The security services of the US, UK, and Sweden have been actively working to plant backdoors into most commercial cryptography software. While intended to use for wiretapping business secrets, medical journals and bank transactions, those backdoors are also there for any other adversary. This is effectively a declaration of war from the security services against all of humanity.
The news broke this morning that the NSA (US), the GCHQ (UK), and the FRA (Sweden) have been actively working to subvert the cryptography that makes our society tick, by planting backdoors in most if not all commercial cryptography software. This means that these agencies have deliberately made all of us vulnerable as we conduct our banking business, as we go to the hospital, and as we talk privately online. Our society depends on our ability to keep secrets, and the deliberate planting of backdoors, the deliberate subversion of our infrastructure, is nothing short of a declaration of war. Even according to U.S. Generals.
“A cyber attack on the U.S. could be met with a conventional military response.”
— chairman of the Joint Chiefs of Staff, Army General Martin E. Dempsey
Disregarding the ridiculous use of the word cyber, which makes him sound as if he’s stuck in a 1970s steampunk novel, the statement from such an authority makes it crystal clear that an attack that tries to subvert communications infrastructure is considered a military attack. And this is the attack we’ve had, on a global scale, against all mankind, from the NSA, the GCHQ, and the FRA.
It is important to note that cryptography itself has not been breached, as erroneously reported by several oldmedia this morning. While the end effect can be the same, there is a crucial distinction between the NSA/GCHQ/FRA subverting implementations of cryptography, versus breaking the math itself. The security services have not broken cryptography, they have been subverting commercial cryptography products to be defective, using moles and other forms of pressure on technology companies to work with the NSA/GCHQ/FRA against their own customers and against mankind.
This difference is crucial as non-commercial cryptography products can be not defective. For example, look at this post from Theodore Ts’o this morning:
“I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. […] Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.” — Theodore Ts’o
This example is significant because all cryptography depends on good random number generators, and “/dev/random” is the random number generator for all GNU/Linux systems, probably including your Android phone – the technical term /dev/random can be read as “the random generator device”. It would appear that somebody sought to subvert all systems based on the Linux kernel to be vulnerable to the NSA/GCHQ/FRA. Fortunately, that failed due to the good judgment of one engineer here.
This subversion of our critical infrastructure doesn’t just let the NSA and its ilk listen in. It lets anybody listen in that has enough technical skill to discover the planted back doors – and there are plenty of people who have that skill. The security services, with the job of keeping us safe, have effectively trashed our security completely. Assume the worst criminals can eavesdrop with much more ease than the NSA were ever able to, thanks to this subversion and breach of trust.
We can safely assume that all American software is thoroughly Swiss-cheese compromised. If you’re running anything from Microsoft or Apple, you’re owned. They’re in your system, in your documents, and in your production. You were played for a fool and you need to switch to a free-software solution or stay owned.
However, cryptography itself has not been broken, as already stated. Oldmedia can’t tell this crucial difference, so I’ll leave it to the words of Edward Snowden, who can presumably be trusted on the matter:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” — Edward Snowden
Note how Snowden also makes the crucial distinction between cryptography itself, properly implemented cryptography, and the subverted commercial systems, “endpoint security”.
Bruce Schneier, one of the world’s leading security experts (if not the leading security expert), makes a similar observation:
“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are” — Bruce Schneier
In a column in The Guardian, Schneier also ominously elaborates on why these services are the enemy of all mankind, and why this is the last opportunity to learn from history:
“Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?” — Bruce Schneier
The declaration of war has already been made, the glove thrown, the first strike executed. It is up to us to not repeat the mistake of the families in Berlin in the winter of 1932, who still went weekend skating in the parks in denial.
I’m writing the NSA, the GCHQ, and the FRA in this article. That is since yesterday’s revelation in the Europarl hearing that the Swedish FRA is a key player in the ongoing NSA surveillance, having the code name Sardine. (I wrote about documents strongly suggesting that back in July.) When the EU gathered to discuss and protest against the NSA’s global spy network, you may recall that the UK and Sweden vetoed that discussion. Seeing how the UK and Sweden are part of the spy network, that comes as no surprise today, but is still incredibly shameful to the brink of treason. There is no further reason anybody in the EU could trust the ministers of those countries ever again on the matter.
Finally, the NSA, GCHQ, and the FRA are faceless legal constructs. But the people who have executed these attacks on humankind are just that, individual people. They are the people who work for these agencies. They are the ones who have declared war on humankind, individually, and they are the ones who must be made to answer for it.
They have a choice. They can come clean, as Snowden did, or they can remain an individual who declared war on humanity.
UPDATE — Techdirt makes the same observation: NSA, GCHQ admit that the public is the enemy.
Great, now I’m on the United States of Assho*HRRM, America’s death list… This will not end. People will ignore it like usual, not care, go “I have nothing to hide”, and so on. The USA will become the ultra-totalitarian United States of Earth in maybe 30-50 years…
Maybe they’ll change that name to People’s United Democratic States of Earth, like usual…
you got that right! Even now that it is the encryption that “THEY” use not the ‘evil’ kind that “bad” people use they will continue on like nothing happened. my fellow subjects of the former USA are for the most part pathetic but then again so is most of the western/moderen world. The US is gone! DOA. It may have been on life support when GWB left but the damage done by the plant known as Barack is unimaginable. Carl rove’s wet dream. What a disgrace he has been. He speaks of damage done by E. Snowden but it can’t compare to the un-ending avalanche of lies that continue to be spewed by his administration only to be proven as lies soon after.
A more disgusting group of traitors has never existed! Can sheep revolt? Can they rise up in a bloody battle for basic rights? I doubt it but really hope so.
Hello you JBT’s You’re traitors to your country
You might want to add that plans for fiber between Finland and Germany are technically brilliant idea exept NSA has own spyfacility inside German borders… If that was only embassies as usual, it would’t be that a terrible broblem.
Humans create something, again something that is brilliant and really boon for human race.
Reaction from ‘mentally challenged’ is =
a: destroy it
b: spy on it
c: control it
There are actually several types of insanity on that behavior… And since it’s only metadata I won’t tell you how sick you are.
Bad World to live in…
I think the lesson here is to only use open source crypto and have it regularly audited by experts not in the pay of the NSA. Closed source “security through obscurity” never works.
“When the EU gathered to discuss and protest against the NSA’s global spy network, you may recall that the UK and Sweden vetoed that discussion. Seeing how the UK and Sweden are part of the spy network, that comes as no surprise today”
This is just insane. I’m without words.
At this point it has become clear and without a chance of doubt that those 2 guys are working together and have their own special agenda along with the US.
Saying that we should take anything they do or claim from now on with a grain of salt would be an understatement.
They have been caught in a conspiracy against everyone else and even voted to keep it a secret with a straight face. If it wasn’t for the leaks, they would still be giving us lies, they probably are still giving us lies actually and it’ just a matter of time until the next leak shows us how.
If I were Europe I’d do the only responsible thing I can think of, holding serious discsussions about this issues without the UK and Sweeden involved since they cannot be trusted.
Figure out how truly deep this conspiracy goes.
US wants to spie on its people? Their problem. But using international internet transit points and manipulating the international neutral bodies in charge of security to sabotage it all to have complete secret spies that know it all everywhere is really an aggressive thing against the rest of the world.
They compromise everyone.
What is affected more exactly? Is there a hardware random number generator in modern computers? Is the random number generator itself compromised, can programs use other (software) RNG’s in Windows, does Windows catch the message before it’s encrypted? Can programs use unsafe RNG’s in GNU/Linux? What do we know? What does OpenVPN use? What does PGP/GPG/Enigmail use?
Also, I think you are a bit too nice towards Google. They are an American company, and they do not have the best record when it comes to privacy. Be sure that Android contains spyware.
Forget Windows. You can install the free Gnu Privacy Guard (PGP) in Windows too, but it does not matter since the OS itself is compromised, they just use the backdoors Microsoft put in place for them and you are owned, theu get the cleartext even before any encrypton. If Microsoft, Google, Yahoo , Facebook and so on where decent companies, they would have done like Lavabit when NSA approached them, they did not so their software or services cannot be trusted. They just hide behind the law. The same could be said about Swedish ISPs when FRA approach them to supply data to their points of cooperation. Decent companies would fight, or close down their companies, but this wont happen, except maybe one or two really small companies that do not matter.
BTW. Rick has still to this day scripts from Google, Facebook and more on this very blog. That says a lot about how deep in the Niemuller hole most people are. When not even Rick can withstand the temptation to turn his blog into informing who visits it to them, for whatever reason, how can we ever even dream of any kind of substantial opinion to turn the tide?
HW with DMA > OS > encryption software.
One “foolproof” way would be 2 isolated machines, 1 online, 1 offline. The online one only sends/receives encrypted data. Encryption and Decryption done on the offline computer. That way, the cleartext could never be both read and sent to any third parties (without physical access).
Not foolproof if the offline machine uses a deliberately predictable random number generator or anything else that weakens the cryptography.
Yes you are right. Making good random numbers is important. But at least you don’t need to worry about any hardware / OS / software backdoors leaking the clear texts.
I don’t want to defend Google’s record on privacy, but their version of Android is free software. They could still hide backdoors in it, but it would be very risky to do so since there are literally hundreds of thousands of people who could find them.
But most people don’t get their Android directly from Google’s source code repositories, and there’s no telling what the phone vendors are hiding in their closed-source drivers and other bundled software.
I won’t dispute “Spyware in Android” as such, as I don’t have the knowledge. But one might think it is less likely, since 1) the Block-Letter organisations would need to secure the cooperation of the carriers, since the provisioning of virtually every phone’s operating software is carrier-specific, and the carriers already have a very extensive “Lawful Intercept” toolbox. There thus seems to be little to gain pwning the phones, compared to the risk of leaving evidence of the pwn on them.
But this is an educated guess at best.
Still no real answer to how it works.
Sad days for sure. Maybe someday the Free Software Movement of the 90s will become a Free Hardware Movement or a Free Infrastructure Movement.
I wonder if it’s a good idea to trust the accelerated AES instructions on recent Intel and AMD processors. I’ve always looked for that when buying computers, especially laptops, since I want to save a little bit of CPU time and battery power when using disk encryption, but now I’m thinking that it may be a good idea to disable it. The hardware isn’t selecting the keys and it can’t add any weaknesses or faults to the encrypted data since it needs to be compatible with all other AES implementations, but if it justs stores away the keys so that they can be recovered later using a secret instruction, that would be bad enough.
http://www.youtube.com/watch?v=nAJ0AE01Nqw#t=4455
Another good article from Rick.
But folks, amongst monsanto and the other evils, here’s another one which is extremely dangerous.
This just in!
http://www.youtube.com/watch?v=nAJ0AE01Nqw
Sorry for the timestamp, here’s the one without it.
So Rick, does this mean you will be removing your public key page since only those who have invested an enormous amount of time securing their (linux) systems will be able to communicate with you privately?
In other words, are you done with email?
PP FTW
That makes no sense. Why would someone stop using the world’s most used decentralised public key system because some implementations are not as secure as they might be? PGP doesn’t have any particular ties with email, except that the user IDs are email addresses (or at least look like email addresses). You can use it to encrypt and sign anything, not just email.
And it was apparently secure enough that no one in the US spying organisations found out what Snowden was talking to Poitras and Greenwald about before it was too late for them to act on it.
There are other issues, which I’ve tried to cover here.
Wayne
Manual “pingback” as your site does not seem to support it: http://integritetsnytt.wordpress.com/2013/11/16/amerikansk-dator-da-kan-du-vara-rokt/
Testing, ignore