Encryption, exposed as almost useless except to spies

Yesterday the New York Times, ProPublica, and the Guardian broke a major story. Several weeks ago, Glenn Greenwald said there was much more to come based on the information obtained by Edward Snowden. For several of those weeks we have had disturbing, yet relatively minor, disclosures. Yet once again, Snowden has provided something huge. From the Times: N.S.A. Able to Foil Basic Safeguards of Privacy on Web

 Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping…

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

To state the obvious, this should end the myth that encryption actually protects the secret vote, and vote integrity, if it really could have in the first place. Basically:

  • The NSA can hack almost any encrypted communication
  • They have coerced companies to put back doors in software and hardware
  • They compromised encryption standards
  • The UK and other countries share in the secret and results
  • Edward Snowden did not have authorized access to the information, yet was able to obtain it
  • Internet banking, purchases, stock trades, etc. are all exposed and vulnerable for the public and corporations

You can also listen to Glenn Greenwald and Bruce Schneier on DemocracyNow!. They provide further insights: not only do we have no reason to trust companies that claim to offer useful encryption software, but the holes created for the NSA are available to others for whatever purpose they might want. Some sophisticated users may be able to use open-source encryption and still protect their communications.

Perhaps worse, encryption standards have been hacked by the NSA, while scientists have been hoodwinked or compromised:

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort ‘a challenge in finesse.’

‘Eventually, N.S.A. became the sole editor,’ the memo says.

In the '90s we had a battle in Congress over the government requiring back doors in encryption hardware and software. The spies lost, the public won. But in the end we have learned that we cannot trust our government. We need, once again, to become a nation of laws, as Greenwald pointed out in his book, published before he had met Edward Snowden.

A follow-up story in the Times today: Legislation Seeks to Bar N.S.A. Tactic in Encryption

An example of the usual response from the NSA: this is not news, everyone knows we do it, yet it's really damaging.

A statement from the director of national intelligence, James R. Clapper Jr., criticized the reports, saying that it was “not news” that the N.S.A. works to break encryption, and that the articles would damage American intelligence collection.

The reports, the statement said, “reveal specific and classified details about how we conduct this critical intelligence activity.”

“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

But if intelligence officials felt a sense of betrayal by the disclosures, Internet security experts felt a similar letdown — at the N.S.A. actions.

It does hurt. It is the truth that hurts:

But the perception of an N.S.A. intrusion into the networks of major Internet companies, whether surreptitious or with the companies’ cooperation, could hurt business, especially in international markets.

“What buyer is going to purchase a product that has been deliberately made less secure?” asked Mr. Holt, the congressman. “Even if N.S.A. does it with the purest motive, it can ruin the reputations of billion-dollar companies.”

In addition, news that the N.S.A. is inserting vulnerabilities into widely used technologies could put American lawmakers and technology companies in a bind with regard to China.

Over the last two years, American lawmakers have accused two of China’s largest telecommunications companies, Huawei Technologies and ZTE, of doing something parallel to what the N.S.A. has done: planting back doors into their equipment to allow for eavesdropping by the Chinese government and military.

Both companies have denied collaborating with the Chinese government, but the allegations have eliminated the companies’ hopes for significant business growth in the United States. After an investigation last year, the House Intelligence Committee concluded that government agencies should be barred from doing business with Huawei and ZTE, and that American companies should avoid buying their equipment.

We will leave for another day a discussion of the implications for voting integrity and democracy.

