Is the Internet still safe?

The details of the US NSA program Bullrun and SIGINT are now in the public eye. An atomic bomb has literally been dropped. The real one dropped on Hiroshima forced Japan to end the war. This one is very different.

The documents released gave only a high-level overview of programs funded by US and UK government intelligence units. Without details on how the agencies are able to decrypt commercial communication that uses the de facto Internet encryption technologies SSL, HTTPS and VPN, people feel worried about their privacy.

People have started to ask “Is the Internet safe?” and they are right to ask this question. The documents show that there is systematic, long-term planning to compromise encryption technology. Without the technical details, skepticism is spreading. However, without details and proof, encryption technology is still our best defense against prying eyes, whether from criminals or from governments. The atomic bomb I referred to earlier is the destruction of the foundation of trust, not of the safety of the Internet.

I would like to highlight that the word “backdoor” is used a few times in the explanatory note on the New York Times website. Backdoor is a very general concept, and the reporter uses it to help the public comprehend the technical details. It does not mean that a backdoor exists in commercial technologies. I think the better interpretation is that the agencies have the ability and the means if they need to.

An excellent write up by TrendMicro Security Blog offers similar views.


About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received an LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech startup Powerdata2go.com, Antony was the Chairman of the Professional Information Security Association (PISA) from 2009 to 2010. He also joined the ISC2 workshop on developing a new cloud security certification.

Current positions include:

1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter)
2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy
3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001.

Email: antony.linkedin@gmail.com

Specialties: Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security

One thought on “Is the Internet still safe?”

  1. Antony Ma (@AntonyVBHK)

    Below is an NYT reader’s (K. Liu) comment, which I found to be objective:

    This article is nothing but a mess of generalities.

    It mentioned PGP. It never mentioned whether PGP is still secure (it is). It mentioned the NSA internal e-mail that said “This can’t be good.” But did not elaborate.

    As someone with extensive experience in cryptography and security, I want to point out a few things. Nobody, not even the NSA can arbitrarily crack anything. When done correctly, even if the NSA set every computer on the planet to work on brute-forcing an encrypted message, it won’t be done in the next million years. If the NSA is able to break into communications, it does so through less magical means, like using a National Security Letter to demand that data be handed over, stealing a key from a user, even having agents who physically pilfer keys and data. While the NYT does make mentions of these alternate methods, it muddies it all up and fails to draw distinctions.

    E.g.: the weaknesses in NSA-sanctioned algorithms like AES and SHA that the article alluded to? Yes, those can make brute-force cracking go much faster, but the attacks aren’t practical because they will STILL take millions of years (if not much more).

    The NSA story is important, and deserves the attention of the public. But the NYT does nobody a favor by presenting an article so fraught with technical ignorance that makes it sound like all encryption is down the drain (they’re not) or that no web transactions are private (most still are) and that the sky is falling (nope).
