Sam Doran

My little corner of the Internet

Thoughts on PRISM

I have been reading and collecting articles on PRISM since I first saw the news on Twitter last Thursday night. It’s a lot to take in and more is still coming out. I have a lot on my mind about this matter.

I believe Edward Snowden to be nothing less than a coward and a traitor. He is the same class of naive and misguided thinker as Bradley Manning. At least Bradley had the courage to face the consequences of his actions rather than flee the country.

That sounds harsh and narrow minded, but let me elaborate my stance a bit. I am a proud United States citizen. I swore an oath many years ago to defend this country and its people. Though I am no longer a member of the United States armed forces[1], I still care about my country. I still believe it is worth defending and cherishing, both in and out of uniform. I do have quite a few friends who are actively serving in our armed forces, so that does influence my position. I worked for the United States Navy for several years designing the ACB12 versions of the Gun Weapons System not because I like to make things that kill people but because I believe America to be the least worst nation on earth.

“When I am abroad, I always make it a rule never to criticize or attack the government of my own country. I make up for lost time when I come home.”

– Winston Churchill

The fundamental problem I have with people like Edward Snowden is they lack character. They believe they have a moral duty to leak information that they agreed, possibly swore, to keep secret. In fact they lack both character and courage. It doesn’t take character to hand over information that is damaging to national security — it takes character to stay true to your word even when you have a moral conflict with the situation. Sure, he has a sob story about “leaving behind his family”, but really he is lamenting the consequences of his actions and wants people to feel sorry for him. It takes character and integrity to do the right thing when nobody is watching[2]. Obviously he was entrusted with valuable information on the assumption he would be an honorable custodian. Obviously he chose to show his true colors.

Before I move on, I need to address the fundamental issue at hand here: the government spying on its citizens. We have this feeling that the Orwellian future of 1984 is becoming a reality and it causes mass panic. It doesn’t help that governments spying on their citizens and conspiracy theories make for really juicy headlines resulting in lots of clicks.

It is a common, and incorrect, belief in this country that we have a right to privacy from the government. Privacy has been a hot topic for the last several years mostly in regards to Facebook and Google. The public was already wary of privacy concerns and this latest revelation about the NSA’s activities is the proverbial gas on the fire. The Constitution grants privacy from very specific acts of invasion by the government. It does not provide an overarching provision that every citizen is free from any and all forms of government monitoring. There are laws that establish more specific provisions, but in this land, the Constitution is supreme.[3] The Constitution simply does not guarantee a right to privacy.

The issue of privacy becomes even more gray in the era of the Internet. While you are protected from physical search and seizure without a warrant, nothing prevents someone from sitting outside your house and writing down what times you come and go. What then prevents the government from watching the email traffic that leaves your house? How about just the raw packet flow as it leaves your house and enters a public utility line? Even if the data is encrypted (more on that later), a great deal of information can be gathered simply by watching the when and how much. The bulk of what the NSA is doing is collecting the metadata, not the contents of what is transmitted. The when, where, and to whom is really all that is needed to create actionable information. Gathering this data is in no way illegal and is not Constitutionally protected. If that doesn’t sit well with you, I’m sure China would be glad to have you as a citizen.[4]

What makes PRISM so unsettling is the slide showing major service providers as sources and claims in the article that the NSA has direct access to the data on the servers owned by Microsoft, Google, Yahoo!, and Apple. This is well beyond collecting metadata and is the most unsettling piece of the whole PRISM program. Based on the statements from the companies in question, I am guessing they don’t really know they are sources. This is all complete speculation on my part, but I would guess that the NSA has a beachhead inside each one of those organizations. The chart could also be renamed “How Long It Took Us to Hack Into Major Internet Companies”. Microsoft fell first, being the biggest target with the easiest infrastructure to exploit (they’re probably running Windows), and Apple being last because their server side data was not that interesting until the last few years when iCloud and Siri launched. They also probably have much better security in place since they are sitting on the Fort Knox of credit card information and regularly brag about that fact.

The legality of a government sponsored organization actively hacking into private companies for the purpose of gathering and possibly exfiltrating information sits squarely in the legal gray zone. I don’t get the impression these companies actively provide unlimited information to the NSA, but rather the NSA has the means to go in and take a closer look when they feel they have accurately narrowed down a target from the “publicly” available information floating across the wire. It’s not really breaking and entering in the letter of the law, but it sure seems like it violates the spirit of the law. That’s what has everyone upset.

The reason I think it’s rather naive to become outraged at the revelation that government spy agencies do in fact spy is because they are not using this information to actively oppress and censor the citizenry as Orwell described in 1984. They are using this information to protect us from people who want to kill us. If our government was hell bent on turning us into sheep, watching our every move and sending squads of dark clothed agents to come nab us in the night, then Edward Sparrow would be a hero in my book. But the reality is that he is a traitor who betrayed his country and helped the enemy to better avoid detection. Innocent people may very well die because Ed Sparrow wanted to prove a point.

My opinions are most certainly skewed by having worked in Defense and encountered members of the Intelligence community. They are not members of an oppressive government regime, willing to break any and all laws to read its citizens’ emails. They are soccer baseball moms and coach dads, operating in the gray area of the law with the mission of making a safe country for their families. They are smart and very intelligent people and I trust them, their intentions, their accountability, and their integrity.

Can we still trust encryption?

I can always count on the brilliant folks at Agile Bits to bring common sense to the incredibly opaque world of cryptography. They wrote an excellent article on PRISM as it relates to data encrypted in their 1Password Keychain Format.

“In judging NSA capabilities, we need to keep in mind that they have a history of discouraging the US government from using systems that the NSA could break.”

Up until I read that, I was always a bit suspicious of government backdoors into widely used encryption algorithms. But it is highly unlikely the NSA would mandate an algorithm for Top Secret information if they knew it had a flaw.[5] Self preservation is a strong and very basic human trait. The algorithms are public and scrutinized by brilliant minds all over the world. The math is quite sound. The weakness lies in the key strength and the financial means of the entity that wishes to break the encryption.

Here is where I delve into wild speculation. I am quite sure the NSA has at its disposal enormous computing power since a very impressive cracking system can be built using COTS hardware and a limited budget.[6] I would bet the NSA has some of the best brute forcing resources and tricks in the world. This means what it has always meant, really: the encryption is only as strong as the key used to secure it.

The revelation of PRISM doesn’t change anything in regards to how we encrypt data. We should be using 2048-bit SSL certificates, 256-bit AES, WPA2 AES, and RSA for SSH keys. The passwords we use to protect our digital information (the “keys”) need to be big — at least twenty characters. I have used Diceware for many years to generate strong and easily memorable passphrases that I have to type. For everything else, I generate random 20 character passwords and store them in 1Password. My 1Password keychain is protected with a seven word passphrase that isn’t stored anywhere but in my head. Apple announced iCloud Keychain today, making it dead simple to generate random passwords, store them in an encrypted keychain, and sync them to all your devices. The key strength is what matters if you want to keep the NSA from looking at your stuff.

The prevailing mentality of using cloud services, though, hasn’t changed at all in light of PRISM. The assumption was always, “If I put it in the cloud, assume it is being read by somebody”. Now, we’re pretty darn sure it’s being read by somebody so we better use strong keys. The only thing that I might change about how I store data in cloud services is using 30 character keys to encrypt it.
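To put numbers on "only as strong as the key", the following added example (not part of the original post) compares the entropy of the three secrets mentioned above and generates each kind from the OS CSPRNG. It assumes the standard 7776-word Diceware list, a 94-symbol printable ASCII alphabet for random passwords, and an attacker guess rate that is purely an assumption.

```python
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5          # five dice rolls select one of 7776 words
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SEC = 1e12       # assumption: attacker's offline guess rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` options."""
    return length * math.log2(choices)


def units_needed(choices: int, target_bits: float) -> int:
    """Smallest number of picks whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def years_to_search_half(bits: float, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Expected years to find the secret (half the keyspace) at `rate` guesses/s."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform random password drawn from the OS CSPRNG, never from `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_rolls(words: int = 7) -> list[str]:
    """Five-dice keys (e.g. '41365'), one per word, to look up in a Diceware list."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]


def report() -> dict[str, float]:
    """Entropy of the three secrets the post mentions."""
    return {
        "7-word Diceware passphrase": entropy_bits(DICEWARE_LIST_SIZE, 7),
        "20-char random password": entropy_bits(len(PRINTABLE), 20),
        "30-char random password": entropy_bits(len(PRINTABLE), 30),
    }


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name}: {bits:.1f} bits, ~{years_to_search_half(bits):.2e} years")
    print("sample password:", random_password())
    print("sample dice keys:", " ".join(diceware_rolls()))
```

These figures hold only when every word or character is chosen uniformly at random; a passphrase a person makes up carries far less entropy than its length suggests.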

Update 2013-07-08 Steve Gibson on Security Now Episode 408 offers an excellent analysis of the NSA Prism program, including how it works technically and how it got its name. Start at 57:29 for an explanation of how the Internet works and how that in turn allows the Prism program to gather data.

  1. I was honorably discharged from the United States Air Force in February 2009 after serving six years as an aircraft mechanic on F-16, F-15, and F-22 aircraft.

  2. Insert “Who watches the watchmen?” reference here.

  3. We are the only country to hold so closely to a document in this way. Other countries think we are nuts for using a 200+ year old document as the absolute rule of law.

  4. That’s a joke.

  5. Unless they are confident they are the only ones who are even remotely close to being able to break it. That’s tinfoil hat wearing talk, though.

  6. Or you could just rent some Amazon EC2 instances, crack the password, then be done.