NSA Surveillance: Is There Any Way to Keep Web Communications Private?
Much, perhaps most, of the data the intelligence agencies want is found through a back door into the target machine itself. After all, why go to the trouble of cracking encrypted material when you can get it in the clear? And this leads to the next question, which is, what’s actually safe on the Internet? As you’ve probably figured out by now, public e-commerce sites have almost certainly been compromised. Widely used VPNs have also been compromised, which means that the airline reservation system you use probably isn’t closed to intelligence agencies. Your public cloud provider, regardless of how secure it claims to be, probably isn’t.
The next question is whether this matters to you. Chances are the NSA isn’t going to be watching you buy Ethernet cables from Amazon, even though it can, because the NSA has more important things to worry about. But suppose you try to buy ammonium nitrate on Amazon? This chemical is a critical component in the fertilizer used in commercial farming. But it’s also a critical component that terrorists use in making bombs. What then?
This is where the much-discussed back doors come in. If you’ve been reading my column for any period of time, you’re no doubt aware of the back doors in cellular switching equipment that have been blamed on Chinese telecom vendors Huawei and ZTE. But it’s alleged in some of the analysis of Snowden’s documents that the NSA has also built back doors in other equipment, including server network interfaces. Not only would this allow traffic to be sent to an outside entity, it could do more.
So can you protect your data? For most routine Internet activities the answer is you can’t. If you start looking for ammonium nitrate or you are communicating with co-conspirators in a terrorist attack plot, it’s possible that someone will find out. It could be through a back door; it could be through the retail vendor or the communication service you are working with; it could be somewhere else along the way.
If you have really important data to protect, there’s almost nothing you can do short of encrypting your data before it ever reaches the computer that’s attached to the network. But even then you have to store those encryption keys someplace really secure, which also means not on a computer attached to the network. In short, your only real hope is that whatever you do is too boring to be interesting to any intelligence organization.
As Dr. Steve Weis, CTO of PrivateCore, explained to me in an interview, these networking adapters have access to the memory of the computer to which they’re connected. This is the same place where the encryption keys are stored when that server is encrypting data. Thus it’s no great trick to harvest the keys, which is one place where intelligence agencies can get those keys I mentioned earlier.