Schneier on Security

Clive Robinson • March 15, 2014 6:09 AM

It puzzels me that the NSA should use, let alone use by prefrence, QUANTUM (mind you the Greatfirewall of China and others supposadly use similar).

It is easily detected and would not be difficult to defend against in many ways. Which begs the question of “reliance” and what the NSA do when the “sea state” changes, which it finaly appears to be.

The first thing to note is QUANTUM is “old tech” in computing terms it’s three to five generations behind, thus we need to think about how we would do similar today and more importantly how we would stop it.

As I and others have noted befor comments on this blog about similar attacks actually pre-date the TAO noticably enough that some have joked about copyright violation by the NSA.

And it’s an important observation for various reasons, because it indicates the NSA has limitations on what it can do that actualy ‘puts it behind the curve’ in the field, not ten or thirty years ahead as some would have you beleive under the Myths and Legands. The question is “Are those limitations real or imposed?[1]” and “Does it matter as long as they are in place?” as we are fighting todays enemy not tomorrows. But the age old question arises of “why fight if you are clever enough not to?”

You can only be attacked if you can be found, so sometimes the best defence is to put yourself out of harms way as Mr Greenwald observes in his article the problem is,

… the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

To do this the NSA have to first get the malware onto the target’s machine and contrary to “myth and legand” they are not omnipitent or omnipresent beings as this quote shows,

In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency’s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an agency hacker boasts in one secret document. “The only limitation is the‘how.’”

And there is the crux of the NSA problem like vampire lore they can only cross your threshold if you invite them in, in some way. That is the NSA need to trick ‘the target computer into communicating with an NSA controled computer’ if it does not then the malware cannot be put onto the computer remotely.

I suspect this problem is not lost on the NSA, in the same way it’s not lost on the marketing industry. After all you can only send an RSVP invite if you know where to post it, so the only solution is to “broadcast it” in some method which might include leafleting every residence there is via “junk mail”. And it’s this later strategy the NSA appear to be addopting. Even so “junk mail” is known to have a poor return rate hence the prefrence for “targeted marketing”. At the end of the day all of these NSA aproaches are taken from the field of marketing which is all the cyber-crooks have done as well, so again the NSA is “behind the curve” on this as well.

Whilst “junk mail” is as a minimum a “refuse issue” riseing to anoying most of us know how to deal with it when it drops into our letter boxes, we rarely read it much less act on it. Thus the marketing approach can be defeted when it comes to our physical letter boxes. However due to the very poor state of our computer software the NSA can “post-a-roach” that climbes out of your letter box and scurries to the nearest cover to then attack your home. Again in the real world we have solutions –use a post office boxes and open your mail in a cafe etc– we need to translate this solution into an online equivalent.

As discused on this blog in the past there are many solutions to these various problems you can do individualy, however this still leaves the “upstream issue”. Currently the biggest upstream problem with the Internet is the “all roads lead to Rome” issue of it’s current physical construction and routing mechanisms with “choke points” located in the Five Eyes nations. Avoiding these choke points is by no means impossable but most –if not all– need “out of band” solutions that just don’t exist or are not practicle or flawed in some way. Until we solve the upstream issues the NSA does not need to be ahead of the curve, nor even on it, marginaly behind is just fine.

[1] The fact the NSA appears “behind the curve” is one I’ve thought about on a number of occasions and as has been pointed out by Nicholas Weaver often they hold themselves back by tripping over their own feet for various beauracratic or compartmentalisation issues.