Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Wednesday, 11 September 2013
Privacy is Dead. The NSA Killed it. Now What?
The NSA sees and knows everything we do online, it seems, and each time we adjust to the latest loss of privacy, the next revelation leaves us gasping again. Edward Snowden's exfiltrated NSA documents first pointed to PRISM, a program that was designed to capture information about terrorist communication but that clearly overstepped into monitoring innocent citizens. Pretty bad, huh?
But really, we thought, with such an absolute ocean of information, they couldn't really find anything about one single person... could they? It turns out that the XKeyScore tools lets analysts sift and sieve telecommunications data to find anybody, or anything, they want. And it doesn't stop there.
Secure Communication?
The simple urge to communicate privately is not in itself any evidence of wrongdoing (though some might argue otherwise). If you really, really want to communicate both electronically and securely, you'll need to use a very special service, like Lavabit, the service used by Edward Snowden and many others in the security community.
Alas, Lavabit is no more. Its owner abruptly shut down the service and destroyed its infrastructure. It's assumed that this was a response to a government demand for access; since such demands come with a gag order the owner couldn't offer details. A similar service offered by Silent Circle self-destructed shortly thereafter.
In terms of providing secure communication, these two services must have been doing something right... If you do seek a truly secure email service, you'll want to choose one that has no exposure in the U.S.
Encryption Isn't the Answer
The NSA has vast computational resources, good enough to break many cryptographic systems using brute force attacks or other computation-based attacks. However, it turns out they don't need to expend that kind of effort, due to some devious planning ahead. A project code-named BullRun with over ten times PRISM's budget has worked for years to ensure the NSA a back door into popular cryptographic systems, according to a report from The Guardian.
John Gilmore, a founder of the Electronic Frontier Foundation and (according to BoingBoing's Cory Doctorow) a "cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero," reported in detail about the NSA's sabotage of the Internet Protocol Security (IPsec).
According to Gilmore's post, NSA agents explicitly lied to other members of security working groups and deliberately promoted an insecure IPsec standard. "To this day, no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols," said Gilmore. "This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones."
It's not clear exactly how far the NSA's subversion of popular crypto systems extends; we only know what's been revealed to date. And hey, you might think, maybe it's OK; they are the good guys, right? Well, perhaps. But when a cryptography algorithm or other security system has a back door built into it, you can guarantee the bad guys will find their way in.
Gilmore's account of the NSA's IPsec sabotage pointed out that they deliberately made it too complex for proper analysis; a promised simplification never happened. In practical fact, keeping the details of a security system secret or obscuring the details with complexity isn't effective. Open source cryptographic algorithms are subject to scrutiny from a world of experts, so in theory any flaw, weakness, or back door will be exposed... eventually.
Rock the Vote
It's clear that agencies of our government can monitor all of us in general, looking for trends, and can winkle out specific secrets beyond any individual's ability to hide. All I can think is, at least we're nominally a democracy. The stated aim of this surveillance is to head off the possibility of another horrific terror attack, not to actively invade the privacy of citizens. And yet, that could change. The giant corporations that exercise so much political power would surely love to get a handle on the NSA's technology, for example.
There's nothing you or I can do to put the genie back in the bottle. Universal electronic surveillance is here to stay, and we haven't seen everything yet. The best we can hope for is to keep the government in check by electing sane, sensible candidates. I know, I know, the fact that they want political office isn't a good indicator of mental stability, but make the best choice you can. And when someone like Edward Snowden lifts the curtain to let us know what's really going on, consider the possibility that he deserves our thanks.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment