Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry
from the this-is-just-a-thought-experiment,-right?-right??? dept
As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.
Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are “going dark,” and that Silicon Valley is foolishly aiding terrorism thanks to its “obsession” with privacy etc. etc. Against that background, it’s easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.
But suppose all this is just for show — not so much security theater as privacy theater, meant to divert our attention from what is really happening. That’s one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):
In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects, gave the closing keynote at the Free and Open Source Developers’ European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.
NSA’s fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the “ABBA” program handles the following situation:
Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive
The novel solution is for the NSA to exploit “raw capitalism,” and to “throw money at the problem” by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its “friends” in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.
The “QUEEN” program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:
FUD
Play GPL vs BSD card
“Bikeshed” discussions
Soak mental bandwidth with bogus crypto proposals
A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the “BOYS” program, whose “crown jewel” is OpenSSL. The impact of the “Heartbleed” vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That’s just one indication that Kamp’s witty re-imagining of recent computer history is not so far-fetched.
Even assuming — hoping — that Kamp’s talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA — or other well-funded agencies — to subvert today’s computing industry in perfectly legal ways, it provides an important warning about what’s wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won’t be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: nsa, sponsored post
Comments on “Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry”
How did they hack it, and why would they do that?
Re: Re:
How? To take OpenSSL as an example, by putting a competent developer in a position to contribute useful patches. After a couple of years his work’ll pretty much be accepted as-is unless a bug points to his code. Then he can slip in non-obvious weaknesses at strategic points that make the channel vulnerable (at least to anyone with the NSA’s resources).
Why? Well, if you’ve compromised OpenSSL you pretty much have open access to all encrypted communications on the Web and in email. Almost everything that does SSL/TLS uses the OpenSSL library for it, and you know exactly what weakness was introduced and how to attack it.
See also Reflections on Trusting Trust, Ken Thompson, 1984.
Re: Re: Re:
In the past, I’ve found that people are generally pretty trusting. It usually only takes 6-8 months of active participation and 10 solid commits to a project, and you can do whatever you want, within reason. Any intentional bugs introduced after that can be excused as accidents, as long as they don’t happen too regularly. And even though we’re dealing with open source, at this level, you’ve got a limited body of reviewers available, and can usually select who you want to do the review. If you select someone you’re pretty sure won’t catch the bug….
Re: Re: Re: Re:
Or who don’t get the exotic math well enough to catch the effects of a change, e.g. the NSA’s “tweaks” to the prime256v1, secp384r1 and secp521r1 curves for the elliptic-curve algorithms in OpenSSL.
Re: Re:
With NDAs. For more control and power over everyone and everything?
Then again…
…maybe not. Give me 500 words on ‘maybe not’ by 3:00 this afternoon.
As Snowden has proven, if we’re openly discussing it, that and more has already been happening for quite a while.
Re: Re:
See “Soak mental bandwidth with bogus crypto proposals”
Re: Re:
Yes. That.
The biggest actual thing that Snowden revealed was simply this:
What the NSA is already doing is far worse than what I imagined they were doing.
Re: Re:
Indeed. A Cow may know far more about this topic than a non cow (AnonCow). Snowden was only one of MANY leakers who have proven this. For example, had NSA broken PKI in the mid 1990s (e.g. perhaps via a successful DARPA project to develop topological quantum neural computation) then everything NSA has done since would be the perfect cover. We know from the history of the Ultra Secret what a spy agency must do to conceal its ability to decrypt. NSA’s behavior fits this pattern.
interesting sponsor
given this: https://cryptome.org/2014/09/giganews-fbi.htm
Re: interesting sponsor
Oh snap!
Thanks for the heads up.
I tend to think you are right about the entire industry already being hacked. My guidelines for thinking that is Kaspersky’s discovery on hard drives…
http://www.techpowerup.com/209925/nsa-hides-spying-backdoors-into-hard-drive-firmware
The fiasco over the NSA’s involvement over the random number generator for encryption standards.
http://www.bbc.co.uk/news/technology-24048343
The NSA has been throwing money at this for a long time before the public even began to get a clue. The idea that Snowden revealed that the NSA was intercepting hardware in shipment to install backdoor hardware shows they have been at it long enough to be able to do this on an as-needed basis. You’d be a fool to think it was only Cisco hardware when it was set up this way with an installment lab to do the work.
Common sense tells you it is much more widespread than what you are hearing about.
I understand the idea of sponsored stories, it’s like selling ad space that ad blockers can’t easily get rid of. But why run such a speculative piece, which appears to be mostly intended to scare people into buying their product?
Rather than “sponsored post” perhaps you can just say “spam”.
Re: Re:
If I got paid to repost a repost of a repost from 2014 I don’t think it would matter what random internet commenters thought.
Re: Re: Re:
Well, I guess they gotta do something, considering the whole Apple decryption thing died almost as soon as they got their crowd funding money in. You know that money is working hard to improve Techdirt!
Well, we do know they are actively messing with hardware at least during the transportation phase. And many conspiracy nuts ended up being right lately. So, yeah..
Re: Compromise is built right into your microprocessor by NSA
Now NSA could be messing with hardware long before the transportation phase. Or much later, once you have committed thoughtcrime.
See Intel Active Management Technology.
https://fsf.org/blogs/community/active-management-technology
AMD has a counterpart.
In a nutshell, the processor won’t start (AMD) or will only run for 30 minutes (Intel) unless the ‘active management’ engine says everything is okay. That engine of invasion is a separate computer subsystem within the CPU that must be running an encrypted binary blob in order for ‘everything to be okay’. To add injury to injury, the microprocessor, under control of that engine, has direct hardware access to everything. The disk. The network.
So would Intel be a FON? (FON is an acronym from the slide deck.)
So do you think PCs are totally and completely compromised enough yet?
Paranoid yet?
Is this far, far worse than compromising the C compiler to secretly embed back doors into other programs as it compiles them?
And it’s all right out there in the open. Under our noses. Right in front of God and everyone.
Re: Re: Compromise is built right into your microprocessor by NSA
The ME (management engine) should be a major concern as well, it has the ability to access everything.
They’ve got you so distracted with the concept of compromised software, you haven’t noticed they spy on you with compromised hardware (100% truth).
Re: Re:
They operate at all levels: compromised servers, compromised userland, compromised software, compromised OS, compromised hardware, and of course, compromised people.
Even more likely
NSA and other agencies could place people on the inside who worked directly for them. That Apple engineer who developed the code for iOS 9? Really works for the NSA; Apple is his side job.
Re: Even more likely
A government that can place a man on the moon can place a software bug in a piece of code.
So keep an eye on Russia, China, India, Japan, Israel and France everyone 🙂
We need more open-source hardware.
Bond, James Bond
It always seems most far-fetched that the “organization” has an unlimited supply of yes-men who are extremely good and follow orders like robots. The kind of people who are willing to bend the rules are the ones you are most likely to have problems with, and there’s always going to be a Snowden or two in the mix, not to mention a crazy like G. Gordon Liddy.
Re: Bond, James Bond
“It always seems most far-fetched that the “organization” has an unlimited supply of yes-men who are extremely good and follow orders like robots.”
The survivors of atrocities perpetrated by any number of countries – notably Germany and Japan in WWII – might disagree with you. Quite vehemently, in fact.
As far as I can see, the only time the world’s most vile monsters have trouble finding supporters and enablers is when they are clearly losing.
The rest of the time, there’s no shortage of people willing to line up and swear that this or that atrocity is in everyone’s best interests… and, equally, no shortage of people willing to pick up guns and machetes – or strap on bombs – and prove to the world just how much they love and believe in their favourite monsters.
For all their crimes – and they are crimes, I’ve no doubt of that – groups like the NSA and GCHQ are a long way from being the world’s most evil organisations: they should have few difficulties in finding staff willing to commit exactly these kinds of crime and keep their mouths shut.
If the organisation uses a bit of sense and compartmentalises itself so that only a few can see the bigger picture, it becomes even easier.
The fact that Snowden and the other whistleblowers constitute less than 0.1% of those people who all had the same knowledge of criminal behaviour would seem to prove the point: this can be done, it has been done, it is being done.
Nobody wants to be called a traitor. Nobody wants to go to jail forever. Nobody wants to disappear and later turn up dead, assuming a recognisable body-part ever turns up at all.
[I’m waving and smiling to GCHQ, here. :D]
In fiction, as in the most paranoid, delusional fantasy, as in reality, the rules are all the same.
When your employer has the power to make you and your entire family vanish without a trace, or disappear into the justice system with allegations of terrorism or child abuse or some other damn thing, you keep your mouth shut.
Snowden is the rarest of exceptions.
The rest of us are exactly robots.
Case in Point: TrueCrypt
How about the loss of the TrueCrypt developers as a case in point???
Just lean a little on potential funders, job done!
Re: Case in Point: TrueCrypt
Potential funders weren’t leaned on… the developers themselves were… It’s not so hard to find something compromising on anyone, or else, tempt them into a compromising position.
Obviously they were given the choice of ‘hey there, we know it’s YOU that’s working on this too-popular-and-definitely-too-easy-to-use encryption program for the last x years… Stop that, or else one of the following skeletons will come out of your closet…’
Re: Case in Point: TrueCrypt
the loss of the TrueCrypt developers
“Loss” is an interesting word here. http://www.cryptogon.com/?p=48528 He was a brilliant programmer and a vicious cartel boss, who became a prized U.S. government asset.
Seriously? More Golden frog spam?
They Lie about their service..
Glyn Moody
Selling out cheap…
Sponsored by Golden Frog
Oo, a VPN! That’ll be useful against a multinational intelligence network with a near-infinite budget and virtually-unlimited world-wide surveillance capabilities. 😀
Seriously, I’ll never understand why anybody thinks anything digital is in any way safe for anyone, at this point.
Golden Frog – and all its competitors – are worth exactly nothing to anyone with more than basic media piracy in mind.
Based purely on what’s in open view, via Snowden, et al:
• they’re hoovering everything from every network;
• they’ve hacked the living shit out of every bit of kit in existence, either selectively or generally;
• they’re free and clear to malware themselves direct access into every piece of equipment tangentially related to basically anyone they like, based on absolutely nothing at all;
• they’re institutionally-built to have absolutely no regard for any kind of human rights – and especially not for privacy.
In the face of all that, how can any sane person imagine that there are any digital safe spaces anywhere? I take it as a given that all available VPN networks have probably been compromised by agencies for multiple governments.
I remember a time when such thinking was the recourse of the rampant paranoiac. Today, I consider it nothing more than standard operating procedure.
If you have real secrets to keep, then every phone and computer, every bit of equipment with a microphone or a camera, every last games console and smart TV: these things are The Enemy.
Only a fool thinks otherwise.
Re: Sponsored by Golden Frog
Very well said. I’m one of the technorati who has been saying exactly this for 20+ years. People used to think I was a raving paranoiac on the topic, until it was repeatedly proven to be true and correct. Yes, now this is standard operating procedure anytime real OPSEC is needed.
All the NSA really need do is be venture capitalists
Sure they could sabotage projects (which may be a great plan B), but all they really need to do is join the Silicon Valley venture capitalists in funding companies who convince the rest of us to hand our data straight into the NSA’s laps for the company to benefit from “advertising” fees.
This is basically what any of these Silicon Valley companies do (including Apple with iCloud), and the profit they get from their “advertising” encourages them to lull us with ineffective “security” to “protect our privacy” that hardly addresses the point.
And it’s not as if the FOSS community have been all that effective in fighting the faulty client-server architecture that’s been so favorable to the NSA. So maybe they do have spies there.
Re: All the NSA really need do is be venture capitalists
And their biggest ally in keeping the client server model are the ISPs, who make it difficult and against TOS to set up a home server.
According to its terms of service, Golden Frog “cooperates fully with law enforcement agencies”, providing identifying information, and does “not divulge the fact of the investigation to the member”.
NO.