The Sky is Not Falling–It’s Fallen

It’s no fun being a cynic, thinking that everything is bad and getting worse. It’s easy–especially in the security community–but it’s not fun. But, in light of the latest in the interminable string of revelations about the NSA’s efforts to eat away at the foundation of the security industry, the only alternative available is the equivalent of believing in unicorn-riding leprechauns.

It’s no fun being a cynic, thinking that everything is bad and getting worse. It’s easy–especially in the security community–but it’s not fun. But, in light of the latest in the interminable string of revelations about the NSA’s efforts to eat away at the foundation of the security industry, the only alternative available is the equivalent of believing in unicorn-riding leprechauns.

The security community didn’t invent the concept of fear, uncertainty and doubt, but it has perfected it and raised it to the level of religion. It’s the way that security products are marketed and sold, but it’s also the way that the intelligence community justifies its extra-legal and, in some cases, unconstitutional, data-gathering practices. Just as vendors use the specter of catastrophic hacks, data loss and public embarrassment to push their wares, the NSA and its allies have used the dark shadow of 9/11 and global terrorism to justify their increasingly aggressive practices, some of which have now been shown to have deliberately weakened some of the fundamental building blocks of security.

The most damning bit of string in this ball is the news that the NSA likely inserted a back door into a key cryptographic algorithm known as DUAL EC DRBG. That’s bad. What’s worse is that RSA on Thursday sent a warning to its developer customers warning them to immediately stop using the random number generator and select a new one when using the company’s BSAFE crypto libraries.

While this is the most recent, and probably the worst, piece in all of this, the steady accumulation of evidence over the last three months makes it difficult to come to any conclusion other than this: nothing can be trusted.

More to the point, we don’t know whether anything can be trusted. And that’s actually far worse than knowing that products X, Y and Z are compromised. If you know that, you can avoid those products. But now that we have direct evidence that the NSA is in fact actively working to undermine certain cryptographic protocols and partnering with technology vendors to produce certified pre-owned software and hardware, the big question is, what’s not broken?

Unfortunately, the answer is, we just don’t know.

In a much simpler and less cynical time–say, May–we thought that our intelligence agencies were in the business of spying on our enemies. Then came the first Edward Snowden leaks, and we discovered that the NSA was collecting all of our phone records. You know, just in case. Then we hear that the agency also vacuuming up much of the Internet traffic flowing through U.S. pipes because BOO! terrorism. But we still have encryption. As long as we can encrypt our email and Internet traffic, we’re safe from snooping, right? Oops. Turns out the NSA is in that henhouse too, working to weaken standards and crypto algorithms and also has some capabilities to circumvent things such as SSL.

And now, into this environment of accusation and innuendo comes the news that the attack on Belgian telco Belgacom revealed earlier this week reportedly was the work of the British spy agency GCHQ. The connection to NSA? GCHQ apparently used exploit technology developed by the NSA.

And on and on and on.

So we’ve come to the point now where the most paranoid and conspiracy minded among us are the reasonable ones. Now the crazy ones are the people saying that it’s not as bad as you think, calm down, the sky isn’t falling. In one sense, they’re right. The sky isn’t falling. It’s already fallen.

Image from Flickr photos of David Sedlmayer

Suggested articles

Black Hat and DEF CON Roundup

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.