
Saturday, December 28, 2013

Techie Code of Omerta For Colluding With NSA

With RSA, a big and respected name (actually initials) in cryptography, currently getting flayed in the public press for taking $10 million from the NSA and, in return, embedding a dodgy, NSA-compromised random number generator a.k.a. DUAL EC DRBG in its products (RNGs help generate encryption keys; a compromised RNG yields a limited, more crackable set of keys), a few observations:

First, as will probably be recalled, the compromised character of the NSA RNG was revealed in a previous tranche of the Snowden documents in September, and an embarrassed RSA quickly issued a recommendation that users cease using that particular RNG.

Second, even back in October, there were rumblings about possible financial considerations playing a part in RSA's willingness to include the RNG in its products.  Here's a snip from a piece I wrote at the time:

[On a recent episode of Science Friday] Ira Flatow asked Philip Zimmermann [creator of the PGP public-key e-mail encryption system] why RSA would have done such a thing. There was a long, awkward silence and some awkward laughter before Zimmermann slid into the passive voice/third person zone:
ZIMMERMANN: And yet RSA did a security - did use it as their default random number generator. And they do have competent cryptographers working there. So.

FLATOW: How do you explain that?

ZIMMERMANN: Well, I'm not going to - I think I'd rather not be the one to say.

(LAUGHTER)

FLATOW: But if someone else were to say it, what would they say?

ZIMMERMANN: Well, someone else might say that maybe they were incentivized.

Maybe Mr. Zimmermann had an advance peek at the relevant Snowden documents.  I think it more likely that he had already heard some tittle-tattle in his high tech circles but was not interested in calling down a corporate and legal sh*train upon himself by openly accusing RSA of taking government money (interesting legal question: is it slanderous to allege that a US corporation engaged in a legal transaction with the US government?).

Third, Blame the Suits!  Per the Reuters exposé:

No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe [the product line that was compromised by the RNG], and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

Actually, outside security analyst Bruce Schneier and others had raised serious concerns about DUAL EC DRBG in 2007 in a public forum and, as Zimmermann pointed out, RSA had competent cryptographers in the building.  DUAL EC DRBG was provided as only one option, albeit the default, and security-savvy users would be able to select another, better RNG.  And RSA cryptographers could further console themselves with the awareness that, even if Clueless Enduser kept DUAL EC DRBG as a default, probably the only entity with the message collection and analysis capability to exploit it effectively was America's own NSA.

In other words, it wasn't just RSA Chief Executive and Designated Villain Art Coviello sneaking down into the lab and inserting the lethal code while the techies obliviously shipped the compromised product.

Fourth, I think there is a growing awareness that a significant element of the Snowden story is the collusion between Big Tech and the NSA, fueled by the awareness that both sides want the same thing: a thoroughly backdoored Internet open to individual data profiling and surveillance penetration (and both tolerate the resultant security breaches as a cost of doing business/collateral damage).

I wonder if the story will get any more traction, since there are sizable vested economic, political, and ideological interests extending all the way to the Oval Office that are engaged in perpetuating the image of a benign, democratic/populist information order dedicated to information security.  The constituency interested in seeing Google and the other tech giants share the blame for ruining the Internet--and in the process evaporating a few hundred billion dollars of personal wealth, market cap, and stock options--is, on the other hand, powerless and vanishingly small.

Inside the tech industry, the attitude seems to be one of damage control, i.e. media initiatives to convince the public that the Internet companies care about YOU and hate helping out that nasty old government.   As to the question of whether a corporate Snowden will emerge, the attitude seems to be, as Phil Zimmermann--a genuine and battered hero of the encryption wars in the 1990s--put it: "I think I'd rather not be the one to say."  Maybe the code of omerta lives on in the tech industry.

Fifth, I find it amusing and somewhat irritating that, ever since I wrote about RSA in October, I am bombarded with RSA pop-up ads on my own blog and across the web.  It's the Internet equivalent of a golden retriever that pursues me down the street driven by the irresistible urge to sniff the seat of my trousers.  Make it stop!

Wednesday, October 16, 2013

Ungraceful Degradation

The NSA war on Internet integrity

[This piece appeared at Asia Times Online in a slightly different form on October 15, 2013.  It can be reproduced if China Matters is credited and a link provided.  This article is a companion piece to an article appearing in an upcoming issue of CounterPunch magazine, which discusses the NSA's across-the-board, intensive commitment to overcoming the greatest obstacle to its surveillance activities--and the bulwark of Internet system integrity for commercial and individual users: the access of non-state actors to strong encryption products.  Interested readers can subscribe to CounterPunch Magazine at this link: http://store.counterpunch.org/subscriptions/ ]

The US government has taken a pretty decent open network idea - the Internet - and turned it into a security nightmare.

In one of life's many ironies, the US was forced to degrade the security functions and overall integrity of the Internet because the US Constitution, law, and public and techie opposition combined to impede legal US government surveillance access to communications over the Internet.

Instead of accepting these limits, the US government sought to evade them - by weakening the encryption and security regimes that are at the heart of secure Internet communications for businesses and innocent civilians, as well as for the usual suspects invoked to justify subversion of Internet privacy: terrorists, criminals, and pedophiles.

The role of US IT corporations in crippling the security and privacy functions of the Internet is an awkward and relatively unexplored question.

So far, the most overt naming and shaming has taken place concerning cooperation of the IT bigs in the National Security Agency's PRISM program - which involved controlled, legally colored access to unencrypted materials on corporate servers. Under PRISM, the NSA apparently installed equipment at corporate sites to process government requests for unencrypted user data if it involved people that the NSA was "51%" sure weren't US persons.

Included in the Snowden documents was a slide showing the accession of the US IT heavyweights to the PRISM regime, starting with Microsoft in 2007 and including Yahoo!, Google, Facebook, YouTube, Skype, AOL, and Apple. PRISM looked something like exploitation of the CALEA (Communications Assistance for Law Enforcement Act) mandated backdoors in US telecommunications equipment, albeit with the disturbing realization that these backdoors could be exploited by anonymous NSA analysts without a FISA court order for a week and, when the free week was up, upon resort to the notoriously rubber-stamp FISA court (without the need to show probable cause as is the case when applying to get a warrant to spy on a US citizen).

The Washington Post's Bernard Gellman spoke of NSA efforts to suppress the names of the nine companies named on the PRISM slide:
Speaking at a Cato Institute conference on Wednesday, Gellman said The Washington Post has a practice of talking to the government before running stories that may impact national security. According to Gellman, there were "certain things" in the PRISM slides that they agreed raised legitimate security concerns. But, he said:
The thing that the government most wanted us to remove was the names of the nine companies. The argument, roughly speaking, was that we will lose cooperation from companies if you expose them in this way. And my reply was "that's why we are including them." Not in order to cause a certain result, or to get you to lose your cooperation but if the harm that you are describing consists of reputational or business damage to a company because the public doesn't like what it's doing or you're doing, that's the accountability we are supposed to be promoting.

Gellman believes that it's because the names were released that many of those technology companies started to be vocal advocates of greater transparency about the program. While they "previously had very little incentive to fight for disclosure because it wasn't their information that was being collected and there was no market pressure," he said, these companies "are now, because they are suffering business damage and reputational harm, pushing very hard in public debate and in lawsuits to disclose more about how the collection program works," which current FISA Court orders prohibit them from telling the public about. [1]

The NSA Nine, perhaps alerted to the upcoming PR firestorm, went public with defenses that sought to give a picture of limited, by-the-book, almost grudging cooperation. There was a lot of generous reporting about the struggles of Google, Facebook, Yahoo! et al to buck their NSA gag orders so they could reveal to an eager world how hard they have struggled to protect user privacy. Also, the PRISM revelations were explained and excused in the public media since they involved responses to FISA court warrants with specific, identified targets and, for that matter, were targeting "non-US persons", i.e. non-US citizens residing outside the United States.

What IT professionals found more disturbing than government backdoors into corporate servers, however, were Snowden's revelations of the NSA's war on encryption.

As I describe in an article in the upcoming print edition of Counterpunch, the NSA has aggressively acquired capabilities and resources in pursuit of its goal to crack encrypted e-mail, virtual private networks (VPNs), and mobile device communications.

Possible corporate collusion in the apparent NSA campaign to undermine the integrity of encryption and, for that matter, degrade the systemic security functionality of the Internet has received relatively little attention.

It can be speculated that some US IT corporations may have cooperated with the NSA in weakening security standards, installing backdoors, and botching implementation, perhaps with the idea that these were vulnerabilities that probably only the NSA could exploit.

Some of the most egregious NSA shenanigans have been in the arcane area of fiddling with the random number generators that lie at the heart of encryption. If the randomness is compromised incrementally, cracking becomes easier. And the more networked computers an attacker has, and the more messages are stored for analysis, the more important the reduced randomness of the encryption becomes.
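The point made here and in the December post above (a compromised RNG yields a limited, more crackable set of keys) can be made concrete with a small constructed simulation. This is an added example, not code from the post or from any RSA or NSA product; the 16-bit seed, the derivation and the fleet sizes are assumptions chosen to keep the numbers small.

```python
import hashlib
import random
import secrets
from collections import Counter
from typing import List, Optional

WEAK_SEED_BITS = 16   # assumed: the compromised generator has only 16 bits of real entropy
KEY_BYTES = 32        # a nominal 256-bit symmetric key


def weak_key(seed: int) -> bytes:
    """Key from a generator whose entire output is a function of a small seed.

    Stands in for a compromised RNG: each key looks like 256 random bits, but
    only 2**WEAK_SEED_BITS distinct values can ever come out of it."""
    return hashlib.sha256(b"constructed-weak-rng|" + seed.to_bytes(4, "big")).digest()


def strong_key() -> bytes:
    """Honest generation: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def weak_key_space() -> int:
    """Number of distinct keys the weak generator can produce: 2**16, not 2**256."""
    return len({weak_key(s) for s in range(1 << WEAK_SEED_BITS)})


def recover_weak_seed(key: bytes) -> Optional[int]:
    """How little work the reduced key set leaves: try every possible seed."""
    for s in range(1 << WEAK_SEED_BITS):
        if weak_key(s) == key:
            return s
    return None


def sample_weak_fleet(devices: int, fleet_seed: int) -> List[bytes]:
    """Simulate many devices that each seed the weak generator independently
    (fleet_seed only makes the simulation reproducible)."""
    picker = random.Random(fleet_seed)
    return [weak_key(picker.getrandbits(WEAK_SEED_BITS)) for _ in range(devices)]


def fleet_has_duplicate_keys(keys: List[bytes]) -> bool:
    """Defender's audit: identical keys on independently provisioned devices
    mean the generator's entropy is far below nominal (birthday bound: with
    2**16 possible keys, a few hundred samples already collide)."""
    return any(n > 1 for n in Counter(keys).values())


if __name__ == "__main__":
    print("weak key space:", weak_key_space())
    print("weak fleet duplicates:", fleet_has_duplicate_keys(sample_weak_fleet(2000, 1)))
    print("strong fleet duplicates:", fleet_has_duplicate_keys([strong_key() for _ in range(2000)]))
```

The duplicate-key audit is the same kind of check that has exposed weak generators in the field: keys that should never repeat but do are evidence of a shrunken key space, with no need to know the generator's internals.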

It can be seen how US corporations might go along with the US government's machinations in this area; after all, the possibility of a non-NSA actor acquiring all those capabilities to exploit random number generator flaws seems vanishingly small.

At least up until now, there seems to be a code of techie omerta (and maybe the well-founded fear of a lawsuit) that precludes calling out IT bigs for climbing into bed with the NSA on the encryption issue.