Secure messaging app Threema and NIST SP 800-90A

Recently the RSA, a major US computer security firm, told its customers that a random number generator, Dual EC DRBG (NIST 800-90A) used in its software may contain a NSA backdoor and advised it’s customers to discontinue its use: Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm. As this is one of a number of random number generators used in elliptic curve cryptography used in secure messaging app Threema we contacted the Kasper Systems to check this wasn’t a known flaw in their service, see their response below:

Image

While not revealing the random number generator used, it does offer some reassurance that this particular vulnerability isn’t included in the software. Further details of the encryption used can be found in the Threema FAQ.

Microsoft, a trojan horse?

The latest release of the Snowden files published today by the Guardian, “Revealed: how Microsoft handed the NSA access to encrypted messages“, show the extent that Microsoft (and subsidiary Skype) have been collaborating with the NSA. Giving access to encrypted emails, video calls, cloud storage and presumably anything else they wanted. Microsofts defence is that they were legally compelled; completely forgetting the fourth amendment which reads:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

I’m not a lawyer but the FISA court warrants authorising the collection of the data did not specify the person being searched or what the probable cause was; therefore unconstitutional. I’m happy to be corrected in the comments section 🙂

Given more civilians are killed in countries participating in Prism by the police than terrorists you might be forgiven for thinking the blanket analysis and perpetual storage of every private communication is a little disproportionate. An explanation is that the data gathered is being used for more than the prevention of terrorist attacks.

A possibility is that the American government has been monitoring global communications as a mass act of industrial espionage, to gain an advantage from both its allies and enemies alike. This is just a theory but if you’re responsible for a business outside of the US are you happy that the IT your using could be being used to share your intellectual property, gauge your negotiating position (as the US/UK have done in trade negotiations), gain the contact details of prospective clients?

Imagine the advantage a politically well connected US bank would have over its German or British counterpart simply because they’re naively using their competitors national office software and email programs (Outlook/Hotmail). Likewise could an Airbus PowerPoint sales pitch be used to Boeings advantage?

It might now be time to seriously consider installing one of the many easy to use Linux distributions such as Ubuntu, Linux Mint, or Trisquel all of which can be downloaded for FREE and burnt to a DVD for install. All include a LibreOffice which functions in a very similar way to MS Office 2007 (no ribbons).

Send your iPhone messages via Wickr, and short: MSFT, GOOG, AAPL, YHOO