Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages

from the time-for-a-medal? dept

One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA's global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:

Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS -- within a three to five-month time frame of the leaks.
And yet security expert Bruce Schneier not only doesn't think that's a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:
I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.
That's a great point. For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community when they create a new "home-brew" encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It's a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bruce schneier, ed snowden, encryption, nsa, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Michael, 27 May 2014 @ 5:51am

    three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS

    I'm pretty sure Archer will totally f*** up the one from ISIS.

    link to this | view in chronology ]

  • icon
    mikez (profile), 27 May 2014 @ 5:54am

    english

    adding "est" to the end of a word doesn't make it so. I can't get past this first sentence. Please fix it.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2014 @ 6:51am

      Re: english

      Glad to know I am not the only one. I will openly admit I'm terrible when it comes to using proper English, but people just adding "est" to words is like nails on a chalk board. Ranks right up there with adding "er" to words. (Funer is not a word!)

      link to this | view in chronology ]

      • identicon
        Donglebert The Needlessly Unready, 28 May 2014 @ 3:21am

        Re: Re: english

        "Common" is an adjective.

        "Fun" is a noun. It is also used as an attributive noun, which is similar to an adjective e.g. chocolate cake - chocolate and cake are both nouns, but chocolate is describing the type of cake works as an adjective.

        And yes, if you consider "fun" to be an adjective (which many people do), then "funner" and "funnest" are viable. Ask Steve Jobs.

        link to this | view in chronology ]

    • identicon
      Michael, 27 May 2014 @ 6:53am

      Re: english

      You are the naziest grammer critic ever.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2014 @ 6:57am

      Re: english

      "Commonest" is listed in my Oxford dictionary as an adjective form of "common" (along with the more awkward "commoner"). The use here is correct.

      link to this | view in chronology ]

    • icon
      azuravian (profile), 27 May 2014 @ 7:11am

      Re: english

      Saying that someone is using grammar incorrectly doesn't make it so.

      link to this | view in chronology ]

    • identicon
      Donglebert The Needlessly Unready, 28 May 2014 @ 3:06am

      Re: english

      Commonest might be ugly, but it isn't incorrect.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2014 @ 5:59am

    I kinda disagree with Bruce Schneier here. While the leaks probably did little to help terrorists (and the terrorist threat is way overhyped anyways) I also doubt it did much to hurt them. If the terrorists are stupid enough to try to create their own encryption algorithms after the leak I doubt they were smart enough to avoid being hacked before the leaks. It's not like the leaks made them any stupider.

    link to this | view in chronology ]

    • icon
      Josh in CharlotteNC (profile), 27 May 2014 @ 6:23am

      Re:

      While the algorithm is a major part of any crypto system, the implementation of the algorith into the rest of the system is significant and often overlooked. And it's really easy to screw up either one and leave yourself a very insecure system.

      While we don't know for sure if any of the algos that are tainted by NSA involvement are genuinely at risk, the fear that they are could push groups into throwing out their whole systems and needing to replace them with something that may actually be less secure.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 May 2014 @ 8:55am

        Re: Re:

        "the implementation of the algorith into the rest of the system is significant and often overlooked."

        but that can also be layered.

        link to this | view in chronology ]

    • icon
      madasahatter (profile), 27 May 2014 @ 6:29am

      Re:

      I think Schneier's point is expert cryptography is very difficult to execute even by the experts. If the terrorists were using expert level cryptography via readily available tools then the NSA has a very difficult time breaking the encryption. However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly. The result will be pretty secure and probably not easy for to crack but it is not as strong as it could and thus more easily breakable by the NSA.

      I would not call the terrorist stupid, more likely technically ignorant. I know enough about cryptography to know one needs to use the best available tools and should not be trying to build your own unless you are one of the true cryptography experts. But, explain this to lay person.

      link to this | view in chronology ]

      • icon
        lfroen (profile), 27 May 2014 @ 6:36am

        Re: Re:

        >> I would not call the terrorist stupid, more likely technically ignorant.
        And I would call _you_ ignorant. Your idea of "terrorists" comes from BS Hollywood movies, where "terrorist == batshit-crazy". Back to reality, you will find, that there's enough very well educated and technically competent people among those "terrorist organization". Reason is very simple - one man terrorist is another men freedom fighter.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 May 2014 @ 6:54am

        Re: Re:

        and I can just as easily argue that a terrorist who's into cryptography probably follows Bruce and read his comments and would take them into account to avoid not going with much stronger standards.

        Look, if I wanted to hide something from the government and I believed there maybe breaches in some standard encryption algorithms that the government is responsible for and I wanted to make my own encryption algorithm worst case scenario I would implement my encryption algorithm on top of the standard encryption algorithm that I trust best. So say I trust AES the best but not 100 percent. Say I create my own encryption algorithm from scratch. Say I had a document to encrypt. I'll first encrypt it with AES with one key and then I'll encrypt it with my personal encryption algorithm with a different key. My encryption strength is at least as strong as AES and potentially stronger. It's called layered security.

        But what I would really do (and since it's common sense I suspect the terrorists may think of the same thing) is forget the hassle of coming up with my own encryption cyphers that's likely insecure. I would either couple together two iterations of AES with different keys or couple together different standard encryption algorithms (ie: AES and RC6) with different keys. That way my encryption strength is at least as strong as the weakest of the two. If AES is secretly hacked I maybe protected by RC6.

        link to this | view in chronology ]

        • identicon
          Michael, 27 May 2014 @ 7:37am

          Re: Re: Re:

          Just having to go through that thought process is a huge burdon on a group.

          If you sprinkle a couple of real situations of attack on an already paranoid mob, you get - well, you get machines that take naked scans of people, long lines backing up in airports, unrest amongst the people most impacted, etc. The NSA may have tripped into the same tacticts that have impacted many of our lives.

          link to this | view in chronology ]

      • icon
        John Fenderson (profile), 27 May 2014 @ 7:05am

        Re: Re:

        "However, if they try to build their own tools to avoid any NSA backdoors, etc., it is likely they do not have the skills to do it correctly."

        Rolling your own encryption is a bit like being your own lawyer. Only fools do it. However, it's not really because of lack of skills, it's because making good encryption is extremely difficult, and crypto has to be checked out by a lot of people to get any sense of confidence in it. This takes manpower and time (years). Most crypto ends up being weak in one way or another. The established crypto is amongst the small percentage that hasn't. Yet. Even current crypto is constantly being tested.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2014 @ 6:25am

    adding "est" to the end of a word

    i might be wrong - r o n g  wrong - but i took it as a pun.

    god bless e snowden.  he has our back.

    link to this | view in chronology ]

  • icon
    lfroen (profile), 27 May 2014 @ 6:41am

    ... and since when Schneier become expert on terrorists?

    Last time I checked, Bruce Schneier was expert on cryptography. Did he ever saw real-life terrorist?

    Now, where did Mike get this patently stupid idea that "For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community"?! What, "terrorists" suddenly lost an ability to read? Or, I know - terrorists are stupid! Yes, and uneducated!

    Go back and read some real-world statistics: there's disproportionate amount of well educated people among all kind of extremist groups, jihadists included.

    link to this | view in chronology ]

    • identicon
      Michael, 27 May 2014 @ 6:59am

      Re: ... and since when Schneier become expert on terrorists?

      While spelling and grammer issues would point to him having written this - Mike didn't write the article.

      terrorists won't be able to draw on the knowledge and skills of the global crypto community

      If the terrorists (who tend to land on the more paranoid side of the fence) believe much of the crypto community has been compromized by the NSA forcing, infiltrating, hacking them, they will turn to what is ultimately a smaller group of cryptographers and likely to be of a lower quality. There is a chance they will come across some world-class cryptography, but the pool they have to select from is smaller if they want to avoid those that are on the NSA's radar and within their reach.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 May 2014 @ 8:05am

        Re: Re: ... and since when Schneier become expert on terrorists?

        Externally they may express more paranoid views to their followers. Internally they are probably not as stupid as they seem.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 27 May 2014 @ 8:38am

          Re: Re: Re: ... and since when Schneier become expert on terrorists?

          For a terrorist, not being paranoid is being stupid.

          link to this | view in chronology ]

          • identicon
            Michael, 27 May 2014 @ 8:41am

            Re: Re: Re: Re: ... and since when Schneier become expert on terrorists?

            For a paranoid, not being a terrorist is irrelevant.

            link to this | view in chronology ]

    • icon
      PaulT (profile), 27 May 2014 @ 7:41am

      Re: ... and since when Schneier become expert on terrorists?

      "Bruce Schneier was expert on cryptography."

      Indeed. So why are you rejecting his knowledge of how hard it can be for even well-connected and highly experienced people to get it right? What resources do you think terrorists have access to that he may not have considered?

      "Did he ever saw real-life terrorist?"

      Saw? I now have an image of Schneier wearing a white mask on a tricycle, firing crytpo questions at someone tied up with rusty chains... Thanks, I guess?

      "What, "terrorists" suddenly lost an ability to read?"

      No, but since the main problem is in implementing the crypto, not reading the documentation, why does this matter?

      "Or, I know - terrorists are stupid! Yes, and uneducated!"

      Nobody's suggesting anything of the sort, if you bother to read the points actually being made.

      Look, it's quite simple. Not many people (and probably no one individual) have the level of expertise and experience require to do these things perfectly, let alone come up with solid algorithms in the first place. Since the entire reason for creating the new crypto is to avoid NSA tampering, they're also likely to be relying on a relatively limited set of peers for things like testing and locating flaws in the algorithms and software.

      They're not stupid, they're just likely to make some mistakes if they try to reimplement these things alone. If they do, then the resulting security they come up with is likely to be less secure than the other tools they would have depended on if the Snowden revelations didn't deter them from using them. It's not impossible for them to be creating cryto that's world class and better than the existing standard tools, it's just rather unlikely according to one of the experts in that field.

      link to this | view in chronology ]

  • identicon
    avideogameplayer, 27 May 2014 @ 7:37am

    There's always one way to avoid online tracking, go old school..

    Ham radios, telegraph, etc...

    How can you track tech that hasn't been used in years?

    link to this | view in chronology ]

  • identicon
    muhr, 27 May 2014 @ 8:15am

    um...

    how dare you use a word like 'commonest'?

    link to this | view in chronology ]

  • icon
    DB (profile), 27 May 2014 @ 9:23am

    Home-grown encryption is very likely to end up with something like applying rot-13.. twice.

    Hmmm, I should run out and patent that before someone else does.

    For those that got the obvious joke but missed the subtlety: doubling up on your encryption provides only the protection of the most secure round. And if you use the same key it might actually leak bits. A good example is 'triple DES', which is mostly equivalent to DES with different S-boxes.

    A comment on devising your own encryption being equivalent to being your own lawyer: no, it's not even close. There is no secret method or logic in law. The NSA's internal approaches to cryptography are far more advanced than what is public. Presumably there are a handful of other places that have their own advances.

    It took outside people well over a decade to figure out that the government's tweak to IBM's S-boxes made it more secure rather than less, and they still aren't certain how they knew to change just those few bits instead of all of the boxes at once.

    link to this | view in chronology ]

    • identicon
      Michael, 27 May 2014 @ 9:31am

      Re:

      Protip: if your joke requires an understanding of encryption algorithms, you have probably narrowed the target audience a bit too much.

      There is no secret method or logic in law

      Probably no logic, but certainly secret interpretations.

      link to this | view in chronology ]

  • icon
    Groaker (profile), 27 May 2014 @ 1:21pm

    A word is a word because I say it is a word. The OED may very well have its uses, but when it "recognizes" a word, it is merely accepting that it has found it desirable to provide a definition for a word. One that has existed for some time before coming to the notice of the language martinets.

    Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.

    It is nice, in the original meaning of the word (ignorant from the Latin nescius,) to castigate others for their inventiveness. Otherwise nice would have never come to mean sexually loose, or the most common use today of "pleasant."

    One of the characteristics of a geek is a delight in playing with words. Grammar, spelling and typo nazis demonstrate their "fish out of water" status when the make their foolish complaints. Such comments might be included in the criteria for the "Spot the Fed" game.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2014 @ 2:43pm

      Re:

      Anyone can make up a word, and everyone should be encouraged to do so in as promiscuous a manner as possible.

      Under the English banner, linguistic cromulentization marches ever onwards!

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2014 @ 1:26pm

    unfortunately Mr Schneier, you forgot to add in the 'except for the security agencies that are supposedly looking for terrorists so as to keep all us thick, ordinary sheep nice and safe!' bit!

    link to this | view in chronology ]

  • icon
    sml156 (profile), 27 May 2014 @ 3:40pm

    It would be very easy for terrorists to get the best crypto just kidnap 4 of of the best people get two of them to write it or they will be killed and get the other two to decrypt it or they will be be killed, If the last two decrpt it get them to write new code and kidnap two more people

    link to this | view in chronology ]

  • identicon
    Donglebert The Needlessly Unready, 28 May 2014 @ 3:32am

    Maybe Snowdon is an NSA plant?

    Q: How to stop terrorists using open source crypto?
    A: Get the NSA to deny they've put in back doors.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.