A larger research budget than the entire open cryptographic community? Maybe. But it's not just about budget. A lot of the smartest cryptographers don't work for the NSA anymore, because they like to publish their research, and/or because industry pays better.
If you haven't broken the algorithm, a "larger hardware budget" really isn't helpful at all. Key sizes are big enough that the laws of physics prevent you from brute-forcing them. From Bruce Schneier: "If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter." http://www.schneier.com/blog/archives/2009/09/the_doghouse_c...
If they've made a huge breakthrough on quantum computers, they could break the popular public-key algorithms, but could only halve the effective key size of symmetric algorithms.
> Key sizes are big enough that the laws of physics prevent you from brute-forcing them
A lot of it still boils down to password guessing. The limitation is in the user's choice of password, not the laws of physics.
Given the techniques listed here http://arstechnica.com/security/2013/05/how-crackers-make-mi... (e.g. generating password guesses with Markov chains) suprisingly long and un-obvious passwords are found without brute-forcing the whole space. In other words, you have to pay attention to a whole lot of lateral things to actually be secure. The mathematical properties of the key-space don't matter if your OS has been backdoored and a keystroke logger installed.
That's only true if you have a copy of the user's encrypted private key. You've got that if you've confiscated his hard drive, but it doesn't go over the wire. The key itself is random.
A keylogger bypasses the whole thing but so far nobody's accusing the NSA of hacking lots of domestic computers, and that would definitely do away with the excuse that "we didn't know he was in the U.S."
> That's only true if you have a copy of the user's encrypted private key. it doesn't go over the wire.
I know several people who have put all of their (strong) website passwords in a 1password/keepass/truecrypt file covered by a password that they can remember and type; and then put that on dropbox. Over the wire. I am assuming that this is compromised now.
> nobody's accusing the NSA of hacking lots of domestic computers
I am sitting in front of a domestic computer that is not in the US. The line about "but only for non-americans" is no reassurance whatsoever to the world.
I was familiar with both those stories, and neither is about the NSA hacking into domestic computers (by which I mean, computers in the USA, which is "domestic" for the NSA). Voluntary cooperation by firms is not the same as the NSA surreptitiously installing keyloggers.
And yet you were arguing a few comments up that the keyspace that 1password etc use was too large to ever crack. But you have to remember some master password. Your crypto is only as strong as the weakest part.
> domestic computers (by which I mean, computers in the USA)
I'm sorry, I thought that you meant "computers in people's houses". In the USA or not, I could not care less.
> Voluntary cooperation by firms is not the same as the NSA surreptitiously installing keyloggers
The keyloggers is a logical endpoint of what they would do with the 0-day exploits mentioned in the two articles. Not directly related to the "cooperation by firms"
If you haven't broken the algorithm, a "larger hardware budget" really isn't helpful at all. Key sizes are big enough that the laws of physics prevent you from brute-forcing them. From Bruce Schneier: "If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter." http://www.schneier.com/blog/archives/2009/09/the_doghouse_c...
If they've made a huge breakthrough on quantum computers, they could break the popular public-key algorithms, but could only halve the effective key size of symmetric algorithms.