Stung by revelations of ubiquitous surveillance and compromised software, the internet’s engineers and programmers ponder how to fight back
SECURITY guards (at least the good ones) are paid to be paranoid. Computer-security researchers are the same. Many had long suspected that governments use the internet not only to keep tabs on particular targets, but also to snoop on entire populations. But suspicions are not facts. So when newspapers began publishing documents leaked by Edward Snowden, once employed as a contractor by America’s National Security Agency (NSA), the world’s most munificently funded electronic spy agency, those researchers sat up.
They were especially incensed by leaks published in September by the Guardian and the New York Times, which suggested that American spooks (with help from their British counterparts) had been working quietly for years to subvert and undermine the cryptographic software and standards which make secure communication over the internet possible. “At that point”, says Matthew Green, a cryptographer at Johns Hopkins University, “people started to get really upset.”
On November 6th a meeting in Vancouver of the Internet Engineering Task Force (IETF), an organisation which brings together the scientists, technicians and programmers who built the internet in the first place and whose behind-the-scenes efforts keep it running, debated what to do about all this. A strong streak of West Coast libertarianism still runs through the IETF, and the tone was mostly hostile to the idea of omnipresent surveillance. Some of its members were involved in creating the parts of the internet that spooks are now exploiting. “I think we should treat this as an attack,” said Stephen Farrell, a computer scientist from Trinity College, Dublin, in his presentation to the delegates. Discussion then moved on to what should be done to thwart it.
We have the technology
As a sort of council of elders for the internet, the IETF has plenty of soft power. But it has no formal authority. Because its standards must be acceptable to users and engineers all over the world, it works through a slow process of consensus-building. New standards, guidelines and advice take months or years to produce.
Others, equally offended by the intelligence agencies’ activities, prefer not to wait, and are simply getting on with the job of trying to restore confidence in online security. As Bruce Schneier, a leading cryptographer, told the conference, it seems spies cannot actually break most cryptographic codes. Instead they try to work around them. One way is to subvert the standards and software which implement cryptography. That is possible because, besides trying to defeat the cryptographic efforts of others, the NSA also helps produce ciphers for Americans to use. Those same cryptographic standards are then employed all over the internet.
Researchers have therefore been warning users against employing anything that might have been tampered with. RSA Security, a big maker of encryption software, has advised its customers to stop using a random-number generator widely believed to have been fiddled with by the spooks to make its output predictable (random numbers are a crucial component of any cryptographic scheme, but are notoriously hard to produce on a deterministic machine such as a computer). And a group of Brazilian mathematicians has published a new set of codes for use with elliptic-curve cryptography, a novel scrambling technique that has been championed by the NSA. Anyone worried by the provenance of NSA-supplied curves is free to use these new ones instead.
Even America’s government is getting in on the act. The credibility of its National Institute of Standards and Technology, which sets American cryptographic standards with the help of the NSA, has been dented by Mr Snowden’s revelations.