Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry
Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are “going dark,” and that Silicon Valley is foolishly aiding terrorism thanks to its “obsession” with privacy etc. etc. Against that background, it’s easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.
But suppose all this is just for show — not so much security theater, but as privacy theater to divert our attention from what is really happening. That’s one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):
In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers’ European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.
NSA’s fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the “ABBA” program handles the following situation:
Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive
The novel solution is for the NSA to exploit “raw capitalism,” and to “throw money at the problem” by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its “friends” in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.
The “QUEEN” program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:
Play GPL vs BSD card
Soak mental bandwidth with bogus crypto proposals
A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the “BOYS” program, whose “crown jewel” is OpenSSL. The impact of the “Heartbleed” vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That’s just one indication that Kamp’s witty re-imagining of recent computer history is not so far-fetched.
Even assuming — hoping — that Kamp’s talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA — or other well-funded agencies — to subvert today’s computing industry in perfectly legal ways, it provides an important warning about what’s wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won’t be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.