NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Clicks, Hacks, and Flacks: Reflections on Hypocrisy and NSA

       Clicks, Hacks, and Flacks: Reflections on Hypocrisy and NSA


At some point, you've probably seen one of those "best of" compilation
shows on television. "World's Funniest Commercials" -- "TV's Best
Bloopers" -- "Most Hilarious Pratfalls" -- you know the drill.

One thing you can usually depend upon is that only the very first
edition of such shows is actually worth watching.  By the time you get
to "World's Funniest Commercials 2" producers are already likely
digging around through the "not so funny" stuff that they rejected the
first time around.  But lack of quality has never been a major
detriment to getting additional rounds of such shows on the air.
After all, it's the eyeballs that count, and if people will watch
trash ... well, it's still money in the bank.

Oddly enough, we've been seeing a similar effect -- in a much more
serious vein -- in the entire Snowden/NSA saga.

The earliest Edward Snowden documents and stories deployed by UK's
"Guardian" and associated outlets were the most dramatic and
compelling -- albeit heavily contaminated with out of context,
hyperbolic exaggerations and outright falsehoods.

But man, did they ever put a valuable publicity spotlight on these
newspapers, increasing their exposure dramatically.

Since then, we've seen a continuing dribbling out of new documents and
stories, each generally somewhat less dramatic, lacking even more
context, and increasingly foggy even on claimed details.

So in essence, as this entire process is dragged out for maximum
eyeballs and clicks, we're already down to "Snowden's Greatest 
Hits 42" -- or something like that.  The most interesting stuff -- 
however accurate or not -- was published weeks ago.  Does Guardian have 
more purported "Snowden bombshells" salted away ready to pop out on the
proverbial rainy day?  Perhaps.  But it seems decreasingly likely.

You've probably also noticed that the degree of attention and at least
claimed outrage has been ramping down as additional Snowden docs hit
the scene.

Part of this can likely be attributed to simple "revelation 
fatigue" -- but even starting from a fairly pathetic baseline, the quality 
of this stuff seems to be falling off ever more, as news outlets try to
figure out how to squeeze every last click out of supposedly
revelatory articles that in most cases discuss matters that have been
widely known for years or even decades.

Much of what we're seeing now basically repeats concerns expressed in
magazine cover stories from as far back as 1970 (e.g., "Newsweek": "Is
Privacy Dead?").

In a piece a few days ago, "The New York Times" breathlessly reported
on DEA access to a decades deep cache of AT&T phone call metadata --
the same program that the Times reported on in, hmm ... 2006!

So not only are we now getting the "not so best of" stories, we're
actually getting reruns touted as world premieres.

The latest in the "Captain Renault" school of outrage -- "I'm shocked!
Shocked to find that NSA has been cracking codes!" -- is particularly

Related stories make general claims of NSA efforts to subvert TLS/SSL,
and assert (without naming any names) that unspecified "technology
companies" have been participating in this effort.

Of course there's no reasonable way for tech firms to retort such
vague accusations, even if the government wasn't so intent on using
national security laws to try prevent companies from demonstrating
their innocence through releasing more data regarding what the
government actually is demanding from them.

"So when did you stop beating your wife?  Just give me the date,

What lends an even more bizarre air to all this is the reality that
most people and a great many firms have been demonstrating for years
that they don't care one nit about security anyway, forget about the
NSA and foreign intelligence services of all stripes conducting much
the same research and surveillance (though in cases like China and
Russia, with massive domestic political targeting and explicit
censorship regimes that are not in the NSA's bailiwick even on the
worst of days).

The vast majority of people don't encrypt their email at all.  It's
too complicated, too incompatible, or they figure their messages are
too mundane for anyone else to care about them.  They're generally
pretty much correct on points one and two, and for most of us probably
on point three as well.

Short crypto keys that we knew were too weak to be useful continue to
be used, even many major sites still don't provide the basic
protections of SSL and STARTTLS, password files are stored in the
clear or ineptly hashed and subject to mass attacks, laptops are
carried around unencrypted full of sensitive personal information ...
and as radio DJs used to say: "The hits just keep on coming!"

And what of the underlying security of our commonly used encryption

Especially with shorter keys, it's no surprise that they're vulnerable
to one extent or another -- no NSA-inspired backdoors even required.
We live in a world where ever faster parallel number crunching and key
math breakthroughs could potentially render most popularly used crypto
comparatively useless -- in certain contexts at least.

And much like our captain friend mentioned above from "Casablanca,"
we've known for ages that the codebreakers of NSA and the rest of the
globe's intelligence agencies have been busy trying to break codes
faster than anyone else can create them.  That (along with trying to
design more powerful codes for their own countries' use) is a key (no
pun intended) part of their charters.

It has also long been understood that these agencies have influenced
crypto design in ways that might create backdoors.  Remember the Data
Encryption Standard (DES) S-Box controversies?  I sure do!

We do have some advantages now.

Whether haters and tinfoil hat types want to believe it or not, there
are firms like Twitter, Google, and others, who have been at the
forefront of deploying available crypto, both between their servers
and users, and increasingly now between their disparate data centers
as well -- and who routinely push back against overly broad government
data demands.

Also, key encryption algorithms are available now that do not rely on
relatively inscrutable S-Boxes and such, but rather on well known math
and open sourced code.

Does any of this mean that we should be oblivious to serious mission
creep at NSA, and the associated failure of Congress and the executive
branch to exercise appropriate oversight, command, and control over
NSA, CIA, or any other agencies?

Of course not.  There are indeed alarming aspects to this entire
situation, replete as it is with dissembling politicians and a federal
government apparently hellbent on blocking even a modicum of real
transparency regarding these operations.

Without appropriate oversight and transparency, the risks of serious
purposeful abuses (such as already confirmed illegal "leakage" of
intelligence data to the criminal justice system) are a major concern
indeed.  And a whole array of other potential abuse vectors -- most of
which we have no reason to believe have yet actually occurred -- may
also come into play when oversight and transparency are matters of lip
service rather than honest dedication.

But all the concerns and complaints about NSA and their doppelgangers
in other nations are in reality just icing on the cake -- a cake built
from a recipe of gross disinterest in basic computer security
protocols and procedures -- some of which have been known since the
dawn of computing.

While concentrating on dramatic NSA stories may be good for news
sites' clickthrough rates, they aren't necessarily helping address the
broader issues surrounding computer security and privacy -- the vast
majority of which can't be reasonably blamed on NSA.

Whom to actually blame, then?

Gaze into the mirror -- and point at the answer.

Yet again, Pogo was right.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein 
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
nnsquad mailing list