Remember all the buzz about the possibility of an “electronic Pearl Harbor”? Well, it turns out that the NSA has been clipping random wires in the radar installation while running a blower fan to swirl tinfoil in front of the dishes.
Wait for either “Privacy: I don’t think it means what you think it means” (somewhat Orwellian) or “Privacy: It is naive to expect it” (somewhat Kafkaesque).
However, judging from Syria-related debates, the thread will focus on the most innocuous aspect of OP and run for miles.
What I find very odd is the willingness on this board [of so many] to accept government behaviour. This really is not about ‘being American’ or some related indoctrination, it’s about the rights of citizens in a modern society and effective democracy. That’s all - not flag-draping my-govmint-right-or-wrong stupidity.
I’m still shocked that others are shocked about this. What do you think they use tens of thousands of people and hundreds of millions of dollars of computers for? Playing solitaire?
I thought the idea of the NSA hoovering up every byte from communications that they could get their hands on was understood. Maybe not legal, maybe not liked, but expected.
Me, too, since it’s been pretty well known that the NSA has blocked or limited every encryption scheme that didn’t have a trapdoor or key. Why do you think the RSA algorithm t-shirt was “illegal”?
In theory, NSA was prevented from snooping and sweeping domestically.
That said, the reports I’ve read bring out a little of the skeptic in me.
It’s being stated that they’ve used influence to covertly introduce weaknesses into encryption standards used by software developers worldwide.
These standards are, by definition, open and available to anyone. There are people all over the world, including amateurs and university computer science departments, constantly looking for weaknesses and trying to improve those standards. The idea that the NSA could “covertly introduce weaknesses” into those standards strikes me as questionable at best. Even if they could manage to do this, they’d be risking global financial chaos if the weaknesses were discovered, as is likely.
Honestly, to me this sounds like a Hollywood version of the government and the NSA as omnipotent entities that can do anything and fool anyone. It’s like the version of the government believed in by 911 truthers and moon landing hoaxers.
Anyone agree with me? Am I off base here? Is this just bad reporting?
So is most of what the last 12 years have wrought WRT privacy and security. Welcome to 2013, Rip.
This is not news to anyone who’s been paying attention since at least, oh, Bamford’s Puzzle Palace.
If you own the only ten-ton hammer in the world and don’t advertise the fact, most people would feel pretty safe with lockboxes that can’t be cracked with a five-ton hammer. NSA has ALWAYS had a basement full of ten-ton hammers and has guided security development to keep what is commercially and publicly available within their cracking range. This is, again, not news.
ETA: That is, any encryption can be cracked if you have big enough computers. University types may feel safe knowing it takes X teraflops to crack a particular prime-based algorithm; NSA just smiles, with their basement full of petafloppers.
So they didn’t just make sure they could read people’s emails and credit card transactions, they did it in a way that makes it a little bit easier for anyone to read your emails and credit card transactions. If spying on us all is evil, then weakening security standards is evil², IMO.
You raise some good points about why this would be a terrible idea. But at this point, I don’t have any faith that the NSA would care about such concerns.
[QUOTE=Bruce Schneier]
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.
As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.
(emphasis added)
[/QUOTE]
As for risking global financial chaos – this is an agency of the same government that caused global financial chaos a few years ago with its see-no-evil attitude toward Wall Street shenanigans.
Not true. Trivially, one-time pads and universal hash functions are completely secure in terms of simply being cracked by “big enough computers.” No matter how big, or how fast, those methods are unconditionally secure from computer decryption.
But even forgetting those special cases, if I create a 16384-bit key, and encrypt something, and avoid factoring and discrete logarithms-based cryptography, any computer, no matter how big, runs into basic physics problems concerning how information storage and computation works if trying to brute-force that key.
Now, admittedly, that 16384-bit key is unwieldy for use as a session key. But it’s perfectly workable for encrypting an e-mail.
Are you talking about private key cryptography? Because if so, you of course have the problem of how you get the key to the person who will be reading the email.
The revelations that the NSA has been using its resources to figure out how to break codes should not be a surprise to anyone. That’s what its purpose is, that’s what it is funded to do, everybody knows that.
The revelations that the NSA has been using that capability not just on “foreign” messages but on Americans is the really troubling thing, and the thing that is possibly illegal.
It’s not just that, though. I mean, even if the NSA were only trying to read the communications of foreigners, the techniques they’re using (adding backdoors, weakening encryption protocols or their implementations) make communication less secure for Americans, too.
Ideally, foreigners who aren’t suspected of being terrorists or criminals wouldn’t have the privacy of their communications infringed on either (even if it’s legal under U.S. law for the NSA to do so).
They have not restricted themselves to passively “figuring out how to break codes”. They have strong-armed vendors of security software into deliberately making their products weaker than they could have made them, in order to enable the NSA (and anybody else who knows where to find the deliberately-introduced weakness) to crack them more easily. In other cases, they have stolen the ‘master keys’ used in commercial security software through clandestine means, rather than forcing those companies to cooperate “voluntarily”.
Even if one would believe that they did this with the intent of snooping on foreigners using American-made software, and that any American users of such software are merely unintentional collateral damage, that’s still an awful lot of collateral damage.