The Black Budget Leaked - Threat Wire

Channel: What's the Big Deal? Published: 2013-09-08 1,281 words Source: auto_caption
Intelligence Operations & Secrecy

Transcript

The black budget leaked. Has the NSA broken your crypto? [music] Google and Microsoft want to make everything clear to the masses. And the SEA isn't spreading malware most likely. All that and more this time on Threat Wire. [music] Hello, welcome to Threat Wire.

I'm Darren Kitchen. I'm Shannon Morse. And this is your summary of what's threatening security, privacy, and internet freedom. And first off is Google and Microsoft. They have filed a lawsuit with the US government foreign intelligence surveillance court to allow them the right to publish stats on demanded surveillance of their customers.

They both petitioned the federal court, but the US stalled numerous times and kept asking for extensions. The Obama administration just released information that it'll be releasing its own statistics on national security requests, but the companies both want to release more stats and break down the number of requests that have to do with user content versus metadata. and with no more delays from the US government. Now, Google filed the motion under a first amendment right to publish information on how many requests they receive. But the FISA act was amended in '08 so that the government can place a gag order on any requests having to do with it.

Now, the companies have been attempting to release this kind of information ever since Prism began and and became in the public several months ago. Hey, you know, speaking of Prism, more Snowden leaks. And if you've been playing at home, that means drink. The latest actually outlines a $52.6 billion US intelligence budget of which 11 billion seems to be dedicated to an encryption program. The Washington Post details spending with the CIA, NSA, NRO, and the National Geospatial Intelligence Program taking some 68% of the black budget.

That's a taxpayer dollars that are secretly allocated to classified programs. So, harrah. Uh the leak indicates that the budget uh has actually grown 100% since 2004 with spending focused on data collection, analysis, management, and processing. So the five mission objectives identified by the document include warning US leaders about critical events, uh combating terrorism, stopping spread of illicit weapons, conducting cyber operations, and defending against foreign espionage. The document also reveals an 11 billion project employing some 35,000 people known as the consolidated cryptologic program.

And some actually speculate that such a well-funded program and well staffed program could actually bring on the so-called crypto apocalypse. You actually remember black hat earlier this year just last month uh you know there was a presentation warning of a time when factoring numbers and solving discrete log problems you know math uh will actually become so easy that modern day things like RSA and Diffy Helman and two of the leading technologies in asymmetric cryptography would be broken. Uh security expert Bruce Schneider has weighed in in August actually saying that yes breaking modern public key crypto systems has actually gotten easier over the years. He also goes on to explain that the effort to break these systems pretty much come down to four principles. I mean he he explained this way back in 99 that one computers get faster and two betterworked.

Three algorithms get more efficient and four fundamental advances in mathematics. So the first two follow Moore's law you know the one that transistors and IC's double every 2 years about. [music] Um and the other one algorithms those kind of happen in fits and starts. You've got little like uh you know little improvements, big improvements here and there, but fundamental advances in mathematics quote only come once in a while. But when they do come, the effects can be huge.

So could this consolidated cryptologic program be such an advancement? Well, the leaked documents the national uh intelligence director James Clapper actually wrote, "We are investing in groundbreaking crypto analytic capabilities to defeat adversarial cryptography and exploit internet traffic." Now, last year, James Banford, a notable national intelligence journalist, wrote that the NSA made an enormous breakthrough several years ago in its ability to to crypto analyze or break unfathomably complex encryption systems. Well, the Cryptologic program actually gets some $440 million for research technology aka toys. Uh so, you know, we could actually have seen such a breakthrough. The NSA has [music] uh both the advantage of you know discovering you know everything that has been published within academia and and [music] you know journals and papers as well as whatever their billions of dollars and their army of cryptographic researchers can come up with [music] in secret. Uh it wasn't actually that long ago that the NSA made the secret breakthrough that broke all sorts of academic and commercial security algorithms.

And that was in the 70s with a technique known as differential cryp analysis. Wasn't until the '9s or the early '90s that, you know, the security industry wised up. Now, Schneider points out that while it's possible that the NSA has newer crypto analysis techniques, quote, it's pretty easy to stay a few steps ahead of the NSA by using even longer keys. Now, this brings us straight to our comment of the week. Now, last week we asked you guys how you feel about Microsoft and the NSA and in your trust in Windows.

And our comment of the week comes from Zipi. Yeah. He wrote a Mac Shannon. Really? Tisk tisk. I think there's something to the Windows NSA collaboration.

However, uh how much one can only speculate. We do know that they, you know, changed Skype as part of what seems to be appeasing the NSA. So it I would expect that yes there are some teaming with Microsoft and others. However, what we need to he goes on to say that what we need to focus on is defunding the NSA and stripping them of their power. The rest will get sorted out.

I don't have a Mac today. Now this week we would like to know how you feel about modern public key encryption with rumors of cryp analysis breakthroughs. Do you feel that increasing key length is a sound solution or something else? Uh quantum computers, those are going to be fun. Now remember, you can find all the ways to subscribe at threatwire.org and get involved in our Google+ community for continued discussion with stories like these. Shannon from Germany.

The Syrian electronic army isn't one to redirect websites to malware infested pages, but when the New York Times was infiltrated, this was a possibility. So far, security researchers have not found any malware present on the SEA pages, but a spokesperson from the New York Times says, "At this time, we are still investigating." Now, the IP addresses used in the attack have been known to contain malware in the past, leading to some confusion on the topic. Also, Jeremy [music] decided to write in with the second story. The widely available exploit cake called Nutrino has a new exploit for a bug in Java 6, which is out of date, but still popularly used. Now, the threat was announced publicly on Twitter by a security analyst, but Oracle has chosen not to do anything since Java 6 is no longer supported.

So, how do you protect yourself? Well, for myself, you don't use Java. And if you must, make sure you keep it updated. Do you know there's still machines on the internet running NT4? There are. Isn't that wonderful? All right. And with all of that, I'm Darren Kitchenen.

I'm Shannon Moore. We'll see you on the internet. More. Where's your Mac? Not here. Where are all those? Linux.

Linux. Uh, Windows. Linux.