So you're still deriding ideas like this as "conspiracy theory nonsense," even after extensive documentation that the NSA is, in fact, surreptitiously introducing security holes in software?
Personally I've adjusted my Bayesian priors a bit.
Extensive documentation does not exist. It's all conjecture and speculation.
We know the NSA spies on foreigners, we know they have relationships with tech companies to make that spying easier and therefore have access to all that information. We don't know the extent of domestic use. We know they collect phone metadata. We know they have infiltrated software abroad, they deny having done it domestically. There's just a whole lot we don't know.
Here's something I do know: the government is not infallible. In fact, just the opposite. Sure Snowden revealed a lot about the NSA spying programs, but he also revealed another salient fact: their background check process was a joke. Like every other government agency they display an incredible degree of incompetence.
Sleeper agents at Apple inserting bugs into code in order to bypass security checks as part of some grand scheme to infiltrate the communications of millions of Americans... it's not even a good idea on the face of it, but even if they tried to pull this off they'd screw it up somewhere along the way. Human beings make mistakes. You guys are giving way too much credit to the NSA.
> extensive documentation that the NSA is, in fact, surreptitiously introducing security holes in software?
I've seen speculation to that, but not "extensive documentation", at least from the perspective of simply breaking all hardware.
Buying descriptions of existing vulnerabilities is not "introducing" them. Nor is haranguing companies into leaving in known vulnerabilities (though that is bad enough).
Even things like asking companies to use Dual EC DRBG are not "introducing security holes" in the way we understand it, as EC DRBG is actually secure against all adversaries except NSA.
Like, I'm re-reading the Guardian article now and it talks about the NSA "using supercomputers to brute-force encryption" as a strategy... hardly a jumping testament to the massive brokenness of the Web.
Going further to read the actual list of NSA practices helps confirm this a bit too.
For starters if you look at the description of their SIGINT Enabling Project it states that "To the consumer and other adversaries, however, the system security remains intact." (emphasis mine), which seems to be hinting at Dual EC DRBG (or at least, Snowden doesn't seem to have leaked any other NSA technologies that are broken only to NSA but resistant against other adversaries).
The one blurb I could find about deliberately introducing vulnerabilities had a very important caveat which everyone leaves out: "Insert vulnerability into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" (again, emphasis mine). The Guardian somehow left that out of their description of that bullet, I'm sure it was just an oversight.
In other words this is not mass introduction of simple exploitable vulnerabilities but a seeming formalization of the types of corporate-government partnerships that led to things like the Siberian pipeline sabotage, to be used in specific targeted operations. Indeed the Guardian seems to confirm that in their description of the NSA Commercial Solutions Center.
Even Snowden has spoken up in support of the concept of targeted operations by U.S. intelligence agencies, so I'm not sure why this should be surprising; it's the kind of stuff we expect the U.S. to do to gear going to Iranian nuclear weapons facilities or Syrian C2 bunkers.
So even if we give the NSA credit for surreptitiously breaking crypto around the world, this particular method does not appear to match their style or even their own internally-held methods. It seems like the kind of thing NSA would take advantage of without revealing it, but not the kind of thing they'd intentionally add to a non-targeted iPhone. And, if they did add it, they'd add it to the flashed image, not the source, à la "Reflections on Trusting Trust".