The Guardian, ProPublica and the New York Times yesterday simultaneously published articles on the latest revelation to come out of the Edward Snowden documents and they are doozies. The articles reveal that the government has been very successful in trying to break the encryption codes that are used to protect all our data, like our medical records and bank accounts and everything else. And it reveals that US tech companies (both hardware and software) have colluded with the government to provide backdoor access to the government in order to gain that access. The result is a system where little or nothing in our lives is safe from the prying eyes of the government.
The Guardian article says that they had been asked to not publish this information but refused.
Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.
The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide.
ProPublica explains why they decided to publish their piece anyway, saying that it is important for people to know how much their expectations of privacy have been betrayed and by whom.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way.
…The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
…The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
You can be sure that if only the feckless Times had this information, they would have complied with the government’s request, which is why I wrote that Snowden and his team have been brilliant in the way they have forced the establishment papers to also be more transparent.
The Guardian article describes in detail what was done by the NSA and how, with the goal being “for the US to maintain unrestricted access to and use of cyberspace”. The end users of the software and hardware (i.e., you and me) are tellingly referred to as “adversaries”. This is in fact accurate. The government does consider us to be enemies to be subjugated. Does anyone still think that all this has to do with just combating terrorism?
Here is some of what The Guardian article reveals:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
…Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
…The key component of the NSA’s battle against encryption, its collaboration with technology companies, is detailed in the US intelligence community’s top-secret 2013 budget request under the heading “Sigint [signals intelligence] enabling”.
…The documents show that the agency has already achieved another of the goals laid out in the budget request: to influence the international standards upon which encryption systems rely.
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
The documents reveal one of the most closely guarded secrets: the collusion of private companies with the NSA in breaching their customers expectations of confidentiality and how important the government felt that it was to keep the extent of the government’s subversion of privacy a secret.
A more general NSA classification guide reveals more detail on the agency’s deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices “to make them exploitable”, and that NSA “obtains cryptographic details of commercial cryptographic information security systems through industry relationships”.
The revelation that the NSA got US computer manufacturers to insert encryption backdoors into their hardware is bound to have negative impact on US companies business sales. Why would anyone in any other country use US-made computers, software, or its cloud services, knowing that those companies would be handing over their encryption keys to the US government?
The US government is always quick to condemn when other countries use the internet to spy on their own people. It now stands revealed as the worst perpetrator of that practice, one more charge of extreme hypocrisy to be added to all the rest. No wonder president Obama seems to be willing to move heaven and Earth to get his hands on him. I would hate to think what they would do to Snowden if they ever got to him.
The more revelations that emerge from Snowden, the more it becomes clear that he has provided an immense service to all of us and why he must be protected from Obama’s vindictiveness.
unbound says
So….they need to hack all the encryption schemes for metadata according to the government’s official story. Someone needs to hand them a current dictionary, because that’s not what metadata is…
Lassi Hippeläinen says
Nothing new under the Sun.
http://www.canadafreepress.com/index.php/article/1169
Some people also think that the NSA was behind the Greek case.
https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
Marcus Ranum says
A bit of reading between the lines:
It sounds like the NSA compromised a few of the big websites’ keys, either through insider jobs (“key purchase attacks”) or via other cracks in the keys. In the past there have been cracks in keys such as timing attacks* and flaws in random number sampling** I have long found it suspicious that Verisign and RSA were given a pass by NSA during the early days of the encryption wars. I have also found it suspicious that Verisign’s headquarters used to be practically across the street from CIA headquarters; there’s a significant revolving door there, as well. NSA has a history of involvement in the setting of standards, such as the involvement they had in ‘improving’ Crypto A.G.’s cipher products*** -- based on a rather odd lunch conversation with Carl Ellison in 1991, he published a paper at the rump session of one of the crypto conferences based on my hypothesis that it would be possible to develop applications that were indistinguishable on the outside from public key transactions, but which, in fact, used an embedded secret to produce key exchanges that were readable by the holder of the secret. There are other things to wonder about, such as why SSL is implemented to do all kinds of fancy stuff with certificates but still manages be be fairly easy to attack with a man-in-the-middle attack. It’s almost as if … the standard committee lost interest in producing a workable crypto layer as soon as RSADSI was going to be able to collect their license-rent and they had something that was half-assed but good enough to keep ordinary hackers out.
My guess is that the NSA pursued all of those options in parallel. There were any number of breaks in various web server implementations, that could have allowed an anti-cryptographic attack to be launched. A normal hacker would never bother with such an attack, but NSA might. The scenario looks like this: suppose a new buffer overflow attack is discovered in apache httpd, an exploit is crafted to be used against it which -- instead of calling out to a shell like a normal hacker attack would do -- instead dumps a core image of the running process’ memory, which would include the secret side of the public key pair which has to be kept decrypted in memory, in order to use. A few months later, the buffer overrun could be ‘outed’ in a normal patch and it would not need to be used. Having the secret side of the public key pair would allow anyone who had the complete SSL transaction to read it, even retroactively. Additionally, anyone at the target with system privileges could just ‘gcore’ the process that’s executing the server-side SSL and carry it out on a thumb drive.
(* One example was the discovery that you could tell a lot about the # of digits in one of the pseudoprimes by closely watching how long it took to perform the calculations in a signature)
(** One website used a poorly seeded pseudorandom number generator, which could be subjected to search -- it only had 32 bits worth of strength!)
(*** Improving them, so that NSA could trivially crack them but nobody else could)