c nerd blog — PKI & PGP


The Snowden affair has shown our data spies are unfortunately rather leaky.

What I find particularly damning is that the NSA didn’t know Snowden had happened until the press reports appeared. If their internal monitoring didn’t spot him, why think it would have worked for anyone else? Even worse, the CIA did spot him, but he was employed by the NSA all the same. If one guy under suspicion can get inside the NSA and collect so much information without being spotted, then so can others.

It is the job of foreign spies to extract information from their counterparts. The NSA will certainly have been targeted. Some agencies have the reputation of being very good. Given what’s happened, I think it’s safe to presume a number of other countries will also have got a lot of information from the NSA.

Indeed, my post-hoc suspicion is that the Russian reaction is, at root, ‘we’ve been expecting something like this for years’. I wonder if half the reason they’re protecting Snowden is that they consider the real fault to lie entirely with the NSA for being quite so awful at protecting themselves.

Some countries have security agencies with a reputation for passing knowledge on to their commercial friends. Some security agencies own commercial operations. Some have direct connections with criminal organisations. All this leaves me confident that many of the techniques revealed by Snowden are already being used, or soon will be. In trying to make Americans safer, the NSA have actually made everyone, everywhere, less safe.

The NSA even weakened internet security. They made everyone, everywhere, a little less safe by doing that, too.


I expect that, over the next few months and years, internet criminals and other baddies—the great majority of whom wouldn’t have known about the NSA’s hackery until Snowden—will use the leaked information to jack up the quality of their maldoings significantly. All it takes is one or two particularly adept criminals to break into some commercial organisation and mass-steal users’ identity information. In this, we are all potential victims; we are all at greater risk of being wronged. Snowden has also made everyone, everywhere, less safe—but at least now we know.

We’re all going to have to up our password quality, stop reusing passwords, and anyone in any way dependent on credit should probably get themselves some identity theft protection (here’s a UK resource). The risk of becoming a victim is still pretty low, but it has increased significantly.

Snowden also suggested that, although many computer companies and some technologies are compromised (by both nefarious trickery and court orders), the underlying math is good.

To me, all this means that I have to tighten up my own internet security, and that I should put together something that is not based on any particular company’s technology. I think I have to go open source, knowing that open source software can be checked by anyone who can read it, not just the people who wrote it. Unlike many people, I can walk some way in that direction. Mind you, it’s taken me ages to do what a half-competent unix admin would have done in a morning.

But it really needs a genuinely trusted power, perhaps the power of a trusted government, to make this possible for most people. Does Mrs. Merkel want to take Germany in that direction? Probably not. It may need a small power to do so.