Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry

from the this-is-just-a-thought-experiment,-right?-right??? dept

As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.

Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are “going dark,” and that Silicon Valley is foolishly aiding terrorism thanks to its “obsession” with privacy etc. etc. Against that background, it’s easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.

But suppose all this is just for show — not so much security theater as privacy theater, meant to divert our attention from what is really happening. That’s one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):

In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects, gave the closing keynote at the Free and Open Source Developers’ European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

NSA’s fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the “ABBA” program handles the following situation:

Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive

The novel solution is for the NSA to exploit “raw capitalism,” and to “throw money at the problem” by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its “friends” in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.

The “QUEEN” program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:


Play GPL vs BSD card

“Bikeshed” discussions

Soak mental bandwidth with bogus crypto proposals

A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the “BOYS” program, whose “crown jewel” is OpenSSL. The impact of the “Heartbleed” vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That’s just one indication that Kamp’s witty re-imagining of recent computer history is not so far-fetched.

Even assuming — hoping — that Kamp’s talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA — or other well-funded agencies — to subvert today’s computing industry in perfectly legal ways, it provides an important warning about what’s wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won’t be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+


Comments on “Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry”

TKnarr (profile) says:

Re: Re:

How? To take OpenSSL as an example, by putting a competent developer in a position to contribute useful patches. After a couple of years his work’ll pretty much be accepted as-is unless a bug points to his code. Then he can slip in non-obvious weaknesses at strategic points that make the channel vulnerable (at least to anyone with the NSA’s resources).

Why? Well, if you’ve compromised OpenSSL you pretty much have open access to all encrypted communications on the Web and in email. Almost everything that does SSL/TLS uses the OpenSSL library for it, and you know exactly what weakness was introduced and how to attack it.

See also Reflections on Trusting Trust, Ken Thompson, 1984.

Anonymous Coward says:

Re: Re: Re:

In the past, I’ve found that people are generally pretty trusting. It usually only takes 6-8 months of active participation and 10 solid commits to a project, and you can do whatever you want, within reason. Any intentional bugs introduced after that can be excused as accidents, as long as they don’t happen too regularly. And even though we’re dealing with open source, at this level, you’ve got a limited body of reviewers available, and can usually select who you want to do the review. If you select someone you’re pretty sure won’t catch the bug….

NotACow says:

Re: Re:

Indeed. A Cow may know far more about this topic than a non cow (AnonCow). Snowden was only one of MANY leakers who have proven this. For example, had NSA broken PKI in the mid 1990s (e.g. perhaps via a successful DARPA project to develop topological quantum neural computation) then everything NSA has done since would be the perfect cover. We know from the history of the Ultra Secret what a spy agency must do to conceal its ability to decrypt. NSA’s behavior fits this pattern.

Anonymous Coward says:

I tend to think you are right about the entire industry already being hacked. My guidelines for thinking that is Kaspersky’s discovery on hard drives…

The fiasco over the NSA’s involvement over the random number generator for encryption standards.

The NSA has been throwing money at this for a long time before the public even began to get a clue. The idea that Snowden revealed that the NSA was intercepting hardware in shipment to install backdoor hardware shows they have been at it long enough to be able to do this on an as-needed basis. You’d be a fool to think it was only Cisco hardware when it was set up this way with an installment lab to do the work.

Common sense tells you it is much more widespread than what you are hearing about.

DannyB (profile) says:

Re: Compromise is built right into your microprocessor by NSA

Now NSA could be messing with hardware long before the transportation phase. Or much later, once you have committed thoughtcrime.

See Intel Active Management Technology.

AMD has a counterpart.

In a nutshell, the processor won’t start (AMD) or will only run for 30 minutes (Intel) unless the ‘active management’ engine says everything is okay. That engine of invasion is a separate computer subsystem within the CPU that must be running an encrypted binary blob in order for ‘everything to be okay’. To add injury to injury, the microprocessor, under control of that engine, has direct hardware access to everything. The disk. The network.

So would Intel be a FON? (FON is an acronym from the slide deck.)

So do you think PCs are totally and completely compromised enough yet?

Paranoid yet?

Is this far, far worse than compromising the C compiler to secretly embed back doors into other programs as it compiles them?

And it’s all right out there in the open. Under our noses. Right in front of God and everyone.

Anon says:

Bond, James Bond

It always seems most far-fetched that the “organization” has an unlimited supply of yes-men who are extremely good and follow orders like robots. The kind of people who are willing to bend the rules are the ones you are most likely to have problems with, and there’s always going to be a Snowden or two in the mix, not to mention a crazy like G. Gordon Liddy.

DocGerbil100 (profile) says:

Re: Bond, James Bond

“It always seems most far-fetched that the “organization” has an unlimited supply of yes-men who are extremely good and follow orders like robots.”

The survivors of atrocities perpetrated by any number of countries – notably Germany and Japan in WWII – might disagree with you. Quite vehemently, in fact.

As far as I can see, the only time the world’s most vile monsters have trouble finding supporters and enablers is when they are clearly losing.

The rest of the time, there’s no shortage of people willing to line up and swear that this or that atrocity is in everyone’s best interests… and, equally, no shortage of people willing to pick up guns and machetes – or strap on bombs – and prove to the world just how much they love and believe in their favourite monsters.

For all their crimes – and they are crimes, I’ve no doubt of that – groups like the NSA and GCHQ are a long way from being the world’s most evil organisations: they should have few difficulties in finding staff willing to commit exactly these kinds of crime and keep their mouths shut.

If the organisation uses a bit of sense and compartmentalises itself so that only a few can see the bigger picture, it becomes even easier.

The fact that Snowden and the other whistleblowers constitute less than 0.1% of those people who all had the same knowledge of criminal behaviour would seem to prove the point: this can be done, it has been done, it is being done.

Nobody wants to be called a traitor. Nobody wants to go to jail forever. Nobody wants to disappear and later turn up dead, assuming a recognisable body-part ever turns up at all.

[I’m waving and smiling to GCHQ, here. :D]

In fiction, as in the most paranoid, delusional fantasy, as in reality, the rules are all the same.

When your employer has the power to make you and your entire family vanish without a trace, or disappear into the justice system with allegations of terrorism or child abuse or some other damn thing, you keep your mouth shut.

Snowden is the rarest of exceptions.
The rest of us are exactly robots.

Manok says:

Re: Case in Point: TrueCrypt

Potential funders weren’t leaned on… the developers themselves were… It’s not so hard to find something compromising on anyone, or else, tempt them into a compromising position.

Obviously they were given the choice of ‘hey there, we know it’s YOU that’s working on this too-popular-and-definitely-too-easy-to-use encryption program for the last x years… Stop that, or else one of the following skeletons will come out of your closet…’

DocGerbil100 (profile) says:

Sponsored by Golden Frog

Oo, a VPN! That’ll be useful against a multinational intelligence network with a near-infinite budget and virtually-unlimited world-wide surveillance capabilities. 😀

Seriously, I’ll never understand why anybody thinks anything digital is in any way safe for anyone, at this point.

Golden Frog – and all its competitors – are worth exactly nothing to anyone with more than basic media piracy in mind.

Based purely on what’s in open view, via Snowden, et al:

• they’re hoovering everything from every network;
• they’ve hacked the living shit out of every bit of kit in existence, either selectively or generally;
• they’re free and clear to malware themselves direct access into every piece of equipment tangentially related to basically anyone they like, based on absolutely nothing at all;
• they’re institutionally-built to have absolutely no regard for any kind of human rights – and especially not for privacy.

In the face of all that, how can any sane person imagine that there are any digital safe spaces anywhere? I take it as a given that all available VPN networks have probably been compromised by agencies for multiple governments.

I remember a time when such thinking was the recourse of the rampant paranoiac. Today, I consider it nothing more than standard operating procedure.

If you have real secrets to keep, then every phone and computer, every bit of equipment with a microphone or a camera, every last games console and smart TV: these things are The Enemy.

Only a fool thinks otherwise.

Adrian Cochrane (profile) says:

All the NSA really need do is be venture capitalists

Sure they could sabotage projects (which may be a great plan B), but all they really need to do is join the Silicon Valley venture capitalists in funding companies who convince the rest of us to hand our data straight into the NSA’s laps for the company to benefit from “advertising” fees.

This is basically what any of these Silicon Valley companies do (including Apple with iCloud), and the profit they get from their “advertising” encourages them to lull us with ineffective “security” to “protect our privacy” that hardly addresses the point.

And it’s not as if the FOSS community have been all that effective in fighting the faulty client-server architecture that’s been so favorable to the NSA. So maybe they do have spies there.
