The Guardian, New York Times and Pro Publica are running a similar story about the latest NSA news. Here’s the what’s new summary from ProPublica:
- The NSA has secretly and successfully worked to break many types of encryption, the widely used technology that is supposed to make it impossible to read intercepted communications.
- Referring to the NSA’s efforts, a 2010 British document stated: “Vast amounts of encrypted Internet data are now exploitable.” Another British memo said: “Those not already briefed were gobsmacked!”
- The NSA has worked with American and foreign tech companies to introduce weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure.
- The NSA has deliberately weakened the international encryption standards adopted by developers around the globe.
As with most of the Snowden revelations, this one comes from a PowerPoint talking about the program, so there’s some vagueness about exactly what has been accomplished. That vagueness is intentional because this program is “five eyes” secret, meaning only specially cleared analysts from the US, Canada, the UK, Australia and New Zealand can access it. The PowerPoints were apparently created to brief others at a lower security level about the basics of the program. All three news organizations have also agreed not to publish any details that could compromise the NSA’s operation.
So, the big question that is only hinted at in the stories is whether the non-commercial protocols that encrypt internet traffic, SSL/TLS, which is used by the HTTPS protocol that secures web traffic, has been compromised to the point where the five eyes can read any encrypted web traffic that they can intercept. One of the UK slides published by the Guardian seems to hint so, but it’s not clear to me that they have from what I read. That would be a huge revelation if true. HTTPs is used by every so-called secure website, including banks, web email providers and web service providers like Salesforce.
Mino
Honestly, it would seem to be a first-order target if you want to “follow the money” in terrorism.
Face
The NSA is a spy agency. Full stop. Isnt breaking codes one of their charter responsibilities? Isnt that Spy Games 101? Whats the big surprise supposed to be here?
srv
This confirmation, along with Snowden being able to pull docs like this from his position serve as a great service to the US public.
Hopefully, those bombs in Syria won’t achieve their intended purpose of distracting us from the wizards behind the curtain.
RobertDSC-PowerMac G5 Dual
Funny, after reading years of Tom Clancy novels with bits like these “revelations” mixed in, I thought this capability was common knowledge.
Enhanced Voting Techniques
That might explain why the Russian FSO is buying typewriters.
cvstoner
If the NSA has weakened the various security protocols and related processing hardware by installing backdoors and hacking servers, then you can bet that the Chinese, with their notoriously effective espionage network, have discovered these backdoors and hacks as well. So, not only does the NSA now have unrestricted access to all information passed and/or stored on the Internet, but probably the Chinese as well.
I don’t think it is outrageous to suggest that the Internet is now officially broken as a means of trusted commerce. The repercussions of this will be quite far reaching and profound.
Comrade Dread
I’m sure I’ll be called an Obot and asked why I hate liberty, but I don’t see what the problem is with an intelligence agency trying to break encryption or asking developers to build in a way to decrypt suspected files legally.
I always assumed law enforcement could access this stuff.
srv
@Face: This isn’t about codes. It’s about fracking standards and gov’t mandated back doors.
Good luck when someone else exploits those to clean out your bank accounts.
Belafon
@cvstoner: The internet was never secure.
//
And yet, the NSA still has to get a warrant to do anything. They still have to talk to a judge.
eldorado
the surprise, if you will, is large portions of the technology stack haven’t been ‘broken’ in some clever way so much as they have been sabotaged.
Chyron HR
@srv:
Did Obummer personally order thousands of civilians gassed, or was Assad just doing him a “solid”?
Zifnab25
Well, it would also be more obvious to spot, given that if an exploit for https was publicly identified, every teenager script kiddie with a laptop would use it, and the industry would just abandon the protocol.
Back doors built into an OS like Apple or Windows would be less visible and could be rotated or switched on and off with all the periodic “update” patches that you are all but compelled to download every month or so.
mistermix
@RobertDSC-PowerMac G5 Dual: Everyone knows that the NSA tries to break encryption, it’s the details that matter. SSL/TLS, and https, is considered unbreakable with current technology. If the NSA did break it, then that’s a very big deal. It will result in huge amounts of money spent and big revisions to fundamental Internet protocols.
srv
@cvstoner: For the Chinese to not be involved, the NSA would have to be smart enough to design the SoC for the Chinese fabs to not grok it.
That would seem to be quite a gamble.
Botsplainer
@cvstoner:
So you’re abandoning your Platinum Membership to ChickswithDicks.com because the NSA might know?
How many Amazon customers are going to abandon convenience because the NSA knows what they buy? Quit Netflix streaming? Drop iTunes?
Belafon
@Belafon:
Also, if the NSA has cracked them, then some kid sitting in his parent’s basement probably cracked it years ago. Though maybe he’s now working for the NSA. Encryption was always a matter of when it would be broken, not if.
cvstoner
@Face:
This is not a surprise so much as a verification of the worst fears of those who rely on the Internet to securely transfer and store information, such as the global financial community, and any B2B network.
This would be like electricity no longer being a viable means of transferring and storing energy.
Botsplainer
@cvstoner:
Oh. So criminals who launder vast fortunes are going to have to struggle with different methods?
weaselone
@srv:
@cvstoner:
You two do realize that back doors can be made as or even more difficult to hack than the security protocols and supporting hardware itself, right?
cvstoner
@Belafon:
The NSA might, but the Chinese certainly don’t.
Anya
@Face: I was about to say that.
I don’t think a single person on the planet will be shocked to learn that a spy agency is breaking codes and encryptions. The issue is, do they illegally spy on Americans? So far no one presented any concrete evidence that this happens.
Gin & Tonic
@Belafon: They still have to talk to a judge
Who never says “no.”
Comrade Jake
Something tells me the internets are going to be barrels of fun today.
Enhanced Voting Techniques
One thing I do like about Snowdon leeks – the lack of real details on anything. Just all these hints. Maybe it’s because I’ve been working on resumes and cover letters but that does seem a bit like “The NSA has secretly and successfully worked to break many types of encryption, ” is weasel words for “we did it once, er in house” or something like that.
weaselone
@Botsplainer:
Even that’s an overstatement. The NSA only has the potential to know what they buy. It’s very unlikely that the NSA is actually checking up on most peoples purchase history.
Gin & Tonic
@Belafon: Also, if the NSA has cracked them, then some kid sitting in his parent’s basement probably cracked it years ago
You don’t know anything about math, do you?
cvstoner
@Botsplainer:
Yup. And how many financial institutions and B2B enterprises who relied on the Internet as a secure means to cheaply transfer information and manage their global operations are going to now have to reevaluate the Internet as a viable means of doing this?
This is much bigger than you or me.
Mino
@Belafon: That is not certain. Seems to be a lot of in-house subpoenas floating around. And certain work-arounds.
Keith P.
@Face: The surprise would be if they are able to crack SSL or public key encryption in general (SSL uses PKE to start off with so that it can “securely” transmit non-PKE keys for the bulk of the traffic), and if they can break 1024 bit encryption, as the conventional wisdom has been that 1024-bit (what banks use IIRC) is so much more complex than the more common 256-bit that it would take thousands of years to crack.
cvstoner
@weaselone:
I don’t think the Chinese have really had a problem cracking backdoors. The NSA is not the only game in town.
Anya
@srv: Apparently, those bombs are distracting us from a lot of things: Snowden’s revelations, Benghazi, the failure of Obama care, Fast and Furious, IRS scandal, etc. The merger between firebagers and teabaggers is complete.
cvstoner
@Keith P.:
Agreed, except that they have subverted the process by capturing the information at the encryption/decryption points. The problem is not only have they potentially cracked the encryption, but they have subverted the whole encryption process.
cvstoner
@Gin & Tonic:
Well, this is certainly an area in which the Chinese have shown an aptitude.
cleek
unsurprising.
i mean, completely and totally, unsurprising.
nobody who has followed this stuff should be a bit surprised by any of this.
joes527
@Botsplainer: If you haven’t done anything wrong, you have nothing to worry about. Now were did I put my soma….
lojasmo
Next from Snowden: Sky is blue, and water is wet.
Details at eleven.
Belafon
So, do you think this will make everyone switch to Linux?
weaselone
@cvstoner:
Your comment really has no baring as to whether the back doors the NSA had put in makes the security protocols and hardware easier to exploit by the Chinese spy agencies.
joes527
What amuses me is how all the voices that reacted to the earlier revelations with: “Duh. Use encryption.” have been replaced with voices saying: “Duh. Everyone knows encryption has been compromised.”
lojasmo
@joes527:
I don’t recall that. What I do recall is people saying things like “whoever expects privacy while using electronic communications is a fucking idiot.”
mk3872
Not surprised. This is what spy agencies do. I’m glad to find out that our country’s spy agency appears to be quite extraordinary in their abilities.
One thing that is AGAIN not mentioned in this posting: The NSA requires a WARRANT to monitor actual communications that may or may not be encrypted.
Oh the HORROR!
cvstoner
@mistermix:
And who, exactly, are you going to trust to rewrite these protocols that the NSA can’t strong arm into just reinserting a backdoor?
Emma
@Gin & Tonic: He may not and I certainly don’t but I have two members of my extended family who do and I’d bet money that either one of them, given time and incentive, could crack any encryption going.
ANY encryption system short of a one-time pad can be broken, period.
And Russian typewriters? Get a hold of the ribbon. I read that one in a novel written in the 1940s. And don’t tell me human beings aren’t bribable. That is the easiest way to crack a secure system anyone knows of.
daveNYC
Cracking codes is one thing, working to weaken encryption is something totally other. Not to mention that all someone has to do to read all sorts of internet traffic is to get the backdoor info from the NSA. Not something some script kiddie can do, but China and Russia have professional spy agencies who do things like that for a living. So good job with that one NSA peeps.
cvstoner
@mk3872:
The NSA is not the only game in town. If the NSA can do it, then the Chinese have probably figured it out, too, or stolen the technology from the NSA.
Dr. Squid
The NSA was created in 1952 to break codes. Where’s the wrongdoing in that? Why all the arm flapping from the usual tinfoil hatters?
Oh wait, I see, it’s only bad now because, well, Vile Obama.
cvstoner
@daveNYC: Exactly.
Botsplainer
@joes527:
Is mentioning Soma the final upstroke or downstroke fap in a paranoid loon life failure circle jerk?
joes527
@Belafon: So there are problems with Linux too.
1) Binary distributions could have _anything_ built into them.
2) Even if you build everything from source, have you reviewed the entire source base? Would you spot an exploit of you were looking at it? Me neither.
3) Even if you build from source, how do you know that the exploit isn’t in the toolchain?
Keith P.
@cvstoner: That’s scary, because with SSL, the presumption is that there can’t be a man in the middle due to the encryption being done point-to-point (as opposed to something like standard encrypted email, where the server does the encryption, leaving the client-to-server link unsecure).
Belafon
@Gin & Tonic: A few things. And I know what you’re getting at: Throw enough computing power at the problem and it will eventually be broken. I was being a bit tongue-in-cheek, though sometimes the right creativity for solving these problems may come from an unexpected place. Plus, the processing capability for this kind of problem can be found by putting a few high end graphics cards together: A few hundred processors all solving the same problem.
mk3872
@cvstoner: Very likely, same with the Russians. Anyone who is surprised that this activity occurs in large nations like ours is fatally naive.
Gin & Tonic
@cleek: If, as is implied, they influenced the standards-setting process to intentionally weaken SSL, then at least one of the problems introduced by this (yes, surprising) revelation, is that everyone will now be wondering who was the mole. The authors of the various IETF drafts that went into creating the standard are well-known, and their affiliations at the time were/are well-known. Nobody is listed as working for the government. So which of the authors were they leaning on, and how? The whole process of creating Internet standards has always been very public, intentionally. This throws the entire process into question.
The Moar You Know
@Botsplainer: Here’s the real problem. Yeah, all those things are trivial – probably to most people anyway – but the real issue, the real problem, is that the global financial system runs on these protocols. It probably shouldn’t, and never should have been designed that way in the first place, but here we are.
If these protocols have been deliberately backdoored, someone’s going to find that backdoor and exploit it. If a private bad actor/rouge state gets that knowledge, you easily could wake up one day to a situation where the world’s money has all gone. And no way to know who had what (you think a bank is going to take your word for it?) and no way to put it back the way it was.
As far as the rest of it goes, I have gone under the assumption that since the September 11 attacks that all communications were being monitored, and am constantly shocked that most people didn’t think this would or could happen.
Gin & Tonic
@Emma: He may not and I certainly don’t but I have two members of my extended family who do and I’d bet money that either one of them, given time and incentive, could crack any encryption going.
Bullshit.
Scott S.
(A) Why should I be freaked out about this?
(B) If I should be freaked out about this, what should I be doing? Do I need to get off the Internet, burn my computer, and flee to a remote cabin in the Canadian Rockies?
(C) If I burn my computer, tear out my phone lines, stop sending Christmas cards, and stop talking to anyone without turning on the faucet or switching on a white noise generator to foil the NSA’s super-microphones, do I also need to stop using my telepathic powers? Please don’t tell me the NSA is employing rogue telepaths, too!
Starfish
For all of you unsurprised people, how unsurprised will you be when someone uses these backdoors to use web banking to empty your bank account?
Suffern ACE
@srv: so these revelations have now exposed us regular folks to the whims of gangsters?
Belafon
@Starfish: You mean as compared to the person who takes my debit card at the restaurant off into a secret room to “pay my bill”?
Gin & Tonic
@Keith P.: as opposed to something like standard encrypted email, where the server does the encryption,
Not necessarily true. PGP/GPG encrypts/decrypts at the MUA (client.)
Citizen_X
@daveNYC:
Thank you. These are not the Nazi U-boat codes we’re talking about here, these are encryption standards used for commerce worldwide. (Some of which may start routing around the US, eh?) I’d like my measly bank account not cleared out by some Russian hacker, thank you very much.
The Moar You Know
@weaselone: Since the Chinese make most of the chips, computers and routing equipment in the world – even the NSA runs on Chinese hardware – I think you can take it as a given that the existing backdoors, mandated by CALEA, been exploited by the Chinese for far longer than the US.
Betty Cracker
Okay, I don’t know dick about encryption technology, etc., but I do know that many organizations — including the United States government, Bank of America, etc. — have spent years and billions of dollars to encourage consumers to behave as if it were possible to securely view, share and conduct transactions involving sensitive financial data and medical histories, etc., via electronic communication conduits.
Much of the information used to make that case concerned the development and widespread adoption of supposedly secure encryption protocols (which I’ll admit are as mysterious to me as sorcery). Is that all a load of bullshit that we non-IT people are just too goddamned dumb to understand, so we only have ourselves to blame for buying that hooey? Or are all you “yawn, known, burger” folks saying that there are secure platforms for certain types of transactions and that this latest “revelation” concerns only platforms people use to pass around LOLCats, etc.?
Emma
@Starfish: As surprised as I would be now when a waiter can lift my credit card number by swiping it through a handheld device before submitting it to a cashier for service. Or get a hold of supposedly private information like your SS# to steal your whole identity.
Ash Can
OMG THE GOVERNMENT KNOWS MY SOCIAL SECURITY NUMBER OMGWTFBBQ HEAD FOR THE HILLS
raven
@Enhanced Voting Techniques: I like leeks in potato soup my damn self.
Omnes Omnibus
@The Moar You Know:
So, Fight Club here we come?
Xantar
@Starfish:
I’ll be just as surprised as when somebody breaks into my apartment and steals my collection of Legend of Zelda action figures. Nothing is 100% secure, and hopefully there are ways to either catch the criminals or get your stuff back (or both).
Belafon
@joes527: Unless you are talking about someone like Linus Torvolds and the rest of the Linux source group working for the NSA, I’m gonna have to go with trusting the coders. They did, a while back, prevent a code submission from being applied to the kernel that was explicitly designed to create a backdoor.
pluege
what’s amazing about their “five eyes” secret stuff is that a low or mid level grunt such as Snowden would be able to get his hands on it without them knowing. Chutzpah, arrogance, ubber stupidity, self-absorption all come to mind. The people running super secret security in the US should not be – they may be psychologically perverse enough, but they’re sure not smart enough.
Scott S.
And, I suppose, more seriously, if what we’re really upset about is financial shenanigans — well, what the hell are we supposed to do about that? It’s not like we weren’t all ridiculously defenseless against financial shenanigans already.
The banks can already clean out your bank account and vanish to Aruba, and no one will do anything about it, other than giving the banks more money. Amazon can already see anything I’ve got on my Kindle and delete all of it. My ISP certainly has a file of every site I’ve ever looked up. Some schmuck can plug a card reader in at the local gas station, and Russian gangsters will have my credit card number tomorrow. This was all true today, yesterday, and a year ago.
What the fuck am I supposed to do about it, other than scream “Grarr, Obama BETRAYOR!” and promise to vote for Rick Santorum next time?
Jeremy
So I guess the emos are going to keep talking about the NSA to the end of time which will not lead to any reforms. But at least we get to talk about how Obama and the rest of the government are monsters while ignoring more important domestic issues.
Suffern ACE
@Jeremy: the government has been pretty good about ignoring those domestic issues on its own.
Gin & Tonic
@Citizen_X: (Some of which may start routing around the US, eh?)
There’s the rub. Companies outside the US will be increasingly leery of storing data in the US, moving data through the US or using products of US companies, and I think the IT business infrastructure will respond appropriately, to the detriment of US business and to the benefit of, I don’t know, Finland? Switzerland? Netherlands? Not really sure where, but somebody will respond.
Citizen_X
@Omnes Omnibus:
Long as I can hear the Pixies when it all comes crashing dow…SHIT, iTUNES IS DOWN TOO!
srv
@Belafon: And those coders wrote the firmware for that memory or network controller that the NSA designed and the Chinese manufactured?
Obamatons: Yeah, it’s always been about Obama here.
Omnes Omnibus
@Citizen_X:
Vinyl, baby. Vinyl.
MomSense
@Anya:
Drudge is calling it Libertarians (fire and teabaggers) vs. Authoritarians and I don’t know if you have noticed that during this NSA debate there have been a lot of accusations of being an authoritarian.
Gin & Tonic
@Scott S.: What the fuck am I supposed to do about it,
You have elected representatives who make laws. Did you talk to them about, say, PATRIOT Act re-authorization when that vote came up? If they voted to reauthorize, did you support their opponent in the next election cycle?
The Sheriff's A Ni-
@Gin & Tonic:
“Well, you dotted your ‘i’s and crossed your ‘t’s and everything looks in order, but I’m afraid I’m going to have to turn down this warrant request because I can’t look like a prosecutor’s stooge.”
srv
@MomSense: Ever wonder how you get to 72% without a lot of authoritarian Democrats?
I guess it was just the 27%’ers that were against that success.
magurakurin
@Citizen_X:
you do know that Edward Snowden is living in Russia now, right?
JMG
This revelation surprises only because of its stupidity, not its intent. The NSA wishes to spy on all forms of human communication. It of course does not affect me personally. But if I was, oh, head of a Fortune 500 company and now knew that there was a means through which others could access all my trade secrets and confidential communications, it would totally bother me. And I would take steps to address that problem.
It’s only a matter of time before it is discovered that NSA employees are using this capability to feather their own nests.
The Sheriff's A Ni-
@The Moar You Know:
Ooh, I saw that movie too! Does this mean we can hire Bruce Willis to kill the bad guy and bring us our money back?
magurakurin
@Omnes Omnibus:
It seems more like Ice Nine for money.
MomSense
@Omnes Omnibus:
You do realize that you just broke the first rule, right?? Shhhhhh.
Just Some Fuckhead, Thought Leader
Maybe Balloon Juice can host an “Ask the NSA” series so we can better understand how lucky we are to have them looking out for us.
joes527
@Scott S.: Good point. But there is something positive that you can do. Whenever there is a revelation that makes you feel uncomfortable, put your hands over your ears and sing out: LALALALALALALALA I CAN’T HEAR YOU.
Jeremy
@Suffern ACE: No not really. Republicans have been good at it and many emos who continue to whine and complain about the NSA, but provide no solution or plans to reform the programs.
Last I checked Dems have been talking about an array of domestic issues and presenting ideas.
Emma
@pluege: Here I agree with you. Stupid, arrogant people shouldn’t be in charge of anything more important than cleaning toilets for the government.
Unfortunately that means we need a mostly new Congress, to start with.
mistermix
@Gin & Tonic: This is also what I was concerned about.
cleek
@Betty Cracker:
a lot of the things the NSA has done here are things that only the NSA can do because it has the weight of the US government behind it. for example, no Chinese hacker group is going to be able to get Microsoft or Apple into adding backdoors into their operating systems. the NSA can do that because they have the legal authority to do it and no company can say no. of course the Chinese govt can get Chinese hardware manufacturers to compromise their hardware, so…
as far as the protocols go… it’s reasonable to trust that the protocols themselves are secure. what you have to take for granted is that the software you use has:
1. implemented the protocols correctly
2. isn’t ‘leaking’ your data in some way outside of the protocols. ex. the PGP program for secure email has had a few vulnerabilities related to how data is shuffled around in the computer’s memory/disks. the actual encryption/decryption stuff is secure. but the program itself could be manipulated into giving up your info on the side.
and good thieves will just steal your banking data right from the bank (when they grab data for all the bank’s customers)
Jeremy
@Gin & Tonic: Exactly ! If you don’t like something call your reps. Sitting on a blog complaining about the NSA 24 /7 doesn’t create change.
The Sheriff's A Ni-
@Gin & Tonic: That’s actually a legitimate concern.
Honestly, though, after the merry adventures of Lulzsec and the Syrian Electronic Army, I’m not sure why anyone would be surprised that the NSA is also actively looking into putting a back door into everything. There’s a lot of hackers out there looking for an edge, whether for profit, ‘national security’, or just for the lulz. Forget it, Jake. Its the internet.
MomSense
@Jeremy:
No, it’s all good now because the Russians have all the stuff that Snowden stole and I trust Putin to look out for my best interests.
Jane2
@cleek: Perhaps not surprised, but not as blase about it all as many BJ commenters are.
Liberty60
@Belafon:
HAHAHAHAHAHAHAHA!
Scott S.
@Gin & Tonic: Yes, hi, I’m a Texan. My elected reps ignore the fuck out of me. I’d actually be keen for any other ideas.
Jane2
@Citizen_X: This.
Scott S.
@joes527: So… to summarize, you don’t actually have any suggestions at all, right?
kindness
Who will buy American products now? Who in their right mind would buy hardware or software knowing that all the data they store is accessible by others?
The only sales pitch that makes sense is that buying from Russian or Chinese sources probably guarantees the very same thing but with different eyes looking over your data.
Damned if we do, damned if we don’t. My beef is that our corporate overlords went along with this. There was no good reason to weaken the security protocols. Only bad ones. And they went with the bad reasons.
Soonergrunt
@cvstoner: Carrier pigeons, dude. The communication wave of the future.
cleek
@Liberty60:
don’t tell anyone, but i’ve heard rumors that the government has had the capability to listen in on phone conversations since the day the phone was invented.
the scoundrels!
Gian
@cvstoner:
this just makes me angrier that the bankers have by and large skated on crashing the economy.
Alex S.
@Enhanced Voting Techniques:
Maybe snail mail is going to make a comeback…
I wonder if, if I ever run for public office, my internet history will be used against me…
Randy P
The NSA exists for two reasons. One, they’re SUPPOSED to break other people’s security. Two, they’re supposed to ensure ours, both government and commercial. If their actions have made us more vulnerable to dedicated cyber attackers such as the Chinese government, as commenters are suggesting, that would be the part of the story that concerns me.
Emma
@MomSense: This is the thing that makes me crazy. All of a sudden tons of people that are at least moderately intelligent and well-educated are kissing the behind of a former KGB agent with delusions of tsarhood and who is in bed with the most reactionary form of Christianity short of the Southern Baptists.
On a similar tracks, tons of people that are at least moderately intelligent and well-educated seem to have never read or encountered a single example of what governments do to each other and their own citizens. And who believe that because it was invented using a computer and billions of numbers it can’t be broken by another computer using billions of numbers.
Soonergrunt
@Starfish: would that be more or less work than the person or persons unknown who compromised my bank card in July and tried to purchase over $1,000 at Walmarts in Arkansas and Mississippi while I was at Comic-con in San Diego?
Bob In Portland
Anyone remember the Promis software mini-scandal from the edges of the Iran-contra? Danny Casolaro? Inslaw? Thirty years ago.
Omnes Omnibus
@kindness: Is there any hardware or software that has been developed or built, from start to finish, by non-American hands?
Anya
@MomSense: They’ve always used the same slurs and innuendoes against President Obama. Both groups were suspicious of his motives and assumed that he was a pretender who did not share their values. The only thing that set them apart was what they griped about, but now, it looks like the Snowden thing seem to have united them.
Liberty60
@cleek: Capability is one thing- the broken system of oversight is the real issue.
When you have a rubber stamp approving anything put in front of them, what point is there in having a 4th Amendment?
hoodie
The main concern I see here is the potential monkeying with the standards boards and what that could do to chill those efforts, but the stories are kind of murky as to what this entails. The rest is pretty unsurprising. All those worried about a Russian mobster draining a bank account are barking up the wrong tree. If that happens, they should bitch to the financial institution that would have such poor monitoring that it couldn’t detect such behavior. There’s more to security than encryption, and relying solely on encryption in that context is like relying solely on the TSA to prevent a terrorist attack on an airline. Do you not get fraud alerts from your credit card company? Beyond that, a sophisticated criminal enterprise will take 3 cents from your account and the accounts of a few hundred million others. Even then, they likely will get caught — by the NSA.
Robert Sneddon
The NSA has always had the go-ahead to spy on 96% of the world’s population no questions asked, no warrants required, anything goes. Suddenly the American people discover that they MIGHT be a target of interest to this group of stalwarts defending the American Way of Life from communists, socialists, atheists, civil rights activists and other foreign undesirables and it’s pearl-clutching time while the victims stumble backwards to a conveniently-located fainting couch.
As for encryption, anyone here remember the DES saga? Three-pass 256-bit encryption as a standard imposed by US Government fiat, tough to break with the hardware available to Joe Public twenty years ago but trivial today. The fact that an unlimited budget, several large buildings filled with hardware and advances in mathematical theory of numbers can crack modern 1024-bit encryption isn’t too much of a surprise. I doubt it’s being done trivially, it might take the entire NSA a day or two to break one SSL key used for one message transaction by brute force. If they can crack 1024-bit SSL in real-time then they really have something impressive up their sleeves in terms of pure mathematics but I doubt it as the rest of the world would have it too soon enough — see the elliptical function stuff for a worked example of how a “secret” method of cracking a weak key got out into the wild.
Belafon
@cleek: And think about who’s been handling the mail for 200+ years, or controlling who gets what part of the electromagnetic spectrum.
Suffern ACE
@Alex S.: well there’s a reason Obama passed me over for Treasury Secretary. You post some snarky comments about the return of the gold standard and the next thing you know you’re disqualified….
Betty Cracker
@cleek: Thank you for taking the time to explain it — I really appreciate it. I’m not so much worried about someone stealing my paltry savings or accessing my unremarkable medical history but rather the implications if it’s true that encryption protocols have been intentionally compromised. So what’s your take on that? True? Bullshit? Significant? Not?
Belafon
@srv: You know, if the NSA is that good, then I would have to say that Snowden was allowed to escape with all of the information he got so that it would distract people from the real capabilities of the NSA, such as their ability to hack your alarm clock and shut it off before that very important interview.
joes527
@Jeremy:
A blog comment on the uselessness of blog comments. [slow clap]
Chyron HR
@Alex S.:
Clearly you aren’t aware that the USPS (or as I like to call it, “Obama’s NKVD”) enters the “metadata” on your letters into a government database and tracks where they’re going.
VOR
The NSA probably has not cracked widely used encryption protocols. Although they do spend a LOT of money annually on R&D for encryption. Instead, they are compromising the encryption at the source by inserting back doors or subtle weaknesses.
One possible repercussion is a move by non-US governments and companies away from US computer and network products. We have already seen that the NSA is tracking phone and internet traffic passing through US and UK lines. These revelations could damage sales of US products and services internationally resulting in harm to the US economy.
catclub
@Belafon: BSD
joes527
@Chyron HR: That’s nothing. I hear that they have a secret program (codename: STEAM) for getting a peek at the content of your letters.
srv
@Omnes Omnibus: Well, the Soviets cloned the IBM System/360. But I was told by someone who saw them that they were painted red.
I’m sure there will never be any Aldrich Ames or Hanson equivalent in the chip foundry biz.
Emma
@VOR: I would think other governments are hard at work right now trying to duplicate any NSA success with their own manufacturers. And it’s not only governments. How much electronic stuff is now made in China? Or India? Or some other third-world hell where a thousand dollars will buy a family financial independence for life?
Nothing’s really going to change because the system as it is serves our financial masters really well.
Gin & Tonic
@Betty Cracker: Significant if true.
FlipYrWhig
This spy agency is FULL OF SPIES! What do we do? They have eyes that see and ears that hear and brains that remember and THEY’LL USE IT ON ALL OF US!
Belafon
@VOR: Cisco already built backdoors for China, remember? Cisco isn’t hurting.
Shakezula
Really? The agency that has a museum on cryptology, the only public museum on intelligence, on its grounds?
Mind. Blown.
Liberty60
We the people rightfully give our government the power to:
1. Tap our phones;
2. Read our mail;
3. Confiscate our property;
4. Imprison anyone;
5. Kill anyone;
Except all of this power is meant to be safeguarded by due process, including a way for us to know what they are doing, and contest it.
When the government can start to do things without our knowledge,how can we the people control it, stop it, or even protest our innocence?
What we have now is secret courts issuing secret ruling, secret spy programs, secret threats against those who participate, and the self-prioclaimed right of the government to secretly render any American citizen to a foreign country outside the reach of law.
You still think we are being overly alarmed?
FlipYrWhig
@Liberty60: Yes, quite overly.
piratedan
@Betty Cracker: give it the 24-48 hour rule…. plus it’s the Guardian, who have already established themselves as blurring the lines between possible and reality on this theme more than once.
Belafon
@Liberty60: And I’ll ask the question that has been asked before: When the police go to a judge to follow someone, does the person being followed get to contest it? How often are warrants contested?
catclub
@Belafon: “does the person being followed get to contest it? How often are warrants contested? ”
Wasn’t that exactly the case for emails in the media – emails of journalists? They do get warning in that case.
I bet Goldman Sachs gets pre-notice.
gogol's wife
@FlipYrWhig:
This is what I think when I see the screaming NYTimes headlines.
And if there’s another 9/11, it will be because Obama weakened the intelligence services.
Gin & Tonic
@piratedan: Well, it was jointly published by them, the NYTimes and Pro Publica, the last of which has generally shown to be careful and trustworthy.
cleek
@Betty Cracker:
i’m skeptical. the protocols are public, and are studied by mathematicians, computer scientists and cryptographers all over the world. if there are obvious vulnerabilities, they’ll be spotted (hopefully before widespread implementation). the NSA can make suggestions which might contain hidden exploits, but so can anyone else. the cryptography community works hard to find weaknesses, and when they’re spotted, the findings are published. it’s a competitive thing.
if they have weakened something like HTTPS/SSL it would be a big deal. and i’d be more surprised that other people hadn’t found the weakness than i would be that the NSA had weakened it. HTTPS/SSL are public standards, and the software which handles SSL is open source. bad guys have had their eyes on them as long as they’ve been out. if there were holes, i think we would have known already.
i suspect that the talk about NSA compromising protocols is going to end up being something about the NSA having weaseled its way into the companies who handle digital certificates (which HTTPS relies on). we all use those certificates to verify that our computers are talking to who we think they are. if the NSA could get in the middle of that, they could effectively impersonate other computers. but even that isn’t necessary: there are commercial products which do effectively the same thing. you always have to trust the network you’re on.. can’t always do that, though.
Omnes Omnibus
@srv: That was hilarious.
piratedan
@Liberty60: as opposed to the government that 100 years ago sat quietly while employers were killing their employees over the right to form a union? Yeah, methinks you’re equated could with will.
1) with a warrant
2) that’s why those envelopes are sealed
3) you mean your bank, right?
4) once convicted
5) somehow, I don’t see soldiers roaming our streets shooting people indiscriminately, but I can’t speak for your neighborhood… maybe I just live in a nicer part of town.
You want to affect change, work locally for good people… start with your school board, county commissioner, city council… that’s where change starts.
Liberty60
@Belafon: Are you talking about a real judge or the FISA court?
Look secrecy is the most dangerous power we give the government- and yes, it is necessary part of law enforcement and foreign relations.
But there is a reason we [should] be cautious and extremely skeptical about how much we grant- even with the most sensitive law enforcement programs, eventually it has to be brought in front of the public and given a public hearing, where all the facts are laid out.
None of which describes what the NSA is doing. And as we have seen, the blurring of the lines between “terrorism” and ordinary criminal offsense , between national secruity and local policing is happening.
Gin & Tonic
@Belafon: IANAL, but it’s my understanding that if you are detained or arrested on the basis of that warrant, your attorney can find out it existed, and why, and can contest the basis on which it was issued. None of which are possible under FISA.
me
@cleek:
Well, they do try but you’re probably right.
Belafon
@catclub: Well, in order to get something from someone, you have to give them the warrant. It would be a little tough to get it from them otherwise. On the other hand, when the government wants to hear what the CEO has to say, they probably don’t walk up to him and say “here, would you hold this recorder the next time you have a private conversation?”
That was also what I think one of the original points of this scandal was: Who owns the fact that you called Pizza Hut last night?
srv
@catclub:
Nope:
http://bigstory.ap.org/article/govt-obtains-wide-ap-phone-records-probe
And people keep wondering why the Snowman story hasn’t died after all this time…
Clue.
Gin & Tonic
@piratedan: you mean your bank, right?
Uh, look up Kelo v City of New London.
Cacti
Per Pew Research…
Over 6 times as many Americans are worried about protecting their information from hackers and criminals (33%) than protecting it from the government (5%).
If you read Balloon-Juice, you’d think it was more like 95% for the latter.
Socoolsofresh
Love how some of you guys won’t actually read the article because of the names associated with it, and then come and not surprisingly mis-interpret the revelations and downplay it. Basically the backbone of the internet is broken and some of you guys are acting like it is no big deal. Seriously, what would make it a big deal to you? It seems like nothing would.
Always a nothingburger with you nutbars, just because you might think it could hurt the current administration. Love how your knee jerk reaction is ‘no big surprise!’. That is always your reaction.
Also, love the people who are like, the internet always has had no privacy so nothing you can do about it! Uh, not exactly true, and also, why can’t we do anything about it? So are we to not do any financial stuff on the internet now? And is that supposed to be no big deal?
Soonergrunt
@srv: Don’t forget to add Snowden to that list. Just because some of his “revelations” make it into print, does not mean he’s not a sellout spy like Ames and Hanson.
ericblair
@Emma:
I don’t know if it does: IT security and reliability are non-sexy non-revenue-generating expenses to companies, and get short shrift all the time. A lot of executives would rather roll the dice, book more profit, and cross their fingers that they’ll be gone by the time the shit hits the fan. Some of the attacks in the last few weeks may have had a vaccine-like effect on companies to get them to wake the fuck up and harden their networks and data centers.
cleek
@Betty Cracker:
also… i’m just a programmer with some crypto experience, definitely not an expert. crypto is a very complex field, and a lot of it is miles above my head. so, grain of salt, etc..
if you want to know what actual cryptographers and security people think about this stuff, read Bruce Schneier.
piratedan
@Gin & Tonic: with the history of this story, we’ve had roughly two months of noted misrepresentation of the facts, omission of key elements and imho a certain amount of idiocy about cult of personality and little examination of actions., My own personal experience is that if you keep kicking the dog, after a while, the dog is going to be a tad suspicious if you raise your leg.
The NSA spies, that’s what they’re paid to do, in many cases spying is reliant on data, where do you get the data? In the old days, it was done in person (humint), these days its mostly signals (although humint is slowly being established again). The calculations and search criteria that are used to ferret out the key critical elements are complex and have to be analyzed by a human element. The way that we all touch upon each other is also complex, imagine a net over your life and all of those interactions….and then someone making an evaluation on all of those interactions…. when is the online purchase of a baseball jersey just a financial transaction or does this mean that somehow I’m now tied into and complicit in the biogenesis scandal…..it’s all about context and with many of these stories they do a magnificent job of confusing “could” with “do”.
Omnes Omnibus
@Gin & Tonic: I would be more concerned about civil forfeitures related to criminal cases (seizing your house because you made calls relating to a pot deal while sitting at your kitchen table) than eminent domain (taking your property for a public purpose and providing you with compensation – yeah, Kelo was stretching it, but still…).
Higgs Boson's Mate
It will be interesting to see how long it takes the next Republican president, and there will be one sooner or later, to find another John Yoo to provide a legal justification for using all of this nifty surveillance capability whenever, wherever, and however it chooses.
Cacti
@Soonergrunt:
Snowden is a patriotic whistleblower in the best traditions of Benedict Arnold and Julius and Ethel Rosenberg.
Kurzleg
@Face: The issue I see is the insertion of back door vulnerabilities to encryption. This would seem to undermine the trust factor necessary for online purchasing and internet banking.
Eric U.
my bank just sent me a notice that I could try their new secure login — that requires an app. I have been thinking it would be really nice if they would offer a service like gmail or paypal where you have to enter a number in that they sent to your cellphone. But no, they have to use a (probably defective) app that doesn’t run on my computer.
@Higgs Boson’s Mate: the Cheney admin was doing all this without any legal justification, so congress passed laws to make it legal. I am pretty sure that the next republican administration will do whatever they want, legal or no.
Kurzleg
@cvstoner: that’s my concern/conclusion as well. I’m not worried about “the Chinese” per se but rather bad actors who steal financial information, etc.
FlipYrWhig
@Liberty60: OK, in a non-snarky way, I would probably respond by saying that we need to think more about the meaning of privacy in a digital world where we’re all continually leaving trackable traces behind us. But IMHO there’s a qualitative difference between “the government is amassing information on us” and “the government is querying that information and using it against us.” I don’t feel like my Internet traffic is the equivalent of the stuff in my house, and I just don’t feel the same sense of violation.
piratedan
@Gin & Tonic: no, I’m sure that you have already and that’s it’s your touchstone that serves as the foundation of your opinion. Find me a similar example in each county in every state and then get back to me as to whether this more than a one trick pony where you have one incident and that’s the equivalency of the sky is falling.
Barry
@Belafon: “Encryption was always a matter of when it would be broken, not if. ”
Yes, but it ‘when’ means ‘right now’ as opposed to ‘in five years’, there’s a huge difference.
catclub
@me: Interesting.
I found this line in the wikipedia article intriguing:
“which describes the weakness, does contain a method of generating a new keypair which will repair the backdoor if it exists.”
Then just count on some organizations not generating the keypair that fixes the problem.
This also sounds like what the NSA is described to be doing. Not breaking SSL/TLS, but weakening the generation of traditional keys, which are encrypted by SSL/TLS.
If AES has already been broken by NSA, that would be a big deal.
Belafon
@Gin & Tonic: If that’s the issue, then yes, sign me up for fighting it. If a warrant can be contested, then yes, even the FISA warrants should be contested.
I’m just not going to get all that excited about the technical issues. To me, it’s like arguing drones are bad because they are drones. The internet is not secure. What cryptography offers as security is the hope that the other person will get bored and move onto someone else before they figure yours out.
Barry
@Belafon: “And yet, the NSA still has to get a warrant to do anything. They still have to talk to a judge. ”
Bull f-ing sh*t. (1) Most of what they do is highly classified, so they don’t. (2) When they decide to go before a judge, they go before a highly selected, very small set of judges, who as far as we know have a 99% approval rate.
catclub
@Eric U.: My bank sends an additional access code to my gmail account when I login.
gmail is the lynchpin for lots of stuff.
srv
@Soonergrunt: Snowden is obviously a bit more than a haX0r (or the NSA’s sec is run by the clown car brigade), but he’s not designing back doors, chip obfuscations, firmware or compilers.
The Russians are probably more interested in the laptops than the content.
Jockey Full of Malbec
Part of what’s so frustrating about these articles is the complete, utter lack of technical content. Even “techie” blogs like ars technica have been terrible on this issue.
Are they claiming that the NSA has broken Elliptic Curve Cryptography? Because I utterly refuse to believe that (the discrete logarithm algorithm used is mathematically sound for at least a couple more decades).
Are they claiming that the SSL protocol has been broken? Because SSL 2.0 has been known to be broken for quite some time. That wouldn’t be news.
Socoolsofresh
Only here and at Little Green Footballs are people treating this like it is no big deal. You guys are sure in the majority over this one!
Betty Cracker
@cleek: Thank you so much, Cleek. I sincerely appreciate your willingness to provide your perspective. Your points about the open source / competitive-collaborative nature of protocol development WRT the process’s vulnerability to deliberate compromise make a lot of sense. Thanks!
Belafon
@Barry: We do formal reviews at my company before doing major work. Before we do those reviews, we get together in groups, formalize ideas, knock out a bunch of kinks, make changes based on what we think will pass the formal review, and then finally do the review. By then, we generally get a pretty high approval rate with very few changes.
Barry
@mk3872: “One thing that is AGAIN not mentioned in this posting: The NSA requires a WARRANT to monitor actual communications that may or may not be encrypted.”
This has been covered. You might want to ask somebody who knows what’s going on.
Cacti
@Socoolsofresh:
And another 5-percenter pops in.
srv
@Omnes Omnibus:
google: site:balloon-juice.com Darrell FISA 2005
Weeks of fun-time. Probably the first Tbogg Unit in there somewhere.
Belafon
@Barry: Five years from when?
chopper
@srv:
the lizard men will never fool me again.
cvstoner
@weaselone:
I would consider any backdoor, by definition, to be a weakening of security. And if the Chinese haven’t figured out how to hack them out right, they have proven over and over again that they have the ability to just steal the information.
Dr. Squid
@Belafon: http://dilbert.com/strips/comic/1996-01-11/
Socoolsofresh
@Cacti: I see you have been keeping up on your LGF articles! Good for you man! Keep your echo chamber sealed tight dude! Don’t worry man, you and this administration are never wrong! It’s just others who must be sort of racist!
me
@catclub: I don’t think anyone actually uses that PRNG though so that, at least, shouldn’t be a huge deal. As for AES, if the algorithm (not specific implementations) were weakened or broken, that probably would have been noticed before now. Bruce Schneier thinks they may have a practical attack on RC4 which no one should be using as it’s been theoretically broken for some time but some web sites may still.
Cacti
@chopper:
The so-called chemical weapons strike in Syria is just a false flag to distract us from the righteous reporting of Glenn Greenwald.
Just ask Glenn.
dollared
@Higgs Boson’s Mate: This. And all the lying sacks of shit on this thread alone,who said “just use encryption, moron!” when the rest of us said that the NSA spying was 1) unconstitutional and 2) bad for business.@Belafon: @Botsplainer:
cleek
@Socoolsofresh:
i’m glad you’re here to tell us how dumb we all are, again. sometimes we forget.
hoodie
@cvstoner: So your point is what, exactly? Are you saying that, even if the Chinese can’t find the backdoors, they’re so smart they’ll get in anyway? If the Chinese are obviously the Masters of the Universe, does it matter what the NSA has done, whether in reality or your fevered imagination?
srv
@chopper: Relevant
Cacti
@Socoolsofresh:
Well, The Pew Internet and American Life Project found that 61% of respondents were worried about keeping their online information private from hackers, criminals, and advertisers, vs. 5% from the government.
Maybe you could call and tell them to unskew their polls, because all of your favorite blogs think it’s the most important thing ever, Governor Romney.
Belafon
@dollared: Please, please, find a place where I said “use encryption.” As I’ve said above, I only consider encryption as secure as the attention span of the hacker. I also don’t think that the government is ever going to waste resources on most of us because we’re boring as shit, and it takes more power than the universe to run around trying to find “bad” things without knowing them in advance (that is, unless someone solves P=NP). I also think that most people freaking out over it have no clue how much they have given up already because they don’t understand technology. I also think that if you aren’t going to trust the process we call the government at some point, then you might as well go move to one of those places where you know they are spying on you, so that your fears are well founded. I also think I have written enough sentences that start with “I”.
mk3872
@Barry: No need. The NSA requires warrants from FISA to search the data. See? That was easy …
Socoolsofresh
@cleek: Well, your first comment on this thread basically summed up many a BJ thinker around here, so I guess you are right at home.
weaselone
@cvstoner:
While it’s technically true that providing another way in is weakening security, there’s a big difference between leaving an open back door which seems to be what many are insinuating and installing a steal reinforced door with a better lock than the main entrance.
Villago Delenda Est
People, come on!
These are Powerpoint Slides. They talk in glowing generalities, Not in detail, and the devil is always in the detail.
Try not to panic over stuff that’s already known if you’ve been paying attention.
sparrow
@Belafon: HAHAHAHAHAHAHA. No.
Chyron HR
@Socoolsofresh:
Anybody with an office job care to report what percentage of their co-workers are deeply concerned about the NSA? How about people who participate in book clubs, sports teams, or in any other way have regular contact with a random selection of the US population?
Oh, sorry, I forgot, actual contact with actual people doesn’t count, just editorials posted on Daily Kos and FDL. My bad!
Socoolsofresh
@Cacti: Well, most polls say people are against intervention in Syria, but that didn’t stop your cheerleading for it. I guess you will take whatever poll suits your argument.
Tommy
ages ago I worked with some of the largest telecom companies in the world. The division that sold to the DoD. It wasn’t really even a secret, and I believe the engineers I worked with, that the companies gave the feds a backdoor into all their products.
Villago Delenda Est
@Chyron HR:
It’s interesting that Schoolsoflame tsk-tsks people about being in the LGF echochamber from his perch in the Infowars echochamber.
dollared
@Tommy: Actually, I product managed a security product for one of the world’s largest software companies. And there was no back door, as of 2007. I know that for a fact, as opposed to your baseless supposition.
joes527
@Barry:
Knows what is going on? Or knows the official story?
Because I’m pretty sure that anyone publicly talking about what is really going on is either lying or leaking. The people who know what is going on are not legally permitted to tell you.
Villago Delenda Est
@Tommy:
Here’s the thing about the backdoors: as someone has previously mentioned, they’re a known path into the system custom made for someone else, and not general knowledge. This does not mean that they are made of tissue paper…indeed, they often have stronger protections than the main entrance.
Socoolsofresh
@Chyron HR: Haha ya no one cares except Daily Kos and FDL! So true man, keep telling yourself that!
dollared
@Belafon: Oh, so you’re in the “it will only happen to hippies and Jews” camp?
MomSense
I am more freaked out by the fact that Snowden brought all of this information to the Chinese and the Russians than I am about NSA capabilities.
I don’t know if any of you have any experience with doing business with China but they steal things all the time.
I’m starting to think that the same people who are freaked out about the NSA are the ones who have been reading about the sex and drugs exploits of Taibbi, and Ames and think Russia is much cooler than it really is.
srv
@Chyron HR: BJ is just old folks with pets, IT-ish folks or unemployed post-docs with too much time on their hands.
Now, if they started spying on pets, or droning them, all hell would break loose.
@Villago Delenda Est:
Even Pat Lang was linking to infowars last week. Says Obama is dropping bombs on Monday.
Socoolsofresh
@Villago Delenda Est: Heh indeed. Not really about buying gold and Alex Jones but you can assume whatever. My tsking comes from people direct quoting lgf, yours comes based on assumption. Pretty par for the course around here.
burnspbesq
@cvstoner:
The omnipotent, omniscient Chinese Hacker Army exists only in your and Tom Clancy’s imaginations.
When the major banks start disclosing in SEC filings that their online payment processing infrastructure has been compromised, I’ll start to worry. Not before.
Higgs Boson's Mate
@sparrow:
Linux has come a long, long way in usability since the days when running it required that you compile it yourself. My take is that Linux, like Windows and MacOS, is overkill for the vast majority of users.
Kurzleg
@Randy P: But the problem is that they’re supposed to break the security of foreign governments and foreign non-governmental groups, not that of its own citizens. Maybe this is a problem inherent in the nature of the internet and there’s no way to get around it, but in their quest to have all-encompassing information they’ve made all of us more vulnerable to one degree or another. Plus, as Bruce Schneier pointed out today, “Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?”
Belafon
@srv: I hadn’t heard of Pat Lang before this week. Go read his wikipedia page. The comment about Iran made me cringe.
Gin & Tonic
@piratedan: http://www.newyorker.com/reporting/2013/08/12/130812fa_fact_stillman
Tommy
@dollared: These would be the three questions I’d ask you. Did your firm have a government division? Did they sell directly to the DoD? Did you have a security clearance?
Bobby Thomson
@Chyron HR: Nobody in the real world ever mentions this stuff, other than Republicans making jokes. No one cares about it at all one way or the other, which is why I have to laugh at the people who think every damn thing the White House does is aimed at distracting people from paying attention to this. No one is.
Chyron HR
@Kurzleg:
Yes, England is truly a fascist hellhole. I see the Pure Progressives and their Tea Party Patriot allies have found more common ground.
Central Planning
@Soonergrunt:
And, they are already IP-enabled: A Standard for the Transmission of IP Datagrams on Avian Carriers
Yatsuno
@srv:
And yet…here you are. How DO you stand to be on the level with us poor proles?
Jockey Full of Malbec
@Keith P.:
The SSL hole is a ‘man in the middle’ attack.
Briefly, when you open an SSL session, the two parties (Alice and Bob, traditionally) have to agree on an encryption key without sending it in the clear. First, they will try to authenticate each other (ie Alice is really Alice, Bob really is Bob). Then they will try to negotiate a secret key for their transaction.
Without getting too technical– Alice selects a random number, and uses her private key to generate another number which is then sent ‘in the clear’ to Bob. Bob then performs another computation using this number and Alice’s PUBLIC key to come up with Alice’s secret number. This secret number will then serve as the actual encrypt/decrypt key for an algorithm like AES or similar.
This happens every time you place an order on Amazon, for example. And the best browsers would be using ECC or RSA algorithms– algorithms which are (when properly used and implemented, anyway) unbreakable with current technology. You’d literally need every computer on earth, running until the sun dies, to brute-force it.
The SSL 2.0 protocol has a hole in it, however– there’s a window where, AFTER Bob has convinced Alice he’s actually Bob, but before a common key has been derived, Bob is allowed to say “hey, I had a problem, let’s renegotiate our keys!”
A clever eavesdropper (traditionally called Eve) can exploit this design flaw to essentially take Bob’s place in the conversation, without having to forge Bob’s credentials.
This has been a known issue with SSL 2,0 for at least a year, but (as usual) browsers and apps have been slow to move up to the new SSL 3.0 standard.
Higgs Boson's Mate
@Gin & Tonic:
Now that is truly some fucked up shit. Interesting that it seems quite popular in some of the states that brag about their low taxes.
Kurzleg
@Chyron HR:
“England” is a good example of a surveillance country?
joes527
@Central Planning: Yeah, well, your ping time is going to suck.
Central Planning
@Robert Sneddon:
Just to be accurate (ok, pedantic): it’s 3DES and it’s 168-bit.
Chyron HR
@Kurzleg:
So you wouldn’t object if the NSA set up a network of surveillance cameras that literally cover every public area, 24/7? Noted.
Enhanced Voting Techniques
@kindness:
You mean beyond that American hardware will work and not just randomly die like the cheep Chines stuff?
joes527
@Kurzleg: From what I understand, yes. Cameras everywhere. Software monitoring the images and noting the movement of individual vehicles (and probably using facial recognition to note the movement of individual people)
They are also good at standing in lines.
srv
@Belafon: Not seeing where he’s wrong about Iran.
If you can get around the Honorable South, War of Northern Aggression, teaparty commenters, and his occasional conspiracy stuff (I think it’s mostly his age showing), it’s sometimes informative. Also raven’s favorite blogger.
He’s pretty anti-wingnut. Hated Bush, hates Wingnuts, hates most Dems. Big fan of General Dempsey.
Robert Sneddon
@Central Planning: IPAvian is also subject to substantial packet loss due to man-in-the-middle attacks with a shotgun.
joes527
@Enhanced Voting Techniques: What American hardware isn’t cheep Chinese stuff inside?
fuckwit
@Jockey Full of Malbec: Thank you for explaining this! There’s also another hole, which I’ve both exploited for development purposes myself, and which the carriers exploit as a regular policy for caching: servers don’t check the client’s certificate. If your browser accepts the certificate, you can insert a man-in-the-middle in SSL, by terminating the SSL connection in the middle, decrypting, and reencrypting. It’s easy. I do it all the time to debug SSL connections. The carriers have installed browsers on people’s phones that accept the carrier’s certificate in addition to, say, your bank’s. So, the carrier is actually decrypting your “secure” connection, reading and caching your data, and then re-encrypting and sending that to the bank. I can think of quite a few ways to exploit this as an attack, and even more for someone with resources like the NSA to do so.
fuckwit
@Jockey Full of Malbec: Thank you for explaining this! There’s also another hole, which I’ve both exploited for development purposes myself, and which the carriers exploit as a regular policy for caching: servers don’t check the client’s certificate. If your browser accepts the certificate, you can insert a man-in-the-middle in SSL, by terminating the SSL connection in the middle, decrypting, and reencrypting. It’s easy. I do it all the time to debug SSL connections. The carriers have installed browsers on people’s phones that accept the carrier’s certificate in addition to, say, your bank’s. So, the carrier is actually decrypting your “secure” connection, reading and caching your data, and then re-encrypting and sending that to the bank. I can think of quite a few ways to exploit this as an attack, and even more for someone with resources like the NSA to do so.
Belafon
@Enhanced Voting Techniques: As I pointed out before, Cisco already provides ways for governments to get into their routers, so that they could sell to the Chinese, and they do not seem to be hurting for business.
Bobby Thomson
How was the play, Mrs. Lincoln, indeed.
Omnes Omnibus
@Gin & Tonic: Again, to nitpick: Civil forfeitures, which are truly fucked up, have nothing to do with Kelo, an eminent domain case.
Central Planning
@dollared:
There was no back door that you knew of. Where did you get the compiler that you used? How do you know that wasn’t compromised?
Check out this article from ScienceBlogs. joes527 mentioned it earlier… how do you ensure your tools are secure?
piratedan
@Gin & Tonic: hey it’s epidemic! again, you want things to change, you start locally. The item you cited is TEXAS. They have an express lane for killing people, these are the people that we witnessed just a month ago roll back womens rights to the 1920’s and you expect me to be surprised by legal malfeasance? Besides, this is more closely related to the ill gotten “war on drugs” than the NSA issue, you want to be pissed at the government, that’s your perogative, it’s a big ass target that’s hard to miss, but if you want to pile this onto the NSA conversation that we’re having, I find that it’s a reach.
Central Planning
@joes527: True. It’s been tested:
catclub
@Villago Delenda Est:”they often have stronger protections than the main entrance. ”
Port knocking!
Enhanced Voting Techniques
@Villago Delenda Est:
Yes, this all reads like some department head’s presentation to make his little empire sound like the best thing since slice bread to his bosses come budget time.
chopper
@Socoolsofresh:
Hey look, the fat kid’s back.
pseudonymous in nc
@Face:
That they deliberately weaken security technologies for their own ends, at times through legal coercion? Stealing keys has a history to it; backdoors and deliberate weakening of algorithms is novel.
And those kinds of practices are way more likely to blow back in unpredictable and nasty ways.
dollared
@Tommy: Yes, yes and no. And the last one didn’t matter because I audited the code in the publicly released version.
Jockey Full of Malbec
@fuckwit:
Yep– decrypted stuff sits in memory, where someone clever can get at it.
It doesn’t help that the “modern” languages like Java, C# and Objective-C (used to develop apps for Android, WinMo and iOS, respectively) are all dynamic languages with unbounded garbage collection. That decrypted block just sits there in RAM until the GC gets around to releasing it (and, even then, it generally doesn’t overwrite the block, it just “forgets” where it is).
Users are, in theory, responsible for their own security. But in practice they are utterly dependent on good developer practice (in short supply when you’re talking about $3 apps), and good operating system security (industries driven by market share and profit aren’t wired to optimize for security).
One of the upsides of this whole kerfuffle is that now, at last, the public will be applying pressure on these companies to do better. Expect to start seeing words like “SECURE!” on Microsoft, Google’s and Apple’s PowerPoints anytime now…
Enhanced Voting Techniques
@joes527: Please explain that to three chip manufacturers who I just applied to jobs at today based in San Jose, CA.
Anya
@Just Some Fuckhead, Thought Leader: You’re so cute.
catclub
@Jockey Full of Malbec: “and uses her private key to generate another number which is then sent ‘in the clear’ to Bob.”
Why doesn’t she use Bob’s public key to send it to Bob?
Bob turns around and uses her public key, so she should know his as well, shouldn’t she?
Botsplainer
@dollared:
Which segment of bloated commercial security near-malware did you write that made my computer run as fast as molasses on a subzero day (when it wan’t crashing the whole thing)?
Socoolsofresh
@chopper: Heh heh. Reality would show you that this is so far off, but I wouldn’t let that get in the way of your fantasies. Keep on contributing that keen intellectual discussion you always provide!
joes527
@Enhanced Voting Techniques: Cool. What piece of usable technology is built entirely (or even primarily) of components that they design and manufacture in the US? Not snarking. Actually want to know if the tide has turned that far.
chopper
@Socoolsofresh:
you’re even FATTER? jesus, this is getting better by the minute. grotesquely morbidly obese. the mind reels.
Jockey Full of Malbec
@catclub:
Public/Private key algorithms (called the asymmetric algorithms) are SLOW. So even today it’s not practical to use them to encrypt/decrypt bulk data. You’d never be able to do Netflix streaming in real time, for example.
A cipher like AES is symmetric– the same key is used to encrypt and decrypt (think of WW2, where Alice and Bob would have to keep secret codebooks to select today’s key, but it would be disastrous if the enemy got their hands on those codebooks).
Symmetric algos are MUCH faster. So the general practice now is to use the slow algorithm to derive a secret one-time key for the fast symmetric algorithm, and then use that.
? Martin
@me:
That’s how I read all of this as well. RC4 is the common thread here, and it’s been considered insecure for some years, but it’s still pretty commonly used. That’s not so damning as a result, nor is it surprising, really. Maybe it’ll get the community off of its ass and finally deprecate RC4.
The more damning are the backdoors. We know that routers have encryption back doors, because Congress mandated it. But the backdoors in commercial products is much more troubling. But anyone relying on proprietary encryption has always been asking for this.
But I think there’s a major misunderstanding here as well. Even if RC4 is that compromised, it doesn’t mean they are decrypting traffic in realtime. That capacity would be known – RC4 is not so flawed an algorithm that you can bypass brute force, and the NSAs computing power isn’t so large that they can brute force this stuff on a whim. It just means that they have the option of decrypting select traffic, and the ability to do it in a reasonable time frame to them – probably on the order of days.
Remember, encryption is rated in terms of how long it will take to break. No encryption is foolproof – it’s merely expensive. Really strong encryption is expensive to the point of impossibility (more computing power than exists on earth to break within a lifetime). These ratings change over time – flaws in the encryption weaken it and make it easier to break (RC4), and the cost of computing declines – sometimes dramatically due to breakthroughs. So RC4 will only get cheaper to break, and that days will turn to hours then to minutes then to seconds and eventually realtime (probably decades from now).
Thlayli
And the usual pattern repeats again…
Guardian: “EXPLOSIVE! NEW! REVELATION!”
Glennbots: “OH NOEZ THE SKY IS FALLING CEILING CAT IS WATCHING ME MASTURBATE MAKE IT STOP MAKE IT STOP MAKE IT STOP!!!!!!!!!1!!”
Adults: “Well, actually this isn’t all that explosive. And not even all that new.”
Glennbots: “YOU’RE JUST SAYING THAT TO DEFEND EVIL LORD OBAMA, YOU AUTHORITARIAN LICKSPITTLES!!”
And so on, and so on….
chopper
@Thlayli:
you have to admit, the fact that the NSA has broken some encryption algos is pretty shocking news. it’s like finding out that NASA launched a rocket. it’s insane! that isn’t supposed to happen!
Socoolsofresh
@chopper: Exactly right, you are such a genius!
Gin & Tonic
@Omnes Omnibus: Never said they did.
FlipYrWhig
@chopper: NASA LAUNCHED A ROCKET AND THERE WAS CAPABILITY OF PUTTING BACTERIA ON THAT ROCKET AND THEN I DIED FROM THE BACTERIA WELL ALMOST
Socoolsofresh
@Thlayli: No, it’s more like, BJ commenters: NOTHINGBURGER! IT ALWAYS IS! LET’S MURDER GG!
Gin & Tonic
@piratedan: Not “piling this into the NSA conversation.” You objected to Liberty60’s comment about government being able to “confiscate our property.” I’m pointing out examples where government can and does confiscate property, using more than one legal theory.
dollared
@Botsplainer: Thanks for the revenue! It just took about 50M users for me to get a large enough share to pay for the kids college…..
Hated the security business. Never met a bunch of more self-important (and less sophisticated) people than the software engineers who thought they were keeping all of us safe.
Which is why I don’t trust the people in government who are telling they are keeping us safe.
Betty Cracker
Okay, y’all are forcing me to go full-tapioca Broder:
BOTH SIDES DO IT!
Yes, the “sky-is-falling-authoritarian-lick-spittle” people are annoying prats. But I’m tempted to (metaphorically, of course!) punch the “nothing-to-see-here-OMG-how-could-you-not-know-this-you-ignorant-tech-tard” people in the neck too sometimes.
The Other Chuck
@cleek:
Actually that’s quite possibly the weakest link. There’s a reason we don’t use SSL 1.x anymore after all. The algorithms aren’t perfect either — RC4 is quite probably broken entirely — but we’ve suspected it for some time, there’s a choice of algorithms available, and switching between them isn’t even hard. AES has been pretty thoroughly analyzed, and there still doesn’t seem to be any problem with it. The NSA doesn’t really enjoy the monopoly on top mathematicians the way it did 40-odd years ago, so I’m willing to continue believing it’s unbroken.
max
@? Martin: But I think there’s a major misunderstanding here as well. Even if RC4 is that compromised, it doesn’t mean they are decrypting traffic in realtime. That capacity would be known – RC4 is not so flawed an algorithm that you can bypass brute force, and the NSAs computing power isn’t so large that they can brute force this stuff on a whim. It just means that they have the option of decrypting select traffic, and the ability to do it in a reasonable time frame to them – probably on the order of days.
Right. Exactly. They can decrypt any SSL traffic they can capture (and they can capture all of it in allied countries) eventually. They can’t do so on the fly, because there is no known elegant master crack for SSL. The known vulnerabilities and the ability of the NSA to be the man in the middle at all points (‘They have seized the commanding heights of the internet!’ };) ) gives them a large universe of other methods of penetration (including pwning a shitload of certs) which allows them to hit anybody they want, AND to roll SSL if needed. I’d only dispute the SSL crack time – I expect they can unroll it in hours rather than days. PGP probably takes a very very long time, if it can be done at all.
All of this is the reason they want to stack targeted traffic for five years.
@MomSense: I don’t know if any of you have any experience with doing business with China but they steal things all the time.
Yes, and the very highest upper echelons of the NSA are run by morons, which means they have set up no internal network security, which means that any one initially granted access can snag anything they want. (This being the avenue Snowden used.) Given that the Chinese are always looking to steal and have been since long before 911, then the probability that the Chinese (and the Russians) and penetrated the NSA networks from the inside is very high. So it’s unlikely Snowden could give them much they don’t know. All that would matter if the NSA surveillance networks were highly useful for hacking the Russians or the Chinese, but they’re not because the NSA doesn’t have the listening posts. The networks are primarily useful against people in the US and allied countries.
As a bonus, both the Russians and the Chinese have well-developed skills acquired through long practice in interception and surveillance, so they are basically going to ‘get’ the NSA capabilities anyways, so nothing he’s given them is going to be anything but old hat.
If Snowden had been snagging information into the NCA communication networks, that would be problem, but that’s not run by the NSA anyways. (Thank God.)
max
[‘Why they haven’t sacked Alexander yet is a mystery.’]
NR
@Thlayli: Actually, the pattern is this:
Guardian: New revelation about the NSA spying on citizens.
Obots: NOTHINGBURGER!!! SNOWDEN AND GREENWALD ARE ASSHOLES! THEY SOLD AMERICA OUT TO THE RUSSIANS AND THE CHINESE OH MY GAWD!!!!!!!!
Adults: Um, the real issue is the NSA and how their spying on citizens is getting out of hand….
Obots: STFU FIREBAGGER!!!!! WHY DON’T YOU GO MARRY PUTIN IF YOU LOVE HIM SO MUCH????!!?!?!? YOU’RE ONLY SAYING THESE THINGS BECAUSE RON PAUL TOLD YOU TO!!!!!!!
And so on, and so on….
Just Some Fuckhead, Thought Leader
@Anya: Right?
piratedan
@Gin & Tonic: my bad, about mixing you two up
dollared
@Betty Cracker: The tech tards’ fallacy can be found right here – they are begging to be allowed into Jay Rosen’s Church of the Savvy.
http://archive.pressthink.org/2007/08/14/rove_and_press.html
As someone who had the privilege of explaining to the German government exactly why they could trust my company’s products, while handing them source code, I can tell you that most of the “savvy” here do not actually *know* anything when they talk about assumptions of back doors in everything.
ericblair
@Betty Cracker:
There’s such a thing as rational threat assessment. The government has nuclear weapons that they could launch at me in half an hour and I don’t have a nuclear-proof house, but I’m not up at nights worrying about it. In terms of data security, I’m far more at risk by some hacker getting my credit card numbers and SSN from a dipshit sysadmin who fell for a whaling attack than I am from Teh Gubmit hacking my encrypted communications for I have no idea what reason.
If there’s one point where we do want shit to stop with regards to the government, it’s the drug war. If the DEA and other law enforcement is misusing information and lying about it to courts, shit needs to stop and people need to get punished.
Tripod
What about the banksters?!
me
@The Other Chuck: Agreed AES looks solid for the time being. Much scarier would be a practical attack on 2048-bit RSA (the algorithm, not MITM or bad PRNG) which, while unlikely for now, isn’t outside the realm of possibility.
Betty Cracker
@ericblair:
Reeeeally? Garsh!
dollared
@Betty Cracker: “Rational Threat Assessment:” = “They will only use their unlimited powers against hippies, negroes and Jews, so no problem for me.”
Kurzleg
@Chyron HR:
I can do without the snark. I’d forgotten about the cameras. I’d say this is one example of creep toward authoritarianism. May not be there now, but there’s potential.
cvstoner
@Belafon: @Central Planning: @burnspbesq: @weaselone: @hoodie: @Kurzleg: @Gian: @mk3872: @Keith P.: @mistermix: And anyone else following this thread:
First, I have a master’s degree in network security, so I know a little about what I am about to say.
That being said, the NSA has done a great disservice to the concept of security in two fundamental ways. The first is in the way they purposely weakened the encryption algorithms that formulate the baseline security of Internet traffic. It is one thing to be able to engage in brute-force attacks and other cryptanalytic means to crack a code. Indeed, the long history of cryptography can be summed up as one of the encryptors trying to stay a step or two ahead of the cryptanalysts. This is why new algorithms come out as weaknesses become exposed, the keystrength of the cyphers is periodically upped, and so on. However, by inserting backdoors into the algorithms, the NSA has made the whole concept of encryption strength a moot point. Who cares what the cypher strength is if a backdoor exists to subvert it?
Second, and more importantly, what the NSA has done is destroy faith in the encryption business as a whole. I heard people today suggesting we rebuild the Internet to make it more secure. Really? And who do you trust now to rebuild it? By using its power to coerce computer manufacturers, communications companies, software developers, ISPs, and everyone else in the encryption pipeline to build backdoors into their systems, the NSA has made the whole encryption industry defunct. Quite literally, the only person you can trust now to develop a safe encryption algorithm is yourself, using software you have developed, on hardware you have constructed, on a communications channel over which you have full control. Nobody has that kind of control. Not even the government.
So what, you might say? Who cares if the NSA can look at your stuff? And to a point, you might be right. But many businesses have utilized the concept of a secure Internet as a critical part of their business infrastructure. Financial institutions and many others depend on being able to send their information across the global Internet in a secure fashion. Indeed, a fundamental part of the whole concept of “the cloud” requires a secure infrastructure. For all intents and purposes, faith in that system is now dead.
This is a big deal. Everyone will be effected as people and companies that took a secure Internet for granted are forced to reevaluate that faith. And all for what? Do you really feel safer now? I know I don’t.
Chyron HR
@NR:
You forgot the part where the adults accuse the people who disagree with them of fantasizing about getting raped by “Dear Leader”.
No sarcastic use of boldface and capital letters because, you know, this is an actual argument put forth by Mr. Greenwald.
johnny aquitard
This undermines many of our privacy rights. I don’t mean Facebook or Gmail, where there is no expectation of privacy, I mean everything where we do have a rightful expectation of privacy.
Medical records. I use MyChart. That’s no longer a private communication between me and my health providers.
Banking. Your transactions are open now.
Law. Forget about client/attorney privilege. And we already have learned that the NSA is handing over data other federal agencies in their war on drugs who fabricate stories about how they got the evidence. This makes a shambles of our legal system. How can there be justice when the prosecution literally is making up shit about the case?
A free press and ultimately free speech. We lose that when the 4th estate is compromised. How does a reporter going to keep his sources confidential? How does a reporter expose government wrongdoing when that government is able to intercept all communications. This must surely make it extremely difficult to do any sort of major investigation.
The maddening thing is so many people are OK with this because they think this keeps them safe.
They have traded the best parts of an entire society for an imagined security from a few dozen people armed with boxcutter knives.
Joey Maloney
@Scott S.: If I should be freaked out about this, what should I be doing?
Press Enter.
weaselone
@NR:
Fail. This story doesn’t even mention the NSA spying on Americans. It’s about the NSA’s capacity to break encryption and its collaboration with commercial firms to put back doors in their encryption products.
chopper
@Socoolsofresh:
well, i am compared to some fat kid getting punched in the face repeatedly. i’m sure all that head trauma has lowered your IQ quite a bit.
cvstoner
@dollared:
That may be true. But given the ability of the NSA to coerce you into silence, why would the German government believe anything you say at this point?
cleek
@The Other Chuck:
i think Mr Snowden demonstrated pretty well that the weakest link by far is likely to be the people who run the systems. if a malicious or incompetent insider can walk out the door with all the data on a thumb drive, you’ve got bigger problems than a theoretically-broken encryption algorithm.
cvstoner
@johnny aquitard: Good to see someone who gets it.
cleek
@ericblair:
tomorrow’s gg expose: we have information suggesting that the DOD is targeting US citizens for possible nuclear strikes!!!
NR
@Chyron HR: Thank you for proving my point. You Obots are the only ones in this discussion who are talking about Greenwald. The story was about the NSA.
NR
@weaselone:
For the purpose of spying on Americans. Fail yourself.
weaselone
@NR:
There, fixed that for you. It’s technology. It can be used to enable spying on both foreigners and also on Americans. That it was developed primarily to spy on Americans is not supported by the articles in question.
cleek
@NR:
you didn’t happen to notice the by-line on the Guardian article, did you?
bemused senior
Please read this Guardian column by Bruce Schneir: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
He has seen the Snowden documents and is working with the Guardian to review their articles.
johnny aquitard
@kindness:
It is likely they had little choice. The NSA hits them with ‘national security’ powers and what are they going to do?
Reminded me of in mid-oughts when the Patritiot Act and nat’l security was being used to get what books people were reading at public libraries. I had read about librarians who were compelled to hand over those lists and then put under a gag order to keep silent about it. Play ball or go to jail. IIRC some libraries responded by not keeping records. They traded some organizational effectiveness to preserve patrons’ privacy.
As with the librarians, if one of these tech company employees contacted a reporter in an attempt to expose what the NSA was doing, well the guy better do it face-to-face and hope the reporter never communicates with anyone other than face-to-face about his identity else he will be found out. And hope every other person involved in the story does likewise. Fat chance, that.
Kinda makes exposing such conspiracies very risky, I’d say.
We absolutely need privacy in communications (“secure in our papers”, etc) to function as a free society.
taylormattd
@cleek: IT IS A DEEP REVELATION OK??
My god. A story about a fucking spy agency breaking encryption. At least mistermix hasn’t gone full srv yet.
taylormattd
@johnny aquitard: I think you’ve managed to leap about 50 or 60 steps beyond what was on any of the powerpoint slides.
burnspbesq
@Kurzleg:
Been there recently? There’s a high-res surveillance camera on what seems like every corner.
burnspbesq
@johnny aquitard:
Actually, you need to brush up on the state of the law regarding the attorney-client privilege. The theoretical possibility that NSA could brute-force the encryption on stuff that I upload to a server in Switzerland for backup doesn’t vitiate the privilege. All that is required is that I take reasonable steps to safeguard the privilege. The bigger threat to the privilege is leaving privileged documents on your desk when you go home at night, knowing that the cleaning service and a whole host of other people have access to your desk while you’re gone.
johnny aquitard
@taylormattd: Seems like a lot of people here made that leap years ago, judging from their responses of “well duh”.
fuckwit
@cvstoner: Good analysis, but you’ve always needed to trust every step in a chain of technology in order to fully trust the results. That’s not new.
The word “secure” is overbroad, and, I think, should not be used by itself. Secure from what or whom, specifically? That matters a lot, and in fact I think matters more than anything.
If your bank traffic is secure from Bulgarian haxx0rs and the Russian Mafia, then you’re good. Doesn’t matter to most people if the NSA can read it, only if some thug-ass is going to charge $2k of TV equipment to your stolen credit card at a massive electronics store in Moscow or wherever.
If your computer and web server and router network are secure from skript kiddiez running pen-testing distros, then you’re good. It’s secure from the threats you are most likely to face.
If your corporate data is secure from Chinese competitors and Anonymous mayhem-makers, then you are good. If they can steal your IP and clone your products, or deface your website, then that’s not secure enough; nut if the NSA can read it, do you really have to report that on your quarterly earnings statement?
My old man used to say “locks don’t stop dishonest people, locks just keep honest people honest”. It’s true about network security too: it’s a deterrent, not an absolute. If it makes the attack from a specific type of attacker too expensive to be worth more in effort than whatever it is you have that they might want, then that is “secure”.
So I think you’ve got this a little too broad. Secure doesn’t mean anything without qualifiers: against WHOM, specifically, and for what level of their effort. Yes those things change, it is a cat-and-mouse game, and then your security should change.
I have always operated under the expectation that whatever a national three-letter agency, especially a US, Chinese, Russian, British, or Israeli one, wants to get, they will get. I rest assured only because I keep as much encrypted as I can, and don’t have anything that’d be worth their even minimal effort to come get.
Zerotense
@JMG:
Yes, but when that’s revealed there’ll be plenty of commentators to “meh” it and tell us how naive we are to be surprised by this because the NSA has been doing this in movies for years.
jayackroyd
@cleek: Indeed. he says he’s been working with GG. As he says, it would be surprising if encryption itself has been cracked.
Jockey Full of Malbec
@bemused senior:
Ut oh.
No more government contracts for Bruce…
johnny aquitard
@burnspbesq:
Seems like it’s not so much about brute-forcing the encryption but by-passing it altogether.
Either way, would you not be concerned about your communications with your clients being read by other parties?
You say the privilege is still in effect. How, exactly? If the DEA or some other entity just read your communications with your client courtesy of the NSA, doesn’t that mean — what’s the legal beagle word here? — mean that de facto that it’s not?
That they can means you don’t have what you think you have.
Why should I believe an attorney who is defending me from some government accusation when he assures me that even though the NSA can access everything he transmits via phone or email, that what we discuss remains private.
Maybe I totally do not understand this client/attorney privilege, but I thought certain of my discussions as a client with my attorney are supposed to be confidential.
Andrey
And now my comments are getting eaten. Wonderful.
jayackroyd
@cleek: I just reread the safecracking chapter in Surely You’re Joking Mr Feynmann. Everybody should read that. it’s the simplest, clearest explanation of why security systems fail. Inevitably fail.
johnny aquitard
@johnny aquitard:
Memo to myself: If I ever need an attorney to defend me against the government (which IANALand all, but that means any criminal case as well as any civil case the government might have a stake in), make sure to ask them why they think their communications are secure.
From the NYT: “The [NSA] has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.”
Sentient Puddle
@cvstoner:
What the hell is a backdoor to an encryption algorithm supposed to even look like? Is there some unique and special key that I can feed to AES to decrypt any given ciphertext, or something just as ludicrous?
Maybe it’s a failure of imagination on my part, but this reads as damn near nonsensical to me. I simply do not buy the notion that someone could sneak a backdoor into our current encryption standards without it being found by now. There’s too many people hammering on these algorithms (including plenty with no interest in helping the US government) to keep any vulnerabilities quiet.
Ted & Hellen
@piratedan:
Because my local school board has a direct say in the operational aspects of the NSA. Got it.
We have an allegedly Democratic president and administration, but it’s my local school board I should focus on.
Nimrod.
vitaminC
Edward Snowden is so arrogant, and Glenn Greenwald is so shrill!
…
Was there something else we should take away from this?
Ted & Hellen
@Socoolsofresh:
Pay attention to the nyms. The hard core, brain dead Bots are really the same 20/25 kool kids over and over and over again. They like to type the term “we” a lot to promote the idea that they are an overwhelming majority here.
STFU is their primary battle cry.
lojasmo
@Starfish:
My bank account is insured.
Pat
“Snowden’s revelations are old news!”
“Snowden’s a traitor for leaking secrets”
Which is it now? Good loyalists must keep their story straight.
CVS
@Sentient Puddle:
Perhaps I misspoke a bit. The basic algorithm is sound, which is why the NSA cannot run a direct brute force attack against encrypted data with a strong key. This is why they have elected to attack the implementation instead of the underlying algorithms.
There are only two or three source code libraries that are used by the majority of encryption software. It would seem that the NSA has either worked with or coerced the vendors of these libraries to weaken the encryption. Since these code libraries are either closed source and/or extremely complex,independent verification against this kind of weakening is either impossible or extremely time consuming.
The NSA has also approached the communications companies to receive the information directly.
Matthew Green has a more elegant description here : http://blog.cryptographyengineering.com/2013/09/on-nsa.html
Pat
I’m willing to bet dollars to donuts that the commenters here laughing at how silly we plebes are for assuming the internet is secure haven’t conducted a non-electronic transaction for over $100 themselves in the last 5 years.
Bill Arnold
@Emma:
There is also what has long (very long) been known as “rubber hose cryptanalysis”.
(AKA torture, if the euphemism isn’t clear.)
Ruckus
@cleek:
Not actually a rumor. Of course you knew that.
I used to be in charge of my ship’s internal communications when I was in the navy. That means the old style mechanical phone switches and switchboard. We could listen into any conversation on the ship, including those coming into the ship when in port and plugged into the outside world phone system. And if we could listen, we could record. And this was the exact same technology used by the phone companies at the time, late 60’s early 70’s.
Bill Arnold
@Emma:
While this is true, I still have some practical faith in large key symmetric-key crypto algorithms that have been vetted by the public crypto community, which is a lot more talented than the public community 40 years ago. Shared keys are kinda vulnerable from a physical security standpoint though.
Public key crypto, not so much. RSA, at least, seems like cheating. (I could be wrong, this is just gut level paranoia.)
As always, the protocols and systems built around these algorithms are a lot less disciplined and they and the endpoints (computers, phones, etc) are where the vulnerabilities are usually found. That, and people insisting on using short passphrases with not much information content.
different-church-lady
@cvstoner:
Another service Snowden has given to humanity!
jayackroyd
@different-church-lady: @cvstoner
I’m not sure what you mean by this. The “internet” is not secure. It’s a communications protocol. What is or is not secure is 1) the traffic, through encryption and 2) the devices that store and transmit the traffic. The revelation here is the people in charge of the devices that store and transmit the traffic have been compromised. Not the encryption methodologies, but the implementations have left the government keys to the back door of the devices and, perhaps, have crippled their encryption methods because they were told to do so by the government.
It’s not even secure or not secure so much as the user being deceived about the security of his or her communication,. If we knew windows provided a back door on every device, we’d use more open air devices. It’s a pity really. Worse than spam, and spam is pretty bad.
Bill Arnold
@Robert Sneddon:
I actually do remember that saga quite well. Basically DES was a good cipher, possibly strengthened by the NSA to make it more resistant to differential cryptanalysis-like attacks (not known to civilians at the time), but they insisted on a short key, 56 bits, so that they could do key exhaustion when needed. Sort of “nice cipher, key is too long, please shorten it”. Eventually civilian hardware became able to do the key exhaustion.
Triple DES with three independent keys is still used and probably still practically unbreakable. (I wouldn’t trust EDE with two independent keys (K1 == K3) any more though, except maybe for short-term security, or as a time lock picked by Moore’s Law and time.)
Key length in block ciphers (DES, AES 256) is not the same as key length in public key systems. Shorter is OK if the only practical attack is key exhaustion. It is reasonably straightforward to estimate how much effort key exhaustion requires.
[Disclaimer: not a cryptographer/cryptanalyst.]
Bill Arnold
@Betty Cracker:
Not speaking for cleek. Hard to say without additional information. There is a thriving civilian academic and industrial computer security and cryptography/cryptanalysis community and their attention will be seriously focused on public standards now. I would expect some interesting publications in the next year or two. (What they find might have nothing to do with the NSA.). In the meantime I would start distrusting https a little more.
Bill Arnold
@cleek:
In particular, this entry addresses the current issues directly.
Bill Arnold
@dollared:
OK, I have to ask out of curiosity. How deep was the auditing by you (or your team)? (And did the German government report any vulnerabilities?)
Jonothan8
There’s a great book about the New Zealand end of the Echelon programme called ‘Secret Power’ by Nicky Hager, which I would recommend.
I'mNotSureWhoIWantToBeYet
Meh.
The US government has had export controls on encryption tools for a long time. When the Internet took off, they had to revise the rules to allow companies to export things. They revised those rules in 2000:
Why would they be interested in looking at certain encryption products before sale?!? I wonder… ;-)
It seems that even back then, they felt they had ways of dealing with those types of encryption products. Key lengths didn’t seem to be an issue in products that they were already allowing to be exported.
As others have said, the NSA cracks codes and collects foreign intelligence. Nobody should be surprised that they, actually, know how to do that.
FWIW.
Cheers,
Scott.
Dude in Princeton
@Belafon: So I guess they “still had to get a warrant” and “talk to judge” to spy on their romantic interests.
The education system in this country really is broken, isn’t it?
Central Planning
@cvstoner:
I have a master’s in software engineering. In the discussion on this thread, I don’t think it matters.
Anyway, I wasn’t really disagreeing with you. That was really my point (besides flashing my master’s creds too). Plus, this thread is probably dead so nobody will see it anyway.
The Gray Adder
P = NP?
I'mNotSureWhoIWantToBeYet
@The Gray Adder: P = NP:
IOW, it’s an important but relatively esoteric math problem.
HTH.
Cheers,
Scott.
marshall
@joes527:
Almost anything built specifically for the DOD (as opposed to commercial technology the DOD happens to buy). They tend to insist on it.
marshall
@Emma:
Don’t be so sure. The Russian one-time pads were, for example, created by having secretaries type randomly. Trouble is, people are bad at typing randomly, so the Russian OTPs were not really random. Nothing is known publicly, but I would not bet my life that the Russian OTP was never broken using that.
Of course, the Verona breaks occurred because the Russians were re-using OTPs, which is a total violation of security protocols, and made a break easy. But then, the Enigma break occurred because the Germans were not using the Enigma properly. And the Lorenz break occurred because the Germans were not using that system properly. There is a pattern here, which is why I do not regard even (say) ECC as unbreakable. The math might be secure, but the implementation could have holes, and it is the implementation that counts.