Throughout the past few weeks we have seen numerous disclosures from former NSA contractor Edward Snowden regarding the massive surveillance apparatus that the United States government has brought to bear against civilians, foreign governments and even corporations. We have also heard allegations that the NSA has deliberately weakened open cryptographic standards. Perhaps the most worrying piece of information to come out of these disclosures is the program to systematically infect hardware.
The network appliances that route the majority of Internet traffic run closed-source embedded operating systems like Cisco's IOS. If I were a government-level adversary I would start with the switching fabric and the routers rather than waste my time on the end points, especially considering we are now aware that through NSLs they were able to compel organizations to secretly disclose their SSL private keys and enable surveillance. (As an aside, the government seems to have angered Google, or at least affected their bottom line, as they are now speaking of implementing PFS. With forward secrecy the session key is derived from ephemeral values rather than wrapped with the server's long-term key, so handing over that key no longer lets an eavesdropper decrypt sessions it has already recorded.)
If we go further, can we really trust any hardware? Certainly not hardware produced from, say, 2000 onwards. I don't state that as some magic number or some line in the sand. Rather, it is an educated guess based on both the political climate (things didn't start getting super crazy until post-9/11) and the technological capabilities at the time. Perhaps we are dead wrong in this regard too. After all, they have been trying to destroy civilian privacy online for about as long as the Internet has been accessible to the average Joe. Everyone no doubt remembers the Clipper chip of the 1990s. Well, the NSA clearly realized that key escrow just wasn't going to stand up to public scrutiny. I wonder how the boffins within the US intelligence community will justify their promotions given the fallout from the Snowden saga?
No doubt many US-based IT companies will be reassessing whether it is appropriate for them to continue conducting their business from within the United States or whether a move overseas may better suit them operationally. The damage that this could do to the IT industry in the US is immeasurable. While many in the industry are in damage control, some (like Lavabit and, today, CryptoSeal Privacy) are shutting up shop, refusing to supply the public with a product that they may be forced (via a secret FISA court hearing or an NSL) to backdoor or otherwise modify to bypass the very anonymizing features the customer is paying good money for. This is a very bad time for the US's image abroad, and it is all of the government's own making.