European Commission Recommends OSS to Fight Echelon

CrossRhythm writes: "The European Commission Resolution on Echelon encourages the Commission and Member States "to promote software projects whose source text is made public", to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category," and "systematically to encrypt e-mails, so that ultimately encryption becomes the norm"."

an Apache port to rubber bands and plastic?

[lowy]

If only their webserver were built from Lego:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ''.

/inventions/invention.asp, line 64

Re:an Apache port to rubber bands and plastic?

[lowy]

Oops. Mod me down offtopic. This should have gone under the Lego section. My bad.

Re:an Apache port to rubber bands and plastic?

Everyone makes fun of SQL servers that die under a slashdotting, how come no one makes fun of slashdot when the database takes a shit? The database is down all the time, everyday lately.

Unless that's just an excuse to "lose some posts in a database crash"...

Re:an Apache port to rubber bands and plastic?

[stx23]

Your post is in there, as well as here.
Weird, huh?
Even better, the above apparently violated the postercomment compression filter. Comment aborted. Lameness filter encountered.

Re:an Apache port to rubber bands and plastic?

[jamie]

"how come no one makes fun of slashdot when the database takes a shit?"

Where have YOU been??

Re:an Apache port to rubber bands and plastic?

lol

funding.

[michaelo]

So this would be a good reason for governments to fund the development of open source applications.
Hopefully they'll do..
J.

Re:funding.

[Voidhobo]

Which is why GnuPG is funded mostly by the German Ministry for Economy and Technology, for example.

Re:funding.

If companies/academics request R&D funding from the European Commission, they are already urged to license the software as open source (to get a better chance of getting funding). These guidelines started popping up for more then a year now.

Re:funding.

[Dante333]

To have governments embrace and use open source software would be enough for me. To have them fund the development of it is where it gets iffy. Who retains the copyright to the software, the Government or the programmer? What liscense would they use? What happens if the Government suddenly thinks that some encryption software is too good and needs to be closed source? Think about it. What was the last good think any of us had to say regarding the government and technology policy. I think the best thing the government can do is use open source software, the worst thing they can do is make it. Except for the NSA, cause they are just cool.

Re:funding.

they are already urged to license the software as open source

So the European socialist mindset strikes at the very heart of this new industry. What's the point in developing anything if you're obliged to give it all away for free?

what about MS "Shared Source"?

[room101]

I may be wrong, but it sounds like MS' totally bogus "shared source" will move MS from "least reliable" to something better.

The article is pretty long, so perhaps I missed something....

Re:what about MS "Shared Source"?

[radja]

can anyone look at the source? say... me? you? any user? can I rebuild from source (if not.. how can I see that the source is indeed the same as the compiled product?)

if not everyone can look at it it's not public. if it's not verifiably the code, it's not public.

and let's face it.. Outlook has a history of being (ab)used for viruses, and will really have something to prove to rise above "least reliable".

//rdj

Re:what about MS "Shared Source"?

[kiwaiti]

In some cases, full disclosure of source code can indeed be sufficient (provided that you are sure all your binaries were compiled from these sources, using a benevolent compiler).

The ability to help them improve what you don't like and fork if they won't is not a necessary prerequisite to a security audit: you find out it is not secure enough, you don't use it if you can't fix it.

Kiwaiti

Member of the Legion Of Microsoft Haters

Re:what about MS "Shared Source"?

[kilgore_47]

Member of the Legion Of Microsoft Haters
Member of the Legion Of Microsoft Haters

A double-hater! Is there a website with info on how to become a member, or is this "legion" an unofficial group?

Re:what about MS "Shared Source"?

Of course there's a website

Re:what about MS "Shared Source"?

[kiwaiti]

Slash didn't show my .sig on preview, so I retyped it. Come to think of it, I haven't seen a single funny .sig today. Shit. Just imagine you're drunk. Users.pl tells me I should be seeing the .sigs. More crap. Sorry.

There was a website, I think it disappeared. I have been thinking about a formal resurrection of The Legion. I've been out of webspace for a moment, though (since I dropped myself out of "college").

LOMH.org might still be available. cost?

I was thinking about a structural thing, with ranks for amount of acquired recruits.

Kiwaiti
won't retype it now (hope it's there)

Re:what about MS "Shared Source"?

[kiwaiti]

Oops - lomh.org exists.

Re:what about MS "Shared Source"?

[Thing+1]

can anyone look at the source? say... me? you? any user? can I rebuild from source (if not.. how can I see that the source is indeed the same as the compiled product?)

Don't worry, Microsoft is still hiring. They'll screw up and hire someone who'll put the whole source on Freenet.

Including complete build instructions.

Re:what about MS "Shared Source"?

[SurfsUp]

can I rebuild from source

That's the key one, let's not let anyone forget it.

If you can't build the whole source for the OS, at least, every last bit of it involved in the security/communications chain, then it can't be said to be trustworthy.

This is stupid

[Reality+Master+101]

If your goal is encrypted e-mail, what does the source code have to do with anything? As long as it follows published encryption algorithms, that's all that matters. After all, if it doesn't follow the standard, then it's kind of hard to decrypt it.

I think it's a tad more important for the underlying mathematics to be tight, than to be able to view the source code implementation of an inferior algorithm.

Re:This is stupid

[blang]

But not as stupid as you.

Source code in the public domain exposes the software to scutiny. Without scrutiny, how do you know it's safe? You're just going to trust the word of any two bit software maker?

Re:This is stupid

[All+Dead+Homiez]

You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys? You have no sure way to know that your keys won't wind up:

• "Accidentally" sent packed into an IP header and sent to the NSA
• Somewhere in your swap space, because some coder doesn't know how to lock memory correctly
• Somewhere else on your hard drive, because some coder doesn't care about protecting your keys (or know what he's doing).
• Compromised in response to a malicious message that the program is trying to decrypt. Don't forget about buffer overflows.

Trusting a closed source application means that you're trusting every programmer who ever wrote a line of code for the application. When you can't see that code to make sure it's not crap, you've got a security nightmare waiting to happen.

-all dead homiez

Re:This is stupid

[SilLumTao]

I think you've missed the point entirely. If I can't see the source, how do I know the algorithms have been implemented correctly? Bugs in software can cause even the most soundproof encryption to be useless. Of course, no one would ever code a back door into their software...

Re:This is stupid

So I'm assuming you've checked the source of all the algorithms you use to make sure they're 100% correct? Right! Have fun on those Blowfish S-boxes. fuck face.

Re:This is stupid

I think you don't get it.
There is no need for oneself to check the source code, I trust the thousands of cryptography experts out there that do check the code; if they found something wrong they would make it public and I would not trust the product anymore.
If nobody can see the source code, it is uncertain if it trusful or not.

Re:This is stupid

[Reality+Master+101]

Without scrutiny, how do you know it's safe?

Because, duh, it has a well-defined input, and a well-defined output. Tell me how anything in the middle matters.

Re:This is stupid

[jayhawk88]

Tell me how anything in the middle matters.

Maybe your right...

Re:This is stupid

[SilLumTao]

So I'm assuming you've checked the source of all the algorithms you use to make sure they're 100% correct?

Honestly, no I wouldn't (because I don't use any encryption).

However, if I were a European business worried about the possibility of losing millions of dollars in trade secrets to US companies because of Echelon, I would gladly pay a few mathematicians to review and test all the source code I use. If my company is willing to do this, then so would others.

Algorithms that are too complicated (i.e. obfuscated) to understand and test might be ignored in favor of ones that are. Code that makes unexplained calls to the socket library gets trashed.

Security through obscurity is foolish as long as Echelon exits.

Re:This is stupid

[Delirium+Tremens]

> >
> > Without scrutiny, how do you know it's safe?
>
> Because, duh, it has a well-defined input, and a well-defined output.
> Tell me how anything in the middle matters.

Actually, good encrypttion is rather trying to produce anything but a well-defined output. Or do you think that a cryptanalyst's job simply consists in shifting encrypted messages a few letters left or guessing that all a's shoud be replaced by b's?
I think you have been a boy scout a bit too long ...

Re:This is stupid

[Reality+Master+101]

Actually, good encrypttion is rather trying to produce anything but a well-defined output.

It is extremely well defined. It's just not easily readable.

Remember what we're talking about here... sending a message from person to another. Unless you think the mail program is going to change the content of the message, and no one is going to notice that their messages are getting changed, then there isn't much wiggle room if the message is going to be successfully decrypted by the recipient.

Re:This is stupid

[Reality+Master+101]

You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys?

Well, this is the first reasonable point I've seen about this, and it's theoretically possible, I suppose.

But it still comes down to "who do you trust". Either you trust that someone "somwhere" has certified an open source program, or you trust that some well-known company with a good reputation has certified the program. Either way, unless you are a security expert and can verify it yourself, you are going by blind trust.

Re:This is stupid

[Stonehand]

- Bad keyphrase management, resulting in easily-cracked keyfiles should one be leaked.

- Buggy implementations that don't fail on very many test cases at all, unless you relish testing your mailer with the infinite number of possible messages.

- Bad handling of macros, attachments, and other things certain modern e-mailers try.

- Bad coding practices such as buffer overflows, which can exacerbate the above.

- Deliberate back-doors, such as automatically processing specially-formatted messages as instructions...

- Other misc bad behaviors such as eating file handles, zombie processes, and other examples of lousy coding practices.

Re:This is stupid

[Herstel]

There is no need for oneself to check the source code, I trust the thousands of cryptography experts out there that do check the code; if they found something wrong they would make it public

Having read your post I don't trust anyone any more. From now on I'll use exclusively open source security apps, and encourage others to do the same by showing them your post.

Re:This is stupid

But don't forget - the 'someone "somewhere"' who is certifying open source programs tends to be a bunch of BUGTRAQ regulars who like to feed their ego by finding security holes. The "well-known company with a good rep" might not have good code review processes, because they know that the chances of somebody poring through megabytes of compiled code and finding their mistakes is slim.

Re:This is stupid

[wishus]

Without scrutiny, how do you know it's safe?

Even then, it's only as safe if your compiler hasn't been compromised.

Re:This is stupid

[Shotgun]

How the hell do you verify the implementation of an algorithm without the source code.

Here's a sample closed source algorithm:

encrypt(msg)
{
send_msg_home(msg);
e_msg = use_unbreakable_encryption_scheme(msg);
return e_msg;
}

Don't you feel all safe and comfy with your closed source now!!

Re:This is stupid

[epsalon]

From now on I'll use exclusively open source security apps, and encourage others to do the same by showing them your post.

Actually, this is not enough. When you are dealing with sensitive information, all your apps should be open-source, this includes the OS, the libraries, and any installed software.

Why, you ask? Because any bit of closed source software could include a keylogger or screen recorder or just modify in RAM your compiled open-source program. Especially you need to fear using closed-source OS, a closed-source library, and a closed-source compiler. All can easily hide backdoors.

The French

[Shanep]

will probably kick it's citizens arses for so much as rot13'ing their emails.

Re:The French

[maroberts]

AFAIK, the French did have some rather tight laws on encryption, but the security services were told to get stuffed when the question of enforcing them came into question.

The French have this rather strange idea of puting laws on their statute books, but not implementing them in practise, as any visitor to a french kitchen restaurant will agree with regard to EU Health and Safety regulations. Its a subtle ploy to make English products hideously uncompetitive, as here we believe in implementing and enforcing every daft notion which comes out of Brussels and Frankfurt.

[ I have to say that the Resolution in the headline, though, seems to be one of the better ones! Maybe as a result of this, once a bureaucrat gets a Linux system and finds he can't play DVDs on it, maybe he'll realise that implementing the European equivalent of the DMCA is a damn stupid idea.... :-) ]

Re:The French

[Snake]

> will probably kick it's citizens arses for so much as rot13'ing their emails

Sorry, we, French, are much more enlightened than that. Basically, the government lifted most of the restrictions on cryptography.

http://www.oreilly.com/~andyo/ar/crypto_reversal .h tml

Re:The French

Until another German invasion ....

See you then.

Finally

Looks like another government is starting to advocate OSS's security. Good for them. Maybe someday companies and users will start to realize that all these hacker attacks and viruses are cause by MS's insecure software

It all boils down to trust

[All+Dead+Homiez]

This is an area where OSS really shines. Microsoft NSA key rumors aside, the truth of the matter is that it is almost impossible to audit closed source programs for backdoors and security flaws. As more and more stupid programming mistakes are discovered, more and more people will realize that OSS is the only way to go when security and/or privacy is a concern. Expect many more endorsements of OSS in the near future for this very reason.

-all dead homiez

Europe luring programmers?

[dwbryson]

It's interesting to see that Europe is more openminded towards OSS than the US is. If they do things like this.. pass legislation to encourage OSS development. I could see how programmers would see countries in the EU as kind of a haven. Especially if they didn't arrest them on site like a certain country i know of...

Re:Europe luring programmers?

[radja]

it's because we're all socialists (at least some, mainly north-americans, seem to think so)

//rdj

Re:Europe luring programmers?

Europe is more open minded about most tihngs. Don't forget, a large lump of the american population is descended from christian religious extremists ("puritans") who thought europe's society was too corrupt and materialistic...

In essence, a lot of america's genetic inheritance comes from ex-european ultra-prudes.

Re:Europe luring programmers?

You forget that many european criminals of all kinds and shapes were also sent over there as an alternative to jail or other punishments.
It explains why America has 75% of the world's lawyers, they simply ran out of job in Europe and had to go where the job is.

Re:Europe luring programmers?

[dwbryson]

Agreed. And I'm not terribly proud of it. Just think where we'd be today if the puritans hadn't come to america. We wouldn't have such rediculously immature culture viewpoints on sex and nudity.

Re:Europe luring programmers?

[mimbleton]

" lot of america's genetic inheritance comes from ex-european ultra-prudes"

Considering tremendous immigration during XIX and XX centuries there are hardly any puritan blood left in this society.

Re:Europe luring programmers?

[10am-bedtime]

definitely! i'm moving to italy in the next few years, partly because US culture is getting to be a real drag, and partly because a good number of the hackers i respect are in that time zone. (i'm serious.)

i wonder if slashdot will be around, or if there will be a slashdot.it by then...

Re:Europe luring programmers?

[RKloti]

Which society?

Do you know that blasphemy is illegal in the republic of Ireland?
If that's not puritanical, I don't know what is...

No, it isn't

[nestler]

As long as it follows published encryption algorithms, that's all that matters. After all, if it doesn't follow the standard, then it's kind of hard to decrypt it.

This is so wrong that I don't even know where to start.

The program can use published algorithms everywhere, but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program. The only way to know if the program is doing stuff like this is to READ THE SOURCE.

To trust that a security-related program does not have a back door, you need the source. Period.*

*You could try to watch outgoing network connections, but this is a hack as you may not be able to figure out what it is sending since it could be encrypted. Having the source is a much more reliable method of spotting back doors.

Re:No, it isn't

[Reality+Master+101]

but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program.

You don't think anyone is going to notice that their e-mail queue is getting twice as many messages as it should? Or that logs aren't going to anything strange? That's absurd.

Re:No, it isn't

[netsharc]

Well what if the mail-server is also closed-source, and doesn't record emails that go to the FBI in the log? :)

Re:No, it isn't

[Herstel]

You don't think anyone is going to notice that their e-mail queue is getting twice as many messages as it should? Or that logs aren't going to anything strange? That's absurd.

I'll rather use smtp and mail transport agent customized and embedded in the application just in that purpose. Sure I am not the first and the only one who came up with that idea.

Re:No, it isn't

[4of12]

Some server managers might, but, no, most casual users would not notice such things.

The story that broke a couple days ago about the divorcee whose ex-husband installed spy software on her home PC is a testimony to the obliviousness of most computer users.

The only reason he was caught was due to his own stupidity in mentioning things to his former wife's friend that could have only been known if he had installed such snooping software. Otherwise, he could peep to his heart's content.

I know lots of people with fun, useful, http-active software running all the time on their PCs (webshots, newsfeeds). It would not be such a stretch to have those programs summarize key strokes, buffer them up, and send a compressed encrypted version back via web request to an innocuous site. It could all be done under the guise of normal operations. You know, "updating..." Kind of like cookies but more intrusive. And that's just one example. You can probably think of several other ways to do it.

The earlier poster is correct. There are simply so many imaginative ways through which your security can be compromised that inspection of the actual source code is the only substantial guarantee you have.

Mixing two different things

[jmerelo]

AFAIK, Echelon wiretapping is done at the physical layer level; it has nothing to do with trapdoors in the software itself. It would still be done with Linux in every desktop, cell phone and fax machine.

Re:Mixing two different things

[sulli]

Right, but it could be more easily defeated with widespread use of strong encryption (e.g. transport mode IPSec). Use of OSS in the desktop allows the user to be confident that there are no backdoors there to circumvent such use of crypto.

secure mail idea?

[smack_attack]

end-to-end mail encryption schema/idea:

1) sender checks compliancy of target machine. if encryption protocol is installed, message is encrypted.
2) sender encrypts message.
3) single use key is stored on originating server
4) encrypted message is transported to target machine
5) target machine receives message and reads encryption headers
6) target machine requests one time key from sender
7) simple security checks, this can be spoofed I'm sure, but try and validate 8he authenticity of the one-time key request. Flag and send a message to the sender if things seem out of order, or reject request.
9) if request is valid, send key and delete one-time key from server
10) further requests will be denied (so if a message gets intercepted and someone tried to get the key, if/when the actual target tries to unencrypt, they can get a notification that the key has already been used. they have to option to flag a message back to the sender notifying them of a possible breach.

I dunno, this might work, then again I'm not a mail or encryption expert.

OSS support

[gorf]

This is very good news. The next time I find a government-connected website, (or anything funded or contracted by the government for that matter) which does not work in Mozilla, I'll be emailing them a link to this page.

Re:OSS support

[gorf]

For that matter, any time I find something that I need to download a Windows executable to get to work.

Or even services managed by regulators (ADSL, for example) should now be supported in non-Windows systems, or at least for specificatiosn to be released so that they may be.

Maybe the EU will save the Yanks' collective butt!

[jswitte]

Ever since I read that the EU was looking into anti-trust/price-fixing violations by the record and movie companies, and now are looking at M$, I think that maybe the EU will save the US from itself..

Jim

Austria still has a few prudes left

Last time I looked adultery was against the law in Austria.

I guess it must be illegal in the US because they just prosecuted a man there for polygamy, which is impossible.

After all, the law says you can't marry while you are already married, therefore you are not married to the supposed second bride. I can see the problem if someone from a muslim country came in with multiple wives (legally married elsewhere), but that was not the case with the USian guy.

So it must have been for adultery (or possibly fraud if various marriage related allowences were falsely claimed).

Re:Austria still has a few prudes left

[RKloti]

I read some of the Austrian StGB (Strafgesetzbuch = Penal Code) yesterday, and IMO there is nothing illegal about adultery there. Polygamy and incest are illegal. OTOH, there are some very questionable laws over there.

If you can read German fluently, the Austrian StGB is available here. The Swiss StGB is here and the German one is here.

US-EU relations

There's some other stuff in that document that is interesting with regards US-EU relations. For example:

The European Parliament,

[...]

9. Regards it as essential that an agreement should be negotiated and signed between the European Union and the United States stipulating that each of the two parties should observe, vis-à-vis the other, the provisions governing the protection of the privacy of citizens and the confidentiality of business communications applicable to its own citizens and firms;

10. Calls on the US to sign the Additional Protocol to the International Covenant on Civil and Political Rights, so that complaints by individuals concerning breaches of the Covenant by the US can be submitted to the Human Rights Committee set up under the Covenant; calls on the relevant American NGOs, in particular the ACLU (American Civil Liberties Union) and the EPIC (Electronic Privacy Information Center), to exert pressure on the US Administration to that end;

Hitler only followed US lead on native americans

As is well documented in Mein Kampf (1923) and biographies of the guy.

Although the British can claim the invention of concentration camps, in the Boer war.

Chop Chop poor USians

After all, most US boys have their bits chopped off. If that's not persuasive power I don't know what is.

Re:Chop Chop poor USians

After all, most US boys have their bits chopped off.

yes and because of that we are cleaner(no cheese buildup) and the exposed "head" provides both greater sensitivity for the male as well as extra stimulus for the female. In short, we Americans have better sex. It also helps that we are better looking on average than every other country in the world.

Its pretty clear why the Jews were so hated in Europe. A minority people who are richer and better educated, that steadfastly refused to lower their quality of life by trying to "fit in" with the rest of Europe. There may have been other reasons but the prime cause of anti-semitism is jealousy.

Re:Chop Chop poor USians

> the exposed "head" provides both greater
> sensitivity for the male as well as
> extra stimulus for the female.

Uh, I guess you've never seen a non-snipped
dick at work. When it rises to the occasion,
it proudly pushes the entire head clear out
of the foreskin, looking just like a snipped dick.

The only difference is that the non-snipped
head is more sensitive, since its skin doesn't
spend all day chafing against underwear.

Re:Chop Chop poor USians

..right.. ..right..

I see you have been trained well. that is all such BS. I find that whole thing so funny. THINK about it. "oh yes, we need to cut something of here because the body is better off without". It is such nonsense.

It also helps that we are better looking on average than every other country in the world.
Or maybe you are just stupid. Try to guess which country has the highest percentage of fat people.

Remember the ssh key-press timing hole?

[nowan]

The recent ssh vulnerability is a good example of why this is wrong. The encryption methods can be entirely open (hell, they can be secure, even) but the app can still end up being vulnerable because it leaks some piece of information that the programmer didn't realize was sensitive -- like the timing between key presses.

The real news here

[stuccoguy]

...is not necessarily the fact that OSS would benefit from such a move, but the fact that the EU takes the privacy of its citizens seriously and is eagerly promoting information security and encryption.

Those of us in the US, on the other hand, have principles in the government (the VP for example) who have attempted to make information security and encryption illegal.

Re:The real news here

[Shotgun]

but the fact that the EU takes the privacy of its citizens seriously and is eagerly promoting information security and encryption.

The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen my employ on pain of jail time.

What the 'EU' is truly concerned with here is that they US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by and US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

protect_privacy != protect_privacy_from_US

Re:The real news here

[Jantastic]

The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does.
The part of the 'EU', represented by people chosen in a part of the world where I live does. Why else would there be a Non-US Debian GNU/Linux then, hosted outside the US? The US (and China, Afghanistan, Iran and [your favorite dead-penalty-applying country]) restricts encryption to take away the freedom to choose the amount of privacy one uses. You cannot seperate privacy and freedom, and it differs in various parts of the world.

By 'EU' and 'US' we refer to the political power brokers of the respective organizations.
The amount of privacy/freedom legally permitted is agreed upon by these political power brokers.

...the draconian British laws that require...
The UK is, compared to other countries in Europe, closest related to the US, on various territories. Sometimes it shows. Sometimes it doesn't. Often it's humorous.

What the 'EU' is truly concerned with here is that they US may be able to spy on 'EU'
Nuff said.

Kudos for showing interest in European affairs though ;)

Re:The real news here

[SurfsUp]

The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen my employ on pain of jail time. What the 'EU' is truly concerned with here is that they US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by and US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

I can only conclude you didn't read the report. It included many recommendations aimed at enforcement of the individual's fundamental right to privacy, a concept that some Americans may find difficult to grasp. It does not seem partial to business interests at all.

Re:The real news here

[RKloti]

They may take the pivacy of their citizens seriously, but they certainly don't take the citizens' rights seriously. Especially freedom of expression, information & association. As most USians are no doubt aware, there aren't the same rigid protection of constitutional rights in European countries as there are in the USA. Some restriction of rights are permitted, which is why a lot of laws the US civil libertarians have been in arms about, like the CDA, have already been implemented in many European countries (though perhaps not quite as bad as the CDA). In some cases, there is no court to declare a law constitutional, in other cases, there is a court, but it is politically slanted and not obliged to declare laws that tread on principle freedoms unconstitutional unless they completely violate them. For example, if a theoretical law that made ISPs block everything that the goverment told them to was passed, it'd probably be declared unconstitutional. OTOH, Australia already has one of them. Good thing I don't live there anymore.
On the positive side, most of us don't have a DMCA yet, and an SSSCA is out of the question, so it's not all bad ;)

Re:Maybe the EU will save the Yanks' collective bu

[isa-kuruption]

Guess that'll be payback for WWII... and then all the money the U.S. funneled into Europe following the war to get the economy back on track.

It's good to have allies ;)

The proper solution: encrypt everything, not email

[hardaker]

You really want to encrypt everything, not just email. I'm not sure why the EU thinks encrypting just email will stop echelon from being effective. Even if echelon was was only sniffing email, they certainly would switch to sniffing other forms of communication if all email was encrypted.

The proper solution is to encrypt all your IP traffic through IPsec tunnels. Recent work within the IETF has given new ideas about how to start performing automatic IPsec connections with any host you can speak with. This is the type of solution that will help battle echelon like networks.

Re:Hitler only followed US lead on native american

[isa-kuruption]

The difference being that the U.S. didn't systematically kill off (or attempt to) a race of people... it was just forced relocation. Of course, that has happened for centuries. What happened in Europe w/ Hitler was that he affected a group of people that was so widely distributed it caused panic in other countries.

However, if Hitler *only* enslaved the Jewish people, there would have not been a WWII. It would have been a dictatorship with governmental prejudices... just like many Arabic nations nowadays where they relocate people of certain ethnic origins (e.g. the Yugoslavia, Iraq, Iran, Isreal...).

Re:Hitler only followed US lead on native american

Also, let's not forget that the Indians we so busy trying to either wipe out or otherwise dominate other tribes that they were there own worst enemies. By the time of the Trial of Tears, etc., the Iroquois Nation had decimated all the other tribes in the Ohio valley to be point that they were totally subservient to British and French traders.

The root cause of Pontiacs Revolt after the French and Indian War was that the British stopped trading with the Indians. They were furious that the British would no longer sell them alcohol or gun powder.

New protocols are not needed

Doing secure email is a solved problem; use PGP or S/MIME. We need more, easy-to-use implementations, not new protocols.

This answers another question

[rjamestaylor]

This answers another question, "Why did the Bush administration stop the MSFT breakup?". The US needs a US-based OS monopoly to insert APIs like NSA_key, FBI_tap, Jenna_beer, etc.

With European governments wise to Echelon and MSFT's complicity with the US requests to make certain back doors...it would not be in the US's best interest to speed adoption of OSS software by breaking MSFT's stranglehold on competition.

While I'm stretching a bit, I don't doubt this is inline with the thinking in Washington (or would that be Virginia?).

same code?

[simpl3x]

what is the guarantee that the code which one has access to is the exact same code which is in the shipped package? slip um a mickey! or tracking functions...

Re:The proper solution: encrypt everything, not em

[Medievalist]

The proper solution is to encrypt all your IP traffic through IPsec tunnels

But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

Correct me if I'm wrong...

--Charlie

Re:The proper solution: encrypt everything, not em

[Gregoyle]

Encrypting everything via IPsec tunnels will stop echelon specifically, but not all "attacks" such as Carnivore.

Anything that monitors the email server rather than simply sniffing traffic will be able to sidestep the IPsec tunnel (assuming we are still using email and not some p2p tunneling mail protocol). Although it would be nice and much easier to just implement IPsec across the board (and easier still once IPv6 is more widely adopted), to stop system attacks rather than just network atacks requires encrypting each message. Oh well.

Re:The proper solution: encrypt everything, not em

[hardaker]

• But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

  Correct me if I'm wrong...

I'm afraid you're wrong. IPsec has it's own method of tunneling that isn't based on GRE.

Now, what you could have noted was the internet-draft I pointed to required storing keys within secure-dns, which hasn't been deployed yet either...

France already uses OSS in a lot of things

[WillSeattle]

As anyone following the news might know, France is using Linux in most of its wiring of public schools, and many french firms are adopting OSS for their software needs.

While some posters are correct that the UK is not pro-OSS in many respects, and certainly anti-privacy, Europe is not a monolith. OSS is spreading throughout northern Europe (Scandinavia), Germany, France, Spain, Italy, and so on.

None of this will defeat Echelon, however, so long as the UK sits in the middle of the pipe, feeding any data that comes through Gibralter and England to the US. So, without strong encryption of normal traffic, and a move to IPv6sec, Echelon will continue to survive and prosper.

Who cares?

[NiGHTSFTP]

Mmmkay, so Open-Source software is better. And Microsoft is a bunch of NSA luvin bastards.
I heard this before.

(I am a very-new-newbie to linux so don't take this the wrong way)
If OSS software developers were so concerned, why is there no industrial-strength ultra crypto distro(is that the term?) of linux with really kewl desktop themes and special ZoneAlarm-type-firewall, Serv-U-FTP looking encrypted FTP & other super-duper features.

I think there was awhile back by the name of Paranoid Linux or something like that.

Why wasn't there a demand for an ultra-secure version of linux. Just because you might not be commiting computer(or other) crimes is not a reason to run an unsecure OS.

Re:Who cares?

[Ig0r]

Use debian and 'apt-get install enlightenment iptables ftpd-ssl gpg'.

There isn't really anything special in your list that hasn't been offered by most distros for years.

1337 questions in Dutch parliament

[Jantastic]

As I was updating this site [Dutch Ministry of Education, Culture and Science], I couldn't help noticing these questions [in Dutch, for Loek Hermans, minister] asked in parliament this week.
I was surprised to see some politicians here who seem to be aware of the consequences of the draconian Microsoft licensing coming up. So I decided to (try to) post some of them in english below.
Disclaimer: translating is not part of my job, I'm not an politician and I don't represent anybody. I only do www-tech-stuff, thank you.


1-4, summary:
Did the minister calculate the amount of extra millions of money needed if schools, universities, government, etc. need these new [XP-type] Microsoft licenses?

5
Which other consequences does the new operating system [Microsoft] have in combination with the new licensing system, for Kennisnet and connected schools?
(translated: Knowledgenet - an Internet-based network of primary(?) schools for kids, parents, teachers, etc.])

6
Which actions did you take in the past to inform schools about the Microsoft trap?

7
Which actions are undertaken now or in the near future to minimize negative consequences for schools? Are you willing [...] to focus their attention on alternatives like MacOS, Linux and FreeBSD?

8
How are you going to prevent that the government, and users and visitors of websites of the government, become dependant on only the Microsoft operating system?

9
Are you willing to investigate how can be assured that information from the government will remain accessible for all Internet users, despite their chosen operating system, or Internet-browser they use?


Did you notice 'the Microsoft trap' in (6)? Not just a MS trap, or another MS trap, but the one and only.
Although I like the question, I think the choice of words makes it look rather clumsy (for a politician, that is), or very MS-unfriendly. Which I find funny. I guess. :)

It usually takes months before answers are put online, unfortunately.

Re:1337 questions in Dutch parliament

Compare that to our dumb PM (here in Australia) inviting Bill Gates to a Cabinet meeting some while back.

Close, but not quite there

[gad_zuki!]

What you would really want is IPsec encryption and heavy PGP encryption on all documents going over the wire especially for common services like email, ftp transfers, etc.

Okay so you've cracked my email server now you have access to a bunch of headers and a lot of encrypted garbage. You crack my ftp server and you've got nothing but encrypted files.

Well known company...

[epsalon]

... such as Microsoft? We all know about the heaps of voulnerablities in MSFT software, and they're the largest SW company in the world and very well-known.
In any case, you would have to trust the certifier.
With a well-known open-source project, you only need to trust stastics. You only need to trust that there will be one person out of thousands that is experienced enough to find the hole and isn't looking for personal gain for covering it up (like the product vendor or an 'expert' hired by it might).
Not satsified yet? Hire your own expert to test the code.

Privacy interests - was Re:The real news here

[toominator]

Jantastic makes good points. While the EUs privacy endorsing position may give some a warm fuzzy feeling, please remember that one of their members, the UK, has no qualms whatsoever about placing cameras on every square foot of public property and that those same cameras record every activity of citizens, running their faces through FR software to determine if they should be arrested.

Geez.

Re:Hitler only followed US lead on native american

However, if Hitler *only* enslaved the Jewish people, there would have not been a WWII. It would have been a dictatorship with governmental prejudices... just like many Arabic nations nowadays where they relocate people of certain ethnic origins (e.g. the Yugoslavia, Iraq, Iran, Isreal...).

Eh?

[RKloti]

More open minded?!
Say, where exactly do you live?
Last time I checked, Europeans, or at least non-English-and-non-French-speaking-Europeans were actually quite conservative.