> The NSA wants to be able to easly read all traffic from everybody so they can figure out who the 'bad' people are, inside and outside of the country.
I actually don't think the NSA cares about reading traffic from everyone; they know who their targets are, and no amount of software can replace good old-fashioned investigation.
> The NSA is not actually primarly protecting the people, its protecting itself first, the government second and third, maybe the people a little bit.
The NSA is a government agency tasked with the mission of intelligence gathering outside the US. Intelligence is far more valuable when you know something and others don't. Any widely-applicable exploit of a crypto algorithm would also make it easier for other countries to break encryption. The NSA has a huge advantage over those other countries' spy agencies in the form of resources; so to protect their exclusive ability to break encryption with brute force, they need to make sure the algorithms are sufficiently strong.
It's about maintaining an exclusive capability that other countries don't have. A spy could leak information about how to exploit a crypto backdoor to other countries and render your advantage useless. A spy can leak your strategy (spend an epic fuck-ton of money on datacenters for brute forcing encryption) all they want, but that won't help your enemies break arbitrary crypto.
>I actually don't think the NSA cares about reading traffic from everyone;
Im sorry but your assumtions are just wrong. We know from Snowden that they DO collect all the data and have suffisticated search and anlysis tools for things like social graphs.
They want to know with whom the targets talk. Thats why they are doing it.
> The NSA is a government agency tasked with the mission of intelligence gathering outside the US.
That does not stop them from doing it inside.
> Intelligence is far more valuable when you know something and others don't.
Backdoors in crypto or hardware are extremly hard to find and if you pit them in, you have a huge advantage for a long time or forever.
> The NSA has a huge advantage over those other countries' spy agencies in the form of resources;
Breaking encryption with brute force just does not work. We know from the snowden leaks that they almost never go after the crypto directly.
Even if they can break RSA 4096, try breaking all the millions of https connections a day. Its even worse if its not public key crypto.
Its hard enough collect the data without breaking encryption first.
You can also combine the too. They made sure that RSA used a weak default that they could break.
You haven't rebutted his argument by adding this extra detail. Much of the personal communications infrastructure of the Internet is housed in the US; foreign targets of US intelligence use these services. It makes sense that NSA wants access to that data, and that their mission is harmed by US Internet services that provide an easy-to-use refuge from surveillance for the country's adversaries.
(I'm not making a normative argument).
I don't know what you mean by "weak defaults in RSA". You mean RSA-1024? People use RSA-1024 because, especially during the time period where TLS began being rolled out to non-commerce websites, RSA-2048 was prohibitively expensive.
You mean the (very plausible) allegation that NSA paid RSA to backdoor BSAFE, their commercial RSA library, by using Dual_EC as their default RNG. But that doesn't help your argument much either: the targets that used BSAFE were much more likely to be foreign and much less likely to be large-scale US communications infrastructure, virtually none of which uses BSAFE-encumbered software.
Just a reminder to other readers: RSA was originally the company formed in the 80s to commercialize the RSA algorithm IP. But in the mid-90s, a hardware token company called SDTI bought them and took over the RSA name. Tokens and enterprise multifactor auth have been the mainstay lines of business at RSA ever since, not crypto libraries.
> The NSA is not actually primarly protecting the people, its protecting itself first, the government second and third, maybe the people a little bit.
I wouldn't put the people that high up the list. Remember that their programs haven't been shown to save a single person. Even with the insane amount of pressure that they had because of the Snowden revelations they couldn't come up with some sort weasel logic that allowed them to claim that hundreds of lives had been saved. They don't care for that.
The terrorists have been using encryption forever and will keep doing so even if it's outlawed in major western countries. Just the other day it was reported that ISIS has its own encrypted chat app. Attempting to fuck up encryption for the masses won't help anyone.
>Remember that their programs haven't been shown to save a single person.
To be fair, any attempt the NSA did make to justify itself to the public would immediately be dismissed as propaganda, fabrication or parallel construction and entrapment. And their job doesn't require public goodwill - the people they actually have to answer to have security clearances. So if they had ironclad evidence that their methods worked, there's no reason to reveal it to you or I, Snowden or otherwise.
The NSA wants to be able to easly read all traffic from everybody so they can figure out who the 'bad' people are, inside and outside of the country.
The NSA is not actually primarly protecting the people, its protecting itself first, the government second and third, maybe the people a little bit.