Friday, September 06, 2013

All our internets are belong to them

Today's NSALeak is a biggie: The NSA and GCHQ have backdoored many commercially available encryption applications, and are reading most of the encrypted traffic on the internet:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.


The New York Times has more here.

This of course was kept as a tightly-held secret, available to only a select few at the top of the "Five Eyes" (which includes New Zealand), because, as with ENIGMA, suspicion that the codes were compromised would cause people to change to more secure ones. Not to mention cause untold damage to the spies' commercial "partners". That quiet thud you heard was the US computer security industry following its cloud services industry and imploding.

Once again, we've been shown that the only software you can trust is open source software. If it's secret, it's compromised.

(The possibilities for abuse here are endless. And just as NSA agents were routinely using "LOVEINT", abusing NSA facilities to spy on their partners and prospective partners, it's probably only a matter of time before we learn that they've also been abusing these powers to, I don't know, engage in credit card fraud to boost their personal Lego collection or something. That's the sort of thing that happens when you have people who believe themselves to be above the law and shielded from accountability by secrecy.)

Meanwhile, there's a local angle too: the New York Times says that senior people in the GCSB were cleared for this program. And the TICS Bill currently before Parliament will give the GCSB the power to micromanage network providers' procurement and design decisions - in other words, to force them to use insecure infrastructure with backdoors. Which, I guess, is one way of learning what they can hack: if GCSB supports it, it is compromised.