EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.26.14

Never Ever Use Coprocessors for Cryptology, Especially If Implemented in the United States

Posted in GNU/Linux, Hardware, Kernel, Security at 2:41 pm by Dr. Roy Schestowitz

Can you read the source code in this microchip?

AMD microchip

Summary: Why the hype about “accelerated” cryptology (like polygons rendering, but for cryptographic purposes) is a dangerous trap that should be shunned and perpetually avoided

THE QUICKEST and most convenient way to undermine all encryption is to weaken random number generation, e.g. lower the entropy, making keys more predictable and thus easily crackable by supercomputers (or even standard computers). This is effective against everything, including online financial transactions, simply because it cracks the very core components of today’s security: SSL, PGP, etc. My doctoral degree involved a great deal of work with entropy and my daytime job too sometimes involves it, so the subject is not foreign to me. I have been watching the NSA closely for a number of years, and always with great concern and suspicion. Now we know that the NSA compels (and even bribes) US companies to help undermine privacy, if not by direct handover of data (PRISM) then by making encryption too poor, setting up back doors, forcing companies to obey NSL/subpoenas, network wiretapping/DPI, or even a combination of all those things. No need for hypotheses anymore; there’s plenty of hard proof now.

Intel, a cleverly-named criminal company (serving the intelligence community), whose hardware-level random number generator (hidden in silicon) FreeBSD refuses to trust (OpenBSD too is historically very critical of Intel) is no longer the only x86 player seeking to manufacture consent (blind trust) for encryption with no source code, just minuscule circuits of semiconductors. AMD, another US company, is now following suit with ardware-level cryptology (i.e. cryptic algorithms for cryptology, which is a non-starter). This is bad just because AMD is a US company (FreeBSD did not single out the US); any company from any country should not be trusted with this type of task. It’s no better — and it is probably much worse — than proprietary software for one’s security. To quote Michael Larabel’s article about it: “Back in November was when patches first emerged for an AMD Cryptographic Coprocessor on Linux. This co-processor provides hardware encryption and other hashing functionality for the AES crypto API, AES CMAC, XTS-AES, and SHA cryptographic interfaces within the Linux kernel.

“Not much information is publicly known on this AMD Cryptographic Coprocessor but it’s believed to be part of AMD’s embedded ARM Cortex-A5 processor on upcoming server-class Opterons with TrustZone technology.”

“Have we learned nothing at all from Snowden’s explosive leaks?”So, Linux 3.14 will try to offload something so sensitive to proprietary code concealed in silicon. Bad idea. Very bad idea. Sure, it’s Linux, but it does open itself to some blobs (e.g. Microsoft’s hypervisor and more famously drivers for peripheral cards that handle graphics), firmware, and now peripheral, embedded-in-hardware proprietary algorithms. Have we learned nothing at all from Snowden’s explosive leaks? Just look what Microsoft has done (total complicity with the NSA). A new poll at FOSS Force asks: “Do you think Red Hat is cooperating with the NSA by building back doors into RHEL?”

The responses may surprise you. Only 42% say “No”. 28% say “I don’t know” and 30% say “Yes”. This relates to an article that alludes to Techrights. It was read by thousands and has been linked to by numerous news sites. I rarely ever comment in sites where identity cannot be verified (because of fakers), but this one challenged my claims and I had to respond. Here are my three replies:

It is not purely speculative. If you think that it is, then you must not have paid close enough attention.

I have been spending at least 2 hours per day since 2012 reading about the NSA. I knew what Snowden showed even before it was publicly known and I spoke about it with RMS on numerous occasions (he came to the UK to meet Assange and then myself, focusing on mass surveillance).

The truth of the matter just needs a little digging because the corporate press is not helping the general public find it out, just like it knowingly ‘buried’ a captured agent in Iran for several years (this leaked out in November).

Similarly, GNU/Linux sites did a very poor job covering (if at all) what happened in recent months regarding Linux. Let me summarise some facts (without links, as I don’t want to be put in the moderation queue again):

- Torvalds’ father said that the NSA had approached his son regarding back doors.

- Linux had a back door added to it about a decade ago. It got removed quickly afterwards and it wasn’t known who had added it. There was press coverage about it, but it was scarce.

- RSA received a bribe from the NSA to promote security standards with back doors.

- NIST and others had NSA moles and bogus (corrupt) peer review process to help usher in security standards with back doors.

- NSA is a large Red Hat client.

- The NSA sends patches to Red Hat, which in turn sends those for Linus Torvalds to put in Linux.

(the above two are now confirmed to me by Red Hat staff)

- BSD does not trust hardware-level random number generators, suspecting — quite rightly given the NSA’s track record — that it has too low an entropy.

- Several top-level Linux developers found vulnerabilities in Linux random number generation. They quietly (without much press coverage anywhere) addressed the issue (raising the entropy) a few months back. Only the latest kernel release has the fixes applied AFAIK (I don’t know if Greg K-H backported any of it because coverage is too scarce). To lay out the magnitude of this issue, it compromises SSL, PGP, etc. (pretty much everything with encryption, even passwords) not just at client side (desktop, tablet, smartphone) but also the server side (i.e. the Internet). This is huge! But the media hasn’t covered it.

Suffice to say, Red Hat has not done anything to convince me I was wrong. Instead, I notice that Red Hat staff is stalking me in LinkedIn and I see my article cited in several news sites which wrote about the issue in several languages (3 articles in Google News are in Spanish).

If you found holes in the above statements or if you want links attached, please request them and I will provide citations. I wrote about everything before, even years ago (NSA involvement in SLE* and RHEL I covered around 2007 or 2008).

I am frustrated to see people turning against the messenger rather than the message. I see a lot of the same done to Sam Varghese. We are making ourselves more vulnerable by refusing to listen to what seems uncomfortable.

Another reply:

I was thinking along the same lines — that Edward Snowden’s leaks (by the way, they’re not just his anymore, as anonymous people from the NSA reportedly leak more and more documents to be published under his name for their safety) can at some stage show encryption undermined at more levels (hardware level, or even kernel level). We already know that encryption was undermined at RSA and NIST by NSA moles, using bribes too. We also know that Linux (kernel) developers recently revised random number generators, after they had found a weakness.

Several state officials (in 6 state at the very least) now work to stop the NSA locally. Some call for a ban on companies that facilitate the NSA (that would include Red Hat), under the premise that they are complicit in crime. I am not kidding, watch the news this week (I don’t want to paste links here as the last time I did so my comment took half a day to appear).

Lastly, there are numerous E-mails sent from and to Red Hat. These further validated my suspicions.

I saw a lot of personal attacks (trying to discredit me or even remove links to my analyses). I even heard the usual personal attacks against Sam Varghese (which I expected from Red Hat because he dares to do real journalism, i.e. journalism that companies don’t like).

Trusting Red Hat should be based on its record, not emotional leanings and faith.

Don’t get me wrong. I was not offended by you and you oughtn’t be offended by my response. I am used to this type of divisive treatment (people trying to ostracise me) since the days I criticised Novell — only to be proven right throughout and at the very end (Novell gave its patents to Linux foes).

I hope you will wait patiently for more information and assess the facts based on their merit. Don’t rely purely/solely on what you read in OpenSource.com (Red Hat). I saw Novell doing its self-delusional spiel (IP “peace of mind”) and fortunately, at the end, Novell did not find enough fools to sell its lies to.

I have been frank in my analysis of Red Hat (on patents, build process, etc.) and if you want links for particular bits of my claims, just ask. I have a repository of tens of thousands of links I collect while researching. Sometimes people refuse to accept even a well-sourced claim because of cognitive dissonance — something I’ve had a lot of experience with when dealing with Microsoft spinners.

“Journalism is printing what someone else does not want printed: everything else is public relations.”

― George Orwell

Here is my original reply, challenging the counter-arguments:

This article starts with an incorrect assertion that I accuse “Red Hat of being in cahoots with the NSA.”

No, NSA is a big client of Red Hat (this was not just revealed but also confirmed to me by Red Hat staff some days ago, by E-mail) and it was also confirmed that NSA submits patches to Linux through Red Hat (think of NIST and RSA; we don’t even have NSA E-mail address to keep track of). Back doors can also be added outside the scope of source code, during a build process. My job involves dealing with this risk. I don’t think you read an essential earlier post:

http://techrights.org/2013/11/24/tpm-back-doors-patriot-act-etc/

This, in turn, links to proof that the NSA did try to put back doors in Linux, as noted by Torvalds the father. See:

http://techrights.org/2013/11/17/nils-torvalds-on-back-doors/

http://techrights.org/2013/09/20/linux-backdoor-question/

http://techrights.org/2013/09/25/surveillance-lawlessness/

Defending Red Hat makes sense, but mischaractering my position is a little unfair. I note that trusting Red Hat is not easy and based on articles I read half a decade ago, NSA was involved in the build process of Windows, OS X, SUSE, and Red Hat (only those 4 were mentioned).

The bottom line is this. Do not have blind trust in Linux. Not even access to source code is enough because the build process needs to be carefully checked and validated; moreover, Linux is joined with some proprietary code and even hardware-level code, so trust is seriously harmed. Now that we know about Red Hat’s relationship with the NSA we should ask ourselves if the NSA is once again trying to put back doors in Linux, or worse, maybe it already did. Letting blobs enter the pipeline helps the NSA achieve (but hide) what it already said it wanted to achieve.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. New EPO Protests Amid Nervous Breakdowns of Spanish EPO Employee (After Institutional Bullying by Battistelli's Goons), Spain Rejects the Unitary Patent (UPC)

    In the face of enormous pressure from non-technical Eurocrats like Battistelli, Spain remains strong and resists the Unitary Patent Court (UPC), which puts more power in the hands of an abusive body that grossly discriminates against Spaniards



  2. Only Half a Dozen Cuban Patents Filed at EPO, But Hugely Unpopular Battistelli Goes to Cuba to Garner Cheap Support

    Now that Spain is antagonising the EPO (and especially the UPC) the President of the EPO helps create some puff pieces in Spanish as he visits Cuba and neighbouring Spanish-speaking nations which are historically renowned for defunct governance and lawlessness (like the EPO itself)



  3. Nepotismo de la UPC, Abusos Políticos, y el Envolvimiento en la UPC de la Firma ¨Legal¨ que la OEP Contrato para Matonear a Techrights

    La Corte Unitaria de Patentes UPC, un sistema arregaldo esta siendo embestida por la gargant de Europa por la OEP. (Nos están metiendo la yuca). Sus grandes clientes (incluso extranjeros), con sus abogados de patentes para que todo el mundo los vea.



  4. Miembro del Parlamente Europe Resalta ¨Las Continuas Violaciones de los Fundamentales Derechos de los Empleados de la OEP¨

    Pregunta a la Comisión Europea de parte de la MEP Portuguesa Ana Gomes, publicado en el sitio del Parlamente Europeo.



  5. Links 11/2/2016: LibreOffice 5.1, HMRC and FOSS

    Links for the day



  6. Microsoft Continues to Use Software Patents to Extort/Blackmail Even More Companies That Use Linux, Forcing/Coercing Them Into Preinstalling Microsoft

    Acer is the latest large OEM to have become a victim of Microsoft's witch-hunt against Android/Linux preloaders, whom Microsoft is coercing into becoming Microsoft's carriers (or face litigation over software patents, with high legal fees if not injunctions or high damages upon secret settlements)



  7. EPO Brain Drain (Even Directors Fed Up With Team Battistelli) and Rumours About Battistelli Becoming President of the UPC

    Words heard through the grapevine of the European Patent Office (EPO), where staff is overwhelmingly against the managers and some people, including high-profile staff, add to the exodus



  8. More Than 20 Years in the Line: European Patent Office and Claims of European Convention on Human Rights Infringement Against Applicants/Stakeholders

    Gross incompetence and potentially an infringement of the European Convention on Human Rights at the European Patent Office (EPO), this time impacting an applicant (one of many in a similar position)



  9. UPC Nepotism, Political Abuses, and UPC Involvement From the Legal Firm That EPO Hired to Bully Techrights

    The Unitary Patent Court (UPC), a rigged system that is being rammed down Europe's throat by the EPO, its big clients (even foreign), and their patent lawyers laid bear for people to see



  10. Member of European Parliament Brings Up “Ongoing Violations of the Fundamental and Employment Rights of the Staff of EPO”

    Question to the European Commission from Portuguese MEP Ana Gomes, as published in the site of the European Parliament



  11. La Oficina Europea de Patentes Pretende que No Pasa Nada y Prepara una Feria de Vanidad

    La estrategia de relaciones públicas de la OEP cuya destructiva estrategia de patentes continua sin disminución (por ahora), se engancha en Colombia y se esfuerza en manufacturar el mito donde el público, examinadores de patentes, y aplicantes de patentes todos estan muy felices con la OEP.



  12. La ‘Internacional’ Commisión de Comercio Impone/Reenfuerza Patentes de Software para Establecer Otro Embargo

    La Comisión Internacional (sic) de Comercio se esta entrometiendo en competición de nuevo permitiendo a un gigante de los Estados Unidos Ciso en este caso, a potencialmente bloquear rivales (no importaciones del extranjero) usando patentes de software.



  13. Links 9/2/2016: Linux in Robotics, Hyperledger Project

    Links for the day



  14. Besieged Benoît Battistelli Mimics 'Damage Control' Tactics of FIFA or Blatter as More Judges Start Getting Involved in EPO Scandals

    Rumours and a new rant from Battistelli reinforce suspicions that actions are being organised behind the scenes, possibly as part of an upcoming, high-level campaign to unseat/dethrone Battistelli, who has become a reputational disaster to the European Patent Office (EPO), much like Sepp Blatter at FIFA



  15. Several Political Parties Directly Challenge the European Patent Office for Ignoring the Law, Not Obeying Court Orders

    Politicians make it crystal clear that the EPO, despite its unique status, cannot just raise its nose at the rulings of courts of law, definitely not in Dutch territory where the EPO operates



  16. Even the Legal Community is Upset at Benoît Battistelli for the Damage He Did to the EPO

    A recent article from lawyers' media (in German) speaks of the great damage (or mess) left by its current president, who has become somewhat of a laughing stock and growingly synonymous with farcical trials even in the circles of stakeholders, not just his own staff



  17. EPO Union (SUEPO) Getting Busted: “More and More People are Joining the Union, but Fewer and Fewer People Dare to Take on Leading Positions There.”

    The union-busting actions taken by EPO management in collaboration with Control Risks (for weak accusations against staff representatives) and FTI Consulting (for 'damage control') as described in a recent article, in the words of SUEPO lawyer Liesbeth Zegveld



  18. Microsoft's Copyrights- and Patents-Based Attacks on GNU/Linux Carry on

    The SCO case is still going on and Microsoft has just signed a patent deal with GoPro over its FOSS-based software, relating to “certain file storage and other system technologies”



  19. The EPO's Benoît Battistelli is the Dictator Who Can No Longer Dictate Like He Used to

    The European Patent Office's mechanism of oversight is starting to work just a little because, based on a new report from Juve, Battistelli is now reluctant to make proposals that would prove unpopular among delegates



  20. La Más Detallada Explicación (hasta ahora) de ¿Qué esta mal con la OEP?

    La insistencia de la OEP que permanece arriba de la ley no sólo est bajo fuego en los medios pero también esta siendo desafiada basado en personas familiares con la aplicabilidad de la ley a organizaciones internacionales.



  21. Links 8/2/2016: Vista 10 Nags Help GNU/Linux, Nautilus Updated

    Links for the day



  22. The European Patent Office “is Acting as Though the Law Does Not Apply to It.”

    An article from Nieuwsuur which provides the words of Liesbeth Zegveld (for SUEPO) and Guillaume Minnoye (for the European Patent Office), reaffirming the EPO's bizarre notion that it is above the law, even in the face of human rights violations and a court ruling against the EPO



  23. Microsoft-Connected FRAND Lobbying (Software Patents Against Free/Open Source Software) in Brussels

    Anti-Free/Open Source software (FOSS) talking points and FRAND (anti-FOSS) lobbying groups in Brussels as seen by proponents of FRAND, who also worked for Microsoft



  24. Latest Propaganda From the EPO's Management an Effort to Make the EPO the Tool of Megacorporations

    A quick roundup of some of the latest spin and paid-for (bought) coverage that helps introduce a distorted patent system whose beneficiaries are not European (or even people)



  25. 'Aversion to Change' Propaganda From the EPO Echoes or Parrots Lenin and Stalin

    The out-of-control EPO management is trying to fool the media by blaming staff representatives for getting fired, simply because they stood up to a highly abusive and megalomaniacal dictator



  26. The Gates Foundation Subjected to Criticism, But Over a Decade Too Late

    Reckoning and accepting the fact that even some in the media now openly speak about Bill Gates' corrupting influence in everything, including politics



  27. Links 8/2/2016: Zenwalk 8.0 Beta 2, Q4OS 1.4.7

    Links for the day



  28. SIPO (China's Patent Office) Taken Over by Patent Maximalists

    A look at China's race to the bottom (decline in quality) when it comes to patents, assuming quite wrongly that quantity is more important than quality and severe penalties for perceived infringement will spur innovation



  29. The Alice Case Continues to Smash Software Patents (This Time OpenTV's); Will the EPO Ever Pay Attention?

    The potency or the grip of software patents in the United States is quickly eroding, but the EPO continues to act as though software patents are legitimate



  30. EPO Staff Responds to Team Battistelli's Expansion to Include French Economic Propagandist on the Payroll

    With strings attached (like string puppets of Battistelli in various units including the Investigative Unit), can the new Chief Economist, who is French and paid by Battistelli, ever be trusted?


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts