How many nails does that coffin need?

  • @OsrsNeedsF2P
    link
    6
    edit-2
    2 years ago

    My father used to work at Bell Labs, validating encryption and stuff. A sketchy little company with a lot of influence was trying to get something certified, and everything was checking the boxes. It was during the second review stage that my father and his coworker realized the random number generator, while a legit one, wasn’t actually the one the documentation specified. They attempted to fail the certification on that premise, but were overruled. They raised the issue internally, and were both laid off a week later. The entire branch of Bell Labs shut down the next month. About a decade later, the coworker of my father found out that the “sketchy little company” was an arm of the CIA, and they were doing similar things to the IPv6 spec.

    • @toneverends
      link
      42 years ago

      Shenanigans galore in gnupg:

      The cryptographers who wrote the paper […] note that the Libgcrypt maintainers at one point rejected a fix that would have thwarted the extraction of key information: “However, the maintainers refused a patch to switch from sliding windows to fixed windows; they said that this was unnecessary to stop the attacks.”

      Breaking Libgcrypt RSA via a side channel

    • @brombek
      link
      32 years ago

      “C was originally developed at Bell Labs by Dennis Ritchie”, this all adds up now :)

      Was lack of overflow checks, no buffer bounds checks, weak error handling and null terminated strings a CIA con job? :D

      • @OsrsNeedsF2P
        link
        42 years ago

        Bell Labs did a lot of good work, but there will always be people who “aren’t CIA but are friends with people in the CIA” and who are “suspiciously enthusiastic” about adding a feature that makes no sense

    • @Stoned_Ape
      link
      12 years ago

      Can you give a little bit more information what branch that was, and what the time frame it is we’re speaking about? Thank you very much.

      • @OsrsNeedsF2P
        link
        22 years ago

        Asked for the details - here they are:

        The original OpenSSL, 2004. Being certified by IBM Domus lab Ottawa. US navy paid for the certification and the US army for the coding (or vice versa). It needed FIPS-140 certification which technically didn’t cover the random number generator. They passed all the tests, but when asked about the random number generator algorithm since the comments didn’t match the code, “everything went to shit”

  • @brombek
    link
    62 years ago

    So integer underflow, no bounds checking on buffer read, ignoring error codes, null terminated strings. Classic C :)