I think most of us would be fine with the NSA doing what they do if it was targeted, like the police getting warrants to break privacy only in important cases for public safety.

The problem will always be mass interception. Not only domestically either, as there is nothing protecting any foreign communications being intercepted in the US (and I'm sure Five eyes+ bypasses these legal roadblocks whenever needed). Which is why the push for encrypt-everything is so important. But as we've seen repeatedly, even when investigating the president and his people, even the allegedly "significant domestic protections" offered by FISA are a joke and basically rubber-stamp.

WhatsApp and iMessage and other non-SMS communication as well as email providers finally adopting proper transit encryption probably has reduced the amount of this sort of unfiltered "intelligence" gathering by 90%+. But I'm sure there's still tons of mobile apps and websites which aren't doing things properly and are filling up their databases.

It's time to resurrect the one time pad (not referring here to 2 factor authentication (2FA), I should hope to include 2FA FIDO in a Sneakernetwork standard), but rather the process of generating random data, shared between only two people, for the purpose of the most primitive of systems of encrypted communication. Simplest, but most secure(!!!)

There is a lot of research in this area, and each issue can be addressed (for example, the risk of reuse can be solved in various ways).

What we need is a way to "sneakernetwork" our otp random data to our friends. Like a business card, only where it's a mutual otp between these friends. For most people, 99% of important communications could be handled this way, through only a single contact. Certainly one could easily text for life with a single SDHC card of otp. And an SSD could handle phonecalls. A lifetime of video calls (again, between the two parties) aren't out of reach either.

What we also need is a networking protocol that supports forwarding through the web of trust messages to parties known only at the fringes of one's social network. For example, connections of the 1st degree are sneakernetworked contacts. Like you visit your mother, you share an otp blob. Now, even if your mother is in another country you can never visit, you can always talk to her about politics or religion without any worries about oppressive authorities. But out from there, anyone who is in your mother's 1st degree network can be added to your own 2nd degree network, depending upon her permissions. This kind of p2p interworking.

Before you object that "real" encryption is also needed, I agree, "real" encryption in addition to otp (it needs to be throughout a well-designed sneakernetwork system). But otp is superior, and, if you have to choose, choose otp.

There is no reason why the security of assymmetric encryption should matter to ordinary (or the majority of extraordinary) people.

It might be different for you, but 100% of the people I've had important conversations with have been friends I know from life, family, which I unsurprisingly know from life, and financial institutions of various kinds, which have offices for physical contact.

And I know the very thought of otp makes some people ill. It reminds one of hack jobs. Yet there it is, as factual, the best encryption, perfectly suited to normal people, and with data capacities at the level where it's beyond practical. What we lack is adequate paranoia and vision in the tech community.

> WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The fact that they use awkward wording that contains words whose first letters that start with NSA (not secure as) is pretty suggestive that you are right.

Even just reading this article should show you that they kill you with kindness when they want to keep things hush-hush. If someone is developing a free tool, and are offered a retirement-tier payoff to stop, they're going to stop.

Does that mean they are only available because the 3 letter agencies can hack them?

Enclosing letters in paper the thickness of which has a million variations doesn't mean one of them is magically more secure than one made from two inch thick steel. The point of encryption is it's a standard that needs to be interoperable. Also, NSAs of this world aren't breaking modern ciphers. They're circumventing encryption by going for the keys: There's three choices

1) If communication system uses TLS-encryption (e.g. Telegram cloud messages), there's no need to break encryption, just hack server and read messages from there.

2) If the system uses E2EE where user has no way to verify fingerprints (e.g. iMessage, Confide), compromise the server legally or by hacking it, and perform undetectable MITM attacks.

3) If the system uses E2EE where fingerprints can be verified, hack the user's endpoint to steal their private keys and perform undetectable MITM attack (or just steal their chat logs or take screenshots).

So, to sum it up, the game when modern ciphers are used, is not with cipher security, but everything else around it.

For the easiest, you can just apply multiple encryption algorithms in succession (of course with different keys). Although the algorithm of AES is considered safe, it can be broken through a side-channel such as a backdoor, which secretly stores keys used somewhere. But if you apply another algorithm after AES, be it ChaCha20 or Blowfish, it can only gets reinforced.

Another trivial way to safely roll out your own encryption is to increase the number of rounds in ciphers that are considered safe. The increased number of rounds only strengthen the algorithm. And it's just changing a few magic numbers in the source code - you can get extra security for little expense of time.

Both methods provide esay-to-implement ways to safely 'invent' a new encryption algorithm without a proper knowledge of cryptography. If people start doing any of the above regularly, it would be a headache for those enjoying to exploit vulnerabilities in common crypto implementations.

The new fact is that the company was co-owned, then fully owned by the CIA.

Along the way, I wouldn't blame any reader for assuming that this is entirely new information.

Other countries programs aren't good or anything, but anyone who's deluded themselves into thinking the US is some kind of clean actor, not participating in this sort of stuff, or only using it for good is more optimistic than I could ever manage being.

It’s clear that the CCP is assembling a database of information on everyone in the developed world, not just in China, and that they intend to use it as part of their soft power arsenal (along everything else from economic incentives to Confucious Institutes).

The CCP is much more frightening and less accountable than the US Govt, especially as they reach parity in soft and hard power.

That really depends on the government, and how heavily they rely on domestic surveillance as an instrument of political control. It also depends on the geopolitical and diplomatic situation, and the risks that stem from that.

In China for instance, domestic surveillance is a clear threat any of its citizens that choose to be dissidents and advocate for change. For instance, I have friends there who are very angry about the coronavirus situation, but have to be careful about what they say and how they say it to avoid risking government attention. Even with an extremely dark and cynical view of the US government, that kind of threat is far less for US citizens.

Foreign spying can be dangerous to you, personally, but usually in a more indirect and collective way [1]. The most obvious example of this is war. If your country loses one to a more brutal and oppressive adversary, you'll likely find yourself is a worse, if not outright bad, position. On a smaller and more mundane scale, foreign industrial espionage could put you out of a job.

[1] You may be a target of foreign direct spying if you're friend of a dissident, a government employee, a government official, or have access to valuable technology or trade secrets, etc.

This is an incredibly foolish line of reasoning. Compromising the trust and sovereignty of individuals in the U.S. is an extreme risk, and it can come for anyone. The U.S. government at least will tend not to try undermining the U.S. economy except through specific policy initiatives; the Chinese government has a permanent interest in controlling the U.S. economy, and holding the threat of compromise over our heads.

No government is your friend, but there's really no comparing the abusiveness of the CCP, both at home and abroad, to the U.S. equivalent, and I'm honestly shocked that I ever have to remind people in the west of this.

[1] https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

Wouldn't China/Russia make some noise if they had proof the Cisco was hiding something in their infra?

[0] https://www.nybooks.com/daily/2014/05/10/we-kill-people-base...

Also, I think quite a bit of telecomm traffic is encrypted by the telecomm carrier itself. For example I don't think my iPhone, by default, encrypts/decrypts SMS or voice calls on the device. To the extent text messages and mobile phone calls are resistant to dumb eavesdropping, that's provided by the mobile carrier. So having access into all the equipment at the carrier would be a nice centralized place to sit and observe/record.

A nation-state type actor can hoover up everything and retroactively decrypt.

Where is the self-interest in the US pressuring European (mostly EU) countries to use EU competitors?

"CIA owned CryptoAG in collaboration with the intelligence establishment of West-Germany"

[0] https://www.theregister.co.uk/2019/09/30/cyberbunker_cb3rob_...

Thank-you editors for our chronically uninformed electorate.

Though to be fair, I'm not sure if there are copyright issues involved, which might make such a guideline difficult.