
First POST: Exploitable

BY Micah L. Sifry | Friday, September 6 2013

  • The New York Times, The Guardian and ProPublica are jointly reporting a major new angle in the ongoing Snowden Saga: The National Security Agency has managed "to undermine the major tools protecting the privacy of everyday communications in the Internet age." Remember the war over public access to strong encryption and the government's call for the "Clipper Chip"? "Having lost a public battle in the 1990s to insert [the NSA's] own 'back door' in all encryption, it set out to accomplish the same goal by stealth," the Times reports. Here's the key graf from the Times' story:

    “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

  • Important also to note: The documents this story is based upon, says the Times, "are among the more than 50,000 shared by the Guardian" with it and ProPublica. In other words, the constellation of journalistic institutions now working with what we might call the Snowden File has grown substantially.

  • Also important: "Intelligence officials asked The Times and ProPublica not to publish this article, saying it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools."

  • The Guardian's report on the same material adds context that might make American readers take more notice. For one thing, the paper emphasizes this point: the NSA worked to "insert vulnerabilities into commercial encryption systems" that would be only known to it. And then it says why this matters.

    "Cryptography forms the basis for trust online," said Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society. "By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet."

  • More from Schneier here, with a call to internet engineers: "The US government has betrayed the internet. We need to take it back."

  • And here: "How to remain secure against NSA surveillance."

  • The Center for Democracy and Technology's senior staff technologist Joseph Lorenzo Hall responded to the news:

    “These revelations demonstrate a fundamental attack on the way the Internet works. In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it’s incredibly destructive for the NSA to add flaws to such critical infrastructure. The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners. The NSA simply should not be building vulnerabilities into the fundamental tools that we all rely upon to protect our private information.”

  • And then there's this: One NSA program was codenamed "Cheesy Name," with the purpose of "singling out encryption keys, known as 'certificates,' that might be vulnerable to being cracked."

In other news around the web:

  • Software guides to the GOP Data Center have been posted online. It's not clear if this is supposed to be open to public viewing, but a glance at the guides suggests that Republicans will get access to a suite of tools enabling them to create an organization profile, access voter data, pull a voter count out of the data using various criteria including household info and other user-generated tags, etc. From the introduction to the GOP Data Center:

    "GOP Data Center is an online application designed to allow users access to a variety of voter data. The application allows users to search for individual voter records and create lists using a variety of criteria including geography, party, vote history, and more. Access to the application and site permissions are determined by each State Republican Party. If you are interested in accessing GOP Data Center, please contact your State Party."

  • A conservative political action committee has asked the FEC for an advisory opinion to allow it to accept donations in bitcoin. Frank Wilkinson of Bloomberg, a sharp editorial observer of money in politics, predicts the commission will approve the request, and says it will "expand the parameters of a campaign finance system regime that is seemingly stretched to the breaking point."

  • Greenpeace USA's social media team explains how they used Facebook Insights to fine-tune their online outreach and increase their Facebook page's reach.

  • The New Republic critiques the Syrian presidency's official Instagram account.