I owe Richard Stallman one big huge apology. I'm truly grateful for Free Software (free as in freedom. You know, that thing the USA used to stand for) because it seems to be the only alternative right now. Microsoft and Apple can never be trusted again, ever.
Sorry Richard. You were right. Thank you for your unwavering commitment to freedom.
That's why he only runs a machine built in the free as in freedom PRC? Not to get jingoistic, but when do you expect to see an exposé on Chinese hardware and firmware manufacturer's backdoor analysis by the Ministry of State Security (MSS) – 国家安全部 in the People's Daily. Sometime after they have freedom of press I suppose.
Hö? What has Apple done? And why not include Google?
In the case of Microsoft there is still no proof/evidence for a NSA backdoor in Microsoft Windows (and would that not show up in the leaked Win2000 source code?)
And even the Snowden documents do not allege that (please correct me if I am wrong).
What the Guardian claimed was that Microsoft helped to give access to Outlook.com. The NSA is mostly interested in online services. And this is a far bigger issue, because there is no real alternative for that. Because even if you compile your own Linux distribution you still use Google Gmail (Ha!) or visit this hacker news forum, and you have to trust a third party with your data. And even if that trust is merited the NSA can just slurp up the datastream in the Internet provider datacenters.
> In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
> At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
So the NSA has basically destroyed a business sector where the US had leadership. It may not be an immediate impact but this will clearly have an impact on US sellers of security products. Why would anyone trust one of them going forward? They won't. It'll take time. But I expect this sector to crash over the next twelve months, at least internationally at first.
> Why would anyone trust one of them going forward?
The same reason people trust the Dollar as a reserve currency. Yeah, it sucks, but better than any of the alternatives.
Fortunately, there exist open-source/public-domain alternatives for security products. (Doesn't mean that contributors can't be coerced with the equivalent of a Nation Security Letter, though.)
The only reason people trust the dollar is because if you refuse the dollar, the US military shows up and kills you.
How long until we find out that the "humanitarian aide" so heavily pushed WRT Syria, is an IMF debt loan requiring a central bank and fealty to the US dollar is the primary reason for the opportunity war being sought.
Somehow, I think foreign organisations have always known or at least suspected and taken appropriate measures to guard against NSA/GHCB/Echelon/ASIO whatever evesdropping. Even terrorist organisations. Its just the you and me everyday saps that have just found out. And there's not much we can do about it.
I was talking to a potential client 2 days ago, they provide SaaS to a number of clients, and up until now this has always included data storage.
One of the projects we discussed involved, for a specific customer, moving data storage off the current (US based) server and onto their customer's servers in their own country.
Anecdotal, but still I am really small fish on the far edge of the world, I cannot imagine the reaction where the bigger fish are swimming.
The difference between 'suspected that our confidential data may be compromised by a third party if you believe all the conspiracy theories' and 'know absolutely that our confidential data is being compromised by a third party as we speak' turns out to be pretty big, and worth a lot to international companies who value the commercial value of their private data.
The sick thing about this is that they named the two programs Edgehill [0] and Bullrun [1] after early battles fought in civil wars. I can't see how they will be able to maintain that this is still about terrorism or espionage from other countries. It seems to be nothing other than state-sponsored violence against citizens of the world; the bulk infringement of our right to privacy.
And did the whole security industry really not know what was going on? That's hard to believe. In general, I feel like my trust in the ecosystem has just been nuked from orbit.
Clearly a lot needs to be done to fix this. What kind of non-violent protest works? What kind of civil disobedience works? What are the best organic ways of organising people without getting shut-down? Do we have technology that is still secure, even if CAs are broken or even if hardware is backdoored?
It may be coincidence, but both Edgehill and Bull Run are locations in Virginia, where I imagine a lot of the DoD resides. I'm not saying they weren't named after the battles, but it's not like those names are exclusively related to civil wars.
Maybe I wasn't careful in my reading, but the linked articles don't really say anything other than "yeah the NSA is probably doing something really big". Which, is like, to be expected of the NSA.
If Schneier has inside information, it'd be nice to get a simple, straightforward, article describing what exactly is known about the NSA capabilities. Various people speculating doesn't provide a clear picture of anything.
My takeaway from today's articles: they've backdoored the software, they've backdoored the hardware, they have a database of stolen private keys, they've tapped all the cables, they have zero-days for pretty much everything.
Yes, that's the speculation, that they've been doing this, and that's not a new speculation either. At least on the keys, cables, and 0-days (and some folks believe Windows has been backdoored for a very long time). Backdooring, as noted, is a tricky problem for all parties if found. Even with Windows, I'd expect various people inside Microsoft could verify with independent builds. (If they compile the bootloader or crypto.dll and use a disassembly tool and the output is functionally different from what's on the ISO...)
But if there's solid evidence, why don't they publish it? If they really have broken into Google, then publish the details. I'm sure Google would like to know, too. If they've backdoored Windows, Office, VLC, whatever - same thing. Or are we talking more stuff like "we knew Debian couldn't generate keys properly"?
If it's just stating that the NSA possesses heavy offensive capabilities, well, yeah, you'd expect that. Actual evidence of an NSA-backdoored common software or hardware would be a major story. (Not saying it's not possible, just speculating gets us no where.) If Schneier and Greenwald want to be taken seriously, then step up and speak out. Generic "the NSA is powerful" isn't much help.
I don't believe this is the end of the disclosures. The gradual, step-wise release of information about the NSA's surveillance capabilities has been quite effective in two different ways.
First, it has kept the NSA in the headlines for almost three months now (quite a feat when you consider our cultural attention span is usually measured in fractions of days).
Second, it has let officials make denials and give reassurances come back to haunt them and tarnish then credibility when further disclosures are made (consider that Senator Feinstein, chair of the Intelligence Committee supposedly providing Congressional oversight of these surveillance programs, who spent weeks claiming said oversight was quite robust, admitted to not knowing about the internal NSA audit finding thousands of privacy violations).
I'm pretty confident there will be more disclosures. But given the realities of the news cycle and the political process, they are much more effective if they happen gradually.
They talk in the Times article about the government asking them not to publish at all, and them refusing but agreeing to omit some details in response to concerns that officials raised.
I don't know much about The Guardian, but The Times, for better or for worse, has always self censored based on its own perceptions of the trade offs. It considers itself a responsible part of the establishment -- the loyal opposition if you will. You aren't going to see a wikileaks-esque dump from them.
> Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.
As we'd expect other other governments and possibly corporations to have. Find someone with access to whatever, perhaps with foreign relatives, offer them a world of money, problem solved. Or groom and plant someone. Corporate espionage exists, doesn't it?
Nothing actionable in this post. If they said "OpenSSL is backdoored, don't use it!" then great. But, "Some software somewhere has a security hole in it", is pretty unhelpful.
Who else thinks Bruce is going die in a mysterious car accident or elevator crash sometime soon?
I love his attitude towards this, however. He's right, we need massive civil disobedience, we need whistleblowers, and we need everybody who can contribute, to help dismantle this surveillance state apparatus.
I just wish I knew more about cryptography now, so I'd be in a position to do more to help.
I've got a copy of his book. I thought I'd never get around to it, but now I wonder. And I wonder if having purchased from Amazon means I'm now on some list at Fort Meade.
Maybe there should be some canon of crypto fundamentals, and everyone ought to buy a set, as protest / funding for research / "I'm Spartacus"!
Though at this point, I also wonder if he needs to publish a list of some kind of hash of the pages' images, so readers can verify the NSA hasn't been borking it at the printer.
I would really like to know which technologies they are talking about. How about the Microsoft discovery from 2007, that's got to be public knowledge by now, right?
"More than a century ago, A.-L. Sardou's New Dictionary of French Synonyms defined the nuances which must be grasped between fallacious, deceptive, impostrous, seductive, insidious, captious; and which taken together constitute today a kind of palette of colors with which to paint a portrait of the society of the spectacle. It was beyond the scope of his time, and his experience as a specialist, for Sardou to distinguish with equal clarity the related, but very different, perils normally expected to be faced by any group devoted to subversion, following, for example, this progression: misled, provoked, infiltrated, manipulated, usurped, inverted"
Unfortunately the technical details are layered underneath a bunch of fudging to make them layman-readable. Schneier doesn't even describe the attacks, just says that they're not mathematical. One would expect that this means the NSA has access to most if not all accepted SSL authorities and generates keys which they can utilize to sniff a connection at will. This is pretty much obvious, and any intelligence agency that HASN'T "compromised" SSL by gaining access to the master keys is probably very incompetent indeed.
That said, does someone have a brief rundown of the details from a technical perspective, so I don't have to read through several long news articles mostly filled with elementary explanations of basic concepts?
One-time pads are probably what they meant to say instead of simply symmetric crypto. One-time pads are unbreakable, but the issue is transmitting the key to the recipient. Public-key crypo is so widely used because it offers a solution to key distribution. But in terms of theoretical security, public key crypto isn't as secure as a one-time pad.
No he didn't mean that. Scheiner constantly talks about how mentions of OTP are a key red flag for snake oil crypto. Yes the math is impeccable, but the implementation challenges are enormous. As this leak confirms implementation is a much bigger problem than the math.
Because NSA is chartered with assisting the USG and, as a knock-on effect, the US economy, with infosec. It's part of their job. Just like designing secure ciphers is part of their job, along with breaking them.
"Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products. "
Actual quote from the CTO of a company that makes some security-related software (it's a major selling point) for a specific sector. They probably have over a hundred million people using this stuff day-to-day, indirectly, and hundreds of direct, large customers. Security bypass can easily cost hundreds of thousands a month.
I had found a backdoor in their platform, so I asked if they had such basic holes, how they managed to write a large C-based app securely. Like, buffer overflows, for example.
CTO/head of development replied: "Buffer overflows? Probably not an issue, unless the network is really fast." Cringe.
There's nothing at all opposing about those goals. They're both natural by products of expertise in signals intelligence and cryptanalysis, and skill breaking security helps provide more secure systems by subjecting them to more sophisticated attacks.
Just as a clarification, NSA doesn't set those standards. Agencies like NIST set AES and SHA3 through open worldwide competitions. These standards then become parts of larger compliance guidelines like FIPS (Federal Information Protection Standard I think) that govern how the USG should protect its data.
NIST has like 2 cryptographers, doesn't it? The real guidance at NIST comes from NSA. If you think NSA is backdooring Suite B crypto, you can't trust NIST.
Sorry Richard. You were right. Thank you for your unwavering commitment to freedom.