RSA 2014: Q&A: Schneier on trust, NSA spying and the end of US internet hegemony

Basically, we're screwed for the next decade or so

By Iain Thomson, 27 Feb 2014
RSA 2014 Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry. He founded the firm Counterpane Internet Security (later sold to BT), and is also a board member of the Electronic Frontier Foundation and an Advisory Board Member of the Electronic Privacy Information Center.

More recently he's been working on documents released by Edward Snowden on NSA activities and presented his findings at this year's RSA conference in San Francisco. The Register took the opportunity of sitting down with Schneier at the event and chewing through the current state of security, privacy and government intrusion online.

The Reg: This conference opened with a statement from RSA chief Art Coviello regarding the use of the flawed NSA-championed Dual Elliptic Curve Deterministic Random Bit Generator in an encryption toolkit product. Coviello said RSA did all it could to secure its software. What's your take on the affair?

Schneier: I believe that's true. When NIST came out with that RNG standard, it was one of four choices available, and those choices tracked other crypto suites. It made sense in a holistic way that there should be an elliptic curve in there. It was slower, it was kludgier, but some people thought that was a plus, not a minus. By 2007 there was the first inkling that there might be a backdoor, but it was just guessing and it is part of the NIST standard.

Any toolkit that says "we're compliant" [with a particular standard], which I'm sure is a requirement for all sorts of contracts, had to implement it. My guess is that RSA didn't know anything was amiss, and when a large customer comes in with technical changes that don't really matter you just do them. I think RSA was more a victim here, and I think it's been unfortunate that over the last couple of months they haven't been able to tell their story clearly. It's hard to tease out who did what and when.

Certainly, I didn't boycott the RSA conference – I'm here for myself and the attendees, not for RSA – and if I was going to list companies to boycott because of their NSA collaboration, RSA wouldn't even make the top 10.

The Reg: Who would be your top 10?

Schneier: I think AT&T certainly would be on top, but I personally use AT&T's cellphone service. It's really hard to pick. That's the worst poison of these NSA actions: that we no longer know who to trust. We cannot trust any phone company, any operating system provider, any applications vendor, any security company. We simply don't know who is colluding, who has been compelled to collude, who is being owned surreptitiously, and all the transparency reports and denials don't really tell us anything.

The Reg: In your last-but-one book, Liars and Outliers, you went into great detail about the importance of trust. In the wake of NSA spying, has trust been irretrievably lost?

Schneier: I really think some of the losses in trust are going to be very difficult, if not impossible, to get back. The NSA deliberately subverted products and standards. We rely on these things for our security, and there was the implicit assumption that those in charge of them were making them as good as they could. Additionally, US companies are going to find it very hard to get users to trust them again.

The best slogan a company like Google can say now is "we're secure, except for the attacks we don't know about and the attacks we are prohibited by law from telling you about", which is a sucky marketing slogan. Even if the NSA says, like they are saying, "no, we haven't subverted standards", no one believes them. If the President says he's changed the NSA's policy so they don't do this any more, how do we know there isn't another even more secret organization that he formed to get around those rules?

In a sense there's been a blind trust that we've had all these years that we finally have been shown was ill-founded, and I don't know if it's possible – at least with current technology – to get it back.

The Reg: So what's your solution?

Schneier: You can imagine some future technology where you can prove assurance, where you can prove that a piece of software or hardware does what you believe it does and nothing more. That's not beyond the realm of possibility. We don't know how to do that, but it seems plausible that someday we will. Until then the problems are not technical, they are political and social, and there aren't technical solutions to those kinds of problems.

Source: theregister.co.uk/2014/02/27/qa_schneier_on_trust_nsa_spying_and_the_end_of_us_internet_hegemony/ (page 1 of 3)
Posted on: Sun, 08 Jun 2014 20:02:57 +0000