Skip to content

Bruce Schneier – Explaining the latest NSA revelations – Q&A with internet privacy experts


Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.

Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggest it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.

Schneier: I wrote about this explicitly here. I believe we still can trust cryptography. The problem is that there is so much between the mathematics of cryptography and the “encrypt” button on your computer, and all of that has been subverted.

Schneier: I do not know. My guess is that the “breakthrough” is not related to MD5. The cryptanalysis of that was public, and the algorithm is only peripherally involved in confidentiality. And I would certainly suspect the entire CA root structure. Answer to “poisoned CA root question”: I don’t think we can. Answer to SSL questions: MD5 should have been purged years ago.

Schneier: 1. I believe that the algorithms are not fundamentally compromised, only the implementations. I talk about this more here.

2. I don’t know. I have no reason to believe that SonicWALL is secure.

3. This is an interesting question. I actually believe that AV is less likely to be compromised, because there are different companies in mutually antagonistic countries competing with each other in the marketplace. While the U.S. might be able to convince Symantec to ignore its secret malware, they wouldn’t be able to convince the Russian company Kaspersky to do the same. And likewise, Kaspersky might be convinced to ignore Russian malware but Symanetec would not. These differences are likely to show up in product comparisons, which gives both companies an incentive to be honest. But I don’t know.

4. I think it would be completely implausible for the NSA not to pursue both Android and iOS with the same fervor as the rest of the Internet.

  1. Some interesting observations. The ‘case by case’ leads me to think they’re underminingTLS/SSL by somehow acquiring private keys, but others at reckon the NSA has managed to bias a commonly-used PRNG (thereby making it more likely keys within a specific range are used).

    What does seem pretty definite is the discosed ‘breakthrough’ involved collaboration between the NSA and certain ‘industry partners’.


    • “Follow the money” or Cui bono? (Who benefits).

      Surveillance is big money, however if you undermine internet security, this could damage eCommerce and US cloud vendors. That old saying “shooting yourself in the foot” comes to mind.

      If more people want the code open to inspection, then industry loses, whereas a renaissance in open source would offer a happy ending for society.🙂


      • I came across another story today in Der Spiegel about the NSA having apparently compromised smart phones as well.

        Now I’m trying to get my head around how utterly shite the security is on practically everything made or hosted in the US.


      • The penny dropped for me, when I found out how data mining was invented.

        Able Danger invented datamining to hunt down Chinese sleeper cells. Data mining was a US military project to track us… to carry out surveillance on “nodes” – ie other people we’re in contact with.

        Congress gave funding – to spy on foreigners, ie FISA or the Foreign Intelligence Surveillance Act… it’s the loophole to fund DARPA datamining and surveillance projects.

        Next the US military were given a quarter of a BILLION for inram databases…so the tracking was live… in live time. Within 5 years of being developed this was in use by major US corporations such as Google. Have you heard of the US military handing over very expensive weapons before? So what’s the quid pro quo? Google collects data… that the US military/NSA can access – and in return the billions of US taxpayer funded development gets handed over to Google in a symbiotic arrangement.

        Yes, your head will be in a spin. However they should have realised that undermining encryption puts banking and ecommerce at direct risk. Anything which damages jobs and the economy is a bad move. The US and their Cloud industry is estimated to lose 35 Billion over this…. that’s BIG money – and a lot of US jobs that will disappear.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: