Just as the name Ed Snowden began to slide away from the headlines, there he goes and does it again. In the latest development of the ongoing scandal over the US government’s surveillance operations, a new leak shows that the NSA has long since had the capacity to crack a wide range of web encryption standards that were previously thought to be secure.
The revelations were published in a series of articles in The Guardian, The New York Times and ProPublica, disclosing a wide-ranging campaign by the NSA to shatter common encryption methods so they can gorge themselves on our data.
According to the NYT, the NSA has been so successful that it has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.”
Details on how the NSA get away with this are a bit scant, but the New York Times reports that the efforts began with a top secret program codenamed “Bullrun” in the 1990s, which was born after the Clinton administration lost its battle to have so-called Clipper chips installed on every machine, giving them a backdoor into people’s private communications. Bullrun quickly evolved, with the NSA developing a range of methods for circumventing encryption methods, allowing them to pry on email transmissions, bank networks, private computer networks, airlines and even the nuclear department of one, unnamed foreign nation.
Bullrun is a massive program, funded to the tune of $255 million in this year alone – approximately ten times what PRISM recieves – and has cost the US government more than $800 million since 2011. Sources in the intelligence community content that such expenditure is “necessary” to prevent terrorists and criminals from foiling the PRISM program.
(Nearly) Everything Has Been Compromised
The disclosures from Ed Snowden don’t just reveal how successful the NSA has been at cracking encryption – they also show how they’ve been able to apply pressure to bend tech companies to their will, forcing firms like Microsoft to undermine their own security principles. The result of this pressure is that, according to Snowden at least, the government has already installed the backdoors it eagerly wanted back in the 1990s.
In Microsoft’s case, the New York Times claims that the NSA now has “pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.” It’s not just Microsoft that’s submitted so willfully however – the NSA has also seen considerable success in its efforts to gain access to encrypted data from Google, Yahoo and Facebook, each of which caved in under considerable pressure.
However, the NSA hasn’t quite reached the level of all-seeing, all-powerful digital demi-god just yet – it seems that some forms of encryption remain secure, for example those used by Ed Snowden himself. Even so, the way things are going it’s unlikely to be long before the NSA gets what it wants.
Staying Under The Radar?
In light of these revelations, is it at all possible for the likes of you and me to keep our communications secure? You might think that there’s nothing the NSA can’t see, but according to computer security expert Bruce Schneier, there are a few tricks you can pull to throw a few spanners in the works.
In a follow up piece for The Guardian, Schneier wrote an excellent article about how the NSA’s encryption-busting tools work, and also gave some tips on how they can be avoided. It’s worth reading the full article for yourself, but in case you don’t have time here’s a few tips that should put off all but the most determined spies from snooping on your online business.
Hide: Scnheier advises use to “hide in the network” by implementing hidden services and using the Tor network to anonymize ourselves. Sure, the NSA does know how to track Tor users, but doing so is hard work – which means they’re a lot less likely to go to the trouble of doing so.
Encrypt your communications: Even though the NSA can bust them, once again its a question of whether or not it will go to the trouble of doing so. By using tools like Ipsec and TLS, your communications are far safer than if you just trust Gmail or Outlook.com’s standard security protocols.
Don’t trust commercial encryption software: And especially no programs that come from large vendors, as these have likely already been compromised by the NSA.
Use an ‘air-gap’: Basically, if you have something that’s really confidential, only work with it on a computer that’s never connected to the web, and transfer it in an encrypted state via a USB stick to a secondary computer if you need web access.
None of these tips are bullet proof, but so long as you genuinely do have nothing to hide, the NSA probably isn’t going to bother giving you more than a cursory glance at best – which means that your personal data and communications will remain exactly that – personal.