paul_venezia
Senior Contributing Editor

RIP, information security, done in by backdoors and secret deals

analysis
Jan 13, 2014 (5 mins)

It seems that the very tools we use to secure our networks represent the greatest insider threat of all

Another day, another revelation about massive government data collection on citizens domestic and abroad, including (but not limited to) phone calls, Internet transactions, backdoors in encryption algorithms, man-in-the-middle attacks. Heck, for all we know, the NSA is probably behind the BGP hijacking that’s been happening sporadically. Now we’ve learned that the NSA has been paying information technology vendors for backdoors.

In all of the tech press talking about new operating systems, new hardware, new processors, as well as advancements in storage, networking, and even security, this is the elephant in the room: Under no circumstances can we trust a piece of network hardware or software again, unless the code is available for inspection from stem to stern. From the code on the ASICs to the BIOS, OS, and the application itself, we need to see it. Every iota of trust has vanished.


What’s the point of security anymore?

Protection against barbarians is one easy answer, but that’s fairly easily handled. Firewalls, IDS, and network monitoring generally work well for those of little skill and a penchant for destruction.

But security used to be all about protecting corporate assets, intellectual property, negotiations, plans, and strategies. We lock down remote access with two-factor authentication. We have extensive audit trails of data and network access. We construct complex rules to permit users to access only the data that they should access, thereby reducing the potential for data loss. What does any of that matter if domestic and foreign governments are collecting that data anyway, using backdoors in the very tools we employ to protect ourselves?

When we deploy a strict new security plan, we do so in order to tighten down access to sensitive information. Nowhere in those plans or in the documentation from the software and hardware vendors does it say that by implementing their solution, we tacitly allow an external entity to access our network and our data — yet that’s exactly what’s happening.

Why bother securing anything other than basic firewalling and IDS anymore? What, exactly, are we protecting? If our efforts to secure our networks and our data have the adverse effect of permitting exactly the type of data leak we’re fighting against, it would seem that there is no reason to do so.

This is a big problem, to put it mildly. The security industry is built on trust. We trust our commercial firewall vendor. We trust our certificate authority. We trust our encryption vendor, most of all.

We have to trust them. We have no other choice. We can’t see their code, and we can’t independently verify that they are on the up-and-up. We have to take their word that the service or software they provide is not only secure, but that they haven’t purposefully allowed unknown third parties to gain backdoor access to our network through their products. Until recently, this was the turf of conspiracy theorists. Though we all knew it was possible, we never thought it was actually occurring. Now we know better.

Now we know that we can’t trust any commercial, closed source software anymore — none of it. Not a single piece of hardware or software is currently trustworthy, and they’ll forevermore be suspect. This has changed the game, altering the security landscape permanently and horrifically. There’s absolutely no way for any commercial, closed source vendor to regain that trust, no matter how much or how often they claim otherwise. The big one, of course, was the fact that RSA accepted millions to allow the NSA backdoor access to its security products. How anyone can continue to do business with RSA baffles me.

It’s not just RSA. It’s also certificate authorities and other failed guardians of Internet security. With more revelations coming out in a steady stream, it seems more likely than not that any major technology company has been compromised in one way or another. The NSA’s list of exploits is extensive, and there are even embedded backdoors in commercial products like Dell PowerEdge servers. But hey, Dell apologizes for the inconvenience. The full list includes companies such as Apple, HP, Cisco, Huawei, Juniper Networks, Microsoft, Maxtor, Seagate, Samsung, and Western Digital, along with products ranging from network hardware to servers to hard drives.

If you run Dell servers, you have no way of knowing what the BIOS on those servers could be doing. You bought them, brought them into your data center, and placed sensitive and mission-critical data on them — because you trusted Dell. The same goes for the disks in your servers and storage arrays, not to mention your routers and firewalls. You can’t trust them.

There’s that word again: Trust. As I’ve beaten to death in this piece, that’s gone, and nothing will replace it unless and until we open-source everything in the stack, from the absolute top to the absolute bottom. If we get there, then we may once again find ourselves requiring network security. Lacking that level of clarity and openness, however, there’s no point. It’s an impossible task when your tools are designed to work against you.

This story, “RIP, information security, done in by backdoors and secret deals,” was originally published at InfoWorld.com. Read more of Paul Venezia’s The Deep End blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.