So, we’re on the cusp of 2014, and I was going to write a yearly review of some of the things I’ve done, places I’ve been etc. I might do that later, but right now I thought I’d draw your attention to this absolutely terrifying talk on the scope of the NSA and GCHQ’s surveillance and information warfare capability, by Jacob Applebaum.

It’s fairly long, and somewhat technical, but in short, every paranoid fantasy that we in the IT security world have had, appears to be true, and it gets much much worse…

Militarisation of the Internet

The full capabilities of what has been deployed, in the wild, against ordinary citizens is still coming to light, but here are some highlights, in no particular order:

  • Computer hardware and components have been compromised on mass; including wireless cards, hard drive firmware, Ethernet cables (!!)
  • Your ADSL router can be used to spy on you (natch), but also to perform attacks on those geographically near you, and routinely is.
  • Practically every piece of communication infrastructure has been subverted, which can put lives at risk (for example, the box they use to pretend to be a cell tower and record activity while, say, spying on the Ecuadorian embassy or flying over a city in a drone, doesn’t appear to route 999/112/911 calls).
  • Ordering hardware over the internet? There’s a good chance it has been intercepted and bugged without your knowledge.

The list goes on, seriously, watch the video…

Yes, you are owned

So, some of the capability discussed doesn’t fall under “mass surveillance”. Flying a drone over your house, intercepting your mail, or giving you Cancer so that they can read what’s on your computer screen (and you were worried about the back scatter X-ray at the airport), doesn’t scale. These techniques would likely only be deployed against people of interest – security researches, journalists, democracy advocates, Muslims etc, and then, only if they couldn’t get you another way.

Of course, they almost certainly already have you.

The back doors placed in the computer hardware and software products that every one of us owns need only be switched on, and then they can record your entire life (and keep it for 15 years). Even if you believe that the NSA/GCHQ will never abuse this capability, by accident or design, the documentation presented proves that some of these back doors have been discovered and exploited independently. It is therefore the height of naivety (and I’d go so far to say it’s criminal negligence) to assume that foreign governments, criminals or terrorist organisations won’t be able to use the same exploits to similar effect.

I’m scared, what can I do?

Not a lot at the moment, but the first step to finding a solution is admitting you have a problem.

The fact that many of these exploits could not have been created without the criminal complicity of various US companies is worth noting (it would be good to have a full list), and if you’re in charge of purchasing decisions, it might be worth boycotting these companies. Few things will affect change faster than the market punishing this kind of collaboration.

It’s clear that proprietary software and hardware is a major problem, especially in networking equipment, so the importance of projects like the open router project can not be over stressed. You may also like to consider the surveillance capability of any new hardware you buy, and perhaps you might want to leave your cell phone at home or not buy that internet connected TV?

I also think that detection of these attacks needs to be looked at more closely, and developing new forensic tools for widespread use should be a priority, since raising the risk of detection has a herd immunity/deterrence effect. I think that the fact that the bad guys seem to love RC6 encrypted UDP is interesting, and it is something that we can start actively looking for, and report anything suspicious.

Remember, a secure internet secures everybody, and we as technologists have a moral obligation to do everything we can. This means developing tools and technologies to protect people, and helping our less technical friends and family to use them to protect themselves, and it means building countermeasures against these sorts of attacks into the architectures and platforms we build.

It also means not collaborating with organisations that seek to attack our freedom, saying no to that NSA/GCHQ recruiter, and it means blowing the whistle when you see abuses taking place.

Be safe out there.

For the past few weeks I have included the following message in my email signature:

IMPORTANT NOTE, PLEASE READ:

Unless this email is encrypted, it will
almost certainly be read by multiple unknown
third parties; archived, processed and any
information contained in the email used for
purposes unknown.

If this makes you uncomfortable, please
read up on OpenPGP and email encryption. I
am happy to help you get started.

Please also read my data jurisdiction
statement:
http://mapkyc.me/158prCK

This is to draw attention to the fact that nearly all traffic that crosses UK and US borders is intercepted and read by the government, and in the case of the US, used for economic as well as political espionage.

If this makes you uncomfortable, and it should, especially if you’re using email for business, you should look at implementing email encryption throughout your company, and training your staff accordingly.

surveillance-cameras-400 The NSA/GCHQ spying scandal is far reaching in both scope and the damage it has done to our liberal democracies. It is primarily a political problem, as well as being an IT security issue.

It is also, and this gives me some hope that we can beat this thing, an economic problem.

One important thing that the recently leaked black budget tells us, is what the government considers to be a reasonable price tag for the mass surveillance of every man, woman and child on the planet.

$250 million dollars per year (British figure not known at time of writing, but likely to be in a similar ballpark), is not a particularly large amount of money, and is a figure based on a number of storage and processing assumptions.

Much of the internet traffic is unencrypted and so can be processed live, the contents not stored. Encrypted traffic carries an extra processing and storage overhead; encrypted messages are kept until they can be broken, and processing resources spent trying to break them. Even if some of the algorithms used have been deliberately weakened, there is still a significant number of messages they can’t break.

The $250m/y budget is calculated based on estimates based on these assumptions.

Raising the cost of doing business

What does all this mean?

Well, what this means is that we, the citizens, have a very real way of changing the economics of mass surveillance programs like PRISM and TEMPORA, and significantly increase the price tag. Hopefully, to a level where it becomes politically and economically impractical to run them.

These programs are budgeted and resourced based on the assumption that relatively few people use hard encryption (HTTPS having been compromised), so if there was a marked increase the level of encrypted traffic going over the network, it follows that there would need to be a corresponding increase in resource expenditure in order to maintain the same level of capability. To a point, hopefully, where they are unable to keep up.

Every time you use encryption you help increase the cost of the program, and provide herd protection to your fellow citizen. Even if that encryption has been deliberately weakened, there is still a net gain for the good guys, since some processing resources will still be spent.

Additionally, since they feed data collected through various pattern analysis algorithms (in order to better profile us and to optimise resource allocation), if a significant portion of the dataset were to become unavailable, we can dramatically screw around with the baseline calculations, which may act like a force multiplier.

What I’d like to see

We need to dramatically increase the amount of encrypted traffic on the internet at large (remember, it seems that the security services have been compromising the implementations of algorithms, and sometimes the hardware and RNGs they depend on, not the algorithms themselves. Backdoors will be fixed – in free software implementations at least – and compromised hardware replaced or worked around).

I would like to see everybody making a pledge that everything they send over the internet will be encrypted. As technologist we need to take the lead on this; we have the moral duty to help protect our users, which means designing systems and networks so that they are resilient to subversion and surveillance, and to help people without technical knowledge protect themselves (friends don’t let friends use cleartext, as I’ve discussed before).

Remember, every time you send an encrypted message, you – in a small way – help protect everyone else on the planet.