Holy Facting Shite - US and UK spy agencies defeat privacy and security on the internet
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
<snip>
NSA and GCHQ unlock encryption used to protect emails, banking and medical records
$250m-a-year US program works covertly with tech companies to insert weaknesses into products
Security experts say programs 'undermine the fabric of the internet'
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
This story has been reported in partnership between the New York Times, the Guardian and ProPublica based on documents obtained by the Guardian.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic: "the use of ubiquitous encryption across the internet".
Through these covert partnerships, the agencies have inserted secret vulnerabilities known as backdoors or trapdoors into commercial encryption software.
The companies that sell and use encryption software know these backdoors exist and have been misleading consumers?
malaise
(268,931 posts)
every year - what a fugging mess.
Thinkingabout
(30,058 posts)
Luminous Animal
(27,310 posts)Luminous Animal
(27,310 posts)
For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story - it was in process well before I showed up - but everything I read confirms what the Guardian is reporting.
At this point, I feel I can provide some advice for keeping secure against such an adversary.
The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies - all the US and UK ones, and many other "partners" around the world - the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
Luminous Animal
(27,310 posts)
September 5, 2013, 4:57 p.m.
The latest Edward Snowden-powered exposé published by the New York Times, ProPublica and the Guardian is, to me, the most frightening. It reveals that the National Security Agency has moved beyond its historic role as a code-breaker to become a saboteur of the encryption systems. Its work has allegedly weakened the scrambling not just of terrorists' emails but also bank transactions, medical records and communications among coworkers.
Here's the money graf:
"The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world's most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."
I'd be disappointed if the NSA hadn't figured out how to do that hacking trick. But adding vulnerabilities to standard encryption techniques? That's just making the job easier for hackers to make sense of the scrambled data they steal.
The outrage is still pouring in from various advocacy groups. Here's a succinct condemnation by the Center on Democracy and Technology, one of the more centrist of these organizations:
"These revelations demonstrate a fundamental attack on the way the Internet works," senior staff technologist Joseph Lorenzo Hall wrote in a statement. "In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it's incredibly destructive for the NSA to add flaws to such critical infrastructure. The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners."
Luminous Animal
(27,310 posts)
Unfortunately for Cameron, and his American counterparts, the Guardian turned to the Times and ProPublica for assistance. The Times had previously come under scrutiny for the way it had covered--or, in the eyes of its critics, undercovered--the NSA story. Drawing perhaps the most influential news organization in the world more deeply into that story was likely not what American or British officials wanted.
The first results of that collaboration were published on Thursday, with major splashes on all three websites. In its piece, the Times wrote that it was publishing the story over government objections:
Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.
Luminous Animal
(27,310 posts)
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson
http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption
This story has been reported in partnership between The New York Times, the Guardian and ProPublica based on documents obtained by The Guardian.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume or have been assured by Internet companies that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Luminous Animal
(27,310 posts)
But encryption is much more than that. Encryption is really the system that lets the Internet function as an important commercial instrument all around the world. It's what lets you enter your credit card number, check your banking records, buy and sell things online, get your medical tests online, engage in private communications. It's what protects the sanctity of the Internet. And what these documents show is not just that the NSA is trying to break the codes of encryption to let them get access to everything, but they're forcing the companies that provide the encryption services to put backdoors into their programs, which means, again, that not only the NSA, but all sorts of hackers and other governments and all kinds of ill-motivated people, can have a weakness to exploit, a vulnerability to exploit, in these systems, which makes the entire Internet insecure for everybody. And the fact that it's all being done as usual with no transparency or accountability makes this very newsworthy.
JUAN GONZÁLEZ: But, Glenn, going back to the mid-1990s in the Clinton administration, when the government tried to establish these backdoors into communications on the Internet, there was a public debate and a rejection of this. What has happened since then now in terms of how the NSA operates?
GLENN GREENWALD: Right, it's interesting. If you go back to the mid-'90s, that debate was really spawned by the attack on Oklahoma City, which the Clinton administration - on the Oklahoma City courthouse by Timothy McVeigh, which the Clinton administration immediately exploited to try and demand that every single form of computer security or human communication on the Internet be vulnerable to government intrusion, that it all - that there be no encryption to which the governments didn't have the key. And as you said, a combination of public backlash and industry pressure led to a rejection of that proposal, and the industries were particularly incensed by it, because they said if you put backdoors into this technology, it will make it completely vulnerable. If anyone gets that key, if anybody figures out how to crack it, it will mean that there's no security anymore on the Internet.
And so, since the NSA and the U.S. government couldn't get its way that way, what they've done instead is they resorted to covert means to infiltrate these companies, to pressure and coerce them, to provide the very backdoors that they failed to compel through legislation and through public debate and accountability. And that is what this story essentially reveals, is that the entire system is now being compromised by the NSA and their British counterpart, the GCHQ, systematic efforts to ensure that there is no form of human commerce, human electronic communication, that is ever invulnerable to their prying eyes. And again, the danger is not just that they get into all of our transactions and human communications, but that they are making it much easier for all kinds of other entities to do the same thing.
malaise
(268,931 posts)
important link
Hutzpa
(11,461 posts)
Yes, there are ways to carry out a MITM attack, but there are also ways to prevent a MITM attack on encryption.
People need to first understand the different levels of encryption before you can attempt to make such a grandiose statement.
Unless NSA is suggesting that protecting my privacy is an act of terror? I will take this as just another moment of fear.
You have to understand the implication this statement has created, which is the uncertainty of doing business online, because people will start to question their banks and other e-commerce corporations about their privacy and security.
You open up questions such as: how long before criminals can obtain this technology?
How long before the very same terrorist they claimed to protect us from obtain this technology?
These are just a few questions they will have to answer to if this is proven to be true.
If wanting Privacy is now considered an act of terror then we are now completely Fucked.