Privacy? What privacy?

With yet another long international flight stretching ahead of me, I finally have time and boredom enough to write a good deal more on network security issues than I have in the past. I have been at least peripherally involved in the area (self-defense of my own and customers' business networks) for quite some time.

There has been a sea change in the threat model over the last few years. The underworld of the Gibson novel has come to pass although things are perhaps not so dramatic as in the stories. Reality does not fit neatly between two covers.

I recently wrote about a possible case of industrial-scale industrial espionage. There is much evidence in the security literature that this is occurring, and KGB/FSB-bugged Russian hotels are not the only place one need worry. Everyone is getting into the game. For those who might be interested in such things I recommend a Dartmouth paper, “CyberWarfare: An Analysis Of The Means And Motivations Of Selected Nation States”, Billo and Chang, December 2004.

While reading Billo and Chang, a number of other strands of thought came together. It puts a whole new light on the recent move of major internet equipment suppliers into Chinese production facilities. Among these, two are of particular note.

  • IBM Thinkpads: the laptop of choice of many network professionals.
  • Cisco Routers: These are ubiquitous in the infrastructure of the Internet from major backbone to small office.

Then there is the Lynn debacle. Michael Lynn gave a presentation at DEFCON this last summer in which he showed beyond a shadow of a doubt that Trojans can be inserted into Cisco backbone routers… and by extension most other brands as well. His slide presentation was not of a specific exploit but of a generic method.

Cisco and ISS, the company from which he had just resigned, went totally over the top. They sent a crew to DEFCON to remove pages from the programs. Afterwards they threatened to sue Michael Lynn unless he agreed to allow their forensics people to cryptographically wipe anything to do with the research from his disk drives. They sent nasty letters to all and sundry who posted his slide set. They tracked down and took possession of every bit of video of the session they could get their hands on. Despite their best efforts to pull a “1984”, they failed.

It was not just failure, it was total, abysmal, embarrassing, hang-your-head-you-idiot failure. Instead of a few interested hackers and security analysts with copies stored in dusty corners of the internet, they made it a Slashdot affair. Absolutely everyone has the document now. I will not post a link here because if you really are interested you already have a copy, and if you do not you can find it easily enough.

Another reason these actions were foolish on the part of Cisco brings me back to the central point of this article. The Cisco heap smash attack described by Michael Lynn was only an improvement on already published literature… and it may have already been implemented… by Chinese hackers.

The Dartmouth report suggests the Chinese hacker community is at least partly state organized. Of particular interest is page 36:

In addition, with increased “out-sourcing” to China in recent years, there is the risk that software companies could deliberately embed back-doors in the programming code which would render the software vulnerable to intrusion. The presence of a software “time bomb” might not be detected until it is too late.

Do not get me wrong. I have nothing against China… at least so long as they keep their hands off Formosa. China is not the only player in this game. It would be difficult to find a global or regional power that is not.

The United States is one of the bigger fiddlers on the net: Cisco and others purportedly gave NSA a backdoor; and then there are the quite official and public FBI ‘CALEA’ wiretap requirements on all new hardware and software.

Whether an individual or a nation, the idea so many people are trying so hard to capture and archive your life is repugnant and something to be avoided if possible. The desire of States to force the equivalent of listening devices into commercial software is one of those risks which can be avoided… by using open source instead of closed systems. Actions have consequences and the result of statist meddling is to make proprietary software less viable in any market where the users are aware of and care about privacy.

This is not just personal pontification on my part. It is already happening:

Sensing a power shift, multinational companies and governmental bodies such as the European Union are beginning to insist that Microsoft provide open interfaces, that is, public descriptions of its software that let other programs interoperate with it. China, in particular, is determined to avoid dependence upon proprietary American software. It is concerned about trade disputes, about building its own software industry, and also about vulnerability to “back doors” that could be used for espionage. This last fear is not entirely irrational. Although there are no publicly known cases of espionage against China involving software, other technologies have been so employed. Five years ago China purchased a new, unused Boeing jet and hired U.S. contractors to refit it in Texas as China’s equivalent of Air Force One. Upon taking possession of the plane, Chinese security officers found that it harbored more than two dozen highly sophisticated, satellite-controlled listening devices, hidden everywhere from the bathrooms to the headboard of the presidential bed.

If the proprietary closed source of corporate entities has government backdoors, then any who care about privacy or security will migrate to open source. Backdoors will be found and removed. If any government tries to make such removal ‘illegal’, they will be ignored and there is nothing they can do about it.

Just ask the lawyers from Cisco.

References:

  1. CyberWarfare: An Analysis Of The Means And Motivations Of Selected Nation States, Billo and Chang, December 2004.
  2. National Security in Network Age — An Interview
  3. The Internet surveillance cash cow
  4. Exploiting Cisco with FX
  5. Router Flaw Is a Ticking Bomb
  6. Cisco tries to silence researcher
  7. Cisco, ISS file suit against rogue researcher
  8. Cisco Security Upgrades
  9. Security researcher faces scrutiny, FBI probe
  10. Cisco Seeks to Quiet Software Flaw Talk
  11. Update 2: Cisco, Security Researcher Settle Dispute
  12. How Linux Could Overthrow Microsoft

Correction: One of our readers pointed out that the conference at which Lynn spoke was the Black Hat conference, not DEFCON as I said above.

4 comments to Privacy? What privacy?

  • Robert Alderson

    Dale,

    Thanks for the explanation of what is happening in online security. It makes interesting reading.

    I do not regard the situation as being particularly bad. All previous methods of communication have been open to intrusion by government: couriers, mail, telephone. Two factors reduced the ability of the government to become a panopticon. Firstly, the sheer volume of communication they must check; secondly, the ability of people to employ encryption or communicate only in person. Both of these factors still apply.

    Secure open-source technologies are a new, third factor which further complicates government attempts to inspect everything. The internet is not going to be the totally private and secure means of communication hoped for, but it will be more private and secure than post or telephones.

  • rosignol

    Don’t forget about this little gem…

    http://en.wikipedia.org/wiki/NSAKEY

  • Things like this make me think it’s time to start asylums for the protection of the sane. Yes, I said sane.

    To gain admittance, you’d have to be significantly brighter than average. A sense of humor, while not absolutely required, would be a major marker of sanity. So would the ability to listen to others who think differently from you and acknowledge they might sometimes be right. Some ability at mathematics would also be at least a marker of sanity. Of course, a certain mental flexibility and ability to learn would also be necessary as well.

    Dale, you would definitely qualify. So would many other libertarians — as well as people of a wide variety of political philosophies. Enthusiasts for totalitarian control would of course be not, no matter what opinions they voiced.

    These sane asylums could be gradually expanded. In some countries they might eventually become dominant.

    I think I’m being facetious. I’m not sure, though.

  • anonymous

    Lynn’s presentation was at Black Hat (www.blackhat.com), not DEFCON.