Reports: NSA has cracked much online encryption - CNN.com
From the article:
The U.S. National Security Agency has secretly succeeded in breaking much of the encryption that keeps people's personal data safe online, according to reports by The New York Times, The Guardian and ProPublica.
The reports, produced in partnership and published Thursday, are the latest to emerge based on documents leaked by former NSA contractor Edward Snowden to Britain's Guardian newspaper.
According to the reports, the NSA, alongside its UK equivalent, Government Communications Headquarters, better known as GCHQ, has been able to unscramble much of the encoding that protects everything from personal e-mails to banking systems, medical records and Internet chats.
The agencies' methods include the use of supercomputers to crack codes, covert measures to introduce weaknesses into encryption standards and behind-doors collaboration with technology companies and Internet service providers themselves.
Again, Snowden is 'revealing' domestic surveillance information that most of us [who were] in the bid'ness already know about. If corporations aren't complying with government warrants then the government simply hacks them. This evidence is not legally admissible in court, but it can get the ball rolling in a criminal investigation.
Most applied crypto is fatally broken. We don't know if current methods are vulnerable or not, so we just look at what methods have withstood the test of time... which is pathetic.
Developers need to keep a few rules in mind:
- Passwords/keys should never be stored raw; only store them as part of an authentication signature
- MD5 hashing is obsolete and only good for bit verification. Replace it with sha256. Use sha512 for the most secure information.
- The NSA has approved AES as the standard but there are even better asynchronous encryption algorithms. AES is still great if you use a big key (256+ bits) with a highly-random IV.
- Don't use alphanumeric keys: they represent only a fraction of each byte. If you need to store it as text, encode it to base64 (or hex, but base64 is smaller).
- Randomly salt your hashes and IV your async cypher. When in doubt, do both (data can always be salted).
- Just remember that your database or connections with clients can always be stolen/snooped on, but if your crypto is good enough, it shouldn't matter. SSL is okay for protecting your connection but you need a good service with a good key. Fuzzy isn't aware of any keyholder, like VeriSign, that has released keys to the government... yet.
- Most importantly, slow down your crypto. The NSA uses brute force methods (trying as many variations as possible) and this takes time. Using a complex algorithm is good, but layering it is even better (a hash of a hash of a hash, etc.) Just keep in mind that it takes a lot of overhead for servers, which of course must use the same process, so don't get carried away with the iterations and only use it for special authentication. Fuzzy's slowest hashing method has about 8,000 iterations of SHA512, with a new salt for each iteration.
For users:
- Don't use dictionary words.
- Adding numbers helps a lot; if your spouse might know that your password may be "veronica", they probably won't know that it could be "veronica9713". Of course, personal names should be avoided altogether.
- Choose 'secret' questions that your spouse doesn't know (your mother's maiden name) and the government can't look up (what hospital you were born in)
- Don't use the same password for every site.
- Think: "length, complexity, variation, variety," as in, make your passwords long, make them complicated, update them often, don't recycle them.
- If you're curious, here is Microsoft's password checker that can tell you how secure your password is.
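Added example, not part of the original post: one way to apply the "never store raw", "randomly salt" and "slow down your crypto" rules from the developer list above, using the standard-library PBKDF2-HMAC-SHA512 in place of a hand-rolled hash-of-a-hash loop. The record format, the iteration count and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha512"
ITERATIONS = 210_000  # assumed work factor; tune to what your servers can afford
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable text record: scheme$iterations$salt_b64$hash_b64."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "$".join([SCHEME, str(iterations), b64(salt), b64(dk)])


def _parse(record: str):
    """Split a stored record; raises ValueError if it is malformed."""
    scheme, iter_s, salt_b64, hash_b64 = record.split("$")
    iterations = int(iter_s)
    if scheme != SCHEME or iterations < 1:
        raise ValueError("unsupported record")
    salt = base64.b64decode(salt_b64, validate=True)
    expected = base64.b64decode(hash_b64, validate=True)
    return iterations, salt, expected


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:  # also covers binascii.Error from bad base64
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or was made with a lower work factor."""
    try:
        return _parse(record)[0] < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("veronica9713")  # sample password, used only as input
    print(rec)
    print(verify_password("veronica9713", rec), verify_password("veronica", rec))
```

Because the iteration count is stored in each record, the work factor can be raised later and old records upgraded at the user's next successful login, when `needs_rehash` returns true.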
Silly Wuzzy: don't you know that surveillance done by corporations is part of FREEDOM®?
Fuzzy's explanations of technical points in this thread (I've been re-reading through it) have been useful.
And I'll just cite this cartoon ("You're not the customer: you're the product") again for anyone who missed it the first time.
People get so upset when the government snoops on them but don't seem to care if corporations do. Maybe it's the opt-in/opt-out nature of websites, but people still choose to freely offer private information to corporations without a complaint. Now that they know much of the information can be seen by the government, maybe they'll be a bit more responsible.