Like everyone else following the news about the Snowden papers, I’m aware of the basic facts. Bulk collection of phone metadata, and taps on Yahoo and Google’s backend servers are top on my internal list. But when I went to hear Bruce Schneier at the Real World Crypto Workshop last week at City University, my NSA acronym knowledge increased several fold: Foxacid, Egotistical Giraffe, TAO, QUANTUM (and its variations), CNE, Bull Run, and on and on.
According to Schneier, the documents are filled with these code names and abbreviations, with some representing the companies doing the black work for the agency–which is a well-guarded secret. It was mostly new information for me, but apparently well understood by this crypto academic audience.
On another channel I write about Advance Persistent Threats have changed the game for corporate security. What I learned at this CUNY workshop was that the crypto community has already processed this fact after Adi Shamir shook things up a year ago when he noted that “crypto is less important”. For Shamir, malware changes the rules of the games. Once APTs, either governmental or private, gets past corporate or personal firewalls–the NSA, by the way has already infected 50,000 computer worldwide– the crypto assumption that no one is watching employees create private keys and set up passwords are completely violated.
Th non-tech press and legacy media have mostly focused on the bulk collection of metadata. Fair enough, that is huge. On his blog, Schneier has a great rundown (based on reporting from Der Spiegel) of how some of the aforementioned acronyms are used in the field. The whole NSA campaign now becomes far more sinister–hacking, social phishing, malware,and hardware and software backdoors are all part of their black bag of tricks. These are the kind of exploits you expect from cyber criminals.The NSA does the same gig but with far more powerful technology and they’re looking at, in some cases, an enormous number of targets. But private, non-governmental hackers may not be far behind.
Or as Schneier put it in my favorite quote from the workshop: “Today’s secret NSA program, becomes tomorrow’s PhD thesis, becomes the next day’s hacker tools.”
With the NSA powers to influence standards, they may even have inserted backdoors to directly subvert certain encryption protocols. According to Schneier, it’s possible that they’ve found ways to break, under certain circumstances, elliptic curve-based cryptography. Another troubling possibility is that they’ve made some advances in breaking RC4. Schneier has no proof but he references some remarks made by Director of National Intelligence James Klapper (at about 18:00 minutes in the .wav file below).
Schneier made the point, though, that whenever possible, the NSA likes to get around crypto, rather than trying to break it, either through special zero-day exploits, or super-sophisticated attacks involving, for example, packet injection. The good news from Schneier is that strong crypto standards when applied to endpoint devices and also backend servers would go along way towards making it very difficult for the NSA to do massive collection of data.
There is an economic factor to all this. The NSA has a huge but not unlimited budget. While Schneier warned that the agency can always go after individuals–for example, by intercepting orders for computer parts and inserting backdoors–it can’t do this on a large scale. The problem is that public is not taking advantage of some obvious encryption for email and cloud documents, and the cloud providers–although this is changing– have been lax in enforcing encryption in their backend.
If we all were more crypto aware noted Schneier, the NSA would focus more on the bad guys and less on the public. According to him, “we’ve made bulk collection too easy” for the spooks.
I’ve made available a .wav file of the Schneier session. Well, worth listening to in its entirety– about 60 minutes.