In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects, gave the closing keynote at the Free and Open Source Software Developers' European Meeting (FOSDEM) in Brussels, Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.
Kamp's fictional spy program supposes a budget of about a billion dollars a year, spent not on breaking cryptography but on nudging venture capitalists, free software contributors, engineers and businesses into conduct that riddles the Internet's core protocols and their implementations with exploitable security vulnerabilities.
The point, of course, is that the NSA doesn't need to run ORCHESTRA to get this to happen: it's the status quo. The perverse incentives of the business world and the methodological gaps in free/open source software create this situation all on their own, with no conspiracy needed.
But the fact that no one conspires to make this happen doesn't mean that no one exploits it. In the two years since Kamp's talk, we've seen crashes, exploits, leaks and breaches that grew out of exactly the situations he described, and we're still in the early days of the exploited Internet. What's worse is that we're building the Internet of Things on top of that broken infrastructure, and the structural, economic and social forces that produced it leave no one in a position to fix it.
It's an important and entertainingly presented talk that still resonates two years later; you could give it today with updated examples. I'd love to see Kamp make an annual series out of it, reporting on the last year's progress by ORCHESTRA.
It's a reminder of how helpless we are as a society at addressing crises that have no intentional actors behind them (and how hard we'll work to prevent relatively minor problems that are deliberately caused). Climate change, which has killed and will kill orders of magnitude more people than terrorism, is a shrug-and-accept fact of life; terrorism (which isn't really any more showy and mediagenic than tsunamis, when you stop and think about it) dominates the news cycle at drumpfian scale. Traffic fatalities, which kill the shit out of people in the richest, safest countries in the world, are a distant worry, but the comparatively minute number of terrorism fatalities turns the knob up to 11.
In the realm of information security, the North Korean hack of Sony makes everyone sit up and take notice, and hysterical warnings about a Cyber Pearl Harbor grab headlines, but the lack of a budget to audit OpenSSL, the use of the CFAA and DMCA to frighten security researchers into silence about showstopper vulns, and the commercial practices of venture-backed IoT vendors whose data handling is like something out of a French farce are just part of the background noise.
(TOP SECRET/COMINT) NSA's operation ORCHESTRA has been a resounding success again this year. This year's status report will update decision makers and programme liaisons on the goals, achievements and means of ORCHESTRA. This is the NATO headquarters, right? Cool! No, no, I was just surprised that nobody was in uniform today, but I guess it's the weekend, eh? That's so cool; I wish we were allowed to do that too. It's quite a crowd, isn't it? I had no idea you had so many people with COMINT clearance over here... Amazing, really. Anyway, let's get started, shall we?
(TOP SECRET/COMINT) [Slides/Freebsd]