Isn't the much simpler explanation that, for particular servers, they either have permission (e.g. companies have agreed to hand over the encryption keys or allow monitoring of the data after it is unencrypted on arrival) or some other means (man-in-the-middle attacks, server backdoors, hacking vulnerable software) to bypass the encryption entirely without you knowing? For instance, I find the idea that they would direct huge amounts of computing power to crack individual keys implausible given the previous example methods are so much easier.
Every time you hack a server or strongarm an engineer you risk detection. Breaking a widely used key would be mostly invisible and seems to better fit the description of capabilities described in their documents.
When you introduced the cascading vulnerability at the most fundamental level, you have a key to everything. Society, humanity even, would be best off scuttling any fundamental technology and everything that has not been thoroughly and fully vetted by multiple diverse and counter-interested groups of individuals. Remember, the most fundamental protocols and technologies were built on and with government funding, which directly injects the interests of long-view organizations.
Excuse my ignorance in this -- is there any verifiable evidence that such a fundamental cascading vulnerability exists, and was the result of an NSA action, or are you speaking in hypotheticals?
Or you could simply lie and tell people it's been thoroughly and fully vetted by multiple diverse and counter-interested groups of individuals. Those claims won't undergo the same scrutiny. They can't - otherwise it'd be vetting all the way down.
It is surely easier to target and then hack specific engineers at VPN and certificate authorities, then steal their private keys and bingo, a great little lookup key database.
> they either have permission (e.g. companies have agreed to hand over the encryption keys or allow monitoring of the data after it is unencrypted on arrival)
No, because nobody would do that and the NSA has no legal authority with which to force that. Companies wouldn't agree to this because they have everything to lose and nothing to gain. It's not like the NSA could even offer them favors in exchange, as the entire thing is ultra-classified. Also there's exactly zero chance this would ever be able to be kept secret. Companies can't even keep their products secret for the few months it takes from prototypes to launch, there's no way in hell the NSA would trust them to keep this secret for years. The first sys admin forced to do this would instantly talk about it.
> some other means (man-in-the-middle attacks, server backdoors, hacking vulnerable software) to bypass the encryption entirely
The article talks about this. That's definitely possible, but it's much more targetted and doesn't fit the scale that the Snowden leaks suggested the NSA was achieving.
> No, because nobody would do that and the NSA has no legal authority with which to force that. Companies wouldn't agree to this because they have everything to lose and nothing to gain.
Not claiming I'm well read up on this but wasn't a big part of the leaks that companies were cooperating with the NSA in secret?
"Gellman wanted to be the first to expose a top-secret NSA program called Prism. Snowden’s files indicated that some of the biggest companies on the web had granted the NSA and FBI direct access to their servers, giving the agencies the ability to grab a person’s audio, video, photos, emails, and documents."
The telcos (AT&T, Verizon, etc...) were cooperating, but that also fell under existing wiretap laws-ish and was known-ish. There had been rumors about it for years, there have been photos of mysterious governement vans of equipment showing up at sites, special locked rooms, etc... Those companies also haven't denied it.
However there is none of that for any of the other companies listed under Prism. Later leaks from Snowden suggest that the companies listed in Prism did not know they were part of Prism (places where inter-dc traffic was being spliced, that sort of thing).
Also just practically speaking with how fast companies rise & fall in this area doing this on a per-company basis wouldn't scale. Like when would you expect the NSA to approach, say, WhatsApp? Or Snapchat?
No, the prism leaks show that the NSA had access to data. It is often implied by various commentators that the access was facilitated by the companies, but there's no evidence to support that.
> No, because nobody would do that and the NSA has no legal
> authority with which to force that. Companies wouldn't agree
> to this because they have everything to lose and nothing to
> gain.
You might say the same thing about every social engineering victim ever. Nothing to gain, why do they help? Someone asked for help / seemed like the had the authority / was afraid for no reason.
Additionally, from my experience, monitoring after decryption isn't too hard to pull off. It takes a lot of time, money, and expertise to secure the inside and egress of the network and there is very little pressure on most companies to exert themselves to defend at those layers. Further, most networks aren't properly segmented and the attacks that tend to gain access to one machine (like a windows or mac laptop) on a network can be pivoted to access more restricted places. Given how open companies tend to be (practicing zero opsec), it's even very easy to know who to attack and have reasonable estimations about their machine's worth inside a network.
The ECI leaks mention that the FBI "compels" U.S. firms to "SIGINT-enable" their stuff for FISA purposes. So, they must have some authority over at least some U.S. companies. If it's classified, they also can (and have) use secrecy orders.
Then, they pay them too. Many companies, esp govt contractors, were more than happy to help for tens of millions.
For the servers outside, the case that happened in Greece after the Olympic games as an example of something much, much bigger but conceptually still more an immense "wrench" than a "cryptanalytic" approach:
I always considered the "crypto nerd's imagination" panel in the comic to be that the NSA have computational and/or cryptanalysis breakthroughs and super computers so far ahead of anyone else that they can crack almost anything. My guess is that in reality things are much plainer and they can rely on cooperation and server hacks.
They very well may. For all we know, some of the Snowden revelations are distractions from some breakthrough, designed to protect the real secrets.
The scale out of the NSA capabilities may have become an issue -- adversaries have figured out that the US knows too much, as people get blown up when they pick up the phone.
