
When I looked more into the SHAs and SELinux a while ago, I had always wondered why the NSA would create/sponsor these things.



Because NSA is chartered with assisting the USG and, as a knock-on effect, the US economy, with infosec. It's part of their job. Just like designing secure ciphers is part of their job, along with breaking them.


Bullshit.

"Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products."


Obviously you're not an SELinux fan.


Why not leave it to the private sector?


Among other reasons, because the private sector sucks at it.


The latest SHA3 was determined in a competition amongst private sector contestants, won by Keccak. Schneier himself put up a candidate - Skein.

Edit: Then there's TrustedBSD (as opposed to SELinux)


SHA3 was a contest run by NIST, known to its friends by its other name, NSA.


Have you seen what passes for security, even in tech companies that sell primarily security?


Actual quote from the CTO of a company that makes some security-related software (it's a major selling point) for a specific sector. They probably have over a hundred million people using this stuff day-to-day, indirectly, and hundreds of direct, large customers. Security bypass can easily cost hundreds of thousands a month.

I had found a backdoor in their platform, so I asked if they had such basic holes, how they managed to write a large C-based app securely. Like, buffer overflows, for example.

CTO/head of development replied: "Buffer overflows? Probably not an issue, unless the network is really fast." Cringe.
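The quoted reply gets the failure mode wrong: a buffer overflow is triggered by the length of what a peer sends, not by how fast it arrives. The C below is an added illustration for this thread, not code from the company in the story or from anyone posting here. It assumes a hypothetical length-prefixed wire message (one byte of length followed by that many name bytes) and made-up function names; the vulnerable parser is kept only for contrast next to the checked one, and the sample messages are constructed, not captured traffic.

```c
/* Added illustration: why an overflow depends on message length, not link speed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_NAME 32   /* capacity of the caller's destination buffer */

/* Hypothetical wire format: [u8 len][len bytes of name]. */

/* Vulnerable pattern: trusts the length byte from the wire. One message
   whose len exceeds the destination buffer overruns it, regardless of
   how slowly the bytes trickle in. Shown for contrast; never call this
   on untrusted input. */
static void parse_name_unchecked(const uint8_t *msg, char *out)
{
    uint8_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no check against the caller's capacity */
    out[len] = '\0';
}

/* Hardened pattern: the length field is validated against both what was
   actually received and the destination capacity before any copy.
   Returns the number of name bytes copied, or -1 if the message is
   truncated, oversized, or malformed. */
static int parse_name_checked(const uint8_t *msg, size_t msg_len,
                              char *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < 1 || out_cap == 0)
        return -1;
    size_t len = msg[0];
    if (len > msg_len - 1)       /* claims more bytes than were received */
        return -1;
    if (len >= out_cap)          /* would not fit together with the terminator */
        return -1;
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample messages (not real traffic). */
static const uint8_t GOOD_MSG[]      = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t TRUNCATED_MSG[] = { 9, 'b', 'o', 'b' };   /* claims 9, carries 3 */

/* Well-formed message: expect 5 bytes copied and the string "alice". */
static int check_good(void)
{
    char out[MAX_NAME];
    int n = parse_name_checked(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out);
    return (n == 5 && strcmp(out, "alice") == 0) ? 1 : 0;
}

/* Length byte larger than the bytes received: expect rejection (-1). */
static int check_truncated(void)
{
    char out[MAX_NAME];
    return parse_name_checked(TRUNCATED_MSG, sizeof TRUNCATED_MSG, out, sizeof out);
}

/* Length byte larger than the destination: the unchecked parser would
   write 200 bytes into a 32-byte buffer; the checked one returns -1. */
static int check_oversized(void)
{
    uint8_t msg[201];
    msg[0] = 200;
    memset(msg + 1, 'A', 200);
    char out[MAX_NAME];
    return parse_name_checked(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    (void)parse_name_unchecked;  /* referenced only so the contrast compiles unused */
    printf("good: %d truncated: %d oversized: %d\n",
           check_good(), check_truncated(), check_oversized());
    return 0;
}
```

The point the checked parser makes is that the two comparisons (received length and destination capacity) are what stop the overflow; nothing about transfer rate enters into it, so a slow network offers no protection at all.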


The NSA is a schizophrenic organization. It is tasked with two opposing goals:

- To eavesdrop on the communications of foreign entities.

- To protect our own government from foreign entities that are doing the same.

It is the latter directive that has provided SELinux and AES.


There's nothing at all opposing about those goals. They're both natural by-products of expertise in signals intelligence and cryptanalysis, and skill at breaking security helps provide more secure systems by subjecting them to more sophisticated attacks.


True enough. It has only become schizophrenic lately because it is now eavesdropping on domestic communication as well.


Just as a clarification, NSA doesn't set those standards. Agencies like NIST set AES and SHA3 through open worldwide competitions. These standards then become parts of larger compliance guidelines like FIPS (Federal Information Protection Standard I think) that govern how the USG should protect its data.


NIST has like 2 cryptographers, doesn't it? The real guidance at NIST comes from NSA. If you think NSA is backdooring Suite B crypto, you can't trust NIST.



