Audio: Episode 253 of the Matthew Filipowicz Show

On today's show, we have encryption specialist and author Bruce Schneier here to discuss the latest NSA revelations including the NSA working with tech companies to insert weaknesses into their code.

Listen to the Audio on MatthewF.net

Transcript

Privacy PC published the following transcript of the interview.

- All right, joining me now here on the Matthew Filipowicz show is Bruce Schneier. Bruce is a security technologist and encryption specialist. He's written for the Guardian, the Economist, Wired and more. He's the author of 12 books; his latest is Liars and Outliers: Enabling the Trust Society Needs to Survive, all of which and more you can find at schneier.com. You can also find him on Twitter @Schneierblog. Bruce, thank you so much for being on this show today!

- Thanks for having me!

- All right. So, Bruce, you have been working with the Guardian and have seen many of the documents leaked by Edward Snowden. Last week the Guardian, along with the NY Times, reported on how the NSA has not only been breaking encryption, but also working with technology companies to insert weaknesses that the NSA can exploit. Do us a favor: describe for us in greater detail what the NSA has actually done here when it comes to encryption and why we should all be concerned.

- Sure. When we think of the NSA, we think of spying in general. We imagine them going out and spying on our enemies, right? We like when they do that, when they spy on foreign governments we don't like or the terrorists or militants, that they're going out and breaking in their systems and eavesdropping on them. That's the good part of what the NSA does.

But it turns out what they're doing in addition is breaking security for everybody, including all of us. So, instead of going to—and I'm making this up—China and eavesdropping on the Chinese systems, they are systematically putting vulnerabilities in commonly used software because the Chinese might use them.

So, for example, you might be using Microsoft Windows—and we don't know company names here, so I am just making them up for illustration—you might use MS Windows, Windows will include some security features. The NSA tries to break those features for everybody. And they do that not through advanced mathematics, but through cheating.

So they go to software and hardware vendors and get them to insert vulnerabilities not in the software being sold to China, but in all software being sold to everybody. So all the products we buy are potentially tainted. And they do this through several ways: they do this through agreements—asking nicely: "Can you please do this for us?" They do this through threatening: "Play with us nicely or we'll do these bad things to you". They do this, we believe, through national security letters: "We forced you to do this and you can't tell anybody". And this is probably the most amazing part of the documents: they occasionally do it through moles. The government has secret employees working in companies, in US companies, we think, that are deliberately subverting these systems. And the reason this is so bad is that it breaks the security for everybody, not just for the bad guys. We are all less secure, because the NSA has decided that its mission of eavesdropping is more important than all of our security on the Internet.

- Unbelievable. And you actually wrote that you've resisted saying this up till now, you're saddened by it, but the US has proven to be an unethical steward of the Internet. I mean, you've kind of described what that actually means, but so much of our lives are online now; the fact that so much of this is compromised, that every little thing, all of the programs have these weird backdoors that have been forced upon or hiddenly put into these programs. If you're even a business trying to run in the US, you should be furious about how the NSA is making your business less secure.

- And that's correct. We all trust the Internet for so many things: for personal things, for business things, our human rights groups trust the Internet, dissidents trust the Internet—everybody trusts the Internet. And to have it systematically weakened for this very narrow espionage purpose is just madness. We're ok with the NSA going after the bad guys, but leave us alone when you do it.

- Absolutely. So, you've written a couple of posts on trying to fix this. And two of them are very, very interesting, one when it comes to engineers themselves, because people who actually built the Internet and built the guts of the Internet and actually did all the coding—talk about what engineers could do, because I know that something you're working on right now is actually trying to get more engineers to come forward and actually talk about: if they were approached into being told to build some type of backdoor, what should engineers be doing right now?

- Sure. Now, to be said, I believe this is primarily a political problem, that the real solutions are going to be political. The NSA is exceeding its authority; its mission is taking over the rest of the government and they need to be put back. And it'll only happen through the President, through Congress, through the courts. So those are primarily the challenges against this.

And what I'm talking about is really kind of on the fringes. There's some stuff the engineers can do, but it really has to be political. I am an engineer and I speak to engineers, and the question we're going to ask is: "What can we do independently?"

And there are several things. The first one is transparency. We need to know which systems are good and which systems are tainted. Presumably, the NSA hasn't gotten to everything, so there are going to be some secure systems out there. So what I want is stories. People who have been in contact with the NSA, people who have agreed to make changes—I want them to step forward and say what they did. In some cases there will be employer agreements, but in many cases there won't. These people are not bound by government secrecy agreements, they don't have clearances; these are just normal programmers and, maybe, managers working in these companies who have been approached by government to add backdoors.

We want to hear their stories. And to that end I've heard a few of them. I know two of them were in the process of being published by different reporters. I have two more who have decided at this point they don't want to come forward, and one more that will but he's busy right now. I hope to get more.

- Well, I can't imagine why anyone wouldn't want to come forward.

- There's a lot of reasons you wouldn't want to come forward. You'll be embarrassed you did it; you don't want to embarrass your company; you're afraid of retribution from your peers—there's a lot of reasons why people would keep this quiet. I'm hoping that their safety in numbers; and the more people that do talk, the more people will talk.

There's other things we can do as engineers, and in my writings I called the Internet engineering a taskforce—they're basically geeks that run the Internet. They make the standards that make the Internet work to take up this charge.

And I'm not sure exactly what we can do. But I think, in one case, we have to figure out how to design systems that are resilient to that kind of tampering. So, certain systems are easy to tamper with; closed source systems are easy to tamper with, proprietary systems are easy to tamper with; systems that have random number generators are easy to tamper with. So the question is: what design principles can we come up with that are harder to tamper with? What protocols can we create that are harder to tamper with?

And we, as engineers, can make this a harder problem for the NSA. We can also go into all the existing systems and start looking at them. Let's find the problems. Again, I'm making this up; I don't know company names—Microsoft's Bitlocker. This is Microsoft's proprietary closed source hard drive encryption program. Were I the NSA, this would be a prime target for me. Is it tainted? We don't know. But if Microsoft will make the code for that system public, we can now look and we can figure it out.

- I'm talking to Bruce Schneier, a security technologist, encryption specialist and author. Let's talk about the political side of what needs to be done, because you also wrote very well about how the trust is gone, and the trust should be gone after all we've learned. I mean, really, we should not be trusting the NSA after all that's being revealed right now. They really are not trustworthy stewards when it comes to the Internet. You actually wrote on what is necessary is in a lot of ways full disclosure, not only that, but having a special prosecutor installed that would have access to all of the classified files. Talk about that, because that is something that actually should be pursued very vigorously by activists now.

- Well, this is actually interesting. The question is: "How do we restore trust?" We know the NSA has been doing all these things. We don't know what else they're doing. If they say: "This is all we're doing, there's nothing more," we don't believe them, because we know for a fact that Glenn Greenwald has another allegation. He's just waiting for the NSA to deny it so he can prove that they're lying. He's done this several times before; he's going to keep doing this.

It's kind of the same thing as trust in relationships. You know that if you betray a spouse, the only way you can regain trust is by telling that spouse absolutely everything. You hold back, you dribble the truth, it just makes it worse. This is kind of the same circumstance. The only way we can regain trust is if the NSA says: "Here, here is everything. We were wrong, we're sorry, please forgive us, here is the whole truth." And it's got to be the whole truth, because as soon as we feel they held back, we're not going to trust anything again, and it's much harder the next time.

And to that end we need—I've been using different metaphors: either a special prosecutor or a new Church Commission, or something like South Africa's Truth and Reconciliation Commission—some mechanism by which we can know what they're doing. We don't need to know operational details, we don't need to know the name of the Pakistani general circuit the NSA is listening to, we don't need to know the North Korean military channels—that's all operational secrets; we get that. But then programs, the methods, the things the NSA is doing in our name with our tax dollars, we kind of get to know. And that's important.

- Yeah, obviously, I think the side of that is not just them coming forward and saying: "Ok, that's it," but actually having a way to verify. I'm actually having someone from the public actually having access to it, to actually verify that they are telling the truth now. And also I would like to see those who broke the law actually be prosecuted for their crimes, but we don't really see that happening a whole lot. We saw tortures, breaking the international law, and no one was prosecuted for torture.

- Yeah, it's unlikely, and especially because there are very few laws actually broken. I think what's more likely happening is that, as we know, laws don't keep up with technology. So there's always a lot of grey area in law. And I believe the NSA is expanding its mission to fill all possible grey area. And I don't think there's real full law breaking: "Here is a law, let's break it." I think it's more like: "Here's a law, there are half a dozen interpretations, let's pick an interpretation that's more favorable to us." And since there's no actual real oversight, there's no counter-balance to that. So I think that's what's going on.

I want to make one more point before we close, and that's the international nature of this. When I talk about the US being the unworthy steward of the Internet, I mean something very specific. We're right now living in a very hard time for the Internet. There's a lot more nationalism. Countries like China, like Russia, Iran, Syria, Tunisia, Egypt are using the Internet for censorship, for surveillance, for propaganda, for telling what their citizens can and can't do.

These governments are using the Internet for very bad things. And the US has long been an example of how to manage the Internet properly, how to maintain a free and open Internet. And we've been fighting against what's known as the Cyber Sovereignty Movement, giving these countries more control over their national Internet. We want to keep the international Internet. What the US has done is undermine all of this work. We have emboldened those countries to do more against their citizens. And what they're doing is much, much worse than what we are doing. But we have now legitimized them. And that is a huge, huge shame.

- Before I let you go, I want to ask you one more thing, if that's all right. You actually wrote just the other day a really interesting post. That point actually needs to be made overall, because I think a lot of people necessarily may not be interested in this NSA story, the broad NSA story. But you actually tied it back to what's kind of going on in this country right now when it comes to jobs, which I found very interesting. And you actually wrote about how a lack of job stability in the economy is actually hurting the NSA's ability to keep secrets. Describe that, because I actually find that whole concept very, very true. So tell us about that.

- So, what I'm looking at is the number of whistleblowers we have and what that means for the national security apparatus. So, fundamentally, let's think about the way the intelligence used to work. Think of the World War II movies, the Cold War movies, where some bright young person would be selected when he was in college and he would be inculcated into the intelligence world. And he'd learn the secrets, so he had a job for life, and that's the way that community worked. You protect the government secrets, the government will protect you, you will learn the secret knowledge, you'll become one of us, and you will not betray us. It was very much a loyalty-based organization.

That kind of metaphor fails in the world of outsourcing and contracting and two-year employment and no job security, which is really what the current young generation knows about the world. So, when you look at Chelsea Manning, you look at Edward Snowden—Manning was 25, Snowden was 30. These people know there's no jobs for life. For these people there's no: "The government will take care of you." These people are much more likely to say: "This stuff is wrong, I'm going to expose it," simply because their world view is different. And I think that's a huge generational issue and something that's going to bite the NSA. There are millions of people with security clearances. I think that Manning and Snowden are the first of many.

- Bruce Schneier, security technologist, encryption specialist. He's an author of 12 books, the latest "Liars and Outliers: Enabling the Trust Society Needs to Thrive" you can find at schneier.com, you can find them on Twitter @schneierblog. Bruce, really, really interesting stuff, honestly, again, this is something, this ongoing story is so important, and actually having your encryption expertise on this is really, really great. Thank you so much for what you're doing and thanks for being on this show!

- Thank you!

Categories: Audio, Recorded Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.