How to React to the NSA Attack on Standard Cryptosystems

I found an article asking "With crypto being insecure, whom do you trust?" while reading through the news this morning. It referenced the joint article from The New York Times and ProPublica, "Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security." The question is a good one: who can you trust? I have a few thoughts on the matter.

First Thought: If this surprises you, you haven't been paying attention. The NSA's job is to crack encryption and backdoor systems to gain actionable intelligence for the United States, and to make it difficult for its adversaries to do the same to the U.S. Here is the actual mission statement from its website:

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.

Given some of the liberties taken with the Fourth Amendment in the past and this mission statement, I think it's clear that the "Ends Justify the Means" argument has some advocates at NSA.

Second Thought: The notion of online privacy is obsolete. We can argue it has never been viable. Either way, you can't trust your data to be private online. Expect it to be the subject of a breach.

That leads me into my Third Thought. All online transactions are now, more than ever, an exercise in risk management. All electronic transactions are compromised. How frequently will those compromises result in loss? How big will that loss be? This goes for personal and business transactions alike. Make sure the benefit you get from the transaction is larger than the potential loss.

And now for my Final Thought on the matter: now what? My recommendation for maintaining privacy in this new age of certain breach is to go Old School. If you have data that must remain private at all costs, grab a notepad and a pen. As long as you don't scan or photocopy the handwritten document, it won't show up on Google. If you need to talk to someone about something private, arrange a conversation with them rather than flinging email at each other or calling on the phone.

In summary, here are my observations on NSA-compromised cryptosystems:

  1. If you are surprised, you haven't been paying attention.
  2. Online trust is obsolete.
  3. All online transactions are now an exercise in risk management.
  4. If you really want privacy, break out the pad and pencil.

Leave a comment if you want to discuss further.