Stung by revelations of ubiquitous surveillance and compromised software, the internet’s engineers and programmers ponder how to fight back
SECURITY guards (at least the good ones) are paid to be paranoid. Computer-security researchers are the same. Many had long suspected that governments use the internet not only to keep tabs on particular targets, but also to snoop on entire populations. But suspicions are not facts. So when newspapers began publishing documents leaked by Edward Snowden, once employed as a contractor by America’s National Security Agency (NSA), the world’s most munificently funded electronic spy agency, those researchers sat up.
They were especially incensed by leaks published in September by the Guardian and the New York Times, which suggested that American spooks (with help from their British counterparts) had been working quietly for years to subvert and undermine the cryptographic software and standards which make secure communication over the internet possible. “At that point”, says Matthew Green, a cryptographer at Johns Hopkins University, “people started to get really upset.”
On November 6th a meeting in Vancouver of the Internet Engineering Task Force (IETF), an organisation which brings together the scientists, technicians and programmers who built the internet in the first place and whose behind-the-scenes efforts keep it running, debated what to do about all this. A strong streak of West Coast libertarianism still runs through the IETF, and the tone was mostly hostile to the idea of omnipresent surveillance. Some of its members were involved in creating the parts of the internet that spooks are now exploiting. “I think we should treat this as an attack,” said Stephen Farrell, a computer scientist from Trinity College, Dublin, in his presentation to the delegates. Discussion then moved on to what should be done to thwart it.
We have the technology
As a sort of council of elders for the internet, the IETF has plenty of soft power. But it has no formal authority. Because its standards must be acceptable to users and engineers all over the world, it works through a slow process of consensus-building. New standards, guidelines and advice take months or years to produce.
Others, equally offended by the intelligence agencies’ activities, prefer not to wait, and are simply getting on with the job of trying to restore confidence in online security. As Bruce Schneier, a leading cryptographer, told the conference, it seems spies cannot actually break most cryptographic codes. Instead they try to work around them. One way is to subvert the standards and software which implement cryptography. That is possible because, besides trying to defeat the cryptographic efforts of others, the NSA also helps produce ciphers for Americans to use. Those same cryptographic standards are then employed all over the internet.
Researchers have therefore been warning users against employing anything that might have been tampered with. RSA Security, a big maker of encryption software, has advised its customers to stop using a random-number generator widely believed to have been fiddled with by the spooks to make its output predictable (random numbers are a crucial component of any cryptographic scheme, but are notoriously hard to produce on a deterministic machine such as a computer). And a group of Brazilian mathematicians has published a new set of codes for use with elliptic-curve cryptography, a novel scrambling technique that has been championed by the NSA. Anyone worried by the provenance of NSA-supplied curves is free to use these new ones instead.
Even America’s government is getting in on the act. The credibility of its National Institute of Standards and Technology, which sets American cryptographic standards with the help of the NSA, has been dented by Mr Snowden’s revelations.