Is there anything people could paste onto the end of their emails which would ring bells at NSA and tie the agency into knots? Because that would be bad.
I would be incredibly surprised if the NSA were not attempting to break RSA. Outraged, even: If they’re not doing that, then a lot of folks at the NSA need to lose their jobs. That’s what we pay them to do.
I would also be incredibly surprised if they’ve had any significant success at all in that effort. Modern cryptographic techniques are really, really secure. I’m not talking “it would take a really big basement full of top-of-the-line computers to break it” secure; I’m talking “it would take a computer the size of the planet the lifetime of the Universe to break it” secure. Now, people don’t usually go to the effort of getting that much security, because it usually isn’t needed: Most people are fine with something that would take the NSA’s full efforts for a year, or so, because nobody (including the NSA) is going to put in that much effort. But if for some reason that’s not good enough, it really isn’t all that hard to just make your keys longer.
I have very little pity on anyone who’s foolish enough to use closed-source security software to begin with. And I really, really doubt that they’ve successfully exerted this “influence” on any open-source project of any significance.
Well, Al Qaeda has already figured out all they have to do is pick up the phone and say “do something special” and US embassies, which includes CIA, are brought to their knees.
All this NSA spying does is further erode Americans’ confidence in their own government, and damage our relationships with our legitimate foreign friends and partners, as well as global internet security.
I recall one cell or group that was using an nearly impenetrable e-mail system. They set up a user account on some board and shared the login. Mustafa would log in and draft a private message, then save it; Khalil would log in to the same account, read the draft, delete it, and write his own draft. Other than by raw packet-sniffing or having access to the user message base on the board, there was no way to trace or snoop the messages.
OTOH, I was just sent the following clip by a colleague:
In other words, ALL your mail, including paper mail, will be opened, scanned and stored while on its way to you.
We’re still discussing whether this is some Green Nazi program gone wrong, or just an open announcement that all staff, grad and student mail will be scanned.
Do you also make sure every single entity that you engage in secure communication with is using open-source security software? Because communications are vulnerable on either end.
It’s not just the content of individual communications that are compromised – it’s the basic infrastructure of fundamental functions such as confirming that a command purportedly issued by John Doe was in fact issued by John Doe. As I noted in the OP, the conclusion is that, through its interference with the development of robust security standards, the NSA has increased the nation’s (and indeed the world’s) vulnerability to any of a number of cyberattack nightmare scenarios.
No, they are not merely figuring out how to break the codes, they are making sure everyone can break the codes. They are deliberately sabotaging everyone’s security so that they, the Russians, or some two-bit con artist can find a vulnerability to exploit.
Everyone who has their algorithms and (more importantly) extraordinary computing capacity. I’d say that puts it out of reach for two-bit con artists, and maybe even most Russian organizations.
No, I’m not saying it’s a good thing. But I think you’re carrying the argument too far the other way, that NSA-approved security might as well be no security at all.
The NSA are incompetent losers. The only reason Russia doesn’t already have the algorithms is because Snowden is a better person than they are - it’s been months and these morons still don’t even know what Snowden took. If he was a genuine spy, their heads would be on pikes right now.
This article seems to imply that encrypted systems aren’t nearly as secure as we think:
http://www.theregister.co.uk/2013/08/14/research_shakes_crypto_foundations/
Who cares? The outside of your mail is something you cannot possibly believe is private: the flippin’ mailman has to look at it in order to deliver it to your intended recipient. As well as each and every intermediate mail handler in the system.
Do you believe that photographing the outside of the package will assist the NSA in extracting the 16384-bit private key encoded on the USB inside the package?
The answer is not “not quite.” It’s “No.”
The board favors anything done by democracy unless it involves religious people or the Supreme Court decrees it can’t be done.
Do you mean this message board? Because there seems to be quite a bit of disagreement in this very thread.
Anyway, I read that the NSA managed to put something compromising into some common security standard that was uncovered a few years ago by some Microsoft engineers. I sort of remember reading something about that, but I searched around and couldn’t find it.
Does anyone here know what the heck I’m talking about?
It wasn’t sneaky evil Muslims doing this, it was General Patraeus and the floozy he was boinking.
Revealing the algorithms is irrelevant to security. The revelation relevant to this thread is that the NSA finessed the implementation of the algorithms in various ways so as to introduce back-door access.
To use a simplified example: 256-bit AES is, if properly implemented, unbreakable in practice (i.e. if you designed a set of computers to break it, you would have to allow for issues such as “Zanzibar is going to get awfully crowded when I cover the rest of the planet with electronics” and “the cooling system will have to crank up to accommodate the increased heat when the sun turns into a red giant”). However, if a subverted implementation of AES always chooses “01010101010101…010101” for the first 248 bits, and the NSA knows this, it need only do a trivial search through the remaining 8-bit space (maximum 256 tries). Obviously, the actual tricks used are more subtle, but the principle is the same.
A little-known appendix to the Snowden disclosures describes the NSA’s frantic, as thus far futile, attempts to decipher the secret message explaining the relevance of this statement to this thread.
From the story linked in the OP (toward the end):
I suppose that another “challenge in finesse” will be to explain that when someone who now works as an engineer in a US-based tech company finds himself working days at Wal-Mart and evenings at Burger King (when the effect of nobody in their right minds trusting US-based security tech any more propagates through the economy), the shift from one job to two jobs is a net plus to the nation.
While it’s possible that Snowden is restraining himself due to his principles, I think it more likely that he’s just bluffing. He doesn’t have any particularly sensitive information, and never did, but was hoping to string people along for wealth, fame, and power by making them think he did.
He never claimed to have any information outside the core issue of the whistle-blowing (illicit NSA spying on American citizens). Such information is “particularly sensitive” in that it embarrasses the government, but not so much insofar as the NSA’s legitimate espionage and counter-espionage duties are concerned.
Some experts think that the only way to fix the damage is to rebuild the security infrastructure from scratch: