What do people who work in digital security think about the NSA revelations? And how concerned should the rest of us be? Those are a couple of the topics this week on the GeekWire radio show, as we get our security gang back together to discuss the new realities of the world in the midst of the Edward Snowden leaks.
Listen to the episode above or directly via this MP3 file. Joining us in the studio are..
- Dave Peck (@dangerdave), one of the founders of Cloak, a Seattle startup that helps computer and device users protect themselves on public wireless networks.
- Eric Butler, a freelance software developer (@codebutler) known for creating Firesheep, a tool that demonstrated just how easy it can be to hijack someone’s online accounts on open wireless networks.
- Christopher Budd (@christopherbudd) of security firm Trend Micro, who previously worked for a decade on Microsoft’s Security Response team and also contributes to GeekWire.
And are a few of the highlights from our discussion.
What has surprised you most and what have you learned from the NSA surveillance leaks?
Peck: Government intelligence agency overreach is nothing new. What’s new today is the extent and pervasiveness of our electronic communications, and therefore the extent of potential overreach that they’re able to achieve.
Budd: I think I’ve learned from this that even the NSA can’t solve the admin problem on networks. Looking at this as a data breach, and reading between the lines, Snowden was a contractor … who had admin access across multiple servers, and he used that access to suck down the documents on a thumb drive. For me this goes a long way to prove that security is hard. A federal government agency focused on security, with basically unlimited budget, could not find a way on their network to compartmentalize (data) and keep contractors from having admin access.
Butler: The most concerning thing that I’ve seen is this idea that the NSA is collecting all this Internet traffic and they might not even be analyzing it right away, they might not even be able to, it might be encrypted, but just having this massive vault … that does make me think that everything I do online could someday be exposed, and that’s very concerning.
Has it changed how you communicate online?
Butler: I think I’ve always been careful what I say online. I generally assumed that conversations always leak out. But it’s made me think, whenever I’m chatting with someone — especially if I’m talking about this subject — sometimes I wonder, do I want a digital record of this? That’s really troubling to think that I have to think about that, and be worried about my own government.
Budd: I’ve not really changed. But to be fair, I’ve not ever put anything up there that I could not stand to lose control of. And this is one thing that drives me nuts about the coverage around NSA. Everyone is talking about what NSA and GCHQ are doing, for obvious reasons. These are not the only governments that have intelligence gathering. We know the Russians, the Chinese, the Iranians — basically every country has some intelligence operation.
Which is the bigger threat to our privacy and security: rogue hackers grabbing credentials out of the air in a coffee shop, or government surveillance?
Butler: The bigger threat in terms of what is most likely to cause a person a problem is still probably the coffee shop. But the potential for damage is so much greater when we’re talking about the NSA, and there are a few examples. We’ve heard about this program called LOVEINT — this is such a common problem in the NSA they gave it this name. This is people in the NSA basically spying on former love interests. It just sounds like the worst nightmare to have someone in the government who can see everything you’re doing stalking you.
Can we trust the government without full transparency about what they’re doing?
Peck: I absolutely believe it’s possible, but unfortunately, in the current climate, in the context of the Snowden disclosures, it’s very difficult. I suppose our government and these leaks have done a lot to undermine our trust in the entire system, in all directions. So it’s going to take a long time to repair that damage.
Are we now safer online because of what the government is doing?
Butler: The answer is definitely not, because what the NSA is doing is weakening the security of the Internet to let themselves in. By doing this, by possibly compromising crypto standards, by possibly placing backdoors into hardware or software, they are opening us up for attack from anyone else. They’re really accomplishing the opposite of what they claim their goal is.
Peck: I think this culture of uncertainty is so dangerous that overall it’s a net loss for us.
Budd: I think everyone in the security industry will agree that anything that weakens cryptography via vulnerability is a threat to everybody. Someone will find it. … I don’t think it’s a question of, are we safer online because of this. It’s a question of, are we safer. … Greater security in the physical world may require a little less security online. But at the end of the day we just don’t know because there’s not an accounting in terms of effectiveness.