Monday, September 9, 2013

With crypto being insecure, whom do you trust?

Posted on 09 September 2013.
Last week's revelation that the NSA has for years concentrated on subverting the encryption that protects commerce and banking transactions, sensitive data, e-mails, phone calls, web searches and so on would not have come as such a shock were it not for the array of questionable methods it used.

Among the hacking and the forcing of Internet and telecom firms to collaborate and to allow the NSA to create back doors into their products and services, the biggest blow by far was that the agency has influenced the US NIST and the International Organization for Standardization to adopt an intentionally weakened encryption standard.

But there is one person who has not been surprised by the disclosure. John Gilmore, one of the founders of the Electronic Frontier Foundation and a major contributor to a number of free software projects and to GNU/Linux, has shared his insider knowledge about the influence NSA employees exerted over the IPSEC IETF standards committee.

"Every once in a while, someone not an NSA employee, but who had longstanding ties to NSA, would make a suggestion that reduced privacy or security, but which seemed to make sense when viewed by people who didn't know much about crypto," he wrote in a message to the Cryptography mailing list.

He noted that "the resulting [IPSEC] standard was incredibly complicated -- so complex that every real cryptographer who tried to analyze it threw up their hands and said, 'We can't even begin to evaluate its security unless you simplify it radically'," but that the simplification never happened.

Finally, he said that there were situations where NSA employees lied to standards committees and that, among other things, it resulted in poor and easily breakable cellphone encryption standards.

In the meantime, Der Spiegel reporters have come out with a new claim backed by leaked NSA documents: the agency is able to access user data (contact lists, SMS traffic, notes, GPS data) from iPhones, BlackBerry devices and smartphones running Google's Android OS.

"The material contains no indications of large-scale spying on smartphone users, and yet the documents leave no doubt that if the intelligence service defines a smartphone as a target, it will find a way to gain access to its information," they write.

And, as another blow to the credibility of the Foreign Intelligence Surveillance Court, recently declassified materials have revealed that it allowed the NSA to retain intercepted US communications for six years instead of five (and more if "special circumstances" warranted it), and that the agency was allowed "to query the vast majority of its email and phone call databases using the email addresses and phone numbers of Americans and legal residents without a warrant."

Lastly, it has been revealed that the NSA has intercepted phone calls and emails of the current Brazilian president, Dilma Rousseff, and of the state-controlled Petroleo Brasileiro, as well as Google Brazil.

What's even more interesting is that in the documents, the reasons for the spying were listed as political, diplomatic AND economic, which clashes with the oft-repeated statement by the NSA and US Department of Defense that they don't engage in economic espionage.

Ultimately all of these revelations have, as Bruce Schneier has correctly pointed out, resulted "in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA," and have created a fertile ground for conspiracy theories.

Users don't know whom to trust anymore, and even advice, insights and explanations from well-regarded security and cryptography experts are contradictory on some points, most likely because not all of them have had the chance to peruse all the leaked documents and are forced to conjecture based on the limited information they do have access to.



