All commonly used crypto algorithms can be broken in a handful of years, worst case, by anyone who has a moderately sized budget.
I don't think you understand the math involved here. To put it very simply, Moore's law has held pretty steady at doubling compute power (give or take) at 18 months to 2 years. I'll give you the benefit of the doubt and say we can lower that to 1 year.
Q: What would a secure algorithm need to do to keep up with a doubling of computer power every year?
A: Add a single bit to the key length each year. Instead of a 256-bit key, you'd need a 257-bit key.
Today, assume a 256-bit key encrypted with algorithm X takes 1 year to brute force.
A 512-bit key encrypted with the same algorithm will take the same amount of time (1 year) to brute force *over 250 years from now* assuming yearly doubling of compute power.
For any serious modern crypto system, key lengths are much longer, and the algorithms are more robust.
Those "heat death of the universe" estimates are assuming naive brute-force encryption. In the real world, that is not how it's done.
And that's specifically why I qualified that statement with "so long as the algorithm is secure" - because modern techniques are to find a weakness in the algorithm or implementation of the system. If a flaw is discovered in the algorithm, all bets are off. If a flaw is discovered in the implementation, all bets are off (example: Android bitcoin wallet using stupid method to generate random numbers, story last week).
If you want a good example of the difference between attacking an algorithm, and attacking the implementation, head over to ArsTechnica and read up on their password cracking stories. All of that is attacking the implementation of how passwords are stored, and how people choose passwords. And yet, with the big password disclosures, there is still some fraction of the lists that remains uncracked - because those passwords cannot be predicted using the methods and would still take absurdly long lengths of time to crack trying every possibility.
Barring huge advances in quantum computers or large number factorization, they're fine from brute force decryption. So long as the algorithm is secure, we're talking heat death of the universe timescales with current and reasonably predictable CPU speed increases.
Of course, that still leaves the door open for rubber-hose decryption (otherwise known as 'Tell us the key or we'll keep beating you with this rubber hose.'). Which they're half a step away from using if they're willing to detain people only tangentially related to the case.
You mistake having smart people with the smart people being in charge (or being able to shape policy).
The NSA does have many incredibly intelligent people. Their crypto teams are some of the best in the world, both in terms of breaking crypto systems, and in coming up with crypto systems that are very difficult to break. They probably have many very smart analysts just like Snowden, who are genuinely trying to play by the rules as best they can.
But those people are the worker bees. They take their orders and direction from the bosses.
I'm still trying to get my head around this number.
Mathematically, even if you have thousands of analysts performing queries nonstop, this number is unlikely.
So, either there's tens or hundreds of thousands of analysts who have access to this data, or most of those queries are automated.
If that many people have access to it, then the low number of abuses is completely absurd and doesn't pass the laugh test. If those queries are automated, then they are so inefficient, repetitive, and bloated that the output has got to be utterly useless and full of false positives and probably letting all those important needles slip through.
I suppose it's also possible that the NSA has also redefined "query" to mean something that it doesn't in the normal use of the word among people who work with databases. I don't claim to be a DBA, but I did get stuck with maintaining a database with 150k records for a few months, and even I was only doing a dozen queries a day on it.
"the agency performs about 20 million such queries each month."
20... million... Wait. What?
Somehow this is supposed to make me feel better? This database is full of communication information of which >99% is from perfectly innocent American citizens and foreigners who are absolutely no threat to the US. And yet that database is being queried 20 million times a month?
In what reality does this make even the tiniest bit of sense?
Big mistake by the government. If they wanted this kept quiet, it's a huge tactical mistake that will be an all out strategic mistake.
We argued on the last story whether him having to shut down his business gave him standing to challenge this in open court. Now there's no question - he's being threatened by the government with imprisonment.
I wish I had gotten a comment entered into the record calling this clown the 2-bit hack lawyer that he is.
Just in case you were serious, I don't think you'd have a case for infringement. First, he's entering this into a court record, which is common sense fair use and recently confirmed by another case just recently written about here. Also, there's no copyright notice anywhere that I've seen on TD, and I find it unlikely you've registered your comments with the correct government agency you would need to in order to sue him. But then, I'm not a lawyer. Maybe you could hire one on Craigslist to make some bizarre case that makes a judge get a migraine.
Actually, realizing my post was late to the party, I want to change my reasoning. I still think you've got the right theory, but...
I'm going to go with Hanlon's Razor now. "Never attribute to malice that which is adequately explained by stupidity."
Bennett is assuming malice against his 1-star review. You're assuming stupidity on the part of telco-astroturfing efforts. Therefore, I'm going with stupidity on the part of the telcos, who have been proven to engage in similar stupidity before.
No. Lavabit is a small company. So is SilentCircle. You're right, once a company is big enough, a CEO who tried to shut the company down to protect customers would be ousted by the board or shareholders.
So if you want secure email or cloud services, and can't/don't want to run it yourself, the only answer is small companies that are willing to do a "corporate seppuku" instead of appeasing the NSA.
Privacy Seppuku. This turns the game into whac-a-mole for the NSA. Just like copyright organizations trying to take down file sharing sites, the NSA wouldn't be able to stop it. As soon as they approach a company to try to get wide access to data, the company dies. But it's reborn a short while later with a new name, new domain, but same services running from the same (open source) software, on the same hosting provider (or maybe a different one, since there's lots of hosting providers out there). What is the NSA going to do, arrest the owner? Then they can fight it openly in a real court.
While possible, in actuality it's not very likely. Because many of the major (Tier 1) backbones that are in the US are controlled by US companies, and those companies all peer with each other in many locations inside the US, it would take some seriously screwy routing for an email from the US to go elsewhere before coming back.
What is far more likely is that emails from other countries like Canada or other close neighbors will come into the US before being sent back to their country of origin.
Now we're going to see the rage of the general public. That will get Senators and Representatives looking at this much deeper. Scooping up calls and emails to protect people from terrorists is one thing. Snooping on them about their taxes is something else entirely.
This also puts in perspective the stories back from April about the IRS having access to emails without warrants.
That piece has no technical details of how this would work in reality. It sounds more like a wishlist from some clueless exec in make-believe land.
Sure, Comcast could see someone downloading something via a torrent with DPI gear. But there's no way to "push" a popup to someone's system. There needs to be some software on the system going and looking for it. I suppose Comcast could open a hole on the cable modem/routers they control, but that still leaves OS firewalls to breach.
Mark my words, this globalized free trade fiasco is going to end very badly, for US.
The problem isn't that we have free trade - it's that we don't. The "free trade" agreements are negotiated in secret with technical advisors (lobbyists) from the largest corporations only after their own interests. Instead of promoting free trade, they promote protectionist type policies.
In a (real) free market with (real) free trade, trade imbalances would naturally work themselves out, as the relative exchange rate between the two countries would shift.
Well, this story is the answer to the question posed weeks ago: "If this information is being used, why hasn't it shown up in the evidence used in court cases?"
And if it's happening with the DEA, what other agencies are doing the same thing? I feel like I'm going into tinfoil-hat land here, but it's almost as if the NY Times story was "leaked" by someone knowing that information like this was going to come out and trying to get the opposite out first.