Pages

Thursday, September 5, 2013

The NSA Is Destroying Trust Required For Use of Cyberspace

It was widely reported today by the AP and others that the NSA and the British GCHQ is undermining the efficacy of internet encryption.  The end result of their efforts will harm the world economy, as the trust needed for commerce in cyberspace is eroded.   Details are on the Guardian and ProPublica.  Even these reports are not complete, news agencies have admitted that they omitted details at the request of intelligence agencies.  ProPublica has the most detailed report; I recommend that every citizen read it all. Key issues and consequences are summarized here.

The NSA has deliberately weakened encryption standards.  This has introduced back doors that could be exploited by criminals and foreign intelligence services.  This undermines trust in America to lead standards making.

The NSA can decrypt SSL and VPN technologies, widely used to secure internet communications and conduct business on the internet.  How long before other countries who use criminal activity for their own benefit (China) take the same path to steal commercial information and money.

Firms that provide encryption technology to the NSA for evaluation are actually opening themselves to be influenced by the NSA into introducing back doors into their products.  How long will companies continue to use NSA resources to improve encryption, if it just results in new back doors.  How long will the world trust American technology companies.
A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".

Ladar Levison may have summed up the damage to America's commercial interests best:
“Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”



2 comments:

  1. While computers were designed to break encryption, it is really about making the breaking of encryption too expensive to be practical. It is also pretty easy to make an encryption algorithm or data tokenization scheme.

    Consider this link, http://www.theslobs.org/view.aspx?loc=aHR0cDovL3RoZWxpYmVyYXRvcnRvZGF5LmJsb2dzcG90LmNvbS8yMDEzLzA5L3RoZS1uc2EtaXMtZGVzdHJveWluZy10cnVzdC1yZXF1aXJlZC5odG1sfFRoZSBOU0EgSXMgRGVzdHJveWluZyBUcnVzdCBSZXF1aXJlZCBGb3IgVXNlIG9mIEN5YmVyc3BhY2V8c25vd2RlbnxCLURhZGR50

    I made a custom encryption just for the hell of it on theSLOBs.org website.

    ReplyDelete
    Replies
    1. Agreed that custom encryption can be created, but it doesn't protect us when we have to use SSL to shop on line or when we encrypt email to communicate with someone else. It's impractical for the average person to use custom tools to protect themselves. In fact, it is exactly terrorists and criminals who have the incentive to do so. As a result, the NSA will be eavesdropping on average citizens. The standards of the internet itself need to have adequate security so that the average user can feel secure.

      Delete