What NSA sabotage does to security

Princeton computer science professor Ed Felten has an excellent explanation of what it means for security to have the NSA actively sabotaging cryptographic standards and tools. As he points out, the least secure situation is to believe that you are secure when you are not — a car without brakes can be driven slowly and cautiously, if you know the brakes are shot. But if you don't know the brakes are out, you're likely to discover the fact the hard way.

In security, the worst case—the thing you most want to avoid—is thinking you are secure when you're not. And that's exactly what the NSA seems to be trying to perpetuate.

Suppose you're driving a car that has no brakes. If you know you have no brakes, then you can drive very slowly, or just get out and walk. What is deadly is thinking you have the ability to stop, until you stomp on the brake pedal and nothing happens. It's the same way with security: if you know your communications aren't secure, you can be careful about what you say; but if you think mistakenly that you're safe, you're sure to get in trouble.

So the problem is not (only) that we're unsafe. It's that "the N.S.A. wants to keep it that way." The NSA wants to make sure we remain vulnerable.

NSA Apparently Undermining Standards, Security, Confidence

(Image: Adjustments, a Creative Commons Attribution (2.0) image from greeblie's photostream)