igor - Fotolia
“We have spent millions of euros, we have written hundreds of research papers, and we have delivered hundreds of millions of lines of code, but there is still no secure end-to-end communication system with a billion users,” he told the Eema ISSE 2016 security conference in Paris.
Preneel said he would leave it up to his audience to decide whether or not it was a coincidence that the US National Security Agency (NSA) was able to intercept Skype to Skype calls shortly after the internet-calling company was acquired by Microsoft, when it was unable to do so in all the years Skype was under European ownership.
All the “whining” by Apple and the FBI about encryption was “theatre”, he said, while the reality is that the security industry and research community have not delivered a means of communication for the masses that offers end-to-end encryption.
“This challenge remains for the next generation to do better,” said Preneel, and in the light of the privacy track record of US technology providers, the “only way to go” is open source.
The only reason the vulnerability was found in the Juniper Networks’ ScreenOS software at the end of 2015 was because Juniper announced there was a problem, said Preneel.
“And then dozens of researchers spend their whole Christmas break figuring out what was happening,” he added.
In January 2016, Juniper Networks announced a patch in response to unauthorised code in the software that was linked to the NSA and enabled hackers to decrypt traffic running through a VPN over Juniper firewalls.
“The only way we will have secure infrastructure is to have an open infrastructure, and of course we need to have better governance to prevent a recurrence of things like Heartbleed,” said Preneel, adding that this could be done by ensuring code is not released without proper review and testing.
“There is still a lot of work to be done to ensure that what we use is secure and correct,” he said.
Read more about open source security
- A study has found commercial code is more compliant than open source code with security compliance standards, such as the Owasp top 10 and the CWE top 25.
- According to researchers, malware makers have been targeting .NET since Microsoft made the software open source.
- Security researchers, Dropbox and Google have joined forces to make open source security tools easier to use.
- Shellshock and Heartbleed showed how flawed even ubiquitous open source software components can be.
According to Preneel, the “crypto wars” are not over yet. “I think we won the first battle, but then we lost a whole series of battles and were losing the war, but now the message is clear: we need to decide if we want to give people secure end-to-end communications or not,” he said.
“And if we don’t want to do this, we should be honest about it. If we want to give some security, but not real security, we need to be honest with our industry and with ourselves when we look in the mirror.”
Preneel said that although there is an undeniable case for access by law enforcement, it is clear that today the attackers are winning and that law enforcement has much more information than it has ever had before.
“We should first improve our defences and then think about how we can deal with the problem that happens with law enforcement,” he said, referring to concerns by law enforcement and state security agencies in the US, UK and elsewhere that increased use of encryption is hampering their work.
“My view is that even if [criminals and terrorists] encrypt everything, law enforcement is still perfectly fine with all the metadata at their disposal and the fact that so much surveillance can be done through the use of mobile phones, which is good enough for law enforcement,” said Preneel.
Open security systems
More attention should be paid to developing open security systems that are capable of dealing with active attacks, he said.
“The fact that hackers, law enforcement and intelligence agencies are all undermining our end systems means that currently, all the security that can be provided is actually very limited,” said Preneel.
“We really have to improve our act here, but the fact that our governments are trading zero-day exploits is not something we should accept. As a society, we need to have a proper debate about this because we are becoming increasingly dependent on IoT [internet of things] devices for our power, communications and transport.
“But at the same time, we have governments hacking stuff and keeping secret zero-days. This is not going to end well unless we have this difficult public debate and engage governments about building open security systems.”