Saturday, September 07, 2013

Crypto's Dance

[Alert Reader pointed out the correct name for the Google Maps program as developed by the US government is "Keyhole", not "Keystone".  Herewith corrected.  Thank you, AR.]

On the rational left, Edward Snowden is close to losing the support of Kevin Drum because the most recent revelation—that the government has all sorts of ways and means to break ordinary encryption—alerted the bad guys to start being more careful with their crypto.

And if you’ve lost Kevin Drum, there’s little left on the left but China Matters and the rest of the fringe!


Earlier today, in a post about the latest Edward Snowden leak, I wrote that "I'm a lot less certain that this one should have seen the light of day." After some further thought and conversation, I'm now a lot less certain I should have said that.
Here's the problem. The Guardian and New York Times stories basically revealed two things:
  • The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they're covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA's handiwork. There's no way the NSA can guarantee that other groups won't learn the weaknesses it's introduced (indeed, it's already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I'd very much like Congress to put a stop to it. 
  • In addition, the NSA has been working to improve its decryption capabilities in ways that don't degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA's success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA's ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.
As a practical matter, I’m not convinced that Snowden crossed the line.

The US interest in reading encrypted messages is well-known, as are its efforts to crack crypto.

The government has a publicly announced obsession with cracking crypto, which includes all sorts of projects to leverage the capabilities of networked computers, better software, and various cheats to brute force current weak cryptography.

US efforts to diddle with crypto, for instance by corrupting the open source algorithm used to generate random numbers for the keys to make encryption easier to crack, had already been reported.

If and when we get a quantum computer, it will be because the US government will spend a gazillion dollars developing the technology as the magic bullet for cracking 256-bit strong crypto.

Absent quantum computing, the government’s priority is to universalize chickenshit crypto—the kind of crypto that is breakable with a variety of tricks.  Industry is government’s willing handmaiden in this matter, as Glenn Greenwald’s piece in the Guardian reveals:

The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role. 
It is used by the NSA "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".
A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".

Certainly, with B2B and consumer cloud computing via encrypted links on top of every tech company’s wet dream agenda, nobody wants to get tarred with the decryption brush, as a related British GCHQ guideline conveys:

A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships".

"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," intelligence workers were told.

Excuse me, please step aside as Google—a key member of President Obama’s brain trust, supplier of Andrew McLaughlin to serve as the White House’s Deputy Chief Technology Officer, and the people who 1) bought Keyhole global imaging technology from the CIA, 2) renamed it Google Maps, and 3) sell the data back to the US government—runs squealing to the front of the line to announce its existential commitment to customer security and privacy:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

Thank you, Google.  Let us continue.

More to the point, when somebody’s communications are targeted by the government, there are other tools available—like putting a keylogger on the computer—to find out what’s getting typed.

Add to that my personal suspicion that, if you encrypt your e-mail, you attract the special attention of the government on general principles and the investigatory gears start grinding, whether or not your encryption is broken.

So I would say if you are tippy-tappying at your computer with the expectation that encryption is keeping your communications—and you—perfectly safe, you haven’t been paying attention.

So Edward Snowden’s most recent revelation serves only to give clues to the clueless.

What interested me is how quickly the “Internet freedom to connect” theme was submerged by the “national security” narrative.

Even though it is open to question who’s doing a sloppy job with the nation’s secrets: according to the Guardian, Edward Snowden was one of …850,000…individuals with top security clearance and he got a gander at this secret info.


Just in the United States.

It could also have been argued that Snowden did dissidents and activists a public service by alerting them that encrypted communications may not be secure.

As Kevin Drum pointed out, “bad guys” might be able to exploit the backdoors the government is slotting into systems in order to read encrypted communications.

As for the free world’s ability to manage and control these tools, does anybody remember the Google furor over hacked Chinese dissident e-mail accounts (which, as you undoubtedly recall, was the justification for Sergey Brin’s retreat in high dudgeon from the Chinese search engine market)?  I do:

Bruce Schneier, a well-known US cyber security expert, made waves in the IT community with an op-ed on CNN on January 23 asserting that the e-mail hacker had obtained the e-mail information by accessing Google's own internal intercept system - a program designed to enable Google to collect user information in response to US government demands.
If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.


This passage—from January 2010!—should evoke feelings of intense nostalgia for those halcyon days—of August 2013—when Snowden’s first revelations were pooh-poohed as “it’s just metadata”, just the “address on the outside of the envelope” a.k.a. no big deal.

Now it’s the whole fricking encrypted enchilada.

Therefore, ineluctably, the framing slides from “It’s no big deal, don’t pay attention” to “It’s a big frickin’ deal, it must be suppressed.”

But the idea that Chinese dissidents might be grateful for the heads up that encryption might not be secure (and, in fact, the FBI has infiltrated and subverted the precious TOR network for anonymizing communications), and might be more careful as a result, hasn’t gained any traction yet.

And how about the security of VPNs?

Documents show that [UK GCHQ’s] Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

While we’re at it, given Snowden’s *ahem* impressive knowledge of the NSA’s decryption capabilities, would anybody care to walk back those “narcissistic naif who unwittingly had his hard drives drained by Russian and Chinese intelligence” memes that were spread in the early Snowden-bashing days?
