Passive Security Community Has Come Out of its Shell

Security people have taken a stand against NSA surveillance and the subversion of key technologies.

Security people like to call themselves a community, but until June some might say its greatest community achievement was turning Twitter into its own private and contentious echo chamber.

But since the Snowden leaks, there’s been a palpable change and a marked swell in stand-taking. Tweeters have become activists. Companies have shut down services, or shut their doors. People are mad and, to risk a cliché, don’t want to take it anymore.

Words such as transparency are part of the security lexicon, and the long-neglected and apparently subverted protocols, algorithms and standards supporting encryption technologies are no longer skeletons in the closet.

The NSA has done Americans—and “non-Americans”—wrong by collecting the metadata from our phone calls, tapping data center fiber links to monitor our Google searches and email messages, and trampling all over the First Amendment in the name of national security.

And in the process, they’ve stepped on the toes of the security community. They’ve also trampled into your backyard by crippling NIST standards development from the get-go, legally or otherwise coercing companies into giving up encryption keys, and hinting that they can hack their way into companies to steal them if necessary.

The response has been admirable. Google, Facebook, Microsoft, Twitter, LinkedIn and others have all petitioned the government to allow those foundational Internet companies to be more forthcoming about the national security requests for customer data they receive. By law they’re not allowed to provide specific data about National Security Letters, but they’re arguing to the highest courts that they should be able to, if for no other reason than to demonstrate that they’re not complicit with the NSA or FBI in providing user data without a warrant.

Other technology companies, including security firms such as Lavabit and Silent Circle, have made their own stands. Lavabit, allegedly Edward Snowden’s secure email provider, shut its doors overnight after being forced to turn over the SSL keys for its service. Silent Circle, seeing the writing on the wall, did the same with its Silent Mail service.

And then you have grassroots movements such as the TrueCrypt audit, which raised more money than it anticipated in order to look at oddities in the Windows binaries of the popular open source encryption product. It just might keep the movement going to peer inside other ubiquitous open source security software.

“One of the lasting impacts of the Summer of Snowden is that it’s radicalized members of the security community,” Chris Soghoian told Threatpost last month. “Some of these systems, we’ve long known weren’t good, but no one was incentivized to do something. Now they’re asking tough questions and realizing that [the government saying] ‘Just trust us,’ doesn’t work. It’s funny watching peers who are more conservative and scientists who believe their only job is to publish papers—it’s funny watching them become active too.”

But is it helping? Are you tweeters-turned-activists just spitting into the wind?

Every time NSA Director Gen. Keith Alexander or Director of National Intelligence James Clapper sits before a Congressional committee to explain the agency’s surveillance activities, they’re quick to point out there is a legal basis for this activity. And by the letter of the law, they’re probably correct. There’s always a loophole. There’s always a crack to slither through unscathed. There’s always a way—and there’s certainly a will.

And not only are lawyers working against you, but so are powerful lobbies and perhaps misinformed lawmakers. For every USA FREEDOM Act that’s submitted for consideration, you have something such as the FISA Improvements Bill from Sen. Dianne Feinstein, the powerful chair of the Senate Intelligence Committee, who supports NSA surveillance. While the Feinstein bill contemplates ratcheting back some of the NSA’s surveillance powers, it tacitly approves of metadata collection, for example, and would allow it to continue. This contrasts with the FREEDOM Act, which calls for the immediate and permanent suspension of bulk data collection.

NSA reform will be difficult to come by, rest assured of that. It’s probably fair to say most Americans still stand by that old chestnut that “I have nothing to hide, so what do I care if they monitor what I’m doing.” But the security community—yes, you’ve become a community—knows better. There’s finally a call to action that has awakened passion in people who suddenly understand why it’s important to stand up and try to make a difference.

Image courtesy of Fibonacci Blue.