Mikko Hypponen: How the NSA betrayed the world's trust — time to act

【微信公众号：Raz英语学习俱乐部（微信号Razkids）同步推送每日TED精读，关注Raz分级读物、TED、海外自由行/夏令营】 As computer access expands, Mikko Hypponen asks: What's the next killer virus, and will the world be able to cope with it? And also: How can we protect digital privacy in the age of government surveillance? *Why you should listen The chief research officer at F-Secure Corporation in Finland, Mikko Hypponen has led his team through some of the largest computer virus outbreaks in history. His team took down the world-wide network used by the Sobig.F worm. He was the first to warn the world about the Sasser outbreak, and he has done classified briefings on the operation of the Stuxnet worm -- a hugely complex worm designed to sabotage Iranian nuclear enrichment facilities. As a few hundred million more Internet users join the web from India and China and elsewhere, and as governments and corporations become more sophisticated at using viruses as weapons, Hypponen asks, what's next? Who will be at the front defending the world’s networks from malicious software? He says: "It's more than unsettling to realize there are large companies out there developing backdoors, exploits and trojans." Even more unsettling: revelations this year that the United States' NSA is conducting widespread digital surveillance of both US citizens and anyone whose data passes through a US entity, and that it has actively sabotaged encryption algorithms. Hypponen has become one of the most outspoken critics of the agency's programs and asks us all: Why are we so willing to hand over digital privacy? *Transcript The two most likely largest inventions of our generation are the Internet and the mobile phone. They've changed the world. However, largely to our surprise, they also turned out to be the perfect tools for the surveillance state. It turned out that the capability to collect data, information and connections about basically any of us and all of us is exactly what we've been hearing throughout of the summer through revelations and leaks about Western intelligence agencies, mostly U.S. intelligence agencies, watching over the rest of the world. We've heard about these starting with the revelations from June 6. Edward Snowden started leaking information, top secret classified information, from the U.S. intelligence agencies, and we started learning about things like PRISM and XKeyscore and others. And these are examples of the kinds of programs U.S. intelligence agencies are running right now, against the whole rest of the world. And if you look back about the forecasts on surveillance by George Orwell, well it turns out that George Orwell was an optimist. (Laughter) We are right now seeing a much larger scale of tracking of individual citizens than he could have ever imagined. And this here is the infamous NSA data center in Utah. Due to be opened very soon, it will be both a supercomputing center and a data storage center. You could basically imagine it has a large hall filled with hard drives storing data they are collecting. And it's a pretty big building. How big? Well, I can give you the numbers -- 140,000 square meters -- but that doesn't really tell you very much. Maybe it's better to imagine it as a comparison. You think about the largest IKEA store you've ever been in. This is five times larger. How many hard drives can you fit in an IKEA store? Right? It's pretty big. We estimate that just the electricity bill for running this data center is going to be in the tens of millions of dollars a year. And this kind of wholesale surveillance means that they can collect our data and keep it basically forever, keep it for extended periods of time, keep it for years, keep it for decades. And this opens up completely new kinds of risks to us all. And what this is is that it is wholesale blanket surveillance on everyone. Well, not exactly everyone, because the U.S. intelligence only has a legal right to monitor foreigners. They can monitor foreigners when foreigners' data connections end up in the United States or pass through the United States. And monitoring foreigners doesn't sound too bad until you realize that I'm a foreigner and you're a foreigner. In fact, 96 percent of the planet are foreigners. Right? So it is wholesale blanket surveillance of all of us, all of us who use telecommunications and the Internet. But don't get me wrong: There are actually types of surveillance that are okay. I love freedom, but even I agree that some surveillance is fine. If the law enforcement is trying to find a murderer, or they're trying to catch a drug lord or trying to prevent a school shooting, and they have leads and they have suspects, then it's perfectly fine for them to tap the suspect's phone, and to intercept his Internet communications. I'm not arguing that at all, but that's not what programs like PRISM are about. They are not about doing surveillance on people that they have reason to suspect of some wrongdoings. They're about doing surveillance on people they know are innocent. So the four main arguments supporting surveillance like this, well, the first of all is that whenever you start discussing about these revelations, there will be naysayers trying to minimize the importance of these revelations, saying that we knew all this already, we knew it was happening, there's nothing new here. And that's not true. Don't let anybody tell you that we knew this already, because we did not know this already. Our worst fears might have been something like this, but we didn't know this was happening. Now we know for a fact it's happening. We didn't know about this. We didn't know about PRISM. We didn't know about XKeyscore. We didn't know about Cybertrans. We didn't know about DoubleArrow. We did not know about Skywriter -- all these different programs run by U.S. intelligence agencies. But now we do. And we did not know that U.S. intelligence agencies go to extremes such as infiltrating standardization bodies to sabotage encryption algorithms on purpose. And what that means is that you take something which is secure, an encryption algorithm which is so secure that if you use that algorithm to encrypt one file, nobody can decrypt that file. Even if they take every single computer on the planet just to decrypt that one file, it's going to take millions of years. So that's basically perfectly safe, uncrackable. You take something which is that good and then you weaken it on purpose, making all of us less secure as an end result. A real-world equivalent would be that intelligence agencies would force some secret pin code into every single house alarm so they could get into every single house because, you know, bad people might have house alarms, but it will also make all of us less secure as an end result. Backdooring encryption algorithms just boggles the mind. But of course, these intelligence agencies are doing their job. This is what they have been told to do: do signals intelligence, monitor telecommunications, monitor Internet traffic. That's what they're trying to do, and since most, a very big part of the Internet traffic today is encrypted, they're trying to find ways around the encryption. One way is to sabotage encryption algorithms, which is a great example about how U.S. intelligence agencies are running loose. They are completely out of control, and they should be brought back under control. So what do we actually know about the leaks? Everything is based on the files leaked by Mr. Snowden. The very first PRISM slides from the beginning of June detail a collection program where the data is collected from service providers, and they actually go and name the service providers they have access to. They even have a specific date on when the collection of data began for each of the service providers. So for example, they name the collection from Microsoft started on September 11, 2007, for Yahoo on the March 12, 2008, and then others: Google, Facebook, Skype, Apple and so on. And every single one of these companies denies. They all say that this simply isn't true, that they are not giving backdoor access to their data. Yet we have these files. So is one of the parties lying, or is there some other alternative explanation? And one explanation would be that these parties, these service providers, are not cooperating. Instead, they've been hacked. That would explain it. They aren't cooperating. They've been hacked. In this case, they've been hacked by their own government. That might sound outlandish, but we already have cases where this has happened, for example, the case of the Flame malware which we strongly believe was authored by the U.S. government, and which, to spread, subverted the security of the Windows Update network, meaning here, the company was hacked by their own government. And there's more evidence supporting this theory as well. Der Spiegel, from Germany, leaked more information about the operations run by the elite hacker units operating inside these intelligence agencies. Inside NSA, the unit is called TAO, Tailored Access Operations, and inside GCHQ, which is the U.K. equivalent, it's called NAC, Network Analysis Centre. And these recent leaks of these three slides detail an operation run by this GCHQ intelligence agency from the United Kingdom targeting a telecom here in Belgium. And what this really means is that an E.U. country's intelligence agency is breaching the security of a telecom of a fellow E.U. country on purpose, and they discuss it in their slides completely casually, business as usual. Here's the primary target, here's the secondary target, here's the teaming. They probably have a team building on Thursday evening in a pub. They even use cheesy PowerPoint clip art like, you know, "Success," when they gain access to services like this. What the hell? And then there's the argument that okay, yes, this might be going on, but then again, other countries are doing it as well. All countries spy. And maybe that's true. Many countries spy, not all of them, but let's take an example. Let's take, for example, Sweden. I'm speaking of Sweden because Sweden has a little bit of a similar law to the United States. When your data traffic goes through Sweden, their intelligence agency has a legal right by the law to intercept that traffic. All right, how many Swedish decisionmakers and politicians and business leaders use, every day, U.S.-based services, like, you know, run Windows or OSX, or use Facebook or LinkedIn, or store their data in clouds like iCloud or Skydrive or DropBox, or maybe use online services like Amazon web services or sales support? And the answer is, every single Swedish business leader does that every single day. And then we turn it around. How many American leaders use Swedish webmails and cloud services? And the answer is zero. So this is not balanced. It's not balanced by any means, not even close. And when we do have the occasional European success story, even those, then, typically end up being sold to the United States. Like, Skype used to be secure. It used to be end-to-end encrypted. Then it was sold to the United States. Today, it no longer is secure. So once again, we take something which is secure and then we make it less secure on purpose, making all of us less secure as an outcome. More transcript please see: http://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act/transcript?language=en