The latest Edward Snowden bombshell comes courtesy of the New York Times, which notes in a report this week that the NSA has managed to defeat most of the most common encryption schemes available using a wide variety of tactics. According to the documents received by the Times, the NSA has spent decades using supercomputers, "technical trickery," backdoors, court orders and behind-the-scenes persuasion to undermine major encryption tools.
To be clear, good encryption often remains difficult or impossible to compromise using brute force. However, the NSA obviously doesn't need to kick down the door when it can walk in through an open window, and it is exploiting software bugs and vulnerabilities, poorly designed crypto products, insecure networks, leaked keys, etc. From the Times:
The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
The Times notes that the NSA asked both the Times and other outlets running this story not to publish, arguing that doing so would result in people developing new encryption standards:
Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.
ProPublica, which also ran a story, has published a statement explaining why they feel publishing this story was necessary. The Guardian's story on this latest revelation also claims the government urged them not to publish their findings on encryption. Also worth noting in the Guardian report is a passage stating that the NSA recruits from telecom companies to aid them in inserting vulnerabilities worldwide:
To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents. This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry." "This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn.
The revelations piggyback on a report by the Washington Post late last month highlighting the agency's previously unknown (though assumed by many) ability to defeat most major encryption standards. As added reading, readers might want to check out Bruce Schneier's top five tips on securing yourself in this brave new NSA surveillance age.