Fire Your Congressperson
One of the recent bombshells regarding the documents leaked by Snowden is that the NSA had basically subverted large swaths of the Internet. Some important bits:
- A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made “vast amounts” of data collected through internet cable taps newly “exploitable”.
- The NSA spends $250m a year on a program which, among other goals, works with technology companies to “covertly influence” their product designs.
- The secrecy of their capabilities against encryption is closely guarded, with analysts warned: “Do not ask about or speculate on sources or methods.”
- The NSA describes strong decryption programs as the “price of admission for the US to maintain unrestricted access to and use of cyberspace”.
- A GCHQ team has been working to develop ways into encrypted traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.
I need to be clear about this. This is irresponsible behavior on an incredible scale. This needs to be stopped. The potential for abuse by governments is enormous… but even if you trust the U.S. government you need to understand that the NSA is engineering weaknesses into the software that you use, every day, to enable them to possibly, maybe, someday, listen in on some bad actor’s communications.
They do this at the cost of fundamentally weakening that software's security, in a way that can be exploited by other governments or by individuals.
If you put a back door in BitLocker, it's only secret until somebody finds out about it. And as good as the NSA is, there are people with software skills, engineering chops, logic analyzers, and lots of spare time on their hands who have a very large incentive to find these weaknesses, and a deliberately planted weakness is just as usable to them as one the NSA alone knows about.
Technical people see them all the time. I'm on the security announce list for four major operating systems and numerous distributions, and there are security vulnerabilities announced every week. They've been announcing them for years.
It's almost a statistical certainty that some of those disclosed bugs weren't mistakes, but deliberate attempts to engineer weaknesses into important pieces of software. Responding to them has likely cost the information technology sector hundreds of millions of dollars' worth of work-hours: take down working systems, patch them (probably, in many cases, with software that has a new exploit in it), and put them back on the network.
I posted voting records about the Patriot Act and the NSA warrantless wiretapping program back at my old blog for years. As I mentioned before, here at the League, I’ve been following the story of the U.S. government’s sustained attack on the Internet’s security for a decade now. A lot of it has been speculation.
We now know that the speculation wasn't even the worst case. As Matthew Green said in his blog post:
All of this is a long way of saying that I was totally unprepared for today’s bombshell revelations describing the NSA’s efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it’s true on a scale I couldn’t even imagine. I’m no longer the crank. I wasn’t even close to cranky enough.
I was crankier than Matt, and I *still* wasn’t cranky enough.
This is important. This is more likely to affect you – to already have affected you! – than you realize.