New Snowden documents are out. James Ball, Julian Borger and Glenn Greenwald report:
It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices “to make them exploitable”, and that NSA “obtains cryptographic details of commercial cryptographic information security systems through industry relationships”.
A quarterly update from 2012 notes the project’s team “continue to work on understanding” the big four communication providers, named in the document as Hotmail, Google, Yahoo and Facebook, adding “work has predominantly been focused this quarter on Google due to new access opportunities being developed”.
This GCHQ team was, according to an internal document, “responsible for identifying, recruiting and running covert agents in the global telecommunications industry.”
Ok, so this report is coming out from The Guardian, The New York Times, and ProPublica as a joint report of sorts — and of course the government asked they not publish this article (kudos to them for publishing it anyway).
From what I can tell, with the information being provided, GCHQ and the NSA are working with large software companies to build in backdoors to encrypted software. This can/could/is/maybe running the gamut from VPN, HTTPS, SSL/TLS, and so on. Basically, if the encryption tool is made by a large US or UK corporation there is a chance it has a backdoor built in for the spy agencies.
On top of that, as quoted above, it appears that Google was/is the top target (not surprising given the popularity and the amount of data Google holds on users). More importantly, it sounds like GCHQ (maybe the NSA?) is putting spies into telecom companies to compromise those networks from within…
Bruce Schneier, writing about how to stay secure in light of this new information (he has the original documents and has read through them), states:
What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
That’s Windows, Mac, Linux, iOS, or whatever. That’s incredibly unsettling.
Essentially, if the government wants in to your communications, your data, your computer, it’s likely going to get in. What’s unsettling about backdoors is that once they are found by others, they can, and will, be used by others. That’s incredibly dangerous for all.
Being in the U.S., this is not comfortable, but I can’t imagine being in a foreign country and seeing that most of the software you are using is U.S.-made software and knowing that the NSA is specifically targeting foreign communications coming through the U.S.