Snowden anniversary If there’s a positive to the disclosures by ex-National Security Contractor (NSA) contractor Edward Snowden, it’s that it’s been a disaster for technology and internet firms.
Yes, a positive.
In the last year we’ve learned the NSA has backdoors placed in the hardware that makes networks, the existence of massive funnels placed in internet and phone companies’ data centers to suck up vast amounts of data, and the breaking of internet encryption.
The effect of all this should be a raising of these companies’ games and a shaking of users’ complacency in relying on “free” products and in being too accepting of what they’re given and of standard “solutions.”
Already, tech and web companies are coming back. Caught with their pants down, they are now being given the time and money to pull them back up again.
Pre-Snowden it was generally assumed the government was carrying out some sorts of surveillance against key targets and that the bright boys and girls at the National Security Agency (NSA) could subvert security systems if they really wanted to.
Schneier: how far has the NSA really gone?
There had long been rumors of backdoors in operating systems and government malware-writing teams, but very little in the way of proof.
Snowden's leaks showed not only that security weaknesses are being built into software but also that the large companies to whom we entrust our data are helping in this – and they have been criminally lax about the security of users' data within their own organizations.
The first two leaks from the Snowden files – allegations that Verizon was handing over consumer metadata on mobile calls and the existence of the PRISM program – didn’t come a as a massive surprise to many. Caspar Bowden, Microsoft's former chief privacy adviser, has been warning about this kind of stuff for years after all.
Then, in August 2013, Snowden's secure email provider Lavabit shut down its service, with its chief, Ladar Levison, saying that he wouldn't "become complicit in crimes against the American people." Shortly afterwards Silent Circle, which had been offering a similar service, followed suit.
Both companies are prohibited by law from confirming the exact reason for their shutdown, but it's down to the use of existing legislation whereby the US government can force email providers to hand over encryption keys on national security grounds. Too bad for users of this kind of system, you might think, but the problems didn’t stop there.
It was the September 2013 leak about Project Bullrun that really set the cat among the pigeons. The documents Snowden released showed that the NSA was spending $250m a year to build security weaknesses into common code and had cracked many of the encryption systems commonly used online.
Bullrun appears to have started after September 11, 2001 and appears to have allowed the NSA to get around both VPN protections, SSL and HTTPS. For most internet users that's pretty much the entire ballgame.
As any security expert knows, intentionally introducing flaws into your products is a stupid move. Sure, it gives the intelligence community a backdoor into software, but there's no guarantee that someone else won’t discover the same flaw and start using it. In fact, the way code examination is these days, it's a virtual certainty that someone will do this.
Crypto and privacy guru Bruce Schneier is frank in his assessment of what this all meant for the internet. He told The Register:
From forcing Microsoft to make Skype more eavesdropping friendly and then not telling anyone, to demanding Lavabit's master encryption key and demanding that they lie about it, to creating fake Facebook servers on the Internet to hack into computers, to intercepting Cisco networking equipment in transit to install eavesdropping equipment, the NSA has completely subverted the internet.
Google won't change its business model and neither will the NSA
"The problem isn't that we know the NSA is doing these things,” added privacy expert Bruce Schneier. “The real problem is that we don't know what else the NSA is doing. Internet companies - hardware, software, service - simply cannot be trusted anymore."
A month later and more leaks exposed Project MUSCULAR, whereby the NSA augmented the data it was already collecting via the PRISM program with information obtained by tapping the interconnects between data centers run by Yahoo!, Google, Microsoft, and others – news which provoked a stream of profanities from the Chocolate Factory's engineers.
Chris Soghoian, principal technologist at the American Civil Liberties Union and a noted privacy researcher and activist, told The Register that the rogue sysadmin's actions had proved a catalyst for change.
"The leaks caused a lot of anger in these companies, and in particular with the security teams in these companies. These security teams have had a list of things they've wanted to do for years but budgets are limited and so they focus resources on the biggest threats," he told us.
"Now, it's my understanding that in the wake of the Snowden disclosures, that security teams have been given pretty much a blank check and can spend whatever they want to spend to protect the link between the user and the company."
However, Soghoian pointed out that this is only half of the solution. Google and others pay for "free" email systems by trawling through the data consumers give them and selling advertising based around that. That business model isn’t going to change any time soon, he warned, but as long as it's in place “the NSA will try to subvert it".
Soghoian: security folks can, and are, making things better
Snowden hasn’t given many interviews since going on the run, but one of the messages he has consistently put out is that good encryption is still safe from the prying eyes of the NSA. Yet even that isn’t a perfect solution.
In December 2013, a report from Reuters claimed that the NSA had deliberately weakened the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) that had been signed off by the National Institute of Standards and Technology, and had allegedly paid securo-firm RSA a $10m contract to add the system into its security products.
RSA has consistently denied that it accepted any money to include a weakened security protocol, but that didn’t stop some key members of the security community from boycotting the security company's annual show this year and setting up a rival TrustyCon get-together.
The row has led some to declare that common encryption standards are likely to be subverted and that the peer-review systems used to check out technology are broken, but in fact the reverse is true, Bruce Schneier says.
"The encryption vetting process is working fine. AES and SHA-3 are both stellar examples of a public process to choose a new encryption standard. I trust them both, and will continue to trust them," he said.
There is still a lot of secure software out there that will lock down computer communications. While Snowden's leaks have done a lot of damage to the computer security industry, that damage isn’t fatal by any means and may actually have been helpful in encouraging people in the industry to smarten up their practices and provide what privacy they can.
"There are a lot of people in the security industry who are taking a fresh look at the security technology we use and asking 'can we make this better?'," Soghoian said.
"In most cases the answer is 'yes'. The goal here isn’t to keep the NSA out, because realistically they will find a way in if they really care about you. The goal is to raise the cost so that bulk surveillance becomes impossible. If the NSA really cares about you they will show up, break into your house and install malware on your laptop.”
Go with the industry standard, though, and you're a sitting duck. “The default crypto used by everyone will not blind bulk surveillance," Soghoian said. ®