• Uriel238 [all pronouns]
    1 year ago

    They did this before with the elliptic curve cryptography, and we knew it had this problem before it was implemented as a standard.

    So if the NSA offers a standard, don’t trust it and include in your encryption software the option to use something different.

      • Uriel238 [all pronouns]
        1 year ago

        It was a big deal in the early 2010s, so it’s easy to web search. Techdirt had a lot of posts on it, so you might be able to search them for key words like elliptic, encryption, NSA, NIST, etc.

        Also at the same time, NSA was wooing penetration testers to sell them zero-day vulnerabilities rather than reporting them to appropriate public forums or software developers. Around this time large companies liked to sue white-hats for CFAA violations rather than paying the bounties for discovered vulnerabilities, deflecting said hats towards gray- and black- activities. Some would sell these vulnerabilities to other non-NSA interests, leading to ransomware epidemics and other fun hacker shenanigans.

        It’s a good time to be a hacker without scruples, especially since the NSA is continuing its surveillance efforts rather than securing communications of the free world. (The latter is – was? – the mission of the NSA in the 20th century.)