I want to ask you the question. If Target announced that it was having a 50% off sale today and you could only use your credit card but they assured you that you could not get hacked, would you do it? My guess is no. Simply speaking, they have lost your trust in their ability to protect you.
Recently it was discovered that a line of routers coming from China had a backdoor that would allow somebody to hack into them. This isn’t the first time we’ve seen something like this coming out of China. If you were offered one of these routers, how comfortable would you be in using it? I think the answer is the same as before, they’ve lost your trust. You’re not going to use the router. With everything you’ve heard about state sponsored hackers from China, it’s doubtful you’ll trust anything coming out of China.
Before we get too deep into this, I want to say I’m not a security professional. This post is about trust, not security. My total knowledge of encryption and associated security comes from Udacity’s class on cryptography. I highly recommend the course if you’re interested in such things.
RSA was one of the big names when it came to encryption software and protocols. I say was because I think they just became the Target of encryption. It was recently revealed that they had taken $10 million to promote a flawed method for finding prime numbers that were used to generate security keys. They knew at the time that the method was flawed and their customer knew it was flawed. We can only assume their customer was promoting this method because it improved their ability to decrypt messages encrypted using this method.
I don’t even pretend to understand exactly how the prime numbers fit into security key generation. What I did learn is that is you don’t use a prime number you end up with multiple possible keys to decrypt your message. Instead of the one key you expected, there may be thousands of correct solutions to decrypt your message.
You won’t be surprised to learn that their customer was our NSA. Take a moment to think what this means. Are you going to trust RSA to come up with their latest encryption scheme? Is anybody going to trust RSA for their encryption needs in the future?
NSA was able to buy RSA’s cooperation in promoting and using a seriously flawed algorithm. That’s why I say they’ve become the Target of the security community. The community no longer trusts them. I don’t know if either company will survive their reputation. But the damage done is far worse. Just like you are wondering just who you can trust with your credit card, who is to say that NSA has not done this with a number of other companies that we trusted to provide security.
I know that the standard response to the spying done by NSA is that only the guilty have a reason to be concerned. I’m always amazed at how little thought goes into that response. By that logic, a high school football coach developing a playbook for his team is practically a master criminal.
There is nothing on my computer to suggest that I am planning to take over a third world country but I don’t feel comfortable with some government official reading the fiction that I write and wondering what kind of adolescent mind dreams up this tripe or worse, thinking I really am planning the siege of a nearby medieval town.
Of course, we all know from television that government employees are very selfless people who would never use their position for personal entertainment. It’s only a few of them that decide to become master criminals. OK, television may not be an exact reflection of reality but just like in the general population, there are bound to be a few bad apples working for the government. I’m not even including our Congressmen.
And we’re back to trust again. I don’t trust our government not to take some of my writing and post it as an example of the ten worst uses of commas and our government doesn’t seem to trust me not to attempt the siege of a nearby town.
It gets worse though. Now any company thinking of doing business with a US company has to worry about the possibility that the NSA will be spying on them. Already the international community is eying our ability to monitor our servers with distrust. If you are a US based cloud provider your business is already suffering. If you are a US based technology provider your business is at risk. How can somebody trust you to protect their information when your government is actively trying to weaken your ability to protect that data?
How much do you trust products coming from China now that you know their products have backdoors into your computer? How much can you trust US products?
© 2014 – 2019, Byron Seastrunk. All rights reserved.