Thursday, September 5, 2013

Bullrun

The New York Times (via Nicolas Seriot):

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

Update (2013-09-06): Nate Anderson:

More practically, it will probably lead to increased spying, as other nation-states and hackers exploit the ways that NSA has degraded Internet encryption. Backdoors create security breaches exploitable by unintended users—remember the Athens Affair? A built-in backdoor meant for law enforcement was accessed by others to spy on some of Greece’s top leaders.

Bruce Schneier:

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

Matthew Green:

Bruce Schneier, who has seen the documents, says that ‘math is good’, but that ‘code has been subverted’. He also says that the NSA is ‘cheating’. Which, assuming we can trust these documents, is a huge sigh of relief. But it also means we’re seeing a lot of (2) and (3) here.

Bruce Schneier:

With all this in mind, I have five pieces of advice […] My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.

Even though Mac OS X uses OpenSSL, etc., it counts as closed-source since you aren’t compiling it. And if you were….

4 Comments

Damn. I gullibly thought we won fair and square on Clipper Chip. I guess I missed the secret interpretation of the law.

Bruce Schneier on that same topic posted on Wired yesterday:

"What Exactly Are the NSA’s ‘Groundbreaking Cryptanalytic Capabilities’?"
http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities

Instead of the NSA OS hardening guides we've been relying upon, I think we need Snowden hardening guides.

I wonder which OS X version was the last one with secure FileVault and DMG creation...

[...] idea that’s not addressed is whether there could be a backdoor in the AES library that they’re using. Actually, what I found most interesting about this [...]
