[balabaster]

You would assume the versions of anything the NSA uses is significantly modified or different than the versions in public... these guys [allegedly] have the best cryptographers, mathematicians and programmers in the world on their payroll. You can assume that anything you have in your hands is either completely insecure or only trivially secure in comparison to anything the NSA has.

I'm willing to bet that the best security mechanisms you have at your disposal have been cracked, breached or otherwise compromised. I wouldn't be at all surprised to hear that they hold secret mathematical breakthroughs that render half or all of the encryption algorithms the public are aware of useless.

[DanBC]

> You would assume the versions of anything the NSA uses is significantly modified or different than the versions in public.

That's not something that I assume.

When I think about things like the Debian PRNG bug (https://www.schneier.com/blog/archives/2008/05/random_number...) I wonder if i) it was somehow planted by the NSA or ii) They knew about it, and fixed it in any internal uses, but didn't tell the world.

> You can assume that anything you have in your hands is either completely insecure or only trivially secure in comparison to anything the NSA has.

I'm not sure this makes much sense. You can probably trust the math, as far as we do trust the math. And that is "We don't yet know of any feasible attacks on this." Implementations of that math into algorithms and then code and then software on machines with real world users - well, yes, there are a whole slew of things that can go wrong and I guess NSA / GCHQ are aware of many of these and enjoy spotting the flaws in the wild.

Having said all that, if a person is worried about well funded government agencies coming after them then some crypto isn't much of a barrier. Even if the crypto is secure 'they' will find some way to get the information.

> these guys [allegedly] have the best cryptographers, mathematicians and programmers in the world on their payroll.

An anecdote to finish: Rivest Shamir and Adleman 'invented RSA' in 1977. It had been independently invented several years earlier, by Clifford Cocks. But he (although influenced by other people) did so alone. In his head. And had to remember it overnight. He wasn't in the office (GCHQ) at the time, and so wasn't allowed to write it down. (http://www.gchq-careers.co.uk/about-gchq/history/asymmetric-...) (http://www.wired.com/wired/archive/7.04/crypto_pr.html) (http://www.zdnet.com/gchq-pioneers-on-birth-of-public-key-cr...) (http://www.bbc.co.uk/news/uk-england-gloucestershire-1147510...)

The Wired article says

> But then Ellis came across a paper buried in the GCHQ's mountain of secret material. Written by an anonymous author, it described a project conceived by Bell Telephone toward the end of World War II. The scheme, labeled Project C43, was an ingenious method of analog voice scrambling that worked by the use of distortion.

To give some context to this, GCHQ have only just released some work by Turing, nearly 60 years after his death. Normal secrets are kept for 30 years. Thus, GCHQ's mountain of secret material is likely to contain some delicious nuggets.

[druiid]

Mathematical breakthroughs, yes. I know PhD level mathematicians who have gone to work for the NSA. They are very, very intelligent and capable people.

That said, I wouldn't let that stop you from using Selinux. They might have left easier methods around it available to them, but by now if there was a giant 'backdoor' in it, it would have been discovered by the community by now since it's not distributed as a binary blob. I hear these complaints every time there's a conversation about the NSA on here. Essentially the end-of-story take away should be that you need to use Selinux or comparable tools in a live environment.

[owenmarshall]

> I'm willing to bet that the best security mechanisms you have at your disposal have been cracked, breached or otherwise compromised. I wouldn't be at all surprised to hear that they hold secret mathematical breakthroughs that render half or all of the encryption algorithms the public are aware of useless.

Paradoxically, if that is true, I think it could work to strengthen the average American's privacy.

If the NSA has made significant advances in cryptography that allows them to read pretty much anything, the focus will undoubtedly be placed on "national interests" - intercepting and reading high-level communications from friends and enemies alike.

More importantly, though, the NSA would want to ensure everyone keeps using the encryption they know how to break. If a twenty-year old systems administrator discovered and leaked that the NSA can break AES, the NSA would lose that significant advantage.

So, at least in the short term, the NSA being able to read everything would likely mean they read nothing of mine!

[kylemaxwell]

Even so - the real question is whether the risk of the NSA (or some other well-funded highly-capable actor) having access to vulnerabilities in your system is greater or less than the risks of other actors exploiting the vulnerabilities in your system that the tools would prevent.

In other words: what's worse, the NSA having the ability to bypass SELinux, or everybody being able to exploit things that SELinux would have protected?

[thenmar]

That's a little silly though.

[jrochkind1]

What's silly? Thinking that when the NSA finds vulnerabilities in public software or algorithms, they keep them to themselves instead of advertising them? What, of course they do, it's silly to think they'd advertise them! That's their job.

[6d0debc071]

It depends, they have to keep in mind that they're setting up a risk that foreign adversaries will exploit the same flaws. You're trying to square the circle - you want to have your own country's infrastructure, not all of which is under your control, secure from attackers and at the same time have it open for control purposes. And inevitably trade offs have to be made.

The driving force behind encryption becoming widely acceptable, in business terms, for instance seems to have been e-commerce.

[jrochkind1]

How timely. From todays nytimes:

"N.S.A. Foils Much Internet Encryption" http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet...

Turns out the NSA has cracked a bunch of internet encryption, and, yes, they kept it a secret they had done so, as most would expect they would. Until Snowden.

[James_Duval]

Why? It happened during World War II, when the entirety of Bletchley Park was covered up. I can easily imagine this being the case.