Slashdot Mirror
Google's Encryption Plan To Stifle NSA's Dragnet Will Raise the Stakes
CWmike writes "Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments — started last year, but accelerated in June following the NSA leaks — is as much about economics as data encryption, experts say. Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained. However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained. 'The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical,' Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.' The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the 'mathematics of cryptography,' Schneier said. The greater weaknesses, and the ones mostly likely to be exploited by governments in general, are the systems at the start and end of the data flow. 'I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks.' Is this about citizen's rights, or a business decision (some might say an existential issue) for Google? Does it matter, and will it make a difference?"
Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained.
- yeah, it's an arms race alright. It's a kind of a race where if Google doesn't give the NSA what NSA wants, Google's employees and management will find itself on the wrong side of a gun.
MY OTHER COMMENTS
This has been going on FOREVER... There is always a better mouse trap .. or cheese ;-)
Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments
So.. the only organisation conducting invasive surveillance of my Internet activity will be Google? I'm most relieved.
So that the NSA dogs won't eat them so easily.
Certain content delivery networks already do this. For decades.
I find it hard to believe that Google was really not encrypting its non-client ingress/egress traffic.
Kriston
The plain text is still not legally protected under a NSL/hidden self-signed "court" at the advertising keyword end.
The metadata is still not legally protected under a NSL/hidden self-signed "court" as sent.
The mathematics of cryptography is great PR along the tube but reality sets in at the end of the tube again.
http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html
STORMBREW and FLYING PIG show some insights into router and covert data redirection, the use of fake security certificates and the results been unencrypted.
Also note the bypassing (man-in-the-middle) ability via security certificates aspect.
Domestic spying is now "Benign Information Gathering"
So big corporate will start using SSL for everything.. so? All it'll take is 1 email from and the ssl keys to unlock all that data will be sent with no one allowed to talk about it. What we need is a method to encrypt sessions using 2048+ encryption that even with the private key of a server you wont be able to decrypt and we need to get rid of expensive 3rd party key signers so that everyone uses it. If people didn't have to pay $300US to have a certificate signed then maybe every computer on a network would get ssl keys, rather than a single SSL decrypter on the border of the network.
A technological solution will never work. The NSA had court orders and gag orders. While the NSA doing this does not shock or bother me the idea that you can stop them with technology is just silly. Human spies will get around that as they always have.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
xk yrcxL juT0GA bFg3t0 kAqzsVn mIgfTCCy cg/X fnn+0 Nak0Q06 yHtOsP z2g8x hYakbH nWPY tydK NWkhB OncZJOnA RAQ6q9Szmd oS9b zVIf0F XAVB3TG 7Iqgk axXzkCA7bls3 /wdMYX9etlxUbf UXhdxtuxJnpT 2S0VoVI4 h53cnAAhe8jzCOK5q VBUXSsjXK0MDBAC IPH5t pJekxd+ fZtF4dHqE otrXPcslPECi3 BZELAEsntoAHRS/ hYtQU FF Z
Is cheap money for the assholes lobbying your tax payer money. Best bang for their buck. They have to do the least amount of work to make up the results they want. And on the side they can sell/leak to a black market of all your preferences. Wait its not so black anymore... all employers require you to bend over backwards for background checks.
Yep all that google traffic is encrypted, shame about that. But we have a commercial license to all our users data. How much you want to pay to have us analyze it for you?
To me it was obvious from the start that Google was founded with borrowed search algorithms that had been honed for a different purpose: finding connections in intercepts. So now they are trying to sell that they will have crypto that is out of reach from an agency that they are in bed with? They PAY Google some undisclosed excessive amount to provide information. It is a profit center. I'm not even sure if Google is really a public company. (The name may have come from a joke about 'G'overnment 'OOGLing' )
Why would anyone believe they are on the publics side?
"Civilization is the progress toward a society of privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men."
~ Ayn Rand
READY.
PRINT ""+-0
"Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.'"
No it isn't. China wanted you to backdoor in China and you left China, USA wanted you to backdoor in the USA and you complied Eric. It's not an arm race when a secret letter is all it takes to get your data. Just after PRISM leaks, we learned they started to demand the keys too. In effect expanding surveillance of your services to 100% coverage while reducing the use of PRISM. Is *that* an arms race? No, it's a PR scam. It would let you Google, Microsoft, Facebook, Yahoo pretend surveillance had reduced (in PRISM) when in fact it had become total (via intercept).
Also don't kid us that it's only for terrorism. All the NSA does when it wants to spy on anyone, is stick an agent provocateur on the form to post a threat. That gives it the excuse it needs to then spy on everyone in the forum, and their friends and families using the 3-steps deep rule. Twenty million queries a month!
How about you come clean on Cloud Print? That data goes through your servers and can be matched to users data, I bet you give NSA that too?
It's entirely about PR, trying to regain lost trust, WHILE THE STASI ARE STILL LIVING IN YOUR HOUSE. The best defense is to not visit your house!
I will believe Google is genuinely against NSA's encryption breaking scheme only when Google moves ALL their servers OUTSIDE of the United States of America.
No point of talking about "upping the stakes" when the same old thing - a secret warrant demanding full disclosure - can happen anytime.
Muchas Gracias, Señor Edward Snowden !
A lesson from the consumer OS side - Lower cost and usable by not adding expensive features like good encryption until a real issue makes the press.
Some regimes, monarchies and communist countries might have been swayed by that aspect too - trunk telco network has local rules and no encryption was allowed.
Rapid global uptake of the brand is protected..
Domestic spying is now "Benign Information Gathering"
The NSA can force Google to give them access. The encryption isnt to prevent NSA access. The encryption is to reestablish customer confidence. Also maybe to provide better security against other countries such as China.
The NSA's pockets are orders of magnitude deeper than Google's!
The question comes down to, "How to Buy Off Google."
In terms of "Buy" it comes down to:
1) cash (dollars preferred)
2) drugs (Cocaine and Heroin are by far the drugs of choice at Google)
3) gold (Ah, the Midas Touch, always opens doors)
4) prostitutes (Google's Top Management like 2 to 3 year old boys for sexual intercourse and sex favors).
Crypto skills are actually a rarity in this day and age with so much money (in various forms) drifting about.
What is the point of having a big castle, with a moat, several feet inch walls and all that stuff if you then, quite literally, give away the keys to the castle?
Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
If you were to truly develop a form of encryption that not even you can break without the password, would that be legal in the U.S.A.? I mean I know we have GPG etc on a personal level, but lets say google actually used open source software to implement this (and there is no question of google building in a backdoor) would this even be legal?
I don't believe google would build in encryption they themselves couldn't not decrypt instantly, but in that hypothetical situation. Would it be legal?
If the NSA remains vigilant and Google does nothing to avoid it, they will slowly stagnate as users switch to smaller "networks." Google is all about the network effects of their products, and that same network is highly valuable to the NSA and its ilks. The only real way to defeat it is to compartmentalize the networks into much smaller segments such that associations are much harder to make.
Much more difficult to do once the cat is already out of the bag, and it destroys much of the collectivism that makes the internet (and /.) a fun place to go, but hey... it's a nice day outside...
As long as the data is in the u.s. and subject to government subpoena this is meaningless. Depending on how google is structured they could move their data centers outside the u.s. and not have it subject to secret orders. Switzerland would be a great place as they have strict data protection laws.
But Google CAN'T be encrypting a lot of data and rolling out SSL on all of their services.
Just last night here on Slashdot the crooks informed us that while "3 strikes" laws reduced torrent traffic, all those stolen movies and software must have moved to SSL. The increased SSL traffic can't be because the #1 internet company in the world expanded it's use of SSL. It HAS to because penalties for unlawful actions dont work. That's what fits the storyline they want to tell!
I wish I could be more articulate, but I'm too drunk at the moment.
Cocksucking bastards.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
it has more to do with the type of encryption than anything
1024 bit keys are not all the same and some are vulnerable
There are serious questions about random key generators that are used and encryption schemas that only a few people in the world really understand well enough to know whether or not they are back doored
Most likely those encrypted content delivery networks became targets just like the tor sites. Fine if you are hiding your data from business competitors, not so much if you were hiding from nsa
The real point here is not Google giving the NSA your information or not, they are an US based company, they must comply and give all the information requested by the NSA. And, if the used internal encryption is good enough, the only way to get that information will be directly from Google, then Google's will know what the NSA got from them, and they could eventually control (delaying, giving partial or even fake information) what they NSA gets, or store that information for future use (in the case that law gets curious about what is that justice that is everyone talking about)
That don't make Google a friend, but at least a potential enemy of our biggest enemy, and is something to be respected.
If my taxes pay for the NSA and using encryption will cost the NSA more money to decrypt. Then I'll have to give up more of my money to them decrypt my messages?
and what they will do with what they know about me from about 1000 different channels, digital, clickstream, email text, inbound, outbound, print, video, audio, call records, transaction histories, demographic data, geneological histories, all carefully indexed and archived and MapReduce'd and data mined for moment-by-moment behavorial patterns.
Have you ever bought anything from Google as a consumer? No? Then how do you think they keep 35,000 pampered employees on the payroll with a million servers running 24x7 answering search queries from around the world?
The NSA, after all, is a bunch of guys with comfortable guaranteed (?) lifetime careers working for the Federal Government. How good can they be?
Tit bar. Lol!
D81100101133233132611010100D8 11001011CBFFD711001101254377317110110
11CC11111111D711010011326326D 911011111335FF11011001331CE11011010330
D311001000316313CEFFD8323111 11111314FF336DC1101110132311010000FFE
111100011375E211010011327FFC9 11010010C831011000101322D811001001312
10100011314C910111000111111113 27CF1101001032511010010DD31711011001C
A1111111111010100D9377DA11001 100313334FFE111011111340AF11010110326D
51111111131511011001D03371101 0011D3336DE11010011DD11111111D01110000
011001111336377D5110110103773 16CA32711010110FF11010010DD33411011111
DDE111100110337377CD11011000 3211101111037633111001010CD377326110110
01D3D830711010111377325D8110 0110011111111E011001010334FF311DB1101111
111111111D33071101010011001011 37711010110D5317B111111111CC110111111100
0010323377
This is like a large company in a corrupt state trying to evade road blocks where officials loot the trucks.
I find it interesting that there was a general consensus that the BREACH SSL attack had no simple fix because the Internet could not handle the load if everyone turned off gzip HTML compression. While acknoewleding that bandwidth and computation resources are different, I am surprised that a simple fix for BREACH was dismissed, yet hoards of resources are being thrown at transport encryption.
The NSA keep trying the same old trick. They want to orchestrate mass adoption of a system that appears secure but isn't. Somewhere in the technology stack there's a backdoor allowing the NSA access to the plaintext. We know what the NSA's two agendas are and its a huge conflict of interests for them to release a encryption system that they cannot themselves break. Even if the code appears secure they have rigged modern hardware to leak keys through side channels. _Of course_ Google's new system will be backdoored and _of course_ Google will be gagged. Google can never be trusted again. No matter what they say. The NSA are behind this. They are trying to provide a solution through Google because they fear people will move to develop a variety of encryption algorithms and products which will be expensive to analyze and break and automate surveillance of. Obscurity != Security but its fucking expensive.
This must be a PR effort. How can the NSA order Google and others to let them in and have the data they want, but then just let Google go ahead and freeze them out again? It makes no sense.
The only way to guarantee your privacy is to use open source end-to-end encryption software on open operating systems. All closed systems with physical ties to the U.S will eventually be compromised by NSA and other gov branches.
Signature intentionally left blank.
All it takes is for congress mandating PRISM compliance and certification all under the guise of reducing the burden of the tax payer. Mark my words. What Google is attempting to do will backfire!!! Government = demigod. Nothing is more powerful than Government in an age of men and their organizations; including corporations.
Soon we will all see a citizens accept EULA for all new smartphones that their device has been branded PRISM compliant with a super fast NSA backdoor for enhanced performance and protecting the homeland. Thank you for your cooperation. NEXT -->
Life is not for the lazy.
This is good business for Google.
If matters stay as they are now, users will leaving by droves when a non-american alternative present itself (and it will appear. people will not miss this opportunity). Rather than trying to defend it's data, Google must win back users trust or it wont stay in business for long.
The same can be said for most big american software and internet companies.
... factories that make $5 wrenchs. I heard they are set to make a killing soon.
Google is going to confuse the NSA?
This is a joke and amounts to nothing but a smoke screen. We now know that Google is an active partner of the NSA and the U.S. government...we should treat them *as* the NSA. What does any of this matter when Google has whole division(s) dedicated to preparing data for use by the NSA. They'll give keys, they'll give data, they'll give metadata, they'll give educated guesses, they'll prepare 3D topographic maps about that data.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
What we need is a liberal minded organization that funds spying on the NSA/FBI/politicians for the people. People inside both corporations and the government leaking information and an organization which can take action on that (like the ACLU and the EFF). Then we need to out the politicians, judges, law enforcement, etc which are violating our rights.
This may not be legal although if we facilitate the media to do our bidding like other major corporations there may be some success. However we would have to do this at a massive scale and probably destroy a few hundred to thousand peoples carriers and organizations in the process. The reason remember being there is an insane percentage of the worlds wealth control by a small elite group of people. Without disrupting these organizations and attacking them head on they will inevitably win the war against us.
They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.
This notion is very sound when it's the party doing the surveillance that is bearing the cost. The relationship of the taxpayer and the NSA is not like that. Making things more expensive for them, is simply making things more expensive for ourselves, the citizens, as whatever the costs are or become, we are forced to pay them. In that respect, the NSA definitely is not "limited by the same economic realities as the rest of us".
The real problem is how to make sure that the "good guys" get access to top-of-the-line technologies and the "bad guys" seeking 72 virgins don't get access to them. The only reason the NSA can justify its actions is because you are spending all this time fighting the NSA instead of making it easier to lock on the "bad guys" without infringing on the rights of the "good guys".
Frankly, I think people spend way too much time bashing their own government which (at the end of the day) does have legitimate reasons for needing to intercept a lot of this traffic. If you don't trust what they do with that data, solve *that* problem, but making it more difficult for anyone (even if they're trustworthy) to protect our citizens is a bad idea. Period.
From the post:
" 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.'"
It's just that the rest of us is actually paying the NSA bills. If they simply need more money it's out of everyones pockets. Make the surveilance illegal(no wait, it already is) or just bend over, at least you save everyones money by surrendering.
If a corporation wants to hide all activity of its users behind encryption so that no government can access potential threats, then it will need an Army, a Navy, an Air Force, lots of Marines, a Coast Guard, a National, State, and Local Militia and some Intelligence of its own, oh, and a whole lot of arsonal_not to mention, a continent of its own.
More likely, this will just be used to gain trust of more enlightened users as a selling strategy for a company that already has no qualms with spying.
You can encrypt all you like, if there's a backdoor made for people to access, it's meaningless.
I'm not seeing how this would provide enough security from not just the NSA but Anyone Else spying on My stuff.
a) Phobou tous Danaous kai dra pherontas.
and
b) Quidquid id est, timeo Danaos et dona ferentes.
... should be left in the capable hands of bankers, insurers, airline operators, tech geniuses (specially if they have any experience running companies about 2000) and all other shrewd business people.
Lest not forget farmers which are great at administering subsidies and other varied industries that have become very adept at pork barrel politics, ensuring juicy subsidies and bailouts from the incompetent government come their way as soon as this is needed to boost their bonuses.
IANAL but write like a drunk one.
... going to fight the surveillance state?
In *our* behalf?
Allow me the following outburst. Ha,ha,ha.
IANAL but write like a drunk one.
You're thinking that the NSA know they're inimical. They, in the main, believe they are the good guys.
Even the Nazi SS didn't turn to gassing the Jews until many years later. The early versions of the concentration camps (invented and popularised by the British Army in Africa nearly a century earlier) were no worse than a decent prison. But the move to gas chambers was done one small salami step at a time. They got used to concentration camps, got moved to making the conditions worse, got used to that, got used to working the inmates to death, got used to pushing them to die, got to the idea of outright killing them in droves.
It wouldn't have worked with other than a tiny minority if they'd gone straight from the 1930's version of the concentration camps to the 1943 version of places like Dachau.
Similarly, if the war is escalated slightly, each step up becomes the new norm and you can keep most of your people with you with each step if you make them small enough.
So it won't go from "demanding with legal threats" to "shooting US employees in the head" because nobody in the NSA will see the change from one to the other as keeping them in the "Good Guys" side.
If people are inclined to choose other more secure options for email, Google could lose customers. Furthermore, if Google isn't privy to your unencrypted traffic in some way, there's no info to collect for targeted advertising. So Google has some motivation to take charge of the encryption...
You know, all those people who are vilified for being traitors and warrant summary execution for their crimes of spying on the US government.
Criminals and terrorists do not have a problem getting around the NSA
No, intelligent criminals and terrorists do not have a problem getting around the NSA. The fact remains that many are not intelligent because in many societies intelligent people can do better for themselves by working as part of society and even the intelligent crooks and terrorists probably have to work with incompetent ones so their plans will probably become accessible to the NSA.
The issue with NSA surveillance is not that it doesn't achieve its stated aim - it undoubtedly does - the issue is whether this is an acceptable means to achieve that aim - and for many of us it is most certainly not.
So what if its encrypted, if you have the keys are are legally required to hand them over when asked to?
If information wants to be free, why does my internet connection cost so much?
Well, really TP's witches do.
The witches congregate despite being as individual as paranoid feral cats because they need other people around to remind them they are human. "Going to the Bad" (as in a Gingerbread House style witch) happens to the powerful witch who decides they don't need to talk to people over the small things in their lives (like "How are your bunions? I'll help lamb your sheep. I'll wash your arthritic feet." etc) and loses track of what being a human means.
And that requires some loss of privacy for everyone, otherwise you never know humans, you only know ciphers who move and do things without you understanding.
As one writer put it, humans become "creatures that swarm and multiply" and you the mere observer.
While Americans might be pissed off about this, they're not doing much about it. The rest of the world is looking on and asking hard questions about how much reliance we want on American based companies, given what that means for our data and the US Government's desire to spy on it.
Google doesn't have much of a choice but to try and fight this - to roll over is just to do serious damage to their international business interests. Same for any big service provider. If you're in Europe and you need to do something securely, would you even think about getting services from an American company anymore?
Not a chance. If they're not careful, the NSA is going to destroy the competitiveness of some very big companies.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Gotta love a proofread summary:
'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained.
Ok, that makes sense...
However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained.
Whoa. That changes everything. Damn.
William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
This strategy was already deployed in Orwell's book where Winston thought he was acquiring subversive materials but was really following the party surveillance plan. We trust google because...? They are a for profit company with massive marketshare. Google is merely providing the illusion of due diligence.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
Security theater
Google will use its information on you to serve you ads for Toyota.
The Government will use its information on you to profile your behaviour to determine if your views are a threat to whatever political policy is in play at the time, and if so you will be deemed a "radical" and be placed on watch lists.
Google is against anything that makes people not trust Google, including the NSA. Google would happily keep all your data secret, except from their own advertising algorithms. but Google would also sell your data to the NSA for what they consider "fair market value", which given the preceeding is a lot higher than the NSA wants to pay for it.
Google pays a computational price for encrypting your data, but it's worth it if either
(a) the NSA is now forced to buy your data from Google, instead of stealing it like they currently do, or
(b) people trust Google more as a result.
Google wants to publish the number of NSLs it receives to (a) make people feel more confident and (b) make the NSA, DEA, FBI, etc. evaluate more carefully the data they request. Why is (b) good for Google's bottom line? I think, if the agencies are spending more personnel time on the data they request, that data appears even more important, so Google can charge more for the data the agencies really want, while incurring less risk.
Google is still a company, but it's a company run by a founder. Founders almost always make them behave much less like psycopaths than Wall St CEOs.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
.. and do it often.
If enough of us do it in many ways it will be very expensive for anyone to tell real actions from generated actions
Several plugins will do this from your browser. What are you waiting for?
If they are in bed with the NSA, then you caqn't trust ANYTHING they say.
I've never understood why encryption isn't already built in to everything we do in modern technology. As far as I am concerned the network card in your computer should generic a one-time public/private key pair for EACH connection it is making or receiving. The public key is transmitted to the other network device which uses it to encrypt the data to get sent back. Once a connection is closed the keys, salts, and other information is destroyed.
It would take a little extra computation on the hardware to make it happen, but the storage requirements for keeping the keys is minimal since each key would, in theory on exist for a few minutes before a connection is closed, and in the case of web traffic, a few seconds.
We could do a way with all sorts of things, like OS level encryption if it was built in by default - or keep it, and add a 2nd level of complexity to the data.
Google cannot be trusted. Any new encryption they come up with, will have an NSA backdoor.
Too little too late google you might as well be the NSA your so in bed with them now in our eyes
No, Switzerland would not be a great place; while they normally like to just sit back and watch shit happen around them, they are deeply interested in upholding the status quo, and they're one of those countries within Europe that I believe is not going to put up much resistance at all once the exported totalitarianism from the USA gets here (and sails, unopposed, right through the UK and then into the Mainland).
Valid question, especially since every upgrade also dumped you with a tab to noScript's homepage.
I haven't had that happen for some time now though, so - assuming my updater isn't broken - it seems they've cut back on the upgrades.