Slashdot Mirror


European Commission Recommends OSS to Fight Echelon

CrossRhythm writes: "The European Commission Resolution on Echelon encourages the Commission and Member States "to promote software projects whose source text is made public", to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category," and "systematically to encrypt e-mails, so that ultimately encryption becomes the norm"."

28 of 106 comments

  1. what about MS "Shared Source"? by room101 · · Score: 4, Insightful

    I may be wrong, but it sounds like MS' totally bogus "shared source" will move MS from "least reliable" to something better.

    The article is pretty long, so perhaps I missed something....

    --
    room101 -- how much can you stand before they break you?
    (they always break you eventually)
    1. Re:what about MS "Shared Source"? by radja · · Score: 2

      can anyone look at the source? say... me? you? any user? can I rebuild from source (if not.. how can I see that the source is indeed the same as the compiled product?)

      if not everyone can look at it it's not public. if it's not verifiably the code, it's not public.

      and let's face it.. Outlook has a history of being (ab)used for viruses, and will really have something to prove to rise above "least reliable".

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
    2. Re:what about MS "Shared Source"? by SurfsUp · · Score: 2
      can I rebuild from source

      That's the key one, let's not let anyone forget it.

      If you can't build the whole source for the OS, at least, every last bit of it involved in the security/communications chain, then it can't be said to be trustworthy.

      --
      Life's a bitch but somebody's gotta do it.
  2. It all boils down to trust by All+Dead+Homiez · · Score: 4, Interesting
    This is an area where OSS really shines. Microsoft NSA key rumors aside, the truth of the matter is that it is almost impossible to audit closed source programs for backdoors and security flaws. As more and more stupid programming mistakes are discovered, more and more people will realize that OSS is the only way to go when security and/or privacy is a concern. Expect many more endorsements of OSS in the near future for this very reason.

    -all dead homiez

  3. Re:This is stupid by blang · · Score: 2, Flamebait
    But not as stupid as you.


    Source code in the public domain exposes the software to scrutiny. Without scrutiny, how do you know it's safe? You're just going to trust the word of any two-bit software maker?

    --
    -- Another senseless waste of fine bytes.
  4. Europe luring programmers? by dwbryson · · Score: 4, Interesting

    It's interesting to see that Europe is more open-minded towards OSS than the US is. If they do things like this.. pass legislation to encourage OSS development. I could see how programmers would see countries in the EU as kind of a haven. Especially if they didn't arrest them on sight like a certain country I know of...

    --
    - "Never let a computer tell me shit." - DelTron Zero
    1. Re:Europe luring programmers? by radja · · Score: 2

      it's because we're all socialists (at least some, mainly north-americans, seem to think so)

      //rdj

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
  5. No, it isn't by nestler · · Score: 2, Redundant
    As long as it follows published encryption algorithms, that's all that matters. After all, if it doesn't follow the standard, then it's kind of hard to decrypt it.

    This is so wrong that I don't even know where to start.

    The program can use published algorithms everywhere, but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program. The only way to know if the program is doing stuff like this is to READ THE SOURCE.

    To trust that a security-related program does not have a back door, you need the source. Period.*

    *You could try to watch outgoing network connections, but this is a hack as you may not be able to figure out what it is sending since it could be encrypted. Having the source is a much more reliable method of spotting back doors.
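The "encrypts to a second public key" back door described in the post above can be caught from the program's output alone, because every recipient of an OpenPGP message is named by a Public-Key Encrypted Session Key packet. The following parser is an added example written for this page, not code from the post's author or from any PGP implementation; it follows the RFC 4880 packet layout, and the key IDs and message bytes are constructed for the demonstration.

```python
"""Added example (not from the thread): list the recipients baked into an
OpenPGP message, so a hidden extra recipient shows up without reading the
encrypting program's source. Packet layout follows RFC 4880; the key IDs
and the sample message below are constructed."""

# Tag numbers from RFC 4880 section 4.3.
TAG_PKESK = 1    # Public-Key Encrypted Session Key: one per recipient
TAG_SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("byte 0x%02x at offset %d is not a packet header" % (first, i))
        if first & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = first & 0x3F
            o = data[i + 1]
            if o < 192:
                length, i = o, i + 2
            elif o < 224:
                length, i = ((o - 192) << 8) + data[i + 2] + 192, i + 3
            elif o == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                 # old-format header (RFC 4880 4.2.1)
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:                    # indeterminate: runs to end of input
                length, i = len(data) - i - 1, i + 1
            else:
                width = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        yield tag, body
        i += length


def recipient_key_ids(data: bytes):
    """Return the key IDs (hex) named by every PKESK packet in the message."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == TAG_PKESK:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())   # version(1) | key ID(8) | alg(1) | MPIs
    return ids


def unexpected_recipients(data: bytes, expected_key_ids):
    """Key IDs the message can be decrypted by that you did not intend."""
    return [k for k in recipient_key_ids(data) if k not in set(expected_key_ids)]


# --- constructed sample message ---------------------------------------------
def new_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in a new-format header (RFC 4880 4.2.2)."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


def pkesk(key_id: bytes) -> bytes:
    # version 3, 8-byte key ID, algorithm 1 (RSA), one dummy 16-bit MPI
    return b"\x03" + key_id + b"\x01" + b"\x00\x10\xAB\xCD"


FRIEND_KEY_ID = bytes.fromhex("0123456789ABCDEF")   # constructed
HIDDEN_KEY_ID = bytes.fromhex("DEADBEEF00000001")   # constructed "extra" recipient

SAMPLE_MESSAGE = (
    new_packet(TAG_PKESK, pkesk(FRIEND_KEY_ID))
    # second PKESK uses an old-format header (0x80 | tag<<2, one length octet)
    + bytes([0x80 | (TAG_PKESK << 2), len(pkesk(HIDDEN_KEY_ID))]) + pkesk(HIDDEN_KEY_ID)
    + new_packet(TAG_SEIPD, b"\x01" + b"\x00" * 250)   # 251-byte body exercises the 2-octet length
)
```

`unexpected_recipients(SAMPLE_MESSAGE, ["0123456789ABCDEF"])` reports the hidden key ID; the same inspection is what `gpg --list-packets` shows on a real message. The check only covers a program that adds recipients to the message it hands you; a program that sends a separate copy elsewhere, as the post's footnote notes, needs the outgoing traffic watched as well.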

    1. Re:No, it isn't by Reality+Master+101 · · Score: 2

      but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program.

      You don't think anyone is going to notice that their e-mail queue is getting twice as many messages as it should? Or that logs aren't going to show anything strange? That's absurd.

      --
      Sometimes it's best to just let stupid people be stupid.
    2. Re:No, it isn't by 4of12 · · Score: 2

      Some server managers might, but, no, most casual users would not notice such things.

      The story that broke a couple days ago about the divorcee whose ex-husband installed spy software on her home PC is a testimony to the obliviousness of most computer users.

      The only reason he was caught was due to his own stupidity in mentioning things to his former wife's friend that could have only been known if he had installed such snooping software. Otherwise, he could peep to his heart's content.

      I know lots of people with fun, useful, http-active software running all the time on their PCs (webshots, newsfeeds). It would not be such a stretch to have those programs summarize key strokes, buffer them up, and send a compressed encrypted version back via web request to an innocuous site. It could all be done under the guise of normal operations. You know, "updating..." Kind of like cookies but more intrusive. And that's just one example. You can probably think of several other ways to do it.

      The earlier poster is correct. There are simply so many imaginative ways through which your security can be compromised that inspection of the actual source code is the only substantial guarantee you have.

      --
      "Provided by the management for your protection."
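The "updating..." cover traffic described in the post above is something a server manager can look for in proxy logs: uploads from one client to one host that recur at a near-constant interval. The following detection routine is an added example written for this page, not code from the post's author; the log format, addresses and hostnames are constructed.

```python
"""Added example (not from the thread): a defender-side check over proxy logs
for a program that phones home on a fixed schedule disguised as update
traffic. Log lines, addresses and hosts below are constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: timestamp, client IP, method, destination host, bytes sent.
SAMPLE_LOG = [
    "2001-09-07T10:00:00 10.0.0.5 POST updates.example.net 4096",
    "2001-09-07T10:00:12 10.0.0.7 GET news.example.org 0",
    "2001-09-07T10:10:00 10.0.0.5 POST updates.example.net 4096",
    "2001-09-07T10:02:00 10.0.0.7 POST mail.example.org 900",
    "2001-09-07T10:20:00 10.0.0.5 POST updates.example.net 4096",
    "2001-09-07T10:27:00 10.0.0.7 POST mail.example.org 1500",
    "2001-09-07T10:30:00 10.0.0.5 POST updates.example.net 4096",
    "2001-09-07T10:31:00 10.0.0.7 POST mail.example.org 300",
    "2001-09-07T10:40:00 10.0.0.5 POST updates.example.net 4096",
    "2001-09-07T10:00:00 10.0.0.7 POST mail.example.org 2000",
]


def parse_line(line: str) -> dict:
    ts, client, method, host, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "bytes": int(size)}


def find_beacons(lines, min_requests=4, max_cv=0.1):
    """Flag (client, host) pairs whose uploads recur at a near-constant interval.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive uploads; human-driven traffic is far more irregular.
    """
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["method"] == "POST":          # only outbound uploads matter here
            groups[(rec["client"], rec["host"])].append(rec)
    flagged = []
    for (client, host), recs in sorted(groups.items()):
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged.append({"client": client, "host": host, "requests": len(recs),
                            "interval_s": round(mean),
                            "bytes_out": sum(r["bytes"] for r in recs)})
    return flagged
```

On the sample log the 10.0.0.5 uploads every 600 seconds are flagged while the irregular mail uploads from 10.0.0.7 are not. Thresholds need tuning per site: legitimate update agents also beacon, so the output is a list to review against the software inventory, not a verdict.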
  6. Re:This is stupid by All+Dead+Homiez · · Score: 3, Informative
    You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys? You have no sure way to know that your keys won't wind up:
    • "Accidentally" sent packed into an IP header and sent to the NSA
    • Somewhere in your swap space, because some coder doesn't know how to lock memory correctly
    • Somewhere else on your hard drive, because some coder doesn't care about protecting your keys (or know what he's doing).
    • Compromised in response to a malicious message that the program is trying to decrypt. Don't forget about buffer overflows.

    Trusting a closed source application means that you're trusting every programmer who ever wrote a line of code for the application. When you can't see that code to make sure it's not crap, you've got a security nightmare waiting to happen.

    -all dead homiez

  7. Maybe the EU will save the Yanks' collective butt! by jswitte · · Score: 2, Funny

    Ever since I read that the EU was looking into anti-trust/price-fixing violations by the record and movie companies, and now are looking at M$, I think that maybe the EU will save the US from itself..

    Jim

  8. Re:Mixing two different things by sulli · · Score: 2

    Right, but it could be more easily defeated with widespread use of strong encryption (e.g. transport mode IPSec). Use of OSS in the desktop allows the user to be confident that there are no backdoors there to circumvent such use of crypto.

    --

    sulli
    RTFJ.
  9. Re:This is stupid by Delirium+Tremens · · Score: 2
    > >
    > > Without scrutiny, how do you know it's safe?
    >
    > Because, duh, it has a well-defined input, and a well-defined output.
    > Tell me how anything in the middle matters.

    Actually, good encryption is rather trying to produce anything but a well-defined output. Or do you think that a cryptanalyst's job simply consists in shifting encrypted messages a few letters left or guessing that all a's should be replaced by b's?
    I think you have been a boy scout a bit too long ...

  10. Re:This is stupid by Reality+Master+101 · · Score: 2

    You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys?

    Well, this is the first reasonable point I've seen about this, and it's theoretically possible, I suppose.

    But it still comes down to "who do you trust". Either you trust that someone "somewhere" has certified an open source program, or you trust that some well-known company with a good reputation has certified the program. Either way, unless you are a security expert and can verify it yourself, you are going by blind trust.

    --
    Sometimes it's best to just let stupid people be stupid.
  11. The proper solution: encrypt everything, not email by hardaker · · Score: 5, Interesting
    You really want to encrypt everything, not just email. I'm not sure why the EU thinks encrypting just email will stop echelon from being effective. Even if echelon was only sniffing email, they certainly would switch to sniffing other forms of communication if all email was encrypted.

    The proper solution is to encrypt all your IP traffic through IPsec tunnels. Recent work within the IETF has given new ideas about how to start performing automatic IPsec connections with any host you can speak with. This is the type of solution that will help battle echelon like networks.

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
  12. Re:This is stupid by wishus · · Score: 2
    Without scrutiny, how do you know it's safe?

    Even then, it's only safe if your compiler hasn't been compromised.

  13. This answers another question by rjamestaylor · · Score: 3, Insightful
    This answers another question, "Why did the Bush administration stop the MSFT breakup?". The US needs a US-based OS monopoly to insert APIs like NSA_key, FBI_tap, Jenna_beer, etc.

    With European governments wise to Echelon and MSFT's complicity with the US requests to make certain back doors...it would not be in the US's best interest to speed adoption of OSS software by breaking MSFT's stranglehold on competition.

    While I'm stretching a bit, I don't doubt this is in line with the thinking in Washington (or would that be Virginia?).

    --
    -- @rjamestaylor on Ello
  14. Re:The proper solution: encrypt everything, not em by Medievalist · · Score: 2
    The proper solution is to encrypt all your IP traffic through IPsec tunnels
    But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

    Correct me if I'm wrong...

    --Charlie
  15. Re:The proper solution: encrypt everything, not em by Gregoyle · · Score: 2

    Encrypting everything via IPsec tunnels will stop echelon specifically, but not all "attacks" such as Carnivore.

    Anything that monitors the email server rather than simply sniffing traffic will be able to sidestep the IPsec tunnel (assuming we are still using email and not some p2p tunneling mail protocol). Although it would be nice and much easier to just implement IPsec across the board (and easier still once IPv6 is more widely adopted), to stop system attacks rather than just network attacks requires encrypting each message. Oh well.

    --

    "He's more machine now than man, twisted and evil."

  16. Re:This is stupid by Shotgun · · Score: 2

    How the hell do you verify the implementation of an algorithm without the source code?

    Here's a sample closed source algorithm:

    /* illustrative pseudocode: the encryption is fine, the leak happens first */
    encrypt(msg)
    {
        send_msg_home(msg);                               /* plaintext goes to the vendor */
        e_msg = use_unbreakable_encryption_scheme(msg);   /* then the "secure" part */
        return e_msg;
    }

    Don't you feel all safe and comfy with your closed source now!!

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  17. Re:The proper solution: encrypt everything, not em by hardaker · · Score: 2
    • But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

      Correct me if I'm wrong...

    I'm afraid you're wrong. IPsec has its own method of tunneling that isn't based on GRE.

    Now, what you could have noted was the internet-draft I pointed to required storing keys within secure-dns, which hasn't been deployed yet either...

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
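The distinction drawn in the reply above (ESP tunnel mode carries the inner packet directly in IP protocol 50, whereas GRE is protocol 47 with a cleartext inner header) can be shown on the wire. The following packet builder and observer are an added example written for this page, not code from the post's author or from any IPsec implementation; addresses, the SPI and the "ciphertext" bytes are constructed, and no real ESP transform is applied to them.

```python
"""Added example (not from the thread): what a passive observer can read from
a GRE-encapsulated packet (RFC 2784) versus an IPsec ESP tunnel-mode packet
(RFC 4303). Addresses, SPI and the ciphertext bytes are constructed; the ESP
payload is a placeholder, not output of a real cipher."""
import socket
import struct

PROTO_TCP, PROTO_GRE, PROTO_ESP = 6, 47, 50


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    gre = struct.pack("!HH", 0x0000, 0x0800)   # no C/K/S flags, EtherType IPv4
    payload = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(payload)) + payload


def esp_tunnel(outer_src: str, outer_dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP header = SPI(4) | sequence(4); everything after it is opaque on the wire.
    payload = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(payload)) + payload


def observe(packet: bytes) -> dict:
    """Parse only what is visible without keys: outer addresses, protocol,
    ESP SPI/sequence, and, for GRE, the cleartext inner header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "inner": None}
    body = packet[ihl:]
    if proto == PROTO_GRE:
        flags, ethertype = struct.unpack("!HH", body[:4])
        # optional checksum (C), key (K) and sequence (S) fields, 4 bytes each
        offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        inner = body[offset:]
        if ethertype == 0x0800:
            view["inner"] = {"src": socket.inet_ntoa(inner[12:16]),
                             "dst": socket.inet_ntoa(inner[16:20]),
                             "proto": inner[9]}
    elif proto == PROTO_ESP:
        view["spi"], view["seq"] = struct.unpack("!II", body[:8])
    return view


# --- constructed samples -----------------------------------------------------
INNER = ipv4_header("10.1.0.2", "10.2.0.9", PROTO_TCP, 20) + b"\x00" * 20   # placeholder TCP bytes
GRE_SAMPLE = gre_encapsulate("192.0.2.1", "198.51.100.1", INNER)
ESP_SAMPLE = esp_tunnel("192.0.2.1", "198.51.100.1", 0x1234ABCD, 1, b"\x5a" * 56)  # placeholder ciphertext
```

`observe(GRE_SAMPLE)` returns the inner source and destination addresses; `observe(ESP_SAMPLE)` returns only the outer addresses, the SPI and the sequence number. That is the whole point of tunnel mode for a passive collector: which hosts are talking through the gateway pair, and what they say, is inside the opaque payload.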
  18. Re:The real news here by Shotgun · · Score: 2

    but the fact that the EU takes the privacy of its citizens seriously and is eagerly promoting information security and encryption.

    The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen may employ on pain of jail time.

    What the 'EU' is truly concerned with here is that the US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by a US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

    protect_privacy != protect_privacy_from_US

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  19. France already uses OSS in a lot of things by WillSeattle · · Score: 2, Interesting

    As anyone following the news might know, France is using Linux in most of its wiring of public schools, and many French firms are adopting OSS for their software needs.

    While some posters are correct that the UK is not pro-OSS in many respects, and certainly anti-privacy, Europe is not a monolith. OSS is spreading throughout northern Europe (Scandinavia), Germany, France, Spain, Italy, and so on.

    None of this will defeat Echelon, however, so long as the UK sits in the middle of the pipe, feeding any data that comes through Gibraltar and England to the US. So, without strong encryption of normal traffic, and a move to IPv6sec, Echelon will continue to survive and prosper.

    --
    --- Will in Seattle - What are you doing to fight the War?
  20. 1337 questions in Dutch parliament by Jantastic · · Score: 2, Interesting

    As I was updating this site [Dutch Ministry of Education, Culture and Science], I couldn't help noticing these questions [in Dutch, for Loek Hermans, minister] asked in parliament this week.
    I was surprised to see some politicians here who seem to be aware of the consequences of the draconian Microsoft licensing coming up. So I decided to (try to) post some of them in English below.
    Disclaimer: translating is not part of my job, I'm not a politician and I don't represent anybody. I only do www-tech-stuff, thank you.


    1-4, summary:
    Did the minister calculate the amount of extra millions of money needed if schools, universities, government, etc. need these new [XP-type] Microsoft licenses?

    5
    Which other consequences does the new operating system [Microsoft] have in combination with the new licensing system, for Kennisnet and connected schools?
    (translated: Knowledgenet - an Internet-based network of primary(?) schools for kids, parents, teachers, etc.])

    6
    Which actions did you take in the past to inform schools about the Microsoft trap?

    7
    Which actions are undertaken now or in the near future to minimize negative consequences for schools? Are you willing [...] to focus their attention on alternatives like MacOS, Linux and FreeBSD?

    8
    How are you going to prevent that the government, and users and visitors of websites of the government, become dependent on only the Microsoft operating system?

    9
    Are you willing to investigate how it can be assured that information from the government will remain accessible for all Internet users, despite their chosen operating system, or Internet-browser they use?


    Did you notice 'the Microsoft trap' in (6)? Not just a MS trap, or another MS trap, but the one and only.
    Although I like the question, I think the choice of words makes it look rather clumsy (for a politician, that is), or very MS-unfriendly. Which I find funny. I guess. :)

    It usually takes months before answers are put online, unfortunately.

    --
    ...a fact which for the sake of a quiet life most people tend to ignore ~H2G2
  21. Close, but not quite there by gad_zuki! · · Score: 2

    What you would really want is IPsec encryption and heavy PGP encryption on all documents going over the wire especially for common services like email, ftp transfers, etc.

    Okay so you've cracked my email server now you have access to a bunch of headers and a lot of encrypted garbage. You crack my ftp server and you've got nothing but encrypted files.

  22. Re:The real news here by SurfsUp · · Score: 2
    The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen may employ on pain of jail time. What the 'EU' is truly concerned with here is that the US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by a US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

    I can only conclude you didn't read the report. It included many recommendations aimed at enforcement of the individual's fundamental right to privacy, a concept that some Americans may find difficult to grasp. It does not seem partial to business interests at all.

    --
    Life's a bitch but somebody's gotta do it.
  23. Re:Who cares? by Ig0r · · Score: 2

    Use debian and 'apt-get install enlightenment iptables ftpd-ssl gpg'.

    There isn't really anything special in your list that hasn't been offered by most distros for years.

    --
    Soma: because a gramme is better than a damn.