National Insecurity: How The NSA Has Put The Internet And Our Security At Risk
from the epic-failure dept
The NSA and its defenders keep going back to the same argument over and over again in an attempt to justify its actions: that they're being done for the sake of "national security." Basically, they're claiming that if the NSA didn't stomp all over the 4th Amendment, undermine the internet and try to spy on everything possible, we'd all be less safe. As we've pointed out, however, the NSA never seems to do a simple cost-benefit analysis to see if the costs outweigh the benefits. It seems fairly clear they do not: the costs are huge, and the benefits of preventing exceptionally low probability events seem fairly low as well.But, really, the issue is that the NSA's actions aren't actually helping national security, but they're doing the exact opposite. They're making us significantly less safe. Bruce Schneier made this point succinctly in a recent interview:
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.The folks over at EFF have dug into this point in much greater detail as well. Undermining internet security is a really bad idea. While it may make it slightly easier for the NSA to spy on people -- it also makes it much easier for others to attack us. For all this talk of national security, it's making us a lot less secure.
In trying to defend this situation, former NSA boss Michael Hayden recently argued that the NSA, when it comes across security vulnerabilities, makes a judgment call on whether or not it's worth fixing or exploiting itself. He discussed how the NSA thinks about whether or not it's a "NOBUS" (nobody but us) situation, where only the US could exploit the hole:
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch -- it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.Of course, that ignores just how sophisticated and powerful certain other groups and governments are these days. As that article notes, the NSA is known as a major buyer of exploits sold on the market -- but that also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is exploiting those is laughable. If the NSA were truly interested in "national security" it would be helping to close those vulnerabilities, not using them to their own advantage.
This leads to two more troubling issues -- the fact that the "US Cyber Command" is under the control of the NSA is inherently problematic. Basically, the NSA has too much overlap between its offensive and defensive mandates in terms of computer security. Given what we've seen now, it's pretty damn clear that the NSA highly prioritizes offensive efforts to break into computers, rather than defensive efforts to protect Americans' computers.
The second issue is CISPA. The NSA and its defenders pushed CISPA heavily, claiming that it was necessary for "national security" in protecting against attacks. But a key part of CISPA was that it was designed to grant immunity to tech companies from sharing information with... the NSA, which was effectively put in control over "cybersecurity" under CISPA. It seems clear, at this point, that the worst fears about CISPA are almost certainly true. It was never about improving defensive cybersecurity, but a cover story to enable greater offensive efforts by the NSA which, in turn, makes us all a lot less secure.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: insecurity, nsa, nsa surveillance, security, vulnerabilities
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Hayden doesn't understand computing
Four acres of Crays may sound like a lot of computing horsepower, but it's not -- not any more. A botnet with tens of millions of systems has more CPU, memory, disk and bandwidth. Sure, it might be harder to program for the task at hand, but (a) it's free (b) it's scalable and (c) it's fault-tolerant (if properly organized).
Not only that: four acres of Crays might give you the desired answer in a day; the botnet might take a month. So what? Depending on just what the question was, the time difference might not matter. (Doubly so given that we're apparently discussing long-existing exploits.)
[ link to this | view in thread ]
[ link to this | view in thread ]
I've been wondering about these deals to purchase exploits since I first heard about them. Is there some sort of agreement or something that prevents these sellers from reselling the exact same exploit to the "bad guys" after selling it to the NSA?
Isn't it possible that one of the "bad guys" could use an exploit that the NSA is using to exploit the NSA itself?
[ link to this | view in thread ]
Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
September 23, 2013 -- You're right up to date, Mike.
But as usual, you don't actually name any of the co-conspirator corporations. Schneier does: "We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc. We see the NSA in partnerships with all the major telcos in the U.S., and many others around the world, to collect data on the backbone. We see the NSA deliberately subverting cryptography, through secret agreements with vendors, to make security systems less effective. The scope and scale are enormous."
And here's Schneier directly refuting the dolts here who say that you can avoid Google: "Basically, the average user is screwed. You can’t say “Don’t use Google”—that’s a useless piece of advice."
"The Internet has become essential to our lives, and it has been subverted into a gigantic surveillance platform."
Well, I don't agree with "subverted"; it's designed from start for surveillance, from at least 1948! How did you think Big Brother's telescreens were going to work?
As I put that last:
Spying is the main 'business model' of the internet, especially for Google and Facebook.
[ link to this | view in thread ]
Re: Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
[ link to this | view in thread ]
Re: Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
I know that I should probably stop trying to make sense of what you say but, what do you mean with "three current big OSs"?
Android/Linux, iOS and Windows Phone?
MacOSX, Windows and GNU/Linux?
Ubuntu, Debian and Fedora?
...
Emacs?
In any event, GNU/Linux is a safe bet, especially if you stick with Free Software. You'll hate your life, but at least you'll be safe from "teh googles". And the likelihood that the NSA can subvert every possible combination of software, hardware and drivers is...unlikely, to put it mildly.
[ link to this | view in thread ]
Re:
One of the most relentless falsehoods pushed by some segments of the security community is that exploits are NOBUS, to use Hayden's terminology: they're not. They get independently discovered all the time, then kept, bought, sold, traded, shared, hoarded, announced.
[ link to this | view in thread ]
Making any sort of determination as to who else might exploit it comes down to dollars? That's odd. Is that really the only criteria, and does merely having the $ then make it ok to use the exploit? Isn't that part of the argument?
[ link to this | view in thread ]
Did anybody think this through?
Case 1: Let us assume that the NSA can't crack the market and find out exactly WHO is selling a sploit and WHERE they are.
NSA buys sploit. Pays premium "NOBUS" fee.
Question: Just how does NSA enforce the contract if they can't find the seller OR find out whether seller has sold the sploit to world+dog?
Case 2: Let us assume that NSA CAN crack the market.
Question: Can NSA afford to disappear sellers? After all, if people who sell keep disappearing from the market, there will eventually be no market.
Also, if NSA can crack the market, the sellers might be able to as well, in which case, "Don't sell to the NSA" becomes a new mantra.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Did anybody think this through?
That they cannot see more than one move ahead does not make me feel secure at all.
[ link to this | view in thread ]
I'd like to see them...
[ link to this | view in thread ]
Wait, I've heard this story!
But it was intended for good purposes: the music industry was hemorrhaging lots of money because fewer people were buying shiny discs.
Since that turned out so well, our own officials, looking out for our best interests, of course, did the same thing only on a much larger and massive scale. Take that Sony!
1. Start with a moral plan.
2. Do something really evil.
3. Publically yell how moral your goal is.
4. Repeat.
[ link to this | view in thread ]
Re: Hayden doesn't understand computing
[ link to this | view in thread ]
Backdoor
Suppose that NSA somehow added a vulnerability to a system, one that only they can exploit (for instance, exploiting it might need a key only the NSA has).
There is a backdoor here: if only the NSA can exploit the vulnerability, evil hackers can invade the NSA and exploit the vulnerability from there.
This applies to anything which ends up being isomorphic to Clipper-style key escrow. If you add a backdoor to a system that only a single actor can exploit, if that single actor can be invaded it turns into a backdoor that anyone can exploit.
[ link to this | view in thread ]
NSA spies on NSA oversight committees
Because the NSA can see their documents and emails too.
All the government email protected by careful encryption, is actually protected by NSA backdoored encryption.
Dumb.
[ link to this | view in thread ]
it is base on a data base teck that i invented
[ link to this | view in thread ]
Re:
The NSA fucks up Everybody's internet, including mine, in a far away foreign country. Do you think it's acceptable in the name of protecting yourself? If yes, how far can you go in that direction? What measures are considered "too far", and what about other countries doing the same in the name of defending themselves?
If you think you can fuck with a global infrastructure for your own benefit, then you don't deserve a leading role in it's administration.
[ link to this | view in thread ]