[tor-talk] Fwd: Can You Trust NIST?

Luther Blissett lblissett at paranoici.org
Tue Oct 22 16:45:14 UTC 2013

On Fri, 2013-10-18 at 12:28 -0400, Tom Goldman wrote:
> NOTE: Sorry about sending that duplicate.
> Best regards,
> cl34r
> On Fri, Oct 18, 2013 at 10:13 AM, Tom Goldman <an0n102968 at gmail.com> wrote:
> > Recently, I stumbled upon a very interesting article at
> > http://spectrum.ieee.org/telecom/security/can-you-trust-nist
> >  Does this mean that Tor could technically be weakened by the NSA?
> >
> > Best regards,
> > cl34r
> >

Yes/No. Yes, the same thing that happened there could happen to Tor
source code during its development, that upgrades and new standards can
contain bugs, even malicious ones. That's why public development is so
crucial. We need random joe to be able to study tech development in
order to have any minimal assurance that those evil bugs are not
intentionally left there by the bugger who sees those bugs as features.

No, or rather I don't know, this specific compromise of SHA-3 is not
meaningful to Tor. If Tor were to use this algo to encrypt the traffic,
it would be just a matter of changing the algo to a safer one. But then we
need to know the state of crypto algos nowadays against math knowledge
and computing processor power. I'm not knowledgeable enough to comment
on this, but having to decide on the lack of this knowledge I guess we
come to a need to rethink our "trustees" and support them somehow.

The other path is to devel your own crypto system which does not rely on
publicly available standards. That wouldn't mean it's unreversible, but
would mean it's not reversed yet by the time you start using it.
Security by obscurity they call it.

BTW, is there any consensus on the Kryptos sculpture's meanings?

Do not forget that we are cattle on an animal farm which is managed and
handled mostly by machines. Machines do what they are/were told to. What
lies in between stdin and stdout and is not shown in stderr?

GPG: 0x48BE63E6

