[Cryptography] TAO, NSA crypto backdoor program

ianG iang at iang.org
Tue Dec 31 03:17:16 EST 2013


On 31/12/13 00:26 AM, John Kelsey wrote:
> It's not "have you no decency," it's "have you no limits?"  The answer is apparently no.  The Snowden disclosures and related disclosures have shown NSA attacking:
>
> a.  US government standards
> b.  US companies' networks
> c.  US companies' products
> d.  US citizens' computers and private communications
> d.  Allied governments
> e.  Foreign companies' networks
> f.   Foreign companies' products
> g.  Foreigners communicating inside their own countries
> h.  The UN and other NGOs
>
> etc.  The justification for this was terrorism, but apparently there's not much evidence that it stopped any terrorism (kinda like the TSA), and it looks like it's been used for all kinds of other stuff--fighting the drug war, tracking down whistleblowers, spying on journalists, economic espionage, spying on negotiators before hammering out treaties on stuff like intellectual property, etc.


The problem with this is that the NSA does what it is told -- by their 
political masters.  We were all around in the early 2000s, we all saw 
what the pressures were.

So, while we are probably all agreed that the terrorism was a false 
casus belli, and still rolls on as a sort of Orwellian war chant, there 
isn't a lot the NSA can do about it until they are told to change their 
mission.


> At some point, probably ultimately originating in 9/11, they seem to have gotten the message that there *were* no limits on what they were permitted to do--at the very least, that message seems to have gotten to NSA and CIA.  We have seen open violation of the written laws in domestic spying scandals and torture scandals, and nobody faced any legal consequences but the whistleblowers.


Yes, 9/11 was without a doubt the casus belli, without a doubt.  But 
also the seeds were sown earlier in the late 1990s.

I suspect they were told there were no limits.  Remember TIA, 
Poindexter, the Ideas market?


> The first response to this needs to be to send the message to them that there are limits, that rules and laws apply to them.  That message needs to have teeth--subpoenas, drastic budget cuts, congressional hearings, the whole bit.
>
> That isn't going to happen anytime soon--the leadership of the two big parties has zero interest in reining this stuff in.  Whether that's because of their genuine belief in the need for unlimited power for the spy agencies, or the *really detailed* files the spy agencies have on key members of both parties, I don't know.  But every time the spy agencies show that they can get away with *anything* and nobody faces any consequences, it becomes more plausible that there's something more than good salesmanship by the intelligence agencies going on.


The leaders in the USA are typically driven by one thing only -- 
campaign contributions.  These are driven by corporates.  And corporates 
in Eisenhower's military-industrial complex are very powerful.

If you want to change the NSA, you have to battle the corporates that 
are clustered around.  Which is the above group.  Over the last half 
decade or so, they all added heavyweight cyber-warfare divisions, some 
have quipped it is now the military-industrial-cyberwar complex.

Which need to win contracts.  Which contracts will feed the politicians.


> The only way I see this happening is for there to be a popular movement against unlimited unaccountable intelligence agencies doing whatever they please in the US.  I would love to see this happen.  I'm kind-of worried that the way our media works, any such movement will be black-holed or marginalized or channeled into more acceptable-to-the-powerful issues.


I agree, the media is useless, pretty much wiped out as an independent 
force since 'embedding.'

But I would ask, what can a popular movement do against the above cycle 
of funds?  That's a rhetorical, I don't claim to know the answer...


> And that only deals with the first step that's needed.  The US is certainly not the only government doing this crap.  Figuring out how to resist nation-state level attackers will be hard even if we can ever get our own government not to be among the attackers.


That's where we can step in.  As far as we're all likely agreed, 
governments are likely all tarred with the same brush:  doing stuff 
outside the norms, unlimited budgets [0], probably illegal [1] and 
definitely out of control [2].

If so, they are a threat to us and to our users.  That's us, being the 
open and competitive community around the use of crypto & security tools 
to secure our users.

In the past, national security was a threat we typically declared as not 
one to mitigate.

I think that's changed.  Snowden has changed that.  I think we have to 
mitigate.  I think we have to fight.

The crypto wars are on again.



iang



[0] By unlimited budgets, I mean, huge & way in excess of ours.  We have 
to counter their huge budgets with our cunning and careful hacks.

[1]  The illegal part comes with the nature of spying and espionage; 
what they do to foreigners is illegal in the foreigner's country, and 
likely most others.  The home government gives a pass to the spy in her 
own country, but that only lasts inside the borders.  Outside the 
country, the spy is a spy, and can be punished with lifetime sentences 
or death in many cases.  C.f., the Italian rendition case.

From our perspective, it is simple to unroll the politeness of 
espionage -- it's illegal in most contexts -- and to reject the 
sophistry of the TLAs if they are also out of control.  Therefore, we 
can consider it to be a valid threat to us and our people.  If you want 
to be polite to your own countryfolk, you can simply say, we're fighting 
every other TLA, not our own...

[2]  They crossed the line -- they set up secret and dangerous channels 
to feed national security intel to a wide range of agencies.  Once that 
happens, the national security resources of a nation are available to 
any political bureaucrat with a domestic enemy.  It's all in secret, 
it's all denied in court even under oath, so it's going to happen.  It 
probably already has.  Systemic corruption is inevitable.

