NSA & GCHQ Covertly Took Over Security Standards, Recruited Telco Employees To Insert Backdoors
from the not-so-secure dept
And the latest report on the Ed Snowden leak documents has come out and it's yet another big one: the NSA and GCHQ have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading, but a few key points are worth highlighting.First, the NSA spends $250 million per year to "covertly" influence tech product designs. The report suggest two ways this is happening. First by infiltrating standards-bodies:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.That's disturbing enough, but it gets worse. While the Guardian report suggests that unnamed tech companies are "collaborating" in inserting these kinds of backdoors, that's not entirely clear, because later in the document, they suggest that the NSA is recruiting covert operatives within telco firms to insert vulnerabilities:
"Eventually, NSA became the sole editor," the document states.
To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.Did you get that? Rather than recruiting spies from, say, governments, the NSA and GCHQ are recruiting employees at telcos to help them suck up and access all your data.
This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."
"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn."
All of this activity has apparently led to some major breakthroughs, allowing them to access plenty of data they didn't have access to previously. Just last week we'd written about major successes by the NSA having to do with encryption, and this report reveals more details:
"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."Once again, we're seeing rather extreme behavior on the part of the NSA and GCHQ as they try to basically be able to dig into every possible communication.
An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!" The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, gchq, nsa, nsa surveillance, standards, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
so
[ link to this | view in chronology ]
Re: so
And your "one day" can be a long time. Firebird (SQL server, not mail client) was what, a year and a half with a hardcoded password, non-obfuscated?
[ link to this | view in chronology ]
Re: Re: so
"7 years, at least"—Firebird was based on Interbase which also had the backdoor; nobody noticed until it was open-sourced, and then it still took a while.
[ link to this | view in chronology ]
Re: so
[ link to this | view in chronology ]
Re: Re: so
[ link to this | view in chronology ]
Re: Re: Re: so
[ link to this | view in chronology ]
I'm sure none of them are abusing this.
[ link to this | view in chronology ]
Re:
Who else is? The Russian FSB? The Chinese intelligence service? Organized crime?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
This may not be the popular opinion here...
Personally and in theory (because the practice have proven the theory moot), I don't have a problem with the NSA having the capability of digging into any communications. My issue with the NSA has been how they have been exercising that capability-- with no oversight, no accountability, not even auditing. Storing vasts amounts of data, and using even the most tenuous excuse to collect & store more data even when a plain reading of the lie makes it clear that the NSA is spying on those they're prohibited from spying upon.
There are good reasons for the NSA to have this capability, and if properly used could be properly employed to find the bad guys. Instead, we see the NSA abusing this power (which may, I concede, be an inevitable outcome of the program) to simply enlarge the haystack. As a consequence, the NSA ability to dig into any & all communications will be hurt, even as the haystack grows in other ways. Meanwhile, all the needles will have moved elsewhere.
If the NSA wasn't so broadly overreaching elsewhere, I'm not sure that leaking this information *alone* would serve any purpose other than to harm the NSA's ability to perform its mission. However, we know how far beyond its mission the NSA has crept, and this simply provides more evidence that the NSA can crack just about any data on the internet.
The program is brilliant in a way, and if they were just using it to narrowly target foreign or terrorist agents acting against the US, as a citizen I would support the program. In light of the whole mess, it's just more evidence that the NSA wants to vacuum up everything. Laws be damned.
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
That is the problem with having this kind of power. It's human nature to abuse it. I am absolutely sure that the NSA never intended to use this ability for anything other than trying to find "the bad guy", but it is amazing how quickly "the bad guy" turns into "the guy that disagrees with us".
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
Think what could happen if Michael Bloomberg and Ray Kelly had direct access to NSA, it would not be pretty.
[ link to this | view in chronology ]
Re: Re: This may not be the popular opinion here...
It is unclear if the NSA, as an organization, is capable of sticking to their assigned mission.
[ link to this | view in chronology ]
Re: Re: Re: This may not be the popular opinion here...
Actually, this part is very clear. Years of history with them (as with the FBI and CIA) has demonstrated that they are not so capable, and will never be.
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
NO NO NO.
If the NSA has this capability then we have to assume that the bad guys have the capability too. The only safe option is for no-one to have this capability.
[ link to this | view in chronology ]
Re: Re: This may not be the popular opinion here...
[ link to this | view in chronology ]
Re: Re: This may not be the popular opinion here...
You have to assume that both the bad guys and good guys have this capability. Wait. Nevermind about the good guys part. They become bad guys by simply having that capability and because of human nature.
Instead, we should be using strong encryption for everyday communications, and digital signatures for authentication. Encryption keys need to be in the endpoint devices with encrypted bits passing through all intermediaries.
The trust model of SSL with central certificate authorities is broken and needs to be fixed.
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
Definition of "bad guys" subject to editing and may include minor criminals, whistleblowers, journalists and politically active individuals.
"The program is brilliant in a way, and if they were just using it to narrowly target foreign or terrorist agents acting against the US, as a citizen I would support the program."
The NSA/GCHQ is the foreign agent acting against other countries.
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
Not without specific court warrants.
[ link to this | view in chronology ]
Re: This may not be the popular opinion here...
ANY and ALL secret institutions WILL become corrupted...
repeat:
ANY and ALL secret institutions WILL become corrupted...
you don't need to go any further than that...
art guerrilla
aka ann archy
eof
[ link to this | view in chronology ]
Oh, I'd assume TOP execs were the first bribed.
And I'd bet the "unnamed" are all well known here.
[ link to this | view in chronology ]
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1 115
[ link to this | view in chronology ]
I did say "earth-shaking" revelation in an earlier thread
That said, this news is just... Wow. I'm kinda at a loss for words here.
Though program names like Bullrun and Edgehill are much easier to remember and correctly identify than something as bland as PRISM.
So...... how much outrage in America will this generate?
The Zen Master says, "We'll see (but I hope there's a lot of it)."
[ link to this | view in chronology ]
Re: I did say "earth-shaking" revelation in an earlier thread
I really wish people speaking out against the NSA would make the point that this means that the NSA can monitor you accessing your bank account, as well as monitoring all of your online purchases. That might make it more real for people than the more generalized "the NSA has broken a bunch of common encryption methods."
[ link to this | view in chronology ]
Re: Re: I did say "earth-shaking" revelation in an earlier thread
[ link to this | view in chronology ]
Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread
[ link to this | view in chronology ]
Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread
The rest was me pointing out that getting information from the credit card company would still likely be inferior to watching the transaction in the first place.
[ link to this | view in chronology ]
Re: Re: Re: Re: I did say "earth-shaking" revelation in an earlier thread
[ link to this | view in chronology ]
Every thing you have been told about what the NSA can not do, about how there are all sorts of safeguards and oversight, and how the NSA works it's data has all, every bit, been a pack of lies. They have violated the intent and the letter of law as well as the Constitution and the Bill of Rights and then claimed every thing was ok. That every thing was safeguarded. Well that might be the view of the NSA prior to the Snowden leaks. It sure isn't my view nor that of others I am hearing from.
The dirty underwear has been partly exposed. There's plenty we don't know of still. None of those things being revealed are on track to be anything resembling what the US is supposed to be about. Human rights have been thrown out the window in favor of examining anyone's life under a microscope. It just keeps getting dirtier as more is exposed. It is far beyond the scope or the mandate of an agency charged with foreign spying. There is no way the entire population of the US are terrorist. There is no way that everyone's phone call is relevant to an investigation. Attempting to dance around the meanings of words by giving them new definitions does not change the actions. Those actions are exactly what they look to be.
Again we just have more ammo that this agency and this government have been infected with a near rapid paranoia of every one and everything. It is time for this to come to a halt.
No one ever guaranteed your personal safety. All that was ever given you was the right to freedom, liberty, and the pursuit of happiness. (along with the right to freedom of personal searches of your papers and correspondence without due process). Due process has turned out to be inconvenient. Legality has turned out to be burdensome. We have reached the point that criminal charges and indictments are in order.
[ link to this | view in chronology ]
Skype
[ link to this | view in chronology ]
Re: Skype
[ link to this | view in chronology ]
Re: Re: Skype
What should we use instead?
[ link to this | view in chronology ]
Re: Re: Re: Skype
[ link to this | view in chronology ]
Re: Re: Re: Skype
[ link to this | view in chronology ]
Re: Re: Re: Re: Skype
Possibly, though I'm more aware of alternatives to most Google services. Perhaps you read too much into my question. I wasn't trying to imply there no alternatives, I was curious if he had any recommendations.
[ link to this | view in chronology ]
Re: Skype
[ link to this | view in chronology ]
They compromised the STANDARDS?!?!
The NSA, in their arrogance and hubris, has deliberately enabled every phisher, every spammer, every scammer, every pedophile, every stalker, every thief, every extortionist, every blackmailer, every psycho on the planet who has basic security skills. Because if the standard is compromised, then every piece of software written to that spec is also compromised, and it's simply a matter of who can figure out a way to exploit it.
The consequences of this are enormous. Is HTTPS affected? (probably) Is email affected? (definitely) Are VPN's affected? (probably) How about DNSSEC? (unknown) How about SSH? (unknown) How about BGP security? (probably)
We are so screwed.
[ link to this | view in chronology ]
Re: They compromised the STANDARDS?!?!
Given enough eyeballs, all bugs are shallow.
And that includes bugs wittingly added for ulterior purposes.
[ link to this | view in chronology ]
Puts _NSAKEY to shame
But what other consequences does this sort of backdooring have? The US Government has a notorious weakness for Microsoft products, products of ... arguable quality and fitness for service. Given that the US Gov sets de facto standards that essentially mandate MSFT software, can we trust MSFT software in the slightest?
I'm going to need a while to apprehend the weakness of mind and morality that this revelation lays bare before us, Mates.
[ link to this | view in chronology ]
Re: Puts _NSAKEY to shame
Don't tell me it can't be done. I've been doing it -- quite successfully, by the way -- for a very long time. I save a ton of money, I don't have to deal with licensing issues, my security posture is tremendously improved, I have almost no interoperability issues, and I can laugh and laugh and laugh at all the chumps who are slaves to Redmond.
[ link to this | view in chronology ]
Re: Puts _NSAKEY to shame
It should be noted that Microsoft's already been saying they'd explain themselves (probably in their usual "craptastic PR fiasco" fashion) but they can't because the NSA's got them gagged with the whole "you must cooperate with us because national security, and you can't tell anyone about under penalty of, well, whatever the harshest thing we can think of if you try and speak out" thing.
Will it negatively affect Microsoft in the short-run? Depends on how much the average American thinks beyond "holy shit the NSA's breaking the Internet!1!" and what happens after that.
I highly doubt this spells doom for Microsoft though.
As the Zen Master says, "We'll see."
[ link to this | view in chronology ]
Re: Re: Puts _NSAKEY to shame
The average American won't get that far.
[ link to this | view in chronology ]
This is getting ridiculous
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
So now we can't trust Dell, HP, or Apple to not ship root-kitted machines to their customers?
[ link to this | view in chronology ]
Re: This is getting ridiculous
You figure they own the master cert keys that you are trusted by your browser (e.g. Verisign, etc.)? I suppose all they need is one.
[ link to this | view in chronology ]
tin foil hat?
br3n
[ link to this | view in chronology ]
This cannot be justified. Even if things like the Fourth Amendment didn't exist, it couldn't be justified. They're making us all less secure, not only from THEIR snooping, but from everyone else.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
The book Applied Cryptography discusses this and many other subjects.
I'll try to summarize several important points.
To design a good algorithm requires talent, a background of attacking encryption algorithms, and scrutiny of other people with similar talent and background. (The background of attacking algorithms is probably the single most important prerequisite.) Anyone can design an algorithm they themselves cannot break, but that doesn't mean someone else cannot break it.
In the early days of digital cryptography national governments had the only large enough pool of talented people to design great algorithms. (I'll call them the "secret group".) Eventually the "open group" of everyone else got large enough to design good algorithms.
In order for an algorithm to get good scrutiny the algorithm must be known to everyone. There should not be any secrets -- including even magic numbers used in the algorithm with no explanation of why and how they were chosen. The openness is important only so that enough people can scrutinize the algorithm and see that it withstands analysis over a period of time.
If an algorithm is kept secret, this doesn't mean it isn't secure, it may simply be 'open' to the "secret group" of people who scrutinize and analyze it. If that pool is large enough, then it really is 'open' in some sense and had sustained analysis over a period of time -- just in secret.
If the NSA publishes an algorithm, and it contains no secrets, and has been studied for years by the open community, then it is probably safe to use.
Remember the NSA has a dual mission.
1. To spy on foreign bad guys
2. To protect domestic "good" guys from being spied on
Giving us good encryption algorithms, and giving us source code such as the SELinux patches, falls under number 2. Giving banks good encryption, for example, is in the national interest. Making sure ATMs can securely communicate with the bank is important. But it's always wise to remember the number 1 part of their mission. They may give us encryption that is just 'good enough' so that nobody but themselves (and possibly other major national efforts) can crack or even merely attack it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Look, this is yet again another attempt by Masnicking Mike to distract us from the fact that Google lives in Endor. Google is a Wookie, why would a Wookie live in Endor! It makes no sense. Just like Techdirt makes no sense!
------------------
Techdirt... LOOK AT THE MONKEY!
[ link to this | view in chronology ]
Another unpopular opinion
Everyone who tries to justify this stuff under any guise is either a fool or part of the problem.
"Give them an inch, and they'll take a mile."
Until the NSA and the government is stopped in their tracks we will continue to wail and moan, bitch and complain about being hacked, spied and trolled by our government.
And paying for it.
We're the fools for not taking back our own power.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
How long will it take to earn back some trust? How many governments are jumping right now to determine how quickly they can move away from US technology?
[ link to this | view in chronology ]
this wasn't covert
This is what's for. NSA takes the information, and breaks encryption on all OS's with it.
[ link to this | view in chronology ]
Uncle Sam
[ link to this | view in chronology ]