💾 Archived View for gmi.noulin.net › mobileNews › 4917.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
rlp
SECURITY guards (at least the good ones) are paid to be paranoid.
Computer-security researchers are the same. Many had long suspected that
governments use the internet not only to keep tabs on particular targets, but
also to snoop on entire populations. But suspicions are not facts. So when
newspapers began publishing documents leaked by Edward Snowden, once employed
as a contractor by America s National Security Agency (NSA), the world s most
munificently funded electronic spy agency, those researchers sat up.
They were especially incensed by leaks published in September by the Guardian
and the New York Times, which suggested that American spooks (with help from
their British counterparts) had been working quietly for years to subvert and
undermine the cryptographic software and standards which make secure
communication over the internet possible. At that point , says Matthew Green,
a cryptographer at Johns Hopkins University, people started to get really
upset.
On November 6th a meeting in Vancouver of the Internet Engineering Task Force
(IETF), an organisation which brings together the scientists, technicians and
programmers who built the internet in the first place and whose
behind-the-scenes efforts keep it running, debated what to do about all this. A
strong streak of West Coast libertarianism still runs through the IETF, and the
tone was mostly hostile to the idea of omnipresent surveillance. Some of its
members were involved in creating the parts of the internet that spooks are now
exploiting. I think we should treat this as an attack, said Stephen Farrell,
a computer scientist from Trinity College, Dublin, in his presentation to the
delegates. Discussion then moved on to what should be done to thwart it.
We have the technology
As a sort of council of elders for the internet, the IETF has plenty of soft
power. But it has no formal authority. Because its standards must be acceptable
to users and engineers all over the world, it works through a slow process of
consensus-building. New standards, guidelines and advice take months or years
to produce.
Others, equally offended by the intelligence agencies activities, prefer not
to wait, and are simply getting on with the job of trying to restore confidence
in online security. As Bruce Schneier, a leading cryptographer, told the
conference, it seems spies cannot actually break most cryptographic codes.
Instead they try to work around them. One way is to subvert the standards and
software which implement cryptography. That is possible because, besides trying
to defeat the cryptographic efforts of others, the NSA also helps produce
ciphers for Americans to use. Those same cryptographic standards are then
employed all over the internet.
Researchers have therefore been warning users against employing anything that
might have been tampered with. RSA Security, a big maker of encryption
software, has advised its customers to stop using a random-number generator
widely believed to have been fiddled with by the spooks to make its output
predictable (random numbers are a crucial component of any cryptographic
scheme, but are notoriously hard to produce on a deterministic machine such as
a computer). And a group of Brazilian mathematicians has published a new set of
codes for use with elliptic-curve cryptography, a novel scrambling technique
that has been championed by the NSA. Anyone worried by the provenance of
NSA-supplied curves is free to use these new ones instead.
Even America s government is getting in on the act. The credibility of its
National Institute of Standards and Technology, which sets American
cryptographic standards with the help of the NSA, has been dented by Mr Snowden
s revelations. On November 1st it announced it would review the way it carries
out its work, in an effort to rebuild trust. The unspoken implication was that
it would try harder to stop spooks attempting to slip unreliable technology
past its vetting procedures.
Other security experts are re-examining existing products. Dr Green and his
colleague Kenn White are leading a forensic audit of Truecrypt, a popular
program that enciphers a user s hard disks but which displays some odd-looking
behaviour and has rather murky origins (it is open-source, but its designers
are anonymous, and are thought to live in eastern Europe).
Fixing cryptography is only part of the problem. Intelligence agencies can also
tap data cables, allowing them to capture unscrambled information being sent
between a user and a server, regardless of whether it is later encrypted.
Mr Snowden s leaks seem to have boosted the market for better ways of dealing
with this behaviour, too. Mike Janke, a former commando who now runs Silent
Circle, a firm that offers end-to-end encryption software (meaning all
messages are transmitted pre-scrambled), counts everything from corporations
worried about industrial espionage to the Dalai Lama among his customers. He
says that business is up about 400% since the summer of Snowden . In the wake
of Mr Snowden s revelations, his firm shut down its e-mail service and is
preparing a new one that will transmit all messages pre-scrambled, meaning that
only the recipient, not even the company itself, will be able to decode them.
We can rebuild it
Doubters will argue that persuading people to change their habits to make
themselves more secure will be hard. After all, many internet users fail to
take even basic precautions, like keeping their web browsers up to date. But,
by virtue of their market shares, the internet s biggest fish have the power to
change things unilaterally.
On October 30th the Washington Post reported that America s spies have bugged
private, unencrypted fibre-optic cables which carry bits and bytes between the
data centres in the worldwide networks of Google and Yahoo, without the
companies knowledge. Google, which, of course, must be able to read its
customers e-mail in order to inflict advertisements on them, nevertheless
relies on people trusting it to guard their data, observes Dr Green.
There s a lot of anger out there, says Christopher Soghoian, principal
technologist at the American Civil Liberties Union, a lobbying group. I ve
seen two blog posts by Google engineers in the last three days that contained
the words fuck you, NSA . Google has brought forward a programme to encrypt
traffic between its data centres, which should make life harder for spies.
Yahoo has promised similar measures and Twitter (a big social-media site) is
considering them.
Besides beefing up their internal security, many of America s big firms have
been lobbying Congress to rein the NSA in. But there is reason to think that
technological changes could run ahead of legal ones. In some leaked slides, the
NSA describes a lot of its programmes as fragile , Dr Green notes, suggesting
that it worries they can be thwarted without too much trouble. And techno-fixes
offer something laws do not. There are dozens of signals-intelligence agencies
in the world, some of which serve pretty unsavoury governments. Laws can affect
only one agency at a time. Cyber-criminals will, naturally, ignore them
entirely. But techno-fixes work against everyone.