Has the NSA broken PGP encryption?

[Cain]

Lots of speculation buzzing due to this article: http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world's communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital "pocket litter." It is, in some measure, the realization of the "total information awareness" program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans' privacy.

But "this is more than just a data center," says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: "Everybody's a target; everybody with communication is a target."

...

In the process—and for the first time since Watergate and the other scandals of the Nixon administration—the NSA has turned its surveillance apparatus on the US and its citizens. It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it's all being done in secret. To those on the inside, the old adage that NSA stands for Never Say Anything applies more than ever.

...

The data stored in Bluffdale will naturally go far beyond the world's billions of public web pages. The NSA is more interested in the so-called invisible web, also known as the deep web or deepnet—data beyond the reach of the public. This includes password-protected data, US and foreign government communications, and noncommercial file-sharing between trusted peers. "The deep web contains government reports, databases, and other sources of information of high value to DOD and the intelligence community," according to a 2010 Defense Science Board report. "Alternative tools are needed to find and index data in the deep web ... Stealing the classified secrets of a potential adversary is where the [intelligence] community is most comfortable." With its new Utah Data Center, the NSA will at last have the technical capability to store, and rummage through, all those stolen secrets. The question, of course, is how the agency defines who is, and who is not, "a potential adversary."

...

According to Binney—who has maintained close contact with agency employees until a few years ago—the taps in the secret rooms dotting the country are actually powered by highly sophisticated software programs that conduct "deep packet inspection," examining Internet traffic as it passes through the 10-gigabit-per-second cables at the speed of light.

The software, created by a company called Narus that's now part of Boeing, is controlled remotely from NSA headquarters at Fort Meade in Maryland and searches US sources for target addresses, locations, countries, and phone numbers, as well as watch-listed names, keywords, and phrases in email. Any communication that arouses suspicion, especially those to or from the million or so people on agency watch lists, are automatically copied or recorded and then transmitted to the NSA.

The scope of surveillance expands from there, Binney says. Once a name is entered into the Narus database, all phone calls and other communications to and from that person are automatically routed to the NSA's recorders. "Anybody you want, route to a recorder," Binney says. "If your number's in there? Routed and gets recorded." He adds, "The Narus device allows you to take it all." And when Bluffdale is completed, whatever is collected will be routed there for storage and analysis.

According to Binney, one of the deepest secrets of the Stellar Wind program—again, never confirmed until now—was that the NSA gained warrantless access to AT&T's vast trove of domestic and international billing records, detailed information about who called whom in the US and around the world. As of 2007, AT&T had more than 2.8 trillion records housed in a database at its Florham Park, New Jersey, complex.

Verizon was also part of the program, Binney says, and that greatly expanded the volume of calls subject to the agency's domestic eavesdropping. "That multiplies the call rate by at least a factor of five," he says. "So you're over a billion and a half calls a day." (Spokespeople for Verizon and AT&T said their companies would not comment on matters of national security.)

After he left the NSA, Binney suggested a system for monitoring people's communications according to how closely they are connected to an initial target. The further away from the target—say you're just an acquaintance of a friend of the target—the less the surveillance. But the agency rejected the idea, and, given the massive new storage facility in Utah, Binney suspects that it now simply collects everything. "The whole idea was, how do you manage 20 terabytes of intercept a minute?" he says. "The way we proposed was to distinguish between things you want and things you don't want." Instead, he adds, "they're storing everything they gather." And the agency is gathering as much as it can.

Once the communications are intercepted and stored, the data-mining begins. "You can watch everybody all the time with data- mining," Binney says. Everything a person does becomes charted on a graph, "financial transactions or travel or anything," he says. Thus, as data like bookstore receipts, bank statements, and commuter toll records flow in, the NSA is able to paint a more and more detailed picture of someone's life.

The NSA also has the ability to eavesdrop on phone calls directly and in real time. According to Adrienne J. Kinne, who worked both before and after 9/11 as a voice interceptor at the NSA facility in Georgia, in the wake of the World Trade Center attacks "basically all rules were thrown out the window, and they would use any excuse to justify a waiver to spy on Americans." Even journalists calling home from overseas were included. "A lot of time you could tell they were calling their families," she says, "incredibly intimate, personal conversations." Kinne found the act of eavesdropping on innocent fellow citizens personally distressing. "It's almost like going through and finding somebody's diary," she says.

...

Sitting in a restaurant not far from NSA headquarters, the place where he spent nearly 40 years of his life, Binney held his thumb and forefinger close together. "We are, like, that far from a turnkey totalitarian state," he says.

...

Meanwhile, over in Building 5300, the NSA succeeded in building an even faster supercomputer. "They made a big breakthrough," says another former senior intelligence official, who helped oversee the program. The NSA's machine was likely similar to the unclassified Jaguar, but it was much faster out of the gate, modified specifically for cryptanalysis and targeted against one or more specific algorithms, like the AES. In other words, they were moving from the research and development phase to actually attacking extremely difficult encryption systems. The code-breaking effort was up and running.

The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. "Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it," he says. The reason? "They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption."

[Cain]

For those wondering about the technological breakthrough that might have allowed this...well, more than a few people have pointed fingers in this direction:

http://security.blogs.cnn.com/2012/03/16/intelligence-goes-private-the-case-file-on-joan-dempsey/

"I think that's a huge growth area in intelligence, the big data analysis kinds of things, quantum computing which, I mean, we're a few years away from realizing real quantum processing and quantum computing. And I mean these are areas that are going to have profound effect on every aspect of our lives, but certainly on the intelligence.

And this http://www.nytimes.com/2012/02/28/technology/ibm-inch-closer-on-quantum-computer.html

On Tuesday, I.B.M. researchers will present experimental results that they say put them close to solving this problem, both by lengthening the lifetime of the quantum bits of information and by quickening the pace of computation. The presentation will take place at a meeting of the American Physical Society in Boston.

"In the past, people have said, maybe it's 50 years away, it's a dream, maybe it'll happen sometime," said Mark B. Ketchen, manager of the physics of information group at I.B.M.'s Thomas J. Watson Research Center in Yorktown Heights, N.Y. "I used to think it was 50. Now I'm thinking like it's 15 or a little more. It's within reach. It's within our lifetime. It's going to happen."

[Juana]

Holy shit.

[minuspace]

Of course they have nuclear submarines...

[Bebek Sincap Ratatosk]

(For anyone that doesn't already know here's a rundown of crypto stuff)

Modern cryptosystems encrypt with a key measured in bits. Each bit is a 1 or 0. So AES, for example has a 256-bit key space, there are 2^256 possible keys for any ciphertext. All current cryptosystems, therefore are vulnerable to brute-force, that is trying all the possible keys until they find the right one. We have known for a long time that enough resources (or  quantum breakthrough) would shorten the time needed to find the right key.

On the upside, that means the cryptosystems themselves are still secure. That is, there aren't any vulnerabilities that would shortcut the process of brute-forcing the keyspace. Only someone with enough resources to try all of the keys can decipher the ciphertext. This has always been the case. In 1996, 56-bit DES (keyspace 2^56 long) was broken by a distributed project that bruteforced the keyspace in about 4 months. A couple years later, we could brute force the keyspace in a matter of hours, even with civilian hardware.

Anyone with enough resources can brute-force any cryptosystem. Its long been assumed that the NSA would be the first to get those resources.

[minuspace]

(vague continued)
What we are essentially talking about is the factoring of prime (because) numbers.  In order to complete the computational operation via brute force, we run through a series of calculations.  Before quantum computing, these operations could be considered, discretely, to end after a (very long) number of calculations.  The extent of these calculations would make obtaining the plain text pointless.  Either the energy needed or the time taken would exceed that given to our solar system.  This is not true of quantum computing...

/modified: or the frequency analysis of big data (without changing keys etc.)

[MMIX]

I wish I was surprised

[Doktor Howl]

I guess it's time to ramp up the emails & phone calls.

See you spags in Gitmo.

[Doktor Howl]

"The more we do to you, the less you seem to believe we are doing it."
- Dr. Joseph Mengele

[Nephew Twiddleton]

"The more we do to you, the less you seem to believe we are doing it."
- Dr. Joseph Mengele

[Cardinal Pizza Deliverance.]

Look at it this way: They really care about us and want to do this for us, for our own good. It's in our best interest. Shouldn't we be more grateful to all those people sacrificing so much of their time to make sure we stay on that straight and narrow? And if we all end up in Gitmo or the internet is somehow taken down or we're crushed beneath the weight of useless bureaucracy, well. That's just what was necessary for the smarter, richer, better people to make us all safe and happy.

Smile now, the gun turrets are swiveling this way.

[Doktor Howl]

Look at it this way: They really care about us and want to do this for us, for our own good. It's in our best interest. Shouldn't we be more grateful to all those people sacrificing so much of their time to make sure we stay on that straight and narrow? And if we all end up in Gitmo or the internet is somehow taken down or we're crushed beneath the weight of useless bureaucracy, well. That's just what was necessary for the smarter, richer, better people to make us all safe and happy.

Smile now, the gun turrets are swiveling this way.

In all seriousness, they do it because they can.  They need no other reason.  Besides, we PAY them for it.

[Doktor Howl]

Also, it occurs to me that we pay bankers to steal from us.  So a little snooping isn't much to complain about.

[Doktor Howl]

In fact, we could compare what's going on to paying one neighbor to peek through our windows to make sure we're not up to anything bad, and pay another neighbor to borrow tools and never give them back.

[Cardinal Pizza Deliverance.]

I never paid my mom to read my diary. She did it for free. And I didn't pay her . . . well I guess I did, kinda, . . . to take my birthday money and buy booze with it. So really, same shit different day?