
It would be wise for people to remember that it’s worth doing basic sanity checks before making claims like "no backdoors from the NSA". Strong encryption has been restricted historically, so we had things like DES and 3DES and Crypto AG. In the modern internet age, Juniper had a bad time with this one: https://www.wired.com/2013/09/nsa-backdoor/.

Usually it’s really hard to distinguish intent, and so it’s possible to develop plausible deniability with committees. Their track record isn’t perfect.

With WPA3, cryptographers warned about the known pitfall of standardizing a timing-sensitive PAKE, and Harkins got it through anyway. Since it was a standard, the WiFi committee gladly selected it anyway, and that resulted in dragonbleed among other bugs. The techniques for hash2curve have patched that.


It's "Dragonblood", not "Dragonbleed". I don't like Harkins's PAKE either, but I'm not sure what fundamental attribute of it enables the downgrade attack you're talking about.

When you're talking about the P-curves, I'm curious how you get your "sanity check" argument past things like the Koblitz/Menezes "Riddle Wrapped In An Enigma" paper. What part of their arguments did you not find persuasive?


Yes, Dragonblood. I’m not speaking of the downgrade but the timing sidechannels — which were called out very loudly and then ignored during standardization. And then the PAKE showed up in WPA3 of all places; that was the key issue, and it was extended further in a Brainpool-curve-specific attack for the proposed initial mitigation. It’s a good example of error by committee. I do not address that article and don’t know why the NSA advised migration that early.

The riddle paper I’ve not read in a long time, if ever, though I don’t understand the question. As Scott Aaronson recently blogged, it’s difficult to predict human progress with technology, and it’s possible we’ll see Shor's algorithm running publicly sooner than consensus. It could be that in 2035 the NSA’s call 20 years prior looks like it was the right one, in that ECC is insecure, but that wouldn’t make the replacements secure by default ofc.


Aren't the timing attacks you're talking about specific to oddball parameters for the handshake? If you're doing Dragonfly with Brainpool curves you're specifically not doing what NSA wants you to do. Brainpool curves are literally a rejection of NIST's curves.

If you haven't read the Enigma paper, you should do so before confidently stating that nobody's done "sanity checks" on the P-curves. Its authors are approximately as authoritative on the subject as Aaronson is on his. I am specifically not talking about the question of NSA's recommendation on ECC vs. PQ; I'm talking about the integrity of the P-curve selection, in particular. You need to read the paper to see the argument I'm making; it's not in the abstract.


Ah, now I see what the question was, as it seemed like a non sequitur. I misunderstood the comment by foxboron to be concerns about any backdoors, not that P-256 is backdoored. I hold no such view of that; surely Bitcoin should be good evidence.

Instead I was stating that weaknesses in cryptography have been historically put there with some NSA involvement at times.

For DB: The Brainpool curves do have a worse leak, but as stated in the Dragonblood paper, “we believe that these sidechannels are inherent to Dragonfly”. The first attack submission did hit P-256 setups before the minimal iteration count was increased, and afterward was more applicable to same-system cache/microarchitectural bugs. These attacks were more generally correctly mitigated when H2C deterministic algorithms rolled out. There are many bad choices that were selected, of course, to make the PAKE more exploitable: putting the client MAC in the pre-commits, having that downgrade, including Brainpool curves. But to my point on committees — cryptographers warned strongly when standardizing that this could be an attack, and no course correction was taken.
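A simplified model of the timing leak and the fixed-iteration mitigation this comment refers to, written as an added example (not code from the thread, from hostapd, or from any Wi-Fi implementation); the toy curve, the hash layout and the iteration count K_FIXED are assumptions for illustration only:

```python
# Added example (constructed): a toy model of Dragonfly's "hunting and
# pecking" password-element derivation. The early-exit loop stops at the
# first valid x, so its iteration count (and runtime) depends on the
# password; the hardened loop always runs K_FIXED iterations. Real SAE uses
# a real curve, a 32-bit counter and a KDF, none of which is modelled here.
import hashlib

P = 97                      # toy prime field (assumption, not a real curve)
A, B = 2, 3                 # toy curve y^2 = x^3 + A*x + B (mod P)
K_FIXED = 40                # minimum iteration count of the hardened variant

def candidate_x(password: bytes, mac_pair: bytes, counter: int) -> int:
    """Hash password, MAC-address pair and counter to a field element."""
    msg = password + mac_pair + counter.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % P

def on_curve(x: int) -> bool:
    """Euler criterion: is x^3 + A*x + B a non-zero quadratic residue mod P?"""
    rhs = (x ** 3 + A * x + B) % P
    return rhs != 0 and pow(rhs, (P - 1) // 2, P) == 1

def hunt_early_exit(password: bytes, mac_pair: bytes) -> tuple[int, int]:
    """Leaky form: returns (x, iterations); iterations vary with password."""
    counter = 1
    while True:
        x = candidate_x(password, mac_pair, counter)
        if on_curve(x):
            return x, counter          # number of loop trips == counter
        counter += 1

def hunt_fixed(password: bytes, mac_pair: bytes,
               k: int = K_FIXED) -> tuple[int, int]:
    """Hardened form: always k iterations; keeps the first valid x without
    leaving the loop. A real implementation needs a constant-time select;
    the conditional expressions below only model that behaviour."""
    found_x, found_at = 0, 0
    for counter in range(1, k + 1):
        x = candidate_x(password, mac_pair, counter)
        hit = on_curve(x) and found_at == 0
        found_x = x if hit else found_x
        found_at = counter if hit else found_at
    return found_x, k                  # iteration count independent of input

def iteration_counts(passwords, mac_pair):
    """Iteration counts an observer could time, per variant and password."""
    early = [hunt_early_exit(pw, mac_pair)[1] for pw in passwords]
    fixed = [hunt_fixed(pw, mac_pair)[1] for pw in passwords]
    return early, fixed

if __name__ == "__main__":
    macs = bytes.fromhex("020000000001" "020000000002")  # constructed MACs
    pws = [b"correct horse", b"battery staple", b"hunter2", b"wpa3-demo"]
    early, fixed = iteration_counts(pws, macs)
    print("early-exit iterations per password:", early)   # varies
    print("fixed-count iterations per password:", fixed)  # all K_FIXED
```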


Can I ask you to respond to the "sanity check" argument you made upthread? What is the "sanity checking" you're implying wasn't done on the P-curves?


I wasn’t talking about P-curves; I was talking about NSA having acted as a malicious actor in general, so I misunderstood their comment.


The NSA changed the S-boxes in DES, and this made people suspicious that they had planted a back door, but then, when differential cryptanalysis was discovered, people realized that the NSA changes to the S-boxes made them more secure against it.


That was 50 years ago. And since then we have an NSA employee co-authoring the paper which led to Heartbleed, the backdoor in Dual EC DRBG which has been successfully exploited by adversaries, and documentation from Snowden which confirms NSA compromise of standards setting committees.


> And since then we have an NSA employee co-authoring the paper which led to Heartbleed

I'm confused as to what "the paper which led to Heartbleed" means. A paper proposing/describing the heartbeat extension? A paper proposing its implementation in OpenSSL? A paper describing the bug/exploit? Something else?

And in addition to that, is there any connection between that author and the people who actually wrote the relevant (buggy) OpenSSL code? If the people who wrote the bug were entirely unrelated to the people authoring the paper then it's not clear to me why any blame should be placed on the paper authors.


> I'm confused

The original paper which proposed the OpenSSL Heartbeat extension was written by two people, one worked for NSA and one was a student at the time who went on to work for BND, the "German NSA". The paper authors also wrote the extension.

I know this because when it happened, I wanted to know who was responsible for making me patch all my servers, so I dug through the OpenSSL patch stream to find the authors.


What does that paper say about implementing the TLS Heartbeat extension with a trivial uninitialized buffer bug?


About as much as Jia Tan said about implementing the XZ backdoor via an inconspicuous typo in a CMake file. What's your point?


I'm asking what the paper has to do with the vulnerability. Can you answer that? Right now your claim basically comes down to "writing about CMake is evidence you backdoored CMake".


> Right now your claim basically comes down to "writing about CMake is evidence you backdoored CMake".

This statement makes it clear to me that you don't understand a thing I've said, and that you don't have the necessary background knowledge of Heartbleed, the XZ backdoor, or concepts such as plausible deniability to engage in useful conversation about any of them. Else you would not be so confused.

Please do some reading on all three. And if you want to have a conversation afterwards, feel free to make a comment which demonstrates a deeper understanding of the issues at hand.


Sorry, you're not going to be able to bluster your way through this. What part of the paper you're describing instructed implementers of the TLS Heartbeat extension to copy data into an uninitialized buffer and then transmit it on the wire?


> What part of the paper you're describing instructed implementers of the TLS Heartbeat extension to copy data into an uninitialized buffer and then transmit it on the wire?

That's a very easy question to answer: the implementation the authors provided alongside it.

If you expect authors of exploits to clearly explain them to you, you are not just ignorant of the details of backdoors like the one in XZ (CMake was never backdoored, a "typo" in a CMake file bootstrapped the exploit in XZ builds), but are naive to an implausible degree about the activities of exploit authors.

Even the University of Minnesota did not publicly state "we're going to backdoor the Linux kernel" before they attempted to do so: https://cyberir.mit.edu/site/how-university-got-itself-banne...

If you tell someone you're going to build an exploit and how, the obvious response will be "no, we won't allow you to." So no exploit author does that.


Which "paper" are you referring to?


Think the above poster is full of bologna? It's less painful for everyone involved, and the readers, to just say that and get that out of the way rather than trying to surgically draw it out over half a dozen comments. I see you do this often enough that I think you must get some pleasure out of making people squirm. We know you're smart already!


I think their argument is verkakte but I literally don't know what they're talking about or who the NSA stooge they're referring to is, and it's not so much that I want to make them squirm so much as that I want to draw the full argument out.

I think your complaint isn't with me, but with people who hedge when confronted with direct questions. I think if you look at the thread, you'll see I wasn't exactly playing cards close to my chest.


I don't make a habit of googling things for people when they could do it just as quickly themselves. There is only one paper proposing the OpenSSL heartbeat feature. So I have not been unclear, nor can there be any confusion about which it is. Perhaps we'll learn someday what tptacek expects to find or not to find in it, but he'll have to spend 30 seconds with Google. As I did.

Informing one's self is a pretty low bar for having a productive conversation. When one party can't be arsed to take the initiative to do so, that usually signals the end of useful interaction.

A comment like "I googled and found this paper... it says X... that means Y to me." would feel much less like someone just looking for an argument, because it involves effort and stating a position.

If he has a point, he's free to make it. Everything he needs is at his fingertips, and there's nothing I could do to stop him, nor would I want to. I asked for a point first thing. All I've gotten in response is combative rhetoric which is neither interesting nor informative.


Your argument that Heartbleed was intentional is very weak.


Means, motive, and opportunity. Seems to check all the boxes.

There's no conclusive evidence that it wasn't purposeful. And plenty of evidence of past plausibly deniable attempts. So you can believe whatever lets you sleep better at night.


Ah, that clears up the confusion. Thank you for taking the time to explain!


What's the original paper? The earliest thing I can find is an RFC.


I'm pretty sure he meant the RFC. (Insert "The German Three" meme).


The NSA also wanted a 48-bit implementation, which was sufficiently weak to brute force with their power. The industry and IBM initially wanted 64-bit. IBM compromised and gave us 56-bit.


Yes, NSA made DES stronger. After first making it weaker. IBM had wanted a 128-bit key, then they decided to knock that down to 64-bit (probably for reasons related to cost, this being the 70s), and NSA brought that down to 56-bit because hey! we need parity bits (we didn't).


https://arxiv.org/abs/2509.07255

This paper on verifiable advantage is a lot more compelling, with Scott Aaronson and Quantinuum among other great researchers.


The task for teaching is much harder now, as these need to be combined into hybrid PQC protocols.


Sure, but teaching the original as a fundamental building block would still be just that.


https://arxiv.org/abs/2504.17033

We give a deterministic O(m log^(2/3) n)-time algorithm for single-source shortest paths (SSSP) on directed graphs with real non-negative edge weights in the comparison-addition model. This is the first result to break the O(m + n log n) time bound of Dijkstra's algorithm on sparse graphs, showing that Dijkstra's algorithm is not optimal for SSSP.


log^(2/3) might be the weirdest component I’ve ever seen in a complexity formula.


I'm continually amazed by the asymptotic complexity of union-find, which is O(alpha(n)), where alpha(x) is the inverse of the Ackermann function (and n the number of sets you union). In other words, O(6) or so as long as your inputs fit into the observable universe.


There's definitely a divide on who sees what sort of algorithms. The subject of this article is in Graph Theory space, which a lot of us get even without trying (I dabbled in TSP for a while because it's a difficult distributed programming problem and I wanted to explore the space for that reason).

But if you're not implementing AI or game engines, some of the linear algebra space may be a road less traveled.


I still think matrix multiplication's O(n^2.371339) is super weird.


Matrix multiplication definitely should be O(n^(2+o(1))).


For about a decade, integer multiplication was at n · 4^(log*(n)), where log* is the iterated logarithm.

Also the currently best factorization algorithm (GNFS) is at exp(k · log(n)^(1/3) · log(log(n))^(2/3)).

Intro algorithms classes just tend to stay away from the really cursed runtimes since the normal ones are enough to traumatize the undergrads.


Are BigInteger multiplications in logn² now or do they still have weird terms in them?


Down to n log n.


Hey the asterisks in your reply got read as formatting so it's ended up messed-up.


oops. fixed.


How are we doing on loss for fiber coupling these days, and have we gotten the tech to the point where photonic QC will definitely scale?


Photonic quantum computing is by no means at the point where it will definitely scale. I wouldn’t really say any platform is though.


Manufacturing is affected also; it’s not just software. The best way around it is deficit spending for growth.


Americans can’t invest directly in Chinese companies and shouldn’t be obligated to host Chinese companies in their markets, or be surprised when political whims ban them, since the lack of shared investment is political too. People clearly enjoy the content on there, so the outcome is sad, but it’s a complicated economic dynamic that is hard to grasp.


> Americans can’t invest directly in Chinese companies

This is not true. You can trade onshore Mainland China stocks through the Hong Kong Stock Exchange. There is a special program called "Northbound" and "Southbound" in the broker-dealer industry. (This also allows investors from Mainland China to trade Hong Kong stocks.) Any big brokerage should offer access to the Hong Kong Stock Exchange. There is even a weird special currency called "CNH", the Chinese RMB that is allowed to settle in Hong Kong, so you don't need a brokerage account in Mainland China to trade.

Read more here: https://www.hkex.com.hk/Mutual-Market/Connect-Hub/Stock-Conn...


That’s a good clarification, as not all companies are tech related and there are companies eligible for trading. However, northbound trading still follows all applicable laws, and there’s no access to direct ownership in some amazing companies.


> there’s no access to direct ownership in some amazing companies

Can you provide some examples?


Americans can definitely invest into most Chinese tech companies; the exception is direct investments into non-tech, licensed companies, which require a VIE structure, which enables Americans to still invest.


This is what I meant by direct investment: owning true controlling shares versus the Cayman economic proxy.


Americans are selling iPhones into China and are getting exorbitant profits from this, though. Doesn't look fair to me.


They have Xiaomi - they are free to ban iPhones if they so choose.


60% of Bytedance is owned by American investors https://www.nytimes.com/2024/03/26/technology/tiktok-investo...

> Susquehanna, a global trading firm, first invested in ByteDance in 2012 and now owns roughly 15 percent of the company, a person familiar with the investment said. The Chinese arm of Sequoia Capital, a Silicon Valley venture capital firm, invested in ByteDance in 2014 when it was valued at $500 million. Sequoia’s U.S.-based growth fund later followed suit.

> General Atlantic, a private equity firm, invested in ByteDance in 2017 at a $20 billion valuation. Bill Ford, General Atlantic’s chief executive, has a seat on ByteDance’s board of directors. The company’s other notable U.S. investors include the private equity firms KKR and the Carlyle Group, as well as the hedge fund Coatue Management.


Literally does not matter. ByteDance is a Chinese company and beholden to the CCP.


Just like US companies are beholden to national security letters that can compel them to spy on non-US persons who may be users of their product?


If other countries ban US websites for specifically that reason, I applaud them.

Especially if they do it without being hypocritical.


China will not only ban American companies or services next, Xi will probably ban the US dollar.


The funny thing is, China can talk about removing the U.S. dollar and trading in yen. But they need a stable currency to convert between, and so conversion is still done with the U.S. dollar. The U.S. dollar won’t be removed from trade in our lifetime.


China doesn’t let the RMB float freely, so trade still happens in dollars. Also, the American government buys a lot of treasuries, so it’s easy to save a few billion quickly when you need to, which isn’t really supported by any other currency…saving money by lending it to the USG conversely prevents it from re-entering your own economy and stoking inflation (China isn’t the only country to use the USA like that, Japan buys more treasuries than China usually).


That won’t happen. China would be more angry if the USA all of a sudden didn’t let them participate in treasury auctions.


You know there's a rumor saying Trump/Xi would trade Taiwan with US treasury bonds.


Are you suggesting that only a "perfect" government gets to counter the Chinese government's attacks?


No, not like that.


Yes, it's exactly like that.


Its name in English is the Communist Party of China, CPC, not CCP.


Apparently, the official CPC is pro-establishment, unsurprisingly, while the common CCP is anti-establishment.

https://chinamediaproject.org/2023/03/30/ccp-or-cpc-a-china-...


This shit winds me up no end.

It feels almost like propaganda in itself, to evoke CCCP connotations.

It would be like if I just decided to start unilaterally referring to a "Language to Markup Hyper-Text" (LMHT) instead of its correct name.

tbf though, even the BBC can't get it right: https://www.bbc.com/news/articles/cvg68vyz9lgo


Exactly. I've never heard someone use 'CPC' before. It's quite obvious why the alternative isn't liked.


I have been assuming that the ownership is in the Cayman company and it is analogous to the situation with VIEs.

The ownership would have no votes on controlling the company, but only ownership for hypothetical dividends on profit from the Cayman shell. If anybody knows otherwise, please elucidate us.

Oddly enough, Snapchat IPO'd with stocks with zero control as well.




No one is restricted from "free exchange of ideas." TikTok can divest and stay in the US market just fine. It is an ownership question, not a freedom of exchange of ideas question. There is no constitutional right for a foreign entity to do unrestricted business in the United States.

US Congress likewise does not give a fuck what you think though, unless you are a US Citizen and even then you get a single vote. The US population at large has decided on this by their representative government.


It is worth noting that the Constitution itself states (interpreted as stating) that Constitutional rights only apply to US nationals/citizens (which the Constitution derives powers from) and only those residing within US sovereign jurisdiction.[1][2]

So you are correct, except this was decided at literally the most fundamental level of US governance instead of on Capitol Hill.

Obligatory IANAL.

[1]: https://en.wikipedia.org/wiki/Preamble_to_the_United_States_...

[2]: https://en.wikipedia.org/wiki/Preamble_to_the_United_States_...


And a larger portion of the population doesn’t care that you can’t share cat and dance videos on an app labeled TikTok instead of an app labeled Instagram or Reels or X other copycats. TikTok was allowed to continue to exist as well, as long as they divested from Chinese ownership.


Listen, if they actually ban it, a copycat within the US will pop up, and the network will move there. I actually think it might be beneficial to change apps every now and then; it helps break the network effects that make apps "too big to fail".

All that will likely change is people will slowly move to a US alternative, one that's propagandized by the US and not China. You'll still be allowed to have whatever discussions you want on there, conservative QAnon theories, or anarchist calls to action. The videos will go into the NSA database instead of China's, it'll train our algorithms instead of theirs, etc. The app will now be bound by US law, for better or for worse. But if slowly moving from an app is going to crush your political belief/circle/movement, you didn't have one to begin with.


Your second sentence is a gross misunderstanding, and you might benefit from some therapy to be kinder to others. Regarding the first, do you realize TikTok is not allowed in China, and ByteDance runs Douyin with a government safety system for content? And secondly, would you consider any government modifying a virality algorithm to still be a free speech platform?


I do. The West is being bombarded by disinformation that hides under the “freedom of speech” umbrella.


Luckily, recent OpenWrt releases and mainline Linux don’t use the proprietary driver that powers this daemon, nor the vulnerable daemon. Since 2023, except for Xiaomi routers, they shouldn’t be affected, I want to add.

