Blog Entry For 8/9/2013
Encryption & Deception
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
- Benjamin Franklin 1775.
Right and wrong, legal an illegal are often temporally incongruent, with the latter several steps behind the former. One article I would recommend on this viewpoint is a thought provoking angle by Moxie Marlinspike. There are a multitude of news reports covering the recent revelations of Edward Snowden, and surely many more opinions of his actions. For those of us in the software field, the revelations are a severe blow to the industry. The principal rule of online security is to rely on the textbook mathematical formulae, and to never be tempted to 'roll your own'. The Snowden release provides strong evidence that the majority of textbook security measures may have been infiltrated in a most repulsive manner. According to reports, the NSA in conjunction with GCHQ have achieved an unprecedented, multi-faceted attack of online privacy. According to a report by Sky News, they have achieved success through brute force attack attempts. Other measures include forcing companies to build back doors into their systems and to provide master keys to access their data. To top it off, the very encryption standards themselves are believed to have intentional vulnerabilities in-built to aid in decryption measures.
It is this latter point that resonates in the software industry in particular. The industry has relied on the trust of NIST (National Institute of Standards and Technology) in their advice regarding the security of particular encryption methods. However, NIST has always had a complicated relationship with the NSA. Indeed, recent advices from NIST on the new Dual_EC_DRBG standard raised eyebrows, with what appeared to be clear evidence of detectable bias.
So, from what the news has been talking about, it seems that every email, Skype call and online transaction is laid bare for GCHQ and NSA to trawl through at their leisure. No secure algorithm is without suspicion of tampering. The cryptography industry may well have to re-evaluate their relationship with NIST and, perhaps, new methodologies and algorithms may need developing that circumvent the influence of government. Thankfully, key players in cryptography have already started the ball rolling in this respect.
The general public will no doubt have other issues, and are debating pros and cons of sacrificing privacy if it helps to intercept communications pertinent to national security. Personally, I'm with Franklin in this regard. The government keep pulling the security card out at every opportunity, biasing public opinion through fear, manipulation and misinformation. If this has the desired effect, then we have no right to complain when there is no means to establish trust on the internet. After all, as our elected representatives, they're only doing this for our benefit, aren't they? The question being, whilst they're watching us, who's watching them?
9/8/2013 Tags: edward snowden nsa gchq encryption