Feeds

NSA security award winner calls for hearings into agency's conduct

Spying scandal is killing US cloud business, says Google Doc

Secure remote control for conventional and virtual desktops

As part of the NSA's ongoing mission to research the finer arts of computer security, it funds and promotes a lot of academic research. And on July 18 it announced the winner of its first Science of Security (SoS) competition after a distinguished academic panel had considered 44 entries covering the latest academic output on the topic.

The winner was Google security engineer Dr. Joseph Bonneau for his paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords", which was hailed by Dr. Patricia Muoio, chief of the NSA research directorate's trusted systems research group, as "an example of research that demonstrates a sound scientific approach to cybersecurity."

But in a personal blog post the next day, Bonneau said that while he was honored by the award, he had "conflicted feelings" about accepting it in light of the NSA's conduct in industrial-scale snooping into private data, adding that he was "ashamed we've let our politicians sneak the country down this path."

"In accepting the award," he said, "I don't condone the NSA's surveillance. Simply put, I don't think a free society is compatible with an organisation like the NSA in its current form."

Since then, Bonneau has been speaking out on the issue on Twitter, and on Sunday set up an account on Reddit to take questions from all and sundry. He said that he fears the current focus on the extent of NSA activities will be swept under the carpet as a normal "scandal", a few people will be fired, and nothing else will change.

Dr Joseph Bonneau

Security expert he may be, but photographer he ain't

The biggest problem is that there can't be reasoned debate on the topic, he said, because no one knows what's being collected, how long it is being stored for, and for what purposes it is used. The uncertainty is also hurting companies – like his employer – who were looking to expand cloud services but have their servers under US jurisdiction.

"We'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdropping for foreigner's data held by US companies," Bonneau said. "Can we honestly tell people in other countries that they should trust all of their data with US companies?"

Companies such as Google, Microsoft, and Facebook collect large amounts of data, he said, but such commercial systems are opt-in, unlike government surveillance. Companies also operate under the laws of the countries in which they operate, and he said that EU privacy laws were a good – if flawed – example of privacy oversight.

Not all of Europe got praise, however. Bonneau said he was "very dismayed" about the UK government's recently announced plans for a default anti-porn censorship shield from ISPs. (Although some have told the government where they can stick their shield.)

What's needed are public hearings, he suggested, with a root-and-branch pruning of the top NSA administration and their overseers, changes to the Foreign Intelligence Surveillance Court, and a proper independent review. If his going public moved the conversation 0.0001 per cent further, that's fantastic, he said.

In the meantime, end-to-end encryption will at least protect the content of messages, if not the metadata around them. PGP is a good idea, he said, especially coupled with Tor anonymity. He also recommended CryptoCat and mobile apps from TextSecure/RedPhone or SilentCircle.

When it comes to browsers, Bonneau recommends using Firefox or Chrome with HTTPS Everywhere downloaded. Steer clear of Internet Explorer, he suggests, because it is lagging in HTTPS support.

As for passwords – Bonneau's area of expertise – he recommends not bothering with them for little-used websites. Simply bash in 30 or so random characters into the password field and use a password reset if you want access at a later date. For day-to-day sites use a standard password, and for important websites use a string of at least 12 random characters, and preferably phone authentication.

Bonneau said he has respected the NSA staff he had met, saying they were smart people who stuck by the rules set for them by their political masters, but that the current system isn't compatible with a civilized society and informed debate is needed.

"It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible," he said.

"One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea." ®

Intelligent flash storage arrays

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.