Bonum Certa Men Certa

Never Ever Use Coprocessors for Cryptology, Especially If Implemented in the United States

Can you read the source code in this microchip?

AMD microchip



Summary: Why the hype about "accelerated" cryptology (like polygons rendering, but for cryptographic purposes) is a dangerous trap that should be shunned and perpetually avoided

THE QUICKEST and most convenient way to undermine all encryption is to weaken random number generation, e.g. lower the entropy, making keys more predictable and thus easily crackable by supercomputers (or even standard computers). This is effective against everything, including online financial transactions, simply because it cracks the very core components of today's security: SSL, PGP, etc. My doctoral degree involved a great deal of work with entropy and my daytime job too sometimes involves it, so the subject is not foreign to me. I have been watching the NSA closely for a number of years, and always with great concern and suspicion. Now we know that the NSA compels (and even bribes) US companies to help undermine privacy, if not by direct handover of data (PRISM) then by making encryption too poor, setting up back doors, forcing companies to obey NSL/subpoenas, network wiretapping/DPI, or even a combination of all those things. No need for hypotheses anymore; there's plenty of hard proof now.



Intel, a cleverly-named criminal company (serving the intelligence community), whose hardware-level random number generator (hidden in silicon) FreeBSD refuses to trust (OpenBSD too is historically very critical of Intel) is no longer the only x86 player seeking to manufacture consent (blind trust) for encryption with no source code, just minuscule circuits of semiconductors. AMD, another US company, is now following suit with ardware-level cryptology (i.e. cryptic algorithms for cryptology, which is a non-starter). This is bad just because AMD is a US company (FreeBSD did not single out the US); any company from any country should not be trusted with this type of task. It's no better -- and it is probably much worse -- than proprietary software for one's security. To quote Michael Larabel's article about it: "Back in November was when patches first emerged for an AMD Cryptographic Coprocessor on Linux. This co-processor provides hardware encryption and other hashing functionality for the AES crypto API, AES CMAC, XTS-AES, and SHA cryptographic interfaces within the Linux kernel.

"Not much information is publicly known on this AMD Cryptographic Coprocessor but it's believed to be part of AMD's embedded ARM Cortex-A5 processor on upcoming server-class Opterons with TrustZone technology."

"Have we learned nothing at all from Snowden's explosive leaks?"So, Linux 3.14 will try to offload something so sensitive to proprietary code concealed in silicon. Bad idea. Very bad idea. Sure, it's Linux, but it does open itself to some blobs (e.g. Microsoft's hypervisor and more famously drivers for peripheral cards that handle graphics), firmware, and now peripheral, embedded-in-hardware proprietary algorithms. Have we learned nothing at all from Snowden's explosive leaks? Just look what Microsoft has done (total complicity with the NSA). A new poll at FOSS Force asks: "Do you think Red Hat is cooperating with the NSA by building back doors into RHEL?"

The responses may surprise you. Only 42% say "No". 28% say "I don't know" and 30% say "Yes". This relates to an article that alludes to Techrights. It was read by thousands and has been linked to by numerous news sites. I rarely ever comment in sites where identity cannot be verified (because of fakers), but this one challenged my claims and I had to respond. Here are my three replies:

It is not purely speculative. If you think that it is, then you must not have paid close enough attention.

I have been spending at least 2 hours per day since 2012 reading about the NSA. I knew what Snowden showed even before it was publicly known and I spoke about it with RMS on numerous occasions (he came to the UK to meet Assange and then myself, focusing on mass surveillance).

The truth of the matter just needs a little digging because the corporate press is not helping the general public find it out, just like it knowingly ‘buried’ a captured agent in Iran for several years (this leaked out in November).

Similarly, GNU/Linux sites did a very poor job covering (if at all) what happened in recent months regarding Linux. Let me summarise some facts (without links, as I don’t want to be put in the moderation queue again):

- Torvalds’ father said that the NSA had approached his son regarding back doors.

- Linux had a back door added to it about a decade ago. It got removed quickly afterwards and it wasn’t known who had added it. There was press coverage about it, but it was scarce.

- RSA received a bribe from the NSA to promote security standards with back doors.

- NIST and others had NSA moles and bogus (corrupt) peer review process to help usher in security standards with back doors.

- NSA is a large Red Hat client.

- The NSA sends patches to Red Hat, which in turn sends those for Linus Torvalds to put in Linux.

(the above two are now confirmed to me by Red Hat staff)

- BSD does not trust hardware-level random number generators, suspecting — quite rightly given the NSA’s track record — that it has too low an entropy.

- Several top-level Linux developers found vulnerabilities in Linux random number generation. They quietly (without much press coverage anywhere) addressed the issue (raising the entropy) a few months back. Only the latest kernel release has the fixes applied AFAIK (I don’t know if Greg K-H backported any of it because coverage is too scarce). To lay out the magnitude of this issue, it compromises SSL, PGP, etc. (pretty much everything with encryption, even passwords) not just at client side (desktop, tablet, smartphone) but also the server side (i.e. the Internet). This is huge! But the media hasn’t covered it.

Suffice to say, Red Hat has not done anything to convince me I was wrong. Instead, I notice that Red Hat staff is stalking me in LinkedIn and I see my article cited in several news sites which wrote about the issue in several languages (3 articles in Google News are in Spanish).

If you found holes in the above statements or if you want links attached, please request them and I will provide citations. I wrote about everything before, even years ago (NSA involvement in SLE* and RHEL I covered around 2007 or 2008).

I am frustrated to see people turning against the messenger rather than the message. I see a lot of the same done to Sam Varghese. We are making ourselves more vulnerable by refusing to listen to what seems uncomfortable.


Another reply:

I was thinking along the same lines — that Edward Snowden’s leaks (by the way, they’re not just his anymore, as anonymous people from the NSA reportedly leak more and more documents to be published under his name for their safety) can at some stage show encryption undermined at more levels (hardware level, or even kernel level). We already know that encryption was undermined at RSA and NIST by NSA moles, using bribes too. We also know that Linux (kernel) developers recently revised random number generators, after they had found a weakness.

Several state officials (in 6 state at the very least) now work to stop the NSA locally. Some call for a ban on companies that facilitate the NSA (that would include Red Hat), under the premise that they are complicit in crime. I am not kidding, watch the news this week (I don’t want to paste links here as the last time I did so my comment took half a day to appear).

Lastly, there are numerous E-mails sent from and to Red Hat. These further validated my suspicions.

I saw a lot of personal attacks (trying to discredit me or even remove links to my analyses). I even heard the usual personal attacks against Sam Varghese (which I expected from Red Hat because he dares to do real journalism, i.e. journalism that companies don’t like).

Trusting Red Hat should be based on its record, not emotional leanings and faith.

Don’t get me wrong. I was not offended by you and you oughtn’t be offended by my response. I am used to this type of divisive treatment (people trying to ostracise me) since the days I criticised Novell — only to be proven right throughout and at the very end (Novell gave its patents to Linux foes).

I hope you will wait patiently for more information and assess the facts based on their merit. Don’t rely purely/solely on what you read in OpenSource.com (Red Hat). I saw Novell doing its self-delusional spiel (IP “peace of mind”) and fortunately, at the end, Novell did not find enough fools to sell its lies to.

I have been frank in my analysis of Red Hat (on patents, build process, etc.) and if you want links for particular bits of my claims, just ask. I have a repository of tens of thousands of links I collect while researching. Sometimes people refuse to accept even a well-sourced claim because of cognitive dissonance — something I’ve had a lot of experience with when dealing with Microsoft spinners.

“Journalism is printing what someone else does not want printed: everything else is public relations.”

― George Orwell


Here is my original reply, challenging the counter-arguments:

This article starts with an incorrect assertion that I accuse “Red Hat of being in cahoots with the NSA.”

No, NSA is a big client of Red Hat (this was not just revealed but also confirmed to me by Red Hat staff some days ago, by E-mail) and it was also confirmed that NSA submits patches to Linux through Red Hat (think of NIST and RSA; we don’t even have NSA E-mail address to keep track of). Back doors can also be added outside the scope of source code, during a build process. My job involves dealing with this risk. I don’t think you read an essential earlier post:

http://techrights.org/2013/11/24/tpm-back-doors-patriot-act-etc/

This, in turn, links to proof that the NSA did try to put back doors in Linux, as noted by Torvalds the father. See:

http://techrights.org/2013/11/17/nils-torvalds-on-back-doors/ http://techrights.org/2013/09/20/linux-backdoor-question/ http://techrights.org/2013/09/25/surveillance-lawlessness/

Defending Red Hat makes sense, but mischaractering my position is a little unfair. I note that trusting Red Hat is not easy and based on articles I read half a decade ago, NSA was involved in the build process of Windows, OS X, SUSE, and Red Hat (only those 4 were mentioned).


The bottom line is this. Do not have blind trust in Linux. Not even access to source code is enough because the build process needs to be carefully checked and validated; moreover, Linux is joined with some proprietary code and even hardware-level code, so trust is seriously harmed. Now that we know about Red Hat's relationship with the NSA we should ask ourselves if the NSA is once again trying to put back doors in Linux, or worse, maybe it already did. Letting blobs enter the pipeline helps the NSA achieve (but hide) what it already said it wanted to achieve.

Recent Techrights' Posts

Digital Sanitation Good Practices
leave behind Microsoftism
10 Days Ago Richard Stallman Gave a Long Interview in French (linuxfr.org)
English translation
Science, Not Fast Food/Junk Food
The commercial exploitation of users won't stop until users exercise full control over their software or - more broadly - their computing (including data)
[Video] Dr. Richard Stallman at Technické Univerzitě v Liberci
New/via libre-liberec.cz
 
The Term "AI" is Not New and What Today's Media Calls "AI" Isn't Even AI
Only the hype was new... and totally artificial
Gemini Links 18/10/2025: "Planetary Rings", Steam, and PSU Replacement
Links for the day
Defeating LLM Abuse (State-of-the-Art Plagiarism) in the Area of Linux and GNU, Free Software, BSD, Security and So On
The aim is to get them to stop using LLMs to rip off other people's work
Links 18/10/2025: Russell Vought in Charge, US Government Leans to Russia Again
Links for the day
Credit Where It's Due: LinuxConfig.org Quit Doing LLM Slop, Back to Original and Real Articles
We waited for a while to say this, now it seems conclusive
Of Note: UbuntuPIT Aware of Critics of Slop, Adds Disclosure of Use of LLMs
We appreciate the honesty
Links 18/10/2025: Madagascar's President Flees and ICE Arrests Protest Comedian Robby Roadsteamer
Links for the day
Richard Stallman Near the European Patent Office (EPO) in 3 Days From Now
It'll be a good opportunity for patent examiners to listen, ask questions, and maybe greet him in person
From Scholar to Booster of Slop (and Even Slop in His Own Blog)
We're going to keep an eye on future posts of his
End of Vista 10 Also Good News for the BSDs
There are many news sites that recommend trying GNU/Linux this month
What's Wrong With Liking Parrots or Birds as Pets?
They'd demonise people for speaking about freedom, no matter what they say or do
The Free Software Foundation, Which Has Appointed a 43-Year-Old President, is Looking to Add Another Board Member (or Treasurer)
expect the FSF to add more people
Richard Stallman Confirms Next Week's Talk at Technical University of Munich, We Urge EPO Staff to Attend
That's probably late enough for EPO staff to attend after work
Gemini Links 18/10/2025: Notifications and Geminaut
Links for the day
Many Red Hat People Are Leaving, But It'll Be Framed Publicly as Leaving IBM
Similarly, IBM layoffs (or "RAs" as they're called) include Red Hat layoffs
Expect More Waves of Microsoft Layoffs This Month (at Least Two Rounds Confirmed Already)
From what we can gather, assuming the recent rumours about XBox are true, there will be at least 3 waves of Microsoft layoffs this month alone
Security Issues in Cisco and Jenkins Passed Off as "Linux" Problems
Fear, Uncertainty, Doubt (FUD) tactics
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, October 17, 2025
IRC logs for Friday, October 17, 2025
Slopwatch: LinuxSecurity, Linux Journal (Slashdot Media), UbuntuPIT, and Google News (Noise)
egregious plagiarism
Links 17/10/2025: Better Answers Sought After Air Crashes, "China Fans Patriotic Sentiment as Trade War With U.S. Heats Up"
Links for the day
Security is Desirable, But Not When the Term Security is Misused to Imply Centralisation of "Trust" (Whose?)
'Security' is not an excuse for vendor lock-in
Links 17/10/2025: Fentanylware (CheeTok) Causing Problems, Japanese Government Blasts Slop
Links for the day
The Linux Foundation Seems to Have Turned Linux.com Not Only Into a Spamfarm But Also LLM Slopfarm
it's polluting the Web, even important domains like Linux.com, with spam and LLM slop
Links 17/10/2025: UK’s Largest Breach Penalty and Windows TCO Examples
Links for the day
Go Watch Video About Librephone, Get Microsoft Ads
Very ethical company...
Campaign of Defamation Against the People Who Built NixOS (and Are Now Pushed Out From Their Own Project)
We've already grown familiar with - and resistant to - such tactics
Links 17/10/2025: Nestlé Crisis, Canada Post Versus 'Gig Economy' [sic] and Vista 11 Breaks Itself
Links for the day
Tux Machines Has Helped Separate Opinions/Analysis From News
In September 2023 we decided to split things apart and not repeat links in both sites
Tux Machines Has Improved Navigation of GNU/Linux and BSD News
Some more 'wiring' work
What a World Would Look Like If Everyone Used Free Software Only
Freedom is what matters, not "Open".
The Media Helps Microsoft, Amazon and Others (GAFAM and Beyond) Lie About Mass Layoffs Amid Valuation Bubble
The media, instead of saying that there's an "AI bubble" crashing the economy might instead choose the narrative of "jobs replaced by AI"
Bad Tempered? You Might Have Just Given Away That You're Losing the Argument
Brett Wilson LLP is fully aware that it is being investigated
Richard Stallman (RMS) is a Target of Defamation Campaigns Because of His Views on Software (But Politics Are the Excuse for Defaming Him)
Here in this site we try to refrain from politics, except in Daily Links
End of Vista 10 and Rise of GNU/Linux as Client Side Operating System
It seems certain GNU/Linux will grow in popularity over time
Taking Stock of a Week's Worth of EPO Leaks
We remain committed to exposing EPO corruption as long as it keeps happening
Mathieu Parreaux claims FINMA knew since day one
Reprinted with permission from Daniel Pocock
Calumny, Libel, Joerg Jaspert & debian-private untouchable cyberbullies
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, October 16, 2025
IRC logs for Thursday, October 16, 2025
Techrights Turns 19 in 3 Weeks
coverage of suppressed topics and protecting all sources/whistleblowers
International E-Waste Day Same Day as End of Vista 10
message from Akira Urushibata
The EPO's Central Staff Committee Presents Evidence That Staff Compensation Lowered While the Office Increases Income by Illegally Granting Invalid Patents
These people become millionaires by doing illegal things
Second or Third Wave of Microsoft Mass Layoffs in October 2025, This Time Portugal
Those are just the ones we know about, there may be several more
'Help Net Security' (helpnetsecurity.com) May Have Become a Slopfarm as Well
Zeljka Zorz, Editor-in-Chief at Help Net Security, was reported to us
Gemini Links 17/10/2025: Rant About Network Solutions, Strange Anomaly on Lagrange
Links for the day
EPO Staff Representation Lacks Social Dialogue With Relevant Management, Controversial and Sometimes Illegal Policies Implemented Without Necessary Input
"In this open letter, the CSC requests that the President submits an agenda item in the next available General Consultative Committee (GCC) meeting on setting up regular meetings between the CSC and the higher management of DG1."
Links 16/10/2025: Political Leftovers and Gemini Protocol Links
Links for the day
Lies Need to be Corrected
the Court never invited us
Slopwatch: Guardian Digital (linuxsecurity.com), Slashdot, Google News, and More
Maybe one day, once the bubble pops completely, Google News will just outright delist all slopfarms
Lufthansa Modern Slavery, Joerg Jaspert (ganneff) & Debian NSB Softwareentwicklung charade
Reprinted with permission from Daniel Pocock
Links 16/10/2025: US Starting More Trade Wars With China, CIA War on Venezuela
Links for the day
SUSE Blog is Still LLM Slop, Marketing Manager at SUSE Cannot Write
Would you buy from a company or seek support from a company that cannot even write (or fakes writing)?
Pretend You're Not Dead: Microsoft Spent Almost Two Decades Rebranding Things as "Cloud, Then "AI", Now "XBox" and "Quantum"
"AI" bubble pops, Microsoft harping about "quantum" already
IBM Allegedly Found New Tricks for Silent Layoffs: LPI, Then MIS (Not PIP)
Remember that "Red Hat layoffs" won't be reported after the bluewashing
Links 16/10/2025: Red Lines and Feeding of Microsoft Trolls
Links for the day
MIT as a Propaganda Mill of GAFAM, Paid by GAFAM
"the news" today
Links 16/10/2025: Lies Euphemised as ‘Dueling Versions of Reality’ and Microsoft "Open" "Hey Hi" Resorts to Porn as No Business Model Was Found
Links for the day
The Local Staff Committee Munich (Representation of the EPO's Staff) Explains When Cluster of Pregnancies May Result in Reduced Pay
"...even one week of part-time working is sufficient to reduce the salary you perceive during the entirety of your maternity leave."
Another Black Eye for 'Secure Boot', Microsoft Media Tries to Blame "Linux"
It enables Microsoft to remotely control computers, even computers that don't run Windows and never had any Microsoft software installed
Slopwatch: UbuntuPIT, linuxsecurity.com, and Various Slopfarms in Google News Attacking "Linux"
A new survey of the Web said that the majority of the Web is now slop (that's being said in the news this week)
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, October 15, 2025
IRC logs for Wednesday, October 15, 2025
Links 16/10/2025: Increased Use of Social Control Media Surveillance in US, French Rage Over Pensions
Links for the day