Sunday, February 22, 2015

Superfish, Snooping, Snowden: threads in the same rope.

Note: I've been meaning to get back to blogging; my intent was to do that by blogging about code-review tricks for client acceptance testing of projects written in dynamic languages.  But instead, it is InfoSec politics that brings me back (disillusioning, but not surprising).

Image credit:
Flickr user Imamon via Wikimedia Commons
The Edward Snowden documentary just won an Oscar; the Superfish snafu at Lenovo hit the fan; all within a week.  Here, there is reasonable juxtaposition beyond coincidence.  Both contexts reflect an unspoken asymmetry of power that threatens the autonomy of people to truly self-govern.

There are sensible common threads between Snowden's motives disclosing American and British security (NSA/GCHQ) overreach and the recent controversy over spyware known as "Superfish".  These threads weave with others in the hangman's rope around the neck of our democracy.

Superfish, as used by Lenovo, installed a devilish man-in-the-middle (MITM) attack vector on many thousands of PCs from the factory.  This eliminates all real encryption safety for many unsuspecting victims doing normal everyday things like email and online banking.  Superfish means is that Lenovo PC users on any network could have even lame script kiddies sitting near you at Starbucks stealing your bank credentials.  That wasn't by design, but the people who created this are not exactly NSA-stealthy™ (to be fair, there are US-based firewall vendors who also promote TLS MITM features hijacking PCs inside an organization -- slimy but usually legal).

Superfish was originally designed to help multi-national corporations spy on you the consumer.  Both Lenovo and the Superfish authors even tried something a line suggesting euphemistically that "getting spied on is good for you" (before Lenovo back-peddled after the US Department of Homeland Security warned Lenovo users about this).

Snowden's critique of the US/UK security apparatus great overreach and the InfoSec community's reaction to Superfish are similar in this way: we do and should react with deep suspicion to large and powerful organizations spying on us, without any accountability, with paternalistic defense. 

When these organizations are corporate, we can use the market to show our disgust.  If the power asymmetry in the market prevents effective resolution, we often have tort law and statutory protections to fall back on.  This is grease for a working free market, even one where the vast majority of consumers are ill-informed and out-gunned when it comes to their own information security and safety online.  And in a civic sense, we should have similar (or better) checks and balances for institutions of government spying on their own citizens (directly, indirectly, or in some fuzzy gray area).  The problem is that there has been no effective oversight on either need, constitutionality, or effectiveness of many of the NSA programs.

And we have a FISA court unilaterally appointed by John Roberts, not a singing vote of confidence that the FISA courts alone are sufficient oversight.  Perhaps such worry about oversight would be academic, but in "real life" we have seen abuse: by DOJ of secrets doctrine in civil cases where it is clearly unwarranted; we have seen journalists (like Laura Poitras) harassed in the course of their Constitutionally-protected public service for years.

Some of what Snowden did could be brought into question in terms of necessity or effectiveness.  But we needed Snowden.  Our political machine had no actions or discourse of substance after Binney or Klein revelations.  The reason we needed Snowden's "punch to the gut" was precisely the absence of accountability to the public.  We also understand there are correlations between spying and censorship, both by observing nation-states elsewhere engaged in both, and by looking reflexively on our sense of freedom.

The British people needed Snowden to head off the repeating specter of the Snooper's Charter (and we Americans should be wary of how cozy Obama has been to Mr. Cameron on this specific matter after Charlie Hebdo attacks, keeping James Comey's attacks on smartphone encryption in mind).  Let's not let ignorant politicians outlaw effective encryption (as if that really could work, hah!); we need more (and, long-story, more effective) encryption -- not less.

Already having the context of Citizens United, one-billion dollars of dirty money from powerful interests already buying pieces of the 2016 election -- we should have this sense that powerful interests have eroded some semblance of our democracy.  Do we let the MNCs and APTs / TLAs (state-spy-agencies) spy on us without impunity, oversight, recourse, and inclusive discussion? 

Are we resigned in all of these contexts to letting the powerful treat democracy like cattle for slaughter?  If so, we might as well throw in the towel on democracy and embrace the notion that We the People can no longer be the "popular" in popular sovereignty: we are, online and IRL, totally freakin' 0wn3d.