Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages

from the time-for-a-medal? dept

One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA's global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:

Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS -- within a three to five-month time frame of the leaks.

And yet security expert Bruce Schneier not only doesn't think that's a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:

I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this is an example of that.

That's a great point. For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community when they create a new "home-brew" encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It's a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

  1.  
    Michael, May 27th, 2014 @ 5:51am

    three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS

    I'm pretty sure Archer will totally f*** up the one from ISIS.

     

  2.  
    mikez, May 27th, 2014 @ 5:54am

    english

    adding "est" to the end of a word doesn't make it so. I can't get past this first sentence. Please fix it.

     

  3.  
    Anonymous Coward, May 27th, 2014 @ 5:59am

    I kinda disagree with Bruce Schneier here. While the leaks probably did little to help terrorists (and the terrorist threat is way overhyped anyways) I also doubt it did much to hurt them. If the terrorists are stupid enough to try to create their own encryption algorithms after the leak I doubt they were smart enough to avoid being hacked before the leaks. It's not like the leaks made them any stupider.

     

  4.  
    Anonymous Coward, May 27th, 2014 @ 6:00am

    Re:

    C:\ ENTER PASSWORD
    GUEST

    No way! It can't be!

     

  5.  
    S. T. Stone, May 27th, 2014 @ 6:02am

    Re:

    And that's how terrorists get ants.

     

  6.  
    Josh in CharlotteNC, May 27th, 2014 @ 6:23am

    Re:

    While the algorithm is a major part of any crypto system, the implementation of the algorithm into the rest of the system is significant and often overlooked. And it's really easy to screw up either one and leave yourself a very insecure system.

    While we don't know for sure if any of the algos that are tainted by NSA involvement are genuinely at risk, the fear that they are could push groups into throwing out their whole systems and needing to replace them with something that may actually be less secure.

     

  7.  
    Anonymous Coward, May 27th, 2014 @ 6:25am

    adding "est" to the end of a word

    i might be wrong - r o n g  wrong - but i took it as a pun.

    god bless e snowden.  he has our back.

     

  8.  
    madasahatter, May 27th, 2014 @ 6:29am

    Re:

    I think Schneier's point is expert cryptography is very difficult to execute even by the experts. If the terrorists were using expert level cryptography via readily available tools then the NSA has a very difficult time breaking the encryption. However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly. The result will be pretty secure and probably not easy to crack but it is not as strong as it could be and thus more easily breakable by the NSA.

    I would not call the terrorist stupid, more likely technically ignorant. I know enough about cryptography to know one needs to use the best available tools and should not be trying to build your own unless you are one of the true cryptography experts. But, explain this to a lay person.

     

  9.  
    lfroen, May 27th, 2014 @ 6:36am

    Re: Re:

    >> I would not call the terrorist stupid, more likely technically ignorant.
    And I would call _you_ ignorant. Your idea of "terrorists" comes from BS Hollywood movies, where "terrorist == batshit-crazy". Back to reality, you will find that there are enough very well educated and technically competent people among those "terrorist organizations". The reason is very simple - one man's terrorist is another man's freedom fighter.

     

  10.  
    lfroen, May 27th, 2014 @ 6:41am

    ... and since when Schneier become expert on terrorists?

    Last time I checked, Bruce Schneier was expert on cryptography. Did he ever saw real-life terrorist?

    Now, where did Mike get this patently stupid idea that "For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community"?! What, "terrorists" suddenly lost an ability to read? Or, I know - terrorists are stupid! Yes, and uneducated!

    Go back and read some real-world statistics: there's a disproportionate amount of well educated people among all kinds of extremist groups, jihadists included.

     

  11.  
    Anonymous Coward, May 27th, 2014 @ 6:51am

    Re: english

    Glad to know I am not the only one. I will openly admit I'm terrible when it comes to using proper English, but people just adding "est" to words is like nails on a chalk board. Ranks right up there with adding "er" to words. (Funer is not a word!)

     

  12.  
    Michael, May 27th, 2014 @ 6:53am

    Re: english

    You are the naziest grammer critic ever.

     

  13.  
    Anonymous Coward, May 27th, 2014 @ 6:54am

    Re: Re:

    and I can just as easily argue that a terrorist who's into cryptography probably follows Bruce and read his comments and would take them into account to avoid not going with much stronger standards.

    Look, if I wanted to hide something from the government and I believed there may be breaches in some standard encryption algorithms that the government is responsible for and I wanted to make my own encryption algorithm, worst case scenario I would implement my encryption algorithm on top of the standard encryption algorithm that I trust best. So say I trust AES the best but not 100 percent. Say I create my own encryption algorithm from scratch. Say I had a document to encrypt. I'll first encrypt it with AES with one key and then I'll encrypt it with my personal encryption algorithm with a different key. My encryption strength is at least as strong as AES and potentially stronger. It's called layered security.

    But what I would really do (and since it's common sense I suspect the terrorists may think of the same thing) is forget the hassle of coming up with my own encryption cyphers that are likely insecure. I would either couple together two iterations of AES with different keys or couple together different standard encryption algorithms (i.e. AES and RC6) with different keys. That way my encryption strength is at least as strong as the weakest of the two. If AES is secretly hacked I may be protected by RC6.

     

  14.  
    Anonymous Coward, May 27th, 2014 @ 6:57am

    Re: english

    "Commonest" is listed in my Oxford dictionary as an adjective form of "common" (along with the more awkward "commoner"). The use here is correct.

     

  15.  
    Michael, May 27th, 2014 @ 6:59am

    Re: ... and since when Schneier become expert on terrorists?

    While spelling and grammer issues would point to him having written this - Mike didn't write the article.

    terrorists won't be able to draw on the knowledge and skills of the global crypto community

    If the terrorists (who tend to land on the more paranoid side of the fence) believe much of the crypto community has been compromised by the NSA forcing, infiltrating, hacking them, they will turn to what is ultimately a smaller group of cryptographers and likely to be of a lower quality. There is a chance they will come across some world-class cryptography, but the pool they have to select from is smaller if they want to avoid those that are on the NSA's radar and within their reach.

     

  16.  
    John Fenderson, May 27th, 2014 @ 7:05am

    Re: Re:

    "However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly."

    Rolling your own encryption is a bit like being your own lawyer. Only fools do it. However, it's not really because of lack of skills, it's because making good encryption is extremely difficult, and crypto has to be checked out by a lot of people to get any sense of confidence in it. This takes manpower and time (years). Most crypto ends up being weak in one way or another. The established crypto is amongst the small percentage that hasn't. Yet. Even current crypto is constantly being tested.

     

  17.  
    Michael, May 27th, 2014 @ 7:10am

    Re: Re: english

    "Commonest" is listed in my Oxford dictionary as an adjective form of "common" (along with the awkwardest "commoner"). The use here is correct.

    -fixed

     

  18.  
    azuravian, May 27th, 2014 @ 7:11am

    Re: english

    Saying that someone is using grammar incorrectly doesn't make it so.

     

  19.  
    avideogameplayer, May 27th, 2014 @ 7:37am

    There's always one way to avoid online tracking, go old school..

    Ham radios, telegraph, etc...

    How can you track tech that hasn't been used in years?

     

  20.  
    Michael, May 27th, 2014 @ 7:37am

    Re: Re: Re:

    Just having to go through that thought process is a huge burden on a group.

    If you sprinkle a couple of real situations of attack on an already paranoid mob, you get - well, you get machines that take naked scans of people, long lines backing up in airports, unrest amongst the people most impacted, etc. The NSA may have tripped into the same tactics that have impacted many of our lives.

     

  21.  
    PaulT, May 27th, 2014 @ 7:41am

    Re: ... and since when Schneier become expert on terrorists?

    "Bruce Schneier was expert on cryptography."

    Indeed. So why are you rejecting his knowledge of how hard it can be for even well-connected and highly experienced people to get it right? What resources do you think terrorists have access to that he may not have considered?

    "Did he ever saw real-life terrorist?"

    Saw? I now have an image of Schneier wearing a white mask on a tricycle, firing crypto questions at someone tied up with rusty chains... Thanks, I guess?

    "What, "terrorists" suddenly lost an ability to read?"

    No, but since the main problem is in implementing the crypto, not reading the documentation, why does this matter?

    "Or, I know - terrorists are stupid! Yes, and uneducated!"

    Nobody's suggesting anything of the sort, if you bother to read the points actually being made.

    Look, it's quite simple. Not many people (and probably no one individual) have the level of expertise and experience required to do these things perfectly, let alone come up with solid algorithms in the first place. Since the entire reason for creating the new crypto is to avoid NSA tampering, they're also likely to be relying on a relatively limited set of peers for things like testing and locating flaws in the algorithms and software.

    They're not stupid, they're just likely to make some mistakes if they try to reimplement these things alone. If they do, then the resulting security they come up with is likely to be less secure than the other tools they would have depended on if the Snowden revelations didn't deter them from using them. It's not impossible for them to be creating crypto that's world class and better than the existing standard tools, it's just rather unlikely according to one of the experts in that field.

     

  22.  
    Anonymous Coward, May 27th, 2014 @ 7:51am

    Re: Re: english

    And you are the kelseyest.

     

  23.  
    Anonymous Coward, May 27th, 2014 @ 8:05am

    Re: Re: ... and since when Schneier become expert on terrorists?

    Externally they may express more paranoid views to their followers. Internally they are probably not as stupid as they seem.

     

  24.  
    muhr, May 27th, 2014 @ 8:15am

    um...

    how dare you use a word like 'commonest'?

     

  25.  
    Michael, May 27th, 2014 @ 8:33am

    Re:

    They could just write notes to each other on the US constitution.

     

  26.  
    Anonymous Coward, May 27th, 2014 @ 8:38am

    Re: Re: Re: ... and since when Schneier become expert on terrorists?

    For a terrorist, not being paranoid is being stupid.

     

  27.  
    Michael, May 27th, 2014 @ 8:41am

    Re: Re: Re: Re: ... and since when Schneier become expert on terrorists?

    For a paranoid, not being a terrorist is irrelevant.

     

  28.  
    Anonymous Coward, May 27th, 2014 @ 8:55am

    Re: Re:

    "the implementation of the algorithm into the rest of the system is significant and often overlooked."

    but that can also be layered.

     

  29.  
    DB, May 27th, 2014 @ 9:23am

    Home-grown encryption is very likely to end up with something like applying rot-13.. twice.

    Hmmm, I should run out and patent that before someone else does.

    For those that got the obvious joke but missed the subtlety: doubling up on your encryption provides only the protection of the most secure round. And if you use the same key it might actually leak bits. A good example is 'triple DES', which is mostly equivalent to DES with different S-boxes.

    A comment on devising your own encryption being equivalent to being your own lawyer: no, it's not even close. There is no secret method or logic in law. The NSA's internal approaches to cryptography are far more advanced than what is public. Presumably there are a handful of other places that have their own advances.

    It took outside people well over a decade to figure out that the government's tweak to IBM's S-boxes made it more secure rather than less, and they still aren't certain how they knew to change just those few bits instead of all of the boxes at once.

     

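The layering argument in comments 13 and 29, as an added example that is not part of the article or of any comment: it generalizes the ROT13-twice joke to the textbook affine cipher, used here as a stand-in for a home-brew design, and shows that a cascade of two independently keyed ciphers from that family is always a single cipher of the same family. The keys and the sample message are constructed for the illustration.

```python
# Added illustration (not from the article or any commenter): layering two
# ciphers from the same closed family collapses to one cipher of that family.
# The affine cipher stands in for a "home-brew" design; all keys and the
# message below are constructed for this example.
import math
import string

ALPHABET = string.ascii_lowercase
M = len(ALPHABET)  # 26 symbols

# An affine key (a, b) maps x -> a*x + b mod 26; a must be invertible mod 26.
VALID_A = [a for a in range(1, M) if math.gcd(a, M) == 1]


def affine_encrypt(text, key):
    a, b = key
    return "".join(
        ALPHABET[(a * ALPHABET.index(ch) + b) % M] if ch in ALPHABET else ch
        for ch in text
    )


def affine_decrypt(text, key):
    a, b = key
    a_inv = pow(a, -1, M)  # modular inverse (Python 3.8+)
    return "".join(
        ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M] if ch in ALPHABET else ch
        for ch in text
    )


def cascade_encrypt(text, k1, k2):
    """Encrypt with k1, then encrypt the result with an independent key k2."""
    return affine_encrypt(affine_encrypt(text, k1), k2)


def compose_keys(k1, k2):
    """Single affine key equivalent to encrypting with k1 and then k2.

    a2*(a1*x + b1) + b2 = (a2*a1)*x + (a2*b1 + b2)  (mod 26)
    """
    (a1, b1), (a2, b2) = k1, k2
    return ((a2 * a1) % M, (a2 * b1 + b2) % M)


def single_key_space():
    """Number of distinct affine keys; the cascade can never exceed this."""
    return len(VALID_A) * M


def distinct_cascade_mappings():
    """Count distinct alphabet permutations reachable by any two-layer cascade."""
    keys = [(a, b) for a in VALID_A for b in range(M)]
    return len({cascade_encrypt(ALPHABET, k1, k2) for k1 in keys for k2 in keys})


if __name__ == "__main__":
    msg = "layered security"          # constructed sample message
    k1, k2 = (5, 8), (11, 3)          # constructed, independent keys
    ct = cascade_encrypt(msg, k1, k2)
    print(ct, "==", affine_encrypt(msg, compose_keys(k1, k2)))
    print("rot13 twice:", cascade_encrypt(msg, (1, 13), (1, 13)))
    print(single_key_space(), distinct_cascade_mappings())
```

The collapse shown here depends on the affine family being closed under composition; the example makes no claim about ciphers that lack that property.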

  30.  
    Anonymous Coward, May 27th, 2014 @ 9:29am

    Re: Re: english

    The correct spelling is grammar.

    /nazi

     

  31.  
    Michael, May 27th, 2014 @ 9:31am

    Re:

    Protip: if your joke requires an understanding of encryption algorithms, you have probably narrowed the target audience a bit too much.

    There is no secret method or logic in law

    Probably no logic, but certainly secret interpretations.

     

  32.  
    mikez, May 27th, 2014 @ 10:46am

    Re: Re: english

    Sorry, but there's no entry for, or mention of "commonest" in the OED. "common" is an adjective. Searching for "commonest" takes you to the entry for "common" because they think that's what you're looking for.

    "most common" or "most commonly" would be appropriate.

     

  33.  
    John Fenderson, May 27th, 2014 @ 10:53am

    Re: Re: Re: english

    It's right here: http://www.oxforddictionaries.com/us/definition/american_english/common

    Check out the "Adjective" section.

     

  34.  
    Groaker, May 27th, 2014 @ 1:21pm

    A word is a word because I say it is a word. The OED may very well have its uses, but when it "recognizes" a word, it is merely accepting that it has found it desirable to provide a definition for a word. One that has existed for some time before coming to the notice of the language martinets.

    Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.

    It is nice, in the original meaning of the word (ignorant from the Latin nescius,) to castigate others for their inventiveness. Otherwise nice would have never come to mean sexually loose, or the most common use today of "pleasant."

    One of the characteristics of a geek is a delight in playing with words. Grammar, spelling and typo nazis demonstrate their "fish out of water" status when they make their foolish complaints. Such comments might be included in the criteria for the "Spot the Fed" game.

     

  35.  
    Anonymous Coward, May 27th, 2014 @ 1:26pm

    unfortunately Mr Schneier, you forgot to add in the 'except for the security agencies that are supposedly looking for terrorists so as to keep all us thick, ordinary sheep nice and safe!' bit!

     

  36.  
    Anonymous Coward, May 27th, 2014 @ 2:43pm

    Re:

    Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.

    Under the English banner, linguistic cromulentization marches ever onwards!

     

  37.  
    sml156, May 27th, 2014 @ 3:40pm

    It would be very easy for terrorists to get the best crypto just kidnap 4 of the best people get two of them to write it or they will be killed and get the other two to decrypt it or they will be killed. If the last two decrypt it get them to write new code and kidnap two more people

     

  38.  
    Donglebert The Needlessly Unready, May 28th, 2014 @ 3:06am

    Re: english

    Commonest might be ugly, but it isn't incorrect.

     

  39.  
    Donglebert The Needlessly Unready, May 28th, 2014 @ 3:21am

    Re: Re: english

    "Common" is an adjective.

    "Fun" is a noun. It is also used as an attributive noun, which is similar to an adjective e.g. chocolate cake - chocolate and cake are both nouns, but chocolate is describing the type of cake works as an adjective.

    And yes, if you consider "fun" to be an adjective (which many people do), then "funner" and "funnest" are viable. Ask Steve Jobs.

     

  40.  
    Donglebert The Needlessly Unready, May 28th, 2014 @ 3:32am

    Maybe Snowden is an NSA plant?

    Q: How to stop terrorists using open source crypto?
    A: Get the NSA to deny they've put in back doors.

     

  41.  
    John Fenderson, May 28th, 2014 @ 8:15am

    Re:

    But it would be impossible for the terrorists to know if the crypto was written correctly.

     
