The USS Quad Damage

Security on the internet

I thought I'd write a bit about internet security since all the NSA stuff is going on.

The NSA, for some reason, has a lot of lore and black magic assumptions about it, even among (very) technical and rational individuals.

Something a lot of people might not realise is that the internet is a completely transparent protocol. Because the internet values simplicity, adding security was left to be done on an application-by-application basis. That is, in the same way that someone can wiretap your phone by simply connecting up some proverbial headphones to the phone line outside your house, anyone in the path between your source and destination can simply read off the communications on your internet connection.

In fact, on the internet it’s even simpler. Because every one of your packets comes with the sender’s address on it, and these packets bounce around semi-randomly on the big blob of computers that is the internet, these packets are even more clearly visible in some cases than a phone line, and a lot more convenient to snoop. This is what “deep packet inspection” really means, in essence — just taking a look at what’s in an internet data packet.

Let’s go through some examples. When you type in a web address on your browser, say buttsex.com, that request goes in the clear to a DNS server, which will then pass it in the clear to another DNS server, and all the DNS servers will laugh at you before eventually giving the IP address of the website.

Imagine ordering at McDonald’s for a buttsex burger and the guy at the counter repeats the order on the microphone, that’s what happens.
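To make the DNS point concrete, here is an added example (not code from the post) that builds a classic port-53 DNS query in RFC 1035 wire format and then decodes it the way any on-path observer could. The domain example.com and the transaction ID are constructed sample values; nothing is sent on the network.

```python
import struct

# Added example: a minimal RFC 1035 encoder/decoder showing that the name
# you look up travels in plain text inside a classic (port 53) DNS query.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal A-record query for `name` in DNS wire format."""
    # Header: ID, flags (0x0100 = standard query, recursion desired),
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                   # root label ends the name
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def read_name(packet: bytes, offset: int):
    """Decode a label sequence (including RFC 1035 compression pointers)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:   # pointer to an earlier copy of the suffix
            pointer = ((length & 0x3F) << 8) | packet[offset]
            suffix, _ = read_name(packet, pointer)
            labels.append(suffix)
            offset += 1
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def snoop_query(packet: bytes) -> dict:
    """What an on-path observer learns from the raw bytes of a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "questions": questions,
    }


if __name__ == "__main__":
    # Constructed sample query; the looked-up name is readable in the hex dump.
    wire = build_query("example.com")
    print(wire.hex())
    print(snoop_query(wire))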

When you send an email, it’s sent in three stages: first you send it to your mail server, then your mail server sends it to the recipient’s mail server, and finally your recipient downloads it. All three of these are potentially in clear text. Everyone can read your email, assuming they are in the path between you and your destination. There are some caveats here. It is possible for you to download the email on an encrypted connection. It is possible for you to send an email on an encrypted connection, and it is possible that the sender and recipient are using encryption, or are on the same server. But relying on all three legs of the email journey being secure is difficult, especially when you add in the fact that the email must remain on the server temporarily while being processed.
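The server-to-server legs of that journey leave evidence behind: each receiving mail server prepends a Received: header, and the RFC 3848 “with” keyword in it (ESMTPS, ESMTPSA, ...) records whether that hop was protected by TLS. The following added example (not from the post) audits those headers on a constructed three-hop message whose middle leg is in the clear; the host names, IDs and timestamps are sample values.

```python
import re
from email import message_from_string

# Added example, not from the post: audit the SMTP legs of a mail's journey
# via the Received: headers. RFC 3848 "with" keywords ending in S record TLS.

# Constructed sample message: three hops, newest header first.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
    by imap.recipient.example with ESMTPS id a1b2c3
    (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 10 Jun 2013 09:02:11 +0000
Received: from smtp.sender.example ([198.51.100.7])
    by mx.recipient.example with ESMTP id d4e5f6; Mon, 10 Jun 2013 09:02:10 +0000
Received: from [10.0.0.5] (helo=laptop)
    by smtp.sender.example with ESMTPSA id g7h8i9; Mon, 10 Jun 2013 09:02:08 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

body text
"""

# RFC 3848 / RFC 6531 keywords that assert the hop was over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hop(value: str) -> dict:
    """Pull the from/by/with clauses out of one Received: header value."""
    text = " ".join(value.split())          # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)", text)
    by = re.search(r"\bby\s+(\S+)", text)
    with_ = re.search(r"\bwith\s+(\S+)", text)
    keyword = with_.group(1).upper() if with_ else ""
    return {
        "from": frm.group(1) if frm else "?",
        "by": by.group(1) if by else "?",
        "protocol": keyword,
        "tls": keyword in TLS_KEYWORDS,
    }


def audit_hops(raw_message: str) -> list:
    """Return the hops in chronological order (sender's side first)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Each MTA prepends its own header, so the list is newest-first.
    return [parse_hop(v) for v in reversed(received)]


def cleartext_legs(raw_message: str) -> list:
    """Hops whose Received: header does not claim TLS."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for i, hop in enumerate(audit_hops(SAMPLE), 1):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol']}) {status}")
```

Two limits worth keeping in mind: these headers are written by the receiving server, so a hostile or misconfigured relay can write anything it likes in them, and they say nothing about the final download leg (IMAP/POP) or about the copy sitting on the server in between.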

Similarly with web browsing. Everything you browse is in the clear. The exception is when you use HTTPS. However, note that even when you do use it, to minimise costs and maximise speed, many parts of the transfer will still be in the clear. For example, when logging onto Gmail, everyone can still see the Gmail logo being downloaded to your machine. Whether this is a security risk depends on the web application you’re using.
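The leakage described here, an HTTPS page pulling some of its parts over plain HTTP, is what browsers call mixed content, and it can be found by looking at the page’s own markup. Here is an added example (not from the post) that lists the subresources of a page that would be fetched over http://. The page URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not from the post: find subresources of an HTTPS page that
# would be fetched over plain HTTP ("mixed content").

# Tag -> attributes that name something the browser will actually fetch.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}

# <link> elements that cause a fetch; rel="canonical" and friends do not.
FETCHED_LINK_RELS = ("stylesheet", "icon", "preload", "prefetch", "modulepreload")


class SubresourceCollector(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if not any(r in rel for r in FETCHED_LINK_RELS):
                return
        for name in wanted:
            if attrs.get(name):
                # Resolve relative and protocol-relative ("//host/x") URLs
                # against the page URL, which is how the browser does it.
                self.resources.append(urljoin(self.page_url, attrs[name]))


def find_mixed_content(page_url: str, html: str) -> list:
    """URLs of fetched subresources whose scheme is plain http."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.resources if urlsplit(u).scheme == "http"]


# Constructed sample page: two insecure fetches, one canonical link (ignored),
# one protocol-relative and one site-relative reference (both stay HTTPS).
PAGE_URL = "https://mail.example/inbox"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example/app.css">
<link rel="canonical" href="http://mail.example/">
<script src="http://static.example/legacy.js"></script>
</head><body>
<img src="http://static.example/logo.png">
<img src="//static.example/avatar.png">
<img src="/local/icon.png">
</body></html>
"""

if __name__ == "__main__":
    for url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print("insecure fetch:", url)
```

Modern browsers block or upgrade most of these fetches, and a `Content-Security-Policy: upgrade-insecure-requests` header tells them to upgrade all of them, but the scan is still a useful check on what a site ships.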

So where does this leave us then? It means the NSA and criminal organizations have a fair bit of access to an enormous amount of your data before we even start talking about any special powers the NSA might have. Worse, a lot of this isn’t in your control: it’s up to the various services you use on the internet to decide whether your data is worth being careful with. Add in the fact that a lot of these services are written by children or idiots with no serious background in security and things look pretty grim.

But let’s talk about those special powers. The NSA is claiming that its special powers are purely legal: that after getting a relevant warrant they are able to snoop on very specific pieces of data in very specific cases. Even in this case, every American company is now a potential source where your data can be shipped off to the government. If you aren’t American, this government is also not accountable to you. Worse, where there is a honey pot trail of data, an FTP server or even the NSA servers themselves, it attracts criminal gangs who want to use your data for nefarious purposes. That is, you’re not just trusting the NSA with your data, you are trusting that they and the companies they deal with will respect your data enough that it won’t be leaked.

However, a recent leak by Edward Snowden revealed that the NSA are overreaching even here: that they effectively have direct access to the servers of large American software companies, and have unfettered access to your data. Worse, that data is kept for a very long time, which makes NSA servers incredibly attractive to criminals and nefarious governments. If you believe Edward Snowden, the NSA treat their rights in a cavalier way, and generally shouldn’t even be trusted with the data in the first place, much less be trusted to keep it protected.

There’s a perception that the NSA are filled with extremely intelligent people, the best of the best, but Snowden himself does not appear to be especially talented, and the head of the NSA does not appear to have any extraordinary skills. Can he be trusted to identify and hire the best of the best? Further, even if the NSA is populated with the best mathematicians, how can we be sure that the operations group — the ones actually holding and securing that data — is similarly competent? And how can we be sure that their software developers are the best? If the mathematicians are coding then we have a lot to worry about!

Then there’s the speculation about what other powers they may have.

There are additional legal measures which the NSA might have at its disposal that are unknown to the general public. This might include having SSL keys to certificate authorities. These keys would allow the NSA to mimic or monitor secure connections, because they effectively have a forged signature for companies like Google. They might also have set up fake internet cafes similar to, or in conjunction with, the UK. However, it is wise to note that if you assume that other people have access to your unencrypted connections, connecting to an NSA owned internet cafe doesn’t make you any less secure than if the internet cafe was simply run by unscrupulous individuals. Simply put: there’s not a lot the NSA can achieve using legal means that a mafia cannot achieve using illegal means.

Then there’s the technical means the NSA has. The NSA, for some reason, has a lot of lore and black magic assumptions about it, even among (very) technical and rational individuals. When you ask them about the NSA the skills and wealth that are attributed to them are considered no less than magic. But what could the NSA’s resident wizards actually do?

First, they could hack SSL keys (illegally?). This would have the same effect as having legal access to private keys of certificate authorities, but instead having “broken into” the CA key systems. This affords them the same abilities: mimicking or potentially monitoring certain types of secure connections. They might also have a scrapbook of cracks for various devices under various configurations which allows them either to break into devices, or plant some sort of convenient root-kit to turn the device against its users.

They might also have clever ways to minimise the time to crack encryption where no security vulnerability exists. This might mean easy cracking of public-key encryption, or it might mean eventual cracking of symmetric key encryption. They might also simply be able to crack passwords. I’d be extremely surprised if cracking passwords isn’t the easiest method. In civilian circles, relatively modest hardware and some ingenuity along with a touch of brute force will net you most passwords in under an hour. This is not surprising, since so many people have relatively simple passwords. There might be a way to crack public-key encryption, but this isn’t about being able to crack it realistically, but being able to crack it economically.

Nowadays, you measure these sorts of things in the power cost it takes to crack some encryption. If the NSA had to pay even a small amount of, say, $200 to decrypt your personal details, would they bother? I’m unsure. For symmetric key encryption, again, discounting any implementation vulnerabilities, I would guess the NSA couldn’t decrypt a communication for less than $2000, and that’s granting them these crazy magical abilities, which I personally do not believe they have.
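The “power cost to crack” framing in the last two paragraphs is easy to turn into arithmetic, and doing so is how a defender sizes a password policy or the work factor of a password hash. The following is an added example, not from the post: it computes expected time, energy and electricity cost of an exhaustive search, and the shortest password length that pushes that cost past a given budget. Every guess rate, wattage and price in it is an assumed illustrative number, not a measurement.

```python
import math

# Added example, not from the post: the post's "cost in electricity to crack"
# idea as a calculation. All rates, wattages and prices are assumptions.


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Bits of entropy of a uniformly chosen password from `candidates`."""
    return math.log2(candidates)


def crack_cost(candidates, guesses_per_second, watts, usd_per_kwh, fraction=0.5):
    """Expected time, energy and electricity cost of an exhaustive search.

    `fraction` is the share of the keyspace searched on average: 0.5 for a
    uniformly random password, since on average it is found halfway through.
    """
    seconds = candidates * fraction / guesses_per_second
    kwh = watts * seconds / 3_600_000          # watt-seconds -> kilowatt-hours
    return {
        "seconds": seconds,
        "days": seconds / 86_400,
        "kwh": kwh,
        "usd": kwh * usd_per_kwh,
    }


def min_length_for_budget(alphabet_size, guesses_per_second, watts, usd_per_kwh,
                          budget_usd, max_length=64):
    """Shortest length whose expected cracking cost is at least `budget_usd`."""
    for length in range(1, max_length + 1):
        cost = crack_cost(keyspace(alphabet_size, length),
                          guesses_per_second, watts, usd_per_kwh)
        if cost["usd"] >= budget_usd:
            return length
    return None


if __name__ == "__main__":
    # Assumed scenario: one 300 W device, electricity at $0.15/kWh,
    # 8-character lowercase passwords. The two guess rates are assumed
    # figures for a fast unsalted hash versus a deliberately slow KDF.
    candidates = keyspace(26, 8)
    print(f"{entropy_bits(candidates):.1f} bits of entropy")
    for label, rate in (("fast hash", 1e9), ("slow KDF", 1e4)):
        c = crack_cost(candidates, rate, 300, 0.15)
        print(f"{label:9s}: {c['days']:10.3f} days, {c['kwh']:9.3f} kWh, ${c['usd']:.4f}")
    print("length needed to cost $200 against the fast hash:",
          min_length_for_budget(26, 1e9, 300, 0.15, 200))
```

The two design levers this makes visible are the ones a defender controls: the keyspace (password length and alphabet, or better, random passphrases) and the guess rate (a slow, salted password hash instead of a fast one). Hardware and labour cost are left out here, so the figures are a floor on the attacker’s cost, which is the conservative direction for a defender.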

In the end, the greatest weapon the NSA have is apathy. People simply do not value their security all that much, and companies do not value the security of their customers. This has probably given them more “free data” than any legal or technical measures could. That the NSA needs to have a legal framework means that they do not possess the kind of black magic many attribute to them. The legal ways the NSA accesses your data are really quite alarming, considering the trust we place in these American companies, and if Snowden is correct and they are arbitrarily collecting data, then that is even more alarming. In the end, however, if we are to rest easy knowing our data is secure, then we must value the security of our data. While I hope the entire Snowden incident will reduce the unchecked powers of the NSA, I hope most of all that it has all people re-evaluating how much they value their security.