I thought everybody already knew that US corporations serve as an extension to the surveillance apparatus. Remember all the corporations fighting against the government's mandate at an artificially crippled maximum keysize of 40 bits, in order to allow continued surveillance in the 90s? Yeah, neither do I.
The claim is not "naive" as in "of course the NSA wouldn't want to exploit things, they're innocent angels", the claim is "naive" as in "they have better ways to exploit things."
Interpreting _NSAKEY as an NSA backdoor is similarly naive. First, it's named _NSAKEY. Surely they could name it something else. Second, its purpose was reverse-engineered, and it's capable of signing cryptography modules, same as the existing Microsoft key named _KEY. Anything that could be done through _NSAKEY could also be done through _KEY, so it would be easy for the NSA to just ask for a copy of _KEY such that nobody would notice. The conspiracy theory makes no sense - it's like saying "$politician is trying to take away our freedoms by pouring mind-control agents into the water" when $politician is just straight-up signing bills to take away your freedoms.
It was a debugging symbol that a Microsoft developer either negligently or heroically included in a public release... so that explains away the "nobody would be so stupid" argument. You are aware of how the Intel ME killswitch was located right? A commented xml file included with the flashing software helpfully informed anybody willing to look that a field was related to the NSA's High Assurance Platform program. This was after ten years of security researchers pointing at the fact that this was a backdoor. For whatever reason both Intel and the NSA were happy to let the public remain needlessly vulnerable all that time... But yeah, I'm just like one of those water fluoridation loons. The NSA wasn't at all hamfisted in the intentional weakening of elliptic curves and blatant RSA bribery, this isn't an obvious pattern emerging.
NSAKEY people have had over two decades to produce any evidence in support of their weird conspiracy theory, but strangely enough they’ve utterly failed to do so.
The demand for evidence in the wake of all the NSA leaks is laughable.[0] What does evidence of the NSAKEY being a backdoor look like to you, a provably malicious CSA shim, signed by the key, hand delivered by James Clapper?
I'll tell you what it looks like to me:
After the debug symbol is found, Microsoft gives a seemingly very stupid explanation for it[1]: "It is a backup key. Yeah, uhhhh... during the export control review - the NSA said that we had to have a backup key, so we named it after them..." After being challenged on the plausibility of their backup scheme they refuse to provide any further explanation.
Here is the funny part: Microsoft might be technically telling the truth about it being a "backup". Consider what else was going on around this period: ridiculous export controls on key-length, the clipper chip... and finally: government managed private-key escrow[2]. At that time the export regulations did not specify a backup requirement, and yet Microsoft claims otherwise. You know who else was talking a lot about backups? The Whitehouse, in its proposal for allowing the export of key-lengths above 56-bits - so long as applicants implement "key-recovery".[3] Somehow I don't think that we share the same definition of the word "backup".
Evidence of the NSAKEY being a backdoor includes some description of how the backdoor might work, backed up by a reference to the relevant Windows source code or its disassembly, both of which are easily available to researchers. What sort of backdoor is it? Does it provide remote access to Windows? Does it enable certain cryptographic modes that are disabled? Does it disable certain cryptograph modes that are enabled? Does it trigger key recovery, and if so, how?
Evidence of X does not include "X would have been done by Y, and Y did Z, and X and Z are both bad, so why wouldn't Y do X too." That is basically the definition of an ad hominem argument. Whatever else the NSA may have done, and however much it's reason to believe the NSA might have wanted to do this specific thing, it's not evidence of them doing this specific thing (and again I'm not sure what this specific thing is even supposed to be). And if anything, the lack of mention of NSAKEY in the leaks is a reason to believe that there wasn't anything there.
Evidence of X also does not include "Y refused to talk about X." That might be evidence that Y is suspicious and untrustworthy (or evidence that the person asking was a conspiracy theorist who wouldn't be satisfied by any explanation), but it's not evidence that Y actually did X.
So, that's my definition of evidence. I'll turn this around: what would evidence that NSAKEY was not a backdoor look like to you? Would anything convince you, or is your claim unfalsifiable?
> Evidence of the NSAKEY being a backdoor includes some description of how the backdoor might work...
It would only work one way with an API relying on a PKI with a single CA, zero transparency, and trusted keys named after spy agencies suddenly appearing out of nowhere. I'm gonna bail here, because I'm now not sure if you honestly don't know what the CAPI was in relation to the NSAKEY - or if you're trying to waste my time by getting me to explain the most basic principles of public key infrastructure.
Here is a basic principle of public key infrastructure: anything signed by one CA can be signed equally well by another, unless the code is designed to give one CA special permissions (like EV certs, in the HTTPS PKI).
You are wrong on the facts that there is a "single CA" - there is _KEY in addition to _NSAKEY.
So, this brings me back to the point I mentioned at the top of the thread: why didn't the NSA just demand a copy of the private key for _KEY instead of a separate key? A separate key always carried a risk, and also required a rebuild - handing over _KEY could have happened immediately. If _NSAKEY has special permissions, can you point me to where in disassembled CAPI code / leaked source these special permissions are implemented, and what they are?
Your conspiracy theory is "The NSA is evil and also stupid." This is a more complex and less likely, and less worrisome conspiracy theory than "The NSA is evil." If the only thing we have to worry about from the NSA is things bungled as badly as this alleged _NSAKEY backdoor and the actual Dual_EC_DRBG backdoor (which was noticed by cryptographers basically instantly), we have nothing to worry about. That doesn't seem like the rhetorical position you want to take.
It really feels like you’re trying to distract from the fact that you have no idea how the supposed NSAKEY backdoor works if it exists.
How would the signed payload to activate this backdoor be delivered? Where’s the code that receives it? Where’s the code that then processes that signed payload?
It’s not like this stuff is terribly hard to reverse, you’ll almost certainly be able to easily find all the symbols and probably even leaked source on various NT-related forums.
Yeah I don't think my comparison to fluoridated water is out of line. The entirety of the NSAKEY evidence is "it has NSA in the name." That's not even as strong as the evidence that fluoridated water has minimal health benefits and more risks than the government claims, which is weak evidence but at least it exists.
> The entirety of the NSAKEY evidence is "it has NSA in the name."
Your comparison is out of line because of ridiculous characterizations like this. Microsoft said that it was a backup key, which either means that they have the most poorly implemented scheme for backing up cryptographic materials ever devised, or they don't mean what most people think when they hear the word "backup". Microsoft then claimed that the backup was necessary for passing the export control review, which is a bold lie to tell since the Export Administration Regulations are available for review to everybody. One thing not included in the EAR that might influence Microsoft's conduct in trying to get permission from the USG to reach global customers: executive orders. The government had a hard limit at 56-bits and was proposing that anybody wanting to export crypto beyond that needed to participate in their push for private-key escrow, which they were calling "key-recovery". Recovery... sounds kind of like a backup plan...
I provided links in my response to the parent comment.
None of the links you provided are evidence. They're all signs that something, somewhere, is fishy, so why wouldn't this be fishy too. I can provide you higher-quality links about how we need to stop putting fluoride in the water.
At the very least, retract your claim about how people who don't want fluoride in the water are "loons," and then maybe we can have a good-faith conversation. But if you want to dismiss people with actual science backing their views as loons, I'll dismiss you as a loon, too.
This is one of those situations that makes me wonder at how obvious the right way to go is, and how unlikely that is to happen. Offense/defense costs are not even close to being symmetrical, it is insane that the USG would advance the state of the art in electronic warfare - while not even pretending to try and match the effort in defense. This is why we abandoned our biological weapons program, we were effectively developing the technology for incredibly cheap weapons of mass destruction that any banana republic could mimic... not unlike the rootkit leaks.
This, unfortunately, occurs so infrequently that it can safely be ignored by 99.9% of the economy. Businesses have really enjoyed having their cake and eating it too with the transition away from a highly involved acquisition process that generally resulted in a tailored solution that the USG owned, to the present COTS policy that allows them to then go on to sell software to people that have already effectively paid for it through taxes. While there was an impressive amount of bureaucracy and an infinitely self referential system of standards in the old method, it did lead to some pretty interesting side effects: Ada[0], IDEF[1], MIL-STD-498[2], etc.
The most recent liberation of useful taxpayer funded software that I can think of was over ten years ago, when NIST released NFIS2 - the fingerprint software that the FBI relied on. They of course had to be crappy about it and wrap it in export controls that limited its utility, but it was interesting to see all the work that internal development had done - very polished, with man pages going back to '97. Ah the memories: software classified as munitions, the clipper chip...
This is already a thing, and it is starting to look like an incredibly bad idea. Well over a year ago I had lunch with my financial advisor and he tried to sell me on a portfolio balanced on some kind of social responsibility metric (female board member ratio, carbon credits, etc). At the time I thought it was just a new way to separate morons from their money, but now I'm starting to think that the US markets are setting themselves up for a fungibility attack. I remember, many years ago, the debate on bitcoin tainting - keeping a register of illegally obtained coins (and leaf transactions) and refusing to accept them. That is obviously an attack on the utility of the currency - a unit of value.
So what is the metric here, what is the new unit of value? The best case outcome is a Tower of Babel pandemonium, worst case is an irreversible further consolidation of kingmaking power.
I'm surprised by the sympathy I'm seeing for this position. You people know that she is effectively complaining about fair use, right? This is not something that can be budged on, even in deference to the feelings of a "writer/feminist/educator". Fair use is the only thing that stands between us and massive intellectual property cartels guiding the public consciousness through selective enforcement. Wanna go back to network television? Because this is how you do it.
Fair use isn't a blanket excuse to do whatever you want. The key component is whether your use is transformative. If you copy something to criticize it, or make something that doesn't compete with the original, it's likely fair use. If you copy something just to have it, or build upon it, it's not. This is a new issue, but copying someone's tweets, just to create your own library of tweets is not really transforming anything, I don't see how this is fair use.
Google "Richard Prince copyright". This is not a new issue, not even close.
BTW... She is using a still[0] from a video that CNN owns the copyright to, and section 3 of their tos[1] explicitly forbids doing what she is doing - with the unnecessarily stated exception "as otherwise expressly permitted under copyright law". You really want to take that exception away from her? I can pretty easily argue that her use is transformative, can you? How does this differ from what she is complaining about?
How is the use of that photo transformative in anyway? Did she add to it? Is the piece about criticizing the photo (which would be transformative) or is she using it as part of an opinion news piece (which isn't)?
And btw, the Prince case is illustrative because the judge ruled that some of his pieces were transformative, but others were not, walking that gray line.
There is a good chance they subscribe to a blocklist, so you could be blocked by anyone of a thousand people. Image the old PGP web of trust, but for crafting perfect echo chambers. I wonder if anybody has ever done the math on that.
I'm curious, how are you defining "the like"? The list of people denied service looks a lot more like those you wouldn't want preceding your Coca-Cola ad buy. Why would Patreon care? Because payment networks care.
8chan
Encyclopedia Dramatica
BitChute
If you expand the scope beyond Patreon and include Paypal then you can throw in:
Wikileaks
Numerous Antifa chapters
World Socialist Web Site
As somebody who has been involved with bitcoin since 2012, I can tell you from first hand experience that when Visa declares you a persona non grata - a large number of businesses quickly do the same. Yes, the full list of Patreon service denials includes a lot of unsympathetic figures - but you'd be a fool to think that this behavior doesn't shift with the Overton window (welcome back to the world of crypto currency, Dwolla, betcha feel silly for screwing up that perfect opportunity Paypal gave you).
Wallstreet. My financial advisor tried to sell me on this new socially conscious index, years ago. Political correctness is great for business - very predictable, very manageable.
One literally defines the other, so no. Unless you are speaking from a universal perspective, which unfortunately isn't really part of the collective consciousness - and therefor inconsequential to daily life and the issue at hand.
They are completely orthogonal. Social good is the "quality" of being good for society. Political correctness is almost always a complete waste of time for any society.
I'd say the former, but it really doesn't matter - the point is the subjectivity of collective "good" and "correctness". Also, a lot of people are under the impression that these things are numerically based - the democratic tyranny of the majority... this is not the case. We see the same thing play out in the slow failure of competing interest to guard against lobbyist abuse, it is an issue of motivation - not quantity or legitimacy.
Ouch, feeding probabilistic models training data scored with a gradient of truthfulness tags generated by humans and all their biases... surely this won't end horribly and simply serve as a method to algorithmically institute the tyranny of the majority.
If you really want to do this (You really don't, I assure you - you'll hate the end result), you've got to reach back through the AI winter and drag the granddaddy of NLP, propositional logic, into modern AI development. We'll see this employed by lawyers long before journalists.
https://en.wikipedia.org/wiki/NSAKEY.
I thought everybody already knew that US corporations serve as an extension to the surveillance apparatus. Remember all the corporations fighting against the government's mandate at an artificially crippled maximum keysize of 40 bits, in order to allow continued surveillance in the 90s? Yeah, neither do I.