Technology

Nidhi Subbaraman NBC News

Jan. 27, 2014 at 3:23 PM ET

Jim Lo Scalzo / EPA, file

A Maryland State Trooper sits in an unmarked SUV outside the grounds of the National Security Administration just north of Washington, in Fort Meade, Md.

A group of cryptography researchers from universities around the country iscondemning the weakening of security infrastructure by the U.S. government and NSA, and warning against storing mass amounts of sensitive data.

In the open letter published Friday, the researchers write that data collection activities uncovered in the last 10 months stand to "chill free speech and invite many types of abuse, ranging from mission creep to identity theft."

The group hopes to improve the knowledge of privacy-preserving technology that already exists, that could aid legal surveillance proceed in a targeted manner. Should the NSA choose to use them, the cryptographic research community has and is developing tools and projects that can "protect civil liberties while enabling legit government searches,"Amit Sahai, a crypto researcher at UCLA who signed the letter, told NBC News. Though, "the exact ways in which they would fit together would very much depend on the precise questions that need to be addressed."

For example, Sahai noted that a kind of secure communication protocol would let phone companies rather than the government hold onto cell phone data, while allowing government entities to selectively search for information on a suspect. In this setup, the phone companies would not be privy to the exact searches, and the government would not have access to all available data.

In 2010, the FBI followed digital crumbs to track down a bank-robbing duo whod been involved in a spate of teller heists across Arizona and Colorado. After getting the greenlight from a judge, feds analyzed data from four Verizon cell towers near affected banks, and found one number that had accessed three of those towers on the days each of the banks was robbed.

Originally posted here:
US crypto researchers to NSA: If you must track, track responsibly

Cybersecurity

When President Barack Obama announced future changes to the governments surveillance programs on Jan. 17, he mentioned nothing about the National Security Agencys efforts to undermine worldwide encryption standards.

While the president focused most of his efforts on curbing the NSAs bulk records collections on phone call metadata, a group of more than 50 leading cryptographers believes the NSAs intentional weakening of Internet security standards is equally important and should be done away with, too.

The cryptographers, including several former federal officials, signed an open letter to the U.S. government Jan. 24 calling for an end to the subversion of security technology, referring to revelations from top-secret documents leaked by former NSA contractor Edward Snowden.

Those documents revealed the NSA deliberately weakened international encryption standards adopted and promoted by the National Institute of Standards and Technology, damaging NISTs reputation and forcing it to publicly recommend against using its own adopted standard.

Media reports since last June have revealed that the US government conducts domestic and international surveillance on a massive scale, that it engages in deliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collection features. As leading members of the US cryptography and information-security research communities, we deplore these practices and urge that they be changed, the open letter states.

The choice is not whether to allow the NSA to spy," the signatories argue in the letter. "The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. ... We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.

Among the many cryptographers to sign the letter were two former Federal Trade Commission chief technology officers: Steven Bellovin and Ed Felten, now professors at Columbia and Princeton universities, respectively.

The cryptographers are not alone in their concerns about the NSAs subversion of Internet security standards. In December, the presidents own NSA review panel recommended the NSA be separated from the approval processes NIST uses to adopt encryption standards. Obama has yet to publicly address that recommendation.

About the Author

Read more:
Cryptography experts sign open letter against NSA surveillance

President Barack Obama in his State of the Union on Tuesday failed to address an issue that affects everyone on the internet the NSAs subversion of cryptographic standards and technologies.

Privacy advocates and business interests were crossing their fingers that Obama would announce he was following the recommendations of a presidential panel that recently urged a dramatic overhaul of the NSAs efforts to undermine encryption on a global scale.

It was the second public address to the nation this month, and both times Obama overlooked the cryptography debacle disclosed by NSA whistleblower Edward Snowden.

When Obama outlined a host of reforms to address the Snowden revelations in a Jan. 17 public address, the 44th president was also mum on whether he would accept the crypto recommendations of the Presidents Review Group on Intelligence and Communications Technologies.

There would have been no better time for Obama to address the global community about a hot-button issue that has sparked a cottage industry of crypto-product makersand one that is impacting the tech sectors ability to conduct business overseas.

The State of the Union offered President Obama an opportunity to clear the air on outstanding surveillance issues that were not addressed in his recent reform speech. Chief among these is the governments introduction of vulnerabilities in cryptographic standards and commercial products. Unfortunately, this did not occur, says Daniel Castro, an analyst with the Washington, D.C.-based Information Technology and Innovation Foundation. As long as these questions go unanswered, U.S. technology companies will face a disadvantage in global markets and lose market share to foreign competitors.

The presidential panels two recommendations in that area were to fully support and not undermine efforts to create encryption standards and to not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.

Those recommendations were in response to classified documents Snowden obtained while an NSA contractor that suggested the agency engineered a backdoor into a random number generator standard promulgated by NIST..

The Snowden documents also highlighted that the NSA has worked with industry partners to covertly influence technology products. The documents also underlined that the NSA has vast crypto-cracking resources, a database of secretly held encryption keys used to decrypt private communications, and an ability to crack cryptography in certain VPN encryption chips.

See original here:
Obama Stays Silent on Reform of NSA's Crypto Subversion