Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry

from the this-is-just-a-thought-experiment,-right?-right??? dept

As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.


Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are "going dark," and that Silicon Valley is foolishly aiding terrorism thanks to its "obsession" with privacy etc. etc. Against that background, it's easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.

But suppose all this is just for show -- not so much security theater as privacy theater, staged to divert our attention from what is really happening. That's one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):

In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects, gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

NSA's fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the "ABBA" program handles the following situation:

Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive

The novel solution is for the NSA to exploit "raw capitalism," and to "throw money at the problem" by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its "friends" in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.

The "QUEEN" program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:

• FUD
• Play GPL vs BSD card
• "Bikeshed" discussions
• Soak mental bandwidth with bogus crypto proposals

A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the "BOYS" program, whose "crown jewel" is OpenSSL. The impact of the "Heartbleed" vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That's just one indication that Kamp's witty re-imagining of recent computer history is not so far-fetched.

Even assuming -- hoping -- that Kamp's talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA -- or other well-funded agencies -- to subvert today's computing industry in perfectly legal ways, it provides an important warning about what's wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won't be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+




Reader Comments


  • hacker66, 13 Apr 2016 @ 9:59am

    how did they hack it and why would they do that

    • TKnarr, 13 Apr 2016 @ 10:16am

      Re:

      How? To take OpenSSL as an example, by putting a competent developer in a position to contribute useful patches. After a couple of years his work'll pretty much be accepted as-is unless a bug points to his code. Then he can slip in non-obvious weaknesses at strategic points that make the channel vulnerable (at least to anyone with the NSA's resources).

      Why? Well, if you've compromised OpenSSL you pretty much have open access to all encrypted communications on the Web and in email. Almost everything that does SSL/TLS uses the OpenSSL library for it, and you know exactly what weakness was introduced and how to attack it.

      See also Reflections on Trusting Trust, Ken Thompson, 1984.

      • Anonymous Coward, 13 Apr 2016 @ 11:09am

        Re: Re:

        In the past, I've found that people are generally pretty trusting. It usually only takes 6-8 months of active participation and 10 solid commits to a project, and you can do whatever you want, within reason. Any intentional bugs introduced after that can be excused as accidents, as long as they don't happen too regularly. And even though we're dealing with open source, at this level, you've got a limited body of reviewers available, and can usually select who you want to do the review. If you select someone you're pretty sure won't catch the bug....

        • TKnarr, 13 Apr 2016 @ 11:45am

          Re: Re: Re:

          Or who don't get the exotic math well enough to catch the effects of a change, e.g. the NSA's "tweaks" to the prime256v1, secp384r1 and secp521r1 curves for the elliptic-curve algorithms in OpenSSL.

    • Anonymous Coward, 13 Apr 2016 @ 6:27pm

      Re:

      With NDAs. For more control and power over everyone and everything?

  • Anonymous Coward, 13 Apr 2016 @ 10:10am

    Then again…

    …maybe not. Give me 500 words on 'maybe not' by 3:00 this afternoon.

  • AnonCow, 13 Apr 2016 @ 10:13am

    As Snowden has proven, if we're openly discussing it, that and more has already been happening for quite a while.

    • Anonymous Coward, 13 Apr 2016 @ 11:11am

      Re:

      See "Soak mental bandwidth with bogus crypto proposals"

    • DannyB, 13 Apr 2016 @ 1:08pm

      Re:

      Yes. That.

      The biggest actual thing that Snowden revealed was simply this:

      What the NSA is already doing is far worse than what I imagined they were doing.

    • NotACow, 17 Apr 2016 @ 10:35am

      Re:

      Indeed. A Cow may know far more about this topic than a non cow (AnonCow). Snowden was only one of MANY leakers who have proven this. For example, had NSA broken PKI in the mid 1990s (e.g. perhaps via a successful DARPA project to develop topological quantum neural computation) then everything NSA has done since would be the perfect cover. We know from the history of the Ultra Secret what a spy agency must do to conceal its ability to decrypt. NSA's behavior fits this pattern.

  • Anonymous Coward, 13 Apr 2016 @ 10:24am

    interesting sponsor

  • Anonymous Coward, 13 Apr 2016 @ 10:32am

    I tend to think you are right about the entire industry already being hacked. My guidelines for thinking that is Kaspersky's discovery on hard drives...

    http://www.techpowerup.com/209925/nsa-hides-spying-backdoors-into-hard-drive-firmware

    The fiasco over the NSA's involvement over the random number generator for encryption standards.

    http://www.bbc.co.uk/news/technology-24048343

    The NSA has been throwing money at this for a long time before the public even began to get a clue. The idea that Snowden revealed that the NSA was intercepting hardware in shipment to install backdoor hardware shows they have been at it long enough to be able to do this on an as-needed basis. You'd be a fool to think it was only Cisco hardware when it was set up this way with an installment lab to do the work.

    Common sense tells you it is much more widespread than what you are hearing about.

  • This comment has been flagged by the community.
    Whatever, 13 Apr 2016 @ 10:39am

    I understand the idea of sponsored stories, it's like selling ad space that ad blockers can't easily get rid of. But why run such a speculative piece, which appears to be mostly intended to scare people into buying their product?

    Rather than "sponsored post" perhaps you can just say "spam".

    • Anonymous Coward, 13 Apr 2016 @ 10:50am

      Re:

      If I got paid to repost a repost of a repost from 2014 I don't think it would matter what random internet commenters thought.

      • This comment has been flagged by the community.
        Whatever, 13 Apr 2016 @ 5:32pm

        Re: Re:

        Well, I guess they gotta do something, considering the whole Apple decryption thing died almost as soon as they got their crowd funding money in. You know that money is working hard to improve Techdirt!

  • Ninja, 13 Apr 2016 @ 10:42am

    Well, we do know they are actively messing with hardware at least during the transportation phase. And many conspiracy nuts ended up being right lately. So, yeah..

    • DannyB, 13 Apr 2016 @ 1:18pm

      Compromise is built right into your microprocessor by NSA

      Now NSA could be messing with hardware long before the transportation phase. Or much later, once you have committed thoughtcrime.

      See Intel Active Management Technology.

      https://fsf.org/blogs/community/active-management-technology

      AMD has a counterpart.

      In a nutshell, the processor won't start (AMD) or will only run for 30 minutes (Intel) unless the 'active management' engine says everything is okay. That engine of invasion is a separate computer subsystem within the CPU that must be running an encrypted binary blob in order for 'everything to be okay'. To add injury to injury, the microprocessor, under control of that engine, has direct hardware access to everything. The disk. The network.

      So would Intel be a FON? (FON is an acronym from the slide deck.)

      So do you think PCs are totally and completely compromised enough yet?

      Paranoid yet?

      Is this far, far worse than compromising the C compiler to secretly embed back doors into other programs as it compiles them?

      And it's all right out there in the open. Under our noses. Right in front of God and everyone.

      • Anonymous Coward, 13 Apr 2016 @ 6:31pm

        Re: Compromise is built right into your microprocessor by NSA

        The ME (management engine) should be a major concern as well, it has the ability to access everything.

  • Anonymous Coward, 13 Apr 2016 @ 10:48am

    They've got you so distracted with the concept of compromised software, you haven't noticed they spy on you with compromised hardware (100% truth).

    • Anonymous Coward, 13 Apr 2016 @ 11:13am

      Re:

      They operate at all levels: compromised servers, compromised userland, compromised software, compromised OS, compromised hardware, and of course, compromised people.

  • Ragnarredbeard, 13 Apr 2016 @ 10:52am

    Even more likely

    NSA and other agencies could place people on the inside who worked directly for them. That Apple engineer who developed the code for iOS 9? Really works for the NSA; Apple is his side job.

    • Anonymous Coward, 13 Apr 2016 @ 11:16am

      Re: Even more likely

      A government that can place a man on the moon can place a software bug in a piece of code.

      So keep an eye on Russia, China, India, Japan, Israel and France everyone :)

  • Anonymous Coward, 13 Apr 2016 @ 11:34am

    We need more open-source hardware.

  • Anon, 13 Apr 2016 @ 11:35am

    Bond, James Bond

    It always seems most far-fetched that the "organization" has an unlimited supply of yes-men who are extremely good and follow orders like robots. The kind of people who are willing to bend the rules are the ones you are most likely to have problems with, and there's always going to be a Snowden or two in the mix, not to mention a crazy like G. Gordon Liddy.

    • DocGerbil100, 13 Apr 2016 @ 5:13pm

      Re: Bond, James Bond

      "It always seems most far-fetched that the "organization" has an unlimited supply of yes-men who are extremely good and follow orders like robots."

      The survivors of atrocities perpetrated by any number of countries - notably Germany and Japan in WWII - might disagree with you. Quite vehemently, in fact.

      As far as I can see, the only time the world's most vile monsters have trouble finding supporters and enablers is when they are clearly losing.

      The rest of the time, there's no shortage of people willing to line up and swear that this or that atrocity is in everyone's best interests... and, equally, no shortage of people willing to pick up guns and machetes - or strap on bombs - and prove to the world just how much they love and believe in their favourite monsters.

      For all their crimes - and they are crimes, I've no doubt of that - groups like the NSA and GCHQ are a long way from being the world's most evil organisations: they should have few difficulties in finding staff willing to commit exactly these kinds of crime and keep their mouths shut.

      If the organisation uses a bit of sense and compartmentalises itself so that only a few can see the bigger picture, it becomes even easier.

      The fact that Snowden and the other whistleblowers constitute less than 0.1% of those people who all had the same knowledge of criminal behaviour would seem to prove the point: this can be done, it has been done, it is being done.

      Nobody wants to be called a traitor. Nobody wants to go to jail forever. Nobody wants to disappear and later turn up dead, assuming a recognisable body-part ever turns up at all.

      [I'm waving and smiling to GCHQ, here. :D]

      In fiction, as in the most paranoid, delusional fantasy, as in reality, the rules are all the same.

      When your employer has the power to make you and your entire family vanish without a trace, or disappear into the justice system with allegations of terrorism or child abuse or some other damn thing, you keep your mouth shut.

      Snowden is the rarest of exceptions.
      The rest of us are exactly robots.

  • Christenson, 13 Apr 2016 @ 11:51am

    Case in Point: TrueCrypt

    How about the loss of the TrueCrypt developers as a case in point???

    Just lean a little on potential funders, job done!

    • Manok, 14 Apr 2016 @ 4:06am

      Re: Case in Point: TrueCrypt

      Potential funders weren't leaned on... the developers themselves were... It's not so hard to find something compromising on anyone, or else, tempt them into a compromising position.

      Obviously they were given the choice of 'hey there, we know it's YOU that's working on this too-popular-and-definitely-too-easy-to-use encryption program for the last x years... Stop that, or else one of the following skeletons will come out of your closet...'

    • alternatives(), 14 Apr 2016 @ 6:39am

      Re: Case in Point: TrueCrypt

      the loss of the TrueCrypt developers

      "Loss" is an interesting word here. http://www.cryptogon.com/?p=48528 He was a brilliant programmer and a vicious cartel boss, who became a prized U.S. government asset.

  • This comment has been flagged by the community.
    Anonymous Coward, 13 Apr 2016 @ 3:07pm

    Seriously? More Golden frog spam?
    They Lie about their service..

  • This comment has been flagged by the community.
    Anonymous Coward, 13 Apr 2016 @ 3:13pm

    Glyn Moody

    Selling out cheap...

  • DocGerbil100, 13 Apr 2016 @ 6:01pm

    Sponsored by Golden Frog

    Oo, a VPN! That'll be useful against a multinational intelligence network with a near-infinite budget and virtually-unlimited world-wide surveillance capabilities. :D

    Seriously, I'll never understand why anybody thinks anything digital is in any way safe for anyone, at this point.

    Golden Frog - and all its competitors - are worth exactly nothing to anyone with more than basic media piracy in mind.

    Based purely on what's in open view, via Snowden, et al:

    • they're hoovering everything from every network;
    • they've hacked the living shit out of every bit of kit in existence, either selectively or generally;
    • they're free and clear to malware themselves direct access into every piece of equipment tangentially related to basically anyone they like, based on absolutely nothing at all;
    • they're institutionally-built to have absolutely no regard for any kind of human rights - and especially not for privacy.

    In the face of all that, how can any sane person imagine that there are any digital safe spaces anywhere? I take it as a given that all available VPN networks have probably been compromised by agencies for multiple governments.

    I remember a time when such thinking was the recourse of the rampant paranoiac. Today, I consider it nothing more than standard operating procedure.

    If you have real secrets to keep, then every phone and computer, every bit of equipment with a microphone or a camera, every last games console and smart TV: these things are The Enemy.

    Only a fool thinks otherwise.

    • energyscholar, 17 Apr 2016 @ 10:43am

      Re: Sponsored by Golden Frog

      Very well said. I'm one of the technorati who has been saying exactly this for 20+ years. People used to think I was a raving paranoiac on the topic, until it was repeatedly proven to be true and correct. Yes, now this is standard operating procedure anytime real OPSEC is needed.

  • Adrian Cochrane, 13 Apr 2016 @ 6:27pm

    All the NSA really need do is be venture capitalists

    Sure they could sabotage projects (which may be a great plan B), but all they really need to do is join the Silicon Valley venture capitalists in funding companies who convince the rest of us to hand our data straight into the NSA's laps for the company to benefit from "advertising" fees.

    This is basically what any of these Silicon Valley companies do (including Apple with iCloud), and because of the profit they get from their "advertising" encourages them to lull us with ineffective "security" to "protect our privacy" that hardly addresses the point.

    And it's not as if the FOSS community have been all that effective in fighting the faulty client-server architecture that's been so favorable to the NSA. So maybe they do have spies there.

    • Anonymous Coward, 13 Apr 2016 @ 11:11pm

      Re: All the NSA really need do is be venture capitalists

      And their biggest ally in keeping the client server model are the ISPs, who make it difficult and against TOS to set up a home server.

  • Anonymous Coward, 13 Apr 2016 @ 7:34pm

    According to its terms of service, Golden Frog "cooperates fully with law enforcement agencies", providing identifying information, and does "not divulge the fact of the investigation to the member".

    NO.
