Government Secrecy and the Generation Gap

Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence.

Most of these people do not have access to as much information as Edward Snowden, the former National Security Agency contractor turned leaker, or even Chelsea Manning, the former US army soldier previously known as Bradley who was convicted for giving material to WikiLeaks. But a lot of them do—and that may prove the Achilles heel of government. Keeping secrets is an act of loyalty as much as anything else, and that sort of loyalty is becoming harder to find in the younger generations. If the NSA and other intelligence bodies are going to survive in their present form, they are going to have to figure out how to reduce the number of secrets.

As the writer Charles Stross has explained, the old way of keeping intelligence secrets was to make it part of a life-long culture. The intelligence world would recruit people early in their careers and give them jobs for life. It was a private club, one filled with code words and secret knowledge.

You can see part of this in Mr Snowden’s leaked documents. The NSA has its own lingo—the documents are riddled with codename—its own conferences, its own awards and recognitions. An intelligence career meant that you had access to a new world, one to which “normal” people on the outside were completely oblivious. Membership of the private club meant people were loyal to their organisations, which were in turn loyal back to them.

Those days are gone. Yes, there are still the codenames and the secret knowledge, but a lot of the loyalty is gone. Many jobs in intelligence are now outsourced, and there is no job-for-life culture in the corporate world any more. Workforces are flexible, jobs are interchangeable and people are expendable.

Sure, it is possible to build a career in the classified world of government contracting, but there are no guarantees. Younger people grew up knowing this: there are no employment guarantees anywhere. They see it in their friends. They see it all around them.

Many will also believe in openness, especially the hacker types the NSA needs to recruit. They believe that information wants to be free, and that security comes from public knowledge and debate. Yes, there are important reasons why some intelligence secrets need to be secret, and the NSA culture reinforces secrecy daily. But this is a crowd that is used to radical openness. They have been writing about themselves on the internet for years. They have said very personal things on Twitter; they have had embarrassing photographs of themselves posted on Facebook. They have been dumped by a lover in public. They have overshared in the most compromising ways—and they have got through it. It is a tougher sell convincing this crowd that government secrecy trumps the public’s right to know.

Psychologically, it is hard to be a whistleblower. There is an enormous amount of pressure to be loyal to our peer group: to conform to their beliefs, and not to let them down. Loyalty is a natural human trait; it is one of the social mechanisms we use to thrive in our complex social world. This is why good people sometimes do bad things at work.

When someone becomes a whistleblower, he or she is deliberately eschewing that loyalty. In essence, they are deciding that allegiance to society at large trumps that to peers at work. That is the difficult part. They know their work buddies by name, but “society at large” is amorphous and anonymous. Believing that your bosses ultimately do not care about you makes that switch easier.

Whistleblowing is the civil disobedience of the information age. It is a way that someone without power can make a difference. And in the information age—the fact that everything is stored on computers and potentially accessible with a few keystrokes and mouse clicks—whistleblowing is easier than ever.

Mr Snowden is 30 years old; Manning 25. They are members of the generation we taught not to expect anything long-term from their employers. As such, employers should not expect anything long-term from them. It is still hard to be a whistleblower, but for this generation it is a whole lot easier.

A lot has been written about the problem of over-classification in US government. It has long been thought of as anti-democratic and a barrier to government oversight. Now we know that it is also a security risk. Organizations such as the NSA need to change their culture of secrecy, and concentrate their security efforts on what truly needs to remain secret. Their default practice of classifying everything is not going to work any more.

Hey, NSA, you’ve got a problem.

This essay previously appeared in the Financial Times.

EDITED TO ADD (9/14): Blog comments on this essay are particularly interesting.

Posted on September 9, 2013 at 1:30 PM β€’ 51 Comments


Gen Z β€’ September 9, 2013 2:22 PM

The revelations will hopefully teach the current and coming generations at least one thing:

Privacy is not a right.
It must be earned.

(By information security technology knowledge.)

I, for one, have always assumed this, like, I suppose, most security conscious folks and security professionals.

C.S β€’ September 9, 2013 2:38 PM

@Gen 2…

The revelations will hopefully teach the current and coming generations at least one thing:

Privacy is not a right.
It must be earned.

If I understand the article corrrectly, it’s not the “current and coming” generations that need to learn this lesson. Rather, it’s those same generations that are teaching this lesson.

It rather seems that it’s the oldest generation that somehow thought they could get lifelong loyalty and super secrecy just by demanding it. And – that’s even though they should be security professionals.

Perhaps their is some older generational bias leaking through regarding what can be expected and what must be earned?

Matt from CT β€’ September 9, 2013 2:56 PM

It rather seems that it’s the oldest generation that somehow thought
they could get lifelong loyalty and super secrecy just by demanding it.

No, I believe they had a fundamentally different view of loyalty and privacy.

Perhaps their is some older generational bias leaking through regarding
what can be expected and what must be earned?

The Greatest Generation which implemented many of the policies still in place were built on lifelong, personal relationships and a sense of personal privacy that were much stronger than in today’s generation.

The Boomers coasted accepting these relationships and privacy as the norm, while themselves undercutting it with extreme individualism.

If you’re taught not to care what others think, you have no, or a very weak, personal sense of privacy…you sure as heck will not have an institutional sense of privacy. Whatever is wrong, “It gets better!” So just let it hang out. What is valued is building up individuals, and what we have left to wither is our institutions (which continue by momentum, not by social acceptance of a contract).

This is part of a shift in culture that is broader than simply the disappearance of long term careers at single employers. You can see the same decline among civic and fraternal groups like volunteer fire companies and Freemasonry.

I also believe its a bit of a pendulum. In some ways, the kids just now coming out of school (late teens) have grown up in a hyper-programmed way that they don’t know how to function as individuals or without a schedule handed to them. They may naturally start to seek out and re-invigorate some of the fraternal organizations that withered while Boomers dominated and start to shift the pendulum back from extreme individualism and not giving a darn what anyone sees because you don’t care what they think back to a more communal effort and perhaps starting to value privacy again because they care more about the group’s opinion once more.

Matt from CT β€’ September 9, 2013 3:07 PM

If one wants to contrast “modernity” defined as valuing individuals maximizing their own happiness — something capitalism loves as they can psychologically influence people to trade money for advertised happiness — one can contrast it with the Amish who emphasize the giving up of individual will to the collective good of the community as the route to fulfillment.

The Amish don’t eschew technology, they just carefully evaluate what brings them closer as a family and community v. what technology they feel would drive them apart. You have to live near each other when relying on horse-drawn carriages, and you have to gather around a single gas lamp in the living room in the evening to read and play games when you do not have electricity in every room.

It would be fascinating to do some studies on how “modern” youth and Amish youth approach privacy differently.

We’re tilted too far to the individualism side now I believe, where the generational conflict over security and privacy is coming from. The Amish are probably tilted too far to the communal side for the comfort of most — including times they keep crimes too secret too often and should have sought the help of the authorities sooner.

def β€’ September 9, 2013 3:09 PM

Can you define or as clearly as possible mark out the boundaries of “what truly needs to remain secret”?

GmanTerry β€’ September 9, 2013 3:41 PM

I have yet to see anyone address the most troubling aspect of the NSA spying. The present, in power leader has now got 100% access to all information about the opposition party. He can read their mail, listen in on all calls he has access to all confidential data from reporters, judges, congressmen and senators. How can he lose? The only information the party in power does not have is mouth to ear communication and snail mail. Sorry to say this but “We had a Republic, but it appears that we have indeed lost it”.

Petréa Mitchell β€’ September 9, 2013 3:49 PM

Bruce, I admire all the work you’ve been putting in writing essays and helping the Guardian go through the Snowden documents. But I’ve got to call BS here.

There is no basis in the current understanding of situational psychology to claim such massive differences in action caused merely by being part of a different generational cohort. Indeed, one of the depressingly repeatable findings is that just about everyone, barring very specific training, will behave the same way given the same pressures.

Now, being a contractor versus a direct employee– that’s a different situation and may encourage different actions. But I expect that the main reason there weren’t so many massive leaks when the baby boomers were 25 or 30 is that it’s much easier to walk around with several gigabytes of data on a stick in your pocket than it would be to smuggle the truckloads of paper the same amount of information would have comprised back in the day.

Sky β€’ September 9, 2013 3:59 PM

There may be another factor at play: if you’re 30 now, you saw the Berlin wall falling that you were < 10 year old, meaning you didn’t live and feel the cold war. So maybe you put a different value on state secrets than the older generation, because those secrets don’t seem so important to you and, actually, what the government is doing feels completely wrong. So, you feel you need to say something.
After all, it’s difficult to take proper care of something you don’t value or even loathe.

stevelaudig β€’ September 9, 2013 4:05 PM

Since Reagan broke the social contract and began facilitating the economy to mine society by the constant draining of emotional value from ‘things’. The hollowing out has not merely been industrial but ethical and emotional. There is simply no longer any reason to be ‘loyal’ to a ‘government’ that is merely a tool of the corporations and has ceased to provide the basics: police and fire protection; education; infrastructure [both physical and spiritual in the sense of being a moral force]. Trust may be a renewable resource but only in the sense that groundwater is renewable. And the pols operate from day to day.

Sky β€’ September 9, 2013 4:07 PM

trying again….used wrong character…

There may be another factor at play: if you’re 30 now, you saw the Berlin wall falling that you were less than 10 year old, meaning, you didn’t live and feel the cold war. That is, you may not feel that certain secrets are so important and that your nation is under attack. You can actually think that what the government is doing is completely wrong, to the point that making it public seems the right way to go. This is not about FB or the like to me, but more about the perceived threat. It’s difficult to take proper care of something you don’t value or even loathe.

NobodySpecial β€’ September 9, 2013 4:57 PM

From stories of campus recruiting there seems to be a backlash by students ie potential recruits against the NSA.
It seems to have gone very quickly from cool place for the best mathematicians to work – to being more like trying to recruit chemists for a final solution to a little ethnic problem you are having.

thecaseforpeace β€’ September 9, 2013 4:59 PM

@def, @Bruce,

“Can you define or as clearly as possible mark out the boundaries of “what truly needs to remain secret?”

The current system of government secrecy and classification started with WWII and the project to develop the atom bomb. If you watch interviews with people who worked at White Sands, hardly anyone knew what they were actually doing. Many were horrified when they saw the resultant test. Then it was ineffectually used on 2 cities in Japan (we already won the war) killing thousands of civilians, and now the Enola Gay is enshrined in the Smithsonian.

Secrecy of governments is inimical to a free society, period! Conversely, for totalitarianism to flourish, it requires the fertile ground of state secrecy and compartmentalization. Prior to WWII only active military actions and maneuvers were considered secret.

Knowing the inside of the machine, I can say with absolute confidence that if the American public knew in total what acts the US government has committed (in secrecy) they would wretch in disgust, and a revolution would occur that very day.

Bruce, et al:

You are aware of the secret, now declassified programs committed in the 40s through the 70s right?

The army’s secret cold war experiments – spraying poor people mostly of color with radioactive particles in St. Louis and Corpus Christi

The US deliberate infection of Guatemalans with Siphilis to study the terminal effect… but .gov apologized, so it’s ok right? all water under-the-bridge…

That civil rights leaders and others were being spied on by the FBI, and in MLKs case, goaded to commit suicide?

That the US government and CIA were supplying the drug industry wholesale in Los Angeles in the 70s and 80s? All true, look them up! That’s not even counting the things the American public doesn’t know about or is too afraid to evaluate empirically based on facts rather than on emotion.

Do you really think anything has changed? You think the government just had a couple bad decades and doesn’t commit mass murder and crimes against humanity now? Really? How is that logical? It’s not. The best predictor of future (and current behavior) is historical action. Cognitive Dissonance anyone? Logic would argue that as secrecy has increased, so criminal activity by governments rises as well.

Governments have no business keeping secrets. allowing them to is extremely dangerous to your health (quite literally). The United States needs to go through an American glasnost and perestroika. The archives must be opened to sunlight, and the political prisoners released.

Clive Robinson β€’ September 9, 2013 5:11 PM

@ Bruce,

    Keeping secrets is an act of loyalty as much as anything else, and that sort of loyalty is becoming harder to find in the younger generations. If the NSA and other to have to figure out how to reduce the number of secrets

Keeping secrets is not of necescity an act of loyalty, it can as it was with the WWII generations be down to a sense of doing ones duty with respect to what would these days be seen as an idiom such as “stiff upper lip”. Having chatted to some of the heros of the time you find no bravado was involved, in fact they were more driven by the fear of being seen to be frightend or inadiquate and thus not being strong for those immediatly around them.

The sense of duty kept over 10,000 people who had worked at Bletchly quiet, to do this required the acceptance of others not to push a friend or spouse for details of “their little bit” and except there were secrets that would not be talked about. It was only in the 1970’s that some decided to say what had happened and what they did and thus open the door for others to do likewise.

That being said reducing the number of secrets is not the issue it’s the type of secrets being kept that needs to change or the type of people holding them.

As you’ve noted there was the ethos of matriculation to gold clock and doing right by your employer, provided they did right by you. This employer for life attitude started to break down in the 1970s when it became clear to some that employers were nolonger going to do right by their employees. In the UK very high inflation set the weekly waged paid by the hour above those who were saleried and middle class pain set in. The weekly waged discovered they had power at last partly because manufacturing had changed and a skills shortage encoraged job hopping to stay ahead of inflation. Or when job hopping was not an option strikes were frequent and this caused the governments of the time to make many mistakes and as a result three day weeks, black outs and shortages akin to rationing resulted with massive forign debt being accrued.

This further drove a stake between workers their employers and government, for the waged jobs for life were seen as middle classed. This caused further rifts. Then in the 1980’s Maggie Thatcher came to power determined to break the unions and set markets free. The result was “greed was good” and you grabed what you could as an individual. However Maggie Thatcher went to war against the unions and nearly lost to the miners, she then turned on Civil Service Unions and in the case of GCHQ workers dictated that they could not be members of a union nor be able to strike or carry out any kind of industrial action on pain not just of dismissal but imprisonment as well.

Thus these not particularly well paid civil servents knew that their employer had no loyalty to them and infact saw them as the enemy. The old order was dead.

Strangly though the problems Maggie Thatcher had with people supposadly leaking secrets to newspapers or to foreign governments were of her own making she insisted that the full force of the law be brought against people. However jurers and judges disagreed and “show of strength” trials turned into farce. As we now know Maggie Thatcher had started going mad, and saw enemies every where including in her most loyal supporters, and thus they turned on her and kicked her out of office.

But the damage was done it was not just the waged who knew the employer-employee covernent was broken it was the middle classes as well. Maggies “greed was good” caused changes in the banking sector, High St branches closed lending was now automated and fraud became common place, as did finding your old bank manager working on the fish counter in your local supermarket. Worse her insistance that Britain needed no manufacturing industry only service industries set Britain up to fail by establishing financial services as “to big to fail”.

Thus “loyalty” to an employer or anyone else for that matter is looked on as something quaint and old fashioned. Even in street gangs it’s not loyalty, but obediance through fear, you are in effect either a preditor or the pray and in many cases groups are as disfunctional as a troup off baboons. Often this political in fighting is so bad that almost any evil inflicted on those outside the group looks minor in comparison. Those of integrity quickly become colatarol damage and any “off message” behaviour no matter how minor is viciously and savagly repressed with lawyers using unethical behaviour to ensure that silence is obtained either by buying off or bankruptcy via civil action results.

Thus in many cases whistle blowing is just not a consideration as it has no survival value…

Brian β€’ September 9, 2013 6:44 PM

While I’d agree that the generational concept of a job/career has changed over the years, it seems more likely to work in the government’s favor than what Bruce is suggesting. Because while younger people might be less likely to expect loyalty or stability from their employer, the government is one of the few places left that’s at all capable of actually providing those things.

New college graduates have seen a lot of support for the idea of a work world where jobs are hard to get, wages can often be stagnant and employers can and will get rid of people at the drop of a hat. But then they see government agencies where people actually do build lifetime careers, your salary is likely to be able to increase over time and you’re not going to be summarily fired while the incompetent CEO gets a golden parachute. The younger generation’s cynical attitude towards employers isn’t necessarily a problem for the government, in fact it makes the idea of government employment that much more appealing because it offers an alternative.

Dirk Praet β€’ September 9, 2013 7:14 PM

@ Bruce

Keeping secrets is an act of loyalty as much as anything else, and that sort of loyalty is becoming harder to find in the younger generations. If the NSA and other to have to figure out how to reduce the number of secrets

However much I would like to believe so, I’m not convinced because the numbers are telling me a different story. Despite the huge amount of folks holding security clearances, I know of only two “new generation” whistleblowers, i.e. Edward Snowden and Pfc. Manning. Bill Binney, Thomas Drake, J. Kirk Wiebe, Sibel Edmonds, Gen. James Cartwright, John Kiriakou, Jeffrey Starling, Shamai Leibowitz and some others I forgot do not seem to fit the same profile.

Although I agree with overclassification being at the heart of the problem, too many secrets are much less of a problem than too many lies. Irrespective of loyalty or fear, there was little reason to go public for folks working at Bletchley Park or on the Manhattan Project. It also helps when you actually believe you are doing the right thing because you are contributing to defeat a well-defined, foreign enemy presenting a real and imminent danger (the nazis, Japan, the Soviet Union).

It becomes an entirely different story when you find out that the secrets you’re being entrusted with turn out to be unethical, immoral, illegal or unconstitutional. And that they keep on accumulating in a mindset where your targeted adversary for all practical purposes is not a small group of mostly incompetent terrorists, but the general public at large, everywhere.

Most people will choose to go along either for promises of reward (money, sex, power) or for fear of punishment (loss of job, imprisonment etc.) But the bigger the perceived immorality, the more likely someone sooner or later will blow the lid. I don’t believe this to be a function of age or changing societal context, but of values, determination and the courage to risk it all.

gmuslera β€’ September 9, 2013 7:14 PM

What about the non whisteblowers ones that have access to that info and just want to make a fast profit selling the backdoor access to basically everywhere in black markets or other governments? NSA only realized the Snowden case when he went public, and still took months to realize how he got that info.
5 millon (or even 1.5 millon, or the 500.000 from the private sector that have top secret level) people is just too much people, if even 0.1% (being very generous) of them are not fully trustable you have a big trouble in your hands, and will not know how big till it explodes somehow.
And the ultimate good in the current, global culture is money, not loyalty, nor being good, nor having a high morale. Too much people with the means, the motives, and the opportunity to take advantage of this.

I.Was.Privatised β€’ September 9, 2013 8:47 PM

@Brian – that’s the problem – these aren’t government jobs anymore – they are sub-contracted/outsourced/public-private-partnership/etc.

So when you thought you had a job for life with the government and you suddenly find yourself working for Blackwater/G4S/Serco, having your pay and benefits cut and being asked to train your offshore replacement – the loyalty gets a bit stretched.

Raging Bullrun β€’ September 9, 2013 9:36 PM

I hear people say that “1.5 million people with top-secret clearances is too many.” While that seems like a reasonable argument on the face of it, you have to remember that merely having a “top-secret” clearance doesn’t automatically mean you have access to any and every secret the government has. Things are generally compartmentalized (that’s where the “SCI” in TS/SCI” comes in) and can be even more strictly compartmentalized with code words. I am sure most of you know this.

The problem, imo, is not the number of people with “collateral” TS clearances, but the fact that the compartmentalization doesn’t appear to be working very well. Snowden is the best example we have of this. Sure, he may have a TS/SCI clearance, but I can guarantee he wasn’t cleared for code word programs like Bullrun. As the GCHQ slides said, Bullrun was so highly classified that there would be “no need to know” about its sources and methods (as an aide, this seems to be the case — it doesn’t appear Snowden got any technical details about how Bullrun really works on a low level, which is why Bruce, who has seen the documents, cannot say for sure if any crypto algorithm is compromised).

Previous leakers like Binney worked directly on (and were cleared for) the programs they leaked info about. It’s different with Snowden — it’s like he had access to a treasure trove of information that he wasn’t cleared for, which is quite disturbing.

So this is the NSA’s major problem. Somehow details about the highest level code word programs like Bullrun were accessible to a guy in Hawaii that worked for BAH. This is an epic failure of compartmentalization and I am quite puzzled as to how the NSA made such an error. Yes, even the NSA needs IT guys, but one would think such people would be specifically cleared for every single bit of data on the machines they work on.

I do think Gen. Alexander’s idea of having two people perform maintenance on a machine is a good one. It’s harder to compromise two people instead of one. It’s sort of the same concept involved with nuclear launch mechanisms.

In any case, I agree with Bruce that’s it’s going to be tougher in this day and age to keep secrets — much tougher. I don’t think it’s so much because of different social values of the younger generation as it is a matter of logistics. It’s just too easy to leak information now. One thumb drive that fits on a keychain can store all of the most sensitive data the USG has. If it were this easy decades ago, we would have certainly seen such leaks many times before. It’s much easier to sneak out of Ft. Meade or Langley with one thumb drive in your pocket than it is with a box full of papers stamped TS/SCI.

Also, leaks aren’t new. During the Cold War, leaks happened but the “leakers” generally weren’t concerned with “whistle-blowing” but rather were motivated by some ideological affiliation with a foreign government like the Soviet Union. That’s how the Russians got the bomb, after all (Rosenbergs, Klaus Fuchs, etc.). Nowadays, the motivations for stealing such information seem to be different. Yes, I am sure the Chinese and the Iranians probably steal information just as the Russians did, but that is to be expected in the world of spycraft. And if nation-states steal information, they most certainly wont advertise this fact to the world.

The difference now is that our “enemy” is no longer clearly defined. This results in NSA not focusing on just one country for intel, but on everyone including American citizens. This is disturbing to a lot of people including Ed Snowden. If the USA is spying on everyone, who does a potential leaker tell? He tells it to everyone, of course.

In the old days, people were gentlemen. They may have read the mail and listened to the phone calls of their clearly defined adversaries using all manner of dirty tricks, but the average citizen didn’t care about that and expected their government to be engaging in all manner of cloak and dagger things to the “enemy.” Now that the citizen is the “enemy”, I think you will see more of these leaks in the future. I firmly doubt Ed Snowden is the only guy at NSA with a conscience.

Anyhow, that’s just the opinion of one particular nobody looking at this whole thing from 30,000 ft.

NobodySpecial β€’ September 9, 2013 10:45 PM

@Raging Bullrun
“Now that the citizen is the “enemy” – the citizen was the enemy before, but he was a different citizen to the agents.

When the FBI ran campaigns against MLK, or the NYPD had “black” and “gay” desks they could rely on having no black or gay officers and no black or gay politicians – now it’s difficult to think of a group the NSA would be spying on that don’t also work there

Nick P β€’ September 10, 2013 12:01 AM

@ Raging Bullrun

I see some misconceptions in your post that many people run into on this topic.

” Sure, he may have a TS/SCI clearance, but I can guarantee he wasn’t cleared for code word programs like Bullrun. ”

Yes, he was cleared for it. That’s the point of his TS/SCI clearance. Like Dirk often points out, it’s more of a check on the person themself than anything else. TS/SCI people have been deeply investigated, profiled, etc compared to most. After clearance, you must possess a need-to-know for information to legally acquire it. However, people might run into information they don’t have a need to know for and the government would like no fallout to come of that. Hence, using TS/SCI cleared people for working around programs that might have TS or codeword stuff in it. Leading to…

It’s very important for anyone wanting to understand the access situation to read that article and understand those modes. They outline it very well. The only systems that are truly MLS mode are high assurance security systems (think B3/A1/EAL6/EAL7). There are very few of those and they’re likely to be locked-down, TEMPEST protected, and so on. Government just didn’t put too much effort into high assurance solutions b/c their drawbacks are extreme. Most systems government uses for classified programs are inherently too insecure for MLS mode so they run in System High or Compartmented mode. That means the admin and certain users might be able to bypass security with some skill. So they must be cleared for all information that passes through the system whether they have a need to know or not. Make sense?

Trickier still, Snowden was administering the system. There is no easy way (maybe no way at all) to allow someone to physically and logically administer machines w/out them being able to subvert them. That’s why most high security products in Common Criteria include both the “trusted administrator” and “physically secure” assumptions. (Look up the security targets I ain’t joking.) “Trusted” in security means can violate the security policy. Post 9/11 the government is all about sharing and crunching data. Tons of System High type systems means they have to trust the admins and many users. This system was probably system high so Snowden was a “trusted” part of the system, almost by nature.

Hence, it’s not compartmentalization that failed: it wasn’t even used really. Rather, NSA/DOD leadership failed. They kept ignoring their own policies for sufficient protection of highly classified information. They didn’t apply best practices for reducing the risk of malicious insiders. This is although they are one of few organizations with both the money and skill to do it. Years of incrementally removing restrictions, increasing sharing, reducing security of TCB’s, adding privileges… it all bit them in the ass when Snowden decided he had enough.

Compartmentalization still works, though, when it’s used. If you don’t think so, then name every subverted company or cryptosystem subversion technique the NSA uses. (Maybe it is in the doc’s…) Give me a technical spec of SCIP, Firefly or HAIPE that I can implement. Those are NSA’s versions secure voice, key exchange, and IPsec that are actually secure. Give me their Type 1 or TEMPEST evaluation process full details. Know why you can’t? Compartmentilazation was applied and has worked so far. πŸ˜‰

(Probably also why I still don’t know what that secret shuttle they sent up was doing. Maybe it’s in the Snowden documents too. Although, I figure it’s a SAP and compartmentalized so it will probably take me 40+ years to figure that out too.)

Figureitout β€’ September 10, 2013 12:12 AM

I think the “coolest” companies to work at are all the major tech. companies, google, apple, microsoft, intel, microchip, atmel, arm, ST, AT&T, Freescale, TI, Cisco, AMD, etc. The labs/equipment and sheer amount of fellow engineers/programmers at these companies would be fun, but being at a small company w/ some experience, access to leadership and almost basically running the company would be so much better. Gov’t will be uptight and paranoid (and probably underpaid), people work better being isolated from danger and can almost “live” in their work.

Clive Robinson
–There’s a man named “Joe”, used to supposadly set up radar antennas in Vietnam for the airforce, then do computer security for some nuclear sites in rural areas. You could tell he wanted to say the things he did, but he wouldn’t…no matter how hard I probed (which I only had a couple times). He’s since had a debilitating stroke, and I never got to talk to my grandfathers like I would now. At his old age, he was able to get my respect w/ the sheer strength of his handshake, at his age and even having veins reorganized in his body. I think he liked me b/c he recognized I respected him; people like him made the country strong. He would stare at the flag and salute it, he trusted his leaders to not be worthless imbeciles. Not even my grandmother would tell me what she did (doubt it’s much, but still I don’t know); in an area that supposadly has the highest number of PhD’s in the country, and some “explosive” history.

OfficerX β€’ September 10, 2013 1:32 AM

Excellent article, thanks. We always knew that security is a sociological problem in a technological context, this highlights a new aspect.

EPIC Files FOIA Suit to Determine If Tor Is Compromised β€’ September 10, 2013 3:03 AM


EPIC Files FOIA Suit to Determine If Tor Is Compromised

EPIC has filed a Freedom of Information Act lawsuit against the Broadcasting Board of Governors, a federal agency that oversees all U.S. civilian international media. EPIC seeks information about the federal government’s interest in the Tor network. Tor is a program designed to allow encrypted, anonymized online browsing and is used by many human rights organizations. Recent news reports indicate that the National Security Agency has targeted the communications of Tor users. In a related matter, EPIC has asked the Supreme Court to halt the NSA collection of domestic telephone records. For more information, see EPIC: EPIC v. BBG – Tor.

Nathan β€’ September 10, 2013 4:32 AM

I have nothing to add to this, other than to say that I’m really impressed with the depth and intelligence of all the commentators here.

I’m used to finding bickering and banal comments the end of blog posts, but each of the above has been intelligently considered and written.

I shall return here often.

Z.Lozinski β€’ September 10, 2013 5:25 AM

There has been a fundamental shift in attitudes to secrecy and the state since WW2, and it is probably important for all of us (including the NSA) to understand this, and the implications.

MRD Foot’s “History of SOE” makes interesting reading, as much for the attitude of the author. (The reason an apparently dull and boring academic historian listed the Special Forces Club in his Who’s Who entry is that he spent WW2 as an SAS officer). One interesting point he makes is that a number of very sensitive operations do not appear in the archives as a lot of the senior people involved β€œknew how to keep secrets”. He is also pretty blunt on the fate of double agents in the Resistance, and there wasn’t a lot of due process involved.

And yet, the WW2 sources I have read suggest that everyone involved accepted the effort and sacrifices involved and in the case of Bletchley Park and similar projects accepted the lifelong duty of confidentiality.

Not long after WW2, according to the historian Peter Hennessey, the British Cabinet was considering yet another proposal from the Home Office for mandatory ID cards. The then-head of MI5 opposed the proposal, saying in effect “no, we just fought a war against that sort of thing”. Willie Whitelaw (Margaret Thatcher’s Deputy Prime Minister in the middle of the P-IRA campaign) did pretty much the same thing in the 1980s.

During the Cold War, a similar attitude prevailed.

Something fundamental has changed since then. There were two classes of secrecy cases in the West in the 60s, 70s and 80s: real espionage (eg GCHQ’s Geoffrey Prime, the Walker family in the USA) and prosecuting the causes of political embarrassment (Watergate and the Pentagon Papers in the USA, ABC, Clive Poynting etc. in the UK).

Christopher Moran’s “Classified” (Cambridge 2012) makes the point that most of the control of secrecy and classification in the UK in the second half of the 20th century is about politics not security.

I think most people believe there are some things that should be kept secret – the launch codes for nuclear weapons are something most of us would wish to know are restricted to a small number of highly-trusted individuals of unimpeachable integrity. Note though, that this is not the same as revealing the fact that the USAF for many years ignored a direct Presidential order on the implementation of permissive action codes.

So is the issue that the political abuses of secrecy over the last 50 years have discredited some of the real reasons for classification? Protecting troops in the field is absolutely fine by me, covering Tony Blair’s posterior is not.

In which case, the best advice for the NSA and GCHQ directors would be: engage the body politic and say this is what we do and why, here is an honest assessment of the privacy vs security issues and here are the boundaries that the body politic needs to decide.

Fred Foobar β€’ September 10, 2013 5:55 AM

20-odd years ago there used to be advice in a booklet given to new staff (in the nuclear power industry) – Overclassification is as harmful as underclassification.

Clive Robinson β€’ September 10, 2013 6:59 AM

@ Fred Foobar,

    Overclassification is as harmful as underclassification

Wise advice especialy in areas where high impact physical effects can happen.

After all you don’t want a reactor coolant maintanece issue hidden to save political embarisment/fraud when the same issue could result in a core meltdown and explosion that could spread radio active material far and wide over a populated area.

If I remember correctly radio active material from Chernoble was kicking off radiation detectors in the UK’s Winscale nuclear plant. The area in between being all of northen Europe with a population in the hundreds of millions…

NobodySpecial β€’ September 10, 2013 7:48 AM

@Z.Lozinski – I think the change goes back further, at least since WWII.

The British govt kept the breakthroughs at Bletchley park secret and destroyed all the research on computers to keep secret the breaking of the Enigma. This was done so enigma machines could be given to allied countries without them knowing they were breakable.

So Britain gave away a lead in computers in order to be able to spy on New Zealand!

vas pup β€’ September 10, 2013 9:04 AM

“But then they see government agencies where people actually do build lifetime careers, your salary is likely to be able to increase over time and you’re not going to be summarily fired while the incompetent CEO gets a golden parachute.”
Just addition: Information regarding government jobs postings/opennings is open. Description is not vague as with private sector and included clearly: salary range (not that stupid game in private sector during job interview), job functions, job location, benefits, and basically lifetime careers included training when new skills required, not kick out as in private sector, and looks like fair game for employee in comparison with private sector. In this case loyalty to government as employer is reasonable. Same applied to private sector employer like Google where employees are treated as the most valuable company resource, not (forgive my language) as ‘used condoms’ – disposals as most other current private employers. To be loyal to such latter employers is just to have zero selfrespect and dignity.
Smart people could never be 100% loayal to anything or anybody.
Solution? Treat smart people good, but monitor their loayalty in progress.
Methods? Depends on organization, structure, risk of disloyalty.

Z.Lozinski β€’ September 10, 2013 10:55 AM


I think it is (much) more complicated than that.

So Britain gave away a lead in computers in order to be able to spy on New Zealand!

It is a matter of public record that New Zealand is one of the Five Eyes, so I would have to say “no” to that very specific example. (There are recent history books on the role of British security services and the end of empire though.)

Richard Aldrich’s recent book “GCHQ” makes the assertion that some of the Colossus machines were not destroyed. Aldrich says one went to Manchester University based on Ministry of Transport documents. I had hoped to check Aldrich’s statement with Maurice Wilkes, but sadly he died before I was able do this.

I would also observe that many of the people who went on to take major roles in British computing came from Bletchley Park and other wartime projects. (Turing, Wilkes, Mitchie etc.).

There are several books and declassified US government documents on the positive impact of the NSA on the computing industry in the USA. ERA, IBM Stretch/Harvest etc.

There is a major gap in what has been published on the impact of Bletchley Park and GC&CS/GCHQ on the British computing industry.

We return you to the original discussion thread.

anyone β€’ September 10, 2013 11:02 AM

Privacy is not a right.
It must be earned.

“rape victims have their selves to blame”
“arbeit macht frei”

Wonder if The Government has a “right” to privacy? If not then they should just hand over all details about their spying operations.

Dirk Praet β€’ September 10, 2013 5:15 PM

@ Nick P

OT: On MLS systems

Last week, I was contacted by someone from Trustifier following some comments we made on “need-to-know” in the “How many leakers came before Snowden” thread from August 29th.

With their Trustifier KSE System, they claim to have a solution for implementing scalable COTS MLS on Windows, Linux and other unices. It is described as a kernel level rule enforcer and drop-on wrapper technology providing MAC, MLS, ML-integrity and multi-domain separation designed to provide need-to-know and framed as default-deny insider threat protection.

An abstract on its capabilities can be found at . This is not an endorsement. I don’t know Trustifier and I haven’t had time to go through it all yet, but since this is your area of interest too, I thought I’d give you a ping.

Anon β€’ September 10, 2013 6:18 PM

This article seems weak on evidence. As Dirk points out, despite the large number of people with clearances, only two leakers seem to be of the new generation and Chelsea/Bradley manning would have been considered a textbook counterintelligence risk during the Cold War. Thus, Bruce really is extrapolating a theory/trend from a sample size of one.

Dirk Praet β€’ September 10, 2013 6:41 PM

@ Z.Lozinski

Christopher Moran’s “Classified” (Cambridge 2012) makes the point that most of the control of secrecy and classification in the UK in the second half of the 20th century is about politics not security.

Thanks for the pointer. That idea pretty much represents a similar gut feeling I was having but which I just couldn’t adequately phrase.

Raging Bullrun β€’ September 10, 2013 7:48 PM

@ Nick P

“Compartmentalization still works, though, when it’s used. If you don’t think so, then name every subverted company or cryptosystem subversion technique the NSA uses. (Maybe it is in the doc’s…) Give me a technical spec of SCIP, Firefly or HAIPE that I can implement. Those are NSA’s versions secure voice, key exchange, and IPsec that are actually secure. Give me their Type 1 or TEMPEST evaluation process full details. Know why you can’t? Compartmentilazation was applied and has worked so far. ;)”

That’s correct, and is what I said in my original post. It seems most of the documents Snowden has are those of the “general” type that don’t provide any low level details — all we have gotten thus far is “these programs exist and can accomplish XYZ.” Of course, merely knowing about the programs and what they can accomplish at a high level is enough to throw a wrench in things for the NSA.

Changing the subject slightly, have you ever taken a look at the internal crypto journals that NSA published on its site a while back? Many of the journals are heavily redacted and the latest versions they have released are from the mid 1990’s. In any case, there are still some interesting articles in there that weren’t redacted.

One of the most interesting entries, to me, was one from the March 1994 edition on page 12. One of the NSA guys was writing to his colleagues about his attendance of the ’92 Eurocrypt conference. Here’s a couple of his quotes:

“Three of the last four sessions were of no value whatever, and indeed there was almost nothing at Eurocrypt to interest us (this is good news!)”

“There were no proposals of cryptosystems, no novel cryptanalysis of old designs, even very little on hardware
design. I really don’t see how things could have been any
better for our purposes.”

One of the talks was about ECC, and the author of the NSA article had this to say:

“The allegation (almost certainly correct) that certain public-key systems might be implemented more securely
by using elliptic curves has produced the predictable spate of papers on elliptic curves. We were fortunate
to have only two such talks on the current agenda.”

Basically, he seems to be implying that “ECC is better” and “thank God most public researchers aren’t spending much time on it.”

Of course, this is from 1994, so things may have changed, but it appears the NSA had a lot of confidence in ECC. This fact actually lends credence to Bruce’s assertion that NSA is “subverting” various elliptic curve schemes. If you can’t break it, you subvert it. I am no cryptographer, but I think it is highly prudent that independent researchers take a hard look at the proposed NIST curves. Sorry, but I think with what we now know that it would be foolish to trust the NIST proposals. Actually, I think we should all just use Daniel J. Bernstein’s curve25519.

Nick P β€’ September 10, 2013 8:11 PM

@ Dirk Praet

Thanks for the link and update on them. I hadn’t thought of them in a while. They’ve been here before.

Rob Lewis, Trustifier’s main “evangelist,” came onto this blog years ago pushing Trustifier during our intense OS security discussions. I was heavily promoting separation kernels at the time so you’ll see that in discussions. Rob offered up Trustifier as a foundation to build on:

  1. They say their Trustifier “meta-kernel” combines with a regular OS to add robust MAC and other stuff.
  2. The metakernel essentially wraps the main kernel calls so all system calls go through it, allowing it to enforce security on them.
  3. The metakernel is assisted by other components for policy, auditing, etc. Plenty of security-critical functionality is in them too far as I can tell.
  4. The metakernel itself is formally specified, maybe with proofs, and is tiny.
  5. They built other solutions on top of it: “Ryu” application firewall that claimed to stop every attack you can think of; “sai” document or file thing for insider threat mitigation with an eye toward classified info or intelligence use. Ryu was available for purchase, the other was a prototype or something.

  6. One time a reference to Exokernels was made although it’s hard for me to imagine it’s done that way using unmodified legacy OS. It was only available for Linux at that time.

References: I can’t find their architectural PDF Rob gave me. Probably in archived storage. The diagrams on KSE look similar. Here’s one of their old docs they used to market it. You can see some security claims there.

Rob came back with specifics of an evaluation. Here’s my response to Rob in 2010. It was a breakdown of what risk areas I thought it had and why I think its DOD evaluation doesn’t represent what they say it does. Yet, I make it clear I think it’s a nice idea with plenty of potential value in the markets for products like Trusted Solaris and SELinux.

Another very brief reply to him here. Someone else (prob an employee) hit me back with a few points. Ironically, it actually seems to make my claims about them stretching the truth more accurate in that only the barest (metakernel) version passed Red Team, not Ryu or Sai they were pushing. Or maybe he was full of it. Who knows…

So, three years later, I came back to check on them as I honestly liked the concept. I figured they’d have gotten real far considering all their claimed success. What I found wasn’t so great. As a little tribute to Bruce, I decided to doghouse them. And, more time passes, they now have three main listed solutions, cloud options, and this gem…

“Trustifier HPCE is a FIPS-140-2 certifiable, mathematically verifiable, cryptographic library and application software.” It’s also up to 1TB/s, includes 20+ algorithms (incl SHA-3 and RSA 8192), has “military grade cryptography,” integrates with PKI, and integrates with biometrics.

Maybe I’ve been too harsh on them but, ignoring my security opinions, is there anything about that paragraph or their history that makes you feel uneasy about using Trustifier for critical business/govt systems? πŸ˜‰

Sam β€’ September 10, 2013 8:21 PM

I question Bruce’s basic assumption. Government employment (Civilian and uniformed, NSA/DOD) even now tends to be very long term employment.

And as far as contracting, take a look at how the giant defense contractors are all set up… They promote heavily from within, and you can see “20-year employee” sections of the parking lot to reward long-term employment. Or look at, say, where their leadership has been with the company for 30+ years.

It’s a very different world from the consumer technology world…

Nick P β€’ September 10, 2013 8:30 PM

@ Raging Bullrun

I didn’t know about that document. Thanks for bringing it to my attention. It WAS interesting. And I’m with you on what it might mean.

The NIST or IETF standards are probably subverted to varying degrees. Or the major certified implementations are. I’m also totally in agreement about considering Bernstein’s stuff. I’ve promoted his stuff in the past and recently his NaCl library. If you haven’t, you should look on NaCl web site where they talk about how they beat timing channels w/out performance issues. It’s relatively simple, brilliant, and turns common thinking about that on its head.

I also think we can look at how NSA protects their systems: I’ve always partly based what I trust on what they trust. They often use FIPS type algorithms with specific implementation requirements. Their their Type 1 key exchange algorithm (Firefly) is derived from the public Photuris protocol. They manage keys with a centralized, purpose built system (EKMS) that generates keys, labels them, revokes them, can send them over-the-air, and sends most critical one’s via dedicated key fill devices that use special ports. So, my theory is that non-weakened, open implementations of these should do plenty well for their various use cases. What you think?

Raging Bullrun β€’ September 10, 2013 10:25 PM

@ nick P

I agree. What likely happens is NSA sort of “steers” the community through it’s control of NIST to utilize certain weakened standards. The standards NIST pushes are in all likelihood secure unless you know precisely what to look for (and no one except NSA would). As the NSA said in the leaked Snowden documents, subverting NIST is an “exercise in finesse.” However, in the case of Dual_EC_DRBG, that finesse didn’t fool Neils Ferguson and his colleague (who both ironically work for Microsoft).

So, I suspect that even though NSA knows how to break a standard (like various ECC curves), they believe no one else can. The fact NIST standards are recommended and indeed used for classified government data seems to have hoodwinked a lot of people in the academic community. “Surely NSA wouldn’t compromise its own systems” they reckon. I submit that what they have done is quite brilliant — they can recommend them without hesitation for government systems which has the side benefit of lulling a lot of people into a false sense of security. After all, AES is used to protect government machines too! (No, I am not suggesting AES is weakened. I think NSA cares far more about public-keys, as without public keys, AES is useless for anything but data at rest).

The point I am making is that they aren’t compromising their own systems since they are the only ones with the sufficient knowledge to get in. There is no way for anyone to understand exactly why the recommended curves are bad just as there is no way for anyone but them to know what the “up my sleeve” numbers were for Dual_EC_DRBG. Simply knowing that Dual_EC_DRBG probably has a “skeleton key” doesn’t help you in discovering exactly what that key is. I suspect it would be the same for ECC curves.

This is why its imperative that the community start from scratch and rewrite the standards. There should be zero question in anyone’s mind why certain curves or constants are selected.

A lot of people have long suspected NSA shenanigans in relation to the standards bodies like NIST going all the way back to the old DES days. However, it has fallen out of fashion to be suspicious of NIST in recent years (probably because we know NSA strengthened the DES S-boxes and a lot of people use that as evidence that NSA is somehow honest).

As for RSA, DSA, El Gamal, I don’t know. It seems pretty obvious, though, that NSA knows something that we don’t about their strength. And they knew this as far back as 1994 as the Cryptolog article seems to suggest (where they said ECC is certainly more secure and were glad that the public researchers weren’t wasting much effort studying it).

I do think it is a fair assumption that 1024 bit keys are broken. If you think about it, a specialized ASIC chip (each chip would be orders of magnitude faster than the fastest commercial chips) made by someone with NSA’s budget would probably make short work of it. This is especially true if you consider that their factoring algorithms are almost certainly better than the GNFS and if you consider that NSA has the budget to run thousands of them in parallel. They have multiple millions to spend on such projects and far more manpower than all of the public cryptographers in the world combined.

I am actually surprised that “Cryptolog” article didn’t have redactions. It was pretty humorous to see this guy essentially making fun of most of the participants of Eurocrypt ’92. He did seem to hold Arjen Lenstra in high regard, however. And he seemed disappointed that Adi Shamir didn’t show up.

I think this is one of the problems with academic crypto research. The published papers are all over the place, and as the NSA guy said, most of the stuff is completely irrelevant to making and breaking codes. As he said “This stuff makes for good math or for good computer science or for good philosophy, but cryptology it is not.”

Academics are really just concerned about “publishing” no matter how relevant it is to the advancement of the field. This puts them at a huge disadvantage to NSA because NSA can be highly focused in its efforts at solving various problems. Academics have no such luxury, mainly because they are all independent and publish only on what catches their fancy at the time. They also have other obligations that get in the way of “focused efforts.”

Another problem is that academics are arrogant — they like to think “NSA is not smarter than us.” While this might be true on an individual basis, you must keep in mind that NSA has far more such people working for them than anyone else in the world combined. I wouldn’t be surprised if some of the well known public researchers are also working for the NSA. Yes, I said it.

Wheels within wheels. πŸ˜‰

Calin Chiorean β€’ September 11, 2013 2:46 AM

No worries, the “solution” is on the way. As stated here and I quote: “General Alexander also announced that 90% of his network admins will be replaced by automation of some sort. It’s a move that makes a lot of sense.” How this make sense? This is no fix, this is a short time patch which will last limited time.
You still need someone to take care of these “automation” tasks and they cannot do it without access to certain information.
The answer is mentality change, future understanding and willingness to change the actual behavior.
I understand that security is important, but I think to sacrifice mass privacy is a huge price to be paid. I don’t want to think at economic impact over years…

Clive Robinson β€’ September 11, 2013 3:28 AM

@ Raging Bullrun,

With regards weaking systems the NSA was doing it before it existed πŸ˜‰

That is many of the people who were founding members of the NSA had conciderable experiance in such things, likewise GCHQ.

If you look at the design of machine ciphers you find a lot of oddities that in some cases cannot be explained away.

One such is the percentage of weak keys to strong keys in field cipher equipment. It can be seen in some designs that getting the weak keys effectivly involved adding flaws by making designs more complex than they need otherwise be.

Now consider the following thought train,

Historical evidence shows that equipment will fall into enemy hands and they will use it and study it, this has been a known consideration for atleast a couple of thousand years as a minimum. Further it is known that an enemy will include anything it considers to be better in it’s own equipment. This is especialy true if the enemy regards it’s own technical abilities inferior, in which case it generaly just duplicates the equipment making only cosmetic changes.

There is no reason to suppose that crypto kit is treated any differently treated, in fact the available evidence suggests copying is the norm even if it was from an independant third party (in essence the German Enigma and the British Typex were sufficiently the same that a lightly modified Typex could be used to decode Enigma traffic).

So if the complication you add to your cipher equipment adds weaknesses you know that the chances are it’s going to end up in the enemy equipment unless their analytical skills are equal to, or better than your own.

But importantly because you designed the weakness you know which are strong keys and which are weak keys. Thus when you draw up your key settings to be used by your own troops you do not use the weak keys.

The enemy however will use keys from across the range of the keyspace and thus will use weak keys unknowingly. Thus if your design causes 25% of keys to be weak on average one in four enemy messages will be easily readable. When this is allied to other techniques such as traffic analysis and various types of plaintext analysis it makes decoding the other three out of four messages much simpler or in some cases not needed.

There is also a degree of evidence that the NSA provided “technical direction” to what was for many years the only successfull independent manufacturer of crypto equipment. Which supplied many governments with equipment and eventually came under suspicion and had a representative of the company arrested by a middle east nation…

With regards DES and it’s supposadly strengthand S-boxes go take a carefull look at the time line, it appears the strengthaning occured after not before the T-attack was found by the non NSA developers… Now maybe the T-attack was unknown to the NSA and they took it onboard. Or the T-attack was known to them and they realised they had been “wrong footed” and had to make amends.

What we do know from the design of the cipher for the infamous “Clipper Chip” is that it is very brittle/fragile and small almost insignificant changes decimate it’s security. To arive at such a design indicates a very proffound knowledge of how to hamstring ciphers which can only have come from years of practice…

As I’ve indicated in the past the NSA in effect rigged the NIST AES contest with considerable finess. The NSA must have known just how problematical side channels in practical implementations must be. Esspecialy in a cipher designed both for speed in software and minimum gates in hardware, they chose not to reviel this so AES is in effect only secure for “data at rest” which the last time I looked is all they certify it for in their own products/usage.

JeffH β€’ September 11, 2013 8:53 AM

I’m not sure it’s a matter of generation that has changed, but rather the world around us. Many people are simply disenfranchised with much of society. They see a government (doesn’t really matter which country) that really never seems to change no matter who you vote for; they see a police system that appears to spend more effort on covering their ass and petty political enforcement than pursuing real crime; they’ve been exposed to an information age where they are silently observed no matter what they do, and the observer (e.g. a search engine provider) often materially benefits from watching them. We’ve ceased to be customers and become commodities.

At the same time, we’ve been encouraged to share everything about ourselves, and then many are surprised that nobody in the rest of society actually cares about their pet cat. The Internet and its increasing presence in the bulk of society has allowed us to discover that the rest of the world also has a lot of idiots in it, not just down the street. I would predict an increasing level of cynicism in society as a result, as it’s rare to hear publicised such mundane matters as ‘politician did something useful today’, but you can bet a thousand websites blog about it when someone/something is going wrong.

Hard not to blame it on our various media, across the spectrum, for bringing us massive information overload from around the world where most of that information is selected to be depressingly negative because that sells and is ‘of interest’. I continue to find it amusing that some people actually think a free & open society with no secrets is a good thing, as though humanity has evolved to the point where we can be brutally honest.

You can’t recruit secret-keepers who have loyalty from a culture that believes that most of the world around it is going to hell in a handbasket, where their own private lives are on display to a bunch of companies, and that their peers and superiors are mostly incompetents who end up making silly statements that observers can see through and busily comment on.

Ignorance actually can be bliss – a shame we haven’t found a better alternative yet.

random_visitor β€’ September 11, 2013 9:04 PM

What are the chances that the iphone owner’s prints are on his own phone ?
isn’t that the same as putting the key under the rug in front of the door it opens ?

moo β€’ September 11, 2013 10:13 PM

@Nick P, about the NaCl library:

They claim to mostly avoid timing attacks by not allowing secret info to influence the branch predictor or instruction pointer, and by not using any data-dependent array indices.

That sounds good, but you also have to avoid any instructions with data-dependent execution latency. For example, integer division instructions on nearly all x86 chips have a variable latency that depends on the operands, so you have to be careful to not use integer division or modulo operations in the code. Its a good thing that integer multiply is fixed-latency on pretty much all modern CPUs!

Nick P β€’ October 31, 2014 10:26 AM

@ moo

Just saw your comment. Thanks for the tip. Hopefully I’ll remember it if I’m involved with a review of it. My method of dealing with timing channels for low level software is cycle accurate simulation with built-in covert channel analysis. Each instruction, group of them, or app can have a timing profile. The variances of different instructions show up when building the model and testing it on real hardware. The rest come from the model and informal analysis. Should catch stuff like that.

An alternative, taken by NSA’s modernization program, is to make a bunch of general purpose CPU’s for crypto algorithms that mitigate as many problems as possible. I’d guess they’d knock out what you describe in this process. Maybe, maybe not. Worth remembering for non-government projects attempting to do the same.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.