The network is hostile

Yesterday the New York Times and ProPublica posted a lengthy investigation based on leaked NSA documents, outlining the extensive surveillance collaboration between AT&T and the U.S. government. This surveillance includes gems such as AT&T’s assistance in tapping the main fiber connection supporting the United Nations, and that’s only the start.

The usual Internet suspects are arguing about whether this is actually news. The answer is both yes and no, though I assume that the world at large will mostly shrug at this point. After all, we’ve learned so much about the NSA’s operations at this point that we’re all suffering from revelation-fatigue. It would take a lot to shock us now.

But this isn’t what I want to talk about. Instead, the effect of this story was to inspire me to look back on the NSA leaks overall, to think about what they’ve taught us. And more importantly — what they mean for the design of the Internet and our priorities as security engineers. That’s what I’m going to ruminate about below.

The network is hostile

Anyone who has taken a network security class knows that the first rule of Internet security is that there is no Internet security. Indeed, this assumption is baked into the design of the Internet and most packet-switched networks — systems where unknown third parties are responsible for handling and routing your data. There is no way to ensure that your packets will be routed as you want them, and there’s absolutely no way to ensure that they won’t be looked at.
Indeed, the implications of this were obvious as far back as ARPANET. If you connect from point A to point B, it was well known that your packets would traverse untrusted machines C, D and E in between. In the 1970s the only thing preserving the privacy of your data was a gentleman’s agreement not to peek. If that wasn’t good enough, the network engineers argued, you had to provide your own security between the endpoints themselves.
My take from the NSA revelations is that even though this point was ‘obvious’ and well-known, we’ve always felt it more intellectually than in our hearts. Even knowing the worst was possible, we still chose to believe that direct peering connections and leased lines from reputable providers like AT&T would make us safe. If nothing else, the NSA leaks have convincingly refuted this assumption.

We don’t encrypt nearly enough

The most surprising lesson of the NSA stories is that 20 years after the development of SSL encryption, we’re still sending vast amounts of valuable data in the clear.

Even as late as 2014, highly vulnerable client-to-server connections for services like Yahoo Mail were routinely transmitted in cleartext — meaning that they weren’t just vulnerable to the NSA, but also to everyone on your local wireless network. And web-based connections were the good news. Even if you carefully checked your browser connections for HTTPS usage, proprietary extensions and mobile services would happily transmit data such as your contact list in the clear. If you noticed and shut down all of these weaknesses, it still wasn’t enough — tech companies would naively transmit the same data through vulnerable, unencrypted inter-datacenter connections where the NSA could scoop them up yet again.

There is a view in our community that we’re doing much better now, and to some extent we may be. But I’m less optimistic. From an attacker’s point of view, the question is not how much we’re encrypting, but rather, which valuable scraps we’re not protecting. As long as we tolerate the existence of unencrypted protocols and services, the answer is still: way too much.

It’s the metadata, stupid

Even if we, by some miracle, manage to achieve 100% encryption of communications content, we still haven’t solved the whole problem. Unfortunately, today’s protocols still leak a vast amount of useful information via session metadata. And we have no good strategy on the table to defend against it.

Examples of metadata leaked by today’s protocols include protocol type, port number, and routing information such as source and destination addresses. It also includes traffic characteristics, session duration, and total communications bandwidth. Traffic analysis remains a particular problem: even knowing the size of the files requested by a TLS-protected browser connection can leak a vast amount of information about the user’s browsing habits.

Absolutely none of this is news to security engineers. The problem is that there’s so little we can do about it. Anonymity networks like Tor protect the identity of endpoints in a connection, but they do so at a huge cost in additional bandwidth and latency — and they offer only limited protection in the face of a motivated global adversary. IPSec tunnels only kick the can to a different set of trusted components that themselves can be subverted.

‘Full take’ culture

Probably the most eye-opening fact of the intelligence leaks is the sheer volume of data that intelligence agencies are willing to collect. This is most famously exemplified by the U.S. bulk data collection and international call recording programs — but for network engineers the more worrying incarnation is “full take” Internet collection devices like TEMPORA.
If we restrict our attention purely to the collection of such data — rather than how it’s accessed — it appears that the limiting factors are almost exclusively technical in nature. In other words, the amount of data collected is simply a function of processing power, bandwidth and storage. And this is bad news for our future.
That’s because while meaningful human communication bandwidth (emails, texts, Facebook posts, Snapchats) continues to increase substantially, storage and processing power increase faster. With some filtration, and no ubiquitous encryption, ‘full take’ is increasingly going to be the rule rather than the exception.

We’ve seen the future, and it’s not American

Even if you’re not inclined to view the NSA as an adversary — and contrary to public perception, that view is not uniform even inside Silicon Valley — America is hardly the only intelligence agency capable of subverting the global communications network. Nations like China are increasingly gaining market share in telecommunications equipment and services, especially in developing parts of the world such as Africa and the Middle East.

While it’s cheap to hold China out as some sort of boogeyman, it’s significant that someday a large portion of the world’s traffic will flow through networks controlled by governments that are, at least to some extent, hostile to the core values of Western democracies.

If you believe that this is the future, then the answer certainly won’t involve legislation or politics. The NSA won’t protect us through cyber-retaliation or whatever plan is on the table today. If you’re concerned about the future, then the answer is to finally, truly believe our propaganda about network trust. We need to learn to build systems today that can survive such an environment. Failing that, we need to adjust to a very different world.

27 thoughts on “The network is hostile

  1. Note that Google (and possibly Yahoo as well) used leased lines for their inter-datacenter connections, so they thought they had reason to trust their security… If I understand correctly, ISPs were actually breaking contractual promises when they let the NSA snoop on these lines.

    (Not that this really matters, in the long run: in today's real world, anything outside your private datacenter must be assumed hostile.)

  2. And even if service providers use encryption between data centers and between servers and clients, what's to prevent the FBI and an agreeable judge (if you're lucky) from requiring the service provider to turn over their keys for that encryption – as they did with Lavabit?

    The only way to achieve actual security is for the service providers to be technically unable of decrypting the information – whether in motion or at rest.

  3. “someday a large portion of the worlds traffic will flow through networks controlled by governments that are … hostile to the core values of Western democracies” … err, like (as shown in this very article), the USA?

  4. Well as Isaac Newton said, “those who would give up liberty, to acquire a little safety, deserve neither liberty or safety.” Unfortunately today we live in an age of rampant terrorism and pedophilia, so a balance must be struck somewhere between, rather than without.

  5. I don't understand what do you mean by core value of Western democracy? How can you justify what the US government is doing?

    “a large portion of the world's traffic will flow through networks controlled by the US government that are, at least to some extent, hostile to the core values of Western”

  6. Your point about all the little internals that transmit over http is hugely important. Every bit of software I have written in the last decade has made some unencrypted outbound API calls over http. This is code running on servers. The same software could as well run on mobile devices or IOT devices, or cars, etc. so for all the faith we might put in SSL that's really only one part of the picture.

  7. I'm wondering how long it will be until the realisation sinks in that public IaaS computation clouds offer just as little security as Internet service providers – but without even the possibility of endpoint encryption. In the cloud compute model, your server's RAM, right down to the CPU cache, is not part of your organisation's security perimeter. It's part of the untrusted network.

    It would be extremely trivial for, eg, the Amazon AWS hypervisor to quietly scan every compute node's RAM for AD credentials or private keys. This would be no harder and no less plausible than an ISP taking a tap of the core Internet backbone. There would be an EXTREMELY strong intelligence and business case to make for installing this capacity, since anyone — such as, say, ISIS — can get a free AWS node to use for running web or chat servers.

    How many people run an Amazon AWS node and then connect it to a corporate AD domain? How many treat every keystroke they type on an AWS node as completely burned key material, never to be used again inside the firewall?

    Fun fact: Amazon hold a US DoD security clearance and host a private CIA cloud for the entire US intelligence community – a $600 million dollar contract as of last year (2014). That's a *very* large customer to tell 'sorry, we know ISIS are using our compute nodes, and we know you really really want to put taps on those nodes' RAM, but… well, that would just be wrong, so we won't.'

    http://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

  8. Actually third worlds have to admit that the culture of “freedom”, which had been totally unique to the Western civilization, triggered the invention of today's computer-related technology. Chinese or Japanese could contribute to the field of technology to some extent, but there is no doubt that still the US and West is on the leading position. The problem is, incredibly large amount of attacks are directed to US today and no solution applied to this hostile reality. As seen in the leak of the nuclear-weapon, U.S. government is too sloppy to protect their covert information. This is not only about encryption. There could be problem with the access control itself. U.S. society, in my arrogant opinion, make too much public. Just think share good thing globally is nothing more than the hypocrisy which cause you trouble.

  9. Indeed, we need to make a new inter-networking system that is build with security as a core principle. A daring and interesting attempt at exactly that is Cjdns (nothing to do with dns): https://github.com/cjdelisle/cjdns
    While this is still highly experimental, it is a step in the right direction. I wish stuff like this would get more attention by professionals because it is certainly needed.

  10. Articles such as this continue to ignore the purpose of these “taps”. It is not to “spy” on the innocent. As long as criminals and terrorists use the internet to traffic in illicit activity, such things must be monitored to protect those same innocents. If not, then we'll hear the screams of anguish when some explosion happens somewhere and cry will be, “Why didn't the NSA and CIA know about this?!!” Talking out of both sides of their mouth. You have to go where the criminals are.

  11. My sister-in-law works on mobile telephony infrastructure in Kenya. Part of her job is (or was) to remove Cisco routers and replace them with Huwai routers.

    Given what we know about the MO of signals intelligence agencies (of all nationalities), I don't think it's particularly paranoid of me to wonder if (at least part of) the reason for her work is to support Chinese interception of Kenyan mobile telephony traffic.

  12. My Google tells me that is a paraphrase of the Benjamin Franklin quote, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

  13. Please help me understand how I can assume that on-site security equipment and software is non-hostile? (1) when Cisco CEO declares that Cisco is a Chinese company; (2) when most of the products being delivered have at least a significant % of sourced manufacturing and/or assembly in China; (3) when our own government is deploying tactics that feel increasingly like police state methods (all with good reason, of course);
    I must consider that the very solutions I use to protect my sites and systems are perhaps as hostile as the internet.
    Trust is absolutely gone.

  14. This is an essential point. The article sets the foundational issue properly but we need to follow through by being clear that protecting against wiretapping (using https or whatever) is only the beginning of very basic (an in relative terms, easy) hygiene.

    The intermediate notes /at the application level/ are all major points of vulnerability. So the article's reference to encryption at the 'end points' needs to mean the real origin and the final destination, not merely either end of a tcp connection (or the like.)

    This reduces to meaning that the serious focus must be on difficult problem of moving towards universal object encryption, not (merely) channel encryption.

  15. I think the issue is, how do treat a bad apple inside a pile of good apples? Do you pesticide all the apples, or only the bad ones? My common sense would be spare the good ones, Right? Well, we have all the tools to be smarter and be treated with a sense of pride and self-respect. I cannot see how one bad apple beat so many good ones.

  16. Almost no one connects AWS to a corporate AD domain. Something like 98% of AWS nodes run Linux.

    But your point is nonetheless valid.

  17. “We don't encrypt nearly enough.” Couldn't have said it better myself. It's time to encourage developers to build secure applications with strong application layer encryption. Reduce the circle of trust to just the application itself and don't trust any of the other elements at play. Crypteron (https://www.crypteron.com) is a developer friendly security platform that tries to make this easy. Disclaimer: I'm a co-founder at this company. Developers can add Crypteron's Java or .NET SDKs in minutes and not worry about where the data ends up or which corrupt agencies or telecoms have access to it.

    Keep up the great writing!

  18. Sure; that's why I'm sure you'd have no problem with the government reading everyone's paper mail and personal diaries and installing video cameras and microphones in all rooms in everyone's home, too. It's the only way to be sure. Such things must be monitored to protect the innocent. Otherwise we'll hear screams of anguish “Why didn't the NSA know about this?!!”

    Maybe you're happy living in a surveillance state to allegedly protect you from terrorists, but many people are not. And it's naive to think that the surveillance apparatus is ONLY used to catch terrorists, and not also used against e.g. journalists and social activists who are in disfavor with the government.

  19. Great piece. Any professional knew that privacy and security were thrown out of the window (what's in a word) the moment the computer was connected to the www and got popular. There's no such thing as a secure internet, and if it was, there's still no such thing as a secure personal computer. Same goes for tablets or smartphones. All that commercial software and apps for PC and phones is a hilarious joke. Fairytales. Real crypto still requires dedicated crypto hardware.

    Encrypting everything might be usefull to increase the workload for the spooks on metadata, kinda flooding their shop, but if you focus on someone, that person's privacy stands no chance. As they say in the Intel world, if you can't decrypt it, steal it from his PC or phone before he encrypts it. And the best thing of it, he'll never notice. Privacy and security were always a farce, only now it gradually becomes obvious (alas still only to a few). If you want privacy, don't use the internet or your PC, it's that simple.

  20. Well, even today, they don't know about it, and will continue not to know in the future, so why bother monitoring everyone? That's simply creating a police state.

    You can eavesdrop on innocent people, stupid or smart, but you can't eavesdrop on smart criminals, as they won't use the internet or smartphones for their critical stuff.

    An old saying in a new jacket: if you take away privacy for everyone, then only the criminals will have privacy. There's no excuse. NSA claimed preventing several attacks, until the congressional hearings on intel, and then they admitted it basically came to only one so-called case, which then turned out not to be.

    After any attack, Ignorant people will scream “why didn't they know”, let's monitor everything, let's put taps on anyone. F*ck privacy. Criminals know this. Therefore, smart people also know this It won't prevent anything. Mass surveillence will only prevent the ignorent from being scared, feeling more secure, living in utopia, and have given up what they were afraid of in the first place, seciruty.

Comments are closed.