Page 1 of 2 The NSA war on Internet integrity
By Peter Lee
The US government has taken a pretty decent open network idea - the Internet - and turned it into a security nightmare.
In one of life's many ironies, the US was forced to degrade the security functions and overall integrity of the Internet because the US Constitution, law, and public and techie opposition combined to impede legal US government surveillance access to communications over the Internet.
Instead of accepting these limits, the US government sought to evade them - by weakening the encryption and security regimes that are at the heart of secure Internet communications for businesses and innocent civilians, as well as for the usual
suspects invoked to justify subversion of Internet privacy: terrorists, criminals, and pedophiles.
The role of US IT corporations in crippling the security and privacy functions of the Internet is an awkward and relatively unexplored question.
So far, the most overt naming and shaming has taken place concerning cooperation of the IT bigs in the National Security Agency's PRISM program - which involved controlled, legally colored access to unencrypted materials on corporate servers. Under PRISM, the NSA apparently installed equipment at corporate sites to process government requests for unencrypted user data if it involved people that the NSA was "51%" sure weren't US persons.
Included in the Snowden documents was a slide showing the accession of the US IT heavyweights to the PRISM regime, starting with Microsoft in 2007 and including Yahoo!, Google, Facebook, Youtube, Skype, AOL, and Apple. PRISM looked something like exploitation of the CALEA (Communications Assistance for Law Enforcement Act) mandated backdoors in US telecommunications equipment, albeit with the disturbing realization that these backdoors could be exploited by anonymous NSA analysts without a FISA court order for a week and, when the free week was up, upon resort to the notoriously rubber-stamp FISA court (without the need to show probable cause as is the case when applying to get a warrant to spy on a US citizen).
The Washington Post's Bernard Gellman spoke of NSA efforts to suppress the names of the nine companies named on the PRISM slide:
Speaking at a Cato Institute conference on Wednesday, Gellman said The Washington Post has a practice of talking to the government before running stories that may impact national security. According to Gelman, there were "certain things" in the PRISM slides that they agreed raised legitimate security concerns. But, he said:
The thing that the government most wanted us to remove was the names of the nine companies. The argument, roughly speaking, was that we will lose cooperation from companies if you expose them in this way. And my reply was "that's why we are including them." Not in order to cause a certain result, or to get you to lose your cooperation but if the harm that you are describing consists of reputational or business damage to a company because the public doesn't like what it's doing or you're doing, that's the accountability we are supposed to be promoting.
Gellman believes that it's because the names were released that many of those technology companies started to be vocal advocates of greater transparency about the program. While they "previously had very little incentive to fight for disclosure because it wasn't their information that was being collected and there was no market pressure," he said, these companies "are now, because they are suffering business damage and reputational harm, pushing very hard in public debate and in lawsuits to disclose more about how the collection program works," which current FISA Court orders prohibit them from telling the public about. 
The NSA Nine, perhaps alerted to the upcoming PR firestorm, went public with defenses that sought to give a picture of limited, by-the-book, almost grudging cooperation. There was a lot of generous reporting about the struggles of Google, Facebook, Yahoo! et al to buck their NSA gag orders so they could reveal to an eager world how hard they have struggled to protect user privacy. Also, the PRISM revelations were explained and excused in the public media since they involved responses to FISA court warrants with specific, identified targets and, for that matter, were targeting "non-US persons", ie non-US citizens residing outside the United States.
What IT professionals found more disturbing than government backdoors into corporate servers, however, was Snowden's revelations of the NSA's war on encryption.
As I describe in an article in the upcoming print edition of Counterpunch, the NSA has aggressively acquired capabilities and resources in pursuit of its goal to crack encrypted e-mail, virtual private networks (VPNs), and mobile device communications.
Possible corporate collusion in the apparent NSA campaign to undermine the integrity of encryption and, for that matter, degrade the systemic security functionality of the Internet has received relatively little attention.
It can be speculated that some US IT corporations may have cooperated with the NSA in weakening security standards, installing backdoors, and botching implementation, perhaps with the idea that these were vulnerabilities that probably only the NSA could exploit.
Some of the most egregious NSA shenanigans have been in the arcane area of fiddling with the random number generators that lie at the heart of encryption. If the randomness is compromised incrementally, cracking becomes easier. And the more networked computers an attacker has, and the more messages are stored for analysis, the more important the reduced randomness of the encryption becomes.
It can be seen how US corporations might go along with the US government's machinations in this area; after all, the possibility of a non-NSA actor acquiring all those capabilities to exploit random number generator flaws seems vanishingly small.
At least up until now, there seems to be a code of techie omerta (and maybe the well-founded fear of a lawsuit) that precludes calling out IT bigs for climbing into bed with the NSA on the encryption issue.
In the issue of undermining cryptography, it would seem that a finger could be pointed at RSA Corp. RSA was founded by the three academics, Ron Ravist, Avi Shamir, and Leonard Adleman, who created the RSA algorithm at the heart of many encryption schemes (currently ensconced at MIT, Weizmann Institute, and USC, respectively, the three are apparently not involved in the running of the eponymous corporation).
RSA made it into the news by being forced to withdraw one of its products after September 2013 Snowden reporting let it be known that a random number generating scheme, DUAL EC EBRG, had been compromised during the standards-writing process by the NSA.
What made the RSA climbdown particularly damning was that 1) ever since 2007, DUAL EC EBRG had been recognized by the crypto community as flawed; 2) although its inclusion in encryption products sold to the US government as an option is mandated, no self-respecting crypto-expert ever deployed it as the default random number generator; 3) except RSA, which was was chock-a-block with top flight cryptographers who presumably knew better.
A recent edition of National Public Radio's Science Friday program featured Philip Zimmerman, the father of PGP public key encryption (which provoked the all-out NSA war on encrypted communications), Stanford crypto authority Martin Hellman, and Matthew Green, the Johns Hopkins professor who was in the news after his university pressed him to delete a blog post about the crypto wars.
Host Ira Flatow asked Philip Zimmerman why RSA would have done such a thing. There was a long, awkward silence and some awkward laughter before Zimmerman slid into the passive voice/third person zone:
ZIMMERMAN: And yet RSA did a security - did use it as their default random number generator. And they do have competent cryptographers working there. So.
FLATOW: How do you explain that?
ZIMMERMAN: Well, I'm not going to - I think I'd rather not be the one to say.
FLATOW: But if someone else were to say it, what would they say?
ZIMMERMAN: Well, someone else might say that maybe they were incentivized. 
RSA is also responsible for another eminently crackable encryption standard, RC4.
The flagship RSA algorithm also has an unfortunate feature in its implementation in the Secure Socket Layer encryption at the heart of e-commerce and mobile device connections (to ensure privacy when connecting via a public WiFi hotspot). The encryption key used on the server side (ie the servers at Amazon, Visa, your bank, etc.) doesn't change.
Which means if someone stores the encrypted communications (presumably a capability that only the NSA has, thanks to its privileged position on the Internet backbones) and acquires the server side key (something that the NSA is apparently extremely aggressive about), the traffic can eventually be decoded and read.
Nevertheless, nobody has expressed an interest in getting in RSA's face for its possible role in implementing the NSA's weak encryption strategy or, for that matter, exploring Google's, Cisco's, Microsoft's, or Facebook's possible roles in enabling the NSA's acquisition of encryption keys.
This is despite - or because of - the fact that these are publicly traded corporations with vulnerable market capitalizations and accountable to their boards and stockholders and therefore compelled to engage with the media - unlike the NSA.
The collusion between industry and government which, I suspect, may lie at the heart of the NSA revelations, can only be defended if the NSA can claim to control the "resources and methods" and thereby provide legal and moral cover to the IT corporations that justify their cooperation with the thought that only the NSA can crack these systems with these tools, so it's OK.
Well, it's probably not OK.
Edward Snowden walked out the door with the keys to the kingdom. He's not revealing all the keys. But somebody else might.