Tech Companies Speak Out About NSA Encryption Breaks And They're Not Happy
from the well-this-is-getting-interesting dept
It's been pretty obvious that the big telcos, AT&T and Verizon, have been working closely with the feds on all of the various surveillance operations. The big question, however, has been how closely the big tech companies have been involved -- with most of them issuing pretty strong denials, and some of the early reports of their involvement not standing up to much scrutiny. Late on Friday, reports came out that Google has actually been scrambling to encrypt the information that flows between its data centers, closing off that particular attack vector to the feds:
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency's sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.
Google's encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information...
That doesn't exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won't trust statements like this. Furthermore, since last week's leaks revealed that the NSA actively recruits employees within companies to sabotage their security, it suddenly seems that even companies with the best of intentions now need to be on the alert for government moles within their own ranks. This is, frankly, insane. It's the kind of thing that wasn't supposed to happen in the US.
Indeed, both Microsoft and Yahoo have now spoken out about the revelations:
Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse".
All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we've said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they've been asked to do over the years.
Reader Comments
The First Word
Re: Re: Re: Re: At this point
Except the "conspiracy nuts" have been proven right how many times in the last few months? And how many times have "the people that know" been proven wrong? Ooops! Might want to re-think that plan.
Where's Google's (and Microsoft's, and Apple's, and Yahoo's, and Facebook's, and others') call to action to "Repeal the Surveillance State" and support Rush Holt's bill?
http://holt.house.gov/index.php?option=com_content&task=view&id=1200&Itemid=18
This is what they need to be doing, because in the end, if total surveillance is completely approved by laws, and if trying to protect against it is *outlawed*, then trying to encrypt stuff obviously won't do much good.
So we need to fight this politically, too, and it's our best chance, and their corporations' best chance, to fight it politically, and support political actions such as repealing the Patriot Act and the FISA Amendments Act, *drastically* defunding (or eliminating) the NSA, and bills that say no agency should be able to spy on someone without a *regular* warrant from a *regular* judge (not this Star Chamber "Court" stuff).
Which will do no good if any of the following are true:
- the encryption algorithms have been deliberately weakened by the NSA
- the encryption software has been deliberately weakened by the NSA
- the network/server hardware used has been backdoored by the NSA
- the network/server software is accessible by NSA moles
- the network/server hardware is accessible by NSA moles
The problem is that there's no way to know which, if any, of these are true. Certainly the NSA's word is completely worthless: there's no point whatsoever in asking them ANY question as everyone knows that they lie. And asking staff is equally worthless, since those working for the NSA lie.
It will take more -- much more -- than this token gesture on Google's part to actually secure their operation from the NSA. In my opinion, doing so will require completely rebuilding it from scratch (and doing so using compartmentalized teams with massive peer review), at a cost that I'm not comfortable trying to estimate this early on a Monday. I doubt Google will pay that price. So while I'm inclined to wish them well, I think anything short of that level of effort is absolutely doomed to fail.
anticipating blue
Hey OotB. So, wtf is a psyop? You keep mentioning it but never give a clear comprehensive explanation of what you're alleging. All I ever hear about psyops is you coming in here and claiming every story proves your theory... So let's get ahead of this: what evidence (if any) COULD POSSIBLY disprove your hypothesis? Because that's the important part of hypotheses, testability.
Thanks for your time
Re: Re: anticipating blue
And as far as "provoking" goes, he has thus far declined to comment on this story at all... so apparently it wasn't much of a provocation at all.
Re: anticipating blue
There is a new product called a "search engine" by an upstart called "google" and if you type in "define psyop" it will come back with the answer to your question.
Where this becomes NSA fun is with this definition:
PSYOPS or Psychological Operations: Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.
What is supposed to be the scope of the NSA efforts?
Re: Re: Re: anticipating blue
Reporter: Sources say the NSA sees everything.
NSA: No we don't, I mean, yes we do see everything, so don't try anything.
Everyone Else: Shaking in the boots, as we tremble in the fearz. (Reality: NOT)
Re:
What the hell are you talking about? You think that business has anything to do with this? Sorry, but this story doesn't fit into your 1% nonsense. This is government corruption, pure and simple. And the solution is reducing the size of government.
Government caught with their pants down now looking to shift blame to everyone else.
Who is telling the truth?
Re:
At least Google can't throw me in prison for jaywalking.
At this point
Throw out the old book and institute a new one.
Re: At this point
Steganography, microdots, book codes, etc.
Re: At this point
The "word on the street" is that the NSA can probably break 1024 bit RSA keys by brute force in a few days/hours. Stronger keys are unlikely to be broken in useful time by brute force alone, at least for now.
AES with 254 bit keys still looks safe too according to some cryptographers and mathematicians. The general feel is that symmetric key algorithms with strong keys seem "safe" overall, unless there is some implementation error.
Bear in mind that the NSA's attacks resort either to cheating (like sabotaging the implementation, forcing companies to hand over their private keys or even putting backdoors into their systems) or brute force, not attacking the underlying cryptographic theory, which, according to experts, is still sound.
Re: Re: At this point
The NSA fought tooth and nail against the export of the encryption method then suddenly without warning the fighting stopped... Just sayin.
Re: Re: Re: At this point
Nevertheless, in matters of security, you should stay away from the conspiracy nuts and stick to people that actually know what they are talking about. There is already enough fear, uncertainty and doubt clouding the issues.
Here's something to get you started:
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
Re: Re: Re: Re: At this point
Except the "conspiracy nuts" have been proven right how many times in the last few months? And how many times have "the people that know" been proven wrong? Ooops! Might want to re-think that plan.
Too little, but will it be too late?
Given that, it's hardly surprising that they are panicking, as between the leaks and the gag orders that prevent them from saying a word in their defense, any good-will or trust that the big companies had in regards to security or customer privacy is quickly fading away, and if they don't do something major, soon, they are likely to see their customers move on to greener, more secure pastures.
No, it sounds like big tech companies trying to save face in the public eye. We're not stupid enough to believe it, are we? Nothing less than public national exposure of all the requests and the people who made them, and linking to trusted encryption applications (if there are any left) on their homepages and telling people "click here to install", will convince me they care about user privacy.
Not really shouting from the roof tops but it's a start...
Other companies I give the benefit of the doubt, since their CD player may be stuck on the John Mellencamp track "I fight authority, authority always wins."
Re:
However, you are pointing to a larger issue that I've seen nobody make about encryption yet: when there is talk about compromised encryption, what they're not talking about is some magic wand that causes the encryption to be decryptable with the same ease as the legitimate keyholder.
What they are talking about is the inclusion of some deliberate weakness that makes cracking a particular message easier (or possible, when it wasn't before). Since crypto is a very specialized and rarified branch of mathematics, it's possible -- and has happened time and again -- to have a crypto algorithm weakened in such a way that it will go undetected without a major analysis effort on the part of crypto specialists.
This is a warning for those who believe that open source keeps them safe from these types of shenanigans. It doesn't. You'll never spot the weakness by examining the code.
Context
Also worth noting is that most, if not all, of the "breakthroughs" by the NSA can merely be described by exploitation of publicly known vulnerabilities in encryption. http://arstechnica.com/security/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/
Re: Re: Context
they put some keystroke logger on you, IT IS ALL MOOT... you are owned...
THEY have become an evil FAR GREATER than a million terrorists; in fact, they are DEFINING all us li'l peeps AS TERRORISTS...
well, talk about self-fulfilling prophecies: THEY act like scumbag terrorists in treating us like terrorists, and GUESS WHAT we are BEING FORCED to become to reclaim OUR gummint ? ? ?
the bastards ! ! !
art guerrilla
aka ann archy
eof
Fool me once...
They desperately want new shiny (compromised) encryption implementations to restore people's naivety. Sadly that will probably work.
The Holt bill is interesting. Snowball's chance in hell of passing. 'Course it does seem like hell is freezing over lately. I'm holding out for the ultra secure flying pig based com systems.
Follow the money
But then they'd lose a valuable customer!
How many millions of dollars does the NSA spend on getting this information? We don't know, and they won't tell us, but in the long run look at the bottom line, and all it says is "profit".
Seems to be the guiding motive here.
I will only trust Free and Open Source Software that I deploy and manage myself.
If I really get paranoid, I'll run virtual machines or LiveCDs that are wiped from RAM after every reboot. With no persistent data saved to disk.
The hardest thing for me is figuring out how to get around the cell phone dilemma. Even with Cyanogen firmwares, the hardware drivers are closed source and not under user control. That means the microphone, GPS and cellular modem can betray you at any moment.
Most cellular modems have read/write access to RAM modules, or so I hear. All cellphones are insecure devices until open source hardware drivers are available.
So yeah, I hate my cellphone. If I want to be reachable to family, friends and co-workers, I have to carry one though. I hate the fact it keeps track of all the places I've been for decades. I hate that the most.
Guess I could try to find the GPS receiver and unsolder it from the PCB board. Who knows if the phone would work after that though.
Would be easier to do with schematics, but those will never be released to the public.
I really wish someone would create a Raspberry Pi smartphone!