Dept. of Holy Crap: The NSA stuff is worse than you thought.

Apparently, the NSA, in their zeal to listen to everyone, has been successfully inserting back doors into encryption protocols for years, ProPublica has learned.

How’d they learn this?

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Thank you, Edward Snowden. Back doors are horrible ideas, because they invariably fall to nefarious use. Even, as we’ve seen, inside supposedly trusted organizations like the NSA.

Among the technologies compromised by the NSA is SSL, which you rely on every day to keep your browser traffic safe when banking, shopping, or accessing other private services online. I am reminded of what former Lavabit CEO Ladar Levison wrote when he shut down his secure email service out of the fear that the spooks would infest it: “Without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

The Feds are, obviously, not happy about the publication of this information, but you know what? Fuck them. This is security apparatus run wild, and it must be both disclosed and stopped. ProPublica, for their part, published a clear and well reasoned article detailing why they chose to publish:

The story, we believe, is an important one. It shows that the expectations of millions of Internet users regarding the privacy of their electronic communications are mistaken. These expectations guide the practices of private individuals and businesses, most of them innocent of any wrongdoing. The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable. The government insists it has put in place checks and balances to limit misuses of this technology. But the question of whether they are effective is far from resolved and is an issue that can only be debated by the people and their elected representatives if the basic facts are revealed.

[…]

There are those who, in good faith, believe that we should leave the balance between civil liberty and security entirely to our elected leaders, and to those they place in positions of executive responsibility. Again, we do not agree. The American system, as we understand it, is premised on the idea — championed by such men as Thomas Jefferson and James Madison — that government run amok poses the greatest potential threat to the people’s liberty, and that an informed citizenry is the necessary check on this threat. The sort of work ProPublica does — watchdog journalism — is a key element in helping the public play this role.

Finally: What to do now?

Good question. It’s not completely clear which implementations have been compromised by the NSA, but Bruce Schneier has a great bit in the Guardian today about placing this in perspective, and about what you can do to keep your own data safe from prying eyes — even eyes ostensibly on the same side as you are. The gist is this:

First, Properly implemented strong cryptography still works as advertised. The NSA doesn’t have special math it can deploy; trap-door algorithms are still trap doors. Multiplication is and will remain orders of magnitude easier than factoring.

Second and no less important: Open source security software is better. The NSA has obviously been influencing proprietary solutions, and will continue to do so; with open source software, though, an army of privacy-advocate neckbeards are perusing every commit. This is a good thing.

Bruce has, obviously, more concrete suggestions; go read the bit.

Comments are closed.