Reports: NSA has compromised most internet encryption

The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports. In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their …

COMMENTS


      1. sunnyskies
        Big Brother

        Re: GCHQ are doing their job

        Indeed.

        When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed.

        1. amanfromMars 1 Silver badge

          @sunnyskies Re: GCHQ are doing their job

          Indeed.

          When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed. .....sunnyskies Posted Friday 6th September 2013 06:03 GMT

          Quite so. However, the corollary of that may not be so true, sunnyskies ...... "Secret State police have nothing to fear from they of good-will"

          Indeed, it may very well be that they have everything to fear from that which they ignore and/or dismiss and become so terrified and terrorised by events they monitor and mentor to become paralysed and useless in every form of their being.

    1. Apdsmith

      Re: GCHQ are doing their job

      Dephormation,

      I suspect the answer to your question is "When it became easier to treat us *all* like criminals than think about targeting specific individuals."

      My worry is the old Franklin quote - I suspect that although hoovering up every damned thing has been sold to The Powers That Be as cheaper than performing competent analysis (not that I'm qualified for such, but that's not the point) it's actually not as effective as believed, leaving us all worse off for very little benefit.

      Which to be fair would be about par for a government program conducted in utmost secrecy.

      Ad

    2. MrXavia

      Re: GCHQ are doing their job

      I seriously doubt they are bothering to MITM attack everyone, and the 'black boxes' that idiot MP wanted are not implemented (YET) so no need to get TOO paranoid yet.. and while I get WHY they want to just grab it all into a DB, it does not mean we should be doing it.. We in this country started modern democracy and freedom, we should honour it by not eroding freedom!

      As famously was said by Ben Franklin..

      Those who give up their liberty for more security neither deserve liberty nor security

    3. Intractable Potsherd Silver badge

      Re: GCHQ are doing their job @dephormation

      It is becoming clear that the powers that be are very frightened of the population. We *are* "the adversary" from their point of view.

  1. Anonymous Coward
    Anonymous Coward

    Backdoors in systems you say ?

    Now I wonder if that includes Windows ?

    Bet your ass it does.

    Glad I use Linux.

    Smug Mode.

    1. Anonymous Coward
      Anonymous Coward

      Re: Backdoors in systems you say ?

      Yes, you're perfectly safe with Linux. Sleep tight, sweet dreams.

    2. Anonymous Coward
      Anonymous Coward

      Re: Backdoors in systems you say ?

      Don't forget that even if you use Linux or other allegedly trustworthy software, if you're running it under a hypervisor and your hypervisor is part of the NSA Fan Club, whatever is in memory on your Linux box is, in principle, visible to the NSA.

      Also, anybody know what's *really* inside vPRO/AMT etc?

    3. Dan 55 Silver badge
      1. Ian Reissmann

        Re: Backdoors in systems you say ?

        Gosh: open source has bugs ?!

        The point many people (such as Bruce Schneier) are making is that NSA are probably relying on things like back doors and poor security practices to ensure they can breach people's privacy. Open source is much less likely to be vulnerable to these as we know what goes into open source.

    4. tom dial Silver badge

      Re: Backdoors in systems you say ?

      It may or may not include Windows 7 (or 8). It almost surely includes Cisco routers. See:

      https://www.rfc-editor.org/rfc/rfc3924.txt

    5. Anonymous Coward
      Devil

      @AC

      You do realize that a project, enabled by default in the kernel, is called SE Linux and it originates from the NSA itself.

      You were saying?

      FreeBSD suddenly became so much more appealing...

      1. Charles 9 Silver badge

        Re: @AC

        You do realize that by making it a Linux instead of say a BSD the code must be open-sourced (GPL license requires it) and able to be analyzed. And the links of the chain needed to produce the kernel from source (like the compiler) could be obtained from places outside US control. SELinux was something they put in for their OWN benefit, to cover their OWN butts, because as the article notes, anything used here could be turned against them. Thing is, SELinux is a rather complicated way of doing things (no root user), so it's not for everyone.

      2. Paul Crawford Silver badge

        Re: @AC

        The whole point about SElinux (or apparmor, for that matter) is to deal with the problem of internal trust between processes that run with root privileges, or (like web browser or PDF reader) are likely attack routes. That is a big problem in ANY computer system. It is open sourced, so you or anyone else can check it!

        Like the fools who say AES is back-doored because the US use it, it completely misses the point. They want good security for themselves and US gov, as much as they want to break others, as they know Russia, China, etc will be doing the same in return.

        1. robmobz

          Re: @AC

          The old problem between COMSEC and SIGINT.

          If you can read it then so can they but if they cannot read it then neither can you.

  2. Frank Rysanek

    clean OS and hardware is possible

    I believe Linux is generally pretty safe against spyware. That would be a good platform for an endpoint OS, getting rid of keyloggers and the like. As for clean hardware... suppose that Intel's on-chip IPMI/AMT is compromised. Suppose that the AMT-related autonomous backdoor exists even in Intel CPU and chipset variants that do not openly support AMT (for the sake of sales segmentation). There are other brands of CPU's, without inherent support for IPMI/AMT. And, based on what I've seen so far, I don't think such a backdoor would be very useful and reliable, given how buggy IPMI/AMT is...

    1. Don Jefe

      Re: clean OS and hardware is possible

      Be that as it may, it amounts to fuck all if everything coming and going to the clean OS and hardware is wide open to surveillance. Save yourself some money and hassle and just buy NSA Compliant COTS gear with a decent warranty.

  3. Anonymous Coward
    Anonymous Coward

    Hmmm........... SELinux not so SE, then?

    And I thought Bamford had gone bonkers when he recently said crypto was broken.

    I understand someone wants to have a quick noisy shufty in Arabia to bury this news...

  4. Destroy All Monsters Silver badge

    Dat Citation!

    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

    "Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

    Yesss, master....

    Oh well, time to short cloud providers, then.

  5. h3

    So the real problem with Huawei / ZTE was that they wouldn't agree to this sort of thing.

    1. Suricou Raven

      Or a simple assumption that if the NSA is resorting to pressuring American manufacturers into the use of backdoors, then it's likely their Chinese counterparts are doing exactly the same.

  6. Marketing Hack Silver badge
    Big Brother

    How charming!

    I haven't read the NYT article, but CNBC has a really good piece on this that lists Snowden-leaked NSA/GCHQ documents revealing:

    1. How they use their position to water down/penetrate encryption standards as they are made

    2. How they occasionally work with hardware manufacturers to ship back door-laden gear being sold to "targets of interest" (You've got a Dell! It's the same one that Kim Jong-Un ordered!!)

    3. How the GCHQ is working towards penetrating 300 VPN streams

    4. How the NSA's program to help IT product/service providers validate the security of their offerings is also used to engineer NSA-friendly vulnerabilities into those offerings

    5. How the NSA got slapped down in their effort to openly insert a trap door into IT gear with their 90s "Clipper chip" program, and has since been working on a multi-pronged approach to do the same thing surreptitiously.

    It's a good read:

    http://www.cnbc.com/id/101012478

    LYING BASTARDS!!!

  7. XioNYC
    Mushroom

    Change of tactics

    As the NYT noted "Many... rely on such protection every time they send an e-mail, **buy something online**... use a phone or a tablet on a 4G network." (emph. added).

    If you want better privacy, start arguing that the NSA is impeding free trade.

    1. Don Jefe

      Re: Change of tactics

      The financial impact argument is already building steam over here in DC. Even some of the usual government is always good toadies I deal with have talked about "privacy specific" briefings and sales seminars where they're being instructed on how to address clients' concerns about US government access to data in their products.

      Of course they all blame Snowden for making their sales jobs harder. Not the government for doing it in the first place. Jackasses.

  8. dan1980

    What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people.

    Now, sure, much of the problem is with the government co-opting mainstream tech companies to force them to use their talent pool to work for the NSA (effectively) but surely much of the unpalatable spying is being effected by IT people hired by and working directly for the NSA - with knowledge of what they are doing.

    Right?

    How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?

    1. Anonymous Coward
      Anonymous Coward

      @dan1980 23:59

      "What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people."

      Why? 5 minutes looking at the OS/mobile phone/processor/anything arguments on The Reg's forums shows that IT people have strong opinions at both ends of an argument. It's no doubt the same for ethical/legal concerns, too.

      Plus, presumably people in the spook world get to play with some cool tech. Geek goggles might make the job more attractive. And in the current climate, having a job at all ...

    2. Anonymous Coward
      Anonymous Coward

      "How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?"

      You don't think a threat of a company getting tagged for ESPIONAGE wouldn't hurt them? If you make an algorithm you can't crack, we have to assume you're helping THE ENEMY (their thought, not mine).

    3. Suricou Raven

      Some of them might be genuine paranoid patriots, believing that the NSA's spying ability is essential to preserve the safety of their country.

      Others might be in it for the money. Well-paid work is hard to find. Do you want to respect freedoms for all people, or do you want to pay the rent? Choose.

    4. Anonymous Coward
      Anonymous Coward

      How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else?

      I would suggest that they are maybe the best and brightest of those who are willing to destroy the privacy and freedoms of everyone else in order to play with cool technology.

      The best and brightest engineers may actually be engaged in other, more socially useful, activities.

    5. Anonymous Coward
      Anonymous Coward

      Getting paid shed loads to fight the enemy. That's the usual pitch.

    6. This post has been deleted by its author

    7. Anonymous Coward
      Facepalm

      because it is fun and challenging.

      That's why.

    8. Intractable Potsherd Silver badge

      @dan1980

      Obviously, it isn't just Google that has "rogue engineers" ...

  9. dssf

    Section 31 of the FUture might be impressed with its PAST

    Which is our PRESent....

    Just because I'm paranoid doesn't mean they're NOT watching...

    That will become the normalized sentence....

  10. dssf

    This'll kill a lot of erections..

    Imagine how many of those m4m sites and phone apps must have a$$load$ of automated agents and the occasional "sampling" human in them. They could be in there just wasting time of those dripping like a dog looking for someone who'll never respond.

    Your sex chats/quest are being interrupted to prevent acts you WOULD have committed....

    Of course, if that is real, then the NSA and GCHQ will be literal cock-blockers impeding flow of goods and services, hahahah

    1. Don Jefe
      Alien

      Re: This'll kill a lot of erections..

      Man, I've got no idea what you're wanting, but if you take your list of demands to amanfrommars and have him relay the information to us in a human readable format someone here might be able to help you.

  11. Schultz

    Back doors

    So now we know why the US is so afraid of possible back-doors in Chinese hardware. They probably succeeded to get their own back-doors installed and realized that when they can do it, others can do the same.

    Maybe 'trust' will become an important factor in the future of electronic manufacturing. How to ensure that the infiltrated NSA, GCHQ, or Chinese agent can't subvert the hardware or software of the whole company? How to reassure the customers about it?

    Companies like Kapersky might be able to offer code audits (are they independent enough?), small companies could start building simple but secure devices for communication, things will get much more complicated than they are today. Welcome to the future of the internet -- thanks, NSA, for robbing our delusions about the internet we have.

    1. T. F. M. Reader Silver badge

      Re: Back doors

      "Companies like Ka[s]persky might be able to offer code audits (are they independent enough?)"

      They are Russian - what do you think? No, I do not mean to disparage them, they may be decent people, but it is even easier to exert pressure on a company in Russia than in the US/UK.

    2. Davehhhhh
      Unhappy

      Re: Back doors

      Good point - we worry about the NSA snooping on journalists with this tech (especially after the UK Home Secretary said it was OK to use terrorist legislation to get data off David Miranda) but of course there are powerful governments with a poor track record on human rights who could already be exploiting these back doors and no doubt in time some of the many contractors will roll off these programs into private security consultancies who work from some rather dubious regimes around the world.

      The next time there are reports of journalists or dissidents being tortured or murdered in Russia, China or some repressive Middle East state perhaps the people arguing that this program to systematically undermine the security of the internet is just for bad guys will stop and wonder how those journalists and dissidents came to be compromised.

  12. Mikel

    On trusting trust

    Don't.

    1. jake Silver badge

      @Mikel (was: Re: On trusting trust)

      Indeed. See mine from April 2009:

      http://forums.theregister.co.uk/forum/containing/470655

  13. json
    Black Helicopters

    Which begs the question..

    we can't really be anonymous even with comments here right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Which begs the question.. @json 03:10

      "we can't really be anonymous even with comments here right?"

      That's always been my presumption.

      "Anon, for obvious reasons" - always makes me snort.

      Oh, I was going to say it should be "raises the question", but on second thought realised you're right :)

      1. Anonymous Coward
        Windows

        Re: Which begs the question.. @json 03:10

        "'Anon, for obvious reasons' - always makes me snort."

        Ditto, but the anon icon merely makes it difficult to know who posted something on here, it does not hide your ID from site admins/NSA etc etc. It is a smoke cloak and nothing more.

        More irksome is its use when someone says something a bit risqué or inflammatory then hides behind anon.

        Cowards.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which begs the question.. @json 03:10

          I got a complete de haut en bas telling off from an AC the other day. Personally I feel that I may be not the nicest person out, but if I felt the need to hide behind AC, I shouldn't write it.

          1. WaveyDavey

            Re: Which begs the question.. @json 03:10

            "De haut en bas" - I consider myself pretty literate, but that was a new one to me - what a lovely phrase. Added to vocab store - thank you.

            1. Anonymous Coward
              Anonymous Coward

              Re: Which begs the question.. @json 03:10

              Thank my French teacher.

      2. Anonymous Coward
        Alert

        Re: Which begs the question.. @json 03:10

        Posting as AC is only marginally effective anyway. It only takes a few minutes to determine who it is (whose handle anyway) with a high level of confidence.

        I've also always wondered why AC's always use the Fawkes mask instead of any icon they want. I've sent a few emails to El Reg about both things but never heard anything back.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which begs the question.. @json 03:10

          Don't tell me! You just send an email to the site editor and ask 'Who posted the anon comment on 6 Sep 2013 at 10:22?' Now that's a back door.

        2. richard 7

          Re: Which begs the question.. @json 03:10

          AC's can only use the mask, all other icons are unavailable to them. Try an AC post, don't even need to post, the icons get greyed out.
