Feeds

NSA security award winner calls for hearings into agency's conduct

Spying scandal is killing US cloud business, says Google Doc

Mobile application security vulnerability report

As part of the NSA's ongoing mission to research the finer arts of computer security, it funds and promotes a lot of academic research. And on July 18 it announced the winner of its first Science of Security (SoS) competition after a distinguished academic panel had considered 44 entries covering the latest academic output on the topic.

The winner was Google security engineer Dr. Joseph Bonneau for his paper, "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords", which was hailed by Dr. Patricia Muoio, chief of the NSA research directorate's trusted systems research group, as "an example of research that demonstrates a sound scientific approach to cybersecurity."

But in a personal blog post the next day, Bonneau said that while he was honored by the award, he had "conflicted feelings" about accepting it in light of the NSA's conduct in industrial-scale snooping into private data, adding that he was "ashamed we've let our politicians sneak the country down this path."

"In accepting the award," he said, "I don't condone the NSA's surveillance. Simply put, I don't think a free society is compatible with an organisation like the NSA in its current form."

Since then, Bonneau has been speaking out on the issue on Twitter, and on Sunday set up an account on Reddit to take questions from all and sundry. He said that he fears the current focus on the extent of NSA activities will be swept under the carpet as a normal "scandal", a few people will be fired, and nothing else will change.

Dr Joseph Bonneau

Security expert he may be, but photographer he ain't

The biggest problem is that there can't be reasoned debate on the topic, he said, because no one knows what's being collected, how long it is being stored for, and for what purposes it is used. The uncertainty is also hurting companies – like his employer – who were looking to expand cloud services but have their servers under US jurisdiction.

"We'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdropping for foreigner's data held by US companies," Bonneau said. "Can we honestly tell people in other countries that they should trust all of their data with US companies?"

Companies such as Google, Microsoft, and Facebook collect large amounts of data, he said, but such commercial systems are opt-in, unlike government surveillance. Companies also operate under the laws of the countries in which they operate, and he said that EU privacy laws were a good – if flawed – example of privacy oversight.

Not all of Europe got praise, however. Bonneau said he was "very dismayed" about the UK government's recently announced plans for a default anti-porn censorship shield from ISPs. (Although some have told the government where they can stick their shield.)

What's needed are public hearings, he suggested, with a root-and-branch pruning of the top NSA administration and their overseers, changes to the Foreign Intelligence Surveillance Court, and a proper independent review. If his going public moved the conversation 0.0001 per cent further, that's fantastic, he said.

In the meantime, end-to-end encryption will at least protect the content of messages, if not the metadata around them. PGP is a good idea, he said, especially coupled with Tor anonymity. He also recommended CryptoCat and mobile apps from TextSecure/RedPhone or SilentCircle.

When it comes to browsers, Bonneau recommends using Firefox or Chrome with HTTPS Everywhere downloaded. Steer clear of Internet Explorer, he suggests, because it is lagging in HTTPS support.

As for passwords – Bonneau's area of expertise – he recommends not bothering with them for little-used websites. Simply bash in 30 or so random characters into the password field and use a password reset if you want access at a later date. For day-to-day sites use a standard password, and for important websites use a string of at least 12 random characters, and preferably phone authentication.

Bonneau said he has respected the NSA staff he had met, saying they were smart people who stuck by the rules set for them by their political masters, but that the current system isn't compatible with a civilized society and informed debate is needed.

"It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible," he said.

"One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea." ®

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
'Greenhouse effect is real, but as for the rest of it ...'
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.