

Academics Should Not Remain Silent On Government Hacking 135
ananyo writes "The Guardian's technology editor, Charles Arthur, asks why researchers have remained largely silent in the wake of the revelation that the U.S. National Institute of Standards and Technology's standard for random numbers used for cryptography had been weakened by the NSA: 'The nature of the subversions sounds abstruse: the random-number generator, the 'Dual EC DRBG' standard, had been hacked by the NSA and the UK's GCHQ so that its output would not be as random as it should have been. That might not sound like much, but if you are trying to break an encrypted message, the knowledge that it is hundreds or thousands of times weaker than advertised is a great encouragement.' Arthur attributes the silence of UK academics, at least, to pressure from GCHQ. He goes on to say: 'For those who do care, White and Matthew Green, who teaches cryptography at Johns Hopkins University in Baltimore, Maryland, have embarked on an ambitious effort to clean up the mess — one that needs help. They have created a non-profit organization called OpenAudit.org, which aims to recruit experts to provide technical assistance for security projects in the public interest, especially open-source security software.'"
Re:They're living on the government teat. (Score:1, Informative)
Peddle your hatred of academia somewhere else. Most scientists live paycheck-to-paycheck with the constant uncertainty over funding caused by competitive bidding.
Re:They're living on the government teat. (Score:4, Informative)
I agree as far as private institutions go. Of public institutions, I've only looked into the University of California system in detail, and it's definitely not true there. If you take the total UC system budget and divided by total undergraduates, per-student cost of education has gone down by about 20% since the 1980s. Why, then, you might ask, has tuition gone up? Because per-student state funding for the UC system has gone down by 60%. Tuition hikes make up the gap between cost reduction (20%) and funding reduction (60%). They aren't covering any kind of cost increase.
Re:Maybe because the Guardian has surprisingly lit (Score:5, Informative)
This NSA document [nytimes.com] published at the NYT states explicitly that the NSA is attempting to "Influence policies, standards and specifications" for public key encryption, and given that the project described in that same document is about expanding the NSA's access to data, rather than increasing the security of that data, this proves that the NSA is working to weaken, not enhance, public key crypto. That NSA document doesn't specifically mention DUAL EC DRBG, but this NYT story [nytimes.com] does say that the Snowden documents somewhere list DUAL EC DRBG as one backdoored technology.
Of course DUAL EC DRBG is only one algorithm. How many other algorithms has NSA contributed to? At this point, they're all suspect, because it's obvious now that the NSA is more worried about decrypting communications it intercepts rather than protecting any communications transmitted. So what academics should be doing is independently vetting all widely used encryption technology, starting with anything the NSA is known to be involved with, even peripherally. That is a tall order, and it used to be tin-foil-hat thinking, but like a police officer caught lying under oath causing decades worth of court cases to be thoroughly redone or thrown out, there is no alternative if we want to be sure that nothing else got through.