Sunday, September 8, 2013

About That Secure "https"? Yeah... Not So Much

The story broke this weekend that the NSA forced providers to allow backdoor entry into the web-based encryption that most online banking and shopping uses, allowing essentially total surveillance of the web.  In case you doubted, they can monitor every bank transaction, every purchase you make, if at any time the transaction goes over the internet.  Apparently, if you walked up to the counter in a store and bought on a credit card, they got the transaction. (I've always assumed this to be the case)  H/T to Denninger, among many, who also has some good comments.  Microsoft, it seems, allowed access to anything it encrypts back to Windoze 95 (I wonder if the monopoly charges and pressure on MS in that time period had anything to do with this?):

How did they get caught?  Someone built one of the service packs without stripping the symbols from the code, and right there where everyone could see it was "_NSAKEY."

Now Microsoft denied that this was in fact what the key was, but what they didn't do was release the source code in question to prove it.  No, they simply "asserted" that one should trust them because, well, they're Microsoft.

Wirecutter follows up with a link to techdirt saying the NSA and GCHQ Admit The Public is the Enemy.  Internal documents, referenced by the Guardian (UK), show the NSA refers to the public as "adversaries".

Among other things, the program is designed to "insert vulnerabilities into commercial encryption systems". These would be known to the NSA, but to no one else, including ordinary customers, who are tellingly referred to in the document as "adversaries".

That's your government referring to you. Apparently not without some sense of humor, among the code names the NSA used internally for these programs were Manassas and Bull Run, a major battle in the (first?) civil war.  The UK GCHQ used the name Edgehill, the first major engagement of the English civil war, more than 200 years earlier.

Now you can sweet talk and substitute words like some mealy-mouthed lawyer or government spokesman as long as you'd like.  You can say, as one commenter did, that it's simply NSA-speak that any code they attempt to break is from an adversary, and they don't mean you and me specifically.  This is in the tradition of "it wasn't rape rape": they don't mean adversary adversary.  Except that they do.  The whole program is based on violation of the 4th amendment, monitoring everyone as if they were a suspect in a terrorism case.

It seems there's only one answer: tear down the agency.  I'm partial to the argument that we need an agency that performs the NSA's original mission - to monitor and, yes, spy beyond the water's edge.  Foreign only.  So we need a massive cancer-like surgery to remove the domestic side of the house while leaving the international side there.  Ain't gonna happen without serious disruption, if ever.


  1. "Apparently, if you walked up to the counter in a store and bought on a credit card, they got the transaction. (I've always assumed this to be the case)"

    The difference there is that they know where you spent money and what you bought, but that's the only information transmitted over the tubes by a brick-and-mortar store. With more and more stores using computerized Point-Of-Sale systems that are also connected to the internet, those can presumably be hacked, but that's a separate thing.

    1. Sorry, that should have read "they know where you spent money and how much you spent, but not what you bought".

    2. Strangely, that's how I read it.

  2. "It depends on what your definition of IS is..."
    (or a similar statement)

    Where have we heard THAT before?