NSA Foils Much Internet Encryption

An anonymous reader writes "The New York Times is reporting that the NSA has 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.

Let us endeavour to create better encription

[ackthpt]

For awesome powa

Re:Let us endeavour to create better encription

[The+Grim+Reefer]

For awesome powa

Hasn't the majority of the internet already applied that twice?

Re:Let us endeavour to create better encription

[NettiWelho]

Hmm... I have a creeping feeling the NSA has already introduced a vulnerability into the rot13! If you click on encrypt twice the original contents are revealed!

Re:Let us endeavour to create better encription

[snowraver1]

You actually have to do it three times to be secure - like 3DES

Re:Let us endeavour to create better encription

[slashmydots]

Yes, rot13 is huuuuge lol. But for one way encryption similar to hashes, they just run it through Google translate to 5 different languages, at least one of which is asian-based and one of which is latin-based. Studies have shown that whole letters encrypted with 5-layer google translate method are impossible to return to its original form, making it vastly superior to MD5 and SHA256.

Re:Let us endeavour to create better encription

[Austerity+Empowers]

We can all participate in this research!

http://translationparty.com/

Re: Let us endeavour to create better encription

[flyingfsck]

You jest, but I have been wondering about adding a large block of urandom data at the bottom of each of my email messages, just to give the NSA grief.
***255DES*** =-w%(:RvO R-*_fTM)[=vz?"{|T***EOT***

SSH?

[Phibz]

I wonder if their list includes SSH

Re:SSH?

[Yaur]

The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered. But there are so few details in the story its hard to know how technically competent the staff who reviewed the documents and therefore how serious the threat is.

Re:SSH?

I wonder if their list includes SSH

OpenSSL came from SSLeay, which was created outside of the US specifically for this reason.

Its not a technical attack in the first round;

    The long, strong arm of the NSA
    July 27, 1998
    Web posted at: 4:15 PM EDT
    http://edition.cnn.com/TECH/computing/9807/27/security.idg/

    [..]

    It's gotten to the point where no vendor hip to the NSA's power will
    even start building products without checking in with Fort Meade first.
    This includes even that supposed ruler of the software universe,
    Microsoft Corp. "It's inevitable that you design products with specific
    [encryption] algorithms and key lengths in mind," said Ira Rubenstein,
    Microsoft attorney and a top lieutenant to Bill Gates. By his own
    account, Rubenstein acts as a "filter" between the NSA and
    Microsoft's design teams in Redmond, Wash. "Any time that you're
    developing a new product, you will be working closely with the NSA,"
    he noted.

    [..]

    Clearly wary of granting the government supervision over its products,
    Microsoft has stubbornly refused to submit a data-recovery plan, even
    though the Redmond giant already includes a data-recovery feature in
    its Exchange Server.

    "The Exchange Server can only be used when this feature is present,"
    Rubenstein said. "Because we haven't filed a product plan, it's harder
    for us to export this than for companies that have filed plans."

    [..]

Re:SSH?

[lgw]

I'd wager that the fundamental flaw in HTTPS is that the government has the private keys direct from the CAs. The protocol is flawed in the key management (as most are).

Re:SSH?

[jasno]

Yeah, I figured they can always classify the private keys as business records and request them via subpeona. Nothing in the law prevents it.

Re:SSH?

[MightyMartian]

Yes, it goes without saying that the supreme weakness of key-based encryption is that you're only as secure as the security of the signing keys themselves.

The proper way to do it is to have your CAs sitting on a non-network connected computer sitting in a secure location, with as few individuals having access as possible. Obviously that's not 100%, as the NSA could still show up with a warrant, but you're going to know when you've been compromised, which is, really, the whole point behind proper key management.

Re:SSH?

[lister+king+of+smeg]

Unless you exchange private keys offline, manually, preferably not using any temporary electronic storage means, the NSA has your keys.

um you never exchange privet key's you only share public keys.

Re:SSH?

[amorsen]

The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered.

You do not need to break RSA or AES to break a lot of VPNs. I.e. if you use aggressive mode IKEv1 PSK (typically plus XAUTH, but that does not actually help), the shared private key can be recovered by offline attacks. NSA supercomputers should have no problem handling most keys. Alternatively, if certificates are used, many organizations buy premade certificates including secret keys instead of going through the trouble of generating their own secret keys. That means the NSA only has to compromise the few certificate vendors.

And this is just the passive attacks the NSA can do. If they actively interfere, they can use downgrade attacks or (for HTTPS) the various TLS vulnerabilities or use proper fake vendor certificates or all sorts of other mischief. That is harder to pull off unnoticed of course.

Very little equipment supports IKEv1 with "raw" RSA keys (no certificates), even though that takes the whole PKI problem away and avoids aggressive mode. I'm only aware of (free|open|libre|strong)SWAN and RouterOS. IKEv2 is almost non-existent, and what little equipment supports it tends to only support the equivalent of IKEv1 main mode with PSK or certificates -- precisely the areas where IKEv1 is already good enough.

For those of us who use proprietary encryption acceleration: how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).

Re:SSH?

[bloodhawk]

Why would anyone ever exchange private Keys???? The system does not work that way.

Re:SSH?

[IamTheRealMike]

Certificate authorities never see private keys so you are dead wrong about that. What's more, even if a rogue CA was minting bad certs on the fly to attest that the NSA was really foobar.com, that would have been noticed. Remember that secrecy is something they value insanely highly. They wouldn't ever do something so easily noticed and the articles do not imply any kind of CA compromise.

In fact if you read all the stories (they overlap largely but not entirely) you can get a vague picture of what's going on. Firstly, they record all encrypted traffic in case they can decrypt it later. Secondly, they have a database of public to private keys, populated via any means they can. Thirdly, they obtain keys in lots of ways (hacking, subversion, bogus court orders, brute forcing old/weak keys etc) but they don't seem to have a magical solution to all strong crypto. The closest that the leaks come to this is discussion of some amazing cryptoanalytic breakthrough, which could possibly mean they're able to break some kinds of RSA? Perhaps they're ahead of Joux et al by some years?

Regardless, what it is, it can't be a solution to all crypto, because these governments apparently asked the newspapers not to publish on the grounds that people might switch to stronger systems that worked.

Re:SSH?

[Score+Whore]

A) The NSA probably directly runs half of the CAs and thus own the root keys that come configured in your browser.
B) Absent some fancy crypto skills, having the CA root key only allows them to MITM connections. Doesn't help with decrypting a captured stream.

Re: SSH?

[MightyMartian]

To fully secure our VPN, I've now built a CA on a non-Internet connected machine which sits behind lock and key. I use it to create SSL certificates for our VPN routers. I'm not building these Certs for Joe Average to connect to my servers, I'm building them so I can be sure that communications between my VPN endpoints is secure, and by securing the CA I can be certain that the likelihood of anyone, including the NSA, can break into my VPN tunnels with any kind of non-local exploit is low to nil.

Re:SSH?

Bruce Schneier should be technically competent enough for you, see his articles today at the Guardian.

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

Re:SSH?

[sneakyimp]

I'm more inclined to trust Bruce Schneier who says "I trust the mathematics," than the authors of this sensationalist NYTimes article. To me, it seems like they completely lack any nuanced understanding of the information flow and its vulnerabilities and are merely depending on whatever third-hand analysis they might have gleaned from reading other amateur blogs.

I agree that going to the service providers (e.g., google, yahoo, apple, phone companies, etc.) or building a backdoor into the software is a good way to go about it, but I hardly think that means that the NSA is "winning the war on encryption."

Re: SSH?

[mspohr]

From the article it sounds like the NSA has compromised most commercial VPN software (and is working on the rest) with backdoors, etc.
Do you use commercial (non open source) VPN software? If so, it doesn't matter that your keys are secure.

Re:SSH?

[sneakyimp]

Mod parent up. Nobody talking about this even seems to have the vaguest understanding of encryption.

Re:SSH?

[mspohr]

The article states that they are working with commercial software vendors to insert back doors, vulnerabilities, etc. into their software. This is much easier than trying to break RSA or AES by brute force.
I think we have to assume that all commercial software has been compromised and is vulnerable.
Only trust open source software where the code has been audited carefully.

Re: SSH?

[vux984]

This case self signed certs would be safer.

Self signed certs have always been safer when used properly.

In a closed controlled enterprise environment self-signed certs are fine, and reasonably easy to do well.

Using them properly on the public internet however is pretty much impossible. Keys with a chain of trust to a 3rd party certificate authority (e.g. verisign, comodo, et al) are exactly that ... chains of trust. Can I trust that verisign hasn't be compromised by your average hacker? Probably, for the most part yes. Can I trust that verisign hasn't rolled over and opened its legs for the NSA? No. I can't.

But having the average https site switch over to self-signed certs to avoid using NSA-compromised-verisign isn't a solution as I have no convenient way to verify when i enter their web address that I haven't been presented with a MITM site (hosted by a hacker... or even by the NSA which is the whole reason we dumped Verisign certs for self-signed in the first place...)

Re:SSH?

[gutnor]

Certificate authorities never see private keys

Theoretically, in practice average Joe buy their certificate and private keys from a third party. And obviously if you use any type of hosted environment, you must provide the private key.

Even big companies do not run their own datacenter nowadays, hell even Banks do not run everything onsite so I wouldn't be surprise me if the NSA did not already have the majority of the SSL private keys.

Re:SSH?

[Cramer]

To be 1000% clear... all a CA does is sign keys generated by others. They never see the private server key(s). Having the CA signing certificates doesn't give you the magic ability to decode a site's traffic; it only allows you to pretend to be that site. (assuming you can get the users traffic to come to, or through, you. and that other steps (fingerprint validation, serial number checking, etc.) aren't being used.)

Re:SSH?

[Frobnicator]

I'm more inclined to trust Bruce Schneier who says "I trust the mathematics," than the authors of this sensationalist NYTimes article

I trust the math, even though I don't understand it.

I don't necessarily trust the people who coded the math into a program.

I don't necessarily trust the computer that is running the program.

Re:SSH?

[mi]

My old boss was employee 7 at Verisign and he says he was there the day they came for the keys.

The silver lining in this sad story is that the algorithm used by SSL itself is still unbreakable to the NSA. They wouldn't have needed the keys otherwise. So asymmetric crypto is still sound — if used properly — and privacy-minded people can still use it to communicate...

Re: SSH?

[0111+1110]

I think at this point it is safe to assume that all US or US ally based commercial software of any kind that is of some value to the NSA/GCHQ has been compromised. I would imagine that this will present a huge advantage to open source software in relevant fields. IMO any software company that allowed such backdoors deserves to go out of business. It also means that commercial anti-virus, firewall, and other security software has to be assumed to be backdoored for the NSA/GCHQ. This also gives Linux a huge advantage because it is not so dependent on high quality security software.

Re:SSH?

[IamTheRealMike]

It's here: http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html?ref=us

Re: SSH?

[mspohr]

With closed source, you don't know if it's secure and you can't verify that it's secure and now we have these NSA documents which state that they have already compromised the most popular commercial security software and they are working on compromising the rest of it.
With open source, you don't have a guarantee that it's secure but you do have lots of knowledgeable people looking at the code (especially now) and you yourself can audit the code. It has a much higher chance of being secure.
You're right, "a security solution with a destroyed reputation is no solution at all"... and the NSA just destroyed the reputation of all commercial security software.

Re:SSH?

[swillden]

Certificate authorities never see private keys

Theoretically, in practice average Joe buy their certificate and private keys from a third party.

Um, no, Joe average does not. Joe doesn't understand where his keys come from, but the CA doesn't provide them.

The public/private key pair is generated on Joe's computer. Most CA's issue certificates through a web-based form, and that form triggers the browser to generate the key pair locally. Then the public key is placed in a certificate request and uploaded to the CA. Some time later the CA signs the public key and produces the resulting public key certificate, which is downloaded.

The private key never leaves the user's computer until they move it somewhere else (e.g. to install it in their web server).

Re:SSH?

[Marillion]

My suspicion is that they can monitor the AES key negotiation during SSL handshake. I've heard enough experts say they still trust AES. But if you as a government agency can compel a company to disclose their private RSA/DSA key then snooping SSL is easy. SSL uses the RSA/DSA public to encrypt the session symmetric encryption key. If you know the RSA/DSA private key, then you can easily decrypt that session key and then snoop the communication.

Re: SSH?

[skids]

That is assuming the NSA doesn't send developers into OSS environments to insert cleverly obfuscated and plausibly deniable vulnerabilities. OSS is spread pretty thin in many areas. Some products you would think would have a team of tens of developers have more like 4, and there is a good probability there will be a deficiency in either expertise or time.

Uh... okay

[cryptizard]

I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.

Re:Uh... okay

[Hatta]

Cracking doesn't mean brute force. If you compromise the key, the encryption is just as surely cracked. Chances are what they really mean here is that they've compromised the certificate authorities that are trusted by default by most web browsers. Turns out self signed certificates really are more secure.

GPG and SSH are probably safe as you generate your own keys on the local machine.

Re:Uh... okay

[cryptizard]

I don't know that it is necessarily true, but I wouldn't bet my life that they don't have a backdoor on at least one root CA. Remember, you don't need all of them, just one can do a lot of damage.

Re:Uh... okay

[cryptizard]

No, no and no. It would take a SIGNIFICANT theoretical break on encryptions to bring them within the realm of brute force capability. Even 80 bits of security is considered well outside of the reach of existing machines, and AES has at least 128 bits. Remember, every bit doubles the amount of time it takes to brute force. It would take all the computers in the world billions of years to brute force one key.

Re:Uh... okay

[dgatwood]

No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site. Then, they can freely MITM that site. SSL is swiss cheese as security goes, because certs are automatically trusted if signed by a CA, are never stored, and their designated requirements are never checked when determining whether a new key should be trusted or not. In short, SSL is a train wreck.

Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning. Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert. By contrast, a CA-signed cert makes it much harder to perform a MITM attack the first time a user goes to your site, effectively limiting such attacks to those who can convince a CA to give them a cert for your site. Guess which is more likely.

Re:Uh... okay

[Hatta]

No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site.

That's what's meant by "compromise".

Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning.

If you remove the CAs from your list of trusted certificates, it would display a warning.

Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert

Unless the NSA is forcing the CAs to compromise every single certificate they offer. They may not be, but it would be foolish to assume that they aren't.

Re:Uh... okay

[IamTheRealMike]

There's nothing in the articles that implies this. Backdooring a CA only helps if several things hold:

1) They can not only intercept but also rewrite traffic on the fly. Possible, but if so, not yet mentioned in any leaks.

2) They're willing to take the chance that someone might notice.

So an operation against a single site, definitely possible. But they are clearly desperate to grab everything, all the time! Their whole MO is not targeted investigations but to spy on everyone simultaneously. You can't use a rogue CA to do that. They'd be detected immediately, if only by geeks setting up SSL for their new personal VPS and suddenly noticing the CA their browser gets isn't the one they installed.

The problems with SSL are not that CAs exist. The model holds against the global adversary who wants to decrypt everything. The problems with SSL are almost certainly more prosaic - many websites can be automatically hacked and their keys stolen without the owners ever knowing. In the default config that allows you to then decrypt all past traffic as well. Some implementations will use old, weak keys that were strong once upon a time but have since become obsolete. Some implementations will have bad random number generators. Some implementations will run on VPS providers and are subject to side channel attacks by colocated VMs. Some keys can be subpoenad and others can be obtained by covert agents. And of course you still leak traffic metadata even when SSL works perfectly.

There are lots of ways to attack SSL that will work some of the time, and that's exactly what the leaks imply - they can beat encryption sometimes but they don't have a magic skeleton key to everything.

Re:Uh... okay

[cryptizard]

Note that no-one has been able to prove there are no efficient solutions to integer factorisation or discrete logs - maybe the reason those proofs is so elusive is because it doesn't exist.

That's because it's impossible to prove such a statement without also proving that P != NP. There is very little hope in constructively showing the difficulty of these problems, we just say "smart people have been working on integer factorization for thousands of years and they haven't figured out a way to do it, so we can trust it for now." It's not foolproof, but it's the best we can do.

Re:Uh... okay

[epine]

It's kind of like the "eye of sauron" thing. They may not be omnipotent and able to target everyone at once, but once their eye turns your way there's little you can do about it short of jumping into a volcano.

Did you sleep through the end of the movie? You can't watch everybody all of the time. It ends up becoming a resources issue, and the NSA has finite resources after all (despite spending their secret funds at 100x typical levels of government efficiency).

A central prong in this campaign is to discourage the vast majority of people from even trying to make their communications secure so that they do have enough resources to watch everyone who poses any threat at any level pretty much all the time.

Re:Uh... okay

[mspohr]

I think you can assume that most "popular" commercial encryption software has been compromised.
Bruce Schenier has a good article in The Guardian on how to protect your computer:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
From the article:
With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Re:Uh... okay

[shentino]

I'm sure part of the NSA's task isn't just compromising root CA's, but shutting down those who refuse to cooperate.

You may recall that even though lavabit shut down voluntarily the feds are still after them trying to get them busted on contempt charges for pulling the plug on themselves.

More technical discussion

[veg_all]

From Bruce Schneier Here and here.

Also a nice call to arms here.
"I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."

Re:More technical discussion

[stenvar]

but the US has proved to be an unethical steward of the internet. The UK is no better

Any nation would prove to be an unethical steward of the Internet: power tempts and corrupts, whether it's the power to control the Internet, the power to wage war and kill people, the power to mess with the economy, or the power to hand out "benefits" to people.

The only solution to any of these problems is to rely on decentralized mechanisms that can't be controlled and corrupted by central authorities, and to limit the power of governments as much as possible and to the absolute minimum.

Re:More technical discussion

[stenvar]

(1) We need to adopt technologies that are secure no matter what the government wants.

(2) We need to reduce and devolve the power of government in general in all areas: defense, federal police, welfare, health care, monetary policy, economic policy, etc. And that needs to happen in both the US and Europe.

And the crucial details.. missing

[hydrofix]

All articles are missing the crucial details; namely which cryptographic algorithms have been successfully cracked and under which parameters. Guardian writes:

The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions [...] .

Yet, the article does claim this:

"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

But they also quote Snowden that:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

Maybe we still have some hope?

Re:And the crucial details.. missing

[Laxori666]

Could they have just Man-in-the-Middle'd a whole ton of HTTPS connections? If they get certificates signed by the right authorities and have access to backbone routers, can't they just read HTTPS as if it were not even encrypted?

Re:And the crucial details.. missing

[hydrofix]

Yes, but this could show up with tools like SSL Observatory, which has recorded millions of certificates from different web sites as seen by hundreds of thousands of Chrome and Firefox users globally. They would risk eventually exposing themselves, and the CAs who signed those bogus certificates for NSA would get nuked from all browsers, which is the absolute worst thing that can happen to a CA. If they use fake certs and MITM, it would have to be very elusive, and carry a calculated risk of exposure.

Re:And the crucial details.. missing

[steelfood]

There are literally hundreds of places to attack encrypted communications. The encryption algorithm itself is just one component in a chain that must be and remain secure. The NSA only needs to compromise one part of that chain to compromise the entire system.

It can be a mathematical breakthrough. It can be an implementation flaw. It can be an implementation flaw of any related--however loosely--system. It can be an embedded individual on one end. It can be a specific external device. It can be a component--however marginal--of a device. It can be a (secret) court order. It can be a xkcd-style baseball bat to the knee to one or both parties. It can be negotiated with one or both parties.

The founders knew this. They understood that an individual with limited resources had no chance against the government who would have relatively unlimited resources (the government's resources is the country itself, so it really is Person vs. United States), and the only way to prevent, stop, or avoid such a scenario is for the government to check and balance itself. Those checks and balances have (mostly) failed. We as individuals have no recourse.

There's always hope, but you'd be deluding yourself if you think there's any chance.

Trojan

So I'm left with the impression that the NSA will add features in return for improved access.

SELinux comes to mind as a gift from the NSA to the Linux community. A gift with a hidden payload.

Hmm.... We can call it Trojan Linux. Ribbed for your pleasure. The ultimate in back door penetration.

perspective

[geekoid]

the NSA has done over a 100,000,000 million legal searches.
From all the leaked records, 22,000 are questionable. Those 22,000 lie everywhere between needing a judicial interpretation, to blatant breech.
The leaks also show NSA's number one whistle blower to the courts is the NSA. They report them and correct them.

Not to excuse there blatantly illegal searches, but to thing the whole system is some corrupt entity that s out to get everyone is simply wrong.
No evidences supports that at all.we have a lot of hope becasue none of the evidences shows it to be nearly as bad as the media claims. And certainly nowhere near where the chicken littles on /. claim.

Re:perspective

[JanneM]

That's like saying almost all sex they've ever had was consensual and legal, so we really shouldn't blame them for the few cases of rape they committed.

eveBot intercepts aliceCopter!

[Thud457]

surely there should be a ripe market niche for some smart geek to 3D print arduino-controlled quadcopters to facilitate key exchange. hmmmm... hold on, still a few bugs to be worked out...

Re:eveBot intercepts aliceCopter!

[the_B0fh]

Just don't use paypal to get funding...

I call bullshit

[JoeyRox]

The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption

Re:I call bullshit

You can make keys longer than that too.... google on how to patch gpg for large keys.

I personally use a 16384 key for weaker stuff, and a 32768 bit key for more serious things.

The 4096 bit ceiling was purely for computational speed. Any higher back in the day would take over a day to generate the key. Took my machine 4 hours to make the 16384 key with modern hardware but this is significantly more secure than 4096.

Protip, you can still work with unpatched clients as long as your key is 16384 or less. You can go higher but only then with everyone you communicate with having the patched client. That's why I stick to 16384 for compatibility but go larger when serious.

Re:I call bullshit

[Rich0]

The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption

There is no mathematical proof that 4096-bit PGP keys are secure. You can only say that known algorithms cannot find a key in a practical amount of time on known computational hardware.

You don't know if an algorithm exists that would allow the keys to be factored in a short period of time. You also don't know if somebody has developed a practical quantum computer - it is already known that one would allow certain encryption systems to be trivially broken.

For every mathematician publishing articles about cryptography in the public space, there are probably 100 much-better-paid ones publishing articles in internal NSA publications. The NSA is by far the largest employer of mathematicians on earth - and they hire the best and the brightest they can find.

Lenovo?

[steelfood]

From ProPublica:

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.

This seems to indicate those people are correct.

Raw document

[Rytis]

The raw document provides some more details but remains not especially explicit.

"The fact that NSA/CSS has some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies".

Capabilities are defined here as NSA/CSS ability to exploit a specific technology. This may encompass acquiring and processing plaintext data and/or acquiring, decrypting and processing encrypted data.

Re:Works for me

[kilfarsnar]

So do you want the NSA to break Syria's encryption about their chemical weapons attacks?

Or do you prefer we not know that the Syrian government uses chemical weapons to kill civilian populations, affecting public policy?

Which social contract would you prefer government to break? the "Government shouldn't know private activities of foreign governments" or "Government shouldn't allow foreign governments to kill civilians"?

If your privacy is important, then you think that means your government shouldn't monitor foreign communications, correct? And that means you think it's ok for foreign governments to kill civilians as they please? And if you think foreign governments should be allowed to kill civilians, then I guess you don't donate to charity either? Why would you want to help other people, after all?

You can pick either charity or privacy, but you can't have both. Sorry. That's because bad guys have power, and you need more power to overcome those bad guys for the purposes of charity.

So charity or privacy? What's it going to be?

Won't somebody please think of the civilians!

All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.

Re:Works for me

[aaaaaaargh!]

"Government shouldn't allow foreign governments to kill civilians"?

Incidentally, that policy also applies to the Syrian government versus the US. Cos', you know, the US is a foreign government and airstrikes would surely also kill civilians.

Also, your entire post is a false dichotomy.

Where random number gen "flaws" come from.

[Animats]

There are a surprisingly large number of public key generators with weak random number generators:

• "Debian OpenSSL Package Random Number Generator Weakness"
• "Flaw Found in an Online Encryption Method"
• "NetBSD Intel Hardware Random Number Generator (RNG) Failure Encryption Weakness "
• "PasswordSafe 3.0 weak random number generator allows key recovery attack"

And those are the ones we know about.

For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.

Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.

Expectation of privacy?

[whoever57]

The agencyâ(TM)s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americansâ(TM) e-mails or phone calls without a warrant.

I can see (although I don't necessarily agree with) the argument that we have no expectation of privacy on metadata, but surely there is an expectation of pricacy on encrypted data. Surely the fact that the user has encrypted his data (or knows that it will be) provides an expecation of privacy that would invoke a 4th amendment protection.

Re: Works for me

[tolkienfan]

How did the NSAs ability to decrypt most of the encrypted communications of the world prevent Syria's chemical attack on its own people?
Or even help after the fact, for that matter?
How is helping Syria's people even part of the NSAs charter?

Deniability has been improved

[jacobsm]

Now that we know the NSA can intercept and decrypt any message, doesn't it also mean that they can change the message to whatever they want, re-encrypt it, and pull it out in a court of law as evidence?

If they do, or even if they don't, I can now say they did, and they can't prove they didn't.

Re:Works for me

[Dishevel]

How about the NSA do its fucking job.

Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.

The NSA is operating far outside of its charter. Put them straight.

Re:Works for me

[mendax]

Actually, you will get neither if the NSA is able to read all encrypted communication. Simply put, if the government has the ability to penetrate all encrypted communications, there will be no privacy. If there is no privacy the government will eventually degenerate to a tyranny. Given a choice between a tyranny and dead Syrians, I choose the dead Syrians. I don't like the idea of people being killed by their government but I'd rather have the Syrian government killing Syrians than the American government killing Americans, something which will eventually happen if we lose our civil rights.

Don't doubt for a minute that there are forces in the government that are working toward that. They're mostly not evil people and most don't really understand what the ramifications of what they are doing, but history does repeat itself and there is plenty of history that demonstrates what happens when a government can do whatever it wants. Orwell's "1984" is fiction, not history, but it is based upon history and basic psychology. If we want to retain our civil rights, we need to fight and struggle for them, both in the courts and in civil disobedience if necessary.

Re:Works for me

[mi]

So do you want the NSA to break Syria's encryption about their chemical weapons attacks?

I'd like us to continue treating encryption as weapons and regulate its export accordingly. Unfortunately, it is not really possibly — any enemy worth the designation would be able to get it anyway, because moving an algorithm is much easier than a gun. And, unlike guns, you only need to move an algorithm once.

So charity or privacy? What's it going to be?

I wish I had sufficient confidence in my own government to be able to sincerely pick charity... Unfortunately, I do not. If the President can already ask the IRS to hurt opposition's finances, what's to prevent him from asking the NSA to look into the opposition's e-mails? The sort of thing, that got Nixon to resign is barely an issue with today's Americans...

However, according to an earlier article about Snowden's interaction with journalist(s), PGP (with sufficiently large keys) is still unbreakable even to the NSA — at least, as far Snowden was aware:

This past January, Laura Poitras received a curious e-mail from an anonymous stranger requesting her public encryption key. For almost two years, Poitras had been working on a documentary about surveillance, and she occasionally received queries from strangers. She replied to this one and sent her public key — allowing him or her to send an encrypted e-mail that only Poitras could open, with her private key — but she didn’t think much would come of it.

So that's, what a particularly private person should be using for all of his communications...

Re:THIS...

[mspohr]

This has nothing to do with liberal or conservative and everything to do with the power of government.
From Bruce Schneier:
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Re:Works for me

[mcl630]

Though I sympathize with the gist of your position, I must question this particular argument:

If there is no privacy the government will eventually degenerate to a tyranny.

Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?

You would make it much, much easier to "subdue the electoral process". If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition. You and your cohorts get re-elected. Rinse and repeat, and eventually nobody dares form an opposition party, much less support one. If anybody says or does anything that remotely sounds like rebellion, you kill them too. Your party stays in power indefinately, the only things that might end your reign are a split in your party, or killing off so many people that there not enough people left to work and your economy collapses.

Re:Works for me

[mirix]

Yeah, 'accidental' civilian deaths, or deaths from 'necessary collateral damage' are so very noble and just.

In Serbia the US/NATO 'accidentally' bombed a farmers market, two hospitals, the Chinese embassy, civilian radio/TV stations, bridges on the wrong side of the country with civilians on them, etc. Also random factories that weren't military-related industry (eg. tobacco) - Interestingly the tobacco factory got bought by Phillip Morris a couple years later...

Chemical weapons are abhorrent, absolutely. But unless use is widespread, picking winners and causing more death and destruction isn't ideal, neither.

HTTPS forward secrecy to the rescue

[wytcld]

Your can configure your HTTPS server to use forward secrecy. Forward secrecy uses one-time keys, generated by between the website and the browser for the single session. Most modern browsers support it. But it generally requires compiling the latest version of OpenSSL and the compiling Apache 2.4.x against that, not using the Apache 2.2.x versions that are standard in most of the Linux distros. More detail also here.

If you set up your webserver this way, and your visitors use the right browsers, they NSA's having good copies of the site's certificates won't gain them much. At least that's what Ivan Risti's saying. On TLS/SSL stuff, there may be no one better.

Re:HTTPS forward secrecy to the rescue

[heypete]

Forward secrecy is supported in Apache 2.2.x in the form of ephemeral Diffie Hellman key exchange ("DHE"). This works out-of-the-box on Debian and Ubuntu servers (I run a few Debian/Ubuntu servers, and have those options enabled) without needing to recompile anything.

Apache 2.4.x is require for use of elliptic curve ephemeral Diffie Hellman ("ECDHE"), which provides greater protection with shorter key lengths (e.g. a 256-bit EC key is equivalent to a 3072-bit discrete log key, but Apache 2.2.x uses a baked-in set of DH parameters that's only 1024-bits long). EC is also a lot faster than discrete log DH which is useful in certain environments.

Re:NIST 2006

[letsief]

No, the article wasn't referring to AES. AES was developed by a pair of Belgian cryptographers as part of an open competition. The NSA approves the use of AES to protect Top Secret information. They didn't put a back door in AES.

The article was referring to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), published as part of SP800-90. The DRBG uses a set of constants, like many crypto algorithms. The NSA, as the designer of the DRBG, selected the constants. Microsoft researchers noted that if the constants were carefully chosen, the NSA could predict future outputs of the DRBG. Despite what the New York Time article says, the NSA probably didn't do that. No one was going to use this DRBG anyway, except for the NSA and their partners, so they would have very little reason to sneak in a backdoor. Still, it's a bad property to have in a crypto algorithm. You should really explain the provenance of any constants used in a crypto algorithm, and there was no explanation of how the Dual EC DRBG constants were selected.

The NSA must serve us, not attack us.

[dweller_below]

As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.

The other chilling revelation is the names of these programs:

"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."

The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.

• * The NSA must be stripped of it's ability to create exploit.
• * The NSA must be stripped of it's ability to purchase exploit.

If we survive as a nation of liberty, the NSA must serve us, not attack us.

Re:Works for me

[Zak3056]

Perhaps we shouldn't have provided the Syrians with the precursor chemicals to make weapons in the first place.

Your position is laughable. You have the precursor chemicals to make weapons under your kitchen sink. It's basically impossible to have any kind of modern industrial base without them.

People like you are why I can't buy fucking cold medicine anymore.

Re:FREEEEEEEDOM!

[cluedweasel]

The Guardian article refers to it as a "10 year program" which would put it's inception in the Bush Jr. years. As for the EU is better argument, it looks like my own country's government was a prime mover in this. Way to go guys.

expanding on this post.

[Wycliffe]

Expanding on the above post, if the US is installing and/or exploiting bug related backdoors in
commercial software it would take relatively few to reach 99+% coverage.
If you can get the OS's you're set as you can hit 99% with less than a half dozen.
Likewise with cellular providers, handset makers, virus scanners, printer (driver) manufacturers,
cpu manufacturers, router manufacturers, email clients, web browsers, office suites, etc....
Take any category of software or hardware most of which are dominated by only a few major players
and if you can get your foot in the door with any of them then you have control of the computer or
device. I'm not sure that linux even has that much advantage as there are few if any people who
compile everything from scratch and even if they do, how hard would it really be to get an
undocumented bug inserted into one of several hundred programs that run on a typical computer.
If they're willing to throw enough time, money, and power behind it, there is no way someone can
avoid being eavesdropped on.

Re:Works for me

[marcosdumay]

You can't do much with the knowledge that a government wants you dead.

But a government can do a lot with the knowledge that you want it replaced.

Re:Works for me

[DocHoncho]

So because there are scary bad men out there the government should be able to do whatever the fuck it wants to be able to catch them? Even if that includes massively violating the privacy of every citizen (never know who's a scary bad man!!) in the country? Even if it includes building a massive database filled with who the fuck knows what that never, ever, gets erased? You know how they say the internet forgets nothing? This is even worse, since random fruit loops on the internet don't have access to your phone records, your banking records, your phone calls, your location and every niggling little detail of your entire life! If you think it's bad that /b/ can access something stupid you said on your blog and troll you even if you delete it, just wait until some scary bad men, I mean trusted public servants, get ahold of all that juicy personal information that those stalwart do-gooders of the NSA put together for them, they'll have a field day! Accidently piss off some bureaucrat at the DMV? He'll just call his cousin at the Ministry of Love and they'll whip up some charges doubleplusquick then off to the Re-education centers (actually, that's too expensive, off to the work camps, more than likely).

If you really think it's just "metadata" you're deluded. All this stuff that's coming out used to sound like the fever dreams of the loony fringe, and god damn does it suck having to listen to them smugly say "We told you so."

The real concern

[Taco+Cowboy]

While you guys are cracking jokes on ROT13, a letter to NYT ( http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0 ) caught my attention

- - - B Missouri Reader
        Missouri

On the one hand, âoeIn the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,â but on the other hand the liberties of Americans are at risk by such programs.

In other words, we face a situation where the strongest, most secure nation can no longer be a nation that guarantees the rights of its citizens.

Privacy is not simply a convenience, but it is intimately linked to free speech and to the future prospects for democracy in America. Key elements of the Constitution provide a framework where incumbents can be challenged in free elections, ensuring that better ideas and better leaders will become available to guide the nation. But nobody can win an election against an incumbent with unlimited access to the communications of its rivals. We're not there yet, but the trend is in that direction.

It is high time that members of both parties in Congress get off of their high horses and address this growing threat to our democracy. Technical and legal hurdles must be cleared, and it may even be necessary to make significant changes in the way the internet works. But time passes very quickly in the technology world, and the clock has already been ticking for quite a long time."