The Complex

Pro-Assad Hackers Admit: We're Just 'Vandals'

Pro-Assad hackers are promising a massive counterattack online, if the U.S. military strikes Syria. But they also admit they may not be able to do more than muck up a couple of American websites.

The Syrian Electronic Army, a group of Bashar al-Assad loyalists that claims to number in the tens of thousands, has grabbed headlines for commandeering the Web sites of the New York Times and the Washington Post, as well as the Associated Press' Twitter feed. It's not the only hacker group operating in Syria, but it has the biggest profile and appears positioned to launch some kind of response should the United States attack Syria.

Exactly what form that response will take is unclear. So we decided to ask the group. Foreign Policy contacted the SEA via a Gmail account that the group is believed to use. While it was not possible to verify that the person who responded is in fact a member of the SEA, the account has been linked to the group's purported Twitter feed, and it has been shared with other journalists seeking interviews.

The SEA promised that it would respond to the use of military force by the United States.

"In the event of an all-out war, it becomes the responsibility of every Syrian national to stop or shorten the length of that war through any means necessary," the SEA said. The group claimed to have a "bank of targets and many surprises" at the ready should the United States attack.  But it did not name any specific targets or hint at what categories they might include.

To date, the SEA has shown no capacity for launching sophisticated strikes that would disable critical infrastructure or communications networks. The SEA acknowledged that "so far we have consigned ourselves to vandalism," and even offered that after years of civil war in Syria, many of its members "have lost almost everything and are hanging on by a thread..."

Foreign Policy asked the SEA whether it has any intentions -- or the capability -- to launch attacks that cause physical damage or more serious disruptions. 

"There were attempts to frame us for such an act by discredited media platforms but we have never announced such an attack," the SEA said, without specifying what those attacks were. "It's our opinion that these attacks are extremely complicated and require state-level espionage, as in Stuxnet. ... You can imagine what kind of budget that involves. That said, we don't give out any details about future attacks."

The SEA representative didn't come out and say it, but this appears to be an acknowledgement that the group doesn't have the resources to pull of an attack like the famous Stuxnet worm, which the United States and Israel are believed to have built to disable centrifuges in an Iranian nuclear facility. That would likely come as little surprise to experts, who have never credibly suggested that the SEA, on its own, could wreak that kind of havoc. But it was remarkable that the SEA would essentially concede the point, as well.

In previous interviews, the SEA has shown more bravado. In a recent exchange with Mashable, the group insisted "we will target all of it," referring to U.S. government targets and media organizations, should the U.S. military attack Syria. And someone claiming to be a top member of the SEA told ABC News, "All American sites will be our targets and we may be more destructive" than in previous acts of vandalism.

Experts have said that the SEA's attacks are getting more sophisticated and ambitious in recent months, and that this suggests some possible outside assistance from bigger groups or governments. But the SEA took issue with this characterization.

"We are not really sure whether this is an indication of racism or something else, why are Syrians considered primitive?" the SEA said. "We were the people who started civilization and gave the world the alphabet after all, is it so difficult to believe that we are just as capable in modern times?"

To emphasize the point, the SEA added, "Clearly, we don't need or want any help."

If what we've seen from the SEA so far amounts to the full extent of its capabilities, then major cyber attacks against U.S. targets may not be in store--at least not from this group. The SEA also sought to delineate any action it might take against U.S. government and media targets from attacks on the American public, which would arguably be more harmful.

"We don't want to hurt anybody and we have many American friends and many Syrians live in America and were founders of the [Syrian] nation so we have no animosity towards it," the SEA said.

"We distinguish between the American people, the majority of whom are on our side, and the American government which will is in fact their oppressors. We have a bank of targets, some of which will help these Americans who have had enough of their government finally bury it in the dumpster of history."

Bravado and bluster. But so far, no big bangs.  And it sure sounds like there aren't many coming.

National Security

Internet Encryption Guru on NSA Codebreak Revelations: We're Outmatched

The National Security Agency has managed to defeat the powerful commercial encryption technology that, for nearly two decades, individuals, corporations, activists, and governments around the world have used to keep their communications safe from the prying eyes of digital spies and intelligence organizations.

In short, this means that the NSA, the largest intelligence agency in the U.S. government, has the power to read huge troves of email and other encrypted communications that once would have appeared as a digital scramble, useless to government spies.

Citing classified documents provided by former NSA contractor Edward Snowden, the New York Times reported on Thursday that the agency has used "supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age."

In what amounts to a multi-front campaign against encryption technology and the people who develop and use it, "The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world's most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world," the Times reported.

Developers and experts had long assumed that the NSA was attempting to foil the strong encryption technology that has proliferated on the web in recent years. But some were still stunned by the scale and scope of the effort.

"All the things we thought were worst-case scenario are actually happening," said Nadim Kobeissi, the developer of Cryptocat, a web-based encrypted chat program. "There's no way it could get worse than this."

He was particularly alarmed to learn that, according to documents reported by the Times, the NSA is spending $250 million on a "Sigint Enabling Project," which "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them "exploitable."

Kobeissi said that experts had believed that governments were working covertly to insert back doors and holes into systems to make them crackable by intelligence agencies. The Times revelations appear to confirm this is true.

Kobeissi also noted that, according to classified budget information recently leaked by Snowden, the U.S. government employs 35,000 people focused on cryptology, and spends $11 billion a year making and breaking codes.

On the other side of that effort are people like Kobeissi and a few dozen experts and researchers who comprise a community of coders trying to build open-source, open-access technology to protect private communications. Kobeissi admitted that they are outmatched by the NSA.

Mike Janke, the CEO and co-founder of the encrypted communications firm Silent Circle, said the new revelations show that the NSA has been successful at cracking "lower-level, low-hanging fruit" encryption like virtual private networks and Secure Socket Layer, two ubiquitous technologies. Janke said that stronger encryption systems, like the one his company uses, are still safe.

But this doesn't mean that stronger encryption can foil the NSA, Janke cautioned. The agency "has moved more to compromising platforms and hardware, instead of trying to break more sophisticated encryption schemes," he said. "That is why it is so important that we inform people that their platforms are the weakest link."

Documents previously released by Snowden show that the NSA has the authority to keep all the encrypted messages it collects for five years, until the agency can determine if the sender was an American citizen (and therefore afforded greater privacy protection under law), and until analysts can figure out whether the content of the message has any intelligence value.

The NSA has had to build a huge new facility in the Utah desert to store all the information it is collecting. What this latest revelation shows is a comparably massive effort to decrypt what's coming into the NSA's systems.

Intelligence officials asked the Times and ProPublica, which also received the documents, not to publish their stores because it could alert foreign governments to switch to new forms of encryption that are harder to collect and read, the Times reported.

This shows that while the NSA may have the upper hand in terms of money and manpower, the encryption battle is not entirely one-sided. Developers can always make stronger codes and more secure systems -- and they will.

"It is a constant race," Janke said. "Always improve the crypto and implementation of it to stay ahead of their billions of dollars of resources."