The NSA Forces Most Software Makers to Build Backdoors into Their Products

September 6th, 2013, 09:43 GMT · By Lucian Parfeni

One of the more troubling (though, again, not entirely surprising), revelations in the latest Snowden leaks isn’t that the NSA is working to break and bypass encryption or even that it mostly succeeds in doing that.   It’s that it works closely with most (presumably all) large software vendors to build backdoors and vulnerabilities into their products, ensuring that the NSA always has a way into your system and communications.   It can be assumed and should be assumed that all commercial encryption software, particularly that from companies in the US, has been compromised or is vulnerable.

The NSA spends some $250 million (€190 million) a year to try to coerce or convince companies to build backdoors accessible to the agency or to try to influence the design of their software so that it’s vulnerable to its attacks. This can be done with cash, the threat of ruining the business, or even without a company’s knowledge.   One document seen by Guardian and New York Times journalists claims that the NSA “actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.”

For example, the NSA’s program aims to “insert vulnerabilities into commercial encryption systems.” These vulnerabilities make it possible for the NSA to decrypt communications in real time or near real time.

“These design changes make the systems in question exploitable through Sigint [signals intelligence] collection… with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact,” the document explains.   The big problem with this, apart from the fact that the US government can spy on everything you do, is that these vulnerabilities, if known, can be exploited by everyone – criminals, foreign governments, and so on.   The NSA hopes that these vulnerabilities remain a secret. But you can imagine that other governments aiming to break Internet encryption would try to discover these very vulnerabilities since it would be much easier for them to find and exploit the built-in backdoors than break the mathematics behind the encryption algorithms.   And, while we, the public, are only finding out about these capabilities now, even though the NSA has been caught red-handed altering commercial software before, China, Russia and everyone else has been operating under the assumption that these vulnerabilities are there waiting to be discovered.   The reports don’t mention any actual company collaborating with the US, but you can expect that any large US software vendor, particularly in the security market, has been compromised, and probably many foreign ones as well.

Your best choice is to stick to open source software and encryption protocols. There are some other ways of maximizing your defense against government snooping, and you can read more about that here.

Tags: , , , , , , , ,

Comments are closed.

%d bloggers like this: