Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Foils Much Internet Encryption

Posted by timothy on from the do-your-taxes-buy-civilization? dept.

An anonymous reader writes "The New York Times is reporting that the NSA has 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.

4 of 607 comments (clear)

  1. Re:Uh... okay by Hatta · · Score: 5, Interesting

    Cracking doesn't mean brute force. If you compromise the key, the encryption is just as surely cracked. Chances are what they really mean here is that they've compromised the certificate authorities that are trusted by default by most web browsers. Turns out self signed certificates really are more secure.

    GPG and SSH are probably safe as you generate your own keys on the local machine.

    --
    Give me Classic Slashdot or give me death!
  2. Lenovo? by steelfood · · Score: 5, Interesting

    From ProPublica:

    In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

    Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.

    This seems to indicate those people are correct.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  3. Re:Uh... okay by Hatta · · Score: 5, Interesting

    No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site.

    That's what's meant by "compromise".

    Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning.

    If you remove the CAs from your list of trusted certificates, it would display a warning.

    Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert

    Unless the NSA is forcing the CAs to compromise every single certificate they offer. They may not be, but it would be foolish to assume that they aren't.

    --
    Give me Classic Slashdot or give me death!
  4. Re: SSH? by 0111+1110 · · Score: 5, Interesting

    I think at this point it is safe to assume that all US or US ally based commercial software of any kind that is of some value to the NSA/GCHQ has been compromised. I would imagine that this will present a huge advantage to open source software in relevant fields. IMO any software company that allowed such backdoors deserves to go out of business. It also means that commercial anti-virus, firewall, and other security software has to be assumed to be backdoored for the NSA/GCHQ. This also gives Linux a huge advantage because it is not so dependent on high quality security software.

    --
    Quite an experience to live in fear, isn't it? That's what it is to be a slave.