I don’t have to tell you that this isn’t the sort of “roundup” where you get to go, “Yipee-i-o-kyaaay!” It’s the sort where you go, “OMG, what will we learn next about these creeping, peeping totalitarians?”
Some of the newest nooz:
Got a smartphone? NSA can get your data. Not yet a mega-scooping data project; they have to really want your particular data to get it. Mega-scooping? That comes next year, no doubt.
And when it comes it’ll be with the help of “Mr. Civil Rights” Obama himself. Seems two years ago the secret court, responding to a secret request, made another of its secret judgments removing various restrictions that formerly pretended to hold the NSA in check.
—–
I love what Bruce Schneier said in his call to action to his fellow engineers. Under the headline “The US government has betrayed the internet. We need to take it back” he states (oh so correctly) that it’s up to the engineers to fix this mess and up to insider-engineers to blow the whistle on the UberGov’s dirty dealings. He concludes:
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don’t only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.
Dismantling the surveillance state won’t be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we’re going to be breaking new ground.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We’ve had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
Schneier also offers a few ways to stay safe. Well, safer, anyhow.
And fortunately, engineers and scientists are already at work on some fascinating stuff — even if at this point some of it is pretty science-fictional.
—–
I don’t in the least like the email I got from an acquaintance of mine. He wrote:
I posted the news about the NSA cracking common Internet encryption to a financial forum I’m on. This forum is full of people who rely on SSL (HTTPS) encryption for the security of virtually everything they do in the financial world. I expected a big discussion.
Not one person responded. Not one. We’re doomed.
This accords with what I’ve been noticing since that NSA shoe dropped. In the media, it’s all-Syria all the time (or Lamar Odom and his crack habit, depending on which level of media you heed). There’s next to nothing about this monumental threat to our financial security and personal privacy.
Okay, maybe only geeks understand the details. But don’t people see the ramifications?
Syria? A typical drum-beating diversion. “Hey, look! Over here! Blood! Bombs! Kill! Kill!”
Still, I don’t believe we’re doomed. I hope at least some of this is true.
—–
Speaking of geeks, I owe hat tips to several for finding some of the links for this post. You’ll find them still having a lively discussion on Friday’s “Other shoe drops” post.
One comment in particular would make me laugh if it didn’t make me cry. I was indignant because the NSA, in the latest Snowden docs to hit the presses, called every user of encryption (including, say, ordinary bank customers) “adversaries.” I didn’t know, but Chris pointed out, that in cryptography, the word “adversary” is a term of art with a very specific, limited meaning.
A meaning that happens not to describe encryption users at all. A meaning that nails the NSA right on its ugly little head.
So, since it’s obvious to any honest person that, in that sense the NSA is clearly the adversary, not us, this seems a good moment to remind ourselves of yet another definition of adversary. As Mark Call commented:
Funny the Nazi Stasi Army would call everyone ELSE ‘the Adversary’ – ’cause THAT term is usually reserved for, well, THE Adversary. THE Bad Guy — Ole Scratch, HaSatan, Lucifer, Beelzebub, Molech, and so on – the one Judas went to spend some quality time with, perhaps.
There’s more irony in that than meets the eye…
Yup. That definition fits the NSA pretty darned well, also.
—–
Now we’re in desperate need of an antidote to all this systemic poison. CUTE DOGGIES. And there they are, courtesy of Mama Liberty.

[Seems two years ago the secret court, responding to a secret request, made another of its secret judgments removing various restrictions that formerly pretended to hold the NSA in check.]
Claire, that’s putting it perfectly. Unfortunately Bruce Schneier sounds a bit naive:
“…the NSA has undermined a fundamental social contract…. we need to demand transparency, oversight, and accountability from our governments and corporations.”
There is of course no social contract, and good luck Bruce with those demands – at best they will cause govt to redouble efforts concealing their crimes. But he’s right, engineers do have some say in this, and can resist. I know, I’ve done it.
We need to not panic. This is government we are talking about – the same agency that gets everything wrong, and is best known as a way of flushing vast sums of money down the toilet for no good reason.
You’d better believe the open source guys are taking another look at their code due to these revelations. I’ll wager OpenBSD is getting a lot of traffic on their website lately, even if Linus Torvalds once called them “a bunch of masturbating monkeys”.
More signs of hope: http://www.businessinsider.com/keith-alexanders-sidekick-james-heath-2013-9
Mad scientists and evil geniuses always trip themselves up in the end. Now imagine an evil genius combined with a government bureaucracy …
[I posted the news about the NSA cracking common Internet encryption to a financial forum I’m on. This forum is full of people who rely on SSL (HTTPS) encryption for the security of virtually everything they do in the financial world. I expected a big discussion.
Not one person responded. Not one. We’re doomed.]
I’d guess most folks in the financial industry would say they don’t have any skin left in the privacy game. Given how tightly they’re regulated and the pervasive reporting they’re required to implement, the government already knows more about their dealings than it could learn by monitoring communications.
> Nazi Stasi Army
Umm, wasn’t the Stasi the East German secret police, post WW2?
http://en.wikipedia.org/wiki/Stasi
Yeah, so although they certainly used “Gestapo” tactics, the Stasi weren’t technically Nazi.
Let’s split hairs!
Bob Robertson — Can’t speak for Mark Call, but I’m pretty sure he was just in search of a clever acronym. And gotta admit, Nazi Stasi Army is a way more accurate description than National Security Agency. (Yeah, guys, rip security away from the entire Internet and help the world hate us; that’s surely the best way to get “national security.”)
Anyhow … Nazis, Communists … dime’s worth of difference? Okay, maybe a split hair’s worth of difference … 😉
In the interest of knowing who we’re up against, I highly recommend the entire Foreign Policy article about Keith Alexander:
http://www.foreignpolicy.com/articles/2013/09/08/the_cowboy_of_the_nsa_keith_alexander?page=0,0
As a by-God Texan, I am honor-bound to point out that cowboys don’t do what this guy does, and wouldn’t consider it, and would like as not shoot you if you suggested it.
LarryA — It wasn’t clear from my post (sorry). But my friend was actually talking about customers of financial services, not the companies. The people who didn’t bother to reply are ordinary people who are at risk of losing (or have already lost) the integrity of all their credit card, investment, and banking security. Yet they don’t seem to care.
Scott — DEE-freakin-SCUSTING!
And isn’t it odd how nobody ever, ever explains how creating a bigger haystack helps anybody find the needle?
If Alexander really is as naive and childish (Star Trek command room!) as he comes across, then he may be more like Marie Antoinette than Megamind or Lex Luthor. But that makes him even more dangerous.
My biggest takeaway from this, other than the monumental scope of violations of privacy, liberty, etc., is just how massively it’s fucked up electronic security in general. The cost / time / effort involved in fixing this is huge. And, to some extent, I don’t know whether it will happen. Consider that for a lot of the traffic most people will really care about having encrypted, the destinations — banks, for example — will be under the govt’s thumb to keep using whatever broken protocols are currently in use. And I won’t hold my breath for Micro$oft and Apple to jump right on the task of cleaning up the holes either.
As a side note, I’ve read, here and there, in the past, about what a massive pile of suck IPsec is. Now I know why.
I have not looked into any of the available VPN offerings out there, but if I were, I’d be very curious whether they’re using IPsec tunnel mode.
But my friend was actually talking about customers of financial services, not the companies.
Ah.
However, the customers’ transactions are what many of those company reports give the government information about.
Make a few large-but-not-$10,000 deposits in your account and see if the IRS isn’t looking at you funny.
I wrote this article:
http://strike-the-root.com/appeal-to-nsa-engineers
I was looking around for information about IPsec and found the prior fiasco about FBI back doors. Most people (including Bruce Schneier) seem to have come to the conclusion it was more trolling than truth.
http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd
http://obfuscurity.com/2010/12/Deconstructing-the-OpenBSD-IPsec-Rumors
But that is different than the current questions, I’m guessing.
I haven’t seen the IPsec spec, but I worked extensively with the Fibre Channel spec and agree these modern specs can turn into massive lawyerly compilations. Not like the old days of (for example) the DEC Unibus, where a small booklet and a few timing diagrams sufficed.
Interesting idea published in the Guardian; “How to foil NSA sabotage: use a dead man’s switch”
http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch
Seems kind of simple, but not effective if they are not notifying the owner of their snooping.
It isn’t just old backdoors. Irrespective of that, what I’ve heard from admins is that IPsec just sucks. Don’t know the specifics — just a general “stay away if you can” mentality.
Unibus! Most of my DEC hardware bashing was done on Q-Bus. But I did fiddle with a PDP 11/84 some. I guess some of the VAXen were Q-bus — Micro-Vax I think was. I think I have a PDP-11 Architecture handbook in a box someplace. I have the (dubious?) distinction of being able to put young whippersnappers in their place by mentioning configuring hardware with wire wraps. I used to be pretty sharp on DECnet. And I think it’d be cool to run RSX-11M+ in a VM on my PC.
Hey Jed, I might have you beat. I started working on computers back in – wait for it – 1969! 🙂 I was a repairman for the Marine Tactical Data System, kind of a truck-based AWACS. Most of that machine was logic built with transistors, resistors and diodes, heh.
Yeah I did a lot with Unibus and Vax and PDP-11s and RT-11 and RSX-11, not so much with Qbus. Also Data General Novas, some of which had only 4k of core memory (little magnetized donuts I think!). I still have a wire-wrap tool in the attic somewhere, and an O-scope and logic analyzer sitting in the basement.
I think time has passed me by…
Alan, that article was clever, but somehow I don’t think we will get anywhere with these legalistic tricks. Fighting in the courts is equivalent to fighting on the enemy’s chosen ground. People need to start revealing to the world when the FBI has messed with them, whether there is a gag order or not. War is coming; we might as well get used to the idea.
Yeah, Paul, I knew you were older than I. 😉
Nope, I haven’t messed with RTL or TTL stuff. Well, I do have an Arduino, so there’s some stuff like that, depending on what you’re building.
Most primitive thing I worked on was an IBM 360 in programming classes.