
How worried should we be about NSA backdoors in open source and open standards?

Submitted by quarrelinastraw
quarrelinastraw (771952) writes "For years, users have conjectured that the NSA may have placed backdoors in security projects such as SELinux and in cryptography standards such as AES. However, I have yet to see a serious scientific analysis of this question, as discussions rarely get beyond general paranoia facing off against a general belief that government incompetence plus public scrutiny make backdoors unlikely. In light of the recent NSA revelations about the PRISM surveillance program, and about Microsoft telling the NSA about bugs before fixing them, how concerned should we be? And if there is reason for concern, what steps should we take individually or as a community?

History seems relevant here, so to seed the discussion I'll point out the following for those who may not be familiar. The NSA opposed giving the public access to strong cryptography in the 90s because it feared cryptography would interfere with wiretaps. They proposed a key escrow program so that they would have everybody's encryption keys. They developed a cryptography chipset called the "Clipper chip" that gave a backdoor to law enforcement and which is still used in the US government. Prior to this, in the 1970s, the NSA tried to change the cryptography standard DES (the precursor to AES) to reduce the key length, effectively making the standard weaker against brute-force attacks of the sort the NSA would have used.

Since the late 90s, the NSA appears to have stopped its opposition to public cryptography and instead (appears to be) actively encouraging its development and strengthening. The NSA released the first version of SELinux in 2000, 4 years after they canceled the clipper chip program due to the public's lack of interest. It is possible that the NSA simply gave up on their fight against public access to cryptography, but it is also possible that they simply moved their resources into social engineering — getting the public to voluntarily install backdoors that are inadvertently endorsed by security experts because they appear in GPLed code. Is this pure fantasy? Or is there something to worry about here?"

  • Before that, systems were so expensive the NSA only had to contact a few US or EU coders, hardware makers and experts.
    The NSA was also aware of Soviet ships and other Soviet efforts to collect information via optical phone links.
    In the end the NSA seems to have said we need the strong encryption, we can get to the users and their US-based OS/servers.
    I really don't know why people think the US government displays any incompetence at all - the FBI and CIA might make the press, every other agency in the DoD
