The US Government Has Betrayed The Internet; It's Time To Fix That Now

from the no-more-messing-around dept

With the latest shocking revelations concerning the NSA’s ability to break encryption, Bruce Schneier has made an excellent point. In pursuit of trying to find a few needles, the US government has basically betrayed the core of the internet — and it’s time for engineers to fix it. Now. Basically what’s come out today is that the NSA has purposely been massively weakening internet security for its own good on the ridiculous belief that only it would find and use these vulnerabilities.

Schneier makes two important calls in his article. First, he calls on those who actually helped out in placing these backdoors into today’s technologies to come out and reveal the details. Second, he says that the internet technology and security community needs to come together right now to rethink core internet infrastructure to build solutions that are done right, with real security in mind. Encryption is still viable and powerful, but it needs to be done correctly.

We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

As we’ve written a few times now, a bunch of attempts have sprung up lately to build secure communications offerings, but this goes way beyond that. This is a problem going back to core internet infrastructure, and it needs to be rethought and re-implemented in an open way that can be reviewed by anyone and where it’s much more difficult for the NSA to hide or to sneak in “covert” operatives whose roles are to subvert the security.

Of course, in the short run this is also going to give extra ammo to foreign governments who want greater control over the internet themselves (not always with good intentions). It’s going to be important to resist that kind of control as well. Instead, the focus needs to be on rethinking this in a manner so that no party is in full control and can subvert the system.


Comments on “The US Government Has Betrayed The Internet; It's Time To Fix That Now”

51 Comments
Anonymous Coward says:

Re: Re: So...

The United States should not, and does not, run the internet. Anyone can step in and provide an alternative regulatory agency for numbers and domains, and poof the control the US has is gone with nothing more than an approving nod from a handful of large networks.

How’s that for an insightful comment.

out_of_the_blue says:

Requires a moral and legal fix, NOT more technical.

“We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying.” — FOR PROFIT. — “We need new techniques to prevent communications intermediaries from leaking private information.” — What a euphemism for corporations!

The internet is designed for spying, and facilitated by javascript that allows extracting identifying data. — Guess which corporation is surely the biggest user of javascript? That’s right: Google.

So long as information on the internets can be “monetized” without moral and legal restraints, there’s no hope. Nearly everyone getting money from internet traffic is literally paid off to SPY on users, so it’s only going to increase.


Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising explicitly has the goal of changing you.

aldestrawk says:

Re: Requires a moral and legal fix, NOT more technical.

I think that Google should change its motto from “don’t be evil” to “don’t be completely evil”. That would be more honest about all they do. I am often skeptical of their motivations and critical of their actions. However, you show an amazing, obsessed, fixation as if they were the only evil in the world. It makes me wonder if you’re a victim of their age bias having once been an employee, or if you only survived through part of the interview process. Am I right?

Carl "Bear" Bussjaeger (profile) says:

Re: Re: Requires a moral and legal fix, NOT more technical.

“I think that Google should change its motto from “don’t be evil” to “don’t be completely evil”. That would be more honest about all they do.”

Actually, it’s now “Don’t get caught.” And they’re about as good at that as they were at the not-evil bit.

Anonymous Coward says:

Re: Re:

This. A thousand times this.

Those of us who have carefully observed Stallman’s pronouncements over time have noted that — almost without exception — what he says is at first considered crank-grade lunacy.

Then it happens, and nearly everyone (a) is astonished that it took place and (b) forgets that Stallman saw it coming twenty years out.

For my part, I figured out nearly 30 years ago that any software which wasn’t open source could not be trusted, should not be trusted, would not be trusted. I credit Stallman in part for opening my eyes to that. I wish more of my contemporaries had listened.

pixelpusher220 (profile) says:

Re: Re: Re:

A fair point, but another point is that any computer to which someone else has physical access is always insecure. You simply can’t trust it to be reliably [whatever] since they could have done something to it.

Until we have a true private mesh network that doesn’t rely on any public infrastructure, can anything traveling over wires the gov’t/corp’s control or monitor be considered secure?

Argonel (profile) says:

Re: Re: Re: Re:

You cannot consider a computer secure if anyone else has at any time had unmonitored access to it. Since I doubt you designed your own processor and fabbed your own chips you are in the same boat as the rest of us.

The reason the government doesn’t want Huawei bidding on communications infrastructure is the government is afraid they will do the same things that they are doing with respect to spying.

DCX2 says:

Re: Re: Re:

Technically, all programs are open source. You can easily disassemble any program that runs on an x86 processor with free tools. It’s no secret what these programs are doing; having the source in a high-level language helps, but not having the high-level source does not mean the program is a black box.

Applesauce says:

Control is not security

Governments and their agents believe that increased control means increased security. The opposite is more often true. NSA’s policy has always been to weaken internet security in order to facilitate their spying (and control). They believe that even if they can’t keep the backdoors hidden, the benefit (to their agency) far outweighs any possible danger to the country or its infrastructure.

National Security Agency is more accurately named National Control Agency.

aldestrawk says:

trusting trust

The Internet security protocols are already open. That is to say the algorithms are public. The NSA may have some influence in crafting them and that’s OK when they are wearing their “secure network and computer infrastructure” hat. Their codebreaking hat means they cannot be trusted to have the final word on anything. However, NIST, under the influence of the NSA, did a good job in adopting the Rijndael algorithm for AES. The dark hat NSA may have the goal of subverting algorithm designs but AES and the 2007 discovery of an injected weakness in a 2006 protocol show they can be kept honest here.
I agree with Schneier that not only the protocol stack for the Internet should be an open implementation, but whatever OS as well. That means that Microsoft and Apple will have to change or be supplanted by variations of Unix. There is one thing that Schneier did not address and that is probably because he was writing to a general audience. The tools used to build a protocol stack, or OS, or hardware logic also need to be open. If you use a subverted C compiler to compile your own instance of Linux, the software still cannot be trusted.
I wrote a comment (anonymously, I didn’t realize I wasn’t logged in) to an earlier post on Techdirt today mentioning Ken Thompson’s seminal paper on computer security; “Reflecting on Trusting Trust”. If you haven’t read this and are distrustful of the NSA, then read it now.

aldestrawk says:

Internet Governance

One aspect of Schneier’s article that Mike didn’t mention (yet) is that the revelation of the NSA’s surveillance will motivate a push away from US control and Internet governance will end up bending to nations that would use censorship to stifle dissent and to special interests who want to protect their business model (i.e. copyright). Unfortunately, all the problems being discussed on Techdirt may get worse as an indirect result of the NSA’s actions.

horse with no name says:

This post will be censored by Techdirt

Just want to get that in the clear, this post will be held for moderation and released only when it is no longer relevant to the discussion.

Now then, my point:

Perhaps Mike it’s time for you to change your view of the internet. You think that a system that is based on you handing your information to any number of intermediary parties, to be stored on other people’s networks, systems, and software as entirely private and confidential. You seem to want a level of privacy that exceeds what you would get on your phone, by sending mail, courier, or talking in a public place. You appear to want the entire world, the whole planet, to be a “private” conversation.

It just doesn’t work like that.

Encrypting something and then handing it to a third party doesn’t make it secure, it just makes it harder for people to read. Adding deadbolt locks to your front door does not suddenly make your house impossible to break into, it just makes it harder. For those determined to get in, they will. Encrypting your messages but passing them through public third party means does not assure you any more privacy than just that.

The internet isn’t broken, just your view of it.

Anonymous Coward says:

Avoid RC4-128

One of the things the NSA appears to be abusing is a vulnerability in RC4-128 used with SSL. Google and many other companies default to RC4-128 over other more secure ciphers such as AES-256 and AES-128 but will use them when RC4-128 is not available. Completely disabling the use of RC4-128 in modern web browsers would be a first and quick step people can take to put a stop to some of this data collection.
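An added example, not part of the comment above or of the article: it parses the cipher-suite list out of a TLS ClientHello and applies server-preference selection, showing that a server which ranks RC4 first falls back to AES once the client stops offering RC4. The ClientHello bytes and the server ordering are constructed sample data, and the function names are hypothetical; the suite code points are the IANA-registered values.

```python
import struct

# IANA TLS cipher-suite code points (subset): RC4 suites and AES alternatives.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def build_client_hello(suite_ids):
    """Construct a minimal TLS 1.2 ClientHello handshake message (sample data)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_suites(hello):
    """Return the cipher-suite ids a ClientHello offers, in client order."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(hello[1:4], "big")
    body = hello[4:4 + length]
    if len(body) != length or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]              # skip version, random, session id
    n = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if n == 0 or n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]

def is_rc4(suite_id):
    return "_RC4_" in SUITES.get(suite_id, "")

def negotiate(server_pref, hello):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(offered_suites(hello))
    chosen = next((s for s in server_pref if s in offered), None)
    return None if chosen is None else SUITES.get(chosen, hex(chosen))

# Constructed server ordering that ranks RC4 ahead of AES, as the comment describes.
SERVER_PREF = [0xC011, 0x0005, 0xC013, 0x002F, 0x0035]
DEFAULT_CLIENT = build_client_hello([0xC013, 0x002F, 0xC011, 0x0005, 0x0004])
HARDENED_CLIENT = build_client_hello(
    [s for s in offered_suites(DEFAULT_CLIENT) if not is_rc4(s)])
```

Even though the default client lists AES first, the server's ordering decides the outcome, which is why removing RC4 from the client's offer changes what gets negotiated.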

Guess Who says:

Too Late! Internet Company Selling all the Keys!

Internet Company offers HTTPS/SSL Interception and 180+ Internet Service Provider HTTPS Decryption Keys to extract and decrypt all communications from open Cafe Wi-Fi’s to steal and decrypt packet traffic from all THESE SERVICES and more instantly “On The Fly”! INCLUDING EBAY! (Access to Paypal ). Only $9,000 Complete System! YIKES! There are more companies online selling systems like this one!
SELLING QUOTE: “Easily Acquire Login usernames and passwords from Google or Gmail login, Yahoo Mail login, ebay login etc. will all be captured by the HTTPS/SSL Interceptor.”
“Over 100 Systems Sold!”
Total Network Forensic Solutions from Decision Group – 2012
The Company http://www.edecision4u.com/HTTPS-SSL.html
http://www.edecision4u.com/E-DETECTIVE.html

Not an Electronic Rodent (profile) says:

Who's the enemy again?

It’s official, The People are the enemy according to the NSA. This from the guardian article quoting the NSA programme documents:

“These design changes make the systems in question exploitable through Sigint collection – with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact.” (Emphasis added)

So there you have it – if you are a consumer you are officially an NSA adversary.

GEMont (profile) says:

Smokin!

Could it be true?

Could the sleeping giant actually be stirring?

Is the “Classified Enemy” of the US Government and its Organized Corporate Masters actually beginning to realize that it’s under assault by its own government and the combined forces of the wealthiest citizens on earth??

Now that would be something to witness.

The sheer anger of the masses, once they discover the extent of the betrayal should rival the energy put out by the sun.

Nah. It could never happen here.
It would interfere with the football season….

Emelio Lizardo says:

Core weakness of the Internet

The core weakness of the internet is not in its technology but in the ability of governments to coerce organizations into compliance with their agendas.

Whether it’s terrorism or pornography or preserving the status of its elite, all governments feel entitled to do this and commercial enterprises are vulnerable.

Every web site host has to have censorship rules to avoid prosecution.

Until an international standard of rights is established, any hope of restraining governments from this behavior is futile.
