
The US government has betrayed the internet. We need to take it back


Post time 2013-9-7 18:42:32

The BRICS should look at and initiate an alternative internet to assist the peoples of the World ....
Both Russia and China are capable of providing this worldwide service to mankind ....


The US government has betrayed the internet. We need to take it back

The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it

Bruce Schneier
The Guardian, Thursday 5 September 2013 20.04 BST

'Dismantling the surveillance state won't be easy. But whatever happens, we're going to be breaking new ground.' Photograph: Bob Sacha/Corbis

US Government and industry have betrayed the internet, and us.

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can – and should – do.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.



Post time 2013-9-7 19:11:16

NSA Cracking Encryption with Supercomputers

Michael Winter
USA Today
September 5, 2013

U.S. and British intelligence agencies have cracked the encryption designed to provide online privacy and security, documents leaked by former intelligence analyst Edward Snowden show.

In a clandestine, decade-long effort to defeat digital scrambling, the National Security Agency, along with its British counterpart, the Government Communications Headquarters (GCHQ), have used supercomputers to crack encryption codes through “brute force” and have inserted secret “back doors” into software with the help of technology companies, The Guardian, The New York Times and ProPublica reported Thursday.

The NSA has also maintained control over international encryption standards.

As the Times points out, encryption “guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world.”

The American Civil Liberties Union, which has filed a federal suit challenging the government’s collection of telephone communications data, immediately called the NSA’s efforts to defeat encryption “recklessly shortsighted” and said they are making the Internet less secure for all.

In a statement, the ACLU said the actions will “further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.”

“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions and commercial secrets,” said Christopher Soghoian, principal technologist of the ACLU’s Speech, Privacy and Technology Project. “Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the Internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance.”

The spy agencies have focused on compromising encryption found in Secure Sockets Layer (SSL), virtual private networks (VPNs) and 4G smartphones and tablets. The NSA spent $255 million this year on the decryption program – code named Bullrun – which aims to “covertly influence” software designs and “insert vulnerabilities into commercial encryption systems” that would be known only to the agency.

The documents leaked by Snowden, who has been granted temporary asylum in Russia, do not name specific companies or encryption technologies, and refer to customers and users as “adversaries.”

The NSA calls its decryption efforts the “price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”

A 2010 memo describing an NSA briefing to British agents about the secret hacking said, “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

The GCHQ is working to penetrate encrypted traffic on what it called the “big four” service providers — Google, Yahoo, Facebook and Microsoft’s Hotmail.

One document shows that by 2012, the British agency had developed “new access opportunities” into Google’s systems.

Major tech companies did not immediately respond. In the past, they have said they cooperate with government agencies only as prescribed by law.

The NSA says code-breaking is fundamental to its mission of protecting national security by deciphering communications from terrorists, spies or other U.S. adversaries.

During the 1990s, the agency fought unsuccessfully to have a secret government portal included in all encryption protocols.

Experts and critics say that while “back doors” may help intelligence gathering, they weaken the Web’s overall security and trust, and could be used against Americans.

“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” Matthew Green, a cryptography researcher at Johns Hopkins University, told the Times. “Those back doors could work against U.S. communications, too.”

Bruce Schneier, a security technologist, examined the documents before they were published and authored an analysis for the Guardian. He told USA TODAY that they are the biggest revelations yet from the documents leaked by Snowden and said they show NSA has “subverted” much of the Internet and tech companies that form its backbone.



Post time 2013-9-7 19:16:51

The United States government and its NSA spy on everyone on planet earth, all American citizens included. And suddenly, there is only deafening silence from American citizens .... a dumbed-down zombie population at best ....




Post time 2013-9-7 19:23:46

Who Are the NSA's Corporate Partners?


Every day, there is new information on the shrinking of the scope of liberty and personal privacy.

Thursday, for example, the New York Times reported:

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

In court documents filed by Google and obtained by Consumer Watchdog, the tech giant argued “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Basically, Google claims the right to read the e-mail of all its customers in order to push ads to them based on key words in the communications.

Earlier, The New American reported on the participation of Facebook with government inquiries into users’ private data stored by the social-media company.

In light of the collusion of corporate, technological, and government interests it is important to rehearse the list of those companies whose cooperation in the various NSA snooping programs is facilitating the construction of the surveillance state.

First, there is PRISM. Under PRISM, the NSA and the FBI are “tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time,” as reported by the Washington Post.

The joint venture has been functioning since 2007, but only came to light in a PowerPoint presentation that was part of the cache of documents leaked by Snowden.

Snowden claimed that the program was so invasive that “They [the NSA and the FBI] quite literally can watch your ideas form as you type.”

According to Snowden, the following Internet outfits give the NSA access to their servers, and thus their users’ information:







Microsoft and Google have sued the federal government to get permission to publicly reveal the surveillance requests they have received from the various federal agencies.

On the telecommunication side, both AT&T and Verizon have apparently granted the government unconstitutional access to the phone records of millions of customers.

Most recently, a story published in the New York Times revealed that “For at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls.”

Included in the Snowden disclosures was a similar set-up involving Verizon customers’ call logs and the NSA.

A key to understanding how and why the NSA (and other intelligence and law enforcement agencies) can so quickly and consistently tap into the Internet and the telecom infrastructure is the Communications Assistance for Law Enforcement Act (CALEA) of 1994.

Under provisions of CALEA, domestic telecommunication companies are required to provide government and law enforcement with access to their data and telecom traffic. This includes the mandate that all vendors who provide equipment to those companies likewise leave their products vulnerable to government taps.

One of the companies most often named in connection with CALEA is Cisco, the nation’s leading service provider of routers and switches.

Then, on August 27, the Wall Street Journal reported that CALEA’s reach extended even to foreign telecommunication companies merging with or acquiring the assets of U.S.-based companies. Before being given the green light, these companies have had to commit to the federal government to adhere to the terms of CALEA and give unfettered access to their equipment whenever a demand was made.

International firms named in the Wall Street Journal article include Alcatel-Lucent, Nokia, and Ericsson, each of which has merged with or purchased American entities.

Despite a few well-intentioned, but ultimately impotent efforts by lawmakers to slow the sprawl of the surveillance apparatus, inertia seems to be carrying the NSA and others farther along the trajectory of tyranny. And every year Congress writes big checks, keeping the data collection programs in the black — literally and figuratively.

In August, a story in the Washington Post shone a little light on the secret surveillance budget.

According to information in that story, the “black budget” for intelligence activities for Fiscal Year 2013 was $52.6 billion. This covered the operating funds for “16 spy agencies” and their more than 107,000 employees.

As the borders of liberty are pushed back by the federal government, there yet remains time for the people and the states to push back.

First, people must hold accountable every elected official who votes to fund these agencies and their unconstitutional searches and seizures of private information. Second, state legislators must refuse to act as mere administrative functionaries of the federal government.

Finally, rather than experience annual growth, companies suspected of giving the government access to customer files and data should be held accountable by those users.



Post time 2013-9-7 20:00:57

Revealed: how US and UK spy agencies defeat internet privacy and security

• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'


Experts on privacy and Internet security have blasted the National Security Agency over reports it has secretly been working with the British government to crack encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data secure.

The New York Times, Britain's Guardian newspaper and the nonprofit news website ProPublica reported Thursday that the NSA has bypassed or altogether cracked much of the digital encryption used by businesses and everyday Web users. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone's secrets available for government consumption.

Bruce Schneier, a security expert who worked with the Guardian to reveal the NSA's secrets, said Thursday that the U.S. government had "betrayed the Internet."

"By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract," Schneier wrote in an essay for the British paper.

"We can no longer trust them to be ethical Internet stewards. This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back."

The American Civil Liberties Union joined Schneier in criticizing the spy agency. Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project, said late Thursday that the agency's alleged campaign against encryption "is making the Internet less secure" and exposing Web users to "criminal hacking, foreign espionage, and unlawful surveillance."

'The NSA's efforts to secretly defeat encryption are recklessly shortsighted.'

- Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project

"The NSA's efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies," Soghoian said in a statement.

The reports state that the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert "back doors" into their software. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," according to a 2010 briefing document about the NSA's accomplishments meant for its UK counterpart, Government Communications Headquarters, or GCHQ. Security experts told the news organizations such a code-breaking practice would ultimately undermine Internet security and leave everyday Web users vulnerable to hackers.

The revelations stem from documents leaked by former NSA contractor Edward Snowden, who sought asylum in Russia this summer. His leaks, first published by the Guardian, revealed a massive effort by the U.S. government to collect and analyze all sorts of digital data that Americans send at home and around the world.

Those revelations prompted a renewed debate in the United States about the proper balance between civil liberties and keeping the country safe from terrorists. President Barack Obama said he welcomed the debate and called it "healthy for our democracy" but meanwhile criticized the leaks; the Justice Department charged Snowden under the federal Espionage Act.

Thursday's reports described how some of the NSA's "most intensive efforts" focused on Secure Sockets Layer, a type of encryption widely used on the Web by online retailers and corporate networks to secure their Internet traffic. One document said GCHQ had been trying for years to exploit traffic from popular companies like Google, Yahoo, Microsoft and Facebook.

GCHQ, they said, developed "new access opportunities" into Google's computers by 2012 but said the newly released documents didn't elaborate on how extensive the project was or what kind of data it could access.

Even though the latest document disclosures suggest the NSA is able to compromise many encryption programs, Snowden himself touted using encryption software when he first surfaced with his media revelations in June.

During a Web chat organized by the Guardian on June 17, Snowden told one questioner that "encryption works." Snowden said that "properly implemented strong crypto systems" were reliable, but he then alluded to the NSA's capability to crack tough encryption systems. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it," Snowden said.

It was unclear if Snowden drew a distinction between everyday encryption used on the Internet — the kind described in Thursday's reports — versus more-secure encryption algorithms that are used to store data on hard drives and often require more processing power to break or decode. Snowden used an encrypted email account from a now-closed private email company, Lavabit, when he sent out invitations to a mid-July meeting at Moscow's Sheremetyevo International Airport.

The operator of Lavabit LLC, Ladar Levison, suspended operations of the encrypted mail service in August, citing a pending "fight in the 4th (U.S.) Circuit Court of Appeals." Levison did not explain the pressures that forced him to shut the firm down but added that "a favorable decision would allow me to resurrect Lavabit as an American company."

The government asked the news organizations not to publish their stories, saying foreign enemies would switch to new forms of communication and make it harder for the NSA to break. The organizations removed some specific details but still published the story, they said, because of the "value of a public debate regarding government actions that weaken the most powerful tools for protecting the privacy of Americans and others."

Such tensions between government officials and journalists, while not new, have become more apparent since Snowden's leaks. Last month, Guardian editor Alan Rusbridger said that British government officials came by his newspaper's London offices to destroy hard drives containing leaked information. "You've had your debate," one UK official told him. "There's no need to write any more."

The Associated Press contributed to this report.



Post time 2013-9-7 20:08:11

NSA surveillance: A guide to staying secure???

The NSA has huge capabilities – and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe

Bruce Schneier
The Guardian, Friday 6 September 2013 14.09 BST

Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other "partners" around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

That's an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. "Interesting" can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.

The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this are staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem – recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff – has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there's a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that's easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you're running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

I believe this is true, despite today's revelations and tantalizing hints of "groundbreaking cryptanalytic capabilities" made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden's follow-on sentence is equally important: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

Endpoint means the software you're using, the computer you're using it on, and the local network you're using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn't matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line; I've been using that as well.

I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.



Post time 2013-9-7 20:49:41

Explaining the latest NSA revelations – Q&A with internet privacy experts

The Guardian's James Ball and cryptology expert Bruce Schneier answer questions about revelations that spy agencies in the US and UK have cracked internet privacy tools
James Ball and Bruce Schneier, Friday 6 September 2013 15.41 BST

Employees inside the joint special operations command at National Security Agency (NSA) headquarters in Fort Meade, Maryland. Photograph: Brooks Kraft/Corbis

Today, beginning at 3pm ET | 8pm BST, the Guardian's James Ball, who reported on the latest NSA and GCHQ revelations, and cryptology expert Bruce Schneier, who wrote about the implications, will take your questions on the new revelation that the US and UK governments can crack much of the encryption protecting personal data, online transactions and emails – as well as the ongoing debate over surveillance. Toss your questions below and as you wait for a response, re-visit yesterday's stories:

• How US and UK spy agencies defeat internet privacy and security

• How internet encryption works

• The US government has betrayed the internet. We need to take it back

The Q&A is now over.

First Question:

06 September 2013 4:47pm

Can we trust open source? Of course it is more transparent than proprietary, but if NSA has been influencing standard documents, what is stopping them penetrating free software?

Do we have evidence supporting/denying contamination of open source?


James Ball: Because the NSA and GCHQ have been influencing standards, and working to covertly modify code, almost anything could potentially have been compromised. Something as simple as – hypothetically – modifying a basic random-number-generator could weaken numerous implementations of open-source code.

That said, anything done to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things. But almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months.


06 September 2013 4:28pm

Is there any reason to believe that these back doors have also been built into hardware?


Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.


06 September 2013 4:19pm

How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?


Ball: I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fueling is about, I think.


06 September 2013 3:57pm

How would one go about selecting a VPN service that is still viable? All US-based ones are likely compromised via National Security Letters, and many foreign ones are probably hacked. Is there anything specific about a VPN service's transmission protocol (key exchange method) that may make it more reliable?


Ball: As you say, I think this is quite difficult, but one thing that is worth flagging is we have a sense of what the US and the other “Five Eyes” nations (the UK, Canada, Australia and New Zealand) are doing, because we have a whistleblower from those agencies.

It’s not inconceivable that intelligence agencies in other countries are doing a lot of the same things (it would be surprising if they weren’t doing some of it) – but we won’t hear about them unless a Chinese, Russian, German, Indian, etc, Edward Snowden comes along. I hope they do.


06 September 2013 4:17pm

First off -- thanks to James and Bruce for taking some time to answer people's questions! I know a lot of us need answers in these uncertain times.

Mine is a two-part question:

1.) What can the average internet user do to protect him- or herself from government snooping online?

2.) What can the average citizen do to help stop the NSA?

Thank you.


Ball: Bruce had a great article yesterday ( ... secure-surveillance) on what to do to try to secure your own communications. I think it’s a brilliant starting place, especially for journalists and activists. Even though he’s described it well, of course, I think it’s beyond the expertise levels of 95%+ of internet users. This stuff is seriously hard, and I hope the crypto community carries on trying to make it easier.

As to the second question, the solution is going to have to be political: if your view is that what the NSA is doing isn’t acceptable, I think contacting congressmen, petitioning, and campaigning are the right steps. I’m sure the EFF, ACLU, EPIC and similar organizations will be stepping up their long-running efforts in the near future.


06 September 2013 4:40pm

Bruce's article giving advice on staying more private online included selecting certain encryption algorithms based on their mathematical features etc -- what are some direct examples of the most 'safe' encryption techniques to use, key lengths etc?

How can Tor be any safer than VPN if both SSL/TLS and VPN methodologies have been exploited? Is the Tor routing process still a good security?


Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggest it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.

Note: Bruce Schneier has been traveling but will be online shortly. James Ball will take questions in the meantime.


Patrick White
06 September 2013 4:58pm

The questions I find myself asking are "Who is chiefly responsible for this breach of trust?", "Will anyone be held accountable?" and "What sort of backlash will there be, if any, from society at large?".


Ball: Me too! There are a lot of issues here, not least that the technological capabilities of the NSA have hugely outpaced the efforts of most lawmakers to meaningfully understand them, let alone regulate them.

In the environment after 9/11, the agency had a permissive environment to expand its remit, masses more funding, and technological advancements making surveillance possible on a scale never previously imaginable. For privacy advocates, the past decade was essentially the perfect storm.

That encroachment happened under three Presidents, from two parties. I don’t think this is a partisan issue. It feels a little like the (apocryphal) tale of a frog in boiling water: if the water is slowly heated, the frog never notices it’s being cooked.

A final note is that at a bare minimum we need to hold senior intelligence officials accountable in public, and demand honest answers. Obama’s Director of National Intelligence has been accused of outright lying to Congress, seemingly with no adverse consequences. If you’re looking to increase accountability and transparency, surely you’ve got to start there.

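In the Q&A above, James Ball's first answer raises the hypothetical of a subtly modified random-number generator weakening many implementations at once. The following is an added example, not part of the Q&A or of any project it mentions, of two checks a defender can run against the byte source behind key generation: the repetition count test from NIST SP 800-90B, which catches a generator that gets stuck, and a duplicate-key count, which catches a generator whose real entropy is far below its nominal output width. The function names, the 2^-30 false-alarm rate and the 16-bit seed in weak_keygen() are this example's own assumptions, and weak_keygen() is a constructed stand-in for the hypothetical weakened generator, not any real product.

```python
"""Health checks for the random source behind key generation.

Added example, not part of the Q&A above. Two checks a defender can run
against any byte source: the repetition count test from NIST SP 800-90B,
which catches a generator that gets stuck, and a duplicate-key count, which
catches a generator whose real entropy is far below its nominal output
width. weak_keygen() is a constructed stand-in for the hypothetical
weakened generator Ball describes, not any real product: it hashes a
16-bit seed into a 256-bit key, so the key looks random and passes the
repetition test, yet 2000 such keys almost surely contain duplicates.
"""
import hashlib
import math
import os
import secrets
from collections import Counter
from typing import Callable


def repetition_cutoff(min_entropy_per_sample: float, alpha: float = 2 ** -30) -> int:
    """SP 800-90B repetition count cutoff C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / min_entropy_per_sample)


def repetition_count_test(samples: bytes, cutoff: int) -> bool:
    """True if no sample value repeats 'cutoff' or more times in a row."""
    run, last = 0, None
    for value in samples:
        if value == last:
            run += 1
            if run >= cutoff:
                return False
        else:
            last, run = value, 1
    return True


def duplicate_keys(keygen: Callable[[], bytes], count: int) -> int:
    """Number of keys, out of 'count' draws, that repeat an earlier key."""
    seen = Counter(keygen() for _ in range(count))
    return sum(n - 1 for n in seen.values())


def weak_keygen() -> bytes:
    """Constructed weak generator: 256-bit output, only 16 bits of real entropy."""
    seed = secrets.randbelow(1 << 16)
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()


def strong_keygen() -> bytes:
    """OS CSPRNG: 256 bits of output with 256 bits of entropy."""
    return os.urandom(32)


def main() -> None:
    cutoff = repetition_cutoff(8.0)          # 8-bit samples, full entropy -> 5
    print("repetition test, os.urandom:", repetition_count_test(os.urandom(65536), cutoff))
    print("repetition test, stuck source:", repetition_count_test(b"\x41" * 100, cutoff))
    # The weak generator passes the repetition test: each output is a hash.
    weak_stream = b"".join(weak_keygen() for _ in range(2048))
    print("repetition test, weak source:", repetition_count_test(weak_stream, cutoff))
    print("duplicates in 2000 strong keys:", duplicate_keys(strong_keygen, 2000))
    print("duplicates in 2000 weak keys:", duplicate_keys(weak_keygen, 2000))


if __name__ == "__main__":
    main()
```

Neither check proves a source is good; both only reject sources that are obviously broken. The instructive case is the constructed weak generator: its output passes the repetition test because every key is a hash, and only the duplicate count over a batch of keys exposes the reduced seed entropy. An audit of a generator therefore has to look at where the seed comes from, not just at whether the output looks random.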
