Was drinking in a bar in Espoo in 2012 or 2013 and heard this from someone at rovio.
At the time they used Riak db and basho were onsite and we asked why they didn't enable inter server encryption. "Because nsa pay us 10m not to".
Guess nsa pulled the Riak cluster protocol off the aws fibre.
Is there any reliable source for NSA paying Rovio other than this random bar discussion? Not that I don't believe you or that I'm naive about NSA and the power of money, but I looked around news in 2014 and the accusations against Rovio specifically are a bit different flavor. It seems that Rovio was oversharing data to ad networks (Millennial Media comes up a lot), and NSA likely slurped data from the advertising companies. This bar banter is suggesting that NSA had some kind of arrangement with Rovio directly instead, and Rovio willingly went along.
Or alternatively, do you feel the Rovio employee's blabbering was talking about an actual, real NSA deal with Rovio, or was it more like a bar joke and direct NSA co-operation was not really implied? (e.g. "we know our security is bad, but these ad companies pay us $XX million to not use encryption so it's sorta like NSA pays us to keep it that way sips beer").
I'm interested, because if that is an actual thing that happened, then that's an example of NSA paying a Finnish company $$$ to weaken their security, and the Finnish company willingly agreeing to that. Is it in NSA's Modus Operandi to approach and then pay foreign companies to do this sort of thing?
Your comment is describing it in few words, but to me it sounds like it maybe wasn't implying an actual NSA direct co-operation, more like someone doing bar banter and being entirely serious. But that's just me trying to guess tone.
(I'm Finnish. I want to know if Rovio has skeletons in their closet. So I can roast them.)
Ah yeah, I saw the propublica as well, it was one of the first articles I found when looking on the topic. I don't doubt at all that Angry Birds data was used by NSA, doesn't seem controversial.
The specific question I am interested in is: Did Rovio knowingly and willingly accept $$$ from NSA (directly or indirectly) to weaken their security? I.e. were they acting as a willing accomplice.
Because that part would be unusual for Finland (well, at least as far as I know). For US companies I wouldn't bat an eye at news like this.
Here is a nice talk by Byron Tau who has also written a book titled "Means of Control" detailing some of these flows covering ad tech companies, data brokers and how government contractors use them and serve as a key player to provide services to intelligence agencies.
I think they definitely knew that they are embedding code from US based ad agencies who might either be selling it to the NSA or just doing it in an insecure manner (plaintext protocols).
Mostly in such cases, direct involvement and paying dollars is a clear no-go for the intelligence agencies. They could instead be paying the ad agencies.
Also note that we are talking pre-Let's encrypt and TLS everywhere world, a lot of this traffic was also just plain text making it much easier to harvest.
Thanks for the resources. Got back to procrastinate on HN and checked the resources (briefly looked at transcript on the video, but found this article more interesting).
I've always assumed that some amount of unencrypted HTTP traffic is going to be slurped into archives, but I've been too lazy to really check an example and how does that look like in the real world. That BADASS system is an example, focusing on phones. I've also run mitmproxy in my home to learn and then I've wondered if the big agencies have something like that but much more scaled and sophisticated.
I've recently got into studying security, deobfuscated code, or decompiling, tried to find vulnerabilities or bad security, in websites and programs. I've found some, although not anything worth writing home about. I found a replay attack in one VSCode extension that implemented its own encrypted protocol, but it is difficult to use it to do real damage. Found a bad integrity check library (hopelessly naive against canonicalization attack) used by another VSCode extension. I've found something weird in Anthropic's Claude website after you log in, but because their "responsible security policy" is so draconian, I don't want to bother trying to poke it to research it further in case I earn their wrath.
Biggest bummer I found that a video game (Don't Starve Together) I had played for a long time with friends does not have any encryption whatsoever for chat messages to this day. (People gonna say private things in video game chats). The other video game I play in multiplayer a lot, Minecraft, has encryption (a bit unusual encryption but it is encryption).
That article gave me a bit of validation that I'm not a nut for giving shits about encryption and security, and being annoyed at ungodly amount of analytics I see in mitmproxy my laptop is blabbering about.
Lol, yeah, I also learned yesterday that there is apparently, NSA, National Security Authority. No, not the NSA this article is talking about and everyone knows about.
I will say I got confused a moment yesterday when googling on the topic here because when you put NSA and Finland in the same search, it would get topics about this other NSA that just happens to exist which I had never heard of before, and just happens to be Finland-associated.
On the other hand it would be a very cheap counter espionage measure if a small stream of such payments was enough to convince China et al that the NSA had not broken encryption.
Earth's oceans contain approximately 1.35 billion cubic kilometers of water. To raise this entire volume from an average temperature of 3.5C to boiling (100 C), we'd need roughly:
1.35 x 10^21 kg x 4,184 J/(kg C) x 96.5C is approximately 5.45 x 10^25 joules
That's 545 million exajoules or about 10,000 times humanity's annual energy consumption.
If you tried to brute-force AES-256 with conventional computers, you'd need to check 2^256 possible keys. Even with a billion billion (10^18) attempts per second:
2^256 operations / 10^18 operations/second is approximately 10^59 seconds. You'd need about 2.7 x 10^41 universe lifetimes to crack AES-256
At about 10 watts per computer, this would require approximately 10^60 joules, or roughly 2 x 10^34 times the energy needed to boil the oceans. You could boil the oceans, refill them, and repeat this process 200 trillion trillion trillion times.
For RSA-2048, the best classical algorithms would need about 2^112 operations. This would still require around 10^27 joules, or about 20 times what's needed to boil the oceans.
ECC with a 256-bit key would need roughly 2^128 operations to crack, requiring approximately 10^31 joules
It's enough to boil the oceans about 2,000 times over.
Quantum computers could theoretically use Shor's algorithm to break RSA and ECC much faster. But to break RSA-2048, we'd need a fault-tolerant quantum computer with millions of qubits. Current quantum computers have fewer than 1,000 stable qubits.
Even with quantum computing, the energy requirements would still be astronomical. Perhaps enough to boil all the oceans once or twice, rather than thousands of times.
That's assuming there's no attacks found in a given algorithm. If there is a feasible attack found, the math changes, sometimes dramatically. And we'll never know it because they sure as hell aren't gonna announce it.
Anyway, I'm not worried because governments don't need to crack encryption to do dastardly shit. They have far easier methods to get what they want.
Also just picking constants for encryption algorithms that are supposed to be "nothing up my sleeve" numbers, like the n first digits of pi.
DJB had a good talk about how many degrees of freedom you can still get picking such numbers and how much you can weaken crypto algorithms (even though not outright breaking them), but I can't find it at the moment
You need to account for the heat of vaporization if you plan on boil away and refilling the oceans for your brute force scheme, so you overestimate how many times you will boil away the oceans by a factor of 6 or something.
"... brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
The "boiling the ocean" argument comes up every once in a while for some time now, just a lot more structured and number packed in the age of LLMs. There are even funny "security" levels based on this [0] like "lake security".
The picture they paint is very useful to help people grasp the scale of "worst case" brute forcing while being completely misleading on the effort needed to break encryption "somehow". Cracking the encryption isn't usually about brute forcing every possible combination, it's all about finding or building a flaw in the algorithm.
Bike thieves don't go through the 10000 combinations on your lock, scammers don't try every possible email password, etc.
Brute forcing a key finds you one answer at a time, hacking the algorithm finds you all answers at once. Without boiling the ocean.
An adversary with full Intel Management Engine (IME) access could intercept AES-NI instruction calls before execution, replacing them with compromised implementations that maintain superficial compliance with expected behaviors. The encryption would still function much like a funeral home makeup artist ensures the deceased appears lifelike. These direct instruction interceptions occur at a level below the operating system and hypervisor, making them essentially invisible to security monitoring.
The IME's DMA capabilities enable memory inspection without host awareness. Cryptographic keys residing in RAM become visible to this subsystem, essentially placing the combination to the digital vault in plain view of an entity designed never to be seen. One might say the keys to the kingdom are being displayed on a billboard visible only to those standing in another dimension. This extraction could happen before legitimate AES-NI operations even process the key material.
Random number generation becomes particularly vulnerable. By introducing subtle biases to hardware entropy sources like CPU thermal or timing sensors, an adversary could ensure generated keys fall within a predictable pattern while presenting all appearances of randomness.
Statistical tests would show nothing amiss, like a perfectly balanced coin that somehow lands heads 51% of the time over millions of flips, a mathematical miracle that passes unnoticed until the casino's bankruptcy. These manipulations would bias the PRNG to produce predictable entropy patterns that drastically reduce effective key space.
Microcode updates deployed through IME channels could modify AES-NI instruction behavior at its core, ensuring the cryptographic equivalent of building a vault door with steel exterior panels but papier-mache hinges. Everything looks secure until someone approaches from the correct angle. These updates could specifically target the AES-NI implementation to use reduced key space or introduce mathematical weaknesses into the diffusion properties of the algorithm.
Side-channel attack facilitation presents another avenue for compromise. The IME could enable precise timing measurements of AES operations, deliberately increase susceptibility to cache-timing attacks, and manipulate power states to enhance the effectiveness of power analysis techniques while appearing to function normally.
The most effective entropy reduction strategy would likely combine several approaches: replacing the AES-NI implementation with one that only explores a fraction of the key space, creating deterministic but seemingly random patterns for key generation, leaking key material via covert channels to the IME's persistent storage, and maintaining the outward appearance of full entropy while drastically reducing actual security margins.
Detection of such tampering remains virtually impossible given the IME's isolated execution environment.
Security researchers can only examine the results of cryptographic operations, unable to observe the process directly similar to trying to determine if someone has tampered with your food while blindfolded.
The mathematics of AES remain sound, of course. But mathematics requires faithful execution to maintain security guarantees, and therein lies the fundamental issue.
AES-NI itself doesn't provide an avenue for key entropy reduction, since it doesn't generate keys itself, or for exfiltration of stolen keys through the encrypted output, or for introducing mathematical weaknesses into the diffusion properties of the algorithm. If an AES implementation produces output that differs by even one bit from a correct AES implementation, then decryption will fail.
Non-constant timing would also be detectable, though as you say cache side channels are feasible. Power-side-channel key exfiltration is certainly feasible if the attacker can measure power consumption, but AES-NI isn't relevant to many threat models that permit power side channels; amd64 CPUs aren't used in smartcards.
But certainly the IME could steal AES or other cryptographic keys from memory, store them in its own storage, and leak them through some other channel.
This is an excellent comment, but I think it's worth pointing out some lacunae.
The most important one is that we're assuming that nobody finds a weakness in AES-256, so we have to brute-force it instead of taking some kind of shortcut. Historically speaking, that doesn't seem like a sure bet. (Some slight progress has been made on AES, but nothing practically useful yet: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...) Similar comments apply to factoring large semiprimes and ECDLP; algorithmic improvements could remove many orders of magnitude from these estimates.
Sometimes, even when weaknesses aren't known in the algorithms themselves, there are weaknesses in how they are applied. The Debian OpenSSL fiasco, which seems to have been accidental, may be the best-known example: all secret keys were generated with only 16 bits of entropy. Reusing IVs for OFB or CTR mode is also catastrophic.
A somewhat pedantic note is that you seem to be using two conflicting definitions of "boil the oceans" in different parts of your comment: to raise them to the boiling temperature while leaving them liquid, at first, and to convert them to vapor, later, since you talk about "refilling them". Converting them to vapor requires several times more energy than that. Also, you dropped an order of magnitude somewhere; raising the oceans to boiling requires 5.46 × 10²⁶ J, not 5... × 10²⁵ as you say. ("545 million exajoules" is correct.)
I used `cal_mean` from units(1) to do the calculation, which is based on the mean specific heat of water from 1° to 100°. I'm not sure that's correct for salt water, though, and in any case that's a minor error.
"about 10,000 times humanity's annual energy consumption" is wrong. 545 million exajoules is about a million years of humanity's energy consumption, which is only about 18 terawatts, excluding agriculture.
As gosub100 pointed out, on average you only have to try 2²⁵⁵ possible keys before finding the right one, not all 2²⁵⁶, but that's only a factor of 2.
10¹⁸ AES attempts per second does seem like a reasonable upper bound, but it's much faster than currently existing encryption hardware. 10¹⁸ Hz is the frequency of 0.3-nanometer X-rays with an energy of about 4000 electron volts. I feel like any computer hardware that is performing operations that fast probably cannot be made out of molecules or atoms. You might be able to build it on the surface of a neutron star or a black hole. Seth Lloyd's Nature paper from 02000 on the "ultimate laptop", "Ultimate physical limits to computation", explores some of the physical phenomena involved, and how fast they could possibly compute: https://faculty.pku.edu.cn/_resources/group1/M00/00/0D/cxv0B...
If we take 10¹⁸ Hz and 2²⁵⁶ cycles as given, it is true that one computer would need 10⁵⁹ seconds to finish the job (4×10⁵¹ years), which is indeed about 2.7 × 10⁴¹ times longer than the universe has existed so far (13.79 billion years). But it's worth pointing out that the universe's lifetime is not yet over; it is expected to continue existing much longer than that: https://en.wikipedia.org/wiki/Timeline_of_the_far_future lists various stages of its future evolution, including the end of star formation in 10¹²–10¹⁴ years, the last star burning out in 1.2 × 10¹⁴ years, 10³⁰ years until all the galaxies fall apart, 2×10³⁶–3×10⁴³ years until all protons and neutrons are gone (if protons decay), 10⁹¹ years until the Milky Way's black hole evaporates, and 10¹⁰⁶–2.1×10¹⁰⁹ years until the last black holes evaporate. If protons are stable, you could definitely build a computer that kept computing for the necessary 10⁵² years.
And (as you point out next!) you could use more than one computer. If you could somehow use 10⁵⁹ computers, you could finish the job in a second, rather than in untold eons. It depends on how many computers you can get!
"10 watts" is a somewhat handwavy estimate. Most of the computers around me, in things like my multimeter and my MicroSD card, use a lot less power than that, often a few milliwatts. (The fact that the MicroSD card doesn't have a monitor and keyboard is irrelevant to using it for AES cracking.) I'm currently working on a project called the Zorzpad, to build a self-sufficient portable personal computing environment on under a milliwatt, something that has become possible recently due to advancements in subthreshold digital logic.
But even a milliwatt may be an overestimate for AES cracking on classical hardware, because reversible logic may be able to drop power consumption by one or more additional orders of magnitude, and as far as we know, there's no lower limit (not even the ones Lloyd's article talks about apply). AES cracking is especially suited for reversible computing, which is why I used it as an example in this comment a week ago: https://news.ycombinator.com/item?id=43850835
It may be worth pointing out that 10⁶⁰ joules (which, despite the possible weaknesses above in its derivation, is certainly a plausible ballpark) is a large number not just measured against Earth, but measured against the Sun and indeed the energy output of the entire Milky Way galaxy.
It's even large compared to the available energy in the Milky Way. If you divide it by c² you get 1.2 × 10⁴³ kg. The Milky Way weighs 1.15 × 10¹² solar masses (https://en.wikipedia.org/wiki/Milky_Way) which turns out to be 2.29 × 10⁴² kg, which is 2.06 × 10⁵⁹ J. So even if you converted the entire galaxy into energy to power your AES crackers, you wouldn't get 10⁶⁰ J.
It's probably worth including AES performance numbers on currently available hardware. You'll still get galactic numbers demonstrating that AES-256 is not currently brute-forceable.
Thank you for this correction and additional perspective.
The Debian vulnerability was particularly bad. An AES key with 16 bits of entropy can be broken with the energy used by a single LED for a fraction of a nanosecond.
Reducing entropy covertly is probably the sole purpose of the so-called Intel Management Engine
I'm not sure the Debian vulnerability affected AES keys, but it definitely affected RSA keys.
A single LED is somewhere between 1 milliwatt and 1 watt, so in a tenth of a nanosecond it uses between 100 femtojoules and 100 picojoules. 2¹⁵ AES encryption operations currently require a lot more energy than that. I'm not sure how much, but it's a lot more.
How much does an AES encryption operation take? https://calomel.org/aesni_ssl_performance.html suggests AES-256-GCM runs at 2957 megabytes per second on each core of an "Intel Gold 5412U", which https://www.intel.la/content/www/xl/es/products/sku/232374/i... tells me is a 24-core CPU launched in Q1 of 02023 with a TDP of 185 watts. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard says the AES block size is 128 bits, so 2957MB/s is 185 million blocks per second per core. Dividing 185 watts by 24 cores of that gives 41.7 nanojoules per block. This is probably reasonably representative of energy requirements for current AES hardware implementations. It presumably doesn't include key setup time, and brute-force cracking will do more key setup than normal encryption, but it's probably in the ballpark, especially for dedicated chips ticking through closely related keys. In any case, key setup surely cannot take less than zero energy, so this represents a lower bound.
Running
openssl speed -elapsed -evp aes-256-gcm
on my own laptop (without -evp, I get "speed: Unknown algorithm aes-256-gcm"), I get 3900 megabytes per second for large block sizes, or 2300 megabytes per second running on battery power.
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
AES-256-GCM 353329.81k 1012347.01k 2190564.18k 3178319.19k 3791358.63k 3676427.61k
According to
cat /sys/class/power_supply/BAT0/power_now
I'm using about 12–16 million microwatts to do this, compared to about 6–8 watts when idle. So we can ballpark the AES energy consumption around 7 watts. Dividing that by 2300 megabytes per second, it comes out to about 49 nanojoules per block. This is reassuringly similar to the calomel numbers.
The number for 16-byte blocks is much lower, like 240 megabytes per second on battery and 360 megabytes per second on AC power. This probably tells us key setup takes about an order of magnitude more energy than encrypting a block, but maybe that's just because AMD was optimizing encryption speed over key setup speed.
2¹⁵ times 40 nanojoules is 1.3 millijoules. This is between 13 million and 13 billion times more than the energy used by a single LED for a fraction of a nanosecond.
Also, 2²⁵⁵ times 40 nanojoules is 2.3 × 10⁶⁹ J, a couple billion times larger than your estimate upthread. It's pretty amazing than in 67 nanoseconds my CPU can encrypt something such that it would require, as far as we know, the resources of billions of galaxies to decrypt without knowing the key.
The IME is probably a backdoor, but I don't think we have enough information to say clearly what kind of backdoor.
2¹²⁷ nanoseconds would be only 390 billion times longer than the universe has existed so far (13.79 billion years). If you wanted to crack AES-128 with brute force using one-billion-key-per-second cracking computers and could only wait a year, you would need 5.4 sextillion computers. If each of those computers weighed 100 milligrams, in the neighborhood of many current chips, their total mass would be 539 trillion tonnes (5.39 × 10¹⁸ kg, 539 exagrams).
That's only about a hundred thousandth of the mass of the Moon, and there are dozens of asteroids larger than this. Since it's clearly physically possible to disassemble an asteroid, or even the entire Moon, and build computers out of it, AES-128 should not be considered secure against currently known attacks. However, currently, it is not publicly known that the NSA has converted any asteroids into computers, and it seems unlikely to have happened secretly.
It's worth noting that when the NSA invented DES, they took a cipher from IBM and made it more resistant (to differential cryptanalysis, a technique that at the time wasn't known outside the NSA itself).
> NSA gave Tuchman a clearance and brought
him in to work jointly with the Agency on
his Lucifer modification. . . . NSA tried to
convince IBM to reduce the length of the
key from 64 to 48 bits. Ultimately, they
compromised on a 56-bit key.
> The cryptographic core of NSA's sabotage of DES was remarkably blunt: NSA simply convinced Tuchman to limit the key size to 56 bits, a glaring weakness.
> Whit Diffie and Marty Hellman wrote a paper explaining in considerable detail how to build a machine for $20 million that would break each DES key with an amortized cost of just $5000/key using mid-1970s technology. They predicted that the cost of such a brute-force attack would drop "in about 10 years time" to about $50/key, simply from chip technology improving.
> Diffie and Hellman already distributed drafts of their paper before DES was standardized. Did NSA say, oh, oops, you caught us, this isn't secure?
> Of course not. NSA claimed that, according to their own estimates, the attack was 30000 times more expensive: "instead of one day he gets something like 91 years".
The main source here is https://archive.org/details/cold_war_iii-nsa/cold_war_iii-IS..., "American Cryptology during the Cold War, 1945-1989", DOCID: 523696, REF ID: A523696, a declassified internal NSA history. Longer version of the quote above, originally classified TOP SECRET UMBRA, from p.232 (p.240/271)
> (S CCO) The decision to get involved with NBS was hardly unanimous. From the SIGINT standpoint, a competent industry standard could spread into undesirable areas, like Third World government communications, narcotics traffickers, and international terrorism targets. But NSA had only recently discovered the large-scale Soviet pilfering of information from U.S. government and defense industry telephone communications. This argued the opposite case - that, as Frank Rowlett had contended since World War II, in the long run it was more important to secure one's own communications than to exploit those of the enemy.
> (FOUO) Once that decision had been made, the debate turned to the issue of minimizing the damage. Narrowing the encryption problem to a single, influential algorithm might drive out competitors, and that would reduce the field that NSA had to be concerned about. Could a public encryption standard be made secure enough to protect against everything but a massive brute force attack, but weak enough to still permit an attack of some nature using very sophisticated (and expensive) techniques? NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.
This may sound like a paranoid conspiracy theory, but it is the point of view of an NSA insider, writing in 01998 for an audience of NSA cryptoanalysts and cryptographers to educate them on the history of cryptology during the Cold War. It is understandable that Schneier and others believed that the overall influence of the NSA on DES was to increase its security, because they did not have access to this declassified material when they formed those opinions; it wasn't declassified until July 26, 02013.
That's true, but the fact that NSA wanted to make brute force cheaper also suggests that they didn't have any particular offensive tricks up their sleeve (they had differential cryptanalysis but they used their knowledge defensively) like they did with Dual_EC_DRBG.
Yes; also, if they had had such tricks, they probably would have mentioned them in that document, perhaps in a following paragraph that was censored from the declassified version. But there seems to have been no such paragraph, further supporting your inference.
I like to tell myself that everyone at NSA is a fine upstanding patriot, and that the agency only ever does what is in the best interest of the American People, but that does feel naive at times. Like when they infiltrate international standards bodies to introduce backdoors.
Is downsizing the NSA something we're upset about?
It doesn't even really matter what character most of them have. Most information is on need to know basis for a reason so the one giving the orders can tell a tale about foreign terrorists while the grunts happily surveil the common man.
Wrong assumption. Lets imagine they could costslessly crack the encryption there. But as soon as they use any information gathered that way they risk leaking that they have this incredibly valuable capability. ... valuable and very fragile since people can easily change encryption schemes.
Better to pay every party you need to to have boring vulnerabilities and security shortcomings, so that any information leak doesn't need a capabilities revealing explanation.
So I think this gives you no information on their capabilities beyond bribing commercial players, which isn't exactly new. In the past (and presumably now) our intelligence apparatus has outright owned crypto/security companies in order to distribute backdoored technology.
And of course they have, they're not prohibited, it's highly effective, they'd be incompetent not to.
But knowing still gives you an advantage, even if you can't use it legally -- because you can still use it illegally.
LEO and Prosecutors will use "parallel construction" to construct a narrative about how information was obtained in a legal way even though it was clearly obtained illegally.
Or you could choose to only act on 5% (e.g.) of the information gleaned -- and that which could clearly be shown to be leaked by a third party.
Or say if you were tapping the information of a mob boss, you could leak the information to a competitor and let justice work it's way through the streets instead of the courts.
It's tricky, because you run the risk that any use risks disclosing the capability. Targets can even set traps. E.g. I caught irc opers spying on PMs by sending trap URLs where I secretly could see the access logs. Because great care was taken to make sure the URLs existed nowhere else when they got loaded it was a confirmation that the traffic was monitored.
Now perhaps a somewhat safer tool is to just use the cracking to determine the best targets to bribe or backdoor, but only allow the group with the cracking power to give the names of services to monitor at any cost.
Well, I mean IRC is typically a cess pool these days. So there's a very high likelihood that something may be scanning urls you send across. DCC was a thing back in the IRC days of old, but CGNAT pretty much ended that.
I think what's most interesting along this lines is what happened during WWII when the allies cracked the enigma. Suddenly, they knew what the nazis were sending to each other. Bletchley Park had to keep most of the intelligence secret to itself, because the nazis could get wind of it and changes the procedures to encryption -- particularly if some top secret attack was somehow thwarted out of the blue.
That's why I said the part about "parallel construction". During WWII if the allies captured a spy or a high ranking officer, then they could maybe act on one piece of information -- giving the allies the necessary plausible deniability by blaming it on the captured nazi officer.
I once asked a VP of engineering at a major ISP why they don't add a layer of encryption to their peering and customer connections to prevent spy agencies from tapping their fibre cables. I was expecting him to say it would be too expensive to upgrade all their network hardware given the amount of traffic. Instead he said: "our routers can already do that, but the government regulator stepped in and prevented us from turning it on."
That's pretty wild. Was it an "investment" of some sort, and then the CEO got a hint with a wink, that there is more where it came from if they don't enable any encryption. Anyone from Rovio who got less than $10m in their pocket willing to tell us a story?
If you're the NSA, you can tell Amazon, "Hey here's $1B. You're going to get some fiber outages, and we're also going to buy a bunch of compute from you at an exorbitantly high price you'll charge us. It's fine, we're the NSA. So when the outages happen, don't announce it. Also terrorism."
This is exactly why adversarial countries like China want to block large multinational social media and technology companies from their market. India saw facebook try to meddle in their elections. This is probably why the US should block TikTok, although there are further repercussions on free speech and the free market (something China ideologically doesn’t care about).
And the speech repercussions are more like the entire point of the ban. It's not even about trade or security. I'd be fine if they just said, we're banning this because it's from China.
I recommend reading the court's decision, it goes through all the relevant facts and statutes, how they apply, and more importantly it says that even if the higher standard of scrutiny would apply it would pass the test.
page 40, "The problem for TikTok is that the Government exercised its considered judgment and concluded that mitigation efforts short of divestiture were insufficient, as a TikTok declarant puts it, to mitigate “risks to acceptable levels.” "
According to the bill's sponsor, this is exactly what happened. The bill was dead until the Oct 7 Hamas attacks, then suddenly lawmakers were supporting it for speech reasons.
I still don't quite understand the free speech issue with banning one particular foreign media outlet or platform.
Banning TikTok would do nothing to hinder Americans' ability to say (almost) whatever they want without fear of government retribution. Anything you would have said on TikTok can still be said on Facebook for example, or your own website.
Same reason they can't shut down a newspaper for its opinions. The ban is the government retribution. They also pressure Facebook etc to hide or downrank what they want.
No it isn't. China has already admitted they hacked us all the major US telecoms to spy on American citizens, and shown no indication that they intend to stop doing that sort of thing. We simply can't trust them to install applications on devices that store the most sensitive secrets of our politicians, military leaders, and citizens.
See Volt Typhoon and Salt Typhoon for more information. China admitted that Salt Typhoon was them, and Volt Typhoon is relatively obvious. It's worth also noting that they used the backdoors that were put in place for CISA requests, which is a perfect example of why government mandated backdoors are a bad idea.
This is all true, but it's not the reason for the ban. Sen. Romney admitted it. The sponsor Rep. Gallagher and other lawmakers pretty much said it too.
If Americans are not ideologically opposed to being spied upon by corporations, there is no disconnect here. Americans have strongly signaled, through politics and actions, that they do not give a fuck about their privacy or information security, and ask any voter and they'll repeat some bullshit about "I don't care" or "nothing to hide".
But Americans do not want to be spied upon by a literal adversarial government which sets up police stations in other countries.
I don't want to be spied upon by my country, but currently Republicans want to use the force of the federal government to police and punish wrongthink, and Obama was a true believer in the US spy state, so they didn't exactly try to remove it.
It's hard to get America to undo a policy that was sold as "Kill the terrorists in our country" when those same voters have, 20 years later, enthusiastically supported another round of "kill the brown and muslims because they are terrorists" and want to deport people for tweets.
> What would banning 1 single app do when all of them do the same shit?
That feels like a facetious question. You may as well also ask, "Why we bother arresting the worst murderers when there will still be other murderers?"
> Same reason they can't shut down a newspaper for its opinions
It’s about ownership, not speech. If Bytedance refuses to change TikTok’s ownership, it gets banned for that reason. (Same way a foreign radio station would get banned for violating our ownership rules.)
> bill doesn't cover all apps owned by a foreign adversary. It has to be specifically TikTok or any other eligible app
The law (not bill) requires an interagency process for identifying further targets. It starts with TikTok. It does so because of TikTok’s ownership. Not speech. I say this as someone who worked on and whipped for the bill.
I apologize for not addressing your comment directly. The free speech issue related to a TikTok ban has to do with limiting the audiences that Americans are allowed to engage with. It's not about what they might say, but about what they might hear. The message it sends is:
> You're allowed whatever speech you want, so long as we have influence over the speakers and microphones that you use to do so.
That's going to have a chilling effect on what actually gets said.
I was using "using USD" as a stand-in for "using platforms run by people we can reliably bully into tampering with your speech if it becomes problematic," and also to suggest a bit of corruption on the side, which seems likely given that Zuckerberg and Trump are now buddies.
I don't like the ban, or the fact that the "TikTok bill" ended up granting broad new powers to the executive branch. I just read it a bit differently with regards to free speech.
When it comes to limiting the audience we can engage with, that would require a ban on talking to specific people rather than on a specific platform. Anyone that I may have engaged with on TikTok can still be engaged with on other platforms.
The fact that many of the biggest social media platforms are based in the US and that we saw clear evidence of both the US government's and the plstforms' willingness to collude is a huge problem. To me that's a separate issue than the TikTok ban, though they are in the same arena I suppose.
TikTok is the main place pro-Palestine viewpoints went viral. I don't know whether this is because of the demographics of users, or because US platforms were putting their thumb on the scale, or because TikTok was putting its thumb on the scale, or just randomly, but it is in fact the case.
So that's one quite mainstream opinion that would be suppressed if the government banned TikTok. No, you wouldn't be arrested for posting pro-Palestine stuff to Facebook (at least not under Biden...) but that's not the only way for the government to curtail speech.
Of course you can shout whatever you want alone in your bedroom — this is true even in North Korea or Iran. If the government goes out of its way to make it difficult to publicize certain opinions, it is widely considered to be an infringement on freedom of speech.
Imagine if they shut down CNN and MSNBC for being the most anti-Trump major TV stations. Wouldn’t you think that was an infringement, even if it wouldn’t stop individuals from speaking their mind on the topic?
> If the government goes out of its way to make it difficult to publicize certain opinions, it is widely considered to be an infringement on freedom of speech.
Banning a specific platform would only be making that difficult if there weren't other options. TikToj is one of many social media platforms, and given that industry's tendency to steal each others features and engagement models it isn't even particularly unique in what it offers.
All that said, I'm not a fan of almost any government involvement and would much rather them stay in their lane. I just see this one as an overreach problem rather that a violation of free speech.
If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else? The whole thing is unverifiable because we have no test/control, but it seems implausible that the platform was the only avenue for this particular speech.
> If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else
Not necessarily. It depends why they were primarily successful on TikTok, which we don't know. If it's because American platforms tend not to highly rank content that goes against the US's geopolitical ideology, then no, I wouldn't expect that.
Social media platforms rank content based on how profitable it is to them. There is no evidence to suggest otherwise. Maybe it would be unprofitable to resist censorship requests on behalf of US government, but the exact same pressure would be applied to TikTok.
If the pressure is a direct bribe, then TikTok could get in hot water with China for accepting that bribe. With a US corp, the US government can make any criminal liability go away.
Facebook has severely restricted the ability of Palestinian news outlets to reach an audience during the Israel-Gaza war, according to BBC research - https://www.bbc.com/news/articles/c786wlxz4jgo
This is the smoking gun of actual free speech violation rather than the US government banning a particular platform wholesale.
To be a first amendment violation this would technically have to involve the US government working to censor American's speech over Palestine. Functionally, though, this is a government censoring specific speech and feels very much like a free speech issue.
The companies themselves have free speech. It doesn't really matter how those viewpoints ended up highly-ranked on TikTok, it's their right to choose what they want to display, same with Facebook. And given what happened here, I don't expect Facebook to allow this stuff high-up even if they wanted to before.
Another thing we know is that the White House under Biden was pressuring FB and others to downrank anti-covid-vaccine content until a judge ordered them to stop.
TikTok has different censorship than Meta and Google platforms. More news about the genocide Palestine reached people through TikTok than other platforms that actively banned activitists and journalists reporting on Israel's warcrimes over the past 18 months.
TikTok used to be one of the few big platforms that didn't censor Israel criticism, though that has changed since Trump imperially overrode the law and unbanned them. It's insane the levels of 1st amendment violation and corruption that is OK now.
First amendment violations have always been accepted as long as they were inline with current administration. Since the administration has changed, so has the direction of those violations which just makes it appear like it is new now.
Any one company moderating speech isn't a first amendment violation though. The first amendment is entirely focused on the right to sleek freely without risk of government intervention, it says nothing of private corporation interventions.
I don't defend the practice, but it's a lot easier to hide "adversarial" bot armies on a foreign social network. We have bot armies on US social networks but they are well known and controlled by US interests.
What do not armies have to do with the first amendment though? My right to free speech isn't impeded by someone else standing up a bunch of bots online.
You can free-speech on any platforms that are not found to be hostile to the US, such as possessing the capability for foreign nations to influence US elections by coordinating bots to spread misinformation. Again that's the argument, I don't really agree with it because we do it ourselves. But that's a separate issue.
Banning TikTok would be so much more effective than any of the other products. The people that would see the same content on Facebook is a different audience than what is using TikTok. Planting those seeds of confusion on the younger TikTok audience will have a much better ROI than sowing those oats with the old farts left reading FB feeds.
The first amendment doesn't have anything to do with reach OE impact though.
The whole point is that a citizen can say whatever they want without the government stopping them, it has nothing to do with how many people can hear it or where it can be said.
Makes me wonder if the best inroad into influencing china is just direct bribes to government officials. You can’t do it the old fashioned way of propagandizing the population directly given restrictions on third party content, but I’m sure there are plenty of palms for want of greasing in the east same as there are here. Usually such restrictions on action are specifically to force a greasing of a palm anyhow in order to achieve that action than any outright ban.
Engagement-driven personalized “algo” feeds need to be banned in general, by any countries that don’t want to continue swinging rightward. I would feel a lot more confident about the future of liberal democracy if this were under serious discussion in at least some countries, but, afaik, it’s still not even now (it should have been years ago!) which is worrisome.
Rather than going through 1000s of app companies, why not go directly to the 100s of third party analytic companies?
From my research most all apps use some SDK which tracks users. Many apps use 3 or 4 for various marketing / product / business use cases. I've been tracking this on https://appgoblin.info/companies if anyone wants to check. Try looking at the "no analytics" found groups, which are just apps I haven't found evidence of 3rd party trackers, almost certainly they do use them.
I would like to see world where Angry Birds data at least stays on Angry Birds servers and have been working on building a part of that with OpenAttribution (https://openattribution.dev) to let app/game companies build their marketing pipeline with at least one less tracker in the app.
I think as compute is getting cheaper a lot of this should/can be self-hosted by at least larger companies so they have full control of their BI tools and the data underlying it.
2014? this is really old news, and there's no smoking gun in here. it's not like they are looking through your camera or listening to your mic, it's just "who is using this app" type stuff, and the NSA denies they target people who they are not seeking for other reasons
i'm not saying "believe the NSA" or the Five Eyes, but you already know how you think about that
They deny they target people they aren’t seeking for other reasons (uh, duh? This basically doesn’t say anything at all) but don’t deny mass collection, nor using your data to try to target others (or you, if “other reasons” come up!) or to build a general spying-on-everyone surveillance system.
But sure, I do believe them that they don’t bother to look at it unless they want to. Like… yes, that’s how looking works.
They absolutely did deny mass collection (among other things).
The most charitable interpretation of the claims would be that what NSA calls "collection", every other English-speaking human would call "analysis" (or -maybe- "post-collection preprocessing"). This horseshit was reported in many places at the time, but here's the first vaguely-reputable place I could find talking about this sort of thing today [0]:
> Take, for example, the definition of the term “collection.” What qualifies as intelligence collection is critical to the scope of intelligence activity because it determines when intelligence gathering begins. Although it never provides its own definition, EO 12333 repeatedly refers to collection as the beginning of the intelligence gathering cycle. The agencies themselves elaborate on EO 12333’s general guidance by defining collection in their internal procedures. As we chart in greater detail in our article, the Defense Department’s and the NSA’s definitions of collection vary significantly, even though the NSA is a subordinate agency of the Pentagon.
> The Defense Department defines collection as intelligence gathering at a much earlier point than the NSA’s. Under DoD 5240.01, the department’s current manual, “information is collected when it is received by a Defense Intelligence Component,” regardless of how that information is “obtained or acquired.” By contrast, the NSA’s current version of USSID 18 states that collection “means [the] intentional tasking or SELECTION of identified nonpublic communications for subsequent processing aimed at reporting or retention as a file record.” As a result, collection for the Defense Department’s purposes appears to involve no processing or action; information is collected as soon as it is received. For the NSA, however, collection begins only once the information has been “selected” and put to further use.
> ...Under the NSA’s attorney general guidelines, for example, vast amounts of intelligence could be gathered without technically being collected. This means that, on paper, none of the guidelines’ subsequent protections for or limitations on the use of that intelligence apply when the information is first received. In theory, the NSA’s guidelines might permit the agency to gather significant amounts of unprocessed intelligence and then store it indefinitely.
"who is using this app?" sounds like an innocent enough question until that person dies a moment later for reasons that surely had nothing to do with the app.
"There's no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now."
What possible good is it to know who is using Angry Birds for an intelligence agency? Your explanation makes zero sense. The idea that they’d use it for spying is the only logical explanation.
>It wasn't clear precisely what information can be extracted from which apps, but one of the slides gave the example of a user who uploaded a photo using a social media app. Under the words, "Golden Nugget!" it said that the data generated by the app could be examined to determine a phone's settings, where it connected to, which websites it had visited, which documents it had downloaded, and who its users' friends were.
Sounds like those apps weren't using SSL, and NSA could eavesdrop on whatever API calls or telemetry it was sending? There's no real evidence that those apps are complicit, even though the article tries to imply that.
Was drinking in a bar in Espoo in 2012 or 2013 and heard this from someone at rovio. At the time they used Riak db and basho were onsite and we asked why they didn't enable inter server encryption. "Because nsa pay us 10m not to". Guess nsa pulled the Riak cluster protocol off the aws fibre.
Is there any reliable source for NSA paying Rovio other than this random bar discussion? Not that I don't believe you or that I'm naive about NSA and the power of money, but I looked around news in 2014 and the accusations against Rovio specifically are a bit different flavor. It seems that Rovio was oversharing data to ad networks (Millennial Media comes up a lot), and NSA likely slurped data from the advertising companies. This bar banter is suggesting that NSA had some kind of arrangement with Rovio directly instead, and Rovio willingly went along.
Or alternatively, do you feel the Rovio employee's blabbering was talking about an actual, real NSA deal with Rovio, or was it more like a bar joke and direct NSA co-operation was not really implied? (e.g. "we know our security is bad, but these ad companies pay us $XX million to not use encryption so it's sorta like NSA pays us to keep it that way sips beer").
I'm interested, because if that is an actual thing that happened, then that's an example of NSA paying a Finnish company $$$ to weaken their security, and the Finnish company willingly agreeing to that. Is it in NSA's Modus Operandi to approach and then pay foreign companies to do this sort of thing?
Your comment is describing it in few words, but to me it sounds like it maybe wasn't implying an actual NSA direct co-operation, more like someone doing bar banter and being entirely serious. But that's just me trying to guess tone.
(I'm Finnish. I want to know if Rovio has skeletons in their closet. So I can roast them.)
from an intelligence perspective, this is business as usual.
- Rovio sold data to ad companies (ad companies primarily based in the US)
- They used AWS (to which of course NSA has legal access)
- Data is not end to end encrypted, all metadata sits on servers in plain text and within AWS even moves from server to server in plain text
How much insight metadata can grant to someone like NSA is still wildly underrated.
- https://www.propublica.org/article/spy-agencies-probe-angry-...
Ah yeah, I saw the propublica as well, it was one of the first articles I found when looking on the topic. I don't doubt at all that Angry Birds data was used by NSA, doesn't seem controversial.
The specific question I am interested in is: Did Rovio knowingly and willingly accept $$$ from NSA (directly or indirectly) to weaken their security? I.e. were they acting as a willing accomplice.
Because that part would be unusual for Finland (well, at least as far as I know). For US companies I wouldn't bat an eye at news like this.
Here is a nice talk by Byron Tau who has also written a book titled "Means of Control" detailing some of these flows covering ad tech companies, data brokers and how government contractors use them and serve as a key player to provide services to intelligence agencies.
- https://www.interface-eu.org/events/background-talk-with-byr...
I think they definitely knew that they are embedding code from US based ad agencies who might either be selling it to the NSA or just doing it in an insecure manner (plaintext protocols).
Mostly in such cases, direct involvement and paying dollars is a clear no-go for the intelligence agencies. They could instead be paying the ad agencies.
Also note that we are talking pre-Let's encrypt and TLS everywhere world, a lot of this traffic was also just plain text making it much easier to harvest.
Some interesting insights from this piece: https://web.archive.org/web/20180719081149/https://theinterc...
Thanks for the resources. Got back to procrastinate on HN and checked the resources (briefly looked at transcript on the video, but found this article more interesting).
I've always assumed that some amount of unencrypted HTTP traffic is going to be slurped into archives, but I've been too lazy to really check an example and how does that look like in the real world. That BADASS system is an example, focusing on phones. I've also run mitmproxy in my home to learn and then I've wondered if the big agencies have something like that but much more scaled and sophisticated.
I've recently got into studying security, deobfuscated code, or decompiling, tried to find vulnerabilities or bad security, in websites and programs. I've found some, although not anything worth writing home about. I found a replay attack in one VSCode extension that implemented its own encrypted protocol, but it is difficult to use it to do real damage. Found a bad integrity check library (hopelessly naive against canonicalization attack) used by another VSCode extension. I've found something weird in Anthropic's Claude website after you log in, but because their "responsible security policy" is so draconian, I don't want to bother trying to poke it to research it further in case I earn their wrath.
Biggest bummer I found that a video game (Don't Starve Together) I had played for a long time with friends does not have any encryption whatsoever for chat messages to this day. (People gonna say private things in video game chats). The other video game I play in multiplayer a lot, Minecraft, has encryption (a bit unusual encryption but it is encryption).
That article gave me a bit of validation that I'm not a nut for giving shits about encryption and security, and being annoyed at ungodly amount of analytics I see in mitmproxy my laptop is blabbering about.
Misheard and it was RSA instead of Rovio? The numbers match... :-)
https://www.reuters.com/article/world/exclusive-secret-contr...
Perhaps $10M is the standard rate for this type of service?
Lol, yeah, I also learned yesterday that there is apparently, NSA, National Security Authority. No, not the NSA this article is talking about and everyone knows about.
I mean: National Security Authority, "Kansallinen turvallisuusviranomainen", which appears to be some office/people under Finnish foreign affairs: https://um.fi/national-security-authority-nsa-contact-inform...
I will say I got confused a moment yesterday when googling on the topic here because when you put NSA and Finland in the same search, it would get topics about this other NSA that just happens to exist which I had never heard of before, and just happens to be Finland-associated.
I’m actually comforted by the fact that NSA needed encryption turned off to spy.
On the other hand it would be a very cheap counter espionage measure if a small stream of such payments was enough to convince China et al that the NSA had not broken encryption.
Or it was simply cheaper than cracking it.
I was comforted by the idea that it is more expensive than $10m to crack encryption, but this was in 2013.
Earth's oceans contain approximately 1.35 billion cubic kilometers of water. To raise this entire volume from an average temperature of 3.5C to boiling (100 C), we'd need roughly: 1.35 x 10^21 kg x 4,184 J/(kg C) x 96.5C is approximately 5.45 x 10^25 joules That's 545 million exajoules or about 10,000 times humanity's annual energy consumption.
If you tried to brute-force AES-256 with conventional computers, you'd need to check 2^256 possible keys. Even with a billion billion (10^18) attempts per second: 2^256 operations / 10^18 operations/second is approximately 10^59 seconds. You'd need about 2.7 x 10^41 universe lifetimes to crack AES-256
At about 10 watts per computer, this would require approximately 10^60 joules, or roughly 2 x 10^34 times the energy needed to boil the oceans. You could boil the oceans, refill them, and repeat this process 200 trillion trillion trillion times.
For RSA-2048, the best classical algorithms would need about 2^112 operations. This would still require around 10^27 joules, or about 20 times what's needed to boil the oceans.
ECC with a 256-bit key would need roughly 2^128 operations to crack, requiring approximately 10^31 joules It's enough to boil the oceans about 2,000 times over.
Quantum computers could theoretically use Shor's algorithm to break RSA and ECC much faster. But to break RSA-2048, we'd need a fault-tolerant quantum computer with millions of qubits. Current quantum computers have fewer than 1,000 stable qubits. Even with quantum computing, the energy requirements would still be astronomical. Perhaps enough to boil all the oceans once or twice, rather than thousands of times.
That's assuming there's no attacks found in a given algorithm. If there is a feasible attack found, the math changes, sometimes dramatically. And we'll never know it because they sure as hell aren't gonna announce it.
Anyway, I'm not worried because governments don't need to crack encryption to do dastardly shit. They have far easier methods to get what they want.
Also just picking constants for encryption algorithms that are supposed to be "nothing up my sleeve" numbers, like the n first digits of pi.
DJB had a good talk about how many degrees of freedom you can still get picking such numbers and how much you can weaken crypto algorithms (even though not outright breaking them), but I can't find it at the moment
You need to account for the heat of vaporization if you plan on boil away and refilling the oceans for your brute force scheme, so you overestimate how many times you will boil away the oceans by a factor of 6 or something.
For more calculations about the use of (computational) brute force: https://www.schneier.com/blog/archives/2009/09/the_doghouse_...
"... brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
is there a hall of fame for HN comments somewhere because i nominate this one
This is a pretty old pattern (meme?). E.g. also used way back (2004) to what it would take to fill a ZFS storage pool at its maximum size:
https://web.archive.org/web/20170802160910/https://blogs.ora...
Calculating how much work a brute-force attack on a cryptosystem would take goes back to the 01970s if not before.
Maybe this:
>highlights Particularly good comments from over the years
https://news.ycombinator.com/highlights
(via https://news.ycombinator.com/lists)
I want to steal this as a copypasta
The "boiling the ocean" argument comes up every once in a while for some time now, just a lot more structured and number packed in the age of LLMs. There are even funny "security" levels based on this [0] like "lake security".
The picture they paint is very useful to help people grasp the scale of "worst case" brute forcing while being completely misleading on the effort needed to break encryption "somehow". Cracking the encryption isn't usually about brute forcing every possible combination, it's all about finding or building a flaw in the algorithm.
Bike thieves don't go through the 10000 combinations on your lock, scammers don't try every possible email password, etc.
Brute forcing a key finds you one answer at a time, hacking the algorithm finds you all answers at once. Without boiling the ocean.
[0] https://asecuritysite.com/blog/2018-08-05_Boiling-Every-Ocea...
An adversary with full Intel Management Engine (IME) access could intercept AES-NI instruction calls before execution, replacing them with compromised implementations that maintain superficial compliance with expected behaviors. The encryption would still function much like a funeral home makeup artist ensures the deceased appears lifelike. These direct instruction interceptions occur at a level below the operating system and hypervisor, making them essentially invisible to security monitoring.
The IME's DMA capabilities enable memory inspection without host awareness. Cryptographic keys residing in RAM become visible to this subsystem, essentially placing the combination to the digital vault in plain view of an entity designed never to be seen. One might say the keys to the kingdom are being displayed on a billboard visible only to those standing in another dimension. This extraction could happen before legitimate AES-NI operations even process the key material.
Random number generation becomes particularly vulnerable. By introducing subtle biases to hardware entropy sources like CPU thermal or timing sensors, an adversary could ensure generated keys fall within a predictable pattern while presenting all appearances of randomness.
Statistical tests would show nothing amiss, like a perfectly balanced coin that somehow lands heads 51% of the time over millions of flips, a mathematical miracle that passes unnoticed until the casino's bankruptcy. These manipulations would bias the PRNG to produce predictable entropy patterns that drastically reduce effective key space.
Microcode updates deployed through IME channels could modify AES-NI instruction behavior at its core, ensuring the cryptographic equivalent of building a vault door with steel exterior panels but papier-mache hinges. Everything looks secure until someone approaches from the correct angle. These updates could specifically target the AES-NI implementation to use reduced key space or introduce mathematical weaknesses into the diffusion properties of the algorithm.
Side-channel attack facilitation presents another avenue for compromise. The IME could enable precise timing measurements of AES operations, deliberately increase susceptibility to cache-timing attacks, and manipulate power states to enhance the effectiveness of power analysis techniques while appearing to function normally.
The most effective entropy reduction strategy would likely combine several approaches: replacing the AES-NI implementation with one that only explores a fraction of the key space, creating deterministic but seemingly random patterns for key generation, leaking key material via covert channels to the IME's persistent storage, and maintaining the outward appearance of full entropy while drastically reducing actual security margins.
Detection of such tampering remains virtually impossible given the IME's isolated execution environment.
Security researchers can only examine the results of cryptographic operations, unable to observe the process directly similar to trying to determine if someone has tampered with your food while blindfolded. The mathematics of AES remain sound, of course. But mathematics requires faithful execution to maintain security guarantees, and therein lies the fundamental issue.
AES-NI itself doesn't provide an avenue for key entropy reduction, since it doesn't generate keys itself, or for exfiltration of stolen keys through the encrypted output, or for introducing mathematical weaknesses into the diffusion properties of the algorithm. If an AES implementation produces output that differs by even one bit from a correct AES implementation, then decryption will fail.
Non-constant timing would also be detectable, though as you say cache side channels are feasible. Power-side-channel key exfiltration is certainly feasible if the attacker can measure power consumption, but AES-NI isn't relevant to many threat models that permit power side channels; amd64 CPUs aren't used in smartcards.
But certainly the IME could steal AES or other cryptographic keys from memory, store them in its own storage, and leak them through some other channel.
Thanks LLM...
I don't think you'd be the first.
This is an excellent comment, but I think it's worth pointing out some lacunae.
The most important one is that we're assuming that nobody finds a weakness in AES-256, so we have to brute-force it instead of taking some kind of shortcut. Historically speaking, that doesn't seem like a sure bet. (Some slight progress has been made on AES, but nothing practically useful yet: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...) Similar comments apply to factoring large semiprimes and ECDLP; algorithmic improvements could remove many orders of magnitude from these estimates.
Sometimes, even when weaknesses aren't known in the algorithms themselves, there are weaknesses in how they are applied. The Debian OpenSSL fiasco, which seems to have been accidental, may be the best-known example: all secret keys were generated with only 16 bits of entropy. Reusing IVs for OFB or CTR mode is also catastrophic.
A somewhat pedantic note is that you seem to be using two conflicting definitions of "boil the oceans" in different parts of your comment: to raise them to the boiling temperature while leaving them liquid, at first, and to convert them to vapor, later, since you talk about "refilling them". Converting them to vapor requires several times more energy than that. Also, you dropped an order of magnitude somewhere; raising the oceans to boiling requires 5.46 × 10²⁶ J, not 5... × 10²⁵ as you say. ("545 million exajoules" is correct.)
I used `cal_mean` from units(1) to do the calculation, which is based on the mean specific heat of water from 1° to 100°. I'm not sure that's correct for salt water, though, and in any case that's a minor error.
"about 10,000 times humanity's annual energy consumption" is wrong. 545 million exajoules is about a million years of humanity's energy consumption, which is only about 18 terawatts, excluding agriculture.
As gosub100 pointed out, on average you only have to try 2²⁵⁵ possible keys before finding the right one, not all 2²⁵⁶, but that's only a factor of 2.
10¹⁸ AES attempts per second does seem like a reasonable upper bound, but it's much faster than currently existing encryption hardware. 10¹⁸ Hz is the frequency of 0.3-nanometer X-rays with an energy of about 4000 electron volts. I feel like any computer hardware that is performing operations that fast probably cannot be made out of molecules or atoms. You might be able to build it on the surface of a neutron star or a black hole. Seth Lloyd's Nature paper from 02000 on the "ultimate laptop", "Ultimate physical limits to computation", explores some of the physical phenomena involved, and how fast they could possibly compute: https://faculty.pku.edu.cn/_resources/group1/M00/00/0D/cxv0B...
If we take 10¹⁸ Hz and 2²⁵⁶ cycles as given, it is true that one computer would need 10⁵⁹ seconds to finish the job (4×10⁵¹ years), which is indeed about 2.7 × 10⁴¹ times longer than the universe has existed so far (13.79 billion years). But it's worth pointing out that the universe's lifetime is not yet over; it is expected to continue existing much longer than that: https://en.wikipedia.org/wiki/Timeline_of_the_far_future lists various stages of its future evolution, including the end of star formation in 10¹²–10¹⁴ years, the last star burning out in 1.2 × 10¹⁴ years, 10³⁰ years until all the galaxies fall apart, 2×10³⁶–3×10⁴³ years until all protons and neutrons are gone (if protons decay), 10⁹¹ years until the Milky Way's black hole evaporates, and 10¹⁰⁶–2.1×10¹⁰⁹ years until the last black holes evaporate. If protons are stable, you could definitely build a computer that kept computing for the necessary 10⁵² years.
And (as you point out next!) you could use more than one computer. If you could somehow use 10⁵⁹ computers, you could finish the job in a second, rather than in untold eons. It depends on how many computers you can get!
"10 watts" is a somewhat handwavy estimate. Most of the computers around me, in things like my multimeter and my MicroSD card, use a lot less power than that, often a few milliwatts. (The fact that the MicroSD card doesn't have a monitor and keyboard is irrelevant to using it for AES cracking.) I'm currently working on a project called the Zorzpad, to build a self-sufficient portable personal computing environment on under a milliwatt, something that has become possible recently due to advancements in subthreshold digital logic.
But even a milliwatt may be an overestimate for AES cracking on classical hardware, because reversible logic may be able to drop power consumption by one or more additional orders of magnitude, and as far as we know, there's no lower limit (not even the ones Lloyd's article talks about apply). AES cracking is especially suited for reversible computing, which is why I used it as an example in this comment a week ago: https://news.ycombinator.com/item?id=43850835
It may be worth pointing out that 10⁶⁰ joules (which, despite the possible weaknesses above in its derivation, is certainly a plausible ballpark) is a large number not just measured against Earth, but measured against the Sun and indeed the energy output of the entire Milky Way galaxy.
It's even large compared to the available energy in the Milky Way. If you divide it by c² you get 1.2 × 10⁴³ kg. The Milky Way weighs 1.15 × 10¹² solar masses (https://en.wikipedia.org/wiki/Milky_Way) which turns out to be 2.29 × 10⁴² kg, which is 2.06 × 10⁵⁹ J. So even if you converted the entire galaxy into energy to power your AES crackers, you wouldn't get 10⁶⁰ J.
It's probably worth including AES performance numbers on currently available hardware. You'll still get galactic numbers demonstrating that AES-256 is not currently brute-forceable.
Thank you for this correction and additional perspective.
The Debian vulnerability was particularly bad. An AES key with 16 bits of entropy can be broken with the energy used by a single LED for a fraction of a nanosecond.
Reducing entropy covertly is probably the sole purpose of the so-called Intel Management Engine
Happy to contribute!
I'm not sure the Debian vulnerability affected AES keys, but it definitely affected RSA keys.
A single LED is somewhere between 1 milliwatt and 1 watt, so in a tenth of a nanosecond it uses between 100 femtojoules and 100 picojoules. 2¹⁵ AES encryption operations currently require a lot more energy than that. I'm not sure how much, but it's a lot more.
How much does an AES encryption operation take? https://calomel.org/aesni_ssl_performance.html suggests AES-256-GCM runs at 2957 megabytes per second on each core of an "Intel Gold 5412U", which https://www.intel.la/content/www/xl/es/products/sku/232374/i... tells me is a 24-core CPU launched in Q1 of 02023 with a TDP of 185 watts. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard says the AES block size is 128 bits, so 2957MB/s is 185 million blocks per second per core. Dividing 185 watts by 24 cores of that gives 41.7 nanojoules per block. This is probably reasonably representative of energy requirements for current AES hardware implementations. It presumably doesn't include key setup time, and brute-force cracking will do more key setup than normal encryption, but it's probably in the ballpark, especially for dedicated chips ticking through closely related keys. In any case, key setup surely cannot take less than zero energy, so this represents a lower bound.
Running
on my own laptop (without -evp, I get "speed: Unknown algorithm aes-256-gcm"), I get 3900 megabytes per second for large block sizes, or 2300 megabytes per second running on battery power. According to I'm using about 12–16 million microwatts to do this, compared to about 6–8 watts when idle. So we can ballpark the AES energy consumption around 7 watts. Dividing that by 2300 megabytes per second, it comes out to about 49 nanojoules per block. This is reassuringly similar to the calomel numbers.The number for 16-byte blocks is much lower, like 240 megabytes per second on battery and 360 megabytes per second on AC power. This probably tells us key setup takes about an order of magnitude more energy than encrypting a block, but maybe that's just because AMD was optimizing encryption speed over key setup speed.
2¹⁵ times 40 nanojoules is 1.3 millijoules. This is between 13 million and 13 billion times more than the energy used by a single LED for a fraction of a nanosecond.
Also, 2²⁵⁵ times 40 nanojoules is 2.3 × 10⁶⁹ J, a couple billion times larger than your estimate upthread. It's pretty amazing than in 67 nanoseconds my CPU can encrypt something such that it would require, as far as we know, the resources of billions of galaxies to decrypt without knowing the key.
The IME is probably a backdoor, but I don't think we have enough information to say clearly what kind of backdoor.
> you'd need to check 2^256 possible keys
it's very unlikely you'd have to check the entire keyspace before you found it. On average it would be about half.
That reduces the runtime from 2.7 x 10^41 universe lifetimes to 1.35 x 10^41. I'm still not worried.
What if AES-128 is used? The expected keys to check then is just 2^64.
2¹²⁷ nanoseconds would be only 390 billion times longer than the universe has existed so far (13.79 billion years). If you wanted to crack AES-128 with brute force using one-billion-key-per-second cracking computers and could only wait a year, you would need 5.4 sextillion computers. If each of those computers weighed 100 milligrams, in the neighborhood of many current chips, their total mass would be 539 trillion tonnes (5.39 × 10¹⁸ kg, 539 exagrams).
That's only about a hundred thousandth of the mass of the Moon, and there are dozens of asteroids larger than this. Since it's clearly physically possible to disassemble an asteroid, or even the entire Moon, and build computers out of it, AES-128 should not be considered secure against currently known attacks. However, currently, it is not publicly known that the NSA has converted any asteroids into computers, and it seems unlikely to have happened secretly.
Example with smaller numbers:
2^10 / 2 = 512
512 is 2^9
So when dividing powers like this you decrement the exponent.
So no it's not 2^64 but more like 2^127
Dividing a loooong number with a small number has virtually no impact on the number.
My apologies for my flagrant error. Thank you for the correction and clarity.
When the NSA invented AES-256 they have a code they can input to just bypass it.
It's worth noting that when the NSA invented DES, they took a cipher from IBM and made it more resistant (to differential cryptanalysis, a technique that at the time wasn't known outside the NSA itself).
The NSA made it more resistant to differential cryptanalysis, but hundreds of times less resistant to brute-force attack; see http://cr.yp.to/talks/2022.11.10/slides-djb-20221110-nsa-4x3...
> NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification. . . . NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.
https://blog.cr.yp.to/20220805-nsa.html
> The cryptographic core of NSA's sabotage of DES was remarkably blunt: NSA simply convinced Tuchman to limit the key size to 56 bits, a glaring weakness.
> Whit Diffie and Marty Hellman wrote a paper explaining in considerable detail how to build a machine for $20 million that would break each DES key with an amortized cost of just $5000/key using mid-1970s technology. They predicted that the cost of such a brute-force attack would drop "in about 10 years time" to about $50/key, simply from chip technology improving.
> Diffie and Hellman already distributed drafts of their paper before DES was standardized. Did NSA say, oh, oops, you caught us, this isn't secure?
> Of course not. NSA claimed that, according to their own estimates, the attack was 30000 times more expensive: "instead of one day he gets something like 91 years".
The Diffie and Hellman paper from 01977 is https://ee.stanford.edu/~hellman/publications/27.pdf.
The main source here is https://archive.org/details/cold_war_iii-nsa/cold_war_iii-IS..., "American Cryptology during the Cold War, 1945-1989", DOCID: 523696, REF ID: A523696, a declassified internal NSA history. Longer version of the quote above, originally classified TOP SECRET UMBRA, from p.232 (p.240/271)
> (S CCO) The decision to get involved with NBS was hardly unanimous. From the SIGINT standpoint, a competent industry standard could spread into undesirable areas, like Third World government communications, narcotics traffickers, and international terrorism targets. But NSA had only recently discovered the large-scale Soviet pilfering of information from U.S. government and defense industry telephone communications. This argued the opposite case - that, as Frank Rowlett had contended since World War II, in the long run it was more important to secure one's own communications than to exploit those of the enemy.
> (FOUO) Once that decision had been made, the debate turned to the issue of minimizing the damage. Narrowing the encryption problem to a single, influential algorithm might drive out competitors, and that would reduce the field that NSA had to be concerned about. Could a public encryption standard be made secure enough to protect against everything but a massive brute force attack, but weak enough to still permit an attack of some nature using very sophisticated (and expensive) techniques? NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.
This may sound like a paranoid conspiracy theory, but it is the point of view of an NSA insider, writing in 01998 for an audience of NSA cryptoanalysts and cryptographers to educate them on the history of cryptology during the Cold War. It is understandable that Schneier and others believed that the overall influence of the NSA on DES was to increase its security, because they did not have access to this declassified material when they formed those opinions; it wasn't declassified until July 26, 02013.
That's true, but the fact that NSA wanted to make brute force cheaper also suggests that they didn't have any particular offensive tricks up their sleeve (they had differential cryptanalysis but they used their knowledge defensively) like they did with Dual_EC_DRBG.
Yes; also, if they had had such tricks, they probably would have mentioned them in that document, perhaps in a following paragraph that was censored from the declassified version. But there seems to have been no such paragraph, further supporting your inference.
Is there a more efficient way? What's the state of the art?
Only slightly more efficient, 2²⁵⁴·³: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...
IDK, let's ask a mathematician. Oh, they all work for NSA.
Womp womp.
https://therecord.media/nsa-to-cut-up-to-2000-roles-downsizi...
I like to tell myself that everyone at NSA is a fine upstanding patriot, and that the agency only ever does what is in the best interest of the American People, but that does feel naive at times. Like when they infiltrate international standards bodies to introduce backdoors.
Is downsizing the NSA something we're upset about?
It doesn't even really matter what character most of them have. Most information is on need to know basis for a reason so the one giving the orders can tell a tale about foreign terrorists while the grunts happily surveil the common man.
Or when they walk out the door with gigabytes of secret data in their pocket.
If you can find a quantum computing solution it's at worst O(sqrt(n)).
There still seems to be a time factor, if not energy factor to computation.
Shor's algorithm for factoring prime numbers is at best O(log(n)^2 * log(log(n)))
[dead]
Wrong assumption. Lets imagine they could costslessly crack the encryption there. But as soon as they use any information gathered that way they risk leaking that they have this incredibly valuable capability. ... valuable and very fragile since people can easily change encryption schemes.
Better to pay every party you need to to have boring vulnerabilities and security shortcomings, so that any information leak doesn't need a capabilities revealing explanation.
So I think this gives you no information on their capabilities beyond bribing commercial players, which isn't exactly new. In the past (and presumably now) our intelligence apparatus has outright owned crypto/security companies in order to distribute backdoored technology.
And of course they have, they're not prohibited, it's highly effective, they'd be incompetent not to.
But knowing still gives you an advantage, even if you can't use it legally -- because you can still use it illegally.
LEO and Prosecutors will use "parallel construction" to construct a narrative about how information was obtained in a legal way even though it was clearly obtained illegally.
Or you could choose to only act on 5% (e.g.) of the information gleaned -- and that which could clearly be shown to be leaked by a third party.
Or say if you were tapping the information of a mob boss, you could leak the information to a competitor and let justice work it's way through the streets instead of the courts.
It's tricky, because you run the risk that any use risks disclosing the capability. Targets can even set traps. E.g. I caught irc opers spying on PMs by sending trap URLs where I secretly could see the access logs. Because great care was taken to make sure the URLs existed nowhere else when they got loaded it was a confirmation that the traffic was monitored.
Now perhaps a somewhat safer tool is to just use the cracking to determine the best targets to bribe or backdoor, but only allow the group with the cracking power to give the names of services to monitor at any cost.
Well, I mean IRC is typically a cess pool these days. So there's a very high likelihood that something may be scanning urls you send across. DCC was a thing back in the IRC days of old, but CGNAT pretty much ended that.
I think what's most interesting along this lines is what happened during WWII when the allies cracked the enigma. Suddenly, they knew what the nazis were sending to each other. Bletchley Park had to keep most of the intelligence secret to itself, because the nazis could get wind of it and changes the procedures to encryption -- particularly if some top secret attack was somehow thwarted out of the blue.
That's why I said the part about "parallel construction". During WWII if the allies captured a spy or a high ranking officer, then they could maybe act on one piece of information -- giving the allies the necessary plausible deniability by blaming it on the captured nazi officer.
You could leak the private key accidentally on purpose but that would be harder to plausibly deny involvement if that fact leaked.
I'm reminded of a certain XKCD comic[1]. The US government probably doesn't need to crack the encryption to get what they want.
[1]: https://xkcd.com/538/
I once asked a VP of engineering at a major ISP why they don't add a layer of encryption to their peering and customer connections to prevent spy agencies from tapping their fibre cables. I was expecting him to say it would be too expensive to upgrade all their network hardware given the amount of traffic. Instead he said: "our routers can already do that, but the government regulator stepped in and prevented us from turning it on."
That's pretty wild. Was it an "investment" of some sort, and then the CEO got a hint with a wink, that there is more where it came from if they don't enable any encryption. Anyone from Rovio who got less than $10m in their pocket willing to tell us a story?
"How do you get corporate secrets out of a software engineer? Sit them next to another engineer on a plane."
It's elegant. The other person can spill amazing secrets, but there's no way to prove it, so nobody will believe you second-hand.
Why wouldn’t they just give them DB access for the 10m? Id assume NSA would prefer the database to remain encrypted and have an admin account?
Deniability
If you're the NSA, you can tell Amazon, "Hey here's $1B. You're going to get some fiber outages, and we're also going to buy a bunch of compute from you at an exorbitantly high price you'll charge us. It's fine, we're the NSA. So when the outages happen, don't announce it. Also terrorism."
Plausible. You can always deny anything. It just might not be so plausible under scrutiny.
10M sounds like a nice executive bonus. I'm not saying it's a bribe -- I would never, ever do that.
This is exactly why adversarial countries like China want to block large multinational social media and technology companies from their market. India saw facebook try to meddle in their elections. This is probably why the US should block TikTok, although there are further repercussions on free speech and the free market (something China ideologically doesn’t care about).
And the speech repercussions are more like the entire point of the ban. It's not even about trade or security. I'd be fine if they just said, we're banning this because it's from China.
I recommend reading the court's decision, it goes through all the relevant facts and statutes, how they apply, and more importantly it says that even if the higher standard of scrutiny would apply it would pass the test.
https://media.cadc.uscourts.gov/opinions/docs/2024/12/24-111...
page 40, "The problem for TikTok is that the Government exercised its considered judgment and concluded that mitigation efforts short of divestiture were insufficient, as a TikTok declarant puts it, to mitigate “risks to acceptable levels.” "
>"I'd be fine if they just said, we're banning this because it's from China."
Some of us would understand that message, but that would be eternal fuel for a political fire. The Huawei debacle stumbled in serious opposition.
According to the bill's sponsor, this is exactly what happened. The bill was dead until the Oct 7 Hamas attacks, then suddenly lawmakers were supporting it for speech reasons.
I still don't quite understand the free speech issue with banning one particular foreign media outlet or platform.
Banning TikTok would do nothing to hinder Americans' ability to say (almost) whatever they want without fear of government retribution. Anything you would have said on TikTok can still be said on Facebook for example, or your own website.
Same reason they can't shut down a newspaper for its opinions. The ban is the government retribution. They also pressure Facebook etc to hide or downrank what they want.
>The ban is the government retribution.
No it isn't. China has already admitted they hacked us all the major US telecoms to spy on American citizens, and shown no indication that they intend to stop doing that sort of thing. We simply can't trust them to install applications on devices that store the most sensitive secrets of our politicians, military leaders, and citizens.
See Volt Typhoon and Salt Typhoon for more information. China admitted that Salt Typhoon was them, and Volt Typhoon is relatively obvious. It's worth also noting that they used the backdoors that were put in place for CISA requests, which is a perfect example of why government mandated backdoors are a bad idea.
This is all true, but it's not the reason for the ban. Sen. Romney admitted it. The sponsor Rep. Gallagher and other lawmakers pretty much said it too.
What would banning 1 single app do when all of them do the same shit? How does it help anyone to be spied by 1 less app?
If Americans are not ideologically opposed to being spied upon by corporations, there is no disconnect here. Americans have strongly signaled, through politics and actions, that they do not give a fuck about their privacy or information security, and ask any voter and they'll repeat some bullshit about "I don't care" or "nothing to hide".
But Americans do not want to be spied upon by a literal adversarial government which sets up police stations in other countries.
I don't want to be spied upon by my country, but currently Republicans want to use the force of the federal government to police and punish wrongthink, and Obama was a true believer in the US spy state, so they didn't exactly try to remove it.
It's hard to get America to undo a policy that was sold as "Kill the terrorists in our country" when those same voters have, 20 years later, enthusiastically supported another round of "kill the brown and muslims because they are terrorists" and want to deport people for tweets.
The popularity of TikTok in the US suggests Americans don't care about the adversarial govt spying either.
> What would banning 1 single app do when all of them do the same shit?
That feels like a facetious question. You may as well also ask, "Why we bother arresting the worst murderers when there will still be other murderers?"
> Same reason they can't shut down a newspaper for its opinions
It’s about ownership, not speech. If Bytedance refuses to change TikTok’s ownership, it gets banned for that reason. (Same way a foreign radio station would get banned for violating our ownership rules.)
The bill doesn't cover all apps owned by a foreign adversary. It has to be specifically TikTok or any other eligible app the US president has chosen to target. https://www.congress.gov/bill/118th-congress/house-bill/7521...
> bill doesn't cover all apps owned by a foreign adversary. It has to be specifically TikTok or any other eligible app
The law (not bill) requires an interagency process for identifying further targets. It starts with TikTok. It does so because of TikTok’s ownership. Not speech. I say this as someone who worked on and whipped for the bill.
The bill doesn't say anything about speech, but that was the reason it became law. Singling out TikTok made it convenient.
If you're going to tamper with US elections, you should at least have to spend USD to do so?
So are you saying that the free speech issue related to a TikTok ban is based only on what currency is used?
I apologize for not addressing your comment directly. The free speech issue related to a TikTok ban has to do with limiting the audiences that Americans are allowed to engage with. It's not about what they might say, but about what they might hear. The message it sends is:
> You're allowed whatever speech you want, so long as we have influence over the speakers and microphones that you use to do so.
That's going to have a chilling effect on what actually gets said.
I was using "using USD" as a stand-in for "using platforms run by people we can reliably bully into tampering with your speech if it becomes problematic," and also to suggest a bit of corruption on the side, which seems likely given that Zuckerberg and Trump are now buddies.
I don't like the ban, or the fact that the "TikTok bill" ended up granting broad new powers to the executive branch. I just read it a bit differently with regards to free speech.
When it comes to limiting the audience we can engage with, that would require a ban on talking to specific people rather than on a specific platform. Anyone that I may have engaged with on TikTok can still be engaged with on other platforms.
The fact that many of the biggest social media platforms are based in the US and that we saw clear evidence of both the US government's and the plstforms' willingness to collude is a huge problem. To me that's a separate issue than the TikTok ban, though they are in the same arena I suppose.
TikTok is the main place pro-Palestine viewpoints went viral. I don't know whether this is because of the demographics of users, or because US platforms were putting their thumb on the scale, or because TikTok was putting its thumb on the scale, or just randomly, but it is in fact the case.
So that's one quite mainstream opinion that would be suppressed if the government banned TikTok. No, you wouldn't be arrested for posting pro-Palestine stuff to Facebook (at least not under Biden...) but that's not the only way for the government to curtail speech.
Just so you know, the whole world except USA is pro palestine.
A lot of the US population is as well despite how our media frames it.
But a ban on TikTok isn't a ban on pro-Palestine speech. How does banning TikTok stop people from being able to say something in support of Palestine?
Of course you can shout whatever you want alone in your bedroom — this is true even in North Korea or Iran. If the government goes out of its way to make it difficult to publicize certain opinions, it is widely considered to be an infringement on freedom of speech.
Imagine if they shut down CNN and MSNBC for being the most anti-Trump major TV stations. Wouldn’t you think that was an infringement, even if it wouldn’t stop individuals from speaking their mind on the topic?
> If the government goes out of its way to make it difficult to publicize certain opinions, it is widely considered to be an infringement on freedom of speech.
Banning a specific platform would only be making that difficult if there weren't other options. TikToj is one of many social media platforms, and given that industry's tendency to steal each others features and engagement models it isn't even particularly unique in what it offers.
All that said, I'm not a fan of almost any government involvement and would much rather them stay in their lane. I just see this one as an overreach problem rather that a violation of free speech.
Why didn’t you respond to my hypothetical question?
Probably because it TikTok is a video first platform? Text doesn't really do it justice.
Could also just be a demographics thing
If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else? The whole thing is unverifiable because we have no test/control, but it seems implausible that the platform was the only avenue for this particular speech.
> If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else
Not necessarily. It depends why they were primarily successful on TikTok, which we don't know. If it's because American platforms tend not to highly rank content that goes against the US's geopolitical ideology, then no, I wouldn't expect that.
Social media platforms rank content based on how profitable it is to them. There is no evidence to suggest otherwise. Maybe it would be unprofitable to resist censorship requests on behalf of US government, but the exact same pressure would be applied to TikTok.
If the pressure is a direct bribe, then TikTok could get in hot water with China for accepting that bribe. With a US corp, the US government can make any criminal liability go away.
A company has to follow the local rules of a country. Was Microsoft bribed to censor the Tiananmen Square Massacre on Bing?
We forgot the Twitter files already?
[dead]
TikTok isn’t the only non-US social media platform. Why wouldn’t it show up elsewhere?
It is the only one that's widely used in the US, as far as I know.
> If TikTok didn't exist, wouldn't you expect those Pro-Palestine viewpoints to appear somewhere else?
Leaked data reveals Israeli govt campaign to remove pro-Palestine posts on Meta - https://news.ycombinator.com/item?id=43655603
Meta: Systemic Censorship of Palestine Content - https://text.hrw.org/news/2023/12/20/meta-systemic-censorshi...
Facebook has severely restricted the ability of Palestinian news outlets to reach an audience during the Israel-Gaza war, according to BBC research - https://www.bbc.com/news/articles/c786wlxz4jgo
This is the smoking gun of actual free speech violation rather than the US government banning a particular platform wholesale.
To be a first amendment violation this would technically have to involve the US government working to censor American's speech over Palestine. Functionally, though, this is a government censoring specific speech and feels very much like a free speech issue.
Free speech is a broader concept than just the first amendment, or any one specific legal code.
The companies themselves have free speech. It doesn't really matter how those viewpoints ended up highly-ranked on TikTok, it's their right to choose what they want to display, same with Facebook. And given what happened here, I don't expect Facebook to allow this stuff high-up even if they wanted to before.
Another thing we know is that the White House under Biden was pressuring FB and others to downrank anti-covid-vaccine content until a judge ordered them to stop.
> we know is that the White House under Biden was pressuring FB and others to downrank anti-covid-vaccine content
Kind of quaint in 2025.
TikTok has different censorship than Meta and Google platforms. More news about the genocide Palestine reached people through TikTok than other platforms that actively banned activitists and journalists reporting on Israel's warcrimes over the past 18 months.
TikTok used to be one of the few big platforms that didn't censor Israel criticism, though that has changed since Trump imperially overrode the law and unbanned them. It's insane the levels of 1st amendment violation and corruption that is OK now.
First amendment violations have always been accepted as long as they were inline with current administration. Since the administration has changed, so has the direction of those violations which just makes it appear like it is new now.
Any one company moderating speech isn't a first amendment violation though. The first amendment is entirely focused on the right to sleek freely without risk of government intervention, it says nothing of private corporation interventions.
If the government is telling companies what to do, how do you claim there's no government intervention?
Do you also think it's impossible to convict anyone for murder because it was the bullet killing the victim, not the person holding the gun?
The point is Trump extorted Tiktok into censoring speech he doesn't like in exchange for unbannig them.
> I still don't quite understand the free speech issue with banning one particular foreign media outlet or platform.
Half of America's exports is media to foreign countries, you're opening a can of worms.
if they can ban something then everyone else gets worried of being banned and everyone plays it safe.
I don't defend the practice, but it's a lot easier to hide "adversarial" bot armies on a foreign social network. We have bot armies on US social networks but they are well known and controlled by US interests.
What do not armies have to do with the first amendment though? My right to free speech isn't impeded by someone else standing up a bunch of bots online.
You can free-speech on any platforms that are not found to be hostile to the US, such as possessing the capability for foreign nations to influence US elections by coordinating bots to spread misinformation. Again that's the argument, I don't really agree with it because we do it ourselves. But that's a separate issue.
[dead]
Banning TikTok would be so much more effective than any of the other products. The people that would see the same content on Facebook is a different audience than what is using TikTok. Planting those seeds of confusion on the younger TikTok audience will have a much better ROI than sowing those oats with the old farts left reading FB feeds.
The first amendment doesn't have anything to do with reach OE impact though.
The whole point is that a citizen can say whatever they want without the government stopping them, it has nothing to do with how many people can hear it or where it can be said.
You seem to be under the impression that banning TikTok is about freedom of speech. That's why you're confused. Freedom of speech is just the PR spin.
I'd rather have social media reform and stronger algorithm controls for users vs banning meta's biggest competitor that actually does everything people are afraid of tiktok doing https://www.techradar.com/computing/cyber-security/facebooks...
If the US wants to stop meddling in their elections, they should block Facebook.
Now why would the powers that be want to ever abandon their reigns?
Did you mean to write "reins"? This is one rare sentence that works with both spellings, but means different things.
Makes me wonder if the best inroad into influencing china is just direct bribes to government officials. You can’t do it the old fashioned way of propagandizing the population directly given restrictions on third party content, but I’m sure there are plenty of palms for want of greasing in the east same as there are here. Usually such restrictions on action are specifically to force a greasing of a palm anyhow in order to achieve that action than any outright ban.
TBH the US should block Facebook it's just one party doesn't have the voter base and the other party is evil
Engagement-driven personalized “algo” feeds need to be banned in general, by any countries that don’t want to continue swinging rightward. I would feel a lot more confident about the future of liberal democracy if this were under serious discussion in at least some countries, but, afaik, it’s still not even now (it should have been years ago!) which is worrisome.
Rather than going through 1000s of app companies, why not go directly to the 100s of third party analytic companies?
From my research most all apps use some SDK which tracks users. Many apps use 3 or 4 for various marketing / product / business use cases. I've been tracking this on https://appgoblin.info/companies if anyone wants to check. Try looking at the "no analytics" found groups, which are just apps I haven't found evidence of 3rd party trackers, almost certainly they do use them.
I would like to see world where Angry Birds data at least stays on Angry Birds servers and have been working on building a part of that with OpenAttribution (https://openattribution.dev) to let app/game companies build their marketing pipeline with at least one less tracker in the app.
I think as compute is getting cheaper a lot of this should/can be self-hosted by at least larger companies so they have full control of their BI tools and the data underlying it.
But remember folks: China is spying you!
“And that’s why we need to ban TikTok” but not so they can stop influencing you.
“And why we need to stop you from supporting terrorists” but not because we are against your freedom to speak.
2014? this is really old news, and there's no smoking gun in here. it's not like they are looking through your camera or listening to your mic, it's just "who is using this app" type stuff, and the NSA denies they target people who they are not seeking for other reasons
i'm not saying "believe the NSA" or the Five Eyes, but you already know how you think about that
They deny they target people they aren’t seeking for other reasons (uh, duh? This basically doesn’t say anything at all) but don’t deny mass collection, nor using your data to try to target others (or you, if “other reasons” come up!) or to build a general spying-on-everyone surveillance system.
But sure, I do believe them that they don’t bother to look at it unless they want to. Like… yes, that’s how looking works.
They absolutely did deny mass collection (among other things).
The most charitable interpretation of the claims would be that what NSA calls "collection", every other English-speaking human would call "analysis" (or -maybe- "post-collection preprocessing"). This horseshit was reported in many places at the time, but here's the first vaguely-reputable place I could find talking about this sort of thing today [0]:
> Take, for example, the definition of the term “collection.” What qualifies as intelligence collection is critical to the scope of intelligence activity because it determines when intelligence gathering begins. Although it never provides its own definition, EO 12333 repeatedly refers to collection as the beginning of the intelligence gathering cycle. The agencies themselves elaborate on EO 12333’s general guidance by defining collection in their internal procedures. As we chart in greater detail in our article, the Defense Department’s and the NSA’s definitions of collection vary significantly, even though the NSA is a subordinate agency of the Pentagon.
> The Defense Department defines collection as intelligence gathering at a much earlier point than the NSA’s. Under DoD 5240.01, the department’s current manual, “information is collected when it is received by a Defense Intelligence Component,” regardless of how that information is “obtained or acquired.” By contrast, the NSA’s current version of USSID 18 states that collection “means [the] intentional tasking or SELECTION of identified nonpublic communications for subsequent processing aimed at reporting or retention as a file record.” As a result, collection for the Defense Department’s purposes appears to involve no processing or action; information is collected as soon as it is received. For the NSA, however, collection begins only once the information has been “selected” and put to further use.
> ...Under the NSA’s attorney general guidelines, for example, vast amounts of intelligence could be gathered without technically being collected. This means that, on paper, none of the guidelines’ subsequent protections for or limitations on the use of that intelligence apply when the information is first received. In theory, the NSA’s guidelines might permit the agency to gather significant amounts of unprocessed intelligence and then store it indefinitely.
[0] <https://www.lawfaremedia.org/article/what-does-collection-me...>
"who is using this app?" sounds like an innocent enough question until that person dies a moment later for reasons that surely had nothing to do with the app.
> old news
Vogon detected
"There's no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you've had plenty of time to lodge any formal complaint and it's far too late to start making a fuss about it now."
What possible good is it to know who is using Angry Birds for an intelligence agency? Your explanation makes zero sense. The idea that they’d use it for spying is the only logical explanation.
They call them "slippery slopes" for a reason. Why were they collecting this data at all, and why is it constitutional?
That document seems like a useful tool to get elected and then throw in the trash when you are in power.
My dude you can buy troves of data from Grindr, or really any popular “free” app. Advertisers eat this stuff up.
[flagged]
>It wasn't clear precisely what information can be extracted from which apps, but one of the slides gave the example of a user who uploaded a photo using a social media app. Under the words, "Golden Nugget!" it said that the data generated by the app could be examined to determine a phone's settings, where it connected to, which websites it had visited, which documents it had downloaded, and who its users' friends were.
Sounds like those apps weren't using SSL, and NSA could eavesdrop on whatever API calls or telemetry it was sending? There's no real evidence that those apps are complicit, even though the article tries to imply that.
SSL added and removed here ;-)
TikTok's CDNs also don't use SSL, unless that changed.
not using SSL means the app devs were either stupid, or they were complicit.
Detasking, minimization, FAA/PAA incidents database, etc., yeah right!
And don't forget that ad tech has grown more pervasive since then. The NSA is the least of your troubles these days.
Ad-tech does not put people in prison or deport them. The NSA does, via parallel reconstruction.
No it just takes the money out of their pocket and makes them addicted to things so it is Ok.
It is not okay, but it is not anywhere as bad as what the government does in the name of security.
The NSA does not do either of those things
[dead]
[flagged]
EMDASH DETECTED
EMDASH SPOTTED ON LINE 3
INITIALIZING GPTZERO.EXE
OUTPUT: “DON'T EVER USE AI AGAIN.”LibreOffice automatically inserts emdash when I press space after typing "-". :P
[flagged]