3. Backdoors everywhere seem highly unlikely
I'm not so sure about all those NSA backdoors claimed to exist. In one of Bruce Schneier's most recent articles, he states:
"My guess is that most encryption products from large U.S. companies have NSA-friendly backdoors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors."
Bruce has long been a hero to me. I consider him one of my foremost teachers, and I'm better at what I do because I pay attention to what he writes and thinks. But his supposition that "most" encryption products have backdoors is utter, unsubstantiated speculation.
I believe a few might, but "most" strains credibility. I haven't known or talked to one person who has confirmed the existence of an intentionally built, hidden backdoor for use by the NSA or any other spy agency. This rumor has circulated for decades and I don't believe it. Some recent NSA documents allude to the idea in a general way, but again we have no detail, with no vendor names or products. If Bruce's statement were true, shouldn't we have seen the evidence for at least one backdoor by now?
Then there's the motive question. What incentive does any company have to allow any government agency to install a backdoor in any product? Once the backdoor was found, it would decimate the product and the company. It isn't worth the risk in a capitalist society.
Further, we have real-life evidence of vendors finding possible NSA backdoors, which vendors universally eschewed. Around the release of Windows Vista and Windows Server 2008, a Microsoft cryptologist was instrumental in discovering that a random-number-generator cipher, called Dual_EC_DRBG, likely had a backdoor or at least a very useful cryptographic weakness. The NSA had instructed NIST to require Dual_EC_DRBG in all computers sold to the U.S. government. That requirement stood -- although no one I'm aware of has implemented it.
There you have it: A major vendor was involved with implementing a hidden backdoor, and when a flaw was independently discovered, the finding was publicly released to the world. It's the exact opposite of the cloak-and-dagger scenario currently imagined.
4. It's the law, stupid
Most of what has been occurring is allowed by law. We need to change those laws. That's long overdue. In fact, you'd be amazed at all the things law enforcement doesn't need a warrant for -- even a sample of your DNA. If you don't like what the NSA or law enforcement does, then work to change the laws.
You don't even have to do it by yourself. Several independent organizations are working on your behalf. My favorite is the Electronic Privacy Information Center. Check out the website. Pick one or more issues to get involved in and get started. If you don't have the time, donate money.
The only thing that bothers me more than law enforcement violating my privacy is how many ordinary Americans don't care. I'm much angrier about that than whether or not the NSA can read my crypto.
5. Crypto isn't the weakest link
What really gets me is how many risk managers are spinning every available cycle and resource on trying to find out about purported crypto weaknesses, when they should be spending every available second fixing the easy stuff. Encryption has never been and will never be the weakest link.
I don't like the fact that my own government -- or any government, for that matter -- is allowed to spy on me. I don't want them in my metadata. I don't want them in my financial transactions. I don't want them in my garbage. But the truth is I fear most what's right in front of me every day -- what really matters to the majority of risk management -- and it isn't even close to the NSA cracking encryption.
This story, "5 reasons I'm not too upset over Cryptogeddon," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.