Monthly Archives: September 2013

Compromised Trust

I remember back in the 90’s and early 2000’s when people all over the world were asking themselves if it was “safe” to put their credit card number on this internet thing. A few years later, this fear was forgotten. Now it has returned, as people are understanding how the fundamental technologies and most trusted names of the internet have been compromised for the sake of unlimited surveillance.

Last week’s Guardian disclosure that the NSA has broken internet encryption should not come as a surprise. We have a few academic experts like Bruce Schneier who speak publicly about these issues. In contrast, the NSA has budgets and personnel that outstrip anything in the public cryptography space. According to Schneier:

“It’s very probable that the NSA has newer techniques that remain undiscovered in academia.”

In spite of this, Schneier and others are advocating that people rely on encryption to stay ahead of this pervasive spying. I would say that is next to worthless, except in the short run. The NSA documents on the “Bullrun” program suggest they had a major breakthrough around 2010:

“Cryptanalytic capabilities are now coming on line. Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.”

There have been a few cryptographic standards in use on the internet – DES, MD5, AES. But basically, people use AES for internet security, and it was widely adopted after the US government (the NSA, of course) recommended it for securing top secret government information. Just looking at the timeline, it is very likely that AES has been compromised by either brute force or new mathematical algorithms that render most people’s assumptions about how hard it is to crack meaningless. Even the Wikipedia article on AES refers to several attacks that have been public for years. It is highly likely that the NSA is far ahead of the public on this.

That still doesn’t mean that breaking into encrypted data is going to be computationally easy. It still might be an easier, more scalable route to compromise Certificate Authorities, put backdoors into hardware and basic operating systems – anything to grab the data before it is encrypted. Regardless of whether or not the NSA has broken AES, these other techniques may be easier.

So who can you trust? Open source is the best bet. If it’s open source, then everybody gets to look at it. Programmers all over the world can independently evaluate the source code, and presumably discover any backdoors or built-in compromises to security. But unfortunately, the problem goes deeper – you can’t really trust your hardware either. This post by Steve Blank discusses how the NSA has likely compromised Intel hardware.

If the basic hardware that we all use is compromised, it would be easy to insert a keylogger at a level that is not detectable to the operating system, and send it out under the guise of the computer communicating with a server in the process of updating the CPU microcode. I’m sure there are diligent engineers clocking hours on Wireshark right now trying to determine if and when suspicious information is leaving the computer.

We’ll get to the bottom of this. But it needs to happen now. It’s very important to understand that whatever the motives of the NSA and the current administration, these can change. Also, other intelligence agencies around the world can’t be far behind. What happens when governments with less noble intentions have this same kind of capability? We will need both legal and technological solutions on a global scale.

Our basic trust has been compromised, and it would be a sad thing, and an economic catastrophe, if we were to go back to the days where people feel they can’t trust this internet thing with their credit card information.


Collaboration

A few days ago, the Guardian interviewed former NSA chief Bobby Inman. I’ve always thought Inman was a sharp guy. I remember listening to tapes of Inman that I got from the Commonwealth Club back in the 1980s. I still recall his prediction that the “pace of change” would become a more and more significant factor in intelligence and technology. At the time I thought it was profound, and I think it still rings true today.

In his interview with the Guardian, Inman urged that people interested in revisiting laws on government surveillance should also look at private industry. According to Inman we need to:

“look at privacy issues in the private sector, not just the government. I personally find it offensive that it’s fine for X corporation to have everything on you but not the government to know. That’s a basic don’t-trust-your-government argument, which I think erodes democracy.”

This is an interesting statement.

First, it ignores the important fact that it is the government that has a monopoly on the legal use of force. The reason why people should put government surveillance in a different category than private corporate surveillance is that the government has different goals than private corporations. Private corporations exist to make a profit; governments have a variety of agendas, including launching wars, suppressing internal dissent, putting people in prison, etc. This was the reason the Fourth Amendment applies to government, not private corporations. I think Inman is intelligent enough to know he is being very misleading here and turning the traditional notion of “democracy” on its head.

Second, there is today’s disclosure by the New York Times that, in a project called Hemisphere, the DEA pays AT&T to retain all call records forever and share them with the government. This shows that the limits established on government snooping by the Fourth Amendment are clearly violated and undermined by this government-corporate partnership. Do prohibitions on government searches and snooping have any meaning if they are enabled and executed in secret partnership with private companies? If private companies keep vast databases of private data on American citizens, and the government accesses that in secret, where does the government end and the “private” corporation begin? Obviously, this collaboration is set up in a way to avoid both public scrutiny and constitutional restrictions. I suspect we’ll see more and more of this come out – where the government faces legal restrictions against certain actions, they just get a private company to do it for them, and then collaborate in secret.

I think Inman is right. If we only look at the activities of the government, we miss what its important partners might also be up to. There is a collusion of interests here – government and private companies collaborating to keep tabs on all citizens at all times.

We used to call this fascism; now we just sigh and hope it produces some well-paying jobs.