Feeds

NSA security award winner calls for hearings into agency's conduct

Spying scandal is killing US cloud business, says Google Doc

Website security in corporate America

As part of the NSA's ongoing mission to research the finer arts of computer security, it funds and promotes a lot of academic research. And on July 18 it announced the winner of its first Science of Security (SoS) competition after a distinguished academic panel had considered 44 entries covering the latest academic output on the topic.

The winner was Google security engineer Dr. Joseph Bonneau for his paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords", which was hailed by Dr. Patricia Muoio, chief of the NSA research directorate's trusted systems research group, as "an example of research that demonstrates a sound scientific approach to cybersecurity."

But in a personal blog post the next day, Bonneau said that while he was honored by the award, he had "conflicted feelings" about accepting it in light of the NSA's conduct in industrial-scale snooping into private data, adding that he was "ashamed we've let our politicians sneak the country down this path."

"In accepting the award," he said, "I don't condone the NSA's surveillance. Simply put, I don't think a free society is compatible with an organisation like the NSA in its current form."

Since then, Bonneau has been speaking out on the issue on Twitter, and on Sunday set up an account on Reddit to take questions from all and sundry. He said that he fears the current focus on the extent of NSA activities will be swept under the carpet as a normal "scandal", a few people will be fired, and nothing else will change.

Dr Joseph Bonneau

Security expert he may be, but photographer he ain't

The biggest problem is that there can't be reasoned debate on the topic, he said, because no one knows what's being collected, how long it is being stored for, and for what purposes it is used. The uncertainty is also hurting companies – like his employer – who were looking to expand cloud services but have their servers under US jurisdiction.

"We'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdropping for foreigner's data held by US companies," Bonneau said. "Can we honestly tell people in other countries that they should trust all of their data with US companies?"

Companies such as Google, Microsoft, and Facebook collect large amounts of data, he said, but such commercial systems are opt-in, unlike government surveillance. Companies also operate under the laws of the countries in which they operate, and he said that EU privacy laws were a good – if flawed – example of privacy oversight.

Not all of Europe got praise, however. Bonneau said he was "very dismayed" about the UK government's recently announced plans for a default anti-porn censorship shield from ISPs. (Although some have told the government where they can stick their shield.)

What's needed are public hearings, he suggested, with a root-and-branch pruning of the top NSA administration and their overseers, changes to the Foreign Intelligence Surveillance Court, and a proper independent review. If his going public moved the conversation 0.0001 per cent further, that's fantastic, he said.

In the meantime, end-to-end encryption will at least protect the content of messages, if not the metadata around them. PGP is a good idea, he said, especially coupled with Tor anonymity. He also recommended CryptoCat and mobile apps from TextSecure/RedPhone or SilentCircle.

When it comes to browsers, Bonneau recommends using Firefox or Chrome with HTTPS Everywhere downloaded. Steer clear of Internet Explorer, he suggests, because it is lagging in HTTPS support.

As for passwords – Bonneau's area of expertise – he recommends not bothering with them for little-used websites. Simply bash in 30 or so random characters into the password field and use a password reset if you want access at a later date. For day-to-day sites use a standard password, and for important websites use a string of at least 12 random characters, and preferably phone authentication.

Bonneau said he has respected the NSA staff he had met, saying they were smart people who stuck by the rules set for them by their political masters, but that the current system isn't compatible with a civilized society and informed debate is needed.

"It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible," he said.

"One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea." ®

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Bono: Apple will sort out monetising music where the labels failed
Remastered so hard it would be difficult or impossible to master it again
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.