US Infosec Researchers Against NSA Surveillance

I signed an open letter from US researchers in cryptography and information security on NSA surveillance. It has received a lot of media coverage.

Posted on February 17, 2014 at 12:13 PM • 15 Comments

Comments

anonymous • February 17, 2014 3:25 PM

That's an interesting list of names. I'm especially glad to have looked into Matthew Green of JHU. He has an Audit TrueCrypt project going on. The links he provides are certainly thought-provoking, particularly the Ubuntu Privacy Team's identification of weird random bits in the container header produced by the Windows binaries. As you have elsewhere endorsed TrueCrypt, do you have any comments or insight to share on the audit effort and related concerns?

BobS. • February 17, 2014 5:40 PM

"We urge the US government to reject society-wide surveillance and the subversion of security technology..."

Instead, they are rushing straight ahead without a blink.

Today I read several articles covering the demand by police for a cell phone "kill switch", presumably for our own good to stop violent theft.

That's nonsense of course.

The cops want the power to destroy phones at will.

I don't see an end to it any time soon at all.

Nice letter, though.

name.withheld.for.obvious.reasons • February 17, 2014 6:13 PM

I'm afraid it won't be until we collectively "load one in the chamber" that this republic attempts to live up to its principles. Citizen, soldier, governed and free peoples of this United States shall stand together waiting for the representative government that they collectively instituted in history, struggle, blood, and fortune.

It is the traitors to these IDEALS that must be made to answer for their trespass on our sacred inheritance bestowed to us by persons not so small. We would be served well if the bravery and conviction of our founders made way to the present.

Where are you Jefferson, Franklin, Washington, Paine, Madison, Hamilton, Henry, and Revere? Your wisdom and courage are required, posthaste.

moo • February 17, 2014 6:19 PM

Um. I vaguely knew the TOR project was working on deterministic build stuff (the ability to build from source across a non-homogeneous set of systems and get identical binaries; I saw a binutils comment somewhere about it). But I never bothered to read about why they were doing it.

https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

And now I kind of wish I hadn't read it, because this rather terrifying scenario is mentioned:

"Such malware could be quite simple: One day, a timer goes off, and any computer running the infected software turns into a brick. In fact, it's not that hard to destroy a computer via software. Linux distributions have been accidentally tripping on bugs that do it for two decades now. If the right software vector is chosen (for example, a popular piece of software with a rapid release cycle and an auto-updater), a logic bomb that infects the build systems could continuously update the timestamps in the distributed versions of itself to ensure that the infected computers are only destroyed in the event that the attacker actually loses control of the software build infrastructure. If the right systems are chosen, this destruction could mean the disruption of all industrial control or supply chain systems simultaneously, disabling the ability to provide food, water, power, and aid to hundreds of millions of people in a very short amount of time."
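
The deterministic-build idea moo describes above, as an added example that is not part of the original post or of the Tor Project's own build tooling: two builds of identical sources normally produce different archives because of file timestamps, build-machine ownership, traversal order and the gzip header time, so independent builders cannot compare hashes. Normalising those inputs (a fixed timestamp in the style of the SOURCE_DATE_EPOCH convention, zeroed owners, sorted entries, a pinned gzip header time) makes the output byte-identical. The file contents, the fixed epoch and the simulated clock skew between the two "build machines" are constructed for the example.

```python
"""Why a naive build output differs run to run, and how to make it reproducible."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "build output" (not real binaries): relative path -> bytes.
SAMPLE_FILES = {
    "bin/app": b"\x7fELF hypothetical program bytes\n",
    "lib/helper.so": b"\x7fELF hypothetical library bytes\n",
    "share/README": b"built from source\n",
}

# Fixed timestamp every archive entry is clamped to (assumption: 2014-02-17 12:00 UTC).
SOURCE_DATE_EPOCH = 1392638400


def write_tree(root, files):
    """Materialise the sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def stamp_tree(root, when):
    """Simulate a build machine whose clock reads `when` by setting every mtime."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.utime(os.path.join(dirpath, name), (when, when))
        os.utime(dirpath, (when, when))


def naive_archive(root):
    """What an unthinking build script does: real mtimes, real uid/gid/uname, gzip time = now."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()


def reproducible_archive(root, epoch=SOURCE_DATE_EPOCH):
    """Same content, but every build-environment-dependent field is normalised."""

    def normalize(ti):
        ti.mtime = epoch            # clamp timestamps to the fixed epoch
        ti.uid = ti.gid = 0         # drop build-machine ownership ...
        ti.uname = ti.gname = ""    # ... and the names looked up for it
        if ti.isdir():
            ti.mode = 0o755
        else:
            ti.mode = 0o755 if ti.mode & 0o111 else 0o644  # only keep the exec bit
        return ti

    buf = io.BytesIO()
    # gzip.GzipFile(mtime=...) pins the header timestamp that "w:gz" would set to "now".
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
            for dirpath, dirnames, filenames in os.walk(root):
                dirnames.sort()  # fix traversal order, which the filesystem otherwise decides
                for name in sorted(dirnames + filenames):
                    full = os.path.join(dirpath, name)
                    tar.add(full, arcname=os.path.relpath(full, root),
                            recursive=False, filter=normalize)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_twice(files=SAMPLE_FILES, clock_skew=3600):
    """Build identical sources on two simulated machines whose clocks differ by clock_skew seconds."""
    digests = {"naive": [], "reproducible": []}
    for i in range(2):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root, files)
            stamp_tree(root, 1600000000 + i * clock_skew)  # constructed build times
            digests["naive"].append(sha256_hex(naive_archive(root)))
            digests["reproducible"].append(sha256_hex(reproducible_archive(root)))
    return digests


def builders_agree(digests):
    """The check independent builders run: do all published hashes match?"""
    return len(set(digests)) == 1


if __name__ == "__main__":
    result = build_twice()
    for kind, hashes in result.items():
        print(kind, "agree" if builders_agree(hashes) else "DIFFER", hashes)
```

Only the reproducible variant lets a second party rebuild from the same source and confirm, by hash alone, that the distributed archive contains nothing the source does not; the naive variant differs on every machine, so a poisoned build farm cannot be told apart from an honest one.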

Clive Robinson • February 17, 2014 7:17 PM

@ BobS,

Oddly I just posted a comment about the "phone kill switch" over on the current Squid Page.

@ NameWitheld...,

Whilst I can see that the "tick" of the Industrial Military Complex has sunk its head into the body politic, I'm not keen on the idea of using bullets to remove it, as the result would be worse than shooting yourself in the foot.

However I must admit I can not currently think of any other credible alternative. The pacifist approach of Gandhi and others only works when the government concerned is worried about how it is seen; since GWB it's clear that the USG does not give a fig about how its own citizens, let alone the rest of the world, see it. Perhaps that is why a founding father said that the tree of liberty needed to occasionally be refreshed by the blood of true patriots.

@ moo,

And that is just one of very many ways I can think of...

As they say, "Welcome to my world" and "be afraid, no really, be very very afraid".

Coyne Tibbets • February 17, 2014 7:41 PM

Just shaking my head: They have access to everything on the phone, but they're still downloading a copy of the PIN, just in case...

It's just reflex for these guys: Capture everything, even if they have no idea what it might ever be used for.

MR • February 17, 2014 10:13 PM

At the beginning of the second paragraph:

"[...] processing of unprecedented amounts of personal information chill free speech [...]"

"chill"? Is that a typo for "kill"?

I hope all those professors didn't sign a letter with a typo...=)

vas pup • February 18, 2014 12:02 PM

Is the NSA subject to FOIA (federal law) requests for your personal file? Just out of curiosity, because most LEAs are.

vas pup • February 18, 2014 12:22 PM

@Clive Robinson on kill switch. A good 'kill switch' on a phone or other electronic device is a mechanical/hardware (not software) switch which allows the user, and nobody else, to reliably disconnect the microphone, camera, GPS, etc. leaking capabilities without removing the battery.
In this sense only, I am pro 'kill switch'.

Steve Friedl • February 18, 2014 2:28 PM

@Coyne Tibbets

They have access to everything on the phone, but they're still downloading a copy of the PIN, just in case...

... just in case the target uses the same PIN some other place

Mark • February 18, 2014 9:13 PM

Interesting that Ron Rivest has signed it, but neither Shamir nor Adleman have. Obviously Shamir isn't a US national, but Adleman certainly is. Anyone know why they are not signatories?

--Mark

p.s. Excellent letter, BTW.

opensax • February 20, 2014 6:11 AM

To anonymous: "As you have elsewhere endorsed TrueCrypt, do you have any comments or insight to share on the audit effort and related concerns?"
Yes, there is one popular article about TrueCrypt in which a Czech cryptologist claims that for TrueCrypt 4.3a in LRW mode they did a verification that, in the chosen mode, TrueCrypt does not contain a back door.
Unfortunately the article is in Czech, here


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..