This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.theguardian.com/commentisfree/2013/sep/06/nsa-surveillance-revelations-encryption-expert-chat

Explaining the latest NSA revelations – Q&A with internet privacy experts
Today, beginning at 3pm ET | 8pm BST, the Guardian's James Ball, who reported on the latest NSA and GCHQ revelations, and cryptology expert Bruce Schneier, who wrote about the implications, will take your questions on the new revelation that the US and UK governments can crack much of the encryption protecting personal data, online transactions and emails – as well as the ongoing debate over surveillance. Toss your questions below and as you wait for a response, re-visit yesterday's stories:
• How US and UK spy agencies defeat internet privacy and security
• How internet encryption works
• The US government has betrayed the internet. We need to take it back
The Q&A is now live:
First Question:
Can we trust open source? Of course it is more transparent than proprietary, but if NSA has been influencing standard documents, what is stopping them penetrating free software?
Do we have evidence supporting/denying contamination of open source?
Answer:
James Ball: Because the NSA and GCHQ have been influencing standards, and working to covertly modify code, almost anything could potentially have been compromised. Something as simple as – hypothetically – modifying a basic random-number-generator could weaken numerous implementations of open-source code.
That said, anything done to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things. But almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months.
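The hypothetical in Ball's answer, a random-number generator that has been quietly weakened, is worth seeing concretely. The block below is an added illustration, not code from the Guardian, from any project, or from the leaked documents: a key generator that draws its key from a non-cryptographic PRNG seeded with a low-entropy value (a timestamp, a constructed example) next to one that uses the operating system's CSPRNG. The cipher wrapping such a key can be flawless; the attacker never attacks it, they simply replay the generator over every plausible seed. The seed value and window size are assumptions for the demonstration.

```python
"""Added example: a weakened RNG collapses the key space to the seed space.
Constructed illustration only; not the technique described in any document."""
import random
import secrets
from typing import Optional

KEY_BYTES = 16  # 128-bit key, the cipher around it is irrelevant here


def weak_keygen(seed: int) -> bytes:
    """Key from a deterministic, non-cryptographic PRNG (Mersenne Twister)
    seeded with a small integer such as a timestamp in seconds."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_keygen() -> bytes:
    """Key from the OS CSPRNG; there is no seed for an attacker to guess."""
    return secrets.token_bytes(KEY_BYTES)


def recover_seed(target_key: bytes, t_now: int, window: int) -> Optional[int]:
    """Attacker who knows roughly when the key was generated brute-forces
    every candidate seed in the last `window` seconds and replays weak_keygen.
    Cost: `window` PRNG instantiations, not 2**128 cipher trials."""
    for seed in range(t_now - window, t_now + 1):
        if weak_keygen(seed) == target_key:
            return seed
    return None


def demo() -> dict:
    # Constructed timestamp (roughly September 2013) standing in for time.time().
    victim_seed = 1_378_500_000
    weak_key = weak_keygen(victim_seed)
    strong_key = strong_keygen()
    # Attacker looks back one hour from a slightly later moment.
    t_attack = victim_seed + 100
    return {
        "weak_seed_recovered": recover_seed(weak_key, t_attack, 3600),
        "strong_seed_recovered": recover_seed(strong_key, t_attack, 3600),
        "weak_key": weak_key.hex(),
    }


if __name__ == "__main__":
    print(demo())
```

The point is not that Mersenne Twister is "broken"; it is that its output is a pure function of the seed, so whoever controls or can guess the seeding controls the key. A subtle change to a generator (shortening the seed, reusing state, reading a predictable source) is exactly the kind of edit that survives in a large code base for months because nothing visibly fails.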
Question:
Is there any reason to believe that these back doors have also been built into hardware?
Answer:
Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.
Question:
How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?
Answer:
Ball: I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fueling is about, I think.
Question:
How would one go about selecting a VPN service that is still viable? All US-based ones are likely compromised via National Security Letters, and many foreign ones are probably hacked. Is there anything specific about a VPN service's transmission protocol (key exchange method) that may make it more reliable?
Answer: 
Ball: As you say, I think this is quite difficult, but one thing that is worth flagging is we have a sense of what the US and the other “Five Eyes” nations (the UK, Canada, Australia and New Zealand) are doing, because we have a whistleblower from those agencies.
It’s not inconceivable that intelligence agencies in other countries are doing a lot of the same things (it would be surprising if they weren’t doing some of it) – but we won’t hear about them unless a Chinese, Russian, German, Indian, etc, Edward Snowden comes along. I hope they do.
Question:
First off -- thanks to James and Bruce for taking some time to answer people's questions! I know a lot of us need answers in these uncertain times.
Mine is a two-part question:
1.) What can the average internet user do to protect him- or herself from government snooping online?
2.) What can the average citizen do to help stop the NSA?
Thank you.
Answer: 
Ball: Bruce had a great article yesterday (http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance) on what to do to try to secure your own communications. I think it’s a brilliant starting place, especially for journalists and activists. Even though he’s described it well, of course, I think it’s beyond the expertise levels of 95%+ of internet users. This stuff is seriously hard, and I hope the crypto community carries on trying to make it easier.
As to the second question, the solution is going to have to be political: if your view is that what the NSA is doing isn’t acceptable, I think contacting congressmen, petitioning, and campaigning are the right steps. I’m sure the EFF, ACLU, EPIC and similar organizations will be stepping up their long-running efforts in the near future.
Question:
Bruce's article giving advice on staying more private online included selecting certain encryption algorithms based on their mathematical features etc -- what are some direct examples of the most 'safe' encryption techniques to use, key lengths etc?
How can Tor be any safer than VPN if both SSL/TLS and VPN methodologies have been exploited? Is the Tor routing process still a good security?
Answer:
Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggests it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.
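Ball's "onion methodology" remark is the difference between Tor and a single VPN: a VPN operator sees both who you are and where you are going, while in an onion route each relay is given only its neighbours. The block below is an added toy model of that layering, not Tor's real cell format, key exchange or ciphers (the HMAC-SHA256 keystream, relay names, destination and payload are all constructed assumptions). The client wraps the message once per relay, innermost layer first; each relay strips one layer, learns only the next hop, and forwards the rest.

```python
"""Added example: layered (onion) encryption in toy form. Constructed; the
stream cipher is an unauthenticated HMAC keystream for illustration only and
is not what Tor uses."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: fresh nonce || plaintext XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(path: List[str], keys: Dict[str, bytes], dest: str, payload: bytes) -> bytes:
    """Client side. Each layer is `next_hop | inner`, encrypted under that hop's
    key; the exit's layer names the final destination instead of a relay."""
    blob = payload
    nxt = dest
    for hop in reversed(path):  # exit layer first, guard layer last (outermost)
        blob = wrap(keys[hop], nxt.encode() + b"|" + blob)
        nxt = hop
    return blob


def route(path: List[str], keys: Dict[str, bytes], onion: bytes) -> Tuple[str, bytes, Dict[str, tuple]]:
    """Relay side. Returns (destination, payload, what_each_relay_saw)."""
    views: Dict[str, tuple] = {}
    prev = "client"
    blob = onion
    nxt = b""
    for hop in path:
        plain = unwrap(keys[hop], blob)
        nxt, blob = plain.split(b"|", 1)  # relay names never contain '|'
        views[hop] = (prev, nxt.decode(), blob)  # the relay's entire knowledge
        prev = hop
    return nxt.decode(), blob, views


def demo() -> Tuple[str, bytes, Dict[str, tuple]]:
    path = ["guard", "middle", "exit"]
    # Assumed per-hop keys; in Tor these come from a key exchange with each relay.
    keys = {hop: secrets.token_bytes(32) for hop in path}
    onion = build_onion(path, keys, "example.org", b"GET / HTTP/1.1")  # constructed
    return route(path, keys, onion)


if __name__ == "__main__":
    dest, payload, views = demo()
    for hop, (came_from, going_to, _) in views.items():
        print(f"{hop}: from {came_from} -> to {going_to}")
    print(dest, payload)
```

Two things the model makes visible. The guard knows the client but sees only ciphertext bound for the middle relay; the exit knows the destination but not the client; an adversary who compromises one relay learns nothing that links the two ends, which is why Ball and Schneier describe Tor as making tracing harder rather than impossible (correlating traffic at both ends is a separate attack). And the exit does see the payload in the clear, so the content itself still needs end-to-end encryption such as TLS to the destination.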
Note: Bruce Schneier has been traveling but will be online answering questions shortly.
Question:
The questions I find myself asking are "Who is chiefly responsible for this breach of trust?", "Will anyone be held accountable?" and "What sort of backlash will there be, if any, from society at large?".
Answer:
Ball: Me too! There are a lot of issues here, not least that the technological capabilities of the NSA have hugely outpaced the efforts of most lawmakers to meaningfully understand them, let alone regulate them.
In the environment after 9/11, the agency had a permissive environment to expand its remit, masses more funding, and technological advancements making surveillance possible on a scale never previously imaginable. For privacy advocates, the past decade was essentially the perfect storm.
That encroachment happened under three Presidents, from two parties. I don’t think this is a partisan issue. It feels a little like the (apocryphal) tale of a frog in boiling water: if the water is slowly heated, the frog never notices it’s being cooked.
A final note is that at a bare minimum we need to hold senior intelligence officials accountable in public, and demand honest answers. Obama’s Director of National Intelligence has been accused of outright lying to Congress, seemingly with no adverse consequences. If you’re looking to increase accountability and transparency, surely you’ve got to start there.
Question:
Thus far the focus has been on the US and UK. But we see the five-eyed acronym on some of the documents. Should Aussies, Kiwis and Canadians be concerned about their privacy too?
Answer:
Ball: The short answer is yes – the techniques revealed in the whole NSA Files series are shared with the five eyes nations, as is access to most of the databases of intelligence and communications the agencies collect.
Of course, there’s a flipside, which is that (in theory at least) the citizens of the five-eyes nations get a little bit extra protection against being spied on by the others – so perhaps you should be more worried if you’re NOT in the US, UK, Canada, Australia or New Zealand. Hard to say!