EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

01.26.14

Never Ever Use Coprocessors for Cryptology, Especially If Implemented in the United States

Posted in GNU/Linux, Hardware, Kernel, Security at 2:41 pm by Dr. Roy Schestowitz

Can you read the source code in this microchip?

AMD microchip

Summary: Why the hype about “accelerated” cryptology (like polygons rendering, but for cryptographic purposes) is a dangerous trap that should be shunned and perpetually avoided

THE QUICKEST and most convenient way to undermine all encryption is to weaken random number generation, e.g. lower the entropy, making keys more predictable and thus easily crackable by supercomputers (or even standard computers). This is effective against everything, including online financial transactions, simply because it cracks the very core components of today’s security: SSL, PGP, etc. My doctoral degree involved a great deal of work with entropy and my daytime job too sometimes involves it, so the subject is not foreign to me. I have been watching the NSA closely for a number of years, and always with great concern and suspicion. Now we know that the NSA compels (and even bribes) US companies to help undermine privacy, if not by direct handover of data (PRISM) then by making encryption too poor, setting up back doors, forcing companies to obey NSL/subpoenas, network wiretapping/DPI, or even a combination of all those things. No need for hypotheses anymore; there’s plenty of hard proof now.

Intel, a cleverly-named criminal company (serving the intelligence community), whose hardware-level random number generator (hidden in silicon) FreeBSD refuses to trust (OpenBSD too is historically very critical of Intel) is no longer the only x86 player seeking to manufacture consent (blind trust) for encryption with no source code, just minuscule circuits of semiconductors. AMD, another US company, is now following suit with ardware-level cryptology (i.e. cryptic algorithms for cryptology, which is a non-starter). This is bad just because AMD is a US company (FreeBSD did not single out the US); any company from any country should not be trusted with this type of task. It’s no better — and it is probably much worse — than proprietary software for one’s security. To quote Michael Larabel’s article about it: “Back in November was when patches first emerged for an AMD Cryptographic Coprocessor on Linux. This co-processor provides hardware encryption and other hashing functionality for the AES crypto API, AES CMAC, XTS-AES, and SHA cryptographic interfaces within the Linux kernel.

“Not much information is publicly known on this AMD Cryptographic Coprocessor but it’s believed to be part of AMD’s embedded ARM Cortex-A5 processor on upcoming server-class Opterons with TrustZone technology.”

“Have we learned nothing at all from Snowden’s explosive leaks?”So, Linux 3.14 will try to offload something so sensitive to proprietary code concealed in silicon. Bad idea. Very bad idea. Sure, it’s Linux, but it does open itself to some blobs (e.g. Microsoft’s hypervisor and more famously drivers for peripheral cards that handle graphics), firmware, and now peripheral, embedded-in-hardware proprietary algorithms. Have we learned nothing at all from Snowden’s explosive leaks? Just look what Microsoft has done (total complicity with the NSA). A new poll at FOSS Force asks: “Do you think Red Hat is cooperating with the NSA by building back doors into RHEL?”

The responses may surprise you. Only 42% say “No”. 28% say “I don’t know” and 30% say “Yes”. This relates to an article that alludes to Techrights. It was read by thousands and has been linked to by numerous news sites. I rarely ever comment in sites where identity cannot be verified (because of fakers), but this one challenged my claims and I had to respond. Here are my three replies:

It is not purely speculative. If you think that it is, then you must not have paid close enough attention.

I have been spending at least 2 hours per day since 2012 reading about the NSA. I knew what Snowden showed even before it was publicly known and I spoke about it with RMS on numerous occasions (he came to the UK to meet Assange and then myself, focusing on mass surveillance).

The truth of the matter just needs a little digging because the corporate press is not helping the general public find it out, just like it knowingly ‘buried’ a captured agent in Iran for several years (this leaked out in November).

Similarly, GNU/Linux sites did a very poor job covering (if at all) what happened in recent months regarding Linux. Let me summarise some facts (without links, as I don’t want to be put in the moderation queue again):

- Torvalds’ father said that the NSA had approached his son regarding back doors.

- Linux had a back door added to it about a decade ago. It got removed quickly afterwards and it wasn’t known who had added it. There was press coverage about it, but it was scarce.

- RSA received a bribe from the NSA to promote security standards with back doors.

- NIST and others had NSA moles and bogus (corrupt) peer review process to help usher in security standards with back doors.

- NSA is a large Red Hat client.

- The NSA sends patches to Red Hat, which in turn sends those for Linus Torvalds to put in Linux.

(the above two are now confirmed to me by Red Hat staff)

- BSD does not trust hardware-level random number generators, suspecting — quite rightly given the NSA’s track record — that it has too low an entropy.

- Several top-level Linux developers found vulnerabilities in Linux random number generation. They quietly (without much press coverage anywhere) addressed the issue (raising the entropy) a few months back. Only the latest kernel release has the fixes applied AFAIK (I don’t know if Greg K-H backported any of it because coverage is too scarce). To lay out the magnitude of this issue, it compromises SSL, PGP, etc. (pretty much everything with encryption, even passwords) not just at client side (desktop, tablet, smartphone) but also the server side (i.e. the Internet). This is huge! But the media hasn’t covered it.

Suffice to say, Red Hat has not done anything to convince me I was wrong. Instead, I notice that Red Hat staff is stalking me in LinkedIn and I see my article cited in several news sites which wrote about the issue in several languages (3 articles in Google News are in Spanish).

If you found holes in the above statements or if you want links attached, please request them and I will provide citations. I wrote about everything before, even years ago (NSA involvement in SLE* and RHEL I covered around 2007 or 2008).

I am frustrated to see people turning against the messenger rather than the message. I see a lot of the same done to Sam Varghese. We are making ourselves more vulnerable by refusing to listen to what seems uncomfortable.

Another reply:

I was thinking along the same lines — that Edward Snowden’s leaks (by the way, they’re not just his anymore, as anonymous people from the NSA reportedly leak more and more documents to be published under his name for their safety) can at some stage show encryption undermined at more levels (hardware level, or even kernel level). We already know that encryption was undermined at RSA and NIST by NSA moles, using bribes too. We also know that Linux (kernel) developers recently revised random number generators, after they had found a weakness.

Several state officials (in 6 state at the very least) now work to stop the NSA locally. Some call for a ban on companies that facilitate the NSA (that would include Red Hat), under the premise that they are complicit in crime. I am not kidding, watch the news this week (I don’t want to paste links here as the last time I did so my comment took half a day to appear).

Lastly, there are numerous E-mails sent from and to Red Hat. These further validated my suspicions.

I saw a lot of personal attacks (trying to discredit me or even remove links to my analyses). I even heard the usual personal attacks against Sam Varghese (which I expected from Red Hat because he dares to do real journalism, i.e. journalism that companies don’t like).

Trusting Red Hat should be based on its record, not emotional leanings and faith.

Don’t get me wrong. I was not offended by you and you oughtn’t be offended by my response. I am used to this type of divisive treatment (people trying to ostracise me) since the days I criticised Novell — only to be proven right throughout and at the very end (Novell gave its patents to Linux foes).

I hope you will wait patiently for more information and assess the facts based on their merit. Don’t rely purely/solely on what you read in OpenSource.com (Red Hat). I saw Novell doing its self-delusional spiel (IP “peace of mind”) and fortunately, at the end, Novell did not find enough fools to sell its lies to.

I have been frank in my analysis of Red Hat (on patents, build process, etc.) and if you want links for particular bits of my claims, just ask. I have a repository of tens of thousands of links I collect while researching. Sometimes people refuse to accept even a well-sourced claim because of cognitive dissonance — something I’ve had a lot of experience with when dealing with Microsoft spinners.

“Journalism is printing what someone else does not want printed: everything else is public relations.”

― George Orwell

Here is my original reply, challenging the counter-arguments:

This article starts with an incorrect assertion that I accuse “Red Hat of being in cahoots with the NSA.”

No, NSA is a big client of Red Hat (this was not just revealed but also confirmed to me by Red Hat staff some days ago, by E-mail) and it was also confirmed that NSA submits patches to Linux through Red Hat (think of NIST and RSA; we don’t even have NSA E-mail address to keep track of). Back doors can also be added outside the scope of source code, during a build process. My job involves dealing with this risk. I don’t think you read an essential earlier post:

http://techrights.org/2013/11/24/tpm-back-doors-patriot-act-etc/

This, in turn, links to proof that the NSA did try to put back doors in Linux, as noted by Torvalds the father. See:

http://techrights.org/2013/11/17/nils-torvalds-on-back-doors/

http://techrights.org/2013/09/20/linux-backdoor-question/

http://techrights.org/2013/09/25/surveillance-lawlessness/

Defending Red Hat makes sense, but mischaractering my position is a little unfair. I note that trusting Red Hat is not easy and based on articles I read half a decade ago, NSA was involved in the build process of Windows, OS X, SUSE, and Red Hat (only those 4 were mentioned).

The bottom line is this. Do not have blind trust in Linux. Not even access to source code is enough because the build process needs to be carefully checked and validated; moreover, Linux is joined with some proprietary code and even hardware-level code, so trust is seriously harmed. Now that we know about Red Hat’s relationship with the NSA we should ask ourselves if the NSA is once again trying to put back doors in Linux, or worse, maybe it already did. Letting blobs enter the pipeline helps the NSA achieve (but hide) what it already said it wanted to achieve.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Masking Abstract Patents in the Age of Alice/§ 101 in the United States

    There are new examples and ample evidence of § 101-dodging strategies; the highest US court, however, wishes to limit patent scope and revert back to an era of patent sanity (as opposed to patent maximalism)



  2. PTAB's Latest Applications of 35 U.S.C. § 101 and Obviousness Tests to Void U.S. Patents

    Validity checks at PTAB continue to strike out patents, much to the fear of people who have made a living from patenting and lawsuits alone



  3. France is Irrelevant to Whether or Not UPC Ever Becomes a Reality, Moving/Outsourcing de Facto Patent Examination to European Courts Managed in/Presided by France

    Team UPC is still focusing on France as if it's up for France to decide the fate of the UPC, which EPO insiders say Battistelli wants to be the chief of (the chief, it has already been decided, would have to be a Frenchman)



  4. Saint-Germain's Poisonous Legacy of "Toxic Loans": The Emperor’s New Investment Guidelines

    Details about a secret vote to 'gamble' the EPO's budget on "a diversified portfolio managed by external experts"



  5. Saint-Germain's Poisonous Legacy of "Toxic Loans": Cautionary Tale for the EPO?

    Preface or background to a series of posts about Battistelli's French politics and why they can if not should alarm EPO workers



  6. Links 22/5/2018: Parrot 4.0, Spectre Number 4

    Links for the day



  7. Chamber of Commerce Lies About the United States Like It Lies About Other Countries for the Sole Purpose of Patent Maximalism

    When pressure groups that claim to be "US" actively bash and lie about the US one has to question their motivation; in the case of the Chamber of Commerce, it's just trying to perturb the law for the worse



  8. Links 21/5/2018: Linux 4.17 RC6, GIMP 2.10.2

    Links for the day



  9. The Attacks on the Patent Trial and Appeal Board (PTAB) Have Lost Momentum and the Patent Microcosm Begrudgingly Gives Up

    The Patent Trial and Appeal Board (PTAB), reaffirmed by the Court of Appeals for the Federal Circuit (CAFC) and now the Supreme Court as well, carries on preventing frivolous lawsuits; options for stopping PTAB have nearly been exhausted and it shows



  10. Software Patenting and Successful Litigation a Very Difficult Task Under 35 U.S.C. § 101

    Using loads of misleading terms or buzzwords such as "AI" the patent microcosm continues its software patents pursuits; but that's mostly failing, especially when courts come to assess pertinent claims made in the patents



  11. António Campinos Will Push Toward a France-Based Unified Patent Court (UPC)

    Frenchmen at EPO will try hard to bring momentum if not force to the Unified Patent Court; facts, however, aren't on their side (unlike Team UPC, which was always on Team Battistelli's side)



  12. In Apple v Samsung Patents That Should Never Have Been Granted May Result in a Billion Dollars in 'Damages'

    A roundup of news about Apple and its patent cases (especially Apple v Samsung), including Intel's role trying to intervene in Qualcomm v Apple



  13. Links 20/5/2018: KDevelop 5.2.2 and 5.2.3, FreeBSD 11.2 Beta 2

    Links for the day



  14. Aurélien Pétiaud's ILO Case (EPO Appeal) an Early Sign That ILO Protects Abusers and Power, Not Workers

    A famous EPO ‘disciplinary’ case is recalled; it’s another one of those EPO-leaning rulings from AT-ILO, which not only praises Battistelli amid very serious abuses but also lies on his behalf, leaving workers with no real access to justice but a mere illusion thereof



  15. LOT Network is a Wolf in Sheep's Clothing

    Another reminder that the "LOT" is a whole lot more than it claims to be and in effect a reinforcer of the status quo



  16. 'Nokification' in Hong Kong and China (PRC)

    Chinese firms that are struggling resort to patent litigation, in effect repeating the same misguided trajectories which became so notorious in Western nations because they act as a form of taxation, discouraging actual innovation



  17. CIPU is Amplifying Misleading Propaganda From the Chamber of Commerce

    Another lobbying event is set up to alarm lawmakers and officials, telling them that the US dropped from first to twelfth using some dodgy yardstick which favours patent extremists



  18. Patent Law Firms That Profit From Software Patent Applications and Lawsuits Still 'Pull a Berkheimer' to Attract Business in Vain

    The Alice-inspired (Supreme Court) 35 U.S.C. § 101 remains unchanged, but the patent microcosm endlessly mentions a months-old decision from a lower court (than the Supreme Court) to 'sell' the impression that everything is changing and software patents have just found their 'teeth' again



  19. A Year After TC Heartland the Patent Microcosm is Trying to 'Dilute' This Supreme Court's Decision or Work Around It

    IAM, Patent Docs, Managing IP and Patently-O want more litigation (especially somewhere like the Eastern District of Texas), so in an effort to twist TC Heartland they latch onto ZTE and BigCommerce cases



  20. Microsoft Attacks the Vulnerable Using Software Patents in Order to Maintain Fear and Give the Perception of Microsoft 'Safety'

    The latest patent lawsuits from Microsoft and its patent trolls (which it financially backs); these are aimed at feeble and vulnerable rivals of Microsoft



  21. Links 19/5/2018: Mesa 18.0.4 and Vim 8.1

    Links for the day



  22. Système Battistelli (ENArque) at the EPO is Inspired by Système Lamy in Saint-Germain-en Laye

    Has the political culture of Battistelli's hometown in France contaminated the governance of the EPO?



  23. In Australia the Productivity Commission Decides/Guides Patent Law

    IP Australia, the patent office of Australia, considers abolishing "innovation patents" but has not done so yet (pending consultation)



  24. Fishy Things Noticed Ahead of the Passage of a Lot of EPO Budget (Applicants' Money) to Battistelli's Other (and Simultaneous) Employer

    Observations and odd facts regarding the affairs of the council in St Germain; it certainly looks like Battistelli as deputy mayor and the mayor (Arnaud Péricard) are attempting to hide something



  25. Links 18/5/2018: AsteroidOS 1.0 Released, More Snyk/Black Duck FUD

    Links for the day



  26. Today's EPO Financially Rewards Abuses and Violations of the Law

    Battistelli shredded the European Patent Convention (EPC) to pieces and he is being rewarded for it, perpetuating a pattern of abuses (and much worse) being rewarded by the European Patent Organisation



  27. So-Called 'System Battistelli' is Destroying the EPO, Warn Insiders

    Low-quality patent grants by the EPO are a road to nowhere but a litigious climate in Europe and an unattractive EPO



  28. Rise in Patent Trolls' Activity in Germany Noted Amid Declining Patent Quality at the EPO

    The UPC would turn Europe into some sort of litigation ‘super-state’ — one in which national patent laws are overridden by some central, immune-from-the-law bureaucracy like the EPO; but thankfully the UPC continues its slow collapse



  29. EPO's Battistelli Taking Days Off Work for Political 'Duties' (Parties) in His French Theatre Where He'll Bring Buckets of EPO Budget (EPO Stakeholders' Money)

    More tales from Saint-Germain-en-Laye...



  30. Links 16/5/2018: Cockpit 168, GCompris 0.91, DHCP Bug

    Links for the day


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts