Slashdot Mirror
Safeguarding Data From Big Brother Sven?
An anonymous reader writes "Now that the Swedish government (in its infinite wisdom) has passed a law allowing them to monitor email traffic, a question that I think a lot of people are asking (or at least should be asking) is: 'What can I do to improve my privacy?' The answer is not obvious.
So, what are the best solutions for seamless email encryption, search privacy, etc? What are your experiences with PGP vs GPG vs ...? In this day and age, why is the use of this type of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools? Also, what is in your opinion the largest privacy concern? Search tracking? Email transfer?
I believe this is an interesting question not only for Swedes, but for everyone. Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance."
Reader j1976 writes with a related question: "For most users with email addresses within large organizations, implementing their own email encryption scheme is not feasible, partly because of the technological aspects, but also since users in organizations often do not have administrative access to their workstations. What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?"
I wonder how this affects people using Relakks. If the US intelligence agencies will get access to the data, it wont be long until the MPAA/RIAA get access to it also.
Many of the financial service companies I contracted for have only been sending sensitive mail to maybe a half dozen clients. It's reasonably easy if the two IT departments get together to establish secure tunnels at the organisation level for transferring mail between them. Doesn't protect the mail outside these of course but it's a reasonably quick solution and effective if enforced with policies within the workgroup about what is and isn't permissible in an email. Requires no extra software and is easy to set up and manage.
One of the things we need to add is SMTP over SSL. It won't prevent all snooping, but at least between 2 people that trust each other, no snooping happens on the path between.
now we need to go OSS in diesel cars
...(Of all places) there was a pretty good segment this morning regarding email encryption, even including a short interview with Phil Zimmerman. What was VERY interesting about it, to me, was the attitudes of the "man / woman in the internet cafe'" interviews they did, and how most people just "didn't care" about privacy issues regarding email. One fellow naively stated "I try to live my life in such a way that no one would have an issue with what I do." In my opinion, though, what YOU or I might consider innocuous might garner unwanted attention from government. As we are headed seemingly toward a more "European" philosophy here in the USA where the government assumes the duties of "personal watchdog" over your "lifestyle," what you eat, what you drink or smoke, what you teach your kids, etc., this would seem to be a foolhardy attitude.
Any technology distinguishable from magic is insufficiently advanced.
Because no matter what country you live in some of your Internet traffic is likely to pass through Sweden. They snoop and tell your government about your stash of __________ (insert your own illegal/grey market goods etc. here). Wala - your government has "proof" you are engaged in illegal activity and busts down your door. Moreover, you apparently haven't been watching the news regarding the change in behavior people exhibit when they know/think they are being watched.
Only terrorists have anything to fear from this! Are you a terrorist?
Yeah, it's turning into an old joke now, but, sadly (and in the words of Homer J.) it's funny 'cause it's true. Sort of (the perception, not the reality).
As for the "why are privacy technologies so limited?" question I think that probably, though not certainly, has something to do with Phil Zimmerman's experiences; I'm not sure, but I suspect that the prospect of criminal investigation puts many people off researching privacy technologies.
I think we're rather naïve if we believe, that Sweden is the only country in the Western world to do this. They're just (one of) the first to be honest about it.
As the submitter points out, you cannot be sure where your data is being sent on the route between you and your recipient. For all you know your "Dear Mom" email might go through Sweden, the US, the UK, Denmark, Russia and China even though you live within 50 km of eachother.
And your Skype call? Well, that's likely to do the same thing with its routing feature.
Your SSL connection isn't any safer from snooping - not sure about MitM attacks, but if you're just listening in, do you really need to be a MitM?
We do not live in the 21st century. We live in the 20 second century.
Linus is from Finland,/a>.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I use s/mime and gpg. I have for years.. but I believe this is too much of a hassle for people who can't even figure out Yahoo Mail or tell the difference between Internet Explorer and Firefox.
Some time ago I suggested someone write a thunderbird extension that was a "one click" encryption setup. On clicking "encrypt" it would create a gpg key > send the pub key to a key server > and if it does not have someone elses key it can suggest thunderbird and itself to that person.
I know this is not a good way to do this, but I can't see people using pgp/gpg it any other way.
Bringing liberty to the masses. - http://freetalklive.com/
He's getting rather old, but he's a good mouse.
How about browser and mail client extensions that run a lookup on the A or MX and show the user a warning when sending requests/mail to a box located in Sweden.
Obviously it doesn't cover routes but it's a start.
If you pass the SSL keys between two corporate Exchange servers, you can have all communication between them be encrypted.
However, not everyone runs Exchange, and not everyone is willing to set dedicated send/receive connectors.
SMTP over SSL/TLS would be a great thing. Its already implemented, but few mail servers take advantage of this.
EFF running story on 9th Circuit Court of Appeals ruling that email and text messages should be considered private, subscribers cannot get the ISPs to release without user consent or a warrant. At least in the U.S. email at work, as long as its 3rd party, cannot be released to your boss. Not entirely on point, but as far as privacy is concerned, this is at least a step in the right direction. http://www.eff.org/deeplinks/2008/06/new-ninth-circuit-case-protects-text-message-priva
I'm not sure that follows. In all the cases I recall the outgoing mail servers were running Exchange or Sendmail (with one looking at migrating to Exim). There are bolt on packages for all three that do encrpytion serverside if you want to go to the trouble and the expense in money and support time. The reason they didn't move in at least one case was that the servers couldn't easily cope with a large increase in the processing load to encrypt the messages.
I'm an uncultured idiot, you insensitive clod!
It's too complex for most. If it were as simple as me putting code on my machine and sending encrypted emails to my family and friends I would do it. Sadly, I have to step them ALL though putting GPG or PGP onto their machines, creating a pair of keys then sending my and all of their friends their public key. Want to place bets how many of them would send their private key themselves?
If MS would simplify it and make all of this just happen. I bet that there would be a big gaping hole for the gov't to make use of. Not to mention the security holes that would go along with it as well.
-- Many men would appreciate a woman's mind more if they could fondle it
And CC all of your email to the everyone in charge of this agency. Any good patriot should do this, just be sure the nation is secure even if the email monitoring system goes down.
There is no "seamless" encryption method that will give you enough protection. Sorry.
However, there are plenty of options if you're willing to do just a little work.
Install GPG or PGP. I use GPG because I can give it away legally to my friends who are less technically saavy and it works on Linux, OS X, and Windows.
Enigmail will integrate nicely into Mozilla's emailer and automate nearly everything once you have the person's public key. It will even notice who your recipient is and automatically pick the correct key.
There is something similar for the OS X Mail application (and I have it installed) but I don't remember the name of the application. It's not as bright as Enigmail and won't figure out who the recepient is automatically and pick the correct key.
FireGPG is a plug-in for FireFox (and it works for "Mozilla" because the web browser _is_ FireFox) that will allow you to use GPG with GMail.
I have an email account in which _all_ of the traffic is encrypted because I use these tools. I never send anything unencrypted on that account.
It's not seamless, but it's not that hard and it is not very intrusive.
I do not know if I should pity you because of your government reading your emails or if I should at least feel happy for you that they are honest enough to admit it (supposedly) before starting. Either way, I doubt things are any better here in the USA.
I find it amusing that the CAPTCHA is "incided", as in this new law inciting a riot.
The reason PGP, and GPG as well, fail is because PKI is just too difficult to setup and maintain. I'm sure some nerd who lives in his mom's basement is going to contest this but the fact remains it's too difficult to do in most corporations let alone end users. Making a key, remembering the password, managing keys, revoking keys, it's all just a total pain in the ass. If you truly want secure email for the masses it has to be transparent. This is just a given. People are not going to do PKI. This is the main reason we don't have mass adoption of PGP encrypted email.
The second reason and it's to a lesser extent but still a strong motivator IMO for the lack of secure options for communication are that corporations and governments don't WANT secure applications being adopted. How else can the government spy on you or corporations steal secrets from each other if things are encrypted. This isn't paranoid fantasy land I live in. I don't think any intelligent person today doesn't know especially over the last 8 years that the governments are doing everything they can to spy on you, record you, monitor you and track you. Wether its the TSA, DHS, warrant-less wiretapping whatever we are living in a 1984'esqe society. Seamless and mass adoption of strong encryption and anonymity by the masses would *seriously* curtail their ability to spy on you and find dissidents and evil doers who read catcher in the rye. So IMO these are the two strongest compelling reasons we don't have encryption for the masses yet. Phil's ZFone project is a good step in the right direction though.
More people need to use these. Operating without a centralized Certificate Authority, GPG really depends on there being sufficient users to establish a web of trust.
I think people (in the US at least) either don't understand the simplicity of sniffing cleartext, or don't think they care. The aggravating part is that GPG can be really easy to use. Apps like Seahorse make key and keyring management trivial. There's a great Thunderbird plugin that makes signing and/or encrypting your mail no harder than it was before. (Yes, I know not everyone uses Linux and Thunderbird, but I trust GPG tools exist for other OSs/email clients)
Given a safe and ubiquitous encryption scheme, I can't think any reasons for sending text/data in the clear. Now all we need is a ubiquitous encryption scheme.
I can't remember the last time I forgot anything.
Because most average people don't understand what is going on and still have that 'i'm not doing anything wrong' mentality.
And the few that do, dont understand how to mitigate it.
That 2nd is a problem for us techies too, as one way encryption is pretty worthless for communication.
---- Booth was a patriot ----
The fact that the majority of people will happily give up all manner of private information in exchange for a few pennies off the price of a carton of milk. If the threat of identity theft doesn't make people more conscious of their privacy, I doubt the threat of their government reading their email will.
I don't care why you're posting AC
You need to use a proxy that encrypts all traffic to and from you and it. Try dipconsultants.com ...I use it and it's very fast.
You make a fundamental assumption that there are no stupid criminals or stupid terrorists. Yes, *some* terrorists and criminals are smart enough to encrypt their emails. But I'm sure there really are people out there stupid enough to talk about their criminal plans/exploits in plaintext email, or plaintext IMs, because they are just stupid. The Swedish government, will, no doubt catch some of those stupid criminals through such spying on email, then point to those cases whenever they talk to the media/public about why this is a 'good thing'.
As with any invasive authoritarian law, the government can always present anecdotal examples of it 'working', and so 'justify' the law, despite the fact that it's fundamentally a bad law, and probably not necessary.
It is an unhappy prime.
True, but from the Swedish speaking minority of Finns.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
I agree , although for most windows users if you want (free) privacy you have to install X number of programs for gpg e.g. I think for the common user this is to much of not only a hassle but a technical burden gpg for example.
1.Install gpg4win
2. Thunderbird (or equivilent free email client)
3.) Extensions for email ( case Thunderbird)
4.) make keys
5.) configure programs, get other users pub key etc etc.
This is to much for normal Joe by step 3 or 4 the normal Joe has given up.
If this would be automised or somehow integrated into a email client , I think we would see email encryption more widely used. Although through the automation process problems can arise, security hole here , and their, because all these process's have to be linked automated etc. etc
Whereas with a nix distro, most users are tech orientated, after adding the correct repos or (with some distros these things are even default installed gpg for e.g.) then the only thing left is to configure, which really is pretty painless to the tech user who knows what hes doing in the first place.
Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance." If anything the Swedes are latecomers to this sort of monitoring. It's tough for a politician to resist that sort of power since it requires great strength of character. Our politicians in the USA are the weakest.
This is a perfect use for something like DIP Secure Browser (dipconsultants.com). It encrypt everything on disk, such as your history logs and bookmarks, there's nothing for Big Brother to see. Also, if you use it with their proxy service, all your internet traffic is also encrypted. Take a look
Don't mod this guy down. He's right. The reason people don't use public-private key cryptography is because they don't know what the hell it even is. Unfortunately, explaining why it's a good idea to a non-geek would be just as hard as explaining that even though that popup is flashy and says "Free Awesome Smileys", it's actually a Bad Thing.
You are quite correct. It's scary, but you're right. The thing that is frightening is not the fact that there are stupid criminals, like my favourite example of the night-time purse snatcher with the light-up trainers, but that these stupid criminals who are not bright enough to use encryption will be used as "proof" that this new invasive law "works".
I am quite confident that this _will_ be abused. There is an established history of laws like this being abused, such as that anti-terrorist law that was used against that family in the UK with regard to someone thinking they were registering their kid in the wrong school or some such non-terrorist activity. I'm saddened to see this happening to Sweden, or to any other country. I'm fairly confident it's already happening here in the USA to a much wider degree than most would suspect.
it is not that you don't deserve privacy, it is that privacy is philosophically impossible on a wide open network. such that giving up on the notion of privacy on the internet isn't cynical and defeatist, it is merely being realistic. in fact, fighting for privacy on the internet is not heroic and idealistic, it is simply gullible and naive and ignorant of the subject matter
if you take a large, open, sprawling network, there is no law or safeguard that can protect you from eavesdropping. forget the government for a moment, what about companies? what about technically astute oddballs? what about aspects of any country's government that does whatever the hell they want to regardless of what the goody two shoes in the legislature say? what about governments of other countries the network passes through? etc., etc.
let us say sweden instead passed a massive ANTI-eavesdropping law instead of the law it did pass. ok, are you going to celebrate? why? are there people out there who actually believe this would protect them from eavesdropping? who are you and what about the concept of a "vast open network" do you not understand?
the news of what the swedish government did is treated as if it were a ton of bricks here. folks: absolutely nothing has changed, and no law will ever protect you. ever. its called a sprawling, open network. its not a bank vault. your info, once it goes on the wire, is open season for snooping, is subject to thousands of different vectors for attack. by all sorts of entities
and there is no technological or legal to fix to that that does not also break what you like about the network in the first place: its openness. thats the downside to being open, call it a twist on the concept of the tragedy of the commons. its free for you to do anything you want... but that means it is also free for more nefarious interests to do whatever they want to to. there is no way to act against such nefarious interests that does not also somehow inconvenience what you like about the network at the same time
the solution? STOP ASSUMING PRIVACY ON AN OPEN NETOWRK IS POSSIBLE OR EVEN A VALID CONCEPT FOR YOU TO CONSIDER
seriously, get over it. privacy on the internet is a philosophical impossibility
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
A tech answer to this question may leave you wanting. The best way to protect your privacy is to make it illegal again for the government to infringe on it. Sweden is a parliamentary democracy that has to answer to the people. Organize and get involved in your government. Just don't do it over email for now.
The solution is to migrate TCP/IP to a public key system. The entire protocol.
Burn Hollywood Burn
I'll go out on a limb and predict that in 5 yrs or less time, encryption will be a 'self admission of guilt' to ALL governments.
....so depressing ;(
I really hope I'm wrong. but the trend is there if you just look.
we already have people saying 'if you are not a terrorist, you should have nothing to hide'. this is just a half step away from saying 'if you DO use encryption, you MUST be hiding something that we should see'.
mark my words.
you may think that you are out-smarting the governments but they have the money, the guns and all the power. and they're NOT about to give this bit of power (over the people) up.
if you encrypt a laptop and pass thru customs, you are FORCED to reveal your password or at the least, 'open' the disk for them to view the contents of. so tell me, how did encryption help here?
don't give me that crap about truecrypt, either. how long will it take before their border people know how to detect this?
--
"It is now safe to switch off your computer."
Sadly, not enough people care about the loss of privacy rights to change this. Look at all the people that say "I don't care, I have nothing to hide."
They snoop and tell your government about your stash of _blackjack-playing, postmoking hookers_ (I'm in the US). Wala - your government has "proof" you are engaged in illegal activity and busts down your door.
Although I agree with your comment, just putting in an email, slashdot comment, or even one of my journals can't get the FBI and DEA and whatever anti-prostitution agency to break down my door. Otherwise it seems they already would have, as although I'm no gambler, my slashdot journals often feature potsmoking and hookers. Maybe I should add some blackjack.
However, adultery is NOT against the law. Do you want your wife to find the email you sent to your girlfriend because Sweden seems to be as anti-freedom as America?
(OT but related; why is it legal for me to fuck my congressman's wife, but illegal for me to pay her for it?)
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
If you want software to do the same in Windows, it is available for free as well.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Some even think it a virtue to live an 'open life' and not do anything they would not mind seeing in public.
Since they are the future, it is no wonder that software vendors have little incentive to invest money in a product/feature that has no future market going forward.
Wala? It's "voila" you uncultured idiot
It is? Wow, learn something new every day. Am I cultured now, or do I need more yeast?
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
The Pirate Bay seems to have the right idea. Take the governemt to court, start legal procedings.
If this is anything like the other PirateBay cases i can't wait to see the legal corrispondance.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
Users of MySpace/Facebook etc. have clearly demonstrated by their actions that they don't care at all about their privacy.
Patients have clearly demonstrated by their actions that they don't care at all about their privacy. After all they keep getting sick all the time, and visiting hospitals containing busy emergency rooms full of all kinds of undesirables - and that's just the staff!....
I think the key word, as always, is CHOICE. Do you really propose that society accept your views on privacy with an argument based on what some teenagers are willing to do on "myspace"?
Seven puppies were harmed during the making of this post.
http://en.wikipedia.org/wiki/Off-the-Record_Messaging
There are plug-ins available for it. OTR has some nice properties including the fact that messages are encrypted, but still deniable. What this means is an eavesdropper cannot read what you write, but at some later time an attacker with an unencrypted copy of the conversation cannot prove that you wrote it.
The goal of the project is to provide a level of security similar to meeting in a private place an d talking. Privacy without a paper trail.
http://www.cypherpunks.ca/otr/
Aside from the usual reason of apathy, we have a (relatively) new, technical problem with securing email: a lot of people are using webmail.
That development was a technological step backwards: moving from specialized client software (mail reader) that understands what it is working on, to a generic tool (web browser). It's hard for a web browser to be able to understand that this piece of an web page is a PGP block, and this part is just UI, and that's assuming that it even has the whole message to work with (i.e. the web server actually sends all the PGP/MIME attachments, instead of presenting a nice webby interface that presents the message parts separately).
I have heard of a Firefox extension (damn, I can't remember the name) that can encrypt and decrypt pieces of web pages or textareas, but that sort of thing is always going to be hacky and cumbersome compared to a real mailreader, so I think that puts us at a disadvantage, compared to the situation ten years ago.
Discourage webmail. Webmail is creating a network effect that is a barrier to securing email.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Live in sweden: secure VPN out of sweden first :)
Easy thing to do, really no companies however offer this service
Pulsed Media Seedboxes
all they need to do is map his circle of friends, like you said, without even knowing what was said, just by finding the identity of two people in a conversation. thats good enough for them in most espionage work, because then they just focus on other communication channels to find something unencrypted and damaging
in other words, even if your communication was immune from being cracked by the world's finest supercomputers, you essentially have no protection from their eyes on an open network. you simply have no protection. its a myth. no law will protect you. stop clinging to an impossible notion
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
When the state wants to read your e-mail, you have these choices: 'oops, it was accidentally deleted, our bad', let them read it, go to jail. If you try to 'cheat' the system by encrypting your mail, then they can simply pass a law that enforces you handing over the password. If you resist, you get X years in jail automatically even if you are innocent of the original offence. Clearly, only the guilty have secrets to hide. Or so will be the slogan the politicians will use to pacify any large resistance.
When the state no longer protects your privacy or freedom you are left to protect it yourself. Usually it takes a revolution of some kind to develop a meaningful force to fight such a powerful state. Frankly, I'm not ready to die to stop the DHS from reading my e-mail. When enough people would rather be killed than submit a password to the authority, then we can hit the gigantic reset button and start over.
In the mean time, have fun with your various political processes. Some of them just won't quit even if you kill -9 them. You gotta reboot eventually. 200 years is a pretty good uptime, really.
Instead of emailing them a message, why not put the message on your secure server and email them a link.
When they follow the link they can be prompted for a password that you have pre-arranged over the phone. From there they could securely download and read the email, or go further and download and install certificates and keys that you had created that could be used for future communication.
It seems unlikely to me that the Swedish government would bug phone calls as well as the internet - especially if neither the sender or the recipient lived in Sweden. Even if they are, how likely is it that they would connect the dots. They are probably only doing this because it is easy, low-hanging intelligence. But if you are paranoid, I'm sure you could find a way to do the initial key exchange sub rosa.
Or are you spamming ?
Nullius in verba
and it takes some legislation that some people don't like to raise awareness?
./ is not a good start. Let me give you a tip. Your politically most powerful users in your organization will probably kill the project as soon as they understand it will change the way they work. Nevermind that it would be a minor change. That's not the point. The point is they don't want to be on the receiving end of this change. Which, will **irreparably** harm your career prospects.
I've used PGP encrypted attachments for years. Works great.
SMTP over TLS is a good start. TLS is supposed to replace ssl, but who knows when that will happen. If you want to get mad-tricky, there's stunnel.
VOIP over TLS is another good start. It's not widely implemented, but widely available.
Chat can also be handled over TLS. Either through a VOIP softphone which is widely available or possibly XMPP.
If I offered TLS services for chat, VOIP and email, for a $5/month, exactly how many takers would there be? Not enough to be worth my trouble and the crypto-overhead when you get into lots of users. Which is why it isn't widely available.
As for Reader j1976, getting free advice on
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
There are search proxies to google which would guard your search traffic. Unfortunately that means you have to trust Scroogle on top of everything else, and of course, if you click on any of the results, you'll go to the target page in the clear.
Why does Google not want to provide an SSL search page? It could only be a benefit to their users.
I also have no idea why more people don't use GPG/PGP. Ease of use has come a long way, at least in Thunderbird. I find the Outlook and Mail.app plugins that are currently available lacking in the area of non-annoyance.
I like music
hafta ) bork bork brok!
Only on slashdot would a positive reference to Linus Torvalds be moderated tr- um, no, wait a minute... um, wait, where am I?
Proud neuron in the Slashdot hivemind since 2002.
anything that passes onto an open network
which is my whole point
(rolls eyes)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Think about the sheer volume of email sent every hour of every day. Who is actually reading it? Likely, governments have automatic searches for certain key words or phrases (perhaps with some sort of algorithm for finding things close to those words or phrases as well), then messages containing those particular things will be flagged and sent into another filter process, then sent to someone to actually read. And email isn't all they'd be monitoring, either. Add to that volume phone calls, internet posts and any other forms of eavesdroppable communication, and you have a completely unmanageable amount of information without some serious filtering going on. All of which means that a small fraction of a percent of communications could ever truly be thoroughly monitored.
/.), no government will ever read your emails.
Realistically, unless you write anything that you probably shouldn't be writing about in the first place or live in a country that's totalitarian in nature (in which case you're probably not on
Of course, there's always hackers looking for personal information, business secrets, et cetera. Though if you send anything of that sort in an email, you deserve what you get.
There, spelled like here (ere), indicates location.
Their, Possessive.
The're, contraction of they are.
GET IT RIGHT! They're, contraction of 'they are'.
The're, not a word.
GET IT RIGHT!
Spelling mistakes, grammatical errors, and stupid comments are intentional.
There, spelled like here (ere), indicates location.
Their, Possessive.
They're, contraction of they are. GET IT RIGHT! There. Fixed that for you. : )
What day is it? Could you please tell me?
oh come on get a S/MIME cert from one of the big providers and worry less S/MIME is in outlook and apple mail... etc NO PLUGIN needed !
please simply use a standard !
http://en.wikipedia.org/wiki/S/MIME
regards
John Jones
http://www.johnjones.me.uk
I could, actually, really really, provide "encrypted" email, VOIP and chat over TLS. Easily since I already do it for myself and some family members.
If I charged $5/month for 5 addresses I'm pretty sure I wouldn't get enough takers to make it worth my time.
I'd like to hear otherwise.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
why is the use of this type of privacy technologies still so limited?
Several reasons:
Education. Most people that use email don't know what RSA, GPG or PGP is. Let alone the dozens of possible other ciphers available. These people also blissfully wandering around thinking their government is an effective, benevolent provider that keeps them safe so they don't even need encryption or privacy laws. (see: Nanny State). (Instead of the wasteful, corrupt, abusive, ignorant farce that it is.) Polls show that less than 1/4 of Americans know that there is no right to privacy (constitutionaly. The fourth amendment does not provide a right TO privacy; it only provides a right FROM search and seizure under certain conditions.) The rest of them think they have some such right and the government is upholding it, they don't need to encrypt their stuff. Besides [encryption is only for people breaking the law; if you aren't then you have nothing to hide.] lemma: People will not use something if they don't know they have a need for it or if it exists.
Ease of use. Have you ever tried to figured out how to be your own SSL Certificate Authority? or what that even means? I mean Christ, the openssl tool couldn't be any more complicated. Very few people can figure out and feel comfortable with creating, signing and maintaining keys and certificates correctly. Lemma: People will not use something that is confusing.
Guidance. Ever have a certificate/key fail to authenticate? Was the error/info helpful to somebody who doesn't understand the implementation details? No. When your VPN fails to connect or your message fails to decrypt is when I've seen some of the worst feedback presented to a user ever. We need to start practicing an intelligent feedback, one that diagnosis the problem and tells the user specifically what must be changed to solve the problem, not what the problem was. Tell people solutions, they already know a problem exists. Lemma: People will not use something that they cannot correct malfunctions with.
Standardization. PGP is not GPG. Not all mail agents support the same set of encryption capabilities. When sending a message you cannot be sure the recipient can read it no matter what you choose. As the receiver you are going to receive items that are incompatible with you. The result is pressure on ALL users not to use any encryption so that everybody is known to be using the same standard. Lemma: People will not use something [that interacts with all others] unless everybody else is using it.
Transparency. Install this, configure that, click this button, enter your password... People do not want to put this much effort into reading a piece of mail. I'm a security nut and I still hate typing my passwords the fifty times a day that I do. We need to make systems that are as transparent as possible. The user either has to never know they're using it, or they have to be expected to configure it only once and then never have to worry about it. Lemma: People will not use something that annoys them, especially repeatedly.
Too many choices. Which cipher do you want? Do you know why? Would you like RSA or DSA? How many bits? Would you like that in binary or ASCII armor? This detracts from a user's ability to be comfortable with a choice and as such they won't make one. Lemma: People will not use something if they aren't comfortable picking it.
Distribution. For PGP/GPG you need to distribute keys effectively (and transparently). This has not been solved adequately. Lemma: People will not use something that isn't available.
Economy. People do not want to pay for keys and certificates. While Verisign and others provide trusted stores where keys could be distributed the finance changes they enact are prohibitive for normal people. Yes, I know there exists free ones. But they aren't included in the root certificate databases of applications. You can add them but as I said earlier: you just crossed the line of ease of use that a user isn't going to cross
I will never live for sake of another man, nor ask another man to live for mine.
For casual messaging, the penny postcard was simple, reliable, and cheap, but no more private than a party line phone call or a ten word telegram.
680 million postcards were mailed in 1908 - when the US population was 89 million. The History of Postcards
Secure channels of communication do not remain secure when they are used for trivial reasons. Secure channels are bypassed when they introduce unwanted and unneeded layers of complexity.
To make this work and keep it simple you have to persuade all your correspondents to use and maintain the same system.
That isn't going to happen outside the institutional or corporate environment.
But on the other hand, things like factory labor in foreign countries/blood diamonds/etc, they won't outlaw those goods even though there are cases of much worse abuse when making them. Guess it all depends on who defines the word abuse and where the profits go?
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.
The "cat is out of the bag" as far as government electronic snooping is concerned.
Look at how "low-tech" the 9/11 attack was. Fake IDs and boxcutters.
Does anyone really believe that Terrorists are still using email and cellphones(other then bomb triggers)?
My guess is they have gone back to face-to-face MeatMeetings and good old SnailMail(with re-posting networks) in conjunction with simple codewords.
That being said, I seriously doubt all this Security "Theater" is aimed at Terrorists, if, indeed, it is more then theater. My guess is that it is all to head off the "revolution" by average citizens when they snap out of complacency.
17 is a cussword in Swedish. Incidentally, so is 1000. It's true, ask anyone from Sweden. In Sweden, 17 is also the most random number. If you need to make up statistics, it's traditional to use 17. Much like if you need a name for a method when discussing programming, you use "foo". I've seen university level math exams where every answer was 17. The professor had a wonderful sense of humor.
Well with half a dozen only, it's easy to drive over and deliver it by hand... that was one of the main attractions for the places I worked at - manual key exchange was feasible and secure.
Visual IRC: Fast. Powerful. Free.
Wait wait.. I got it... so lets see... the Swedish are bad when they spy on you and behave like good little socialists, but they're GOOD when they "tax the rich" like the good little socialists they are... (which includes pretty much anyone that has any means of production, their own or someone else's).
I fail to understand the hypocritical nature of socialists... its good when they fuck your neighbor, cause his car is nicer, but its bad when they spy on you so they can fuck you if they find out you've got a nice car too.
Oh well, the stupidity of the masses. Some day people might even wake up. I'm not holding my breath.
" What luck for rulers that men do not think" - Adolf Hitler
The folks there are going to get Swedened ;)
The problem with encryption and GPG\PGP is that most people are already totally overwhelmed by the flood of passwords they have to remember and in order for encryption you need long passphrases. Mine are 20+ characters and not even hi-security but I can't expect any user to remember such awkward combinations. I guess there will be no real encryption in email or IM until all computer users feel a personal urge to secure their privacy and make the sacrifice of remembering secure passkeys. Maybe Google should make encryption of emails and key management an integral part of their email service. But wait, it's an American company ... will never happen.
me: "OPEN. NETWORK. UNDERSTAND THE IMPLICATIONS?"
you: "well, make believe we could have an open network that miraculously acted like a closed network using miraculous so far nonexistent technology we will miraculously graft into the heart of the internet 30 years after the fact...
zzz
dude, it's very simple. it's not a technological issue, its a philosophical issue. when you have an OPEN network, you have all of these benefits that have made the internet the roaring success it is. into this situation you cannot introduce concepts of a CLOSED network that DOES NOT ALSO DESTROY THAT WHICH MAKES THE INTERNET ATTRACTIVE
get a stiff drink, think about that fact, then say something. do not try to talk about technological "solutions" that boil down to nothing more than a closed network, that thereby nullify any of the benefits of the internet. yes: you can cure the wart on your hand by cutting off your arm. but one would tend to want to keep the arm. that's what making the network closed does. get it?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Well, if that government is Swedish Borg and looks like the femme fatale Annika Seven of Nine, then they can tunnel me and my data all the time...
(Seven: Ensign Kim, would you like to have sex?
Kim: (Flustered) Bwa, bwa, why do you ask THAT?
Seven: Your perspiration has increased, your pupils are dilated, your temperature has elevated, and you are emitting pheromones. Those are common indicators in your species...)
Oh, and if you want to read FANFICTION about 7 of 9...
http://www.geocities.com/voyagerbluealert/VOYORGY.html
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Exploring ones sexuality, researching substances the government deems illegal for responsible adults or expressing dissent. Those all come to mind as activities best undertaken without someone looking over your shoulder.
On the Oregon Cost born and raised, On the beach is where I spent most of my days
As I have said before, encryption is not the answer. What the Swedish authorities wanted was the ability to monitor all communications as opposed to just airborne traffic.
Encryption or not, you are still exposing your entire network of contact through your text, email, phone and IM traffic.
That's what's interesting and that's what the swedish law is all about. The rest is just the shroud to get it through.
If you can build sociograms of every citizen, you have the information and power required to do almost anything.
"So, how would you like it if we told your wife to contacted last night?"
"I know contacted you. Either we put you at gitmo or you stay quiet"
This is as disaster actually.
Taking care of ones citizenry via programs funded by the entire population for the 'greater good' seems to me to have little to do with spying on ones citizens to such a dramatic extent.
But then again you were simply looking to bash ideas you are disagree with.
On the Oregon Cost born and raised, On the beach is where I spent most of my days
In each computer desktop, laptop, and smartphone, we installed hardware encryption and a C4 charge with remote 2 tier authentication for detonation. The two tier authentication was introduced after an unfortunate mishap involving our CFO getting his arm blown off while out golfing; it turns out the detonation frequency was a maritime frequency as well.
The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.
We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite-amatol ceilings designed to completely melt down/destroy the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)
These recent legal developments are troublesome, and so we are modifying our policies to stay current with the times. We now use hidden encrypted volumes as standard, with encrypted data set to degenerate into false data should a kill password be entered.
Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4. Red Herrings can come and play too.)
Thank you,
Ortega Starfire
CTO, Hoffman Institute
For The Advancement of Humanity
(And you thought D20 Modern+Dark Matter wasn't fun! Just try breaking into my datacenter! I've killed the last 4 parties that tried! Bwahahahahahaha! Oh, and MGS gave me some more epic ideas to turn a datacenter into a modern dungeon deathtrap of epic proportions. Fear my microwave beam hallways with camera guns, halon filled halls, electrified floors, and laser tripwires!)
---- Liquid was a patriot ----
I really don't understand capitalists. At one second they are ranting about socialism when the government keeps people from starving in the streets, but when a bank has a bit of trouble they expect the government to come in and save it. They defend the right to own property, but say that a vast segment of the world's population having no property is not a violation of their rights.
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
Socialism refers to a broad array of ideologies and political movements with the goal of a socio-economic system in which property and the distribution of wealth are subject to control by the public.
Authoritarianism means a form of social control characterized by strict obedience to the authority of a state. Hence, the term has similar meaning with totalitarianism, with the latter being an extreme case of the former.
Of course, the other way to look at it is that catching stupid criminals IS a good argument in favor of a law like this. Don't get me wrong, there needs to be checks and balances on how wiretaps are used and not, and one of the main objections I have to this law is that it is very vague about what the data can and cannot be used for, who can and cannot see it, etc... , but I don't object to some degree of surveillance in principle. Yes, it can be used to attack whistle blowers and political dissidents, but it may also help prevent people intimidating political opponents through the use of violence and threats.
The real question when it comes to laws like this is not as much "what will this system be able to do" but rather "how do you ensure this system will not be abused". With technological advances I really do think it is somewhat inevitable for these things to become commonplace, it can be delayed at best. Therefore what we should really be campaigning for is not an end to wiretaps, CCTV cameras etc... but for checks and balances that prevent the techs from being used for nefarious purposes. If we could indeed know that these systems would only be used to deal with threats from terrorism, solve murder cases and robberies, etc... then I doubt many people would oppose it. The problem is that many of these things are being implemented without convincing plans or ways for preventing corrupt officials or government agencies from abusing them.
What i would really want to see is not an end to the FRA or a law banning internet traffic analysis by the police or the military. What I would like to see is the implementation of a REAL institution to "watch the watchers", and I don't mean the kind of stooge committee that is vaguely mentioned in this law proposal, and other ones like it. I'm talking about an actual branch of government with the sole purpose of dealing with corruption amongst police and military. It is obvious to everybody in Sweden that SKI , the organization inspecting our nuclear power plants, is to be independent of the operators of said plants, yet our police force is supposed to be self-regulating even tho it time and time again fails at it.
Very simple solution to all of this:
Step one: Produce a shared-secret key that is a gigabyte in size and get it to the other party via a secure medium.
Step two: XOR your secret message with this shared-secret key, beginning at some random address within the shared-secret.
Step three: Encrypt the XORed message with the usual mechanisms.
Step four: Email the thus-encrypted message.
Step five: Call the other party and tell them the beginning address within the shared secret key, speaking in some kind of predetermined code language.
Now, when some idiot government agency tries to decrypt the damn thing, they'll fry all their computers trying to brute-force the PGP or GPG or whatever encryption, only to end up with garbage no matter what they do. And there is NO way that they can brute force the shared secret since it will always be the same length as the message.
McCain/Palin '08. Now THAT's hope and change!
I'm sorry to interject, but... HE'S BEING FUNNY. Say "WALLAH!" in a really loud, comic accent, and you'll see what I mean. What was the policy... Assume good faith?
He's supporting Big Brother ...
I actually hate this kind of people.
They ASK for RIGHTS, but they won't FIGHT to conserve their POWERS. ( And when I say "fight" I actually mean even get your ass out of the chair )
They are supporting the biggest cancer technology has, and then complains about it and asks for improvements from the Free Software People, while he's not supporting us?
He installs Windows, and then "fixes it" by adding ClamAV, Firefox, Gaim, Thunderbird, Open Office, etc, etc, etc.
Get your head out of your ass. If you want the benefits from Free Software actually USE IT and support it, give back what you can to the comunity, publicity, money, code, what you can.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Name one!
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Unity in Diversity
Yes, listen to this AC and wala - your appearance is that of the cultured.
She made the willows dance
Questions like freedom and privacy take up rather a lot of space on /. - I suppose it is because a large proportion of the readers are young, and young people are still struggling with the big questions in life, where older people will have moved on to the practicalities of everyday life. The fact of the matter is that there is only so much one can do about these things anyway, and that not everything is either black or white. It is not a matter of total freedom or no freedom, total privacy or no privacy; 99.9% of us simply want enough to get by plus a little extra.
Yes, swedish socialists untie :-)
You have just made an excellent example without knowing it. Imagine someone who reads your post and is just a little bit unsure if sweden really is that socialistic singularity of evil (well it cant be an axis if we are alone).
They can either take your word for it and just assume that Sweden is a completly authoritarian socialist society with the police sending wealthy people to prison, neighbours being chased down the street for turning up in a Lexus
or... they can look up information... but would you really like to look up information regarding socialists (or where they communists?)... I dont think so, you would not like anyone at NSA thinking you are a socialist would you? Stay away from certain things, dont think and you'll be safe.
It is obvious you dont now anything about Sweden so why comment? We had laws in this country protecting the individual before your continent was even discovered (Alsnö stadga - 1280AD). One of the reasons this terrible law even made it into the international news was that we where shocked, it was completly against our traditions as a free market democracy with a bit of what you call socialism: healthcare is free for anyone. School is free even at college/university level.
I suppose this is bad, but as a conservative voter myself, I actually think that the people who are poor... they should also be able to send their kids to good schools. You should not be forced into poverty just because your parents where poor or alcoholics or whatever. (I understand that not everyone calls this socialism, but for some reason, I assume you will)
She made the willows dance
Incorrect, you mistake "the public" with "the government"... while one may pretend to serve the other or BE the other, and the public may have delusions of grandeur that it can, or will EVER control the government, make no mistake about it, those who intend to rule, will rule, and those who intend to be ruled fairly or otherwise, will be RULED... period.
I'm glad you can define terms, but in order to take from people and give to others, you require a form of authoritarianism or totalitarianism, because few would give 50% of what they make when their 40+ hours a week job is barely enough to pay the bare minimum BEFORE they are leeched off to pay for government "aid" programs. If people actually did the math of HOW MUCH they actually pay, for how much they actually get back... they'd stop paying taxes tomorrow.
" What luck for rulers that men do not think" - Adolf Hitler
I must have missed the part where I was defending the rights of the banks or corporate entities... I didn't know a piece of paper HAD any rights... Same with people who are unwilling to fight for their rights. Having the "RIGHT TO OWN PROPERTY" is not the same thing as "HAVING SOMEONE ELSE BE FORCED TO GIVE YOU THEIR PROPERTY"... And I'm not a capitalist... I'm just me, and I happen to have a wee bit of faith in that a free market works. I've lived under communism in childhood and this iron fist in the velvet glove bullshit you call "capitalism" (but is in reality a thinly veiled love child of fascism and socialism), and the ONLY thing that provides people with what they want today, and the only thing that provided the people with what they wanted back then was the FREE MARKET... note, that corporations do not operate on a free market... they operate on a dominated and centrally planned economic system... which has not a damn thing in common with an actual free market.
I don't expect you or the so called "capitalists" to understand this. The only "free markets" I've ever seen were black markets and backwater "bazaar" type markets in my native lands. Hard to explain. Personally though, I haven't forgotten how nicely "planned economies" work... I've had to wake up at 5 in the morning and stand in line for stuff before school. Came home afterwards to find out that mom and dad didn't get goods that day because the shipment ran out. Planned economies my ass.
" What luck for rulers that men do not think" - Adolf Hitler
Ironically, shortly after 2001, realizing what was coming in the USA, I wanted to move... and I looked at several countries. Sweden was a candidate... as was Canada. Three of my friends moved from Sweden to Japan, England and Germany, citing "less government intrusion in their lives" among the reasons. I've already visited Canada and Germany, so I wasn't exactly "impressed". (Their security people at airports are just as humorless and almost as stupid as the average TSA marshmallows I've met so far.)
Back to Sweden. Last I recall, you people have one of those lovely countries where it is GREAT to be lower income, or no income, but shit to be upper anything... great place to hunt reindeer from what my friends tell me, but you'll pardon me if I stick to Holland. :) Not that I don't like Swedish people, but it seems Holland is a bit less heavy handed on all issues.
PS - if your teachers/professors are well paid and your facilities are state of the art, either you're getting free tax money from the USA or the UN (again, USA, mostly) or someone there is getting heavily taxed to pay for those quality educations. And as for your questions, when I put myself through college, I worked, and I wrote essays and applied to a LOT of scholarships, all of them private. My government grants (yes I was one of those "gifted and talented" kids) was barely 1/4th of my expenses for my first year alone... the rest was out of pocket and scholarships. If I could do it, even though my parents came here with not a dime to their names and kids in tow, I'd say you can do it. Education didn't help them, it wasn't recognized. They did, however put their minds to use and built a business in an emerging market, a business, may I add, that was completely unrelated to their fields of studies in their communist homeland. Failures didn't stop them... and if they could raise funds mowing lawns and washing dishes in restaurants despite having Masters degrees, what's to stop you people from stepping on your prides and getting something done? Oh wait, must be Tee Vee watching, or gods only know what... I can't say for sure.
Now excuse me, I have coffee awaiting me... good luck to you.
" What luck for rulers that men do not think" - Adolf Hitler
As long as the key can be downloaded in a non standard way you are safe, at least from FRA and NSA like analysis. Your key can basically be as long as you'd like if you use symetric encryption.
As long as a machine travling through your messages can not tell where to also download the key and that they would need to use a human analyst to get the key it will cost too much to decrypt your messages.
This is similar in practice to how Slashdot handle s AC's. You need to look at an image that is very easy for humans, but very hard and costly for machines.
She made the willows dance
Sendmail can be trivially configured to prefer TLS for server-to-server communications. I think it can also be configured to not use non-TLS connections (and those with TLS but with an invalid certificate), although I've not tried. If your mail server and your customers' have valid certificates, and you use TLS when submitting mail and receiving it then no one who doesn't have access to the mail servers can intercept it.
This doesn't give you as much security as PGP, but it basically prevents interception of mail sent between people with well-configured mail servers. Another option is simply to set up a mail server for your friends to use which uses SMTPS and IMAPS for sending and receiving, and doesn't do external relaying. Most mail programs (including Lookout and Thunderbird) support TLS for sending and receiving, which is secure unless the server-to-server connection is not, which it usually isn't).
I am TheRaven on Soylent News
PKI
public key infrastructure
TANSTAAFL GIGO Acronyms to live by!
They had real IDs! All 19 of them were in this country _legally_ and had no problem getting _real IDs_. Read the 9/11 report!
All this BS about producing better IDs doesn't help us, it just helps the government put us in their databases.
-molo
Using your sig line to advertise for friends is lame.
Stop using me as a cliche, dammit
I believe you may already know but, because if you pay for it: then pimps step in and abuse girls to do it.
None of the hookers I know have pimps. They don't need them - they have enough regular customers that they don't even have to walk the streets. And if the practice were legal, there would be no need for pimps. In fact, like marijuana, if the practice were legal all the problemas associated with it would go away. Since they ended alcohol prohibition, although people still overdose and have accidents while under the influence, nobody dies from poisoned whiskey and there aren't gang wars over it.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
There is a small startup called Poosty which aims to bring encryption to the less tech-savvy masses. You sign up with your existing email address and mobile number, and they claim to provide easy-to-use 1024 bit encryption for a free account, 2048 bit encryption for "Pro" subscribers. The company is, interestingly enough, based in Stockholm, Sweden. https://secure.poosty.com/
Just FYI: Your friends have been pulling your leg. You don't hunt reindeer. At least not in Sweden. They are herded like cattle.
"how do you ensure this system will not be abused"
Don't you get it? You can't and sooner or later it will be (if you have such a system).
---
I wonder why FRA can not just do what they used to - keeping track of russian military movements? When did the swedish public become as frightening to our government as the Soviet Union was in the 1980:s?
She made the willows dance
I can write it, I just cant read it.
She made the willows dance
Why do the Navajo write it in code?
She made the willows dance
In fact, the french is "Voi lá" which literally means "see there" or in more common english, "there it is".
+Raider of the lost BBS
These are also the people leading Sweden currently, where are all these scary socialists?
Interesting... so lets see... socialists basically live by the principle that "society" is more important than any single individual. If society prospers by basically owning and dictating to all, and occasionally slaughtering the "undesirables", society as a whole gains.
Interestingly, the same worship of the group rather than respect for the individual is part of Christian Right Wingers (who LOVE to use government power to dictate to others what to think, how to think, how to live, where and why and even IF to live)... "social conservatives" are merely religious fanatics of other bents, who are usually the types that desire to use government power to oppress their neighbors...
And "liberals"... sorry, did I miss something? As has been par for the course, most of the old communists and socialists have "evolved" to be "social democrats" or "liberals" or "progressives". Perhaps you ought to do your homework. Sweden is famous for being one of the most heavily socialistic nations on the face of the planet. Even Japan and most especially England, barely come in second... mostly due to the taxes and heavy social controls exhibited in Sweden.
As a trio of my Swedish acquaintances told me when I sought to move there, years ago "you would be crazy to do so, even we're moving out, and we approve of the politics!"
" What luck for rulers that men do not think" - Adolf Hitler
I'm starting to think that more server-level encryption will be the way of the future. With running a site comparing Australian web hosting plans, perhaps adding more detailed encryption categories will promote their use.
And he finds what you say, think and do very interesting.
Seriously, you think the United States does not have any enemies? This naive thinking is why the USA has been losing the #1 spot.
And then you wonder why your job is being shipped overseas.
The only reason they have money guns and power is because they have privacy. If the US gives up privacy, the US will lose the war on terror, why?
Because you cannot win a war without security and you cannot have privacy without security. In an environment where nobody can communicate, not even the governments, what do you expect to happen?