It’s no fun being a cynic, thinking that everything is bad and getting worse. It’s easy–especially in the security community–but it’s not fun. But, in light of the latest in the interminable string of revelations about the NSA’s efforts to eat away at the foundation of the security industry, the only alternative available is the equivalent of believing in unicorn-riding leprechauns.

The security community didn’t invent the concept of fear, uncertainty and doubt, but it has perfected it and raised it to the level of religion. It’s the way that security products are marketed and sold, but it’s also the way that the intelligence community justifies its extra-legal and, in some cases, unconstitutional, data-gathering practices. Just as vendors use the specter of catastrophic hacks, data loss and public embarrassment to push their wares, the NSA and its allies have used the dark shadow of 9/11 and global terrorism to justify their increasingly aggressive practices, some of which have now been shown to have deliberately weakened some of the fundamental building blocks of security.

The most damning bit of string in this ball is the news that the NSA likely inserted a back door into a key cryptographic algorithm known as DUAL EC DRBG. That’s bad. What’s worse is that RSA on Thursday sent a warning to its developer customers warning them to immediately stop using the random number generator and select a new one when using the company’s BSAFE crypto libraries.

While this is the most recent, and probably the worst, piece in all of this, the steady accumulation of evidence over the last three months makes it difficult to come to any conclusion other than this: nothing can be trusted.

More to the point, we don’t know whether anything can be trusted. And that’s actually far worse than knowing that products X, Y and Z are compromised. If you know that, you can avoid those products. But now that we have direct evidence that the NSA is in fact actively working to undermine certain cryptographic protocols and partnering with technology vendors to produce certified pre-owned software and hardware, the big question is, what’s not broken?

Unfortunately, the answer is, we just don’t know.

In a much simpler and less cynical time–say, May–we thought that our intelligence agencies were in the business of spying on our enemies. Then came the first Edward Snowden leaks, and we discovered that the NSA was collecting all of our phone records. You know, just in case. Then we hear that the agency also vacuuming up much of the Internet traffic flowing through U.S. pipes because BOO! terrorism. But we still have encryption. As long as we can encrypt our email and Internet traffic, we’re safe from snooping, right? Oops. Turns out the NSA is in that henhouse too, working to weaken standards and crypto algorithms and also has some capabilities to circumvent things such as SSL.

And now, into this environment of accusation and innuendo comes the news that the attack on Belgian telco Belgacom revealed earlier this week reportedly was the work of the British spy agency GCHQ. The connection to NSA? GCHQ apparently used exploit technology developed by the NSA.

And on and on and on.

So we’ve come to the point now where the most paranoid and conspiracy minded among us are the reasonable ones. Now the crazy ones are the people saying that it’s not as bad as you think, calm down, the sky isn’t falling. In one sense, they’re right. The sky isn’t falling. It’s already fallen.

Image from Flickr photos of David Sedlmayer

Categories: Cryptography, Government

Comments (10)

  1. YouKnowMeAlready

    “..difficult to come to any conclusion other than this: nothing can be trusted.” The NSA almost certainly didn’t want this outcome – the goal was to soak it all up and peel off the bad guys’ comms. Now ‘The Terrorists’ will resort to other means, while we’re left with compromised infrastructure for the Chinese, Russians and domestic competitors to exploit.

  2. Alison

    So, can you tell me this: Is there any reason to pay for security software if nothing secures my computer? Is Kaspersky saying that it can do nothing to protect my computer? What do you suggest?

  3. Dr. Hilliard Haliard

    Does any of this really matter? Google has already been reading all your email and insists that you should have no expectation of privacy with their services. Unless you’re doing something illegal, you have no problem, or at least nothing is different from the way it’s always been. I doubt the NSA is much interested in your bizarre sexual fetishes or other embarrassing things you like to do in your spare time.

  4. McCain

    If Google reads my email, it does so because I have decided to use Google’s email service. I get free email service and they get whatever information they choose to harvest from my exchanges. Furthermore, Google has obligations related to its published terms of service, etc.

    The U.S. government is reading my email because I happen to be a human and wish to communicate with other humans via computer. Furthermore, it is doing so with no terms of service — published, implied, acknowledged or otherwise.

    And while it is possible that the government may not find my sexual predilections as interesting as I find them, there remains the matter of my right to privacy.

    The greatest shock to me in this windstorm of NSA disclosures is not that the government is engaged in all these shenanigans — or even that they appear to have succeeded so thoroughly. To me the greater shock is an apparently-common view that it’s OK as long as they don’t bother me and my loved ones.

    He who sacrifices freedom for security deserves neither.

  5. elfboi

    While you cannot trust commercial security companies anymore, you can still trust free software, because with open source encryption, everybody can read the source. As long as there are enough expert eyeballs on the source, and you either build the binaries yourself or download them from a trustworthy repository, you can keep all you secrets safe.
    However, you need strong encryption and secure protocols, which means that you have to convince your partners to use the same security measures as you. Basically, you have to learn all the details about how things work, you can’t leave it to some company to provide the services for you.

    • alison

      I assume you can see my email address–gmail–and I’m learning-slowly, but surely (I hope surely comes before the blindside). Appreciate the attitude: gotta learn, gotta do for yourself. Thanks for the response.

  6. Jan

    The NSA has inserted backdoors in algorithms. Algorithms are concise and generally self-contained. Backdooring an algorithm is hard, and it is done in PUBLIC. Open source software is way less concise than an algorithm, and the attempts have have been caught (e.g. Linux kernel, November 2003) have been subtle in the extreme. There is no count of successful multi-part backdoors. There is especially no assurance that the binary code shipped by vendors contains only the source that it is derived from. A backdoor that uses “buggy” code to activate hidden CPU and chipset “features” will be almost impossible to find.

  7. Mike Yoder

    Great post, and I agree. I’m not quite as far down the path of trusting _nothing_ as you are, though.

Comments are closed.