Google Speeding Up New Encryption Project After Latest Snowden Leaks
coolnumbr12 writes "In a new leak published by the Guardian, New York Times and ProPublica, Edward Snowden revealed new secret programs by the NSA and GCHQ to decrypt programs designed to keep information private online. In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies. Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."
Although impenetrable to Government spying I doubt it would be impenetrable to Google, who would not think twice of harvesting all data sent through this encryption method.
Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies.
Ahhhh hahahah hahaaaaaaaaaaaaaa!
If Google cares about security, then why does it insist that companies synchronize passwords with their Google Apps domains using unsalted MD5 checksums?
Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.
Because when those government agencies can walk in the door with a secret warrant and demand the keys, there is nothing Google can do.
The US lawmakers have essentially made crypto in America irrelevant when any party knows the keys.
The rest of the world needs to be stepping up their game, but all of their governments want the same ability to spy.
I fear the US has more or less decided that the entire world should be operating on less security to protect their interests. And I'm not sure why everybody is playing along with that.
Lost at C:>. Found at C.
Google, the very company swinging the door wide open for the NSA, implementing a program to lull people into the illusion that their data is secure. Yeah, like I'd trust anything they'd produce.
They'll never regain the trust of their users, along with Microsoft, Apple and all of the other bend-over-backwards in the US.
For an entity like Google (large, technically sophisticated; but most of their worthwhile data probably count as 'business records' for the purposes of nigh-limitless subpoena-under-cover-of-darkness powers), do the feds really bother sucking on the fiber when they could just flash a badge and get what they want?
If so, actually-working-encryption should create an interesting little jump in the number of information demands (whether they are the kind that Google is allowed to talk about, and whether it will be 'Google received 123,345 demands last year, and only one this year! (The one demand was "We want all of it.")' are different questions).
If they already aren't sucking on the fiber because doing it through Legal is easier, this probably isn't bad security practice; but won't really slow the feds down much. They certainly don't have an aversion to genuinely covert behavior; but they also have crazy expansive 'legal' abilities to obtain information (and, especially when paid, often plenty of help from the companies who have the data...)
I don't see how a new encryption effort helps. Anytime you trust a third party to handle your data in the cloud, you are open to having that data compromised because somebody else codes it, somebody else builds it, somebody else deploys it, somebody else administers it, etc. Many who fell for the charming upstart company with the motto "Don't be evil" the first time around feel burned, and there is no technical solution to that problem.
I read TFA, and I wish I hadn't. It's just a fanboi gushing about how awesome Google is.
What it fails to mention is the fundamental tension between developing encryption technology and Google's business model of pervasive surveillance.
Quotations from Google executives such as:
fail to convince me. I am sure Mr. Grosse means what he says, but his actual ability to follow through on his personal honor is limited. It's the Almighty Dollar that is ultimately calling the shots at Google, or any company.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Given that the reports of the Snowden NSA documents indicate that the NSA worked with willing private sector companies, why should anyone believe that this is nothing more than a public relations push by Google? I think Google is trying to restore trust by appearing to be doing something while in fact being just as open and cooperative with the NSA as it has always been. I will believe that there is some pushback by private companies when there are actual public (not secret) court cases brought by the government to force them to do something. Until then I call shenanigans.
Does this include subpoenas and disavowed backdoors for the NSA?
I will believe it when it really gets tested.
Is Google even allowed to pursue such an undertaking? What's to stop the NSA from requiring access by design? It's not as if Google could say anything about it if this were the case.
Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."
Which is meaningless in the face of a subpoena or national security letter or a wrench. Anything Google does suffers from the problem of trusting a third party. Even if Google's solution were 100% effective technologically, they still are a third party and cannot be trusted 100% to not give the keys out.
Google has gotten lots of $$$$ from the NSA and the CIA and is in complete bed with them. Google gives -everything- to the NSA and CIA
Things that make you go HMMMMM...
http://gizmodo.com/confirmed-nsa-paid-google-microsoft-others-millions-1188615332
http://www.infowars.com/googles-deep-cia-and-nsa-connections/
http://www.pcworld.com/article/217550/google_watchdog_white_house.html
http://www.theregister.co.uk/2013/06/10/palantir_denies_powering_prism_spy_system/
http://www.wired.com/threatlevel/2012/05/google-nsa-secrecy-upheld/
http://www.prisonplanet.com/nsa-funds-new-top-secret-60-million-dollar-data-lab.html
The Truth is a Virus!!!
You mean "any third party". For people's communication to be "secure" they need to keep a private key and others need to use their public key to send data. This of course blocks Google from reading it as well. This is a problem for Google because they like to have the machines read your email to build a profile for targeted advertising. Using secure crypto not only blocks governments, it blocks Google. Unless their plan is as you suggest where Google has the keys, in which case you are correct that it does nothing to prevent spying.
It's bad for Google to allow the NSA to mine the data passing through their servers but it's OK for Google to mine that data to spoon feed me ads they deem more relevant so they can charge their advertisers more?
So let me get this straight....
Google are a party to this whole Prism et al. spying network. They lie in the same bed.
And now they're going to work on new encryption. Yeah, right.
Google are compromised from the word go. Starting from the top three people in the company.
Untrustworthy two-faced liars.
If Google wanted to impress me, they'd include a spot to paste a GPG public key in gmail and auto-encrypt all mails with it on the client side for gmail users or at the entry point of their network for all other mail users. As it stands Google is very much part of the problem, not very much part of the solution.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
uses the obsolete since a decade RC4 as the encryption algorithm for its httpS.
Potential would-be leakers of top secret government data should be required to undergo ongoing in-depth screening tests and at all times should have testicles plugged into a high voltage circuitry that could be immediately switched on for anyone attempting to leak documents.
If the "end-to-end" is correctly implemented, i.e.: not like in the bad definition in the summary (fiber optics and server encrypted), but like usually understood for privacy (i.e.: decrypted form only exist on end-point totally controlled by end users), google, nsa or any other man in the middle doesn't matter.
That requires 2 important details:
- sound encryption.
The maths behind current encryption seem sound. But the implementation must be good too. NSA has notoriously interfered undercover with lots of software development teams, leading to bad implementation which could leak data or have predictable key due to broken random generator, etc.
Opensource is a lot less likely to be tainted as errors are much easier to spot. You don't know what NSA could have hidden in closed source software without the knowledge of the software vendors themselves.
- secure environment.
There's no point in having the most perfect encryption ever if the NSA could simply bypass it and use a hidden backdoor or abuse an exploit to break into and simply tap the clear message from one of the end points.
Skype EULA clearly states that they are ready to conform with local law about collaboration with law enforcement (could probably be even implementing wire-tapping point). Also I think by now backdoors inside Windows are more or less accepted to be existing in our post-Snowden world.
Again, opensource software, both user application and the OS on which they are running, would be more difficult to abuse, as backdoors and exploitable bugs would be easier to observe.
But in a theoretical perfect world of rainbow, unicorns, perfect crypto implementation and secure machine, you can then use safely an untrusted network and untrusted servers: data that will transit through them will be always encrypted and meaningless.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You'll be on one end and the NSA is on the other, ready to forward to your intended receiver. Seriously can we still trust google with anything?
When I read TFA, and it states that ...
In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies
As if nobody knows the cozy relationship between the founders of Google (and Google Inc. itself) and Uncle Sam.
The only way we can be sure that something that is truly important to us does not fall into the hands of NSA is to NOT put it online, period.
Muchas Gracias, Señor Edward Snowden !
I bet a fiver that it's no real encryption. Lock the front door, but the back door is wide open. Literally back door. 1000:1 that the NSA will read all "encrypted" traffic as if it wouldn't be encrypted via a master key or such a weak encryption that it is laughable.
NEVER TRUST GOOGLE. NEVER. NOT ONCE.
Don't get SCROOGLED!
Sure, NSA has been farming Google's queries and emails and all the other stuff unencrypted. And for Google's PRISM link, they need a warrant if it's for a USA citizen. (Well at least if they think it is, at least 51%). That means nothing to us non US citizens. (I'm a brit, my country's spy agency even spies on me for the NSA and the politician who signed off on it, William Hague, traitor to his country, is 'Sir William Hague' not 'Traitor William Hague'!).
So Google's encrypting data forces them to get a warrant, well sort of, and only for USA people.
Except NSA has also been getting warrants that let it get the keys to the certs, and also has access to the cert authorities, and it also has backdoors into the encryption itself, making the encryption meaningless. A PR stunt. "Accidental" gathering of American data still continues and for most of the world the same "massive deliberate" capturing of our data, private, political, news, business secrets the lot, continues unabated.
Android is still rooted, MS Phone is still rooted. Google's services are still part of the surveillance machine, willing or not.
It's a token response, but the real solution is to avoid letting your important communications transit the US, or US based services.
I've cancelled VPNs, webservers, Skype, stopped using Google, email has been moved. These are *real* measures that can be taken, not *PR Stunt* measures.
... If nothing else that means no more "accidental" gathering of the data of Americans in breach of the 4th amendment ...
Oh c'mon, baby, don't tell me that you still believe in the fairy tales they tried to feed us !!
When they walk into Google's office with a warrant, that's the end of it.
It won't be used for a "targeted snooping", but rather, the warrant will be one that requires Google to hand over every-single-thing they have.
It's a secret court, and every-single-thing is clouded under national secrecy. You think them spooks gonna be satisfied with a warrant that asked for snooping on ONE GUY ?
Please man, please wake the fuck up !
The situation we are facing right now is way WAY worse than what George Orwell could ever think of when he wrote "1984".
Re-secure customer trust, new backdoor provided eventually, that is how it goes!
That is it..... there is no reason to trust them about anything they say.... anyone that knows history and what they did should know this!
TFA is pretty short on technical details, but this sounds like it's end-to-end between Google datacenters, not customers. So when the NSA comes a-knocking with the inevitable secret court order to hand over keys, they'll be right back to capturing everything and filtering on the NSA side.
0 1 - just my two bits
old and derelict .. that's not being done anymore . just an annoyance specially since you contribute nothing to the discussion. grow up . those days are over.
Why does this matter if they put wedge layers in all of the OS's and capture plaintext keystrokes?
I don't think people outside the US really care if US companies use 10,000 bit quantum spiral elliptical gluon encryption with a half twist of lemon. If the NSA comes to those companies with the Open Sesame court orders then it doesn't matter. This is a massive opportunity for non-US companies to say, "We ignore any pressure from the US." Along with their governments to say, "If a local company gives data to the US government then they go to jail." Put these two together and people will start flocking to their service (assuming it is roughly equal to the US one) so create euromail.eu or whatnot and you've got customers.
Right now is the time to have a marketing shtick where you tell people that you spend all day every day thinking up ways to keep the NSA away from their data.
Also this is the time for Linux to strike. The key is that there are two assumptions being made by most people out there. First is that any US company with closed source software has been strong-armed into leaving a back door. Second is that the NSA have broken any common encryption scheme. So if you use the common ones they might as well be plaintext. But if you are able to use opensource obscure encryption schemes then you stand a chance.
d00ds and d00dettes : forget it . totally . .. just forget it . .
forget about there be ever privacy on the net. it's a washout. the only way we'll ever see a semblance of privacy is by throwing the governments out and putting new people in there that will change the laws and the ways of the country. In other words we need to clean the house and that will never happen.
Forget it , forget about your privacy , you elected the scum to office and they f***** you right up the a**. There's no way out of this , the net is totally compromised there is neither any way to make it even reasonably secure to use. Companies will try to convince you otherwise , but they are the spies opening your mail.
Trust them ? " I wont spy on you , promised " . it's over
So we are led to believe that up to this point they were writing everything on a postcard and mailing from one server to another?
Why are they suddenly so concerned about people or the NSA reading that postcard?
So, Google is voluntarily giving up the ability to scan our e-mail for adwords?
Have gnu, will travel.
I wonder what the consequences could be for the Internet at large.
Apparently there are backdoors in popular encryption software programs. That in itself should be alarming: if the NSA knows about it, who says the underworld hasn't found out about it already? Or is now directly searching for backdoors, knowing that they exist?
The NSA is after your privacy - which is a very bad thing, but something that doesn't hit most people directly.
Cybercriminals are usually after your money. If encryption is not secure, they can easily start listening in on credit card transactions done "securely" over HTTPS.
They can also start to intercept financial orders, decrypt them, alter them (i.e. payment redirected to another recipient, while still sending the intended recipient a "transaction accepted" reply), and sending them on correctly encrypted so the payment processor is none the wiser; after all it's encrypted so it's true. And it's going to be really hard for the intended recipient to file a complaint.
It won't be the end of the Internet as we know it, but there are some serious considerations to make.
Without actual concrete... well *anything*, we can't ascertain how useful/useless their situation is.
By and large, existing cryptographic schemes and protocols are also resilient against government surveillance. The fundamental problem is that one of the 'trusted' parties is generally not to be trusted. It's actually remarkably similar to why DRM is an utterly unfeasible beast if the consumer is really set on compromising the 'protection'. Cryptography allows Alice and Bob to talk without Carol being able to snoop. But if Bob and Carol are working together, there is no scheme that allows Alice to safely talk to Bob. This is the 'compromise' NSA has achieved, not some technical feat, and one that cannot be effectively mitigated by technical advances beyond what is currently available. This is about behavioral/procedural issues, not cryptographic ones at this point.
Because Google can be trusted.
But the end-points would still be known... Essentially, leaking your entire address book...
:)
Sure, there's TOR and similar ideas, but requires trusting third party servers, that might very well be NSA hubs as well...
And forget about running your own TOR instance unless you want the police to come knocking on your door, we've heard about that on slashdot before...
When the NSA scandals came out and I started actively criticizing the NSA, the first thing I noticed was my Google's default https connection changed to be http. I'm sure it previously switched to https (and my country domain) instead it now switches to unencrypted http.
So now when I visit Google it redirects me to an unencrypted search, instead of the encrypted one. I wonder if that's the experience of everyone? If you type google.com into the URL bar do you get a http: or https connection?
Even if it's an error of my memory, it's made me aware that my searches are being logged in a giant database by a crook in a military uniform.
Anything they do will be tainted. Google is in the NSA's pocket and can never be trusted. Nobody can.
not those actually spied on. Google is Evil.
As I stated in another post Google has a vested economic interest in restoring public faith to their cloud offerings. To do this they would need to eliminate any access they may have to the unencrypted data. In a perfect world Google would take something like gpgp and add their own key server and integration and automation with Google's services. This would likely be limited to chat and email given that A.) Google makes a lot of money off of adsense and B.) It would be difficult to implement an interactive web site for which the content was unreadable by the servers producing it.
The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
There are two reasons why Google, Yahoo, Microsoft, and the rest of the gang are doing things like this. Because #1) Nobody wants to do business with anyone that willingly gives its user information to the NSA. That means a lot of money will be lost in the future by those ignoring / blocking google. #2) They can still make money out of this by setting up the system so that the government can't steal info anymore but have to pay for it as they do with Verizon etc... So if they create an even stronger encryption, they could make it so that the government will have no choice but to pay to play.
This is brilliant on Google's side and I applaud them for being so clever, but I really wish that the NSA would lose all of their funding already.
Shall we get MicroShafted instead?
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Why? Oh...an AC comment...never mind.
Considering that they're part of the people providing the current unshielded data to the NSA, can you even TRUST their claims on this?
Support TLS 1.2 and TLS-SRP in your browser.
Encryption is mostly a matter of trust; the technological aspect is of comparatively minor consideration.
End-to-end encryption is meaningless if there's a backdoor. The NSA can compel Google to install a backdoor and then gag them. Google cannot tell you about it. For all we know, they are already sending every search you execute to the NSA's analysis servers. I'd bet on it. And they cannot tell us. It doesn't matter if you have HTTPS Everywhere, because it's meaningless as the data becomes cleartext, by necessity, once it reaches the server.
Any time you need to trust a third-party without full disclosure, you can be sure that your data is not secure. And how do you know it's full disclosure? They could just be claiming full disclosure and be gagged from telling you about a backdoor. They could release the complete source code, then add in the backdoor, at the NSA's behest, after the release and you could not possibly know about it. Hell, even if it were some local software, fully open source, and they gave you a checksum, and you compiled it yourself, and the compiler was open source, you still might not know about it.
It's not just privacy that's dead; it's trust.
It's quite simple. If they are really truly committed to securing our data, and regaining our trust, they could implement client-side PGP encryption, make it INTEGRAL to gmail (step EVERY user through setting up a pub/priv key pair when joining gmail, and MAKE them use it).
We should all email this Eric Grosse guy and demand client-side PGP plugins for their webmail service. Hell, with their army of programmers they can make a plugin work with gmail, hotmail, yahoo mail, Thunderbird, Outlook ... hell anything and everything.
There is no excuse, they can and must do this otherwise they're just paying lip service to security.
Let's see if they are willing to offer the level of security Lavabit did. If not, they're bullsh**ting us, pure and simple.
They can just fund this guy who ALREADY has a plugin for Chrome that is pretty slick for PGP within webmail [Mailvelope]:
https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke?hl=en
What new leak? Wasn't Snowden allowed into Russia on the condition that he would stop leaking? What's going on here?
the only thing you have a chance to be nsa-free would be something without any US involvement
SSH and SSH Fingerprint DNS entry have YEARS of existence. Still don't know why create another encrypt protocol.
Why not use ssh over http?
It looks like Google wants me to trust them. Good luck with that, you never-do-evillers, you.
To be truly end-to-end, Google will only have access to the encrypted forms. And that's what they'd store on their servers. Though they'd still have to have the metadata required for delivery. But then how are they going to scan everything for the keywords that drive their targeted ads? That's their bread & butter, innit?
makmak yur yur!!
:snurf glah ork:
oki wan wan beg url zevlang
?Moegla on dena dub dub,
Not necessarily. This could well be something secure against everyone but Google. Of course, if Google is able to decrypt it, they may be required to share the information with various governments, but perhaps they expect due recompense in some form.
Nobody seems to doubt that Google will be able to decrypt it. That's not what "end-to-end" should mean, but that's what people seem to believe it will mean. And proving that this is wrong, if it is, will be quite difficult.
I think we've pushed this "anyone can grow up to be president" thing too far.
... like SpiderOak, I'm not all that interested.
... is trying to encrypt traffic so the government can't spy on us?
Well gee, thanks.
By forcing people to use their real names Google is doing most of the dirty work of the spying agencies already.
In a documentary I watched this week a group of hackers managed to destroy one of Wired's reporters' digital life by using old fashioned social engineering and a deeper knowledge than most about how some companies authenticate users (hint: some of the darlings of the IT world make pretty dumb decisions regarding *your security* read and weep: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/).
Google is providing people intent on malfeasance with the first identifying information that they will link with a specific person : his real name.
Google can do many things to increase security and privacy, but they are much simpler than re-inventing the encrypting wheel.
Major contracts have been canceled or put on hold as nobody trusts any company based in the US. Google has to make us believe it. Fluff won't go as far
Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies.
Unless they give them the keys to the kingdom in secrecy... wouldn't surprise me one single bit.
Good. What encryption was Google using before? AES? If so, I find it hard to believe that anyone (or anything) can break an AES encryption.