Computer scientist and researcher
Elhuyar Hizkuntza eta Teknologia
Throughout the first half of this year we wrote three articles on the security of Internet communications, explaining how confidentiality, authentication and anonymity can be guaranteed. Most people do not use the advanced methods described in them to browse the Internet completely anonymously, digitally sign emails or encrypt them. However, we know that web services that require passwords or bank account numbers, web services for sending email and teleconferencing programs use cryptography to protect the privacy of our communications. Specifically, they commonly use asymmetric cryptography, or public-key cryptography, which is considered very secure and which ensures that third parties cannot intercept those communications and access our information.
No ordinary third party can, but governments are no ordinary third party. They have more resources, and not only computing resources. Instead of trying to break these cryptographic methods, it is easier for them to go directly to these services. Edward Snowden, a former employee of the US intelligence and security agencies CIA and NSA, revealed the PRISM program to the newspapers The Guardian and The Washington Post in May of this year, backing it up with internal NSA slides, which were published in June. This program has allowed the NSA to access all customer data from 9 large Internet companies since 2007. And these are no ordinary companies: Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, AOL, Skype and Apple (and Dropbox was about to join the program).
All these companies have denied providing their customers' data to the NSA. But the US government has confirmed the existence of the program: on the one hand, it has taken Snowden to court, charging him with espionage and theft of government property (Russia has granted him political asylum, and he currently lives there); on the other, it has tried to reassure citizens by saying that the program is only used to read the communications of foreigners.
In June, Snowden revealed the Tempora program through The Guardian. It is a program of the British security agency GCHQ (the equivalent of the NSA), similar to PRISM, which collects citizens' communications and information. In addition, they pass the information to the NSA. And during July and August, Snowden revealed the XKeyscore system through two articles published in the newspapers The Sydney Morning Herald and O Globo. This NSA software makes it possible to search and analyse data and information of foreign origin on the Internet. The governments of Australia and New Zealand also take part.
Snowden's leaks have had a long aftermath. Since May, Snowden himself has revealed a new scandal every month, but once the dust was raised, it seems that paranoia has spread, and the media have launched many other speculations on the subject.
Given that the NSA has access to the data of all these large companies in the PRISM program, and that the companies deny handing it over, rumors began to circulate in September that the NSA had perhaps found a flaw in public-key cryptography and was using it to decrypt HTTPS traffic. If that were true, that is, if there really were a flaw in public-key cryptography, and that flaw became known, and the resources needed to use it were within the reach of anyone or almost anyone (and not only the NSA), it would be incredible: the confidentiality of communications on the web could not be guaranteed, and anyone could see passwords, bank account numbers and messages... The web as we know it would disappear.
Fortunately, this does not seem to be the case. There are several reasons to think that public-key cryptography is secure and that the NSA obtains information through particular implementations or through the bad practices of some companies (for example, using old versions of software whose flaws have since been fixed, using keys that are too short, or storing private keys insecurely); if things are done properly, the method remains secure. In addition, companies handing over information voluntarily, and lying about it, seems a much more likely explanation than asymmetric cryptography having been broken. Otherwise, the NSA would not be requesting data from many other companies.
Another rumor that emerged in September claimed that the NSA had been able to open a back door in the random number generation method of the Linux operating system, the most widely used on Internet servers. In public-key cryptography, the private key is formed from two randomly obtained prime numbers. True randomness is impossible on a computer, but in general there are ways of obtaining a relatively high degree of randomness, and these are what cryptography uses. However, if that randomness were reduced, or if it followed known patterns, it would be easier to guess a private key.
Some Linux contributors voiced concern that one of Linux's random sources might be RDRAND, a function that generates random numbers in hardware on Intel microprocessors. According to them, since the random numbers are generated in hardware, it could not be inspected to check that it really did what it was said to do. When PRISM and the rest came to light, many put two and two together and thought that perhaps Intel's chips did not do what they claimed, but instead implemented an algorithm known to the NSA. In this way, a back door in Intel and Linux would allow the NSA to obtain the private keys of most web services. It seems too conspiratorial, doesn't it? Nevertheless, some Linux contributors stopped contributing, and a petition was started on Change.org asking for RDRAND to be removed from Linux. But Linus Torvalds, the creator of Linux and its current general coordinator, responded harshly, stating that it was nothing more than one source of randomness and accusing them of spreading unjustified fears.
For its part, the weekly Der Spiegel also reported in September, based on Snowden's documents, that the NSA had access to all transactions made with Visa and other credit cards. It is impossible to know whether that is true. But almost every week new suspicions and theories emerge.
Of course, this interception of digital communications is carried out in the name of security. But normally those who are up to no good take precautions and know how to keep their messages and activity secret. In the end, those whom governments spy on are us, ordinary citizens. Many will say that they do not care, that they are doing nothing wrong. But access to our digital communications is a serious violation of privacy; in the analog world it is equivalent to opening and reading letters or tapping and listening to phone calls. We would not accept that, would we?
For this reason, since PRISM was revealed, associations and organizations that defend civil rights, freedoms and privacy have been opposing it, raising awareness and mobilizing society, and teaching ways to avoid PRISM and protect people's privacy. For example, the Prism-break.org website shows some ways to prevent the NSA from accessing our communications and data. It basically consists of following the guidelines we gave in the articles of this series mentioned at the beginning (use of HTTPS, mail encryption with GPG or PGP, use of digital signatures and anonymous browsing with Tor), as well as replacing the services or software of the companies included in the PRISM program with alternatives. In the case of software, they always recommend free software, since the source code is the only means of being sure of what the software does.
As for computer operating systems, Linux is the only one that can be trusted. As for phones, there are Android variants not controlled by Google, or Firefox OS, which we told you about last month. For iOS and Windows Phone there is no alternative, so the recommendation is not to buy iPhones or Windows smartphones. For browsing there are Firefox, Tor Browser and others (but not Explorer, Chrome, Safari or Opera). As a mail program we have Thunderbird, and for webmail, MyKolab and other services; if we use services like Gmail, Outlook or Yahoo!, it is recommended to use Mailvelope, the Firefox add-on that implements GPG. Among search engines, DuckDuckGo and other services are recommended instead of the most common ones, and for maps, OpenStreetMap. And on the website we can find recommendations for other types of services.
But at the same time, the NSA wants to keep us from escaping its clutches. It has managed to get some web services that store our emails encrypted shut down, for example. Lavabit, the service used by Snowden, was closed by its owners because the US government wanted to force them to hand over their customers' data. Another similar service, Silent Circle, has closed because, being based in the US, there was no confidence that it could offer a totally secure service. Services of this type exist outside the US, in Switzerland and elsewhere.
It seems that, to some extent, the Snowden affair has served to draw attention to the importance of privacy, and the use of the alternative, anonymous and cryptographic services mentioned above has increased remarkably in recent months. May the knowledge of this digital spying on citizens serve, at least, to stir our consciences and, beyond seeking alternatives, to start pressing the administrations that should be at our service to abandon these practices.
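A toy model of the two preceding paragraphs, as an added example that is not part of the original article and is not Linux's actual mixing code: a key derived from one predictable source can be regenerated by enumerating that source, while a seed that hashes it together with an independent source cannot. The 10-bit hardware value, the 20-bit primes and all function names are constructed for illustration.

```python
import hashlib
import os
import random

HW_BITS = 10  # constructed: output space of the hypothetically predictable source

def is_prime(n: int) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def toy_modulus(seed: bytes) -> int:
    """Derive two 20-bit primes from the seed; return n = p * q (toy RSA modulus)."""
    rng = random.Random(seed)  # deterministic stand-in for a key generator, not a CSPRNG
    primes = []
    while len(primes) < 2:
        c = rng.getrandbits(20) | (1 << 19) | 1  # force 20 bits and odd
        if is_prime(c) and c not in primes:
            primes.append(c)
    return primes[0] * primes[1]

def weak_seed(hw: int) -> bytes:
    """Seed taken from the hardware value alone."""
    return hw.to_bytes(2, "big")

def mixed_seed(hw: int, other: bytes) -> bytes:
    """Seed that hashes the hardware value together with an independent source."""
    return hashlib.sha256(hw.to_bytes(2, "big") + other).digest()

def reproducible_from_hw_alone(n: int, seed_fn) -> bool:
    """True if enumerating every hardware value through seed_fn regenerates n."""
    return any(toy_modulus(seed_fn(hw)) == n for hw in range(1 << HW_BITS))

if __name__ == "__main__":
    hw = 0x2A7              # constructed hardware output
    other = os.urandom(32)  # independent source (constructed stand-in)
    n_weak = toy_modulus(weak_seed(hw))
    n_mixed = toy_modulus(mixed_seed(hw, other))
    print("hardware only :", reproducible_from_hw_alone(n_weak, weak_seed))
    print("mixed sources :", reproducible_from_hw_alone(n_mixed, weak_seed))
```
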