

Re: [projectvrm] Re: NSA foils much Internet encryption


  • From: Katherine Kern
  • To: David Sallis, Patrick Devine
  • Cc: 'ProjectVRM list'
  • Subject: Re: [projectvrm] Re: NSA foils much Internet encryption
  • Date: Fri, 06 Sep 2013 08:55:56 -0400

"This can only lead to loss of trust with the public, and surely do little to catch wrongdoers, who will already be employing stronger methods."

It also has a chilling effect on business.

Who is responsible for weighing the costs and benefits of these consequences?   

Time for a new governing motto: "Just because you can doesn't mean you should."

K-


From: David Sallis
Date: Friday, September 6, 2013 5:54 AM
To: Patrick Devine
Cc: 'ProjectVRM list'
Subject: Re: [projectvrm] Re: NSA foils much Internet encryption

Thanks Patrick - our posts crossed.

The difference the recent news makes in my mind is that rather than being simply vulnerable to attack (as we have known for a while) these protocols can be and are, it now seems, read routinely in bulk.

The question this raises for me is why the agencies should focus on attacking these protocols, which, although weak, have served the general, innocent, public reasonably well.  This can only lead to loss of trust with the public, and surely do little to catch wrongdoers, who will already be employing stronger methods.

regards

David

On 06/09/2013 10:35, Patrick Devine wrote:

Many of the vulnerabilities in SSL (or the way it is implemented) have long been known through the work of Moxie Marlinspike.

 

http://en.wikipedia.org/wiki/Moxie_Marlinspike  

 

Regards

Patrick

 

From: David Sallis
Sent: Friday, September 06, 2013 11:23 AM
To: 'ProjectVRM list'
Subject: Re: [projectvrm] Re: NSA foils much Internet encryption

 

Some new info seems to have been added to The Guardian report, including:

"The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."

We have of course known for some years that these have vulnerabilities, but the report suggests that they are now, or soon will be, routinely crackable.  I suppose this is much more likely to affect the average innocent Internet user than the master criminal, who presumably would be more savvy.

Also:

Snowden appeared to confirm ... during a live Q&A with Guardian readers in June. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,"

David

On 06/09/2013 09:53, David Sallis wrote:

Here's The Guardian's report, with nice quote from Bruce Schneier.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Does anyone have any info on which particular aspects of Internet cryptography are the subjects?  There was a specialist on the news here in London just now - it was not a very technical interview, but the impression given was that it was SSL.  It would be good to know some specifics about the full extent of it.

David


On 05/09/2013 21:37, John Conaghan wrote:

Sorry if this is old news to you guys. Link and summary of article below.

 

John Conaghan

 

 

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?emc=edit_na_20130905&_r=0

 

N.S.A. Foils Much Internet Encryption

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

 

 

 

 

 
