NSA security award winner calls for hearings into agency's conduct

Spying scandal is killing US cloud business, says Google Doc

As part of the NSA's ongoing mission to research the finer arts of computer security, it funds and promotes a lot of academic research. And on July 18 it announced the winner of its first Science of Security (SoS) competition after a distinguished academic panel had considered 44 entries covering the latest academic output on the topic.

The winner was Google security engineer Dr. Joseph Bonneau for his paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords", which was hailed by Dr. Patricia Muoio, chief of the NSA research directorate's trusted systems research group, as "an example of research that demonstrates a sound scientific approach to cybersecurity."

But in a personal blog post the next day, Bonneau said that while he was honored by the award, he had "conflicted feelings" about accepting it in light of the NSA's conduct in industrial-scale snooping into private data, adding that he was "ashamed we've let our politicians sneak the country down this path."

"In accepting the award," he said, "I don't condone the NSA's surveillance. Simply put, I don't think a free society is compatible with an organisation like the NSA in its current form."

Since then, Bonneau has been speaking out on the issue on Twitter, and on Sunday set up an account on Reddit to take questions from all and sundry. He said that he fears the current focus on the extent of NSA activities will be swept under the carpet as a normal "scandal", a few people will be fired, and nothing else will change.

[Photo: Dr Joseph Bonneau. Caption: Security expert he may be, but photographer he ain't]

The biggest problem is that there can't be reasoned debate on the topic, he said, because no one knows what's being collected, how long it is being stored for, and for what purposes it is used. The uncertainty is also hurting companies – like his employer – who were looking to expand cloud services but have their servers under US jurisdiction.

"We'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdropping for foreigners' data held by US companies," Bonneau said. "Can we honestly tell people in other countries that they should trust all of their data with US companies?"

Companies such as Google, Microsoft, and Facebook collect large amounts of data, he said, but such commercial systems are opt-in, unlike government surveillance. Companies also operate under the laws of the countries in which they operate, and he said that EU privacy laws were a good – if flawed – example of privacy oversight.

Not all of Europe got praise, however. Bonneau said he was "very dismayed" about the UK government's recently announced plans for a default anti-porn censorship shield from ISPs. (Although some have told the government where they can stick their shield.)

What's needed are public hearings, he suggested, with a root-and-branch pruning of the top NSA administration and their overseers, changes to the Foreign Intelligence Surveillance Court, and a proper independent review. If his going public moved the conversation 0.0001 per cent further, that's fantastic, he said.

In the meantime, end-to-end encryption will at least protect the content of messages, if not the metadata around them. PGP is a good idea, he said, especially coupled with Tor anonymity. He also recommended CryptoCat and mobile apps from TextSecure/RedPhone or SilentCircle.

When it comes to browsers, Bonneau recommends using Firefox or Chrome with the HTTPS Everywhere extension installed. Steer clear of Internet Explorer, he suggests, because it is lagging in HTTPS support.

As for passwords – Bonneau's area of expertise – he recommends not bothering to remember them for little-used websites. Simply bash 30 or so random characters into the password field and use a password reset if you want access at a later date. For day-to-day sites use a standard password, and for important websites use a string of at least 12 random characters, preferably combined with phone authentication.
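As an added illustration of the password tiers Bonneau describes (this is example code written for this page, not part of the original article or of Bonneau's own work), the following Python draws passwords from the operating system's CSPRNG and estimates how much guessing work they impose; the 94-character alphabet and the 10-billion-guesses-per-second attacker rate are assumptions for the comparison.

```python
import math
import secrets
import string

# Assumed character set: printable ASCII without the space (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guessing rate used only to put the entropy figures in context.
ASSUMED_GUESSES_PER_SECOND = 1e10


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character independently and uniformly using secrets (CSPRNG)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possible password at the given guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_tiers() -> dict:
    """Entropy and exhaustive-search time for the two random tiers in the article:
    ~30 throwaway characters for sites you never return to (reset instead),
    and at least 12 random characters for sites that matter."""
    result = {}
    for label, length in (("throwaway", 30), ("important", 12)):
        bits = entropy_bits(length, len(ALPHABET))
        result[label] = {
            "sample": generate_password(length),
            "bits": round(bits, 2),
            "years_to_exhaust": years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND),
        }
    return result


if __name__ == "__main__":
    for tier, info in compare_tiers().items():
        print(f"{tier:9s} {info['bits']:7.2f} bits  "
              f"{info['years_to_exhaust']:.3g} years  {info['sample']}")
```

Twelve uniformly random characters from this alphabet carry about 78.7 bits, so even the assumed 10 billion guesses per second needs over a million years to exhaust the space; the throwaway tier is far past any attacker's reach, which is why a reset is the sensible way back in.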

Bonneau said he respected the NSA staff he had met, describing them as smart people who stuck by the rules set for them by their political masters, but that the current system isn't compatible with a civilized society and informed debate is needed.

"It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible," he said.

"One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea." ®
