National Insecurity: How The NSA Has Put The Internet And Our Security At Risk
from the epic-failure dept
The NSA and its defenders keep going back to the same argument over and over again in an attempt to justify its actions: that they’re being done for the sake of “national security.” Basically, they’re claiming that if the NSA didn’t stomp all over the 4th Amendment, undermine the internet and try to spy on everything possible, we’d all be less safe. As we’ve pointed out, however, the NSA never seems to do a simple cost-benefit analysis to see if the costs outweigh the benefits. It seems fairly clear they do not: the costs are huge, and the benefits of preventing exceptionally low probability events seem fairly low as well.
But, really, the issue is that the NSA’s actions aren’t actually helping national security, but they’re doing the exact opposite. They’re making us significantly less safe. Bruce Schneier made this point succinctly in a recent interview:
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.
The folks over at EFF have dug into this point in much greater detail as well. Undermining internet security is a really bad idea. While it may make it slightly easier for the NSA to spy on people — it also makes it much easier for others to attack us. For all this talk of national security, it’s making us a lot less secure.
In trying to defend this situation, former NSA boss Michael Hayden recently argued that the NSA, when it comes across security vulnerabilities, makes a judgment call on whether or not it’s worth fixing or exploiting itself. He discussed how the NSA thinks about whether or not it’s a “NOBUS” (nobody but us) situation, where only the US could exploit the hole:
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS” and that’s a vulnerability we are not ethically or legally compelled to try to patch — it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.
Of course, that ignores just how sophisticated and powerful certain other groups and governments are these days. As that article notes, the NSA is known as a major buyer of exploits sold on the market — but that also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is exploiting those is laughable. If the NSA were truly interested in “national security” it would be helping to close those vulnerabilities, not using them to their own advantage.
This leads to two more troubling issues — the fact that the “US Cyber Command” is under the control of the NSA is inherently problematic. Basically, the NSA has too much overlap between its offensive and defensive mandates in terms of computer security. Given what we’ve seen now, it’s pretty damn clear that the NSA highly prioritizes offensive efforts to break into computers, rather than defensive efforts to protect Americans’ computers.
The second issue is CISPA. The NSA and its defenders pushed CISPA heavily, claiming that it was necessary for “national security” in protecting against attacks. But a key part of CISPA was that it was designed to grant immunity to tech companies from sharing information with… the NSA, which was effectively put in control over “cybersecurity” under CISPA. It seems clear, at this point, that the worst fears about CISPA are almost certainly true. It was never about improving defensive cybersecurity, but a cover story to enable greater offensive efforts by the NSA which, in turn, makes us all a lot less secure.
Filed Under: insecurity, nsa, nsa surveillance, security, vulnerabilities
Comments on “National Insecurity: How The NSA Has Put The Internet And Our Security At Risk”
They have done a cost benefit analysis and concluded that there is benefit to them and cost to us.
Hayden doesn't understand computing
If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS”
Four acres of Crays may sound like a lot of computing horsepower, but it’s not — not any more. A botnet with tens of millions of systems has more CPU, memory, disk and bandwidth. Sure, it might be harder to program for the task at hand, but (a) it’s free (b) it’s scalable and (c) it’s fault-tolerant (if properly organized).
Not only that: four acres of Crays might give you the desired answer in a day; the botnet might take a month. So what? Depending on just what the question was, the time difference might not matter. (Doubly so given that we’re apparently discussing long-existing exploits.)
Re: Hayden doesn't understand computing
What if the “someone else” has the services of a young Russian mathematician who has figured out a way to reduce that “four acres of Crays” to a single PC?
The fact that the NSA is actually weakening the security systems Americans depend on, leaving us vulnerable to attacks from thieves, foreign powers, foreign industrial espionage, scammers and anyone else who stumbles upon or actively seeks out those vulnerabilities is the real crime in all of this. They’ve not only attacked and undermined our Constitutional rights, they’ve actively aided and abetted the enemies. Treason, plain and simple.
Re: Re:
It bugs me that everybody talks about the poor Americans being spied upon.
The NSA fucks up Everybody’s internet, including mine, in a far away foreign country. Do you think it’s acceptable in the name of protecting yourself? If yes, how far can you go in that direction? What measures are considered “too far”, and what about other countries doing the same in the name of defending themselves?
If you think you can fuck with a global infrastructure for your own benefit, then you don’t deserve a leading role in it’s administration.
As that article notes, the NSA is known as a major buyer of exploits sold on the market — but that also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is exploiting those is laughable.
I’ve been wondering about these deals to purchase exploits since I first heard about them. Is there some sort of agreement or something that prevents these sellers from reselling the exact same exploit to the “bad guys” after selling it to the NSA?
Isn’t it possible that one of the “bad guys” could use an exploit that the NSA is using to exploit the NSA itself?
Re: Re:
Your thinking is dead on: nothing prevents an exploit seller from selling it to the US and China, for example. The likelihood that either would find out about the other is small, and even if they did, the exploit seller would have plausible deniability: “oh, someone else must have found it”.
One of the most relentless falsehoods pushed by some segments of the security community is that exploits are NOBUS, to use Hayden’s terminology: they’re not. They get independently discovered all the time, then kept, bought, sold, traded, shared, hoarded, announced.
Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
Constantly left out of Mike’s NSA pieces is the fact that monopoly Microsoft puts out amazingly crappy products have numerous backdoors both by intent and not. Those flaws are essential to the surveillance state. In fact, all three current big OSs are designed to be taken over.
September 23, 2013 — You’re right up to date, Mike.
But as usual, you don’t actually name any of the co-conspirator corporations. Schneier does: “We are seeing the NSA collecting data from all of the cloud providers we use: Google and Facebook and Apple and Yahoo, etc. We see the NSA in partnerships with all the major telcos in the U.S., and many others around the world, to collect data on the backbone. We see the NSA deliberately subverting cryptography, through secret agreements with vendors, to make security systems less effective. The scope and scale are enormous.”
And here’s Schneier directly refuting the dolts here who say that you can avoid Google: “Basically, the average user is screwed. You can?t say ?Don?t use Google??that?s a useless piece of advice.”
“The Internet has become essential to our lives, and it has been subverted into a gigantic surveillance platform.”
Well, I don’t agree with “subverted”; it’s designed from start for surveillance, from at least 1948! How did you think Big Brother’s telescreens were going to work?
As I put that last:
Spying is the main ‘business model’ of the internet, especially for Google and Facebook.
Re: Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
Door?s to your left. Mind your tinfoil hat.
Re: Big deal, NSA. -- What abou Microsoft, Apple, and Google OSs?
“In fact, all three current big OSs are designed to be taken over.”
I know that I should probably stop trying to make sense of what you say but, what do you mean with “three current big OSs”?
Android/Linux, iOS and Windows Phone?
MacOSX, Windows and GNU/Linux?
Ubuntu, Debian and Fedora?
…
Emacs?
In any event, GNU/Linux is a safe bet, especially if you stick with Free Software. You’ll hate your life, but at least you’ll be safe from “teh googles”. And the likelihood that the NSA can subvert every possible combination of software, hardware and drivers is…unlikely, to put it mildly.
When NSA or anyone else purchases exploits on the marketplace, they are also not necessarily the only purchasers (who may be other governments), and the seller may not be the only one with the information for sale.
Making any sort of determination as to who else might exploit it comes down to dollars? That’s odd. Is that really the only criteria, and does merely having the $ then make it ok to use the exploit? Isn’t that part of the argument?
Did anybody think this through?
Let’s assume that the NSA buys an exploit via one of the online marketplaces.
Case 1: Let us assume that the NSA can’t crack the market and find out exactly WHO is selling a sploit and WHERE they are.
NSA buys sploit. Pays premium “NOBUS” fee.
Question: Just how does NSA enforce the contract if they can’t find the seller OR find out whether seller has sold the sploit to world+dog?
Case 2: Let us assume that NSA CAN crack the market.
Question: Can NSA afford to disappear sellers? After all, if people who sell keep disappearing from the market, there will eventually be no market.
Also, if NSA can crack the market, the sellers might be able to as well, in which case, “Don’t sell to the NSA” becomes a new mantra.
Re: Did anybody think this through?
Apparently NSA managers are the type of strategists we WISH work only for our enemies.
That they cannot see more than one move ahead does not make me feel secure at all.
Meanwhile, Canada’s NISA information has been completely exposed http://www.cbc.ca/insecurity/declassified.html
I'd like to see them...
….install an exploit on my K&E log-log decitrig, by golly!
Wait, I've heard this story!
I seem to recall a private company.. I believe it starts with S. Yes, in order to stop evil piracy they loaded some malware on a shiny disc and I think it made computers easier for others to hide their own malware after this DRM was installed to unsuspecting customers’ computers. How evil.
But it was intended for good purposes: the music industry was hemorrhaging lots of money because fewer people were buying shiny discs.
Since that turned out so well, our own officials, looking out for our best interests, of course, did the same thing only on a much larger and massive scale. Take that Sony!
1. Start with a moral plan.
2. Do something really evil.
3. Publically yell how moral your goal is.
4. Repeat.
Backdoor
There is another level of weakening that people seem to be missing.
Suppose that NSA somehow added a vulnerability to a system, one that only they can exploit (for instance, exploiting it might need a key only the NSA has).
There is a backdoor here: if only the NSA can exploit the vulnerability, evil hackers can invade the NSA and exploit the vulnerability from there.
This applies to anything which ends up being isomorphic to Clipper-style key escrow. If you add a backdoor to a system that only a single actor can exploit, if that single actor can be invaded it turns into a backdoor that anyone can exploit.
NSA spies on NSA oversight committees
And all the encryption and protection, the agencies and watchdogs who oversee the NSA think they have, they don’t have.
Because the NSA can see their documents and emails too.
All the government email protected by careful encryption, is actually protected by NSA backdoored encryption.
Dumb.
it is base on a data base teck that i invented
The NSA lost it mine. My data base is an adapted data base. And it simple to use. When they mode the database for spying it was only to be use for spying on embassy and outher rmilletery bases. Not every one. Because the data set is too big for the search engin I envented . On avgrave.7 to 9 hours it would take to find a terriost plot in the data base. That why Boston bomber was able to set his bonds off. The NSA could find that needle it that world size hay sstack . Ps to the webmaster you web sight input for comment does not work right for android devices some error when ending my comments show us when rdeleating a letter