Edward Snowden: why revelations matter

The range of spying by the NSA in the USA is mind-boggling. It makes 1984 look reasonable by comparison.

One example: the standards for random number generation were bent by the NIST under pressure from the NSA. This made ‘random’ numbers easier to guess, by perhaps a thousand or ten thousand times.

Those of you who remember the Netscape embarrassment, where it was found that random numbers generated by the browser were mostly concentrated in a few ranges, may know why this matters. Here’s some detail.

In setting up a secure (https, for example) communication, the RSA algorithm plus a website’s security certificate are used to start the process. Essentially the user’s browser sends the website a challenge message encrypted in that site’s public key. That the site can respond, encrypted in its private key, indicates that the site does indeed ‘know’ the private key – something that (supposedly) no other site knows.

Once this level of trust has been reached, the browser generates three random DES keys. (DES is a different encryption standard. You can look all of this up, I’m keeping this as short as I can.) The browser then sends these keys in a challenge message encrypted in the website’s public key. The website responds with a message encrypted / decrypted / encrypted (using DES) by the first / second / third key, respectively.

Since these three keys are only used for one session, it is pretty hard to break the triple-DES encryption. Since the messages used for setup are short and mostly random, there isn’t much information to try to break the RSA used by private/public keys and security certificates.

Unless you have bent the randomizer so it isn’t very random. Then it’s easier to guess the DES keys used in https. If you are the US Government, you have computing power enough.

That means every online transaction that you thought was secure is not, if a government agency that understands the random number generator weakness has a record of the (encrypted) session’s messages and replies.
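To make the point concrete, here is an added toy model (my own illustration, not code from the post or from any browser): the three per-session keys are derived from a ‘bent’ generator whose only real entropy is a constructed 16-bit seed, far smaller than the post’s thousand-fold weakening, so the search finishes in well under a second. HMAC-SHA256 stands in for DES so the script needs only the standard library; the challenge text, seed size and function names are all assumptions.

```python
"""Why a weakened randomizer collapses the session-key search (constructed example)."""
import hashlib
import hmac
import secrets
from typing import List, Optional

SEED_BITS = 16   # constructed: the 'bent' generator has only 2**16 possible states
KEY_LEN = 8      # a DES key is 8 bytes (56 effective bits)


def weak_session_keys(seed: int) -> List[bytes]:
    """The 'bent' randomizer: three 8-byte keys that all depend on one small seed."""
    keys = []
    for i in range(3):
        digest = hashlib.sha256(seed.to_bytes(2, "big") + bytes([i])).digest()
        keys.append(digest[:KEY_LEN])
    return keys


def strong_session_keys() -> List[bytes]:
    """What a browser should do: each key drawn independently from a CSPRNG."""
    return [secrets.token_bytes(KEY_LEN) for _ in range(3)]


def session_tag(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for 'the challenge encrypted under key 1' that an eavesdropper records."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def candidate_count(seed_bits: int, num_keys: int = 3) -> int:
    """How many candidates a recorded session leaves: the seed space caps the key space."""
    return min(2 ** seed_bits, 2 ** (56 * num_keys))


def recover_from_recording(challenge: bytes, observed_tag: bytes) -> Optional[int]:
    """Offline search over the seed space; a hit yields all three keys at once.
    Returns None when no seed reproduces the recording (keys were not from the weak generator)."""
    for seed in range(2 ** SEED_BITS):
        key1 = weak_session_keys(seed)[0]
        if hmac.compare_digest(session_tag(key1, challenge), observed_tag):
            return seed
    return None


if __name__ == "__main__":
    challenge = b"constructed handshake challenge"      # constructed sample input
    k1, k2, k3 = weak_session_keys(0xBEEF)               # the 'secret' session keys
    recovered = recover_from_recording(challenge, session_tag(k1, challenge))
    print("seed recovered:", recovered, "-> all three keys known:",
          weak_session_keys(recovered) == [k1, k2, k3])
    print("candidates, bent generator:", candidate_count(SEED_BITS),
          "vs honest 3-key space:", candidate_count(168))
```

The practical check is the `candidate_count` comparison: however long the keys are, the number of candidates is bounded by the entropy that actually went into the generator, and a session recorded today can be searched at leisure.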

In short, no ‘safe secrets’ were really safe. The NSA could, if it chose, find out what you did last time you banked or shopped online. And if, like Bruce Schneier, you ‘encrypt everything’, you’ll have brought attention to yourself and likely are being decrypted right now.

Edward Snowden revealed this to us.

There’s more. The NSA introduced spyware into computers worldwide. This on top of tapping 70 million phone calls in France alone in the course of thirty days. You can read about this here. There’s nothing special about France; if you search around you’ll find that Britons, Germans, and Canadians were spied on too. Pretty much everyone.

Edward Snowden revealed this to us.

Finally, it appears that the NSA found a way to tap into computers that are not online. Devices were added to them (surreptitiously, I assume) that send radio signals. These computers can be listened to from the other side of the wall, for example.

While Snowden isn’t mentioned here, I’ll bet he revealed this to us as well.

I think Edward Snowden should be given citizenship in the country of his choice, and be received as a hero. I think that should apply even if he wishes to live in the USA, the country he has exposed as being much, much bigger than ‘Big Brother.’
