Jul 23 2014

Snowden Calls On Employees To Leak Company Secrets

During the Hackers On Planet Earth (HOPE) conference, Edward Snowden and Daniel Ellsberg called on insiders (employees) to spill corporate and government secrets.  Snowden is calling for the development of encryption and obfuscation tools to make this easier. The goal is to anonymously expose malfeasance without any repercussions. They believe that people should be able to do this without paying any price and without being held accountable. Superficially this all sounds like a good idea, but who gets to decide what should be leaked or stolen and what constitutes improper behavior?  What else could be leaked or stolen?

Snowden is talking about tools like Dark Mail, Tails, Tor, and SpiderOak, just to name a few.  Tools like these can be used to obscure user activity and transmit data in the dark. That is a good thing if you are going about your own private business, but it could be a really bad thing if someone is stealing your intellectual property.  This is extremely devastating when used in combination with privilege escalation or improperly managed privileges.  This combination is similar to what Snowden used to take down the NSA. Insiders claim that the NSA’s internal security and privilege management technology is stuck in 2003. OK, not many people will feel sorry for the NSA, but if it can happen to one of the most advanced spy agencies it can happen to anyone.

There is a problem with individuals taking it upon themselves to be judge, jury, and executioner. We already have a name for this and it is called vigilantism. Have you ever been in an argument with someone who claims that they know what is right? Whenever you ask them how they know they are right the answer is usually something like “because I am right.” Not everyone is cut out to be a self-proclaimed vigilante. Is it OK to make your company’s secret sauce or other IP public knowledge because you feel it gives them an unfair competitive advantage? Maybe someone is unhappy with their employer for other reasons and they think exposing company trade secrets is a fitting punishment. The point is that there could be disastrous unintended consequences when these decisions are left to faceless vigilantes alone.

People should have the courage of their convictions to stand by their accusations.  If you feel so strongly that you have witnessed injustice then take a stand. Don’t throw anonymous accusations around.  If no one is ever held accountable for anything they say or do the floodgates will open. It is no coincidence that the most vicious and nasty comments are on unmoderated internet forums. Thankfully, you will have a hard time finding so many people (trolls) that would say such things to your face. When there is no accountability, thoughtful and civilized behavior goes out the window.

There should be some sort of process to investigate the validity of these claims before they are distributed to the public. There may never be a perfect standard for this.  Arguably, we already have some mechanisms in place to deal with complaints like this. However, it is not in anyone’s best interest to have individuals secretly and anonymously giving away all their employer’s trade secrets as they alone see fit.  The accused should at least have a chance to address the accusations before they are made public.  These accusations could inflict irreparable damage even if they are unfounded. Once something is made public it can never be made private again.

Everyone has their own opinions about Snowden. Bringing up his name is a good Rorschach test to discern one’s political views, age, or the way they feel about institutions in general. At this point it is almost like a religious or political debate and is difficult to discuss in polite company. I think this is beside the point and there are more interesting things to discuss here. This is not about Snowden; it is about the next Snowden wannabe. Even if you think Snowden is a hero, will you think the same of the Snowden-inspired vigilantes to follow? Would you trust them to police your actions?

This isn’t just about exposing malfeasance. It is about anything and everything being externalized to anyone. One person’s accusation of wrongdoing is someone else’s security breach or loss of intellectual property. It is the end of some secrets and the beginning of other more harmful secrets. There will be unintended consequences galore. The Gatling gun was actually invented by Dr. Gatling to save lives. It was supposed to be a weapon so devastating that people would not bother fighting. Instead it was one of the most deadly weapons ever invented.

No matter what anyone thinks about the merits, these tools and techniques are the future and businesses must adapt to them. Once these tools are widely distributed they can and will be used for virtually anything. They will be used for corporate and government espionage. They will be used to destroy companies. A company’s entire intellectual portfolio will be secretly transmitted to its competitors. Years of research and millions of dollars will be lost. Credit card numbers and account information will be stolen. It only takes one attack to devastate a business. This is the sword in the next iteration of the sword vs. shield battle.

By John Walsh, Software Engineer, Core Development
John Walsh is a Software Engineer and a member of R&D at SSH Communications Security where he has focused on core product development and technical support. John has over 10 years of experience in software design in the IT security industry. Prior to joining the company, he worked at IBM where he designed and developed a number of key software features for security products such as LDAP, Firewall, and Java Cryptography. John holds a BS in Computer Science from Binghamton University as well as an MS in Management Information Systems from Marist College.