It's not generally known that NSA happily prevents internet security of Americans including online banking, collaborating with technology companies and internet service providers to implant devices. UK Guardian article: "Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article" which appears to be based on Snowden-provided material.
9/17/2013, "Revealed: how US and UK spy agencies defeat internet privacy and security • NSA and GCHQ unlock encryption used to protect emails, banking and medical records," UK Guardian, James Ball, Julian Borger, Glenn Greenwald
• "$250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'"
"The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments....
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and--the most closely guarded secret of all--collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software....
"By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet." Classified briefings between the agencies celebrate their success at "defeating network security and privacy".
the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."
An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!"
The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.
The key component of the NSA's battle against encryption, its collaboration with technology companies, is detailed in the US intelligence community's top-secret 2013 budget request under the heading "Sigint [signals intelligence] enabling".
Funding for the program – $254.9M for this year – dwarfs that of the Prism program, which operates at a cost of $20m a year, according to previous NSA documents. Since 2011, the total spending on Sigint enabling has topped $800m. The program "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs", the document states. None of the companies involved in such partnerships are named; these details are guarded by still higher levels
Among other things, the program is designed to "insert vulnerabilities into commercial encryption systems". These would be known to the NSA, but to no one else, including ordinary customers, who are tellingly referred to in the document as "adversaries"....
Among the specific accomplishments for 2013, the NSA expects the program to obtain access to "data flowing through a hub for a major communications provider" and to a "major internet peer-to-peer voice and text communications system".
Technology companies maintain that they work with the intelligence agencies only when legally compelled to do so. The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the Outlook.com email and chat services. The company insisted that it was obliged to comply with "existing or future lawful demands" when designing its products.
The documents show that the agency has already achieved another of the goals laid out in the budget request: to influence the international standards upon which encryption systems rely.
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document.
It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
"Eventually, NSA became the sole editor," the document states.
The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier.
A classification guide for NSA employees and contractors on Bullrun outlines in broad terms its goals.
"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.
The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.
It is used by the NSA "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".
A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products.
It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry
The agencies have not yet cracked all encryption technologies, however, the documents suggest. Snowden appeared to confirm this during a live Q and A with Guardian readers in June. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.
The documents are scattered with warnings over the importance of maintaining absolute secrecy around decryption capabilities. Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: "Do not ask about or speculate on sources or methods underpinning Bullrun."
This information was so closely guarded, according to one document, that even those with access to aspects of the program were warned: "There will be no 'need to know'."
The agencies were supposed to be "selective in which contractors are given exposure to this information", but it was ultimately seen by Snowden, one of 850,000 people in the US with top-secret clearance. A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships"....
Somewhat less important to GCHQ was the public's trust which was marked as a moderate risk, the document stated....
Without attention, the 2010 GCHQ document warned, the UK's "Sigint utility will degrade as information flows changes, new applications are developed (and deployed) at pace and widespread encryption becomes more commonplace." Documents show that Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs....
Analysts on the Edgehill project were working on ways into the networks of major webmail providers as part of the decryption project. A quarterly update from 2012 notes the project's team "continue to work on understanding" the big four communication providers, named in the document as Hotmail, Google, Yahoo and Facebook, adding "work has predominantly been focused this quarter on Google due to new access opportunities being developed".
To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.
This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."
"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn."
"Backdoors are fundamentally in conflict with good security," said Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union. "Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise."
This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product."
This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School.
"[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users," she states.
Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.
The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide."
Added: NSA must be broken up: "An agency that prioritizes intelligence gathering over security" is "increasingly putting us all at risk." NSA's "TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation and should be part of an offensive military unit."
2/20/2014, "It's time to break up the NSA," CNN, Bruce Schneier
"The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission--protecting the security of U.S. communications and eavesdropping on the communications of our enemies--has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.
the U.S. Cyber Command, the military's cyberwar wing, in the same location and under the same commander, expanded the NSA's power. The result is an agency that prioritizes intelligence gathering over security, and that's increasingly putting us all at risk.
It's time we thought about breaking up the National Security Agency.
speaking, three types of NSA surveillance programs were exposed by the documents released by Edward Snowden. And while the media tends to lump them together, understanding their differences is critical to understanding how to divide up the NSA's missions.
The first is targeted surveillance.
This is best illustrated by the work of the NSA's Tailored Access Operations (TAO) group, including its catalog of hardware and software "implants" designed to be surreptitiously installed onto the enemy's computers. This sort of thing represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.
The second is bulk surveillance, the NSA's collection of everything it can obtain on every communications channel to which it can get access. This includes things such as the NSA's bulk collection of call records, location data, e-mail messages and text messages.
is where the NSA overreaches: collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn't make us any safer, and it is liable to be abused. Even the director of national intelligence, James Clapper, acknowledged that the collection and storage of data was kept a secret for too long.
The third is the deliberate sabotaging of security. The primary example we have of this is the NSA's BULLRUN program, which tries to "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices." This is the worst of the NSA's excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers
the three: good, bad, very bad. Reorganizing the U.S. intelligence apparatus so it concentrates on our enemies requires breaking up the NSA along those functions.
TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit.
Whatever rules of engagement Cyber Command operates under should apply equally to active operations such as sabotaging the Natanz nuclear enrichment facility in Iran and hacking a Belgian telephone company. If we're going to attack the infrastructure of a foreign nation, let it be a clear military operation.
Second, all surveillance of Americans should be moved to the FBI.
The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against US citizens need to be subject to US law, and the FBI is the best place to apply that law. That the NSA can, in the view of many, do an end-run around congressional oversight, legal due process and domestic laws is an affront to our Constitution and a danger to our society. The NSA's mission should be focused outside the United States -- for real, not just for show.
And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.
and network security is hard, and we need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems
Any NSA work to secure our networks and infrastructure can be done openly--no secrecy required.
This is a radical solution, but the NSA's many harms require radical thinking.
It's not far off from what the President's [Obama] Review Group on Intelligence and Communications Technologies, charged with evaluating the NSA's current programs, recommended. Its 24th recommendation was to put the NSA and U.S. Cyber Command under different generals, and the 29th recommendation was to put encryption ahead of exploitation.
have no illusions that anything like this will happen anytime soon, but it might be the only way to tame the enormous beast that the NSA has
"Bruce Schneier is a fellow and lecturer at the Harvard Kennedy School. He is the author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."
Comment: I'm most grateful to Edward Snowden for his service, but nothing will change for the better. At one time, the average American on the left and perhaps some of the journalists to whom Snowden sent documents might've devoted themselves to this issue. But the left today has joined totalitarian, pro-war globalists. They don't indulge in side issues. They're giddy at the notion of all-powerful FBI, CIA, and NSA, able to do whatever they want, arrest anyone they want, and certainly answer no questions from Congress. Why would anyone want such a system? I see only one reason. The left's highest priority is to silence the rest of us. (No more "tolerance" and "inclusion.") The loss of some of their own freedom is a price they're willing to pay for silencing us. The entire US political class is on their side. Not a single one would stand up for us. That would be like freeing the slaves.
Monday, May 28, 2018
US and UK spy agencies defeat internet privacy and security by collaborating with tech companies and internet service providers. Security experts have long suspected that NSA has been introducing weaknesses into security standards-UK Guardian, 9/17/2013, reporting from Snowden NSA documents
Posted by susan at 3:16 AM