Schneier on NSA's encryption defeating efforts: Trust no one

Some security professionals raise concerns about tech companies' potential cooperation with the surveillance agency

Bruce Schneier, security expert and author of 'Liars and Outliers': 'More security isn’t necessarily better. First, security is a always a trade-off,and sometimes security costs more than it’s worth. For example, it’s not worth spending $100,000 to protect a donut.'

Bruce Schneier, security expert and author of 'Liars and Outliers': 'More security isn’t necessarily better. First, security is a always a trade-off,and sometimes security costs more than it’s worth. For example, it’s not worth spending $100,000 to protect a donut.'

The U.S. National Security Agency's efforts to defeat encrypted Internet communications, detailed in news stories this week, are an attack on the security of the Internet and on users' trust in the network, some security experts said.

The NSA and intelligence agencies in allied countries have found ways to circumvent much of the encryption used on the Internet, according to stories published by The New York Times, ProPublica and the Guardian. The NSA, the British GCHQ and other spy agencies have used a variety of means to defeat encryption, including supercomputers, court orders and behind-the-scenes agreements with technology companies, according to the news reports.

The reports, relying on documents provided by former NSA contractor Edward Snowden, show that many tech companies are collaborating with the spy agencies to "destroy privacy," said cryptographer and security specialist Bruce Schneier. "The fundamental fabric of the Internet has been destroyed."

The new revelations should raise major concerns from Internet users over who they can trust, Schneier added. "I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly," he said. "You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer."

It doesn't appear that the NSA is defeating encryption by brute force but by "cheating" by attempting to build backdoors into systems and strong-arm companies into giving it information, Schneier said.

Digital rights group the Center for Democracy and Technology echoed some of Schneier's concerns, with CDT senior staff technologist Joseph Lorenzo Hall calling the NSA's encryption circumvention efforts "a fundamental attack on the way the Internet works."

The NSA has been working for years to build backdoor vulnerabilities into encryption standards and technology products, the stories said. A representative of the NSA didn't respond to a request for comment on the stories.

Hall criticized those efforts. "In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it's incredibly destructive for the NSA to add flaws to such critical infrastructure," he said in an email. "The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners."

The New York Times story this week, citing a Guardian report from July, said Microsoft has worked with the NSA to provide the agency with pre-encryption access to Outlook, Skype and other products.

Microsoft has repeatedly denied helping the NSA break encryption on its products. The company complies with legal court orders for information on its customers and will provide agencies with unencrypted customer information residing on its servers if ordered by a court to do so, a spokeswoman said.

Microsoft General Counsel Brad Smith, in a July blog post, detailed the way Microsoft responds to court surveillance orders.

"We do not provide any government with direct access to emails or instant messages," Smith wrote then. "Full stop."

CDT's Hall defended Microsoft's approach. "It seems pretty clear that Microsoft is legally compelled to do this and would not otherwise do it voluntarily," he said.

But Matthew Green, a cryptographer and research professor at Johns Hopkins University, suggested Microsoft is due for scrutiny on encryption security, if encryption has been compromised, as the recent news stories suggest. Most commercial encryption code uses a small number of libraries, with Microsoft CryptoAPI being among the most common, he wrote in a blog post.

"While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source," Green wrote. "You can view Microsoft's code (if you sign enough licensing agreements) but you'll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect."

Microsoft IIS runs on about 20 percent of the Internet's Web servers, and nearly 40 percent of the SSL servers, while third-party encryption programs running on Windows depend on Microsoft APIs (application programming interfaces), Green noted.

"That makes these programs somewhat dependent on Microsoft's honesty," he said.

The good news for privacy-minded Internet users is that security researchers questioned whether the foundations of cryptography itself have been compromised. Some encryption protocols are vulnerable, but it's likely that the NSA is attacking the software that encryption is implemented with or relying on human mistakes, Green wrote.

"Software is a disaster," he added. "Hardware isn't that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors."

Any compromises are unlikely to be related to weakness in the underlying cryptography, added Dave Anderson, a senior director at Voltage Security.

"It seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself," he said by email. "So, is it possible that the NSA can decrypt financial and shopping accounts?  Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the PC World newsletter!

Error: Please check your email address.

Tags Dave AndersonVoltage SecurityU.S. National Security Agencyinternetbruce schneierprivacyGCHQJohns Hopkins UniversityMicrosoftsecurityJoseph Lorenzo HallEdward SnowdenBrad SmithCenter for Democracy and TechnologygovernmentMatthew Green

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?