EFF: the NSA has endangered us all by sabotaging security

The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.

Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA is alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.

And we’re beginning to see the international computer security community come to grips with this disturbing news.

But we must do more. 

    * We must rebuild the broad coalition that fought the first crypto wars, including investors, businesses, civil liberties groups, scientists and ordinary people. 

    * We must expose the vulnerabilities that have been secreted into our technologies. We must expose them and we must demand that they be fixed.

    * We must ask standards bodies, companies and individual developers to pledge, publicly and unequivocally, to reject efforts to build backdoors or insert known vulnerabilities into their products—and create transparency so that they can't secretly cooperate with these efforts in the future.

    * We must build our own tools, and support the tools that already exist that are independently verifiable as secure (most prominently, open source tools). 

    * We must support efforts in Congress to rein in the NSA and bring it back under the rule of law, and we must make sure those efforts ensure that our technologies are safe.

    * And we must not succumb to privacy nihilism.

But the public debate must start from a fundamental principle: The NSA has been making us less safe and it must stop. Now.

The NSA is Making Us All Less Safe

Notable Replies

  1. Furthermore, Keith Alexander, head of the NSA, should face criminal prosecution for treasonous and unconstitutional spying on American citizens.

    This warrants the death penalty because of its scope, its damage to the American economy, and its damage to American security.

  2. IMB says:

    I know BB has a lot of computer geniuses, so perhaps one of you might answer this for me.
    How secure is the site to sign up for the healthcare marketplace? With the security issues created by the NSA, is the site essentially a one stop shopping spot for hackers looking to get social security numbers? I haven't been able to sign up yet, but I have had an uneasy feeling about it.

  3. xzzy says:

    "Fairly secure." I mean, if they're even remotely competent at their job they'll be at least as secure as whatever website your bank provides for managing your account. But nothing plugged into the internet is totally secure. Something can always go wrong.

    Just keep in mind this would have been true with or without the NSA's interference. It's like sex, the only 100% guaranteed way to avoid pregnancy is abstinence. Which means you have a decision to make... is 99% certainty good enough to make you comfortable?

  4. So secure, it doesn't even work for DHHS.

  5. Rindan says:

    Treat it like any intertubes site... it isn't secure. That said, the information they have isn't all that exciting in the grand scheme of things. You could file the information there as "mildly important". They can't steal your money, but if they managed to hack the site and take all the user profiles, they would have a good start for rocking some identity theft, which while annoying, isn't generally the end of the world. Social security numbers, names, and addresses are a dime a dozen and not all that valuable.

    Whenever you hand over your password, you should just assume that it is going to be stolen along with your e-mail address and user name... which is why you should never use the same password twice, especially for important things. For truly important things, you should be using two step encryption.
