this post was submitted on 13 May 2023

Not sure whether that's a fake site or valid, but just stumbled upon it ...

top 7 comments
[–] A1kmm@lemmy.amxl.com 11 points 2 years ago

Yeah, the NSA has both an offensive and a defensive mission. The trouble is, they have previously exploited the trust they get from their defensive mission to advance their offensive mission.

For example, they pushed hard for the random number generator algorithm Dual_EC_DRBG to be included in lots of FLOSS and commercial crypto software, and I think people assumed they were pushing it because they knew something from a defensive side about the alternatives. Dual_EC_DRBG included large constants with no explanation of where they came from, and there were warnings from independent researchers that certain number choices in generating parameters could mean it is unsafe. Snowden's whistleblowing confirmed Dual_EC_DRBG was in fact a disguised PKRNG (encrypt the random seed with a public key to get the random output, in such a way that someone with the private key - which the NSA had because they came up with the keypair - can decrypt the seed from the random output and hence future 'random' output, e.g. future randomly generated crypto keys).

NSA also both has a mission to warn people about security vulnerabilities that put them at risk, and a tendency to hoard 0-days so they can use them against other people.

So it probably isn't too far-fetched that they might include some kind of vulnerability in their FLOSS software. The Dual_EC_DRBG style is to find one that NSA can use but no one else can. Making sure you have other layers of defense is probably a good practice.
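The "encrypt the seed with a public key" mechanism described in the comment above, as an added toy example that is not part of the thread: a generator in the multiplicative group mod a prime stands in for the elliptic-curve points, the constants and the secret exponent e are constructed here, and the last function shows the "nothing up my sleeve" derivation that removes the designer's shortcut.

```python
import hashlib

# Toy demonstration of a trapdoored ("public-key") DRBG in the style the comment
# describes. Built in the multiplicative group mod a prime instead of on an
# elliptic curve; every number is constructed for illustration and none is a
# real Dual_EC_DRBG parameter.
P_MOD = 2**61 - 1  # a Mersenne prime, small enough to keep the toy readable


def trapdoored_constants(e, q=3, p=P_MOD):
    """Designer publishes constants (P, Q) with a hidden relation P = Q^e mod p.
    Users only see P and Q; e is the 'private key' the comment refers to."""
    return pow(q, e, p), q


def drbg_step(state, P, Q, p=P_MOD):
    """One generator step: output block derived from Q, next state from P."""
    output = pow(Q, state, p)
    next_state = pow(P, state, p)
    return output, next_state


def generate(seed, P, Q, n, p=P_MOD):
    """Produce n 'random' outputs from a seed the user keeps secret."""
    outputs, state = [], seed
    for _ in range(n):
        out, state = drbg_step(state, P, Q, p)
        outputs.append(out)
    return outputs


def predict_from_one_output(observed, e, P, Q, n, p=P_MOD):
    """Trapdoor holder: one observed output Q^s gives the next state
    (Q^s)^e = P^s, and from there every future output. Without e this would
    require a discrete log (easy for this toy prime, infeasible at real sizes)."""
    next_state = pow(observed, e, p)
    return generate(next_state, P, Q, n, p)


def nothing_up_my_sleeve_constants(label_p, label_q, p=P_MOD):
    """Mitigation: derive both constants from public, explained hashes so that
    no party plausibly knows a relation P = Q^e between them."""
    P = int.from_bytes(hashlib.sha256(label_p).digest(), "big") % (p - 2) + 2
    Q = int.from_bytes(hashlib.sha256(label_q).digest(), "big") % (p - 2) + 2
    return P, Q
```

The check a reviewer wants is the one the comment points at: for any published constant pair, ask for the derivation, and treat an unexplained pair as if the relation were known to someone.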

[–] possiblylinux127@beehaw.org 4 points 2 years ago (1 children)

The NSA funds Tor and maintains many of the encryption standards.

[–] rysiek@szmer.info 11 points 2 years ago (1 children)

The NSA does not fund Tor. Tor Project does get US government funding, but not from the NSA.

[–] heady@beehaw.org 5 points 2 years ago (1 children)

Spy agencies have a long history of funding projects through proxies, both government and private, so it's probably nearly impossible to prove the negative here. The positive remains unproven until there is a leak or declassification.

[–] rysiek@szmer.info 6 points 2 years ago

And in a meaningful way, it might be irrelevant where the money is coming from. The code is open, the papers it is based on are public, the protocol is right there to be inspected. And since it is used by activists and dissidents around the world, it's been looked at, a lot, by a lot of very smart people.

If NSA wants to fund a tool that is useful, safe, and not-backdoored, I don't have a problem with that. There are way worse ways for them to spend their insanely huge budget. And if the tool is backdoored, it doesn't matter where the funding is coming from.

So far, I have not seen a single piece of proof that Tor might be backdoored. If anyone has such a proof, please come forward, as a lot of at-risk people rely on it to stay safe!

[–] dax@beehaw.org 3 points 2 years ago* (last edited 2 years ago)

It's valid; in a time long, long ago, I did some contracting work for them. I used NiFi before it was open-sourced, as well as cloudbase/accumulo. I don't really have anything to share, but I can vouch for the site; it's legit.

And I really, really don't have anything interesting to share. Writing ETL in NiFi processors was the most god damned boring job I ever had. The only part that was fun was trying to replace it with Storm (also pre-ASF days), which actually was fun.