NSA Award for Best Scientific Cybersecurity Paper

Yesterday I received the NSA award for the Best Scientific Cybersecurity Paper of 2012 for my IEEE Oakland paper “The science of guessing.” I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.

On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.

In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.

60 thoughts on “NSA Award for Best Scientific Cybersecurity Paper”

  1. I don’t agree with you. Mass surveillance is not a mistake. It is a grave misconduct against democracy. If you really wanted to do something against mass surveillance, you should have refused this award.

  2. “It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade.”

    You sure about that? The NSA’s Clapper has already coughed to misleading Congress & he also has form in this area: http://p.washingtontimes.com/news/2013/jul/9/heck-no-clapper-wont-go-dni-refuses-quit-over-misl/?page=all

    I wonder how much Obama is really aware of in terms of what’s really going on? The same could be said of our lot and GCHQ. How much are Hague & co really aware of which actually goes on? We already know that by accessing data collected by the NSA for PRISM, GCHQ are able to legitimately make claims that they are not breaking any laws. As Schneier has said elsewhere, the denials are carefully worded…

  3. Congratulations on the award.

    Now, please excuse me, for a moment, while I get some popcorn.

  4. I suspect there are problems both in Washington and in Fort Meade, as people like Tom Drake have amply shown.

    But I appreciate your candor on this matter, and your evident patriotism.

  5. Thank you for speaking out as someone who they respect that they are beyond redemption. This must stop and what you did is a step in the right direction.

  6. GOOGLE = NSA

    Your words would carry more meaning if you worked for a company that wasn’t in bed with US intelligence agencies.

  7. I am just stopping by to say hi from reddit. Millions of lurkers are on your side. Accepting the award wasn’t an easy decision for you. You’re doomed if you do and you’re doomed if you don’t. Overall though, your point stands: Mass surveillance is unacceptable in a society that claims to provide freedom. Not only is it ineffective, but it is comparable to killing weeds with a lawn mower. Only by getting to the root of the problem, will we ever have a safe and prosperous society.

    Shame on this government and shame on everyone that blindly supports its crimes against its own citizens.

    ಠ_ಠ

  8. I note that some people are already trolling you on Twitter, saying it’s ‘douchey’ to slam the Agency that just gave you the award. But what do Americans owe an Agency that spies on them with blank check 4th Amendment violating ‘general warrants’ of the type our Founding Fathers revolted against in the hands of the Redcoats; that collects every aspect of their electronic existence ‘just in case, but we don’t look at it pinky swear’ BUT contempt?

  9. Well said. I just wanted to comment as there are only 9 comments and so I’m guessing you’ll read this. It’s funny because you’re #1 on reddit right now, but yet it appears very few clicked through to your blog.

    Congratulations on your award, your polite rebuttal to the NSA, and your #1 spot on Reddit. I would be very interested to hear your opinion of how the collection of personal data by Google differs from that of the NSA data collection. Lastly, I hope your message reaches the NSA and is taken seriously, as your opinion is shared by many Americans. The NSA appears to not take viewpoints of those opposed to their practices seriously, as recently they made a statement saying that Snowden did not give away the “crown jewel” of their data mining program, implying that their invasion of privacy goes far beyond what we already know.

    Cheers

  10. Great paper – the fact you took the award means it enables you to bring your topics forward to be discussed. Dignity and progress are not always great companions. (my own quote there)
    Good paper too – no wonder you won an award.

  11. You seem to understand the problems, but you’re still protecting your career. You’re too gracious to an organization whose activities you claim to criticize. Flatly rejecting the award would have given you a much larger platform for your views.

    The engineers who asked you sharp questions are all in the belly of the beast and will very likely continue enabling the NSA to do the evil, illegal things it does.

  12. Hi Joseph,
    In my experience you will always have roughly even positive and negative comments whenever you take a ‘serious’ public action as you have by coming into the spotlight, even if in your own best estimation you believe it is the “right” thing to do ethically or morally on any topic or issue.
    So I applaud you for the courage in putting forward your own perspective, regardless of what I or anyone else says.

    From my perspective, taking the award gives the agency credibility, though BURNING the award PUBLICLY would undermine the agency’s prestige in the minds of millions of people and thus its legitimacy. Have you given this idea some serious thought?

  13. Congratulations on your award. I am glad you spoke up.

    I wrote to my Congressman Joe Garcia and asked that he would vote against funding NSA until they stopped grand sweeps and warrantless searches. I also asked him why there were no tech advisers for the Congress during the so-called question and answer panel. He chose, as far as I am concerned, to believe whatever NSA told him, and voted accordingly. I voted for him once; that will not happen again.

    I want my country protected, but I know they can do it, without spying on us unilaterally and without grand sweeps!

  14. Congratulations on the award, which is well deserved.
    Many people don’t realize that NSA has a dual mission: signals intelligence is one, but the other is to protect national computing and communication systems from espionage and attack. Separating those missions is difficult because the people constructing the defenses need to be informed about methods of attack. I believe NSA’s efforts in Science of Security aim to lay the foundations for future systems that are more accountable and harder to attack. See http://cps-vo.org/group/SoS

  15. Reject the prize or don’t speak out. You can’t both accept the prize and try and denounce the NSA at the same time.

  16. Congratulations to you – and sincerely, thank you, for using the platform the award has given you to speak out. I disagree with what others have said; you can certainly accept the prize and condemn the organization.

  17. OK, so… why did you accept the award, again?

    This opposition to so-called “mass surveillance” seems a bit odd coming from someone whose research in smart password attacks can clearly be used for offensive (better cracking techniques) in addition to defensive purposes…

  18. I think with Washington he meant politics/people in power, sure there are people of power in Fort Meade, he probably meant the engineers are fine people.

    However I do feel these fine people should really consider leaving, I know they are just trying to do good, but at this time at that organization maybe there is no good that can still be done.

  19. You make some good points very politely, but if you feel strongly that the organisation is malign in practice (even if not in intent) then you should refuse the award. By accepting it you are endorsing the organisation every time you submit your CV.

  20. I disagree.
    What must be overcome is the perception by a given human that they are of sufficient import to be watched in systems designed for national security threat detection.
    CCTV is all over the UK; it was in the 90s. Know what that meant? It meant that you could walk safely through the streets in the middle of the night when people poured out of the pubs… that was it. Effective crime deterrent.
    Do you have abuses? Absolutely. Should we contract out this kind of thing? In my opinion, no.
    The internet is a cesspool; someone has to wade through it.

    It would be folly to attempt to dismantle the NSA. You’ll achieve only one thing. You’ll move the ‘real’ data beyond civilian view, forever. I’d not be surprised if that is happening already.

  21. Congratulations on the award, and ignore the people trolling you. It’s good you made a first statement against this program as it deserves it, but it would be worthwhile to see you undertake the public responsibility of continually and consistently speaking out against abuses against the American public.

  22. Congrats on the award Sir. You truly deserve it.

    And thank you for speaking out for the rest of us. It’s important our objections are raised because the situation is sliding out of citizen control, and this is bad for democracy.

  23. Congratulations on the award!!

    I have a question regarding your paper.
    Based on your paper, I was just wondering how you got access to the cleartext passwords. Does it mean that Yahoo keeps the cleartext passwords? My understanding has always been that the hash (md5|sha1) is stored. No password is stored anywhere.

  24. Congratulations on the award. Great paper. Putting it in the hands of the NSA though – not such a good idea. It’s just another avenue they’ll go down to access our accounts.

  25. Thank you for speaking your conscience about the activities of the NSA. I fully agree with you and often wonder if it’s already too late to stop the downward spiral this country has entered, of which NSA’s activities are but one of the symptoms. I think it’s the actions of people like you that have the best chance of shocking awake the majority of the population who thus far have sat back and watched, into a vocal, proactive opposition to this kind of government activity.

    The idea that the NSA as well as Law Enforcement need the ability to spy on everyone with impunity, or dangerous criminals will get away, is about as valid as insisting that weekly inspections of all private residences are essential in dealing with the drug problem.

    Best regards,
    JG

  26. Given Google does the same sort of data mining I can see how you’d go ahead and accept this award anyways. Welcome to Stasiland.

  27. How can you be against what the NSA does when you work for a company that does the exact same thing? And denying only proves ignorance…. so!?

    You should be honored to receive the award of one of your peers!
    You should be honored to receive the award, because you entered (and I guess with the intention to participate and win)!
    You should not be so hypocritical!

  28. In accepting the award and posting your thoughts, I guess you can: 1) Have your cake and eat it too, 2) Bite the hand that feeds you. I can’t for the life of me understand why you are not declining the award. The fact that they gave it to you already proves your merit. Declining it would make a more-powerful and convincing statement of your opposition to NSA’s surveillance.

  29. These comments show that most people are missing something about the NSA: it’s schizophrenic. One mission is to gain intel by spying on about every communication it can. Another is Information Assurance Directorate tasked with protecting whatever it can. NSA’s INFOSEC people have helped design and certify a ton of highly secure stuff protecting Americans [mostly in Defense though]. I learned plenty from all the papers government researchers published. Ironically, I couldn’t have built NSA-proof systems in the past without their help. 😉

    So, that said, if he should do something about the award due to its source the first question is: “Was it issued by the part of the agency destroying freedom or the security driven group making tools to protect us?” If the former, a rejection or public burning sounds nice. If the latter, then not so much.

    Bigger consideration is the guy’s career. Being recognized by NSA, govt’s top INFOSEC group, is a definite plus on the resume. Why turn it down? For some idealistic, personal motive that won’t lead to anything other than turning down an award? Please… Accepting it with qualifiers means he can use it to continue doing good research and producing results for everyone. Joseph handled it wisely.

  30. Congratulations on being awarded a gold star by the NSA.
    Just as well, I suppose; the award was for brains and not for courage.

  31. Tough choice, whether to accept, given the circumstances. To refuse it would likely result in another selection being made and quickly falling off the radar by non-sec folks. Even with the division created by accepting the award, it will be forgotten soon enough.

    Another option, perhaps more substantial, is to accept, and then be vocal enough that they are either compelled to take the award away or engage in a more legitimate manner. Your initial response is a good first step, but you are in a unique position to spread an informed opinion to those with too few valid sources on the subject.

  32. You’re a paid lackey who does research for the NSA surveillance state and one of the biggest, creepiest corporations on the planet. Nothing more, nothing less. Stop trying to act like you didn’t do anything wrong and are still down with whatever ideals you had before you became a witting participant in all of this, for money.

  33. Now that you have helped them to break passwords, maybe you can invent something that helps privacy.

    For example, a generic account management system which controls the rate of “trying” and which is proven mathematically correct. Every dick and their dog currently implements their own password system and a single SQL injection is enough to open the whole system.

    In addition, maybe you can do something good in creating practical crypto and file-sharing solutions which assure privacy. That might offset your evil work at the GoogleNSA-plex. Thank you.
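Two technical points surface in this thread: comment 23 assumes a site stores only a hash of each password, and comment 33 asks for an account management system that controls the rate of guessing. The following is an added illustration that is not code from the post, the paper, or either commenter; the class and its tuning values (`AccountStore`, `MAX_ATTEMPTS`, `WINDOW_SECONDS`, the PBKDF2 parameters) are assumptions chosen for the example. It shows why a leaked table of salted, iterated hashes does not hand over cleartext, and how a per-account attempt window turns an online guessing campaign into a bounded number of tries per period.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Tuning values for this example (assumed, not taken from the post or the paper).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_ATTEMPTS = 5        # failed guesses allowed per account per window
WINDOW_SECONDS = 300    # length of the rate-limit window


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated hash: the stored value lets us verify a guess but not recover the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class Record:
    salt: bytes
    digest: bytes
    attempts: list = field(default_factory=list)   # timestamps of recent failed guesses


class AccountStore:
    """Keeps only salt + digest per account and throttles verification attempts."""

    def __init__(self, clock=time.monotonic):
        self._records: dict[str, Record] = {}
        self._clock = clock   # injectable so the window logic can be tested deterministically

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._records[username] = Record(salt=salt, digest=hash_password(password, salt))

    def stored_value(self, username: str) -> bytes:
        """What a database leak would expose: the digest, never the cleartext."""
        return self._records[username].digest

    def _throttled(self, rec: Record) -> bool:
        now = self._clock()
        # Drop failures that have aged out of the window, then check what remains.
        rec.attempts = [t for t in rec.attempts if now - t < WINDOW_SECONDS]
        return len(rec.attempts) >= MAX_ATTEMPTS

    def verify(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad' or 'locked'. Unknown users take the 'bad' path after a dummy hash."""
        rec = self._records.get(username)
        if rec is None:
            # Hash anyway so response time does not reveal whether the account exists.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "bad"
        if self._throttled(rec):
            return "locked"
        candidate = hash_password(password, rec.salt)
        if hmac.compare_digest(candidate, rec.digest):
            rec.attempts.clear()
            return "ok"
        rec.attempts.append(self._clock())
        return "bad"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery")   # constructed sample account
    print(store.verify("alice", "correct horse battery"))   # ok
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", "wrong guess")
    print(store.verify("alice", "correct horse battery"))   # locked until the window expires
```

The per-user salt means two accounts with the same password produce different digests, the iteration count makes each offline guess cost real work, and `compare_digest` avoids leaking where a comparison failed. The lockout deliberately counts only failures, so a legitimate user who types the right password resets the window.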

  34. It’s not too late to give the award back, you know. Gushing about how nice all the NSA drones are is especially lame. I’m sure they are very nice people and working to destroy our privacy is just their day job.

  35. A Google engineer criticizing the NSA on data collection – the irony is unbelievable. The pot calling the kettle black.

  36. I’d be remiss not to mention my conflicted feelings about your acceptance of this award given what we know about the NSA. Do you think Neo would have accepted an award from the creators of The Matrix?

  37. @fatbloke

    Their misleading can’t be denied, but who is holding the NSA accountable? Who funds the NSA? And more recently, which “representatives” fought against the Amash amendment to defund the NSA PRISM/related programs?

    The problem truly is your leaders. And you are indeed all being led.

  38. Slashdot is discussing this blog post, and this builds on my comment there:
    “Both the NSA and Google have unexamined ironies”
    http://slashdot.org/comments.pl?sid=4023649&cid=44409487

    These tremendous exponential increases in computer power that make possible massive data collection, mining, and decryption are part of a “phase change” in our society. James P. Hogan talks about a shift in world view from scarcity to abundance in his sci-fi novel “Voyage from Yesteryear” and how that affects politics and social institutions.

    Hogan has his own optimistic take on this, but in general, it’s not clear where it is all going. Vernor Vinge writes on an unknowable “Singularity”. As I see it, the biggest challenge of the 21st century is the irony of technologies of abundance in the hands of those still thinking in terms of scarcity. As I mention in that post through links to longer essays, both Google and the NSA are caught up in that irony, as are most current social institutions.

    And individually, most of us (myself included) are also caught up in that irony as we try to survive in the current economic system — even as AI, robotics, and other automation as well as other factors like better design and communications are rapidly changing the global economic landscape.

    The same factors will eventually make both Google and maybe then the NSA increasingly anachronistic and obsolete. In 20-30 years or so, a laptop may have the power of the current Google compute farm and easily contain all the info a person would likely want for daily living needs and entertainment (including 3D printing files and software to print out and drive self-replicating agricultural and mining robots). Such compute power could likely decrypt most communications from today, especially if most passwords are weak (as your paper suggests). And also around then, nanotech “smart dust” (as in Vinge’s “A Deepness in the Sky”) may compromise every private communication everywhere including in the corridors of the NSA itself. Clarke’s “The Light of Other Days” is a sci-fi story with intriguing notions of the social effects, as in Brin’s “Transparent Society”.

    But one idea seems hopeful to me — the thought that our path out of any singularity may have a lot to do with our moral path into that singularity. Can we, as a global society, muster the moral courage and social effort to try to approach any singularity from a position of moral strength? Whatever that may mean (and people do disagree on that)?

    Anyway, thanks for at least raising the issue of some of these moral complexities and the politics that surround them. We need a lot more discussion about this, as well as better tools to support better discussions (the kind of things both Google and the NSA have worked towards in various ways).

  39. Of course in reality the problem must be the government again. What else? What utter Randian objectivistic nonsense. Every time the blame is randomly shifted to an institution that should be representing people and should be run by people, companies like Google are having a laugh. Not only do these sentiments draw attention away from their lobby machines, they erode government even further, creating great “opportunities” for big business to fill.
    Your NSA is a sign of the times which Google, your company, willfully helped usher in because people are their product.

  40. Some people in the US administration and intelligence services are so NON-democratic that all Americans SHOULD be more aware – remember, among them are still people who know the true story about your murdering of JFK, Dr. King and more. There are still people who know the truth about 9/11 – the US is on a path to a police state! Such activity like the NSA should NOT be allowed and I think there should be more people doing like E. Snowden – tell all about what’s going on!
    US, when do you wake up?

  41. “It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade.”

    Well, keep telling yourself that, right as we head into another scandal. There will be another, you can bank on that. I used to work for a government agency. The problem is careerism and unethical staff — a dangerous combination — and also it’s we the people who send such people to Washington. Yes, it can be reformed, but we the people have to be on top of these guys and not wallow when faced with opting for integrity or your nice house in the Virginia suburbs. Everyone likes to think it isn’t ‘me’, but who then??

  42. Congratulations for the award, Joseph! I agree with your view about NSA. It has been violating the civil rights of both Americans and the whole world.

  43. Just think how good burning it would feel. You should send out a bunch of emails through Gmail and Yahoo about burning your NSA award, then you should call people on your Verizon phone and tell them that you’re burning your NSA award, then you could post pictures on your Facebook and YouTube and upload them to your iCloud so everybody knows how and why you burnt it. Wouldn’t it be fun to burn it, Joe? I think you should burn it, Joe.

  44. As others have pointed out above, the problem can’t be Washington’s alone. We now know that there are entire NSA programs dedicated to illegal and unconstitutional activities which were concealed from lawmakers by NSA leadership.

    If the people of Fort Meade knew that NSA leadership had repeatedly lied under oath to congress (and they did indeed know this), they had a patriotic duty to blow the whistle and leak this information.

    Shame on them for helping to subvert the democratic process.

  45. Collecting metadata is not equivalent to actually capturing and monitoring the communications the metadata documents. Someone with your background should understand that fundamental distinction without having to be corrected. Paying heed to the anti-American propaganda coming out of the Guardian is a waste of your education.

    But let me put it another way. Al Qaeda’s stated objective is to start a world war by 2020 with the goal of imposing an Islamic caliphate upon every nation.

    If you feel you don’t want to live under their rule, the only option they offer you is death.

    If the price of your perceived liberty is to allow Al Qaeda and their allies to grow stronger, ultimately bringing on more death and destruction (even if they have little to no chance in succeeding), then your liberty costs too much.

    I don’t want to be the guy standing next to a car bomb just because you’re worried about the NSA collecting data points that don’t reveal anything about what you are actually doing or with whom you are doing it.

  46. @Michael Martinez: Sounds like ’33 when all Nazis declared politically unwanted people as Communists (after the establishment propaganda implemented the evilness of Communists into the people’s brains). Remember the Nazi-time of Germany, the constitution told people they’d live in democracy, but did they do? I don’t want to get more into it now. Be sure that there is no caliphate nor even something called Al Qaeda. This is propaganda only. You are getting fooled from top to bottom by your money-driven Leviathan. Wake up and start thinking.

  47. Congratulations on the award. It was a great paper; I read it a while back when the password conference was on in Norway. For what it is worth, I think you are right to accept the award and right to express your reservations. That you work for Google and Google shares data with the NSA is a spurious argument. The award is selected by a very distinguished committee and yours was an excellent paper.

  48. It is scary that people can’t separate an excellent academic paper from their thoughts and opinions of NSA and Google.

    Please give credit where it’s due.

  49. “It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade.”

    “I was only following orders…”

  50. At least you made it on a satirical blog in Germany… it’s where I found out about your award received from the NSA.
    Your words would have meaning and gain my respect if you would publicly return this award to the NSA. The NSA is just what the Stasi in the former DDR was and the Gestapo in Hitler’s time. Now America has become the enemy of a free world. By accepting your award you are a part of the system. After all the years of politics of fear by the Bush clan before and after 9/11, America has become the real example of 1984… the brave new world… good luck with observing for the home of the brave and land of the free… the united states of paranoia, home of the bigoted and ignorant.

  51. @.14 Tim
    I think I just found myself a new sig quote 🙂

    Joseph, congratulations on the award, and indeed the vehicle you fashioned of it. Declining the award as some have suggested would have IMHO had little to no impact of any significance.

    I look forward to your future observations.
