Security After the Death of Trust

← Back to Stories (view on slashdot.org)

Security After the Death of Trust

Posted by samzenpus on Thursday October 3, 2013 @12:07AM from the lock-it-down dept.

An anonymous reader writes "Simon St. Laurent reviews the options in the wake of recent NSA revelations. 'Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust.'"

162 comments

Min score:

Reason:

Sort:

Minimal Trust: by Hartree · 2013-10-03 00:11 · Score: 4, Insightful

Shouldn't that have been the paradigm from the beginning if you really wanted security?
Just because you think a person or organization can mostly be trusted today, doesn't mean it will always be the case.
1. Re:Minimal Trust: by buravirgil · 2013-10-03 00:19 · Score: 2
  
  The paradigms shift along the sea changes and no patterned pulse cannot be read. But Bob Dylan sings better than I will ever post: Strike another match. Go start anew.
  
  --
  Would were! Should is! Could be! And live a hundred times three.
2. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 00:24 · Score: 4, Insightful
  
  It has been available for a kind of long time. RFC 2440 for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy. I can't even get my friends to use "Off The Record" for secure IMing. They don't care that their IM is going unencrypted over the network, or at least not enough to spend 2 minutes to install it.
  Yes nothing is perfect including this but encryption is a lot better than not. Endpoints (who you talk to) is still exposed but having your message contents hidden still seems like an improvement, but people won't do it even when it's easy and you prompt them to.
3. Re:Minimal Trust: by somersault · 2013-10-03 00:42 · Score: 2
  
  I don't see the point in encrypting all my IM either. If the government wants to watch me joke around with my friends, let them. I encrypt passwords and banking info, but who cares about the rest?
  If your friends felt they really had something they needed to tell you about in private, then they could talk to you via an encrypted connection from a Live CD, or tell you in person. For the rest, nobody cares.
  
  --
  which is totally what she said
4. Re:Minimal Trust: by Pieroxy · 2013-10-03 00:46 · Score: 4, Insightful
  
  Until you chat with a friend, make dirty terrorists jokes, and this friend is thought by the NSA to be a terrorist. You'll find yourself interrogated before you know it.
  There are countless scenarios that may see you regret this carelessness.
  
  --
  Write boring code, not shiny code!
5. Re:Minimal Trust: by h4rr4r · 2013-10-03 00:48 · Score: 1
  
  This is because most people don't care, most of the time.
  For the same reason they use credit cards instead of cash. Now go stand around your local headshop and see how many people suddenly switch to cash.
6. Re: Minimal Trust: by Anonymous Coward · 2013-10-03 00:49 · Score: 1
  
  Probably they should. We've been working for years on a cloud-alike, open source system (ball) where mutual distrust is the founding principle. Too few people who care about priciples. All they ask for is maximum convinience today.
7. Re:Minimal Trust: by jenningsthecat · 2013-10-03 00:51 · Score: 4, Insightful
  
  It has been available for a kind of long time. RFC 2440 for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy.
  The problem is getting a critical mass of users to adopt encryption. And although it's largerly a matter of people either not caring, or not knowing enough to care, it's also a problem of not wanting to stand out in the crowd and risk getting singled out. My friends and I don't use e-mail encryption because, with so few other regular users of it, we would simply be marking ourselves for special attention from TLA's.
  It's the kind of thing where a significant portion of the population - say 10% - needs to start using e-mail encryption simultaneously. And unfortunately, that's not likely to happen any time soon. I've said it before and I'll say it again: like sleight-of-hand in a magician's act, bread and circuses really do work to keep people distracted from what their leaders and masters are doing. Until enough of us pull our heads out of our popcorn bags, organize, and start engaging in the Internet's equivalent of 'passive resistance', the 1% and their minions are going to keep screwing us over.
  
  --
  'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
8. Re:Minimal Trust: by somersault · 2013-10-03 00:55 · Score: 2
  
  If the NSA want to feel like idiots, they're free to do so.
  I don't live in the US either btw, and I'm happy to let you guys keep it to yourselves.
  
  --
  which is totally what she said
9. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 00:57 · Score: 1
  
  If you think living outside of the US will keep you safe from the NSA (or other US TLAs), you're dumber than we thought.
10. Re:Minimal Trust: by lxs · 2013-10-03 01:08 · Score: 4, Informative
  
  To twist an oft abused quote around:
  If you have nothing to hide you have nothing to fear so go ahead and encrypt everything. Make the bastards work for every byte.
11. Re:Minimal Trust: by somersault · 2013-10-03 01:11 · Score: 1
  
  Yeah? What exactly do I need to be kept "safe" from? Are they going to send thugs round to interrogate me for flirting on Facebook?
  
  --
  which is totally what she said
12. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 01:16 · Score: 0
  
  Yeah? What exactly do I need to be kept "safe" from? Are they going to send thugs round to interrogate me for flirting on Facebook?
  yes.
13. Re:Minimal Trust: by somersault · 2013-10-03 01:16 · Score: 1
  
  (in another country, no less)
  You guys are unbelievably paranoid sometimes.
  Yes, I could get hassled if I try to fly into America. But I already knew that before the NSA shitstorm. Everyone knows that. This new wiretapping bullshit doesn't really change anything for me. In fact, considering this was made "legal" with the PATRIOT act, it isn't even a surprise. I'm not sure why anyone is surprised. I thought the whole point in the PATRIOT act was so that the government could abuse their power needlessly.
  
  --
  which is totally what she said
14. Re:Minimal Trust: by MadKeithV · 2013-10-03 01:21 · Score: 2
  
  (in another country, no less)
  You guys are unbelievably paranoid sometimes.
  Um, dude.
15. Re:Minimal Trust: by ArsenneLupin · 2013-10-03 01:24 · Score: 3, Insightful
  
  If the NSA want to feel like idiots, they're free to do so.
  A similar thing happened to a friend in Germany. And not, the German police didn't feel like idiots, and quite happily wrecked the guys life. If you have a gun, you never feel like an idiot. Instead you just pull the trigger on anybody who dares to snicker...
16. Re:Minimal Trust: by ArsenneLupin · 2013-10-03 01:26 · Score: 1
  
  You don't even need to be actually flirting. Just keeping pictures of nice ladies on your computer can be enough. Or just helpfully repairing the computer of a friend who happens to keep such pictures is enough.
17. Re:Minimal Trust: by MozeeToby · 2013-10-03 01:28 · Score: 5, Insightful
  
  For the rest, nobody cares
  I do. I fucking care that I can't communicate without big brother leaning over my shoulder to make sure I'm a good citizen. It's fucked up. Even if they never used a single byte of the data, the act itself is fucked up. Besides that, laws change. Much more of your day to day life than you imagine is already illegal to some extent or another. With pervasive eavesdropping you're just one ticked off bureaucrat away from a prison sentence. And even if you yourself by some miracle live (an almost impossible) squeaky clean lifestyle, it's even less likely that your family and friends to as well.
18. Re:Minimal Trust: by somersault · 2013-10-03 01:29 · Score: 1
  
  Whatever, I could use a holiday. If chatting about buying a kitten or playing guitar hero can get me a free holiday, then by all means I will continue what I'm doing.
  
  --
  which is totally what she said
19. Re:Minimal Trust: by radiumsoup · 2013-10-03 01:37 · Score: 1
  
  NSA doesn't stop at the US border. They are responsible for GLOBALLY monitoring communications that might be harmful to the United States.
20. Re:Minimal Trust: by Digital+Vomit · 2013-10-03 01:38 · Score: 1
  
  Good god, man.
  
  --
  Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
21. Re:Minimal Trust: by somersault · 2013-10-03 01:42 · Score: 1
  
  I'm aware of that, but generally the worst that happens if they don't like you is that they'll stop you from legally entering the US. You have to be being a douchebag on a pretty epic scale before they start being able to justify rendition.
  
  --
  which is totally what she said
22. Re:Minimal Trust: by pscottdv · 2013-10-03 02:05 · Score: 1
  
  Outside the US, they send drones...
  
  --
  this signature has been removed due to a DMCA takedown notice
23. Re:Minimal Trust: by AHuxley · 2013-10-03 02:10 · Score: 1
  
  Sometimes they just get names wrong :)
  
  --
  Domestic spying is now "Benign Information Gathering"
24. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 02:10 · Score: 3, Interesting
  
  Anyone remember when the NSA threw a fit regarding 128bit SSL becoming the next standard?
  Then suddenly there was silence, and technology moved forward to 256bit and then 1024 etc... never to hear another whisper from the NSA.
  This should have been the beginning of all the questions
  For most of us in the field, we rely on solutions doing what they say they will; in order to meet the requirements we set. So we have to maintain some level of trust somewhere, but at the same time, trust wasn't a part of the risk assessment process, at least it wasn't charted, it was assumed.
25. Re:Minimal Trust: by AHuxley · 2013-10-03 02:13 · Score: 1
  
  Another issue is state and national databases. If they all connect with junk encryption, junk servers, junk OS they are open.
  Millions of people can be sorted per country thanks to poor software and hardware import deals.
  
  --
  Domestic spying is now "Benign Information Gathering"
26. Re:Minimal Trust: by AHuxley · 2013-10-03 02:19 · Score: 1
  
  Yes globally many smart people will question their professors, tutors and wonder what they where educated on.
  They will start to write their own code out of pride or nationalism and be able to offer it to their govs at a fair market rate.
  No more trade deals to select from a few 'big' UK/UK brands at a low price and with long term support totally locking out skilled locals.
  The only way into air gapped systems will be via special forces teams breaking in or bribed local staff.
  Both options are very expensive and risky.
  
  --
  Domestic spying is now "Benign Information Gathering"
27. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 02:27 · Score: 1
  
  You mean like the Yemeni reporter who simply did his job and reported that the US was the one who bombed a village and killed a bunch of women and children? And then he was kidnapped by Yemeni intelligence agents, tortured (including having two teeth extracted), and thrown in prison. And then popular outcry in the country had the president there about to pardon him, but Obama phoned the dude up and asked him not to? Yeah, you just keep believing that everyone they're interested in is guilty. Or are you saying that you're cowardly enough to duck your responsibility should you ever find yourself in the position to do anything of significance?
28. Re:Minimal Trust: by kilfarsnar · 2013-10-03 02:32 · Score: 4, Insightful
  
  Yeah? What exactly do I need to be kept "safe" from? Are they going to send thugs round to interrogate me for flirting on Facebook?
  "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." -Cardinal Richelieu
  No I would imagine not. Any given person likely has little to fear from increased surveillance; most people's lives are uninteresting. But if someone is looking at you with the intent of finding wrongdoing, they will find it. Especially if they have a history to look back on.
  The other issue is that these surveillance powers are being used against anyone the US government doesn't like, for whatever reason. Do you agree with everything the US government does and says? I'd guess not. Do you support the actions of people who are organizing to push back against those policies you disagree with? I'd imagine so. Well these surveillance (and detention) powers are being used against those groups who are fighting for what you believe in, whether you participate or not. So your interests are being indirectly harmed by these powers.
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
29. Re:Minimal Trust: by kilfarsnar · 2013-10-03 02:34 · Score: 3, Funny
  
  Whatever, I could use a holiday. If chatting about buying a kitten or playing guitar hero can get me a free holiday, then by all means I will continue what I'm doing.
  If you think extraordinary rendition is like being on holiday, I'd hate to see where you usually vacation.
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
30. Re:Minimal Trust: by somersault · 2013-10-03 02:39 · Score: 1
  
  Skyrim. And France.
  
  --
  which is totally what she said
31. Re:Minimal Trust: by kilfarsnar · 2013-10-03 02:44 · Score: 3, Insightful
  
  I'm aware of that, but generally the worst that happens if they don't like you is that they'll stop you from legally entering the US. You have to be being a douchebag on a pretty epic scale before they start being able to justify rendition.
  ORLY?
  Do you think Khalid El-Masri and Maher Arar would agree? Or do you not have a Muslim sounding name, so you figure you'll be fine? First they came for the Muslims, something something...
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
32. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 03:25 · Score: 0
  
  If you live outside US, the president is legally mandated, even obligated, to kill you, if suspect of terrorism.
33. Re:Minimal Trust: by gmuslera · 2013-10-03 03:28 · Score: 1
  
  I suppose that you mean economically harmful for US corporations, having competition is definately not what is capitalism about.
  Is not just monitoring. Your lack of security will be used against you. If you have something critical enough in another country, you probably have a logical bomb running on your infrastructure. Stuxnet is an obsolete example by now.
  But even without logical bombs, information means control, if they have all your information they could control you, or your population. If your country don't lick the boots of the USA overlords, they could spill secrets about your government that could put it in trouble, or make the population revolt. Even just stealing money of banks of enough people could trigger that revolt. And the killer secret could be just a grandmother telling in facebook to her contacts that she saw certain politic in a place where he shouldn't be. And the revolt will be pretty useful to put a puppet in power, is not that we didn't see that in the past years, and how well it went for the local population, during and after all got "solved".
  In this scenario won't be surprised if most still independent countries just close ties with US and US companies, puts protective monitoring in all communications and restrict what can access citizens and foreigners. Probably the ones that in a year still didn't do it are not truly independent.
34. Re:Minimal Trust: by AlphaWoIf_HK · 2013-10-03 04:05 · Score: 1
  
  I don't see the point in encrypting all my IM either. If the government wants to watch me joke around with my friends, let them.
  Then you're part of the problem. You should never let the government conduct such surveillance, and by doing so, you make it more difficult for intelligent people who do care about their privacy to protect said privacy.
  
  --
  Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
35. Re:Minimal Trust: by AlphaWoIf_HK · 2013-10-03 04:07 · Score: 1
  
  Oh, and just because you think what you're saying is harmless, that doesn't mean the government thinks so. There are numerous cases of the government misinterpreting jokes and statements and then proceeding to try to ruin people's lives. Surely you don't want to suffer the same fate? Or do you believe that people who work for the government are perfect angels? From your comment, I would think not, but it's truly baffling that you would suggest that it doesn't matter if the government conducts such surveillance; it does matter, and it is dangerous to let them do so.
  
  --
  Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
36. Re:Minimal Trust: by somersault · 2013-10-03 04:19 · Score: 1
  
  Well, it's not my government, so I don't think I'm part of this particular problem.
  If it were my government, I'd have been out there protesting when the PATRIOT act was being mooted. I usually don't care about politics, but that was a really obvious violation of people's rights.
  I don't think they should be allowed to do this surveillance at all, but at the same time, I'm not going to encrypt anything that doesn't actually need encrypted.
  
  --
  which is totally what she said
37. Re:Minimal Trust: by AlphaWoIf_HK · 2013-10-03 04:27 · Score: 1
  
  I don't think they should be allowed to do this surveillance at all
  That's a start.
  
  but at the same time, I'm not going to encrypt anything that doesn't actually need encrypted.
  Most likely, it does need to be encrypted, but you'll only find that out when it's too late.
  
  --
  Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
38. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 04:46 · Score: 0
  
  FYI, the NSA's mandate is for foreign intelligence. They spy on Americans too, but their job is to spy on non-Americans.
39. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 04:47 · Score: 0
  
  I don't see the point in encrypting all my IM either. If the government wants to watch me joke around with my friends, let them. I encrypt passwords and banking info, but who cares about the rest?
  Why? Because if everything, no matter how mundane is encrypted and treated like Trump's banking credentials, it becomes a major PITA to filter out and target the stuff that is important. That really aught to be reason enough.
  Same argument for citizens with concealed carry licenses. If you're a thug or a villain, you never know if the person you're targeting is going to hand you money or deliver a case of acute lead poisoning. Thus, even the people who find firearms distasteful actually benefit from the collective immunity effect against robbers, rapists, home intruders and the like.
40. Re:Minimal Trust: by smash · 2013-10-03 04:54 · Score: 1
  
  This is the thing. Even if you trust an organization to try and do the right thing, do you trust their IT staff to be competent? Do you trust their provider? Unfortunately most people by nature are far too trusting with all this stuff.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
41. Re:Minimal Trust: by smash · 2013-10-03 04:56 · Score: 1
  
  Whilst you may technically be correct, I think the NSA/FBI/CIA have more pressing concerns than joe random on the other side of the world's porn collection.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
42. Re:Minimal Trust: by smash · 2013-10-03 05:02 · Score: 1
  
  Yup. That would have been circa... 2000 ish? So you just know they've been either in the firmware, or compromising RNGs since at least that long.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
43. Re:Minimal Trust: by khallow · 2013-10-03 05:09 · Score: 2
  
  I hope you're right. Hard to say what their priorities will be in the future though.
44. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 05:13 · Score: 0
  
  "You guys are unbelievably paranoid sometimes."
  Its not that theyre paranoid, its that they think they are special and that everyone pays attention to them. Its egomania.
45. Re:Minimal Trust: by someSnarkyBastard · 2013-10-03 05:35 · Score: 1
  
  You realize that you just demonstrated that the NSA gives fuck all about their "mandate" right? (or at least their public one)
46. Re:Minimal Trust: by ArsenneLupin · 2013-10-03 05:39 · Score: 2
  
  There's plenty of other agencies around who are interested in such silly concerns, unfortunately. And they do have the power and willingness to wreck people's life over such trivialities.
47. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 05:43 · Score: 0
  
  If you consider them pulling a high-salary paycheck you pay for, using state-of-the-art computer systems you pay for, from a cushy narcissistic Star Trek themed "command center" you pay for, to be sticking it to the bastards and making them "work", then, sure.
48. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 06:04 · Score: 0
  
  But even without logical bombs, information means control, if they have all your information they could control you, or your population. If your country don't lick the boots of the USA overlords, they could spill secrets about your government that could put it in trouble, or make the population revolt.
  A government that has secrets which could cause a revolt is equally as bad as the average description of the USA government on here. Just because something is the lesser evil does not absolve its evilness or make it "okay".
49. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 06:16 · Score: 0
  
  I don't see the point in encrypting all my IM either. If the government wants to watch me joke around with my friends, let them. I encrypt passwords and banking info, but who cares about the rest?
  If your friends felt they really had something they needed to tell you about in private, then they could talk to you via an encrypted connection from a Live CD, or tell you in person. For the rest, nobody cares.
  You point out exactly what the "new" paradigm is (or what people are now realizing it always was); there are two kinds of security: protection against thieves or similar, who just want to profit from knowing your secrets, and protection from states who want to keep their population's "calm" and root out "criminals" (where the definition of "calm" and "criminals" vary depending on the regime.)
  The former issue is and will continue for some time to be a matter of taking basic precautions, since encryption and bug-fixing are adequate to make the process of acquiring profitable information too expensive. The latter issue is and always has been a question of living under a regime that you get along with. If you have secrets the state wants, the state will get them. If the state wants to dragnet for dissidents of any particular flavor, they have always had pretty simple methods to accomplish that and the internet just means they can do it cheaper than before (the sword that enables your amazon.com order for 1 lb bags of lucky charms marshmallows for $9.99 +free shipping cuts both ways like that.)
50. Re:Minimal Trust: by davester666 · 2013-10-03 06:21 · Score: 1
  
  It's not just if your friend is thought to be a terrorist.
  It's if he/she is, or anybody they have ever associated with is, or anybody those people were ever associated with is thought to be a terrorist.
  3 hops.
  So, it would remarkable if they didn't dig through your email/telephone records/banking records, just to double-check that you aren't a filthy terrorist. Or an filthy anti-government protester.
  
  --
  Sleep your way to a whiter smile...date a dentist!
51. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 06:25 · Score: 0
  
  Wreck someone's life over porn? The U.S. is a stranger place than I thought - especially when considering how much of the internet porn they are hosting themselves.
  Having your porn collection exposed is embarassing, (Oh, so you like fat ladies with mustaches - bwahaha!) but it is hardly a life-wrecking experience. Next week they find something else to laugh at.
52. Re:Minimal Trust: by gmuslera · 2013-10-03 07:02 · Score: 1
  
  Is different attacking persons, over what could be moral or cultural tabus, than attacking a government. But both can cause revolts, picking the right persons. And there are other ways to desestabilize (i.e. faking a recording of Chavez saying that is actually kidnapped instead of dead) that could be enhanced manipulating or releasing partial information to the public.
53. Re:Minimal Trust: by CBravo · 2013-10-03 07:43 · Score: 1
  
  So you do not really care about privacy, wether it be government (yours or others) or organised crime.
  
  Privacy is a requirement for personal safety. Wether it is financial, physical or psychological safety. You give up your safety too easily and think it does not matter. I am fine with the first (for now) but not the second.
  
  searchterms: why privacy matters
  
  --
  nosig today
54. Re:Minimal Trust: by Anonymous Coward · 2013-10-03 07:49 · Score: 0
  
  Make the bastards work for every byte.
  On your dime. Finally, trolls foot the bill!
55. Re:Minimal Trust: by aix+tom · 2013-10-03 11:22 · Score: 1
  
  Depends. There also has been somewhat of a shift from "Who is the most important target" to "who is the easiest target to catch" in what is loosely called "law enforcement" these days.
56. Re:Minimal Trust: by Pieroxy · 2013-10-03 22:42 · Score: 1
  
  If you think living outside of the US will keep you safe from the NSA (or other US TLAs), you're dumber than we thought.
  Kim Dotcom lived outside the US. Did him good.
  
  --
  Write boring code, not shiny code!
57. Re:Minimal Trust: by somersault · 2013-10-06 21:33 · Score: 1
  
  I wouldn't say I "don't care", but it's literally impossible for them to read all IM. They'd have to rely on scanning for keywords and doing brief check-ups on whether the keywords are actually being used in a terrorist context. It's not like they're forcing unencrypted communications. If my government tried to do something like that, I'd protest. But I don't have a problem with people scanning unencrypted internet traffic any more than I have a problem with people scanning CB radio.
  
  --
  which is totally what she said
58. Re:Minimal Trust: by somersault · 2013-10-06 21:41 · Score: 1
  
  Uhm.. you really think there is no robbery, rape, home intrusion, etc, in the US? I'd say the guns give the criminals the upper hand in this case. Any criminal who can afford it (or steal it) will have a gun in the US. Not all citizens will.
  Here in the UK, some folks have guns, but realistically the worst you'd need to worry about in most places is knives. Which are still very effective at murder, but most people probably wouldn't throw them at least, so you have a better chance of running away.
  
  --
  which is totally what she said
What? by Anonymous Coward · 2013-10-03 00:16 · Score: 0

We never really trusted our government. These recent revelations only prove that we weren't completely paranoid or crazy.
1. Re:What? by Big+Hairy+Ian · 2013-10-03 00:19 · Score: 4, Insightful
  
  We never really trusted our government.
  The problem with elections is that the government always wins :(
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
2. Re:What? by fustakrakich · 2013-10-03 01:54 · Score: 1
  
  The problem with elections is that the government always wins...
  That's a reflection on us, not the government. Elections reveal how much we truly approve, nothing else, And I would say the present 98% is a pretty good number. You people will never learn how much power you have until you make the feeblest of effort to use it.
  
  --
  “He’s not deformed, he’s just drunk!”
3. Re:What? by gmuslera · 2013-10-03 03:37 · Score: 1
  
  98% of the ones that actually voted (in countries where the vote is obligatory the government is choosen by everyone, not the specially motivated, paid to go to vote or partial by definition). And the electoral process have some flaws, only Lesters can say for who you can vote, in (most?) places you can't vote for no candidate, and of course, the opponent did a bad enough campaign to make sure that the people voted for Obama if were for make sure that he wasnt elected, and as the only way to get even noticed that you exist is a expensive, big corporations funded, and totally legal campaign, no matter who you choose, the same real rulers are elected each time.
4. Re:What? by fustakrakich · 2013-10-03 04:14 · Score: 1
  
  The most fundamental problem is a basic failure to overcome conditioned reflex. It may not be possible, but we can't know until we try. This whole thing about 'campaign funding' is bullshit. And besides, if you can vote people in and out to correct that, then you've already solved the problem, and further discussion is unnecessary.
  
  --
  “He’s not deformed, he’s just drunk!”
5. Re:What? by Anonymous Coward · 2013-10-03 05:05 · Score: 0
  
  To a point. Districts are gerrymandered, so the incumbent will always win. States like California passed laws that essentially bar third parties from the ballot. Political debates have their rules created by the two major parties to exclude third party and even major party candidates marginalized by their party leadership.
  Political choice, in the US, is illusory.
  Add general public apathy to the equation, and it is easy to see how we got here. But, it is not just public apathy.
6. Re:What? by Anonymous Coward · 2013-10-03 07:25 · Score: 0
  
  The problem with elections is that the government always wins...
  That's a reflection on us, not the government. Elections reveal how much we truly approve, nothing else, And I would say the present 98% is a pretty good number. You people will never learn how much power you have until you make the feeblest of effort to use it.
  98%? More like 57%.
  http://en.wikipedia.org/wiki/Voter_turnout_in_the_United_States_presidential_elections
  ... And if you discount the people who disapprove by voting third party, then just over half of all Americans support their government.
most people don't want to bother by Anonymous Coward · 2013-10-03 00:16 · Score: 5, Interesting

I try to get my family to stop using gmail, and instead use a local mail program which they can then use for end to end encryption, private non-cloud storage of their old emails, etc, but they don't want to bother. They'd rather have google storing all their emails and are fine with the advertising they get shown as a result of the data-mining of the email contents. They don't care about the NSA because they "aren't doing anything wrong".
That's what security is up against: people who want to put all their information in "the cloud" and don't really care what that means for privacy and security or even services that can disappear at any time or change their terms of service at any moment. It's all about the simplicity, and nothing else matters except allowing it to be a brainless usage model.
1. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 00:28 · Score: 0
  
  I fear the species is doomed because of this brainless majority. Soon we can't even take a shit without logging to Failbook first.
2. Re:most people don't want to bother by ruir · 2013-10-03 00:37 · Score: 3, Informative
  
  There are PGP plug-ins for Chrome and Mail in Mac, at least. Why not exchange PGP keys with the family? I have used the gpgtools in the past in my Mac, and it is much pretty easy to install and use then.
3. Re:most people don't want to bother by nanospook · 2013-10-03 00:48 · Score: 1
  
  I ain't got no time for dat! Seriously.. it's about the backbone technology. Your average person isn't gong to be a subject matter expert on computer security. It has to be embedded in a transparent fashion to make it work and it has to be a transparent technology (as in open source) so the government doesn't use it for their own ends.
  
  --
  Have you fscked your local propeller head today?
4. Re:most people don't want to bother by ruir · 2013-10-03 01:00 · Score: 2
  
  PGP by definition has to have an element of trust unknown for 3rd players, i.e. the private keys. If gmail implemented it, it was almost the same as not having it. and I certainly wouldn't see the point of using it. The point of using it on your side, in a TRANSPARENT method, is for google not be able to access your private messages too. Note, you don't have to be an expert, the installation of the tools have just to be simple enough. After exchange keys, the software is smart enough to know when you are sending messages for people with you haven't exchanged keys (yet), or for people with keys on the store, and automatically encrypts that conversations. So yes, transparent, but on YOUR side. In the past, people would say only typists would write document and nowadays people with Word write documents too.
5. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 01:04 · Score: 3, Insightful
  
  The screwy thing about that, is that it needs a plugin at all. This is ancient shit. For the last 15-20 years, most email clients have come ready to use pgp out of the box, but then you get to the high-profile (i.e. popular, because it comes with pre-installed consumer OSes) email clients, and they require people to search for plugins, in order to get basic 1990s-level tech. The problem used to mainly just be Apple Mail and MS Outlook (and then, sadly, Thunderbird, WTF) but then smartphones got popular, and the situation with today's smartphones is even worse, if that's possible. It's really pretty negligent for MS and Apple (and now Google) to be shipping out OSes with broken email by default. That means negative security by default. Shame on them.
6. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 01:21 · Score: 0
  
  Your family would be like: "This is fun. How do these handcuffs fit around my wrists? Hahaha. Neat. What other information did you need about me Mr. police man?"
7. Re:most people don't want to bother by stardaemon · 2013-10-03 01:22 · Score: 1
  
  For the record, gmail supports IMAP.
  
  --
  The only way to stay sane in an insane world, is to be mad yourself...
8. Re:most people don't want to bother by naris · 2013-10-03 01:29 · Score: 1
  
  So, the NSA can read my gmail. It will probably put them to sleep. I am not concerned about putting NSA agents to sleep. Perhaps they might find out I buy stuff from newegg form time to time? or about my average bills? Sure, I could spend a lot of time (that I don't have) and effort to setup my own computer running my own SMTP server, and have to setup my own SPAM filter and maintain that, using copious amounts of time that I don't have. Perhaps I could even use PGP to encrypt both of the personal e-mails that I have time for per year, but what would I really be accomplishing? To claim that I am being "private" and "secure". Also, even the NSA does not have the resources to read each and every one of the 294 billion e-mails sent every day. The best they can do is to quickly scan a small percentage of them. most likely for a fairly narrow target criteria. No thanks, I'll continue using my gmail account that filters the spam for me. Especially since 90% of the e-mail that make it past the spam filter is utility bills and the like. I am not interested in hiding the fact that I heat my house with gas from the NSA...
9. Re:most people don't want to bother by fustakrakich · 2013-10-03 02:03 · Score: 1
  
  Soon we can't even take a shit without logging to Failbook first.
  For now, we have ratemypoo... Say I'm not number 2!
  
  --
  “He’s not deformed, he’s just drunk!”
10. Re:most people don't want to bother by interkin3tic · 2013-10-03 02:12 · Score: 2
  
  You always trade some privacy and security in exchange for being social and active. The terms of the compromise are up to the individual. If you're insisting your family should get end to end encryption and they don't want it, YOU'RE the brainless one for not realizing your preferences are not their preferences.
11. Re:most people don't want to bother by peon_a-z,A-Z,0-9$_+! · 2013-10-03 02:27 · Score: 1
  
  I try to get my family to stop using gmail, and instead use a local mail program which they can then use for end to end encryption, private non-cloud storage of their old emails, etc, but they don't want to bother.
  People have always been like this as long as civilization has been around. Some people fully understand a technology and take the details of it into their own hands, while others are more comfortable with someone else providing the expertise. Take your argument above and say:
  
  I try to get my family to stop using [the local mechanic], and instead use a [wrench from the garage] which they can then use for end to end [repair of their car, maintenance of essential parts, and general peace of mind for their family members that ride in the vehicle], but they don't want to bother.
  While this type of behavior has always been around, but we have yet to have it applied so forcefully to information. Therefore, I think to properly address the problem you have to see that this is not unique to mankind. The unique element, however, is the topic that these people are choosing not to gain deeper understanding of.
  A few months ago - when all of this was starting - I read a comment here on Slashdot about how the only thing holding back this sort of NSA spying over the last two hundred years is technology - not the Constitution. We are now only at a point that technology is beginning to no longer be the barrier to this type of activity, and we will have to see how these enabling technologies apply to the Constitution. Viewing the problem from it's root cause (not a unique case of people being "lazy") is the first step in the right direction.
12. Re:most people don't want to bother by TangoMargarine · 2013-10-03 02:42 · Score: 1
  
  Heh, nice car analogy :) I do agree with your general arguments.
  That said, the difference is that the mechanic is not likely to put a secret bomb in your car, of course.
  
  --
  Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
13. Re:most people don't want to bother by Rich0 · 2013-10-03 02:42 · Score: 2
  
  I understand how to do exactly everything you're asking your family to do, and yet I still trust all my email to Gmail.
  The reason is that it makes the data readily accessible. I'd like to read my email from arbitrary computers using only a web browser, and routinely read my email in this way so the client needs keyboard shortcuts/etc.
  Sure, I could set up squirrelmail or roundcube and use IMAP with some client on Android (and have done so in the past), but the software is very clunky. With gmail I can process each email I read with a single keystroke. With something like squirrelmail it takes several mouse clicks to archive a message.
  I'd really prefer using FOSS and encrypting everything, but it is a real pain unless you're almost exclusively reading your email via an X11 console. Even then the keyboard shortcuts often aren't as good as gmail, but at least you have drag-and-drop.
14. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 03:03 · Score: 0
  
  I'd really prefer using FOSS and encrypting everything, but it is a real pain unless you're almost exclusively reading your email via an X11 console. Even then the keyboard shortcuts often aren't as good as gmail, but at least you have drag-and-drop.
  WTF? So, was I dreaming when I setup Zimbra Open Source Edition and used the email client of choice (except for the shitty Gmail app) on any platform of choice? I don't remember an X11 console or clunky email clients anywhere in that dream.
15. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 03:38 · Score: 1
  
  First, I'm not disagreeing with you; your reasoning is pretty similar to why I don't encrypt my e-mail and in fact use GMail.
  But the NSA doesn't need have a human read your e-mail. They have computers for that.
16. Re:most people don't want to bother by devent · 2013-10-03 03:52 · Score: 2
  
  True. Privacy is not a technological issue but a political one.
  I could barricade my windows, put steel fence around my house, install EM shielding etc. Would not be a nice life, through. The same is for Internet privacy: I could install packet filter, firewalls, encrypt everything, but it's not a nice experience of the Internet then.
  That is why we need strong privacy laws. We have privacy laws of mail and phone calls, why we don't have privacy laws for e-Mail and Web sites, Skype, etc.? Privacy laws are essential for freedom of expression and democracy.
  
  --
  http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
17. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 04:18 · Score: 0
  
  OS X Mail does not need a plug-in to do encrypted e-mail. Buy an e-mail certificate (or create your own using Keychain Access) and new e-mails that you write have a button to digitally sign them. Receive a signed e-mail from someone else, and now any e-mail you write to them has a button to encrypt it. It's that easy: signing certificates are automatically stored in your keychain, and Mail automatically gives you the option to use them if they are available.
  The problem comes when trying to explain to users of Microsoft Outlook the convoluted steps that they have to go through to install the signing certificate that they just received from you as part of your signed e-mail, and then the further convoluted steps they have to go through to use the certificate each and every time they want to encrypt an e-mail to you.
18. Re:most people don't want to bother by Tom · 2013-10-03 05:02 · Score: 3, Insightful
  
  They don't care about the NSA because they "aren't doing anything wrong".
  They are missing the experience of living in a police state, bless them. One of the reasons Germany is a little (not enough, but a little) less ignorant of this is that many of its citizens still remember the GDR and the Stasi.
  Even risking to Gowdin this, but maybe it gets them thinking to tell them that the Jews in Germany also thought they didn't do anything wrong. The Nazis, on the other hand, were very happy that religious affiliation was on government record and were extremely efficient in rounding up all the Jews who, remember, didn't do anything wrong.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
19. Re:most people don't want to bother by Teckla · 2013-10-03 05:48 · Score: 2
  
  That's what security is up against: people who want to put all their information in "the cloud"
  I don't think that's quite accurate. People want simplicity, ease of use, worry free backups, automatic sync between devices, etc.
  Give them thick client, encrypted solutions that give them those things with minimal or no effort, and a great many would probably convert.
  The success of the cloud is largely because thick client solutions have largely failed the average user test. Us technical folks don't recognize or ignore this fact far too often.
20. Re:most people don't want to bother by someSnarkyBastard · 2013-10-03 05:50 · Score: 1
  
  People have always been like this as long as civilization has been around. Some people fully understand a technology and take the details of it into their own hands, while others are more comfortable with someone else providing the expertise.
  This. Those individuals don't understand the problem, don't want to understand the problem, and frankly don't care about the problem. To them it isn't a problem, or at least not their problem. Now, you harping on about it and making it their problem on the other hand...different story...
21. Re:most people don't want to bother by Anonymous Coward · 2013-10-03 06:30 · Score: 0
  
  A smartphone may not have a pgp plugin for their mail, but nothing stops your from installing a replacement email app. None exists? Nobody stops you from porting a "decent 1990's mail reader that supports pgp"
22. Re:most people don't want to bother by ruir · 2013-10-04 01:13 · Score: 1
  
  Would they be allowed to do it? Dude, we are talking about a protocol in which an american citizen was wanted for years by the FBI for writing and distributing an implementation.
23. Re:most people don't want to bother by Rich0 · 2013-10-04 22:10 · Score: 1
  
  WTF? So, was I dreaming when I setup Zimbra Open Source Edition and used the email client of choice (except for the shitty Gmail app) on any platform of choice? I don't remember an X11 console or clunky email clients anywhere in that dream.
  I've tried Zimbra Open Source Edition. It lacks any kind of Android client (you did say OPEN SOURCE edition, right?). It also lacks keyboard shortcuts for deleting and archiving mail, as far as I'm aware. I'm not certain, but I don't recall that it supported tag-based email sorting either.
This isn't news.... by Anonymous Coward · 2013-10-03 00:17 · Score: 0

Those of us wearing tin foil hats have already based our security paradigms and practices around the idea that the security institutions many people trust were not worthy of that trust.
For example, stop believing TOR offers you any security from the US government. It is a nice idea but it is just an illusion.
Secure conversations that I now have are written down on paper (where there are no cameras) and later burnt and the ash pulped.
So- by IWantMoreSpamPlease · 2013-10-03 00:18 · Score: 1

Back to sneakernet?

--
So rise up, all ye lost ones, as one, we'll claw the clouds.
1. Re:So- by lxs · 2013-10-03 01:11 · Score: 1
  
  Too smelly.
Start buying stamps again by jfdavis668 · 2013-10-03 00:24 · Score: 2

Well, I guess I have to start buying stamps again. But beware the postal inspectors!
Hardware by Anonymous Coward · 2013-10-03 00:31 · Score: 0

Hardware is the biggest problem.
You can use open source software all you want, but how many of you know exactly what the chips in your hardware do.
1. Re:Hardware by Anonymous Coward · 2013-10-03 00:44 · Score: 0
  
  We need to restart from scratch.
  Like we did in the late 70s & early 80s: a whole generation learned how computers worked and was willing to re-invent everything on microcomputers what already existed in the mainframe world and then went beyond that. It was also a huge boost for economy.
  Let's do it again, but this time on open & secure hardware which is designed around ease of auditing.
2. Re:Hardware by AHuxley · 2013-10-03 02:07 · Score: 1
  
  You can try http://en.wikipedia.org/wiki/Loongson#GNU.2FLinux
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:Hardware by gmuslera · 2013-10-03 03:48 · Score: 3, Insightful
  
  Like Intel embedding 3g radios in the vPro processors? Putting trojan in FPGAs? If i can't walk to the next continent, why worry to start walking?
  Do what you have at your hands, you can improve a lot your security in the points where you control. And let the rest of the world figure the missing pieces, with open source software you also have portability, when an alternative comes in that area (i.e. moving to ARM) you will be able to take a step forward. Just don't get too tied to a solution that you can't control.
4. Re:Hardware by someSnarkyBastard · 2013-10-03 06:02 · Score: 1
  
  You do realize that the Loongson chip was developed by the People's Republic of China right? Not the first place I'd look for backdoor-free chip designs...
5. Re:Hardware by AHuxley · 2013-10-03 14:11 · Score: 1
  
  http://richard.stallman.usesthis.com/
  From 2010:
  "I am using a Lemote Yeelong, a netbook with a Loongson chip and a 9-inch display. This is my only computer, and I use it all the time. I chose it because I can run it with 100% free software even at the BIOS level."
  http://www.wired.com/magazine/2009/12/st_essay_china/
  "Lemote positions its netbook as the only computer in the world with nothing but free software, right down to the BIOS burned into the motherboard chip that tells it how to boot up."
  Vs the US "backdoor-free chip designs" that made the news? http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
  Tailored Access Programs "“templates” for breaking into common brands and models of routers, switches and firewalls."
  
  --
  Domestic spying is now "Benign Information Gathering"
less trust, more thrustworthyness by Anonymous Coward · 2013-10-03 00:33 · Score: 0

Trust is never the goal. It is granted, if people have been proven thrustworthy.
1. Re:less trust, more thrustworthyness by Entropius · 2013-10-03 01:08 · Score: 3, Funny
  
  "Thrustworthy" sounds like a colloquialism for someone worth having sex with.
2. Re:less trust, more thrustworthyness by kilfarsnar · 2013-10-03 03:03 · Score: 2
  
  Like spongeworthy?
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
It wasn't a revelation by Murdoch5 · 2013-10-03 00:35 · Score: 0

If you actually though that you could use a mobile phone, mobile computer or the internet with out being tracked then you deserved to surprised by the NSA leak. Why would a government not take the effort to look into what people do on a daily basis when they have the technology . For most people it is really not an issue, you only have to worry when you have something to hide. It's funny how people whine and freak out about privacy but they don't really have a point, only the assumed guilty act like they must hid what they do. People who know they aren't breaking the law and don't intend to aren't afraid of just letting people see what they do on a daily basis.

Personally I think it's funny that this entire thing has grown so out of proportion. If you actually thought you had security and privacy online then you have the problem, not the group that was looking at you.
1. Re:It wasn't a revelation by causality · 2013-10-03 01:05 · Score: 4, Insightful
  
  Why would a government not take the effort to look into what people do on a daily basis when they have the technology .
  To me it was also predictable, because I've read history books and noticed again and again that the most ruthless, sociopathic, often bloodthirsty control freaks are the ones who want power so badly that they'll do anything to achieve it. That's the nature of government. Public awareness and understanding is the only real thing holding it back. We have public apathy and ignorance because most people have been softened and made complacent by convenience and pointless indulgences (hundreds of channels of brain-dead horse-shit, news media controlled by 5 corporations all of which are cozy with government, public education for obedient workers and not for self-directed thinkers).
  
  But that the government would want to spy on its people and would use technology in that manner, no that's not remotely surprising to anyone who understands the nature of governments and the people who most want to run them. What we need is a majority of people who comprehend this basic fact that has been repeatedly observed throughout history. The stakes are higher now, and become higher the more our tech advances. Our leaders have noted that bread and circuses works, that's because they actually do learn from history.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
2. Re:It wasn't a revelation by Anonymous Coward · 2013-10-03 01:27 · Score: 0
  
  "People who know they aren't breaking the law and don't intend to aren't afraid of just letting people see what they do on a daily basis."
  It's not just about breaking the law.
  It's about doing and/or being anything not accepted by society.
3. Re:It wasn't a revelation by kilfarsnar · 2013-10-03 03:21 · Score: 1
  
  For most people it is really not an issue, you only have to worry when you have something to hide. It's funny how people whine and freak out about privacy but they don't really have a point, only the assumed guilty act like they must hid what they do. People who know they aren't breaking the law and don't intend to aren't afraid of just letting people see what they do on a daily basis.
  I thought this board had moved past this argument. How do you know you're not doing something illegal? Do you have a working knowledge of every law on the books for your state or local municipality, let alone the federal government? Are you under the impression that all laws are reasonable and adhere to your common sense? Is your idea of "wrong" the same as everyone employed at the NSA? Are you aware that these surveillance powers are being used against people who have not broken a law but are critical of, or inconvenient to the US government? Finally, how do you know that guy you cut off in traffic doesn't have a cousin at the NSA who now has you license number and is digging into your life? Are you sure your life will look squeaky clean to some faceless bureaucrat with an ax to grind?
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
4. Re:It wasn't a revelation by Tom · 2013-10-03 05:06 · Score: 2
  
  because I've read history books and noticed again and again that the most ruthless, sociopathic, often bloodthirsty control freaks are the ones who want power so badly that they'll do anything to achieve it. That's the nature of government.
  Give that man a cookie.
  I had a few years in an elected position. In the end, I gave it up because I couldn't take standing up against the egomaniac psychopaths anymore whose only concern was themselves and their position. These people will win out because people like you or me will reach a point where we just can't take it any longer, but for them it's the meaning of life.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
5. Re:It wasn't a revelation by Anonymous Coward · 2013-10-03 06:21 · Score: 0
  
  It's funny how people whine and freak out about privacy but they don't really have a point, only the assumed guilty act like they must hid what they do. People who know they aren't breaking the law and don't intend to aren't afraid of just letting people see what they do on a daily basis.
  Basically you haven't watched any tv show that has a "good guy" in it in the past 20 years. If you never do anything wrong ever, you are much more susceptible to slanderous claims because you won't be paying attention to signs of foul play. In reality, unlike on tv, the "good guy" is rarely exonerated...or ever heard from again.
Misunderstanding what trust is by onyxruby · 2013-10-03 00:37 · Score: 4, Interesting

Take the view of the Pentagon and assume that you are at all times compromised. You probably are. Any given entity can be broken into by a determined hacker. Talk to a pen tester sometime and ask them how many places they have failed to break into. The entire concept of trust is that you can send data privately over the Internet, you can't unless you encrypt your data offline ahead of time.
On the Internet trust is all about identity and encryption. For most people that translates into a certificate that is used to supply SSL. People then assume that because they are using SSL that they can now trust a given connection. There is no justification for trust and there never has been, the entire concept of trust is a misunderstanding of the concept of how a Certificate Authority works.
All a Certificate Authority does is say that their is an unbroken chain of identity from a given point to a given point. Even then a Certificate can be forged or stolen or issued improperly, and even if controls detect a bad certificate in use most people will click the button to use the bad certificate anyways.
All of this assumes that a given government entity hasn't used a court order to force a Certificate Authority to replicate a Certificate so that your data can be seized. Certificate Authorities cooperate with things like court orders, they don't self destruct like Lavabit. That whole backstory with Lavabit self destructing - it was a fight over getting the key that was used because he wouldn't hand over his private key.
People also forget that SSL is wholly dependent on Certificate Authorities. SSL is used to encrypt data with a key when data is in transit. The problem is that data anyone that owns the network can conduct an MITM attack against your key. SSL is fundamentally broken because it presents a perception of trust when it is incapable of providing that level of trust.
1. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 00:43 · Score: 1
  
  Your analysis of SSL isnt wholly correct. You can perform casual MITMs when you control the CA chain, and when your end users know they are being spied on.
  It is however fairly easy to see if someone has created a forged cert with an alternate CA, as the cert thumbprint and CA chain would be different.
2. Re:Misunderstanding what trust is by h4rr4r · 2013-10-03 00:50 · Score: 2
  
  Not when you hold the same keys the real CA does. The NSA may well have their own copies of these keys.
3. Re:Misunderstanding what trust is by blueg3 · 2013-10-03 01:30 · Score: 1
  
  The CA never has a copy of the SSL certificate necessary for doing key exchange.
  The public certificate is what is signed by the CA. It's also handed out to anyone that asks for an SSL connection, so it's hardly secret. The private key is only ever held by the certificate owner, not by the CA.
  If a CA is complicit (or gives you a copy of their key), you can create a pretty good MITM by generating a new keypair with the target's information (obtained from the public cert) and signing that. However, you cannot duplicate their public certificate or even have your fake certificate have the same fingerprint as theirs. So if someone initiating an SSL connection has seen the target's public certificate in the past and remembered the fingerprint -- or if they have received the fingerprint through a non-compromised channel -- then your attack is detectable.
  The only way to MITM undetectably is to have your public cert be exactly the same as theirs, which means that you need their private key. The only one with the private key is the target, not the CA.
4. Re:Misunderstanding what trust is by ArsenneLupin · 2013-10-03 01:33 · Score: 1
  
  Not when you hold the same keys the real CA does. The NSA may well have their own copies of these keys.
  The CA doesn't hold any private keys, at least not usually. Even the Mossad allows you to skip giving away your private key.
  So, all a malicious CA can do is issue a second certificate with the same info, but for a different private/public key pair. But that means that the fingerprint will be different (this is a hash over the entire certificate, including the public key, which won't match the public key of the original).
  So, an observing user can indeed spot this. Only the browser's automatic check (based solely on the CA's signature) will be fooled by this.
5. Re:Misunderstanding what trust is by ArsenneLupin · 2013-10-03 01:38 · Score: 1
  
  People also forget that SSL is wholly dependent on Certificate Authorities
  Well, technically, you could always very "certificate" fingerprints manually...
  
  The problem is that data anyone that owns the network can conduct an MITM attack against your key.
  Make that "... anyone that owns the network and the CA can conduct an attack...". The purpose of SSL is exactly to prevent attacks by people who "only" control the network between client and server.
  
  SSL is fundamentally broken because it presents a perception of trust when it is incapable of providing that level of trust.
  SSL doesn't supply trust, instead it relies on trust. Namely on the trust that CA's are doing their job properly (... which unfortunately, they don't always do...)
6. Re:Misunderstanding what trust is by h4rr4r · 2013-10-03 01:40 · Score: 1
  
  Or someone talking to the target.
  Look at what happened to Lavabit.
7. Re:Misunderstanding what trust is by petermgreen · 2013-10-03 01:47 · Score: 1
  
  It is however fairly easy to see if someone has created a forged cert with an alternate CA, as the cert thumbprint and CA chain would be different.
  It in indeed easy to see when a cert has changed.
  The difficult bit is deciding whether that cert change is legitimate or not. Sites do change their certs for a wide variety of reasons (upcoming expiry, dumb admin loses the keys, need a different selection of domains on the cert) and larger sites often end up with different load balanced/geolocated instances using different certs. So seeing a different cert from other people isn't nessacerally an indication of foul play.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
8. Re:Misunderstanding what trust is by blueg3 · 2013-10-03 02:56 · Score: 1
  
  To what is "or someone talking to the target" referring?
  The only one with the private key is the target. A person communicating over SSL with the target doesn't have the target's private key.
  If you want to undetectably MITM an SSL encryption, you need to acquire the SSL private key from the target. Is that more clear?
9. Re:Misunderstanding what trust is by h4rr4r · 2013-10-03 03:03 · Score: 1
  
  I meant if we the target of the investigation is not the target of the MITM attack.
  What I meant was if they have the CA cert and a copy of the priv key or heck at that point they can just take the cert like they did for lavabit, it is game over.
10. Re:Misunderstanding what trust is by KiloByte · 2013-10-03 03:25 · Score: 1
  
  Even worse, you can't trust just _a_ CA. You need to trust every single of them. Including CNNIC, Etisalat who conduct massive MITM attacks themselves, Turktrust and co who are merely criminally sloppy, and the whole rest, 95% of whom I suspect to not even wince when a three letter agency requests a fake cert pair.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
11. Re:Misunderstanding what trust is by someSnarkyBastard · 2013-10-03 06:29 · Score: 1
  
  So, an observing user can indeed spot this. Only the browser's automatic check (based solely on the CA's signature) will be fooled by this.
  And how many users do you think bother to regularly check every SSL cert is indeed legit? I'll be generous and assume single-digit percentages (realistically, I would put it closer to less than 1%)
  Now we move on to the next question, whose fault is this? The users for not being more vigilant? The browsers being lazy? Both? Other third parties? (Insert well-loved TLA name here) All the above?
  The Internet may have been developed in part by the military but it was not built on an adversarial (paranoid) security model, the default is to trust the other party. Web browsers constantly crow at every update about how they now support the latest greatest security tricks to keep you safe so you don't need to worry your little head about the big bad hackers. The general public still by and large consider computers and technology to be only a step or two removed from magic and blindly trust the system because that is what they have been conditioned to do.
  This is a perfect storm scenario, really and truly.
12. Re:Misunderstanding what trust is by Anonymous Coward · 2013-10-03 06:38 · Score: 0
  
  You don't have to trust all of them. If you decide to distrust only Turktrust - you set up your browsers etc. to not trust them. Now you no longer accept SSL connections where Turktrust is anywhere in the chain. So you probably miss out on your favourite Turkish https sites. Irritating, but there are lots of other sites not using Turktrust.
13. Re:Misunderstanding what trust is by KiloByte · 2013-10-03 07:38 · Score: 1
  
  Ok, so out of ~300 suspicious CAs, you are vulnerable to MITMs signed by 299 others.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
14. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 08:10 · Score: 1
  
  The CA cannot generate an identical cert to the end server-- they do NOT have the private key ever.
  Please read up on how SSL certs / CSRs are created before commenting on the process.
15. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 08:25 · Score: 1
  
  You are showing your ignorance. Lavabit was asked for private keys precisely because the attack you envisioned is IMPOSSIBLE without the private keys.
16. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 08:27 · Score: 1
  
  Ive told you this about 5 times in 5 different article threads. The CA NEVER has the private keys for EXACTLY this reason.
17. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 08:29 · Score: 1
  
  And how many users do you think bother to regularly check every SSL cert is indeed legit?
  It is irrelevant. As soon as ONE user spots it-- and SOMEONE will-- the jig is up: everyone will know surveillance is happening, theyll know which CA issued the phony cert, and theyll un-trust that CA.
18. Re:Misunderstanding what trust is by LordLimecat · 2013-10-03 08:49 · Score: 1
  
  The difficult bit is deciding whether that cert change is legitimate or not
  Seems like when this happens with Google for example, someone posts to a google groups "hey, google, is this legit?".
  Pretty simple for the vendor to throw out a quick "yea that thumbprint is ours".
19. Re:Misunderstanding what trust is by h4rr4r · 2013-10-04 01:03 · Score: 1
  
  If you can compromise the CA you can get the priv keys.
  I deal with CAs a lot. You would not believe how often a large national/regional retail chain has sent me their private keys. I ask for a CSR and they send me everything.
I'm already there. by Anonymous Coward · 2013-10-03 00:41 · Score: 0

The first question for a public site should be "does a site need to retain info?". Greed is what fuels the desire to use other people's activity for profit. I built a SAS that deletes all user data after 4 hours. When I started I did not know if people would accept this, but what I find interesting is through the apache log based tracking I can see that people manually delete their data even though it is automatically removed. I am not saying that temporary data will work for every need, but it should be considered.
Thanks for the heads up by Anonymous Coward · 2013-10-03 00:47 · Score: 0

What is this story from 10 years ago? Oh NOW we need to have minimal trust. Thanks for laying that out.
I like how all the "conspiracy theory" people are generally considered wacko, yet more of their predictions or "conspiracies" come to be yet they are never given validity. I would say the odds are better if you believe just about all conspiracies, with in reason, till they are proven false. I'd say you'd be right more times then wrong and wouldn't be surprised when the truth come to light.
1. Re:Thanks for the heads up by causality · 2013-10-03 01:12 · Score: 1
  
  I like how all the "conspiracy theory" people are generally considered wacko, yet more of their predictions or "conspiracies" come to be yet they are never given validity.
  
  The people who want modern-day prophets to be wrong so they can ridicule them, call them names, and feel better for a moment about their pitifully desperate and meaningless lives, well, these are not the kind of people who like to admit when they are wrong and try to avoid repeating the same mistake.
  
  Validity was never to be expected from the likes of them. Such people aren't interested in truth. They're interested in feeling superior to someone else. This is fundamentally incompatible with a search for truth.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
2. Re:Thanks for the heads up by HiThere · 2013-10-03 07:12 · Score: 1
  
  No. It's a noise level problem. MOST conspiracy theories are wrong. There are thousands of conspiracies happening at all times, and still most conspiracy theories are wrong. And it's not because the existing conspiracies are successfully remaining unpostulated.
  So. MOST conspiracy theories are wrong. Possibly as many as 95% of them. But many of them are correct. How can you identify the correct ones? Did Castro arrange to have Kennedy shot? How do you know? Was 9/11 and inside job? How do you know?
  So it's basically a noise-level problem. But there's the additional level of "people are reluctant to believe things that make them more uncomfortable if they believe them than if they deny them". It's not just cognitive dissonance, it's wider than that. So if you want to convince people you need more than a minimal level of proof. And if you're judging any particular conspiracy theory, you need to pay attention to how uncomfortable it would make you feel to believe it, and use that to adjust the weighing in favor of the conspiracy being true (or, if you want to believe it, of it being false).
  If there's an answer, I don't know it. But I'm quite skeptical of official "explanations". Also of videos I've seen on TV. (I've been at a few events that TV covered. The coverage has always been "processed for entertainment value"[usually horror].)
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
P2P crypto software by Anonymous Coward · 2013-10-03 00:57 · Score: 0

Use this software http://is.gd/Ja2oWr for secure P2P communications.
It's better than email or SSL. It uses crypto not known to that unpopular agency.
1. Re:P2P crypto software by blueg3 · 2013-10-03 01:19 · Score: 2
  
  If you follow this link, you have failed the first test of computing with minimal trust.
  If it actually goes to crystallographic software and you use that software, you've failed the second and third tests.
2. Re:P2P crypto software by tepples · 2013-10-03 01:20 · Score: 1
  
  And it's useless to communicate with people who use an Android device or an iPhone or iPad as a primary communications device.
3. Re:P2P crypto software by Rich0 · 2013-10-03 02:48 · Score: 3, Insightful
  
  That is the real problem. If all I do is work from my desktop then I can just use kmail and its fairly strong gpg support and I'm done. The problem is that I use many operating systems, including ChromeOS, so I need Android clients, web-based clients, etc. I've yet to see anybody write a really good web-based email client, and even the IMAP options are very limited if you want to use tag-based email management (as in Gmail).
  I really don't want to use Gmail. Its identity management is broken on Android, it isn't good at threading, there is no way to use it with encryption, and it gives Google access to all my mail. The problem is that nobody has come up with an equivalent FOSS option. The best I can do is cobble together a bunch of stuff and still get an inferior product. I've yet to find a web-based MUA that handles keyboard shortcuts nearly as well as Gmail...
Should people try to emigrate? by tepples · 2013-10-03 01:11 · Score: 2

I don't live in the US either btw, and I'm happy to let you guys keep it to yourselves.
Is your country accepting refugees from the U.S. regime?
Practical problems with the web of trust by tepples · 2013-10-03 01:14 · Score: 2

RFC 2440 [describing OpenPGP] for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy.
You talk about OpenPGP. How much does it cost to travel to get your key signed by people who are well connected in the web of trust? And how can you trust that the people who signed the key of the person with whom you want to communicate are reliable at signing keys?

I can't even get my friends to use "Off The Record" for secure IMing.
That depends on whether a client supporting Off The Record is available for a particular operating system (such as Windows Phone) and how easy it is to start using. Mobile operating systems prefer monolithic apps over protocol plug-ins that can be installed into an existing app, and people might not be willing to learn a different IM client's user interface just to communicate with you.
Trust is context- and stake-dependent by aaaaaaargh! · 2013-10-03 01:15 · Score: 4, Insightful

I trust some people's knowledge and expertise in one domain, but not in another. Likewise, if I were a US citizen running an entirely legal US company I'd have not the slightest problem with trusting the NSA cloud with all my company data (if they had such a service). I trust AES with keeping my personal data unencryptable by crooks and criminals, but I probably wouldn't use AES to encrypt all my data if I were a member of the Chinese military. It really depends in the threat scenario and your goals. An unconditional discussion of trust is fruitless.
Not Quite by Anonymous Coward · 2013-10-03 01:16 · Score: 0

It was also recently revealed that the post office tracks and logs mail going overseas to see who is sending what and to where. The part that boggles my mind is the post office has the worst tracking system of all. It can only tell you if your package arrived at its destination several days after the fact.
minimal trust by Anonymous Coward · 2013-10-03 01:22 · Score: 0

"start planning for a computing world with minimal trust"
we've never had a computing world with more than minimal trust
The Internet is not designed to be secure by DogDude · 2013-10-03 02:31 · Score: 1

No matter what anybody does, the Internet is inherently insecure and non-anonymous because it was designed that way. Any slap-on security on the Net is temporary, at best.

--
I don't respond to AC's.
trust is earned by Gravis+Zero · 2013-10-03 02:38 · Score: 1

what has the NSA done to earn back our trust? NOTHING!
there is only one logical conclusion: stay outside of their reach and only expose information that you dont mind being public.
the internet has become toxic so where will we go now?

--
Anons need not reply. Questions end with a question mark.
minimal trust by l3v1 · 2013-10-03 04:11 · Score: 1

"the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust"

Oh, come on. I mean I don't know about most people, but there has been no day during my life around computers during which I would've ever thought that computers, the networks, the internet, and/or services were more secure or more trustworthy than that 'minimal' the poster talks about. And I'd expect everyone with enough experince and insight to feel the same. So this 'waking up' one day and being dumbstruck of evaporating trust and security just feels weird and even funny. They were actually never there, just the illusion of some, mostly for the average non-caring crowds, but that's really easy to lose. Also, current generation 'westerners' are the worst in such matters, since they have no more memories of times not-so-long-past when survaillance - covert or open - was the norm. Thinking you live in freedom and liberty can be blinding. Take care, people.

--
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
nothing has changed by Tom · 2013-10-03 04:59 · Score: 1

I mean that. Nothing has changed. The issue is still the same: At some point you have to trust someone. Not everyone can write their own software. Even fewer can write their own operating system. Only very few can write their own compiler. Almost nobody can build their own hardware. Unless you are a government agency with almost unlimited budget, you have to trust someone at some point.
It may not be the provider of your technology - it can be someone checking it. The way we don't bring every piece of food we buy in the supermarket to a lab to check it, but trust that by and large the checks in place make sure food is safe. And before you cite some case where it wasn't: Nothing is 100% perfect, but in many areas in our civilized world we are coming damn near close.
IT is still a toddler, and as such we don't yet have the experience and knowledge to deal with it very well. Plus it keeps growing and changing, making some plans obsolete.
But if this really changes anything you did in a fundamental way, then you did it wrong before. You should already treat unencrypted Internet communication as being public, for example. You should already assume that Google and Facebook are reading your data and doing stuff with it. You should already not be a bloody fool who trusts any idiot who comes along and says "hi".

--
Assorted stuff I do sometimes: Lemuria.org
1. Re:nothing has changed by Burz · 2013-10-03 20:00 · Score: 1
  
  Plenty has changed. Its possible, with an IP replacement like I2P, to have a network of strong identitities that, nevertheless, start out as anonymous unknowns.
  The identity/address cannot be subverted (without breaking into the user's system) and the user can then reveal personal details according to their need or comfort level. They can even do full 'out of band' verification, if its desirable to do so, only with people the user chooses to trust.
2. Re:nothing has changed by Tom · 2013-10-04 02:41 · Score: 1
  
  Ah, another cute geek solution.
  You have almost 2.5 billion Internet users who use IP today. When you've figured out how to convince them of changing to something else, then you have something worth talking about. Until you've solved that fundamental issue, all you have is a cute tech idea.
  Reworking the Internet (as necessary as it is, I agree on that) is not so much a technological problem.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
Great idea, there: by Hartree · 2013-10-03 05:07 · Score: 1

"Instead you just pull the trigger on anybody who dares to snicker"
Yeah, they stop laughing quick. Then they call in the SWAT team that's more heavily armed than you are.
1. Re:Great idea, there: by ArsenneLupin · 2013-10-03 05:36 · Score: 1
  
  However, I somewhat doubt that the SWAT team would go after those police who don't like to feel like idiots...
2. Re:Great idea, there: by Hartree · 2013-10-03 11:06 · Score: 1
  
  Yeah, I misread your post. Sorry.
  Must have more coffee! :)
Um... by zooblethorpe · 2013-10-03 05:26 · Score: 1

If the NSA want to feel like idiots, they're free to do so.
A similar thing happened to a friend in Germany. And not, the German police didn't feel like idiots, and quite happily wrecked the guys life. If you have a gun, you never feel like an idiot. Instead you just pull the trigger on anybody who dares to snicker...
Yeah, they stop laughing quick. Then they call in the SWAT team that's more heavily armed than you are.
Um, I think ArsenneLupin was referring to the police as the one's with the guns, who wouldn't feel like idiots, and who would kill anyone who pokes fun at authority. As an attempt at pointing out how out-of-control people can be when armed and in a position of authority or power.
But then, your comment about SWAT teams actually just reinforces that point, so hey.
Cheers,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
Gah! by zooblethorpe · 2013-10-03 05:30 · Score: 1

Like spongeworthy?
It's Spongeworthy Bobpants, the new porn star!
...
Bleh. That's an image I didn't need to think of today.

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
1. Re:Gah! by someSnarkyBastard · 2013-10-03 06:13 · Score: 1
  
  Actually the script would kind of write itself, He lives in Bikini Bottom and works for a crab after all...all that's missing is Squidward coming out in drag...
gMail by phorm · 2013-10-03 05:59 · Score: 1

One of the big advantages of Google is that their inspection and volume lends itself to very good anti-spam. I've run mail-servers before but for anything personal SPAM and filtering is a huge problem for a little guy.
We need a new C compiler by Anonymous Coward · 2013-10-03 06:46 · Score: 0

W need a new C compiler. Not a fast one, not an efficient one. We need a very simple C compiler (call it newCC) that can be used to bootstrap compile your package of choice.
The point is, it should be optimised to be read and understood, not to run efficiently. If we can trust it to produce honest output (without backdoors), then we can start to rebuild our toolchain, trusting that our toolchain does not now contain any backdoors
I would suggest initially building newCC based on an obsolete version of a scripting language, say python2.6 or ruby1.8. Since our newCC did not exist when python2.6 was current, we can reasonably assume that there are no compilation backdoors in python2.6 to subvert the output of newCC. We could use newCC to compile python2.6 (just to be sure), then compile GCC using newCC running on our clean version of python2.6.
I'm under no illusions that this would be completely foolproof, but it is a start to regaining a chain of trust in our tools.
Re:IT by Anonymous Coward · 2013-10-03 06:48 · Score: 0

Naw, IT is not a "toddler". "Toddlers" are only that for about two years before they become "Children" as in "Think Of".
IT is somewhere between 18, 35, and 50 depending on when you start the clock.
It's the defining social complex issue of the age, not a cute fad.
Destructive effects by dumky2 · 2013-10-03 07:06 · Score: 1

Again an example of an agency, supposedly designed to protect the American people, whose actions results in undermining safety and eroding trust.
There is no such thing as a universal level of security (regarding arguments like "it wasn't secure enough before"). In some neighborhoods, you need to put bars on the windows. In others, you don't.
What the NSA has done is make the internet a less safe neighborhood than otherwise. People will now have to put more virtual locks and bars. More effort on security and less on more productive features...

--
These comments are mine; I do not speak for my employer.
Peer Review Resources? by Anonymous Coward · 2013-10-03 20:25 · Score: 0

Suppose that someone is developing or has developed an encryption product that is intended to be strong and easier to use than currently available encryption products. It might be straight data encryption for personal use, encryption designed to secure network communication, or encryption designed to secure telephone communication.
What are some good ways that they can go about getting their algorithms and implementations reviewed by others?
Living without trust by JohnReynolds425 · 2013-10-04 04:39 · Score: 1

It's depressing to realize Big Brother is really watching. No online data is secure nowhere no how. If you keep it in your home, they still need a warrant to get to it. So far, the best way to keep your stuff safe from prying eyes is to get a private cloud, like a Cloudlocker (www.stoamigo.com) that works like a regular cloud service but stays at home. Look for more inventions like this to help protect us from the people supposed to protect us.