
Hasn't tptacek posted "nothing to see here" regarding this issue on HN a half dozen times because "nobody uses it"? :)


This was actually going to be the first thing I posted when I read this link.

tptacek repeatedly assured everyone that this was absolutely not a big deal and meant nothing because nobody in their right mind uses the standard.

Except whoops, one of, if not the, largest players in the field. I'm sure he'll have a bunch of really great replies that manage to simultaneously say why this still isn't a big deal and passive-aggressively insult our knowledge of the situation. I look forward to reading what he has to say.


> tptacek repeatedly assured everyone that this was absolutely not a big deal and meant nothing because nobody in their right mind uses the standard.

He was right. Nobody in their right mind does use Dual_EC_DRBG.

From this episode I conclude that RSA Security LLC was not in their right mind.


To be fair, the insanity of anyone using it was never called into question. We agree it shouldn't be used. As we all know, science has yet to establish any correlation between sanity and what companies are actually doing in the real world for security.

Edit: Actually, I take that back. I have no problem believing that RSA Security are perfectly sane. Would we be completely shocked if the reason they chose a questionable default was due to coercion from the spooks? Only NSA has the keys, so it's a pretty safe backdoor.

You know, props to China, had to go through the work of owning RSA's seed server last year just to level the playing field. They get so derided in the media for doing that, but it seems unfair when the other team has a backdoor. Who is the real "Advanced Persistent Threat"?


I'll call into question the sanity of anyone using it.

The problems with it were known days after the standard was published, meaning anyone who implemented it was well aware of its problems.

Edit: actually, the first attack was in March '06, 3 months before the standard was published: http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-commen...


Sorry, that was worded incorrectly. I meant that we all agree it was insane to use it. The contention was over whether or not it was in use, not whether it is a good idea to use.

I should have said "calling into question the insanity"; will edit.


I don't understand his constant line in the sand on this issue (amongst other things). You basically illustrated exactly how he structures his arguments on this topic.


If I was smart enough to understand what this comment meant, I'd respond to it. Maybe you could clarify? I can't find a way to reconcile it with its parent comment in a way that gives me anything to discuss.


You seem to have already addressed it in another comment:

>Thanks for the link. I would have just gone on confirming my own biases without it.

This is incredibly evident in your comments on Dual_EC and sometimes happens on other comments as well. You draw a line in the sand and argue around it constantly, eventually bleeding into passive-aggressive attacks on the knowledge of others.

I find it valuable to hear from others outside of my industry (which is not crypto) who have no expertise in that field. They often have a fresh and agnostic look at something. Do you think all these comments slinging mud at you - however inaccurate they may be - were born from nothing?


How about this: why don't you tell me what you think my "line in the sand" is? I bet I don't have that line at all.

I have a different explanation for why I always seem to be at odds with people on NSA topics, but I'll wait to provide it.


> I have a different explanation for why I always seem to be at odds with people on NSA topics, but I'll wait to provide it.

I hate it when people do that. If you have a position on something, don't leave us all guessing, just state it!


>eventually bleeding into passive-aggressive attacks on the knowledge of others.

Thanks for proving my point.


> I have a different explanation for why I always seem to be at odds with people on NSA topics, but I'll wait to provide it.

I'm very interested in that actually. I'm often curious what shapes people's perspectives on these issues, particularly if it doesn't align with any obvious incentives. I always thought that you must have family in law enforcement or something, but I'd love to know the actual reason.


* NSA topics are heavy on computer security issues and legal issues.

* I'm professionally involved in computer security, like you, and have an amateur interest in the law (I'm considering law school at some point).

* Message board nerds have a lot of weird, wrong beliefs about computer security and the law.

There is a political difference between me and HN: I'm not an anarcho-capitalist (that silly "world's smallest political test" thingy puts me dead center in "left liberal"). But politics have little to do with where I end up on the NSA threads; it's things like not understanding (or really, having even skimmed) NIST crypto standards, or not taking the time to understand what the 4th Amendment means. The things that get me into "trouble" here have more to do with taking the time to actually read primary sources than anything else.

We probably disagree about NSA a lot less than you think we do.


He's been trying to downplay the importance of the leaks since it first started, so what did you expect?


> ... because nobody in their right mind uses the standard

Looks like that still stands according to the article we're supposed to be discussing here:

"... no sensible cryptographer would go near the thing"


[deleted]


An interesting data point from the boilerplate about RSA in a press release [1]:

"With approximately a billion RSA BSAFE-enabled applications in use worldwide, more than nine million RSA SecurID authentication users and almost 20 years of industry experience, RSA Security has the proven leadership and innovative technology to address the changing security needs of e-business and bring trust to the new, online economy."

I know this submission has been flagged off the front page, but I'm curious about your opinion on whether this number is misleading.

[1] http://www.tgc.com/dsstar/01/0724/103320.html


Let me just say that when my brain tries to survey the landscape for products that use crypto, it mentally discounts all the SecurID tokens; it doesn't occur to me to think about the RSA in-house products that use BSAFE. So yes, there's another group of deployed products that use commercial crypto libraries, because they're sold by a company that also owns a commercial crypto library.

My reasoning about this mostly comes from the fact that products usually don't use commercial crypto libraries.


Oh man, you DELETED your comment! I was replying and lost it, so it will be reproduced here due to quoting, as it is important to me that your backpedal of the century be committed to the historical record.

--

First off, my comment wasn't out of spite or anything. I would call it a friendly jab. I'm guilty of reaching temporary frustration in some previous discussions with you over civil liberties and privacy, which may have colored a few comments, but I totally respect you and don't generally disagree with you on technical matters. I'm not even going to pretend I have a leg up on you anywhere related to security. I'm sure when the day comes that there is an obscure subtopic of security for which this is the case, it will quickly become known though! (The civil liberties issues are another story, because your opinion is in fact wrong on all issues related to civil liberties, along with seemingly everybody in your "must read" list. Yes, that's a joke. Kind of.)

> Nobody does use it. How important a product do you think this is? Isn't it basically a commercial packaging of rsaref?

> Name a piece of crypto technology that you or, say, Moxie Marlinspike or, I don't know, Jacob Appelbaum relies on that uses Dual_EC.

I don't know who uses it, but that's kind of the point. I don't think anyone can really have a good idea of who uses it or who ships it as a default, we can just know who doesn't. It's in the standard, so my assumption is that it's not unlikely that someone chose it, perhaps in a proprietary implementation in corners of the internet that are not the most obvious. The fact that RSA sell it strongly reinforces my suspicion that it's in more places than you think.

> What's frustrating are the people who insist on taking the wrong message away from what I'm saying. I'm not defending Dual_EC. I imagine that I have the exact same perspective on it that Matthew Green does.

I don't think anyone thinks you're defending it (I certainly don't), just that you think that it's not a concern worthy of paying attention to. On the other hand, Matthew Green seems rather disturbed by the recent revelations. The interest in this topic involves more than a specific backdoor that got into a widespread implementation and who isn't likely affected by that particular instance.

> Also: how was this comment helpful? Yours will obviously be the top comment on this thread, and it's basically about, what are the implications of this blog post on the 'tptacek HN persona?" Is that all you have to talk about?

Yes, that was all I had to talk about. It was just a casual comment, and I didn't intend nor expect it to be the top. But I did have a point:

You are the most well-known commenter around here, and everybody looks to you for crypto and security expertise. Sometimes you get rather adamant about whichever position you adopt, which might mix opinion in with fact from time to time. You know what you're talking about and you're usually right. However, forces that govern our universe guarantee that if one makes bold and authoritative claims on the internet that turn out to be less than correct, the strength of the claim and the number of times it is repeated are proportional to the promptness with which someone else will present something to challenge the claim. (Edit: I wrote this before noticing all of the top comments in this thread came to say the same thing. Come on, you have to chuckle...) I know you understand this because you do it all the time :P Do you want to hear about my 100% undetectable rootkit?

Anyway, I just disagreed with your dismissive comments on other threads as though it's nothing that we need to discuss. I get why one of your missions is to be the Outrage Police, but I think you're overzealous about it from time to time. I know, I'm sure I'm overzealous with my pitchfork as well...

> How many threads have you and I managed to find something to argue about in information security and privacy? How many times have I top-commented a thread about you? I don't because wow, is that ever boring.

I'm not really sure why you're making it personal. For one thing, I'm not important enough to get a top comment about in a thread I haven't yet posted in ;) I don't think I have a habit of dominating those discussions, nor do I think I have enough credibility to do so. It probably has more to do with that than being boring. But why do your questions take for granted that your commenting habits are the benchmark for appropriate behavior? Is that not just a tad arrogant?

> Later edit: BSAFE is apparently used in some way by some popular consumer electronics products that I've never taken a close look at, so I was wrong about that. My point about the pervasiveness (or lack thereof) of Dual_EC stands.


I deleted my comment because I was just helping you make this thread be about me, which is the most boring thing you could possibly make it out of.

I have no idea what the "100% undetectable rootkit" thing is about; if you're referring to the talk that Nate Lawson, Peter Ferrie, and I did about Joanna Rutkowska's "Blue Pill", our talk made the exact opposite claim: that virtualization did not make rootkits undetectable.

Look: you don't offend me. I do not mind if you think I'm wrong about stuff. I'm just frustrated because I like Matthew Green's blog, and your comment hijacked the thread. I'm sure you didn't mean it to, but it was obvious to me that it would.


No, you might want to re-read what I said about the rootkit thing. I'm saying you understand the compulsion to "call out" a bold claim. The joke was supposed to be me claiming that I have an undetectable rootkit, and you will then be sent on a highly publicized mission to debunk that, which was in fact referring to the Blue Pill Drama. That's actually where I first heard of your company, and when I first came to HN and saw your name, I recognized you as "the rootkit debate guy with the company that I sometimes accidentally call Monsanto". </joke explainer>

I'm a bit surprised that you aren't just saying "haha, ok, looks like I called that one wrong." You actually say that you don't care if I think you're wrong. You are not a good sport, sir.

I don't feel like I detracted from Matthew Green's blog by commenting on an unrelated site. Also, I'm going to play the "everybody else came here to say the same thing" card to dodge any guilt.

But who are you kidding? Every crypto thread on HN is about you, whether you like it or not. Most HN readers hit the comments link before seeing the article, just to see what you have to say about it. I know because I'm one of them. That's not a complaint either; I rely on the expertise of others to balance claims put forth in articles being circulated, and you and marshray are awesome commenters for that reason, because you kind of act as a bridge between academic crypto people and non-crypto security people.


I wasn't wrong about Dual_EC!

Also: that's not why we did the Blue Pill talk. It drives me a little nuts that people (incl. Joanna Rutkowska) thought it was.

We did the talk because it was a fun talk. All the code for that talk was kernel code, much of it coding directly to MSRs, looking for fiddly places where the presence of a hypervisor would queer measurement results. And we came up with a bunch of cool ideas! And, it turns out, we're (mostly) right. But it seems like all people wanted to pay attention to was the drama.

Anyways, I'm explaining things because I can't resist explaining them, not because this is an important issue for us to work out.


Why has it been flagged off the front page?


It has strayed well off-topic. Even though I think it should stay on the front page, it is fairly obvious why it has been buried.


I too clicked looking for the tptacek comments…

But I also expressed the view that no one would have used this. I guess it makes a lot more sense now: it seemed weird to put it in the standard, as no one was going to just use it. I'd been guessing that they hoped that it would be made an option and then they could do some negotiation attack to force it. I was missing a more obvious explanation: someone was already willing to ship it, but they wanted the plausible deniability of it being a standard, because it looked too suspect otherwise.


At that point my personal conspiracy theory is suggesting that tptacek has become some form of alliance officer for HN outreach efforts.


To be fair to tptacek, he was far from the only crypto person saying that...and for good reason. In the absolute best case the algorithm was known to at least be slow and complex to implement, two things that don't usually lead to widespread adoption. The news that RSA had it as the default is interesting regardless.


You seem to be implying that anyone uses BSAFE. Does anyone use it?



I'm surprised by this. We look at a lot of stuff. OpenSSL is far and away the most common crypto library we see. Commercial crypto libraries are way, way down the list, after "reimplemented all of elliptic curve by hand".

Thanks for the link. I would have just gone on confirming my own biases without it.


That, I think, is indicative of this community. I come across it a lot, and there are some insanely high profile, non-US organizations that rely on it. SAP being an example that I'm ok with mentioning.



