http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Thursday 5 September 2013 15.00 EDT

US and UK spy agencies defeat privacy and security on the internet

• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'

James Ball, Julian Borger and Glenn Greenwald

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

MORE

I mean, come on let that sink in.

I have to reread the philosopher that coined "inverted totalitarianism".

they were devices to allow masters access to the inner minds and expressed thoughts of slaves.

I don't know, here we are, spilling our inner most thoughts on the modern version of the party line.

Greetings, Agent Mike!

THIS is the main take-away from the article, which I found to be written in a rather obtuse style that has to be read with extra care.

Some other points:

Apple, Google and Microsoft (and anyone else in the NSA Prism list) are not to be trusted. In some cases they will even give what ought to be considered your encryption keys to the NSA.

The NSA leans on companies to insert backdoors-- and also vulnerabilities which, no doubt, are written to look like "honest mistakes" if/when they are ever discovered.

They have switched to collecting and sitting-on mountains of our data so they can go on fishing expeditions whenever someone gets a hunch (or an itch... or a vendetta).

Cutely-marketed, uber convenient apps and services are probably the most spy-ridden of them all.

The USA will start to feel a downturn in its tech sector because the NSA became a power-crazed monster.

Even when cyber attacks appear to be coming from certain countries or entities, there is no way to tell if they weren't enabled or caused by alterations the NSA made to routers and other sensitive equipment.

Because once they are encrypted by strong encryption there's no hope to be able to crack the message. The algorithms are specifically designed that way using what are called "trap door algorithms", mathematical functions which can be solved one way, but not the other.

These functions depend on mathematics known to have no analytical solutions in order to decrypt (e.g., factoring very large numbers, generally the product of two very large prime numbers).

These formulations are based on number theory (mathematics of whole numbers) and are easily extendable to any arbitrary complexity by merely making the keys longer.

It is not credible to claim that the NSA, or any organization, can crack the strong encryption used today.

I called bullshit on that meme a few weeks ago and got flamed. Turns out I was right. But there will still be posters who rely on theoretical or mathematical facts to pretend that corruption, cronyism and lots of processing power cannot possibly give the government access to their online cache of lolcats and home canning recipes.

Anyone who is determined to keep their head in a dark place (the sand or somewhere smellier) and insist that the math proves the NSA can't crack your security is in for a rude shock someday.

The NSA is watching. They don't seem all that concerned about what we're doing or when more people encrypt, which is totally not like them.

They have tech we probably haven't even dreamed about yet. I think it's a safe bet to say that they see everything we do, no matter how well we cover it.

Capability does not always mean something is happening. But the article points out that the NSA has managed to give themselves lots of inside tracks that enable them to more easily bypass or break encryption from a variety of sources and technologies. That blows up the mathematical argument, because it is based on the premise that the NSA HAS TO go through the tedious and time-consuming brute-force process. If they have back doors and other workarounds, then the mathematical argument falls apart.

I assume that I have no privacy online. Odds are they don't give two hoots in Hell about me or pay attention to me, but they could if they wanted to.

that there's really no such thing as "privacy" online, ever since I first logged on the internet in 1995.

I sometimes think that for a lot of folks out there, anonymity is the same thing as privacy. It's not.

The article quotes Snowden that the NSA probably cannot crack strong encryption-- this is corroborated by what the most esteemed cryptologists are saying. But there is more to security than the encryption itself.

(It is worth noting that journalists often use the term "crack" loosely.)

Its all the other possible avenues for grabbing our data that the NSA has become really good at. The article describes a heavy reliance on back doors and break-ins... they wouldn't need these if they could could crack strong encryption like RSA-2048 and AES-256.

In addition to encryption you must also have trustworthy vendors and the American corps are revealed to be treacherous.

Then our encrypted communications are too. That is my point. Practicality, not theory.

Lots of people just download what they find, and don't check the boards to see what builds are clean and which ones have been fiddled with.

That would seem to be a pretty rare occurrence.

And really, no one is a "casual" user anymore; virtually all of us need to use the Internet. Non-technical or novice users may be at a disadvantage, but the reality is that up until recently even technicians and analysts felt they didn't have the time to really pay attention to computer security. Now that is changing and users need to be mindful of this aspect of their suppliers' reputations.

If people can switch to Firefox based on word of mouth and good press, then there is hope that other open source projects can act as a beacon for them. They need to realize that open source needs to go all the way down to the operating system and even the firmware-- while proprietary products can be used more safely within transparent virtualized jails.

http://www.democraticunderground.com/1014587002

It is not a 'new day' for encryption, unless you mean US proprietary encryption products.

This is essentially the same as the NYT version of the story.

You're confusing "encryption" with "security", which is probably understandable since most journalists confuse the two constantly... like when they report on energy markets and cannot keep the difference between Watts, Watt-hours, BTUs, etc straight because they almost flunked the tiny amount of physics they were taught.

They also use the term "cracked" very loosely.

Their new "cryptanalytic" capabilities involve stealing (supposedly short-lived) session keys from people's computers using malware and backdoors. If those keys were re-used often, then they are bound to find other stuff within the accumulating mountains of data that they can conventionally decrypt using those keys. They also have a program where online services wilfully hand over keys for storage in a key database... i.e. the online services you put your trust into are ratting you out, and that is possible because you let them create and manage the keys instead of doing it on your own computers.

So there is no evidence they have cracked strong encryption (including RSA and AES). It is weaker encryption, mainly used on cellphones to save energy, that they can crack.

The backdoors are, however, extremely worrisome. The extent to which American app and service vendors will sell us out is revealed to be quite extensive. The only IT stuff people can trust anymore is open source-- that which can be easily examined and audited by academics, professionals, enthusiasts from any part of the world.

.... said correction and clarification of what the leaked documents say. It is true that a truly strong encryption algorithm cannot be realistically (realistic, done in a matter of hours or days while the info would be useful) broken, but that is not what they are up to. They installed back door weakness in the encryption methods, ways to get the message before it is encrypted and other similar subterfuges.

Truth be told, truly secure electronic communications are very difficult to come by. It is also clear from these leaks that most if not all of the big commercial providers of supposedly secure communications have been compromised.

Some say "open source" encryption is the safest as you can compile the code yourself. But unless you are a coder/mathematician it's hard to see how you could tell if the source code you downloaded was free of compromise.

Now that this has come out I have to wonder if this is what had everyone in a tizzy. It definitely a game changer.

That is a community effort of people working within nonprofit foundations which themselves collaborate with each other. Its out in the open and the critical infrastructure parts receive white hot scrutiny from all quarters.

The other aspect of this is that an operative cannot get away with much if they try to insinuate malware into an open source program. Plenty of techies do low-level monitoring of their Internet connections. If a machine is compromised, a separate network monitor can pick up suspicious activity. That is one of the primary ways that security researchers and firms become established: by finding unusual activity in computers and networks and reporting their findings. The difference is that the same techs or their associates can immediately delve into the open code to pinpoint any anomalies. With proprietary stuff, they are reduced to sending emails about odd behavior to the product vendor and hoping they get something more than a form letter or silence in response; sometimes the response is a legal threat.

The reason that backdoors and break-ins work for the NSA is because the general reluctance of proprietary vendors to address reports acts as a convenient cover.

I run down my 400 ft driveway and another 1000 feet to theirs, and go knock on their door and ask them if they'd like to come over for dinner. But I wink when I do it, and they know what I mean. NSA fucktards are useless.

All the Cribs in the World won't help.

I thought encryption was to protect yourself from thieves and criminals.


...Oh wait.

Hence the need for back doors and other hacks.

Compromised is compromised.

But if you are the guy responsible for keeping people out, or the guy responsible for trying to break in, I can assure you that the details matter.

Not good enough privacy (though Pretty Good Privacy is still good, just no longer good enough for the spooks.