Internet Security
1. WITHOUT encryption, internet traffic might as well be written on postcards. So governments, bankers and retailers encipher their messages, as do terrorists and criminals.
▌Without encryption, information sent over the internet might as well be written on postcards. So governments, bankers and retailers encrypt their messages, and of course terrorist groups and criminals do the same.
2. For spy agencies, cracking methods of encryption is therefore a priority. Using computational brute force is costly and slow, because making codes is far easier than breaking them. One alternative is to force companies to help the authorities crack their customers’ encryption, the thrust of a new law just passed in China and a power that Western spy agencies also covet. Another option is to open “back doors”: flaws in software or hardware which make it possible to guess or steal the encryption keys. Such back doors can be the result of programming mistakes, built by design (with the co-operation of the encryption provider) or created through unauthorised tinkering with software—or some combination of the three.
▌For intelligence agencies, then, breaking encryption is a priority. Brute-forcing codes by computer is expensive and slow, because enciphering is trivial compared with deciphering. One alternative is to make companies help the authorities break their customers' encryption; that is the thrust of a law China has just passed, and a power Western spy agencies have long coveted. Another is to open "back doors": flaws in software or hardware that make it possible to guess or even steal the encryption keys. Such back doors may be programming mistakes, may be built in deliberately by the developers (in co-operation with the encryption provider), may be created by unauthorised patching of the software, or may be some combination of the three.
3. The problem with back doors is that, though they make life easier for spooks, they also make the internet less secure for everyone else. Recent revelations involving Juniper, an American maker of networking hardware and software, vividly demonstrate how. Juniper disclosed in December that a back door, dating to 2012, let anyone with knowledge of it read traffic encrypted by its “virtual private network” software, which is used by companies and government agencies worldwide to connect different offices via the public internet. It is unclear who is responsible, but the flaw may have arisen when one intelligence agency installed a back door which was then secretly modified by another. The back door involved a faulty random-number generator in an encryption standard championed by America’s National Security Agency (NSA); other clues point to Chinese or British intelligence agencies.
▌The problem with back doors is that, although they make spies' work easier, they also make the internet less secure for everyone else. Recent disclosures about Juniper (an American maker of networking hardware and software) illustrate this clearly. In December Juniper revealed that a back door dating from 2012 lets anyone who knows about it read data encrypted by its "virtual private network" (VPN) software. VPNs are used by companies and government agencies around the world to connect different offices over the public internet. It is still unclear who is responsible, but the flaw may have arisen when one intelligence agency installed a back door that was later secretly modified by another. The back door involved a faulty random-number generator built to an encryption standard championed by America's National Security Agency (NSA); other clues point to Chinese or British intelligence agencies.
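The "faulty random-number generator" the article refers to is Dual_EC_DRBG (NIST SP 800-90A), whose weakness is not a coding bug but a trapdoor in its published constants: whoever chose the point Q as a known multiple of P can recover the generator's internal state from its output. The following is an added example, not Juniper's code and not the standard itself: it replaces the elliptic curve with a small prime-order subgroup of Z_p^* (constructed toy parameters, an assumption of this example) so that the trapdoor can be followed step by step in plain modular arithmetic. The names `ToyDualEC`, `recover_state` and `predict_session_key` are this example's own.

```python
"""Toy model of a Dual_EC_DRBG-style trapdoor random-number generator.

Dual_EC_DRBG uses two fixed curve points P and Q; anyone who knows d with
Q = d*P can recover the next internal state from one output. This file keeps
that algebraic shape but works in a prime-order subgroup of Z_p^*:

    state s                     secret integer
    r    = P^s  mod p           intermediate value, never output
    out  = trunc(Q^r mod p)     the "random" bits handed to the caller
    s'   = P^r  mod p           next state

With Q = P^d and e = d^-1 mod q:  (Q^r)^e = P^(d*r*e) = P^r = s'.
"""

import hashlib

# Constructed toy parameters (assumption of this example; Dual_EC uses P-256).
# The group is tiny so the numbers are inspectable; the attack never takes a
# discrete logarithm, it uses the trapdoor, so it works the same at real sizes.
P_MOD = 1019            # safe prime: (1019 - 1) / 2 = 509 is prime
Q_ORD = 509             # order of the quadratic-residue subgroup
GEN_P = 4               # generator of that subgroup ("P" in Dual_EC terms)
KEEP_BITS = 8           # analogue of Dual_EC dropping the top 16 of 256 bits
KEEP_MASK = (1 << KEEP_BITS) - 1


def make_backdoored_q(trapdoor_d):
    """Q = P^d. The party that picks Q this way keeps d as the trapdoor.
    An honest Q would be derived verifiably (e.g. hashed to the group) so
    that nobody can know such a d; Dual_EC's Q was an unexplained constant."""
    return pow(GEN_P, trapdoor_d, P_MOD)


class ToyDualEC:
    """The generator as deployed in a device. It never sees d."""

    def __init__(self, q_point, seed):
        self.q_point = q_point
        self.state = seed % Q_ORD

    def next_output(self):
        r = pow(GEN_P, self.state, P_MOD)       # r  = P^s
        full = pow(self.q_point, r, P_MOD)      # Q^r
        self.state = pow(GEN_P, r, P_MOD)       # s' = P^r
        return full & KEEP_MASK                 # caller only sees the low bits

    def session_key(self, n_outputs=8):
        """Stand-in for a VPN deriving a session key from generator output."""
        raw = bytes(self.next_output() for _ in range(n_outputs))
        return hashlib.sha256(raw).hexdigest()


def recover_state(observed, q_point, trapdoor_d):
    """Attacker side. `observed` is a run of consecutive truncated outputs
    (e.g. a nonce visible on the wire). Returns every state the generator
    could have held right after emitting observed[0] that also reproduces
    observed[1:]; with a few extra outputs that is normally exactly one."""
    e = pow(trapdoor_d, -1, Q_ORD)              # d^-1 mod q (Python 3.8+)
    first, rest = observed[0], observed[1:]
    candidates = []
    # Truncation hid the top bits: try every full value with these low bits
    # (Dual_EC: 2^16 candidates, which is why the real attack is cheap).
    for hi in range((P_MOD >> KEEP_BITS) + 1):
        full = (hi << KEEP_BITS) | first
        if not 1 <= full < P_MOD:
            continue
        state = pow(full, e, P_MOD)             # (Q^r)^e = P^r = s'
        clone = ToyDualEC(q_point, 0)
        clone.state = state
        if all(clone.next_output() == o for o in rest):
            candidates.append(state)
    return candidates


def predict_session_key(observed, q_point, trapdoor_d):
    """Clone the generator from the recovered state and return the key the
    device will derive next, or None if no state fits the observations."""
    candidates = recover_state(observed, q_point, trapdoor_d)
    if not candidates:
        return None
    clone = ToyDualEC(q_point, 0)
    clone.state = candidates[0]
    for _ in observed[1:]:                      # catch up with the device
        clone.next_output()
    return clone.session_key()


def demo(trapdoor_d=123, seed=777):
    """Device emits 4 outputs, then derives a key; the attacker predicts it."""
    q_point = make_backdoored_q(trapdoor_d)
    device = ToyDualEC(q_point, seed)
    observed = [device.next_output() for _ in range(4)]
    predicted = predict_session_key(observed, q_point, trapdoor_d)
    actual = device.session_key()
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("attacker predicted:", predicted)
    print("device derived:    ", actual)
    print("match:", predicted == actual)
```

The point for a practitioner is that nothing in `ToyDualEC` looks wrong: the generator is "correct" with respect to its specification, and the weakness lives entirely in the provenance of Q. This is why the later quiet change of Juniper's Q constant could hand the same capability to a second party, and why an audit of a random-number generator has to ask where its constants came from, not only whether the code matches the standard.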
4. Decrypting messages that involve one or more intelligence targets is clearly within a spy agency’s remit. And there are good reasons why governments should be able to snoop, in the interests of national security and within legal limits. The danger is that back doors introduced for snooping may also end up being used for nefarious ends by rogue spooks, enemy governments, or malefactors who wish to spy on the law-abiding. It is unclear who installed Juniper’s back door or used it and to what end.
▌Decrypting messages that involve one or more intelligence targets is clearly within an intelligence agency's remit. There are also good reasons why governments should be able to snoop, in the interests of national security and within the law. The danger is that back doors introduced for snooping may end up being used by wrongdoers, such as rogue agents, enemy governments or criminals who want to spy on the law-abiding. Who installed and used Juniper's back door, and for what purpose, is still not known.
5. Intelligence agencies argue that back doors can be kept secret and are sufficiently complex that their unauthorised use is unlikely. But an outsider may stumble across a weakness or steal details of it. America, in particular, has a lamentable record when it comes to storing secrets safely. In the summer it became known that the Office of Personnel Management, which stores the sensitive personal data of more than 20m federal employees and others, had been breached—allegedly by the Chinese. Some call that the biggest disaster in American intelligence history. It is rivalled only by the data taken by Edward Snowden, a former NSA contractor now living in Moscow. (The authorities responsible for airport security also let slip the details of master keys that can open most commercially available luggage—a form of physical back door.)
▌Intelligence agencies claim that back doors are secret and complex enough that their unauthorised use is unlikely. But an outsider may stumble on a weakness in them or steal the details. When it comes to storing secrets safely, America's record is particularly lamentable. This summer the Office of Personnel Management, which holds the sensitive personal data of more than 20m federal employees and others, was breached, reportedly by the Chinese. Some regard that as the biggest disaster in American intelligence history, rivalled only by the leaks of Edward Snowden (a former NSA contractor now living in Moscow). (The authorities responsible for airport security also inadvertently revealed the details of master keys that open most commercially available luggage, a kind of physical back door.)
6. Push back against back doors
Calls for the mandatory inclusion of back doors should therefore be resisted. Their potential use by criminals weakens overall internet security, on which billions of people rely for banking and payments. Their existence also undermines confidence in technology companies and makes it hard for Western governments to criticise authoritarian regimes for interfering with the internet. And their imposition would be futile in any case: high-powered encryption software, with no back doors, is available free online to anyone who wants it.
▌Calls to mandate back doors should therefore be resisted. Billions of users depend on internet security for their banking and payments, and back doors that criminals can exploit weaken that security as a whole. Back doors also erode public confidence in technology companies and make it harder for Western governments to criticise authoritarian regimes for interfering with the internet. And mandating them would be futile in any case, because anyone can download strong encryption software with no back doors for free.
7. Rather than weakening everyone’s encryption by exploiting back doors, spies should use other means. The attacks in Paris in November succeeded not because terrorists used computer wizardry, but because information about their activities was not shared. When necessary, the NSA and other agencies can usually worm their way into suspects’ computers or phones. That is harder and slower than using a universal back door—but it is safer for everyone else.
▌Rather than weakening everyone else's encryption by planting back doors, spies should find other means. The terrorists behind the Paris attacks in November succeeded not because they used sophisticated computer techniques, but because information about their activities was not shared. When necessary, the NSA and other agencies can usually worm their way into suspects' computers and phones to extract what they need. That is slower and harder than using a universal back door, but it is safer for everyone else.