For the past decade, the NSA has been busy thwarting the encryption that millions of netizens count on to guard the privacy of their electronic communications. Based on NSA documents from whistleblower Edward Snowden, the New York Times, The Guardian and ProPublica published details of how the NSA has cracked or circumvented encryption and formed covert partnerships with software and hardware vendors to have backdoors built into their products.
After reading "hundreds of top-secret NSA documents," cryptographer Bruce Schneier gave five pieces of advice on how to best keep your electronic communication secure against the NSA. One of the most alarming details is that he felt the need to buy a new computer that "has never been connected to the internet" to use as an air gap. To transfer a file between his secure PC and his internet computer, he uses a USB stick.
You should still encrypt. Even Snowden said it works, adding, "Properly implemented strong crypto systems are one of the few things that you can rely on."
Schneier agreed but also warned us to "be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well."
Meanwhile, cryptographer Matthew Green suggested that the commercial encryption code we should be most concerned about being weakened is Microsoft's. "If we're talking about commercial encryption code, the lion's share of it uses one of a small number of libraries. The most common of these are probably the Microsoft CryptoAPI (and Microsoft SChannel) along with the OpenSSL library." Green added:
Of the libraries above, Microsoft is probably due for the most scrutiny. While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source. You can view Microsoft's code (if you sign enough licensing agreements) but you'll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect.
And this is a problem because Microsoft IIS powers around 20% of the web servers on the Internet -- and nearly forty percent of the SSL servers! Moreover, even third-party encryption programs running on Windows often depend on CAPI components, including the random number generator. That makes these programs somewhat dependent on Microsoft's honesty.
The Guardian previously reported that the NSA worked with Microsoft to allow the interception of users' private communications. The NSA obtained "pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service," added the New York Times. "Microsoft asserted that it had merely complied with 'lawful demands' of the government, and in some cases, the collaboration was clearly coerced. Some companies have been asked to hand the government the encryption keys to all customer communications, according to people familiar with the government’s requests."
In a different article, "The US government has betrayed the internet," Schneier wrote:
By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.
He said we need to take the internet back and called for engineers with insider knowledge to turn into whistleblowers. If you know about the NSA subverting products or protocols, Schneier asks you to come forward and tell the truth about such unethical activity. He has heard from five people, but he needs to hear from 50. "There's safety in numbers, and this form of civil disobedience is the moral thing to do."
Schneier also calls on people to innovate, "to re-engineer the internet to prevent wholesale spying," and to "make surveillance expensive again." In closing, he added, "To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it."
Image credit: TechFlash Todd via ResourceSpace
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.