NSA & GCHQ Covertly Took Over Security Standards, Recruited Telco Employees To Insert Backdoors

from the not-so-secure dept

And the latest report on the Ed Snowden leak documents has come out and it's yet another big one: the NSA and GCHQ have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading, but a few key points are worth highlighting.

First, the NSA spends $250 million per year to "covertly" influence tech product designs. The report suggest two ways this is happening. First by infiltrating standards-bodies:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.
That's disturbing enough, but it gets worse. While the Guardian report suggests that unnamed tech companies are "collaborating" in inserting these kinds of backdoors, that's not entirely clear, because later in the document, they suggest that the NSA is recruiting covert operatives within telco firms to insert vulnerabilities:
To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.

This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."

"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn."
Did you get that? Rather than recruiting spies from, say, governments, the NSA and GCHQ are recruiting employees at telcos to help them suck up and access all your data.

All of this activity has apparently led to some major breakthroughs, allowing them to access plenty of data they didn't have access to previously. Just last week we'd written about major successes by the NSA having to do with encryption, and this report reveals more details:
"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!" The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.
Once again, we're seeing rather extreme behavior on the part of the NSA and GCHQ as they try to basically be able to dig into every possible communication.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 12:51pm

    so

    from every nation in the world DO NOT BUY AMERICNA SOFTWARE OR HARDWARE....sounds about right....and use open source where you can cause even if a back door exists it will get found out one day...

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Michael, Sep 5th, 2013 @ 1:00pm

    So this has also made it clear that there are unscrupulous telco employees that have access to back-doors allowing them to view what should be secure information.

    I'm sure none of them are abusing this.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    jakerome (profile), Sep 5th, 2013 @ 1:08pm

    This may not be the popular opinion here...

    See, this is a good example to use to explain why I am personally torn on some of these matters. And also reveal how some of the more extreme NSA actions have put "good" parts of the program in trouble.

    Personally and in theory (because the practice have proven the theory moot), I don't have a problem with the NSA having the capability of digging into any communications. My issue with the NSA has been how they have been exercising that capability-- with no oversight, no accountability, not even auditing. Storing vasts amounts of data, and using even the most tenuous excuse to collect & store more data even when a plain reading of the lie makes it clear that the NSA is spying on those they're prohibited from spying upon.

    There are good reasons for the NSA to have this capability, and if properly used could be properly employed to find the bad guys. Instead, we see the NSA abusing this power (which may, I concede, be an inevitable outcome of the program) to simply enlarge the haystack. As a consequence, the NSA ability to dig into any & all communications will be hurt, even as the haystack grows in other ways. Meanwhile, all the needles will have moved elsewhere.

    If the NSA wasn't so broadly overreaching elsewhere, I'm not sure that leaking this information *alone* would serve any purpose other than to harm the NSA's ability to perform its mission. However, we know how far beyond its mission the NSA has crept, and this simply provides more evidence that the NSA can crack just about any data on the internet.

    The program is brilliant in a way, and if they were just using it to narrowly target foreign or terrorist agents acting against the US, as a citizen I would support the program. In light of the whole mess, it's just more evidence that the NSA wants to vacuum up everything. Laws be damned.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    out_of_the_blue, Sep 5th, 2013 @ 1:08pm

    Oh, I'd assume TOP execs were the first bribed.

    Just on the odds.

    And I'd bet the "unnamed" are all well known here.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:14pm

    For anyone wondering about the 2007 weakness the NY Times article mentions, I'm guessing they're talking about this:

    http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1 115

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Internet Zen Master (profile), Sep 5th, 2013 @ 1:15pm

    I did say "earth-shaking" revelation in an earlier thread

    I just didn't expect it to be this soon!

    That said, this news is just... Wow. I'm kinda at a loss for words here.

    Though program names like Bullrun and Edgehill are much easier to remember and correctly identify than something as bland as PRISM.

    So...... how much outrage in America will this generate?

    The Zen Master says, "We'll see (but I hope there's a lot of it)."

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Michael, Sep 5th, 2013 @ 1:17pm

    Re: This may not be the popular opinion here...

    My issue with the NSA has been how they have been exercising that capability-- with no oversight, no accountability, not even auditing

    That is the problem with having this kind of power. It's human nature to abuse it. I am absolutely sure that the NSA never intended to use this ability for anything other than trying to find "the bad guy", but it is amazing how quickly "the bad guy" turns into "the guy that disagrees with us".

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:22pm

    Re: This may not be the popular opinion here...

    I don't have a problem with the NSA having the capability of digging into any communications.

    Think what could happen if Michael Bloomberg and Ray Kelly had direct access to NSA, it would not be pretty.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:24pm

    What good will the NSA had is gone. There may well have been a good reason at the start for infiltration but that good reason has been stomped in the mud and well trampled over. What remains, now guiding the NSA is rotten to the core along with the present administration supporting it.

    Every thing you have been told about what the NSA can not do, about how there are all sorts of safeguards and oversight, and how the NSA works it's data has all, every bit, been a pack of lies. They have violated the intent and the letter of law as well as the Constitution and the Bill of Rights and then claimed every thing was ok. That every thing was safeguarded. Well that might be the view of the NSA prior to the Snowden leaks. It sure isn't my view nor that of others I am hearing from.

    The dirty underwear has been partly exposed. There's plenty we don't know of still. None of those things being revealed are on track to be anything resembling what the US is supposed to be about. Human rights have been thrown out the window in favor of examining anyone's life under a microscope. It just keeps getting dirtier as more is exposed. It is far beyond the scope or the mandate of an agency charged with foreign spying. There is no way the entire population of the US are terrorist. There is no way that everyone's phone call is relevant to an investigation. Attempting to dance around the meanings of words by giving them new definitions does not change the actions. Those actions are exactly what they look to be.

    Again we just have more ammo that this agency and this government have been infected with a near rapid paranoia of every one and everything. It is time for this to come to a halt.

    No one ever guaranteed your personal safety. All that was ever given you was the right to freedom, liberty, and the pursuit of happiness. (along with the right to freedom of personal searches of your papers and correspondence without due process). Due process has turned out to be inconvenient. Legality has turned out to be burdensome. We have reached the point that criminal charges and indictments are in order.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:26pm

    Re: I did say "earth-shaking" revelation in an earlier thread

    Well, let's put it this way. A few weeks ago I mentioned how much of your online purchasing and transactions could be tracked by tracking your email. From the sound of this, they don't even need to resort to that, they've broken all the common secure connections people use for backing and online purchasing, and can monitor your activity directly.

    I really wish people speaking out against the NSA would make the point that this means that the NSA can monitor you accessing your bank account, as well as monitoring all of your online purchases. That might make it more real for people than the more generalized "the NSA has broken a bunch of common encryption methods."

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:27pm

    Skype

    How much was Microsoft paid to centralise Skype for NSA? A decentralised Skype was much harder to tap as their was no central control point.

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    jakerome (profile), Sep 5th, 2013 @ 1:30pm

    Re: Re: This may not be the popular opinion here...

    Right. Which is why the NSA needs to stick strictly to its mission of being a foreign intelligence agency. The NSA should never spy on domestic communications, and they should never share that information with law enforcement unless it relates to a foreign/ terror threat.

    It is unclear if the NSA, as an organization, is capable of sticking to their assigned mission.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:31pm

    They compromised the STANDARDS?!?!

    We are so screwed.

    The NSA, in their arrogance and hubris, has deliberately enabled every phisher, every spammer, every scammer, every pedophile, every stalker, every thief, every extortionist, every blackmailer, every psycho on the planet who has basic security skills. Because if the standard is compromised, then every piece of software written to that spec is also compromised, and it's simply a matter of who can figure out a way to exploit it.

    The consequences of this are enormous. Is HTTPS affected? (probably) Is email affected? (definitely) Are VPN's affected? (probably) How about DNSSEC? (unknown) How about SSH? (unknown) How about BGP security? (probably)

    We are so screwed.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:33pm

    Re: Re: I did say "earth-shaking" revelation in an earlier thread

    Cash is king if you want to keep your spending private, at least until facial recognition is employed at every till.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:34pm

    Re: Skype

    Annnnnd this is why nobody, NOBDOY, should be using Skype. Ever.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Edward Teach, Sep 5th, 2013 @ 1:35pm

    Puts _NSAKEY to shame

    Aye, Mates, this revelation puts the old "_NSAKEY" Microsoft backdoor to shame.

    But what other consequences does this sort of backdooring have? The US Government has a notorious weakness for Microsoft products, products of ... arguable quality and fitness for service. Given that the US Gov sets de facto standards that essentially mandate MSFT software, can we trust MSFT software in the slightest?

    I'm going to need a while to apprehend the weakness of mind and morality that this revelation lays bare before us, Mates.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:40pm

    Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread

    Yeah, but the problem is that you can't really use cash online. And even if you use a credit card, it probably isn't as easy to get the information, or as complete information, as monitoring the transaction real time.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:45pm

    Re: Puts _NSAKEY to shame

    To answer your question: no. And that's without NSA tampering. Best practice is to ban all MSFT products from your operation and make it a termination offense to introduce them.

    Don't tell me it can't be done. I've been doing it -- quite successfully, by the way -- for a very long time. I save a ton of money, I don't have to deal with licensing issues, my security posture is tremendously improved, I have almost no interoperability issues, and I can laugh and laugh and laugh at all the chumps who are slaves to Redmond.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:45pm

    This is getting ridiculous

    From the NYT version of the story:

    In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

    So now we can't trust Dell, HP, or Apple to not ship root-kitted machines to their customers?

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Rob, Sep 5th, 2013 @ 1:46pm

    Re: so

    Right, because there's no way the NSA could blackmail or bribe anyone in a non-American company.

    And your "one day" can be a long time. Firebird (SQL server, not mail client) was what, a year and a half with a hardcoded password, non-obfuscated?

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:51pm

    Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread

    Online transactions create records due to the requirement for a delivery address. If you cannot use cash it will be recorded to the name on the card, or delivery name and address.

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    Internet Zen Master (profile), Sep 5th, 2013 @ 1:54pm

    Re: Puts _NSAKEY to shame

    Since all the cool kids are walking around with their iPhones/iPads/and other assorted iShit, I suspect they'd be more focused on breaking Apple's encryption than getting Microsoft to play ball these days.

    It should be noted that Microsoft's already been saying they'd explain themselves (probably in their usual "craptastic PR fiasco" fashion) but they can't because the NSA's got them gagged with the whole "you must cooperate with us because national security, and you can't tell anyone about under penalty of, well, whatever the harshest thing we can think of if you try and speak out" thing.

    Will it negatively affect Microsoft in the short-run? Depends on how much the average American thinks beyond "holy shit the NSA's breaking the Internet!1!" and what happens after that.

    I highly doubt this spells doom for Microsoft though.

    As the Zen Master says, "We'll see."

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 1:56pm

    Re: This is getting ridiculous

    N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

    You figure they own the master cert keys that you are trusted by your browser (e.g. Verisign, etc.)? I suppose all they need is one.

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    Richard (profile), Sep 5th, 2013 @ 1:56pm

    Re: This may not be the popular opinion here...

    There are good reasons for the NSA to have this capability,

    NO NO NO.

    If the NSA has this capability then we have to assume that the bad guys have the capability too. The only safe option is for no-one to have this capability.

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    br3n (profile), Sep 5th, 2013 @ 2:00pm

    tin foil hat?

    each new leak is worse than the last,when is the one coming about our personal bank records?
    br3n

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 2:02pm

    Re: Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread

    Yes, hence my statement that you can't really use cash online.

    The rest was me pointing out that getting information from the credit card company would still likely be inferior to watching the transaction in the first place.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    Atkray (profile), Sep 5th, 2013 @ 2:12pm

    Re: Re: Puts _NSAKEY to shame

    Depends on how much the average American thinks beyond "holy shit the NSA's breaking the Internet!1!"

    The average American won't get that far.

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    Josh in CharlotteNC (profile), Sep 5th, 2013 @ 2:24pm

    Re:

    The NSA and GCHQ are paying them.

    Who else is? The Russian FSB? The Chinese intelligence service? Organized crime?

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    John Fenderson (profile), Sep 5th, 2013 @ 2:30pm

    Re: Re: Re: This may not be the popular opinion here...


    It is unclear if the NSA, as an organization, is capable of sticking to their assigned mission


    Actually, this part is very clear. Years of history with them (as with the FBI and CIA) has demonstrated that they are not so capable, and will never be.

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    AppleGal, Sep 5th, 2013 @ 2:33pm

    Re: Skype

    Apple's FaceTime used to be iPhone to iPhone, but now it goes through Apple's servers instead, so everything can be conveniently recorded for the NSA.

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 2:43pm

    "Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document."

    This cannot be justified. Even if things like the Fourth Amendment didn't exist, it couldn't be justified. They're making us all less secure, not only from THEIR snooping, but from everyone else.

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 2:45pm

    So much for AES and SHA algorithms. If the NIST recommends something, choose something else! Such as Free and Open Source Software.

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 2:45pm

    Re: so

    That won't do much good when they have the international standards on encryption under their control.

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 2:47pm

    Re:

    It's time to call the telcos, en mass.

     

    reply to this | link to this | view in thread ]

  35.  
    icon
    John Fenderson (profile), Sep 5th, 2013 @ 2:55pm

    Re: Re: so

    There's nothing that says you have to use any particular encryption scheme.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 3:17pm

    Re: This may not be the popular opinion here...

    "There are good reasons for the NSA to have this capability, and if properly used could be properly employed to find the bad guys."

    Definition of "bad guys" subject to editing and may include minor criminals, whistleblowers, journalists and politically active individuals.

    "The program is brilliant in a way, and if they were just using it to narrowly target foreign or terrorist agents acting against the US, as a citizen I would support the program."

    The NSA/GCHQ is the foreign agent acting against other countries.

     

    reply to this | link to this | view in thread ]

  37.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 3:47pm

    Re: Re: so

    Firebird (SQL server, not mail client) was what, a year and a half with a hardcoded password

    "7 years, at least"—Firebird was based on Interbase which also had the backdoor; nobody noticed until it was open-sourced, and then it still took a while.

     

    reply to this | link to this | view in thread ]

  38.  
    identicon
    arcan, Sep 5th, 2013 @ 4:37pm

    i think it is time to break out the guy fawkes mask. this isn't just outrageous, this is unacceptable.

     

    reply to this | link to this | view in thread ]

  39.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 4:38pm

    Re: This may not be the popular opinion here...

    This is just wishful thinking - the oversight means revealing, revealing means decrease in efficiency. No oversight brings mess we're in now. And no, I do not trust government having power to access all my communication. It is just big brother.

     

    reply to this | link to this | view in thread ]

  40.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 5:06pm

    Re:

    "Security by obscurity" strikes again...

     

    reply to this | link to this | view in thread ]

  41.  
    identicon
    Anonymous Coward, Sep 5th, 2013 @ 5:11pm

    Re: This may not be the popular opinion here...

    "I don't have a problem with the NSA having the capability of digging into any communications."

    Not without specific court warrants.

     

    reply to this | link to this | view in thread ]

  42.  
    icon
    art guerrilla (profile), Sep 5th, 2013 @ 5:43pm

    Re: This may not be the popular opinion here...

    this bears repeating, as it is a lesson we need to learn over and over:
    ANY and ALL secret institutions WILL become corrupted...

    repeat:
    ANY and ALL secret institutions WILL become corrupted...

    you don't need to go any further than that...

    art guerrilla
    aka ann archy
    eof

     

    reply to this | link to this | view in thread ]

  43.  
    identicon
    Patrick, Sep 5th, 2013 @ 6:04pm

    I can only imagine the fun they are having with the back door of the voting machines.

     

    reply to this | link to this | view in thread ]

  44.  
    identicon
    Groove Tiger, Sep 5th, 2013 @ 6:43pm

    [channeling ootb...]

    Look, this is yet again another attempt by Masnicking Mike to distract us from the fact that Google lives in Endor. Google is a Wookie, why would a Wookie live in Endor! It makes no sense. Just like Techdirt makes no sense!
    ------------------
    Techdirt... LOOK AT THE MONKEY!

     

    reply to this | link to this | view in thread ]

  45.  
    identicon
    FM Hilton, Sep 5th, 2013 @ 7:10pm

    Another unpopular opinion

    I've been asking why we can't just shut down the whole fricking system outright, because it's pretty damned obvious that the NSA will never, ever stop doing this short of being shut down totally, and then the individuals prosecuted for all of it from top to bottom.

    Everyone who tries to justify this stuff under any guise is either a fool or part of the problem.

    "Give them an inch, and they'll take a mile."

    Until the NSA and the government is stopped in their tracks we will continue to wail and moan, bitch and complain about being hacked, spied and trolled by our government.

    And paying for it.

    We're the fools for not taking back our own power.

     

    reply to this | link to this | view in thread ]

  46.  
    identicon
    Anonymous, Sep 5th, 2013 @ 7:33pm

    Re: Re: This may not be the popular opinion here...

    Are you implying that the NSA are the "good guys"?

     

    reply to this | link to this | view in thread ]

  47.  
    identicon
    Anonymous, Sep 5th, 2013 @ 7:36pm

    Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread

    Yeah, but only a fool would make an online transaction.

     

    reply to this | link to this | view in thread ]

  48.  
    identicon
    Chris, Sep 5th, 2013 @ 10:04pm

    There's gonna be a lot of audits in the open source community soon.

     

    reply to this | link to this | view in thread ]

  49.  
    icon
    Uriel-238 (profile), Sep 6th, 2013 @ 12:19am

    Re: They compromised the STANDARDS?!?!

    This is the joy of open source, specifically Linus' law:

    Given enough eyeballs, all bugs are shallow.

    And that includes bugs wittingly added for ulterior purposes.

     

    reply to this | link to this | view in thread ]

  50.  
    icon
    Postulator (profile), Sep 6th, 2013 @ 1:31am

    One expects that in ten to twenty years time the US will find it has recreated itself as a technological backwater that nobody wants to do business with because it cannot be trusted.

    How long will it take to earn back some trust? How many governments are jumping right now to determine how quickly they can move away from US technology?

     

    reply to this | link to this | view in thread ]

  51.  
    icon
    DannyB (profile), Sep 6th, 2013 @ 6:11am

    Re: Re: This may not be the popular opinion here...

    NO NO NO.

    You have to assume that both the bad guys and good guys have this capability. Wait. Nevermind about the good guys part. They become bad guys by simply having that capability and because of human nature.

    Instead, we should be using strong encryption for everyday communications, and digital signatures for authentication. Encryption keys need to be in the endpoint devices with encrypted bits passing through all intermediaries.

    The trust model of SSL with central certificate authorities is broken and needs to be fixed.

     

    reply to this | link to this | view in thread ]

  52.  
    icon
    DannyB (profile), Sep 6th, 2013 @ 6:32am

    Re:

    Open Source software is a different issue than choice of encryption algorithm.

    The book Applied Cryptography discusses this and many other subjects.

    I'll try to summarize several important points.

    To design a good algorithm requires talent, a background of attacking encryption algorithms, and scrutiny of other people with similar talent and background. (The background of attacking algorithms is probably the single most important prerequisite.) Anyone can design an algorithm they themselves cannot break, but that doesn't mean someone else cannot break it.

    In the early days of digital cryptography national governments had the only large enough pool of talented people to design great algorithms. (I'll call them the "secret group".) Eventually the "open group" of everyone else got large enough to design good algorithms.

    In order for an algorithm to get good scrutiny the algorithm must be known to everyone. There should not be any secrets -- including even magic numbers used in the algorithm with no explanation of why and how they were chosen. The openness is important only so that enough people can scrutinize the algorithm and see that it withstands analysis over a period of time.

    If an algorithm is kept secret, this doesn't mean it isn't secure, it may simply be 'open' to the "secret group" of people who scrutinize and analyze it. If that pool is large enough, then it really is 'open' in some sense and had sustained analysis over a period of time -- just in secret.

    If the NSA publishes an algorithm, and it contains no secrets, and has been studied for years by the open community, then it is probably safe to use.

    Remember the NSA has a dual mission.
    1. To spy on foreign bad guys
    2. To protect domestic "good" guys from being spied on

    Giving us good encryption algorithms, and giving us source code such as the SELinux patches, falls under number 2. Giving banks good encryption, for example, is in the national interest. Making sure ATMs can securely communicate with the bank is important. But it's always wise to remember the number 1 part of their mission. They may give us encryption that is just 'good enough' so that nobody but themselves (and possibly other major national efforts) can crack or even merely attack it.

     

    reply to this | link to this | view in thread ]

  53.  
    icon
    DannyB (profile), Sep 6th, 2013 @ 6:35am

    Re:

    Yeah, this puts electronic voting machines with no paper trail or possibility of recounts in a whole new light.

     

    reply to this | link to this | view in thread ]

  54.  
    icon
    Designerfx (profile), Sep 6th, 2013 @ 9:16am

    this wasn't covert

    do people not know what FIPS 140-2 is for?

    This is what's for. NSA takes the information, and breaks encryption on all OS's with it.

     

    reply to this | link to this | view in thread ]

  55.  
    icon
    nasch (profile), Sep 6th, 2013 @ 9:48am

    Re: Re: Skype

    Annnnnd this is why nobody, NOBDOY, should be using Skype. Ever.

    What should we use instead?

     

    reply to this | link to this | view in thread ]

  56.  
    icon
    John Fenderson (profile), Sep 6th, 2013 @ 10:24am

    Re: Re: Re: Skype

    Any of the many peer-to-peer alternatives, working through a VPN, would do. There are lots of them available, only a search away.

     

    reply to this | link to this | view in thread ]

  57.  
    identicon
    An American, Sep 7th, 2013 @ 3:06am

    Uncle Sam

    The problem you (most Americans) do not understand is that Uncle Sam does not care about the information/intelligence about terrorists. If they did, they could have stopped the 9/11 or similar terrorist attacks. Uncle Sam needs such covers/excuses to legitimize its spying actives and its power of authority to dominate the world. This does not mean that the domination has to be by means of physical existence (which they are already) but by means of intelligence (the power of knowledge). Just think about this and of course there is more about it. Look from the government's point of view; it must know what the citizens are doing, what the companies are doing, what the enemies are doing, ad what the allies are doing etc...

     

    reply to this | link to this | view in thread ]

  58.  
    identicon
    Anonymous Coward, Sep 7th, 2013 @ 3:38pm

    Re: Re: Re: Skype

    Substitute "Google" for "Skype". Would you be asking the same question?

     

    reply to this | link to this | view in thread ]

  59.  
    icon
    nasch (profile), Sep 7th, 2013 @ 5:44pm

    Re: Re: Re: Re: Skype

    Substitute "Google" for "Skype". Would you be asking the same question?

    Possibly, though I'm more aware of alternatives to most Google services. Perhaps you read too much into my question. I wasn't trying to imply there no alternatives, I was curious if he had any recommendations.

     

    reply to this | link to this | view in thread ]

  60.  
    identicon
    Anonymous Coward, Sep 10th, 2013 @ 5:11am

    Re: Re: Re: so

    Or that anyone you know has to use yours.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This