Who needs the NSA? FLOSS is bad enough.

Here’s a half-hour talk (with 15min of Q&A at the end) from FOSDEM 2014, an open-source software conference held annually in Brussels. But I know you won’t watch it, so here’s the summary.

NSA operation ORCHESTRA has had a successful first year of operation. With a budget of $1B, and breaking no laws (or even using FISA courts or other questionable methods), they have successfully:

  • kept the majority of Internet traffic unencrypted, so that it can be read by anyone
  • centralized previously-decentralized technologies (e.g. Skype) under companies friendly to the NSA (e.g. Microsoft)
  • created a system of finances that encourages outside influences on proprietary software and transparent bribery
  • created a system of patent expectations that allows companies friendly to the NSA to squelch smaller players that might create disruptive technologies
  • encouraged poor community policies and practices in Open Source projects to help derail useful work through arguments about licenses, naming conventions, and bikeshedding

The joke is that ORCHESTRA doesn’t exist (as far as we know). The software community has been doing this by itself, without encouragement or aid, for years.

“kept the majority of Internet traffic unencrypted, so that it can be read by anyone”

Internet traffic is unencrypted largely because it is expensive to encrypt things. Well, this isn’t true, as one could always self-sign a certificate for one’s webserver and then be able to guarantee that the number of parties in the session does not change in the middle of your transaction. This doesn’t happen because a browser connecting to unencrypted sites displays no warning. But a browser connecting to a site with a self-signed certificate shows a big nastygram that is difficult to understand, let alone bypass.

Emails are unencrypted because using encryption software on email is difficult, not interoperable, and ceases to work as soon as you want to send email to someone who isn’t capable of decrypting your message. In short: if Amazon can’t encrypt their shipping notification when they send it to you, then it won’t work.

Generic traffic is unencrypted or badly-encrypted (which is, in some cases, worse) because encryption is hard, and the premier tool for using it, OpenSSL, is so poorly documented and has such awful default settings that you’re as likely to encrypt your cat as you are your chat.

(This is where Mozilla could step up with its Mozilla Open Source Support program and offer cash incentives to improve the software and documentation and fund needed audits of the codebase.)

“centralized previously-decentralized technologies (e.g. Skype) under companies friendly to the NSA (e.g. Microsoft)”

Skype, once bought by Microsoft, centralized its encrypted communications under Microsoft’s servers. This aided in the directory service and NAT-busting parts of the protocol, sure, but also provided a single target for subpoenas and other court orders.

As Apple is helping make the public aware, it is beginning to seem as though the safest course is to code things so that even the dev can’t read them.

“created a system of finances that encourages outside influences on proprietary software and transparent bribery”

The entire system of Venture Capitalism is rife with abuse and corruption. That funding isn’t coming from the NSA is incidental as VCs come in and drop $10k on a startup in exchange for influence and a piece of the pie. If your funding is coming from someone who thinks you should pivot away from usable crypto, you aren’t going to argue with the paycheque.

Also, if you are the NSA and need an easy way to pay an informant, you can say to her “Tell your boss you quit to form a startup. We’ll set you up in the Valley with $1M in investment. Just surf the web for a year or two.” Easy rewards, perfectly legal.

“created a system of patent expectations that allows companies friendly to the NSA to squelch smaller players that might create disruptive technologies”

Software patents in the United States are an easy tool for larger companies to prey on smaller ones. If you are a small company that patents something that amazingly doesn’t infringe on other patents, a large company, friendly to the NSA, can scoop them up and squelch the startup in a fit of managerial pique. If the patent does infringe on a friend-of-the-NSA’s patents, the small company is squished under the lawyers’ boots.

“encouraged poor community policies and practices in Open Source projects to help derail useful work through arguments about licenses, naming conventions, and bikeshedding”

Here’s the kicker for Mozilla and others trying to make a difference in the Open Source space.

The NSA doesn’t need agents provocateurs to derail conversations. Well-meaning contributors do that all the time.

The GCHQ don’t need to distract us with fights about licensing or superficial changes. Users do that all the time.

CSIS agents aren’t sowing doubt about what is better to stop us from doing what is good. Our own internal voices shout quite loudly enough.

…so, what do we do? Well, a good start for those of us in Open Source communities is to think before we type. Bikeshedding slows us down, but software quality is an imperative. Licensing just doesn’t matter as much as you think it does and is as personal a choice as one’s toenail polish colour.

The next step is to realize that these are generally not technological problems. They are political. They are social. They are human. Developers and technical managers and architects might be some of the best people to understand these problems, but not the best people to solve them.

We need outside help. We need politicians who agree to be helped to understand these complex issues and take action. We need community managers who understand the needs of the project and the needs of humans and how to step between or step away. We need each individual to actively and sincerely stop sucking at talking to others because the harm we’re doing reaches beyond the mailing list and affects users.

We have seen the enemy, and it is us. It is also them. But we can fix “us” so that we are able to fight “them”. I think.

:chutten

 
