[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re : Crypto AG: The NSA's Trojan Whore?


This stuff has been on and off the list for quite some time now. I think
the general opinion is that you cannot trust any software that does not
come with full source code. Especially operating systems ( read :
Windows ).

Furthermore, hardware could be untrustworthy. 

As an example of the latter just imagine a keyboard chip that takes the
serial data signal, ANDs it with the clock and runs the current-limited
output through a metal loop on the die or couples it to an outside trace
that is not likely to be filtered. Instant keyboard transmitter. Short
range but probably usable. Try it outside the chip, I'll bet an old AM
radio will pick it up pretty well. If you have better receivers try 1x,
3x, 5x ... clock carrier frequencies.

What sort of other things would you design into an OS or a CPU or
peripheral chips if you wanted to snoop? Let the OS do the keysnoop for
you and send it off through the network? Keystrokes seem like the
obvious choice because they are low-bandwidth and have a high
information content but someone who's smarter can probably think of all
kinds of other stuff to send. ls -al > G-buddy. You know, keystrokes are
so low in bandwidth that I bet a receiver/recorder could be placed on
your premises, say behind an outlet for power, and checked
surreptitiously only when needed - how long would it take you to fill a
1Gb drive from your keyboard?

I don't think that there can be real security unless you use embedded
systems ( unknown to the OS and Host HW ) for critical roles and
maintain two machines - one clean in a cage, the other on-line and
without any sensitive information. Use sneakernet between the two using
media that you can readily analyse.

If I can think up a feasible method to do something in 5 minutes it was
probably already done a long time ago and the people who do this stuff
full-time have probably taken the field to amazing heights. They seem to
be able to get cooperation from commercial companies too.

Snooping probably won't be done wholesale, too expensive in terms of
manpower, and I don't know anyone who needs real security but, in
principle, everyone should have it.


Crypto AG: The NSA's Trojan Whore?

Are people familiar with this document?

Why shouldn't NSA have implanted this kind of back-doors
in various software and operating systems as well?

It seems to have worked so very well in the past.