How the NSA has destroyed trust

Summary: Because we know that the NSA has attempted, and in some cases succeeded, in making vendors and other third parties complicit in their data collection, it's hard to completely believe vendor denials anymore. It's the vendors who are the biggest victims here.


RSA Security has denied that they took money from the NSA to use a backdoored random number generation algorithm in their products. Do you believe them?

As security guru Bruce Schneier shows, you just can't trust anyone anymore about these things. This is perhaps the most poisonous and damaging outcome of the NSA's activities in recent years (or at least of the disclosure of those activities).

As a general rule, I look on tech companies as victims in this scandal. In fact, they're far bigger victims than nearly any individual civilian for exactly this reason. A large part of what tech companies sell, particularly in the security business, is trust. As Schneier shows, trust is essential in any functioning society, but computer security is so complicated that you simply have to trust the vendors you deal with.

This is why many of these companies have been suing the government in the FISA court for permission to disclose more about their level of cooperation with government data collection. They need for their customers to be able to trust them, and as things stand, the companies are not allowed to refute many of the most extreme allegations.

As for the RSA allegation, I think it may be logically impossible for them to refute the charge, even if it's false. They would have to prove a negative, i.e. that they didn't have this secret contract. Even if the NSA officially denied it, and even if an audit of RSA's contracts didn't find it, would you say that proves it didn't happen? If they had intentionally backdoored their products, it would be ruinous to RSA's reputation; the only reasonable thing to do might be to lie about it and place their fate in the ambiguity of it all.

There's a lot of argument about whether the NSA's tactics have actually prevented much terrorism or otherwise aided the security of the United States. We're not allowed to know the details of that. What we do know is that the NSA has weakened the security of the tech industry, that of many tech companies in particular, subverted the security of an industry standard, and given the whole world reason to mistrust US authorities and companies. Something needs to be done, although it won't work quickly. Trust can be destroyed in short order; it takes a long time to establish, perhaps even longer to re-establish.

Topics: Security, Government US

Talkback

61 comments
  • Far worse

    We don't trust the NSA, the US Government or the global industries in Technology, Finance and Energy.

    We need to reclaim our privacy, freedom of choice, financial stability and control of multinational corporations.

    Nothing less than a reset is going to satisfy me.

    The victim is The People!

    America has progressively lost its way since the end of WWII.

    Is ZDNET going to run a campaign against? No, because you media people are part of the propaganda problem.
    jacksonjohn
    • Far worse

      Not only can we not trust a word coming from the USA, but we are also all worried about murders, killing, intimidating, terrorism made by the USA. Just one example among thousands:

      General Wesley Clark, retired 4-star U.S. Army general: "We’re going to take out 7 countries in 5 years: Iraq, Syria, Lebanon, Libya, Somalia, Sudan & Iran.." (about ten days after 9/11: “We’ve made the decision we’re going to war with Iraq.” This was on or about the 20th of September. I said, “We’re going to war with Iraq? Why?” He said, “I don’t know.” He said, “I guess they don’t know what else to do.” So I said, “Well, did they find some information connecting Saddam to al-Qaeda?” He said, “No, no.” He says, “There’s nothing new that way. They just made the decision to go to war with Iraq.” He said, “I guess it’s like we don’t know what to do about terrorists, but we’ve got a good military and we can take down governments.” And he said, “I guess if the only tool you have is a hammer, every problem has to look like a nail.”)
      Jiří Pavelec
      • and ...

        Let's see. We did go to war against Iraq, he was correct about that.
        The rest however ... so he was correct in 1 out of 7, yeah, it sounds like he is just the person on which to build a belief system regarding the intent and actions of our government.
        Tumbleweed_Biff
    • Trust

      What a dirty filthy word. Why do you need trust? So it can be betrayed? Why do you insist on believing trust in god so why do you think it's OK to trust anything else like religion or so called "leaders" when experience teaches that you can not? Even those who claim to destroy order really mean they want to reclaim in their own name. The truth is trust is not necessary. The truth will do. No need to invent weird and wild imagination to thrive on chaos. Chaos in nations between nations and war. Victim eh that will never change because you are a victim of your own expectations. Show me the damage. I will clue you in: your satisfaction is not at stake it is human lives at stake. How many do you want to sacrifice? Paranoid is not living in a state of fear it is simply unfounded fear you are not tuned in to what you should be afraid of. I see the chaos being created deliberately with foreknowledge of consequence. But wait perhaps you were ignorant of how things work? Everyone for the most part is ignorant of how things work instead they form expectations of what it should be ignoring reality. The security of the world depends on ignorance. There are nuclear weapons and chemical biological weapons and people who intend to use them. Intend to. That is what the NSA is, not about not your infidelities or messages to your drug dealer. It's about war. Making war and preventing war. You are being used. Get up to speed and find out what is real for yourself if you are concerned do not rely on others.
      Altotus
      • It's hard to find a load of malarky like you just posted.

        But, you did, and it is, in fact, a load of malarky, encapsulated in a foaming-at-the-mouth rant. I sure as hell would never, ever, in a billion years, trust you and those of your ilk.
        thetwonkey
        • NSA scandal and shame was a great victory for Linux and FLOSS

          Now we know that in Linux and Open Source Software we have to and should trust.

          People - if clever at all - should abandon ecosystems of Microsoft, Apple and Google. Microsoft and Apple are the worst.
          Frankie1965
          • @Frankie1965

            So, you check every line of code and compile it yourself?

            Some of the backdoors, like the PRNG "bug" that the NSA released is an algorithm that is also used in open source software. Like most closed source applications, an open source project would have to be pretty silly to use it (it is slow and inefficient). But if you (or the people behind your distribution) don't configure properly, you could end up using it.

            Open Source gives the ability to check, but very few do and even fewer compile their OS and applications themselves. They just take it for granted, that the people behind the distribution haven't added any back doors of their own and use the public source code 'as-is', and that somebody with enough mathematical knowledge has been through that code and hasn't found any problems with it.

            Just look at Ubuntu and its Amazon deal. That wasn't malicious in the NSA sense, but it did break users' trust, wasn't opt-in, did breach some data protection legislation and was open source...

            Open Source is a little more trustworthy, but it isn't 100% safe, unless you check and compile that code yourself - and you happen to be an expert programmer and, for things like crypto and PRNG, you are one of the best mathematical minds on the planet.
            wright_is
        • It's absolute madness.

          Take the bad, make it sound worse, declare a conspiracy, blame the political party you hate, even if they didn't bring the problem to life.

          If the party you like is in power, say they are doing things right and would do more if it wasn't for the commies on the other side complaining, if the party you don't like is in power claim the commies are stealing your privacy.

          Fear the terrorist, whine about your privacy, distrust the big companies, and again, throw your duly elected government under the bus, unless of course it's the party you like then defend every move they make and every thought they express like it's your religion.

          Have no real concern for reality; scoff at the fact checkers, and blame your position in life on everyone but you. The homeless guy down the road probably played a big part in making your life so rough. NOT.

          A word to the wise; never properly state your position on anything political, if the party you hate starts doing things at some point the way you have clearly stated would be best way, it will be so much harder to call them commies that are ruining your country at some point in the future.

          Remember, no matter how each party does things or runs things, it's the name of the party that counts, not their ideals, their ways of actually doing things, their track record or their methods. Heaven forbid the opposing side ever gets credited for doing anything right.

          You know, it's exactly like everything around ZDNet, you chose your OS of choice and NEVER EVER admit your choice has any drawbacks or that the other side has a single solitary thing about it that's good.
          Cayble
          • RE: Cayble comments

            Ditto.
            rroacm
          • And?

            For the non-partisans, who look at what the government is doing? Usually it doesn't make much difference which "party" is in power, they are still sponsored by big business and the industrial military complex.

            I prefer to look at what the Government, or in this case what the NSA is doing, outside the control of the government, and compare it to the constitution and laws that are already in place. If what is going on contravenes existing law or the constitution, then it is wrong, regardless of which party is in power.

            And as a Johnny Foreigner, I have even less rights than those being abused by the NSA against its own citizens and businesses.

            The biggest problem, for me, is the way the Patriot Act, FISA and FISC work, in conjunction with the NSA. The way the NSA is "bugging" the big cloud providers makes it, for all intents and purposes, illegal to use a cloud service with ANY footprint in the USA.

            It isn't good for the American economy, it isn't good for international relations and it isn't good for the cloud. If the NSA / US Government isn't careful, the USA and US businesses will become the pariah of international commerce and people will look to home-grown web services, which never leave their home borders.

            In Germany many of the ISPs and mail providers have put in encrypted communication between mail servers and guarantee that E-Mail to other addresses with providers in Germany never leave the national borders for "E-Mail made in Germany".

            Likewise small cloud services which have multiple co-los in the country, but no internationally based servers are promoting themselves as safer alternatives to Google, Apple, Microsoft and co.
            wright_is
      • Hyperbole.

        "Why do you need trust?"

        Because I live in a world with other people - some trustworthy, some not. And in order to be functional in this world, I need to trust some of those people.

        "So it can be betrayed?"

        Sometimes it is, sometimes it isn't.

        I don't treat betrayal as something harsh emotionally, but good luck regaining my trust. I will act accordingly.

        "Why do you insist on believing trust in god so why do you think it's OK to trust anything else like religion or so called 'leaders' when experience teaches that you can not?"

        Experience is not quite so stark. There are many nuances, and detail can be important.

        This is quite the hyperbole here.

        "The truth will do."

        Indeed it does - and the truth brings with it trust. So why deny trust?
        CobraA1
    • What constitutes a "reset"?

      Just wondering.
      John L. Ries
    • The people are the victims?

      Of what or whom?
      More than anything, the people are the victim of corporate representation in government. Corporations should not have any place in a government of the people, by the people, for the people. The vast majority of people working for the government are honest hardworking people. The ones who are the problem are the politicians who profit from the decisions they render and laws they create most commonly against the best interests of the people they are supposed to serve. The NSA performs a crucial service for the welfare of this country as well as others around the world. The saying goes that evil will succeed as long as good men do nothing ... the NSA is the "good men" acting to stop evil.
      Tumbleweed_Biff
      • That's fine

        You just go ahead and believe that they are the "good men" aaand I'll just continue to believe they are a major part of the "Evil Empire".
        Perhaps the truth lies somewhere in the middle, personally I think it is at one end or the other but the way the law is being worded we may never really know 'til 50 years has passed.
        Tonydid
  • Backdoors and other stupidity

    Assuming the NSA forced the installation of backdoors into software there is one very serious flaw. The NSA assumes no one else is smart enough or lucky enough to discover them and if they do they will be a white hat. What if, say, the Chinese or Russian spy agency found them? They would use them to gain access to whatever network they wanted to target. I personally assume that others have sufficient talent and intelligence to find these backdoors and are currently using them.
    Linux_Lurker
    • RE:

      Windows 8.x has a backdoor with unknown potential that's been publicized, although it didn't get widespread coverage. Maybe because Windows 8.x is so awful in so many ways, nobody really cared if it was backdoored or not. I will never use any piece of software with a known backdoor in it.
      Lapithes
      • news to me

        I think I follow these things pretty closely and I know nothing of a backdoor in Win8. Could you supply any references?
        larry@...
        • RE:

          Google it
          Lapithes
        • TPM

          "The Office for Information Security (BSI) later clarified the government’s position, and did say the use of TPM 2.0 and Windows 8 (TPM is used in other non-Windows machines, including Chromebooks, making the claims even more questionable) meant the user had to deal with “a loss of control over the operating system and the hardware used”. This could lead to greater risk for the federal government and critical infrastructure, it said.

          But the body said it had not warned the general public nor government bodies against using Windows 8.

          It said “the newly established mechanisms can also be used for sabotage by third parties”, but appeared only to be talking generally about vulnerability exploitation. There was no suggestion of a purposeful backdoor, as Zeit had hypothesised, even if the BSI does have problems with TPM.

          Microsoft has responded to the kerfuffle first by denying it has ever provided such access to users’ data and by talking up the security benefits of TPM 2.0. It suggested government departments would be wise to use the security protections it provides by default. But for those governments who want to gain back control of their machines, they can go with OEMs who make Windows PCs without TPM.

          “Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised,” a spokesperson said."
          RobinHahn
        • Key in all this is MS's response:

          "Microsoft has responded to the kerfuffle first by denying it has ever provided such access to users’ data and by talking up the security benefits of TPM 2.0. It suggested government departments would be wise to use the security protections it provides by default. But for those governments who want to gain back control of their machines, they can go with OEMs who make Windows PCs without TPM."

          --First we lie about what we're doing.
          --Then, if that doesn't work and we're found out, we quickly say "LOOK OVER THERE!"

          Works for the Coalition, here in Oz. And SOME people are generally thick enough to fall for it.
          RobinHahn