adi and I are infamously on record for saying [0], the crypto isn't what is being attacked here.  It's the software engineering and the crappy security systems.
> *But attacking these security systems is exactly what they appear to be experts at!*

Exactly.  Forget the crypto, look at the security systems.  They are 
experts at this and they pay huge numbers of people to be expert at this.

What's the guess -- how many cyber warriors are there in employment in 
USA today?  100,000 ?


More information about the cryptography mailing list