Snowden Disclosures Finally Hit 12 on a Scale of 1 to 10 (motherjones.com)
216 points by nkurz on Sept 7, 2013 | 121 comments



    "For what it's worth, this is about the point where I get 
    off the Snowden train. It's true that some of these 
    disclosures are of clear public interest. In particular, 
    I'm thinking about the details of NSA efforts to 
    infiltrate and corrupt the standards setting groups that 
    produce commercial crypto schemes."
If anything this new information should put more people on the Snowden train. In the 90s, legislation was proposed which would have put backdoors everywhere via the Clipper Chip. Back then, we voted against that bill and all was good. This new information is shocking because we've already told the government that backdooring things was unacceptable behavior, yet they've done so anyways. We should all be outraged by this because it clearly doesn't represent the interest of the people.


Kevin Drum (edited name) was relegated to an old guy who really doesn't get it when I read that paragraph. I understand the need for the NSA to have countermeasures and options - however this is in the public interest as it puts disclosure, privacy and breach laws in a very awkward position. It also asserts that there is no expectation of privacy within US borders on the Internet - that is unacceptable and complete bull shit. Soghoian said it best recently when he stated that it is not OK for the NSA to possess dragnet capabilities on all crypto.

Sorry Kevin, I think you've gotten off the wrong train - you landed in the land of complacency.


> It also asserts that there is no expectation of privacy within US borders on the Internet - that is unacceptable and complete bull shit.

Have you solved the problem of bright-line jurisdictional boundaries on the Internet? That doesn't just interest the NSA, it would surely interest tax agencies around the world.


The Clipper Chip didn't fail because of any vote, and a Congressional vote wasn't really necessary because it was intended to be an "opt-in" technology mainly for telcos and electronics manufacturers. It was never adopted due to backlash and criticism, but it's not as if they were explicitly banned from similar pursuits.

Of course, that isn't to say that this justifies recent actions or is really even relevant to the latest releases, but you made the connection.

http://en.wikipedia.org/wiki/Clipper_chip


Thanks for the correction. I recalled history correctly since I was young at the time and failed to fact check.


I can't find any record of a Congressional vote on the subject, only that its adoption was the subject of a proposed FIPS #185. I don't think your statement above is founded in fact.

I refer you to Michael Froomkin's lengthy but readable analysis from 1996: http://osaka.law.miami.edu/~froomkin/articles/planet_clipper...


It sounds like you're misunderstanding Kevin Drum's statement.

The sentences that you quoted are examples of leaks that Kevin Drum believes were in the public interest. Kevin supports these leaks because they are about what the NSA chooses to do, and are therefore necessary for public debate about US policy.

Kevin clearly distinguishes between leaking NSA behavior (as in your quote) and leaking NSA capabilities (which is in the following paragraph). The ability to decrypt certain types of encryption is the sort of technological advancement that we should expect military and intelligence agencies to make and to keep secret.

Here's the part where Kevin talks about specific Snowden leaks (about NSA capabilities) that he disagrees with:

   "But the rest of it is a lot more dubious. It's
   not clear to me how disclosing NSA's decryption
   breakthroughs benefits the public debate much,
   unlike previous disclosures that have raised
   serious questions about the scope and legality of
   NSA's surveillance of U.S. persons. Conversely,
   it's really easy to see how disclosing them harms
   U.S. efforts to keep up our surveillance on
   genuine bad guys. Unlike previous rounds of
   disclosures, I'm a lot less certain that this one
   should have seen the light of day."


How is knowing a crypto is no longer strong not in public interest? We would most certainly like to know if they have broken RSA somehow.


This latest leak reduces the NSA's effectiveness at whatever they are doing. That is a good thing if, and only if, the NSA does more harm than good.

It tells us nothing about whether the NSA does more harm than good. That is the key point that distinguishes this leak from previous leaks. This leak does more to reduce the NSA's effectiveness than to improve the quality of public debate about NSA policy.

(Previous Snowden leaks make me suspect that the NSA does do more harm than good... but I can disagree with Kevin's conclusion and still respect his position.)


It doesn't matter what the NSA does or has done with its capabilities. The NSA could be whiter than white, but still be unsupportable and reprehensible, simply for building out the capabilities.

The vast majority of human history shows the powerful controlling the weak, usually through "legitimate" rule of convenient laws. Democracy, which inverts this with varying levels of effectiveness (the rich can still mostly buy their laws), is an aberration. But what the NSA has built is a turnkey system for an effective subversion of democracy: a database that can find anyone's dirty secrets, or, if necessary, plant the right kind of evidence.

It doesn't matter what the NSA has done so far. Sooner or later, someone with evil intent will use it. It's too much power, too centralized, too hidden, too tantalizing, for it not to be used.

And what is it all being built for? Stuff that is less risky than you getting in your car. There is zero existential threat to the USA from terrorism. It's not a credible excuse given the danger.


Exactly. It's probably one of the statements that is of most interest to the public because it is unescapable. When people learned about PRISM and cooperation of companies like Facebook and Google, they could choose to take their business elsewhere. With Lavabit, they could make an attempt at moving their data to legal jurisdictions beyond the reach of the United States government and its allies. However, with this new information, we now have learned that the very foundation of security in most of our software and hardware has been or may have already been compromised. This is as close as you can get to absolute dissolution of trust on the Internet and you need trust for markets to work; not only markets of goods and services but markets for the exchange of information and ideas.


Please tell me how we can talk about NSA behavior without disclosing capability used to enable such behavior.


Whether it is acceptable for the NSA to eavesdrop on private messages should not depend on whether those messages are protected by encryption. If I send an unencrypted email to a friend, is the NSA allowed to eavesdrop and get a copy of that email? That is a policy question that can be discussed and answered without any knowledge of the NSA's decryption capabilities.


If I was the NSA, I would flatly decline that we are doing any kind of eavesdropping at all. How would you prove we are eavesdropping? It is not like I am going to admit that information as evidence in a public court of law.

I think at this point we have to treat the NSA as guilty until proven innocent. Nothing they say, either to the public or publicly to our elected representatives in Congress, holds any water. How can we ever trust them again to be truthful?


Mostly true. (They won't deny EVERYTHING because that wouldn't be believable.)

If this argument is made convincingly in Congress, the NSA could lose funding, but that's a hard decision to make. Even if I am opposed to individual wars, that doesn't mean I would support complete disarmament. Foreign intelligence (and counter-intelligence) is an important part of any modern military. There needs to be public oversight without crippling US intelligence efforts. It's not clear how to accomplish that oversight. That is the discussion we really need to be having.

====

Edit: Looks like there is an official effort to increase oversight of the NSA. Quoting from a Sept 4 article on http://icontherecord.tumblr.com/

   "On August 12, 2013 President Obama directed the establishment
   of the Review Group on Intelligence and Communications
   Technologies."
Link to the press release about this review group: http://www.whitehouse.gov/the-press-office/2013/08/12/presid...


It should be noted that Mother Jones is generally regarded as a left-wing magazine - even by Wikipedia's description. [1]

From my understanding left-wing ideology has always placed the interest of the collective, represented by the state, over the interest of the individual. So the article and the author's conclusion seem to me completely in line with this way of thinking.

[1] https://en.wikipedia.org/wiki/Mother_Jones_(magazine)


That's a very simplistic view of a very complicated history of political theories.

Anarchism, a doctrine that explicitly negates the State, is rooted squarely in the leftist camp as classically intended, and gives individuals freedom from being coerced in any collective action whatsoever.

You also have Libertarian Socialism, probably the most romantic of all leftist ideologies, which tries to bring collectivist and individualist theories together.

And then of course, the very source of the meaning of "left": the French Revolution, with its rights trifecta of freedom, fraternity and equality, which was born in complete opposition to the notion of the superiority of the State over individuals.

Saying "left-wing ideology has always placed the interest of the collective, represented by the state, over the interest of the individual" is like saying "right-wing ideology has always placed the interest of the rich, represented by the individual, to screw the poor, over the interest of society to improve as a whole" -- a simplistic mystification.


Don't forget Marxism, with the goal of "the withering away of the state."


Depends on what you mean by "left". The Democrats are called left in the US, but clearly right-wing by much of the world's standards. It's a business party. If you mean leftists like the anarchist-influenced Occupy movement (like David Graeber [1] who popularized "We are the 99%"), well obviously there's many anti-statist leftists. (No one's going to accuse anarchists of being pro-state.)

[1] http://en.wikipedia.org/wiki/David_Graeber


Not always, but as it is practiced today in the United States, most certainly.


That stood out to me too. It's exactly at that point I would hope for the opposite reaction in the general public.


Maybe Kevin Drum can provide the government a live encrypted feed of his family's bathroom and bedroom. I'm sure they will only crack the encryption if they think a bad guy is on the video.


Per the article the gains that were made in breaking existing systems have been made public, so all of that effort goes for naught as people move on to new systems (which requires all new efforts). Basically if you want to consider the "cost" (as in $$) of Snowden's leaks, this shows a bunch of budget $$s that were spent on the assumption that these broken systems would remain in use for a period of time. Since that assumption is removed, the $$s spent on breaking those systems won't be as useful as forecast, hence the cost estimate.

That said, at the big crypt-a-geddon moment, when Leon Panetta said [1] "It does not mean that the Department of Defense will monitor citizens’ personal computers. We're not interested in personal communication or in e-mails or in providing the day to day security of private and commercial networks. That is not our goal. That is not our job. That is not our mission." he was lying. Both by omission and by commission.

And perhaps the most painful aspect of Snowden's act is that by exposing this failure of integrity in the NSA, they will never again be able to take the "high road" of we need this to defend the nation.

[1] http://www.defense.gov/speeches/speech.aspx?speechid=1728


We need to stop posting these non-technical ravings of people who haven't a clue. Kevin Drum can certainly have an opinion about the NSA (and he's mostly wrong, I think), but his musings about what the NSA can do are clearly uninformed.

He seems to believe that all commercial crypto is suspect; and there exists some other nebulous category called "strong crypto." D'oh! If only we had all been so smart enough to use this obviously better "strong crypto" instead of "commercial." It's meaningless. The NSA has its hands in all the crypto cookie jars.

The NY Times slides:

http://www.nytimes.com/interactive/2013/09/05/us/documents-r...

give us some new details that have some usable specifics that can be gleaned.


Exactly. The idea that the NSA can break arbitrary SSL without access to source keys is an EXTRAORDINARY CLAIM that goes against most of what we know about the science of cryptography.

Just some management type in the government saying a single time that the government has made "major breakthroughs" in cracking SSL does not meet the standard of EXTRAORDINARY EVIDENCE.


You beat me to this complaint.


He seems to be saying that it would be better (for the US) if the NSA continued to secretly spy on all the world's communications networks.

That's certainly one point of view, but it's not one I expected to see in Mother Jones, or on HN. Isn't the whole point of this uproar that we do not trust these unelected (by the US, never mind the global population) spooks with unfettered access to all communications?


I don't think he's saying it would be good for anyone for the NSA to continue snooping as they do. I think your first point is wrong, your last point is right, and the two are unrelated.

The issue isn't the fact that the NSA snoops. That's their job and it has value when their power to do so is used judiciously. The problem is that it's not being used judiciously. Rather than singling out as few people as possible to root out the bad guys they're just collecting everything they can. They don't need to do this and doing so opens up the possibility for huge abuses of power. That's the issue.

I think the article is right that the crypto revelations aren't pertinent to this discussion. I would even consider the crypto revelations a red herring. Is it important how the NSA spies on everyone? No, it's only important to know that they do it at all when speaking in the context of how the Snowden leaks are important to creating a national debate and, hopefully, by some miracle, create reforms.

I think it's reasonable that as a US citizen you're okay with the NSA being able to break crypto. You just want to be able to trust that they're using it against the bad guys and not you. Even now that we know they're probably using it against innocent civilians it's more harmful to the NSA's ability to go after the "bad guys" when they legitimately do (and they still do serve that purpose) and isn't really helping the debate over whether their overcollection of data is okay and how to reform that system.


> I think it's reasonable that as a US citizen you're okay with the NSA being able to break crypto. You just want to be able to trust that they're using it against the bad guys and not you.

This is very interesting and got me thinking. I think that yes, in principle I agree, but there are limits.

I draw a distinction between types of "breaking encryption". There's the standard kind that "anyone" can do: social engineering, secret mathematical hacks, 0day exploits, brute force attacks, etc.

Then there's the special stuff that only organizations in the position of the NSA can do: putting backdoors in cryptosystems (and pressuring commercial vendors to do so), influencing development of new cryptosystems to make them weaker, etc.

I'm ok with the first set of methods, but not the latter. When you weaken a cryptosystem, you weaken it for everyone, not just the people you want to be able to spy on. Even if the NSA's activities were completely above-board and their power was used appropriately, weaker crypto that everyone uses means that no one can trust their crypto, whether it's to secure corporate communications, keep discussion of an unpopular idea secret, or just trust that when you access your bank's website, a random attacker can't use an NSA backdoor to steal your banking info.


I can't say this with any authority, but I imagine the NSA would do its damnedest to make sure advantages gained from the second method are only enjoyed by the NSA. E.g., jealously guarding information about backdoors and influencing development in ways that only they can or know how to take advantage of.

The incentives are aligned; crypto that only the NSA can compromise is far more valuable to the NSA than crypto that anybody can crack.


> Is it important how the NSA spies on everyone?

I think that is by far the most important thing.

Imagine a hypothetical world in which it's been revealed that the NSA is spying on the entire internet through the means we generally expected them to, i.e. an army of super-smart crypto people and access to more computing power than God. What would happen following this revelation?

I anticipate that there would be outcry similar to what we've seen, followed by efforts to block their access. Companies like Google, Apple, Microsoft, all the tech heavyweights, would lead the charge. I think there'd be a lot of newfound interest in moving from crypto that's "good enough" to crypto that's deeply over-engineered. 1024-bit AES variant, anyone?

Instead, the NSA has gained their access largely through influence. This is smart, considering their mission. Why crack good crypto when you can just bypass it, or at least ensure that the crypto is not so good? It's certainly way easier. As far as we know, there's still no realistic way for them to crack a solid implementation of things like AES, so it's really the only way.

Are Google, Apple, Microsoft, et al leading the charge for better crypto in our world? No, because they're hopelessly compromised. Nobody trusts them, because the NSA has subverted all of them.

I anticipate that any new crypto, whether algorithm, system, or implementation, involving the United States in any way will be completely shunned. The US's tech giants will be shut out of a lot of activities. A huge chunk of the US's tech dominance will shift elsewhere. This will hurt the US economy and the US's security.

In short, the question comes down to, how do you avoid NSA spying? And that depends on how the NSA spies. If they spied due to math and computers, then you avoid NSA spying with better math and better computers. If they spied by broadly subverting a huge number of companies and organizations, as appears to be the case, then you avoid NSA spying by avoiding the American tech industry. This is tremendously damaging.


We don't need just better crypto, but some way of doing encrypted computation in the cloud and anonymous routing. We need technological protection against the cloud vendors just as much as we need to protect the backbone from being spied on.


[deleted]


It's foolish, but it will still be done.

Certainly, they need to be reined in. Cracking crypto is their job. Sabotaging standards processes and forcing people to turn over data and gagging them with National Security Letters is very much not their job, and must be stopped.


Apologies; I deleted my comment because I realized it was not directly addressing your argument.

I will add that while I agree it will certainly be done- I was saying that Mother Jones is arguing the "how" shouldn't have been disclosed because all that we need to know is the "what"- because political avenues are the most suitable avenues for recourse, and do not need the "how".


No problem. Nothing wrong with tangents as long as they're understood as such.

Anyway, I still think the "how" is important. If the NSA was spying on everybody with sheer technical prowess, the political remedy would basically be, "Hey, you guys need to tone it down. Limit the spying to actual enemies." The techniques would be OK, they just need to be applied more carefully.

The way things are now, the techniques are unacceptable. The political remedy here needs to be, "Hey, you guys need to stop sabotaging crypto standards, forcing tech companies to hand over data, and threatening them with prison if they talk. Stick with the technical prowess stuff you're supposed to be doing."


>"Hey, you guys need to stop sabotaging crypto standards, forcing tech companies to hand over data, and threatening them with prison if they talk. Stick with the technical prowess stuff you're supposed to be doing."

This is really a key point that can't be emphasized enough. Anyone who was paying attention in the 1990s knew that the NSA has a significant technological advantage over the U.S. private sector and the rest of the world, but even pretty serious civil libertarians were not concerned, because there was no possibility of dragnet spying on today's scale, and because most of us assumed -- rightly or wrongly -- that the NSA was for the most part keeping out of domestic affairs and politics (funding issues aside).

Now, it's abundantly clear that the NSA not only has inserted itself deeply into our political process, routinely cooperates with domestic law enforcement, bullies, coerces, and co-opts U.S. industry, and very likely spies on politicians and activist groups. For anyone who has studied modern history, this sets off major alarm bells.

I keep hearing "what's changed" from NSA stalwart defendants. My answer: everything.


> I think it's reasonable that as a US citizen you're okay with the NSA being able to break crypto

I think you have forgotten the phrase "absolute power corrupts absolutely." Humans with unchecked access to information (=power) will NEVER be completely trustworthy. Never. It is by definition. That's why we have checks and balances. That's why we had democracy. No one should be absolutely above democracy. But that's what today's NSA is.

You realize these guys (in the NSA) have been using intelligence resources to spy on their girlfriends and neighbors? How much more human and fallible does it get than that?


True. Even if NSA publicly shuts down mass surveillance, I wouldn't still be okay with knowing that someone can still invade my privacy without me getting even a hint. If they still get to keep their crypto powers, how can we be sure that they won't just keep doing it in secret? Just how can people trust these guys when they have already lied to the face of the whole world? I feel so helpless and hopeless.


The same can be said for every method of communication in history. Security agencies have the technical capabilities to record your telephone conversations, read your mail, and listen to your private conversations. Yet we manage.

There are so many frightening powers out there, trying to prevent them from existing is a complete waste of effort. You simply cannot make it technologically impossible to shoot you with a bullet, or snoop in your house, or track your car. This is why gov't is regulated, and answers to the people. You simply cannot prevent everyone from having the technical capabilities to take advantage of you.

So, IMO, forget about whether they can or they cannot. Even if you manage to prevent them from breaking strong crypto, if it can be done someone will do it. Focus on controlling what they do with it.


The thing that is fundamentally different about modern surveillance is how automated it can be. Governments have always been able to listen in on phone calls and physical mail, but the limitations of needing a person to actually do these things kept a check on the scope.

When every phone call can go through a voice recognition system and a set of filters to detect anyone talking about Topic X, that's a very different world. The NSA can't hire half the country to spy on the other half, but they can hire a few thousand people to build a computer system to spy on everyone.


Of course. My point is that cat's out of the bag. You can't prevent them from being able to, so worry about whether they are allowed to.


> You realize these guys (in the NSA) have been using intelligence resources to spy on their girlfriends and neighbors? How much more human and fallible does it get than that?

And they get caught and fired for it. Such stories even made the WaPo pages pre-Snowden.

Are you saying that any government agency which ever has any civil servant misuse their position should be shut down?


> Humans with unchecked access to information (=power) will NEVER be completely trustworthy.

Hey, look. The Internet. Whoops.


The problem with having the NSA break encryption in this manner is that it's not like they've discovered a 0day and are hacking into our enemies; instead, they've corrupted the encryption, exposing what were formerly considered secure comm methods. I'm pretty sure that these corrupted comm methods aren't only available to the NSA. This gives enemies of the US an idea of how to circumvent our encryption, thus exposing everyone who uses these comm methods to attack, whether they're US allies or enemies.


> I think it's reasonable that as a US citizen you're okay with the NSA being able to break crypto.

Because the world is divided into US citizens or the bad guys? C'mon, there is a non-US world out there, who are not bad guys, but who've just lost every respect for the US tech sector.


Your comment seems reasonable, but you don't speak to the elephant in the room: who the NSA spies on. It's not supposed to be "everyone."


I thought I had addressed that. But you said it perfectly. I guess the short version of what I'm saying is that there shouldn't be a problem with a spy agency spying. The problem is that they've violated their own citizens' rights and the human rights of all citizens around the world if they really do spy on 'everyone'.

I have to admit though, I'm okay (as a citizen of any country) with my government's spy agency violating the privacy rights of citizens and foreigners when it's done in a targeted way. There's a big difference between spying on a person and their network of connections because you've got some evidence to suggest something bad is coming from them and just collecting everything you can and looking for reasons to go after people after the fact. The former is how it should work, the latter is how it's being described now.


Is it now "everyone" though? That's getting back to the old question about technical capability vs. actual use.


Seems the onus is on those arguing that the surveillance is limited:

http://www.washingtonpost.com/world/national-security/obama-...


Well,

You could say that technically he wants the NSA to secretly have the ability to secretly snoop on anyone but somehow not use it widely despite the complete lack of oversight, the fact that they have done each time they were given the option, etc.


Very nicely put!


> Isn't the whole point of this uproar that we do not trust these unelected (by the US, never mind the global population) spooks with unfettered access to all communications?

Yes, however some people think "the government" can do no wrong because it "works for the people." The government they support also happens to be fighting a "War on Terror" where terror can include personal opinions that are critical of the American government and her corporate pillars[1][2][3][4].

Many still see distrust of government as indicative of mental illness, where such distrust is born from paranoia and anarchist/libertarian propaganda.

[1] http://en.wikipedia.org/wiki/Big_oil

[2] http://en.wikipedia.org/wiki/Pharmaceutical_lobby

[3] http://en.wikipedia.org/wiki/Media_conglomerate

[4] http://en.wikipedia.org/wiki/Iron_triangle_(US_politics)


“Every word that is spoken and sung here represents at least this one thing: that this humiliating age has not succeeded in winning our respect.” -Hugo Ball


I think we (on HN) underestimate just how OK a large part of the US is about all of this stuff. "The terrorists" in many ways have already won: people are scared. My take on it is that a large part of the US populace (and also in other parts of the first world) believe that giving up what we on HN consider essential liberty is a fine trade-off for some extra security (real or imagined).

Yes, the Snowden disclosures have tipped many people (who were on the fence) toward an active dislike of what US intelligence agencies are doing, but I think there is still a very large percentage of people -- perhaps even still a majority -- who truly think all this makes them safer, and that the cost is worth it. I won't pretend to understand that point of view, but... there it is.


I never got the unelected point.

Do you think these initiatives are strictly done at the NSA level? At one point an elected official (being the top of the chain in the executive and the legislative) agreed to this stuff happening.

In what universe do we build a government where everyone is an "elected official"?


It's very valuable to see this reaction to the latest Snowden disclosures: I expect it will be common, and the tech community needs to be prepared to make it clear why this really does reflect another betrayal of trust.

Personally, I can't blame the NSA for trying to intercept and read lots of "suspicious" internet traffic: that's their job. Governments do this, and whether it's good or bad, it's expected. (I'm not happy about the degree to which the NSA seems to be stretching the rules against them acting domestically, nor am I happy about massive all-encompassing interceptions rather than targeted ones, but those are separate issues.)

So there really is a legitimate argument that these latest Snowden disclosures damage national security. The thing is, they also indicate that the NSA has been doing its expected work by actively weakening the protections that we (and large parts of the global economy) depend on. Their actions and strategies have also undermined global confidence in American technology companies. And those are factors that I think the average watcher (like the author of this article) may not recognize unless folks like us point it out.


We definitely all need to step up and help explain this shit to other people. It's a challenge to understand for a layman.


Not really a challenge. This is how I explained it to my non-technical father years ago:

"Nothing you do online is anonymous. There is a record of everything you do."

He understood it right away and (I think) has always treated everything online as public. No need to go into any technical details.


That's not really the same issue as in these latest revelations, though. The latest bit really is fundamentally technical, and folks like the article author may only focus on the easier-to-understand national security interest and overlook the downsides of the NSA weakening public crypto.


You know, there's one very valuable piece of info that I don't think has been revealed anywhere yet, or I missed it:

Recall, for example, Glenn Greenwald's admission that he "almost lost one of the biggest leaks in national-security history" because Snowden initially insisted on communicating with strong crypto and Greenwald didn't want to be bothered to install it.

What exactly did Snowden insist Greenwald do, precisely? Whatever Snowden insisted on, it's guaranteed to be an NSA-proof method of communication. So it seems like it's an essential first step to figure out the details and train people to use it habitually.


PGP email. And Snowden has already specifically stated that a PGP/GPG encrypted document is safe from the NSA (assuming no one leaves around a plaintext or private key, anyway).


"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." - http://www.theguardian.com/world/2013/jun/17/edward-snowden-...

Bruce Schneier has said something similar, having seen some of the Guardian documents. https://www.schneier.com/blog/archives/2013/09/the_nsas_cryp...


I appreciate your comment, thank you. May I ask for a source where you got your info? It's probably accurate, but it's good practice to insist that hearsay not be trusted on faith.

EDIT: Ah, it appears to be confirmed at http://www.huffingtonpost.com/2013/06/10/edward-snowden-glen... ... Thanks!


http://www.huffingtonpost.com/2013/06/10/edward-snowden-glen...

Second paragraph into the article describes Snowden's requirement to use PGP while contacting Greenwald at the least (although it's a tertiary source and very sparse in technical details).


Would anyone speculate on the technical details of what Snowden probably recommended Greenwald do, step by step? What steps would you recommend to Greenwald if you had been in Snowden's position?

It's not enough to merely tell people "install PGP." Snowden presumably went into meticulous detail about precisely how to be completely secure. Even something small like "here is the exact exe installer to download" is probably significant, because that would mean that specific installer is clean and free of NSA tampering.


Bear in mind that as soon as Snowden started communicating with Greenwald, he knew that he was going to flee the US within a short time period, after which there would be little damage in the NSA decrypting the historical communication logs. As such, knowing which mechanism he would choose for encryption that was required to be secure for only a few months might not be that useful.


A document properly encrypted with AES or similar modern methods would be considered "strong crypto" (using the article/'90s political terminology) and would be infeasible with current computing power to crack (assuming AES does not have a major vulnerability/backdoor, which has yet to be discovered by the top security researchers who depend on it).

As tptacek and others frequently say: "Crypto is hard to do right".

There is sufficient encryption technology to evade the NSA (at this point in time) but the social-engineering aspects and difficulty confirming a bug-free, secure implementation present the most issues.


Indeed, which is precisely why it's so valuable for us to figure out exactly what Snowden insisted on: it addresses every single one of the problems you mention, which is no small feat.


Going by [1] it seems like PGP. "Snowden only wanted to communicate securely using PGP encryption, for which Greenwald didn’t have the proper software installed at the time."

[1] http://www.huffingtonpost.com/2013/06/10/edward-snowden-glen...


In an interview with The Huffington Post, Greenwald acknowledged that he's no expert in using such technology and said that Snowden even provided a step-by-step email and video to help secure their communication.

I wish Greenwald would publish that step-by-step email. It's probably one of the most valuable HOWTOs ever written, because only Snowden (and his colleagues) know for a fact what steps are NSA-proof.


It could be minimum key size and such, or potentially a specific older version of GPG if NSA ever managed to get something into the codebase, but I suspect it's simple.

Glenn Greenwald is really not very technical at all, so I imagine it was really about getting GPG installed and an appropriate plug-in for his mail client. I actually bet most of the e-mail was spent explaining why he needed to do this, because even now people are still reluctant to use GPG. There's been no explosion in its use. People are still lazy.


Schneier has pretty much outlined how to communicate with reasonable assurance of security while he is working on the Snowden documents: Use an air-gapped machine for your work, and a separate Internet-connected machine to send and receive documents encrypted offline.

But this is just the logical conclusion if you believe: a) Crypto math works b) The NSA has zero-day exploits for every system.


I'm not going to come out on either side on this yet, still thinking about it.

But to anticipate those who will say, "do you think the bad guys are really dumb enough to use basic encryption techniques?" -

The 1993 (failed) World Trade Center bombers were caught because they went back to the rental truck company to try to collect the deposit on the "stolen" truck.

So yes, some of them certainly are.


They have children, though, and some of those children are probably smart, and might train their old men to use Tarsnap via Tor in order to transmit encrypted messages/photos/other data anonymously and securely.

I'd imagine the NSA is concerned about future intelligent adversaries who have finesse, which is why they stay as far as possible ahead of the curve.

(I'm trying to come up with an alternative to our standard explanation of "the NSA does this because it's a soulless governmental machine that wants access to the world's information for corrupt purposes.")


LOL - actually, OT but a lot of recent articles are showing that "young people know all about computers" is a complete falsehood.


The point was more along the lines of "intelligent people are generated by being born, so it's a matter of time before we face an intelligent adversary" rather than "young people are intelligent."


> I'd imagine the NSA is concerned about future intelligent adversaries who have finesse

I'd imagine the NSA already has such adversaries. Note how difficult it appears to be to track down members of Al-Qaeda, and how relatively well-informed bin Laden's hiding scheme was. There are doubtless also other less-publicized malicious operations of the same breed.


The author has posted an update which kinda-sorta retracts this article: http://www.motherjones.com/kevin-drum/2013/09/hed


> It's not clear to me how disclosing NSA's decryption breakthroughs benefits the public debate much, unlike previous disclosures

Well, that's the problem with trying to keep everything secret. If the majority of these "disclosures" were in the public interest - they should have been public knowledge. That would have made it far less likely for someone like Snowden to feel the need to "blow the whistle".

There is such a thing as a "presumption of trust", which the NSA has squandered. They likely had it before these leaks began, but now they have lost it, no-one listens even when they might have a good point.


The distinction which is the basis of this article between "commercial" and "strong" encryption seems confused. Kevin Drum in this post makes it sound as if commercial encryption is algorithmically weaker, which as a rule it is not, rather than just easier for the NSA to plant backdoors in by strongarming vendors.

The distinction matters here since we're meant to believe that most "bad guys.. figured that ordinary commercial crypto provided sufficient protection." But this translates to, they trusted Google, Microsoft et al. That seems less likely to me.

Disclaimer: I am not a cryptographer or security researcher. (On the other hand, given that I've done various kinds of antiwar political organizing and associated with members of Muslim Student Associations whose infiltration by NYPD later became a matter of public record, maybe I can speak as a government-classified "bad guy!" I should really do an FOIA request one of these days...)


All the latest revelations show is that corporate and consumer encryption is just corporate and consumer encryption. It's never going to faze a state sponsored intelligence organ. What they can't decrypt, they buy, what they cannot buy they subvert or cripple or backdoor.

In fairness, it would be grossly unprofessional if they did not. The three letter agencies take pride in their craft and part of their job is staying in front of any widespread encryption technology.


"It's not clear to me how disclosing NSA's decryption breakthroughs benefits the public debate much,"

Backdoors, bought or coerced. If I obtain crypto capability, I expect it to be at least as good as advertised.

Or, in other words, they went to the public in the 90s and asked for Clipper. They were denied. So they went against the public and implemented what they were told, by their supposed masters, that they couldn't have.

If your dog is eating your children, is he your dog?


What does a 12 on a scale of 1 to 10 even mean? What criteria are they judging damages on?

So far, I do not think the NSA has lost any of the capabilities it previously had. I have not heard of any NSA backdoors being removed from existing software.


They're losing a lot of political capital, which should limit their ability to further expand their reach in the immediate future.

They're also an item of debate now, which could potentially result in loss of capability further on. At the next round of elections, Democratic candidates will likely have to defend an unpopular intervention in Syria, they'd rather not add to that pile a defence of some invented Federal right to unwarranted spying on everyone's communications; and it's a potentially easy target for small-government Republicans.


Republicans have, so far, not been willing to use the "big government" label to attack anything to do with military, police, or espionage - their "law and order" platform trumps their "small government" one.

In the bizarre logic of American politics, Republicans and Democrats are both pro-NSA, while the Greens and Libertarians are anti-NSA.


That's why I said "potential". Depending on how the wind blows, the small-gov platform could give them an easy angle, and if it doesn't, they're still the party of law and order, so it's a win-win. Dems have a harder job, for them it's a wedge issue.


The US Government and the NSA have made it painfully clear that there are two options for the US to participate in the global internet: capability to decrypt everything or an American version of China's Great Firewall.

The capability to decrypt everything is largely outside of their control, however they can exert pressure on ISPs, SSL certificate authorities, commercial software vendors, social networking services, and a variety of other organizations.

The rationale being that the US Government pressures those organizations to intentionally implement weaker security measures to facilitate the ongoing capabilities of the government's suspicionless surveillance systems.

Since this system of clandestine supportive relationships is potentially unreliable (since it is directly outside of their control and it relies on reciprocal partnerships) then it stands to reason that the simple revelation of these relationships could jeopardize the US Government's surveillance capabilities.


I think it means that while those weaknesses capabilities have not gone away, the data exposed to such, might evaporate (be moved away) from such exposure. Example, the claim that FSB is moving to typewriters.[1] Or criminals moving to other methods of communication, if they perceive the internet as inherently insecure.

[1] http://www.globalpost.com/dispatch/news/afp/130711/kremlin-t...


Read the article:

> Nonetheless, this is truly information that plenty of bad guys probably didn't know, and probably didn't have much of an inkling about. It's likely that many or most of them figured that ordinary commercial crypto provided sufficient protection ...

> Now every bad guy in the world knows for a fact that commercial crypto won't help them, and the ones with even modest smarts will switch to strong crypto techniques that remain unbreakable.

If you accept that most bad guys were using commercial crypto and not strong crypto, NSA may have been tapping communications but now won't be able to.


I wouldn't be surprised if it turned out that this switch will actually weaken opponents. Criminal masterminds are often not uber-hackers who can reliably roll their own encryption scheme, so to speak.


[deleted]


Consumer encryption products employ "strong encryption". There's no difference between the two - this isn't the 90s.

If you're worried some specific product isn't enough, you have to say which one it is.


Sure there is. "Consumer" encryption products are almost all commercial, and therefore necessarily closed. And considering the NSA has demonstrated they're willing to coerce or subvert companies, that makes it awfully hard to trust commercial security products.


I think the former employee just wanted to stress how this is way worse for the NSA than their worst case scenario. It's just to draw attention, nothing else really...


>>What does a 12 on a scale of 1 to 10 even mean?

Integer overflow!


It very obviously means that this goes beyond even the kind of wattage that Spinal Tap's amps are capable of.

This one doesn't just go to eleven. Twelve is greater than eleven.


A writer's job (among other things) is to get and keep your attention. This article did that very well using hyperbole (i.e. 12 on the scale of 10).

I think the rest of the article is hyperbole too, but not much more than that.


The way I've understood the recent leak was that we know the NSA has been concentrating on breaking SSL, 4G and others but that the actual techniques haven't been revealed. Besides, I feel that it is very important to know that bank, internet, and wireless security have been compromised by at least one actor.


Article 12. (The Universal Declaration of Human Rights)

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."


Now this is quite a national-biased view (again). On the other hand standards, protocols, and the trust in networks are an international affair as well. So what is probably a future damage viewed from a national side is a damage already caused from an international point of view.


What are the implications of this on bitcoin? Seeking a technical understanding of farming bitcoins.


We need facts, the list of compromised ciphers, the bugs they are exploiting etc. I guess those NSA guys can't travel abroad, since spying is a felony in most countries.


> We need facts, the list of compromised ciphers, the bugs they are exploiting etc

More than that, we need the names of those involved.


One theoretical question: suppose that the NSA did manage to crack encryption using very advanced technology such as quantum computers. Would that seem outrageous as well?

I don't think people would have reacted the same. On this subject I believe what pisses people off is the means rather than the result. Somehow people hoped for a smarter NSA, not for a meaner one.

But that's a bit naïve, isn't it? After all they're here to save lives in the end.


It's a shame we'll likely never see the "Annexe (available to BULLRUN indoctrinated staff)" that contains a breakdown of their capabilities.


Give it fifty years. They seem to have been pretty good about releasing documents from the Cold War.


What is this strong crypto vs weak crypto he's talking about? Apparently strong crypto is more of a PITA I gathered that much. But weak crypto is no crypto. If you are going to go through the trouble of using any at all how much more annoying is it to use NSA proof methods? Has any well established crypto methodology been declared broken because of Snowden leaks?


Another shoot-the-messenger article. Somehow they try to convince us that every single person ten miles around the NSA is basically an archangel, incorruptible and honest, who works just for justice and fairness, and is given by God the right to be above everyone else's rights. And everyone on the other side must be punished, stripped of privacy and intellectual property and kept unsafe while there are "bad" people around.

This really means that thousands (hundreds of thousands?) of people whose ultimate goal is to get money, and who have little to no auditing of what they do, some NSA employees, some from private companies, can access your trade secrets, your bank account, or whatever can be used to blackmail you, and make any kind of profit from it, no matter where you are from, or who you are. And that won't even be noticed by the authorities (if they even care, they have the "state secret" wildcard) unless they go public with it (they noticed what Snowden did because he went public, on purpose). And that also means that the information (which they are "careful" to keep safe) on which vulnerabilities they introduced on purpose in every kind of "secure" software, if it ever leaks, gets reverse engineered or is found out by luck, will be exploited by the bad guys too.

Hanlon's razor is not an excuse for this kind of article anymore.


"and the protection used on fourth-generation, or 4G, smartphones."

This quote was particularly eye opening to me.

In the early 2000s I remember speaking to a Verizon engineer who said their encryption on CDMA was bulletproof. He went on to explain over the course of an hour how impossible it was to crack their encryption or even eavesdrop on their network.

See page 34 here: http://www.scribd.com/doc/22599374/Security-Encryption-in-GS...

"The security protocols with CDMA-IS-41 networks are among the best in the industry. By design, CDMA technology makes eavesdropping very difficult, whether intentional or accidental. Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence called “Long Code” to scramble voice and data. On the forward link (network to mobile), data is scrambled at a rate of 19.2 Kilo symbols per second (Ksps) and on the reverse link, data is scrambled at a rate of 1.2288 Mega chips per second (Mcps). CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the Electronic Serial Number (ESN) of the mobile"


Holy shit, that's a whole lot of nothing.


You know, it's really only an accident of history that human communication historically primarily took place through air vibrations (which are difficult to acquire, store, and query). Digital communication is a new medium with different principles of interpretation. It is stupidly cheap to algorithmically monitor and query digital comms on a mass scale. Why wouldn't it be done? If you think the NSA is the only institution in the world doing this you're an idiot. The only thing Snowden accomplished was demonstrating how large an undisciplined joke US intel is that a high school graduate with a narcissism complex could accomplish these leaks.

Here's an idea: if you don't want your neckbeard anime discussions pinged by the world's intel/ad agencies, don't digitize and broadcast them over the internet.


I have a question from the article that I hope someone here can answer... What's the difference between simple encryption and the "strong" encryption Snowden was insisting on? Truecrypt volumes?


I wonder what criteria Snowden used in his disclosures in terms of what to release and what not to release.


Hopefully none. The information should be free to the public that paid for it. You can sit here and quiver over national security or how some "know better than others" and how they can be trusted with information that the public can't. But at the end of the day that is all verbal excrement, tax dollar paid information is property of the tax payers and anyone that argues against that is living with their head in the sand.


Anyone who ends a tenuous argument with "anyone who argues against this is (insert any insult here)" is being ridiculous.


I thought that was what the Guardian's lawyers job was.


Snowden himself was quite clear in his initial interview that he was being selective with what he took (if not what he actually released to the journalists), in order to set himself apart from Manning's behavior.


Does anyone have a list of what is considered unsafe now?


> “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,”

That's a statement designed to mislead.

"the adversary" certainly assumes that the NSA does what it does and acts accordingly.

Now, if "the adversary" is the general public, then the statement actually makes sense.

EDIT: The consumer is indeed part of "the adversary":

Extract of one of Snowden's documents: "These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." Taken from http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryp...


False. A scale of 1 to 10 only goes to 10. :).


This is so horribly misinformed or just naive. The "bad guys" should assume the sites can read their data or the NSA has the private keys or whatever ... I mean really? This is the straw that breaks the camel's back ... That "bad guys" didn't know "the man" was actually serious about reading their data?


What's the latest news on Snowden? Is he still holed up in Russia? Have they started prodding him for information in return for protection yet?



