We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Samizdata quote of the day

If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you’ll see that firmware on your device is the NSA’s best friend. Your biggest mistake might be to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity courtesy of incompetence of the worst degree from manufacturers, and competence of the highest degree from a very wide range of such agencies

Mark Shuttleworth

18 comments to Samizdata quote of the day

  • Gary

    So I am being asked to believe that the state is dramatically more competent than the market. I think the onus rests with you to prove that one.

  • Jaded Voluntaryist

    Does something like the “Blackphone” use a more secure firmware?

    In any case, it’s a tricky one. The sorts of things I use my smartphone for mean that a truly secure phone wouldn’t be practical. I keep my to-do list and calendar on itn using google to sync between multiple devices. I use google maps to navigate to lots of different places. Heck, I even find googles much criticised “search bubble” very useful, since a google search on the phone finds the sorts of things I’m interested in by the time I’ve typed the 3rd character.

    If the NSA wanted to know all about me, the place to look would be google’s servers – not my phone. If I could have the same level of functionality with true anonymity, I’d take it. But realisticly speaking, useful features like a search engine that learns your preferences can only come about when data is being stored somewhere.

    I suppose the real problem is not that data is stored, but that the NSA feels entitled to (and gets) any and all data that is stored anywhere. The only effective way to guard against them is not to store anything.

  • Runcie Balspune

    The only effective way to guard against them is not to store anything.

    I’m sure everyone is in here somewhere:

  • ajf

    Wow, this website is very popular in Pakistan apparently…is this some kind of internet trick?

  • So I am being asked to believe that the state is dramatically more competent than the market. I think the onus rests with you to prove that one

    No, this is a fundamental misunderstanding of the situation. Profound naivety in fact.

    The way the state (specifically the US and UK states) have been so effective is by keeping the full reach of their projects, capabilities and willing to spy on quite literally the entire world a secret. Thus crappy firmware is actually to be expected . To be fit-for-purpose, it just has to enable the gizmo to work. The market has to actually have a commercial imperative to react to some development beyond “does my cordless electric tooth brush work?” Y/N? What Shuttleworth is doing is saying the “Yes it works and is also enabling people to read your e-mail by enabling various hitherto unexpected attacks.” 😉

    In short, what Shuttleworth (and Snowden et al) are doing is putting this idea in enough people’s heads to generate the demand to create the market imperatives for non-crappy firmware.

    “The market” only gives a fuck about end user security if there is a commercial reason to care about it. Thanks to Snowden and precisely these sort of awareness raising remarks by folks like Shuttleworth, we may indeed get to the point where we see a commercial imperative to make your products “non-NSA-ready”… only then do we have a market-vs-state dynamic. But that is a process that is only just starting and do not think the state will just lie back and let it happen without a fight.

  • Dyspeptic Curmudgeon

    Clarke’s 3rd Law: Any sufficiently advanced technology is indistinguishable from magic.

    Grey’s Law: Any sufficiently advanced incompetence is indistinguishable from malice.

    Curmudgeon’s Corollary: And sufficiently advanced malice is indistinguishable from incompetence.

    Ie. If they are completely incompetent, you will think they are doing it on purpose.
    But if they really intend to mess with you, you will think they are just a bunch of morons.

    Take your pick. You can’t have both!

  • Rob Fisher (Surrey)

    The original article and discussion is worth a read. BIOS and system management mode sound particularly scary.

    I hope Mark Shuttleworth gets somewhere with his phone ambitions; open hardware, firmware and software might one day be possible.

  • Rob Fisher (Surrey)

    (Until then only Richard Stallman is safe)

  • long-lost cousin

    How is even he safe? Is emacs NSA-proof? Did GCHQ not use the word “GNU?”

  • Richard Thomas

    Here’s my thought on the issue. I don’t deny it as a possibility but in the case of firmware, competing companies *are* pulling that stuff out out of their competitors products and analyzing it all the time. Now, potentially all companies doing such may not be willing to reveal that they have found such vulnerabilities because the NSA has them in the bag also but the temptation to release will be there. It only takes one announcement and it’s a PR disaster (unfortunately, the government and its agencies have found out that they don’t need to give a damn about PR. Just brazen it out and nothing will happen).

    So what will tend to happen is targeted manipulation of firmware (and hardware and software) after production where your target is unlikely to be looking closely at the product and will just rack it up and plug it in.

    Of course, there are always ways to add vulnerabilities that look like bugs rather than subversion but they are likely to be found and patched and therefore less reliable.

  • Fraser Orr

    >the state is dramatically more competent than the market

    You know that was my immediate reaction too. However, I thought about it a little and recognized that it was really more a instinctive libertarian reaction against the state. States are really just a special kind of market and behave in the same way as other markets. The difference is that the incentives are different than they appear to be, or are different than we are told they are.

    Take for example the IRS. The IRS are pretty good at collecting debts. Their incentive was to collect as much money as possible, balanced against the disincentive of pissing off enough people that politicians had to do something to save their cushy jobs. We are told the incentives are to collect taxes fairly and accurately to fund the government. But that isn’t the real incentive structure at all. As is evidenced by the fact that 50% of phone inquires to the IRS give incorrect advice, usually in favor of the government.

    Similarly the motivations of the intelligence communities are always toward collecting more data. The disincentive is the same — getting spanked by the public and curtailed by fearful or posturing politicians. However, the reaction to the Snowden thing — which is to say lots of bluster and no real action — tells them that they need to continue doing the same thing, or even more, because they really won’t get spanked.

    I think it is a mistake to believe governments are bad at everything. They are are really good at the things that matter to them, it is just those things are rarely beneficial to you or me. For example, politicians have something like a 92% re-election rate here in the USA. That is a pretty impressively high number in a gallows humor sort of a way. I wish I could hit my goals at a 92% success rate.

  • PersonFromPorlock

    I’m starting to wonder if the ability of everyone to uncover shameful facts about everyone else won’t result in the disappearance of shame: “Yeah, I’m a kiddy-diddler. So what?”

    The alternative appears to be paralysis.

  • Laird

    PFP, I wonder if paralysis isn’t a good thing.

  • William the Conker

    “The market” only gives a fuck about end user security if there is a commercial reason to care about it.

    Yes, yes YES! This’s right on the nose! If cheap crappy insecure firmware makes the device run, just because the NSA is using that cheap crap to hack your life, if the device continues to run, as things stand right now BOTH the company AND their customers DO NOT GIVE A SHIT. Why? Because most customers don’t even know what the hell firmware even is! Some kinda bra?

    So just blithely saying “state stoopid, market smart, nothin’ to worry about” oh good lord where to start? Props to Shuttleworth, we need a whole lot more of this kind of talk. Until customers demand it, companies ain’t going to change jack shit, because that cost money. THAT is how the your market really works out there in the real world. Create the demand and then, and only then, will the market get smart. Only then does the NSA really start to have a problem.

  • Toolkien

    Do people really think the state will let the market produce anything it can easily defeat? If so, people haven’t been paying close enough attention. The state only allows technology out in the market place in measures it allows – from concentration of alcohol to locks it can pick. If you’re in demand for anything the state can’t easily defeat you’ve placed a big “surveille me especially close” sign on your back. Large technology corporations have long ago sold their souls for the “right” to consolidate and have over site of the products they can market, as overseen by the justice department. If someone does come up with truly locked streaming/storage, the state will employ someone under threat of a cage to help them defeat it anyway. The market can only do so much against even incompetent Force. Once people have given up political liberty and allowed evil Forces to bloom beyond a certain tipping point, the only way back is through the inevitable collapse of the state and only after a bloodletting of persecuted minorities.

  • Julie near Chicago

    PfP nails it. Once “everybody does it” gets to the point of “and everybody knows everybody does it, including the gritty details for each individual,” then “it” becomes part of the wallpaper. Whether this is a good or a dreadful thing depends on what “it” is.

    If “paralysis” happens instead, people have no room to maneuver, to “be themselves,” by definition.

    This is Totalitopia, where only the invisible can survive.

  • DC:

    Simon’s Law:
    It is unwise to attribute to malice alone that which can be attributed to malice and stupidity.

  • Because most customers don’t even know what the hell firmware even is! Some kinda bra?

    I believe it is the stuff that fits inside the bra.