Slashdot Mirror
NSA Foils Much Internet Encryption
An anonymous reader writes "The New York Times is reporting that the NSA has 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.
I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.
I'd wager that the fundamental flaw in HTTPS is that the government has the private keys direct from the CAs. The protocol is flawed in the key management (as most are).
Socialism: a lie told by totalitarians and believed by fools.
Just don't use paypal to get funding...
Any nation would prove to be an unethical steward of the Internet: power tempts and corrupts, whether it's the power to control the Internet, the power to wage war and kill people, the power to mess with the economy, or the power to hand out "benefits" to people.
The only solution to any of these problems is to rely on decentralized mechanisms that can't be controlled and corrupted by central authorities, and to limit the power of governments as much as possible and to the absolute minimum.
There are a surprisingly large number of public key generators with weak random number generators:
And those are the ones we know about.
For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.
Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
How did the NSAs ability to decrypt most of the encrypted communications of the world prevent Syria's chemical attack on its own people?
Or even help after the fact, for that matter?
How is helping Syria's people even part of the NSAs charter?
Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.
The NSA is operating far outside of its charter. Put them straight.
Why is it so hard to only have politicians for a few years, then have them go away?
This has nothing to do with liberal or conservative and everything to do with the power of government.
From Bruce Schneier:
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
I don't read your sig. Why are you reading mine?
I trust the math, even though I don't understand it.
I don't necessarily trust the people who coded the math into a program.
I don't necessarily trust the computer that is running the program.
//TODO: Think of witty sig statement
With closed source, you don't know if it's secure and you can't verify that it's secure and now we have these NSA documents which state that they have already compromised the most popular commercial security software and they are working on compromising the rest of it.
With open source, you don't have a guarantee that it's secure but you do have lots of knowledgeable people looking at the code (especially now) and you yourself can audit the code. It has a much higher chance of being secure.
You're right, "a security solution with a destroyed reputation is no solution at all"... and the NSA just destroyed the reputation of all commercial security software.
I don't read your sig. Why are you reading mine?
While you guys are cracking jokes on ROT13, a letter to NYT ( http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0 ) caught my attention
- - - B Missouri Reader
Missouri
On the one hand, âoeIn the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,â but on the other hand the liberties of Americans are at risk by such programs.
In other words, we face a situation where the strongest, most secure nation can no longer be a nation that guarantees the rights of its citizens.
Privacy is not simply a convenience, but it is intimately linked to free speech and to the future prospects for democracy in America. Key elements of the Constitution provide a framework where incumbents can be challenged in free elections, ensuring that better ideas and better leaders will become available to guide the nation. But nobody can win an election against an incumbent with unlimited access to the communications of its rivals. We're not there yet, but the trend is in that direction.
It is high time that members of both parties in Congress get off of their high horses and address this growing threat to our democracy. Technical and legal hurdles must be cleared, and it may even be necessary to make significant changes in the way the internet works. But time passes very quickly in the technology world, and the clock has already been ticking for quite a long time."
Muchas Gracias, Señor Edward Snowden !