Friday, September 6, 2013

Why I Think the NSA Is Lying

By Simon Black

Singapore

"At what point do we just start calling these guys the Stasi," asked a friend of mine over coffee today.
He was, of course, referring to the latest news out of the Guardian-- the same British paper that published Edward Snowden's original whistleblowing interview.

First the world learning that the NSA's PRISM program monitors almost ALL Internet traffic, worldwide. Now the Guardian reports that the NSA and its British counterpart GCHQ have 'cracked codes' across the Internet that were once thought uncrackable.

Dropbox, for example, is a popular file storage and sharing tool that allows users to upload Gigabytes worth of files to their servers. And they claim that their security protocols encrypt the file transfers from end to end.

(Of course, Dropbox's privacy policy also states very plainly that they will happily give up your data to any law enforcement agency that comes asking for it...)

But the NSA claims to have cracked HTTPS and Secure Socket Layer protocols which encrypt digital communications.

And of course, it's been leaked that Microsoft is firmly in bed with the NSA, providing the agency with backdoor access to users of Microsoft Outlook.

Perhaps this is what Lavabit CEO Ladar Levison meant when he said, "If you knew what I knew about e-mail, you might not use it."

(Lavabit was a secure email provider that recently shut itself down rather than "become complicit in crimes against the American people.")

I have to tell you, though, I'm deeply suspicious some of the NSA's assertions.

They seem to be claiming that they have cracked nearly everything, and that they have backdoor access to privacy software. But this is practically impossible.

A lot of encryption software used today is actually 'open source'. This means that the software code is freely available to anyone.

GNU Privacy Guard (GPG) is a great example. GPG is an open-source, free alternative version of Phil Zimmerman's original PGP software. And it's widely used to encrypt files and emails.

But because GPG is open-source, the software code is available for anyone to view, inspect, and modify. If there were any backdoor access for the NSA, thousands of people would see this.
Not to mention, to penetrate a single 2048-bit encryption key can take anywhere from thousands of years to tens of millions of years, even with the fastest supercomputers.

Consequently, it's IMPOSSIBLE for the NSA to have cracked everything. And my assessment is that this is an intimidation campaign.

The NSA wants people to think that they have this capability.

And if everyone thinks that the NSA is Big Brother's Big Brother, all-seeing and all-knowing, then not only will everyone be terrified, but everyone will simply stop using encryption.

After all, why bother going through the hassle of encrypting/decrypting if the NSA can still read the contents of your email?

It's in the NSA's interest for people to think that the agency is almighty. I don't buy it. These people are seriously vile. But they don't have superpowers.

When done properly, email encryption is still a good option. And there are a number of open-source tools out there to consider using.

You can read about several of them in our free report-- How to Give the NSA the Finger. And for members of our premium service, Sovereign Man: Confidential, you'll soon receive a step-by-step guide specifically for email encryption. More to follow on this.

Have a great weekend.

Simon Black is Senior Editor  at SovereignMan.com. Follow Sovereign Man on Facebook, Twitter, Google+

6 comments:

  1. If you subscribe to the view of monopolies that suggests over time their costs rise and the quality of their performance declines, then the idea that the NSA is overstating their capabilities makes a lot of sense.

    ReplyDelete
  2. I wanted to clear up a few misconceptions Simon Black advanced in his article, "Why I think the NSA is lying." For some background, I have worked on the technical side of the "Information Security" industry and have for about 15 years.

    Simon said, "GNU Privacy Guard (GPG) is a great example. GPG is an open-source, free alternative version of Phil Zimmerman's original PGP software. And it's widely used to encrypt files and emails.
    But because GPG is open-source, the software code is available for anyone to view, inspect, and modify. If there were any backdoor access for the NSA, thousands of people would see this.
    Not to mention, to penetrate a single 2048-bit encryption key can take anywhere from thousands of years to tens of millions of years, even with the fastest supercomputers."

    This is a common misconception. The "many eyes" argument doesn't mean what Black says it does. Consider the following train of thought:

    All software has bugs. Some of these bugs have been present since the very first version of an application, others are introduced over time as new code is integrated into a project. A decent backdoor in code is never obvious. They don't come with with comments saying, "Back door here," presenting an obvious access mechanism. Instead, backdoors look exactly like the kinds of subtle security flaws that accidentally plague software.

    When analyzing a bug, it's impossible to determine intent. All you can tell is that it's a bug whose impacts include some kind of unintended program flow with security implications.

    Open source projects, by nature, have lots of contributors. Since released open source projects have always unknowingly possess bugs which will be discovered later, we can be sure that assurance processes are imperfect.

    This means it would be possible for an organization to submit new features and patches to a project which contain intentional vulnerabilities that are indistinguishable from subtle technical or logical flaws through a sock puppet identity. These vulnerabilities would then end up in release versions of software such as GPG.

    Black continued, "Consequently, it's IMPOSSIBLE for the NSA to have cracked everything. And my assessment is that this is an intimidation campaign."

    From a quantitative standpoint, this is untrue. There are a limited number of popular implementations of software functions like cryptography which are popular. For example, GPG relies on a library called "libgrcypt" as does much other software. If a subtle weakness or vulnerability was included into GPG and wasn't noticed some time, all software which uses libgcrypt would be similarly vulnerable.

    Similarly, OpenSSL is a popular encryption library that implements a number of different encryption algorithms for the SSL/TLS encryption protocol. SSL/TLS is used for network encryption such as visiting a "secure" website and for some VPNs. Many popular software applications such as VPN clients and servers, and web browsers and web servers use OpenSSL. There are about ten popular implementations of SSL/TLS which, between them, comprise most encrypted network traffic. Nine are open source projects. One is Microsoft who has already been identified as working with the NSA in this regard. (http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

    (continued)

    ReplyDelete
  3. In other words, known flaws in even most of the would give easy access to communication via applications that use these libraries. Worst case (for us), it could mean easy access to most encrypted communication. The NSA doesn't have to crack everything, they just have to know of flaws, perhaps because they introduced them, in a majority of the smaller number of commonly used crypto libraries.

    Another related risk is their knowing of flaws in the algorithms implemented by all these libraries, perhaps because they intentionally introduced a subtle weakness into an international standard. It also doesn't consider that they could have copies of the "Root Certificates" issued by the most popular US-based SSL/TLS "Certificate Authorities" for the kinds of attacks described by privacy researchers Christopher Soghoian and Sid Stamm several years ago in a paper "Certi ed Lies: Detecting and Defeating Government Interception Attacks Against SSL" (http://cryptome.org/ssl-mitm.pdf)

    Also, I would advise caution in following the linked-to guide entitled "DIGITAL PRIVACY BLACK PAPER" in the expectation of protecting one's security and privacy from state actors to any great extent. Unfortunately I don't know of any guide that is similar but "better," my professional distrust informs me that such a thing may not be possible. Private sector operational security against state actors in the current environment is a very tricky endeavor.

    ReplyDelete
    Replies
    1. "The NSA doesn't have to crack everything, they just have to know of flaws, perhaps because they introduced them, in a majority of the smaller number of commonly used crypto libraries."

      Exactly, "SELinux"...developed by the NSA...now resides in the the newer kernel's of every branch of linux.

      You can get away from it...but you have to go backwards to do so.

      Delete
    2. Your points are all spot-on. There another mistake Simon makes. He mentions that to "penetrate a single 2048-bit encryption key can take anywhere from thousands of years to tens of millions of years, even with the fastest supercomputers."

      I think this also represents a flawed understanding of SSL/TLS. The 2048 bit keys are only used for the asymmetric encryption used for authentication and key exchange. The key exchange is to allow a secret key to be negotiated for a symmetric protocol like 128 or 256 bit AES. This is the key size of the actual data exchanges. While theoretically still strong, they are still much weaker than the 2048 bit keys. If there are weaknesses covertly programmed into the standard, the message packets can be saved and decoded by some algorithm at a later time.

      Also, one of the things these guys do is build "covert channels" into a data stream. Almost anything that can be modulated in some way can be used to pass 1s and 0s piggybacked on the data stream. The data stream is much slower, obviously, than the main stream, but it could be used to pass the actual transmission key or other data about the end users.

      About 20 years ago, the standard for resisting covert channels was 1 bit per second. In other words, for your system to be secure, it was supposed to be analyzed and proven to resist covert channels to allow no more than 1 bit of information per second to cross covertly (yes, I know that's unprovable BS, but that was the supposed "standard"). That's they way these guys think, so if they've affected base code, I'd bet they've built these kinds of channels into the code, and they could be very difficult to detect.

      Delete
  4. I love the Open Source movement, but a man has to know his limitations.
    Open source can't protect you if the possibility exists that the program you are running does not match the source code.
    Also, in the case of an encryption standard that the NSA has had anything to do with, the betrayal is in the design of the methodology. Any correct implementation will be compromised.
    It was discovered recently that Google had a "bug" in a random number generator that shipped with Android that just happened to weaken whatever encryption software that relied on it. The ultimate outcome was positive, but it does illustrate that the evil-doers think - correctly - that they can corrupt just about anything.

    ReplyDelete