Stung by revelations of ubiquitous surveillance and compromised software, the internet’s engineers and programmers ponder how to fight back
SECURITY guards (at least the good ones) are paid to be paranoid. Computer-security researchers are the same. Many had long suspected that governments use the internet not only to keep tabs on particular targets, but also to snoop on entire populations. But suspicions are not facts. So when newspapers began publishing documents leaked by Edward Snowden, once employed as a contractor by America’s National Security Agency (NSA), the world’s most munificently funded electronic spy agency, those researchers sat up.
They were especially incensed by leaks published in September by the Guardian and the New York Times, which suggested that American spooks (with help from their British counterparts) had been working quietly for years to subvert and undermine the cryptographic software and standards which make secure communication over the internet possible. “At that point”, says Matthew Green, a cryptographer at Johns Hopkins University, “people started to get really upset.”
On November 6th a meeting in Vancouver of the Internet Engineering Task Force (IETF), an organisation which brings together the scientists, technicians and programmers who built the internet in the first place and whose behind-the-scenes efforts keep it running, debated what to do about all this. A strong streak of West Coast libertarianism still runs through the IETF, and the tone was mostly hostile to the idea of omnipresent surveillance. Some of its members were involved in creating the parts of the internet that spooks are now exploiting. “I think we should treat this as an attack,” said Stephen Farrell, a computer scientist from Trinity College, Dublin, in his presentation to the delegates. Discussion then moved on to what should be done to thwart it.
We have the technology
As a sort of council of elders for the internet, the IETF has plenty of soft power. But it has no formal authority. Because its standards must be acceptable to users and engineers all over the world, it works through a slow process of consensus-building. New standards, guidelines and advice take months or years to produce.
Others, equally offended by the intelligence agencies’ activities, prefer not to wait, and are simply getting on with the job of trying to restore confidence in online security. As Bruce Schneier, a leading cryptographer, told the conference, it seems spies cannot actually break most cryptographic codes. Instead they try to work around them. One way is to subvert the standards and software which implement cryptography. That is possible because, besides trying to defeat the cryptographic efforts of others, the NSA also helps produce ciphers for Americans to use. Those same cryptographic standards are then employed all over the internet.
Researchers have therefore been warning users against employing anything that might have been tampered with. RSA Security, a big maker of encryption software, has advised its customers to stop using a random-number generator widely believed to have been fiddled with by the spooks to make its output predictable (random numbers are a crucial component of any cryptographic scheme, but are notoriously hard to produce on a deterministic machine such as a computer). And a group of Brazilian mathematicians has published a new set of codes for use with elliptic-curve cryptography, a novel scrambling technique that has been championed by the NSA. Anyone worried by the provenance of NSA-supplied curves is free to use these new ones instead.
Even America’s government is getting in on the act. The credibility of its National Institute of Standards and Technology, which sets American cryptographic standards with the help of the NSA, has been dented by Mr Snowden’s revelations.