The US Government Has Betrayed The Internet; It's Time To Fix That Now

from the no-more-messing-around dept

With the latest shocking revelations concerning the NSA's ability to break encryption, Bruce Schneier has made an excellent point. In pursuit of a few needles, the US government has basically betrayed the core of the internet -- and it's time for engineers to fix it. Now. What's come out today is that the NSA has purposely been massively weakening internet security for its own good, in the ridiculous belief that only it would find and use these vulnerabilities.

Schneier makes two important calls in his article. First, he calls on those who actually helped out in placing these backdoors into today's technologies to come out and reveal the details. Second, he says that the internet technology and security community needs to come together right now to rethink core internet infrastructure to build solutions that are done right, with real security in mind. Encryption is still viable and powerful, but it needs to be done correctly.

"We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information."

"We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert."

As we've written a few times now, a bunch of attempts have sprung up lately to build secure communications offerings, but this goes way beyond that. This is a problem going back to core internet infrastructure, and it needs to be rethought and re-implemented in an open way that can be reviewed by anyone and where it's much more difficult for the NSA to hide or to sneak in "covert" operatives whose roles are to subvert the security.

Of course, in the short run this is also going to give extra ammo to foreign governments who want greater control over the internet themselves (not always with good intentions). It's going to be important to resist that kind of control as well. Instead, the focus needs to be on rethinking this in a manner so that no party is in full control and can subvert the system.


Reader Comments

  1. silverscarcat, Sep 5th, 2013 @ 4:43pm

    So...

    This will be web 4.0?

    We're on web 3.0 right now, right?

     

  2. justok, Sep 5th, 2013 @ 4:45pm

    I'm going to use the Constitution as my private key. They'll never think of using that.

     

  3. out_of_the_blue, Sep 5th, 2013 @ 5:04pm

    Requires a moral and legal fix, NOT more technical.

    "We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying." -- FOR PROFIT. -- "We need new techniques to prevent communications intermediaries from leaking private information." -- What a euphemism for corporations!

    The internet is designed for spying, and facilitated by javascript that allows extracting identifying data. -- Guess which corporation is surely the biggest user of javascript? That's right: Google.

    So long as information on the internets can be "monetized" without moral and legal restraints, there's no hope. Nearly everyone getting money from internet traffic is literally paid off to SPY on users, so it's only going to increase.

    Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising explicitly has the goal of changing you.

     

  4. out_of_the_blue, Sep 5th, 2013 @ 5:04pm

    This comment has been flagged by the community.

  5. Anonymous Coward, Sep 5th, 2013 @ 5:04pm

    If we all followed Richard Stallman's creed, we wouldn't be in this mess.

     

  6. Web_Rat, Sep 5th, 2013 @ 5:23pm

    From where I am sitting, the government has betrayed the US Constitution and the citizens of the United States......

     

  7. aldestrawk, Sep 5th, 2013 @ 5:25pm

    Re: Requires a moral and legal fix, NOT more technical.

    I think that Google should change its motto from "don't be evil" to "don't be completely evil". That would be more honest about all they do. I am often skeptical of their motivations and critical of their actions. However, you show an amazing, obsessed, fixation as if they were the only evil in the world. It makes me wonder if you're a victim of their age bias having once been an employee, or if you only survived through part of the interview process. Am I right?

     

  8. Anonymous Coward, Sep 5th, 2013 @ 5:30pm

    R.I.P. Windows

    R.I.P. Windows
    By purchasing Nokia’s smartphone division, Microsoft has killed its signature strategy.

    http://www.slate.com/articles/technology/technology/2013/09/microsoft_nokia_deal_a_great_idea_that_came_too_late_and_killed_windows.html

     

  9. Applesauce, Sep 5th, 2013 @ 5:41pm

    Control is not security

    Governments and their agents believe that increased control means increased security. The opposite is more often true. NSA's policy has always been to weaken internet security in order to facilitate their spying (and control). They believe that even if they can't keep the backdoors hidden, the benefit (to their agency) far outweighs any possible danger to the country or its infrastructure.

    National Security Agency is more accurately named National Control Agency.

     

  10. art guerrilla, Sep 5th, 2013 @ 5:45pm

    Re: Re: Requires a moral and legal fix, NOT more technical.

    actually, they literally -as in 'literally', not 'figuratively'- abandoned that as their operative motto a while back...
    i'm guessing right about the first time the nsa bent them over and lubed up...

     

  11. Anonymous Coward, Sep 5th, 2013 @ 5:49pm

    Cisco likely sold out

    We should probably assume that Cisco is in the NSA's back pocket here...

     

  12. Keisar Betancourt, Sep 5th, 2013 @ 6:01pm

    here's the plan...

    open source the entire thing and allow it to fork based on popularity.

     

  13. Anonymous Coward, Sep 5th, 2013 @ 6:03pm

    Re:

    This. A thousand times this.

    Those of us who have carefully observed Stallman's pronouncements over time have noted that -- almost without exception -- what he says is at first considered crank-grade lunacy.

    Then it happens, and nearly everyone (a) is astonished that it took place and (b) forgets that Stallman saw it coming twenty years out.

    For my part, I figured out nearly 30 years ago that any software which wasn't open source could not be trusted, should not be trusted, would not be trusted. I credit Stallman in part for opening my eyes to that. I wish more of my contemporaries had listened.

     

  14. Anonymous Coward, Sep 5th, 2013 @ 6:09pm

    Re: Requires a moral and legal fix, NOT more technical.

    I think it's hilarious that you work yourself so much up over things that you could stop in literally one minute.

     

  15. aldestrawk, Sep 5th, 2013 @ 6:10pm

    trusting trust

    The Internet security protocols are already open. That is to say the algorithms are public. The NSA may have some influence in crafting them and that's OK when they are wearing their "secure network and computer infrastructure" hat. Their codebreaking hat means they cannot be trusted to have the final word on anything. However, NIST, under the influence of the NSA, did a good job in adopting the Rijndael algorithm for AES. The dark hat NSA may have the goal of subverting algorithm designs but AES and the 2007 discovery of an injected weakness in a 2006 protocol shows they can be kept honest here.
    I agree with Schneier that not only the protocol stack for the Internet should be an open implementation, but whatever OS as well. That means that Microsoft and Apple will have to change or be supplanted by variations of Unix. There is one thing that Schneier did not address and that is probably because he was writing to a general audience. The tools used to build a protocol stack, or OS, or hardware logic also need to be open. If you use a subverted C compiler to compile your own instance of Linux, the software still cannot be trusted.
    I wrote a comment (anonymously, I didn't realize I wasn't logged in) to an earlier post on Techdirt today mentioning Ken Thompson's seminal paper on computer security; "Reflecting on Trusting Trust". If you haven't read this and are distrustful of the NSA, then read it now.

     

  16. aldestrawk, Sep 5th, 2013 @ 6:13pm

    Re: trusting trust

    Sorry, that's "Reflections on Trusting Trust"

     

  17. Carl "Bear" Bussjaeger, Sep 5th, 2013 @ 6:19pm

    Re: Re: Requires a moral and legal fix, NOT more technical.

    "I think that Google should change its motto from "don't be evil" to "don't be completely evil". That would be more honest about all they do."

    Actually, it's now "Don't get caught." And they're about as good at that as they were at the not-evil bit.

     

  18. justok, Sep 5th, 2013 @ 6:22pm

    Re:

    Good to see you're not going to stand for that.

     

  19. pixelpusher220, Sep 5th, 2013 @ 6:22pm

    Re: Re:

    a fair point, but another point is that any computer to which someone else has physical access is always insecure. You simply can't trust it to be reliably [whatever] since they could have done something to it.

    Until we have a true private mesh network that doesn't rely on any public infrastructure, can anything traveling over wires the gov't/corp's control or monitor be considered secure?

     

  20. Anonymous Coward, Sep 5th, 2013 @ 6:24pm

    Re: trusting trust

    I second that reading recommendation. That was Ken's Turing Award Acceptance Speech, and it's STILL brilliant. Non-technical readers may struggle with it, but it's absolutely worth the effort.

    Even more so today.

     

  21. aldestrawk, Sep 5th, 2013 @ 6:25pm

    Internet Governance

    One aspect of Schneier's article that Mike didn't mention (yet) is that the revelation of the NSA's surveillance will motivate a push away from US control and Internet governance will end up bending to nations that would use censorship to stifle dissent and to special interests who want to protect their business model (i.e. copyright). Unfortunately, all the problems being discussed on Techdirt may get worse as an indirect result of the NSA's actions.

     

  22. Anonymous Coward, Sep 5th, 2013 @ 6:31pm

    Re: Cisco likely sold out

    Most likely, and wasn't there some hubbub about potential security issues with Chinese made hardware? Seems kinda ironic now.

     

  23. bigpicture, Sep 5th, 2013 @ 6:42pm

    Bit of Irony Here

    As it turns out it is not China, or Russia or North Korea that has to be vilified as the perpetrators of heinous internet hacking crimes. But who? Yours Truly the good old USA who vilifies everyone that it does not like. It is only the others who commit crimes, we're the good guys, believe us.

     

  24. aldestrawk, Sep 5th, 2013 @ 6:56pm

    civil wars

    I am wondering if the henchmen at the NSA don't have a delicious sense of irony and humor. There are two parts to the NSA; the "sigint-codebreaking" side and the "securing the nation's infrastructure" side. The program named after a civil war battle, bullrun, puts those two sides in direct conflict.

     

  25. DCX2, Sep 5th, 2013 @ 7:04pm

    Re: Re:

    Technically, all programs are open source. You can easily disassemble any program that runs on an x86 processor with free tools. It's no secret what these programs are doing; having the source in a high-level language helps, but not having the high-level source does not mean the program is a black box.

     

  26. horse with no name, Sep 5th, 2013 @ 7:24pm

    This post will be censored by Techdirt

    Just want to get that in the clear, this post will be held for moderation and released only when it is no longer relevant to the discussion.

    Now then, my point:

    Perhaps Mike it's time for you to change your view of the internet. You think that a system that is based on you handing your information to any number of intermediary parties, to be stored on other people's networks, systems, and software as entirely private and confidential. You seem to want a level of privacy that exceeds what you would get on your phone, by sending mail, courier, or talking in a public place. You appear to want the entire world, the whole planet, to be a "private" conversation.

    It just doesn't work like that.

    Encrypting something and then handing it to a third party doesn't make it secure, it just makes it harder for people to read. Adding deadbolt locks to your front door does not suddenly make your house impossible to break into, it just makes it harder. For those determined to get in, they will. Encrypting your messages but passing them through public third party means does not assure you any more privacy than just that.

    The internet isn't broken, just your view of it.

     

  27. Brent Ashley, Sep 5th, 2013 @ 7:36pm

    Re: Re: Cisco likely sold out

    Maybe the security issues with the Chinese hardware were that they were too secure!

     

  28. Groove Tiger, Sep 5th, 2013 @ 7:43pm

    Re:

    Ha! They'll be lucky to even find one in their building!

     

  29. Anonymous Coward, Sep 5th, 2013 @ 7:44pm

    Avoid RC4-128

    One of the things the NSA appears to be abusing is a vulnerability in RC4-128 used with SSL. Google and many other companies default to RC4-128 over other more secure ciphers such as AES-256 and AES-128 but will use them when RC4-128 is not available. Completely disabling the use of RC4-128 in modern web browsers would be a first and quick step people can take to put a stop to some of this data collection.

     

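The negotiation behaviour described in comment 29, as an added example that is not part of the original thread: a server that prefers RC4 picks it whenever the client offers it, and falls back to AES once the client stops offering RC4. The server preference list, the client offer bytes and all function names are constructed for illustration; the suite numbers are the IANA code points.

```python
import ssl

# Subset of IANA TLS cipher-suite code points, enough for this illustration.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed sample data (not captured traffic): a server that lists RC4
# first, and the cipher_suites bytes of a client that still offers RC4.
SERVER_PREFERENCE = [0x0005, 0x002F, 0x0035]
CLIENT_OFFER_RAW = bytes.fromhex("c02fc013002f00350005")


def parse_cipher_suites(raw):
    """Decode a ClientHello cipher_suites body: two big-endian bytes per suite."""
    if len(raw) % 2:
        raise ValueError("cipher_suites must be an even number of bytes")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def is_rc4(code):
    """True for suites in the table above that use RC4; unknown codes are not flagged."""
    return "_RC4_" in SUITES.get(code, "")


def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client also offered."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def without_rc4(client_offer):
    """The client-side mitigation: stop offering RC4 suites at all."""
    return [c for c in client_offer if not is_rc4(c)]


def hardened_client_context():
    """A Python TLS client context whose cipher string excludes RC4."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:!RC4:!aNULL:!eNULL")
    return ctx


def rc4_suites_enabled(ctx):
    """Names of any RC4 suites still enabled on a context (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


if __name__ == "__main__":
    offer = parse_cipher_suites(CLIENT_OFFER_RAW)
    before = negotiate(SERVER_PREFERENCE, offer)
    after = negotiate(SERVER_PREFERENCE, without_rc4(offer))
    print("client offers RC4  ->", SUITES[before])
    print("client drops RC4   ->", SUITES[after])
    print("RC4 left in context:", rc4_suites_enabled(hardened_client_context()))
```
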

  30. Argonel, Sep 5th, 2013 @ 7:49pm

    Re: Re: Re:

    You cannot consider a computer secure if anyone else has at any time had unmonitored access to it. Since I doubt you designed your own processor and fabbed your own chips you are in the same boat as the rest of us.

    The reason the government doesn't want Huawei bidding on communications infrastructure is the government is afraid they will do the same things that they are doing with respect to spying.

     

  31. Pixelation, Sep 5th, 2013 @ 8:33pm

    "The US Government Has Betrayed The Internet"

    I disagree entirely here. The Internet cannot be betrayed. The Internet is a tool.
    WE THE PEOPLE have been Betrayed. End of story.

     

  32. Anonymous Coward, Sep 5th, 2013 @ 10:44pm

    Re: Re: Re:

    And a good riddance to you analysing the "sources" in assembler. With no comments, no symbols, and after compiler optimisation.

     

  33. Anonymous Coward, Sep 6th, 2013 @ 12:14am

    Re: Re:

    No they won't. They just have to login using a minigame that shoots the Constitution with water.

     

  34. Anonymous Coward, Sep 6th, 2013 @ 12:28am

    Re: So...

    I suggest you think about who invented the Internet in the first place.

    In their opinion, they were nice enough to let the rest of the world use it, but it's still theirs and they feel they can do whatever they want with it.

     

  35. Guess Who, Sep 6th, 2013 @ 12:51am

    Too Late! Internet Company Selling all the Keys!

    Internet Company offers HTTPS/SSL Interception and 180+ Internet Service Provider HTTPS Decryption Keys to extract and decrypt all communications from open Cafe Wi-Fi's to steal and decrypt packet traffic from all THESE SERVICES and more instantly "On The Fly"! INCLUDING EBAY! (Access to Paypal ). Only $9,000 Complete System! YIKES! There are more companies online selling systems like this one!
    SELLING QUOTE: "Easily Acquire Login usernames and passwords from Google or Gmail login, Yahoo Mail login, ebay login etc. will all be captured by the HTTPS/SSL Interceptor."
    "Over 100 Systems Sold!"
    Total Network Forensic Solutions from Decision Group - 2012
    The Company http://www.edecision4u.com/HTTPS-SSL.html
    http://www.edecision4u.com/E-DETECTIVE.html

     

  36. Anonymous Coward, Sep 6th, 2013 @ 1:17am

    Re: Re: So...

    The United States should not, and does not, run the internet. Anyone can step in and provide an alternative regulatory agency for numbers and domains, and *poof* the control the US has is gone with nothing more than an approving nod from a handful of large networks.

    How's that for an insightful comment.

     

  37. Anonymous Coward, Sep 6th, 2013 @ 1:28am

    Re: Avoid RC4-128

    I am so glad you told me about this, it forced me to check and I noticed that I have been going for months without disabling that.

     

  38. Anonymous Howard, Sep 6th, 2013 @ 1:56am

    Re: Re: Re: Re:

    This.

    Windows XP has 45M lines of high level code. Good luck meddling in it in assembly..

     

  39. Anonymous Coward, Sep 6th, 2013 @ 1:57am

    I do hope the US citizens realize that they are paying for and consenting to all of this.

     

  40. Not an Electronic Rodent, Sep 6th, 2013 @ 2:15am

    Who's the enemy again?

    It's official, The People are the enemy according to the NSA. This from the guardian article quoting the NSA programme documents:
    "These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." (Emphasis added)
    So there you have it - if you are a consumer you are officially an NSA adversary.

     

  41. Herby, Sep 6th, 2013 @ 2:49am

    Re: Re: Re: Cisco likely sold out

    Well since Cisco was giving China very special tech support in their hunt for Falun Gong members, I would say they don't have any moral qualms about helping to build a surveillance state.

     

  42. Richard, Sep 6th, 2013 @ 3:51am

    Re:

    Something similar was already done in the 19th century using the Declaration of Independence.

    Your idea is over a century old....

    http://en.wikipedia.org/wiki/Beale_ciphers

     

  43. Ed, Sep 6th, 2013 @ 5:02am

    Re: Re: Re: Cisco likely sold out

    That was my thought, too. All the brouhaha about Huawei switches and routers, now in hindsight, is probably more because the NSA doesn't have the ability to insert backdoors into them.

     

  44. wayout, Sep 6th, 2013 @ 6:16am

    so I guess that all those who said the govt was building backdoors into software/hardware over the years were not wearing tin foil hats after all...huh...

     

  45. Anonymous Coward, Sep 6th, 2013 @ 6:19am

    Re: Re: Re: So...

    Good luck with that.

     

  46. Hephaestus, Sep 6th, 2013 @ 11:00am

    Now that people know the backdoors are there they will be found in short order. I wonder if the NSA could be sued for the cost of replacement hardware.

     

  47. GEMont, Sep 6th, 2013 @ 1:08pm

    Smokin!

    Could it be true?

    Could the sleeping giant actually be stirring?

    Is the "Classified Enemy" of the US Government and its Organized Corporate Masters actually beginning to realize that it's under assault by its own government and the combined forces of the wealthiest citizens on earth??

    Now that would be something to witness.

    The sheer anger of the masses, once they discover the extent of the betrayal should rival the energy put out by the sun.

    Nah. It could never happen here.
    It would interfere with the football season....

     

  48. Anonymous Coward, Sep 6th, 2013 @ 4:08pm

    Re: This post will be censored by Techdirt

    By the way, your post wasn't censored.

    So maybe your real problem isn't that Masnick et al. are wrong, or have unrealistic expectations, but that you have an unwarranted level of pessimism.

     

  49. Rapnel, Sep 6th, 2013 @ 5:56pm

    Re:

    Correct.

     

  50. Emelio Lizardo, Sep 8th, 2013 @ 9:30am

    Core weakness of the Internet

    The core weakness of the internet is not in its technology but in the ability of governments to coerce organizations into compliance with their agendas.

    Whether it's terrorism or pornography or preserving the status of its elite, all governments feel entitled to do this and commercial enterprises are vulnerable.

    Every web site host has to have censorship rules to avoid prosecution.

    Until an international standard of rights is established, any hope of restraining governments from this behavior is futile.

     

  51. Anonymous Coward, Nov 5th, 2013 @ 6:00pm

    Re: This post will be censored by Techdirt

    You are such a lying scumbag.

     
