Thursday, September 12, 2013

More Snoopy Dog

IMPORTANT!  YOUR PRIVACY!
Mark Minasi is a really smart guy who teaches computer techs lots of helpful info. This month his newsletter has some information on the NSA. I have thought about using encryption to make my emails private from the govt's prying eyes. The information Edward Snowden revealed shows that the NSA has compromised a lot of the encryption out there.

The NSA Revelations:  Why Are We Even Talking About Syria?

Relax; before you ask, that headline isn't political, it's just amazement.  It's not a comment on the U.S. government, it's a bit of befuddlement about the U.S. print and electronic press.
Last Friday, I was having lunch with my friend Kathleen, as I owed her lunch for her kind video editing.  We were looking at CNN's iPad app browsing the news of the day, which, as we're American, was all about Syria, chemical weapons, and, as it's CNN, what color eye shadow Kim Kardashian is sporting these days.  Yes, Syria's a big story and the use of chemical weapons by anybody is terrible, but inasmuch as neither Mr. Obama, the UN or Mr. Assad are likely to ask my opinion on the matter, I just kind of skimmed the stories and hoped for the best.
But then Kathleen pointed out an article, a kind of below-the-fold piece about some new revelations arising from the files leaked by former NSA contractor Edward Snowden.  Basically, the news -- which came from the Guardian, who's doing a great job shining a light on the particularly scary nuggets in the huge pile of stuff that Snowden has leaked -- said that basically the US National Security Agency (NSA) has, through a combination of dirty tricks, brute-force computing and clever math been able to nullify much of the encryption that we trust implicitly and that is essentially the bedrock of modern communications, privacy and commerce.  Some of the high points, vastly simplified, are:
  • If the NSA wants to examine or eavesdrop on anything you do on a Windows or Apple computer, it can easily install a Trojan that no anti-malware software can detect.  That lets them get even the most complex password, if it's stored on your system.
  • They have strong-armed some security vendors into putting back doors into their products.  One of those vendors is rumored to be Microsoft.
  • The NSA pretty much runs Wireshark on every ISP, telecom and other communications provider in the country.
  • The NSA keeps a complete database of every email sent through US wires for the past few weeks -- they haven't storage for more yet -- and a simple app lets NSA analysts search to see not only who you've been emailing (the "metadata" that the NSA has already admitted to), but what you've emailed.
  • Some folks observe that the NSA has 11,000 mathematicians on their payroll, and that they may have found exploitable flaws in modern encryption schemes.  In other words, your private keys may not be all that private.
Here are a few links I found interesting:
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=1&
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
http://www.theguardian.com/commentisfree/2013/sep/06/nsa-surveillance-revelations-encryption-expert-chat
http://www.popehat.com/2013/09/06/nsa-codebreaking-i-am-the-other/
There's more, but honestly that's not what I see as the most amazing thing here.  Instead, I've been amazed about how little response I've seen about this news.  Saturday morning, I turned on the news channels, expecting to hear more details, NSA denials, government reaction, people marching in the streets.  But all I heard was Syria and chemical weapons.  Sunday... same story, and today, 9 September 2013, no change.
Look, Syria's important, and there are strong arguments on both sides.  Whatever the American government does or doesn't do about chemical weapons in the next few weeks is important, and if you're reading this as an American citizen, then I strongly suggest that you get smart about it and share your opinion with your representative in Congress.  (You know, like when we all sent them emails telling them not to spend trillions on TARP.  Oh, wait, they ignored us.  Hmmm.  Never mind.) 
Seriously, I just want to suggest that the recent NSA revelations are important, very important, and to us IT pros in particular.  If SSL, certificates and VPNs are a joke, then all of us IT pros are out of business.  (Maybe it's time to brush up on your Linux skills... when you get the source code, you know there aren't any NSA backdoors.)  Snowden wasn't even an employee, he was a contractor, and he took this stuff out the door to leak it to the world... how long will it be before someone else with NSA information decides to arrange an early retirement by quietly selling NSA's spymaster tools, information, and keys to some bad guy?
Look, I don't have the answers.  I understand that it's a big old scary world and that every big country and probably a bunch of large non-governmental organizations are all trying to hack each other, and that whatever the NSA's up to, there are at least a few other players doing exactly the same thing.  But I really, really, really wish that every stakeholder from the most casual Internet user to the techiest IT pro were talking less about chemical weapons, and more about computational weapons.


