Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry
from the this-is-just-a-thought-experiment,-right?-right??? dept
As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.
Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are "going dark," and that Silicon Valley is foolishly aiding terrorism thanks to its "obsession" with privacy etc. etc. Against that background, it's easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.
But suppose all this is just for show -- not so much security theater, but as privacy theater to divert our attention from what is really happening. That's one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):
In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.
NSA's fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the "ABBA" program handles the following situation:
Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive
The novel solution is for the NSA to exploit "raw capitalism," and to "throw money at the problem" by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its "friends" in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.
The "QUEEN" program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:
FUD
A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the "BOYS" program, whose "crown jewel" is OpenSSL. The impact of the "Heartbleed" vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That's just one indication that Kamp's witty re-imagining of recent computer history is not so far-fetched.
Play GPL vs BSD card
"Bikeshed" discussions
Soak mental bandwidth with bogus crypto proposals
Even assuming -- hoping -- that Kamp's talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA -- or other well-funded agencies -- to subvert today's computing industry in perfectly legal ways, it provides an important warning about what's wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won't be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Privacy & Security on the Golden Frog Blog:
VyprVPN from Golden Frog is the world's fastest highly-secure VPN.
Get 25% off VyprVPN now »
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: nsa, sponsored post
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
Why? Well, if you've compromised OpenSSL you pretty much have open access to all encrypted communications on the Web and in email. Almost everything that does SSL/TLS uses the OpenSSL library for it, and you know exactly what weakness was introduced and how to attack it.
See also Reflections on Trusting Trust, Ken Thompson, 1984.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Then again…
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
The biggest actual thing that Snowden revealed was simply this:
What the NSA is already doing is far worse than what I imagined they were doing.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
interesting sponsor
[ link to this | view in chronology ]
Re: interesting sponsor
Thanks for the heads up.
[ link to this | view in chronology ]
http://www.techpowerup.com/209925/nsa-hides-spying-backdoors-into-hard-drive-firmware
The fiasco over the NSA's involvement over the random number generator for encryption standards.
http://www.bbc.co.uk/news/technology-24048343
The NSA has been throwing money at this for a long time before the public even began to get a clue. The idea that Snowden revealed that the NSA was intercepting hardware in shipment to install backdoor hardware shows they have been at it long enough to be able to do this on an as needed basis. You'd be a fool to think it was only Cisco hardware when it was setup this way with an installment lab to do the work.
Common sense tells you it is much more wide spread than what you are hearing about.
[ link to this | view in chronology ]
Rather than "sponsored post" perhaps you can just say "spam".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Compromise is built right into to your microprocessor by NSA
See Intel Active Management Technology.
https://fsf.org/blogs/community/active-management-technology
AMD has a counterpart.
In a nutshell, the processor won't start (AMD) or will only run for 30 minutes (Intel) unless the 'active management' engine says everything is okay. That engine of invasion is a separate computer subsystem within the CPU that must be running an encrypted binary blob in order for 'everything to be okay'. To add injury to injury, the micoprocessor, under control of that engine, has direct hardware access to everything. The disk. The network.
So would Intel be a FON? (FON is an acronym from the slide deck.)
So do you think PCs are totally and completely compromised enough yet?
Paranoid yet?
Is this far, far worse than compromising the C compiler to secretly embed back doors into other programs as it compiles them?
And it's all right out there in the open. Under our noses. Right in front of God and everyone.
[ link to this | view in chronology ]
Re: Compromise is built right into to your microprocessor by NSA
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Even more likely
[ link to this | view in chronology ]
Re: Even more likely
So keep an eye on Russia, China, India, Japan, Israel and France everyone :)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Bond, James Bond
[ link to this | view in chronology ]
Re: Bond, James Bond
The survivors of atrocities perpetrated by any number of countries - notably Germany and Japan in WWII - might disagree with you. Quite vehemently, in fact.
As far as I can see, the only time the world's most vile monsters have trouble finding supporters and enablers is when they are clearly losing.
The rest of the time, there's no shortage of people willing to line up and swear that this or that atrocity is in everyone's best interests... and, equally, no shortage of people willing to pick up guns and machetes - or strap on bombs - and prove to the world just how much they love and believe in their favourite monsters.
For all their crimes - and they are crimes, I've no doubt of that - groups like the NSA and GCHQ are a long way from being the world's most evil organisations: they should have few difficulties in finding staff willing to commit exactly these kinds of crime and keep their mouths shut.
If the organisation uses a bit of sense and compartmentalises itself so that only a few can see the bigger picture, it becomes even easier.
The fact that Snowden and the other whistleblowers constitute less than 0.1% of those people who all had the same knowledge of criminal behaviour would seem to prove the point: this can be done, it has been done, it is being done.
Nobody wants to called a traitor. Nobody wants go to jail forever. Nobody wants to disappear and later turn up dead, assuming a recognisable body-part ever turns up at all.
[I'm waving and smiling to GCHQ, here. :D]
In fiction, as in the most paranoid, delusional fantasy, as in reality, the rules are all the same.
When your employer has the power to make you and your entire family vanish without a trace, or disappear into the justice system with allegations of terrorism or child abuse or some other damn thing, you keep your mouth shut.
Snowden is the rarest of exceptions.
The rest of us are exactly robots.
[ link to this | view in chronology ]
Case in Point: TrueCrypt
Just lean a little on potential funders, job done!
[ link to this | view in chronology ]
Re: Case in Point: TrueCrypt
Obviously they were given the choice of 'hey there, we know it's YOU that's working on this too-popular-and-definitely-too-easy-to-use encryption program for the last x years... Stop that, or else one of the following skeletons will come out of your closet...'
[ link to this | view in chronology ]
Re: Case in Point: TrueCrypt
"Loss" is an interesting word here. http://www.cryptogon.com/?p=48528 He was a brilliant programmer and a vicious cartel boss, who became a prized U.S. government asset.
[ link to this | view in chronology ]
They Lie about their service..
[ link to this | view in chronology ]
Selling out cheap...
[ link to this | view in chronology ]
Sponsored by Golden Frog
Seriously, I'll never understand why anybody thinks anything digital is in any way safe for anyone, at this point.
Golden Frog - and all it's competitors - are worth exactly nothing to anyone with more than basic media piracy in mind.
Based purely on what's in open view, via Snowden, et al:
• they're hoovering everything from every network;
• they've hacked the living shit out of every bit of kit in existence, either selectively or generally;
• they're free and clear to malware themselves direct access into every piece of equipment tangentially related to basically anyone they like, based on absolutely nothing at all;
• they're institutionally-built to have absolutely no regard for any kind of human rights - and especially not for privacy.
In the face of all that, how can any sane person imagine that there are any digital safe spaces anywhere? I take it as a given that all available VPN networks have probably been compromised by agencies for multiple governments.
I remember a time when such thinking was the recourse of the rampant paranoiac. Today, I consider it nothing more than standard operating procedure.
If you have real secrets to keep, then every phone and computer, every bit of equipment with a microphone or a camera, every last games console and smart TV: these things are The Enemy.
Only a fool thinks otherwise.
[ link to this | view in chronology ]
Re: Sponsored by Golden Frog
[ link to this | view in chronology ]
All the NSA really need do is be venture capitalists
This is basically what any of these Silicon Valley companies do (including Apple with iCloud), and because of the profit they get from their "advertising" encourages them to lol us with ineffective "security" to "protect our privacy" that hardly addresses the point.
And it's not as if the FOSS community have been all that effective in fighting the faulty client-server architecture that's been so favorable to the NSA. So maybe they do have spies there.
[ link to this | view in chronology ]
Re: All the NSA really need do is be venture capitalists
[ link to this | view in chronology ]
NO.
[ link to this | view in chronology ]