Article in CounterPunch Magazine on NSA Encryption Follies

Also, Snowden Derangement Syndrome and Andrea Merkel’s Phone

I have an article in the current subscription-only CounterPunch magazine on the NSA encryption follies.  

The takeaway from the article is that, thanks to fiddling by the NSA and its corporate partners, Internet security is a jury-rigged omnishambles.  It’s as if the National Transportation Safety Board, with the garages and auto parts suppliers playing along, had undermined the safety standards for brakes and facilitated the insertion of multiple points of failure in the braking system, and then encouraged everybody to drive down the Information Superhighway at 120 miles per hour in order to give more business to the auto repair industry.

With the powers vested in me by the Internet, I command everyone to subscribe…now!  Here’s the link.

The piece has a different take on the NSA’s surveillance excesses than what readers are probably accustomed to.

Edward Snowden’s core concern, and the basis of a lot of the coverage, is anxiety over the massive scope of NSA surveillance.  It looks like the US government never abandoned the goal of Total Information Awareness, articulated during the George W. Bush era by John Poindexter, and simply decided to implement it clandestinely.  NSA wants it all: metadata, unencrypted data, encrypted data, the correlations, whatever.  

Even for those of us who have “nothing to hide and nothing to fear” a.k.a. nobody, this raises the specter of the Panopticon state, where the hidden eye may be everywhere and anywhere, and the subject is pre-emptively cowed into compliance by the fear of being observed.

I have to admit I already feel that way, to a degree.  I look at the computer on my desk and see it as a window in—to me—as well as a window out onto the WWW.

Not just for the US government which, quite frankly, I don’t think devotes a lot of time to worrying about me.  Also for Google.  For instance, the web ads aren’t mass advertising like TV commercials; they are targeted ads based on my Google searches.  Instead of telling me what’s out there, they are trying to get inside me and push my buy buttons based on what they think what’s in there.  Instead of surfing the web, I’m getting enmeshed in my personalized web of preconceptions and plans, spun courtesy of Google, Facebook, etc.  And for botnets.  I assume I’ve got one.  Maybe just one.  I hope so.  Recently, the FBI and Microsoft took down a botnet infecting 2 million computers.  I look at my computer as a device on loan to me from the botnet when it isn’t using the CPU cycles for its own nefarious ends.

The NSA and the US IT industry have a shared interest in exploiting me as a data asset.  The information, services, and connectivity benefits of the Internet is just the honey pot that lures us in.  Just like newspapers and magazines are advertising circulars with just enough journalism and entertainment to get us to crack open the pages.

If we want to restore our digital privacy, it’s going to take a new network: new hardware, new software, new protocols, and billions of dollars (without any government and corporate subvention!).

Good luck with that.

Short of that, enhanced transparency and accountability from the entities degrading the security functionality of the Internet might help.

It looks like the only way we’re going to get that is via whistleblowers.

When the Edward Snowden revelations hit, my first reaction was Wow.  Somebody’s really stuck it to the Man.

However, on some liberal and conservative sections of the Intertubes, something that I call Snowden Derangement Syndrome erupted.  It was as if Snowden had posted dirty pictures of him having sex with mom.  Some seemed to take the position of Don’t you understand?  We’re the Man.  Edward Snowden is sticking it to us!

Well, my general take is that Edward Snowden is a whistleblower, not a spy.  It’s not my job to help the Man sideline, discredit, silence, or incarcerate whistleblowers in order to make His job easier.

Of course, there has been a persistent bubbling of efforts to discredit Snowden along the lines of naif/narcissist/traitor.  Things quieted down when the carefully managed revelations of NSA domestic surveillance undercut the Snowden as hysterical dingbat narrative, but hotted up again with the reports on US spying on allies.  You know, hurts American interests, old news, everybody does it and, in Mike Rogers’ iteration, Europe should be grateful because Nobody Does It Better than the US of A.

These people obviously lost the Lord Acton memo about the corrupting nature of power—including the power bestowed on the NSA by an open-ended and generously funded mandate, secrecy, and sufficient legal impunity to initiate and perpetuate massive, compounded clusterfucks beyond the reach of congressional oversight.

Consider this revelation about the bugging of Andrea Merkel’s phone:

The Economic Times writes the “high-ranking” NSA official spoke to Bild am Sonntag on the condition of anonymity, saying the president, “not only did not stop the operation, but he also ordered it to continue.”

The Economic Times also reports the official told Bild am Sonntag that Obama did not trust Merkel, wanted to know everything about her, and thus ordered the NSA to prepare a dossier on the politician.

I don’t think that’s Edward Snowden talking.  Maybe it’s the Acela Babbler, Michael Hayden, passing on third-hand tittle-tattle.  Maybe Keith Alexander is sticking the boot in as he stomps off into retirement.  

In any case, that high level gossip, my friends, is probably more damaging to US diplomacy than the Snowden revelations, and also an indication of the culture of impunity and malice that seems to permeate the upper levels of the NSA and is now directed at President Obama for his equivocal defense of the agency.

Angela Merkel is probably seriously pissed that the NSA tapped her phone--and bragging about it.  In July, Merkel, an East German native who has tried to draw a clear, bright line between the security excesses of East Germany and practices in the West, had defended NSA surveillance as qualitatively different from the Stasi since the NSA was interested in protecting American security.  By that reading, Merkel has been considered a security risk for over a decade.

The revelation has done Germany the favor of alerting it to the fact that its communications security technology—in which it has reposed a high level of confidence—has been compromised.

As discussed in this article from Spiegel, German government communications were supposedly protected by world-class non-USA encryption and security products delivered by ex-Stasi technicians rolled into a company called Rohde & Schwarz.  The implication of the bugging of Merkel’s phone is that the US government has suborned and compromised Germany’s own data security apparatus.  Since Rohde & Schwarz is also a NATO supplier, perhaps the prospect of NATO contracts might have enticed them to hand over the goodies.  Or maybe the NSA hacked and fiddled its way in without corporate assistance from R&S.

For whatever reason, one can speculate that the NSA has done as good a job of fucking up German and NATO secure communications as it has done with overall Internet security.

Ungraceful Degradation

The NSA war on Internet integrity

[This piece appeared at Asia Times Online in a slightly different form on October 15, 2013.  It can be reproduced if China Matters is credited and a link provided.  This article is a companion piece to an article appearing in an upcoming issue of CounterPunch magazine, which discusses the NSA's across-the-board, intensive commitment to overcoming the greatest obstacle to its surveillance activities--and the bulwark of Internet system integrity for commercial and individual users: the access of non-state actors to strong encryption products.  Interested readers can subscribe to CounterPunch Magazine at this link: http://store.counterpunch.org/subscriptions/ ]

The US government has taken a pretty decent open network idea - the Internet - and turned it into a security nightmare.

In one of life's many ironies, the US was forced to degrade the security functions and overall integrity of the Internet because the US Constitution, law, and public and techie opposition combined to impede legal US government surveillance access to communications over the Internet.

Instead of accepting these limits, the US government sought to evade them - by weakening the encryption and security regimes that are at the heart of secure Internet communications for businesses and innocent civilians, as well as for the usual suspects invoked to justify subversion of Internet privacy: terrorists, criminals, and pedophiles.

The role of US IT corporations in crippling the security and privacy functions of the Internet is an awkward and relatively unexplored question.

So far, the most overt naming and shaming has taken place concerning cooperation of the IT bigs in the National Security Agency's PRISM program - which involved controlled, legally colored access to unencrypted materials on corporate servers. Under PRISM, the NSA apparently installed equipment at corporate sites to process government requests for unencrypted user data if it involved people that the NSA was "51%" sure weren't US persons.

Included in the Snowden documents was a slide showing the accession of the US IT heavyweights to the PRISM regime, starting with Microsoft in 2007 and including Yahoo!, Google, Facebook, Youtube, Skype, AOL, and Apple. PRISM looked something like exploitation of the CALEA (Communications Assistance for Law Enforcement Act) mandated backdoors in US telecommunications equipment, albeit with the disturbing realization that these backdoors could be exploited by anonymous NSA analysts without a FISA court order for a week and, when the free week was up, upon resort to the notoriously rubber-stamp FISA court (without the need to show probable cause as is the case when applying to get a warrant to spy on a US citizen).

The Washington Post's Bernard Gellman spoke of NSA efforts to suppress the names of the nine companies named on the PRISM slide:

Speaking at a Cato Institute conference on Wednesday, Gellman said The Washington Post has a practice of talking to the government before running stories that may impact national security. According to Gelman, there were "certain things" in the PRISM slides that they agreed raised legitimate security concerns. But, he said:
The thing that the government most wanted us to remove was the names of the nine companies. The argument, roughly speaking, was that we will lose cooperation from companies if you expose them in this way. And my reply was "that's why we are including them." Not in order to cause a certain result, or to get you to lose your cooperation but if the harm that you are describing consists of reputational or business damage to a company because the public doesn't like what it's doing or you're doing, that's the accountability we are supposed to be promoting.

Gellman believes that it's because the names were released that many of those technology companies started to be vocal advocates of greater transparency about the program. While they "previously had very little incentive to fight for disclosure because it wasn't their information that was being collected and there was no market pressure," he said, these companies "are now, because they are suffering business damage and reputational harm, pushing very hard in public debate and in lawsuits to disclose more about how the collection program works," which current FISA Court orders prohibit them from telling the public about. [1]

The NSA Nine, perhaps alerted to the upcoming PR firestorm, went public with defenses that sought to give a picture of limited, by-the-book, almost grudging cooperation. There was a lot of generous reporting about the struggles of Google, Facebook, Yahoo! et al to buck their NSA gag orders so they could reveal to an eager world how hard they have struggled to protect user privacy. Also, the PRISM revelations were explained and excused in the public media since they involved responses to FISA court warrants with specific, identified targets and, for that matter, were targeting "non-US persons", ie non-US citizens residing outside the United States.

What IT professionals found more disturbing than government backdoors into corporate servers, however, was Snowden's revelations of the NSA's war on encryption.

As I describe in an article in the upcoming print edition of Counterpunch, the NSA has aggressively acquired capabilities and resources in pursuit of its goal to crack encrypted e-mail, virtual private networks (VPNs), and mobile device communications.

Possible corporate collusion in the apparent NSA campaign to undermine the integrity of encryption and, for that matter, degrade the systemic security functionality of the Internet has received relatively little attention.

It can be speculated that some US IT corporations may have cooperated with the NSA in weakening security standards, installing backdoors, and botching implementation, perhaps with the idea that these were vulnerabilities that probably only the NSA could exploit.

Some of the most egregious NSA shenanigans have been in the arcane area of fiddling with the random number generators that lie at the heart of encryption. If the randomness is compromised incrementally, cracking becomes easier. And the more networked computers an attacker has, and the more messages are stored for analysis, the more important the reduced randomness of the encryption becomes.

It can be seen how US corporations might go along with the US government's machinations in this area; after all, the possibility of a non-NSA actor acquiring all those capabilities to exploit random number generator flaws seems vanishingly small.

At least up until now, there seems to be a code of techie omerta (and maybe the well-founded fear of a lawsuit) that precludes calling out IT bigs for climbing into bed with the NSA on the encryption issue.

Crypto's Dance

[Alert Reader pointed out the correct name for the Google Maps program as developed by the US government is "Keyhole", not "Keystone".  Herewith corrected.  Thank you, AR.]

On the rational left, Edward Snowden is close to losing the support of Kevin Drum because the most recent revelation—that the government has all sorts of ways and means to break ordinary encryption—alerted the bad guys to start being more careful with their crypto.

And if you’ve lost Kevin Drum, there’s little left on the left but China Matters and the rest of the fringe!

But…

Earlier today, in a post about the latest Edward Snowden leak, I wrote that "I'm a lot less certain that this one should have seen the light of day." After some further thought and conversation, I'm now a lot less certain I should have said that.

Here's the problem. The Guardian and New York Times stories basically revealed two things:

• The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they're covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA's handiwork. There's no way the NSA can guarantee that other groups won't learn the weaknesses it's introduced (indeed, it's already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I'd very much like Congress to put a stop to it. 
• In addition, the NSA has been working to to improve its decryption capabilities in ways that don't degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA's success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA's ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.

As a practical matter, I’m not convinced that Snowden crossed the line.

The US interest in reading encrypted messages is well-known, as are its efforts to crack crypto.

The government has a publicly announced obsession with cracking crypto, which includes all sorts of projects to leverage the capabilities of networked computers, better software, and various cheats to brute force current weak cryptography.

US efforts to diddle with crypto, for instance by corrupting the open source algorithm used to generate random numbers for the keys to make encryption easier to crack, had already been reported.

If and when we get a quantum computer, it will be because the US government will spend a gazillion dollars developing the technology as the magic bullet for cracking 256 bit strong crypto.

Absent quantum computing, the government’s priority is to universalize chickenshit crypto—the kind of crypto that is breakable with a variety of tricks.  Industry is government’s willing handmaiden in this matter, as Glenn Greenwald’s piece in the Guardian reveals:

The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role. 

It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".

A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".

Certainly, with B2B and consumer cloud computing via encrypted links on top of every tech company’s wet dream agenda, nobody wants to get tarred with the decryption brush, as a related British GCHQ guideline conveys:

A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships".

"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," intelligence workers were told.

Excuse me, please step aside as Google—a key member of President Obama’s brain trust, supplier of Andrew McLaughlin to serve as the White House’s Deputy Chief Technology Officer, and the people who 1) bought Keyhole global imaging technology from the CIA 2) renamed it Google Maps and 2) sells the data back to the US government—runs squealing to the front of the line to announce its existential commitment to customer security and privacy:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

Thank you, Google.  Let us continue.

More to the point, when somebody’s communications are targeted by the government, there are other tools available—like putting a keylogger on the computer—to find out what’s getting typed.

Add to that my personal suspicion that, if you encrypt your e-mail, you attract the special attention of the government on general principles and the investigatory gears start grinding, whether or not your encryption is broken.

So I would say if you are tippy-tappying at your computer with the expectation that encryption is keeping your communications—and you-- perfectly safe, you haven’t been paying attention.

So Edward Snowden’s most recent revelation serves only to give clues to the clueless.

What interested me is how quickly the “Internet freedom to connect” theme was submerged by the “national security” narrative.

Even though it is open to question who’s doing a sloppy job with the nation’s secrets: according to the Guardian, Edward Snowden was one of …850,000…individuals with top security clearance and he got a gander at this secret info.

850,000.

Just in the United States.

It could also have been argued that Snowden did dissidents and activists a public service by alerting them that encrypted communications may not be secure.

As Kevin Drum pointed out, “bad guys” might be able to exploit the backdoors the government is slotting into systems in order to read encrypted communications.

As for the free world’s ability to manage and control these tools, does anybody remember the Google furor over hacked Chinese dissident e-mail accounts (which, as you undoubtedly recall, was the justification for Sergei Brin’s retreat in high dudgeon from the Chinese search engine market)?  I do:

Bruce Schneier, a well-known US cyber security expert, made waves in the IT community with an op-ed on CNN on January 23 asserting that the e-mail hacker had obtained the e-mail information by accessing Google's own internal intercept system - a program designed to enable Google to collect user information in response to US government demands.

If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.

If this is the case, the e-mail hack is more of an embarrassment for Google than anything else: an indication that Google had not only created the application to enable governments to spy on e-mail accounts, it had done such a poor job of protecting it that it could be hijacked by malicious parties.

This passage—from January 2010!—should evoke feelings of intense nostalgia for those halcyon days—of August 2013—when Snowden’s first revelations were pooh-poohed as “it’s just metadata”, just the “address on the outside of the envelope” a.k.a. no big deal.

Now it’s the whole fricking encrypted enchilada.

Therefore, ineluctably, the framing slides from “It’s no big deal, don’t pay attention” to “It’s a big frickin’ deal, it must be suppressed.”

But the idea that Chinese dissidents might be grateful for the heads up that encryption might not be secure (and, in fact, the FBI has infiltrated and subverted the precious TOR network for anonymizing communications), and be more careful as a result hasn’t gained any traction yet.

And how about the security of VPNs?

Documents show that [UK GCHQ’s] Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

While we’re at it, given Snowden’s *ahem* impressive knowledge of the NSA’s decryption capabilities, would anybody care to walk back those “narcissistic naif who unwittingly had his hard drives drained by Russian and Chinese intelligence” memes that were spread in the early Snowden-bashing days?