September 07, 2013

Clicks, Hacks, and Flacks: Reflections on Hypocrisy and NSA

At some point, you've probably seen one of those "best of" compilation shows on television. "World's Funniest Commercials" -- "TV's Best Bloopers" -- "Most Hilarious Pratfalls" -- you know the drill.

One thing you can usually depend upon is that only the very first edition of such shows is actually worth watching. By the time you get to "World's Funniest Commercials 2" producers are already likely digging around through the "not so funny" stuff that they rejected the first time around. But lack of quality has never been a major detriment to getting additional rounds of such shows on the air. After all, it's the eyeballs that count, and if people will watch trash ... well, it's still money in the bank.

Oddly enough, we've been seeing a similar effect -- in a much more serious vein -- in the entire Snowden/NSA saga.

The earliest Edward Snowden documents and stories deployed by the UK's "Guardian" and associated outlets were the most dramatic and compelling -- albeit heavily contaminated with out-of-context, hyperbolic exaggerations and outright falsehoods.

But man, did they ever put a valuable publicity spotlight on these newspapers, increasing their exposure dramatically.

Since then, we've seen a continuing dribbling out of new documents and stories, each generally somewhat less dramatic, lacking even more context, and increasingly foggy even on claimed details.

So in essence, as this entire process is dragged out for maximum eyeballs and clicks, we're already down to "Snowden's Greatest Hits 42" -- or something like that. The most interesting stuff -- accurate or not -- was published weeks ago. Does the Guardian have more purported "Snowden bombshells" salted away, ready to pop out on the proverbial rainy day? Perhaps. But it seems decreasingly likely.

You've probably also noticed that the degree of attention and at least claimed outrage has been ramping down as additional Snowden docs hit the scene.

Part of this can likely be attributed to simple "revelation fatigue" -- but even starting from a fairly pathetic baseline, the quality of this stuff seems to be falling off ever more, as news outlets try to figure out how to squeeze every last click out of supposedly revelatory articles that, in most cases, discuss matters that have been widely known for years or even decades.

Much of what we're seeing now basically repeats concerns expressed in magazine cover stories from as far back as 1970 (e.g., "Newsweek": "Is Privacy Dead?").

In a piece a few days ago, "The New York Times" breathlessly reported on DEA access to a decades-deep cache of AT&T phone call metadata -- the same program that the Times reported on in, hmm ... 2006!

So not only are we now getting the "not so best of" stories, we're actually getting reruns touted as world premieres.

The latest in the "Captain Renault" school of outrage -- "I'm shocked! Shocked to find that NSA has been cracking codes!" -- is particularly nebulous.

Related stories make general claims of NSA efforts to subvert TLS/SSL, and assert (without naming any names) that unspecified "technology companies" have been participating in this effort.

Of course there's no reasonable way for tech firms to rebut such vague accusations, even if the government weren't so intent on using national security laws to try to prevent companies from demonstrating their innocence by releasing more data regarding what the government actually is demanding from them.

"So when did you stop beating your wife? Just give me the date, please."

What lends an even more bizarre air to all this is the reality that most people and a great many firms have been demonstrating for years that they don't care one whit about security anyway -- never mind the NSA and foreign intelligence services of all stripes conducting much the same research and surveillance (though in cases like China and Russia, with massive domestic political targeting and explicit censorship regimes that are not in the NSA's bailiwick even on the worst of days).

The vast majority of people don't encrypt their email at all. It's too complicated, too incompatible, or they figure their messages are too mundane for anyone else to care about them. They're generally pretty much correct on points one and two, and for most of us probably on point three as well.

Short crypto keys that we knew were too weak to be useful continue to be used, many major sites still don't provide even the basic protections of SSL and STARTTLS, password files are stored in the clear or ineptly hashed and subject to mass attacks, laptops are carried around unencrypted and full of sensitive personal information ... and as radio DJs used to say: "The hits just keep on coming!"

And what of the underlying security of our commonly used encryption systems?

Especially with shorter keys, it's no surprise that they're vulnerable to one extent or another -- no NSA-inspired backdoors even required. We live in a world where ever faster parallel number crunching and key math breakthroughs could potentially render most popularly used crypto comparatively useless -- in certain contexts at least.

And much like our captain friend mentioned above from "Casablanca," we've known for ages that the codebreakers of NSA and the rest of the globe's intelligence agencies have been busy trying to break codes faster than anyone else can create them. That (along with trying to design more powerful codes for their own countries' use) is a key (no pun intended) part of their charters.

It has also long been understood that these agencies have influenced crypto design in ways that might create backdoors. Remember the Data Encryption Standard (DES) S-Box controversies? I sure do!

We do have some advantages now.

Whether haters and tinfoil hat types want to believe it or not, there are firms like Twitter, Google, and others who have been at the forefront of deploying available crypto, both between their servers and users and increasingly now between their disparate data centers as well -- and who routinely push back against overly broad government data demands.

Also, important encryption algorithms are now available that do not rely on relatively inscrutable S-boxes and the like, but rather on well-known math and open-source code.

Does any of this mean that we should be oblivious to serious mission creep at NSA, and the associated failure of Congress and the executive branch to exercise appropriate oversight, command, and control over NSA, CIA, or any other agencies?

Of course not. There are indeed alarming aspects to this entire situation, replete as it is with dissembling politicians and a federal government apparently hellbent on blocking even a modicum of real transparency regarding these operations.

Without appropriate oversight and transparency, the risks of serious purposeful abuses (such as already confirmed illegal "leakage" of intelligence data to the criminal justice system) are a major concern indeed. And a whole array of other potential abuse vectors -- most of which we have no reason to believe have yet actually occurred -- may also come into play when oversight and transparency are matters of lip service rather than honest dedication.

But all the concerns and complaints about NSA and their doppelgangers in other nations are in reality just icing on the cake -- a cake built from a recipe of gross disinterest in basic computer security protocols and procedures -- some of which have been known since the dawn of computing.

While concentrating on dramatic NSA stories may be good for news sites' clickthrough rates, it isn't necessarily helping to address the broader issues surrounding computer security and privacy -- the vast majority of which can't reasonably be blamed on NSA.

Whom to actually blame, then?

Gaze into the mirror -- and point at the answer.

Yet again, Pogo was right.


Posted by Lauren at September 7, 2013 10:22 AM