Interesting article in the Guardian.
Of course, anyone involved in any news story will have some idea of the quality and accuracy of reporting, and even if the reporting is accurate, there is no doubt some usefulness in these agencies spreading FUD (Fear, Uncertainty and Doubt) by saying they can crack stuff that they cannot.
Ultimately any security system is crackable, what matters is whether that takes micro seconds (and so is done on every message monitored) or takes until the sun burns out, or somewhere between. The key to any security is ensuring data stays secure long enough not to matter, or in a way that it is not worth the effort and cost of cracking it.
The claims in the article are quite varied...
At one point it is claims they have worked to have control over setting of international encryption standards. This would suggest that they have influenced the actual standards used in a way to dumb them down in some way to make them easier to crack. My understanding is that this did happen in the design of GSM encryption where, at a late stage, changes were made at the insistence of governments to dumb down some of the protocols. However, open standards would be very difficult to dumb down like this - they are designed in an open and public forum.
Then they talk of the use of supercomputers to break encryption with "brute force". This seems unlikely, and is where the cost of breaking a message is high, so has to be very targeted. In practice you can't just brute force encryption, but anything with a user chosen password can be, as people are stupid when it comes to picking passwords. Again, this would be somewhat targeted.
Then they talk of the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves. This is not entirely clear. Obviously encryption is end to end, and so if you access a secure web site, anyone working with the site owner can access everything without cracking any encryption. I am not sure how working with ISPs fits. If you are using end to end email encryption then this will have no effect.
And finally: Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software. This is interesting. The key word here is "commercial". There are lots of non-commercial, open-source, widely checked and validated systems for encryption and you use them every day. The most popular web servers in the world are apache based, which is open source. One of the key email encryption systems is PGP which is still available open source (GPG). Open source means that anyone can see every line of the source code, and can see any back doors that have been added - there are a lot of very smart people all over the world that make a point of checking this stuff.
What they seem to miss in the article is one simple thing that is widely believed to be happening. The provision of certificate authority keys to the NSA, GCHQ, etc. This allows man-in-the-middle attacks on https without warnings on your browser as they can create valid certificates for their interception systems on the fly and decrypt your traffic just as the endpoint could. This is risky to use as it is something that could be detected.
There is one final point which is rather odd. A team has been working to develop ways into encrypted traffic on the "big four" service providers, named as Hotmail, Google, Yahoo and Facebook. This basically makes no sense. These are web based services that use https. For any form of legal interception they simply need to work with those companies, via their hosting governments, to request the data from them. They do not need to decrypt anything.
The real messages here are, use open source software, you have to trust the endpoint, use GPG to send encrypted emails wherever possible so that it is normal and not a sign of "hiding something".
As some of you know I use JLCPCB a lot for my PCBs. Why not UK? We do use UK manufacturers for our FireBrick products, but for the small che...
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...