After NSA Backdoors, Security Experts Leave RSA for a Conference They Can Trust and other Texts


Source: Electronic Frontier Foundation

We thought we won the Crypto Wars, the fight to make strong encryption accessible to all, in the 1990s.[1] We were wrong. Last month, Reuters broke news about a deal struck between the popular computer security firm RSA and the National Security Agency. RSA reportedly accepted $10 million from NSA to make Dual_EC_DRBG—an intentionally weakened random number generator—the default in its widely used BSAFE encryption toolkit.

[1] In the 1990s EFF led the fight to protect users’ ability to have strong, uncompromised encryption. In collaboration with leading academics, industry trade associations, and politicians from all over the world, we defeated President Clinton’s “Clipper Chip”—a proposal to compel companies to give the government backdoor keys into commercial encryption technologies. We also defeated export regulations that effectively prevented the development and distribution of strong encryption—encryption free from deliberate weaknesses or backdoors.


RSA encryption tools are an industry standard used by large tech companies and individuals alike, to protect hundreds of millions of people by encrypting our daily online interactions. We trust RSA’s encryption every time we rely on the security of our communications, including our email, financial and e-commerce transactions, medical and legal records, web searches, airplane traffic communications, text messages, and phone calls. Without trustworthy encryption, safe business transactions are impossible and speech is chilled.


The allegation of the $10 million RSA/NSA deal, combined with leaks earlier in the year about NSA’s efforts to sabotage global cryptography, has led some speakers to withdraw from the 2014 RSA Conference in San Francisco, which attracts some 25,000 attendees each year. Nine speakers have canceled their coveted slots and many have chosen to speak instead at TrustyCon, an alternative conference started this year to provide a platform for speakers who protest RSA and NSA’s long-standing collaboration.


At the same time and around the corner from the RSA Conference in San Francisco, TrustyCon is a “Trustworthy Technology Conference” organized by DEF CON, EFF, and iSEC Partners. All proceeds from TrustyCon will be donated to the Electronic Frontier Foundation to support our work against illegal and unethical government surveillance all over the world.


A Shortlist of Rockstars


Those who abandoned their speaking gig at the RSA conference are a shortlist of rockstars in the world of Internet security, including privacy lawyer and EFF Special Counsel Marcia Hofmann; Chris Soghoian, a principal technologist at the ACLU’s Speech, Privacy and Technology Project; and Jeff Moss, founder of DEF CON. The idea behind the alternative event is to underline the importance of “the technical, legal and ethical underpinnings of a stronger social contract between users and technology.”


Chief security researcher at F-Secure Mikko Hyppönen wrote an open letter to RSA explaining his reasons for speaking at TrustyCon instead. “I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA,” wrote Hyppönen. He also noted the NSA’s over-broad targeting of non-Americans: “I’m a foreigner. And I’m withdrawing my support from your event.”


RSA’s Non-denial


RSA issued a statement in response to the allegations of NSA collaboration, without actually denying the core of the allegations. RSA allegedly accepted NSA cash to make the NSA-influenced flawed random bit generator the default in their popular encryption products back in 2004. In 2007 researchers from Microsoft demonstrated how dangerously easy it is to break Dual_EC_DRBG. But even after that demonstration, RSA never made a move to change the default generator in BSAFE. Here’s an excerpt from RSA’s non-denial issued two days after the Reuters report:


“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”


Even if RSA didn’t “know” that the encryption standard offered by NSA was intentionally flawed, that does not negate the fact that the weakness was revealed in 2007, never fixed, and remained the default. Nor does RSA deny that there was a $10 million deal. Besides, if their goal is to “strengthen commercial and government security,” the company can easily argue that collaboration with NSA is part of an overall effort to strengthen government security, eclipsing commercial security needs in the process.


The Next Crypto Wars


The revelation of RSA’s collaboration with the NSA is not the first disclosure to show that the agency has started a new and unwelcome chapter in the Crypto Wars. In September 2013, the public learned about one of the NSA’s most closely guarded secret programs, codenamed BULLRUN. That program began after government attempts to compromise encryption lost in the courts, Congress, and in public opinion; NSA’s solution was to bypass democratic mechanisms and undermine our infrastructure anyway. With a mix of tactics that include infiltrating and coercing security companies into including weaknesses in their products, NSA’s efforts focused on breaking Secure Sockets Layer and Virtual Private Networks, standards that users worldwide trust and depend on to ensure that their messages and transactions make it to the intended recipient and that recipient alone—not the NSA.


Taken together, these reports make clear that this next chapter of the Crypto Wars will be about ensuring that our services and technology are worthy of our trust. That’s a goal that TrustyCon and EFF share.


We are heartened and honored, then, that proceeds from TrustyCon will be donated to EFF, and we support all users as we continue to fight the NSA in our two court cases, through opposition to terrible legislation, in the development of freedom-enhancing software, and around the world in the promotion of the 13 International Principles on the Application of Human Rights to Communications Surveillance.


EFF will be at TrustyCon and hopes to see many of you there. In the meantime, take a moment to speak out. All three branches of the U.S. government have sharply criticized NSA mass spying. It is crucial that we all demonstrate our outrage right now. Here’s how:


  1. Use and promote the use of open source encryption, like HTTPS Everywhere, to provide secure channels over insecure networks: https://www.eff.org/https-everywhere
  2. Oppose Sen. Feinstein’s fake fix that aims to codify into law some of the worst aspects of NSA spying: https://eff.org/fakefix
  3. Support the 13 Principles and help pressure policymakers around the world to reject overly broad mass surveillance: https://necessaryandproportionate.org/take-action/eff


The NSA Is Building the Country’s Biggest Spy Center


by James Bamford (Threat Level)

The spring air in the small, sand-dusted town has a soft haze to it, and clumps of green-gray sagebrush rustle in the breeze. Bluffdale sits in a bowl-shaped valley in the shadow of Utah’s Wasatch Range to the east and the Oquirrh Mountains to the west. It’s the heart of Mormon country, where religious pioneers first arrived more than 160 years ago. They came to escape the rest of the world, to understand the mysterious words sent down from their god as revealed on buried golden plates, and to practice what has become known as “the principle,” marriage to multiple wives.

Today Bluffdale is home to one of the nation’s largest sects of polygamists, the Apostolic United Brethren, with upwards of 9,000 members. The brethren’s complex includes a chapel, a school, a sports field, and an archive. Membership has doubled since 1978—and the number of plural marriages has tripled—so the sect has recently been looking for ways to purchase more land and expand throughout the town.

But new pioneers have quietly begun moving into the area, secretive outsiders who say little and keep to themselves. Like the pious polygamists, they are focused on deciphering cryptic messages that only they have the power to understand. Just off Beef Hollow Road, less than a mile from brethren headquarters, thousands of hard-hatted construction workers in sweat-soaked T-shirts are laying the groundwork for the newcomers’ own temple and archive, a massive complex so large that it necessitated expanding the town’s boundaries. Once built, it will be more than five times the size of the US Capitol.

Rather than Bibles, prophets, and worshippers, this temple will be filled with servers, computer intelligence experts, and armed guards. And instead of listening for words flowing down from heaven, these newcomers will be secretly capturing, storing, and analyzing vast quantities of words and images hurtling through the world’s telecommunications networks. In the little town of Bluffdale, Big Love and Big Brother have become uneasy neighbors.

The NSA has become the largest, most covert, and potentially most intrusive intelligence agency ever.

Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.

But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”

For the NSA, overflowing with tens of billions of dollars in post-9/11 budget awards, the cryptanalysis breakthrough came at a time of explosive growth, in size as well as in power. Established as an arm of the Department of Defense following Pearl Harbor, with the primary purpose of preventing another surprise assault, the NSA suffered a series of humiliations in the post-Cold War years. Caught off guard by an escalating series of terrorist attacks—the first World Trade Center bombing, the blowing up of US embassies in East Africa, the attack on the USS Cole in Yemen, and finally the devastation of 9/11—some began questioning the agency’s very reason for being. In response, the NSA has quietly been reborn. And while there is little indication that its actual effectiveness has improved—after all, despite numerous pieces of evidence and intelligence-gathering opportunities, it missed the near-disastrous attempted attacks by the underwear bomber on a flight to Detroit in 2009 and by the car bomber in Times Square in 2010—there is no doubt that it has transformed itself into the largest, most covert, and potentially most intrusive intelligence agency ever created.

In the process—and for the first time since Watergate and the other scandals of the Nixon administration—the NSA has turned its surveillance apparatus on the US and its citizens. It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it’s all being done in secret. To those on the inside, the old adage that NSA stands for Never Say Anything applies more than ever.