
I appreciate the explanation from schoen, I can grasp the argument more clearly.

I do believe that is an aggressive reading of the paragraph, out of its context, and that "malpractice" is unfair.

The paragraph you quoted is followed, after just a single intervening paragraph, by this, which I would argue speaks explicitly and accurately to your point:

---

A very important question remains: What exactly could WindsorBlue, and then WindsorGreen, crack? Are modern privacy mainstays like PGP, used to encrypt email, or the ciphers behind encrypted chat apps like Signal under threat? The experts who spoke to The Intercept don’t think there’s any reason to assume the worst.

“As long as you use long keys and recent-generation hashes, you should be OK,” said Huang. “Even if [WindsorGreen] gave a 100x advantage in cracking strength, it’s a pittance compared to the additional strength conferred by going from say, 1024-bit RSA to 4096-bit RSA or going from SHA-1 to SHA-256.”

Translation: Older encryption methods based on shorter strings of numbers, which are easier to factor, would be more vulnerable, but anyone using the strongest contemporary encryption software (which uses much longer numbers) should still be safe and confident in their privacy.

---

If someone read a sentence saying encryption users are unlucky that the U.S. government is buying supercomputers to crack encryption, which used RSA as an example of something the government wanted to crack, and concluded that this means RSA is broken, they would be cleared of this misreading within a few paragraphs, no?

We are diligent in our reporting, research, editing, and fact checking; this piece involved no small number of staffers doing all of those things and more. A term like "malpractice" we take seriously, but it seems to have been tossed off a bit casually here.



"Don't think there's any reason to assume the worst"? We know there's no reason to assume the worst, or really even suspect it. RSA-4096? The 2048-bit moduli which are the industry standard today are hopelessly out of reach of conventional computers; your story implicitly makes a case that people might be at risk for using them. The difference between 2048 and 4096 is a lot of computing power for defenders.

There are other quotes in the article that are also presented without enough context to avoid misleading. For instance, you can see speculation in this thread about the utility of this system for breaking "signatures" on updates --- but again, that's only possible if the systems in question are already using weak cryptography.

I stand by my criticism of the article. The paragraph I quoted was poorly constructed, and I think the narrative subtext of the whole piece is "worry that the USG is going to subvert all mainstream cryptography". That narrative is extraordinarily harmful. As someone who has done some recent pro-bono training for at-risk people, it's hard enough to get people to adopt best practices without having to beat back concerns that all the effort is for naught.

I further agree with everyone else here who has pointed out that without the documents, or at least far more of them, or far more comments from experts than are present in the article, this story isn't providing much value. It's not exactly a secret that the USG IC invests heavily in compute for these purposes. What have we really learned here?


Again, the article states very clearly and explicitly that WindsorGreen should not impact people using strong crypto.

You criticize a reference to RSA-4096 as implying RSA-2048 is weak. That reference was made in a quote by bunnie huang, a security researcher, who, like us, was using it to illustrate a broader point, with no insinuation that 2048 is weak. The quote was surrounded by higher level paragraphs from us saying, again, that contemporary crypto should be safe from WindsorGreen.

If we were advancing that narrative — that crypto is useless or will soon be rendered useless — I can see why you'd be concerned. But you have to blow past explicit, lengthy blocks of text saying the opposite of that, and ignore them, to come to that conclusion.

(I'm also not sure why we'd promote that narrative when we ourselves put a lot of effort into crypto education, here's just from Micah Lee and the video team that works with him, only a portion of what I'm talking about: https://theintercept.com/staff/micah-lee/ )


I like Bunnie Huang as much as anyone here. Your publication chose to quote him in a manner suggesting that people should be adopting RSA-4096 because of NSA supercomputers. I think it's fair to criticize you for doing that.

I'm not sure why I'm meant to care about the work you've done to educate people about cryptography, or how that's germane to the discussion. I assume The Intercept is broadly supportive of cryptography. That doesn't mean you can't write a bad story about it, or even that your incentives will tend to keep you from doing that --- those incentives, after all, are mostly about growing a readership, just like any other publication.


It's eerie to read this thread - I know little about crypto; after reading the article, I thought the NSA was clearly planning to break all HTTPS traffic. It's unimpressive to watch whoever you are (author? Publisher? Someone who repeatedly implies they have a connection to The Intercept but doesn't explicate it?) be argumentative with, frankly, poor excuses whenever someone points out it's possible for someone to misread the article exactly the way I misread it.



