A new leak by NSA whistleblower Edward Snowden reveals that the NSA and the UK-based GCHQ have been collaborating with software and hardware developers to weaken commercial encryption products. According to the report, the agencies maintain co-operative relationships with specific industry partners to insert backdoors and other weaknesses into commercial security and cryptography products, in pursuit of total information capture. The news suggests that commercial security software which does not provide complete source code access cannot be trusted; open-source software is no guarantee either, since the agencies can also bring a network of supercomputers to bear on brute-force attacks against encrypted data.
Full details at Bit Tech.
The revelation has privacy advocates and security experts up in arms, but such things have long been rumoured: the NSA was accused of inserting a backdoor into Microsoft's Windows operating system that gave it full and unrestricted access to users' files, even when encrypted, a claim that Microsoft has denied for years.
Snowden's leak also tells of efforts, under the unlikely codename Project Cheesy Name, to identify potentially weak Secure Sockets Layer (SSL) certificates for brute-force cracking attempts. Recovering a certificate's private key would allow the NSA to run servers that pretend to belong to the certificate's owner and, for connections negotiated with RSA key exchange rather than a forward-secret cipher suite, to decrypt in real time any captured traffic destined for the real servers.
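The report does not say how the agencies decide which certificates are "potentially weak", so the following is an added illustration, not code from the leaked documents or from Bit Tech: two checks a certificate scanner would run over a batch of RSA public keys. The first is key size, since a short modulus is the one case where brute-force factoring is realistic. The second is the shared-prime check published by Heninger et al. and Lenstra et al. in 2012: when two certificates were generated with a bad random number generator and share one prime, a single GCD recovers both private keys with no brute force at all, and a product/remainder tree does this for a whole batch at once instead of pairwise. The moduli below are constructed from small primes so the example runs instantly; real keys are 2048 bits or more, and the names `audit_moduli`, `batch_gcd` and `SAMPLE_MODULI` are this example's own.

```python
from math import gcd

# Constructed sample RSA moduli, as a scanner would extract them from
# certificates. Built from small primes so the demo runs instantly; being
# tiny, they are also flagged by the key-size check, as real short keys would be.
P, Q, R, S, T = 1000003, 1000033, 1000037, 1000039, 1000081

SAMPLE_MODULI = {
    "cert-a": P * Q,   # shares the prime P with cert-b: one GCD factors both
    "cert-b": P * R,
    "cert-c": S * T,   # no shared prime; only the size check fires
}

MIN_RSA_BITS = 2048


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of every other N_j).

    Product tree upwards, remainder tree downwards (Bernstein's batch GCD
    as used by Heninger et al.): z_i = P mod N_i^2, g_i = gcd(z_i // N_i, N_i).
    Quasi-linear in the number of moduli, versus O(n^2) for pairwise GCDs.
    """
    if not moduli:
        return []
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        # Multiply neighbours; an odd trailing element is carried up unchanged.
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    rems = tree[-1]  # the root holds P, the product of all moduli
    for level in reversed(tree[:-1]):
        # Each node's remainder is its parent's remainder reduced mod node^2.
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(z // n, n) for z, n in zip(rems, moduli)]


def audit_moduli(named_moduli, min_bits=MIN_RSA_BITS):
    """Return {name: [findings]} for every modulus with a detectable weakness."""
    names = list(named_moduli)
    moduli = [named_moduli[name] for name in names]
    shared = batch_gcd(moduli)
    findings = {}
    for name, n, g in zip(names, moduli, shared):
        issues = []
        bits = n.bit_length()
        if bits < min_bits:
            issues.append(f"modulus only {bits} bits (< {min_bits})")
        if g == n:
            # Both primes appear elsewhere in the batch: duplicated key.
            issues.append("modulus duplicated in another certificate")
        elif g > 1:
            # One shared prime means the private key falls out immediately.
            issues.append(f"shares prime factor {g}; other factor {n // g}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_moduli(SAMPLE_MODULI).items():
        print(name, "->", "; ".join(issues))
```

On a real corpus the moduli would be pulled from the certificates' SubjectPublicKeyInfo fields; the batch GCD is what makes the shared-factor check practical across millions of keys, which is exactly the scale a passive collector of certificates would be working at.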
In a separate feature for the Guardian, security expert Bruce Schneier offers advice for protecting yourself against such all-encompassing spying: use of encryption, even if weakened; use of anonymising services such as Tor; automatic suspicion of any closed-source commercial packages, especially those from larger US-based companies; and the use of public-domain, source-based encryption systems.