How to React to the NSA Attack on Standard Cryptosystems

I found an article asking With crypto being insecure, whom do you trust? while reading through the news this morning.  It referenced the joint article from The New York Times and Pro Publica, Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.  The question is a good one: Who can you trust?  I have a few thoughts on the matter.

First thought: If this surprises you, you haven’t been paying attention.  The NSA’s job is to crack encryption and backdoor systems to gain actionable intelligence for the United States and make it difficult for its adversaries to do the same to the U.S.  Here is the actual mission from its website:

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.

Given some of the liberties taken with the Fourth Amendment in the past and this mission statement, I think it’s clear that the “Ends Justify the Means” argument has some advocates at NSA.

Second Thought: The notion of online privacy is obsolete.  We can argue it has never been viable.  Either way, you can’t trust your date to be private online.  Expect it to be the subject of a breach.

That leads me into my Third Thought.  All online transactions are now, more than ever, an exercise in risk management.  All electronic transactions are compromised.  How frequently will those compromises result in loss?  How big will that loss be?  This goes for personal and business transactions.  Make sure the benefit you get from the transaction is larger than the potential loss.

And now for my Final Thought on the matter: Now what?  My recommendation for maintaining privacy in this new age of certain breach is to go Old School.  If you have data that must remain private at all costs, grab a notepad and a pen.  As long as you don’t scan or photocopy the handwritten document, it won’t show up on Google.  If you need to talk to someone about something private, arrange a conversation with them rather than fling email at each other or calling on the phone.

In summary, here are my observations on NSA-compromised cyptosystems:

  1. If you are surprised, you haven’t been paying attention
  2. Online trust is obsolete
  3. All online transactions are now an exercise in risk management
  4. If you really want privacy, break out the pad and pencil

Leave a comment if you want to discuss further.

2 Comments

 Add your comment
  1. Commentary:

    1. I have nothing to add, I am not one of the surprised.
    2. I never thought there was any online privacy. I’ve been living my life under this assumption since the pre-Internet days.
    3. Strike the word online. Even paying cash, you are caught on web enabled video. Any credit card use is “online”….I think the word as used here provides false comfort to the less well-informed.
    4. is already broken….governments are already proficient at recovering physical evidence, grabbing your trash, reassembling shredded materials, etc. This was spycraft of decades gone by…Even the simple fact that you meet with certain individuals and the times you meet can erode such “privacy”.

    Call me a cynic, but there is really nowhere to hide. We just have to view the risks under different lenses and using different values than before. Change is not always good, but it is inevitable.

    • Numbers 3 and 4 are good points. We are constantly observed, which makes discretion a real challenge. And of course, all that footage is stored online somewhere for convenient searching. I still think you’re best shot at privacy is to retreat to the physical world. While it’s still possible to conduct surveillance, it’s not as easy as online surveillance. If they’re going to eaves drop, at least make them work for it.

Leave a Reply

%d bloggers like this: