A few months ago, I took a great deal of abuse here for suggesting that there was an NSA backdoor.
US and UK intelligence have reportedly cracked the encryption codes protecting the emails, banking and medical records of hundreds of millions of people.
Disclosures by leaker Edward Snowden allege the US National Security Agency (NSA) and the UK’s GCHQ successfully decoded key online security protocols.
They suggest some internet companies provided the agencies backdoor access to their security systems.
The NSA is said to spend $250m (£160m) a year on the top-secret operation.
BBC News – Snowden leaks: US and UK ‘crack online encryption’
OT but as a soccer buff I thought u might enjoy this http://www.bloomberg.com/news/2013-09-06/u-s-soccer-team-gets-snowed-by-costa-rica.html
Now that the NSA -leaks have freak out everyone and their mother, and people are turning to VPN providers to provide even some amount of privacy, they are starting to attack VPN providers.
It is getting harder and harder to pay VPN providers when Visa, Mastercard, PayPal, Payson etc. are refusing payments to them. I guess it doesn’t take long before they’ll all have to call it quits.
After that there is no way of doing anything on the internet that doesn’t leave a permanent record in some central database that is ready for data mining if you happen to become an influential politician.
How do I know that our politicians are making decisions because they think it is the right thing to do, and not because they don’t want to see their emails to a prostitute in Bryssels become public?
Welcome to the future.
We know who you are and we know where you live.(and we know a lot more) Greenpeace knew about The Backdoor
No encryption is foolproof. With time and computing power all can be broken. But getting the keys to the PSK ones sure makes it a lot easier.
I don’t believe we are dealing with a classic “backdoor” here (like the Clipper chip). The cryptographic systems that are supposedly being compromised are at their core protected by commercial FIPS Level 3 hardware security modules (HSMs) that for business/operational reasons backdoor attacks would be too hard to cover up.
My reasoning: the real key security is software based and the code is actually released to trusted 2nd parties who look for exactly this type of thing; the code can be reverse engineered by a 3rd party (e.g. researchers at Cambridge University regularly do this to look for vulnerabilities); the 2 most popular PKI HSM vendors develop their software in Canada and the UK and I can speak for the Canadian vendor (my former employer) that keeping this quiet would be extremely difficult (too many non-US citizens in the loop, including evaluation labs, and certification agencies); there are too many symmetric encryption vendors/products/technologies in use to cost effectively tap all the installed devices; etc.
The NSA and GCHQ could attack the supply chain by intercepting the devices (especially the PKI HSMs where the really important keys are stored) as they are shipped from the “trusted” manufacturer to end-customer and compromising them (not farfetched since this has been done with PIN pads). However there are countermeasures in place to make this very difficult to hide without the cooperation of the manufacturer, bonded couriers, security officers, and IT personnel for many-many organizations — too many civilians involved for a successful conspiracy. Also any modifications would be pretty easy to find in a security audit.
NSA+GCHQ could be exploiting vulnerabilities (aka bugs) that the commercial cryptographic developers/manufacturers don’t know about. They have more/better cryptographers and white hats at their disposal so they would be able to find them. But again this approach offers a small window of vulnerability since sooner or later these flaws become public. The current approach to open cryptography (e.g. AES and the recent hash algorithm contest) minimize (zero?) the chance of a fundamental vulnerabilities making it into the wild.
There is a possibility of co-opting the relatively few trusted third parties (e.g. Verisign) to get them to actively violate their published security procedures. I can think of an NSA-grade attack that would work if the TTP played ball — but if it became public the TTP would be put out of business (being trusted is mandatory e.g. a Dutch CA had to close up shop last year for sloppy security). TTPs don’t serve the whole market so it wouldn’t compromise all the data implicated in the NYT article but it would expose a lot of it.
Co-opting e-mail providers, ISPs, and telecomms companies networks could work but it would rely on everybody involved keeping quiet, providing intimate access to their networks, and basically violating all their security mechanisms. Also a lot of these folks use TTPs for their key management and if they don’t play ball the service provider probably won’t have access to all the keys you need to read all the data.
I personally think they are simply tapping the tier-1 network pipes and exploiting operational weaknesses (some that aren’t public), applying some sophisticated software/hardware, and leveraging their massive computing power. IMHO: the Googles of the world are probably passively cooperating by not publicizing this but not actually actively providing the data.
“Cracking” a code is not even remotely similar to entering a system via a “Back Door” .. High level programmers (myself included) typically put Back Doors in code as a means of entry for debugging the software.. The Back Door is almost always removed before the software is released to the general public. Of course..sometimes it isn’t..
Nevertheless .. “Cracking” the code as the NSA Super Computers do is Nothing like entering a system via Back Door..
I remember reading about this matter ca. 2000. Just Google “NSA and back door” and see how far back the results go.
Treat email as public information. If you’re not encrypting it at source, which almost nobody does, a lot of people can potentially read it along its travel path.
This is just a ploy