Techies vs. NSA: Encryption arms race escalates

Nov 29, 2013 by Martha Mendoza

Encrypted email, secure instant messaging and other privacy services are booming in the wake of the National Security Agency's recently revealed surveillance programs. But the flood of new computer security services is of variable quality, and much of it, experts say, can bog down computers and isn't likely to keep out spies.

In the end, the new geek wars, between tech industry programmers on the one side and government spooks, fraudsters and hacktivists on the other, may leave people's PCs and businesses' computer systems encrypted to the teeth but no better protected from hordes of savvy code crackers.

"Every time a situation like this erupts you're going to have a frenzy of snake oil sellers who are going to throw their products into the street," says Carson Sweet, CEO of San Francisco-based data storage security firm CloudPassage. "It's quite a quandary for the consumer."

Encryption doesn't keep intruders out of a computer or a network. What it does, when it's designed and implemented correctly, is change the way messages look in transit and in storage: intruders who don't have the decryption key see only gobbledygook, even if they have captured every byte.

A series of disclosures from former intelligence contractor Edward Snowden this year has exposed sweeping U.S. government surveillance programs. The revelations are sparking fury and calls for reform from citizens and leaders in France, Germany, Spain and Brazil, who were reportedly among those tapped. Both Google and Yahoo, whose communications lines were also reportedly tapped, have committed to boosting encryption and online security. Although there's no indication Facebook was tapped, the social network is also upping its encryption systems.

"Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever," wrote Yahoo CEO Marissa Mayer in a Nov. 18 post on the company's Tumblr blog announcing plans to encrypt all of its services by early next year. "There is nothing more important to us than protecting our users' privacy."

For those who want to take matters into their own hands, encryption software has been proliferating across the Internet since the Snowden revelations broke. Heml.is—Swedish for "secret"—is marketed as a secure messaging app for your phone. MailPile aims to combine a Gmail-like user friendly interface with a sometimes clunky technique known as public key encryption. Younited hopes to keep spies out of your cloud storage, and Pirate Browser aims to keep spies from seeing your search history. A host of other security-centered programs with names like Silent Circle, RedPhone, Threema, TextSecure, and Wickr all promise privacy.

Many of the people behind these programs are well known for pushing the boundaries of privacy and security online. Heml.is is being developed by Peter Sunde, co-founder of notorious file sharing website The Pirate Bay. Finland's F-Secure, home of Internet security expert Mikko Hypponen, is behind Younited. Dreadlocked hacker hero Moxie Marlinspike is the brains behind RedPhone, while Phil Zimmermann, one of the biggest names in privacy, is trying to sell the world on Silent Circle. Even flamboyant file sharing kingpin Kim Dotcom is getting in on the secure messaging game with an encrypted email service.

The quality of these new programs and services is uneven, and a few have run into trouble. Nadim Kobeissi developed the encrypted instant messaging service Cryptocat in 2011 as an alternative to services such as Facebook chat and Skype. The Montreal-based programmer received glowing press for Cryptocat's ease of use, but he suffered embarrassment earlier this year when researchers discovered an error in the program's code that may have exposed users' communications. Kobeissi used the experience to argue that shiny new privacy apps need to be aggressively vetted before users can trust them.

"You need to be vigilant," he says. "We're two years old and we're just starting to reach the kind of maturity I would want."

Heml.is also encountered difficulties and angered users when its creators said they wouldn't use open source—or publicly auditable—code. And Silent Circle abruptly dropped its encrypted email service in August, expressing concern that it could not keep the service safe from government intrusion.

"What we found is the encryption services range in quality," says George Kurtz, CEO of Irvine, California-based CrowdStrike, a security technology company. "I feel safe using some built by people who know what they are doing, but others are Johnny-come-latelies who use a lot of buzzwords but may not be all that useful."

Even so, private services report thousands of new users, and nonprofit, free encryption services say they have also seen sharp upticks in downloads.

And for many users, encryption really isn't enough to avoid the U.S. government's prying eyes.

Paris-based Bouygues Telecom told its data storage provider Pogoplug in San Francisco that it needs the data center moved out of the U.S. to get out from under the provisions of U.S. law. So this month, Pogoplug CEO Daniel Putterman is keeping Bouygues as a client by shipping a multi-million dollar data center, from cabinets to cables, from California to France.

"They want French law to apply, not U.S. law," says Putterman, who is also arranging a similar move for an Israeli client.

Bouygues spokesman Alexandre Andre doesn't draw a direct connection with the Patriot Act, and says Bouygues' arrangement with Pogoplug is driven by concerns over performance and privacy. Andre says Bouygues wants the data stored in France, but it was up to Pogoplug to decide whether this would be done on Bouygues' own servers or Pogoplug's.

"There is a general worry in France over data security, and storing data in France permits us to reassure our clients," Andre says. The arrangement also helps improve the service's performance, Andre says, another reason for the move.

For Pogoplug, business is booming, with close to 1 million paid subscribers in its first year, and Putterman says the company is anxious to accommodate concerned clients. This month, Pogoplug also launched a $49 product called Safeplug, which it says prevents third parties, from the NSA to Google, from learning a user's location or browsing habits.

But many warn that encryption offers a false sense of security.

"The fundamental designers of cryptography are in an arms race right now, but there are a series of weaknesses and missing oversights that have nothing to do with encryption that leave people vulnerable," says Patrick Peterson, CEO of Silicon Valley-based email security firm Agari. And many tools that do work bog down or freeze computers, forcing "a trade-off between security and convenience," he says.

In any case, most attacks don't happen because some cybercriminal used complicated methods to gain entry into a network, he adds.

"Most attacks occur because someone made a mistake. With phishing emails, it just takes one person to unwittingly open an attachment or click on a malicious link, and from there, cybercriminals are able to get a foothold," Peterson says.

In addition, experts agree that with enough time and money, any encryption can be broken. The caveat is what "broken" means in practice. Exhaustively trying every key of a modern cipher used with a full-length, randomly generated key is beyond any realistic budget, so the attacks that actually succeed go around the mathematics: weak or poorly generated keys, bugs in the software that implements the cipher, deliberately weakened standards, compromised endpoints where the data sits in the clear, or the cooperation of the service provider. That is how, according to reports based on Snowden's disclosures, the NSA has already bypassed or altogether cracked much of the digital encryption that businesses and everyday Web surfers use. The reports describe how the NSA invested billions of dollars, starting in 2000, to make nearly everyone's secrets available for government consumption.
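The two points above, that a correctly used cipher turns a message into gobbledygook for anyone without the key, and that encryption is in practice "broken" by going around the cipher rather than through it, can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any of the products it names. It uses only the Go standard library: AES-256-GCM with a random 256-bit key to show that a wrong key and a tampered ciphertext are both rejected, then the same cipher with a key derived from a 4-digit PIN (a deliberately weak key derivation, used here only for illustration) to show that the surrounding key management, not the algorithm, is what an attacker with modest resources actually attacks. The sample message and PIN are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math"
)

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. A fresh random nonce is drawn for every message.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error for a wrong key and for any change
// to the nonce, ciphertext or tag: GCM authenticates as well as encrypts, so
// an interceptor cannot silently alter what the recipient reads.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// RandomKey returns 32 bytes from the OS CSPRNG: a proper 256-bit key.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// PinKey is the weak key derivation for the demonstration: SHA-256 of a
// 4-digit PIN. The cipher is unchanged, but only 10,000 keys are possible.
func PinKey(pin string) []byte {
	sum := sha256.Sum256([]byte(pin))
	return sum[:]
}

// BruteForcePIN recovers PIN and plaintext by trying all 10,000 derived keys.
// Every wrong key is rejected by the GCM tag, so no separate oracle is needed.
func BruteForcePIN(sealed []byte) (string, []byte, bool) {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if pt, err := Open(PinKey(pin), sealed); err == nil {
			return pin, pt, true
		}
	}
	return "", nil, false
}

// YearsToBruteForce estimates the time to exhaust a 2^bits key space at the
// given rate of trial decryptions per second, to put the PIN search next to
// a real 256-bit key.
func YearsToBruteForce(bits int, trialsPerSecond float64) float64 {
	return math.Pow(2, float64(bits)) / trialsPerSecond / (365.25 * 24 * 3600)
}

func main() {
	msg := []byte("constructed sample: meeting moved to 15:00") // constructed input
	key, _ := RandomKey()
	sealed, _ := Seal(key, msg)
	fmt.Printf("ciphertext (opaque without the key): %x\n", sealed)

	if _, err := Open(bytes.Repeat([]byte{0}, 32), sealed); err != nil {
		fmt.Println("wrong key: rejected")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered); err != nil {
		fmt.Println("tampered ciphertext: rejected")
	}

	weak, _ := Seal(PinKey("4271"), msg) // constructed weak PIN
	pin, pt, ok := BruteForcePIN(weak)
	fmt.Printf("weak key recovered: %v pin=%s plaintext=%q\n", ok, pin, pt)
	fmt.Printf("exhausting a 256-bit key at 1e12 trials/s: %.3g years\n",
		YearsToBruteForce(256, 1e12))
}
```

The same AES-GCM code protects the first message and fails to protect the second; the only difference is where the key came from. That is the shape of most real-world "bypasses": the cipher holds, and the attacker takes the password, the flawed random number generator, the buggy library, or the endpoint instead.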

Meanwhile, the U.S. government's computing power continues to grow. This fall, the NSA plans to open a $1.7 billion cyber-arsenal—a Utah data center filled with super-powered computers designed to store massive amounts of classified information, including data that awaits decryption.




User comments (5)

Heathicus
3 / 5 (4) Nov 29, 2013
Any encryption is better than no encryption. It helps to store your data properly. A lot of data is captured via social engineering. Read up on that too. It's crazy what people can do with billions of dollars.

This article is a reason ALL need to contact their state and federal level senators/representatives and tell them they do not support spying and to get support for a repeal of the PATRIOT act and all similar ones. Call, write a letter, and get your friends and family to do it. Read all about it on EFF.org.
Rick150
not rated yet Nov 29, 2013
All my computers contain lies and lie to trackers. Even a portion of my email and web traffic is lies. So how do the spooks know which is the truth? In the second world war it was the best method of keeping a secret was to make the enemy believe what was in the end crap. Lots of tools for doing this. A hint to the problem that is an issue for them is the complaint about having to sift through spam traffic.
wealthychef
not rated yet Nov 30, 2013
The NSA has "bypassed" much of the digital encryption being used? What does this mean exactly? The only way I can think of to bypass encryption is to get the data before it's encrypted, by hacking a computer and planting spyware, or doing the same after decryption on the other side.
overcurious
not rated yet Nov 30, 2013
Rick150, you hit the nail on the head for the solution for now: seed all your emails and texts with "key words" used for their searches.
dtxx
1 / 5 (1) Nov 30, 2013
"The only way I can think of to bypass encryption is to get the data before it's encrypted, by hacking a computer and planting spyware, or doing the same after decryption on the other side."

No, this is not true at all. There are always going to be flaws in the implementation of cryptography as well as the algorithms. Finding them and using them is difficult in some cases, but the NSA has a lot of time and energy to put into the process.

A classic example is WEP encryption that some people still use for their WiFi at home. WEP is flawed and you can break it in just a few minutes on a desktop computer. There was also a piece of malware that lived in the wild for several years that took advantage of a flaw in certificates, a closely related and important concept in this area. It was able to appear as a legitimate Windows Update signed by MS and was accidentally delivered to infected machines by MS themselves through the update function.
