The NSA and Open Source: Operation ORCHESTRA (and an epic JYA review)

Here’s a wonderful example of clever thinking.

Asked to brief some unnamed European intelligence agency on the NSA’s operations, a muddle-minded young American takes a wrong turn and ends up briefing a European open-source conference on the NSA’s operations against open source projects.

Or, at least, that’s the premise of FreeBSD developer Poul-Henning Kamp’s talk at FOSDEM’14.

The talk is brilliantly conceived, explaining how more or less the entire Internet infrastructure is (probably) compromised through clever — and completely legal! — means. Means which are so simple, they wouldn’t even show up in Snowden’s documents.

For example, under the heading of codename QUEEN, he describes how to disrupt open source projects’ consensus building and prevent them from implementing real security. Take the business of self-signed certificate warnings in browsers, or X.509 — a wonderful case of QUEEN in action!

Or, in the case of operation BOYS, what do you do when you need to park someone with skills in a two-bit cover company somewhere? Have them contribute to open source projects, of course!

After all, “I work for this nonprofit, they just want their email to work, I have plenty of time to contribute…” is a wonderful excuse, and a wonderful way to quickly get a position of trust.

Towards the end of the talk he makes the point that it sucks that so many of Snowden’s files haven’t been, or may not be, released. This is true, but in the process he’s missing the point somewhat.

Even Snowden didn’t have a full view of the NSA’s capabilities. Seeing the full docs would still give an incomplete picture, and woe to anyone who sees the full docs and thinks “OK, that’s it, there’s no attack on MY configuration listed here so I must be secure!”

(Or even worse, “this presentation from a few years ago from one particular department calls my configuration secure, so I’m good!”)

What the open source community, and everyone else for that matter, needs to do is exactly what Poul-Henning Kamp did with this talk.

Start thinking about the “known unknowns” and “unknown unknowns.” Realizing that we don’t and may never know the full extent of the agencies’ capabilities, still try to anticipate them, and develop defenses.

Ironically enough, this is exactly the game intelligence agencies have been playing with their adversaries for hundreds of years.

An epic book review by JYA.
