Not sure whether that’s a fake site or valid, but just stumbled upon it …

  • A1kmm@lemmy.amxl.com
    link
    fedilink
    arrow-up
    10
    ·
    2 years ago

    Yeah, the NSA has both an offensive and a defensive mission. The trouble is, they have previously exploited the trust they get from their defensive mission to advance their offensive mission.

    For example, they pushed hard for the random number generator algorithm Dual_EC_DRBG to be included in lots of FLOSS and commercial crypto software, and I think people assumed they were pushing it because they knew something from a defensive side about the alternatives. Dual_EC_DRBG included large constants with no explanation where they came from, and warnings from independent researchers that certain number choices in generating parameters could mean it is unsafe. Snowden whistleblowing confirmed Dual_EC_DRBG was in fact a disguised PKRNG (encrypt the random seed with a public key to get the random output, in such a way someone with the private key - which the NSA had because they came up with the keypair - can decrypt the seed from random output and hence future ‘random’ output, e.g. future randomly generated crypto keys.

    NSA also both has a mission to warn people about security vulnerabilities that put them at risk, and a tendency to hoard 0-days so they can use them against other people.

    So it probably isn’t too far fetched that they might include some kind of vulnerability in their FLOSS software. The Dual_EC_DRBG style is to find one that NSA can use but no one else can. Making sure you have other layers of defense is probably a good practice.

  • unsaid0415@szmer.info
    link
    fedilink
    arrow-up
    9
    ·
    2 years ago

    I once followed instructions to generate (pirate) a license key for a server motherboard to unlock more features. This entailed reading a binary file with Ghidra, was kinda spooked that it’s NSA software AND it’s available on github

      • heady@beehaw.org
        link
        fedilink
        arrow-up
        4
        ·
        2 years ago

        Spy agencies have a long history of funding projects through proxies, both government and private, so it’s probably nearly impossible to prove the negative here. The positive remains unproven until there is a leak or declassification.

        • rysiek@szmer.info
          link
          fedilink
          arrow-up
          5
          ·
          2 years ago

          And in a meaningful way, it might be irrelevant where the money is coming from. The code is open, the papers it is based on are public, the protocol is right there to be inspected. And since it is used by activists and dissidents around the world, it’s been looked at, a lot, by a lot of very smart people.

          If NSA wants to fund a tool that is useful, safe, and not-backdoored, I don’t have a problem with that. There are way worse ways for them to spend their insanely huge budget. And if the tool is backdoored, it doesn’t matter where the funding is coming from.

          So far, I have not seen a single piece of proof that Tor might be backdoored. If anyone has such a proof, please come forward, as a lot of people at-risk rely on it to stay safe!

  • dax@beehaw.org
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    2 years ago

    It’s valid; in a time long long ago, I did some contracting work for them. I used NiFi before it was open sourced, as well as cloudbase/accumulo. I don’t really have anything to share, but I can vouch for the site; it’s legit.

    And I really, really don’t have anything interesting to share . Writing ETL in NiFi processors was the most god damned boring job I ever had. The only part that was fun was trying to replace it with Storm (also pre-ASF days) which actually was fun.