Open Rights Group International - The latest revelations from the Guardian give good evidence of why the paper has recently been the target of government harassment, and also why that harassment is entirely unjustified.
Its reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or a Virtual Private Network not to leak your data to criminals, blackmailers or governments.
Thus the real impact is not only on security; it is on economics.
Of course we all expect the NSA and GCHQ to try to break encryption systems from time to time; it is their job. The problems arise when they make us all vulnerable as a result.
From the Guardian article, it appears they use threats and secret orders to commercial companies to insert backdoors, which must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken the security of technical systems for everyone, not just their targets.
The idea that these weaknesses won't be found and abused by as yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA's and GCHQ's mission.
How it works
This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptography, and more general 'backdoors' into the communications that don't rely on the cryptography at all. Schneier gives some good examples:
Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake.
The agencies seem to be doing this directly with companies and with standards bodies, on a wide scale. Many of the resulting attacks are therefore better understood as exploitation of deliberately introduced software vulnerabilities than as cryptanalysis.
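To make the first item in Schneier's list concrete, here is an added example that is not from the Open Rights Group article or from Schneier: a toy key generator whose output looks like an ordinary 256-bit key but which, as a deliberate "mistake", mixes in only 16 bits of randomness. The hash-based stream cipher, the 16-bit seed width, the derivation label and the sample HTTP request are all constructed for illustration. An outsider inspecting key bytes sees nothing wrong; an attacker who knows the weakness recovers the key by trying every seed.

```python
"""Toy demonstration of a 'less random' RNG backdoor.

Added example; not code from the Open Rights Group article or from Schneier.
The cipher, key size and seed width below are constructed for illustration.
"""
import hashlib
import secrets

KEY_BYTES = 32
WEAK_SEED_BITS = 16  # assumption: the backdoored generator only uses 16 bits of entropy


def keystream(key: bytes, length: int) -> bytes:
    """Derive a keystream by hashing key || counter (illustrative stream cipher,
    not a real one; it stands in for whatever cipher the product actually uses)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def honest_keygen() -> bytes:
    """What the product claims to do: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def seed_to_key(seed: int) -> bytes:
    """Expand a short seed into a 32-byte key. The output is full length and
    passes any statistical look at a single key, which is what hides the flaw."""
    return hashlib.sha256(b"toy-kdf" + seed.to_bytes(WEAK_SEED_BITS // 8, "big")).digest()


def backdoored_keygen() -> bytes:
    """The 'mistake': only 16 bits of randomness ever reach the key derivation."""
    seed = secrets.randbelow(1 << WEAK_SEED_BITS)
    return seed_to_key(seed)


def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Attacker who knows about the weak seed: enumerate all 2**16 candidates
    and keep the one that decrypts the start of the message to known plaintext
    (here a protocol header, which is typically predictable)."""
    for seed in range(1 << WEAK_SEED_BITS):
        candidate = seed_to_key(seed)
        if xor_crypt(candidate, ciphertext[: len(known_prefix)]) == known_prefix:
            return candidate
    return None


def demo():
    """Encrypt a constructed sample request with a backdoored key and recover it.
    Returns (key_recovered, plaintext_recovered)."""
    message = b"GET /account/balance HTTP/1.1\r\nHost: bank.example\r\n"  # constructed sample
    key = backdoored_keygen()
    ciphertext = xor_crypt(key, message)
    recovered = recover_key(ciphertext, b"GET /acc")
    if recovered is None:
        return (False, False)
    return (recovered == key, xor_crypt(recovered, ciphertext) == message)


if __name__ == "__main__":
    print("key recovered, plaintext recovered:", demo())
```

The point of the example is the contrast in search space: against `honest_keygen` the same attack would need 2**256 trials, against `backdoored_keygen` it needs at most 2**16, and nothing visible in the product's behaviour or in any individual key distinguishes the two. This is what makes such a change easy to explain away as a bug if it is ever found, and why everyone who relies on the product, not only the agency's targets, is exposed to anyone else who discovers it.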
Thus their strategy relies on people trusting big companies, or not paying attention to the work of the standards bodies that choose security protocols.
Read the full article at openrightsgroup.org.