Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages
from the time-for-a-medal? dept
One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA’s global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:
Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations — GIMF, Al-Fajr Technical Committee, and ISIS — within a three to five-month time frame of the leaks.
And yet security expert Bruce Schneier not only doesn’t think that’s a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:
I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.
That’s a great point. For obvious reasons, terrorists won’t be able to draw on the knowledge and skills of the global crypto community when they create a new “home-brew” encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It’s a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: bruce schneier, ed snowden, encryption, nsa, surveillance
Comments on “Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages”
three (3) different organizations — GIMF, Al-Fajr Technical Committee, and ISIS
I’m pretty sure Archer will totally f*** up the one from ISIS.
Re: Re:
C: ENTER PASSWORD
GUEST
No way! It can’t be!
Re: Re:
And that’s how terrorists get ants.
english
adding “est” to the end of a word doesn’t make it so. I can’t get past this first sentence. Please fix it.
Re: english
Glad to know I am not the only one. I will openly admit I’m terrible when it comes to using proper English, but people just adding “est” to words is like nails on a chalk board. Ranks right up there with adding “er” to words. (Funer is not a word!)
Re: Re: english
“Common” is an adjective.
“Fun” is a noun. It is also used as an attributive noun, which is similar to an adjective e.g. chocolate cake – chocolate and cake are both nouns, but chocolate is describing the type of cake works as an adjective.
And yes, if you consider “fun” to be an adjective (which many people do), then “funner” and “funnest” are viable. Ask Steve Jobs.
Re: english
You are the naziest grammer critic ever.
Re: Re: english
And you are the kelseyest.
Re: Re: english
The correct spelling is grammar.
/nazi
Re: english
“Commonest” is listed in my Oxford dictionary as an adjective form of “common” (along with the more awkward “commoner”). The use here is correct.
Re: Re: english
“Commonest” is listed in my Oxford dictionary as an adjective form of “common” (along with the awkwardest “commoner”). The use here is correct.
-fixed
Re: Re: english
Sorry, but there’s no entry for, or mention of “commonest” in the OED. “common” is an adjective. Searching for “commonest” takes you to the entry for “common” because they think that’s what you’re looking for.
“most common” or “most commonly” would be appropriate.
Re: Re: Re: english
It’s right here: http://www.oxforddictionaries.com/us/definition/american_english/common
Check out the “Adjective” section.
Re: english
Saying that someone is using grammar incorrectly doesn’t make it so.
Re: english
Commonest might be ugly, but it isn’t incorrect.
I kinda disagree with Bruce Schneier here. While the leaks probably did little to help terrorists (and the terrorist threat is way overhyped anyways) I also doubt it did much to hurt them. If the terrorists are stupid enough to try to create their own encryption algorithms after the leak I doubt they were smart enough to avoid being hacked before the leaks. It’s not like the leaks made them any stupider.
Re: Re:
While the algorithm is a major part of any crypto system, the implementation of the algorith into the rest of the system is significant and often overlooked. And it’s really easy to screw up either one and leave yourself a very insecure system.
While we don’t know for sure if any of the algos that are tainted by NSA involvement are genuinely at risk, the fear that they are could push groups into throwing out their whole systems and needing to replace them with something that may actually be less secure.
Re: Re: Re:
“the implementation of the algorith into the rest of the system is significant and often overlooked.”
but that can also be layered.
Re: Re:
I think Schneier’s point is expert cryptography is very difficult to execute even by the experts. If the terrorists were using expert level cryptography via readily available tools then the NSA has a very difficult time breaking the encryption. However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly. The result will be pretty secure and probably not easy for to crack but it is not as strong as it could and thus more easily breakable by the NSA.
I would not call the terrorist stupid, more likely technically ignorant. I know enough about cryptography to know one needs to use the best available tools and should not be trying to build your own unless you are one of the true cryptography experts. But, explain this to lay person.
Re: Re: Re:
Re: Re: Re:
and I can just as easily argue that a terrorist who’s into cryptography probably follows Bruce and read his comments and would take them into account to avoid not going with much stronger standards.
Look, if I wanted to hide something from the government and I believed there maybe breaches in some standard encryption algorithms that the government is responsible for and I wanted to make my own encryption algorithm worst case scenario I would implement my encryption algorithm on top of the standard encryption algorithm that I trust best. So say I trust AES the best but not 100 percent. Say I create my own encryption algorithm from scratch. Say I had a document to encrypt. I’ll first encrypt it with AES with one key and then I’ll encrypt it with my personal encryption algorithm with a different key. My encryption strength is at least as strong as AES and potentially stronger. It’s called layered security.
But what I would really do (and since it’s common sense I suspect the terrorists may think of the same thing) is forget the hassle of coming up with my own encryption cyphers that’s likely insecure. I would either couple together two iterations of AES with different keys or couple together different standard encryption algorithms (ie: AES and RC6) with different keys. That way my encryption strength is at least as strong as the weakest of the two. If AES is secretly hacked I maybe protected by RC6.
Re: Re: Re: Re:
Just having to go through that thought process is a huge burdon on a group.
If you sprinkle a couple of real situations of attack on an already paranoid mob, you get – well, you get machines that take naked scans of people, long lines backing up in airports, unrest amongst the people most impacted, etc. The NSA may have tripped into the same tacticts that have impacted many of our lives.
Re: Re: Re:
“However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly.”
Rolling your own encryption is a bit like being your own lawyer. Only fools do it. However, it’s not really because of lack of skills, it’s because making good encryption is extremely difficult, and crypto has to be checked out by a lot of people to get any sense of confidence in it. This takes manpower and time (years). Most crypto ends up being weak in one way or another. The established crypto is amongst the small percentage that hasn’t. Yet. Even current crypto is constantly being tested.
adding “est” to the end of a word
i might be wrong – r o n g? wrong – but i took it as a pun.
god bless e snowden.? he has our back.
... and since when Schneier become expert on terrorists?
Last time I checked, Bruce Schneier was expert on cryptography. Did he ever saw real-life terrorist?
Now, where did Mike get this patently stupid idea that “For obvious reasons, terrorists won’t be able to draw on the knowledge and skills of the global crypto community”?! What, “terrorists” suddenly lost an ability to read? Or, I know – terrorists are stupid! Yes, and uneducated!
Go back and read some real-world statistics: there’s disproportionate amount of well educated people among all kind of extremist groups, jihadists included.
Re: ... and since when Schneier become expert on terrorists?
While spelling and grammer issues would point to him having written this – Mike didn’t write the article.
terrorists won’t be able to draw on the knowledge and skills of the global crypto community
If the terrorists (who tend to land on the more paranoid side of the fence) believe much of the crypto community has been compromized by the NSA forcing, infiltrating, hacking them, they will turn to what is ultimately a smaller group of cryptographers and likely to be of a lower quality. There is a chance they will come across some world-class cryptography, but the pool they have to select from is smaller if they want to avoid those that are on the NSA’s radar and within their reach.
Re: Re: ... and since when Schneier become expert on terrorists?
Externally they may express more paranoid views to their followers. Internally they are probably not as stupid as they seem.
Re: Re: Re: ... and since when Schneier become expert on terrorists?
For a terrorist, not being paranoid is being stupid.
Re: Re: Re:2 ... and since when Schneier become expert on terrorists?
For a paranoid, not being a terrorist is irrelevant.
Re: ... and since when Schneier become expert on terrorists?
“Bruce Schneier was expert on cryptography.”
Indeed. So why are you rejecting his knowledge of how hard it can be for even well-connected and highly experienced people to get it right? What resources do you think terrorists have access to that he may not have considered?
“Did he ever saw real-life terrorist?”
Saw? I now have an image of Schneier wearing a white mask on a tricycle, firing crytpo questions at someone tied up with rusty chains… Thanks, I guess?
“What, “terrorists” suddenly lost an ability to read?”
No, but since the main problem is in implementing the crypto, not reading the documentation, why does this matter?
“Or, I know – terrorists are stupid! Yes, and uneducated!”
Nobody’s suggesting anything of the sort, if you bother to read the points actually being made.
Look, it’s quite simple. Not many people (and probably no one individual) have the level of expertise and experience require to do these things perfectly, let alone come up with solid algorithms in the first place. Since the entire reason for creating the new crypto is to avoid NSA tampering, they’re also likely to be relying on a relatively limited set of peers for things like testing and locating flaws in the algorithms and software.
They’re not stupid, they’re just likely to make some mistakes if they try to reimplement these things alone. If they do, then the resulting security they come up with is likely to be less secure than the other tools they would have depended on if the Snowden revelations didn’t deter them from using them. It’s not impossible for them to be creating cryto that’s world class and better than the existing standard tools, it’s just rather unlikely according to one of the experts in that field.
There’s always one way to avoid online tracking, go old school..
Ham radios, telegraph, etc…
How can you track tech that hasn’t been used in years?
Re: Re:
They could just write notes to each other on the US constitution.
um...
how dare you use a word like ‘commonest’?
Home-grown encryption is very likely to end up with something like applying rot-13.. twice.
Hmmm, I should run out and patent that before someone else does.
For those that got the obvious joke but missed the subtlety: doubling up on your encryption provides only the protection of the most secure round. And if you use the same key it might actually leak bits. A good example is ‘triple DES’, which is mostly equivalent to DES with different S-boxes.
A comment on devising your own encryption being equivalent to being your own lawyer: no, it’s not even close. There is no secret method or logic in law. The NSA’s internal approaches to cryptography are far more advanced than what is public. Presumably there are a handful of other places that have their own advances.
It took outside people well over a decade to figure out that the government’s tweak to IBM’s S-boxes made it more secure rather than less, and they still aren’t certain how they knew to change just those few bits instead of all of the boxes at once.
Re: Re:
Protip: if your joke requires an understanding of encryption algorithms, you have probably narrowed the target audience a bit too much.
There is no secret method or logic in law
Probably no logic, but certainly secret interpretations.
A word is a word because I say it is a word. The OED may very well have its uses, but when it “recognizes” a word, it is merely accepting that it has found it desirable to provide a definition for a word. One that has existed for some time before coming to the notice of the language martinets.
Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.
It is nice, in the original meaning of the word (ignorant from the Latin nescius,) to castigate others for their inventiveness. Otherwise nice would have never come to mean sexually loose, or the most common use today of “pleasant.”
One of the characteristics of a geek is a delight in playing with words. Grammar, spelling and typo nazis demonstrate their “fish out of water” status when the make their foolish complaints. Such comments might be included in the criteria for the “Spot the Fed” game.
Re: Re:
Under the English banner, linguistic cromulentization marches ever onwards!
unfortunately Mr Schneier, you forgot to add in the ‘except for the security agencies that are supposedly looking for terrorists so as to keep all us thick, ordinary sheep nice and safe!’ bit!
It would be very easy for terrorists to get the best crypto just kidnap 4 of of the best people get two of them to write it or they will be killed and get the other two to decrypt it or they will be be killed, If the last two decrpt it get them to write new code and kidnap two more people
Re: Re:
But it would be impossible for the terrorists to know if the crypto was written correctly.
Maybe Snowdon is an NSA plant?
Q: How to stop terrorists using open source crypto?
A: Get the NSA to deny they’ve put in back doors.