Stross on NSA network sabotage


#1



#2

This is why full disclosure should be observed and security holes closed.


#3

Mr Stross's argument is that the NSA's obstruction (or the US Government's obstruction via laws that treated encryption like munitions) created an Internet (and therefore all of IT) that is broken by design.

Which is polemic. BS. Crapola.

The problem can be summed up by a variation of the golden triangle - Good + Cheap + Secure (pick any two).

IT Systems are COMPLICATED. Individual computers are COMPLICATED. Networks of computers are HIDEOUSLY COMPLICATED.

If you're old enough and have a narrow enough focus, you might recall when there were competing network technologies and even competing network designs - before TCP/IP swamped everything. From Europe and institutional technology arenas (the PTT or the government Postal-Telegraph-Telephone organizations) came ISO (and OSI) via CCITT. X.25. IBM's SNA. DEC's DECnet. And more. A lot of technologies were proposed, and even attempted. X.400 is the OSI e-mail protocol. It never had a chance against UUCP and BITNET - much less SMTP - due to its complexity and dependency on X.500 - which people pretty much gave up on when LDAP arrived. I don't recall if X.500 was also supposed to be an alternative to DNS either.

Early attempts to deploy technologies that tried to address complex security and access control issues usually failed due to their own complexity - and in the meantime, the early internet through the RFC process and later through the IETF kept on creating simple new things that worked and often fixed (or tried to fix) things that didn't work out as intended. (SMTP is a mess - but the X.400 solution would pretty much abandon anonymity and aliases and require everyone to have Government ids to post anything on whatever network might have evolved from that.)

There is ALWAYS pressure to get something out there that mostly works, mostly good enough. Businesses are under tremendous pressure to produce distinctive products - not just put more gloss on the horse carriages they built ages ago.

The NSA didn't encourage buffer overflows. Or SQL injection attacks. Or Cross-Site-Scripting attacks. These are (largely) input validation errors - easy to make by novice programmers (and there's so MANY of them.)

There is SO VERY MUCH SOFTWARE OUT THERE. And more, and more, and more, and more.

And people want it cheaper and cheaper. But complexity is a cost of its own (and more and more software just adds to the complexity!) Understanding the software is expensive - whether it's (free) Open Source or proprietary and requires a license fee (or subscription.)

And we also want stability - so that the foundations under us don't shift while we build OUR next big thing... but stability means that bugs don't necessarily get fixed - or are (expensively) fixed multiple times over. (I.e.: RedHat applies bug fixes, Ubuntu applies bug fixes, Apple, IBM, etc... all apply bug fixes to their variation of a piece of code.)

Yes, networks make computers (and the bugs in their software) more accessible - and more network based applications mean that there is more software and more bugs. But most of the threat has nothing to do with the NSA spying (not that the spying isn't deeply disturbing.) It has to do with the nature of project and product design - and the fact that people WILL use a product in unanticipated ways, for good and for ill - and the systemic outcome is emergent behavior.

So, my argument might be summed up as: IT is Broken By Design, but that isn't the NSA's fault - they're just a carrion eater on the side of the road waiting for juicy bits to eat.

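The post above names buffer overflows, SQL injection and cross-site scripting as input validation errors. The following is an added illustration of two of those classes (it is not code from this thread or from any commenter): each function pair shows the defect beside its fix, using Python's standard sqlite3 module on an in-memory table with constructed sample rows, and the html module for output escaping. The table name, column names and sample values are assumptions made for the example.

```python
"""Added example (not from the thread): SQL injection and XSS as
input-handling defects, each shown beside the corrected version."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, held in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Defect: the caller's string is pasted into the SQL text, so a value
    # containing a quote can change the query's structure (SQL injection).
    sql = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    # Fix: a bound parameter is handed to the driver as data, never parsed
    # as SQL, so the query's structure is fixed at the point it is written.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_vulnerable(comment: str) -> str:
    # Defect: untrusted text is placed into HTML unchanged, so any markup
    # in the comment becomes live markup in the page (cross-site scripting).
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    # Fix: escape the HTML metacharacters (& < > " ') before interpolating,
    # so the comment is displayed as text rather than interpreted as markup.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A quote inside the input turns the vulnerable lookup's WHERE clause
    # into one that matches every row; the parameterized lookup matches none.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
    markup = "<b>not bold</b>"
    print(render_vulnerable(markup))
    print(render_safe(markup))
```

The point for defenders is that neither fix involves "validating" the input in the sense of rejecting it: the hardened versions keep the untrusted data and the trusted structure (the SQL statement, the HTML template) separated at the boundary where they meet, so the data cannot be reinterpreted as structure no matter what it contains.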

#4

How appropriate for Charlie. When Mr. Stross finally "ingests" Bitcoin, he'll understand the monumental error of deriding it.

That moment is coming for this prolific yet tragically misinformed author, and I can't wait to witness the cognitive dissonance when it does.


#5

Having just reread his criticisms of BitCoin to check, I don't see anything that he talked about here being something that would cause him to suddenly forget those flaws he listed.

I honestly don't see a tangible relationship between criticizing a very poorly designed crypto-currency and disapproving of the NSA's subterfuge.


#6

While your extended argument on the complexity of IT systems and why there will always be security holes is valid as far as it goes, the bit I quoted above doesn't follow from that. We know for a fact that the NSA spent billions of (taxpayer) dollars trying to undermine efforts to make IT systems more secure. This is indisputable at this point.

Is the NSA the only source of vulnerabilities in IT systems? No, of course not -- but I don't think anyone ever claimed it was. The NSA makes the problem worse by trying to ensure that vulnerabilities aren't fixed. You point out quite effectively why it's so difficult to patch these vulnerabilities even without a shadowy spy organization interfering with the process. I don't see how that can possibly be taken as a justification for the NSA making it even more difficult to do so.

Stross designed and coded web applications for years before he became a sci fi author; he does have some idea of what he's talking about.


#7

What?


#8

We should also note Stewart Brand's 1999 comment: the internet could "easily become the Legacy System from Hell that holds civilization hostage. The system doesn't really work, it can't be fixed, no one understands it, no one is in charge of it, it can't be lived without, and it gets worse every year."

(Quote from a comment in the article) I found this to be quite interesting and believable. Stross makes the point that he doesn't think we've got the juice to fix the errors before they're hardcoded into the very fabric of this thing that's making its way into everything we do and everywhere we go.

So next time my grandmother squawks about being around when cars or planes or TVs were developed--HA! Big deal Grams! What did you guys do with that shit? Get into some big stonkin wars and destroy the environment? You suck! You know what else?!? I'm watching porn right now on my glasses!
Then maybe I'll push her over for some LOLs.


#9

Is the NSA the only source of vulnerabilities in IT systems? No, of course not -- but I don't think anyone ever claimed it was.

The crux of so many false arguments. Trump up a misrepresentation of the views of others and then start a disingenuous, insulting tirade from there.


#10

Yeah, the NSA is like having some tupperware storage full of flies to neaten up body art instead of pretending at professional exams for people crossing customs with laptops including Win98 restore images and hustling companies for key escrow and (longhaul firms for) unwashed metadata...that encompasses data...in case their DBA is the least bit humid in the ears...let me work that illo. up. What?

There is such a thing as causality, even if what an official could be expected to do in the face of international collaboration and treaty (accosting all travelers, slaving them to ponder Freud in destiny before Proust...in Mandarin from Maine) compares piecewise poorly to Caligula the Senator's. Compliance performs excellently on what it is measured with.


#11

This topic was automatically closed after 5 days. New replies are no longer allowed.