Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages

from the time-for-a-medal? dept

One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA’s global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:

Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations — GIMF, Al-Fajr Technical Committee, and ISIS — within a three to five-month time frame of the leaks.

And yet security expert Bruce Schneier not only doesn’t think that’s a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:

I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

That’s a great point. For obvious reasons, terrorists won’t be able to draw on the knowledge and skills of the global crypto community when they create a new “home-brew” encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It’s a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages”

Subscribe: RSS Leave a comment
41 Comments
Donglebert The Needlessly Unready says:

Re: Re: english

“Common” is an adjective.

“Fun” is a noun. It is also used as an attributive noun, which is similar to an adjective e.g. chocolate cake – chocolate and cake are both nouns, but chocolate is describing the type of cake works as an adjective.

And yes, if you consider “fun” to be an adjective (which many people do), then “funner” and “funnest” are viable. Ask Steve Jobs.

Anonymous Coward says:

I kinda disagree with Bruce Schneier here. While the leaks probably did little to help terrorists (and the terrorist threat is way overhyped anyways) I also doubt it did much to hurt them. If the terrorists are stupid enough to try to create their own encryption algorithms after the leak I doubt they were smart enough to avoid being hacked before the leaks. It’s not like the leaks made them any stupider.

Josh in CharlotteNC (profile) says:

Re: Re:

While the algorithm is a major part of any crypto system, the implementation of the algorith into the rest of the system is significant and often overlooked. And it’s really easy to screw up either one and leave yourself a very insecure system.

While we don’t know for sure if any of the algos that are tainted by NSA involvement are genuinely at risk, the fear that they are could push groups into throwing out their whole systems and needing to replace them with something that may actually be less secure.

madasahatter (profile) says:

Re: Re:

I think Schneier’s point is expert cryptography is very difficult to execute even by the experts. If the terrorists were using expert level cryptography via readily available tools then the NSA has a very difficult time breaking the encryption. However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly. The result will be pretty secure and probably not easy for to crack but it is not as strong as it could and thus more easily breakable by the NSA.

I would not call the terrorist stupid, more likely technically ignorant. I know enough about cryptography to know one needs to use the best available tools and should not be trying to build your own unless you are one of the true cryptography experts. But, explain this to lay person.

lfroen (profile) says:

Re: Re: Re:

> I would not call the terrorist stupid, more likely technically ignorant.
And I would call you ignorant. Your idea of “terrorists” comes from BS Hollywood movies, where “terrorist == batshit-crazy”. Back to reality, you will find, that there’s enough very well educated and technically competent people among those “terrorist organization”. Reason is very simple – one man terrorist is another men freedom fighter.

Anonymous Coward says:

Re: Re: Re:

and I can just as easily argue that a terrorist who’s into cryptography probably follows Bruce and read his comments and would take them into account to avoid not going with much stronger standards.

Look, if I wanted to hide something from the government and I believed there maybe breaches in some standard encryption algorithms that the government is responsible for and I wanted to make my own encryption algorithm worst case scenario I would implement my encryption algorithm on top of the standard encryption algorithm that I trust best. So say I trust AES the best but not 100 percent. Say I create my own encryption algorithm from scratch. Say I had a document to encrypt. I’ll first encrypt it with AES with one key and then I’ll encrypt it with my personal encryption algorithm with a different key. My encryption strength is at least as strong as AES and potentially stronger. It’s called layered security.

But what I would really do (and since it’s common sense I suspect the terrorists may think of the same thing) is forget the hassle of coming up with my own encryption cyphers that’s likely insecure. I would either couple together two iterations of AES with different keys or couple together different standard encryption algorithms (ie: AES and RC6) with different keys. That way my encryption strength is at least as strong as the weakest of the two. If AES is secretly hacked I maybe protected by RC6.

Michael (profile) says:

Re: Re: Re: Re:

Just having to go through that thought process is a huge burdon on a group.

If you sprinkle a couple of real situations of attack on an already paranoid mob, you get – well, you get machines that take naked scans of people, long lines backing up in airports, unrest amongst the people most impacted, etc. The NSA may have tripped into the same tacticts that have impacted many of our lives.

John Fenderson (profile) says:

Re: Re: Re:

“However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly.”

Rolling your own encryption is a bit like being your own lawyer. Only fools do it. However, it’s not really because of lack of skills, it’s because making good encryption is extremely difficult, and crypto has to be checked out by a lot of people to get any sense of confidence in it. This takes manpower and time (years). Most crypto ends up being weak in one way or another. The established crypto is amongst the small percentage that hasn’t. Yet. Even current crypto is constantly being tested.

lfroen (profile) says:

... and since when Schneier become expert on terrorists?

Last time I checked, Bruce Schneier was expert on cryptography. Did he ever saw real-life terrorist?

Now, where did Mike get this patently stupid idea that “For obvious reasons, terrorists won’t be able to draw on the knowledge and skills of the global crypto community”?! What, “terrorists” suddenly lost an ability to read? Or, I know – terrorists are stupid! Yes, and uneducated!

Go back and read some real-world statistics: there’s disproportionate amount of well educated people among all kind of extremist groups, jihadists included.

Michael (profile) says:

Re: ... and since when Schneier become expert on terrorists?

While spelling and grammer issues would point to him having written this – Mike didn’t write the article.

terrorists won’t be able to draw on the knowledge and skills of the global crypto community

If the terrorists (who tend to land on the more paranoid side of the fence) believe much of the crypto community has been compromized by the NSA forcing, infiltrating, hacking them, they will turn to what is ultimately a smaller group of cryptographers and likely to be of a lower quality. There is a chance they will come across some world-class cryptography, but the pool they have to select from is smaller if they want to avoid those that are on the NSA’s radar and within their reach.

PaulT (profile) says:

Re: ... and since when Schneier become expert on terrorists?

“Bruce Schneier was expert on cryptography.”

Indeed. So why are you rejecting his knowledge of how hard it can be for even well-connected and highly experienced people to get it right? What resources do you think terrorists have access to that he may not have considered?

“Did he ever saw real-life terrorist?”

Saw? I now have an image of Schneier wearing a white mask on a tricycle, firing crytpo questions at someone tied up with rusty chains… Thanks, I guess?

“What, “terrorists” suddenly lost an ability to read?”

No, but since the main problem is in implementing the crypto, not reading the documentation, why does this matter?

“Or, I know – terrorists are stupid! Yes, and uneducated!”

Nobody’s suggesting anything of the sort, if you bother to read the points actually being made.

Look, it’s quite simple. Not many people (and probably no one individual) have the level of expertise and experience require to do these things perfectly, let alone come up with solid algorithms in the first place. Since the entire reason for creating the new crypto is to avoid NSA tampering, they’re also likely to be relying on a relatively limited set of peers for things like testing and locating flaws in the algorithms and software.

They’re not stupid, they’re just likely to make some mistakes if they try to reimplement these things alone. If they do, then the resulting security they come up with is likely to be less secure than the other tools they would have depended on if the Snowden revelations didn’t deter them from using them. It’s not impossible for them to be creating cryto that’s world class and better than the existing standard tools, it’s just rather unlikely according to one of the experts in that field.

DB (profile) says:

Home-grown encryption is very likely to end up with something like applying rot-13.. twice.

Hmmm, I should run out and patent that before someone else does.

For those that got the obvious joke but missed the subtlety: doubling up on your encryption provides only the protection of the most secure round. And if you use the same key it might actually leak bits. A good example is ‘triple DES’, which is mostly equivalent to DES with different S-boxes.

A comment on devising your own encryption being equivalent to being your own lawyer: no, it’s not even close. There is no secret method or logic in law. The NSA’s internal approaches to cryptography are far more advanced than what is public. Presumably there are a handful of other places that have their own advances.

It took outside people well over a decade to figure out that the government’s tweak to IBM’s S-boxes made it more secure rather than less, and they still aren’t certain how they knew to change just those few bits instead of all of the boxes at once.

Groaker (profile) says:

A word is a word because I say it is a word. The OED may very well have its uses, but when it “recognizes” a word, it is merely accepting that it has found it desirable to provide a definition for a word. One that has existed for some time before coming to the notice of the language martinets.

Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.

It is nice, in the original meaning of the word (ignorant from the Latin nescius,) to castigate others for their inventiveness. Otherwise nice would have never come to mean sexually loose, or the most common use today of “pleasant.”

One of the characteristics of a geek is a delight in playing with words. Grammar, spelling and typo nazis demonstrate their “fish out of water” status when the make their foolish complaints. Such comments might be included in the criteria for the “Spot the Fed” game.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »