ProPublica

Journalism in the Public Interest


Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security

Newly revealed documents show that the NSA has circumvented or cracked much of the encryption that automatically secures the emails, Web searches, Internet chats and phone calls of Americans and others around the world. The project, referred to internally by the codename Bullrun, also includes efforts to weaken the encryption standards adopted by software developers.


dr. joe doty

Sep. 5, 2013, 2:44 p.m.

“And they went and did it anyway, without telling anyone”

Nothing like an out of control agency funded by taxpayers in an alleged democratic setting.

Time to retire the generals, fire the private contractors and shutter the agency.

Richard Kerr

Sep. 5, 2013, 2:56 p.m.

The NSA is “winning” the war against cyber security, and the American people are losing. The losses to America are more devastating than it would appear at first.  The vast digital library that the NSA has assembled that includes virtually every digital trace of every American and many people throughout the World, has effectively dealt the United States out of one of the most promising businesses of the future, cloud computing. The credibility of America has been permanently trashed, and the last shred of trust that the World has held in the values supported by Americans has been lost. Yes, the NSA and its own selfish agenda has won, the rest of us have lost.

Ziggy Pope

Sep. 5, 2013, 2:59 p.m.

Cannot agree with Dr. Joe Doty more. Close them up.

ConcernedCitizens

Sep. 5, 2013, 3:12 p.m.

Questions

1)  Does NSA provide Monsanto or other corporations data upon request? In other words, are corporations able to request or purchase data about American citizens?

2) Has NSA (or its employees) ever provided Monsanto or other corporations data upon request? In other words, have corporations ever been able to request or purchase data about American citizens? Is this legal or illegal?

Alex Warofka

Sep. 5, 2013, 3:19 p.m.

I’m disappointed that the media organisations involved chose to honour the requests of the intelligence community and not release details of the specific encryption technologies the NSA has the ability to decrypt. With financial information, medical records, and proprietary information all transmitted over the internet only with the understanding that encryption protects it from prying eyes, these details are of undeniable public interest. If the NSA has the ability, how do we know that other governments or malicious individuals have not also developed such capabilities?

@ConcernedCitizens: How is this even tangentially related to Monsanto?

Leo Cotnoir

Sep. 5, 2013, 3:19 p.m.

This is a complicated issue. On the one hand, law-abiding citizens of the US and other countries rely on Internet encryption to protect financial and other personal information. On the other, Internet encryption allows groups like al Qaeda to communicate freely without fear of being intercepted. It is worth remembering that had the US and the UK not been able to break German and Japanese encryption systems during World War II the outcome of that conflict might have been very different. It seems to me that it is in the US national interest for NSA to be able to access encrypted Internet communications, so long as they do so only in accordance with US law.

The questions that need answers now are who fed this information to Snowden and why. It seems unlikely that he would have been able to access such a tightly compartmented program on his own.

Rich Jones

Sep. 5, 2013, 3:20 p.m.

Please post the full documents so that other individuals and organizations may also analyze these documents without editorialization.

Misan

Sep. 5, 2013, 3:21 p.m.

At ConcernedCitizens-

Yes, Monsanto has had access for a while. Exxon is another company that has had access to the electronic communications of anyone critical of their organization. If anyone speaks out against any high-level corporation, they are labeled a terrorist and are treated as such.

Leo Cotnoir

Sep. 5, 2013, 3:27 p.m.

Would those who believe that NSA has provided Monsanto and Exxon-Mobil access to the communications of US citizens please cite their source(s) for this information?

K. Liu

Sep. 5, 2013, 3:34 p.m.

As Bruce Schneier puts it, “They’re doing it primarily by cheating, not by mathematics.”

It’s an important distinction that I’m afraid was grievously muddled in this reporting. E.g., encryption protects an e-mail message as it travels from your computer to Gmail’s server. The NSA cannot read that message because it is encrypted. The NSA instead sends a National Security Letter demanding that Gmail hand over that message. This is like saying that an armored car can’t be hijacked, but the government can then legally require that the bank receiving that shipment hand it over after it had arrived. That’s not breaking encryption (hijacking an armored car). That’s avoiding it (get it after it’s been unloaded).

Another example: so what if I encrypt a file and then send it to my friend? The NSA can’t break that encryption, period. What it can do is get the key from me or my friend. It might coerce it out of us, it might trick us into revealing it, it might spy on us as we enter the key, but the one thing it can’t do is force it open by brute force. So if I encrypt a file and then die, and the only place where that key was stored was in my mind, then that file can never be decrypted. Ever.

It’s alarming that the NSA is doing what it’s doing, but it’s also important to know exactly how the NSA is doing this. The article gives the impression that these are technical attacks against encryption itself. They are not (the weaknesses in the NSA-sanctioned AES algorithm that was alluded to simply means that even with every computer on the planet working on it, a brute force attack will now take trillions of years instead of trillions of centuries). Instead, they are about NSA pursuing back channels to try to avoid the problem of encryption because encryption itself has not been and cannot be broken.

Why is this distinction important? Because encryption still works. The PGP (or GPG) that the article mentioned? That still works. Yes, the NSA can still “cheat” and demand the unencrypted message, but when the only holders of the unencrypted message are the sender who created the message and the recipient who decrypted the message, that’s a far more difficult “cheat” to pull off than if they could just send an NSL to a third party.

Chris Wood

Sep. 5, 2013, 3:34 p.m.

All governments must realize that there are 10’s of thousands of 12 year old boys and girls that when challenged can communicate with each other and break into any system.  Their minds have no restrictions. Gates and Allen may have been among the first to do so, others also look at the challenge.

Janet Innes_Kirkwood

Sep. 5, 2013, 3:48 p.m.

Right just the great White Fathers of the Anglo-American Five Eyes had a need to know everything in the entire world sort of like an all-knowing Jesus. The problem is that these guys are stupid because once you tilt your hand it is rather obvious and then you just watch what the boys and girls club does with this. They gave themselves all the advantages and told us they were all winners because they were all so much smarter than everybody else. They have shot the US Internet and information industry in the foot as well as undercut our standing and moral authority in the world. I wonder how many real terrorists they actually caught compared to how many they have made? However we are known to be number one in incarceration and war, and we have the over bloated military police spy industry to show for it coupled with the usual decline in the population’s standard of living. Gee not very exceptional in the empire department after all…. Even the UK poodle club is trying to jump off this sinking ship. Which way is land boys and girls???

JDM

Sep. 5, 2013, 3:54 p.m.

So… can the NSA decrypt SSL, or not?

This article actually conveys very little about what the government can do—just a generalized suggestion that it’s “a lot.”

MRW

Sep. 5, 2013, 3:57 p.m.

I agree with Rich Jones. Don’t protect these perps.

“Please post the full documents so that other individuals and organizations may also analyze these documents without editorialization.”

MikeSiesel

Sep. 5, 2013, 3:59 p.m.

I suppose we could all buy an older computer, keep it offline, and compose lengthy messages in Lorem Ipsum, format in PDF, and then double-triple encrypt, and dump them on SkyDrive. I have the service but don’t use it.

Let them crunch that gobbledygook. It’s an old strategy. Overload the enemy with useless data. Too bad the enemy is our own government. Not that it’s a surprise.

MRW

Sep. 5, 2013, 4 p.m.

@ConcernedCitizens,

You wrote:
————————-
Questions

1)  Does NSA provide Monsanto or other corporations data upon request? In other words, are corporations able to request or purchase data about American citizens?

2) Has NSA (or its employees) ever provided Monsanto or other corporations data upon request? In other words, have corporations ever been able to request or purchase data about American citizens? Is this legal or illegal?
————————-

Yes, the going price in 1995/96 for NSA data from their operatives (on the QT of course) was $25,000. That was the minimum. I was in the room. That was the domestic minimum.

ejk

Sep. 5, 2013, 4:01 p.m.

I second that. The article raises alarms without giving specifics. The cat is out of the bag. Tell us what they can crack for our own safety.

Ron

Sep. 5, 2013, 4:11 p.m.

Thank you NSA. You have just destroyed the US computer and internet industry. No foreign buyer will ever trust us enough to buy our equipment or services.

This was a major part of our economy. I sure hope that the 6 terrorists you claim you caught were worth destroying a multi-billion dollar industry.

bob

Sep. 5, 2013, 4:18 p.m.

It appears that the only way to stop this out of control agency is for a foreign government such as Brazil to sue the NSA for breaching their privacy laws, as our government has pretty much allowed them to run roughshod over the Constitution and whatever expectations for privacy we previously had.  And then they developed the Patriot Act to force compliance and make people who did not wish to participate disappear…

BC

Sep. 5, 2013, 4:20 p.m.

All these “revelations” about the NSA in the press have only demonstrated how so very little today’s news outlets, whether traditional or online, bother with genuine investigative journalism. The NSA is not this huge Enemy-of-the-State boogeyman filled with sinister, masterful ne’er-do-wells—it’s just another U.S. agency that’s still recovering from gross mismanagement during the Bush years, and filled with basically bureaucratic geeks who are more concerned about job security than anything else. And any discussion with people familiar with the NSA would tell you that (or you can just look up Thomas Drake’s characterization of the NSA under Bush’s people.) Yeah, they are pretty good at cracking encryption, but they are hardly the only ones (go look up what the Russian company, ElcomSoft, has been doing over the years), but…foreign governments, terrorist groups, criminal organizations, and even just tech savvy folk know that most if not all of what the NSA cracks are older or bug-ridden encryption protocols and that it really isn’t that hard to substitute in somewhat more up to date, less buggy, and vastly stronger encryption software and techniques. This is why you are not seeing a whole lot of success against targets that you would expect the NSA to really go after. They may cast a very big net, but the fish they are after know how to elude it.

DJ Matthew Reece

Sep. 5, 2013, 4:21 p.m.

Well…the worst part of this is that corrupt federal agents use this to cover their tracks and avoid accountability.  I have personal experience in this with a CIA named Dennis Ende. Check my blog for the story…my phone hacked and tapped illegally ... djmatthewreece.blogspot.com
100% true story…

D. RonSons

Sep. 5, 2013, 4:22 p.m.

The original source and purpose of what became the internet was a military/intelligence system. Still is. The fact that it was turned into a commercial and public utility does not change that. Additionally, use of commercial operating systems for command and control of things like the electrical grids and intelligence operations, given that no individual or group has really understood the whole thing for about 30 or 40 years, everything is vulnerable, and anything can be cracked, as was pointed out 40 years ago, is foolish. Current encryptions can’t be cracked unless you have the key. And absolutely anything worth anything can be bought.

Brian Fleury

Sep. 5, 2013, 4:41 p.m.

What I got out of this article is the need to make The NSA’s key collection obsolete. If every individual that uses encryption simply generates a new 4096-bit private-public key pair on a regular basis and tightens up security on their systems, secure communications can be restored.

Same can be done for symmetric keys—just like passwords they should be changed regularly.

It is also necessary to stop using commercial proprietary operating systems. Open source ensures that one knows there are no back-doors installed in their encryption software or their desktop.

I have to find my old copy of PGP 2.6.2 source and rebuild. That version should still provide Pretty Good Security. Thanks, Phil!

Your real name

Sep. 5, 2013, 4:54 p.m.

Informative writing.  On the other hand, in terms of the big picture, what on earth do you *expect* the NSA to be doing, if not cracking codes and monitoring communications?  In spite of the current collaborative effort credits, it looks like ProPublica has been working on the story the longest.  It would be interesting to see a similar long term project for other agencies.

jplatter

Sep. 5, 2013, 4:56 p.m.

As with the IRS scandal there will always be people or groups in the government that disagree with your beliefs or views and they will use this technology to their ends no matter what the safeguards.

Cdelairre

Sep. 5, 2013, 4:59 p.m.

The points made in this article are good ones with some minor exceptions. For one thing, they are not in a position to assess the potential damage release of such information may have, or the lives they may put at risk. Secondly, if they were genuine in their attempts to kick off a National debate, they could reveal elements of the programs without a complete compromise of the programs. Third, if the Government wanted to discuss the release of information in a legal context, ie restraining order, (due process of law), they have precluded this possibility. Ultimately, it is probably the Jurisdiction of the Supreme Court to assess the balance of interests at play here. I am very curious about the information, but could wait for the proper balance of interests to be weighed by appropriate Parties. As it is, they are setting the stage for the release of information that they in only their judgement,  have decided is in “our” best interest, who gave them that Right. When terrorist attacks that could have been foiled by this technology occur, and they report on the carnage, will there be any acknowledgement that they may have some of the blame, I think not, they will just sell more newspapers.
In my opinion the Press needs to go through the steps, this is far too important an issue for a unilateral decision on their part, a delicate balance of Free Speech and Security are at stake.

Wendy Schwartz

Sep. 5, 2013, 5:02 p.m.

Just for fun: What if Snowden was a plant to try to scare everybody off the internet in order to stop the increasing public transparency. Wouldn’t that be brilliant?

Sam Spade

Sep. 5, 2013, 5:03 p.m.

Half of the problem, if not all of it, is in the hidden content of the code we run.  The solution for this is obvious:  Only run open-source programs.  Ditch Microsoft and Apple, go with Ubuntu.

It won’t solve all the problems, but it’s a start.

Jim

Sep. 5, 2013, 5:04 p.m.

And this is how al-Qadea (or however it’s spelled this week) wins - toss out an occasional fear bomb then sit back and watch us destroy ourselves in response.

Wendy Schwartz

Sep. 5, 2013, 5:06 p.m.

....also does this mean the new iPhone is just a loudspeaker straight to the feds?

Leo Porteur

Sep. 5, 2013, 5:08 p.m.

@Leo Cotnoir:
I’m afraid you are mixing arguments here. There is a clear difference between engaging a war-time enemy and spying on the general public and commercial interests.

Real Citizen

Sep. 5, 2013, 5:08 p.m.

We need ethical independent privacy advocates like Dick Cheney and Mike Tigas to examine the Constitutionality of such programs…

The Other Ron

Sep. 5, 2013, 5:13 p.m.

Why didn’t you answer the more important question of whether the NSA shares with the FBI?

“the American manufacturer agreed to insert a back door into the product before it was shipped”

Thanks, PP for destroying the American tech h/w industry.

@Wendy Schwartz “....also does this mean the new iPhone is just a loudspeaker straight to the feds?”

Only if the NSA shares with the FBI.  From what I’ve read, though, about the FBI’s inability to crack TrueCrypt, the answer seems to be no.

warren swil

Sep. 5, 2013, 5:17 p.m.

Shocking!
But, of course, I am not shocked.
The US government has broken the rules on privacy thousands of times.
We wrote about it when The Guardian and others published a story on Aug. 16: NSA broke rules on privacy thousands of times

http://warrenswil.com/2013/08/16/a-massive-story-nsa-broke-rules-on-privacy-thousands-of-times/
Thank you, Edward Snowden, for telling us something we REALLY need to know.
Is anyone in the US paying attention with the all-Syria-all-the-time news broadcasts?
I doubt it.
In the (K)now blog
http://warrenswil.com/

Thomas Jefferson

Sep. 5, 2013, 5:22 p.m.

The KGB of the Cold War could only have fantasized about the secret domestic spying of the NSA. It is J Edgar Hoover of several magnitudes with several cherries on top!
Hail to the United Police States of America!
Zig Heil! Zig Heil!

John Dingler, artist

Sep. 5, 2013, 5:22 p.m.

Notice that the otherwise excellent article—because it informs us of the NSA’s ubiquitous, surreptitious, and anti-4th Amendment spying—is written from the point of view of the success of the NSA. It instead should have been written from the point of view of the abridgment of 6th Amendment freedoms. Therefore, the article puts the NSA in a good light, wrongly.

Steve

Sep. 5, 2013, 5:26 p.m.

“Many users assume — or have been assured by Internet companies —
that their data is safe from prying eyes. . .”

In other news, many users believe in the Tooth Fairy, Santa Clause,
and Atlantis.

Sheesh.

Steve

Sep. 5, 2013, 5:26 p.m.

Yeah, I know it’s “Claus.”

So sue me.

Debt Suspension Rights

Sep. 5, 2013, 5:28 p.m.

If collected data is not transferred to competing interests nor used against the entity being spied upon in public, the effect is not as bad.

The Other Ron

Sep. 5, 2013, 5:37 p.m.

“Hail to the United Police States of America!”

How inordinately naive are you that the agency tasked with code breaking is… breaking codes?  Sheesh…

The Other Ron

Sep. 5, 2013, 5:41 p.m.

“They’re doing it primarily by cheating, not by mathematics.”

Good for them!  (Last I checked, the world didn’t run on the Marquess of Queensberry Rules.)

Leo Cotnoir

Sep. 5, 2013, 5:44 p.m.

MRW,

If you were really in a room where NSA employees sold access to Monsanto and did not report it to the proper authorities you are guilty of a felony. Perhaps you might wish to reconsider your accusations.

Sama

Sep. 5, 2013, 5:44 p.m.

Jim - yes indeed. Osama has won from the grave. I wonder if Bin Laden foresaw the aftermath of 9/11, the ripples of paranoia that have emanated from that day and how the government would exploit people’s fears. This country is now the scariest place on Earth, doubtless trending toward a police state and with an overbearing government hell-bent on picking up every jot of information about every individual on the planet. It’s nothing short of psychotic. The inmates running the madhouse.

Leo Cotnoir

Sep. 5, 2013, 5:46 p.m.

I wonder whether anyone, besides me, posting here has ever worked at NSA. Judging by the insanity of most of the comments, I rather doubt it.

Wendy Schwartz

Sep. 5, 2013, 5:48 p.m.

the real crime is when the taxpayer public are IRS targeted, have their emails “not get through”, and are generally screwed with if they speak up. There are over 200 people in Washington who can request and use agency data and they have no involvement with law enforcement.  They are “senior campaign staff” but they have the power to get, and use, anything they want for retribution on behalf of big campaign backers.

Pops

Sep. 5, 2013, 5:54 p.m.

Dear ProPublica!
Please tell me and your readers, how does a Government know you are going to publish a story before you publish it? Are you secretly forced to do it? Do you voluntarily do it? Do they have complete access to your systems, and/or personal?
Inquiring minds want to know?

Leo Cotnoir

Sep. 5, 2013, 5:54 p.m.

Wendy, if you snug up that tinfoil hat you’ll be just fine.

Wendy Schwartz

Sep. 5, 2013, 5:59 p.m.

Here is the scenario that frightens me: Eric Schmidt at google went nuts today because Valleywag outed his private N.Y. sex den. Does he call investor Ray Lane and say “get ‘em” and then Ray calls Valerie Jarret and says : “I want every blogger on Valleywag audited by the IRS and I want a copy of all their hard drives!”?

Leo Cotnoir

Sep. 5, 2013, 6:07 p.m.

Wendy, that would be illegal and I doubt that anyone at NSA or any other Federal agency would go along with it. Nixon tried something very similar and you might recall that he was forced to resign.

Billy Gramcracker

Sep. 5, 2013, 6:16 p.m.

America - “Home of the Free” really??????. Brave…not so much. “Home of Cowards and Scoundrels” Amen!!!!!

This article is part of an ongoing investigation:
Surveillance


ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.
