Goodbye, Encryption; Hello, FOSS

Few would deny that the world has changed since the National Security Agency’s PRISM surveillance program was revealed, and not for the better.

Here in the Linux blogosphere, FOSS fans have been mulling the implications ever since the unsettling news broke back in June, but just recently things have taken on an even darker cast.

Turns out not even encryption techniques can hold the NSA at bay, at least in general, leaving users of without much to defend them.

Now, vulnerability is — or should be — a familiar feeling to users of Windows, in particular. For those of us in Linux land, however, it comes as something of a shock. No wonder Slashdot blogger deepdive recently sought some clarification.

‘Can One Still Sleep Soundly’?

“I have a basic question: What is the privacy/security health of the Linux kernel (and indeed other FOSS OSes) given all the recent stories about the NSA going in and deliberately subverting various parts of the privacy/security sub-systems?” deepdive wrote.

“Basically, can one still sleep soundly thinking that the most recent latest/greatest Ubuntu/OpenSUSE/what-have-you distro she/he downloaded is still pretty safe?” deepdive added.

Translation: Are we still relatively safe on Linux, or has the NSA blown that advantage away? Does Linux still stand tall on security?

Linux bloggers have had no shortage of opinions to share.

‘The Benefit of Many Eyes’

“That begs the question, did Linux ever stand tall on security?” offered Hyperlogos blogger Martin Espinoza, for example. “I’d argue that only OpenBSD really makes it the leading priority, but I’ll still take Linux over anything closed source any day, and Linux definitely has the benefit of many eyes.”

Indeed, the NSA has not cracked good crypto; what it has done is inserted backdoors and such in closed software,” Google+ blogger Kevin O’Brien pointed out. “The key word here is ‘closed.’ That makes Linux even more important since anyone can view the code.

“I think that more people will be moving to Linux once this becomes clear,” O’Brien added.

To wit: “I am sure the code makers are doing their best to revise the code and improve it — I can’t say anything like this for any other OS,” agreed Google+ blogger Gonzalo Velasco C.

‘Move Into a Shack in the Woods’

“You have to give them credit: The NSA has put a lot of work into spying on us night and day,” began Linux Rants blogger Mike Stone. “If you want to be completely sure you’re not being spied on, sell everything you own and move into a shack in the woods with a heavy canopy, because they’re monitoring you if you don’t. If you’re not willing to go to that extreme, then you may have to just settle for reducing their field of view.”

Using a secure VPN and TOR will help, “but only if you’re not using an operating system that’s spying on you before your traffic even leaves your router,” Stone suggested. “It’s ‘known’ that Microsoft has worked with government agencies to circumvent their own encryption, so if you’re using a Microsoft operating system, you have no expectation of privacy. Microsoft will sell you out at the drop of a hat.”

As for Apple, “the NSA has mocked Apple customers and even referred to Steve Jobs as ‘Big Brother,'” he pointed out. “Even if both companies deny it to the ends of the Earth, how can you know for certain? The fact is, you can’t. That’s why open source is your best option.”

It’s “infinitely more difficult to hide your spy code when the code is open for everybody to read,” Stone said.

“You still have to be diligent about what you use,” he concluded. “If you want to be as sure as you can, I’d suggest the LFS Project, but many other Linux distributions can get you close. You may want to avoid the ones based in the United States, though.”

‘I Think We Are Doomed’

Chris Travers, a blogger who works on the LedgerSMB project, took a similar view.

“On one hand, for now, I think we are doomed to a lack of privacy in things like email,” Travers told Linux Girl. “There is too much information that is necessarily disclosed when emails are sent; same with social networking sites and the rest.”

In the NSA era, however, “open source and auditable systems are more important than ever,” Travers opined. “If we are to regain some semblance of privacy, we will not only need protocols designed to thwart these efforts, but we will need systems we can audit to ensure they haven’t been heavily compromised.

“This means that open source operating systems like Linux, BSD and so forth will be necessary for any environment that users wish to trust,” he concluded.

‘We’ll Have to Be Extra Careful’

The NSA has contributed a lot to the Linux kernel, such as through SELinux, Google+ blogger Alessandro Ebersol pointed out, “so, yes, I’m afraid they have put a hole in our beloved OS.

“Sure, when the community can watch and examine the code, it is always better, and even a needle can be spotted,” Ebersol added.

Windows, on the other hand, “phones home every week and spits its guts out to that company (and NSA),” he said.

“Oh well, we’ll have to be extra careful now and watch the logs closely,” Ebersol concluded.

‘Avoid Services Based in the US or UK’

“I really think people are overreacting, or rather reacting in the wrong way,” consultant and Slashdot blogger Gerhard Mack opined. “Everything we know tells us that the NSA works around encryption by demanding the information directly from service providers or finding a way to get their hands on the encryption key.

“The only person really saying otherwise is John Gilmore, but most of his arguments are that the IPSEC standard is terrible (nothing new), but there is no actual proof the NSA was behind it behind a bad standard or that they even needed to sabotage it in the first place,” Mack told Linux Girl. “His whining about NULL encryption was misplaced, since SSL has it too and any halfway-competent admin will disable weak ciphers.”

Meanwhile, “if the NSA did backdoor Linux, an expert from a nonaligned country would notice and take action,” he said. “It’s highly unlikely that a given conspiracy would include Russian and Chinese programmers as well.”

Bottom line? “If you are really worried about the NSA, the solution isn’t to avoid Linux, it’s to avoid hosting or using services based in the U.S. or the UK.”

‘The Human Element’

In fact, “Linux remains as secure as it ever was, which is to say that the security of any operating platform ultimately rests in the hands of the end user and his or her habits,” Google+ blogger Brett Legree pointed out. “Similarly, your privacy is dictated by your own habits and the habits of those with whom you share any and all information, be it verbally, in print, or by any digital means.”

The weakest link, in other words, “remains the human element,” he suggested.

“So, while Linux may continue to offer advantages for some people to assist with security and privacy, it is not a panacea,” Legree concluded.

‘How Many Have Done a Code Audit?’

“The weakest link is always the USER, not the OS!” Slashdot blogger hairyfeet told Linux Girl.

“For years Linux has had a false sense of security, mainly because of the ‘many eyes make bugs shallow’ myth, which a little common sense will invalidate easily,” hairyfeet suggested.

“Seriously, show of hands: How many have done a code audit of LibreOffice? Firefox? Chromium? The networking stack?” he asked. “Heck, how many here have done an extensive code audit on those bazillion little programs like screensavers and widgets and weather apps that always end up being packed into most desktop distros?

“I bet if we looked at all the distros and found what the 100 most common programs are and then look at how many of them have their source downloaded, not audited, just downloaded, with every release you MIGHT have 10 out of 100 — MAYBE,” hairyfeet predicted.

Meanwhile, “how do you think the NSA would get backdoors in?” he added. “What volunteer project is gonna turn down a great coder with years of exp that is willing to work for free and writes great code?”

At the end of the day, “it would be no harder for the NSA to stick a backdoor in Linux than it would be for any other OS, as having source doesn’t magically make the bad guys go away nor does it qualify Joe average programmer to do a security audit of the entire Linux OS, which just FYI, thanks to the insane release schedules, I seriously doubt you’d even get halfway through a single code audit before what you were auditing had been replaced by 3 new versions!” hairyfeet concluded.

‘The Government May Get a Message’

Last but not least, “the NSA problem is bigger than */Linux,” Robert Pogson suggested.

“The NSA probably has ways to tap into communications on the Web right in the chips of our Ethernet and Wifi ports, routers and almost any Web or cloud services,” Pogson explained. “There isn’t much */Linux or FLOSS can do about such corruption of the infrastructure of the Web except to pull the plug or set up a FLOSSWeb vertically integrated from ARMed chips and RAM to a private network for the non-USAian world.

“I don’t see that as feasible, but it just might be possible for the world to shun the USA and keep it offthe Internet until human rights are respected globally by the USA,” he added. “We aren’t anywhere close to that, but already I and many others are doing our best to use as little of the Web controlled by USA as possible.”

In short, “if enough of us shun U.S. businesses to affect the GDP,” Pogson concluded, “the government of the USA may get a message from its lobbyists from big business.”