Of Trust, The NSA, And Poisoning The Banquet
from the nobody-but-us dept
Two of the sharpest commentators on the implications of Snowden's leaks are the security expert Bruce Schneier and the science fiction writer Charlie Stross. By an intriguing coincidence, both have recently written highly readable columns that not only discuss the same issue -- the damage the NSA has wrought on the Internet -- but even employ the same key metaphor. In his "Internet Subversion," Schneier writes:
What we trusted was that the technologies would stand or fall on their own merits.
His metaphor for what this has produced is striking:
We now know that trust was misplaced. Through cooperation, bribery, threats, and compulsion, the NSA -- and the United Kingdom's GCHQ -- forced companies to weaken the security of their products and services, then lie about it to their customers.
This mistrust is poison.
He points out the terrible consequences of that weakened security:
There is a term in the NSA: "nobus," short for "nobody but us." The NSA believes it can subvert security in such a way that only it can take advantage of that subversion. But that is hubris. There is no way to determine if or when someone else will discover a vulnerability. These subverted systems become part of our infrastructure; the harms to everyone, once the flaws are discovered, far outweigh the benefits to the NSA while they are secret.
In his own piece, "The Snowden leaks; a meta-narrative," Stross picks up on that theme, and emphasizes one particularly important implication:
At every step in the development of the public internet the NSA systematically lobbied for weaker security, to enhance their own information-gathering capabilities. The trouble is, the success of the internet protocols created a networking monoculture that the NSA themselves came to rely on for their internal infrastructure. The same security holes that the NSA relied on to gain access to your (or Osama bin Laden's) email allowed gangsters to steal passwords and login credentials and credit card numbers. And ultimately these same baked-in security holes allowed Edward Snowden -- who, let us remember, is merely one guy: a talented system administrator and programmer, but no Clark Kent -- to rampage through their internal information systems.
Stross then turns to the same metaphor that Schneier employed:
The moral of the story is clear: be very cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it yourself.
These two posts on the same topic are part of a growing awareness that the harm caused by spy agencies subverting key elements of the Internet is not only a much more serious problem than many people realize, but a long-term one that will be very hard to fix. It looks like we'll be forced to swallow the NSA's poison for a while yet.