
This got my heart beating. There is actual rebellion among academics, and a movement to restore trust in both people and tech. This is the NY Times quoting Matt Green of Johns Hopkins in the article:

“I know from firsthand communications that a number of people at N.I.S.T. feel betrayed by their colleagues at the N.S.A.,” Mr. Green said in an interview Tuesday.

That's pretty strong sentiment. Seems to echo the bitterness of Rogaway: http://www.cs.ucdavis.edu/~rogaway/politics/surveillance.pdf

This is an important question of our times, and the cryptography experts should speak up like this. They have the credibility, and the ear of the people and media.




Yes, Prof. Green posted a critical post about the NSA, and then JHU asked him to remove the post from their servers[1]. I'm stunned; academic freedom is evidently an illusion in some parts of the US.

How deeply have our academic institutions been co-opted by the intelligence community?

1. JHU then had a dean apologize, but it was almost certainly only a reaction to the negative publicity that ensued: https://twitter.com/matthew_d_green/status/37712085467858534

and

https://twitter.com/matthew_d_green/status/37749174387029196...


The apology was also removed.

With the NSA committing industrial espionage and able to do insider trading in order to fund its operations off the books, I am sure they can also most generously "donate" money to universities.


There's also the CIA Officer in Residence program, which I actually think is great because you get to meet people with IC experience who can point you in the direction of all sorts of cool unclassified tech.

And of course the quickly retracted notices not to read the Wikileaks cables if we ever wanted a security clearance that went out to all the Ivies, which were not so great. I believe Columbia was even stupid enough to email instructions to their students not to read vital source material if it came from Wikileaks.


“I know from firsthand communications that a number of people at N.I.S.T. feel betrayed by their colleagues at the N.S.A.,” Mr. Green said in an interview Tuesday.

That's the understatement of the century. NIST is pissed off. Many of these guys move fluidly back and forth from NSA, and clearly they were kept in the dark.


Let's see how they dramatically improve the process then. I hope they don't think statements like "we didn't do it, trust us" are enough.

But it's probably best to just forget about NIST and start from scratch with a new standards body with zero influence from the government - any government (how it should be).


They can't fix it. As the article noted, they are required by law to consult with the NSA. While the NSA is an expert on cryptography, they are obviously (and were, obviously, at the time that law was written) conflicted. That the law says that NIST has to consult with the NSA means that the law-writers, our government, want NIST to allow NSA to weaken cryptography standards. This is not conspiracy-thinking, anyone who thought through the consequences of this law would see that this is what the NSA would try to do.

Why would the cryptography community ever again cooperate with NIST while the requirement to consult with the NSA is in place? It's not a question of feeling betrayed, it's simply irrational to try to create a strong cryptography standard when the NSA is in the room. They can do that work outside of NIST.


Almost by definition, a standards organization would have some form of government (lowercase g) running it. What would you suggest as an alternative? Wikistandards? Even a wiki has government.


I don't see the utility in using "government" to mean something other than "the state". We have other words that can work just as well without introducing confusion about the intent of the speaker.


That's "governance", not "lower-case-g-government"


Nitpicking, but why understatement? Feeling betrayed sounds more serious than just pissed off.


The actual words I wanted to use wouldn't be appropriate in daily conversation. The most accurate substitutes would be incensed, enraged, livid.

"Feeling betrayed" implies skulking about with a sad expression. In reality, from what I hear, I imagine it's more like senior NIST officials roaming the halls at Fort Meade looking for somebody at whom to scream strings of obscenities.


Just semantics - 'feeling betrayed' is passive; 'are pissed off' is active. Probable reality - the betrayal has pissed them off.


"Many of these guys move fluidly back and forth from NSA..."

This isn't regarded as a problem?


Part of the NSA's job is securing the United States cyber infrastructure, and the people tasked in that job take it just as seriously as the collection part. They sponsored SELinux, and their security guides are quite good:

http://www.nsa.gov/ia/mitigation_guidance/security_configura...


If I remember correctly, back in the beginning of the 1990s there was a discussion in the US about preventing export of encryption protocols, then it was a discussion about making laws where a suspect is obliged to give up his/her key just like in the UK to agencies, and someone even mentioned making encryption unavailable or forbidden by law for civilians. All in the name of "we won't be able to catch criminals if we can't listen in on communications". Up to that point in time, encryption and secure communications were reserved for agencies and those in power; it was not for the plebeians. See for example how it went for PGP.

I guess a route that US agencies took is to "we will recommend good standards for you, because you know we also need security, but you shouldn't know all those standards and implementations will be compromised so we still retain the ability to spy on you while you won't be able to spy on us and if you do then you're a traitor".


The export related discussion you remember was the _end_ of that programme.

http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_U...



