Forgot your password?
typodupeerror
United States Communications Government Privacy The Internet

Brazil Announces Secure Email To Counter US Spying 165

Posted by samzenpus
from the keep-your-eyes-on-your-own-paper dept.
Hugh Pickens DOT Com writes "Phys Org reports that Brazilian President Dilma Rousseff has announced her government is creating a secure email system to try and shield official communications from spying by the United States and other countries. 'We need more security on our messages to prevent possible espionage,' Rousseff said on Twitter, ordering the Federal Data Processing Service, or SERPRO, to implement a safe email system throughout the federal government. The move came after Rousseff publicly condemned spying against Brazilian government agencies attributed to the United States and Canada. 'This is the first step toward extending the privacy and inviolability of official posts,' Rousseff said. After bringing her complaints against U.S. intelligence agencies to the United Nations General Assembly last month and canceling a state visit to Washington, Rousseff announced that the country will host an international conference on Internet governance in April."
This discussion has been archived. No new comments can be posted.

Brazil Announces Secure Email To Counter US Spying

Comments Filter:
  • by Anonymous Coward on Monday October 14, 2013 @10:12AM (#45121809)

    Not me, no matter which government it is.

    • Especially not a federal government that uses Twitter to plan "secure e-mail"

      • Don't knock them: this is probably a PR stunt to keep pressure on the US to drop the spying, keep it in the news.

        I don't know if that's the most effective way Brazil could do such a thing. Threatening sanctions on the US for what seems like an act of war might be biting off more than Brazil could chew. Although with the economic apocalypse scheduled to happen on Thursday, maybe now would be a GREAT time to cut ties with the US.

        Anyway, maybe don't criticize, because I think she's on our side against
        • Re: (Score:3, Informative)

          by Anonymous Coward

          You're right it's a PR stunt, but it's not aimed at the US. The Brazilian Government is not so stupid as to think that it's even possible to create an email system that is secure from NSA spying; no networked system is 100% secure and certainly not from the NSA, who's budget is probably 10X SERPROs. Even if they did, they wouldn't coomunicate it through Twitter, they'd do it through their official channels through their embassy in DC or to our embassy in Rio.

          This was released on Twitter, though, which mea

          • by Anonymous Coward

            You are right at the spot on PR stunt target:upcoming elections, next year. And not to all Brazilian voters, but more specifically to her own party audience.
            But I disagree with " they're eclipsed by the US's superior position as the dominant power on the entire Western Hemisphere" being a reason for popularity crumbling. US dominance was always a established fact, but the current political party in Brazil holding the government, which has always being a critic of US, tried for the past 10 years to establish

    • by rvw (755107)

      Not me, no matter which government it is.

      Who want email hosted by the Federal Government? Maybe the government itself?!

      • by wagnerrp (1305589)
        Are you suggesting the federal government for a country as large as Brazil doesn't already have their own email servers?
        • Not ones that are secure enough that another federal government can't break into.

          Or did you miss the point of them doing this?

    • by gmuslera (3436) on Monday October 14, 2013 @10:23AM (#45121929) Homepage Journal

      The same federal government? And at least tries to provide an alternative to the email controlled by the US federal government (i.e. all the ones of companies that are US based or have their servers there).

      At least for braziians, is the lesser evil, else they will be empowerign the federal government [wikipedia.org] behind overthrowing democratically elected governments all around the world since last century, including the brazilian one [wikipedia.org], of course.

      • The same federal government? And at least tries to provide an alternative to the email controlled by the US federal government (i.e. all the ones of companies that are US based or have their servers there).

        At least for braziians, is the lesser evil, else they will be empowerign the federal government [wikipedia.org] behind overthrowing democratically elected governments all around the world since last century, including the brazilian one [wikipedia.org], of course.

        You were moderated Troll, but you are correct. Come on mods.

        • Being correct and being a troll exist on separate, unrelated axes.
        • by jc42 (318812)

          gmuslera wrote:

          At least for braziians, is the lesser evil, else they will be empowerign the federal government behind overthrowing democratically elected governments all around the world since last century, including the brazilian one, of course.

          You were moderated Troll, but you are correct. Come on mods.

          Note that gmuslera was modded an "insightful, informative troll". I've been trying for such a moderations for years and never succeeded. I've gotten "insightful troll" and "informative troll", yes, but I've never got all three for a single post.

          So I think gmuslera should be roundly congratulated on this achievement. ;-)

          (And I also think he made a good point. Anyone in Latin America who trusts any American government agency is a fool, and quite ignorant of history. Either that, or they're on the tak

    • by Anonymous Coward

      Which part of "to try and shield official communications from spying" you haven't understood?

    • by the_B0fh (208483) on Monday October 14, 2013 @11:45AM (#45122921) Homepage

      You may want to re-read it again. She wants to create a secure email system *FOR THE GOVERNMENT AGENCIES* not for home users.

      They have to use it, by law, once it is set up.

      • If they are using Yahoo and Google for government email, they have a bigger problem than just the NSA spying on them.

        • by the_B0fh (208483)

          You have been living under a rock for the past few months? Are you unaware of the fact that NSA is reportedly reading other govt's email, and I'm not talking about yahoo/google email?

          • First the NSA intecepting SIGINT isn't a suprise, it's on their web-site as half of what they do, go there and read their mission statement. The only surprise is that they are able to do it as well as they are doing it.
            Secondly having a secure email system is a seperate issue from having your Emails intercepted; in fact if you don't automatically assume that everything you say or do is being observed and intercepted by the "bad-guys(tm)" your unlikely to do what it takes to maintain a secure system.

            It's nat

    • If you work for the government, you must use the email system your employer provides.

      shield official communications

  • by seven of five (578993) on Monday October 14, 2013 @10:15AM (#45121841) Homepage
    Unless they can invent their own crypto hardware and software from scratch guaranteed to have no backdoors, I am skeptical about the prospects for success.
    • Re: (Score:3, Insightful)

      by jbolden (176878)

      Algorithms for crypto are well known the math is public and not very complex. Brazil does have programmers and number theorists. Why can't they do this?

      • by wiggles (30088) on Monday October 14, 2013 @10:27AM (#45122003)

        Depends on whether or not you believe the NSA has proven P=nP

        • by jbolden (176878)

          :-) Exactly. The NSA ain't magic.

        • by Anonymous Coward

          I've got it! n=1

        • by Xest (935314)

          As a semi-related aside, I'm intrigued. Where is the NSA finding all these uber-mathematicians and developers to carry out some of the feats it's supposedly carrying out?

          I've often noticed the mindset of some of the smartest people in society is often at odds with that blind patriotism required to agree with the NSA's goals of total surveillance as a good idea. It's not like this is World War II where the likes of Turing were happy to go breaking cryptography and stuff because they were fighting the Nazis t

      • But you haven't addressed the GP's hardware statement...

        • by jbolden (176878)

          There are two types of hardware:

          a) hardware for key storage, generation... Those are likely quite secure and in any case easy to build
          b) Crypto acceleration hardware. Those are fine as they tend to do sequences.

          That is do something like:
          a) software uses RSA to generate AES key
          b) crypto hardware applies AES key to part of the binary
          c) repeat (a-b) as needed.

          There is not going to be a backdoor because the keys aren't being generated from the hardware.

    • by Nerdfest (867930)

      Since PGP based email encryption will solve their problem quite nicely, their chances of success are pretty much guaranteed. I'm hoping their not trying to come up with something where the government can read everyone's messages though, as that will end poorly.

      • by rvw (755107)

        Since PGP based email encryption will solve their problem quite nicely, their chances of success are pretty much guaranteed. I'm hoping their not trying to come up with something where the government can read everyone's messages though, as that will end poorly.

        As the NSA can do already you mean, as they monitor all traffic at the exchanges? This is for the government, not for the people. Maybe the develop something open source that can be used by others as well, and that doesn't have to be hosted and monitored by the governement.

        • by wagnerrp (1305589)
          If you're using asynchronous encryption like PGP, then it doesn't matter what the hell they're monitoring. They either have to spend enough computing power to break the encryption, or they have to compromise the private key on your computer.
          • Nah, they'll just use one of those encryption breaking machines that matches the key one digit at a time on a big display.

            • Breaking the password hash on Windows NT/9x/2k/XP (Not Vista onwards) actually does work like that. But it's seven characters at a time, not one.

          • Isn't that what they've already admitted to doing?

            Attacking the problems at both ends.

          • But this is an office encryption system. Users are stupid, so they can't keep their own key - they'd forget the passphrase, or not keep a backup copy.

            • There is so much essential functionality missing from key management and encrypted e-mail, that it is in a barely usable state. For the Brazilian government, or any government for that matter, to provide end-to-end email encrytption for their own workers, so much more needs to be done.

              Name me even one mail client or plug-in that can search encrypted messages, the body not just the metadata. Or how about re-keying stored messages? Federal employees often have an obligation to archive communications, bu

    • by Anonymous Coward

      We will just use FLOSS and end-to-end encryption. It will raise the bar considerably.

      The NSA will still have a very easy time to spot-spy on the brazilian government, though, because of Microsoft and Cisco.

      The chinese also have a very easy time doing that, because of ZTE and Huawei.

      • by click2005 (921437) * on Monday October 14, 2013 @11:04AM (#45122403)

        If I was the NSA I'd get anti-virus vendors to add backdoors. Its software that routinely accesses all your files at odd hours of the night.

        • by Anonymous Coward

          Then they should shift toward Linux or one of the BSD's...

        • by AmiMoJo (196126) *

          Actually there is evidence that they are worried about anti-virus software on machines they hack, except presumably for US brands which are basically elaborate trojans. In some of the slides that Snowden leaked they show how their automated attack servers usually back off immediately if anti-virus software is detected on the target PC because they don't want their malware and exploits to be detected and analysed by their targets. Even a clueless MBA who is their for-profit target is likely to notice his AV

        • If I was the NSA, I'd set up a shell and SELL A-V warez

  • by jeffb (2.718) (1189693) on Monday October 14, 2013 @10:16AM (#45121849)

    I'm sure the NSA is happy to see lots of people adopting popular systems that include NSA backdoors (explicit or implicit), and would rather not see lots of new systems that don't natively support NSA access.

    However, I'm also sure that building a system that effectively blocks the NSA is a pretty tall order. You need algorithms that the NSA can't crack, and you need personnel that the NSA (and affiliated agencies) can't suborn.

    I'm sure it'll be quite straightforward to develop a system that seems secure from NSA snooping. Something that provides actual security, rather than empty reassurance? That's a taller order.

    • by Marxist Hacker 42 (638312) * <seebert42@gmail.com> on Monday October 14, 2013 @10:26AM (#45121973) Homepage Journal

      Here's one. Take a list of crypto algorithms not recommended by the NSA (there are hundreds). Create an interface object, that calls underlying overloaded crypto algorithms at random, with a secret signature that only the library knows for which crypto algorithm was used. On decrypt, check the signature, and decrypt using the correct algorithm. Regularly seed honeypot false information messages through the system, and if any honeypot is acted upon by an outside agency, remove that encryption scheme from the DLL, re-randomize the crypto list, and release a new DLL to all authorized systems- can use the opportunity to add new routines in as well.

      • by swillden (191260) <shawn-ds@willden.org> on Monday October 14, 2013 @11:03AM (#45122387) Homepage Journal

        with a secret signature that only the library knows for which crypto algorithm was used

        Heh. Typical amateur security protocol design... can't even make it to the end of the second sentence of the description without handwaving some security through obscurity.

        More importantly, your proposal addresses the part of the problem that isn't a problem -- the ciphers -- and ignores all of the rest, which is where the cracks show up: key management, protocol design, implementation quality and personnel. Much better to pick a small number of well-respected ciphers and then focus on all of the rest. You're still likely to fail against an adversary like the NSA, assuming they really care to put the effort in to read your mail, but you can make them work for it, and you can limit the amount of data they can get.

      • Here's one. Take a list of crypto algorithms not recommended by the NSA (there are hundreds). Create an interface object, that calls underlying overloaded crypto algorithms at random, with a secret signature that only the library knows for which crypto algorithm was used. On decrypt, check the signature, and decrypt using the correct algorithm. Regularly seed honeypot false information messages through the system, and if any honeypot is acted upon by an outside agency, remove that encryption scheme from the DLL, re-randomize the crypto list, and release a new DLL to all authorized systems- can use the opportunity to add new routines in as well.

        Yeah, you do that. That sounds like the spaz's solution to security. There is no solution that cannot be broken, this one more trivially than most. The only technique that cannot be cracked is to use code words. They can only be guessed, not solved.

      • by cdrudge (68377)

        If your signature specifies what algorithm was used, and your library can read that signature, then so can other libraries. You really haven't made your encryption more secure, you've just obscured it slightly...more like putting a padlock inside of a lockbox with a key.

    • by rvw (755107)

      I'm sure the NSA is happy to see lots of people adopting popular systems that include NSA backdoors (explicit or implicit), and would rather not see lots of new systems that don't natively support NSA access.

      However, I'm also sure that building a system that effectively blocks the NSA is a pretty tall order. You need algorithms that the NSA can't crack, and you need personnel that the NSA (and affiliated agencies) can't suborn.

      I'm sure it'll be quite straightforward to develop a system that seems secure from NSA snooping. Something that provides actual security, rather than empty reassurance? That's a taller order.

      With mandatory PGP you can make quite a good start. Then it depends on the storage systems, how secure they are. Then there is the social hacking, bribing employees, etc.

    • by Kjella (173770)

      So it's a tall order but the NSA doesn't have infinite resources nor infinite clout particularly not outside of US jurisdiction. Infiltrators are always possible but also high-risk endeavors with huge political consequences. You can at least try to make the risk/reward ratio seem unappealing. After all, the current standards were made when strong encryption was neither computationally feasible nor publicly available. The main downside is that people don't want to carry around their encryption keys so I thin

  • The irony (Score:3, Insightful)

    by sl4shd0rk (755837) on Monday October 14, 2013 @10:23AM (#45121931)

    If this trend continues [ibtimes.com] the only people which the NSA will be able to spy on will be Americans. Precisely the populace it said it would not be spying on in the first place.

    • by cpghost (719344)
      They are actually taking this very seriously in Germany. Today, they announced more concrete steps to keep e-mail traffic inside Germany (provided you don't use US-based email providers). Businesses in particular are very concerned about the NSA and GCHQ large-scale spying on their trade secrets. Of course, they should encrypt end-to-end (e.g. PGP), but preventing the big data flows from traversing known NSA/GCHQ taps is already one tiny step in the right direction.
      • by robmv (855035)

        And that is something they should have been done always, not only for security reasons, but optimizations. I am tired, for example, to see that connections from a South America subsidiary of Telefónica, in order to access another network on the same country, jumps to Spain, thne USA, then go back to the source country, awful

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Ultimately they don't really care who they spy on, or even if they spy at all. What they care about is landing a budget worth hundreds of billions of dollars.

      At the top of the power pyramid, it doesn't matter where the money goes. What matters is that it passes through your hands, giving you the chance to leverage that cash flow for personal gain. A person who desires such power over other (supposedly equal) human beings cannot logically be "working for" the same people he tramples on. He works purely in se

  • The US could have helped Brazil by exposing cronyism and kickbacks, which is why they lag economically, much to the puzzlement of Western scientists who point out they are as large as the US in size and population, with even more resources, said scientists deliberately putting on blinders that it's about government and its abuse like a mafia, not resources, that determines the wealth of a civilization.

    • I dislike how folks jump on the Government Bad train automatically...

      Brazil has problems with it's economy. Might it be the crippling poverty? The Favelas? The drug crime perpetuated by American noses? Might it be the LACK of a stable government, as Brazil has gone through periods of autocratic, military, and democratic rule, supposedly aided by the CIA back in that military coup in 60's I might add. Nope nope.... Having the US prop up a bunch of !@#$ers that put in place crony practices just because they

    • by fnj (64210)

      ... as large as the US in size and population, with even more resources

      In some strange alternate universe that might be true. It would be more true to say the size is comparable, the population is 2/3, and the proven resources are largely trivial. Brazil grows vast amounts of sugar cane to process it into a (very poor) substitute for gasoline and diesel fuel for motor vehicles. As it is, Brazil's economy outweighs that of all other latin american countries, and it is a net external creditor. Unemployment is

      • by higuita (129722) on Monday October 14, 2013 @01:07PM (#45123809) Homepage

        right, everybody knowns that all resources you will ever need is oil, gas and coal !!!! let me guess... you are from the USA, right!?!

        and by the way, having less production doesn't mean that they are at the max production, actually mean that they had little investment on the past. Only in the last few years they have invested more in prospecting new reserves and extracting then. For sure there is still many places not even tested that can be full of oil and gas... can you say the same thing on the USA?

  • Probably it will rely a lot on proprietary software/hardware (Brazil manufactures very little in the way of networking/communications equipment, and our government is addicted to proprietary software) with their own backdoors. Besides, our government spies on social movements, unions etc... so they are not innocent at all. Finally: given the deep shit that this government is into, it will likely run over schedule and budget and will eventually be scrapped.
  • Brazil wants to centralize "secure" email, run by the government. How long until the Brazilian government itself decides it wants a back door? I'm betting it will happen before the first end user signs up.

    Any centralized system, once it reaches a critical mass, will become a very attractive target to the spies. Only decentralized systems--where NO ONE has the master key--have half a chance. A PGP-type system could come close, if somebody could figure out how to make it easy enough for non-technical user

    • by foma84 (2079302)
      Since nobody in the thread seems to get it: it's not even in TFA, it's in TFS: the Brazilian Govt wants a secure system for the Brazilian Govt official (ie internal) communications. They probably will, at some point, offer this new system to their citizens (for obvious reasons), but that's not the intended goal, for now.
  • Who thinks the NSA can't breach Brazilian security?

    And what is more... who thinks the Brazilians won't peek into the email of users?

    So what does this actually accomplish? Stupidity.

  • ...that the Brazilian Government will move from hosting its mail on Google to private servers...

    • by cpghost (719344)

      ...that the Brazilian Government will move from hosting its mail on Google to private servers...

      ... and those private servers will be hosted on an Amazon cloud?

  • Brazil keeps forgetting about something I like to call the rest of the world. It's easy to find. Grab and atlas and look at everything that isn't labeled "USA". Give or take your talking about roughly 200 countries that have an interest in spying as it is in the interest of every government to know what is going on with every other government.

    Now figure that your system magically works against the NSA with faerie dust and a good dose of anti-US propaganda. Nevermind the technicalities, just go with it for a

  • First thing the federal email system will do is determine how to snoop on email messages.... hehe

  • ....."Brazil? Where did that come from? And isn't that a place full run down stacked-box neighborhoods?" I dunno.......Brazil just doesn't give me the impression that its the kind of place I'd expect to have really great security as far as technology (or anything really) is concerned.
  • Let's hope that they use PGP or S/MIME and that this motivates other ISPs to roll it out as well. This would hopefully motivate GMail to at least make it compatible in some way. (I mean checking signatures etc)

    • by cpghost (719344)
      GMail is already PGP and S/MIME compatible. Just avoid their webmail interface and use their IMAP server with your own MUA like, e.g. Thunderbird + Enigmail or some PGP-enabled app if you're mobile. Other providers are also PGP and S/MIME compatible, like, e.g. Yandex Mail via IMAP, if you prefer the KGB (or whatever they call themselves today) to the NSA snooping your mails. Same with other free mail providers: most of them offer IMAP/SMTP, and once you've got that, you're green to go with PGP and S/MIME.
  • The first free country that offers secure webmail to the world will quickly become the most beloved country on earth.

    They should charge enough to make it profitable, of course and then let anybody on earth sign up.

    Let's say, for example, that - I don't know - Finland maybe, rolled out a secure webmail system. Unlike a private corporation, what's the US gov't going to do, threaten to invade Finland over too much freedom?

  • Can they read it? Yes, they can. Now that doesn't mean there is always someone out there reading your email. With millions of people on the Internet, our individual messages likely get lost in a crowd. But you've got to realized that once email leaves your system, it may sit on another computer hundreds or thousands of miles away, and you have no control over who has access to it. What if that computer has a liberal security policy, or is full of security holes? The best thing to do is realize that your email is not going to be secure and avoid transmitting sensitive material, as already recommended in Chapter 3. Even if no one reads your email in transit, the recipient could forward the message on to whomever he or she pleases.

    It is possible to physically "tap" networks, just like tapping phone lines. And if someone is able to do that, he can read anything going across those wires. But all hope is not lost: There are ways to make your email more secure. One is to encrypt it before it leaves your computer. Encrypt means simply that it's encoded into something that no one else can read without the proper key. Upon receipt, the message must be decrypted on the the recipient's machine.

    The Internet Companion: A Beginner's Guide to Global Networking, Tracy LaQuey, 1993, p.122.

  • by AlienSexist (686923) on Monday October 14, 2013 @03:08PM (#45125219)
    NSA bribes [google.com] a Brazilian IT worker involved in the Brazilian Federal Secure Email System.
  • How will it be secured? Client-to-client encryption using GPG or similar product? Or just TLS-protected communications for cleartext messages?

    And how do they address NSA ability to compromise clients?

  • All nations and all companies need to think hard about their communication
    strategies.

    Back in the old dot dash days companies had thick code books and
    code protocols.

    Nations like Japan in WWII had serious codes for their navy (Purple)
    and the Germans had Enigma.

    Cracking them was key to the outcome of the war and almost
    exposed the attack on Perl in time to act.

    Any nation needs some control over their communications.

    The troubling bit to many might be the man in the middle attacks
    where web content is rewritten or

When you make your mark in the world, watch out for guys with erasers. -- The Wall Street Journal

Working...