We have had many emails this morning with questions about privacy and security. Given the news over the weekend, this is not surprising. A person with above top secret security clearance at the NSA (the [American] National Security Agency) revealing secret capabilities is a very big deal.
If you haven’t already heard about this, let me suggest that you get your information from as close to the source as possible. I have already observed news sources injecting bias. Most of that is due to ignorance, but some appears to be willful. Most reporters lack the background and will dish out whatever they have been spoon-fed by some “expert”. There is often a heavy bias. Be careful what you believe. The real story is NOT the whistleblower! It is what he is talking about. Start with The Guardian’s own reporting.
The intent here is to provide some basic information about network security. It relates to email and your personal information on the Internet. Network security is a huge topic. Any opinion about what the NSA has done or may do in the future will be hopelessly naive without a reasonable understanding of what is possible.
The recent revelations have been no surprise to people involved with computer security. That the capabilities exist has been common knowledge for a long time.
Passwords
To get an idea how long it takes to crack a password, take a look at the GeodSoft Password Cracking Time Calculator. The weakness of that site is that it doesn’t say what computing power, or what password hashing algorithm, it assumes, and the answer depends heavily on both: a fast, unsalted hash can be tried many orders of magnitude faster than a deliberately slow one. As a rough figure, a typical user’s password falls to a typical desktop computer in about 2 days using brute force (trying every combination). Trying dictionary words and their common variations first cuts that to under an hour, because most people’s passwords come from that much smaller space.
To consider what the NSA is capable of, divide that by at least 1 million. Keep the arithmetic in mind, though: a million-fold speed-up is only about 20 bits of keyspace (2^20 is roughly a million), which four extra random characters from a mixed-case alphanumeric alphabet more than make up for. An article about passwords with more detail.
A good password provides adequate protection against criminal activity, but mostly for 3 reasons: 1) most criminals are unsophisticated, 2) the sophisticated ones have an abundance of easy targets, 3) what you have that they want isn’t worth the trouble. If you make it hard, they will move on. Against someone smart with access to a super computer the picture changes, but not in the way the word “super computer” suggests. Brute force is bounded by the size of the search space: a short or predictable password falls no matter how many rules about capitals and digits it satisfies, while a long, genuinely random one (say fourteen or more characters chosen at random from the full keyboard, and never reused) is beyond any hardware that exists. Your defense is not a super computer of your own; it is length and randomness. And the password is usually not the easiest path in anyway: an attacker who can get at the server’s password database, or at the server itself, doesn’t need to crack anything.
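The arithmetic behind the figures above, as an added example that is not code from the post or from the GeodSoft calculator. The guess rates are assumptions chosen to illustrate the point (a fast unsalted hash, a deliberately slow one, and the post’s “divide by a million” scaling); real rates depend on the hash algorithm and the attacker’s hardware. The useful outputs are how many bits a speed-up is worth and how many extra random characters absorb it.

```python
"""Brute-force cost arithmetic for passwords.

Added example, not from the original post and not the GeodSoft calculator's
code. The guess rates are assumptions chosen to illustrate the point; real
rates depend on the hash algorithm and the attacker's hardware.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Exact alphabet sizes.
CHARSETS = {"lowercase": 26, "mixed+digits": 62, "printable ascii": 95}

# Assumed guesses per second (illustrative, not measured figures):
#   a desktop GPU against a fast unsalted hash, the same box against a slow
#   KDF such as bcrypt at a high cost, and the post's "divide by a million".
GUESS_RATES = {
    "desktop, fast hash": 1e9,
    "desktop, slow hash": 1e4,
    "desktop x 1,000,000": 1e15,
}


def keyspace(alphabet: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet."""
    return alphabet ** length


def dictionary_space(words: int, picks: int, mangling_rules: int = 1) -> int:
    """Candidates a dictionary attack must try: (word list size x mangling
    rules per word) raised to the number of words in the password."""
    return (words * mangling_rules) ** picks


def entropy_bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random choice: half the space."""
    return (space / 2) / guesses_per_second


def extra_chars_for_speedup(alphabet: int, speedup: float) -> int:
    """Fewest extra random symbols that restore the cost after the attacker
    gets `speedup` times faster, i.e. smallest n with alphabet ** n >= speedup."""
    return math.ceil(math.log(speedup) / math.log(alphabet))


def human(seconds: float) -> str:
    """Readable duration for the report."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def report(length: int = 8) -> dict:
    """Expected cracking time for each alphabet/rate pair, keyed by label."""
    out = {}
    for cname, size in CHARSETS.items():
        for rname, rate in GUESS_RATES.items():
            out[f"{cname}/{length} @ {rname}"] = expected_seconds(keyspace(size, length), rate)
    # One dictionary word from a 100k list with 100 mangling rules, for comparison.
    out["1 word of 100k, 100 rules @ desktop, fast hash"] = expected_seconds(
        dictionary_space(100_000, 1, 100), GUESS_RATES["desktop, fast hash"])
    return out


if __name__ == "__main__":
    for label, secs in report().items():
        print(f"{label:55s} {human(secs)}")
    print("extra random printable chars to absorb a 1,000,000x speed-up:",
          extra_chars_for_speedup(95, 1e6))
```

Run it and compare the mixed-alphabet 8-character row at the fast-hash rate with the slow-hash row: the hash algorithm chosen by the site that stores your password moves the result by five orders of magnitude, which is why the calculator’s silence on that point matters.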
SSL and TLS – Secure web pages and email
SSL and TLS use public-key cryptography to set up a connection and symmetric encryption to carry it. The server presents a public key in a certificate; your browser or mail client uses that key to check that it is talking to the right server and to agree on a fresh session key that only the two ends know, and the traffic itself is then encrypted with that session key. The public key cannot decrypt anything; only the holder of the matching private key can complete the handshake. Recovering the session key without the private key means either breaking the public-key mathematics (factoring or discrete logarithms at 2048-bit sizes) or guessing a 128- or 256-bit symmetric key, both far beyond brute force, so the encryption itself is in a stronger class than even a very good password. The practical attacks go around it: a certificate from a trusted authority that should never have issued it, a server whose private key is taken, a flaw in the implementation, or the provider simply handing over the plaintext it holds. For some (scary) detail please read this.
Many years ago in a college class on computer security, the instructor described a paper written in the late 1970s by a friend of his, a mathematician. She had used a PDP-11 to generate mathematical key signatures which could then be used to crack any encryption in existence within a few minutes. If you don’t know, a PDP-11 had considerably less computing power than your cell phone. When she was about to present the paper, she was quietly taken aside by some unexpected guests. The paper was never presented anywhere nor published and she moved on to other areas of research. It’s safe to say that the NSA and FBI know all about her work. It’s also safe to say they have expanded on it over the last 30 years.
SSL protects data in transit very well against common criminals and snooping individuals. It does not protect you from the party at the other end, from anyone who can obtain the server’s private key or a fraudulently issued certificate, or from flaws in the software on either side. Against a government with the power to compel the provider, the encryption on the wire is beside the point: the data is available in the clear where it is stored.
Implications
There are techniques which go beyond what is described above. The simplest to understand is key rotation: instead of one key that protects everything forever, each connection, or each short interval, gets its own key, and the long-term key is used only to authenticate the exchange. It is often described as if the cipher were being changed faster than an attacker can break it, but that is not the real benefit, and it is not a contest of computing power. The benefit is containment: an attacker who recovers one session key reads one session, and recovering the long-term key later does not unlock traffic already recorded (the protocols call this forward secrecy). The asymmetry between the NSA and an individual is not in this mathematics, which anyone can use; it is in who controls the endpoints and the servers, and who can compel the people who do. The NSA can protect its secrets because it runs its own infrastructure. Individuals using other people’s servers can’t.
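A simplified model of the two points made in the SSL and TLS section and in the paragraph above, as an added example: it is not code from the post and it is not TLS. It shows that the values exchanged in the clear do not decrypt anything, that the traffic is protected by a symmetric session key both ends derive, and that a fresh key pair per connection means a recovered session key exposes only that connection. The 127-bit Diffie-Hellman group, the generator, and the HMAC-based stream cipher are toy choices for illustration only; TLS uses standardized groups or elliptic curves and a real authenticated cipher, and it also signs the exchange with the key in the server’s certificate, which this block omits.

```python
"""A simplified model of what TLS does with keys.

Added example, not from the original post and not TLS itself. Toy parameters
throughout: the group is far too small and the cipher is home-made, so do not
reuse any of this for real traffic.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2**127 - 1 with generator 3.
# Chosen only so the arithmetic is visible; TLS uses RFC 7919 groups or curves.
P = 2**127 - 1
G = 3


class Endpoint:
    """One side of a connection holding a fresh ephemeral key pair."""

    def __init__(self):
        self.private = secrets.randbelow(P - 2) + 2   # never leaves this object
        self.public = pow(G, self.private, P)          # sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        """Symmetric key derived from the shared DH secret (hash as a stand-in for HKDF)."""
        shared = pow(peer_public, self.private, P)
        return hashlib.sha256(b"toy-session-key" + shared.to_bytes(16, "big")).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random 16-byte nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Check the tag before touching the ciphertext; fail on tampering or a wrong key."""
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def handshake():
    """One connection: both sides publish a fresh public value and derive the key.

    Returns (client key, server key, transcript); the transcript is everything
    an eavesdropper on the wire gets to see.
    """
    client, server = Endpoint(), Endpoint()
    transcript = (client.public, server.public)
    return client.session_key(server.public), server.session_key(client.public), transcript


if __name__ == "__main__":
    k1, k1_server, wire = handshake()
    k2, _, _ = handshake()
    print("both ends agree:", k1 == k1_server)
    print("second connection uses a different key:", k1 != k2)
    msg = encrypt(k1, b"GET /mail HTTP/1.1")
    print("decrypts with the right key:", decrypt(k1, msg))
    try:
        decrypt(k2, msg)
    except ValueError as e:
        print("other session's key is rejected:", e)
```

The point to take from running it twice: the public values on the wire change every time, the long-term secret (which would sign them in TLS) never participates in the encryption, and the key from one connection is useless against the ciphertext of another.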
Most likely you will see news stories about who has and has not given unfettered server access to the NSA. Google, Yahoo, Facebook and Microsoft, just to name a few, are loudly proclaiming that they have not. Given that the NSA has no need to be “granted” access, this is completely irrelevant. If they want access, they have it. It’s as simple as that.
Over the next few days you will hear various assertions being made about the safety of your personal information. You need to listen carefully because there are no absolutes. It is impossible to fully deliver on guarantees. Every case is relative.
Data Mining
This is the process of detecting patterns in data that carry meaning and then searching for other occurrences of the same patterns. It goes well beyond seeing who a terrorist was in phone contact with. When an organization follows standardized procedures, its activities generate patterns. For example, a terrorist sleeper cell might be detectable from phone and Internet records without any advance knowledge of the individuals placing or receiving the calls, purely from the frequency, duration, timing and places of origination and termination of those calls.
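The same idea run over a handful of call records, as an added example that is not from the post. The records are constructed to contain two populations: ordinary users who call each other for varying lengths of time at irregular hours, and a small closed group whose calls are short, never reach outside the group, and recur like clockwork. Nothing about the numbers themselves is used; the group falls out of who-calls-whom, duration, and cadence alone. The thresholds are illustrative assumptions.

```python
"""Pattern detection over constructed call-detail records (CDRs).

Added example, not from the original post. The records are made up to show
the idea in the text: a tight group of numbers whose calls to each other are
short, regular and isolated from everyone else stands out from traffic
patterns alone, without knowing who any of the numbers belong to.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

DAY = 86400
T0 = 1_370_000_000  # arbitrary epoch base for the constructed data

# (caller, callee, start as unix seconds, duration in seconds, originating cell site)
CDRS = [
    # Ordinary users: longer, irregular calls, well connected to each other.
    ("555-0101", "555-0102", T0 + 3_600, 420, "site-A"),
    ("555-0102", "555-0103", T0 + 9_000, 95, "site-B"),
    ("555-0103", "555-0101", T0 + 50_000, 1200, "site-A"),
    ("555-0104", "555-0101", T0 + 61_000, 300, "site-C"),
    ("555-0105", "555-0104", T0 + 120_000, 180, "site-C"),
    ("555-0106", "555-0105", T0 + 130_000, 2400, "site-B"),
    ("555-0101", "555-0102", T0 + 170_000, 600, "site-A"),
    ("555-0101", "555-0102", T0 + 400_000, 90, "site-D"),
    ("555-0106", "555-0102", T0 + 410_000, 700, "site-B"),
    # A small closed group: short calls, one pair every day at the same hour.
    ("555-0201", "555-0202", T0 + 79_200, 25, "site-E"),
    ("555-0201", "555-0202", T0 + 79_200 + DAY + 30, 30, "site-E"),
    ("555-0201", "555-0202", T0 + 79_200 + 2 * DAY - 20, 40, "site-E"),
    ("555-0201", "555-0202", T0 + 79_200 + 3 * DAY + 10, 20, "site-E"),
    ("555-0201", "555-0202", T0 + 79_200 + 4 * DAY + 50, 35, "site-E"),
    ("555-0202", "555-0203", T0 + 80_000, 45, "site-F"),
    ("555-0203", "555-0204", T0 + 81_000, 30, "site-F"),
    ("555-0204", "555-0201", T0 + 82_000, 25, "site-E"),
]


def components(records):
    """Connected components of the undirected who-calls-whom graph."""
    adj = defaultdict(set)
    for caller, callee, *_ in records:
        adj[caller].add(callee)
        adj[callee].add(caller)
    seen, groups = set(), []
    for node in sorted(adj):
        if node in seen:
            continue
        stack, group = [node], set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            group.add(n)
            stack.extend(adj[n] - seen)
        groups.append(frozenset(group))
    return groups


def cadence_cv(times):
    """Coefficient of variation of the gaps between consecutive calls.
    0 means perfectly regular; None if there are too few calls to judge."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def profile(records):
    """One summary per component: members, call count, median duration,
    regularity of the busiest directed pair, distinct originating sites."""
    out = []
    for group in components(records):
        calls = [r for r in records if r[0] in group]
        by_pair = defaultdict(list)
        for caller, callee, start, _dur, _site in calls:
            by_pair[(caller, callee)].append(start)
        busiest = max(by_pair.values(), key=len)
        out.append({
            "members": tuple(sorted(group)),
            "calls": len(calls),
            "median_duration": median(r[3] for r in calls),
            "cadence_cv": cadence_cv(sorted(busiest)),
            "sites": len({r[4] for r in calls}),
        })
    return out


def suspicious_groups(records, max_size=10, max_median_duration=60, max_cv=0.05):
    """Flag small, isolated groups whose calls are short and clockwork-regular.
    The thresholds are illustrative assumptions, not figures from the post."""
    return [p for p in profile(records)
            if 3 <= len(p["members"]) <= max_size
            and p["median_duration"] < max_median_duration
            and p["cadence_cv"] is not None and p["cadence_cv"] < max_cv]


if __name__ == "__main__":
    for p in profile(CDRS):
        print(p)
    print("flagged:", [p["members"] for p in suspicious_groups(CDRS)])
```

Real analysis works the same way at scale: build the contact graph, compute per-group features, and rank. Note that nothing here distinguishes a sleeper cell from any other small, disciplined group that keeps to itself, which is exactly the concern raised in the next paragraph.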
The problem is that the target organization can be anything. That includes a group of individuals who might be seeking political change. Having identified such a group, counteracting it by co-opting its goals is a common political strategy. So is discrediting the individuals involved. Information is power.
Those are the facts. You can choose to believe or not believe how far the NSA has gone. You can choose to trust or not to trust the government of the United States.
It is a historical fact that no significant weapon ever developed has gone unused. Even nuclear weapons have been used without being fired, in the same way that a gun pointed at someone’s head is a weapon being used. I personally think it would be naive to believe that it’s all a mirage or that these capabilities will never be abused. It’s instructive to remember G. Gordon Liddy and why the American government has a division of power.
The question is what to do about it. Would you be interested in enhancements to protect your email privacy? To protect your on-line privacy? The integrity of your information on our servers?
You may be interested in learning more about The Tor Project
Please comment. If you are uncomfortable doing so in public, do so in private.
Ron Price says
Thanks for your information and discussion of this current concern. It is helpful to have a sound and informed source provide this helpful overview.
Ron Price
Stev Carter says
Pretty scary stuff, Dennis! I will certainly look more fully into this with the links you’ve provided. Many thanks!