by simonvc 404 days ago
Was drinking in a bar in Espoo in 2012 or 2013 and heard this from someone at Rovio. At the time they used Riak db and Basho were onsite and we asked why they didn't enable inter-server encryption. "Because NSA pay us 10m not to". Guess NSA pulled the Riak cluster protocol off the AWS fibre.
7 comments

Is there any reliable source for NSA paying Rovio other than this random bar discussion? Not that I don't believe you or that I'm naive about NSA and the power of money, but I looked around news in 2014 and the accusations against Rovio specifically are a bit different flavor. It seems that Rovio was oversharing data to ad networks (Millennial Media comes up a lot), and NSA likely slurped data from the advertising companies. This bar banter is suggesting that NSA had some kind of arrangement with Rovio directly instead, and Rovio willingly went along.

Or alternatively, do you feel the Rovio employee's blabbering was talking about an actual, real NSA deal with Rovio, or was it more like a bar joke and direct NSA co-operation was not really implied? (e.g. "we know our security is bad, but these ad companies pay us $XX million to not use encryption so it's sorta like NSA pays us to keep it that way *sips beer*").

I'm interested, because if that is an actual thing that happened, then that's an example of NSA paying a Finnish company $$$ to weaken their security, and the Finnish company willingly agreeing to that. Is it in NSA's Modus Operandi to approach and then pay foreign companies to do this sort of thing?

Your comment is describing it in few words, but to me it sounds like it maybe wasn't implying an actual NSA direct co-operation, more like someone doing bar banter and being entirely serious. But that's just me trying to guess tone.

(I'm Finnish. I want to know if Rovio has skeletons in their closet. So I can roast them.)

From an intelligence perspective, this is business as usual.

- Rovio sold data to ad companies (ad companies primarily based in the US)

- They used AWS (to which of course NSA has legal access)

- Data is not end to end encrypted, all metadata sits on servers in plain text and within AWS even moves from server to server in plain text

How much insight metadata can grant to someone like NSA is still wildly underrated.

- https://www.propublica.org/article/spy-agencies-probe-angry-...

Ah yeah, I saw the propublica as well, it was one of the first articles I found when looking on the topic. I don't doubt at all that Angry Birds data was used by NSA, doesn't seem controversial.

The specific question I am interested in is: Did Rovio knowingly and willingly accept $$$ from NSA (directly or indirectly) to weaken their security? I.e. were they acting as a willing accomplice.

Because that part would be unusual for Finland (well, at least as far as I know). For US companies I wouldn't bat an eye at news like this.

Here is a nice talk by Byron Tau who has also written a book titled "Means of Control" detailing some of these flows covering ad tech companies, data brokers and how government contractors use them and serve as a key player to provide services to intelligence agencies.

- https://www.interface-eu.org/events/background-talk-with-byr...

I think they definitely knew that they are embedding code from US based ad agencies who might either be selling it to the NSA or just doing it in an insecure manner (plaintext protocols).

Mostly in such cases, direct involvement and paying dollars is a clear no-go for the intelligence agencies. They could instead be paying the ad agencies.

Also note that we are talking about the pre-Let's Encrypt and TLS-everywhere world; a lot of this traffic was also just plain text, making it much easier to harvest.

Some interesting insights from this piece: https://web.archive.org/web/20180719081149/https://theinterc...

Thanks for the resources. Got back to procrastinate on HN and checked the resources (briefly looked at transcript on the video, but found this article more interesting).

I've always assumed that some amount of unencrypted HTTP traffic is going to be slurped into archives, but I've been too lazy to really check an example and what that looks like in the real world. That BADASS system is an example, focusing on phones. I've also run mitmproxy in my home to learn and then I've wondered if the big agencies have something like that but much more scaled and sophisticated.

I've recently got into studying security, deobfuscated code, or decompiling, tried to find vulnerabilities or bad security, in websites and programs. I've found some, although not anything worth writing home about. I found a replay attack in one VSCode extension that implemented its own encrypted protocol, but it is difficult to use it to do real damage. Found a bad integrity check library (hopelessly naive against canonicalization attack) used by another VSCode extension. I've found something weird in Anthropic's Claude website after you log in, but because their "responsible security policy" is so draconian, I don't want to bother trying to poke it to research it further in case I earn their wrath.

Biggest bummer I found was that a video game (Don't Starve Together) I had played for a long time with friends does not have any encryption whatsoever for chat messages to this day. (People gonna say private things in video game chats). The other video game I play in multiplayer a lot, Minecraft, has encryption (a bit unusual encryption but it is encryption).

That article gave me a bit of validation that I'm not a nut for giving shits about encryption and security, and being annoyed at ungodly amount of analytics I see in mitmproxy my laptop is blabbering about.

Misheard and it was RSA instead of Rovio? The numbers match... :-)

https://www.reuters.com/article/world/exclusive-secret-contr...

Perhaps $10M is the standard rate for this type of service?

Lol, yeah, I also learned yesterday that there is apparently, NSA, National Security Authority. No, not the NSA this article is talking about and everyone knows about.

I mean: National Security Authority, "Kansallinen turvallisuusviranomainen", which appears to be some office/people under Finnish foreign affairs: https://um.fi/national-security-authority-nsa-contact-inform...

I will say I got confused a moment yesterday when googling on the topic here because when you put NSA and Finland in the same search, it would get topics about this other NSA that just happens to exist which I had never heard of before, and just happens to be Finland-associated.

I'm actually comforted by the fact that NSA needed encryption turned off to spy.

On the other hand it would be a very cheap counter espionage measure if a small stream of such payments was enough to convince China et al that the NSA had not broken encryption.

Or it was simply cheaper than cracking it.

I was comforted by the idea that it is more expensive than $10m to crack encryption, but this was in 2013.

Earth's oceans contain approximately 1.35 billion cubic kilometers of water. To raise this entire volume from an average temperature of 3.5C to boiling (100 C), we'd need roughly: 1.35 x 10^21 kg x 4,184 J/(kg C) x 96.5C is approximately 5.45 x 10^25 joules. That's 545 million exajoules or about 10,000 times humanity's annual energy consumption.

If you tried to brute-force AES-256 with conventional computers, you'd need to check 2^256 possible keys. Even with a billion billion (10^18) attempts per second: 2^256 operations / 10^18 operations/second is approximately 10^59 seconds. You'd need about 2.7 x 10^41 universe lifetimes to crack AES-256.

At about 10 watts per computer, this would require approximately 10^60 joules, or roughly 2 x 10^34 times the energy needed to boil the oceans. You could boil the oceans, refill them, and repeat this process 200 trillion trillion trillion times.

For RSA-2048, the best classical algorithms would need about 2^112 operations. This would still require around 10^27 joules, or about 20 times what's needed to boil the oceans.

ECC with a 256-bit key would need roughly 2^128 operations to crack, requiring approximately 10^31 joules. It's enough to boil the oceans about 2,000 times over.

Quantum computers could theoretically use Shor's algorithm to break RSA and ECC much faster. But to break RSA-2048, we'd need a fault-tolerant quantum computer with millions of qubits. Current quantum computers have fewer than 1,000 stable qubits. Even with quantum computing, the energy requirements would still be astronomical. Perhaps enough to boil all the oceans once or twice, rather than thousands of times.

That's assuming there are no attacks found in a given algorithm. If there is a feasible attack found, the math changes, sometimes dramatically. And we'll never know it because they sure as hell aren't gonna announce it.

Anyway, I'm not worried because governments don't need to crack encryption to do dastardly shit. They have far easier methods to get what they want.

Also just picking constants for encryption algorithms that are supposed to be "nothing up my sleeve" numbers, like the n first digits of pi.

DJB had a good talk about how many degrees of freedom you can still get picking such numbers and how much you can weaken crypto algorithms (even though not outright breaking them), but I can't find it at the moment.

You need to account for the heat of vaporization if you plan on boiling away and refilling the oceans for your brute force scheme, so you overestimate how many times you will boil away the oceans by a factor of 6 or something.

Is there a hall of fame for HN comments somewhere? Because I nominate this one.

This is a pretty old pattern (meme?). E.g. also used way back (2004) to illustrate what it would take to fill a ZFS storage pool at its maximum size:

https://web.archive.org/web/20170802160910/https://blogs.ora...

Maybe this:

>highlights Particularly good comments from over the years

https://news.ycombinator.com/highlights

(via https://news.ycombinator.com/lists)

I want to steal this as a copypasta

For more calculations about the use of (computational) brute force: https://www.schneier.com/blog/archives/2009/09/the_doghouse_...

"... brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."

This is an excellent comment, but I think it's worth pointing out some lacunae.

The most important one is that we're assuming that nobody finds a weakness in AES-256, so we have to brute-force it instead of taking some kind of shortcut. Historically speaking, that doesn't seem like a sure bet. (Some slight progress has been made on AES, but nothing practically useful yet: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...) Similar comments apply to factoring large semiprimes and ECDLP; algorithmic improvements could remove many orders of magnitude from these estimates.

Sometimes, even when weaknesses aren't known in the algorithms themselves, there are weaknesses in how they are applied. The Debian OpenSSL fiasco, which seems to have been accidental, may be the best-known example: all secret keys were generated with only 16 bits of entropy. Reusing IVs for OFB or CTR mode is also catastrophic.

A somewhat pedantic note is that you seem to be using two conflicting definitions of "boil the oceans" in different parts of your comment: to raise them to the boiling temperature while leaving them liquid, at first, and to convert them to vapor, later, since you talk about "refilling them". Converting them to vapor requires several times more energy than that. Also, you dropped an order of magnitude somewhere; raising the oceans to boiling requires 5.46 × 10²⁶ J, not 5... × 10²⁵ as you say. ("545 million exajoules" is correct.)

I used `cal_mean` from units(1) to do the calculation, which is based on the mean specific heat of water from 1° to 100°. I'm not sure that's correct for salt water, though, and in any case that's a minor error.

"about 10,000 times humanity's annual energy consumption" is wrong. 545 million exajoules is about a million years of humanity's energy consumption, which is only about 18 terawatts, excluding agriculture.

As gosub100 pointed out, on average you only have to try 2²⁵⁵ possible keys before finding the right one, not all 2²⁵⁶, but that's only a factor of 2.

10¹⁸ AES attempts per second does seem like a reasonable upper bound, but it's much faster than currently existing encryption hardware. 10¹⁸ Hz is the frequency of 0.3-nanometer X-rays with an energy of about 4000 electron volts. I feel like any computer hardware that is performing operations that fast probably cannot be made out of molecules or atoms. You might be able to build it on the surface of a neutron star or a black hole. Seth Lloyd's Nature paper from 02000 on the "ultimate laptop", "Ultimate physical limits to computation", explores some of the physical phenomena involved, and how fast they could possibly compute: https://faculty.pku.edu.cn/_resources/group1/M00/00/0D/cxv0B...

If we take 10¹⁸ Hz and 2²⁵⁶ cycles as given, it is true that one computer would need 10⁵⁹ seconds to finish the job (4×10⁵¹ years), which is indeed about 2.7 × 10⁴¹ times longer than the universe has existed so far (13.79 billion years). But it's worth pointing out that the universe's lifetime is not yet over; it is expected to continue existing much longer than that: https://en.wikipedia.org/wiki/Timeline_of_the_far_future lists various stages of its future evolution, including the end of star formation in 10¹²–10¹⁴ years, the last star burning out in 1.2 × 10¹⁴ years, 10³⁰ years until all the galaxies fall apart, 2×10³⁶–3×10⁴³ years until all protons and neutrons are gone (if protons decay), 10⁹¹ years until the Milky Way's black hole evaporates, and 10¹⁰⁶–2.1×10¹⁰⁹ years until the last black holes evaporate. If protons are stable, you could definitely build a computer that kept computing for the necessary 10⁵² years.

And (as you point out next!) you could use more than one computer. If you could somehow use 10⁵⁹ computers, you could finish the job in a second, rather than in untold eons. It depends on how many computers you can get!

"10 watts" is a somewhat handwavy estimate. Most of the computers around me, in things like my multimeter and my MicroSD card, use a lot less power than that, often a few milliwatts. (The fact that the MicroSD card doesn't have a monitor and keyboard is irrelevant to using it for AES cracking.) I'm currently working on a project called the Zorzpad, to build a self-sufficient portable personal computing environment on under a milliwatt, something that has become possible recently due to advancements in subthreshold digital logic.

But even a milliwatt may be an overestimate for AES cracking on classical hardware, because reversible logic may be able to drop power consumption by one or more additional orders of magnitude, and as far as we know, there's no lower limit (not even the ones Lloyd's article talks about apply). AES cracking is especially suited for reversible computing, which is why I used it as an example in this comment a week ago: https://news.ycombinator.com/item?id=43850835

It may be worth pointing out that 10⁶⁰ joules (which, despite the possible weaknesses above in its derivation, is certainly a plausible ballpark) is a large number not just measured against Earth, but measured against the Sun and indeed the energy output of the entire Milky Way galaxy.

It's even large compared to the available energy in the Milky Way. If you divide it by c² you get 1.2 × 10⁴³ kg. The Milky Way weighs 1.15 × 10¹² solar masses (https://en.wikipedia.org/wiki/Milky_Way) which turns out to be 2.29 × 10⁴² kg, which is 2.06 × 10⁵⁹ J. So even if you converted the entire galaxy into energy to power your AES crackers, you wouldn't get 10⁶⁰ J.

It's probably worth including AES performance numbers on currently available hardware. You'll still get galactic numbers demonstrating that AES-256 is not currently brute-forceable.

Thank you for this correction and additional perspective.

The Debian vulnerability was particularly bad. An AES key with 16 bits of entropy can be broken with the energy used by a single LED for a fraction of a nanosecond.

Reducing entropy covertly is probably the sole purpose of the so-called Intel Management Engine.
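
The low-entropy key generation case raised in the comments above, as an added example that is not part of the thread: when a generator has only 16 bits of entropy, a defender can enumerate every key it could ever emit and audit a key inventory against that list. The key derivation here is a toy stand-in (an assumption, not OpenSSL's PRNG), and the host names and seed are constructed.

```python
import hashlib
import os

SEED_BITS = 16  # entropy figure quoted in the thread for the Debian OpenSSL bug


def derive_key(seed: int) -> bytes:
    """Toy key generator whose only entropy is `seed` (assumption: SHA-256
    of a label plus the seed; this is not OpenSSL's PRNG)."""
    return hashlib.sha256(b"toy-keygen" + seed.to_bytes(4, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key so the blacklist never stores key material."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:20]


def build_blacklist(seed_bits: int = SEED_BITS) -> dict:
    """Enumerate every key the weak generator can emit: 2**seed_bits entries."""
    return {fingerprint(derive_key(s)): s for s in range(1 << seed_bits)}


def audit(inventory: dict, blacklist: dict) -> dict:
    """Map each key name to the seed that reproduces it, or None if the key
    lies outside the weak generator's output space."""
    return {name: blacklist.get(fingerprint(key)) for name, key in inventory.items()}


def expected_trials(bits: int) -> int:
    """Average guesses to hit a uniformly chosen key: half the keyspace."""
    return 1 << (bits - 1)


# Constructed inventory: one key from the weak generator, one from the OS CSPRNG.
INVENTORY = {
    "legacy-host": derive_key(31337),
    "rebuilt-host": os.urandom(32),
}

if __name__ == "__main__":
    bl = build_blacklist()
    for name, seed in audit(INVENTORY, bl).items():
        print(name, "WEAK (seed %d), regenerate" % seed if seed is not None else "ok")
    print("average guesses, 16-bit seed:", expected_trials(16))
    print("average guesses, 256-bit key: 2^255")
```

The whole weak keyspace fits in a 65,536-entry table, which is why such keys have to be found and regenerated rather than merely patched going forward.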

> you'd need to check 2^256 possible keys

it's very unlikely you'd have to check the entire keyspace before you found it. On average it would be about half.

That reduces the runtime from 2.7 x 10^41 universe lifetimes to 1.35 x 10^41. I'm still not worried.

Is there a more efficient way? What's the state of the art?

Wrong assumption. Let's imagine they could costlessly crack the encryption there. But as soon as they use any information gathered that way they risk leaking that they have this incredibly valuable capability. ... valuable and very fragile since people can easily change encryption schemes.

Better to pay every party you need to to have boring vulnerabilities and security shortcomings, so that any information leak doesn't need a capabilities revealing explanation.

So I think this gives you no information on their capabilities beyond bribing commercial players, which isn't exactly new. In the past (and presumably now) our intelligence apparatus has outright owned crypto/security companies in order to distribute backdoored technology.

And of course they have, they're not prohibited, it's highly effective, they'd be incompetent not to.

But knowing still gives you an advantage, even if you can't use it legally -- because you can still use it illegally.

LEO and Prosecutors will use "parallel construction" to construct a narrative about how information was obtained in a legal way even though it was clearly obtained illegally.

Or you could choose to only act on 5% (e.g.) of the information gleaned -- and that which could clearly be shown to be leaked by a third party.

Or say if you were tapping the information of a mob boss, you could leak the information to a competitor and let justice work its way through the streets instead of the courts.

It's tricky, because you run the risk that any use risks disclosing the capability. Targets can even set traps. E.g. I caught IRC opers spying on PMs by sending trap URLs where I secretly could see the access logs. Because great care was taken to make sure the URLs existed nowhere else when they got loaded it was a confirmation that the traffic was monitored.

Now perhaps a somewhat safer tool is to just use the cracking to determine the best targets to bribe or backdoor, but only allow the group with the cracking power to give the names of services to monitor at any cost.

You could leak the private key accidentally on purpose but that would be harder to plausibly deny involvement if that fact leaked.
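
The trap-URL idea described a few comments up, as an added example that is not part of the thread: each private channel gets its own unguessable URL, and any fetch of that URL by a client other than the intended recipient shows up in the access log as evidence the channel was read. The host name, secret, channel names and log lines are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # assumption: random in practice, never sent anywhere
BASE = "https://canary.example/t/"    # assumption: a host whose access log you control

# Common Log Format prefix: client, timestamp, request path, status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')


def token_for(channel: str) -> str:
    """Per-channel token; HMAC keeps it unguessable and reproducible from SECRET."""
    return hmac.new(SECRET, channel.encode(), hashlib.sha256).hexdigest()[:16]


def canary_url(channel: str) -> str:
    """URL to place in exactly one channel and nowhere else."""
    return BASE + token_for(channel)


def find_hits(log_lines, channels, expected_clients=frozenset()):
    """Return (channel, client, timestamp) for every fetch of a canary URL by a
    client that was not supposed to have it."""
    by_token = {token_for(c): c for c in channels}
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                      # malformed line: skip it
        client, ts, path, _status = m.groups()
        token = path.split("?", 1)[0].rsplit("/", 1)[-1]
        channel = by_token.get(token)
        if channel and client not in expected_clients:
            hits.append((channel, client, ts))
    return hits


CHANNELS = ["pm:alice->bob", "pm:alice->carol"]


def sample_log():
    """Constructed access-log lines (documentation-range addresses)."""
    bob, carol = token_for(CHANNELS[0]), token_for(CHANNELS[1])
    return [
        f'198.51.100.20 - - [03/May/2025:10:00:01 +0000] "GET /t/{carol} HTTP/1.1" 200 0',
        f'203.0.113.7 - - [03/May/2025:10:04:12 +0000] "GET /t/{bob} HTTP/1.1" 200 0',
        '192.0.2.9 - - [03/May/2025:10:05:00 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0',
        'garbage line',
    ]


if __name__ == "__main__":
    # Carol's own client (198.51.100.20) is expected to open her link.
    for hit in find_hits(sample_log(), CHANNELS, {"198.51.100.20"}):
        print("unexpected fetch:", hit)
```

Because the token is derived per channel, a hit identifies which conversation was observed, not just that some canary fired.
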
I'm reminded of a certain XKCD comic[1]. The US government probably doesn't need to crack the encryption to get what they want.

[1]: https://xkcd.com/538/

I once asked a VP of engineering at a major ISP why they don't add a layer of encryption to their peering and customer connections to prevent spy agencies from tapping their fibre cables. I was expecting him to say it would be too expensive to upgrade all their network hardware given the amount of traffic. Instead he said: "our routers can already do that, but the government regulator stepped in and prevented us from turning it on."

That's pretty wild. Was it an "investment" of some sort, and then the CEO got a hint with a wink, that there is more where it came from if they don't enable any encryption. Anyone from Rovio who got less than $10m in their pocket willing to tell us a story?

"How do you get corporate secrets out of a software engineer? Sit them next to another engineer on a plane."

It's elegant. The other person can spill amazing secrets, but there's no way to prove it, so nobody will believe you second-hand.

Why wouldn't they just give them DB access for the 10m? I'd assume NSA would prefer the database to remain encrypted and have an admin account?

Deniability

If you're the NSA, you can tell Amazon, "Hey here's $1B. You're going to get some fiber outages, and we're also going to buy a bunch of compute from you at an exorbitantly high price you'll charge us. It's fine, we're the NSA. So when the outages happen, don't announce it. Also terrorism."

Plausible. You can always deny anything. It just might not be so plausible under scrutiny.

10M sounds like a nice executive bonus. I'm not saying it's a bribe -- I would never, ever do that.