[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Sun Sep 8 19:50:33 UTC 2013

With regards to the $10 snake oil security product versus the real one
at $100: since the NSA can break both, they are both worth $0 in
terms of privacy.

From a business/corporate point of view, there are two aspects:

1- Image: If your weak security has allowed a data breach to become
public (such as TJ-Maxx) then you have damage to your image. But TJ-Maxx
has survived and the average person has forgotten about millions of credit
card numbers having been stolen from its databases.

If the NSA snoops on your systems to see what kind of underwear Osama
bin Laden buys and where he has them delivered, there is nothing your
company can do about it. Either you don't know it is happening and the NSA
will never make it public (no image problem), or you got a warrant and
were forced to do it (some image problem, but you can say your hands
were tied and shift blame to the NSA).

2- Real cost: if you're a bank, and someone intercepts a letter of
credit or payment transaction to find out how much a corporate customer
pays for widgets, that customer can sue you for breach of
security/confidentiality (since its competitors now know what deal it
has negotiated to buy those widgets). The lawsuit against the bank has
real costs (not only lawyers, but settlement as well). It becomes easier
to cost-justify security when you can put real costs on not having security.

So risk management is an important factor in both cases.

BUT, when you get to general public, the equation changes:

For the general public, a burglary is a good analogy. You can easily put
a value on the stolen TV set and replace it. But this isn't what happens
when the NSA spies on your private communications and you have no real
measurable damage.

The damage you get is akin to losing your family pictures, or the feeling
of having been violated because someone came into your home and rummaged
through all your personal stuff, and not knowing exactly what they will
do with your personal items and why they stole them. Putting a value on
this is next to impossible. Risk management becomes impossible, except
at the political level.

If the NSA intercepts private emails between a husband and his mistress,
the husband can't know if the NSA will ever use this against him. This
fear remains because the NSA might hold on to these emails for a long
time (or might not).

And at the political level, Obama made it clear in a recent speech that
he hopes this will blow over and that he will be able to convince
Americans that the NSA is doing good things. His political staffers
evaluated the risk that this might backfire and figured it wouldn't.
This has nothing to do with selection of technology to guard against the
NSA; it is all about political public opinion.

Here is what the politicians forget:
Because the economy is moving to the internet, losing trust in the
internet is akin to losing trust in the banking system.

I am not sure network operators have much of a choice. Sure, someone
like Bell Canada will hopefully review their no-peering policy in Canada
(forcing so much traffic to route via the USA), but for other networks there
isn't much they can do to prevent the NSA from accessing any/all data while
in transit.

What is really needed is for an intelligent debate by politicians on the
need to preserve trust in the internet and whether preventing a couple
of bombs is really worth the loss of trust and freedom due to
implementation of measures worse than what "1984" predicted.

Since intelligent debate by politicians is impossible, the other way to
change things is to seriously deprive any politician who supports
excessive spying by the NSA of any money and any chance of being re-elected.

Imagine the good publicity AT&T and/or Verizon would get if they were to
announce that they are ceasing all political contributions to any party
or individual politician who supports the indiscriminate data collection
done by the NSA.

And this might be enough to tilt the table and get politicians to start
to criticise the NSA and call for measures to limit its spying.

More information about the NANOG mailing list