Petre Peter December 28, 2017 9:29 AM

@ Clive Robinson 10q

It seems that if the system is not vulnerable to DoS it’s vulnerable to Eve; if it’s not vulnerable to Eve it’s vulnerable to DoS.

Sancho_P December 28, 2017 5:27 PM

“… — after all, why would the government spy on itself?” (M. Green)

Clearly it hurts.
Clearly it hurts NOBUS + USG.

There is only one entity that wants to hurt NOBUS + USG.
Occam’s razor:
The Russians did it.
As they were meddling in the 2016 election. Not to forget the DNC, Mirai, …
OMG! But wait:

Occam + 1:
The USG wanted it (but never used it), hoping the NO-NOBUS (e.g. the Chinese copymasters) think it was an improvement and use it?

hmm December 28, 2017 6:31 PM

Meh. This isn’t an R or D issue, this isn’t US vs Russia or China, Trump vs the factual world.

The I.C. has been given the bailiwick to collect ALL communications that it feasibly can.
It is decided that the security risk for you, end user, is less than their benefit.

Rutkowska is right, blind trust is a failed model.

Whisper not her name... December 29, 2017 8:47 AM

@Prince Humperdink:

The lesson–which should not be a new lesson–is that Johanna is once again way ahead of the curve.

Way ahead of which curve?

Nick P, would have a lot more to say on just how far behind she realy is. He has called her out many times. Others would point out she has not said anything she could not have learned from this (and one or two other) security blogs. She is not the “One eyed man in the kingdom of the blind”, but a self promoting sales person with expired “best before” goods.

Gweihir December 29, 2017 8:40 PM

Caught red-handed. Again. It seems the NSA has gotten pretty incompetent of late. One factor surely is bureaucracy, but I do hope that many of the really competent people they had took a cold hard look at what they were actually doing and who benefited and left.

curiouscat December 31, 2017 4:10 AM

does anyone else notice and wonder why with it so widely and well known about mass data collection and for a long while now, why has and is almost all network traffic being encrypted with aes? how much traffic was and is encrypted with any of the other amazing and beautiful ciphers? take a look at consumer encryption i.e. certificates, they are now almost exclusively aes.

Garrett January 2, 2018 4:37 PM

Out of curiosity, would this have been a real vulnerability if the actual implementation fed the extra bits from a separate CSPRNG?

hmm January 3, 2018 2:40 AM

What if it generates a predictable rainbow-tablesque artifact that is easily guessed “first” in purpose-built cracking algorithms operated by different divisions of the same folks?

I mean duh right.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.