The US Government Has Betrayed The Internet; It's Time To Fix That Now

from the no-more-messing-around dept

Thu, Sep 5th 2013 4:27pm — Mike Masnick

With the latest shocking revelations concerning the NSA's ability to break encryption, Bruce Schneier has made an excellent point. In pursuit of trying to find a few needles, the US government has basically betrayed the core of the internet -- and it's time for engineers to fix it. Now. Basically what's come out today is that the NSA has purposely been massively weakening internet security for its own good on the ridiculous belief that only it would find and use these vulnerabilities.

Schneier makes two important calls in his article. First, he calls on those who actually helped out in placing these backdoors into today's technologies to come out and reveal the details. Second, he says that the internet technology and security community needs to come together right now to rethink core internet infrastructure to build solutions that are done right, with real security in mind. Encryption is still viable and powerful, but it needs to be done correctly.

We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

As we've written a few times now, a bunch of attempts have sprung up lately to build secure communications offerings, but this goes way beyond that. This is a problem going back to core internet infrastructure, and it needs to be rethought and re-implemented in an open way that can be reviewed by anyone and where it's much more difficult for the NSA to hide or to sneak in "covert" operatives whose roles are to subvert the security.

Of course, in the short run this is also going to give extra ammo to foreign governments who want greater control over the internet themselves (not always with good intentions). It's going to be important to resist that kind of control as well. Instead, the focus needs to be on rethinking this in a manner so that no party is in full control and can subvert the system.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, engineers, internet, internet infrastructure, nsa, nsa surveillance, security

51 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

silverscarcat (profile), 5 Sep 2013 @ 4:43pm

So...
This will be web 4.0?

We're on web 3.0 right now, right?
[ link to this | view in chronology ]
- Anonymous Coward, 6 Sep 2013 @ 12:28am
  
  Re: So...
  I suggest you think about who invented the Internet in the first place.
  
  In their opinion, they were nice enough to let the rest of the world use it, but it's still theirs and they feel they can do whatever they want with it.
  [ link to this | view in chronology ]
  - Anonymous Coward, 6 Sep 2013 @ 1:17am
    
    Re: Re: So...
    The United States should not, and does not, run the internet. Anyone can step in and provide an alternative regulatory agency for numbers and domains, and *poof* the control the US has is gone with nothing more than an approving nod from a handful of large networks.
    
    How's that for an insightful comment.
    [ link to this | view in chronology ]
    - Anonymous Coward, 6 Sep 2013 @ 6:19am
      
      Re: Re: Re: So...
      Good luck with that.
      [ link to this | view in chronology ]
justok (profile), 5 Sep 2013 @ 4:45pm

I'm going to use the Constitution as my private key. They'll never think of using that.
[ link to this | view in chronology ]
- Groove Tiger, 5 Sep 2013 @ 7:43pm
  
  Re:
  Ha! They'll be lucky to even find one in their building!
  [ link to this | view in chronology ]
  - Anonymous Coward, 6 Sep 2013 @ 12:14am
    
    Re: Re:
    No they won't. They just have to login using a minigame that shoots the Constitution with water.
    [ link to this | view in chronology ]
- Richard (profile), 6 Sep 2013 @ 3:51am
  
  Re:
  Something similar was already done in the 19th century using the Declaration of Independence.
  
  Your idea is over a century old....
  
  http://en.wikipedia.org/wiki/Beale_ciphers
  [ link to this | view in chronology ]
out_of_the_blue, 5 Sep 2013 @ 5:04pm

Requires a moral and legal fix, NOT more technical.
"We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying." -- FOR PROFIT. -- "We need new techniques to prevent communications intermediaries from leaking private information." -- What a euphemism for corporations!

The internet is designed for spying, and facilitated by javascript that allows extracting identifying data. -- Guess which corporation is surely the biggest user of javascript? That's right: Google.

So long as information on the internets can be "monetized" without moral and legal restraints, there's no hope. Nearly everyone getting money from internet traffic is literally paid off to SPY on users, so it's only going to increase.

Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising explicitly has the goal of changing you.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 5 Sep 2013 @ 5:04pm

Requires a moral and legal fix, NOT more technical.
"We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying." -- FOR PROFIT. -- "We need new techniques to prevent communications intermediaries from leaking private information." -- What a euphemism for corporations!

The internet is designed for spying, and facilitated by javascript that allows extracting identifying data. -- Guess which corporation is surely the biggest user of javascript? That's right: Google.

So long as information on the internets can be "monetized" without moral and legal restraints, there's no hope. Nearly everyone getting money from internet traffic is literally paid off to SPY on users, so it's only going to increase.

Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising explicitly has the goal of changing you.
[ link to this | view in chronology ]
- aldestrawk (profile), 5 Sep 2013 @ 5:25pm
  
  Re: Requires a moral and legal fix, NOT more technical.
  I think that Google should change it's motto from "don't be evil" to "don't be completely evil". That would be more honest about all they do. I am often skeptical of their motivations and critical of their actions. However, you show an amazing, obsessed, fixation as if they were the only evil in the world. It makes me wonder if you're a victim of their age bias having once been an employee, or if you only survived through part of the interview process. Am I right?
  [ link to this | view in chronology ]
  - art guerrilla (profile), 5 Sep 2013 @ 5:45pm
    
    Re: Re: Requires a moral and legal fix, NOT more technical.
    actually, they literally -as in 'literally', not 'figuratively'- abandoned that as their operative motto a while back...
    i'm guessing right about the first time the nsa bent them over and lubed up...
    [ link to this | view in chronology ]
  - Carl "Bear" Bussjaeger (profile), 5 Sep 2013 @ 6:19pm
    
    Re: Re: Requires a moral and legal fix, NOT more technical.
    "I think that Google should change it's motto from "don't be evil" to "don't be completely evil". That would be more honest about all they do."
    
    Actually, it's now "Don't get caught." And they're about as good at that as they were the the not-evil bit.
    [ link to this | view in chronology ]
- Anonymous Coward, 5 Sep 2013 @ 6:09pm
  
  Re: Requires a moral and legal fix, NOT more technical.
  I think it's hilarious that you work yourself so much up over things that you could stop in literally one minute.
  [ link to this | view in chronology ]
Anonymous Coward, 5 Sep 2013 @ 5:04pm

If we all followed Richard Stallman's creed, we wouldn't be in this mess.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Sep 2013 @ 6:03pm
  
  Re:
  This. A thousand times this.
  
  Those of us who have carefully observed Stallman's pronouncements over time have noted that -- almost without exception -- what he says is at first considered crank-grade lunacy.
  
  Then it happens, and nearly everyone (a) is astonished that it took place and (b) forgets that Stallman saw it coming twenty years out.
  
  For my part, I figured out nearly 30 years ago that any software which wasn't open source could not be trusted, should not be trusted, would not be trusted. I credit Stallman in part for opening my eyes to that. I wish more of my contemporaries had listened.
  [ link to this | view in chronology ]
  - pixelpusher220 (profile), 5 Sep 2013 @ 6:22pm
    
    Re: Re:
    a fair point, but another point is that any computer to which someone else has physical access is always insecure. You simply can't trust it to be reliably [whatever] since they could have done something to it.
    
    Until we have a true private mesh network that doesn't rely on any public infrastructure, can anything traveling over wires the gov't/corp's control or monitor be considered secure?
    [ link to this | view in chronology ]
    - Argonel (profile), 5 Sep 2013 @ 7:49pm
      
      Re: Re: Re:
      You cannot consider a computer secure if anyone else has at any time had unmonitored access to it. Since I doubt you designed your own processor and fabbed your own chips you are in the same boat as the rest of us.
      
      The reason the government doesn't want Huawei bidding on communications infrastructure is the government is afraid they will do the same things that they are doing with respect to spying.
      [ link to this | view in chronology ]
  - DCX2, 5 Sep 2013 @ 7:04pm
    
    Re: Re:
    Technically, all programs are open source. You can easily disassemble any program that runs on an x86 processor with free tools. It's no secret what these programs are doing; having the source in a high-level language helps, but not having the high-level source does not mean the program is a black box.
    [ link to this | view in chronology ]
    - Anonymous Coward, 5 Sep 2013 @ 10:44pm
      
      Re: Re: Re:
      And a good riddance to you analysing the "sources" in assembler. With no comments, no symbols, and after compiler optimisation.
      [ link to this | view in chronology ]
      - Anonymous Howard (profile), 6 Sep 2013 @ 1:56am
        
        Re: Re: Re: Re:
        This.
        
        Windows XP has 45M lines of high level code. Good luck meddling in it in assembly..
        [ link to this | view in chronology ]
Web_Rat (profile), 5 Sep 2013 @ 5:23pm

From where I am sitting, the government has betrayed the US Constitution and the citizens of the United States......
[ link to this | view in chronology ]
- justok (profile), 5 Sep 2013 @ 6:22pm
  
  Re:
  Good to see you're not going to stand for that.
  [ link to this | view in chronology ]
Anonymous Coward, 5 Sep 2013 @ 5:30pm

R.I.P. Windows
R.I.P. Windows
By purchasing Nokia�s smartphone division, Microsoft has killed its signature strategy.

http://www.slate.com/articles/technology/technology/2013/09/microsoft_nokia_deal_a_grea t_idea_that_came_too_late_and_killed_windows.html
[ link to this | view in chronology ]
Applesauce, 5 Sep 2013 @ 5:41pm

Control is not security
Governments and their agents believe that increased control means increased security. The opposite is more often true. NSA's policy has always been to weaken internet security in order to facility their spying (and control). They believe that they even if they can't keep the backdoors hidden, the benefit (to their agency) far outweighs any possible danger to the country or its infrastructure.

National Security Agency is more accurately named National Control Agency.
[ link to this | view in chronology ]
Anonymous Coward, 5 Sep 2013 @ 5:49pm

Cisco likely sold out
We should probably assume that Cisco is in the NSA's back pocket here...
[ link to this | view in chronology ]
- Anonymous Coward, 5 Sep 2013 @ 6:31pm
  
  Re: Cisco likely sold out
  Most likely, and wasn't there some hubbub about potential security issues with Chinese made hardware? Seems kinda ironic now.
  [ link to this | view in chronology ]
  - Brent Ashley (profile), 5 Sep 2013 @ 7:36pm
    
    Re: Re: Cisco likely sold out
    Maybe the security issues with the Chinese hardware were that they were too secure!
    [ link to this | view in chronology ]
    - Herby, 6 Sep 2013 @ 2:49am
      
      Re: Re: Re: Cisco likely sold out
      Well since Cisco was giving China very special tech support in their hunt for Falun Gong members, I would say they don't have any moral qualms about helping to build a surveillance state.
      [ link to this | view in chronology ]
    - Ed (profile), 6 Sep 2013 @ 5:02am
      
      Re: Re: Re: Cisco likely sold out
      That was my thought, too. All the brouhaha about Huawei switches and routers, now in hindsight, is probably more because the NSA doesn't have the ability to insert backdoors into them.
      [ link to this | view in chronology ]
Keisar Betancourt (profile), 5 Sep 2013 @ 6:01pm

here's the plan...
open source the entire thing and allow it to fork based on popularity.
[ link to this | view in chronology ]
aldestrawk (profile), 5 Sep 2013 @ 6:10pm

trusting trust
The Internet security protocols are already open. That is to say the algorithms are public. The NSA may have some influence in crafting them and that's OK when they wearing their "secure network and computer infrastructure" hat. Their codebreaking hat means they cannot be trusted to have the final word on anything. However, NIST, under the influence of the NSA, did a good job in adopting the Rijndael algorithm for AES. The dark hat NSA may have the goal of subverting algorithm designs but AES and the 2007 discovery of an injected weakness in a 2006 protocol shows they can be kept honest here.
I agree with Schneier that not only the protocol stack for the Internet should be an open implementation, but whatever OS as well. That means that Microsoft and Apple will have to change or be supplanted by variations of Unix. There is one thing that Schneier did not address and that is probably because he was writing to a general audience. The tools used to build a protocol stack, or OS, or hardware logic also need to be open. If you use a subverted C compiler to compile your own instance of Linux, the software still cannot be trusted.
I wrote a comment (anonymously, I didn't realize I wasn't logged in) to an earlier post on Techdirt today mentioning Ken Thompson's seminal paper on computer security; "Reflecting on Trusting Trust". If you haven't read this and are distrustful of the NSA, then read it now.
[ link to this | view in chronology ]
- aldestrawk (profile), 5 Sep 2013 @ 6:13pm
  
  Re: trusting trust
  Sorry, that's "Reflections on Trusting Trust"
  [ link to this | view in chronology ]
- Anonymous Coward, 5 Sep 2013 @ 6:24pm
  
  Re: trusting trust
  I second that reading recommendation. That was Ken's Turing Award Acceptance Speech, and it's STILL brilliant. Non-technical readers may struggle with it, but it's absolutely worth the effort.
  
  Even more so today.
  [ link to this | view in chronology ]
aldestrawk (profile), 5 Sep 2013 @ 6:25pm

Internet Governance
One aspect of Schneier's article that Mike didn't mention (yet) is that the revelation of the NSA's surveillance will motivate a push away from US control and Internet governance will end up bending to nations that would use censorship to stifle dissent and to special interests who want to protect their business model (i.e. copyright). Unfortunately, all the problems being discussed on Techdirt may get worse as an indirect result of the NSA's actions.
[ link to this | view in chronology ]
bigpicture, 5 Sep 2013 @ 6:42pm

Bit of Irony Here
As it turns out it is not China, or Russia or North Korea that has to be vilified as the perpetrators of heinous internet hacking crimes. But who? Yours Truly the good old USA who vilifies everyone that it does not like. It is only the others who commit crimes, we're the good guys, believe us.
[ link to this | view in chronology ]
aldestrawk (profile), 5 Sep 2013 @ 6:56pm

civil wars
I am wondering if the henchman at the NSA don't have a delicious sense of irony and humor. There are two parts to the NSA; the "sigint-codebreaking" side and the "securing the nation's infrastructure" side. The program named after a civil war battle, bullrun, puts those two sides in direct conflict.
[ link to this | view in chronology ]
horse with no name, 5 Sep 2013 @ 7:24pm

This post will be censored by Techdirt
Just want to get that in the clear, this post will be held for moderation and released only when it is no longer relevant to the discussion.

Now then, my point:

Perhaps Mike it's time for you to change your view of the internet. You think that a system that is based on you handing your information to any number of intermediary parties, to be stored on other people's networks, systems, and software as entirely private and confidential. You seem to want a level of privacy that exceeds what you would get on your phone, by sending mail, courier, or talking in a public place. You appear to want the enter world, the whole planet, to be a "private" conversation.

It just doesn't work like that.

Encrypting something and then handing it to a third party doesn't make it secure, it just makes it harder for people to read. Adding deadbolt locks to your front door does not suddenly make your house impossible to break into, it just makes it harder. For those determined to get in, they will. Encrypting your messages but passing them through public third party means does not assure you any more privacy than just that.

The internet isn't broken, just your view of it.
[ link to this | view in chronology ]
- Anonymous Coward, 6 Sep 2013 @ 4:08pm
  
  Re: This post will be censored by Techdirt
  By the way, your post wasn't censored.
  
  So maybe your real problem isn't that Masnick et all are wrong, or have unrealistic expectations, but that you have an unwarranted level of pessimism.
  [ link to this | view in chronology ]
- Anonymous Coward, 5 Nov 2013 @ 6:00pm
  
  Re: This post will be censored by Techdirt
  You are such a lying scumbag.
  [ link to this | view in chronology ]
Anonymous Coward, 5 Sep 2013 @ 7:44pm

Avoid RC4-128
One of the things the NSA appears to be abusing is a vulnerability in RC4-128 used with SSL. Google and many other companies default to RC4-128 over other more secure ciphers such as AES-256 and AES-128 but will use them when RC4-128 is not available. Completely disabling the use of RC4-128 in modern web browsers would be a first and quick step people can take to put a stop to some of this data collection.
[ link to this | view in chronology ]
- Anonymous Coward, 6 Sep 2013 @ 1:28am
  
  Re: Avoid RC4-128
  I am so glad you told me about this, It forced me to check and I noticed that I have been going for months without disabling that.
  [ link to this | view in chronology ]
Pixelation, 5 Sep 2013 @ 8:33pm

"The US Government Has Betrayed The Internet"

I disagree entirely here. The Internet cannot be betrayed. The Internet is a tool.
WE THE PEOPLE have been Betrayed. End of story.
[ link to this | view in chronology ]
Guess Who, 6 Sep 2013 @ 12:51am

Too Late! Internet Company Selling all the Keys!
Internet Company offers HTTPS/SSL Interception and 180+ Internet Service Provider HTTPS Decrytion Keys to extract and decrypt all communications from open Cafe Wi-Fi's to steal and decrypt packet traffic from all THESE SERVICES and more instantly "On The Fly"! INCLUDING EBAY! (Access to Paypal ). Only $9,000 Complete System! YIKES! There are more companies online selling systems like this one!
SELLING QUOTE: "Easily Acquire Login usernames and passwords from Google or Gmail login, Yahoo Mail login, ebay login etc. will all be captured by the HTTPS/SSL Interceptor."
"Over 100 Systems Sold!"
Total Network Forensic Solutions from Decision Group - 2012
The Company http://www.edecision4u.com/HTTPS-SSL.html
http://www.edecision4u.com/E-DETECTIVE.html
[ link to this | view in chronology ]
Anonymous Coward, 6 Sep 2013 @ 1:57am

I do hope the US citizens realize that they are paying for and consenting to all of this.
[ link to this | view in chronology ]
Not an Electronic Rodent (profile), 6 Sep 2013 @ 2:15am

Who's the enemy again?
It's official, The People are the enemy according to the NSA. This from the guardian article quoting the NSA programme documents:
"These design changes make the systems in question exploitable through Sigint collection � with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." (Emphasis added)
So there you have it - if you are a consumer you are officially an NSA adversary.
[ link to this | view in chronology ]
wayout, 6 Sep 2013 @ 6:16am

so I guess that all those who said the govt was building backdoors into software/hardware over the years were not wearing tin foil hats afterall...huh...
[ link to this | view in chronology ]
- Rapnel (profile), 6 Sep 2013 @ 5:56pm
  
  Re:
  Correct.
  [ link to this | view in chronology ]
Hephaestus (profile), 6 Sep 2013 @ 11:00am

Now that people know the backdoors are there they will be found in short order. I wonder if the NSA could be sued for the cost of replacement hardware.
[ link to this | view in chronology ]
GEMont (profile), 6 Sep 2013 @ 1:08pm

Smokin!

Could it be true?

Could the sleeping giant actually be stirring?

Is the "Classified Enemy" of the US Government and its Organized Corporate Masters actually beginning to realize that its under assault by its own government and the combined forces of the wealthiest citizens on earth??

Now that would be something to witness.

The sheer anger of the masses, once they discover the extent of the betrayal should rival the energy put out by the sun.

Nah. It could never happen here.
It would interfere with the football season....
[ link to this | view in chronology ]
Emelio Lizardo, 8 Sep 2013 @ 9:30am

Core weakness of the Internet
The core weakness of the internet is not in its technology but in the ability of governments to coerce organizations into compliance with their agendas.

Whether it's terrorism or pornography or preserving the status of its elite, all governments feel entitled to do this and commercial enterprises are vulnerable.

Every web site host has to have censorship rules to avoid prosecution.

Until an international standard of rights is established, any hope of restraining governments from this behavior is futile.
[ link to this | view in chronology ]