Spy Agencies Work To Weaken Privacy, Buy Back Doors Into Commercial Encryption

NSA logoU.S. GovernmentIt's no secret that intelligence agencies don't like encryption technology—at least, they don't like it in the hands of anybody other than themselves. The U.S. government classified encryption as "munitions" subject to export controls for years, only to be defeated by the amazing power of the Internet, books and people's brains to transport information across borders without regard to laws. Phil Zimmermann, the creator of PGP (and, more recently, a co-founder of Silent Circle), was even investigated for his efforts, though charges were never filed. Now comes word that the National Security Agency and the U.K.'s GCHQ have been busy at work cracking common online encryption systems, paying tech companies to build back doors into their security and even laboring in secret to weaken the accepted standards on which encryption is based.

The Guardian, the New York Times and ProPublica broke the latest revelations based on data from Edward Snowden. The following is excerpted from the Guardian story by James Ball, Julian Borger and Glenn Greenwald:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

It's not news that the NSA and its counterparts have powerful computers and an interest in cracking encryption systems. Nor, unfortunately, is it news that many companies collaborate with these agencies in compromising their customers' security (though some have fought and continue to resist such efforts). It is interesting, though, to know that the NSA spent $254.9 million this year on a project that "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs." According to the NSA's own documents:

"These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact."

If you trusted your commercially sourced security software, stop.

What is really disturbing news is that the NSA has successfully highjacked the process of setting standards for encryption. "The agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006." The NSA was the sole editor for that standard.

Ultimately, this means that developers, activists and business people who are serious about privacy and liberty need to end cooperation with government bodies and work on open source security that can be scrutinized for exactly the sort of weaknesses and back doors the NSA and GCHQ have been so busily installing. Every effort to "help" that has been put forward by agencies like the NSA, including the Commercial Solutions Center (supposedly established to assess and encourage developments in cryptography) have instead been turned into tools for weakening privacy protections.

Companies that won't do that and that continue to collaborate with surveillance agencies, should be abandoned by members of the public who care about privacy, or who just resent increasingly presumptuous Big Brother.

Update: Was it just yesterday that I suggested the U.S. government is rotten to the core? Yes. Yes it was.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Paul.||

    . Phil Zimmerman, the creator of PGP (and, more recently, a co-founder of Silent Circle),

    And recently on trial for killing a black kid with Skittles! How could that not get mentioned?

    Oh wait... wrong Phil Zimmerman.

  • Paul.||

    But serially, wait up:

    S and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

    [...]

    Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

    I'm guessing the supercomputer angle is the least used, least successful, and only successful against known weak methods. My other guess is, like when the news says such-and-such a site or service got 'hacked' the reality is it got dumbassed: Someone called someone and said, "Open da door! Lemme in!" and someone opened the door and let them in.

    Not sure what to call it when the government demands a skeleton key to the servers' data. Gotta come up with a new name for that. Maybe 'governmented'.

  • ||

    "Assraped"

  • ||

    What did you call this? Your thirteenth birthday party?

  • ||

    My sixth birthday party.

  • ||

    I mean THIS. With link.

    But I doubt your answer changes.

  • SweatingGin||

    I'd gues we'll be finding a lot of random number generators suck in ways know to NSA.

  • ||

    I don't know the source of the speculation, but I've heard a lot of rumbling about some Intel HWRNGs being compromised.

  • SweatingGin||

    IIRC, there was speculation on the cypherpunks list.

    I believe software to use that RNG is in the Linux kernel, as well.

    Also of note-- the android SecureRandom call was anything but. I had chalked it up to a mistake, but... (That was found and used to compromise bitcoin wallets generated on android)

  • Stormy Dragon||

    More likely, they've compromised some of the CAs, so they can MITM any stream that was using them for key negotiation.

  • Bam!||

    The "ensure NSA control over setting of international encryption standards" refers to Dual_EC_DRBG.

  • SweatingGin||

    ... Hopefully.

  • SweatingGin||

    Just read the rest of that page, I'd read Schneier's 2007 article on it earlier today.

    So, no more trusting NSA crypto. Not sure how I feel about AES at the moment... Here comes a paranoid night.

  • Killazontherun||

    Its called, no one with serious money on the line would ever deal with your American based company.

  • SomeGuy||

    I think they are referring to HTTPS being useless when the US has those boxes that can fake keys installed in every ISP.

  • ||

    Why are there no heads rolling over this shit? As more and more comes out? Even symbolically (as in, fire the NSA Director and then just have the NSA keep doing its thing), there's been nothing. Couldn't Obama make this go (somewhat) away by firing a few people and promising to "force an internal review" or something? Why hasn't he done that? Because it would take a lot of heat off him and would thrill a lot of supporters who he's losing over this.

  • Juice||

    To be fair, he's a terrible president.

  • ||

    Yeah, I figure he's either too stupid and power hungry to back down (how dare those peons not want to be spied on!), or his administration is so incompetent that they just haven't even thought of it.

    This is also a case where it could be both.

  • mr simple||

    He's trying really hard to start lobbing missiles to distract people from this.

  • ||

    Yes, and mostly with success. Fortunately that is looking more and more like he is shooting himself in the dick. What a moron.

  • Killazontherun||

    His foreign policy team makes Cheney, Condoleeza, Powell and Rumsfeld look like the A-Team in comparison. Have you ever seen failure rewarded so well in your life?

  • Paul.||

    Why are there no heads rolling over this shit?

    I see no evidence that procedures haven't been followed. The public was resisting and not complying, so the batons came out. The Guardian article doesn't show the whole context that led up to the encounter.

  • RBS||

    Ah, so what they really need is more training.

  • Jordan||

    FYTW. Always FYTW.

  • ||

    This has already gone away.

    See Syria.

    The MSM has forgotten all about it.

  • ||

    Why aren't politicians, morally upstanding people that they are, fighting the people who illegally know everyone's secrets?

    I don't think you've through this through.

  • ||

    I'll through it through when I'm through throughing.

  • ||

    I need to drink and masturbate more.

  • BuSab Agent||

    Doesn't everybody?

  • ||

    I don't. I'm about maxed out on both.

  • BuSab Agent||

    Can't be.... you're still posting.

  • andarm16||

    Because the Republicans are raging a war on woman and gays (or the Democrats are launching a war on Children and the Unborn) Or someone killed a black teenager in Florida, or there's horse race politics for the 2016 presidential election, or those evil Republicans were trying to murder the poor through repealing ObamaCare, or some celebrity did something stupid, or some tin pan dictator poisoned his people, or there's some new scare that will have pedophiles raping your teenage daughter (or worse, your teenage daughter is getting high, or horror of all horrors is getting high while being sexually active (maybe even still involving pedophiles somehow)). Or a million other things that the state worshipers of the mainstream media wish to cook up.

  • Juice||

    Hell they tried to have a backdoor into all encryption back in the 70s.

    http://en.wikipedia.org/wiki/D.....the_design

  • Christophe||

    Actually, if you read that article, they helped make the encryption *stronger* against an attack that only they and IBM knew about. They actually were the good guys.

    This is what pisses me off. The NSA's role was in part to help secure the nation's communication, public, private and commercial. Now we know they abused that trust to weaken encryption systems.

  • Archduke Trousersenthusiast||

    The season is 0 minutes old and already I am annoyed by Cris Collinsworth.

  • ||

    That's what you get for watching the pregame show.

  • RBS||

    It's not just a pregame show, it's a preseason show. They have stuffed an entire offseason of idiocy into this thing.

  • RBS||

    Speaking of idiocy, why does Keith Urban have a southern accent when he sings when he's supposedly from Australia? That doesn't strike anyone as incredibly manufactured?

  • ||

    I would never listen to Keith Urban, so I have no idea.

  • RBS||

    Me either, he was just on this preseason show. It's absurd.

  • ||

    Well, only 8 or so minutes until your pain comes to an end.

  • Archduke Trousersenthusiast||

    somebody paid good money to be stuck under that Cleveland Browns helmet flag

  • ||

    Rain delay? What the fuck is this shit?

  • Paul.||

    Believe it or not, relatively normal.

    Singing is a form of imitation. It's why British pop singers of the 60s sounded black. No one thought it was strange then.

  • RBS||

    True. It's just as a southerner I find fake southern accents to be incredibly irritating.

  • Paul.||

    Seriously, check out Long John Baldry video.

    Don't know how old you are, but Baldry was as English as tea and crumpets.

  • RBS||

    Seriously, check out Long John Baldry video.

    That's actually kind of cool.

  • ||

    As a northerner, I find ALL southern accents to be incredibly irritating. :-o

  • RBS||

    Ha!

  • Killazontherun||

    Okay, Grandpa Kettle. That affectatious wheezing hiss doesn't make me want to shoot you and wipe out the Old Yankee bloodline from all of creation, no nothing that annoying at all. Why, its even . . . charming.

  • SIV||

    Damn Yankees

  • Killazontherun||

    As a Southerner I find the real ones even more so. Especially from the town a few miles to my west. They tend to breed the girls very cute there though.

  • ||

    What they lack in dialect, they make up for in their ability to produce beautiful women.

  • Tejicano||

    Well, the Beatles didn't sound black - but they definitely didn't sound like they were from Liverpool.

  • Paul.||

  • Archduke Trousersenthusiast||

    It's a left/right brain thing. It's like how people who stutter can sometimes sing with no issue.

  • Paul.||

    Yep.

  • Tejicano||

    James Earl Jones, in real life, stutters like you would expect he couldn't state his own name. When he takes on a role it drops off like water off a duck.

  • Archduke Trousersenthusiast||

    How can it already be dark in Baltimore?
    That must suck.
    The best part of summer here is that it's daylight until 9 or 10.

  • RBS||

    How can it already be dark in Baltimore?

    Racist!

  • Killazontherun||

    In June, July and August, yeah, but its September, and in these latitudes it is now dark outside. That is why I hate the Daylight Saving Time shit. It's already dark here before six by the time the Winter Solstice rolls around, why are you screwing with the little light I have in the evening to work around the house?

  • mr simple||

    Buy back doors? Why did they get rid of them in the first place?

  • ||

    Because Jim died.

  • Hugh Akston||

    The NSA totally ripped this idea off from Sneakers.

  • ||

    You know I could have been in the NSA, but they found out my parents were married.

  • ||

    "......indecipherable to criminals or governments."

    A distinction without a difference.

  • NSA Corey||

    Good stuff guys.
    Keep it coming.

  • PH2050||

    Hey if I take out my cell phone battery you guys can still hear me, right?

  • Paul.||

    Bushitler.

    Obamugabe.

  • Cytotoxic||

    On-topic: Brazil is pushing HARD to get its government comms away from NSA eyes. Dilma's pissed.

    By purchasing a new satellite, pushing bureaucrats in Brasilia to use secure email platforms and even building its own fiber-optic cable to communicate with governments in neighboring countries, Brazil hopes to at least reduce the amount of information available to foreign spies.

    http://www.reuters.com/article.....1420130905

  • Bam!||

    Echelon does nothing but intercept satellite communications.

    Secure email is fine unless the platform it's running on is insecure.

    U.S. has subs that specialize in undersea fiber optic tapping.

    Good looking evading them. In the modern world, if you want instant communication, it can be tapped.

  • JD the elder||

    "even building its own fiber-optic cable to communicate with governments in neighboring countries"

    "U.S. has subs that specialize in undersea fiber optic tapping."

    Um, you know that Brazil's neighbors are on the same continent, right? Unless the US also has special subs that tunnel through dirt too...

  • Eduard van Haalen||

    leave my back door alone, lol

    dirtyjokesareourspeciality.com

  • Fist of Etiquette||

    That's a pretty storng assertion, dude.

  • SIV||

    He's talking his book.

  • Mr Whipple||

    Neither has 2048-bit RSA public/private key. Personally, I use 4096-bit.

  • The Original Jason||

    If you trusted your commercially sourced security software, stop.

    How do we know that open source software isn't compromised by NSA volunteers?

  • JD the elder||

    Because it's open source, and you or anyone else can examine the source code. To get the real benefit of that, you do have to compile it yourself, of course; I think there have been cases where pre-packaged versions of open source software have been secretly modified.

  • A Secret Band of Robbers||

    OT: My best friend get the shit beat out of him by his family's assigned drunken asshole. The asshole was acting threatening toward his wife and kids, and my friend got in the way and got his jaw broken twice. He wasn't even trying to defend himself.

    If you read this and think "the asshole is probably a cop," that just shows what kind of cynical libertarian you are. He absolutely is NOT a cop anymore. No, he wasn't up to snuff, so he got a job with the TSA.

  • Generic Stranger||

    Please tell me that the TSAsshole at least got arrested.

  • A Secret Band of Robbers||

    Yes, he's in jail. I said he wasn't a cop.

  • Jake W||

    That doesn't automatically mean in jail.

  • brec||

    the consumer and other adversaries

    Yep.

  • Mr Whipple||

    ...Buy Back Doors Into Commercial Encryption

    Use open source. GnuPG.

    http://www.gnupg.org/

  • Mr Whipple||

    Seriously, you think Stallman went through all that shit just to be a dick?

  • LifeStrategies||

    "Update: Was it just yesterday that I suggested the U.S. government is rotten to the core? Yes. Yes it was."

    Yes, indeed - the establishment figures and many government agencies are all demonstrating this...

    Serious thanks to Snowden who is a true American hero!

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Progressive Puritans: From e-cigs to sex classifieds, the once transgressive left wants to criminalize fun.
  • Port Authoritarians: Chris Christie’s Bridgegate scandal
  • The Menace of Secret Government: Obama’s proposed intelligence reforms don’t safeguard civil liberties

SUBSCRIBE

advertisement