N.S.A. Foils Much Internet Encryption

And you thought your encryption was safe? Maybe.......but then, maybe not.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Hmmmm..... Bullrun. That's one I hadn't seen an explanation next to. (updates side list. )

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

Source

Gobsmacked? lol..... Yes.. Indeed... I believe I know precisely how they felt. For the very same reasons.

I'd always suspected why the NSA had raised 10 kinds of stink about PGP ..then suddenly...dropped it's objections as if never having had any issue at all with it. Yup.... They cracked the nut. Just about all of them, by the sound of it. Doesn't that just make everyone feel warm and fuzzy? Ahem......

reply to post by wrabbit2000

feel warm and fuzzy?

Warm and fuzzy indeed, I can feel the warm glow of their monitoring equipment focused one me now.

I fear this is just the tip of ice-berg. Usually monitoring technology develops in tandem with Privacy technology, but I think since the true scale of this invasion of privacy was secret for so long, the privacy industry is severely lagging. Perhaps we will see a resurgence of this industry.

I tore the "do not remove under penalty of law" tag off my mattress...

The NSA crawled out from under my bed.

Paranoid much Uncle Sammy?

PGP was originally discovered by GCHQ in the 1950's but was hidden away due to national security so after 50-60 years i'd expect it to be open for those in the security business who know the exploits

reply to post by wrabbit2000


It's pretty safe to say that if you don't want anything recorded, don't let it leave your lips or fingertips.

reply to post by wrabbit2000

But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known. “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document outlining the Bullrun program warned.

So I guess what we have to do with email is to use a 256bit encrypted text file attachment secured with at least a 20 digit random generated alpha-numeric password then locked further with a really big pass-key.

Oh did I say that out loud?

reply to post by Bassago


....and of course, they will detect the fact it's triple coded, folded 52 times upon itself against physics and then wrapped up inside an enigma. That, naturally, will bring them knocking and looking, without having seen or cared what was inside the puzzle box even their computers said "WTF?!" on.

Can't win for losing when Big Brother is everywhere, I suppose. Perhaps a lot can be said for hiding in plain site and randomness by sheer numbers.

Originally posted by Bassago
reply to post by wrabbit2000

 

But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known. “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document outlining the Bullrun program warned.

So I guess what we have to do with email is to use a 256bit encrypted text file attachment secured with at least a 20 digit random generated alpha-numeric password then locked further with a really big pass-key.

Oh did I say that out loud?

I like that idea. Perhaps we should put a simple text file that just says "congratulations on cracking this file" with a troll-face picture.

Everyone already knew any computer could be hacked, didn't they?

Bruce Schneier believes it is more by subverting the underlying cryptography than math. Here is his take.

He thinks good encryption is still good.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there's a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that's easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

Link to Bruce Schneier essay on this subject

NSA did nothing. SInce when did government accomplish anything on its own? Government always relied on contracts with the private sector to get things done.

No doubt they had help from all the internet biggies.

And just like other govenment actions this will hurt the good people and the bad guys will find other ways.

Image if just one big internet company like Google said no to government. Image if they told government that they will shut down if threatened and actually did. Do you think they would be down for long? Government would be shocked and may even be put in their place for once.

But don't hold your breath - they won't stop the cash flow for one minute proving they really don't care about their customers at all. They should just dump all that privacy verbage.

reply to post by wrabbit2000


Think the insurance files are really insurance files?

They are actually part of an operation to make people think incryption is not compromised. (My logic figures).

The only true incryption is where only you have the code and only you have the key.

My thinking is that cyberterrorist's are either going to knock the NSA offline or will infiltrate it to use it for their cause. It's out there right now for all to know about so I see the very thing meant to protect us from terrorism actually helping them to achieve their aims. Rely to much on technology and your bound to be disappointed.

reply to post by Maxatoria

PGP was originally discovered by GCHQ in the 1950's but was hidden away due to national security so after 50-60 years i'd expect it to be open for those in the security business who know the exploits

I hate to be this person, but this is categorically incorrect on all fronts. Firstly PGP or Pretty Good Privacy was not 'discovered' as it is a computer system and not some kind of element, it was created by Phil Zimmerman and first released in 1991. Governments the world over have specialized in code-breaking activities for years, look at how much effort was put in to breaking the Germans various crypto systems during WWII. To think that in an age of spreading technology the federal government of the US as well as others around the world wouldn't spend billions to keep ahead of the game is simply foolish.

reply to post by joer4x4

Image if just one big internet company like Google said no to government. Image if they told government that they will shut down if threatened and actually did. Do you think they would be down for long? Government would be shocked and may even be put in their place for once.

Google is a US company and has been shown to be 100% in collusion with the federal government in its spying program, chances are good the ONLY reason Google hasn't had monopoly charges brought against it by its competitors in the various markets is because they are being shielded from such by the feds in exchange for their cooperation with PRISM.

reply to post by ManOfHart


Your comment made me think of obamacare.

R&D part of the budget snowden released re utah data center looks suspiciously low. The budget breakdown leads me to suspect NSA may be implementing a 'perfected' qcomputing core facility that will have widespread real time capabilities.

Automated drones-health care related real time behavioral analysis for O'care etc. Latter might be the first large project that's going to be done with it domestically

reply to post by Helig


I agree!

reply to post by sjorges2002


From the other thread.
post by GArnold

Interesting. Bradford's article makes it sound as if Crypto will be the core goal of Utah but maybe your right that it will be used for other purposes.

A while ago I read an article that stated Snowden impersonated high level officials electronically. With compartmentalization etc that he had to get around maybe he had to decrypt their user keys/pwords/usernames... I cant imagine that a computer tech would be able to see unencrypted usernames and 'passwords' in a security conscious place like the NSA or their contractors. I think NSA might already have a functioning, smaller qcore prototype and snowden may have gotten access to it thru his role at BAH. Humint techniques, keyloggers and things like that would have been easy to track down and require physical access which I dont believe he had. Using the computers available today it would take a long time to break NSA encryption- he worked for that contractor only 2yrs or so.

Snowden is holding back on info, there is a good reason he ran when he did and I dont think we have heard it yet.

I cant help wondering if the hastings death and snowden are somehow linked.

reply to post by Helig


After a quick check the basic theories behind pgp were first done by us Brits in 1973 but was hushed up until the Americans discovered it on their own in 1977 and took the credit i was thinking of something else in the 1950's where the Russians were using WW2 enigma tech and its why until the 1960's we still were using the same stuff as in WW2 since we'd never told the Russians we could crack the enigma code they thought it was still secure