The NSA violated our rights because they didn’t understand their own systems; it wasn’t intentional, it was incompetence. Or so they say. My guess is it was a combination of both, but the emphasis now is on the NSA covering its own ass, so of course they’re going to deny everything. That’s certainly consistent with the pattern of behavior so far.
…the mathematics underpinning crypto is still basically sound. These attacks instead depend on implementation flaws, bad passwords, weak algorithms, corporate cooperation, and, perhaps, backdoors.
Implementation weaknesses in any encryption product are always a concern, and most often not indicative of anything malicious. Open source or otherwise well audited systems stand a good chance of having those flaws identified and corrected.
The writer says as much:
Is it possible that the NSA can go far beyond the state of the art, breaking even encryption believed to be secure? Sure. It can’t be ruled out. But it’s not the only interpretation of the information that’s been leaked so far—and if experts remain confident that the basics of cryptography are all still sound (a belief that appears to be shared by Snowden himself), it’s arguably not even the most likely one.
Good points made. He takes a more moderate stance, arguing that the NSA might be engaging in run of the mill hacking. If correct, that is less alarming. As is often the case, I think the truth is probably in the middle, but at this point there is much uncertainty, and hence, reason to not relax too much on this subject. After all, if efforts to reduce security are as bad as some fear, then our data and running operating systems are all less secure, posing a very serious and systemic problem.
To make an analogy, we need local police to protect us from each other, but we also need legislation to protect us from police (they don’t police themselves, after all). Similarly, we need the NSA to spy on others and collect intelligence, but we also need curbs on what the NSA can do. Why? So they do not become a “rogue agency” (more so than at present); so that other nations trust us (including our own private sector tech companies); so that they don’t target Americans (who, unlike non-Americans, can be picked up by domestic law enforcement like the FBI).
The argument isn’t for abolition of the NSA, but for clarification and accountability. Their focus on “national security” may very well make us all less secure.
Schneier makes good points regarding a) generation gap of whistleblowers, and b) over-classification of secrets and its consequences.
Mr Snowden is 30 years old; Manning 25. They are members of the generation we taught not to expect anything long-term from their employers. As such, employers should not expect anything long-term from them. It is still hard to be a whistleblower, but for this generation it is a whole lot easier.
A lot has been written about the problem of over-classification in US government. It has long been thought of as anti-democratic and a barrier to government oversight. Now we know that it is also a security risk. Organizations such as the NSA need to change their culture of secrecy, and concentrate their security efforts on what truly needs to remain secret. Their default practice of classifying everything is not going to work any more.