“We have to trust the infrastructure (of the Internet)…The fact that it has been subverted in ways we don’t understand…we don’t know what to trust. And that is an enormous blow to the global promise of the Internet.” Those are some of the words of well-known cryptographer Bruce Schneier, who reviewed some of the documents given by Edward Snowden to the Guardian newspaper.
Mr. Schneier has given multiple talks about the technology used in the NSA surveillance as well as its implications for the Internet and our global society. Following is one of his most interesting talks at Columbia Law School:
This year’s RSA Security Conference was very different from previous years. Discussions about the role and actions of the NSA were everywhere, particularly in the keynotes.
In addition, RSA itself has been in a very challenging position because of its use of the NSA/NIST Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) in its BSafe encryption toolkits, whose random numbers might not be as random as they should be. Those revelations led six security experts this year to decline to participate in the conference. (For more about random number generation in cryptography, read the Wikipedia entry on Dual_EC_DRBG, Bruce Schneier’s 2007 article in Wired Magazine, and his February 27 interview in the Register.)
In response to the relationship between RSA and the NSA, another conference was organized next door to the Moscone Center at the Metreon: TrustyCon, whose impressive list of speakers included Mikko Hypponen (who was the first one to cancel his presentation at RSA 2014), Jeff Moss, Dan Boneh, and many others…see the video below…
So what should governments, businesses, and individuals do next?
We are just starting that debate…you, me and everyone…
Hardening the Internet was on the agenda of the last IETF (Internet Engineering Task Force) meeting and is likely to be discussed much more in the coming meetings:
Bruce Schneier proposed a complete reorganization of the NSA: Breaking Up the NSA.
RSA Executive Chairman Art Coviello, in his keynote, “articulated four guiding principles to encourage debate and action by all parties with a common vested interest in ensuring a safer Internet:
1. Renounce the use of cyber weapons and the use of the Internet for waging war.
“We must have the same abhorrence to cyberwar as we do nuclear and chemical war.”
2. Cooperate in the investigation, apprehension, and prosecution of cybercriminals.
“The only ones deriving advantage from governments trying to gain an advantage over one another on the Internet are the criminals. Our lack of immediate, consistent and sustained cooperation, globally, gives them the equivalent of safe havens.”
3. Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected.
“The benefits to all of us from the improvements of productivity in commerce, research, and communication are too valuable to not achieve agreement. Rule of law must rule!”
4. Respect and ensure the privacy of all individuals.
“Our personal information has become the true currency of the digital age. While it is important that we are not exploited, it is even more important that our fundamental freedoms are protected. But with our personal freedom comes responsibility. Governments have a duty to create and enforce a balance… a balance based on a fair governance model and transparency.”
Mr. Coviello also argued for changes at the NSA and intelligence organizations around the world to adopt a governance model that more clearly separates their defensive and intelligence gathering roles.”
For more details, watch the full keynote below:
A few additional footnotes:
1. Encryption is still the best “defense” for maintaining someone’s privacy, IF it is implemented RIGHT
2. Be careful what you wish for! As the Royal United Services Institute found with the Stuxnet worm, cyber weapons can have consequences opposite to what was initially expected
3. What the NSA is doing in the US is very much what any other well-funded nation-state is doing or planning to do
4. Today’s NSA tools will be in tomorrow’s computer security textbooks
References
- RSA Security Conference
- Schneier on Security
- TrustyCon
- The National Security Agency
- The NSA on Wikipedia
- NSA Domestic Surveillance Directorate
- NPR: 5 things to know about the NSA surveillance activities (quick summary)
- About the Stuxnet worm: NY Times’ article
- A Silicon Valley Insider, Symantec Stuxnet Deep Diving
- IETF: Leading Engineers Agree to Upgrade Standards to Improve Internet Privacy and Security
Update:
Additional video material from Bruce Schneier: his talk at RSA (the version of the same talk given at MIT is better), and his interview at TrustyCon 2014
Note: The picture above is a street painting inspired by Blade Runner from two artists painting at RSA 2014.
Copyright © 2005-2014 by Serge-Paul Carrasco. All rights reserved.