Feeds

Tech companies are raising their game (and pants) post-Snowden

Is everything fatally borked? Not quite, say security godheads

Security for virtualized datacentres

Snowden anniversary If there’s a positive to the disclosures by ex-National Security Contractor (NSA) contractor Edward Snowden, it’s that it’s been a disaster for technology and internet firms.

Yes, a positive.

In the last year we’ve learned the NSA has backdoors placed in the hardware that makes networks, the existence of massive funnels placed in internet and phone companies’ data centers to suck up vast amounts of data, and the breaking of internet encryption.

The effect of all this should be a raising of these companies’ games and a shaking of users’ complacency in relying on “free” products and in being too accepting of what they’re given and of standard “solutions.”

Already, tech and web companies are coming back. Caught with their pants down, they are now being given the time and money to pull them back up again.

Pre-Snowden it was generally assumed the government was carrying out some sorts of surveillance against key targets and that the bright boys and girls at the National Security Agency (NSA) could subvert security systems if they really wanted to.

Bruce Schneier

Schneier: how far has the NSA really gone?

There had long been rumors of backdoors in operating systems and government malware-writing teams, but very little in the way of proof.

Snowden's leaks showed not only that security weaknesses are being built into software but also that the large companies to whom we entrust our data are helping in this – and they have been criminally lax about the security of users' data within their own organizations.

The first two leaks from the Snowden files – allegations that Verizon was handing over consumer metadata on mobile calls and the existence of the PRISM program – didn’t come a as a massive surprise to many. Caspar Bowden, Microsoft's former chief privacy adviser, has been warning about this kind of stuff for years after all.

Then, in August 2013, Snowden's secure email provider Lavabit shut down its service, with its chief, Ladar Levison, saying that he wouldn't "become complicit in crimes against the American people." Shortly afterwards Silent Circle, which had been offering a similar service, followed suit.

Both companies are prohibited by law from confirming the exact reason for their shutdown, but it's down to the use of existing legislation whereby the US government can force email providers to hand over encryption keys on national security grounds. Too bad for users of this kind of system, you might think, but the problems didn’t stop there.

It was the September 2013 leak about Project Bullrun that really set the cat among the pigeons. The documents Snowden released showed that the NSA was spending $250m a year to build security weaknesses into common code and had cracked many of the encryption systems commonly used online.

Bullrun appears to have started after September 11, 2001 and appears to have allowed the NSA to get around both VPN protections, SSL and HTTPS. For most internet users that's pretty much the entire ballgame.

As any security expert knows, intentionally introducing flaws into your products is a stupid move. Sure, it gives the intelligence community a backdoor into software, but there's no guarantee that someone else won’t discover the same flaw and start using it. In fact, the way code examination is these days, it's a virtual certainty that someone will do this.

Crypto and privacy guru Bruce Schneier is frank in his assessment of what this all meant for the internet. He told The Register:

From forcing Microsoft to make Skype more eavesdropping friendly and then not telling anyone, to demanding Lavabit's master encryption key and demanding that they lie about it, to creating fake Facebook servers on the Internet to hack into computers, to intercepting Cisco networking equipment in transit to install eavesdropping equipment, the NSA has completely subverted the internet.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.