Slashdot Mirror
Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back
wabrandsma writes "Quoting Bruce Schneier in the Guardian: 'The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it. Government and industry have betrayed the internet, and us.
This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
And by we, I mean the engineering community. Yes, this is primarily a political problem, a policy matter that requires political intervention. But this is also an engineering problem, and there are several things engineers can – and should – do."
One solution at hand are darknets - awesome and uncensorable (but slow, though that is the price) Freenet,
and I2P for hidden services, and the orginal plain Tor.
Come join us, at #freenet at freenode.org we are supporting all users of freenetproject.org
Also, consider just started channel #mempo where new linux distribution is planned with the goal of being most secure one (combining best ideas from Hardened Gentoo, Debian, Tails, Whonix, Qubes-Os). Because security must be complete on all levels (e.g. darknet but also av, rootkit protection, programs compartmnet :)
That whole 'IP over Carrier Pigeon' thing doesn't look so crazy now does it? Until the NSA start training intercepting hawks.
Waiting for an amusing sig.
But in all practicality, how do you seize back control from the likes of the three-letter agencies?
It's not like there is any party in the US which hasn't been complicit in granting them ever-greater powers. It's not like a Canadian like myself can vote against the bullshit. It's not like Canada is about to invade the US over the issues, nor anyone else, seeing as their three-letter agencies are doing the same god-damned thing.
I do not fail; I succeed at finding out what does not work.
Naw, HTTPS only protects you against folks who don't already have the keys. You pretty much can't trust virtually any data communication that takes place on the internet. However, that doesn't mean stop doing stuff - it just means weigh the value of what you're doing against the expectation that the information is likely to be used against you. For example - the NSA may have my internet banking credentials - but am I worried they're going to steal my money? No - either 1) they don't need to, 2) if some rogue agent decided to, there are legal protection and insurance avenues I can take to regain my money, 3) if the government decided they needed to steal my money, then even them not having my internet banking credentials isn't going to stop them anyway.
I'm not an advocate for "if you have nothing to hide, you have nothing to worry about" at all. I'm just facing the realization that our government is completely morally corrupt, and outside of changing it by force, I can never protect my information online unless it's information I've encrypted and uploaded myself (and even then I'm still at risk if my OS is rooted or my encryption algorithm has a master algorithm). So, I weigh that knowledge against my activities and don't worry too much. If I was concerned about being identified, then you can protect yourself, but it largely involves not using your net connection, among other things.
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
gnUnion?
If there had been programmer unions in the Win95 era, we never would have got rid of IE6 to protect all the people with certifications in IE6-specific programming. Spare us, please.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.
He recommend Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. "
Silent circle - a US and UK connected commercial company - propriety closed source, and in a sneaky "no we are open, really trust us" sort of way. W T F!???
let me reproduce this informative message posted to the comment section of the article:
I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.
But I am not sure about some of the security mobs he is advocating here.
GPG: OK, clever people can read the source code (though most average Joe programmers can't)
Silent Circle: It's USA based, and subject to the same backdoor 'requests' as anyone US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.
Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.
OTR: Same as GPG as the source code is available.
Truecrypt: Well the soruce code is avaiable, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.
Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.
But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.
I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.
You're missing the bigger picture - if we had unions, we could sit behind nice desks, and have those with computers problems make appointments to see us (at times convenient for us, when we're not playing golf). Then we'd sit down and discuss the problem with them and go "reboot it twice and if it doesn't fix it call me in the morning", and charge a hefty fee.
"One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order"
Once again the UK trumps the US in the paranoia and anti-freedom game. The UK Official Secrets Act applies to all British subjects, OK they get you to sign it, but that us mostly a symbolic gesture to remind you of your obligations and the penalties. Under the act you don't even need to have clearance or be the recipient of a leak. Even if you have worked it out for yourself from publicly available information you can still be gagged, and breaking a gag can bring down the full force of the law against you.
Bruce nailed it. We've sat on our collective asses and watched the politicians, spooks, and marketing clowns turn an engineering marvel into a sad parody of it's former intended self. I don't think anyone nowadays can question the need for some serious re-engineering. We can solve the technical problems and propose new standards and protocols.The real question is how do we implement the fix.
Will the standards committees support it? Will the Powers that Be allow it? Like Bill the Bard wrote, "Aye, there's the rub."
Scruting the inscrutable for over 50 years.
Just wait until the character assassination begins for Schneier too. He's been taking very strong positions, I'm waiting for a photoshopped picture of him fucking a sheep to be released on the Internet for the whole world to see. Pretty soon, he'll be living in a South American country's embassy.
I couldn't care less if Assange or Snowden are nice guys. That's completely irrelevant for the matter if they're sweet little cherubs or like to fuck sheep on their spare time. Nobody does what they did by being that nice guy everybody wants to have a beer with.
The hateful crimes they exposed are the true stars, here. If you focus on the messenger, you miss the message. That's what the governments, corporations and their global propaganda machine (a.k.a. mass media) badly, badly, badly want you to do. Quite successfully.
The worst part of the damage done by this isn't technical. It's human.
The reporting on this latest disclosure reveals that the NSA has systematically inserted itself into the standard-crafting process, in order to deliberately weaken those standards. It also reveals that the NSA has bypassed the management of communications providers and recruited technical staff directly. In both cases it's reasonable to assume that the people involved have been through a security clearance process and are thus barred for life from disclosing what they know.
I must now ask myself how many people I've worked with weren't doing so in good faith. When they argued that such-and-such a fine point of a network protocol standard didn't need improvement or that it should be changed in a certain way, were they doing so because it was their principled engineering opinion, or because it served some other purpose? Or when they were recommending that one of the many operations I've run move its colocation point or change its router hardware, was that good customer service, or was it to facilitate easier traffic capture?
Will anyone be asking themselves the same questions about me? (They probably should.)
The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight.
You make a really excellent point. Sadly, we can only react at this point. It seems to me that there are three useful reactions:
- Keep up the political and media pressure. Don't let this issue die in the news cycle. Americans can apply internal pressure; those of us elsewhere can do our bits to keep up international pressure. For example: I will be integrating the NSA as part of a larger Internet security discussion in at least two of my university lectures in the coming semester.
- Promote open-source software for all security purposes. While not everyone can audit the software, there are enough people out there who can and will. The NSA cannot predict who will do so, and hence cannot have them all in its pay.
- Refuse to use any American IT services where security is important. This is not only sensible, it also applies economic pressure to companies that can lobby in Washington.
Enjoy life! This is not a dress rehearsal.
I dispute that these vigilantes should decide what should be "declassified" or what isn't.... I just strongly object to the methods being used by the anti-secrecy crowd, and I don't trust their motivations at all.
That is a fair enough opinion and nobody can argue with it, it is good to have a healthy dose of skepticism about any information that is presented to us via any channel. However what is more difficult to dispute is when a leaked document reveals heinous war crimes - should focusing on the messenger still be more important than a message of that significance? Also remember that Washington leaks information all the time (for example the Bin Laden operation) - why are leaks that expose crimes be worse than leaks that make the president look good? To most people that just reeks of hypocrisy.
The usual reply to this logic is "what war crimes, there were no war crimes exposed - but look over there - Assange is a narcicist and Manning is a traitor!!". However even a basic search and read of the documents they destroyed their lives to bring to us show that this claim is absolutely false:
Revelations from the Afghanistan and Iraq war logs detailed the use of paramilitary death squads, complicity in the torture of Iraqi citizens, the indiscriminate killing of civilians by private military contractors and many other abuses. Meanwhile, the leaked State Department cables brought to light scores of secret drone strikes in countries we are not even at war with, and uncovered the collusion between the U.S. and Yemini governments to lie about American responsibility for the massacre of 41 people in the Al-Majalah region. They also revealed U.S. interference with judicial efforts in Spain to investigate the Bush administration's torture practices. In Tunisia, leaks exposing the opulence and corruption of Ben Ali's government were a catalyst for the revolution that brought down the repressive regime and ignited other pro-democracy movements throughout the Arab world. The list could go on but the point is simple: it would have been a disservice to democracy to withhold this important information.
That's what I'm hoping, but also wonder if the deployment of fast net in the US is being deliberately crippled so the NSA can keep up with it. "You can't install that tech until our capacity is up to speed" If everyone has 1gb connects to/from the net, and decent encryption is used on everything moving up and down the pipe, even the NSA would have trouble keeping up to speed on it all. Everyone would/could be running various TOR (and whatever comes next) to make it a moving target. But for now.. speeds what they are, it's got me wondering. The tech's there, other countries have deployed it, as well as breaking the internet, is it also slowing it down for US citizens to facilitate spying?
Waiting for an amusing sig.
A more robust version of rsync.net's "warrant canary" (http://www.rsync.net/resources/notices/canary.txt) might help, if it were to become more commonplace, people would start to assume any provider not providing one to already be under gag order.
IANAL, but the legal theory is that while a gag order can make it illegal to speak out, it can't force someone to make falsified or fraudulent statements - any entity that has not already received a secret order is free to testify to that fact, and simply stop making that assertion at such time that they are compromised.
If this were made more robust, for example, key employees being videotaped undergoing a polygraph regularly where they are asked questions about the integrity of their service, it might just work. (I realize a polygraph isn't secure. For this purpose, however, it doesn't matter, because it provides a means to deliberately fail a test while having deniability of your intent to do so.
I'm sure similar creative ideas could be used :)
The internet has always been open. There have been fools that think adding "security" to it will change this. It doesn't. Get real, people. There are only two rules to security on the internet: 1. Never put anything on the net that you can't afford to be viewed by the public. 2. Never put anything solely on the internet that you can afford to lose. Corollary: Never put anything in a cloud that you can't afford to be viewed by the public.
Don't stop where the ink does.
I think the totalitarian sickness Schneier describes goes well beyond the NSA. Computers and especially mobile devices are becoming creepy, for lack of a better word, even without government intervention. They are the prying eyes in your house Harriton High School Used Laptop Webcams To SPY On Students At Home, they are following your every move Government Location Tracking: Cell Phones, GPS Devices, and License Plate Readers, they are keeping tabs on what you like and don't like Mapping, and Sharing, the Consumer Genome (featured on slashdot yesterday, itself a thinly veiled phishing scam IMHO). Although subject to government abuse, none of the "services" highlighted in those links were instigated by the government. Just yesterday I was innocuously checking for prices for various professional training seminars on Google, and on cue my Email inbox started overflowing with unsolicited offers. On some days, I want to throw my smartphone in the trash and unplug my computer from the internet and only plug it back in when I need to access the SVN repository.
So Kudos to Bruce Schneier for addressing his call to the engineering community, but now it begs a question: aren't engineers, including those outside the NSA/DEA/FBI, somewhat responsible for creating this creepy user experience? I don't think they're suddenly going to wake up one day and fix it; a significant subset has embraced the creepiness and fundamentally doesn't understand why it might be a problem for others.
I'll add a bit more to what people have written above with another reason why these things have to be open.
Let's see an example of closed source encryption - Adobe Acrobat from a few years ago. Their code was the same one used by Julius Caesar, a very simple letter substitution code which could be cracked with a cardboard code wheel that used to be printed on the back of corn flakes packets to entertain children. Commercial "security" software needs to be open to prevent such laziness being used to defraud people that think they have paid for something that will stop third parties being able to read their PDF files or whatever.
Any readers that think I am making that ridiculous situation up should google Dmitry Sklyarov. The only thing more ridiculous than Adobe's code was that they hit Sklyarov with a DMCA notice for it which somehow resulted in him being imprisoned for months - a DMCA notice for something Julius Caesar wrote about so should be in the public domain by now! No penalty for a false DMCA notice was levied on Adobe (or anyone else - it's one sided with no consequence for crying wolf).