Every year, between Christmas and New Year, there is a hacker conference called the Chaos Communication Congress. I went twice, when it was still in Berlin (it is now in Hamburg), and it was always interesting. One important topic of the conference is computer security, with various teams showing weaknesses in the systems around us. The general situation has always been bleak: as computer security is generally not a priority, software and devices are full of bugs that can be exploited.
The highlight of the 2013 edition of the conference was certainly the presentation by Jacob Appelbaum giving an overview of the various tools and techniques deployed by the NSA to monitor basically everybody. The same information was published by Der Spiegel. The underlying theme is that hacking, which in the mythological days was the realm of the lone hacker, was taken over first by criminals and now by the military, be it the NSA or its equivalent in various other countries: China, Malaysia or Ethiopia. All these organisations use complete hacking suites that attack not only the victim but also the network infrastructure and anyone around them: the computer equivalent of carpet bombing. The situation is not bleak anymore, it is bad.
The NSA infrastructure is also meant to monitor the communications of every person, regardless of citizenship or legal status: everybody is a suspect and computer algorithms are the judges. Of course, the system is not only used for thwarting terrorists, but also for spying on US allies (Angela Merkel's phone was hacked and used to spy on her), and those who remember Echelon will agree that the new NSA system is probably also used for industrial espionage, like the old one was.
People tend to react to news of surveillance programs by claiming that they are not interesting enough to monitor; they fail to see that with the economies of scale that can be achieved, they can be hacked and monitored for a few cents. At that price, everybody is interesting. Remember that most web services are so cheap they can be paid for using ads. Also, these computer systems are based on the guilt-by-association paradigm, so if you were ever somehow in contact with somebody interesting (Muslim, activist, IT student, etc.), you are interesting. If you read this blog, you were in contact with data from a high-profile target, so you probably became interesting. Sorry about that.
Traditionally, the CCC has had little direct impact outside of the computer security world; this year was a bit different. The leaked NSA slides show that they have access to manufacturer-specific weaknesses, either because those manufacturers did a sloppy job, or because they cooperated and added them. This forced those companies to respond to the claims, generally to say that they did not cooperate with the NSA (except through their own incompetence), and to state that these methods are akin to criminal hacking.
Coming from US companies, those denials do not mean that much, as they could well be under some legal order to lie. Still, it is interesting to see an organisation that is supposed to protect US interests forcing top US companies to basically fall on their swords, damaging their reputations.
What will happen this year? The problem seems to have gotten too big to ignore: the NSA found all these juicy weaknesses and did not have them fixed, so there will be a rush to find them, in the good case by security researchers, in the bad case by criminal organisations or corporations that sell espionage kits. Depending on who finds them first, this means either a PR nightmare or massive hacking, not a good prospect in either case.
So I suspect two things will happen: first, the PR offensive of various IT corporations will increase; second, they will quietly beef up security. This will probably be very discreet, maybe increased bug reward programs. It would also probably mean that new releases slow down – designing secure systems is hard – but I can live with that.