The US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) are able to foil most, if not all, of the encryption that is used on the internet, according to The New York Times and The Guardian. The revelation comes from the information that was leaked by Edward Snowden earlier this summer (links to the articles are at the bottom of the page).
I think npr.org summed up the situation quite nicely:
While the main premise of the story isn’t surprising — one of the main goals of the NSA is code-breaking, after all — the breadth of the program and some of the “trickery” described in the pieces are.
The trickeries involve:
- Inserting back doors and other weaknesses into encryption and other security tools
- Coercing companies into cooperating
- Surreptitiously installing software on computers to trap information before it’s encrypted
There’s much, much more, including actions that are the equivalent of hitting above the belt in the intelligence community, like designing gigantic clusters to break passwords, legitimately finding out weaknesses (that they themselves didn’t plant) in security software, and the like.
On the whole, though, it seems to me that even these “tricks” aren’t unexpected. I mean, it’s not as if we’re referring to alien technology. Coercion and the like – it’s the kind of stuff that governments have done since governments existed.
To me, more impressive is this fact: what security professionals and experts have said over the years has been proven true.
- Encryption works. Sure, the stories make it sound like it’s a moot point, but notice how many of the techniques described are designed to get around encryption rather than break it. It’s because strong encryption poses a real problem.
- Backdoors will be found. The NSA championed a flawed encryption standard that was adopted in 2006. It was flawed because there was a backdoor in it, planted by the NSA. Cryptographers found the backdoor in 2007. Generally, weaknesses in encryption are found sooner or later, and usually sooner. Which is why I feel pretty comfortable with AES. Despite prodding and poking by security researchers all over the world, it still stands.
- Encryption is not a panacea for data threats. It’s been noted that encryption is not a magic bullet, no matter how strong it might be. Other ways to get around it will be found (obligatory xkcd comic).
So, secure your data with crypto. Use full disk encryption on your laptops with sensitive data. Check for that padlock on your browser. The government may be able to get past all of that, but frankly, there are more important reasons why you want encryption in place.
Related Articles and Sites: