The details about US NSA program Bullrun and SIGINT are now in public eyes. An atomic bomb is literally dropped. The real one dropped on Hiroshima forced Japan to end the war. This one is very different.
The documents released only gave a high level overview of programs funded by US and UK government intelligence units. Without details on how the agencies are able to decrypt commercial communication using de facto Internet encryption technologies SSL, HTTS and VPN, people feel worried about their privacy..
People start to ask “Are the Internet safe?” and they are right in asking this question. The documents show that there is systematic and long term planning to comprise encryption technology. Without the technical details, skepticism is spreading. However, without details and prove the encryption technologies is still our best defense against peeping eyes, from criminals or from gov. The atomic bomb I referred earlier is about the foundation of trust is destroyed. BUT not on the safety of Internet.
I like to highlight that the word “backdoor” is used a few times in the explanatory note on New York Times website. Backdoor is a very general concept and it is used by the reporter to help the public to comprehend the technical details. It does not mean there exists backdoor in commercial technologies. I think the better interpretation is the agencies has the ability and means if they need to.
An excellent write up by TrendMicro Security Blog offers similar views.
Below is a NYT reader’s (K. Liu) comment which I found is objective:
This article is nothing but a mess of generalities.
It mentioned PGP. It never mentioned whether PGP is still secure (it is). It mentioned the NSA internal e-mail that said “This can’t be good.” But did not elaborate.
As someone with extensive experience in cryptography and security, I want to point out a few things. Nobody, not even the NSA can arbitrarily crack anything. When done correctly, even if the NSA set every computer on the planet to work on brute-forcing an encrypted message, it won’t be done in the next million years. If the NSA is able to break into communications, it does so through less magical means, like using a National Security Letter to demand that data be handed over, stealing a key from a user, even having agents who physically pilfer keys and data. While the NYT does make mentions of these alternate methods, it muddies it all up and fails to draw distinctions.
E.g.: the weaknesses in NSA-sanctioned algorithms like AES and SHA that the article alluded to? Yes, those can make brute-force cracking go much faster, but the attacks aren’t practical because they will STILL take millions of years (if not much more).
The NSA story is important, and deserves the attention of the public. But the NYT does nobody a favor by presenting an article so fraught with technical ignorance that makes it sound like all encryption is down the drain (they’re not) or that no web transactions are private (most still are) and that the sky is falling (nope).