In February of this year, Poul-Henning Kamp (a.k.a “PHK”) gave what now looks to be a peculiarly prescient presentation as the closing keynote to 2014’s FOSDEM.
In the presentation (PDF), PHK posits an NSA operation called ORCHESTRA which is designed to undermine internet security through a series of “disinformation”, “misinformation”, or “misdirection” sub-operations. ORCHESTRA is intended to be cheap, non-technical, completely deniable, but effective. One of the opening slides gives ORCHESTRA’s “operation at a glance” overview as:
– Reduce cost of COMINT collection
– All above board
– No special authorizations
– Eliminate/reduce/prevent encryption
– Enable access
– Frustrate players
PHK delivers the presentation as if he were a mid-ranking NSA staffer intending to brief NATO in Brussels. But “being American, he ends up [at FOSDEM] instead”. The truly scary part of this presentation is that it could all be completely true.
What makes the presentation so timely is his commentary on OpenSSL. Watch it and weep.
Thanks for this post, Mick. Really scary stuff. I recently voiced my suspicions that the NSA had targeted SSL, as the potential intel derived from any compromise would be massive. Really bad news to come home from vacation to :(
The segment on talking points designed to steer discussions and sway public opinion their way is most interesting. The tactics of old school politics often go ignored in certain fields, but misdirection is as effective as ever. I’ve fought the self-signed certificate argument with a few self-aggrandizing security experts in the public forum too — likely to no avail.
The lack of sufficient auditing of code across virtually all major open source platforms provides real cause for concern. And perhaps another compelling reason for me to make the move to OpenBSD.
Hope you enjoyed the vacation….
I liked PHK’s rather acerbic remarks about FOSS politics and methodology. For example he highlighted how the adversaries could manipulate the “witless volunteers” in the community to derail useful activity, or bury people in ridiculous GPL vs BSD licence arguments, or, as you point out, denigrate self-signed certificates as “useless” because as everyone knows, “secrecy without authentication is pointless!”
(Yes, I too have had arguments about SSCs – but I still insist on avoiding using a CA)
And since PHK is active in FreeBSD it was good to hear his lament about the lack of audit of its 20,000+ ports.
Good luck with the move to OpenBSD.
Back for a bit :)
I have two comments. First of all, the “many eyeballs thing” touted around as an argument for Open Source is questionable, because it assumes that said eyeballs are:
– interested (not always a given, and that reduces the “many” considerably)
– not attached to idiots
– not bleary or bloodshot from a good night out..
However, Open Source has in the case of discovery of such an exposure still massive advantages in that you can work on a fix yourself or commission any 3rd party to do so, and you can apply such a fix in a much shorter time (although I’d flag up possible quality risks here). This is an opinion also voiced by Jonathan S Shapiro (read Risks Digest 27.84 – he has much more theory underpinning the above).
The second comment is a bit more serious as it lifts out of the tech sphere. I agree with some of the psyops aspects of what is happening globally. I start coming across comments where individuals seem to have all but given up on privacy, seeing it as unobtainable “in the modern world” (read: they feel so powerless to influence matters they have turned sheep – which is partially what Jeremy Bentham’s “panopticon” concept was all about). Personally, I suspect this was one of the goals of this relentless, drip, drip, drip process of disclosure of events past and new. The press seems to be happy to collaborate in this insofar that it reports, but is strangely mute in the places where outrage should appear.
Privacy is like freedom: you have to fight to keep it. I, for one, am not giving up. As a matter of fact, it’s a source of delight to throw the occasional handful of nuts into the well oiled mechanisms of companies making a lot of money pretending they’re free (whereas the true payment is your privacy). The EU has thrown up a good barrier against US attempts to legalise their data acquisition (yet again AFTER the fact), let’s hope they don’t succumb to the usual mix of bribery, lobbying and straight blackmail traditionally as “negotiating” tactics (I assume there is enough data gathered on EU officials by now)..
Nice to see you back Peter.
I’ll have to disagree with you about the “goals of this relentless drip, drip, drip process of disclosure”. I do not think that the press are colluding in any way with any of the adversaries Snowden has reported on. On the contrary, I’m pretty sure that the administrations both here and the US (and their respective SIGINT agencies) would heartily like to see the last of the revelations. I recall reading somewhere (probably the Guardian) that Snowden very specifically chose to pass his material to responsible journalists who would sift, analyse and put context to the material over time – thus maximising the period in which the revelations would be laid before the public, rather than just dumping it all into a wikileaks type of bucket where it risked being a one (or two) day wonder. Moreover, the continued series of exposures of differing programmes of mass surveillance must leave the administrations wondering what is coming next. If everything had been dumped at once, it would have been closed up /very/ quickly – and probably before any serious journalistic commentary had been made.
Oh, I would not go so far as to accuse any press of complicity with the above government aims, it just doesn’t seem that all this disclosure leads to anything more than a reaction at government level. The man in the street seems to have passed a point where they just accept that yet another right is stripped off them as if it was never relevant in the first place..
I agree that the governments involved would love to see an end to this – normally, 2 weeks or so and it would have been forgotten. Julian Assange must be very jealous..