Can something qualify as bombshell news if everyone already assumed it was true without quite knowing for a fact that it is? By that standard, it’ll be a page one splash if/when Israel finally confirms that it has nuclear weapons. Ahem:
N.S.A. Foils Much Internet Encryption: http://t.co/LvoMg0RJI5 || I knew this was happening back when I was a senior network engineer in '05.
— Jason B. Whitman (@JasonBWhitman) September 5, 2013
They can read basically everything, and you should have guessed that already from the gist of the previous 20-30 Snowden revelations. There are still a few codes they can’t break, apparently — Snowden must know some tricks to keep his own communications encrypted — but if, like most people, the extent of your anti-surveillance measures involves clearing cookies sporadically, rest assured that they won’t have trouble reading your “encrypted” e-mail if they want to.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world…
Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware…
How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”…
[T]he agencies’ goal [in 2010] was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.
The NYT doesn’t explicitly say that the NSA achieved its goal in that boldface bit but the whole thrust of the article is that their decrypting capabilities are, predictably, getting better over time. As with any story in this vein, you come away simultaneously alarmed and awestruck by what they can do and what they’re willing to do in the name of Total Information Awareness. I can’t do justice to it by quoting excerpts, in fact; you should take advantage of the Syria news lull and read it all, noting especially the part about how “back doors” created by the NSA into encryption programs might not remain exclusively the province of the NSA. In fact, I think the real news value of this one isn’t that the NSA is obsessed with cracking codes, which is essentially its job description, but the extent to which Congress has empowered it to intimidate tech companies and their employees into playing ball or else. “[I]n some cases,” the Times notes drily, “the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.” That’s what made Lavabit’s decision to shut down so noteworthy. The next OS you install is quite likely to have NSA-built bugs inserted into it, which the manufacturer has no choice but to include in the package if it wants to stay on the feds’ good side. If Congress wants to revisit this subject, that’s a nice place to start.
One footnote: Both the Times and ProPublica stress that U.S. intel was very, very unhappy to hear that this story would be published, for fear that the bad guys would change their encryption methods to avoid NSA spying. Hard to believe after the past two months of NSA stories, though, that foreign governments and jihadis haven’t already figured out that routine digital communications are extremely vulnerable. Remember, Al Qaeda reportedly has tried to create its own proprietary encryption to keep their communications away from prying American eyes. Foreign states doubtless have more sophisticated measures, and the NSA probably has even more sophisticated ways of getting around them. There are no specifics about any of that in the NYT story, just the usual roll call of Google, Microsoft, Skype, etc, that you already assumed the NSA was fiddling with. The threat of meaningful enemy countermeasures seems low, at least to a layman.