
NSA Revelations Cast Doubt on the Entire Tech Industry - Libertatea
http://www.wired.com/threatlevel/2013/09/tech-industry-tainted/
======
alan_cx
For me, all the revelations and confirmations of foil hat theories have
destroyed the joy the internet used to be. To me its now a dirty high tech
voyeur spy's dream.

As for the US part of this, yes, my country the UK, is up to its neck in it,
but, the part that is driving me away from the internet is the fact that
Americans think their laws apply to non-Americans, and if necessary, Americans
will force those laws on people who had no vote in it what so ever. Government
will be leaned on and pressured to hand their people over to a US legal system
I have zero faith in, and a penal system that borders a barbaric reinvention
of slavery. If that fails, the US will "render" people, or as the rest of us
call it, kidnap. To get my encryption keys, as a foreigner I genuinely fear
American torture.

Now, I suspect the likes of China also do or aspire to spy on us all in the
same way, but I don't feel the same risk of state kidnap, their laws, legals
system, etc.

The spying is one thing, to a point I can live with that and alter behavior to
compensate, but the idea I could break laws I don't agree with and have no
influence over, while getting no support from my government, or be kidnapped,
is frankly too much to accept. Even in typing this post I am self censoring.

As such, the internet has now become something I'm now very wary of. I almost
feel like the using the internet is the same as traveling to the US, which is
something I would never ever do. Its simply not worth the risk to my liberty
and freedom.

Sad, very sad.

~~~
mcphilip
The confirmation that there can be no expectation of privacy has destroyed a
lot of the joy of internet use for me as well. At a more pressing existential
level, it's making me despise working in web development. I may never work on
a project 'noteworthy' enough to warrant the NSA seeing some use in collecting
data from it, but I am firmly in the startup minded 30ish crowd willfully
slaving away the prime of my life making tools and sites that encourage people
to use and trust this byzantine conduit of an internet thoroughly infested
with spooks gleefully abusing power and destroying privacy more and more every
day.

Edit: perhaps research and training in security and seeing how I can
contribute on that front is the first step back towards being proud of my
work...?

~~~
johnchristopher
> Edit: perhaps research and training in security and seeing how I can
> contribute on that front is the first step back towards being proud of my
> work...?

Well. The open-source tools might be as easy as the professional tools to
taint.

Someone training for the CCNA/P-Security or any other certifications is still
using the same corrupted conduits :(

William Gibson said this about virtual lights (a novel which deals with bike
messengers and data): "In the future, information'll be more secure when
written on paper and transported by physical human hands than on the wired."

Which reminds me of this:
[http://news.bbc.co.uk/2/hi/africa/8248056.stm](http://news.bbc.co.uk/2/hi/africa/8248056.stm)
[http://www.bbc.co.uk/news/technology-11325452](http://www.bbc.co.uk/news/technology-11325452)

And there is work to do :
[http://en.wikipedia.org/wiki/IP_over_Avian_Carriers](http://en.wikipedia.org/wiki/IP_over_Avian_Carriers)

------
frio
Speaking as a foreigner, I now have very little trust for basically any major
US tech corporation. The NSA claims it deals responsibly with data relating to
US citizens: I'm not a US citizen.

I plan on spending the next few months moving most of my accounts back to
self-hosted, or at least hosted nationally.

~~~
criley2
If having your own government spy on you instead of the US, and if having US
spyware secretly installed doesn't bug you, then feel free to run.

But just remember: everyone is spying.

We're all in this together, and running from one nationality to another will
only change the name and face of who is watching you.

~~~
dominotw
> everyone is spying.

Gut feeling? Not all countries have can afford an expensive program like NSA.

~~~
mc32
Then, what you do, is what Cuba, Vietnam, Venezuela did/does, you organize
local watch committees. These bodies are set-up so that neighbors rat on
neighbors. No big budgets necessary. You trust on one and by and large, you
outwardly toe the party line.

~~~
tikums
Or maybe you do what Estonia does. False dichotomy?

------
devx
Even if Microsoft is telling the truth (very skeptical about it), you could
see how they can easily lie through their teeth with that statement " _We_
aren't _explicitly_ providing a backdoor for the NSA - but hey, if NSA knows
of a vulnerability in Windows that is very hidden, and we know about it, too,
then it's out of our hands, and NSA can do whatever".

This is also interesting, something someone posted on HN from Steve Gibson
back in 2006:

[https://www.grc.com/sn/sn-022.htm](https://www.grc.com/sn/sn-022.htm)

At this point I would really start with the presumption that at least Windows
and Intel's chips (possibly others, too) have backdoors in them, and that the
chances of that happening at this point is _higher_ than _not_ happening.

I'd also assume most routers have at least dormant backdoors in them. Jacob
Appelbaum has been saying for years that it's easier for manufacturers to just
build-in the backdoors in _all_ routers that they're making, because so many
countries demand them, and they just keep them "disabled" in the countries
that don't ask for them. It might be a good idea to start installing OpenWRT
firmware on your routers.

~~~
jgrahamc
I debunked that claim: [http://blog.jgc.org/2006/01/wmf-setabortproc-problem-
is-not....](http://blog.jgc.org/2006/01/wmf-setabortproc-problem-is-not.html)

Of course, it was still exploitable.

------
kenjackson
Many seem to be missing the worst part of this:

Services are forever tainted. And services are the most interesting part of
the puzzle.

Open source software that runs on the client is nice, but frankly I'm not as
concerned about the NSA having access to my desktop. Logging, parsing, and
analyzing client data of this sort opportunistically probably doesn't scale.
And it's easier for me to set up a system in my house where I can audit all
incoming and outgoing traffic (not that I'm going to do it, but I'm confident
that I could). The one exception to this is encryption software... more on
this later.

But it's hosted services where a lot of my interesting data lives, is
structured in a way that makes opportunistic scanning much easier, and there
is no way for me to audit it.

There's no way for me to know that GMail's servers don't have a backdoor. Or
likewise for Dropbox or Facebook or Citi or my Amazon, etc...

This means I have to encrypt everything stored on any service (which is why my
encryption software does need to be backdoor free). But most services store
data about me where I don't control if its encrypted or not (it's not easy to
encrypt voice calls from the end user perspective).

The end result is I already have fatigue, and I haven't even done any work
yet!

I think most people are going to rely on an old story:

"Two guys are walking through the woods when they run across a hungry bear. At
this point one of the men quickly ties his shoes. The other man says, 'Why are
you tying your shoes -- you can't outrun this bear!' To which the other man
says, 'I don't need to outrun the bear, I just need to outrun you.'"

Internet services are too valuable to not use. But it will be too much work
for 99.9% of the population to preserve their privacy. The lack of privacy
from the NSA will become the new normal. I have trouble seeing it playing out
in any other way.

~~~
Amadou
_Services are forever tainted. And services are the most interesting part of
the puzzle._

I see it as a plus. But I've been against the very concept of such services in
the first place. I think most centralization is unnecessary, that the reason
it is so common today is because it is a straight-forward business plan for a
company to insert itself as an intermediary between all of the users and thus
extract money (and therefore efficiency) from their interactions.

Facebook's the ultimate example. Their popularity is a result of people
needing a place to easily host and share their photos. But the cheaper storage
and bandwidth get, the less utility Facebook provides compared to a
distributed system. I think we are at a point today where high-end phones
could host all the content that the majority of people want to share. Combine
that with a little smart caching between "friends" so that their phones on
wifi can pick up the slack when the original host is cell-only and throw in a
distributed hash table for finding new "friends" and the value that facebook
provides users by centralization drops precipitously.

If these NSA revelations help kickstart a new (but actually old) paradigm
where each internet user is essentially self-hosting, then I believe that will
be a great boon in the long run.

~~~
bhauer
Precisely! If there is any silver-lining to the NSA revelations (and there
really is not a silver-lining, I'm just using it as a figure of speech), it is
that the pendulum is swinging back to self-control of data and applications.
I've for several years wanted to see a post-cloud model where an application
and data host I control runs singular application instances for me and all my
devices are merely views on those applications [1]. I call it personal
application omnipresence, and the "personal" aspect is of chief importance.

I see the current configuration of Internet services--what I call the "plain
cloud"\--to be a frustrating diversion, and one that passively or actives
suppresses the "personal" aspect of applications. As Amadou points out, the
plain cloud is facile because businesses can easily be intermediaries. _Oh, it
's so difficult to connect an always-on, secure, and self-controlled host to
the Internet to share your photos with family and friends? Don't worry! We'll
handle that for you. Oh and look, we also get all of your photos and data. But
don't you worry, we're good people. Trust us._

For years, it has irked me that so many have voluntarily forfeited control of
their data and applications out of convenience when alternative models that
would provide convenience without sacrificing control are fairly easy to
conceive. With equal R&D effort as the plain cloud has seen, these
alternatives could be realized.

I was angry when Google made their terms of service for Google Fiber disallow
home servers. I imagine Amadou was as well. (I don't have Google Fiber, but I
want it or something similar with reasonable TOS.) Preventing home servers is
just perpetuating the current narrow vision of centralized hosting, and that
notion is overdue for disruption. Obviously that's favorable to Google, but I
don't really care about what's good for Google.

Data centers in general should fear symmetric gigabit+ to the home. I know
that without a doubt if I had fiber to my home, I would pull my servers out of
my data center immediately and put a rack in my garage.

I want self-hosting demystified and mainstreamed. As the pendulum swings back
to self-control, anyone who is working to make "self-hosting" synonymous with
today's popular verb, "sharing" is posed to earn my business. The model should
be embraced by open source advocates. I even suggest Microsoft should leverage
the building momentum and be the first industry titan to champion
disintermediating the plain cloud [2].

[1] [http://tiamat.tsotech.com/pao](http://tiamat.tsotech.com/pao) [2]
[http://tiamat.tsotech.com/microsoft](http://tiamat.tsotech.com/microsoft)

------
ig1
From the documents published by the New York Times it seems that the NSA have
introduced backdoors into VPN and SSL hardware crypto chips. There aren't that
many major vendors who make such chips and undoubtedly people are going to be
trying to find them now.

The question is what's going to happen when the vendors are identified ? - I
can't imagine it'll be good for their customer base or their share-price.

Imagine you're a bank using vendor X's backdoored SSL acceleration. Say you're
involved in a lawsuit where a customer claims they didn't authorise a
transaction, now the customer can point to the fact that you're knowingly
using hardware which has backdoor which would have allowed a third party to
silently steal the users credentials.

This is a huge deal.

------
Cort3z
I can see Silicon Valley taking a big hit here. Being a foreigner I no longer
trust US based services. I think I will move all my data and Web apps off
Amazon, meaning no more Dropbox for me. Any website I have hosted on there now
I will find a way to get off these US servers.

I even see things like Facebook and Twitter taking hits with competitive
services hosted in "more secure countries" popping up.

At this point I feel Chinese based services is safer, and that is saying a
lot.

------
jgreen10
Strange policy to build an organization that could destroy the only industry
that is keeping your economy going.

~~~
ihsw
Not at all, they've made it quite clear that there are only two options: have
the capability to decrypt everything or create America's Great Firewall. They
couldn't give a rats ass about the economy.

Now that the cat's out of the bag I'm sure they will refocus their efforts on
shoring up the defence of every government communications network.

------
theoh
David Dampier's comment about cryptography in this article is a bit
surprising: “I don’t care what company is selling you encryption software.
Whatever they are going to sell you, it can be decrypted. There’s nothing that
is infallible.” Leaving aside the fact that a significant fraction of
cryptographic software that is free and open source (ssh, gpg, tls
implementations in browsers, etc.) the idea that any cryptography available to
an end user is breakable by an adversary like NSA is not supported by what we
know about current and historical progress in the mathematics of
cryptanalysis. Dampier's credentials on his academic home page are not that
relevant or convincing when it comes to cryptography proper. I would be more
likely to go with Bruce Schneier's opinion that cryptography is still secure
with appropriate key sizes: "Still, I trust the mathematics"
[https://www.schneier.com/blog/archives/2013/09/the_nsas_cryp...](https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html)

------
frank_boyd
> NSA Revelations Cast Doubt on the Entire Tech Industry

I'd say it's true for everything that's not open-source and doesn't allow for
proper public key encryption. (Assuming that public key encryption is still
holding up.)

~~~
nwh
It goes deeper than that.

If I owned any server hardware, chances are it would be in a rack in a
datacenter. What's to say somebody hasn't walked in, flipped a badge and taken
my SSL private keys? In fact, that's quite probable.

~~~
jaggederest
You're thinking too small scale.

Certificate Authorities are almost certainly compromised. Why bother with one
at a time when you can just force the vendor to hand the keys to the castle
over? Sign your own certs, MITM anyone you want.

~~~
nwh
MITM isn't the issue, we assume for the most part that the NSA is a passive
eavesdropper. Easier in that situation to sniff and decode with a stolen
secret, rather than rewriting traffic on the fly.

~~~
jaggederest
Right, but my point is that the CA is the central point of failure for all of
those scenarios.

~~~
nwh
Not really. For a passive attack the key would have to be stolen from a server
rather then the CA, who never sees the private key, rather only the CSR
(public key).

~~~
jaggederest
We're assuming under the current circumstances that it's backdoored,
basically. The NSA definitely doesn't want to have to go knock on doors to
collect those private keys.

------
rbc
I think the NSA revelations may also hurt data mining initiatives in the
private sector. At some point I think the privacy advocates that are
criticizing NSA access to private sector data, will turn their attention to
the services that hold the data. I believe there will be more pressure on
service providers to purge archived data, whether it be phone call meta-data
or other kinds of information.

------
DanielBMarkham
I don't think there's any doubt to it.

There are folks that made their fortunes and earn their livelihoods on the
net. These folks are going to defend what we built to their dying day. There
are governments and corporations, which believe they absolutely must have
whatever data they view as honorable (and this definition is surprisingly
flexible) in order to continue to privide their services.

Then there's the general public, including most reporters, who suspects
something is amiss but keeps hearing all kinds of contradictory opinions,
including calling out the folks who warned about these as tinfoil hat types.

Yeah sure, there's lots of noise and confusion, but doubt? I don't think so.

Note: I'm not trying to weave a conspiracy theory here. My only point about
existing players is that they're too _emotionally_ wrapped up in things that
took many years of hard work to see the situation objectively

------
soora
I will be interested to see how this plays out over the next few years. Will
these predictions match reality?

~~~
grandalf
It will indeed be interesting. One thing to consider is that we can assume the
US Government has enough information about most individuals and businesses to
cause significant harm, even if everyone (individuals and businesses) stopped
trusting tech companies tomorrow, the damage is done and an enormous trove of
intel has been captured.

This looming threat will only get worse as the government shifts its focus
from capturing data to utilizing it at scale.

------
Sami_Lehtinen
I've been wondering why WatchGuard firewalls require mandatory registration
before working. There they ask questions like, is this firewall being used to
secure important military site etc. Wtf, if I would use it to protect
important military / nuclear research lab etc... Do they really think I would
tell it? I'm sure that information is directly passed to "authorities" and
then they can bypass that firewall/vpn/ipsec to steal secrets whenever they
want to.

------
mcgwiz
Can Web of Trust/PGP be applied/adapted to client-server communication such as
that handled by HTTP? Conceptually, HTTPS built on PGP? Would new products or
services help the adoption of this (like a social network for PGP keys)?

Although it wouldn't solve all of the NSA techniques (social engineering,
acquiring pre-encrypted data) it would certainly be harder to track down (i.e.
steal, crack, coerce, subpoena, etc) tens of millions of keys rather than tens
of thousands.

------
wschorn
I feel like anybody with their ear even moderately to the ground knew the NSA
had encryption breaking techniques... Why else would higher-level encryption
be illegal?

~~~
seandhi
Which higher-level encryption is illegal?

~~~
taproot
None really anymore.

[http://en.wikipedia.org/wiki/Export_of_cryptography#Current_...](http://en.wikipedia.org/wiki/Export_of_cryptography#Current_status)
[http://www.xanthir.com/document/document.php?id=6e54a9d38b4a...](http://www.xanthir.com/document/document.php?id=6e54a9d38b4ae29c9edf2f5e8bd8d9963e30c83a0b3706599b6598266067057cb8a862da0b804bc270490848a9e8b2473d7c8d5b5c9585004449a144f73b7664#section1.6.0)

