I am Joseph Bonneau, 2013 NSA award winner for "Best Cybersecurity Paper". AMA!

Did attending change your opinion of NSA at all?

Not about the politics, but it was a good reminder that the NSA is full of decent people who aren't too different from the engineers anywhere else. They have a job to do and they're doing their best, and it actually stood out how much people working there do care about the rules and formal processes they have in place, unlike academia where people hate following rules. I think the main changes that need to happen are political, and changing FISA courts, and probably replacing some of the NSA leadership, but I can respect most of the people working at the NSA.

Thank you for bringing a rational interpretation of our situation to the proverbial table; what are some of your plans/objectives for the immediate future?

Career-wise I have lots of interesting projects to work on at Google, perhaps I'll try to become a professor in the future. I enjoy research and teaching.

Life-wise I want to finish a half-Ironman this fall and get certified as an EMT.

I'd like to encourage you to go beyond EMT-B and obtain an EMT-P. It's a great personal challenge, and it really is knowledge that is applicable the rest of your life.

Thanks for the AMA!

Thanks for the tip! I'm just getting started though so one step at a time. I'm hoping to do a WEMT/EMT-B first

Currently studying the trauma section for my exam tomorrow. Gotta say as intense as the course is it is really run doing the practicals and learning about the functions of the body. My advice: Always be the person who goes first. You'll get more hands on experience and will be better off when it comes time for the national exam. Good luck in your studies

Great advice. Thanks and GL on your exam.

Isn't this in many ways more worrying? If there's some hidden evil person then you can boot them. If, on the other hand, negative outcomes are just an emergent property of that many people trying to do the right thing in their small sub-universe of that bureaucracy, isn't that a lot harder to change?

I agree that it's disturbing on a philosophical level. We're far from the first people to be having this discussion, search for "The Banality of Evil" and all of the subsequent literary discourse. I should say preemptively the NSA's surveillance is not in any way comparable to the crimes of Nazis, of course.

I disagree that this makes things harder to change though. This is why I have some hope that if we change the rules, and demand real oversight and limits on collection, the NSA (or some successor organization) can change in accordance with what we want as a democratic society.

Do you think you would be in line with what a democratic majority of Americans would want their National Security Agency to be?

I think the majority of Americans would accept a greater level of secrecy and surveillance than I would advocate for, and that's probably true for most people working in cryptography or security research. But the polls I've seen are clear that the current situation is not popular.

Do you think that in the end Google depends on the NSA, and knows it? We've seen Google publicly ask to be "allowed" to reveal more specific government data requests after the NSA scandal came to light, similar to how I might ask the government to make pizzas cheaper if I opened my own pizzaria, in both instances we are asking something that we really know won't actually happen but that will appease our customers/users.

I'm not sure how high up the chain of command you are, but I'd be absolutely shocked if there weren't hands being shaken between the NSA and a corporate giant data-mining company like Google. My other question to you then, would be, which public company do you think is the biggest culprit of working together with the NSA? I obviously don't expect you to say G since you work there, but what are your opinions of Facebook, Microsoft, etc. in this regard?

Thanks for doing this AMA and congrats on your award! :)

Bonus easy question: I've actually applied to intern at Google and will be again next summer. What do employees at Google think of the movie The Internship?

I'm sure I wouldn't be allowed to say anything about Google's relationship with the NSA if I knew anything about it that the public didn't, but I don't. I'm at the bottom of the chain of command at Google, probably only above the interns :-)

As to the movie, I didn't see it but has taken a large amount of abuse internally on company email lists. I don't think the average Google employee was impressed by it and I think it's very far away from the reality of working at Google.

As to the movie, I didn't see it but has taken a large amount of abuse internally on company email lists. I don't think the average Google employee was impressed by it and I think it's very far away from the reality of working at Google.

That's exactly the vibe I got from the commercials haha. Well thanks for answering my questions and congratulations again on the award, whether it was given by the NSA or not. Also I'd be careful about doing AMA's when working at Google due to their intense NDA, though I'm sure you know more about this than I do.

Best of luck moving forward and keep making good things!

Oh and one last thing, I'm attending SFSU as a Comp Sci major and am wondering if there is anything in particular you know of that I could do to increase my chances of being taken on as an intern?

I don't have any role in interviewing or selecting interns, but I'd advise writing some code for an open-source project or starting one. That's the best way as a student to demonstrate that you have good programming skills.

What do you think the outcome of the NSA scandal will be in the end?

My fear is that it will be treated as a normal "scandal", they'll fire 1 or 2 NSA executives, and none of the laws will change. I hope this becomes a well-known cautionary tale and is a constant reminder for future politicians that we don't want to go down this path, essentially an anti-9/11.

You mentioned that you interacted with many people who legitimately believed their work at the NSA was right. How did they react when you presented some of the arguments against it? (unconstitutionality, specifically)

NSA employees can't talk about this kind of thing at all so you don't get to directly have that conversation unfortunately. Perhaps it's different behind closed doors in the employee break room, but even then I doubt it's discussed a whole lot.

What do you think is the biggest obstacle in the way of ending the NSA's surveillance?

Secrecy and lack of oversight. What we don't know is still the most dangerous thing here. If we get to the point where much more is publicly known about the scale of the NSA's operations, I expect there will be more pressure to scale it back.

How exactly does the NSA process all the data for all of us who are techno illiterate

I don't have any inside knowledge about the NSA, but I imagine it's not too far away from how companies like Google, Yahoo, Facebook, Amazon, Microsoft store exabytes of data from webcrawls, email, etc. and make it available and searchable to users around the world on demand. It's actually all stored on millions of pretty-ordinary computers packed into special data center rooms with special cooling. Think a high-tech version of the room at the end of Raiders of the Lost Ark, that just seems to go on forever. Companies are very secretive of their data center setups, as is the NSA no doubt. Google has made some photos publicly available: http://www.google.com/about/datacenters/

You can learn much more about the software if you're interested. Read up on things like the Hadoop project, the best-known open source software. Basically Hadoop lets computer programmers access data stored on millions of computers as if it were all stored on one massive computer, without worrying about most of the details.

Google is secretive about its datacentres, yes. Not all companies are. http://www.opencompute.org/

(I work for FB.)

Fair point, this is a good step by Facebook. I was thinking mostly of Google and Amazon in terms of data center secrecy.

http://www.palantir.com/ (More info:http://en.wikipedia.org/wiki/Palantir_Technologies)

Interestingly, I interviewed at Palantir when I was graduating from Stanford and had the opportunity to be an early employee. Quite a few classmates did go work there and did quite well financially. I went to Cryptography Research instead because I was more interested in cryptography.

Hold your horses, we don't want him turning into the next Edward Snowden.

I don't have a security clearance and I don't know anything about the NSA to leak, so no worries there.

Hi there, thanks for the AMA. I've followed the NSA stuff just on headlines, so I think my knowledge of it would roughly fall around the average American's. If you don't mind, can you explain to me what the worry is with their collection of data? Is it the method they are using, or just the potential abuse, or what exactly?

The biggest worry is that we don't know what's being collected, how long it's being stored, and what limitations there are on its use (or abuse). We know just enough to know we should be very concerned, but we don't really know enough to have a public debate about if the amount collected is "reasonable."

A second, very important issue is economic. The US is fortunate to be home to most of the largest web companies. That's a tremendous economic resource, but we'll kill the golden goose if other countries think US corporations can't be trusted with their data due to the local government, particularly when the law provides virtually no protection from eavesdroppping for foreigner's data held by US companies. Can we honestly tell people in other countries that they should trust all of their data with US companies?

The "golden goose" comment is a very important consideration, which is not reflected in the press at all. As far as I know, you are the first one who mentioned it.

Demoralizing the public spirit will also have a long lasting economical effect

Not my point originally, this is a reasonably common thought in the valley. Slate did run it to their credit: http://www.slate.com/blogs/moneybox/2013/06/07/prism_tech_exports_will_nsa_revelations_block_american_companies_abroad.html

Agreed the media needs to pick up on this more.

Do NSA workers realize the danger of metadata collection?

What the what? Hello Reddit Gold! (obligatory edit)

Thanks!

Well, they obviously realize the tremendous value of this data. I would guess most workers either don't think about the ethics much and leave that to higher-ups who have deemed it legal, or think it's a necessary trade-off to accomplish their organizational mission. This is all speculation though. People who work at the NSA, even ex-employees, never discuss this.

Will Americans reach a point where change is made? Or do you think nothing major will come of anything?

It's very hard to predict which direction society will change, though history shows we often underestimate the scale of changes that are possible. One of my favorite books is King Leopold's Ghost, which describes conditions in the Congo Free State barely over 100 years ago. The human rights violations are unfathomable today, yet changing them at the time was a crazy idea.

I hope this is one of those things that my kids will be amazed I'm old enough to have lived through because it seems so archaic, the way I'm amazed my parents lived through desegregation. Can we change it in 5-10 years? I don't know.

What do you feel is the best/most persuasive argument for maintaining the NSA as it is, and why do you disagree with it?

The public argument I've seen is basically "this has protected us from lots of threats that you don't even know about and we can't tell you about or else we'd lose the ability to protect you from them" http://www.usatoday.com/story/news/nation/2013/06/18/nsa-surveillance-secret-programs-terror-plots/2434193/

I reject that argument because we have no way to tell if it's even falsifiable. We can't even have an argument about if the NSA's surveillance is an acceptable tradeoff for the security they provide, since we don't know what security they provide or even really what they're collecting (though we have some leaks on that).

It's important to realize secrecy is the #1 problem here. We can't debate surveillance properly without addressing that first.

What do you think will happen after saying NSA should be abolished?

Nothing, honestly. It's just my opinion and it was easy enough to say. If it moves the discussion 0.0001% further, that's fantastic.

When people like Jimmy Carter are speaking up, that's a much bigger deal. Lots of journalists are pushing to get the story out, and organizations like the EFF are pushing the fight in court. That's where the real action is.

Personally, I'll try to keep doing research and working on technical solutions. I've done some work with CryptoCat and I hope to do some more in the future to make end-to-end encrypted chat more secure and easy to use, for example.

What do you think about Project Tox?

https://github.com/irungentoo/ProjectTox-Core

Never heard of Tox until just now, but there are now a few different chat services that do end-to-end encryption, which is a minimum step to prevent surveillance. Also see RedPhone/TextSecure or SilentCircle for phone chat (or recently Threema), or CryptoCat for instant E2E encrypted chat on the web. More is good, but beware that cryptography is notoriously difficult to get right. You generally shouldn't trust crypto software unless it's been around for a while, has public source code and documentation, and has been vetted by experts. PGP is the most trusted encryption software if you really need it (and it's free).

Hi!

I'm a CS student at Dalhousie University. I was wondering what advice in general you could give me, either about education or advice for after I've graduated. Sorry if this is a lame question, but I was just looking at your website, and you've done some awesome stuff!

It's hard for me to give advice, because I've mostly had no plan, and people often don't give advice that they followed, just what they wish they had followed. It's also hard to take advice from somebody 5-10 years ahead of you career-wise, because it's hard to realize they were just as lost as you were 5-10 years prior.

My simplest advice would be, surround yourself by the smartest people you can. Go for it and engage with them in a respectful manner. Most of what I've learned has been osmosis by being around smart people. I was very fortunate to go to good universities and have great advisors, but there are other ways to do it. Go to events or hackathons with top people. Contribute to open-source projects. Write people emails and discuss work, it's more likely than you think that they'll write back. Even Twitter might work now.

Do you fear that you'll be targeted for your opinions?

Targeted by whom? There are thousands of writers who have said it all much better than I have.

You won the award based on what?

A research paper I wrote, that's it.

Finally on time for an AMA. What was your first reaction after being notified of your award? Did you immediately decide how to proceed?

I actually thought it was a prank email or scam. It came from a strange address and was oddly written. The headers all checked out though.

Then it was a mix of emotions. That awkward moment when your research wins an award from an organisation you have deep misgivings about.

What's the best way to keep our information safe from these types of entities. Do you feel there needs to be a balance between security and privacy?

There are technical tools to provide end-to-end encryption, which is what it takes. You can use PGP to encrypt your important communication if you want. Honestly the crypto community hasn't made these tools usable enough for the average person, which is a big failure that we need to work on. CryptoCat is an attempt to enable encrypted chat which is usable for everybody with no software installation, though it's not bullet-proof from a security standpoint. If you can install a mobile app, go with TextSecure/RedPhone or SilentCircle.

And not to plug my employer, but the Chrome development team (including some non-Google people, since it's an open-source project) has been leading the way on SSL/TLS security. There are a number of advanced features like key pinning that are important. Firefox is close behind on crypto quality. Avoid IE-they have not implemented HSTS years after Chrome and FF did (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).

EDITED TO ADD: Download HTTPS Everywhere for Chrome or Firefox to significantly increase the number of websites that you'll access over an encrypted channel. If you need anonymity, use Tor. The Tor Browser Bundle includes HTTPS Everywhere, that's about the best you can get right now.

If possible, you should always connect to websites via SSL. Check out HTTPS Everywhere to make sure your traffic is encrypted whenever possible. This only protects the data that's being transmitted of course, so you should also connect to websites through a VPN for additional privacy. I use ProXPN, and it seems to work well. They have a free tier (that is slowed down quite a bit), but should server basic browsing purposes, or for testing to see how it works.

Of course, neither of these things will help at all if the NSA has access to the website's databases, and there isn't much you can do to stay hidden in that case. Avoid using personal identifying information if at all possible, and avoid logging into websites with Facebook/Google accounts.

SSL itself is just as secure as the certificate authority's loyalty to their customers.

On top of that, browsers don't check (without extensions) where the certificate comes from, just if it's signed by any of the trusted authorities - and governments are among them. This means the NSA could intercept your requests to somesite.com, establish a proper SSL connection between them and somesite.com and forward everything to you through a seemingly valid SSL connection.

SSL is fine to protect yourself on open Wifi networks, but it doesn't protect you from government surveillance. At least that's what I understand. I'm not a cryptologist. Please correct me if I'm wrong.

What you've said is generally true, but Chrome now has key pinning (and soon FF will) which prevents certificates being used except from CAs the website trust, which usually exclude the government CAs. It's only turned on for 4 sites right now (Google, Twitter, Tor, and CryptoCat) but we're hoping to get more enrolled. This is going to be an important step to fixing this problem. Google is also launching a project called Certificate Transparency (http://www.certificate-transparency.org/) to get every acceptable certificate publicly logged, so that we can detect this kind of attack.

This is the kind of work that makes me very proud to be a part of Google.

Dr. Bonneau, I share your last name. I've never ran into a fellow Bonneau in the wild so I don't know how to handle myself... Any advice?

Go to France. Or Quebec. Or even Maine or Lousiana. There are literally thousands of us.

Okay, I'm gonna try and ask a question that hasn't been asked. The NSA collecting and storing data is obviously unacceptable to many Americans, and yourself, and I preface this by saying I am not attacking Google, and I staunch supporter. But why exactly are you worried about the NSA collecting all this data, with Google maintaining an equal or superior stash of information on people?

Two important differences between data collection by government agencies vs. companies in general:

(a) You can opt-out of using any one company's products/services, though there's criticism that this can be too hard to do for some web services, at least it's there and can improve. You usually can't opt-out of government surveillance. (b) There are privacy laws that apply to private companies, particularly in the EU. Companies do have to reveal what they collect and are limited in a number of ways. They're not perfect laws, but they provide vastly more oversight than is available over intelligence agencies..

is censoring porn from the internet completely and utterly impossible?

Today, completely censoring anything from the Internet that there is a very high public demand for is impossible. Porn falls into that category.

Censorship doesn't require making things impossible to access though, only difficult enough that most people will give up. That's why I'm very dismayed by the recently announced UK plan to have opt-out porn filtering at the ISP level. Opt-out censorship can be pretty effective.

Thanks for using the opportunity to speak out. Your respect for some of the people at the NSA is apparent; do you think, if your situation were different and you were working there, that your opinions about the NSA's conduct might be different?

That's a very good question and I've tried to think honestly about it. It's not out of the question that with a few random life choices going differently as a teenager or in college I could have ended up there. I'm sure my opinions would be different in that I'd know a lot more.

I honestly don't know what I'd be doing today if I worked there, I could certainly imagine really believing that the organisation is mostly doing the right thing and I was better served trying to push for as much change from within as I could get.

If you'd have another job, what would it be?

Outside of computer science completely? Probably writing trivia questions and reading/hosting pub trivia. I did some of that as a student in England and I loved it.

What was this award for, exactly?

By this I of course mean to ask your career history in as much detail as you can be bothered to express.

It was not a career award, just an award for a paper I wrote last year during my time as PhD student. You can probably find my resume online if you search for it. I did a BS and MS at Stanford, worked for a small company called Cryptography Research, did my PhD at the University of Cambridge (England), and now work at Google.

What do you think the Computer Security landscape will look like in the next 20 years? Your paper was about passwords, do you think text passwords will be replaced or augmented?

Augmented, not completely replaced. People have been claiming they're a year away from replacement for over a decade. Passwords surviving is a safe bet.

Do you think that this surveillance will make it difficult for media outlets (e.g. NYT, WashPost) to acquire/keep sources? What's to stop them from flagging journalists phone numbers and finding out who they're talking to (preventing sources from feeling secure in exposing government wrongdoing)?

Having a secure, easy way for journalists to talk to anonymous sources is a very important goal. Wikileaks was one platform, though it doesn't exist any more. The New Yorker is sponsoring a project called Strongbox aimed at achieving this: http://www.newyorker.com/online/blogs/closeread/2013/05/introducing-strongbox-anonymous-document-sharing-tool.html

Strongbox still has some issues to work out but I think we'll see more work from the crypto community in the next few years on this, now that we've recognized how important this problem is.

Why do you look like Judd from Big Brother 15?

that's a new one to me. Most people tell me now that I look like Matt Saracen from Friday Night Lights

How does the NSA award affect your position at Google and your quest to win a flag football championship?

The award ceremony caused me to miss a game. I'm more concerned about our team captain not catching several of my perfectly-thrown spirals that hit him in the hands during the last game though.

Not entirely related, but how would you recommend someone get involved in the field of cybersecurity? What skills would you recommend they have?

A lot of it is mindset, not specific skills. You have to enjoy breaking things and be creative and paranoid in imagining what might go wrong.

Beyond that, having good programming ability is the most important, math skills always help too.

Isn't it a bit extreme to say the NSA should be abolished as a whole, rather than reformed?

Perhaps. I'm certainly open to the idea that it can be reformed, as I've said I think they have great engineers with good intentions. I'd rather have it abolished than keep it around as is.

Where are you from?

San Francisco Bay Area