Schneier on Security

Nick P • September 12, 2013 9:34 PM

NSA isn’t to blame. It’s really that simple.

I think the situation has turned into such an NSA-bashing party that everyone’s forgotten why the situation exists, who the majority of stakeholders are, and what can/can’t be done against a surveillence state actor. Not to mention pushing all kinds of figurative comparisons making it seem like the NSA is massively robbing, injuring and/or murdering American citizens. I mean, come on… I’ll address the people that replied to me in the next post after I set the foundation in this one.

The Why: NSA’s Mission

I’m not going to totally blame the NSA here like everyone else is doing, nor make analogies that paint an unrealistic, deadly picture of the results. Before anyone talks legal or ethics, they need to look at what the NSA was required to do. Here is the “en ingles” version of their mission.

1. Gather every piece of vital information they can on foreign targets of interest.

(Ridiculously huge number, from crooks to business to government, across many mediums in many countries with a variety of security approaches.)

1. Do the same if their communications cross into US territory.

(Previously, there were very strict rules about exactly how to do this.)

[So far, we just have two requirements, a massive amount of technicians, little oversight and a huge budget. I said that was a bad idea but I was a minority. Moving on. Even back then, they were working toward intercepting everything with filters and automated analyses to make sense of it all. Echelon being a prime example that leaked. Yet, even with massive spying and alleged abuses in the 90’s, neither American people nor Congress pushed hard to reign in their power or establish strong oversight of expanding SIGINT activities. And federal courts did about nothing. Strike 1. ]

1. Acquire intelligence on anything that might lead to another 9/11 happening on US soil, even if it means spying on Americans.

[This was post 9/11. This let them turn their technology on Americans more often, although they had certain legal issues. Congress begins passing laws that remove legal obstacles and create plenty secrecy. American public majority supports the activity as in our interests for our safety, as they like trading off liberty to sleep better. Strike 2.]

1. Expanding on 3, more pushes for cyberwar readiness, streamlined intelligence sharing, greater visibility, rapid response that requires fewer filters and long-term analysis capabilities similar to commercial sector’s business intelligence apps.

[The Business Intelligence type apps and proposals go way back with software demos from CIA’s In-Q-Tel on specifics of a few apps for government use. That was public. Even if it’s a Special Access Program, a significant number of people in Congress would know they were tapping into phone, carrier and/or encrypted networks. Some of this leaks publicly many years ago. American public fails to use common sense test of “is more secrecy, money, spying, lying and lack of due process a good thing for citizens now or later?” Congress continues authorizing and funding the operations. Strike 3.]

I say that’s already all you need for a situation to occur much like recent revelations. This situation was the logical conclusion of a continuous series of events going back 10-20 years. Maybe more depending on who you asked. Every step of the way, the NSA’s modern activities got the blessing of Congress, the public, the important courts, Federal LEO’s, state LEO’s that could use the data, and the media. Sounds legal and endorsed enough to me. So, certain claims people are making don’t hold any water despite how often they’re repeated.

NSA didn’t do this: everyone else did with NSA acting as their authorized agent.

The How: Accomplishing the Mission

People have also been saying they hate all these methods NSA uses. I’m not going into them right now. You’ve probably heard of them. Yet, I’ve just illustrated their mission requirements. And they could be pretty sure if they missed another 9/11 the public wouldn’t say, “Well, they were using SSL and you people are only the NSA so it’s all good. Shit happens. Don’t worry about it.” Please… They were under enormous pressure over the decades to solve equally enormous problems associated with targets using crypto, domestically or foreign. 9/11 just added to it. And they tried several options.

1. They tried to get backdoors into systems. That was strongly opposed by the public.
2. They tried banning export of strong crypto and keeping useful systems from being published while allowing US use of ciphers that would stop most attackers. DES cracking got cheaper and the cypherpunks beat them at moving crypto out of the states.
3. They tried to allow stronger crypto, but with built-in escrow to provide them access. Cryptographers were also working on secure escrow back in the day. That was all shot down. (Maybe partly due to Bruce’s paper on the problems with it.)
4. They tried subverting crypto software by both big software companies and some crypto companies. Each subversion was for tech with widespread use by governments and companies. That worked to quite a degree till a few became public. Yet, subversion proved to be quite successful and each of those companies are still in the same business. (And I’m not talking about the recent leaks either: these were a long time ago.)

So, the NSA had a tough job mandated by the public and Congress. The job kept getting harder. EVERY proposal they made to deal with their problems through legal or technical means was shot down. The only solution was subversion, the one I’ve written here about for years. Matter of fact, NSA knew that the widespread use of low assurance software implementations and business processes meant subversion was easy for their organization. So, it worked in the past, it kept working, those in Congress cleared for it apparently kept OKing it, Americans kept demanding high effectiveness, and they saw opportunity to expand on the same strategy.

(Note: They also realized if they did it carefully they could embed subversions into otherwise effective security tech. So, public would get good ciphers, online banking, secure purchasing, safer email, network encryption, trusted boot, etc. It would stop most attackers. And NSA could still get in. In a dual-mission spy & stop spies organization, this would be seen as a Win-Win approach to subversion. And subversion was their only effective approach. And so 2+2 =…)

The Result

And so they subverted… everything. And they did it with “open” standards, too. If anything, they were only doing the exact job they were asked to do and did an extremely impressive job. I figured over the years they had done plenty of this stuff. Yet, after the leaks, even I was a bit impressed at how much they accomplished. They certainly had the budget for it but their management sucked. They must have really done a 180 over the past decade. They fixed big organizational issues first, then expanded capabilities, and then accomplished Mission Impossible.

I didn’t think they’d pull it off. I give them props and respect. But… what if “they” come after “us”?

The “Risk” To Individuals + Who Are The Stakeholders?

Practically nonexistent in over 99% of cases. (Yes, that stat was as made up as recent analogies.) The majority of Americans are the kind of people The Machines weren’t built to look into. The Machines were even used over time to benefit American activities and companies far as I know. They will use their capabilities in self-defence if government power is threatened by a minority player w/out public support. NSA also knows majority public pays their checks. That public is mostly OK with what groups NSA targeted so far. Many even demanded it at one point.

And the public get hit by lightening more often than NSA injures or kills them. And brake failures like in recent analogy? MUCH more dangerous than NSA to people in this country. THAT is something Joe Public might have experienced personally or heard via friends’ horror stories. Overall, NSA is one of the public majority’s… lesser concerns.

The Real Risk: A Fake Democracy

Many claim it’s been a fake democracy. Let’s ignore that angle for this debate. 😉 The biggest risk was (and is) that The Machines one party builds are used for evil reasons, by them or another party, that have a huge negative impact on the safety of Americans, the economy, the voting process, etc. Like nukes, capabilities like this are better to never be invented and a country will never “unbuild” them after they’re working. Further, they will get expanded continuously both technically and legally.

The very second Americans asked for NSA/LEO’s to develop near God-like omniscience in their intelligence capabilities, they brought all of this on themselves willingly. The long history of government power grabs, corruption and abuses of power should have clued them in. They weren’t cautious enough. Congress knew a bit better with all the dirt people could find on them. Those morons asked for an exemption for themselves, as if unaccountable watchers keep their promises over time. Now, The Machines are a risk to our democracy itself because they can be used against us in many ways and it would take huge effort by Congress to limit that. And Congress is apparently on their side.

Conclusion: NSA isn’t guilty or going overboard. They’re doing exactly what they’ve been required to do. And they’ve done it too well. They succeeded to the point that NSA’s legal, technical and HUMINT capabilities will make impractical for US citizens most INFOSEC defenses people are proposing right now. Congress and The Courts, who possess checks and balances, are partly responsible for this mess. The other part goes to the American people. If the three really want to, a combination of private and public action can change the status quo. Otherwise, NSA will just keep doing what they’ve been paid to do for decades.

Nick P • September 12, 2013 10:40 PM

Necessary clarification to original post: To people not familiar with my style, I’m an opponent of surveillance states and quite pro-democracy/privacy. I’m playing devil’s advocate on this debate as I have in some past debates. Those led to people coming forward with points that contributed plenty to the discussion. And to the disappearance of some points that were only harming it. Same goal here. My motivation is explained in the essay above. It also covers some things in the replies people gave me but I’ll respond to each anyway.

@ Arclight

Good points. I agree. Yet, the legal aspect can’t be ignored. If we don’t build in LEO capability, it will be forced on us. And existing practice allows them to force about anything on us. And maybe charge us if we don’t cooperate. Who knows. The legal issues must be resolved even as we make it technically harder on them.

@ NobodySpecial

Re: targetting everyone

They’ve been doing that for a long time, mostly foreigners, and information got out on it. They were limited mainly by technical capability rather than ethical restrictions. As I said in above essay, almost every legal decision and public choice pushed them in their natural direction of more SIGINT over time. And more domestic capabilities. And more automation. And more storage. The historical precedent is that such organizations only expand their power. It was to be expected.

And if any of those scenarios happen, the other enabled them and should share in responsibility.

@ Michael Brady

Re drones, rendition, etc.. And NSA is like a car (flying?) on the road with false speedometer reading

Again, how many Americans in a country of 378 million have been physically harmed or killed by NSA’s crypto defeating activities? And how many are expected to this year? None? Almost none? Less than lightening strikes and bee stings? Then why is it a cornerstone of a debate about individuals’ risk?

We can’t afford wild speculations in a debate this big. That will loose public’s confidence in us quickly. We must focus on solid risks that the public can understand. NobodySpecial was onto something mentioning IRS, just forgot to add “targeting conservatives.” It will take examples like that which scare or anger the public to get them to reign in NSA. If they will…

“Our lawfully elected representatives in congress have been lied to repeatedly about what the NSA has done, is doing, and intends to do. The FISA courts have been lied to or simply ignored by the alphabet agencies whenever the executive branch chooses.”

This is a fair point. It should have led to laws being passed by Congress repealing certain authorities, increasing monitoring, and maybe even giving a group like GAO power to reign them in. After all, NSA activities were kept in check (to quite an extent) for years. And Hoover’s FBI got reigned in. And CIA’s MKULTRA and other stunts got them reigned in quite a bit. And so on.

Also, the more the public was behind it and votes were threatened, the more the Congress acted. And we see many cases in local and state government corruption where courts were a big help. Mandating long prison sentences for proven corruption and using them would probably go a long way.

@ cowbert

re security by obscurity, risks of weakening standards

Yes, I agree. It’s why I’m not a fan of this activity, although I don’t totally blame NSA (see essay). The more dangerous of their methods leave or introduce vulnerabilities of the kind black hats can find. That’s dangerous. However, esoteric stuff embedded into hardware, root of trust subversions, and other such stuff isn’t so risky for us. They can be done in a way where the protections are pretty solid and the risk is very low for the public. I’m leaving out key details on that just to keep them from getting more ideas.

Matter of fact, I’d venture to guess two things:

1. The public is protected by harm via NSA endorsed methods vastly more than any harm that comes from using them.
2. The public, both in purchasing and operating choices, causes vastly more harm to themselves than NSA ever would.

Re: faith in mathematics

Oh come on, we both know that’s not true. Most people believe in certain security products and protocols because these were recommended by a source they trusted to some degree. Or they had no better options. Or a combo of both. Most people don’t know an elliptic curve from a discrete logarithm. The majority hates math. They are social, listen to their friends, and they like looking up reviews/recommendations.

@ Daniel

“I normally agree with you but I do not here”

I appreciate the compliment on the old posts. 😉 Far as this debate, I am playing devil’s advocate to stir things up as I said. It’s all good. Fire away.

“The question is not whether the vendors are pushing a false sense of security the question is whether people are in fact believing that falsehood. They are. ”

Actually, most of the issue has been that NSA and vendors are pushing subverted products. What individuals and companies believed about their security is an important, but secondary, attribute. And you’re right: they bought into it. And guess what, they did it for the security industry too.

The kind of complaint you have have could be directed at the entire marketing industry. They’ve been playing psychological games on people to get them to trust products and stuff forever. Politicians in US government are known for it, esp during elections. That NSA wouldn’t try to do the same thing to accomplish their protective and mandated mission (their perspective) would be… incompetent? 😉

Solution is better critical thinking for the general public. That requires better education strategies and investment. And the lack of it is also not NSA (or INFOSEC community’s) fault.

Re chilling affect:

” In Free Speech issues that is called the “chilling effect”. People’s behavior changes when they think someone is watching them or has the potential to watch them. That alone is a tangible harm. ”

Yes. This doesn’t negate my claim about where the responsibility for this mess lays, but it is a REAL problem. It’s also quite intangible. How to quantify it? How much effect does NSA revelations have on it over long term?

Remember, this is the country that loves plaintext email, convenience, credit card purchases, location enabled cellphones, social networking, trading personal info for free apps, etc. Oldest generation barely uses the computer and don’t trust it much with highly private information. Youngest generation, as Bruce pointed out, lived much of their lives in public. Middle groups are… in the middle I guess. If there’s really a chilling effect, I have no idea how to measure it. And I don’t see a resistance forming to it, which is my measure of how much public cares in a way that creates change.

So, it’s a real worry but I can’t say much of it in this country and its cultures.

@ Clive Robinson

“But you fail to take into acount the third qualifing sentance, … which is a little unfair”

I appreciate it. That sentence does make all the difference. If the risk was as great as what it was compared to, then you’d be seeing effects as great as what it’s compared to. We don’t. So, bad comparison. QED. 🙂

@ Thomas

The key failure of these analogies are that they compare (a) an “accidental” failure of a “safety” device causing “physical harm and damage” that “has affected” huge amounts of people (b) an “intentional” subversion of a “security” system that does its job, has done no “physical/economic harm” to huge amounts of people, and can “selectively target” in a way that “might harm” (e.g. drones, sabotage) and “might not harm” (e.g. precautionary intel gathering).

At least, these sound entirely different to me. And one causes so many provable problems there’s a bunch of shops nearby for preventative maintenance and post-repair trouble.

@ Alex R

I’ve often linked to a Bell paper [1] where he traces the process by which NSA/DOD got strong computer security started, incentivized private market to make many high assurance products, and then through stupidity (i think that was it…) killed off the entire market. Nowdays, they push medium assurance solutions. I’ve often bashed them here pointing out their own Orange Book, even though outdated, shows that the architecture and development methods of today’s endorsed solutions can’t even meet the self-protection requirement, much less prove no subversion.

They also had export restrictions back then on high security products. So, there was hardly a ROI. Low features, slow time to market, plus uncertain market = both NSA and commercial profit incentives killed off such products. I often joked they probably liked that they could hack into each tech and that most “security” they push is about “control.” Then, years later certain documents show they’ve subverted almost every system including in ways I’ve pointed out as risks. Go figure…

Worse, Schell, one of originators of Orange Book, has been presenting for years subversion as the greatest risk and promoting A1-class tech for it. Mainly his (GEMSOS). Regardless of his debatable marketing material, he turned out to be right about need for strong TCB and subversion resistant development.

In a nutshell, NSA is partly to thank for creating the INFOSEC industry and funding many good methods/principles for security engineering. These are in papers the public can read and use against them. They also later pushed solutions that were pretty good in general, but that they could hack. So, they’re kind of heros and villians in INFOSEC. It’s why I often claim NSA is comparable to multiple personality disorder or paranoid schizophrenic behavior. They’re just weird like that.

[1] For some reason, none of the links to his paper work on this blog after they go through preview. Weird. Just open Google, type these words: Bell Looking Back Addendum. PDF should be on top.

Nick P • September 13, 2013 2:01 PM

@ “response to nick p”

“Except there’s a clear difference. If a bug causing a weakness is introduced by carelessness, it can be discovered and fixed, due to marketplace pressure to improve one’s product. Or it might never be discovered and exploited by anyone. If a weakness is intentionally introduced by the NSA, it’s probably NOT going to be fixed, due to NSA pressure to keep the weakness, and it IS going to be exploited by the NSA and eventually by others.”

Does it make us more vulnerable?

You’re kind of mixing things with that. One class of bugs that NSA introduces (or leaves in) are the same kinds of bugs as those that developers produce on their own. And they can be detected by effort. That an attacker can use these against us is a legit gripe and risk to consider. However, a system with 4 vulnerabilities and a system with 8 are equally vulnerable to talented black hats who need 1 “sploit.” So, software norm vs NSA’s contributions = zero difference in practice to high end blackhats. Kind of depressing, eh?

So, my main challenge to the security community on this angle is “do we have data saying it happens often?” There is the Vodafone screwup and it’s great to use in this debate. I count it in favor of anti-govt-subversion. However, most people are just assuming a massive risk is there. I’m saying prove it with examples of it happening. I’d like to see more data so we can say empirically how bad NSA practice is or isn’t far as risk to users. Otherwise, although the concern is legitimate, most of what people say about it will be pure speculation. (read “bulls***”)

Myth: Each NSA subversion = widely vulnerable system

The other class of NSA subversions is relevant to claim that each NSA subversion = a sploit for black hats. This is a common misconception. The ECC RNG and CA subversions are examples of exemplar subversions that maximize benefit to NSA, while providing little risk to users. That ECC RNG would only be exploitable by NSA group with the magic numbers. It was a backdoor, but it didn’t create vulnerability that hackers everywhere could use. Likewise, a CA with good security practices presents a decent security layer against all sorts of black hats. If they give certs to NSA, it doesn’t negate the CA protection against other attackers or let others forge CA’s at a whim: it just gives NSA access. An NSA rootkit signed for TPM and customized for a device would give them access, but not allow compromise by black hats in the wild. And so on.

A subversion != vulnerability to blackhats. Must be judged case by case basis. Even though I’d rather them not be subverting everything, I’m not going to make up crap about how every subversion they do negates security or gives black hats a door into the system. That’s provably false in specific examples I gave and many more. If anything, I prefer them use such low risk subversion methods b/c at least the security still works against the people it was intended to stop.

Guess what? NSA told us how to stop them. And we didnt.

High assurance security engineering and development practices can prevent most bugs like this regardless of their source while making it easier to prove that to reviewers. And their economic properties make sense on a slow moving, high priority target like IPSec or S/MIME. I mean, why wouldn’t we be using such high-security practices for our most security critical stuff?

Irony is that “businessmen,” not INFOSEC, taught me what quality/security effects you get in these situations: “fast, good and cheap; choose two.” They should have known better than to go cheap on the most critical stuff. Yet, the market continually chose their roots of trust to be thrown together cheaply by unknowns, overcomplicated, and have little vetting. That low assurance practices and risky configurations led to constant hacks didn’t deter them. I’ve always said on this blog (& to businesses) that, without high security processes, security-critical systems would result in many residual flaws, esoteric attacks or subversion. And what happened? All three across the board. This time I hate to say I told them so.

“No one voted FOR the NSA to have all this power. They were voting naively for magic safety without being cognizant of possible results of this desire.”

Well said. Yet not as true underneath for two reasons: mission and character. More on that below.

“If people vote for someone who secretly does something you don’t like without telling you that’s their plan, how can you say that the people voted “for” that secret action? This is like asserting that Republican voters voted for Nixon to do the Watergate break-in simply because they voted to make Nixon president.”

“Aha… the NSA bears no responsibility for their illegal and unethical actions; they were “just following orders”, the classic defense for evil actions in a power hierarchy. Sorry, but for me the “just following orders” defense doesn’t hold much water here.”

What They Are

With most organizations I’d agree with you about “follow orders” excuse. NSA is an exception: they’re a quasi-military, intelligence organization serving executive branch, overseen somewhat by congress, & with laws/EO’s determining their mission. They were ordered to find any information pertinent to an attack on America (or beneficial to us) in communications flowing through America and foreign countries across many providers & using crypto. That’s the mission and a legal requirements. To me, that mission sounds exactly like “hack stuff all over the place to find important stuff, but filter and delete non-essential things.” That’s what they do for a while until post-9/11 requirements added mission creep. And now we’re here.

I think the NSA’s mission requirements are entirely relevant to a discussion about “did they go to far?” People wanted NSA to catch about anything of value. You can’t catch “everything of value” unless you intercept and analyse “everything.” You got a different set of methods for them that would be effective? By all means, propose them to NSA and Congress. I don’t, so I think the mission itself is the root cause of problems.

So, rather than just crying out for The Machines to be torn down, I say we re-evaluate NSA’s mission requirements, what we would blame them for, etc. And set in stone certain limits, oversight and even prison sentences for intentional violations. And, SOX-style, put risk on the Directors and senior management. If NSA’s current operational requirements lead to our risks, then we need to change those requirements rather than just gripe about how they meet them. All I’m saying.

Character

It’s good that you used the Nixon example. In the case of US LEO’s and TLA’s, they have a long history of bullshiting for more power and abusing it. NSA, particularly, tried to subvert America’s systems in public and semi-public ways several times before 9/11. They got negative press plenty of times. They also got investigated for Echelon which to me sounds like the same allegations and worries of today, just less numerous and pervasive. Then, this often guilty party says “just give us free reign, lots of money, more spy gear and less accountability we’ll protect you” and Congress+people say OK. And my jaw drops.

So, they start doing their mission. Then a leak comes out showing potential overstep. It’s tolerated. Then again and tolerated again. And so on until today with massive power, subversion and reach. Using your Nixon example, he would have done Watergate two or three times, then got re-elected with more power. Would you hold him totally responsible for his 3rd or 4th major act of misconduct? Or tell people voting for him they should have known better after Watergate, CryptoAGgate, and Echelongate? 😉

Full circle is problem and solution

So, I blamed Congress, taxpayers and courts for causing this. They gave NSA a mission that would require them to do devious stuff on a widespread basis. Every overreach was tolerated way too much. This was done despite the organization’s poor ethical character. (Comparable to Nixon, indeed.) Just as they caused the problem, it will take strong effort by The People, Legislative and Judicial branches to change it. The People can even influence Executive branch, which runs NSA, via their vote. The primary solution is there and anyone pretending otherwise needs to revisit the history of how this country successfully dealt with major problems in government. Hint: it wasn’t by focusing on crypto, faxes, typewriters or telephones.

Security community’s role in solving this

The security community has a role in this. I charge them to stop BSing and using low assurance methods. I know high assurance software development is a painstaking, boring thing to do. It also dictates using proven, old solutions (read: more boring) to avoid creating new problems. I myself have posted many design ideas for them to build on. Both academics and quality/security-centered companies have created concepts, designs, prototypes and products to build on (or emulate). So, no excuse for NSA’s job being so easy except laziness (and perhaps lack of knowledge sharing by veterans).

The most important thing’s are that INFOSEC professionals do these:

1. Use a high assurance development model
2. Use decentralized development with peer review and signed vetting.
3. Build a solution to each critical problem (e.g. signing, network encryption, endpoints, individual content distribution)
4. Gather and enhance best existing tech as interim solution.

5. Standardize behavior and interfaces, diversify implementations and hardware.

6. Ensure every activity involves people from several mutually suspicious countries, esp during review step.

7. Host in many countries with privacy protections who are buddy-buddy with main spying nations.

8. Rotate roles often among coders, reviewers, testers, etc.

9. Rotate among boring and more interesting jobs. Perhaps an incentive where a certain amount of high quality work on boring jobs nets community assignment to more interesting work.

10. Strong reputation system attaching to public keys things like location, specific problems found, specific problems created, etc. Will let people guage trust better, although process itself kills off majority of problems.

So, there you go, have at it.