NSA’s Keystone Kops Play Kryptos Kristmas Kwiz at Our Peril
The Cloud is not secure. This not-surprising news is among the revelations from further exploration of the Snowden archives in an article posted at Spiegel.
Among the investigation’s conclusions: the U.S. government and its allies—the so-called Five Eyes alliance, made up of the secret services of Britain, Canada, Australia, New Zealand and the United States—”pursue a clear goal: removing the encryption of others on the Internet wherever possible.”
Very little web and other electronic communication is secure. Those advertising themselves as such, including Skype (“Sustained Skype collection began in Feb 2011,”), websites designated as “https”—the final “s” standing for “secure”, and VPN “Virtual Private Networks”—are not.
The good news is that some forms of encryption remain secure. The bad news is that even encrypted data that remains secure today has no guarantee of remaining so: intelligence agencies capture and store everything indefinitely, so when in the future spies are able to crack today’s encryption they can go back and decrypt stored information.
Describing NSA’s BULLRUN decryption program
“for the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” and “vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” Decryption, it turns out, works retroactively – once a system is broken, the agencies can look back in time in their databases and read stuff they could not read before.
Among the publicly available services that remain difficult-to-impossible for NSA and Five Eyes to crack:
• Heavily encrypted email service providers like Zoho
• The TOR network for surfing the web
• Truecrypt, a program for encrypting files on computers
• A protocol called Off-the-Record (OTR) for encrypting instant messaging
• The instant messaging system CSpace
• A system for Internet telephony (voice over IP) called ZRTP
Open-source technologies such as these are especially effective at thwarting spies: “Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.”
The startling take-away that ought to capture all of our attention is the fact that the NSA actively and purposely sets out to weaken encryption standards by “every means available.”
One method is consciously weakening the cryptographic standards that are used to implement the respective systems. ...NSA agents travel to the meetings of the Internet Engineering Task Force (IETF), an organization that develops such standards, to gather information but presumably also to influence the discussions there.
NSA/CSS [National Security Agency/Central Security Service] makes cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable. ...
Cryptographic systems actively weakened this way or faulty to begin with are then exploited using supercomputers. ...
In other cases, the spies use their infrastructure to steal cryptographic keys from the configuration files found on Internet routers. ...
An important part of the Five Eyes’ efforts to break encryption on the Internet is the gathering of vast amounts of data.
If all else fails, the NSA and its allies resort to brute force: They hack their target’s computers or Internet routers to get to the secret encryption—or they intercept computers on the way to their targets, open them and insert spy gear before they even reach their destination, a process they call interdiction.
The tension between government’s tendency to overstep its bounds and the right of the people to go about our lives and businesses in peace is the excellent reason that we are supposed to be living under a Rule of Law, and the motivation behind the Founders’ writing and ratifying the Constitution only after it had been amended with the Bill of Rights.
There are many and valid reasons for us to be able to communicate and store information securely from the government’s prying eyes, and the fact that our governments are actively undermining that ability should alarm everyone—not only on a rights basis, but, increasingly, on strictly utilitarian grounds.
The fact that large amounts of the cryptographic systems that underpin the entire Internet have been intentionally weakened or broken by the NSA and its allies poses a grave threat to the security of everyone who relies on the Internet—from individuals looking for privacy to institutions and companies relying on cloud computing. Many of these weaknesses can be exploited by anyone who knows about them—not just the NSA.
Beyond data, virtually every facet of out lives is now controlled by electronics: our power systems, our communications, our supply chains, and for many, even the thermostats in our homes. Imagine the consequences of hackers being able to exploit the vulnerabilities our “security” agencies are actively creating.
When you can’t turn your heat on in the dead of winter, then can’t make an emergency call, or start your car because hackers—or the government—have taken control of your systems, it will make the fallout from “The Interview” seem like child’s play.
Speaking of play, what do spies who have been spending all year actively undermining encryption do for fun at Christmastime? They play “Kryptos Kristmas Kwiz,” challenging one another to solve numerical and alphabetical puzzles. Winners receive “Kryptos” mugs.