How The NSA Works Hard To Break Encryption Any Way It Can Spiegel has published a detailed article, relying mostly on documents that Ed Snowden leaked, looking at the many ways in which the NSA breaks encryption (and the few situations where it still has not been able to do so). As weve seen from previous leaks, the NSA stupidly treats encryption as a threat. And, sure, it is a threat to the way in which the NSA snoops on everything, but for the vast majority of users, its a way to protect their privacy from snooping eyes. The report does reveal that certain encryption standards appear to still cause problems for the NSA, including PGP (which you already use for email, right?), OTR (used in some secure chat systems) and VoIP cryptography system ZRTP. Phil Zimmermann, who helped develop both PGP and ZRTP should be pretty damn proud of his achievements here. As the report notes, the NSA has the most trouble around open source programs, because its much more difficult to insert helpful backdoors: Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSAs efforts appear to have been thwarted in these cases: No decrypt available for this OTR message. This shows that OTR at least sometimes makes communications impossible to read for the NSA. When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable. The report also shows that VPNs are targeted by the NSA, and it has had a fair bit of luck in breaking many of them (especially those that rely on PPTP -- which has long been recognized as being insecure, but is still widely used by some VPN providers). However, it also shows that the NSA has been able to crack IPsec VPN connections as well. In short: your VPN probably isnt secure from the NSA if it wants in. The NSA also has apparently been able to crack HTTPS connections, and does so regularly: The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to detect the presence of at least 100 password based encryption applications in each instance some 20,000 times a month. HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that its not a perfect solution. Another big reveal: the NSA has the ability (at least some of the time) to decrypt SSH (Secure Shell) which many of us use to access computers/servers remotely. Theres lots more in the article and in the many, many included documents (just a few of which are shown below). Its well worth reading. However, the key point is that the NSA is working very, very hard to undermine key encryption systems used around the internet to keep people safe. And rather than sharing when those systems are cracked and helping to make them stronger, the NSA is exploiting those cracks to its own advantage. That may not be a surprise, but for years the NSA has insisted that it is helping to make encryption stronger to better protect the public. The revelations from this article suggest that isnt even remotely close to true.Permalink | Comments | Email This Story
Posted on: Mon, 29 Dec 2014 23:51:50 +0000
Trending Topics
Recently Viewed Topics
© 2015