Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages
from the time-for-a-medal? dept
One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA's global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:
Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS -- within a three to five-month time frame of the leaks.
And yet security expert Bruce Schneier not only doesn't think that's a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:
I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.
That's a great point. For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community when they create a new "home-brew" encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It's a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bruce schneier, ed snowden, encryption, nsa, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'm pretty sure Archer will totally f*** up the one from ISIS.
[ link to this | view in chronology ]
Re:
GUEST
No way! It can't be!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
english
[ link to this | view in chronology ]
Re: english
[ link to this | view in chronology ]
Re: Re: english
"Fun" is a noun. It is also used as an attributive noun, which is similar to an adjective e.g. chocolate cake - chocolate and cake are both nouns, but chocolate is describing the type of cake works as an adjective.
And yes, if you consider "fun" to be an adjective (which many people do), then "funner" and "funnest" are viable. Ask Steve Jobs.
[ link to this | view in chronology ]
Re: english
[ link to this | view in chronology ]
Re: Re: english
[ link to this | view in chronology ]
Re: Re: english
/nazi
[ link to this | view in chronology ]
Re: english
[ link to this | view in chronology ]
Re: Re: english
-fixed
[ link to this | view in chronology ]
Re: Re: english
"most common" or "most commonly" would be appropriate.
[ link to this | view in chronology ]
Re: Re: Re: english
Check out the "Adjective" section.
[ link to this | view in chronology ]
Re: english
[ link to this | view in chronology ]
Re: english
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
While we don't know for sure if any of the algos that are tainted by NSA involvement are genuinely at risk, the fear that they are could push groups into throwing out their whole systems and needing to replace them with something that may actually be less secure.
[ link to this | view in chronology ]
Re: Re:
but that can also be layered.
[ link to this | view in chronology ]
Re:
I would not call the terrorist stupid, more likely technically ignorant. I know enough about cryptography to know one needs to use the best available tools and should not be trying to build your own unless you are one of the true cryptography experts. But, explain this to lay person.
[ link to this | view in chronology ]
Re: Re:
And I would call _you_ ignorant. Your idea of "terrorists" comes from BS Hollywood movies, where "terrorist == batshit-crazy". Back to reality, you will find, that there's enough very well educated and technically competent people among those "terrorist organization". Reason is very simple - one man terrorist is another men freedom fighter.
[ link to this | view in chronology ]
Re: Re:
Look, if I wanted to hide something from the government and I believed there maybe breaches in some standard encryption algorithms that the government is responsible for and I wanted to make my own encryption algorithm worst case scenario I would implement my encryption algorithm on top of the standard encryption algorithm that I trust best. So say I trust AES the best but not 100 percent. Say I create my own encryption algorithm from scratch. Say I had a document to encrypt. I'll first encrypt it with AES with one key and then I'll encrypt it with my personal encryption algorithm with a different key. My encryption strength is at least as strong as AES and potentially stronger. It's called layered security.
But what I would really do (and since it's common sense I suspect the terrorists may think of the same thing) is forget the hassle of coming up with my own encryption cyphers that's likely insecure. I would either couple together two iterations of AES with different keys or couple together different standard encryption algorithms (ie: AES and RC6) with different keys. That way my encryption strength is at least as strong as the weakest of the two. If AES is secretly hacked I maybe protected by RC6.
[ link to this | view in chronology ]
Re: Re: Re:
If you sprinkle a couple of real situations of attack on an already paranoid mob, you get - well, you get machines that take naked scans of people, long lines backing up in airports, unrest amongst the people most impacted, etc. The NSA may have tripped into the same tacticts that have impacted many of our lives.
[ link to this | view in chronology ]
Re: Re:
Rolling your own encryption is a bit like being your own lawyer. Only fools do it. However, it's not really because of lack of skills, it's because making good encryption is extremely difficult, and crypto has to be checked out by a lot of people to get any sense of confidence in it. This takes manpower and time (years). Most crypto ends up being weak in one way or another. The established crypto is amongst the small percentage that hasn't. Yet. Even current crypto is constantly being tested.
[ link to this | view in chronology ]
i might be wrong - r o n g wrong - but i took it as a pun.
god bless e snowden. he has our back.
[ link to this | view in chronology ]
... and since when Schneier become expert on terrorists?
Now, where did Mike get this patently stupid idea that "For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community"?! What, "terrorists" suddenly lost an ability to read? Or, I know - terrorists are stupid! Yes, and uneducated!
Go back and read some real-world statistics: there's disproportionate amount of well educated people among all kind of extremist groups, jihadists included.
[ link to this | view in chronology ]
Re: ... and since when Schneier become expert on terrorists?
terrorists won't be able to draw on the knowledge and skills of the global crypto community
If the terrorists (who tend to land on the more paranoid side of the fence) believe much of the crypto community has been compromized by the NSA forcing, infiltrating, hacking them, they will turn to what is ultimately a smaller group of cryptographers and likely to be of a lower quality. There is a chance they will come across some world-class cryptography, but the pool they have to select from is smaller if they want to avoid those that are on the NSA's radar and within their reach.
[ link to this | view in chronology ]
Re: Re: ... and since when Schneier become expert on terrorists?
[ link to this | view in chronology ]
Re: Re: Re: ... and since when Schneier become expert on terrorists?
[ link to this | view in chronology ]
Re: Re: Re: Re: ... and since when Schneier become expert on terrorists?
[ link to this | view in chronology ]
Re: ... and since when Schneier become expert on terrorists?
Indeed. So why are you rejecting his knowledge of how hard it can be for even well-connected and highly experienced people to get it right? What resources do you think terrorists have access to that he may not have considered?
"Did he ever saw real-life terrorist?"
Saw? I now have an image of Schneier wearing a white mask on a tricycle, firing crytpo questions at someone tied up with rusty chains... Thanks, I guess?
"What, "terrorists" suddenly lost an ability to read?"
No, but since the main problem is in implementing the crypto, not reading the documentation, why does this matter?
"Or, I know - terrorists are stupid! Yes, and uneducated!"
Nobody's suggesting anything of the sort, if you bother to read the points actually being made.
Look, it's quite simple. Not many people (and probably no one individual) have the level of expertise and experience require to do these things perfectly, let alone come up with solid algorithms in the first place. Since the entire reason for creating the new crypto is to avoid NSA tampering, they're also likely to be relying on a relatively limited set of peers for things like testing and locating flaws in the algorithms and software.
They're not stupid, they're just likely to make some mistakes if they try to reimplement these things alone. If they do, then the resulting security they come up with is likely to be less secure than the other tools they would have depended on if the Snowden revelations didn't deter them from using them. It's not impossible for them to be creating cryto that's world class and better than the existing standard tools, it's just rather unlikely according to one of the experts in that field.
[ link to this | view in chronology ]
Ham radios, telegraph, etc...
How can you track tech that hasn't been used in years?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
um...
[ link to this | view in chronology ]
Hmmm, I should run out and patent that before someone else does.
For those that got the obvious joke but missed the subtlety: doubling up on your encryption provides only the protection of the most secure round. And if you use the same key it might actually leak bits. A good example is 'triple DES', which is mostly equivalent to DES with different S-boxes.
A comment on devising your own encryption being equivalent to being your own lawyer: no, it's not even close. There is no secret method or logic in law. The NSA's internal approaches to cryptography are far more advanced than what is public. Presumably there are a handful of other places that have their own advances.
It took outside people well over a decade to figure out that the government's tweak to IBM's S-boxes made it more secure rather than less, and they still aren't certain how they knew to change just those few bits instead of all of the boxes at once.
[ link to this | view in chronology ]
Re:
There is no secret method or logic in law
Probably no logic, but certainly secret interpretations.
[ link to this | view in chronology ]
Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.
It is nice, in the original meaning of the word (ignorant from the Latin nescius,) to castigate others for their inventiveness. Otherwise nice would have never come to mean sexually loose, or the most common use today of "pleasant."
One of the characteristics of a geek is a delight in playing with words. Grammar, spelling and typo nazis demonstrate their "fish out of water" status when the make their foolish complaints. Such comments might be included in the criteria for the "Spot the Fed" game.
[ link to this | view in chronology ]
Re:
Under the English banner, linguistic cromulentization marches ever onwards!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Maybe Snowdon is an NSA plant?
A: Get the NSA to deny they've put in back doors.
[ link to this | view in chronology ]