
Summary:

Who thought subverting not only widely-used security mechanisms, but the security standards-setting process itself, was a good idea?

Dear stupid, stupid NSA,

I’ve got to hand it to you: as an agency set up with the task of breaking codes and spying on people, you seem to be doing a pretty sterling job.

You and your counterparts in the UK, Australia, Canada and New Zealand (and possibly elsewhere) are able to monitor most of the communications flowing around the world. You appear to have successfully subverted the American web services that everyone uses, and you’ve used the value and size of the U.S. market to bring all manner of internet backbone providers and hardware vendors on-side too.

Now we also know that you have – in your own words — “some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies.” So even if it takes a fair amount of effort (unlike your indiscriminate data-trawling techniques), that’s basic internet security out the window then. Nicely done.

We’re still pretty sure that strong encryption is safe (Edward Snowden said so, and he’s yet to be proven wrong on this stuff), but even there it’s not unreasonable to suspect you can muscle your way in if the situation merits it.

Again, well played, maybe.

Subversive insecurity

However, you’ve not stopped at codebreaking – you have also made sure that vulnerabilities have been inserted into “commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.”

Here’s where the stupidity creeps in: you actively work to “influence policies, standards and specifications for commercial public key technologies” and “shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by” yourselves.

In other words, instead of just building a better lockpick, you are trying to make sure that all locks are faulty by design.

What is so jaw-droppingly idiotic about your actions is that you have not only subverted key elements of modern cryptography, but you have also appointed yourself as the guardian of the knowledge that the resulting vulnerabilities exist. And if your own security systems were up to the task, then those secrets wouldn’t be sitting in the offices of The New York Times and ProPublica.

One must possess a Panglossian view on things to assume that Edward Snowden was the first person out of the many thousands in his position to make away with such material. He brought it to the public, and without that move there’s a good chance you wouldn’t have even known he took it. So who else has it? Bet you have no idea. So well done; you’ve probably put your own citizens at risk.

But let’s ignore that distinct likelihood for a moment, and concentrate on the aftermath of Snowden’s revelations.

One must have standards

If the first tranche of those revelations will hit the U.S. web services and cloud economy hard — estimates vary as to how hard, and only time will tell – then the crypto scandal is going to do the same to the U.S. security industry. In fact, it’s probably going to hurt more. Most people have too much invested in American web services to pull out on short notice; it’s relatively trivial in many cases to switch security services.

Of course, the implications aren’t only glum for U.S. firms. There are enough hints in your leaked documents to suggest that you got to some foreign firms too. And as you seem to have influenced the standards-setting process (sometimes cack-handedly) the global security industry must now think about starting from scratch.

Sadly for you, this time round your influence will be vastly diminished: it’s going to be much harder to insert your demands into the finished product. As far as the rest of the world is concerned, the forum provided by the U.S. National Institute of Standards and Technology will now carry less weight. And because the security industry will now shift to open source – there is no other option if the new standards are to be trusted – installing hidden backdoors will be nearly impossible.

But what’s really going to hurt is the U.S.’s slow loss of control over the internet itself. As crypto guru Bruce Schneier wrote on Thursday:

“I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

“Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country’s internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can’t be dominated or abused by any one country.”

Just because the U.S. invented the internet doesn’t mean it gets to maintain the level of control it now exercises forever. Particularly when you’ve now forced everyone to think about re-engineering it.

Oh, and by the way, whether or not you do succeed in cracking the encryption protecting 4G communications by the end of this financial year, as you have predicted, you can probably expect U.S. influence in international telecommunications standards-setting to take a knock too.

So in summary, you’ve blown it – and not just for yourselves. Good luck readjusting in the coming years!

Yours etc,

David


  1. erm, the US didn’t invent the internet (neither did Al Gore). Other than that, great letter!

    1. Well, if you see the internet as we know it as starting with ARPANET, then it did, surely?

      1. Lots of great names here, most of them Americans http://en.wikipedia.org/wiki/List_of_Internet_pioneers. I don’t think there was much flag-waving in those days though. International pioneers like Louis Pouzin and Donald Davies were happy to share their work globally, as were great Americans like Jon Postel and Vint Cerf.

    2. But Al Gore was part of the Clinton/Gore administration that was a proponent of the push for the Clipper Chip in the 1990s which it backed away from … but as Bruce stated, the government has broken its social contract with its citizens which dates back to the Clipper Chip. How much do you now trust Apple, Inc, given Gore has had a Board of Directors seat for some time? Will Apple be providing the NSA with a backdoor for all things related to security around the forthcoming fingerprint sensor on the next iPhone? Tim Cook hasn’t ever heard of PRISM yet Al Gore is on his BOD? Yeah right!

    3. Really? Who did, then? Or do you not want to say because people may be able to definitively say you are incorrect?

    4. Al Gore never said he invented the internet. That is idiotic hyperbole that his detractors use in an attempt to make fun of him. He did work through legislation to help give rise to the internet. The US actually did invent the internet. The internet’s backbone was built onto ARPANET. We also own all of the TLDs for the web. It is arguable whether or not that is a good thing.

  2. Good job, David!!!

  3. If reading my mundane mails and looking at who I call helps them prevent some terrorist from flying an airplane into a building, read away!

    1. That plastic education gave you a great understanding of obedience, erm, law and order.

    2. I think you are forgetting about the secrets you need to keep secret – your cash card pin, 401K access codes, etc. I could go on about all the important secrets that everyone needs to keep but let’s start with access to your money.

    3. This isn’t all that difficult to think through … Imagine you are a politician or important business leader. Also imagine that you have some proclivities that you would prefer are not publicly known … say a mistress. Now imagine that the NSA, or someone else with access to these databases, wants you to do something … like say give them access to your internet trunk lines or help pass a law increasing surveillance, or granting additional spectrum licenses … whatever. Would a threat of disclosure change your behavior? If your answer is yes, then this is a big deal … simple.

  4. It would be extremely naive for anyone to think and assume that any of this is going to hamper NSA’s ability to get in making loopholes in new communication devices and network and encryption standards.

    They have the money, willingness, covertness, smartness and above all, ruthlessness to get all this done, time and time again.

    The only real alternative is for each country to develop its own manufacturing companies and standards and invest as heavily in R&D, as they would on their armed forces.

    1. I completely agree. Have a mobile phone?, credit card?, commuter card?, toll pass?, use the internet?, Facebook? LinkedIn? While it might sound like tin-foil-hat territory, Big Data = Big Brothers … not one, but many. It will be very interesting to see how all of this shakes out … hopefully competition between multiple Big Brothers will keep them all in check to some degree … but collusion has been known to happen.

      Imagine if Anthony Weiner was targeted for surveillance by his telco due to his stance about some proposed telco legislation and that is how his sexting was discovered … wouldn’t that be interesting. Not saying it happened, but could it have?

    2. It would be much more naive to assume that all cryptography and cryptographic systems are equally vulnerable to attack by the government. If you have your files protected by a 52 character symbolic key, no one without a quantum computer is getting it (except after you have opened it). If you lock people out or self-destruct data after three tries, even that isn’t cutting it. The main danger is in transit, but I think the above examples show that government agency is not equal to omnipotent cryptanalyst, unless you also believe that Obama is a ten-foot alien lizard.

  5. Dennis D. McDonald Friday, September 6, 2013

    On a positive note then we can say that Snowden by his ability to do what he did has revealed a major security flaw in the NSA’s approach and that NSA efforts were possibly compromised long before Snowden’s actions. Doesn’t it then make sense that NSA should now reveal what it knows about what other countries are doing — not only Russia and China but what our “friends” are doing as they gleefully moth promote anti-USA-technology marketing messages?

  6. I’d like to see our reaction if it was China or North Korea, or Russia or Canada or Belize that was doing this. No big deal right?

  7. You still have Intel, Qualcomm, ARM, Cisco and many smaller players able to open doors. Just the mentioned players cover just about everything and you don’t see any of them denying any and all collaborations with security agencies, that in itself is alarming. It is a great marketing opportunity to distance yourself from this mess, yet nobody is doing it.
    It’s also funny how if a person is in a foreign country he/she are subject to the local laws, if his packets are in a foreign country his traffic is not subject to local laws and they can be abused in any way.
    A digital aggression against billions of people should be a matter for the ICC; it is a crime against humanity and due to its scale the biggest in history in fact.

    1. right, in addition to ‘open computer’ the world needs to create an ‘open CPU’ (hello patent laws) and build it on some ‘open’ factory in an ‘open’ country. it is so sad…

  8. Jacques Cousteau Friday, September 6, 2013

    Very well put!

  9. Very well said.

    What you said about US web services and cloud economy is very true. Turning away from US based solutions will be a slow but steady process here in Europe. When looking for new software solutions, software that uses European servers will be preferred in the future. The damage has been done and it looks like nobody in the US gov cares about its consequences.

  10. Dear NSA.

    Congrats. Your greed has now destroyed the US IT and web industry. Thanks to your paranoia, now everyone on the planet will think long and hard before buying an IT product or service from any US company. The fact that you have subverted the legal system and prevented our companies from even telling their customers that the products have been compromised is the icing on the cake.

    On the other hand, you have now inspired others around the world to work hard to create better, uncompromised, products that they will soon be selling.

    Good work, NSA, Good work. You have managed to do more damage to the US than bin Laden could ever dream of.

    1. I agree completely. I am really surprised that this has not been discussed as much as it should.

      The NSA actions have started a slow but certain decline of the US tech/web/internet industries and influence. Just as an example, I have friends who are professionals and are bound by codes of ethics to protect their clients’ data to the best of their abilities. Well, many of them have begun to move their businesses from US based companies. You could say that no services are truly and completely safe, but knowing that the US government might be able to access your data is enough to force them legally to act and find an alternative.

    2. This.

      We played (with the help of our own NSA) right into their hands (the terrorists).

      1. This is such an important point. I worked for many years on electronic medical records systems. Secure storage and transmission of data is both an ethical and a *legal* requirement in this area. Encryption of records is one of the hallmarks of HIPAA compliance. How is it possible now to be HIPAA compliant when some/many/most/all commercial encryption products are compromised? (Not to mention routers, firewalls, operating systems, etc.) We are way too far down the road towards a coordinated national electronic medical records regime to stop, but the whole effort is predicated on trust in the integrity of various technologies that the NSA has in fact compromised. I think the fallout is going to be really, really ugly as people realize that their systems are actually not compliant with some of the ethical-legal standards they are required to follow.
