Author

Topic: [VOTE] Did gov agencies promote MD5 as secure when they knew it was not? (Read 643 times)

newbie
Activity: 14
Merit: 0
Nobody is probably going to argue that Microsoft does not strictly follow U.S. government cryptography security standards.
http://i2.kym-cdn.com/photos/images/original/000/430/877/271.gif

Microsoft does not strictly follow any standards. Everybody knows that.

Something like 99.999% of people would disagree with you.

Microsoft is like a withered limb of the U.S. government.
legendary
Activity: 4522
Merit: 3183
Vile Vixen and Miss Bitcointalk 2021-2023
Nobody is probably going to argue that Microsoft does not strictly follow U.S. government cryptography security standards.


Microsoft does not strictly follow any standards. Everybody knows that.
newbie
Activity: 14
Merit: 0


https://support.microsoft.com/en-us/kb/2862973

Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

More information

    The referenced change for February 2014 that is discussed in Advisory 2862973 applies only to certificates that are used for the following:
        server authentication
        code signing
        time stamping
    Other certificate usages of the MD5 signature hash algorithm will not be blocked.
    In regards to code signing, we will allow signed binaries that were signed before March 2009 to continue to work, even if the signing cert used MD5 signature hash algorithm

----
https://technet.microsoft.com/library/security/2862973

----

Nobody is probably going to argue that Microsoft does not strictly follow U.S. government cryptography security standards.

A timeline.

1) As of 2012 MD5 is accepted for some pretty secure applications as per government standards.

2) May 2012, the Flame malware is discovered in Iran. The malware seems to have been a collaborative effort of several intelligence agencies.

3) The online image of md5, including Wikipedia pages and various other sites is changed to suggest that there was no official backing for md5. It is almost like the government never heard of it.

4) Sha is now the public face of U.S. cryptography. A next gen option of Keccak is being discussed but anyone who uses a search engine can find that it seems to have been built with deliberate flaws.

-----

I'm not against spies stealing from other spies.

I'm against mafia gangster scum who say "Here is a reliable unbroken security system bacfked by the government", knowing full well it is broken.


legendary
Activity: 1512
Merit: 1000
MD5 was known to be insecure since ages. I don't know if governments ever recommended it, but companies like Cisco never did since the late 90's.
newbie
Activity: 14
Merit: 0
If any government did recommend MD5 for security purposes then just point to the recommendation.

Are you saying Microsoft went against U.S. government recommendations in 2012 by using md5?
legendary
Activity: 1284
Merit: 1001
Sorry, my fault. I forgot for a moment how silly conspiracies the participants of this forum will believe. MD5 was discovered to be flawed for security purposes in the 90ies, I thought you meant that they knew before it was publicly known. The Flame malware was discovered in 2012, and practical attacks had been proven many years before that. This is just a lazy programmer who couldn't be bothered to use properly secure systems, and it was taken advantage of. It's the same reason why hackers find and exploit errors in software on a regular basis.

Anyway, that's completely irrelevant for your question, which is what I commented. If any government did recommend MD5 for security purposes then just point to the recommendation.
newbie
Activity: 14
Merit: 0
You can't prove that no government agency ever did this, you can only prove that they did. If there is evidence of this then all you have to do to prove it is to show the evidence.

It sounds like you are being deliberately obtuse.

Did the Flame malware actually exist? Or was it a fiction put out by the Iranians?

If it existed, was it produced by governments that promoted md5 as secure?

Should the altcoin community be 'okay' with using algorithms that are likely flawed, as long as the only governments that can profit from the flaws are our own?

Are 'other' governments ahead or behind us in terms of cutting edge crypto?

Is your point that 'governments' have some higher ethics that justify their having full rape access to cryptocurrencies?
legendary
Activity: 1284
Merit: 1001
You can't prove that no government agency ever did this, you can only prove that they did. If there is evidence of this then all you have to do to prove it is to show the evidence.
newbie
Activity: 14
Merit: 0
One person voted "there is evidence they did not".

In other words while they were distributing the Flame malware they were unaware that the malware had an md5 crack?

Or is the argument that the Flame malware did not actually exist?

My mind is boggled by how far people are bending over to patronize these agencies. They lied about md5 but now they are telling the truth about sha?
newbie
Activity: 14
Merit: 0
I am trying to get a clear answer on this.

From what I understand...

MD5 was widely respected until an Iranian computer company discovered malware that involved an md5 crack. They gave samples to Kaspersky who then analyzed it.

The question. Did major government agencies promote MD5 as 'secure' to the public just so they could play malware games with their political enemies?

I'm not 'pro Iranian' nor anti either.

Ultimately my curiosity is whether or not those responsible in government would tell the public about flaws in cryptography.
Jump to: