Reports in the Guardian and the New York Times claim that the NSA has cracked much of the encryption used on the Internet. Working in concert with their UK counterpart, the GCHQ, the NSA has used a variety of methods to gain access to data which should be unreadable by outsiders to the conversation. The basis for the reports are (of course) documents leaked by former NSA analyst Edward Snowden.
The New York Times and ProPublica each received over 50,000 documents from the Guardian. "Intelligence officials" asked The Times not to report the story because "…it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read." Times agreed to withhold some details, but ran the story because of the value of public debate. And it's hard to sympathize with the reasoning allegedly proffered by the intelligence officials.
There's some truly disturbing news in this story, but other parts of it aren't particularly surprising. These reports are not technical papers and a lot of relevant detail is left out, so it's hard to tell in many cases what exactly is being asserted.
Most of the NSA encryption cracks reported in the story do not take any special advantage of their legal position. They are attempting to subvert systems of targets in order to get around cryptography. It's a truism of attacks on cryptography that they are generally attempts to get around the cryptography rather than to break it directly, and this sort of activity goes on all the time by malicious actors the world over.
How do they do it? The old-fashioned way, using malware, social engineering and exploiting vulnerabilities. Just today, WebSense published a report that said that huge percentages of users in enterprises are still running old, vulnerable versions of Java and Flash. Any script kiddie could take it from there; you don't need to be the NSA to attack those people.
If you practice cryptography, or even security more generally, you know that you have to assume you are under attack and to provide a layered defense against those attacks. If the NSA is using black hat methods to compromise intelligence targets that they are legally permitted to surveil, then there may be a legitimate complaint about the law, but it's also the case that the target could and should have done more to secure their systems.
Through the back door?
One story in The Times sounds unambiguously disturbing:
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
You can bet that US technology companies are unhappy with this report, which will likely cost them business. But perhaps it should. If true — and I wouldn't assume it is completely true — it appears to be beyond the scope of compliance required under the Patriot Act. But the story indicates that this was a "request" of the company and not an order. Too bad the company isn't identified, which means that all US companies are tarred by the story and face another challenge selling abroad.
In another case, The Times story makes old news sound more sinister than it probably is:
At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced. Executives who refuse to comply with secret court orders can face fines or jail time.
The wording of this passage gives the impression that Microsoft might be providing a back-door to the NSA to allow them to sniff traffic to these sites unimpeded by encryption, but the statement is also consistent with what we have known for a long time, even before the initial Snowden disclosures: Microsoft and every other company in the US sometimes receives FISC (Foreign Intelligence Surveillance Court)-ordered requests for content belonging to specific individuals, and they comply with those orders by providing the unencrypted data to the government.
Microsoft stated very recently that they do not provide blanket back-door access to the government: "…we only respond to legal government demands, and we only comply with orders for requests about specific accounts or identifiers."
Many of you will, no doubt, wonder why we should take Microsoft at their word on this, but there's plenty of reason to do so. That same blog was written to announce Microsoft's motion in the FISC to allow the company to disclose information about the scope of their compliance with government requests and orders; a parallel motion was made by Google. Both companies do substantial business abroad and know that the credibility of their products is at stake.
This is one of those cases where a frequent criticism of large, multinational corporations — that they have no allegiance to their purported home countries — works to the individuals' benefit: Microsoft has obligations to their customers all over the world and wouldn't want to sacrifice those profitable relationships by cooperating with the US government any more than necessary.
Another story — once again not really news — describes a practice that Congress should make flat-out and unambiguously illegal: The NSA submitted to NIST (National Institute of Standards and Technology) a random number generation algorithm with a backdoor in it.
There's actually a technical term for this sort of vulnerability: Kleptography is the use of attacks built into a cryptographic system, i.e. a crypto backdoor. That's a great term.
The algorithm (Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator) was known as an NSA algorithm; being top experts in the field, the NSA had long been involved in cryptographic standardization. In 2007 the back-door was found and reported by Microsoft engineers. Those in the know quickly guessed that the NSA had tried to insert a back-door into the algorithm and the result was a clear loss of respect for and trust in the NSA in a field where they had made many positive contributions to the security of the US and its citizens. Great work guys.
Getting out of this mess
I'd like to think that a consensus is emerging among those not in the executive branch of the US government that more openness is necessary. Even if it hurts to admit that Snowden succeeded.
The first step is to allow US companies to disclose more about how they cooperate with the NSA and other US government agencies so that their customers can make informed trust decisions about them. Not to do this is to put US companies at a disadvantage they are legally prohibited from countering. Obviously, foreign competitors (from China perhaps) are no more inherently trustworthy, and that's all the more reason to be open about it: Let US companies say what their policies are and give aggregate data on their cooperation. Then make the point that this in fact makes them more trustworthy than competitors from other countries which are almost certainly under the same government pressures and which don't disclose the extent of it.
At bottom, we have to make a classic civil liberties trade-off here, to admit that being more open about our surveillance policies may make them less effective in some cases, but that we're willing to do that in order to preserve as much freedom as we can. That's the honest way to look at it.
The other big take-away from this story is that if you follow best practices, including using the latest protocols and updated software, you are very likely secure against attack both by criminals and the US government. With a valid warrant they may be able to get at you through cloud services, but they can't easily get at your own systems.