It’s that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one through infinity times infinity. So rather than trying to rank the NSA revelations on any sort of scale, we’ve put together an admittedly simplified list of some of the more interesting NSA-related stories to emerge in 2013.
Least Surprising NSA Capability: Breaking/Subverting Crypto
A major part of the agency’s mission since its inception has been the development of cryptographic capabilities, both on the offensive and defensive sides of the fence. In this, it is the technological and logical descendant of the Black Chamber and the Office of Strategic Services, which operated nearly a century ago. Breaking and making ciphers has been a vital part of intelligence for thousands of years, and the advent of computer-based cryptography has had a profound effect on both of those functions. The NSA has been involved in the development of new protocols and cryptosystems for decades and it employs an unknown but presumably rather large cadre of cryptographers and mathematicians who also work on defeating existing systems. Suspicions, rumors and dark jokes about the agency having backdoored any number of encryption algorithms and products have been floating around the security industry for a long time, and some of the most outlandish of those conjectures have now been revealed as truth. The NSA reportedly subverted the development of a random-number generator known as Dual_EC_DRBG that is used in a number of prominent crypto products. That maneuver gave the agency secret access to the affected products and caused RSA to warn developers to use a different RNG and even prompted NIST to issue guidance telling people to avoid Dual_EC_DRBG, too. In addition, the NSA developed a number of unspecified capabilities to defeat SSL, something that is perhaps even more worrisome. As concerning as these revelations are, they shouldn’t come as much of a surprise, given the NSA’s mission, its massive budget and its highly specialized staff of scientists, cryptographers and security experts. It’s what they do, and they’re really, really good at it.
Further reading: Simon Singh’s The Code Book, Steven Levy’s Crypto.
Most Surprising NSA Capability: Defeating the Collective Security Prowess of Silicon Valley
Some of the earliest leaks to emerge from the Edward Snowden cache described a program called PRISM that granted the NSA “direct access” to networks run by Google, Yahoo, Microsoft and many other companies. That direct access was quickly interpreted to mean that those companies were giving the agency data links to their servers through which the NSA could collect traffic on targets. The affected companies quickly rose up and denied this, and only later was it revealed that “direct access” came in the form of tapping undersea cables that carry unencrypted traffic between data centers around the world. That revelation triggered an immediate response from Google, Microsoft and Yahoo, who said that they would be encrypting that traffic in the near future, and some engineers from Google also had some choice words for the NSA’s in-house hackers. In the words of Google’s Mike Hearn, “The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.”
Further reading: How we know the NSA had access to internal Google and Yahoo cloud data.
Weirdest NSA Revelation: The Fort Meade Spy Tools Wish Book
The oddest bit of information to come out of the NSA drama was saved for the end of the year. Just this past weekend, Germany’s Der Spiegel reported the existence of an internal catalog of hardware and software tools that the agency can provide. This is the Sears & Roebuck catalog of attack tools. Shoppers, who likely include internal NSA departments as well as other intelligence agencies, can buy malware for infiltrating various firewalls and routers, as well as more exotic products. “Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million,” Der Spiegel reported. Q would be jealous.
Most Interesting Quotes on the NSA Drama
“Trust the math. Encryption is your friend.” — Bruce Schneier in The Guardian
“Software is almost always broken, but standards — in theory — get read by everyone. It should be extremely difficult to weaken a standard without someone noticing.” — Matthew Green on the subversion of NIST standards
“We need to know what the hell has been going on here…There’s something totally crazy about this.” — journalist Carl Bernstein on the allegations that NSA has monitored the phones of European leaders
“That stealing your stuff thing, we did a lot of that [at the NSA]. Actually, I’d like to think we’re number one. But we stole stuff to keep you safe.” — Michael Hayden, former NSA director, speaking days before the first of the Snowden leaks emerged
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” — U.S. District Court Judge Richard J. Leon in a ruling on the NSA metadata program
“We want to demonstrate that we have a front door, that we have transparency and we take it seriously. This is a huge step forward, and there’s more we have to do in terms of pushing information to the press.” — Gen. Keith Alexander, director of the NSA
Most Interesting People to Emerge From the NSA Story: Jacob Appelbaum and Matthew Green
The cast of characters who have been involved in various pieces of the NSA theatrics is staggering, from journalists to politicians to cryptographers to world leaders to judges to systems administrators in Hawaii. Each has played a part in the drama, but the most consistently interesting and informative people involved in one way or another have been Appelbaum and Green. Appelbaum is a long-time fixture in the security community, well-known for his activism on human rights and anonymity. But as part of the analysis of the Snowden documents, he has also written some of the stories on the revelations, including as a co-author of the piece in Der Spiegel on the NSA catalog. Green, a research professor at Johns Hopkins University, has produced some of the more illuminating and thoughtful analysis of the documents, especially when it came to the technical bits involving encryption and the NSA’s capabilities against various protocols and cryptosystems. If you need to know how to think about what’s going on and what it all means, you won’t find better sources than Appelbaum and Green.
Further reading: A Few Thoughts on Cryptographic Engineering