When the Guardian claimed, based on the stolen Snowden files, that the NSA was tampering with the very standards of encryption, they won over many more conservative geeks who weren't wild-eyed and rabid like Jacob Appelbaum and those in the hacker set. They tapped into a sense of both superiority and paranoia that all geeks have about themselves and code -- it was a brilliant social hack (I continue to maintain that most of what Snowden has produced is a giant social hack, from the con of 25 of his fellow employees to give him their passwords (!) to providing single slides or partial documents or plumbing sketches or outlines in lieu of hard, solid content deliberately, so as to incite hysteria that is hard to then shut up while the facts are parsed).
They claimed that through secret partnerships with commercial firms like Google or Facebook or Microsoft or Intel, the NSA was exploiting vulnerabilities or getting themselves private keys to decode texts:
But security experts accused them of attacking the internet itself and the privacy of all users. "Cryptography forms the basis for trust online," said Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society. "By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet." Classified briefings between the agencies celebrate their success at "defeating network security and privacy".
Once again, it's only Bruce Schneier -- the cybersecurity expert who always leaned toward defense of hacker culture and objectives and who has now fully embraced them by joining the board of Electronic Frontier Foundation.
The long Guardian article never supplies anything like proof -- and hasn't learned -- like the Washington Post's Bart Gellman and his geek sidekick Ashkan Soltani -- to make impressive, complicated geeky diagrams. They do claim there was something in...2006:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
"Eventually, NSA became the sole editor," the document states.
That was when the New York Times published their famous article after waiting on it for some time.
Yet we're not told what it was, exactly. What kind of weakness? Where?
Something like that TLS handshake issue with the mobile app data heading first before the handshake? (No doubt that was devised to reduce latency -- after all, it's only communicating information about the phone and the app, and most users aren't going to find that a big deal -- so the handshake to validate the ID and the server comes later, so what? Only a geek could care if the lag meant the NSA could jump in the middle, because most people don't think they'll be bothered by the NSA.)
Despite the absence of any real proof, or any explicit walk-through of any actual case of weakening, this is now taken as an article of faith.
In a talk for the Silicon Valley cult agitprop factory TED, the famous Mikko Hyppönen, the Finnish cybersecurity dude, claims that the NSA has deliberately sabotaged encryption algorithms, in order to weaken them.
He postures on stage that he is angry, or rather, tells people they should be angry, and that the NSA is "wrong" and "rude" (like...a schoolboy who has been caught at a prank?). @TedChris is thrilled to pieces and tries to amplify the "anger" motif.
But Mikko cites no proof of this claim that NSA tampered with the algorithms. (He also fails to mention the hacking of his own country by Russia -- his reply to me about this -- that the news story I cited from November 8 came after the taping of his TED talk -- is singularly lame, given that a guru like him should have known of such a huge hack of his country ages before the news came out.)
Again: I haven't seen a single second source (outside the Snowden Brotherhood) validate this claim of tampering. I totally get that it is possible, and a concern. What I don't see is replication of the claim. A couple of slides and a few Googlers do not constitute validation -- that's partial and speculative, like Greenwald's initial story.
The reason I don't buy it is simple: I see that Matthew Green is still not conceding it. All the Snowden geeks can do then is call him names; Greenwald implies he's a pussy because he then won't take the same set of Snowden materials they are all looking at and comment on them. But you know, that's because he isn't a journalist, and couldn't hide behind journalism, doing that...
Mikko spouts the theory that the USG deliberately spread malware to undermine Microsoft -- a country hacking itself, he says. Oh, come now. You're not worried about the Chinese and Russians?!
Mikko makes the outrageous claim that Skype was secure before it was sold to Microsoft, that it had end-to-end encryption and was safe. But that's ridiculous. One of the top cybersecurity gurus in NYC whom I happened to discover used to be horrified years ago, long before the sale to Microsoft, that I let Skype on my system because he found it full of flaws and vulnerabilities -- everyone knew about its backdoors. The Belarusian secret police had Skype conversations before the Microsoft sale. Please. Let's not be children here.
It's really annoying when people like him who are technical experts then spout political nonsense wrapped around it and think that their scientific knowledge is enough to validate their political views and manipulations. For example, his silly notions of the "existential" problem of the war on terrorism as being fake. He needs to check in with Madrid, or London or Moscow just on his continent if he doesn't want to contemplate our 9/11.
Then he says this -- which is very appealing to the countries of Europe: "I'd much rather have a domestic Big Brother than a foreign Big Brother" -- i.e. the US, running the cloud industry or search, via Google.
It's actually especially appealing to countries with big powerful neighbours like, oh, even Russia, but not only Russia -- under the pretext of saying they need to hide from the Great Satan America, they can actually do the hiding from the places they really need to hide from -- Russia and China. Say, if that's how they have to sell it to domestic audiences, let them.
Despite Eric Schmidt's touching faux belief in old-fashioned borders remaining after he gets done Internetizing things, and even land valuation, the reality is that there aren't borders as there once were, that lots of artificial distinctions get made, and in fact, there's a very real question of whether absolute encryption by each individual government will become a demand that countries of the world will get met, on their own, if international bodies won't accept this.
That is, international standards may remain, but there will be encryption with locally-devised algorithms that keep out others like barbed-wire fences and mined fields. Will this be possible?
I'm not sure it's the worst idea at all --- and at this point, if we're talking Big Brothers, I'd rather have EU countries that are individual Big Brothers than a global Big Brother that Russia and China invade, and I'd rather have individual EU Big Brothers than groups like Anonymous or WikiLeaks or Occupy become the absolute-encrypted Big Brothers (they call themselves Little Brothers; they'll be big in a heart-beat with that unaccountable power -- and in fact already are.)
Obviously, if the global contenders for Big Brother role are China or Russia or America, I'd pick America because I think it will have far more freedom and accountability (as it already has running the Internet; one could argue, if you accept Snowden (and I don't), that the free American system produced a Snowden which then remedied the unfree aspects of the system -- no Snowden would appear in China or Russia. So there.)
Really, it's a war about encryption. Would you rather have script kiddies encrypting, or the EU? I'll pick door no. 2.
Mikko makes a nod to the rights of law-enforcement to pursue crime. But he thinks this is wildly exaggerated, and he thinks that a) NSA is dredging ALL communications of everybody everywhere and therefore b) this harms privacy and doesn't.
There's no concept of the combing of selected streams as being "not intrusive."
"You show me your search history, and I will find something incriminating in five minutes," he says, and yet doesn't take his laser-stare off the NSA for all that, and put it on Google, which is of course, at fault for retaining these searches -- something that the EU privacy tsars are always fighting Google about in lawsuits and deals.
So, what to do about this awful thing with this big Orwellian over-reaching monster called the NSA which has done these terrible things? Why, Snowden isn't to blame for harming the US cloud industry (which we don't know is ruined yet, actually) any more than Al Gore is to blame for global warming. (He, like those cheering in the audience, obviously thinks not only is there nothing to debate about global warming, even if everyone agrees, that there's nothing to debate about what the response should be.)
"The solution is open source," he says. Ahh, there we go. The cult of open source. And let me remind you of the distinctly authoritarian culture that comes with that cult, even if you are forced to use open source on this very Internet, just like you can't get away from American-manufactured cloud stuff -- although Mikko urges everyone to try.
Except...the standards of encryption of NIST are open and any eyes can see and complain about them. So have they looked and found then those evil back doors and weakenings they think exist? Well?
NIST noted that it has worked closely with the NSA to help develop encryption standards, due to the NSA's expertise in this area. NIST is also required to consult with the NSA by U.S. legal statute. But the agency noted that its process for vetting encryption algorithms is an open one, in which anyone can review and comment on the work being done.
"If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible," the statement read.
And the geeks are still debating about what this really all involves and really, there isn't proof from Snowden and Greenwald. All there is, is a lot of advocacy group hysteria, not facts.
Even in making their hysterical pleas, Global Voices is forced to say they don't know:
These revelations imply that the NSA has pursued an aggressive program of obtaining private encryption keys for commercial products—allowing the agency to decrypt vast amounts of Internet traffic sent by users of these products. They also suggest that the agency has attempted to put backdoors (well-hidden ways to access data) into cryptographic standards designed to secure users’ communications. Additionally, the leaked documents make clear that companies that manufacture these products have been complicit in allowing this unprecedented spying to take place, though the identities of cooperating companies remain unknown.
Many important details about this program, codenamed Bullrun, are still unclear. What communications are targeted? What service providers or software developers are cooperating with the NSA? What percentage of private encryption keys of targeted commercial products are successfully obtained? Does this store of private encryption keys (presumably procured through theft or company cooperation) contain those of popular web-based communication providers like Facebook and Google?
I really do highly recommend reading the geek Twitter interchanges with Matthew Green et al. closely to see the dynamics involved. Note: Appelbaum is no longer working with the Guardian (small wonder there, as he accused them of sitting on Snowden stories). We don't know if that means he is still working with Greenwald (seems not) or if Snowden has ditched him (I'll bet he has.)
Some are using the argument now -- trying to appeal to what they think are "a state's best interests," that you can't allow the NSA to introduce back doors, and industry should resist this, because otherwise terrorists and criminals exploit them.
Well, sure, every day, spammers and virus-spreaders exploit software and make everyone's life miserable, even outside the dynamics of Snowden/NSA and the US cloud industry versus people like Mikko and his consulting clients in the EU.
I'm not buying this argument now because:
o you haven't proved that the NSA did this tampering
o you haven't proved that non-state actors have this capacity
o you haven't indicated any other way for law enforcement to do its legitimate duty.
It's that last part that troubles me more than anything -- Mikko, like so many, is far too casual about how exactly the police can track hackers like Snowden if the Lavabits of the world deny even federal agents with warrants, and even judges' orders. What is the plan now?
We're supposed to let the Lavabits of the world decide who they think are criminals and who aren't? Really, guys? Again, door no. 2.