
Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

The future will be Open Source… and it will probably be illegal

There is an interesting article in the Guardian titled US and UK spy agencies defeat privacy and security on the internet:

  • NSA and GCHQ unlock encryption used to protect emails, banking and medical records
  • $250m-a-year US program works covertly with tech companies to insert weaknesses into products
  • Security experts say programs ‘undermine the fabric of the internet’

The second point is to me the most interesting, as it suggests that open source is really the only way to fight back against this, and as a result I fully expect Open Source to eventually become illegal in the more panoptic parts of the world.

The first point, however, will be the driver of effective and widespread countermeasures. The internet is simply too important to too many economic interests to allow the US and UK governments the ability to embed what will be catastrophic weaknesses in its underpinning architecture.


26 comments to The future will be Open Source… and it will probably be illegal

  • A cowardly citizen

    I would take a government that fears its citizens less than it values being the global economic superpower. It’s a shame China’s government persists in pretending to be Communist.

  • Laird

    Zerohedge had an article on this today, too. I can’t imagine that anyone is surprised by the revelations. I think “Tyler Durden” (I assume that’s a pseudonym) sums it up well: “The full grotesque details of just how far an out of control, totalitarian state in absolute fear of civil liberty and privacy will go to spy on all of its citizens can be read here. None of it should be a surprise to anyone at this point. The good news is that like every collapsing totalitarian, centrally-planned regime in the final stages of its fear-driven lifecycle, this can only continue for a little longer.” One can only hope.

  • Through covert partnerships with tech companies

    Gives a whole “new” meaning to the word ‘partnership’, doesn’t it.

  • The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

    This stuff already is open source.

    Need to know more about what, specifically, they can do.

    Worst case, they have already got weaknesses in the open source libraries and can read everything with ease.

    Or maybe they can only brute force specific messages at great cost.

    Do we have to start again with new implementations of encryption algorithms? How do we stop such efforts being infiltrated?

    Each of these revelations has me re-evaluating my levels of optimism and cynicism, and not for the better.

  • Laird, the only people not surprised by this are nutcase conspiracy theorists. Everyone thought SSL, used correctly, was sound.

    I’m not even sure I believe it now, as written. This is like reading that there really were aliens at Roswell.

  • Sam Duncan

    Rob, I think we have to make a distinction between having “capabilities against” and explicit backdoors. My guess is that the former means the NSA has more computing power than most of us thought. The fact that it’s still seeking the latter from proprietary technologies and service providers suggests, though, that it doesn’t have enough to make interception of encrypted traffic trivial. Indeed, the NYT version of the story quotes some of the internal documents as saying that encryption is still a problem, and that’s very much the motivation for inserting these backdoors.

    So while open source, perhaps accompanied by even stronger encryption, might not foil them completely, it can’t hurt. There’s already talk around the interwebs of an audit of the SE (“Security Enhanced”) Linux code, much of which is the NSA’s work (which always struck me as suspicious). You can’t do that with Microsoft’s security subsystems.

  • PersonFromPorlock

    A proposal: an app that generates and appends random number strings to e-mails. Eavesdroppers can’t decode it because there’s nothing there to decode, but they also can’t be sure there’s nothing there and stop trying. Should increase their computer time no end and make them much less eager to listen to everyone.

    The random number string can be clearly labelled as such so that the app can automatically discard it at the receiving end, if desired. Eavesdroppers will not be able to ignore it, however.

  • Nick (nice-guy) Gray

    The only way for the NSA to do its job will be for every computer on the net to be part of the NSA network. Do we really have any proof as to who owns what part of the systems we use? Could the NSA have bought up shares in all the companies, or does it intend to do so in the future?

  • jdgalt

    I’m part of three different open source projects, and I don’t see how any of them could continue to function if they made any attempt to vet their contributors.

    Two of them, at least, do have in-house people who go over and approve each contribution. That could do the trick, assuming those people themselves (1) aren’t moles and (2) don’t get made some kind of “offer they can’t refuse” by a nasty government somewhere.

    Perhaps we’ll just have to return the favor by sending more moles like Snowden into government agencies. It’s too bad he wasn’t able to cover his tracks and stay in.

  • I predict a return to sneakerware.

  • Myno

    There will also be an increase in the use of one time pads.

  • a_random_guy

    As I understand the situation, encryption is just fine as long as we manage to avoid NSA-sabotaged methods, which open source is pretty good at doing.

    The problem is: it’s all too easy to get around encryption.

    Example (SSL): Your typical browser will accept any certificate signed by an authority that it trusts; it doesn’t care if the certificate changes, as long as the new one is also trusted. So: The NSA forces some trusted CA to sign off on a faked certificate, and can then play “man in the middle” on your secure Internet connection.

    Example (file encryption, secure email): If your passwords and keys are compromised, the best encryption in the universe is worthless. There are lots of ways (key-loggers, root-kits, hidden cameras, etc.) to get hold of your keys and passwords.
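The SSL example in the comment above describes a substitution attack that default certificate validation cannot see: a new certificate for the same site, signed by any trusted CA, passes every check. The usual defence is to pin the server's public key (its SubjectPublicKeyInfo, or SPKI) and alert when it changes. The following is an added example, not code from the post or the commenter, using only the Python standard library. The minimal DER walker, the trust-on-first-use `PinStore`, the hostnames, and the certificate-shaped test blobs produced by `build_fake_cert` are all constructed for illustration; `fetch_cert_der` shows how a real leaf certificate would be obtained from a live server.

```python
import base64
import hashlib
import socket
import ssl


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it).

    Single-byte tags and short/long definite lengths are all X.509 needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded certificate.

    RFC 5280 layout: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
    signature }; tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }.
    """
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_read(cert_body)
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:  # explicit [0] version present: skip it
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    _, _, end = der_read(tbs, pos)
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 of the SPKI, base64-encoded (the form HPKP pins used)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


class PinStore:
    """In-memory trust-on-first-use pin store keyed by hostname (illustrative only)."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, cert_der: bytes) -> str:
        pin = spki_pin(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = pin
            return "recorded"   # first contact: nothing to compare against yet
        if known == pin:
            return "ok"         # same key as before, even if the cert was reissued
        return "MISMATCH"       # key changed: legitimate rotation or interception


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network; not used in tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed test data: a certificate-shaped DER blob, not a real signed certificate ---
def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_fake_cert(spki_content: bytes, serial: int = 1) -> bytes:
    """Build a blob with the tbsCertificate field order above so extract_spki runs offline."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))
    serial_tlv = der_encode(0x02, bytes([serial]))
    empty = der_encode(0x30, b"")  # stands in for signature alg, issuer, validity, subject
    spki = der_encode(0x30, spki_content)
    tbs = der_encode(0x30, version + serial_tlv + empty * 4 + spki)
    return der_encode(0x30, tbs + empty + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    store = PinStore()
    genuine = build_fake_cert(b"public-key-of-the-real-server")
    reissued = build_fake_cert(b"public-key-of-the-real-server", serial=2)
    substituted = build_fake_cert(b"public-key-of-an-interceptor")
    print(store.check("bank.example", genuine))      # recorded
    print(store.check("bank.example", reissued))     # ok
    print(store.check("bank.example", substituted))  # MISMATCH
```

Pinning the key rather than the whole certificate is deliberate: a site can renew its certificate without changing its key, and that must not raise an alarm. The limitation worth knowing is the one built into trust-on-first-use: the store only learns the key it first sees, so interception already in place at first contact is recorded as genuine, which is why browsers and apps that pin ship the expected keys with the software instead of learning them on the wire.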

  • I’ve got an idea. We can put confidential stuff onto memory sticks and carry it in our pockets. Oh.

  • Laird

    Colonel Shotover, that might work until the British government detains you at Heathrow Airport for 8 hours and then confiscates your hardware!

    Simon Black thinks that the NSA is Lying, overstating its capabilities in a disinformation campaign. “The NSA wants people to think that they have this capability. . . . It’s in the NSA’s interest for people to think that the agency is almighty. I don’t buy it. These people are seriously vile. But they don’t have superpowers.” That’s certainly a possibility, and I don’t know enough about encryption or the internet to be able to form an opinion. What do others here think?

  • Laird, have you read Rob’s link?

  • They sell tiny low-profile USB sticks in Tesco. I bet they are easier to get through customs than a kilo of heroin.

  • bloke in spain

    One of the precautions to snooping I’ve taken is almost all of my mail now goes through non-english language mail providers. Seems to me, countries that don’t particularly have any fondness for the US/UK are unlikely to be sharing data with them.

  • Richard Thomas

    Bloke: You might be surprised where some of that traffic goes. I’m sure it’s no longer as much the case but I believe traffic from the UK to certain areas of the world used to route through the US simply because the US had the most and best connections to everywhere. You may also find that your non-US providers host in the US due to the high availability of hosting and cloud services here. Indeed, a recent story was of companies looking to move their datacenters out of the US due to the recent NSA “revelations”. (I use quotes because anyone who didn’t have a strong idea this kind of thing was going on is naive)

  • Laird: I need to sit and think and do some Bayesian probability analysis on that one. That the NSA are overstating their capabilities intuitively sounds more likely than that they have successfully executed such an intricate conspiracy.

    Then again it is perhaps not successful if they have been caught.

  • Laird

    Rob, I’m not sure this is actually a probability analysis problem, but have at it anyway. In any event, the fact that they have been “caught” (assuming, of course, that that wasn’t itself part of their intricate scheme; how deep does this rabbit hole go?) doesn’t necessarily mean that they haven’t been “successful”. If they truly have that capability does it really matter much if we know it or not?

  • If they truly have that capability does it really matter much if we know it or not?

    Yes, very much so, because this is not a race that ever ends and thus it is not a race ‘they’ can ever definitely ‘win’ once and for all… provided enough people know they are indeed in a race.

  • Toastrider

    They sell tiny low-profile USB sticks in Tesco. I bet they are easier to get through customs than a kilo of heroin.

    They used to be called thumbdrives; now you could call them thumbNAIL drives. I’ve got a 16 gig Sandisk one that looks like the wireless receiver for a Logitech cordless mouse. The USB jack is larger than the drive itself.

    Hiding it would be child’s play. RF scanners aren’t gonna pick it up. You -might- pick it up with a metal detector, but I doubt it like hell; there ain’t much metal there to start with. You’d have to literally strip search the guy, his clothing, his luggage… and that’s assuming he hasn’t swallowed it or something. Hell, you could probably put it in a fake car key fob or something easily.

  • Dale Amon

    It has been suspected for over a decade that NSA had a back door in Microsoft products, ever since someone did a troll through an MS binary and found an NSA text label that appeared to be a hook for something. If you are an American company, especially if you are listed, and they come after you with offers you can not refuse… there is really no choice even for CEOs who are libertarians. Now in cases where companies are closely held, especially those which are owned by a sole proprietor, there is at least the option to give one last futile gesture, like the cartoon poster of the mouse standing tall before the eagle swooping in on it… In other words, you can simply write off *ALL* American software corporations as a security risk.

    So we see our government destroying yet another industry in its sick battle to control everything. They wrecked the satellite industry; now they are trying to destroy the software industry.

    All I can say is, for the moment at least, BUY NON-AMERICAN.

  • Laird

    “there is really no choice even for CEOs who are libertarians”

    Depends upon who they are. If someone like Bill Gates or Larry Ellison, with a very high public profile, had come out publicly when first approached by the NSA to build in “back doors” they would have perhaps incurred the enmity of the government but it would not have had the courage to criminally charge them with anything. Similarly with Zuckerberg and Mayer (Facebook and Yahoo, respectively), who today are whining about the bad press they’re getting over cooperating with the NSA in sharing customer data: had they come out publicly complaining about the requests there would have been no repercussions. Some mid-level programmer? Sure. But not such high-profile executives. They simply lacked the courage to challenge the government (or, more likely, were willing accomplices and now don’t like the fallout).