On the rational left, Edward Snowden is close to losing the support of Kevin Drum because the most recent revelation—that the government
has all sorts of ways and means to break ordinary encryption—alerted the bad
guys to start being more careful with their crypto.
And if you’ve lost Kevin Drum, there’s little left on the
left but China Matters and the rest of the fringe!
But…
Earlier today, in a post about the latest Edward Snowden
leak, I wrote that "I'm a lot less certain that this one should have seen
the light of day." After some further thought and conversation, I'm now a
lot less certain I should have said that.
Here's the problem. The Guardian
and New York Times
stories basically revealed two things:
- The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they're covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA's handiwork. There's no way the NSA can guarantee that other groups won't learn the weaknesses it's introduced (indeed, it's already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I'd very much like Congress to put a stop to it.
- In addition, the NSA has been working to to improve its decryption capabilities in ways that don't degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA's success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA's ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.
As a practical matter, I’m not convinced that Snowden
crossed the line.
The US interest in reading encrypted messages is well-known, as are its efforts to crack crypto.
The government has a publicly announced obsession with
cracking crypto, which includes all sorts of projects to leverage the
capabilities of networked computers, better software, and various cheats to
brute force current weak cryptography.
US efforts to diddle with crypto, for instance by corrupting
the open source algorithm used to generate random numbers for the keys to make
encryption easier to crack, had already been reported.
If and when we get a quantum computer, it will be because
the US government will spend a gazillion dollars developing the technology as
the magic bullet for cracking 256 bit strong crypto.
Absent quantum computing, the government’s priority is to
universalize chickenshit crypto—the kind of crypto that is breakable with a
variety of tricks. Industry is
government’s willing handmaiden in this matter, as Glenn Greenwald’s piece in
the Guardian reveals:
The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.
It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".
Certainly, with B2B and consumer cloud computing via
encrypted links on top of every tech company’s wet dream agenda, nobody wants
to get tarred with the decryption brush, as a related British GCHQ guideline
conveys:
A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships".
"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," intelligence workers were told.
Excuse me, please step aside as Google—a key member of
President Obama’s brain trust, supplier of Andrew McLaughlin to serve as the
White House’s Deputy Chief Technology Officer, and the people who 1) bought
Keyhole global imaging technology from the CIA 2) renamed it Google Maps and
2) sells the data back to the US government—runs squealing to the front of the
line to announce its existential commitment to customer security and privacy:
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
Thank you, Google.
Let us continue.
More to the point, when somebody’s communications are
targeted by the government, there are other tools available—like putting a
keylogger on the computer—to find out what’s getting typed.
Add to that my personal suspicion that, if you encrypt your
e-mail, you attract the special attention of the government on general
principles and the investigatory gears start grinding, whether or not your encryption
is broken.
So I would say if you are tippy-tappying at your computer
with the expectation that encryption is keeping your communications—and you--
perfectly safe, you haven’t been paying attention.
So Edward Snowden’s most recent revelation serves only to
give clues to the clueless.
What interested me is how quickly the “Internet freedom to
connect” theme was submerged by the “national security” narrative.
Even though it is open to question who’s doing a sloppy job
with the nation’s secrets: according to the Guardian, Edward Snowden was one of
…850,000…individuals with top security clearance and he got a gander at this
secret info.
850,000.
Just in the United States.
It could also have been argued that Snowden did dissidents
and activists a public service by alerting them that encrypted communications
may not be secure.
As Kevin Drum pointed out, “bad guys” might be able to
exploit the backdoors the government is slotting into systems in order to read
encrypted communications.
As for the free world’s ability to manage and control these
tools, does anybody remember the Google furor over hacked Chinese dissident
e-mail accounts (which, as you undoubtedly recall, was the justification for
Sergei Brin’s retreat in high dudgeon from the Chinese search engine market)? I do:
Bruce Schneier, a well-known US
cyber security expert, made waves in the IT community with an op-ed on CNN on
January 23 asserting that the e-mail hacker had obtained the e-mail information
by accessing Google's own internal intercept system - a program designed to
enable Google to collect user information in response to US government demands.
If this is the case, the e-mail
hack is more of an embarrassment for Google than anything else: an indication
that Google had not only created the application to enable governments to spy
on e-mail accounts, it had done such a poor job of protecting it that it could
be hijacked by malicious parties.
If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.
If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.
This passage—from January 2010!—should evoke feelings of
intense nostalgia for those halcyon days—of August 2013—when Snowden’s first
revelations were pooh-poohed as “it’s just metadata”, just the “address on the
outside of the envelope” a.k.a. no big deal.
Now it’s the whole fricking encrypted enchilada.
Therefore, ineluctably, the framing slides from “It’s no big
deal, don’t pay attention” to “It’s a big frickin’ deal, it must be suppressed.”
But the idea that Chinese dissidents might be grateful for
the heads up that encryption might not be secure (and, in fact, the FBI has
infiltrated and subverted the
precious TOR network for anonymizing communications), and be more careful as a
result hasn’t gained any traction yet.
And how about the security of VPNs?
Documents show that [UK GCHQ’s] Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.
While we’re at it, given Snowden’s *ahem* impressive
knowledge of the NSA’s decryption capabilities, would anybody care to walk back
those “narcissistic naif who unwittingly had his hard drives drained by Russian
and Chinese intelligence” memes that were spread in the early Snowden-bashing
days?
I'm using Kaspersky security for a couple of years now, and I would recommend this solution to everyone.
ReplyDelete