Most people who work in information security are accustomed to thinking defensively: How can I prevent "bad things" from happening that would damage computers or networks, or allow unauthorized people to view or alter confidential information? We are seldom in a position to think offensively: How would I attack or damage an opponent's systems, or gain access to information the opponent doesn't want me to see?

Edward Snowden's recent releases - mostly through Glenn Greenwald of The Guardian - make it clear that the NSA is very much playing offense, trying really hard to obtain copies of every bit of digital information that US citizens (and those of many other nations) have created. Thus the NSA gets copies of all phone calls (metadata, and probably call content), emails, files in the cloud, communications on social networks like Facebook, and copies of physical letter envelopes. Several large US-based companies have been corralled into this effort, named Prism: Yahoo, Microsoft, Apple, Google, AOL, Facebook, Twitter, Paltalk, and perhaps more that have not been revealed so far.

But what does the NSA not have access to unless the FBI physically plants some kind of device or software bug on their targets' computers and networks? [Note that the NSA targets are all US citizens plus many in other nations.] As far as we know, the NSA cannot do direct searches or copies of individuals' computer systems, or of home or business networks. Why not? Because in many cases users may create this data without it ever being transmitted over the Internet. Imagine plotters in different locations collaborating by creating local information, copying it to USB thumb drives and mailing them to each other. Do we really imagine that the NSA has not considered this?

So, if I were director of strategy at the NSA, I would want access to that "last mile", the final refuge of Americans' digital privacy: files stored on their personal computers, including smart phones. The question is: How do I get it? I can't have the FBI break into every house and business in the country, at least not yet ;) But what if I could install spyware and/or botnet clients on every major operating system? OK, how do I do that? There are a couple of approaches, each with advantages and disadvantages. I could try to bully Microsoft, Google, Apple and some Linux vendors into installing the spyware/botnet software via patches. These companies are already part of Prism, so in theory I could just extend the "Prism walls". But what if that's just too obvious? What if the Prism companies successfully push back, or tie me down for years with legal challenges?

So I move to plan B: I approach the major US anti-malware companies, like Symantec, McAfee, ESET, and more. Anti-malware software is installed on almost every home and work PC/Mac computer. So I get National Security Letters and force them into the Prism program. Then I require them to add a "high quality (think Stuxnet) spyware/botnet client" that is capable of reporting on, and even sending copies of, every file a user possesses or reads via web access. If, or when, I'm found out, I can always insist that this is totally for national security, to help catch terrorists, and that citizens with nothing to hide have no reason to worry. Isn't that what the East Germans and the Nazis said? [Note that savvy tech users who monitor their outgoing connections should be able to spot something odd going on, and even block it. That situation could require more collaboration with Symantec and McAfee - require them to allow the NSA to access users' systems from Symantec and McAfee IP addresses.]

OK, let's turn off Dr. Evil. As far as I know, the anti-malware companies are not in the Prism program. But it could happen... unless we show a lot more resistance than we have been.