Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy

from the well-this-is-getting-interesting dept

It’s been pretty obvious that the big telcos, AT&T and Verizon, have been working closely with the feds on all of the various surveillance operations. The big question, however, has been how closely the big tech companies have been involved, with most of them issuing pretty strong denials, and some of the early reports of their involvement not standing up to much scrutiny. Late on Friday, reports came out that Google has actually been scrambling to encrypt the information that flows between its data centers, closing off that particular attack vector to the feds:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information…

That doesn’t exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won’t trust statements like this. Furthermore, last week’s leaks revealed that the NSA actively recruits employees within companies to sabotage their security, so even if some companies have the best of intentions, they now need to be on the alert for government moles inside their own organizations. This is, frankly, insane. It’s the kind of thing that wasn’t supposed to happen in the US.

Indeed, both Microsoft and Yahoo have now spoken out about the revelations:

Microsoft said it had “significant concerns” about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared “substantial potential for abuse”.

All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we’ve said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they’ve been asked to do over the years.

Companies: google, microsoft, yahoo


Comments on “Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy”

44 Comments
Anonymous Coward says:

This is maybe 1 percent of what these companies should be doing. Just like with SOPA, where they actually offered quantifiable help, such as putting calls to action on their websites, and lobbying the government against it, this time I don’t really see much of that.

Where’s Google’s (and Microsoft’s, and Apple’s, and Yahoo’s, and Facebook’s, and others’) call to action to “Repeal the Surveillance State” and support Rush Holt’s bill?

http://holt.house.gov/index.php?option=com_content&task=view&id=1200&Itemid=18

This is what they need to be doing, because in the end, if total surveillance is completely approved by laws, and if trying to protect against it is *outlawed*, then trying to encrypt stuff obviously won’t do much good.

So we need to fight this politically, too, and it’s our best chance, and their corporations’ best chance, to fight it politically and support political actions such as repealing the Patriot Act and the FISA Amendments Act, *drastically* defunding (or eliminating) the NSA, and bills that say no agency should be able to spy on someone without a *regular* warrant from a *regular* judge (not this Star Chamber “Court” stuff).

Anonymous Coward says:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

Which will do no good if any of the following are true:

– the encryption algorithms have been deliberately weakened by the NSA

– the encryption software has been deliberately weakened by the NSA

– the network/server hardware used has been backdoored by the NSA

– the network/server software is accessible by NSA moles

– the network/server hardware is accessible by NSA moles

The problem is that there’s no way to know which, if any, of these are true. Certainly the NSA’s word is completely worthless: there’s no point whatsoever in asking them ANY question as everyone knows that they lie. And asking staff is equally worthless, since those working for the NSA lie.

It will take more — much more — than this token gesture on Google’s part to actually secure their operation from the NSA. In my opinion, doing so will require completely rebuilding it from scratch (and doing so using compartmentalized teams with massive peer review), at a cost that I’m not comfortable trying to estimate this early on a Monday. I doubt Google will pay that price. So while I’m inclined to wish them well, I think anything short of that level of effort is absolutely doomed to fail.

beech says:

anticipating blue

Well, since this is about Google and the NSA, I’m assuming it’s only a matter of time until blue shows up talking about psyops and the like. So, before he drops that and then never looks at the thread again….

Hey OotB. So, wtf is a psyop? You keep mentioning it but never give a clear, comprehensive explanation of what you’re alleging. All I ever hear about psyops is you coming in here and claiming every story proves your theory… So let’s get ahead of this: what evidence (if any) COULD POSSIBLY disprove your hypothesis? Because that’s the important part of hypotheses, testability.

Thanks for your time

Anonymous Coward says:

Re: anticipating blue

Please. It’s bad enough that we have to tolerate spamming psychopath ootb without someone provoking him. Until this site wakes up and blacklists this worthless asshole for life, please have some consideration for the rest of us and (a) never respond to him (b) immediately report all his comments so that, hopefully, his filth isn’t inflicted on the rest of the site’s users.

beech says:

Re: Re: anticipating blue

Blue has actually had some decent, relevant comments before. Reporting/arguing at him has done very little to curb his negative behavior; in fact, feeling like a martyr probably encourages him more. So why not try to encourage good behavior? Help make cogent points that can actually be discussed.

And as far as “provoking” goes, he has thus far declined to comment on this story at all…so apparently it wasn’t much of a provocation at all.

alternatives() says:

Re: anticipating blue

So, wtf is a psyop?

There is a new product called a “search engine” by an upstart called “google” and if you type in “define psyop” it will come back with the answer to your question.

Where this becomes NSA fun is with this definition:
PSYOPS or Psychological Operations: Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.

What is supposed to be the scope of the NSA efforts?

Anonymous Coward says:

This may be a daft thing to say, but wouldn’t the most important step to be taken first be the one that identifies those people who started all this off in the first place? I mean, maybe it was the head of the NSA, maybe it wasn’t. There has to be a certain number of extremely powerful, extremely wealthy people at the very top of the very highest tree that are actually giving orders of who should do what, to whom, how and for what reasons. No head of any agency or department can get all of the other heads of agencies or departments to simply do as he/she wants. Those deciding the steps to be taken are the elite few that basically decide the fate of everyone and everything, everywhere. They are the ones that need discovering and exposing. Everyone else are just pawns.

ChrisB (profile) says:

Re: Re:

“extremely powerful, extremely wealthy people at the very top”

What the hell are you talking about? You think that business has anything to do with this? Sorry, but this story doesn’t fit into your 1% nonsense. This is government corruption, pure and simple. And the solution is reducing the size of government.

Anonymous Coward says:

Re: At this point

I agree that we should keep the NSA’s hands off the implementation and development but the rest is crazy talk.

The “word on the street” is that the NSA can probably break 1024 bit RSA keys by brute force in a few days/hours. Stronger keys are unlikely to be broken in useful time by brute force alone, at least for now.

AES with 254 bit keys still looks safe too according to some cryptographers and mathematicians. The general feel is that symmetric key algorithms with strong keys seem “safe” overall, unless there is some implementation error.

Bear in mind that the NSA’s attacks resort either to cheating (like sabotaging the implementation, forcing companies to hand over their private keys or even putting backdoors into their systems) or brute force, not attacking the underlying cryptographic theory, which, according to experts, is still sound.

Anonymous Coward says:

Re: Re: Re: At this point

Your link is broken.

Nevertheless, in matters of security, you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. There is already enough fear, uncertainty and doubt clouding the issues..

Here’s something to get you started:

https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

Mr. Applegate says:

Re: Re: Re:2 At this point

“you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. “

Except the “conspiracy nuts” have been proven right how many times in the last few months? and how many times have “the people that know” been proven wrong?

Ooops! Might want to re-think that plan.

That One Guy (profile) says:

Too little, but will it be too late?

At this point, with the news that the security standards themselves have been compromised, and people in the companies are putting in backdoors for the NSA and others (because if the NSA thought of paying off some employees, you can bet many other groups have done the same), it’s becoming more and more likely that the only trustworthy security is going to be one that is open source, something that programmers, hackers and others can test and re-test to make sure it’s secure, and that isn’t tied to a particular company.

Given that, it’s hardly surprising that they are panicking, as between the leaks and the gag orders that prevent them from saying a word in their defense, any good-will or trust that the big companies had in regards to security or customer privacy is quickly fading away, and if they don’t do something major, soon, they are likely to see their customers move on to greener, more secure pastures.

quawonk says:

>>That doesn’t exactly sound like a willing partner in all of this.

No, it sounds like big tech companies trying to save face in the public eye. We’re not stupid enough to believe it, are we? Nothing less than public national exposure of all the requests and the people who made them, and linking to trusted encryption applications (if there are any left) on their homepages and telling people “click here to install”, will convince me they care about user privacy.

John Fenderson (profile) says:

Re: Re:

That’s an implementation detail. As soon as you start getting into implementation details, people’s eyes glaze over and you lose them.

However, you are pointing to a larger issue that I’ve seen nobody make about encryption yet: when there is talk about compromised encryption, what they’re not talking about is some magic wand that causes the encryption to be decryptable with the same ease as the legitimate keyholder.

What they are talking about is the inclusion of some deliberate weakness that makes cracking a particular message easier (or possible, when it wasn’t before). Since crypto is a very specialized and rarified branch of mathematics, it’s possible — and has happened time and again — to have a crypto algorithm weakened in such a way that it will go undetected without a major analysis effort on the part of crypto specialists.

This is a warning for those who believe that open source keeps them safe from these types of shenanigans. It doesn’t. You’ll never spot the weakness by examining the code.

Andrew F (profile) says:

Context

As far as I know, both Snowden and Bruce Schneier (who has access to the full set of Snowden materials) still believe the fundamental math behind encryption is sound and that NSA is merely “cheating”. https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

Also worth noting is that most, if not all, of the “breakthroughs” by the NSA can merely be described by exploitation of publicly known vulnerabilities in encryption. http://arstechnica.com/security/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/

art guerrilla (profile) says:

Re: Re: Context

yep, IF the spooks want you, you are -possibly EVEN IF a world-class hacker- toast…

they put some keystroke logger on you, IT IS ALL MOOT… you are owned…

THEY have become an evil FAR GREATER than a million terrorists; in fact, they are DEFINING all us li’l peeps AS TERRORISTS…

well, talk about self-fulfilling prophecies: THEY act like scumbag terrorists in treating us like terrorists, and GUESS WHAT we are BEING FORCED to become to reclaim OUR gummint ? ? ?

the bastards ! ! !

art guerrilla
aka ann archy
eof

Anonymous Coward says:

Fool me once...

Wolves in sheep’s clothing, sympathetically bleating.

They desperately want new shiny (compromised) encryption implementations to restore people’s naivety. Sadly, that will probably work.

The Holt bill is interesting. Snowball’s chance in hell of passing. Course it does seem like hell is freezing over lately. I’m holding out for the ultra-secure flying-pig-based com systems.

FM Hilton (profile) says:

Follow the money

Sure, the tech companies could be doing something more, better, stronger.

But then they’d lose a valuable customer!

How many millions of dollars does the NSA spend on getting this information? We don’t know, and they won’t tell us, but in the long run look at the bottom line, and all it says is “profit”.

Seems to be the guiding motive here.

Anonymous Coward says:

I’ll never trust Google, Apple, Microsoft, Facebook, Yahoo, and especially AT&T, Verizon, Sprint.

I will only trust Free and Open Source Software that I deploy and manage myself.

If I really get paranoid, I’ll run virtual machines or LiveCDs that are wiped from RAM after every reboot. With no persistent data saved to disk.

The hardest thing for me is figuring out how to get around the cell phone dilemma. Even with Cyanogen firmwares, the hardware drivers are closed source and not under user control. That means the microphone, GPS and cellular modem can betray you at any moment.

Most cellular modems have read/write access to RAM modules, or so I hear. All cellphones are insecure devices until open source hardware drivers are available.

So yeah, I hate my cellphone. If I want to be reachable to family, friends and co-workers, I have to carry one though. I hate the fact it keeps track of all the places I’ve been for decades. I hate that the most.

Guess I could try to find the GPS receiver and unsolder it from the PCB board. Who knows if the phone would work after that though.

Would be easier to do with schematics, but those will never be released to the public.

I really wish someone would create a Raspberry Pi smartphone!
