New Snowden revelation: In case you hadn’t already guessed, the NSA can crack most of your encrypted data too

posted at 6:41 pm on September 5, 2013 by Allahpundit

Can something qualify as bombshell news if everyone already assumed it was true without quite knowing for a fact that it is? By that standard, it’ll be a page one splash if/when Israel finally confirms that it has nuclear weapons. Ahem:

They can read basically everything, and you should have guessed that already from the gist of the previous 20-30 Snowden revelations. There are still a few codes they can’t break, apparently — Snowden must know some tricks to keep his own communications encrypted — but if, like most people, the extent of your anti-surveillance measures involves clearing cookies sporadically, rest assured that they won’t have trouble reading your “encrypted” e-mail if they want to.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world…

Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware…

How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”…

[T]he agencies’ goal [in 2010] was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.

The NYT doesn’t explicitly say that the NSA achieved its goal in that boldface bit but the whole thrust of the article is that their decrypting capabilities are, predictably, getting better over time. As with any story in this vein, you come away simultaneously alarmed and awestruck by what they can do and what they’re willing to do in the name of Total Information Awareness. I can’t do justice to it by quoting excerpts, in fact; you should take advantage of the Syria news lull and read it all, noting especially the part about how “back doors” created by the NSA into encryption programs might not remain exclusively the province of the NSA. In fact, I think the real news value of this one isn’t that the NSA is obsessed with cracking codes, which is essentially its job description, but the extent to which Congress has empowered it to intimidate tech companies and their employees into playing ball or else. “[I]n some cases,” the Times notes drily, “the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.” That’s what made Lavabit’s decision to shut down so noteworthy. The next OS you install is quite likely to have NSA-built bugs inserted into it, which the manufacturer has no choice but to include in the package if it wants to stay on the feds’ good side. If Congress wants to revisit this subject, that’s a nice place to start.

One footnote: Both the Times and ProPublica stress that U.S. intel was very, very unhappy to hear that this story would be published, for fear that the bad guys would change their encryption methods to avoid NSA spying. Hard to believe after the past two months of NSA stories, though, that foreign governments and jihadis haven’t already figured out that routine digital communications are extremely vulnerable. Remember, Al Qaeda reportedly has tried to create its own proprietary encryption to keep their communications away from prying American eyes. Foreign states doubtless have more sophisticated measures, and the NSA probably has even more sophisticated ways of getting around them. There are no specifics about any of that in the NYT story, just the usual roll call of Google, Microsoft, Skype, etc, that you already assumed the NSA was fiddling with. The threat of meaningful enemy countermeasures seems low, at least to a layman.


Related Posts:

Breaking on Hot Air

Blowback

Note from Hot Air management: This section is for comments from Hot Air's community of registered readers. Please don't assume that Hot Air management agrees with or otherwise endorses any particular comment just because we let it stand. A reminder: Anyone who fails to comply with our terms of use may lose their posting privilege.

Trackbacks/Pings

Trackback URL

Comments

I feel safer.
/

CW on September 5, 2013 at 6:42 PM

How is everyone enjoying Obama’s Police state?

Galt2009 on September 5, 2013 at 6:47 PM

We simply must sacrifice the 4th Amendment (and derivative liberties) or the terrorists win!

Jeddite on September 5, 2013 at 6:48 PM

One footnote: Both the Times and ProPublica stress that U.S. intel was very, very unhappy to hear that this story would be published, for fear that the bad guys would change their encryption methods to avoid NSA spying.


ENOUGH of the government HORSESH|T !!!

The terrorists that matter ALL have state-of-the-art, government-level intelligence support and information.

The terrorists have known for YEARS the NSA could defeat any commercially available encryption system.

Any chance Hot Air could be slightly less credulous of fairy tales being “leaked” by the intelligence community?

PolAgnostic on September 5, 2013 at 6:49 PM

The now the Obama administration’s NSA commits espionage against American citizens in mass and in depth, and without any scintilla of probable cause, and when someone (Snowden in this case) reveals this then that person, according to the Obama administration, is guilty of … … … espionage. .. … and, oh yes, a traitor, of course, It would be as if someone revealed that some officers in the local police department were dealing drugs and then the police department charged them with … … … dealing drugs. What is needed is a way to curtail the anti-American, anti-patriotic, anti-Bill-of-Rights, anti-natural rights, and I might add almost totally, if not totally, ineffective against terrorists, NSA, America’s version of East Germany’s STASI and the Keystone Cops..As an American version of the East German Stasi, the N-Stasi-A is most excellent. As anything that protects our security it is all but if not utterly worthless.

The vital question is not “Oh look, there’s Snowden”, but to what degree should the Bill of Rights be eviscerated and within America’s own borders, such as we have of borders? I say it should not be at all and I am certain that to a man, the Founding Fathers would wholeheartedly concur. But I do want to thank the Founding Fathers for all the sacrifices they made however much they now seem to have been in vain.

With it’s warrantless 24X7 spy programs the NSA is committing non-stop acts of war on the United States Constitution and hence the American nation and people and is maliciously and with forethought pre-judging all American citizens as guilty until never proven innocent, so it is really a criminal organization itself and every employee working for it is therefor a member of a criminal organization. May they all have nightmares of Nuremberg … every .. single .. night.

VorDaj on September 5, 2013 at 6:51 PM

Question authority.

Flange on September 5, 2013 at 6:56 PM

[T]he agencies’ goal [in 2010]

 
2010?
 
2010…
 
So does anyone know who appointed the heads of that agency during 2010?

rogerb on September 5, 2013 at 6:57 PM

If the NSA can crack some encryption and not others, then they will want people to believe one of two things:

a) Your encrypted communications are safe

or

b) No encryption will protect you, so you might as well not try

The one thing they would not want is for you to know which encryptions they can easily break and which ones they can’t, because that might lead to people making good choices to keep their communications secret.

So I’m not at all convinced that the NSA is unhappy with this story. As long as people are not well enough informed to know which encryption is more secure than others, the advantage is to the NSA. A story saying the NSA has broken ALL encryption leaves people no smarter about how to hide their communication.

There Goes the Neighborhood on September 5, 2013 at 6:59 PM

What they should crack is their brains…about the constitution.

Crack all you want, outside the USA.

Inside…you are illegal thugs.

Schadenfreude on September 5, 2013 at 7:01 PM

RWM, another eye to capture…for Axie

Schadenfreude on September 5, 2013 at 7:02 PM

Good read, thanks Allah. ; )

Bmore on September 5, 2013 at 7:03 PM

Schadenfreude on September 5, 2013 at 7:02 PM

Just sent it. ; )

Bmore on September 5, 2013 at 7:04 PM

Perhaps you weren’t a member of the Bush/Cheney apology choir during the time they were actually (not hypothetically)subverting the constitution…
 
Maybe you were outraged by the NSA’s warrantless wiretapping.
 
But maybe, like so many here, you were a full throated cheerleader then?
 
verbaluce on March 7, 2013 at 5:54 PM

 
(Formatted for ease of laughing at.)

rogerb on September 5, 2013 at 7:06 PM

Why did they force Levinson / Lavabit into shutting down if they could just decrypt it offsite?

Seems to me they need co-operation with companies. Levinson wasn’t willing to do that

tetriskid on September 5, 2013 at 7:09 PM

rogerb on September 5, 2013 at 7:06 PM

rogerb, glad I ran into you here. Have something for you.

Bmore on September 5, 2013 at 7:10 PM

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Since there is no chance the government would read anything containing the above text I think I’m able to speak freely for the rest of this post.

Members of the Greatest Generation went to war and gave up their lives to protect our liberty and we, their successors, give up our liberty to protect our lives. We are not worthy of their sacrifice.

alchemist19 on September 5, 2013 at 7:14 PM

Why did they force Levinson / Lavabit into shutting down if they could just decrypt it offsite?

Seems to me they need co-operation with companies. Levinson wasn’t willing to do that

tetriskid on September 5, 2013 at 7:09 PM

maybe access issue?

dmacleo on September 5, 2013 at 7:15 PM

Don’t use ISP based encryption to protect your email and pictures.

When I received some cryptanalysis training I learned that you can’t protect anything forever, that a dedicated person with enough resources will eventually decrypt your material. The point is to make it as difficult, expensive and time consuming as possible.

Terrorists probably stopped sending each other email pr texts and if they call each other they probably use “burner” phones. The NSA doesn’t give a damn about them any way. They don’t stop terrorists when they are served up on a platter like the Marathon bombers or Nidal Hassan.

This is about watching US.

dogsoldier on September 5, 2013 at 7:17 PM

rogerb, glad I ran into you here. Have something for you.

Bmore on September 5, 2013 at 7:10 PM

Love that blog!

Schadenfreude on September 5, 2013 at 7:21 PM

This is a bigger story than Allahpundit understands because he doesn’t understand encryption very well.

Typical AES encryption with a strong password is unbreakable, even by the NSA. They’d have to guess the password. If you have a strong enough password, even at billion of guesses per second, it would take BILLIONS of years to guess it. Even if the NSA decryption can make guesses a million times faster than everyone else, those billions of years merely shrink to thousands of years.

But if the NSA has secret backdoors into the encryption programs themselves, that means that the password doesn’t matter. The NSA can open it up whenever it wants. The only thing stopping them is that if they open something up that was supposed to be unbreakable, then adversaries will know that encryption software is compromised and either switch to a different one that is safer (maybe one with an open source code) or write a new one themselves.

None of this matters if youre not a terrorist, but cops could ask the NSA to unlock a computer for them, and concoct some lie to claim they got the password a different way, then it is up to the NSA to take the risk or not.

kaltes on September 5, 2013 at 7:27 PM

This is about watching US.

dogsoldier on September 5, 2013 at 7:17 PM

This about controlling us. Dissenters are soon going to be among the disappeared.

This is why the NSA needs to be defunded in the upcoming budget battles. They are not providing national security by domestic spying, they have repeatedly lied, and they haven’t stopped. They need to be shut down.

Happy Nomad on September 5, 2013 at 7:27 PM

Wait until Snowden releases the backdoor passwords to Windows and Mac OS and home routers. That’s when the SHTF.

slickwillie2001 on September 5, 2013 at 7:27 PM

“[I]n some cases,” the Times notes drily, “the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.”

Via Obama’s SS guard, also known as the I.R.S.

Welcome to the new normal, brought to you by hope & change.

Oxymoron on September 5, 2013 at 7:30 PM

Schadenfreude on September 5, 2013 at 7:21 PM

As do I. My falling off to sleep read as of late. He’d best get busy writing., I’m caught up at his joint.

Bmore on September 5, 2013 at 7:36 PM

I’ve been saying this for years, only to be sneered at by just about everyone, who say that the encryption scheme they use is utterly secure and uncrackable.

Thanks for the vindication, Mr. Snowden.

LegendHasIt on September 5, 2013 at 7:42 PM

Oh, I almost forgot to ask. Did we figure out yet if Snowden is a hero or a traitor?

Bmore on September 5, 2013 at 8:13 PM

Meaningful “enemy” countermeasures would refer to ordinary people who want privacy.

That’s what this is about. The government machine is leftist and uses its power to harass the Tea Party etc.. Ordinary people want privacy so they can talk freely. The government taxes them to pay for measures to destroy their privacy.

David Blue on September 5, 2013 at 8:15 PM

Oh, I almost forgot to ask. Did we figure out yet if Snowden is a hero or a traitor?

Bmore on September 5, 2013 at 8:13 PM

Whistle-blower / good guy. he said he was warning of real abuses. He was.

David Blue on September 5, 2013 at 8:16 PM

Bmore on September 5, 2013 at 7:10 PM

 
Shucks.

rogerb on September 5, 2013 at 8:34 PM

As usual, it is more or less decent folk the Feds will bully.

It is not a free country.

That time is long gone.

Sherman1864 on September 5, 2013 at 8:37 PM

How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored.

Hardly… they just got them from Verisign.

For those that generated self-signed certs I’m willing to bet that’s crippled in some manner.

Skywise on September 5, 2013 at 8:52 PM

I’ve always said that if I were the NSA I would have long ago recruited some talent whose specialty is convincing the Tinfoil Hat Brigade that XYZ Encryption (actually made by the NSA to have a back door for the NSA) is NSA-proof. When the CP distributors, drug gangs, and other outlaws hear the tinfoilers like XYZ, and start using XYZ, blammo. All social engineering, not necessarily hackery.

Sekhmet on September 5, 2013 at 10:15 PM

If you want secure communications, nothing beats old-fashioned tradecraft. If they want to read your communication badly enough, they have to pay someone to stake your/your correspondent’s ass out. You can see that guy poking around for your dead drop. You can’t see some NSA geek reading yours and a hundred other folks’ email.

Sekhmet on September 5, 2013 at 10:23 PM

Sekhmet on September 5, 2013 at 10:15 PM

Yep, ditto. I’ve espoused the same theories. Mostly to derision.

LegendHasIt on September 5, 2013 at 10:39 PM

When the CP distributors, drug gangs, and other outlaws hear the tinfoilers like XYZ, and start using XYZ, blammo. All social engineering, not necessarily hackery.

Sekhmet on September 5, 2013 at 10:15 PM

except the NSA isnt allowed to go after any of those people, only terrorists. child porn and drug dealers don’t threaten national security.

kaltes on September 6, 2013 at 4:09 AM

That means Cloud computing is not so secure after all, although I never thought it was anyway and quite vulnerable to critical failures.

Keep your data away communications computers. Encypt/Decrypt on computers that are not connected so the keys are away from snooping. There are many things you can do protect yourself.

Alternately flood the web with encrypted encryptions just make them work for it.

TerryW on September 6, 2013 at 9:08 AM

There Goes the Neighborhood on September 5, 2013 at 6:59 PM

Well, you can get a pretty good idea of what they think is good enough for government work ‘crypto’ for secure comms by looking at that set of NIST documentation.

Net-net: RSA has been broken.

Cipherprime on September 6, 2013 at 12:55 PM