The security services of the US, UK, and Sweden have been actively working to plant backdoors into most commercial cryptography software. While intended to use for wiretapping business secrets, medical journals and bank transactions, those backdoors are also there for any other adversary. This is effectively a declaration of war from the security services against all of humanity.
The news broke this morning that the NSA (US), the GCHQ (UK), and the FRA (Sweden) have been actively working to subvert the cryptography that makes our society tick, by planting backdoors in most if not all commercial cryptography software. This means that these agencies have deliberately made all of us vulnerable as we conduct our banking business, as we go to the hospital, and as we talk privately online. Our society depends on our ability to keep secrets, and the deliberate planting of backdoors, the deliberate subversion of our infrastructure, is nothing short of a declaration of war. Even according to U.S. Generals.
“A cyber attack on the U.S. could be met with a conventional military response.”
— chairman of the Joint Chiefs of Staff, Army General Martin E. Dempsey
Disregarding the ridiculous use of the word cyber, which makes him sound as if he’s stuck in a 1970s steampunk novel, the statement from such an authority makes it crystal clear that an attack that tries to subvert communications infrastructure is considered a military attack. And this is the attack we’ve had, on a global scale, against all mankind, from the NSA, the GCHQ, and the FRA.
It is important to note that cryptography itself has not been breached, as erroneously reported by several oldmedia this morning. While the end effect can be the same, there is a crucial distinction between the NSA/GCHQ/FRA subverting implementations of cryptography, versus breaking the math itself. The security services have not broken cryptography, they have been subverting commercial cryptography products to be defective, using moles and other forms of pressure on technology companies to work with the NSA/GCHQ/FRA against their own customers and against mankind.
This difference is crucial as non-commercial cryptography products can be not defective. For example, look at this post from Theodore Ts’o this morning:
“I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. […] Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.” — Theodore Ts’o
This example is significant because all cryptography depends on good random number generators, and “/dev/random” is the random number generator for all GNU/Linux systems, probably including your Android phone – the technical term /dev/random can be read as “the random generator device”. It would appear that somebody sought to subvert all systems based on the Linux kernel to be vulnerable to the NSA/GCHQ/FRA. Fortunately, that failed due to the good judgment of one engineer here.
This subversion of our critical infrastructure doesn’t just let the NSA and its ilk listen in. It lets anybody listen in that has enough technical skill to discover the planted back doors – and there are plenty of people who have that skill. The security services, with the job of keeping us safe, have effectively trashed our security completely. Assume the worst criminals can eavesdrop with much more ease than the NSA were ever able to, thanks to this subversion and breach of trust.
We can safely assume that all American software is thoroughly Swiss-cheese compromised. If you’re running anything from Microsoft or Apple, you’re owned. They’re in your system, in your documents, and in your production. You were played for a fool and you need to switch to a free-software solution or stay owned.
However, cryptography itself has not been broken, as already stated. Oldmedia can’t tell this crucial difference, so I’ll leave it to the words of Edward Snowden, who can presumably be trusted on the matter:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” — Edward Snowden
Note how Snowden also makes the crucial distinction between cryptography itself, properly implemented cryptography, and the subverted commercial systems, “endpoint security”.
Bruce Schneier, one of the world’s leading security experts (if not the leading security expert), makes a similar observation:
“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are” — Bruce Schneier
In a column in The Guardian, Schneier also ominously elaborates on why these services are the enemy of all mankind, and why this is the last opportunity to learn from history:
“Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?” — Bruce Schneier
The declaration of war has already been made, the glove thrown, the first strike executed. It is up to us to not repeat the mistake of the families in Berlin in the winter of 1932, who still went weekend skating in the parks in denial.
I’m writing the NSA, the GCHQ, and the FRA in this article. That is since yesterday’s revelation in the Europarl hearing that the Swedish FRA is a key player in the ongoing NSA surveillance, having the code name Sardine. (I wrote about documents strongly suggesting that back in July.) When the EU gathered to discuss and protest against the NSA’s global spy network, you may recall that the UK and Sweden vetoed that discussion. Seeing how the UK and Sweden are part of the spy network, that comes as no surprise today, but is still incredibly shameful to the brink of treason. There is no further reason anybody in the EU could trust the ministers of those countries ever again on the matter.
Finally, the NSA, GCHQ, and the FRA are faceless legal constructs. But the people who have executed these attacks on humankind are just that, individual people. They are the people who work for these agencies. They are the ones who have declared war on humankind, individually, and they are the ones who must be made to answer for it.
They have a choice. They can come clean, as Snowden did, or they can remain an individual who declared war on humanity.
UPDATE — Techdirt makes the same observation: NSA, GCHQ admit that the public is the enemy.