Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy

from the well-this-is-getting-interesting dept

It's been pretty obvious that the big telcos, AT&T and Verizon, have been working closely with the feds on all of the various surveillance operations. The big question, however, has been how closely the big tech companies have been involved -- with most of them issuing pretty strong denials, and some of the early reports of their involvement not standing up to much scrutiny. Late on Friday, reports came out that Google has actually been scrambling to encrypt the information that flows between its data centers to protect that particular attack vector from the feds:
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information...
That doesn't exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won't trust statements like this. Furthermore, given that last week's leaks revealed that the NSA actively recruits employees within companies to sabotage their security, it suddenly seems like even if some companies have the best of intentions, they now need to be on the alert for moles from the government within their companies. This is, frankly, insane. It's the kind of thing that wasn't supposed to happen in the US.

Indeed, both Microsoft and Yahoo have now spoken out about the revelations:
Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse".
All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we've said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they've been asked to do over the years.


Reader Comments

  •
    Anonymous Coward, Sep 9th, 2013 @ 3:36am

    Congratulations NSA! You've managed to make everyone distrust the national industry that matters the most in the coming years.

     

  •
    Anonymous Coward, Sep 9th, 2013 @ 3:47am

    This is maybe 1 percent of what these companies should be doing. Just like with SOPA, where they actually offered quantifiable help, such as putting calls to action on their websites, and lobbying the government against it, this time I don't really see much of that.

    Where's Google (and Microsoft, and Apple, and Yahoo, and Facebook, and others) call to action to "Repeal the Surveillance State" and support Rush Holt's bill?

    http://holt.house.gov/index.php?option=com_content&task=view&id=1200&Itemid=18

    This is what they need to be doing, because in the end, if total surveillance is completely approved by laws, and if trying to protect against it is *outlawed*, then trying to encrypt stuff obviously won't do much good.

    So we need to fight this politically, too, and it's our best chance, and their corporations' best chance to fight it politically, and support political actions such as repealing the Patriot Act and the FISA Amendments Act, *drastically* defunding (or eliminating) the NSA, and bills that say no agency should be able to spy on someone without a *regular* warrant from a *regular* judge (not this Star Chamber "Court" stuff)

     

    •
      Headbhang, Sep 9th, 2013 @ 12:07pm

      Re:

      It would seem like the tech giants are of two minds about the issue, as if they don't really like it, but are also getting benefits from it. Seems consistent with the governments applying a two-pronged carrot+stick approach to gain their cooperation.

       

  •
    Anonymous Coward, Sep 9th, 2013 @ 3:47am

    Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

    Which will do no good if any of the following are true:

    - the encryption algorithms have been deliberately weakened by the NSA

    - the encryption software has been deliberately weakened by the NSA

    - the network/server hardware used has been backdoored by the NSA

    - the network/server software is accessible by NSA moles

    - the network/server hardware is accessible by NSA moles

    The problem is that there's no way to know which, if any, of these are true. Certainly the NSA's word is completely worthless: there's no point whatsoever in asking them ANY question as everyone knows that they lie. And asking staff is equally worthless, since those working for the NSA lie.

    It will take more --- much more -- than this token gesture on Google's part to actually secure their operation from the NSA. In my opinion, doing so will require completely rebuilding it from scratch (and doing so using compartmentalized teams with massive peer review), at a cost that I'm not comfortable trying to estimate this early on a Monday. I doubt Google will pay that price. So while I'm inclined to wish them well, I think anything short of that level of effort is absolutely doomed to fail.

     

  •
    beech, Sep 9th, 2013 @ 3:59am

    anticipating blue

    Well, since this is about Google and the NSA, I'm assuming it's only a matter of time until blue shows up talking about psyops and the like. So, before he drops that then never looks at the thread again....

    Hey OotB. So, wtf is a psyop? You keep mentioning it but never give a clear comprehensive explanation of what you're alleging. All I ever hear about psyops is you coming in here and claiming every story proves your theory... So let's get ahead of this, what evidence (if any) COULD POSSIBLY disprove your hypothesis? Because that's the important part of hypotheses, testability.

    Thanks for your time

     

    •
      Anonymous Coward, Sep 9th, 2013 @ 4:12am

      Re: anticipating blue

      Please. It's bad enough that we have to tolerate spamming psychopath ootb without someone provoking him. Until this site wakes up and blacklists this worthless asshole for life, please have some consideration for the rest of us and (a) never respond to him (b) immediately report all his comments so that, hopefully, his filth isn't inflicted on the rest of the site's users.

       

      •
        beech, Sep 9th, 2013 @ 9:14am

        Re: Re: anticipating blue

        Blue has actually had some decent, relevant comments before. Reporting/arguing at him has done very little to curb his negative behavior, in fact feeling like a martyr probably encourages him more. So why not try to encourage good behavior? Help make cogent points that can actually be discussed.

        And as far as "provoking" goes, he has thus far declined to comment on this story at all...so apparently it wasn't much of a provocation at all.

         

    •
      alternatives(), Sep 9th, 2013 @ 4:47am

      Re: anticipating blue

      So, wtf is a psyop?

      There is a new product called a "search engine" by an upstart called "google" and if you type in "define psyop" it will come back with the answer to your question.

      Where this becomes NSA fun is with this definition:
      PSYOPS or Psychological Operations: Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.

      What is supposed to be the scope of the NSA efforts?

       

      •
        Anonymous Coward, Sep 9th, 2013 @ 4:49am

        Re: Re: anticipating blue

        That doesn't answer the question which is what does blue mean by 'psyop.'

         

        •
          Smacky, Sep 9th, 2013 @ 5:28am

          Re: Re: Re: anticipating blue

          This particular psyop:


          Reporter: Sources say the NSA sees everything.

          NSA: No we don't, I mean, yes we do see everything, so don't try anything.

          Everyone Else: Shaking in the boots, as we tremble in the fearz. (Reality: NOT)

           

  •
    Anonymous Coward, Sep 9th, 2013 @ 4:01am

    this maybe a daft thing to say but wouldn't the most important step to be taken first, be the one that identifies those people who started all this off in the first place? i mean, maybe it was the head of the NSA, maybe it wasn't. there has to be a certain number of extremely powerful, extremely wealthy people at the very top of the very highest tree that are actually giving orders of who should do what, to whom, how and for what reasons. no head of any agency or department can get all of the other heads of agencies or departments to simply do as he/she wants. those deciding the steps to be taken are the elite few that basically decide the fate of everyone and everything, everywhere. they are the ones that need discovering and exposing. everyone else are just pawns

     

    •
      Anonymous Coward, Sep 9th, 2013 @ 4:18am

      Re:

      Most of the people there are either dead or have memories like a sieve. So we go after who we can (which are the NSA heads and the DNI, as well as Rogers and Feinstein.)

       

    •
      ChrisB (profile), Sep 9th, 2013 @ 6:20am

      Re:

      "extremely powerful, extremely wealthy people at the very top"

      What the hell are you talking about? You think that business has anything to do with this? Sorry, but this story doesn't fit into your 1% nonsense. This is government corruption, pure and simple. And the solution is reducing the size of government.

       

      •
        Anonymous Anonymous Coward, Sep 9th, 2013 @ 7:09am

        Re: Re:

        So you think the military/industrial complex is completely innocent? Who the hell do you think is corrupting those in positions of power? Do you really think they came pre-corrupted?

         

  •
    Zakida Paul (profile), Sep 9th, 2013 @ 4:21am

    Tech companies caught with their pants down now looking to shift blame to government.

    Government caught with their pants down now looking to shift blame to everyone else.

    Who is telling the truth?

     

    •
      silverscarcat (profile), Sep 9th, 2013 @ 5:05am

      Re:

      Neither is, but I still trust Google over the government.

      At least Google can't throw me in prison for jaywalking.

       

    •
      ChrisB (profile), Sep 9th, 2013 @ 6:23am

      Re:

      You do understand that the NSA is a government organization, right? What do you mean, "tech companies got caught"? Got caught obeying the insane US laws? They are probably relieved that this came to light so they aren't (by penalty of law) forced to lie to everyone.

       

  •
    me, Sep 9th, 2013 @ 4:26am

    At this point

    It's fair to say just about everything has been compromised. A new encryption is needed and the paramount aspect of it would be to keep the NSA's hands off of it from the get go of its creation.

    Throw out the old book and institute a new one.

     

    •
      Zakida Paul (profile), Sep 9th, 2013 @ 4:40am

      Re: At this point

      Time to go old school methinks.

      Stenography, microdots, book codes etc.

       

    •
      Anonymous Coward, Sep 9th, 2013 @ 4:51am

      Re: At this point

      I agree that we should keep the NSA's hands off the implementation and development but the rest is crazy talk.

      The "word on the street" is that the NSA can probably break 1024 bit RSA keys by brute force in a few days/hours. Stronger keys are unlikely to be broken in useful time by brute force alone, at least for now.

      AES with 254 bit keys still looks safe too according to some cryptographers and mathematicians. The general feel is that symmetric key algorithms with strong keys seem "safe" overall, unless there is some implementation error.

      Bear in mind that the NSA's attacks resort either to cheating (like sabotaging the implementation, forcing companies to hand over their private keys or even putting backdoors into their systems) or brute force, not attacking the underlying cryptographic theory, which, according to experts, is still sound.

       

      •
        RyanNerd (profile), Sep 9th, 2013 @ 5:15am

        Re: Re: At this point

        As soon as Big Brother stopped calling RSA encryption "munitions" was when in my opinion they had reasonably cracked the encryption.
        The NSA fought tooth and nail against the export of the encryption method then suddenly without warning the fighting stopped... Just sayin.

         

        •
          Anonymous Coward, Sep 9th, 2013 @ 6:33am

          Re: Re: Re: At this point

          Your link is broken.

          Nevertheless, in matters of security, you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. There is already enough fear, uncertainty and doubt clouding the issues..

          Here's something to get you started:

          https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

           

          •
            Mr. Applegate, Sep 9th, 2013 @ 9:16am

            Re: Re: Re: Re: At this point

            "you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. "
            Except the "conspiracy nuts" have been proven right how many times in the last few months? and how many times have "the people that know" been proven wrong?

            Ooops! Might want to re-think that plan.

             

            •
              Chronno S. Trigger (profile), Sep 10th, 2013 @ 8:22am

              Re: Re: Re: Re: Re: At this point

              You know your government has gone overboard when people start listening to the conspiracy nuts more than the experts.

               

  •
    That One Guy (profile), Sep 9th, 2013 @ 4:39am

    Too little, but will it be too late?

    At this point, with the news that the security standards themselves have been compromised, and people in the companies are putting in backdoors for the NSA and others (because if the NSA thought of paying off some employees, you can bet many other groups have done the same), it's becoming more and more likely that the only trustworthy security is going to be one that is open source, something that programmers, hackers and others can test and re-test to make sure it's secure, and that isn't tied to a particular company.

    Given that, it's hardly surprising that they are panicking, as between the leaks and the gag orders that prevent them from saying a word in their defense, any good-will or trust that the big companies had in regards to security or customer privacy is quickly fading away, and if they don't do something major, soon, they are likely to see their customers move on to greener, more secure pastures.

     

  •
    quawonk, Sep 9th, 2013 @ 4:45am

    >>That doesn't exactly sound like a willing partner in all of this.

    No, it sounds like big tech companies trying to save face in the public eye. We're not stupid enough to believe it, are we? Anything less than public national exposure of all the requests and the people who made them, and linking to trusted encryption applications (if there are any left) on their homepages and telling people click here to install, will convince me they care about user privacy.

     

    •
      Anonymous Coward, Sep 9th, 2013 @ 4:58am

      Re:

      We'd have to do our part first and leash the NSA though. Presently they're more afraid of the government than they are of their consumers and with good reason.

       

  •
    RyanNerd (profile), Sep 9th, 2013 @ 5:00am

    Not really shouting from the roof tops but it's a start...

    The telcos are silent because they're making a buck off the backs of American taxpayers by partnering with the NSA.
    Other companies I give the benefit of the doubt since their CD player may be stuck on the John Mellencamp track I fight authority, Authority always wins.

     

  •
    Anonymous Coward, Sep 9th, 2013 @ 5:10am

    Where is the talk about the corruption of Pseudo random number generators?

     

    •
      RyanNerd (profile), Sep 9th, 2013 @ 5:24am

      Re:

      d0N7 j00 W0RrY i'M 5Ur3 73h N54 I2 n07 3xPl0i7iN' pHL4W3D r4Nd0M Numb3R 93n3R470R2.

       

    •
      John Fenderson (profile), Sep 9th, 2013 @ 9:32am

      Re:

      That's an implementation detail. As soon as you start getting into implementation details, people's eyes glaze over and you lose them.

      However, you are pointing to a larger issue that I've seen nobody make about encryption yet: when there is talk about compromised encryption, what they're not talking about is some magic wand that causes the encryption to be decryptable with the same ease as the legitimate keyholder.

      What they are talking about is the inclusion of some deliberate weakness that makes cracking a particular message easier (or possible, when it wasn't before). Since crypto is a very specialized and rarified branch of mathematics, it's possible -- and has happened time and again -- to have a crypto algorithm weakened in such a way that it will go undetected without a major analysis effort on the part of crypto specialists.

      This is a warning for those who believe that open source keeps them safe from these types of shenanigans. It doesn't. You'll never spot the weakness by examining the code.

       

  •
    Andrew F (profile), Sep 9th, 2013 @ 5:31am

    Context

    As far as I know, both Snowden and Bruce Schneier (who has access to the full set of Snowden materials) still believe the fundamental math behind encryption is sound and that NSA is merely "cheating". https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

    Also worth noting is that most, if not all, of the "breakthroughs" by the NSA can merely be described by exploitation of publicly known vulnerabilities in encryption. http://arstechnica.com/security/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/

     

    •
      Anonymous Coward, Sep 9th, 2013 @ 6:27am

      Re: Context

      If you have a hardware or software back door you do not need to break the encryption; you have direct access.

       

      •
        art guerrilla (profile), Sep 9th, 2013 @ 7:21am

        Re: Re: Context

        yep, IF the spooks want you, you are -possibly EVEN IF a world-class hacker- toast...

        they put some keystroke logger on you, IT IS ALL MOOT... you are owned...

        THEY have become an evil FAR GREATER than a million terrorists; in fact, they are DEFINING all us li'l peeps AS TERRORISTS...

        well, talk about self-fulfilling prophecies: THEY act like scumbag terrorists in treating us like terrorists, and GUESS WHAT we are BEING FORCED to become to reclaim OUR gummint ? ? ?

        the bastards ! ! !

        art guerrilla
        aka ann archy
        eof

         

  •
    Anonymous Coward, Sep 9th, 2013 @ 6:44am

    Moles

    These tech companies need to root out the moles in their organizations. Maybe a program they could call, "see something, say something".

     

  •
    Anonymous Coward, Sep 9th, 2013 @ 7:52am

    Fool me once...

    Wolves in sheeps' clothing, sympathetically bleating.

    They desperately want new shiny (compromised) encryption implementations to restore people's naivety. Sadly that will probably work.

    The Holt bill is interesting. Snowball's chance in hell of passing. Course it does seem like hell is freezing over lately. I'm holding out for the ultra secure flying pig based com systems.

     

  •
    FM Hilton, Sep 9th, 2013 @ 2:11pm

    Follow the money

    Sure, the tech companies could be doing something more, better, stronger.

    But then they'd lose a valuable customer!

    How many millions of dollars does the NSA spend on getting this information? We don't know, and they won't tell us, but in the long run look at the bottom line, and all it says is "profit".

    Seems to be the guiding motive here.

     

  •
    Anonymous Coward, Sep 9th, 2013 @ 9:09pm

    I'll never trust Google, Apple, Microsoft, Facebook, Yahoo, and especially AT&T, Verizon, Sprint.

    I will only trust Free and Open Source Software that I deploy and manage myself.

    If I really get paranoid, I'll run virtual machines or LiveCDs that are wiped from RAM after every reboot. With no persistent data saved to disk.

    The hardest thing for me is figuring out how to get around the cell phone dilemma. Even with Cyanogen firmwares, the hardware drivers are closed source and not under user control. That means the microphone, GPS and cellular modem can betray you at any moment.

    Most cellular modems have read/write access to RAM modules, or so I hear. All cellphones are insecure devices until open source hardware drivers are available.

    So yeah, I hate my cellphone. If I want to be reachable to family, friends and co-workers, I have to carry one though. I hate the fact it keeps track of all the places I've been for decades. I hate that the most.

    Guess I could try to find the GPS receiver and unsolder it from the PCB board. Who knows if the phone would work after that though.

    Would be easier to do with schematics, but those will never be released to the public.

    I really wish someone would create a Raspberry Pi smartphone!

     
