Slashdot Mirror
Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back
wabrandsma writes "Quoting Bruce Schneier in the Guardian: 'The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it. Government and industry have betrayed the internet, and us.
This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
And by we, I mean the engineering community. Yes, this is primarily a political problem, a policy matter that requires political intervention. But this is also an engineering problem, and there are several things engineers can – and should – do."
One solution at hand are darknets - awesome and uncensorable (but slow, though that is the price) Freenet,
and I2P for hidden services, and the orginal plain Tor.
Come join us, at #freenet at freenode.org we are supporting all users of freenetproject.org
Also, consider just started channel #mempo where new linux distribution is planned with the goal of being most secure one (combining best ideas from Hardened Gentoo, Debian, Tails, Whonix, Qubes-Os). Because security must be complete on all levels (e.g. darknet but also av, rootkit protection, programs compartmnet :)
That whole 'IP over Carrier Pigeon' thing doesn't look so crazy now does it? Until the NSA start training intercepting hawks.
Waiting for an amusing sig.
they've got flamethrowers, man
Thought I would use Bruce's Password safe http://passwordsafe.sourceforge.net/ and dowwnload http://sourceforge.net/projects/passwordsafe/files/ but no HTTPS, should I be worred?
But in all practicality, how do you seize back control from the likes of the three-letter agencies?
It's not like there is any party in the US which hasn't been complicit in granting them ever-greater powers. It's not like a Canadian like myself can vote against the bullshit. It's not like Canada is about to invade the US over the issues, nor anyone else, seeing as their three-letter agencies are doing the same god-damned thing.
I do not fail; I succeed at finding out what does not work.
gnUnion?
If there had been programmer unions in the Win95 era, we never would have got rid of IE6 to protect all the people with certifications in IE6-specific programming. Spare us, please.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.
He recommend Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. "
Silent circle - a US and UK connected commercial company - propriety closed source, and in a sneaky "no we are open, really trust us" sort of way. W T F!???
let me reproduce this informative message posted to the comment section of the article:
I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.
But I am not sure about some of the security mobs he is advocating here.
GPG: OK, clever people can read the source code (though most average Joe programmers can't)
Silent Circle: It's USA based, and subject to the same backdoor 'requests' as anyone US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.
Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.
OTR: Same as GPG as the source code is available.
Truecrypt: Well the soruce code is avaiable, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.
Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.
But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.
I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.
You're missing the bigger picture - if we had unions, we could sit behind nice desks, and have those with computers problems make appointments to see us (at times convenient for us, when we're not playing golf). Then we'd sit down and discuss the problem with them and go "reboot it twice and if it doesn't fix it call me in the morning", and charge a hefty fee.
"One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order"
Once again the UK trumps the US in the paranoia and anti-freedom game. The UK Official Secrets Act applies to all British subjects, OK they get you to sign it, but that us mostly a symbolic gesture to remind you of your obligations and the penalties. Under the act you don't even need to have clearance or be the recipient of a leak. Even if you have worked it out for yourself from publicly available information you can still be gagged, and breaking a gag can bring down the full force of the law against you.
You're in fantasy land.
Working for a union just means more and more onerous paperwork than any other job I've ever worked. Shuffle this, shuffle that, shuffle, shuffle, shuffle.
Even AT&T and Bell Canada didn't have as much paperwork as I got stuck filling out and filing while working a union job as a programmer.
Hated it, big time!
I do not fail; I succeed at finding out what does not work.
Bruce nailed it. We've sat on our collective asses and watched the politicians, spooks, and marketing clowns turn an engineering marvel into a sad parody of it's former intended self. I don't think anyone nowadays can question the need for some serious re-engineering. We can solve the technical problems and propose new standards and protocols.The real question is how do we implement the fix.
Will the standards committees support it? Will the Powers that Be allow it? Like Bill the Bard wrote, "Aye, there's the rub."
Scruting the inscrutable for over 50 years.
Just wait until the character assassination begins for Schneier too. He's been taking very strong positions, I'm waiting for a photoshopped picture of him fucking a sheep to be released on the Internet for the whole world to see. Pretty soon, he'll be living in a South American country's embassy.
I couldn't care less if Assange or Snowden are nice guys. That's completely irrelevant for the matter if they're sweet little cherubs or like to fuck sheep on their spare time. Nobody does what they did by being that nice guy everybody wants to have a beer with.
The hateful crimes they exposed are the true stars, here. If you focus on the messenger, you miss the message. That's what the governments, corporations and their global propaganda machine (a.k.a. mass media) badly, badly, badly want you to do. Quite successfully.
The worst part of the damage done by this isn't technical. It's human.
The reporting on this latest disclosure reveals that the NSA has systematically inserted itself into the standard-crafting process, in order to deliberately weaken those standards. It also reveals that the NSA has bypassed the management of communications providers and recruited technical staff directly. In both cases it's reasonable to assume that the people involved have been through a security clearance process and are thus barred for life from disclosing what they know.
I must now ask myself how many people I've worked with weren't doing so in good faith. When they argued that such-and-such a fine point of a network protocol standard didn't need improvement or that it should be changed in a certain way, were they doing so because it was their principled engineering opinion, or because it served some other purpose? Or when they were recommending that one of the many operations I've run move its colocation point or change its router hardware, was that good customer service, or was it to facilitate easier traffic capture?
Will anyone be asking themselves the same questions about me? (They probably should.)
The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight.
In the US, union workersplay golf? That explains a lot about the US labour policies. I don't think you grasped the concept very well...
I've had a number of union programming jobs in Denmark. The union ensured that I got to take my vacation, that my contract was in order, that I got training on company time for new technology and that if something illegal happened, I'd have access to a lawyer. I don't doubt that what you are saying was true in your case, it's hardly a universal property of programmers' unions.
We don't need unions. We need _good_ unions.
You make a really excellent point. Sadly, we can only react at this point. It seems to me that there are three useful reactions:
- Keep up the political and media pressure. Don't let this issue die in the news cycle. Americans can apply internal pressure; those of us elsewhere can do our bits to keep up international pressure. For example: I will be integrating the NSA as part of a larger Internet security discussion in at least two of my university lectures in the coming semester.
- Promote open-source software for all security purposes. While not everyone can audit the software, there are enough people out there who can and will. The NSA cannot predict who will do so, and hence cannot have them all in its pay.
- Refuse to use any American IT services where security is important. This is not only sensible, it also applies economic pressure to companies that can lobby in Washington.
Enjoy life! This is not a dress rehearsal.
I dispute that these vigilantes should decide what should be "declassified" or what isn't.... I just strongly object to the methods being used by the anti-secrecy crowd, and I don't trust their motivations at all.
That is a fair enough opinion and nobody can argue with it, it is good to have a healthy dose of skepticism about any information that is presented to us via any channel. However what is more difficult to dispute is when a leaked document reveals heinous war crimes - should focusing on the messenger still be more important than a message of that significance? Also remember that Washington leaks information all the time (for example the Bin Laden operation) - why are leaks that expose crimes be worse than leaks that make the president look good? To most people that just reeks of hypocrisy.
The usual reply to this logic is "what war crimes, there were no war crimes exposed - but look over there - Assange is a narcicist and Manning is a traitor!!". However even a basic search and read of the documents they destroyed their lives to bring to us show that this claim is absolutely false:
Revelations from the Afghanistan and Iraq war logs detailed the use of paramilitary death squads, complicity in the torture of Iraqi citizens, the indiscriminate killing of civilians by private military contractors and many other abuses. Meanwhile, the leaked State Department cables brought to light scores of secret drone strikes in countries we are not even at war with, and uncovered the collusion between the U.S. and Yemini governments to lie about American responsibility for the massacre of 41 people in the Al-Majalah region. They also revealed U.S. interference with judicial efforts in Spain to investigate the Bush administration's torture practices. In Tunisia, leaks exposing the opulence and corruption of Ben Ali's government were a catalyst for the revolution that brought down the repressive regime and ignited other pro-democracy movements throughout the Arab world. The list could go on but the point is simple: it would have been a disservice to democracy to withhold this important information.
That's what I'm hoping, but also wonder if the deployment of fast net in the US is being deliberately crippled so the NSA can keep up with it. "You can't install that tech until our capacity is up to speed" If everyone has 1gb connects to/from the net, and decent encryption is used on everything moving up and down the pipe, even the NSA would have trouble keeping up to speed on it all. Everyone would/could be running various TOR (and whatever comes next) to make it a moving target. But for now.. speeds what they are, it's got me wondering. The tech's there, other countries have deployed it, as well as breaking the internet, is it also slowing it down for US citizens to facilitate spying?
Waiting for an amusing sig.
I would argue that trust is what got us into the current mess of pervasive vulnerability. There's been too much trust, for too long. It is easier to program in a world where you can ignore the risk that someone is going to inject SQL commands into a Web form, or believe that once you've stored data on a server inside your firewall, that data is safe. That world is gone and it's not coming back. We, the tech community, have left too many back doors unlocked and unguarded for too long, and now there is a whole economy of data crime. The fact that the NSA has made sure there is no such thing as real encryption is just a piece - a significant piece, I'll admit - of an industry-wide failure.
What I'm saying is that designing systems based on trust is naive, and looking back, was a bad idea to begin with. Trust is for suckers. It doesn't scale: the larger the system, the greater the chance for a malefactor to infiltrate it. What we need today, I believe, is to approach re-engineering the Internet with a healthy does of *mistrust*.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
A more robust version of rsync.net's "warrant canary" (http://www.rsync.net/resources/notices/canary.txt) might help, if it were to become more commonplace, people would start to assume any provider not providing one to already be under gag order.
IANAL, but the legal theory is that while a gag order can make it illegal to speak out, it can't force someone to make falsified or fraudulent statements - any entity that has not already received a secret order is free to testify to that fact, and simply stop making that assertion at such time that they are compromised.
If this were made more robust, for example, key employees being videotaped undergoing a polygraph regularly where they are asked questions about the integrity of their service, it might just work. (I realize a polygraph isn't secure. For this purpose, however, it doesn't matter, because it provides a means to deliberately fail a test while having deniability of your intent to do so.
I'm sure similar creative ideas could be used :)
The guardian article mentions control of 30 VPN now and 300 VPN expected by 2014, almost certainly this includes big brand routers / firewall sat right now in the worlds datacenters...people need to be looking at the code running in cisco / dell / etc devices. This is taking the internet back from unreasonable searches (I for one think a business operating legally should not have all its data sent to a building in the US to be spied upon).
This all has created a climate of untrust, US businesses are going to see a % drop in business as the world decides to vote with its feet. You can imagine the shit storm which is brewing in capitol hill, nothing the administration can say now can save face, it is like catching the fat kid with his hand stuck in the cookie jar.
And the moral of this story is that whether you are a government, union, company or individual, power corrupts eventually.
Unions try to bloat their membership by requiring separate workers for different job classifications, even if that work type isn't full time.
You must hire extra sweepers rather than have, say, machinists clean their own area at the end of the day, even on company time. Also, when Hostess went bankrupt, one of the things they got rid of was unions forcing two different delivery trucks, one for bread, one for sweets, even if they were going to the same delivery places. And at one point in the 1970s, the auto unions had something like 1 full-time, company-paid-for shop steward for every 6 employees, in stead of 30 or 100.
Whatever good they do (which is always trotted out as a defense) they are the opposite of increasing efficiency and productivity trends.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
America is not the world. I'm from the UK.
I didn't elect any of your governments. Or even my own, come to that.
Even if I had have voted, I could not have voted for/against certain provisions, so my vote means nothing in terms of individual actions by the government. We still went to war despite most people who voted the parties in not agreeing with it (and look likely to do so again soon).
My commercial choices don't "make" Hollywood, or other people, anything. People are dumb now, have been in the future, and always will be. Most of the "most popular" shows / movies, I've never seen in my life.
And, yes, everything "we" do is fucked up. That's why it takes the few who SEE that to come along and fix it - for themselves at first, and others later.
I don't get how you then jump to the last paragraph of your comment. His suggestion is actually pretty smart, fairly dangerous to assert in the current climate, and a call-to-peaceful-arms to regain freedoms we had, lost, the Internet returned, and we've lost again.
All he really wants is a secure Internet. How can you break that down to be a "bad" thing that's not practically relevant? I've been arguing that the same would happen for years, it's just taken discovery of major government tampering to make it happen.
A secure Internet? Boy, I'd pay to have one now. Trouble is, Tor is SSSSLLLOOOWWW, and not that secure (because eventually it has to talk to insecure sites for anything "popular"), private darknets are frowned-upon and limited in scope, and the public Internet is largely unencrypted unless we're about to put in a credit-card number (where our transactions are then once-again trackable).
Personal privacy is something that the governments of the world do not want us to have, but cannot give anywhere near a reasonable explanation why. As such, it's something I'd like to have. And that comes about by engineers, the same type as those who designed a network that anyone can join, anyone can talk to anyone else, and anyone can extend and expand without government authorisation, building such a thing.
I'm pretty sure I have a comment on here from my first few posts, back pre-2000-ish) that says pretty much exactly what's happened - governments will overstep the mark, we'll all go into a much more secure mode (no more plain text emails whizzing around email servers), and eventually it will be impossible to track or trace anything even though the actual communication is inherently public - even someone ordering groceries.
You cannot fix this technologically, politically, or socially. This is not a "problem". Its a global coup-d'etat.
The internet was originally setup by DARPA as a government network and then evolved out of that into what we have now. It could be considered that everybody else are squatters and the government is just taking it back from us.
Maybe we should be electing people who will actually respect our rights an the constitution. As soon as someone like that actually runs...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
[quote]These people have a radical and fairly crude ant-secrecy agenda, and the stuff they bring to light may be done in a highly selective and self-serving manner. And regardless of whether you think governments should be allowed to keep secrets or spy on people, I dispute that these vigilantes should decide what should be "declassified" or what isn't. It's only slightly better when the leaks are channelled through the media, given that journalism is a "soft option", and that journalists are only slight better qualified than the leakers themselves to decide what's safe to leak or not. [/fullstop]
You're still missing the message to focus on messengers. Tyranny is what is the problem. Doesn't matter if it's Judy Gardland, Edward Snowden or Ariel Castro delivering the message. If the statements are true, focusing on the flaws/brokenness/evils of the messenger is ensures tyranny continues to succeed.
I'm pissed and I don't know what to do. The NSA is stealing both the ideals of what our democracy is based on, as well our increasingly modern era implementation of it. I don't think anything short of bloodshed in the streets has a chance of changing anything, and even then it likely won't. The Government in the name of security can lie, cheat, steal and kill and not be held accountable.
The internet has always been open. There have been fools that think adding "security" to it will change this. It doesn't. Get real, people. There are only two rules to security on the internet: 1. Never put anything on the net that you can't afford to be viewed by the public. 2. Never put anything solely on the internet that you can afford to lose. Corollary: Never put anything in a cloud that you can't afford to be viewed by the public.
Don't stop where the ink does.
I think the totalitarian sickness Schneier describes goes well beyond the NSA. Computers and especially mobile devices are becoming creepy, for lack of a better word, even without government intervention. They are the prying eyes in your house Harriton High School Used Laptop Webcams To SPY On Students At Home, they are following your every move Government Location Tracking: Cell Phones, GPS Devices, and License Plate Readers, they are keeping tabs on what you like and don't like Mapping, and Sharing, the Consumer Genome (featured on slashdot yesterday, itself a thinly veiled phishing scam IMHO). Although subject to government abuse, none of the "services" highlighted in those links were instigated by the government. Just yesterday I was innocuously checking for prices for various professional training seminars on Google, and on cue my Email inbox started overflowing with unsolicited offers. On some days, I want to throw my smartphone in the trash and unplug my computer from the internet and only plug it back in when I need to access the SVN repository.
So Kudos to Bruce Schneier for addressing his call to the engineering community, but now it begs a question: aren't engineers, including those outside the NSA/DEA/FBI, somewhat responsible for creating this creepy user experience? I don't think they're suddenly going to wake up one day and fix it; a significant subset has embraced the creepiness and fundamentally doesn't understand why it might be a problem for others.
What compromised foundation? A compiler that you can suck out and replace in a second with any of the alternatives?
Your *CODE* doesn't corrupt when you compile with a rogue compiler (that's what source management is for), only the base binary built from it.
The point is not to assume that your compiler is safe, but to work in a way that - WITH A SAFE COMPILER - your code is fine. Other people will be working with different compilers and - AGAIN - by comparing outputs of different compilers you can work on the assumption that they are not ALL compromised and so anything you use to code is fine. The step of later finding that GCC is malicious is a matter of replacing compiler and recompiling, not corrupting every line of code you've written in the meantime.
But losing YEARS of effort because you can't write a single line of code until you've audited GCC is insanity.
I'll add a bit more to what people have written above with another reason why these things have to be open.
Let's see an example of closed source encryption - Adobe Acrobat from a few years ago. Their code was the same one used by Julius Caesar, a very simple letter substitution code which could be cracked with a cardboard code wheel that used to be printed on the back of corn flakes packets to entertain children. Commercial "security" software needs to be open to prevent such laziness being used to defraud people that think they have paid for something that will stop third parties being able to read their PDF files or whatever.
Any readers that think I am making that ridiculous situation up should google Dmitry Sklyarov. The only thing more ridiculous than Adobe's code was that they hit Sklyarov with a DMCA notice for it which somehow resulted in him being imprisoned for months - a DMCA notice for something Julius Caesar wrote about so should be in the public domain by now! No penalty for a false DMCA notice was levied on Adobe (or anyone else - it's one sided with no consequence for crying wolf).