Time to pay attention. (related video)
Quick background on my perspective: Stories about Snowden himself are boring. Stories about his girlfriend, stories about his politics, and even speculations about his being an agent of Russian intelligence… Boring.
More interesting are the revelations themselves, painting an NSA whose general goal appears to be the interception and permanent storage of all human communication. Everywhere.
But how are they doing it? By obtaining covert access to Google’s servers? By convincing Microsoft to change Skype’s protocol from peer-to-peer to peer-to-Microsoft? By forcing Web site operators to hand over their SSL keys?
How pedestrian. I mean, this is the agency created as a direct response to the Allied experience during World War II, where without the code breakers, we might have lost. This is the quasi-military organization absorbing billions of dollars per year while remaining “non-existent” for decades.
Speculating about NSA’s capabilities, especially cryptological capabilities, has been a hobby horse of mine for a long time. But none of the Snowden revelations shed any light whatsoever. Fair enough, I figured. Maybe NSA reserves the serious codebreaking for more important things than reading my Email. Maybe the good stuff was above his pay grade.
…or then again, maybe not.
N.S.A. Able to Foil Basic Safeguards of Privacy on Web
This is a jaw-dropping article. I am mildly paranoid, but things even I would have called dumb conspiracy theories are being reported as fact in the New York Times. (Ideas like NSA blackmailing Congress are still dumb, but even that I have been forced to upgrade from “laughable” to “very unlikely”.)
Let’s start with DNI Clapper’s response:
The fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news
Compare that to the three essential claims in the NYT article:
- NSA has practical attacks against SSL/TLS.
- NSA has convinced / paid / forced U.S. manufacturers to insert deliberate vulnerabilities into both hardware and software security products.
- NSA has infiltrated and undermined Internet standardization bodies, encouraging widespread adoption of vulnerable algorithms and protocols.
With due respect to Gen. Clapper, all of this is most definitely news.
I have a lot more to say, including my own wild-eyed speculations about (1). But I think I will make this multiple posts.
I will mention that (3) has touched off a bit of a firestorm among academic and professional cryptographers. If NIST cannot be trusted, we have a problem… And NIST can no longer be trusted.
Story of the week, if not the year.
P.S. The NYT graphic and (redacted) raw documents deserve close scrutiny.
The degree with which the NSA has had to compromise corporations and the standards bodies speaks to the overall strength of the cryptography itself. That being said, they’ve gone to such lengths to insert vulnerabilities that nobody can trust any software product. (Which may be why Greenwald’s partner was physically transporting data when he was detained.) The NSA has effectively transferred our focus of trust from software products, to the NSA itself. “This is all to keep us safe from terrorists.” etc.
So what if the intelligence is being used in other ways? We already know it’s being used against drug smugglers. What about political movements? (Occupy, Tea Party?) Or industrial espionage? IMO, that’s the next shoe to drop. (NSA has intervened in international commercial deals before.) The NSA has resorted to covert infiltration of telcos to insert software vulnerabilities already, why wouldn’t they also use their surveillance capability to further their mission? And if this helps drive profits up for their partner corporations, so much the better.
It pays to have friends in high places.
Nice piece. I have started using GnuPG for e-mail. I have been using Truecrypt for quite a while. I suggest we all try to encrypt as much of our communication as possible. If nothing else, that may slow NSA down a bit.
Sorry, my brain isn’t quite awake yet. GnuPG and Truecrypt are open-source shareware products. That means it’s difficult for NSA (or anyone) to sneak in back doors because there is a strong likelihood that one or more project members will notice. Mainly fyi.
SSL/TLS has been vulnerable to man in the middle attacks from day one. There’s so many ways, it’s embarassing:
– Just rely on the user clicking through “proceed” when shown an invalid certificate (will already catch 99%+ of targets).
– Register a credible domain name — internet companies ruined PKI infrastructure by using a plethora of domains themselves, so now it’s hard or too much hassle to check that say google-mail-server.com is owned by google or a hacker.
– There are 100s of certificate authorities who have their root certificate shipped with browsers and other clients, you only need to hack/buy/own the private key for any one of them to be able to sign your own certificates.
All this can be done by a determined lone hacker. If the NSA stole or simply asked for say microsoft’s certificate private key, it only gives them a tiny advantage compared to the lone hacker…
That they may have required companies to use broken random generators, or added hackable constants in protocols is interesting politcally — doing that without oversight in a democracy is creepy, and indeed a bit more than I’d have expected they do — but not so much technically. You could argue it’s a political error: the NSA may have sacrificed it’s political credibility for very little benefit.
What would be really interesting technically is if they broke AES or another state of the art block cypher, or really found a way to factor big prime numbers quickly ahead of the public math geeks. But so far there’s no sign of that.