Schneier on Security
A blog covering security and security technology.
« Big Brother Prison |
| Voting Problems in Congress »
February 2, 2006
What Can the NSA Do?
Interesting white paper from the ACLU: "Eavesdropping 101: What Can The NSA Do?"
See also this map.
EDITED TO ADD (2/4): Barry Steinhardt of the ACLU responds to some criticism.
Posted on February 2, 2006 at 2:21 PM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Any guess as to how effective a well implemented VPN is against this snooping? Say AES-128 or 3DES plus the rest of the appropriate infrastructure for auth, key exchange, etc. Can the NSA crack AES?
In a way, this isn't new. The NSA has been eavesdropping on everyone for decades. All the ACLU article says is that NSA has kept up with the times - as electronic communications have become more widespread and sophisticated, so the NSA has expanded its capability. And, of course, 9/11 and the "War on Terror" have been a godsend for agencies like NSA - it gets them lots more budget and lots more more manpower.
The stuff about sending the FBI to investigate schoolteachers sounds like standard poor-quality use of intelligence, as if the NSA has got sloppier as the volume has increaded. Law-enforcement types tend to come from a limited range of backgrounds, and don't always understand how wide is the distribution of innocent human activity. Someone behaving outside their idea of the norm is suspicious. Better-quality evaluation of the information, by better-quality people, would get them back to the high standard that they had when they were trawling for Russian spies, eliminate a lot of these dumb leads and let them concentrate on the bad guys who are undoubtedly out there - not just terrorists but narcos and other organised crime.
The trouble is that NSA has created a perfact apparatus for detecting thought-crime, such as the KGB would have given their ears for in Stalin's time. The NSA isn't using its capability to target deviant thinkers yet, but under a future administration, driven by a future Joe McCarthy, who knows?
I will just quietly remind the world of J. Edgar Hoover...
Since Martin Luther King's widow just died, I think it's kind of interesting that nobody is mentioning Democrat icons Robert & John F. Kennedy's wiretapping of Martin Luther King's phone lines. If what Bush is doing is indeed illegal, why does it matter more now? I'm not saying it doesn't, but I'm just not conviced it was illegal. I don't really like it either, but I don't like lots of legal things.
@Josh - leaving aside the details of the actual incidents in question, that argument comes down to "somebody got away with something illegal in the past, so why should we care that someone else is breaking the law now?".
"Can the NSA crack AES?"
Maybe not, but they can get at the plaintext in other ways (e.g. ask you to 'voulentarily' hand over the keys or get a free tropical holiday).
Handbook of Computer Communications Standards: DoD Protocol Standards, Volume 3, William Stallings, MacMillan, 1988, ISBN 0-02-948072-8.
Page 47, figure 2-7, Formats of some IP fields.
"Reserved for future use".
Page 49, figure 2-9, Security option format.
"The transmission control code provides a means to segregate traffic and define controlled communities of interest among subscribers".
Where is the "what you can do about what the NSA can do" white paper, without redaction?
Sad that this basic thing has not sunk in for everyone: the bypass of the FISA court is what makes it illegal, the wiretapping itself is not the issue. The court overwhelmingly issues in favor of the requester. Bypassing it is arrogant, illegal, and smacks of hubris.
What if you WANT a free tropical holiday?
I refuse to accept that the NSA can blanket break every crypto system currently in use with minimal resources. I'm sure they can break many things that we civvies cannot, but I doubt it's cheap even for the NSA.
Given that, and the hub-bub about illegal wiretaps, why aren't more citizens frustrated that good crypto hardware and software is hard to use and come by? Surely there's a market here.
Of course, the market is responding with cheap imitations of real crypto. My new wireless phone has over 10,000,000 combinations. Whooop-dee-doo. That's crackable in what,
Digital technology is cheap. Why is there no good interoperability standard for end-to-end crypto phones? Why do email clients require users to understand crypto rather than just working?
Yes, these problems are hard, but they're all solvable, and have been for years.
AES is the strongest link in the chain. NSA will attack the weakest: passwords, comms protocols, trusted dictionary services, etc. When your browser goes to www.schneier.com, how do you know that the address resolves to the real server and not an NSA operated proxy? NSA can also attack routing, so even numeric addresses are no defence. You may trust SSL certificates, but you are only trusting Verisign not to issue a forged SSL certificate to the NSA.
Trust is everywhere, and that's the problem.
Why the focus on technology-based attacks?
It's _so_ much easier to knock on someon's door at 3 am and 'request their assistance on a matter of national security'.
Does your cleaning crew have access to your infrastructure?
Does everyone in your office know better than to [do whatever it is that people do that turns PC's into worm-farms]?
You're rightly avoiding the strongest link in the chain, but you're not attacking the weakest ones: people.
I don't know if I should laugh or cry. I going to laugh I think...
>why aren't more citizens frustrated that good crypto hardware
>and software is hard to use and come by?
It's a network effect; good crypto is only useful if your friends have and use it too. Besides, NSA and friends will do what it takes to discourage widespread adoption, as crypto use is so rare that using it is a big red flag saying "COME LOOK AT ME!" This signaling effect is no doubt used to determine "persons of interest".
Maybe NSA still can not crack AES and the like completely, but their ability of calculation is unbelievable. I believe they can crack it by using brutal force.
>Why is there no good interoperability standard for end-to-end crypto phones?
Three simple letters: N S A.
Seems to me that Executive Order 12333 trumps FISA.
The kind of wiretapping that Bush et al are accused of became clearly illegal in 1978 -- after the Kennedy administration. There are many people who believe that the Kennedys' actions were immoral and possibly illegal, but at the time it was definitely in the gray area.
The FISA of 1978 created rules whereby a secret warrant is required to tap phone calls to or from US citizens, even if they are international.
A lot has happened since the days of Kennedy to better define and restrict what authority figures can do vis-a-vis wiretaps. What the Kennedys did was wrong, but the argument that it was illegal would have been much harder to make at the time. What Bush did is (a)far more ubiquitous, and (b)far harder to claim as being in a gray area of the law.
"Sad that this basic thing has not sunk in for everyone: the bypass of the FISA court is what makes it illegal, the wiretapping itself is not the issue. The court overwhelmingly issues in favor of the requester. Bypassing it is arrogant, illegal, and smacks of hubris. "
They can't get a court authorization because they DON'T KNOW who they will be listening to for much of this.
This is truly Orwellian. Think about the advance in computing power, and imagine what will be possible in 10/20 years....
Illegality aside in recent events, I don't know why people are so shocked, aside from the fact that so many are so ignorant.
This is not so much different from the situation in most corporations. If you don't want something repeated or used against you, don't put it somewhere recordable. In most corporations, this means that conspiracy and chewing out are usually done by phone, not by e-mail. Everybody knows if it's in writing, it's recorded and out of your hands.
The difference is that the NSA has the ability to record your speech, etc. as well. Surprised? No.
What's frustrating regarding the whole legal argument in the mass media is the fact that I know that the NSA doesn't really care too much about what I have to say or most people, but someone MIGHT use those resources poorly. I also know that they can't listen to everything at the same time. So the arguments for being able to do so without oversight are kinda moot. I get really annoyed with the 'man on the street' interviews that suggest that they could hear the right words at any one point in time. Um, not unless they were either a.) lucky as in lottery-winning lucky or b.) aware of the person anyway. If they were aware, FISA would take care of it all.
I hate to sound like a conspiracy theorist nut but I always wondered why cryptos had the disclaimer "Cannot be exported outside the U.S." I attributed it to the FBI/NSA/guys in charge putting a special back door into each of these so that they could easily decipher any and all encrypted information within.
I highly doubt this is the case, I just found the "disclaimer" a little odd. It's also possible they have teams of people tasked with cracking new forms of encryption as they are introduced. They probably have the funding, staff and intelligence. I suppose since they're the ones holding most of the keys, it goes without saying that they should know exactly what these keys unlock.
Personally I'd rather just sound like a nut who has too much time on his hands to think about this stuff.
"They can't get a court authorization because they DON'T KNOW who they will be listening to for much of this."
They can still get a court authorization for up to 72 hours afterward, if the Attorney General deemed it an emergency (http://www.law.cornell.edu/uscode/html/uscode50/usc_sec_50_00001805----000-.html)
So if they get a hot tip that some terrorist is calling John American in 5 minutes, they can listen and then apply for the warrant afterward. This will most likely be approved, but the point is that the court has oversight to prevent abuse of this power. The warrant application also requires fairly extensive justification for using this type of eavesdropping.
The president keeps insisting that it was legal because Congress granted him the right to use force to fight terrorists after 9/11, but the law says he can skip getting the warrants for no more than 15 days after Congress declares war.
Here's an except from an article written by a former member of the President's Foreign Intelligence Advisory Board.
According to the author, the intelligence services were in a bit of a catch-22, they couldn't prove it was a bad guy without the tap, and they couldn't get the tap without proving it was a bad guy.
One irony of today's debate is that so many liberals are now defending FISA. Previously, a common complaint from the ACLU and others was that the secret federal court that issues warrants for foreign intelligence surveillance in this country had become a "rubber stamp" for the executive branch. Out of the thousands of applications put forward by the Department of Justice to the panel over the years, only a handful had ever been rejected. Instead of a check on executive authority, the court had become complicit in its activities-or so it was said.
And to a certain extent that has been the case. Yet the reason for the high percentage of approvals has less to do with deference to executive judgment
than with FISA's standard for obtaining a warrant when it involves surveillance of an American citizen or an alien residing legally in the United States. Before the government can get a warrant, the Justice Department must put together a case to present before the court stating the "facts and circumstances relied upon . . . to justify [the attorney general's] belief that the target is an agent of a foreign power" or "engages . . . in international terrorism." And the FISA judges can only grant the warrant when "there is probable cause to believe that the target" is engaged in espionage or terrorism. In short, before the government can collect intelligence on someone by breaking into his house or tapping his phones, it had better already have in hand pretty persuasive evidence that the person is probably up to no good. FISA is less about collecting intelligence than confirming intelligence.
Yes, the network effect is a big deal. Crypto use isn't all -that- rare, though. Https is a pretty common protocol that doesn't flag the user as potentially a criminal. Why are people unwilling (theoretically) to send their credit card numbers over the Skinterweb unencrypted, yet have no qualms about doing the same over the phone.
The answer? People think that phone lines are secure. I've heard of many corporations that refuse to use the Internet to transport data and instead use leased lines because they are "secure".
Even the network effect can be mitigated by a single standard for voice communications. The standard can even take into account the network effect. Imagine a box (phone) that says "secure" if both callers have the box and "insecure" if one or the other caller doesn't have the box. I know, there's an authentication problem that I haven't solved here, but that's solvable! With what I described, you can talk to people securely if they have it, and insecurely if they do not. It's not like this would be expensive to add to, say, a cell phone, which already has enough processor and software to do realtime crypto (and often do, but in a weak fashion) operations on.
Please tell me how the NSA could really stop such a standard from being formulated.
> One irony of today's debate is that so many liberals are now
> defending FISA.
I don't know too many liberals who are defending FISA.
I think most of them are saying, "You're not even following this!"
I personaly could care less what uncle sam does. I personaly also disagree and don;t wnat to be spied on, but as long as they keep the commies out of my backyard, I don't care. I am personaly strongly against Bush. However, I am under the impression that good people have nothing to fear and that bad ones do.
Good people don;t go home and talk to their cousin about overthrowing governments or blowing up world trade centers. Bad people do and this is how you catch them.
It takes a weasel to catch a rat, and that's exactly what GW Bush is. We all elected his monkey ass....
The war on terror is a great exuse to pump money into agencies that were dying financialy. As long as they come up with a cure for cancer and still allow me to own guns 12 years from now I don't give a good damn what they do with my tax money. (lower gas prices would be nice too, but i wont ask for too much)
CIA, FBI, NSA, IRS... All are just ackronyms that take my tax money and nothing less. You wanna know what america's problem is????
People like me.. and there are a lot of people who feel just like i do.
No - they can't get warrants for this because it is ongoing, large scale automated wiretapping done via computers.
They are simulataneously listening to all of the tens of thousands of phone calls currently going on between the US and Saudi Arabia. These phone calls are then fed into computers, with voice recognition software flagging any phone calls with certain keywords like bomb. Those are then flagged for human attention, and NSA agents play back the recorded conversation. This is an ongoing thing, long term, and they might only get computer hits on one of a million phone calls surveilled.
So when this initially came out and Bush's response was that they couldn't get warrants, that the technology wouldn't allow it, it was because this is being done on a massive scale via automation.
They can't even list all the people they've listened to. Nor do they care about the bulk of them.
Now - do they get warrants for the millions of phone calls fed through the computers? Or only warrants for the ones flagged and reviewed by a human? What if the goverment argues that they don't need a warrant unless a human reviews the call? If that legal argument flies, where does that leave us 20 years from now when computers are powerfull enough to listen & analyze to all US phone calls simultaneously? This, today, is the precedent that could lead to that.
> They are simulataneously listening to all of the tens of thousands of
> phone calls currently going on between the US and Saudi Arabia.
It wouldn't suprise me in the least if this is true. This is, however (any way you slice it) not legal.
And, in all of the "justifications" for the NSA program that I've heard, this is exactly what they're saying they're *not* doing. All of the references I've heard from Mr. President are that they know that one guy at one end is an Al Quaeda member.
Actually, I don't think I'm a bad person, and I do talk to people about what it would take to overthrow the US government. In the US, we are granted the right to overthrow the goverment in various ways. The primary method is via elections. The second method is via the second amendment, should the government attempt to prevent its citizens from periodically overthrowing it with peaceful means via said elections.
Does the fact that I discussed this theory with my brother over a telephone make me a bad person? Personally, I intend on overthrowing the US government during the next election. How about you? Do you think the CIA or NSA should be monitoring that conversation?
The only surprising thing to me is that because of recent US domestic politics, this has suddenly become an issue. There is nothing here that we didn't either know or assume years ago. In fact, all the available evidence is that the NSA's capabilities are *dramatically* less effective than they were in 1996, and in 1996 they were significantly less effective than they were in 1986.
This has pros and cons, but on the basis of my reading of Sun Tzu, I would say that on balance it makes the world a more dangerous place.
On the pro side: all you folks who think the NSA are monitoring your phone calls: they aren't. They don't even have resources to monitor all the known *really* bad guys at once, and every month they are falling further and further behind.
There was a talk in December on the NSA wiretap scandal at the CCC hackers' conference in Berlin (ccc.de/congress/2005). The Europeans had to strain to understand why it was a scandal, because they know that even though it's illegal under German law to wiretap them, NSA is free under US law to wiretap any of them at any time, collect all the traffic analysis info about all their calls, etc. And the German government does nothing about it, even though one of NSA's major listening posts is in Germany at Bad Aibling. Ditto the UK, and many other governments. European hackers broadly expect NSA to be tapping anybody they damn well please, laws or no laws, constitutions or no constitutions, rights or no rights. So why is it a big deal that out of 5 billion people in the world, another 300 million US citizens are now under NSA surveillance? It's not as if we-the-people-of-the-US have ever had any serious influence or control over what NSA does anyway.
I suspect that the only reason Congress keeps funding NSA thru the "black budget" is to give the Congresspeople a modicum of control against being blackmailed, the way they were blackmailed by phone taps and bugs under J. Edgar Hoover for 40 years. If NSA's funds were cut off, NSA could quite handily fund themselves, either by skimming the world's financial markets, or by playing the stock market using all the inside information in the world. (Who knows? A good chunk of that credit card fraud that the companies accept as a "cost of doing business" might be NSA. And perhaps the big secret about the black budget is that it costs the taxpayers $0 per year.)
NSA is a monster. If the people who blew up the WTC and the Pentagon had been more interested in taking down the US as an unaccountable superpower, rather than in stirring up the US Government to become a totalitarian menace to its own citizens, they would have dropped one of those planes on Ft. Meade. It would have struck a larger blow for the freedom of the world than the one they dropped on the Pentagon.
and that's why i say, hey man, nice shot
You want something that will blow your mind? Plug into your search engine: ODIN + NSA and see what you get.
Can the NSA break DES? Of course. Can they break AES? Good question as all we can do is speculate. 10yrs ago they had 5 acres of underground computers (that's what I read anyway). How many more supercomputers do they have now, 10 yrs later? Does a quantum computer exist? We'll never know. If I had to guess if they can break AES I would say they could possibly break 128-bit since it is only certified up to the secret level. 192-bit and 256-bit if used properly probably stop them cold. I think they rely more on passphrases, trojans and tempest to get encryption keys.
The NSA, while a menace to citizens, is necessary by default in the world, and condition of our country, we are now faced with. The technical advantage we enjoyed in the past, is slowly shrinking in regards to the other computer savey countries of the world. We have an easily infiltrated border, and the terriorists of the world are not coming, they are here now. The fox is in the hen house already so how do you fix it, blow up the coop? No you flush out the fox and call in the hounds.
In other words, you must monitor and control everything because you effectively opened the flood gate and let anyone, both the fox and the lamb, in to your country and everyone is by default now suspect.
Question: Given the fact that you now have foxes in your midst, how do you facilitate a more secure USA?
1) Close the flood gate.
Get control of the borders in any and all manners that work. You can not impose laws and tackle the immigration and Homeland Security issues before stopping the onslaught. A 30 foot wall, fences, more guards, electronic surveillance, electric fence, mote, all the above, what ever it takes. (Sorry Mexico, grow some cahones and fix your own government/country so you don't have to go elsewhere to make it, like Americans have had to do for the last 200+ years. Oh, and sorry if you don't like to look at the fences, that's just to bad.
2) ID everyone.
If you breath, and you are in the US, you get ID'd. Create a US ID card for everyone. Link to DMV databases US wide for starters, link to INS and IRS for comparison. All true citizens are already in two of the three already. Require imigration status for anyone getting a drivers license, applying for food stamps or welfare, applying for college grants or loans, anywhere that interfaces to the American public benefits arena, attrition will handle the rest. Yes, there will be conflicts and some blameless people will be caught up.
3)Reduce the possible foxes.
If you don't belong here, (i.e have appropriate, legal credentials and/or the promiss of gainfull employment) you will face deportation, voluntary exodus, attrition via inforcement of alien hiring laws. (Exceptions via proof of gainfull employment, and a US citizen sponsor, can be grounds for front of the line imigration filing and acquisition for seasonal work permits). Yes, there are jobs that sadly unemployed Americans won't stoop to that must be filled.
Do these steps and you will have a more secure USA. Not perfect, but far better than staying the current course.
The NSA isn't the only person doing this. Ever heard of Carnivore or Magic Lantern, the FBIs software used to intercept internet communications and there keylogger software that they install on your computer WITHOUT your permission and WITHOUT your knowledge. By the way FBI, people have thought of a way to bypass "Magic Lantern" which you use as a keylogger to get encryption keys from peoples computers. All you have to do is encrypt software on one computer(not with internet) and then burn to disc and send from other computer. Also, we know Norton Antivirus is configured not to detect "Magic Lantern". All we have to do to get rid of it is reformat the hard drive. If you are saying that it will transfer itself over to the other computer when we reformat, we take a magnet to the **** thing, the oldest trick in the book. Have you heard of the software called "Hijack This". There is NO way to bypass it. People can also check the hard drive for your files and delete them. Now you say you have a process that locks the files. All people have to do is use a program called Unlocker and kill the **** process. Also, how will you even get it on my computer? I guess you would send an infected attachment in an email and claim you my friend sending me some pictures. People can easily see it says Example.exe instead of Example.jpeg. Anyway if you do get it on here people can use the methods I mentioned above or let their firewalls take care of it. If you say you can delete the firewall, I can see you did that and take out "Magic Lantern" AND also all someone has to do is get a hardware firewall which is usually built into routers and then someone simply configures it to block the port your program uses and monitor all the packets with a separate computer to see what is going in and out.
DES has been cracked, AES I think is secure. Its the size of the key - they can't crack 192/256. That's what I hear, anyways. There's also a time to crack it, which is not insignificant, but as mentioned, they get sneaky to cheat something, and then they don't have to crack it. Then, there's all that data to go through.
So long as you don't have a sniffer on your machine, via FBI/NSA in conjunction with your browser or O/S, then you can encrypt there, and decrypt on a likewise secure machine on the other side.
@Joe "Can the NSA crack AES?"
Broadly AES is cleared for general USG use to the SECRET level. While this doesn't directly tell us about NSA's capability it does represent an assessment of the US's advesaries capability.
BF Skinner: Hey you are late to the party...
More importantly why am I so late 8)
If, you are still reading after five years...
As BF Skinner notes the NSA do aprove of AES to secret and above
But there is a Big BUT... "ONLY FOR DATA AT REST".
Which in layman's terms means the algorithm is OK but most if not all implementations on general purpose computer hardware (like a PC motherbaord) have serious issues to do with side channels leaking either plain text or key related information to the local network and beyond.
The leaking of keybit information across the network was demonstrated about a month after AES got the kiss of approval by NIST/NSA.
Due to the way NIST held the AES competition the code that was submitted by all enterants for evaluation was optomised for speed on any given platform. And due to various issues of optomising in this way side channels were almost guaranteed to be opened. As the NSA must have known this optomised for speed code was put in virtualy every product developed to use AES for sometime afterwards. The result was crypto libraries and run time code that had sidechannels, and a lot of that code is still running today.
The three main areas I would expect the NSA to be playing in to get around effective crypto algorithms are,
1, Standardised Plain-text.
2, Side channels.
The serious side effects of each area is increasing. For insatance a small defect in a standard will stay in place for a very very long time. Even if a new standard is released the old standard will still be included for compatability reasons. Due to usability issues "fallback" to the old insecure mode will not get flaged up to users, so a man in the middle attack can easily force both sides to think the other side is a legacy implementation and drop silently down to the insecure mode...
Now consider that some infrastructure equipment (like the electricity power meter in your home) is designed for a minimum life expectancy of 25years... Which means legacy support has to be around for atleast 25years after the discovery of the security weakness...
But if the fault is put in carefully then the choice is between crossing your fingers and carrying on or not playing...
In many respects this problem exists with AES and multiuser connected systems.
So if you are going to use AES for encrypting data you want to send to other people and you don't want to take the side channel risk, then use a standalone computer not connected to any network to do the encryption / decryption and ensure you have appropriate systems in place to ensure that no "air gap crossing" exploits are on the media you use for transfering the data...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.