Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy
from the well-this-is-getting-interesting dept
It’s been pretty obvious that the big telcos, AT&T and Verizon, have been working closely with the feds on all of the various surveillance operations. The big question, however, has been how closely the big tech companies have been involved — with most of them issuing pretty strong denials, and some of the early reports of their involvement not standing up to much scrutiny. Late on Friday, reports came out that Google has actually been scrambling to encrypt the information that flows between its data centers to protect that particular attack vector from the feds:
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.
Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information…
That doesn’t exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won’t trust statements like this. Furthermore, the fact that last week’s leaks revealed that the NSA actively recruits employees within companies to sabotage their security, suddenly it seems like even if some companies have the best of intentions, they now need to be on the alert for moles from the government within their companies. This is, frankly, insane. It’s the kind of thing that wasn’t supposed to happen in the US.
Indeed, both Microsoft and Yahoo have now spoken out about the revelations:
Microsoft said it had “significant concerns” about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared “substantial potential for abuse”.
All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we’ve said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they’ve been asked to do over the years.
Filed Under: encryption, nsa, nsa surveillance, tech industry
Companies: google, microsoft, yahoo
Comments on “Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy”
Congratulations NSA! You’ve managed to make everyone distrust the national industry that matters the most in the coming years.
This is maybe 1 percent of what these companies should be doing. Just like with SOPA, where they actually offered quantifiable help, such as putting calls to action on their websites, and lobbying the government against it, this time I don’t really see much of that.
Where’s Google (and Microsoft, and Apple, and Yahoo, and Facebook, and others) call to action to “Repeal the Surveillance State” and support Rush Holt’s bill?
http://holt.house.gov/index.php?option=com_content&task=view&id=1200&Itemid=18
This is what they need to be doing, because in the end, if total surveillance is completely approved by laws, and if trying to protect against it is *outlawed*, then trying to encrypt stuff obviously won’t do much good.
So we need to fight this politically, too, and its our best chance, and their corporations’ best chance to fight it politically, and support political actions such as repealing the Patriot Act and the FISA Amendments Act, *drastically* defunding (or eliminating) the NSA, and bills that say no agency should be able to spy on someone without a *regular* warrant from a *regular* judge (not this Star Chamber “Court” stuff)
Re: Re:
It would seem like the tech giants are of two minds about the issue, as if they don’t really like it, but are also getting benefits from it. Seems consistent with the governments applying a two-pronged carrot+stick approach to gain their cooperation.
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
Which will do no good if any of the following are true:
– the encryption algorithms have been deliberately weakened by the NSA
– the encryption software has been deliberately weakened by the NSA
– the network/server hardware used has been backdoored by the NSA
– the network/server software is accessible by NSA moles
– the network/server hardware is accessible by NSA moles
The problem is that there’s no way to know which, if any, of these are true. Certainly the NSA’s word is completely worthless: there’s no point whatsoever in asking them ANY question as everyone knows that they lie. And asking staff is equally worthless, since those working for the NSA lie.
It will take more — much more — than this token gesture on Google’s part to actually secure their operation from the NSA. In my opinion, doing so will require completely rebuilding it from scratch (and doing so using compartmentalized teams with massive peer review), at a cost that I’m not comfortable trying to estimate this early on a Monday. I doubt Google will pay that price. So while I’m inclined to wish them well, I think anything short of that level of effort is absolutely doomed to fail.
Re: Re:
Exactly. This is like hearing that there’s a special master key for all e.g. Master Locks…and then running out to replace all the locks on your home with Master Locks.
Re: Re: Re:
Re: Re: Re:
That was a nice analogy
anticipating blue
Well, since this is about Google and the nsa., I’m assuming its only a matter of time until blue shows up talking about psyops and the like. So, before he drops that then never looks at the thread again….
,
Hey OotB. So, wtf is a psyop? You keep mentioning it but never give a clear comprehensive explanation of what you’re alleging. All I ever hear about psyops is you coming in here and claiming every story proves your theory… So let’s get ahead of this, what evidence (if any) COULD POSSIBLY disprove your hypothesis? Because that’s the important partof hypotheses, testability.
Thanks for your time
Re: anticipating blue
Please. It’s bad enough that we have to tolerate spamming psychopath ootb without someone provoking him. Until this site wakes up and blacklists this worthless asshole for life, please have some consideration for the rest of us and (a) never respond to him (b) immediately report all his comments so that, hopefully, his filth isn’t inflicted on the rest of the site’s users.
Re: Re: anticipating blue
Blue has actually had some decent, relavent comments before. Reporting/arguing at him has done very little to curb his negative behavior, in fact feeling like a martyr probably encourages him more. so why not try to encourage good behavior? Help make cogent points that can actually be discussed.
And as far as “provoking” goes, he has thus far declined to comment on this story at all…so apparently it wasn’t much of a provocation at all.
Re: anticipating blue
So, wtf is a psyop?
There is a new product called a “search engine” by an upstart called “google” and if you type in “define psyop” it will come back with the answer to your question.
Where this becomes NSA fun is with this definition:
PSYOPS or Psychological Operations: Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.
What is supposed to be the scope of the NSA efforts?
Re: Re: anticipating blue
That doesn’t answer the question which is what does blue mean by ‘psyop.’
Re: Re: Re: anticipating blue
This particular psyop:
Reporter: Sources say the NSA sees everything.
NSA: No we don’t, I mean, yes we do see everything, so don’t try anything.
Everyone Else: Shaking in the boots, as we tremble in the fearz. (Reality: NOT)
this maybe a daft thing to say but wouldn’t the most important step to be taken first, be the one that identifies those people who started all this off in the first place? i mean, maybe it was the head of the NSA, maybe it wasn’t. there has to be a certain number of extremely powerful, extremely wealthy people at the very top of the very highest tree that are actually giving orders of who should do what, to whom, how and for what reasons. no head of any agency or department can get all of the other heads of agencies or departments to simply do as he/she wants. those deciding the steps to be taken are the elite few that basically decide the fate of everyone and everything, everywhere. they are the ones that need discovering and exposing. everyone else are just pawns
Re: Re:
Most of the people there are either dead or have memories like a sieve. So we go after who we can (which are the NSA heads and the DNI, as well as Rogers and Feinstein.)
Re: Re:
“extremely powerful, extremely wealthy people at the very top”
What the hell are you talking about? You think that business has anything to do with this? Sorry, but this story doesn’t fit into your 1% nonsense. This is government corruption, pure and simple. And the solution is reducing the size of government.
Re: Re: Re:
So you think the military/industrial complex is completely innocent? Who the hell do you think is corrupting those in positions of power? Do you really think they came pre-corrupted?
Tech companies caught with their pants down now looking to shift blame to government.
Government caught with their pants down now looking to shift blame to everyone else.
Who is telling the truth?
Re: Re:
Neither is, but I still trust Google over the government.
At least Google can’t throw me in prison for jaywalking.
Re: Re: Re:
Plus, at least we can avoid Google.
Re: Re: Re:
But they can willingly hand over the data that indicates or shows you jaywalking without telling you. I’m not sure exactly how that’s better.
Re: Re:
You do understand that the NSA is a government organization, right? What do you mean, “tech companies got caught”? Got caught obeying the insane US laws? They are probably relieved that this came to light so they aren’t (by penalty of law) forced to lie to everyone.
At this point
It’s fair to say just about everything has beenc ompromised. A new encryption is needed and the paramount aspect of it would be to keep the NSA’s hand s off of it from the get go of it’s creation.
Throw out the old book and institute a new one.
Re: At this point
Time to go old school mehinks.
Stenography, microdots, book codes etc.
Re: At this point
I agree that we should keep the NSA’s hands off the implementation and development but the rest is crazy talk.
The “word on the street” is that the NSA can probably break 1024 bit RSA keys by brute force in a few days/hours. Stronger keys are unlikely to be broken in useful time by brute force alone, at least for now.
AES with 254 bit keys still looks safe too according to some cryptographers and mathematicians. The general feel is that symmetric key algorithms with strong keys seem “safe” overall, unless there is some implementation error.
Bear in mind that the NSA’s attacks resort either to cheating (like sabotaging the implementation, forcing companies to hand over their private keys or even putting backdoors into their systems) or brute force, not attacking the underlying cryptographic theory, which, according to experts, is still sound.
Re: Re: At this point
As soon as Big Brother stopped calling RSA encryption “munitions” was when in my opinion they had reasonably cracked the encryption.
The NSA fought tooth and nail against the export of the encryption method then suddenly without warning the fighting stopped… Just sayin.
Re: Re: Re: At this point
Your link is broken.
Nevertheless, in matters of security, you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. There is already enough fear, uncertainty and doubt clouding the issues..
Here’s something to get you started:
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
Re: Re: Re:2 At this point
Except the “conspiracy nuts” have been proven right how many times in the last few months? and how many times have “the people that know” been proven wrong?
Ooops! Might want to re-think that plan.
Re: Re: Re:3 At this point
You know you’re government has gone overboard when people start listening to the conspiracy nuts more then the experts.
Too little, but will it be too late?
At this point, with the news that the security standards themselves have been compromised, and people in the companies are putting in backdoors for the NSA and others(because if the NSA thought of paying off some employees, you can bet many other groups have done the same), it’s becoming more and more likely that the only trustworthy security is going to be one that is open source, something that programers, hackers and others can test and re-test to make sure it’s secure, and that isn’t tied to a particular company.
Given that, it’s hardly surprising that they are panicking, as between the leaks and the gag orders that prevent them from saying a word in their defense, any good-will or trust that the big companies had in regards to security or customer privacy is quickly fading away, and if they don’t do something major, soon, they are likely to see their customers move on to greener, more secure pastures.
>>That doesn’t exactly sound like a willing partner in all of this.
No, it sounds like big tech companies trying to save face in the public eye. We not stupid enough to believe it are we? Anything less than public national exposure of all the requests and the people who made them, and linking to trusted encryption applications (if there are any left) on their homepages and telling people click here to install, will convince me they care about user privacy.
Re: Re:
We’d have to do our part first and leash the NSA though. Presently they’re more afraid of the government than they are of their consumers and with good reason.
Not really shouting from the roof tops but it's a start...
The telco’s are silent because they’re making a buck off the backs of American tax payers by partnering with the NSA.
Other companies I give the benefit of the doubt since their CD player may be stuck on the John Mellencamp track I fight authority, Authority always wins.
Where is the talk about the corruption of Pseudo random number generators?
Re: Re:
d0N7 j00 W0RrY i’M 5Ur3 73h N54 I2 n07 3xPl0i7iN’ pHL4W3D r4Nd0M Numb3R 93n3R470R2.
Re: Re:
That’s an implementation detail. As soon as you start getting into implementation details, people’s eyes glaze over and you lose them.
However, you are pointing to a larger issue that I’ve seen nobody make about encryption yet: when there is talk about compromised encryption, what they’re not talking about is some magic wand that causes the encryption to be decryptable with the same ease as the legitimate keyholder.
What they are talking about is the inclusion of some deliberate weakness that makes cracking a particular message easier (or possible, when it wasn’t before). Since crypto is a very specialized and rarified branch of mathematics, it’s possible — and has happened time and again — to have a crypto algorithm weakened in such a way that it will go undetected without a major analysis effort on the part of crypto specialists.
This is a warning for those who believe that open source keeps them safe from these types of shenanigans. It doesn’t. You’ll never spot the weakness by examining the code.
Context
As far as I know, both Snowden and Bruce Schneier (who has access to the full set of Snowden materials) still believe the fundamental math behind encryption is sound and that NSA is merely “cheating”. https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
Also worth noting is that most, if not all, of the “breakthroughs” by the NSA can merely be described by exploitation of publicly known vulnerabilities in encryption. http://arstechnica.com/security/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/
Re: Context
If you have a hardware or software back door you do not need to break the encryption; you have direct access.
Re: Re: Context
yep, IF the spooks want you, you are -possibly EVEN IF a world-class hacker- toast…
they put some keystroke logger on you, IT IS ALL MOOT… you are owned…
THEY have become an evil FAR GREATER than a million terrorists; in fact, they are DEFINING all us li’l peeps AS TERRORISTS…
well, talk about self-fulfilling prophecies: THEY act like scumbag terrorists in treating us like terrorists, and GUESS WHAT we are BEING FORCED to become to reclaim OUR gummint ? ? ?
the bastards ! ! !
art guerrilla
aka ann archy
eof
Moles
These tech companies need to root out the moles in their organizations. Maybe a program they could call, “see something, say something”.
Re: Moles
How about GOVINT
Fool me once...
Wolves in sheeps’ clothing, sympathetically bleating.
They desperately want new shiny (compromised) encryption implementations to restore peoples naivety. Sadly that will probably work.
The Holt bill is interesting. Snowballs chance in hell of passing. Course it does seam like hell is freezing over lately. I’m holding out for the ultra secure flying pig based com systems.
Follow the money
Sure, the tech companies could be doing something more, better, stronger.
But then they’d lose a valuable customer!
How many millions of dollars does the NSA spend on getting this information? We don’t know, and they won’t tell us, but in the long run look at the bottom line, and all it says is “profit”.
Seems to be the guiding motive here.
I’ll never trust Google, Apple, Microsoft, Facebook, Yahoo, and especially AT&T, Verison, Sprint.
I will only trust Free and Open Source Software that I deploy and manage myself.
If I really get paranoid, I’ll run virtual machines or LiveCDs that are wiped from RAM after every reboot. With no persistent data saved to disk.
The hardest thing for me is figuring out how to get around the cell phone dilemma. Even with Cyanogen firmwares, the hardware drivers are closed source and not under user control. That means the microphone, GPS and cellular modem can betray you at any moment.
Most cellular modems have read/write access to RAM modules, or so I hear. All cellphones are insecure devices until open source hardware drivers are available.
So yeah, I hate my cellphone. If I want to be reachable to family, friends and co-workers, I have to carry one though. I hate the fact it keeps track of all the places I’ve been for decades. I hate that the most.
Guess I could try to find the GPS receiver and unsolder it from the PCB board. Who knows if the phone would work after that though.
Would be easier to do with schematics, but those will never be released to the public.
I really wish someone would create a Raspberry Pi smartphone!