ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Two new encryption algorithms developed by the NSA have been rejected by an international standards body amid accusations of threatening behavior. The "Simon" and "Speck" cryptographic tools were designed to secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a …

  1. GnuTzu

    Pushy People are a Security Risk

    Yeah, it's that simple. The more you push, the more we infosec bods investigate you and the garbage you try to push through.

  2. Yet Another Anonymous coward

    Inconceivable

    If you can't trust American spies to behave openly and honestly for the good of all Nations - who can you trust?

    1. Voland's right hand

      Re: Inconceivable

      You forgot the sarcasm tags.

  3. Anonymous Coward

    'a source that has compromised security-related ISO standards just a few years ago?'

    Reap the fucking whirlwind America!!! You sowed this shit simply by mushrooming your allies. Now from NSA slyness to Facebook + CA + Palantir sleaziness, we don't trust you anymore. Our once great ally is now dead! Frankly, you can trust China more than the US now. Because we know they can't be trusted, but they have an economic awareness of potential fallout too, so China is more cautious about being pushy!

    1. Yet Another Anonymous coward

      Re: 'a source that has compromised security-related ISO standards just a few years ago?'

      Rather like hacking a European maker of SIM cards so you can spy on everyone's calls and then begging to be included in security arrangements once you leave the EU.

  4. Pascal Monett

    "the NSA started attacking the reputations of those experts"

    Really. Like trolls on Slashdot, then ?

    First they get all their shiny toys stolen from under their noses, now they reveal themselves as the fucking trolls they are.

    Well I do hope that this will long be remembered. Nothing proposed by the US should be approved for a very long time.

    Don't forget : it takes time to build trust, but only an instant to lose it.

    And you just lost, NSA.

    Big time.

    1. J. Cook

      Re: "the NSA started attacking the reputations of those experts"

      "Trust is currency, earned in service and spent in betrayal." - Commodore Karl Tagon (handwritten annotation to ‘The Seventy Maxims of Maximally Effective Mercenaries’)

      The NSA lost my trust a long time ago.

    2. Doctor Syntax

      Re: "the NSA started attacking the reputations of those experts"

      "Don't forget : it takes time to build trust, but only an instant to lose it."

      And even longer to rebuild it.

    3. Anonymous Coward

      Re: "the NSA started attacking the reputations of those experts"

      When some of the design choices made by the NSA were questioned by experts, Ashur states, the g-men's response was to personally attack the questioners, which included himself, Orr Dunkelman and Daniel Bernstein, who represented the Israeli and German delegations respectively.

      But what has NSA encryption got to do with Climate change?

      1. Spanners

        Re: "the NSA started attacking the reputations of those experts"

        But what has NSA encryption got to do with Climate change?

        Hypothetically, if scientists started to discuss Climate Change when using this "security", the NSA could pass the content on to the rich sociopaths in the USA who PRETEND that it is not real.

    4. Eddy Ito

      Re: "the NSA started attacking the reputations of those experts"

      Oh come now. Who has been foolish enough to trust the NSA in the past decade or three or six and a half? They probably know full well that they can't lose what they don't have and figured they might as well be as boorish as they please. Remember, these are the guys who regularly lie to congress with impunity.

    5. asdf

      Re: "the NSA started attacking the reputations of those experts"

      Sadly lack of trust can often be overcome with enough money so celebrate now but don't think they are going away any time soon.

      1. Alan Brown

        Re: "the NSA started attacking the reputations of those experts"

        "lack of trust can often be overcome with enough money"

        When it comes to politicians and other entertainers/con artists, yes.

        But in this area, being suspected of saying yes to enough money is itself grounds for losing trust.

  5. Alan J. Wylie

    The ciphers look as if they will remain in the Linux kernel

    http://lists.infradead.org/pipermail/linux-arm-kernel/2018-April/573548.html

    Eric Biggers points out that there is no alternative block cipher suitable for low power processors to support dm-crypt or fscrypt filesystem encryption, and the alternative is no encryption at all.

    Bruce Schneier's opinion is "Personally, I doubt that they're backdoored".

    1. A Non e-mouse

      Re: The ciphers look as if they will remain in the Linux kernel

      I'd be interested to see Daniel Bernstein's opinion.

      1. Nick Kew

        Re: The ciphers look as if they will remain in the Linux kernel

        I'd be interested to see Daniel Bernstein's opinion.

        DJB offers us a cautionary tale.

        July 2008: big headlines in all the mainstream media (I heard it on BBC radio headlines): Internet address system is horribly broken and dangerous. CERT have it here.

        ... yet ...

        July 2001: DJB points out the same thing.

        Seven years, no-one listened. Except those of us who already believed DJB, and used djbdns for our own servers.

    2. arctic_haze

      Re: The ciphers look as if they will remain in the Linux kernel

      Let's wait for Linus Torvalds' opinion ;)

    3. Anonymous Coward

      Do they have backdoors

      into Security Experts as well ?

      1. Dodgy Geezer

        Re: Do they have backdoors

        ...just ask them to bend over....

  6. Norman Nescio

    Interesting times.

    The time to question someone's credentials is before you submit something to be evaluated by them, not afterwards, otherwise it is hard to dispel accusations of sour grapes.

    If you think the evaluation was performed poorly, you are free to raise cogently argued and well-evidenced objections, citing examples, rather than attacking the credentials of the evaluation team.

    With regard to the NSA, it is entirely possible that "Simon" and "Speck" are cryptographically sound (i.e. no cryptographic back door), but are vulnerable to poor implementations. It is suspected that the NSA supported the use of AES because it is easy to mistakenly make a software implementation vulnerable to side-channel attacks [1], [2], [3], especially as the Snowden papers reference NSA and GCHQ projects to subvert encryption (BULLRUN and Edgehill respectively [4]). It is worth remembering that Snowden said "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." The NSA and other agencies are suspected to have worked quite hard to enable poorly implemented strong encryption to be widespread.

    People are a great deal more aware of side-channels now, and look at using constant time algorithms, being careful about use of caches, making power consumption analysis more difficult, and using multiple sources of entropy, and not just a single hardware RNG provided on die by the manufacturer when generating required random numbers for nonces etc. Certifying an algorithm on its own is only one step of the process, as you also need to think about identifying implementation pitfalls to avoid.

    No doubt there will be recriminations and fall-out from this decision. It will be interesting to see what happens next, as low-power IoT things do need some form of good encryption available to them. The show will go on.
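The point about implementations above, and Alan Wylie's note that the kernel wanted Speck for dm-crypt and fscrypt, can be made concrete with the cipher itself. The following is an added example, not code from the article, the forum, the NSA or the Linux kernel: Speck at word level for every published block and key size, straight from the specification (round function, key schedule and the little-endian byte convention of the NSA implementation guide), checked against the Speck128/128 test vector printed in the Simon and Speck paper. What it shows is why the family is attractive to implementers worried about side channels: every operation is an addition, a rotation or an xor on whole words, so a plain implementation has no key- or data-dependent table lookups of the kind that make a naive T-table AES leak through the cache. That property says nothing about whether the design is sound, which was the question in front of ISO.

```python
"""Speck (Beaulieu et al., NSA, 2013) at word level, for every published
block/key size, plus byte helpers using the little-endian convention of the
NSA implementation guide. Added example; not the article's or the kernel's code."""

# (block bits, key bits) -> (word bits n, key words m, rounds T, alpha, beta)
SPECK_PARAMS = {
    (32, 64): (16, 4, 22, 7, 2),
    (48, 72): (24, 3, 22, 8, 3),
    (48, 96): (24, 4, 23, 8, 3),
    (64, 96): (32, 3, 26, 8, 3),
    (64, 128): (32, 4, 27, 8, 3),
    (96, 96): (48, 2, 28, 8, 3),
    (96, 144): (48, 3, 29, 8, 3),
    (128, 128): (64, 2, 32, 8, 3),
    (128, 192): (64, 3, 33, 8, 3),
    (128, 256): (64, 4, 34, 8, 3),
}


class Speck:
    """key_words is the key as printed in the spec, most significant word
    first: (l[m-2], ..., l[0], k[0])."""

    def __init__(self, key_words, block_bits=128, key_bits=128):
        n, m, rounds, alpha, beta = SPECK_PARAMS[(block_bits, key_bits)]
        if len(key_words) != m:
            raise ValueError(f"Speck{block_bits}/{key_bits} needs {m} key words")
        self.n, self.alpha, self.beta = n, alpha, beta
        self.mask = (1 << n) - 1
        self.round_keys = self._expand(key_words, m, rounds)

    def _rol(self, x, r):
        return ((x << r) | (x >> (self.n - r))) & self.mask

    def _ror(self, x, r):
        return ((x >> r) | (x << (self.n - r))) & self.mask

    def _expand(self, key_words, m, rounds):
        # The key schedule is the round function run with the round counter as key.
        k = [key_words[-1]]
        l = list(reversed(key_words[:-1]))  # l[0], l[1], ..., l[m-2]
        for i in range(rounds - 1):
            l.append(((k[i] + self._ror(l[i], self.alpha)) & self.mask) ^ i)
            k.append(self._rol(k[i], self.beta) ^ l[i + m - 1])
        return k

    def encrypt(self, x, y):
        # Add, rotate, xor only: no key- or data-dependent lookups or branches.
        for rk in self.round_keys:
            x = ((self._ror(x, self.alpha) + y) & self.mask) ^ rk
            y = self._rol(y, self.beta) ^ x
        return x, y

    def decrypt(self, x, y):
        for rk in reversed(self.round_keys):
            y = self._ror(y ^ x, self.beta)
            x = self._rol(((x ^ rk) - y) & self.mask, self.alpha)
        return x, y


def speck_from_bytes(key, block_bits=128):
    """Key bytes -> cipher; words are little-endian, k[0] is the first word."""
    w = block_bits // 16
    words = [int.from_bytes(key[i:i + w], "little") for i in range(0, len(key), w)]
    return Speck(list(reversed(words)), block_bits, len(key) * 8)


def encrypt_block(cipher, block):
    w = cipher.n // 8
    y = int.from_bytes(block[:w], "little")
    x = int.from_bytes(block[w:2 * w], "little")
    x, y = cipher.encrypt(x, y)
    return y.to_bytes(w, "little") + x.to_bytes(w, "little")


def decrypt_block(cipher, block):
    w = cipher.n // 8
    y = int.from_bytes(block[:w], "little")
    x = int.from_bytes(block[w:2 * w], "little")
    x, y = cipher.decrypt(x, y)
    return y.to_bytes(w, "little") + x.to_bytes(w, "little")


if __name__ == "__main__":
    # Speck128/128 test vector from the Simon and Speck paper, in byte form.
    c = speck_from_bytes(bytes(range(16)))
    ct = encrypt_block(c, b" made it equival")
    print(ct.hex())  # 180d575cdffe60786532787951985da6
    assert decrypt_block(c, ct) == b" made it equival"
```

This is a single block primitive, not a usable encryption scheme: a mode of operation, a nonce discipline and authentication still have to be layered on top, which is the part the kernel's dm-crypt and fscrypt supply around whatever block cipher they are given.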

    1. Dodgy Geezer

      Re: Interesting times.

      It would be counterproductive to include anything as blatant as a mistake in an encryption algorithm which is going to be studied by many independent cryptologists.

      But if you know that your codebreakers have skills in a particular area, it makes sense to suggest algorithms which may be more vulnerable to attacks using those skills rather than others...

      1. Michael Wojcik

        Re: Interesting times.

        It would be counterproductive to include anything as blatant as a mistake in an encryption algorithm which is going to be studied by many independent cryptologists.

        A deliberate vulnerability in the algorithm isn't always necessary. Often the mathematics provide a way to insert a backdoor.

        That was the case with Dual_EC_DRBG. No one who knows how the stock curve parameters were arrived at has spoken up - and you couldn't trust anyone who did. If they're backdoored, the only way to find out is by a computationally-infeasible brute-force search (unless you have an algorithm, or very large and reliable QC, that breaks ECC, in which case we have bigger worries).[1]

        Cryptographers were suspicious of Dual_EC_DRBG because no one could tell whether it might be backdoored, and because it had no advantages over other CPRNGs.

        DES is another example. The NSA tweaked the S-Boxes to be resistant to differential cryptanalysis, which was not yet publicly understood. They didn't adjust them to resist linear cryptanalysis. Had they also not yet discovered linear cryptanalysis, or did they leave DES (mildly) vulnerable to it as a backdoor?

        [1] Of course the Dual_EC_DRBG specification tells you how to generate your own parameters, so there was never any reason for anyone to use the ones specified by NIST. Yet, somehow, RSA did in BSAFE. Incompetence or malice? We'll probably never know.

    2. Anonymous Coward

      Re: Interesting times.

      "low-power IoT things do need some form of good encryption available to them."

      You were doing so well till you made that particular claim..

      Back to basics:

      * Who says any of us *need* IoT things? 'need' and 'want' are different, remember.

      * Who says these things need implementations to be low power? What does 'low power' mean anyway in this context? E.g. x86-class power consumption? DAB-radio class power consumption? RFID-tag (or remote vehicle 'unlocking') class power consumption?

      * Who says these things need to be able to securely communicate sensitive data at reasonable speed?

      Examples welcome, but based on the recorded history of IoT stuff so far, and the demonstrable absence of "continuous product and service improvement", the less IoT stuff there is in critical roles in the world around us, the more secure (in some broader sense of the word 'security') most of us will be.

      1. bexley

        Re: Interesting times.

        A Nest smoke alarm is powered by AA batteries, so low power consumption is desirable.

        Philips hue remotes (light switches) are powered by cr2030 batteries....

        1. Michael Wojcik

          Re: Interesting times.

          A Nest smoke alarm ... Philips hue remotes ...

          Yes, those are certainly two things that few people need.

      2. Stoneshop

        Re: Interesting times.

        * Who says any of us *need* IoT things? 'need' and 'want' are different, remember.

        I would consider your fridge ordering a fresh pint of milk to not require a particularly strong encryption, never mind that your fridge is mains-powered and not running on button cells. But for an implanted health-monitoring device (which these days also falls under the IoT label) you need as strong encryption as you can get while consuming next to nothing.

        1. Anonymous Coward

          "I would consider your fridge [..] to not require a particularly strong encryption"

          Are you sure? Fridges are the cause of many house fires. I wouldn't like one that could be manipulated from outside and pushed until it catches fire.

          1. Anonymous Coward

            Re: "I would consider your fridge [..] to not require a particularly strong encryption"

            "I wouldn't like one that could be manipulated from outside and pushed until it catches fire."

            Back in the 20th century, people in various fields used to understand the difference between something designed to be purely observed (e.g. a temperature sensor, a blood sugar monitor, vehicle speed sensor, etc), and something involved in some kind of control process (e.g. a thermostat controlling heating or cooling system, drug pump, vehicle braking system, etc).

            When did people start to get seriously confused about the difference between read-only access to systems and data (mostly harmless, except from a confidentiality point of view) with read-write (potentially catastrophic in some cases)?

            1. Anonymous Coward

              "When did people start to get seriously confused about the difference between"

              When software became the king of them all, so if you can get control of a system you can feed the wrong sensor data to a control system because it's all software controlled, and make it work the wrong way. Weak or backdoored encryption can help to get into a system.

              1. Anonymous Coward

                Re: "When did people start to get seriously confused about the difference between"

                "When *crap* software became the king of them all" surely?

                Any file/storage/device access control system that couldn't distinguish between "no access", "read only" access, and "read write" access would have been laughed out of the industry in the late 20th century. Why are such systems now acceptable?

                "Weak or backdoored encryption can help to get into a system."

                So can total lack of meaningful access control in a 'modern' OS/application combination. Especially where the software and systems providers seem more interested in slurping personal information than actually providing useful, relevant and secure StuffThatWorks.

          2. J. Cook

            Re: "I would consider your fridge [..] to not require a particularly strong encryption"

            "Fridges are the cause of many house fires."

            Primarily because no one ever bothers to clean around the working parts of it. (And before anyone points fingers, I'm guilty as charged; I did mine last year and pulled ~5 years of collected cat fur, dust, and other detritus off the running gear, which ran about two inches thick in some parts. The prompt for this? The fan was making noise. It's running a lot better now. :) )

      3. Anonymous Coward

        Re: Interesting times.

        There are an awful lot of IP cameras floating around on the net. Remember the massive DDoS attack launched from them? The NSA probably wouldn't mind looking through them all to supplement the existing CCTV systems they have access to.

        Strongly encrypted streams sound like a pretty good idea to me.

        1. Terje

          Re: Interesting times.

          And they also tend to have some form of external power supply and thus are able to use decent encryption.

  7. Anonymous Coward

    The phantom downvoter strikes again?

    See: https://forums.theregister.co.uk/post/3488228

    1. Nick Kew

      Re: The phantom downvoter strikes again?

      Interesting. Of course, the phantom downvoter *could* be you, making a story for yourself. Have a downvote, in support of your thesis, and for posting anonymously.

      "Except one" in your post is meaningless: it could just be, for example, a post made after the "downvoter" had been and gone.

  8. John Smith 19

    Sounds like the NSA are playing the standards version of "security by obscurity"

    Their behavior seemed suspicious.

    Was.

  9. Cynicalmark

    Serves them right...

    The ‘nonsuchagency’ got that which they deserved. Unfortunately both USA and Russia have blotted their copybook trying to run roughshod over us, the great unwashed engineer.

    Trust as said before is earned and not gained in schoolyard namecalling - maybe the upcoming Ivy League leavers will learn a lesson from this. When you are told no by the experts, no amount of temper tantrums or threats will faze any professional who knows their tomatoes. I.e. we couldn’t give one shit you are NSA, CIA or FBI - your power outside your borders is limited so up yours you bunch of bullying turds.

    Good on you to all those who told them where to get off.

  10. Anonymous Coward

    Gorillas and Elephants

    That's what the NSA does: gets the low-down on you so they can undermine you later, i.e. by challenging your qualifications. High paranoia - do not trust anyone - a secret is not secret if any others know it.

    Encryption :- many cannot see the Gorilla in the room and it's now dancing with the Elephant. So who needs encryption? Few of us. Much electronics and security can be a distraction that costs individuals and countries much in order to 'cyber up' whilst the Gorilla just walks by the window.

    Do Not Put Valuables on the Internet.

    Convenience is the enemy of security, Overcome your need for convenience and you will be more secure.

    For encryption to truly work you need a new different one every time, and then it's for the short term, just to hold out until D-day.

    Linux:~ hahahahaha, there is so much junk in the Linux kernel you'd probably find DOS in there too.

  11. Kev99

    The "west", and I'm including Japan and SKorea here, are pushing like crazy to get your fridges, tellys, and crappers onto the internet. And which countries have limited or severely constrained internet access? Russia, China, NKorea. Notice anything peculiar? But remember, even tho' a net is just a bunch of holes held together with string it's perfectly safe to hold your privates.

    1. Tomato42

      you really think that Ikea putting lightbulbs on the Internet is a part of some kind of conspiracy?

      your tinfoil is blinding me

      1. Yet Another Anonymous coward

        You don't think that IKEA is some global plot to take over the world?

        Even the Milk Marketing Board fear them

        1. Voland's right hand

          Even the Milk Marketing Board fear them

          I read THIS two days ago. You may change your mind after reading it.

          It explicitly mentions the 1st Battalion of Ikea corps too. No, not a joke either.

          1. phuzz

            "It explicitly mentions the 1st Battalion of Ikea corps too. No, not a joke either."

            Errr, not a joke no, but it is fictional. The real giveaway is the text that says "Science Fiction" in the top left.

            Um, Voland old chum, you do understand the difference between fiction and reality right?

            1. handleoclast

              Fiction and Re

              Um, Voland old chum, you do understand the difference between fiction and reality right?

              Two words: "President Trump."

              Which means we're all living in fiction now, because there's no fucking way this is reality. Not even reality heavily modified by megadoses of LSD.

            2. Voland's right hand

              Um, Voland old chum, you do understand the difference between fiction and reality right?

              I do. I also understand how close fiction can be to reality when it is about the fallout from Brexit, the Transatlantic Partnership treaty and a few other things.

              While the book is much weaker than the phenomenally brilliant Children of Time and nowhere near as horrifying as Dogs of War, this is yet another place where Tchaikovsky's fiction is well rooted in the present. It is a possible future (and not a particularly far-fetched one). Including the 1st Battalion of Ikea.

  12. Anonymous Coward

    Happened at OASIS too

    When I was co-chair of MQTT at OASIS we had a small privately owned member company try to push these same two suspect standards into MQTT 3.1.1 on behalf of a third party. It all smelt very fishy. Seems that said company was being dangled a carrot in terms of juicy contracts.

    1. JassMan

      Re: Happened at OASIS too @AC

      You do realize that posting as AC is a bit pointless when you give so much info about your circumstances that you can only be 1 of 2 (possibly 3) people.

  13. Will Godfrey

    Very helpful NSA

    Now you've told us which professionals have some integrity - the ones you are trying to discredit.

    1. Yet Another Anonymous coward

      Re: Very helpful NSA

      In my professional experience Israelis, especially Israeli academics, are easily pushed around by simple bullying.

      1. Anonymous Coward

        Re: Very helpful NSA

        "In my professional experience Israelis, especially Israeli academics, are easily pushed around by simple bullying."

        Given the extent to which the US and Israel are tied together on intel and military matters, a stand by one good man will not last. Israel receives (publicly) about $4bn a year in defence subsidies from the US. Add that to the fact that TLAs never ever admit they are wrong, and we can expect the Israelis to choose a different representative soon, somebody more acceptable to the lying, cheating, anti-democratic forces of the NSA and others.

      2. Alan Brown

        Re: Very helpful NSA

        ".....are easily pushed around by simple bullying."

        In my experience they're also the ones who try to do it the most and kick up the most fuss when called out on it.

    2. Nick Kew

      Re: Very helpful NSA

      We already have the Kaspersky story. Now this: having DJB in the cast inspires confidence.

      But one day it'll be a double-bluff, they'll attack their own top spy to inspire trust. Cf. Mundt.

    3. Mike Moyle

      Re: Very helpful NSA

      "Now you've told us which professionals have some integrity - the ones you are trying to discredit."

      ...Unless that's what they WANT you to think, and making Ashur and Dunkelman's credentials appear unassailable to the community by loudly and blatantly attacking them is just part of a longer-range plan...!

      (Note to self: Stop at grocery store on way home from work tonight -- Almost out of tinfoil!)

      1. Claptrap314

        Re: Very helpful NSA

        https://www.youtube.com/watch?v=urglg3WimHA

  14. Sanctimonious Prick

    Trust? Who?

    This is a very concerning news article!

    We/everything need(s) strong encryption that can be relied upon (trusted).

    Who do we trust to design the next generation of encryption for IoT?

    The Ruskies?

    I suggest we kidnap some smart people from North Korea to design and code the new standards! :)

  15. JassMan

    A certain T.May is going to be pissed

    How dare those techy people at ISO prevent the free world from having exactly the kind of crypto she has been asking for since she was Home Secretary.

    1. Anonymous Coward

      Re: A certain T.May is going to be pissed

      "the kind of crypto she has been asking for since she was Home Secretary."

      There seems to be a typo here, should have read

      "the kind of crypto that spooks like Charles Farr have been asking for since people like May have been Home Secretary."

      'Twas Ever Thus.

  16. Anonymous Coward

    Amazingly, Edward Snowden has yet to comment on the rejection. ®

    Perhaps Snowden cannot comment because of a DDoS botnet from his microwave oven?

    1. Anonymous Coward

      Re: Amazingly, Edward Snowden has yet to comment on the rejection. ®

      Or because Eddy calls out bullshit when he sees it, but has no need to here because it has been amply dealt with.

  17. rmullen0

    NSA helped Microsoft "secure" Windows Vista

    Never forget that Microsoft worked with the NSA when designing Windows Vista. I vaguely remember Mark Russinovich saying something about fighting the "bad guys" or something like that. Yeah, right. Then, when Snowden leaked information about the NSA in 2013, he acted surprised. Nice act. With the cloud, things have only gotten worse.

    1. Mark 65

      Re: NSA helped Microsoft "secure" Windows Vista

      I have always wondered how “if they have physical access the game is over” and “secure cloud services” can live together. If you don’t control the hardware, the firmware, the virtualisation layer etc how secure can it really be, especially in a post Spectre/Meltdown world?

      1. Claptrap314

        Re: NSA helped Microsoft "secure" Windows Vista

        This is actually a solved problem, from the standpoint of business risk. In the US, there are major companies (like, really, really, big) whose sole business is to provide accounting & auditing services to other businesses. Likewise, law firms. These firms must keep customer data secured and isolated.

        AWS securing and isolating customer data is not a differentiator in the market, it is baseline to entering the market. As Google quickly found out.

        Of course, securing and isolating a NAS is different than securing and isolating a file cabinet. But the principle is the same.

        1. Alan Brown

          Re: NSA helped Microsoft "secure" Windows Vista

          " there are major companies (like, really, really, big) whose sole business is to provide accounting & auditing services to other businesses."

          Yup

          "These firms must keep customer data secured and isolated."

          And so far, there have been some pretty spectacular fails. Those are just the ones we get to hear about.

  18. Anonymous Coward

    Well, as someone noted, that places the IoT at a dilemma. What's left for them to use to secure their communications that isn't a power hog?

    1. Doctor Syntax

      "that places the IoT at a dilemma"

      OTOH I don't think it places most of us in a dilemma in respect of IoT. We wouldn't trust it with or without encryption. In fact, without makes it easier for the users of products to see what it's up to. It's the vendors who need to be trusted and anything that makes it easier for them to hide what they're up to is a good thing. For instance, would anyone have discovered that a smart TV was analysing the user's LAN and reporting back what files it found if the communication had been encrypted?

      1. Charles 9

        What makes you think it's actually the TV and not something else impersonating the TV without some kind of attribution, which encryption can provide?

        Like it or not, IoT is a thing, and more than likely an undead thing, meaning waiting for it to die may not be an option. Hell, it may even be nuke-proof.

        1. Stoneshop

          Nuke-proof IoT?

          That would require the stuff being built using valves (vacuum tubes). Which I wouldn't mind, but low-power and small they'd be not, even when using 5676es.

  19. Schultz

    Lightweight encryption

    I would expect that lightweight encryption could be very useful. Security is proportional to the cost of breaking in. It's not a binary function of unhackable versus hackable; your secure front door will just force the intruders to go through the windows or the walls.

    To maximize its effectiveness, lightweight encryption should be indistinguishable from heavyweight encryption. If the bad actor cannot predict the resources required to break in, it will raise his cost.

    1. Anonymous Coward

      Re: Lightweight encryption

      Security is proportional to the cost of breaking in.

      As previously mentioned, if it is related to health implants, the cost would want to be sky high else there’s the old “his pacemaker failed” assassination vector.

  20. Dodgy Geezer

    Now, where have we seen this before...

    ...When some of the design choices made by the NSA were questioned by experts, Ashur states, the g-men's response was to personally attack the questioners, ...

    Ah, yes. This is the standard practice in Climate Science...

  21. Dodgy Geezer

    NSA are not the only secret organisation...

    There is also the CIA. Who, rather like the UK's SIS, specialise in misinformation techniques.

    If I were looking to compromise the choice of a global crypto standard, using misinformation techniques, I might put a lot of resources into developing a really good algorithm. So much so that few other countries bothered to create one as good.

    Then, present it to the Standards Authority, and behave in such a way as to make them suspicious of my intentions, and reject it.

    Leaving the Standards Authority with no choice but to pick the far less good second-placer.

    Such an approach would be second-nature for the misinformation specialists. Do you remember the fake story going the rounds during the Falklands War about all the water on the island being infected with sheep-fluke? Which resulted in half the weapons resupply flights coming in from Argentina carrying nothing more deadly than water?

    1. Pascal Monett

      Re: "Leaving the Standards Authority with no choice but to"

      go and create a proper encryption system.

      You seriously think that ISO is going to accept a 2nd-rate anything simply because they refused a potential 1st-rate one ? You're thinking bureaucrat.

      Think engineer. They're going to go and make another 1st-rate one, because Standards.

      1. Anonymous Coward

        Re: "Leaving the Standards Authority with no choice but to"

        "You seriously think that ISO is going to accept a 2nd-rate anything simply because they refused a potential 1st-rate one ?"

        Office Open XML? Microsoft's essentially impossible to implement "standard" version of Word's document format. Versus Open Document Format, although at least that's an ISO standard as well.

        1. Mark 65

          Re: "Leaving the Standards Authority with no choice but to"

          Word’s document format isn’t really a lingering concern for most although it is likely a security hazard.

        2. Alan Brown

          Re: "Leaving the Standards Authority with no choice but to"

          "Office Open XML? "

          Which is a classic example of bureaucrat mentality at work.

    2. Stoneshop

      Re: NSA are not the only secret organisation...

      Which resulted in half the weapons resupply flights coming in from Argentina carrying nothing more deadly than water?

      Please do look up the LD50 for dihydrogen monoxide, will you? A mere 6 liters. I don't know how much those planes carried, but I expect the cargo to have been sufficient for killing at least a hundred persons when administering it in the most effective way. Less effective would be freezing it into cubes of about 10 kg (2.38 jubs) each and hitting someone right on the noggin with that from sufficient height, or dropping the entire water container on a group, again from some height.

      Misinformation, my arse.

      1. Dodgy Geezer Silver badge

        Re: NSA are not the only secret organisation...

        Does that mean that if I own a lake the Americans are going to nuke me for having a weapon of mass destruction?

  22. eldakka
    Pint

    That was brave of them

    again voted against the standards at a meeting in the US

  23. Anonymous Coward
    Anonymous Coward

    Feel free to publish the plain text

    Kweiyang Markleysburg centimetre interweaved soken shisham Garling Zoellick clinograph exembryonate extrorse Bandello larum-bell Honorine mysids Landon Euryalida zootomical liverhearted atune Superior Huoh condolers L'Ouverture chacate termor Merri Tzapotec OOP northbound regnerable lactigenous volatilities nonpersuasive three-pound chemosterilant viscerating Frederico superseverely thioarsenic virologies

    1. Dodgy Geezer Silver badge

      Re: Feel free to publish the plain text

      I'm offended on behalf of the Rainbow Multi-Acronym fraternity, and I am going to sue...

  24. TrumpSlurp the Troll
    Holmes

    Why does each IoT device need strong encryption?

    Assuming that WiFi or wired is used within the home then all that is needed is a home IoT hub.

    This can then VPN to any external resource. It can also update any encryption as the standards evolve and firewall the IoT devices from external attack.

    You can take it as a given that there will be no long term support of individual devices (think Android mobile phones) so you need an isolation layer to protect your devices from the exploits as they emerge.

    Raspberry Pi should offer a good starting point.

    1. Stoneshop
      Big Brother

      Re: Why does each IoT device need strong encryption?

      How about you probably not wanting the not very strongly encrypted wireless communication between your implanted blood sugar level monitor and that IoT hub being captured by the neighbours' sprog's Furby Mk.IV, and relayed to someone who should not have access to that data?

      1. Mark 65

        Re: Why does each IoT device need strong encryption?

        There are clearly two categories of IoT device here, medical implants and everything else. For the latter the OP makes a valid point. For health implants I’d argue they need to be very short range and engineered entirely differently from a convenience widget.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why does each IoT device need strong encryption?

          That's an extremely good point.

          Medical devices, like medicine itself, have been too easily compromised by amoral commercialization and profiteering.

          Why do we even allow patents on pharmaceuticals (we came way too close to having one on the Human Genome)? Especially when so much of the basic research is done with government money? Why isn't the hardware, firmware, software of medical devices required to be open source? Why does the complete text of many international standards cost $1,000s to purchase? What about the siloing of important medical research by high priced medical journals?

          Of course even the best encryption is useless if the idiot leadership of manufacturers have allowed hardcoded root passwords to be left in their products, as apparently many have.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why does each IoT device need strong encryption?

            I worked for a company that developed a blood sugar monitoring device that would be attached to the patient and communicate with a wireless device similar to a smart phone. They'd been working on it for a couple of years when I joined them and spent many many millions on the chip inside the device. There was a good mix of tech and medical expertise in the management board and while I am sure everyone wanted to get paid, the costs of development were high and someone has to pay for it.

            I'm a big fan of open source but the fact is governments don't pay for much of anything anymore!

            I still don't understand why the BBC archive is kept from us since we, the licence payers, paid for it; Dad's Army yet again on repeat is all we can hope for (and the biggest sole reason against the licence fee).

            Government bodies can't be trusted to do this stuff so private for profit is the only way.

            1. Anonymous Coward
              Anonymous Coward

              Re: Why does each IoT device need strong encryption?

              "Government bodies can't be trusted to do this stuff so private for profit is the only way."

              Incorrect, because private enterprise will never be interested in one-and-dones. No repeat business. For such long-term goals, it's either the government or bust.

            2. Anonymous Coward
              Anonymous Coward

              Re: Why does each IoT device need strong encryption?

              "I still don't understand why the BBC archive is kept from us since we the license payer, paid for it, dad's army yet again on repeat is all we can hope for (and the biggest sole reason against the license fee)."

              Almost fifteen years ago, the then Director General of the BBC announced pretty much what you describe. It was announced by Greg Dyke in the Richard Dunn Memorial Lecture at the Edinburgh TV Festival in August 2003, and due to be launched a year later.

              The reality seems to be that the BBC-owned archive was eventually privatised (exclusively?) to the likes of Dave, Yesterday, etc (the ones which are part BBC owned?) and they were hoping no one would notice the previous commitment has sunk without trace. And in the post-Birt era, the "BBC" programmes were largely not owned by the BBC,

              Read all about the Creative Archive:

              http://news.bbc.co.uk/1/hi/entertainment/3177479.stm

              "Greg Dyke, director general of the BBC, has announced plans to give the public full access to all the corporation's programme archives.

              Mr Dyke said on Sunday that everyone would in future be able to download BBC radio and TV programmes from the internet.

              The service, the BBC Creative Archive, would be free and available to everyone, as long as they were not intending to use the material for commercial purposes, Mr Dyke added.

              "The BBC probably has the best television library in the world," said Mr Dyke, who was speaking at the Edinburgh TV Festival.

              "Up until now this huge resource has remained locked up, inaccessible to the public because there hasn't been an effective mechanism for distribution. But the digital revolution and broadband are changing all that. For the first time there is an easy and affordable way of making this treasure trove of BBC content available to all."

              [continues]

              The speech in full (in case the details matter):

              http://www.bbc.co.uk/pressoffice/speeches/stories/dyke_richard_dunn.shtml

  25. Claptrap314 Silver badge

    This

    What angered me most about the Snowden-revealed chicanery is the trillions lost due to the need for independent development of encryption techniques. (Not just direct costs, but the delays in dependent technologies as well as the losses due to cracking.)

    I probably ought to reach out to my political contacts and see about having the US just completely pull out of these kinds of things. The only customer that can trust the NSA today is the US government.

  26. Anonymous Coward
    Anonymous Coward

    How

    How does the most criminal tech company/gov gang have anything to do with something like this?

    As an honest American, I am angry that I have them to be ashamed of.

  27. MachDiamond Silver badge

    Not my cup of (Io)T

    I've lived long enough to have bought cool new toys that lose their shine a week after I get them home. The same goes for software to do things that I can do just as easily with a pencil and paper.

    Most of the IoT devices fall into my category as fun for a week until the realization hits that I've complicated some basic task to get features that are just useless. Not only useless, but are likely to be used against me in some way. Why do I need a thermostat connected to the internet? Why should I need to have the ability to monitor or adjust the temperature of the house from anywhere on the planet? I "might" leave the heater set when I leave on holiday, but to date, I've never done that. What that IoT thermostat does do is allow any miscreant that gets into it to run my AC up to ice age and enrich the electric company. I don't see anything wrong with my old fashioned programmable thermostat. About the only upgrade that would be handy is a switch to change over from standard to daylight saving time and back so I don't have to remember how twice a year. If it could set its clock automatically, that would be a help too.

    The bulk of IoT that seems to be getting a big push into the market are self-installed spy devices. I'll stick with requiring the Man to put in their own bugs if they want to that bad.

    In recent news: A killer was caught through having a DNA profile done at an ancestry site. As interesting as it is to know about where your genes have been, it appears that at least one of those companies is happy to let the police rummage around in their files. Yes, I know, I'm paranoid. The bigger question, though, is: am I paranoid enough?
