Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Speeding Up New Encryption Project After Latest Snowden Leaks

Posted by samzenpus on from the keep-your-eyes-on-your-own-paper dept.

coolnumbr12 writes "In a new leak published by the Guardian, New York Times and ProPublica, Edward Snowden revealed new secret programs by the NSA and GCHQ to decrypt programs designed to keep information private online. In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies. Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."

22 of 248 comments (clear)

  1. Not impenetrable to Google by riT-k0MA · · Score: 4, Insightful

    Although impenetrable to Government spying I doubt it would be impenetrable to Google, who would not think twice of harvesting all data sent though this encryption method.

    1. Re:Not impenetrable to Google by ArsenneLupin · · Score: 4, Insightful
      ... and then hand it on to the NSA.

      Don't forget, gmail.com is part of Prism!

    2. Re:Not impenetrable to Google by Anonymous Coward · · Score: 2, Insightful

      ... and then hand it on to the NSA.

      Don't forget, gmail.com is part of Prism!

      google == bigbrother

  2. Meaningless ... by gstoddart · · Score: 5, Insightful

    Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies

    Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.

    Because when those government agencies can walk in the door with a secret warrant and demand the keys, there is nothing Google can do.

    The US lawmakers have essentially made crypto in America irrelevant when any party knows the keys.

    The rest of the world needs to be stepping up their game, but all of their governments want the same ability to spy.

    I fear the US has more or less decided that the entire world should be operating on less security to protect their interests. And I'm not sure why everybody is playing along with that.

    --
    Lost at C:>. Found at C.
    1. Re:Meaningless ... by six025 · · Score: 5, Insightful

      It's far from perfect, but at least Google are trying to do something and it's better than the current status quo.

      It's an admirable goal, but it comes down to trust. How does Google know, or more importantly how do we know, that someone from the NSA has not embedded themselves in the implementation team in order to weaken the encryption or insert a back door?

      At this point it's kinda like introducing time-travel as a plot device to the Star Trek cannon. Once time travel is introduced, absolutely anything is possible. In terms of encryption, hence forth it will be very difficult to trust anything related to computing.

      Peace,
      Andy.

    2. Re:Meaningless ... by Xest · · Score: 5, Insightful

      You're obviously unaware of what's been going on so I'll give you a brief summary.

      The NSA and GCHQ have been spying on absolutely everyone by listening in on and intercepting all data going to and from companies like Google. They haven't been going into these companies with a warrant for everyone, they've been doing all this without a warrant.

      If this no longer works such that they're forced to go in with a warrant then that's still forcing them to take an extra costly and time consuming step that they don't take currently.

      That's WTF I am on about.

    3. Re:Meaningless ... by Xest · · Score: 4, Insightful

      Agreed but if you're of the opinion that nothing can be trusted anymore so there's no point trying then you might as well just resign yourself to the fact that it's all over, the spy agencies have won and just let all your data be public.

      But I think it's still worth fighting, and every little bit of effort no matter how small - such as forcing them to get someone into Google, and getting that person to risk detection puts a lot of extra pressure on these agencies and contrary to popular belief they do not have infinite resources. There are only so many developers they can afford to buy off, only so many spies they can train to plant, and the more they have the more chance there is of one getting caught red handed further embarrassing the shit out of the agencies and their programmes.

      The point is simply that there is far more of us, and far fewer of them, and every attempt at frustration no matter how small, every successful encryption attempt that they can't deal with no matter how trivial is something that takes up their relatively limited manpower. Just one person producing a blob of what they deem suspicious or interesting data is potentially enough to take out a number of their analysts for a few days at a time as they try to deal with it.

      There are far more people with far more skills capable of producing far more data that frustrates their operations than they can possibly hope to deal with, hence why sitting down crying defeat and doing nothing is exactly what they want. This effort by Google no matter how much of a token gesture is just one simple example of something that has the scope to greatly frustrate the NSA's efforts and if all tech company's and a bunch of individuals to boot followed their lead then it'd have a measurable impact on the ability of their program to perform blanket spying.

      Even the requirement to obtain just one warrant is going to take an agent out of the field and into the realm of paperwork for likely a half day or day.

      Then at the end of it all, when it turns out that billions are being poured into this program yet the likes of Boston are still happening, there's going to reach a point where someone says "We need to stop funding this white elephant", because that's how politics works.

    4. Re:Meaningless ... by FriendlyLurker · · Score: 3, Insightful

      Ahh, so Clapper says they only collect the data [1] but do not actually inhale it.

      Next you will be trying to convince us all that access to the gathered intelligence data is strictly controlled and only after [secret] court approval, for terrorism related reasons only.

      [1] Probably because American's have been expelled from various countries various times for economic spying, so James Clapper cannot very apply the default PR script which is to deny it ever happens... as you are trying to lead us to believe applies in this case... cold fjord.

  3. Skip TFA by SirGarlon · · Score: 5, Insightful

    I read TFA, and I wish I hadn't. It's just a fanboi gushing about how awesome Google is.

    What it fails to mention is the fundamental tension between developing encryption technology and Google's business model of pervasive surveillance.

    Quotations from Google executives such as:

    "This is a just a point of personal honor," Grosse said. "It will not happen here."

    fail to convince me. I am sure Mr. Grosse means what he says, but his actual ability to follow through on his personal honor is limited. It's the Almighty Dollar that is ultimately calling the shots at Google, or any company.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  4. Is Google allowed to do this? by mschaffer · · Score: 3, Insightful

    Is Google even allowed to pursue such an undertaking? What's to stop the NSA from requiring access by design? It's not as if Google could say anything about it if this were the case.

  5. End-to-end by DrYak · · Score: 5, Insightful

    If the "end-to-end" is correctly implemented, i.e.: not like in the bad definition in the summary (fiber optics and server encrypted), but like usually understood for privacy (i.e.: decrypted form only exist on end-point totally controlled by end users), google, nsa or any other man in the middle doesn't matter.

    That requires 2 important details:

    - sound encryption.
    The maths behind current encryption seem sound. But the implementation must be good too. NSA has notoriously interfered undercover with lots of software development team, leading to bad implementation which could leak data or have predictible key due to broken random generator, etc.
    Opensource is a lot less likely to be tainted as errors are much easier to spot. You don't know what NSA could have hidden in closed source software whithout the knowledge of the software vendors themselves.

    - secure environment.
    There's no point in having the most perfect encryption ever if the NSA could simply bypass it and use a hidden backdoor or abuse an exploit to break into and simply tap the clear message from one of the end points.
    Skype EULA clearly states that they are ready to conform with local law about collaboration with law enforcement (could probably be even implementing wire-taping point). Also I think by now backdoors inside Windows are more or less accepted to be existing in our post-Snowden world.
    Again, opensource software, both user application and the OS on which they are running, would be more difficult to abuse, as backdoors and exploitable bugs would be easier to observe.

    But in a theoretical pefrect wold of rainbow, unicorns, perfect crypto implementation and secure machine, you can then use safely an untrusted network and untrusted servers: data that will transit through them will be always encrypted and meaningless.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  6. The relationship between Google and Uncle Sam by Taco+Cowboy · · Score: 4, Insightful

    When I read TFA, and it states that ...

    In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies

    ... I laugh !

    As if nobody knows the cozy relationship between the founders of Google (and Google Inc. itself) and Uncle Sam.

    The only way we can be sure that something that is truly important to us does not fall into the hands of NSA is to NOT put it online, period.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:The relationship between Google and Uncle Sam by LordLimecat · · Score: 4, Insightful

      Google has been one of the best in this regard, both in the consistency and the tenacity of their resistence. For instance, unlike Yahoo and MS, Google famously has repeatedly refused to work with the Chinese government when they request details on dissidents.

      I dont want to sit here advocating for Google as if they have no faults, but I find it hillariously counterproductive that people would go after Google of all things for not being "for the consumer" enough. Who besides google works closely with the EFF, particularly with the ChillingEffects site? Who besides google has shown the guts to say "get a warrant" to unofficial government requests?

      People seriously are going to read "Government compels businesses to disclose information via FISA court order", and take away "gee these businesses sure have a cozy relationship with the govt"?

    2. Re:The relationship between Google and Uncle Sam by gmuslera · · Score: 4, Insightful

      The problem is that no matter how good intentions you are willing to attribute to the Google company (or that they really have), how good is that encryption, they are under US law, they must follow their (secret laws) orders, and don't tell us that they are following them. In practice, from the outside, is almost as bad as i.e. Microsoft, you can only trust in what they release in fully open source form (Chromium, android AOSP), but not web services or binary programs like Chrome. Adding a level of encryption more a placebo than something that does a real difference.

      Want to recover lost market? Move to other country, one outside US and snooping allies laws. That will do more on giving the impression that you care about your users privacy than adding encryption in a place where you have the give the unencrypted content anyway.

    3. Re:The relationship between Google and Uncle Sam by interkin3tic · · Score: 3, Insightful

      Sometimes, I think Google should change their motto to "Be totally evil, support big brother in shitting on the constitution, and worship Satan." Not because I think that's their goal, just because I think it would be better PR. Google seems to catch a lot more flak than any other tech company, and I think it's because people are always looking to tear down someone for hypocrisy. They should lower expectations,

    4. Re:The relationship between Google and Uncle Sam by swillden · · Score: 4, Insightful

      Well, only if you ignore that early Snowden-leaked slide from the NSA presentation that showed Google to be one of the earlier companies they had direct access to....

      Or if you believe Google, who consistently insist they didn't provide said access, and whose insistence is consistent with the rest of their actions. My guess is that the NSA was tapping Google's network connections. Remember that back in 2008 (when the slide said PRISM started getting Google data) Google hadn't yet started using SSL by default on everything.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:The relationship between Google and Uncle Sam by SuricouRaven · · Score: 3, Insightful

      Eventually businesses have to comply with government demands, as refusal to do so results in either official action (Executives being jailed for obstruction of justice) or unofficial sanctions (made-up charges of tax evasion for minor paperwork errors, overly destructive raids ceasing hundreds of servers while investigating something suitably scandalous like child porn).

      Google has put up a lot more resistance than most companies would or have.

  7. Re:Oh come on! by jones_supa · · Score: 4, Insightful

    They'll never regain the trust of their users, along with Microsoft, Apple and all of the other bend-over-backwards in the US.

    Give it a year or two, and no one will even remember the NSA/Google scandal anymore. Sadly.

  8. US Trust is gone by EmperorOfCanada · · Score: 5, Insightful

    I don't think people outside the US really care if US companies use 10,000 bit quantum spiral elliptical gluon encryption with a half twist of lemon. If the NSA comes to those companies with the Open Sesame court orders then it doesn't matter. This is a massive opportunity for non-US companies to say, "We ignore any pressure from the US." Along with their governments to say, "If a local company gives data to the US government then they go to jail." Put these two together and people will start flocking to their service (assuming it is roughly equal to the US one) so create euromail.eu or whatnot and you've got customers.

    Right now is the time to have a marketing shtick where you tell people that you spend all day every day thinking up ways to keep the NSA away from their data.

    Also this is the time for Linux to strike. The key is that there are two assumptions being made by most people out there. First is that any US company with closed source software has been strong-armed into leaving a back door. Second is that the NSA have broken any common encryption scheme. So if you use the common ones they might as well be plaintext. But if you are able to use opensource obscure encryption schemes then you stand a chance.

  9. Re:Google, Money, Mouth by CRCulver · · Score: 4, Insightful

    If Google wanted to impress me, they'd include a spot to paste a GPG public key in gmail and auto-encrypt all mails with it on the client side for gmail users or at the entry point of their network for all other mail users.

    Auto-encrypting it on the client side would be extremely insecure, because Google or an adversary could inject Javascript code to capture the message while it is still plaintext. The only way to securely use GPG with webmail is to type the message in a text editor, encrypt and only then paste the cipertext into your webbrowser. Ideally people would stop using webmail and go back to dedicated e-mail applications, but the cat's already out of the bag (and even e-mail has been superseded in many people's lives by Facebook messages).

  10. Consequences for the Internet at large by wvmarle · · Score: 4, Insightful

    I wonder what the consequences could be for the Internet at large.

    Apparently there are backdoors in popular encryption software programs. That in itself should be alarming: if the NSA knows about it, who says the underworld hasn't found out about it already? Or is now directly searching for backdoors, knowing that they exist?

    The NSA is after your privacy - which is a very bad thing, but something that doesn't hit most people directly.

    Cybercriminals are usually after your money. If encryption is not secure, they can easily start listening in on credit card transactions done "securely" over HTTPS.

    They can also start to intercept financial orders, decrypt them, alter them (i.e. payment redirected to another recipient, while still sending the intended recipient a "transaction accepted" reply), and sending them on correctly encrypted so the payment processor is none the wiser; after all it's encrypted so it's true. And it's going to be really hard for the intended recipient to file a complaint.

    It won't be the end of the Internet as we know it, but there are some serious considerations to make.

  11. Start by fixing chrome by WaffleMonster · · Score: 3, Insightful

    Support TLS 1.2 and TLS-SRP in your browser.