When the government is caught with their hand proverbially in the cookie jar – violating no less than the Constitution – you’d expect a platitude about what will be done to fix the situation, a kind of bureaucratic “mea culpa” if you will.
Sadly, the US government has not provided a coherent and rational explanation as to why its covert intelligence agency was spying on the telephone calls and internet data of millions of perfectly law-abiding Americans, and let us not forget the “Five Eyes” and the violations against the citizens of a plethora of other nations.
Nope. We are told only that it is “us” – the IT security professionals, the journalists, the whistleblowers – who are at fault, or perhaps even a little misguided. The White House spin may even paint us as unpatriotic when the reverse is clearly the case. The official response has been one of confusion (“did we do that? I don’t have that information? Oh, that’s classified.”), minimization (“we are only collecting metadata”) and even flat-out ridicule of those of us who would dare question a government that has effectively gone rogue and turned its spying apparatus on its people.
We must stop being naive and begin treating the Internet as an insecure place where all our data may be intercepted without our knowledge and kept for an indeterminate amount of time (and perhaps used to populate some kind of database on who you are based on your search habits, time of use, email contacts, etc.). This means that we need to get wise and stop using the Internet for tasks that we wouldn’t want our neighbors or business competitors to see.
Encryption is the key to solving this problem, as it is clear that any political due process would be ineffective. But when major software companies are in bed with the US government, how can we even trust our operating system, let alone our mail client, crypto software, etc.? Open source software projects have not been immune to subversion, although the availability of source code for scrutiny serves as a disincentive for obvious modification (assuming people actually compile the software rather than download a binary; it is also worth mentioning the potential for an evil compiler, aka a Thompson attack). The waters get murkier when we start looking at the potential for “bad” hardware. That RAID controller has DMA access and a nice little embedded OS of its own – imagine what it could do.
There are no clear answers here, unfortunately, just more questions as the paranoia and distrust reach higher and higher levels.
At a minimum we should be avoiding closed source operating systems and open source OS distributions with a commercial agenda. None of us can audit the entire kernel of, say, Linux or FreeBSD, so ultimately you have got to trust something. But you can build rings around your kingdom, so to speak, and take a mutually distrustful approach to engineering any solution.
The problems with encryption are multilevel, and the average web surfing mortal for whom ICT is not their normal line of work is going to struggle.
And let's be honest, if web browser code cutters are anything to go by, app coders are going to go out of their way to ensure crypto never becomes usable or reliable even for themselves, let alone anyone else who has the misfortune to use their products.
We know the CA architecture is broken beyond use, let alone reliability or security, and in those twenty years nobody has put anything resembling serious effort into resolving the issue.
But it’s not just the apps that are broken beyond redemption, it’s many of the protocols and standards as well. For well over fifty years the supposed “trade representatives” of the Five Eye nations have in fact been the tools, witting or otherwise, of the Intel organisations of those countries. They propose and vote for methods to be put into standards that in one way or another weaken the security of the system they are for and in the same measure weaken the privacy of those who use the systems beyond anything most would consider reasonable.
But worse, as seen in NZ, such intel orgs actually consider themselves above the elected governments because they feel that not just the politicos but those that vote for them cannot be trusted in any way, shape or form.
And those at the top of these intel orgs know that with a few nudges and old boy network contacts they will leave to join the boards of various companies to get 8000USD/hour or higher dispensing “wisdom”. The reality is they have effectively been on the take for years beforehand, ensuring the right companies etc. get the contracts that will pay for their retirement positions…
The power of such arrangements will ensure that just about every closed source app of any note will get “fixed” in some way favorable to the intel orgs. If the company is small and not playing ball they will either get an offer they cannot refuse from a major player that is compliant or, if that fails, a similar offer from a judge that might well be preceded by a SWATting of the person's home and family (as has already been seen). And big companies that won’t play will get hit with “insider trading” or similar.
Cleaning out this embedded corruption will be difficult, and if too many people start practicing OpSec that works before this then you can be reasonably sure that legislation will come along to prevent it, such is the nature of the beast.
So first we need –as good horror stories tell us– strong sunlight and silver bullets to bring them down.
Absolutely, Clive. I always appreciate your experience and insight.