Yesterday, in his first public appearance, Edward Snowden emphasized the vital role techies will play in protecting the security of the internet, our rights as citizens and individual privacy.
Speaking at SXSW, Snowden reminded the technologists in the room that “Crypto works. It’s not an arcane black art. It is a basic protection, the Defense Against the Dark Arts for the digital world. We must implement it, actively research it,” going on to ask the audience to take on “a moral, philosophical and technical commitment to enforce and defend our liberties.”
Legendary inventor Tim Berners-Lee asked Snowden how he’d change the web to make it more accountable, given the reality that spies will always try to collect information.
Snowden acknowledged that this was a complex problem, with lots of moving parts, made more complex by the secret nature of spy agencies. Still: “We had an oversight model that could have worked” – meaning the Congressional and judicial oversight systems for the NSA – “But the overseers weren’t interested in oversight – the Senate and House intelligence committees championed surveillance. James Clapper lied, and the congressmen who knew he’d lied allowed Americans to believe he’d told the truth.”
Overseers not interested in oversight? The finger is pointing at you, Ms. Pelosi (Minority Leader, former Speaker, who spent 10 years on the House Permanent Select Committee on Intelligence) and especially you, Ms. Feinstein, chair of the Senate Select Committee on Intelligence.
For more on the Snowden speech, see Cory Doctorow’s report HERE.
As Snowden was speaking yesterday, I received an email from Mr. Bryan Grillo of CHEN PR, on behalf of RSA, in response to a post last week about the RSA Conference in SF. Mr. Grillo wished to call my attention to the fact that the Snowden documents did not reveal any specific collaboration between RSA and the National Security Agency in the production and distribution of a flawed software tool. Good catch, Bryan.
Although the Snowden documents do not (as yet) specifically identify RSA, they did show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
The final link came when Reuters reported the flawed encryption product was a result of a $10 million contract with the N.S.A. RSA denies any intention to weaken its encryption products or any nefarious deal with the N.S.A.
RSA’s denials did not stop the issue from being the “elephant in the room” at a conference devoted to digital security. Nor did it stop an organized boycott of the RSA conference and formation of a counter-conference across the street. At that packed event, Mikko Hypponen, chief research officer at Finnish cybersecurity company F-Secure, called the backdoor reports a “declaration of losing trust.”
He sees that as a major issue for his industry. “Security companies work on the basis of trust — if our users don’t trust us, there really is nothing left.” And RSA, he said, should have “known better” than to enter into an agreement with the NSA in this particular instance.
“The suspicions about weaknesses in the algorithms that they were using and being paid to use had been floating around for years,” he said. Indeed, some security professionals raised concerns about the code as far back as 2006.
Much like security companies, politicians work on the basis of trust, and once that trust is lost, “there really is nothing left.”