The NSA spying beat goes on: Encryption’s broken promises

Happy Friday, we’re here to crush whatever hopes and dreams you may still have had about online privacy. New reports by the New York Times, ProPublica and the Guardian, based on the Edward Snowden leaks, say the NSA and the U.K. equivalent GCHQ have been able to crack most encryption and other online safeguards.

“Cryptography forms the basis for trust online,” said encryption guru Bruce Schneier, who worked with the Guardian and read the leaked documents. “By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet.”

Some key points from the reports:

• What the governments are doing requires a certain level of cooperation — voluntary or not — from Internet companies and Internet service providers. In some cases, vulnerabilities are baked into technology so they’re more easily accessible.

The Sigint Enabling Project, at a cost of $250 million a year, “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to exploit them, according to the NYT.

The Guardian says the GCHQ has been working to nose its way into encrypted content from Google, Facebook, Yahoo and Hotmail. The GCHQ supposedly has planted spies inside Internet companies.

This decryption program is separate from the previously disclosed (and acknowledged) Prism program, which involves the scooping up of online communications from large Internet companies. Spending on Prism was reported to be about $20 million a year.

• If the government can work around supposed safeguards, who else can?

“Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise,” says the ACLU’s Chris Soghoian, according to the Guardian.

• The government asked the NYT and ProPublica not to publish their reports, citing the possibility that “bad actors” will change their communication methods as a result. But both decided to publish, citing the following reasons:

The NYT:

The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools.

ProPublica:

The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable.

• What can we do? Are our communications hopelessly and “perpetually insecure,” as the Electronic Frontier Foundation laments? Schneier says he’s not completely impressed with the NSA’s supposed superpowers: “They are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.” He lists ways people can continue to try to protect themselves online, including continuing to use encryption but being wary of commercially available encryption software. In an op-ed in Wired, he suggests increasing key lengths used for encryption — that math is still on the side of the people.


Photo: The National Security Agency building at Fort Meade, Md.  (Associated Press archives)

  • Lee Colby

    What’s new about this? NSA has always been working to crack encryption codes. Indeed that’s one of their big jobs that they hire smart people to do. Check out Cyber Careers at NSA.gov/careers. In most communications standards meetings they have an NSA representative dressed in a nice suit with a crew cut to monitor what ideas (especially encryption) are being fomented for new communications systems. Obviously that’s just the tip of the iceberg. If we want to protect our country from groups who want to destroy us, being able to break encryption algorithms is necessary and indeed is advertised as a ‘Sport’ on their website to attract smart people who want to protect our country.

  • Doug Pearson

    Schneier “suggests increasing key lengths used for encryption” and I think that’s a great idea. Also, the characters used in the key should not be limited to just letters and digits.

    There is a problem, however. Many web sites and applications that want me to use a password limit the number of characters and the character types used.

    I’ve been told (don’t know how valid) that a simple, easy to remember or find, and far more effective password can be found by going to any book you like, choosing any page you like, and copying the first full-length row of type, spaces, punctuation marks and all. This will give you a password of about 50 to 100 characters.

    Furthermore (“book you like”), it might even be easy to remember without the need to put it on a Post-It note stuck to your computer terminal.

    But how many web sites and applications allow it? How good are they at keeping an equally secure encrypted match with which to verify your password?

    Many a slip between cup and lip.
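The two questions at the end of the comment above, whether a site accepts a long passphrase and how it keeps the "encrypted match" it verifies against, have a concrete answer on the server side. What follows is an added example, not code from the article or from either commenter: a site that accepts passphrases up to a generous byte limit, stores only a random salt plus a slow PBKDF2-HMAC-SHA256 hash, and verifies in constant time. The iteration count, the byte limit, and the `truncated_hash` helper (modelling a hypothetical site that silently cuts passwords at a fixed length, the problem the comment describes) are this example's own choices.

```python
"""Added example: server-side storage and verification of long passphrases.

Standard library only. Shows why a site should hash the whole passphrase
(salted, slow KDF) rather than truncate it to a short fixed length.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Chosen for this example; a real
# deployment tunes it to its hardware so one verification takes a noticeable
# fraction of a second.
PBKDF2_ITERATIONS = 600_000

# Upper bound so the KDF cannot be fed megabytes of input; a 100-character
# line copied from a book is nowhere near this limit.
MAX_PASSPHRASE_BYTES = 1024


def normalize(passphrase: str) -> bytes:
    """NFKC-normalize so visually identical text always hashes the same way."""
    return unicodedata.normalize("NFKC", passphrase).encode("utf-8")


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    data = normalize(passphrase)
    if not data or len(data) > MAX_PASSPHRASE_BYTES:
        raise ValueError("passphrase must be 1..%d UTF-8 bytes" % MAX_PASSPHRASE_BYTES)
    # Fresh random salt per user: identical passphrases get different records.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login, never as a match.
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    data = normalize(passphrase)
    if not data or len(data) > MAX_PASSPHRASE_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", data, salt, iterations)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def truncated_hash(passphrase: str, limit: int, salt: bytes) -> str:
    """Hypothetical site that silently keeps only the first `limit` characters.

    Everything typed past the limit is discarded before hashing, so two
    passphrases sharing a prefix become indistinguishable to that site.
    """
    return hash_passphrase(passphrase[:limit], salt)


if __name__ == "__main__":
    # Constructed sample passphrases (book-line style), not real credentials.
    line_a = "Call me Ishmael. Some years ago, never mind how long precisely."
    line_b = "Call me Ishmael. Nobody ever did, but it was worth a try."
    record = hash_passphrase(line_a)
    print("full-length verify:", verify_passphrase(line_a, record))
    print("wrong passphrase:  ", verify_passphrase(line_b, record))
    fixed_salt = bytes(16)  # fixed only to make the truncation effect visible
    print("truncated to 16 chars collide:",
          truncated_hash(line_a, 16, fixed_salt) == truncated_hash(line_b, 16, fixed_salt))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day. The `truncated_hash` comparison is the site-side view of the length limits the comment complains about: once the server cuts the input at sixteen characters, the remaining fifty are not protecting anything.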
