If Privacy Doesn't Matter, Profits Do
by Dave Gonigam
The story begins with one of the most important documents spilled by Edward Snowden. Back in September 2013, we learned the NSA had found its way around much of the Internet encryption we take for granted, less by out-thinking the math than by getting at the keys, the standards and the products themselves. The little padlock symbol you see in your Web browser when you're on a "secure" site? The NSA can often pick the lock. As long ago as 2000, the NSA "began collaborating with technology companies in the United States and abroad to build entry points into their products," The New York Times reported.
We pointed out the problem at the time: If it's easier for the feds to crack encryption codes, it's also easier for foreign governments... or terrorists... or organized crime... or run-of-the-mill hackers sitting in their boxers in mom's basement. Credulous cybersecurity "experts" sounded shocked: "We thought [the NSA] would never be crazy enough to shoot out the ground they were standing on," said Johns Hopkins cryptography professor Matthew Green, "and now we're not so sure."
The "blue-ribbon panel" appointed by President Obama to investigate "reforming" the NSA took notice.
It didn't go so far as to call the NSA "crazy," but on Dec. 18, 2013 it did declare the U.S. government should not "in any way subvert, undermine, weaken or make vulnerable generally available commercial software." Two days later, another Snowden bombshell: To achieve its aims of purposely degrading Web encryption, the NSA paid $10 million via a secret contract to RSA -- "one of the most influential firms in the computer security industry" as described by Reuters, which broke the story. "Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show." RSA is a subsidiary of publicly traded EMC Corp. For what it's worth, EMC shares have basically gone nowhere in 2013.
Effective cryptography rests on a random number generator: every key is only as secret as the randomness it was made from. The generator RSA shipped as the default in its BSAFE toolkit, known as Dual_EC_DRBG, had been suspected since 2007 of carrying a backdoor. Its output looked random, yet anyone holding a secret set of constants could predict it from a small sample. "If the numbers aren't truly random," writes financial blogger and techno-whiz Karl Denninger, "you can compromise the encryption." "This is much easier than actually trying to break the code itself," he says, offering this pithy analogy: "Think of it as a safe with a big, thick door and a nasty, unpickable lock -- but because you want to break in, you get the owner to install a cheesy $20 screen door on the side of the vault."
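To make the screen-door analogy concrete, here is a constructed Python example added for this edition. It is not RSA's code and not a model of the RSA generator itself; it assumes a toy stream cipher (plaintext XORed with the generator's output), a generator whose entire hidden state is a 16-bit seed (a deliberately tiny state space so the search finishes in a second or two), and that the attacker can guess the first few plaintext bytes, as with a protocol header. The attacker never touches the cipher: they predict the generator and read the message. Swapping in the operating system's CSPRNG, with no change to the cipher, defeats the same search.

```python
"""Constructed illustration: a sound cipher behind a predictable random number
generator is no safe at all.

Added example, not RSA's code and not the generator discussed in the article.
The generator here is weak in the simplest way (assumption: its whole state is
a 16-bit seed). The alleged RSA backdoor was subtler, but the attacker's
position is identical: predict the generator and the cipher falls unattacked.
"""
import random
import secrets

SEED_BITS = 16  # assumed size of the weak generator's state space

# Constructed sample plaintext: a request whose first bytes any attacker can guess.
MESSAGE = b"GET /account/balance HTTP/1.1\r\nCookie: session=7f3a9c\r\n"
KNOWN_PREFIX = b"GET /"


def weak_keystream(seed, length):
    """Keystream from a deterministic PRNG. It looks random, but anyone who
    learns or guesses the seed reproduces every byte of it."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_weak_rng(plaintext, seed):
    """The honest party's view: XOR the plaintext with keystream from the
    generator. The cipher is fine; the seed stands in for the generator's
    internal state, which the honest party never transmits."""
    return xor_bytes(plaintext, weak_keystream(seed, len(plaintext)))


def encrypt_with_csprng(plaintext):
    """Same cipher, keystream drawn from the OS CSPRNG. The key is returned
    so a legitimate receiver could decrypt."""
    key = secrets.token_bytes(len(plaintext))
    return xor_bytes(plaintext, key), key


def attacker_recovers(ciphertext, known_prefix):
    """The attacker knows the generator's algorithm (it is public) and that
    its state space is small. A few bytes of predictable plaintext confirm a
    guess; the rest of the message then decrypts for free.
    Returns (seed, plaintext) or None if no state in the space fits."""
    n = len(known_prefix)
    for seed in range(1 << SEED_BITS):
        # Check only the prefix first; regenerate the full stream on a hit.
        if xor_bytes(ciphertext[:n], weak_keystream(seed, n)) == known_prefix:
            return seed, xor_bytes(ciphertext, weak_keystream(seed, len(ciphertext)))
    return None


def demo():
    """Runs the same search against both ciphertexts and returns both outcomes."""
    hidden_seed = 0xBEEF  # never revealed to the attacker
    weak_result = attacker_recovers(
        encrypt_with_weak_rng(MESSAGE, hidden_seed), KNOWN_PREFIX)
    strong_ct, _key = encrypt_with_csprng(MESSAGE)
    strong_result = attacker_recovers(strong_ct, KNOWN_PREFIX)  # nothing to find
    return weak_result, strong_result


if __name__ == "__main__":
    weak, strong = demo()
    print("weak generator : seed 0x%04X recovered, plaintext %r" % weak)
    print("OS CSPRNG      :", "no seed fits" if strong is None else "false match")
```

Run it and the weak ciphertext falls to five guessed header bytes and a loop over 65,536 candidates, no cryptanalysis involved. A real backdoor replaces the small seed space with a secret shortcut that only its holder has, but the lesson for a practitioner is the same: a generator's output "looking random" proves nothing, and the cipher on top of it is only as strong as the generator underneath.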
RSA is telling its customers to stop using the compromised number generator... but the software doubtless remains in widespread use: a default baked into a toolkit lives on in every product that embedded it until each of those vendors ships a fix. The horse has already exited the barn. Or the safe with the screen door, as it were. Josh Thomas is "chief breaker" at the information security firm Atredis Partners. He was going to deliver a presentation to 15,000 people at a cryptography and security conference in San Francisco hosted every year... by RSA. Not anymore. "If the allegations are true, a company whose sole purpose is to build trust -- and that's what cryptography is -- and they can't be trusted, then I don't want to be part of that," says Thomas. Although there's a Chinese wall between the firm and the conference, "the problem is that they do share a name," Thomas tells the website Raw Story. "They are furthering the RSA brand. Everyone who gets on stage is furthering the credibility of the company." Nor is Thomas alone in pulling out. So is Mikko Hypponen, lead researcher for the Finnish computer security firm F-Secure. "You had kept on using the generator for years despite widespread speculation that NSA had backdoored it," he wrote in an open letter to RSA. As we suggested some time ago, President Obama is likely to go along with the commission he appointed... and slam the back door shut.
We're only more convinced after the latest Snowden scoop. According to the German newsweekly Der Spiegel, the NSA keeps a catalog of implants for the firewalls, routers and servers sold by nearly every major vendor: "An NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as U.S. computer-maker Dell." "Another program," Spiegel reports, "attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies." And the crash reports your Windows machine sends to Microsoft whenever it hiccups? The NSA has been reading those too as they cross the network. They spell out what software a machine runs and where it fails, knowledge the agency could use to pick malware to spy on you more directly.
The White House doesn't care a whit about your privacy. But it does care about whether the likes of Cisco and Microsoft remain competitive in the global marketplace.
The U.K. Independent has just pored over financial filings by Cisco and IBM... finding sales to the Asia-Pacific region down $1.7 billion year-over-year since the Snowden leaks began. "US companies have seen some of their business put at risk because of the NSA revelations," according to James Kelleher of Argus Research. NSA spying -- at least in its current form -- is bad for American business.
Once the NSA is put on a bit of a leash, look for corporate IT departments to spend billions upgrading their systems to close the many and sundry back doors. Ditto for government agencies that might not care about the NSA, but do care about Russian and Chinese hackers. Such a move would fit right in with "Obama's secret war" -- a code name our research team is using to describe a host of seemingly unrelated events -- NSA spying, Chinese covert action and a $9 billion shakeup at one of the marquee firms in the cybersecurity sector.
© 2013 Agora Financial, LLC. All Rights Reserved.