If you've been paying more than a gnat's hair's width of attention to All Things Internet in the past year or so, you'll know that the US and the UK have been spending the odd spare billion of taxpayers' hard-earned on a programme of indiscriminate surveillance of everything you, I and the dog do on-line.

(This is fine of course. I've nothing to hide. You're welcome to pop round and put a microphone in my toilet and a webcam in my bedroom — though I may demand the right to fit the same gear in your house first... That ok? And I reserve the right to point out that a couple of hundred thousand people have the same access to all your data that Edward Snowden had shortly before he walked out of a US government building in Hawaii with several gigabytes of leak. If he can do it, how many others? And do you trust them all? You do? Great! Now, please email your credit card numbers and a selection of explicit selfies to me. It's for your own good, honest.)

To cut a rapidly lengthening story down to something of vaguely manageable proportions, I confess that I'm a wee bit of a nerd, both by trade and inclination, and I've taken more than a passing interest in the various vulnerabilities that we're all subject to as soon as we pick up a phone or pop the lid of a laptop or fondle the touchscreen of a tablet or the like. There are a couple of very straightforward things we can do to protect ourselves which I'll rehearse before coming back to the headline horror.

First, anything that isn't open source must now be assumed to be compromised, by definition. Everything else (Microsoft Windows, Apple iOS, Google's Android services) is subject to this scenario:

Man (almost always) in dark suit knocks on door of software corp. Sincere and nice person answers. "Yes?"

"Sign here: I promise to open all my data to The Secret Policeman whenever he so desires or spend the rest of my natural life behind bars. And I promise not to tell anyone."

And off they go, hand in hand (willing or otherwise) to stuff a bunch of back door tricks into the products of said software corp so that Mr. Pervy Spy and his mates can get their fill of other people's naughtiness in service of whatever monstrous threat they claim to be saving us from this week. (Yes, Annoyed of Kansas, there are monstrous threats out there; but if your spooks are really saving you from them then why does no one have any evidence that snarfing all your data actually helps one iota? Data mining won't make you safer, though it may give a bunch of bored young spies aching wrists.)

This scenario has happened and is documented, straight from the horse's mouth as it were, in the NSA and GCHQ documents which Snowden heroically released to the world last year. So: any software you use that is closed source is in principle insecure.

Bummer.

For nerds like me, though, this wasn't really news — we already knew that closed source was A Bad Thing and have smugly enjoyed our schadenfreude in larger than usual quantities in recent times. We use open source software, and we therefore know that even when security holes are present they get discovered pretty quickly and, more to the point, fixed. Mr. Nasty Spook and his friends have a much harder time of it with open source.

Second thing: be careful which websites you use, make sure you use HTTPS when plugging in your credit card etc., secure your filespace with strong encryption, and use strong passwords (and lots of them). Ok, that's more than one thing. The point is that some basic hygiene goes a long way: the amount of resource that the spies need to deploy to steal all my data is vastly higher than that of my neighbour who's locked into a closed-source world and sets all their passwords to 123. Cue more schadenfreude for the nerds.

But it turns out that I'd missed a significant hole in this picture, to do with the way that HTTP works. HTTP, the hypertext transfer protocol, defines how web servers and their clients exchange data to deliver web pages to your browser (or phone app or etc.). HTTP is an unsecured protocol, and should never be used to transfer passwords or other sensitive data. For the latter we have HTTPS (HTTP Secure), which uses public key encryption to hide transactions from prying eyes.

Most of the time this works very well — we serve ordinary data (like this page) on HTTP (there's nothing to steal here) and sensitive data (like login pages or payment sites) over HTTPS. Unfortunately, there's one particular case where even viewing an otherwise innocuous page over HTTP can be dangerous, and that's when a powerful and unaccountable organisation (think NSA, GCHQ or your local equivalent) has access to the exchanges and ISPs that sit between you and the rest of the web. If you spend a lot of money on intercept and rewrite hardware, you can replace innocuous content in any HTTP stream with worms, viruses or used toilet paper. (Ok, I made the last bit up.)

The attack depends on the existence of weaknesses in the client browser, but given that said unaccountable agency has probably spread those liberally around your device of choice, that's not too much of a stretch.

Let's put this in simpler terms: no normal web connection over the original (and still very widespread) hypertext protocol is safe. Period.

That's quite surprising and irritating in and of itself, and if you're a computer engineer like me it is quite like finding someone slopping raw extrement around in a food factory: bloody irresponsible! (Please imagine a nerdy person foaming at the mouth and bouncing up and down at this point.)

But there's more! Worse! It turns out that there's actually a multi-million market in the hardware to pull this kind of invasive trick, and companies exist whose main business is selling man-in-the-middle hardware to be situated in IPXs and infect our computers, phones and tablets while we watch cat videos and the like.

Hey you! You're a suspect in a hypothetical crime — and we're crapping all over your computer just in case we might one day prove it! And while we're at it our friends down the road at Black Hat Computer Corp. are going to make a fortune or two in profits selling the hardware to taxpayer-funded agencies! (But we don't have the money to fund the health service, unfortunately.)

Morgan Marquis-Boire of the University of Toronto puts it like this:

While the scope of the NSA’s system may have surprised many in the public, it has been generally assumed that the best funded spy agency in the world would possess advanced capability. What is perhaps more surprising is that this capability is being developed by Western vendors for sale on the commercial market. CitizenLab.org

This means that anyone can buy hostile injection technology on the open market. Aside from governmental spying, any individual wealthy enough to buy an ISP is free to use the same technology to infect their customer machines at will.

I already thought the NSA, Five Eyes and the like were a poisonous canker on the body politic, but turns out that it's worse than I thought. So: we're now moving all our *.gate.ac.uk websites over to HTTPS (and if you run a webserver I suggest you do the same). Also consider using the HTTPS Everywhere browser plugin.

RIP HTTP.

This has been a public information broadcast.


Comments

comments powered by Disqus
comments powered by Disqus