Washington’s BlogMaking Us All Less Safe In the Process
Norway’s largest newspaper (Aftenposten) reports today that British spies pressured the developers of cellphone standards in the 1980s to intentionally weaken the cellphone’s encryption:
The British argued that the key length had to be reduced [the longer the key length, the stronger the encryption]. Among other things they wanted to make sure that a specified Asian country should not have the opportunity to escape surveillance.
***
We are still now having an encryption that is about 1000 times weaker than originally planned.
That means that it probably would have taken longer time for NSA and others to crack the encryption, and a certain amount of eavesdropping would have been avoided.
In other words, hackers can break into cellphone calls much more easily because the British spied intentionally made the encryption 1,000 times weaker than it otherwise would have been.
This isn’t the only example of Western spy agencies destroying security.
The NSA paid leading encryption company RSA $10 million to weaken its encryption algorithm. Many other encryption companies have probably also accepted a deal with the devil. As ProPublica reports:
The N.S.A. has been deliberately weakening the international encryption standards adopted by developers.
New Scientist reports:
The internet is full of holes. The spy agencies in the US and UK have forced technology suppliers to deliberately weaken security measures in the online computing systems that everyone uses. As a result they may have compromised everybody’s security – since the vulnerabilities can be exploited by anybody who discovers them.
***
One of the leaked documents reveals that the NSA and GCHQ aim to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”. An “endpoint communications system” simply means a computer, tablet or cellphone.
A top expert in the ‘microprocessors’ or ‘chips’ inside every computer – having helped start two semiconductor companies and a supercomputer firm – says:
He would be “surprised” if the US National Security Agency was not embedding “back doors” inside chips produced by Intel and AMD, two of the world’s largest semiconductor firms, giving them the possibility to access and control machines.
***
[The expert] said when he learned the NSA had secured “pre-encryption stage” access to Microsoft’s email products via the PRISM leaks, he recognised that “pretty much all our computers have a way for the NSA to get inside their hardware” before a user can even think about applying encryption or other defensive measures.
Documents leaked by Edward Snowden show that the NSA targeted:
Firewalls from Juniper Networks, hard drives from Western Digital, Seagate, Maxtor and Samsung, networking gear from Cisco and Huawei, and servers from Dell [as well as other equipment.]
NSA also encourages large internet companies to delay patching vulnerabilities, to allow the NSA time to exploit them. See this and this. In other words, the NSA encourages companies to allow vulnerabilities to remain unfixed.
And the NSA started building in backdoor access to all Windows software by 1999.
Whenever the NSA or GCHQ creates a “backdoor”, it allows all sorts of bad guys in to exploit it.
Spying makes us vulnerable to hackers and other bad guys:
- IT and security professionals say spying could mess up the safety of our internet and computer systems
- The Electronic Frontier Foundation notes:
“By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, ‘It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.’”
- Schneier provides details:
“[NSA spying] breaks our technical systems, as the very protocols of the Internet become untrusted.
***
The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.
***
We need to recognize that security is more important than surveillance, and work towards that goal.”
- Another expert on surveillance and cybersecurity – Jon Peha, former chief technology officer of the FCC and assistant director of the White House’s Office of Science and Technology – says that the NSA’s spying program “inevitably makes it easier for criminals, terrorists and foreign powers to infiltrate these systems for their own purposes”
- “The risk is that when you build a back door into systems, you’re not the only one to exploit it,” saidMatthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”
- The inventor of the World Wide Web agrees
- The stakes are high:
“A team of [10] UK academics specialising in cryptography has warned … that ‘by weakening all our security so that they can listen in to the communications of our enemies, [the agencies] also weaken our security against our potential enemies‘….
The biggest risk, they imply, is that civilian systems and infrastructure – perhaps including physical systems such as the power grid – could become vulnerable to attack by state-sponsored hackers who are capable of exploiting the same ‘backdoors’ in software that have been planted there by the western agencies.”
- And the NSA’s big data collection itself creates an easy mark for hackers. Remember, the Pentagon itself sees the collection of “big data” as a “national security threat” … but the NSA is the biggest data collector on the planet, and thus provides a tempting mother lode of information for foreign hackers
The NSA and GHCQ’s mucking about has made us all less safe …