Wednesday, March 08, 2017

Might As Well Be Burma-Shave Signs: The CIA Reads Everyone's Mail

     NSA was already reading everyone's mail -- and, perv-like, saving copies to reread later -- but they weren't sharing it with anyone (this, too, follows the behavior of a laundry-stealing perv; but I digress).  CIA was, it appears, miffed by this, and resolved to create their own cyberwar unit, only better, with dope and hookers.

     You will not be shocked to learn they succeeded.  If you've been following the news at all, you will also not be shocked to hear WikiLeaks* got a big old chunk of data about it, and is trickling it out, "redacted," they say, "to prevent the proliferation of cyber-warfare tools."  Or their source only supplied redacted material -- but that's just me being skeptical.  It doesn't matter: tell the global pool of hackers, crackers, white- gray- and black-hatted programmer-cowboys, that a vulnerability exists, and like really clever chimps at really powerful typewriters aping Shakespeare, they will find it -- and use it less than three minutes later.

     Let me tell you a little story about something I know (to his embarrassment) as "Stockman's Law:" years ago, decades back, when a computer on your desk talking to a howling acoustic-coupler modem and thence to powerful mainframes half a world away was a pretty new and shiny thing for most people, a talented young programmer and geek-of-all-work was assigned the job of coming up with a "bulletproof" way for his employer, a software company, to offer what we now know as "online support:" a way for you, the end user, to dial into a collection of user-experience reports, updates, and advice directly from the people who wrote the software.  It would be wonderful -- if it was unhackable.

     The young programmer -- and he was no slouch; he'd recently created a custom version of the computer language "C" for his employer, finishing only a little behind the release of "C+" -- took on this task with hope; after all, he'd got his start back when the clever students enjoyed finding new ways to crash the nearby university's big IBM mainframe, doing so in the dead of night, and showing the console operators how they'd done it so the vulnerability could be remedied!†

     He thought and he thought and everything he came up with -- had a hole in it.  Allow unrestricted public access to a computer, and people you don't want in it will get in.  Passwords are a trivial problem, given time.  Even air-gapping didn't work, especially if media traveled both directions across the air-gap.  Nope, the only way to be mostly safe was to run the support system on an isolated computer from which nothing ever, ever came back to his employer's network -- and that still left the users vulnerable, especially if the support machine was used to distribute software.

     The general rule he evolved was this: "If you want to keep a computer safe, you cannot allow any form of unrestricted access.  If it is accessible, people you don't want in will inevitably get in."  That's Stockman's Law: if your computer has to be secure, it can have no network connection, no removable media, no unvetted users, no nothing but a display and HIDs -- and even that can be defeated by a malicious authorized user. And then what good is it?‡

     So, put it together: CIA can read your mail (and apparently can't keep their methods secret.  Tsk, what would Wild Bill Donovan have thought?)  NSA can read your mail.  Wanna bet our dear pals at GCHQ etc., not to mention Eurasian Russian and Eastasian Red Chinese intelligence agencies can't?

     Okay, now here's the payoff: tell me what's the big deal about Mike Pence or Hillary Clinton using unsecured servers or public e-mail providers?  They might as well paint two sides of the Capitol building with blackboard paint and scrawl messages on it with chalk!  Hell, it might even be more secure, if their handwriting is lousy enough and their messages sufficiently in-group cryptic.§

     It was true forty years ago and it is even more true now: If you want to keep something secret, don't put it where people can get at it.  Don't put it on a computer.  Two people can keep a secret -- if one of them is dead.
_______________________________
* Depending on who you talk to and when, WikiLeaks and Julian Assange are brave heroes or tools of the Russians.  Me, I think a little of both, plus a lot of self-inflated bravado propped up by wanna-be idealists who feed 'em leads and data-dumps.  Does Uncle Vlad really run 'em?  I don't know -- but I'll bet they make him laugh. And somehow they never take a leak in his pool.

† Yes, that was what we did back then, and the better schools allowed it in order to get cooperation from the crashers in creating a fix.  The less-good ones simply had to endure it.  I say "we" but it was only barely me; I was a high-school student at the time, winning science fairs, getting free trips to good colleges, and indulging my insomnia.  You can pick up quite a lot that way, especially from antisocial boys eager to impress.

‡ This depends on what you need it to do.  At work, I run a number of critical systems on nearly-isolated or fully-isolated networks: the computers on them talk to one another and to several [REDACTED] devices, but not to the outside world.  Alas, one of the more critical has a dual-NICed machine for grabbing data it must regularly poll from elsewhere; this is firewalled six ways from Sunday but it's still a hole.

§ WE READ YOUR MAIL
    WITHOUT FAIL
    DON'T YOU WORRY
    DON'T YOU FRET
    WE'LL ONLY STRIKE
    IF YOU'RE A THREAT
    --Central Intelligence

3 comments:

Ken said...

I think the reason they don't take a leak in Uncle Vlad's pool is that polonium is a lousy way to die.

rickn8or said...

"I say "we" but it was only barely me; I was a high-school student at the time, winning science fairs, getting free trips to good colleges, and indulging my insomnia. You can pick up quite a lot that way, especially from antisocial boys eager to impress."

Okay, that's a pretty air-tight alibi... this time. :) I've said all along if the Russians were capable of doing all the spying they've been accused of, they're capable of doing it without leaving their fingerprints all over it.

"I think the reason they don't take a leak in Uncle Vlad's pool is that polonium is a lousy way to die."

One public example serves "Pour encourager les autres."

Borepatch said...

I'm not at all convinced that NSA wasn't sharing. There are all kinds of reasons to think that they were sharing quite a lot.