Thursday, July 11, 2013

Microsoft Doesn't Care About Your Privacy


New revelations reported by Glenn Greenwald describe how Microsoft worked closely with government intelligence agencies to allow them unrestricted access to all user data, even allegedly encrypted communications.

5 comments:

  1. I'd be willing to bet some money that we will eventually find out Google did the same thing. (Heck, they already actively and publicly sought out NSA help some years back.)

    Three other notes worth keeping in mind:

    A. The Microsoft revelations involve Outlook mail service, not Windows itself. Whether or not Windows is truly compromised -- it may well be; the allegation has been made in the past and it wouldn't surprise me in the slightest -- is not specified.

    B. The earlier revelations show that pretty nearly EVERY service provider has been tapped by the NSA. (That is: the spying is on the transmission of messages, not locally on your machine.) You won't gain anything in particular by, say, switching from iOS to Android, because the spying is being done through the phone companies/e-mail servers/chat servers, not through the OS itself.

    C. If you start encrypting everything, the NSA will flag you. They can probably break your encryption, particularly if you're using one of the common packages like PGP, which they undoubtedly already have high-speed algorithms to tackle. (Of course, if they really want to interrogate you, that won't matter: https://xkcd.com/538/ )

    1. I agree. I'm not sure of the government's ability to break nearly all encryption though. From what I've read, one of the reasons they wanted to flag and keep all encrypted information was so they could practice breaking into it. Assuming this is accurate, it sounds to me like they are currently unable to bypass all encryption, so at the very least that is one line of defense - for now. I guess all we can hope is that the outcry will get these activities to stop before it gets to that point. And then, they'll probably try to restart the program again in secret and the whole thing will happen again!

    2. I did a little basic work on public-key cryptography back in college -- nothing fancy or important or even terribly interesting, but I had to learn the basic principles. Anything publicly available which the NSA hasn't got completely cracked, they will have got streamlined for brute force and massively, massively parallelized, and any information which can be shared between attempts (say, as a trivial example, lists of primes to consider) will be.

      (Just as a not-entirely-related example: the hashing functions often used to encrypt passwords on websites which store credit card information are designed to be very fast to run. This is necessary because the servers which need to encrypt the passwords may have thousands of people logging in at once and can't afford to be tied up for seconds at a time with each one. In theory, this is justified because the function is computationally difficult, or maybe effectively impossible, to reverse. But this also means that a hacker who manages to obtain a list of hashed passwords can apply brute force very quickly, particularly using parallelized GPU acceleration, as with -- for example but not necessarily limited to -- OpenCL. (That's "CL", not "GL"; look it up.) For this reason, many hashing functions are no longer considered secure -- even consumer electronics are fast enough to brute force a hashed password in a matter of hours or days. Now: the NSA has acres of computers, they have the funding necessary to fabricate their own custom chips if need be and certainly to purchase top-of-the-line hardware if they don't build their own, and they hire people who understand cryptography and algorithmic complexity. If there is any mechanism which can be used to crack a password, they will have it.)

      Open source cryptography is probably actually at a slight disadvantage, because the algorithms are made public in direct mathematical form, which can help in analyzing the algorithms necessary to apply brute force. But closed-source programs would not necessarily create a significant obstacle, merely a slight extra delay. (Lacking access to the algorithm in mathematical notation, the proprietary program would be decompiled, and the CPU instructions needed to do the encryption would be discovered and duplicated, and that would automatically be enough for a brute force attack.)

      To say nothing of the fact that the NSA has been subtly influencing the selection of cryptographic algorithms for years; I will not be surprised when it is revealed that some public encryption tool or security layer uses a scheme which was actually suggested by the NSA and which they already had broken to the point of uselessness before making it public. If I were a sociopath and working for the NSA, that's certainly something I would have done.

    3. Thanks for the info! That's very interesting (and scary). I'll have to look more into it.

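Added example, not part of the comments above and not the commenters' code: the per-guess cost that the password-hashing remark in this thread turns on, measured for a single-pass SHA-256 digest next to a salted, iterated PBKDF2 record. The iteration count, record format and candidate strings are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this sketch; tune to your hardware

def fast_record(password: str) -> str:
    """Unsalted single-pass SHA-256: one cheap operation per guess."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_record(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$hash."""
    salt = os.urandom(16)  # fresh salt, so equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_slow(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock cost of hashing one constructed candidate."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"constructed-candidate-{i}")
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many times more expensive one guess is against the slow record."""
    return seconds_per_guess(slow_record, 3) / seconds_per_guess(fast_record, 20_000)

if __name__ == "__main__":
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one SHA-256 guess")
```

The ratio scales with the iteration count, which is the knob a site operator raises as hardware gets faster.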
  2. V1car,

    I've been doing some reading and I recently listened to computer expert Steve Gibson's Security Now podcast about this issue. They claim (and I've read this elsewhere after looking into it) that the government is unable to bypass certain forms of encryption, one being Perfect Forward Secrecy.
    Supposedly, this form of encryption is nearly unbreakable. I think this fits well with what I mentioned before when I read how the government is simply collecting all encrypted traffic in order to do two things. 1. Study it and practice trying to crack it; and 2. collect it all so when/if the keys become available at some point they can then go back and unencrypt all of the traffic that particular key protected. What do you think of this?

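Added example, not part of the comments above: what forward secrecy changes for recorded traffic when a server's long-term key leaks later. The 127-bit group, the hash-based stream cipher and all function names are toy assumptions for this sketch, and the signature that authenticates the ephemeral key in a real handshake is left out.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption): far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode as a stand-in cipher; same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def run_session(server_longterm_priv: int, message: bytes, forward_secret: bool):
    """Return what a passive recorder captures: (client_pub, server_pub, ciphertext)."""
    client_priv, client_pub = keypair()
    if forward_secret:
        server_priv, server_pub = keypair()  # per-session key, discarded on return
    else:
        server_priv = server_longterm_priv   # same key protects every session
        server_pub = pow(G, server_priv, P)
    key = derive(pow(client_pub, server_priv, P))
    return client_pub, server_pub, xor_stream(key, message)

def decrypt_recording(recording, leaked_longterm_priv: int) -> bytes:
    """Retrospective decryption attempt using only the leaked long-term key."""
    client_pub, _, ciphertext = recording
    key = derive(pow(client_pub, leaked_longterm_priv, P))
    return xor_stream(key, ciphertext)

def demo():
    longterm_priv, _ = keypair()
    msg = b"constructed sample message"
    static_rec = run_session(longterm_priv, msg, forward_secret=False)
    pfs_rec = run_session(longterm_priv, msg, forward_secret=True)
    return (decrypt_recording(static_rec, longterm_priv) == msg,
            decrypt_recording(pfs_rec, longterm_priv) == msg)

if __name__ == "__main__":
    print(demo())
```

The guarantee shown is about a later key leak only; it says nothing about the strength of the underlying key exchange or cipher.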
