Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security After the Death of Trust

Posted by samzenpus on from the lock-it-down dept.

An anonymous reader writes "Simon St. Laurent reviews the options in the wake of recent NSA revelations. 'Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust.'"

9 of 162 comments (clear)

  1. Minimal Trust: by Hartree · · Score: 4, Insightful

    Shouldn't that have been the paradigm from the beginning if you really wanted security?

    Just because you think a person or organization can mostly be trusted today, doesn't mean it will always be the case.

    1. Re:Minimal Trust: by Anonymous Coward · · Score: 4, Insightful

      It has been available for a kind of long time. RFC 2440 for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy. I can't even get my friends to use "Off The Record" for secure IMing. They don't care that their IM is going unencrypted over the network, or at least not enough to spend 2 minutes to install it.

      Yes nothing is perfect including this but encryption is a lot better than not. Endpoints (who you talk to) is still exposed but having your message contents hidden still seems like an improvement, but people won't do it even when it's easy and you prompt them to.

    2. Re:Minimal Trust: by Pieroxy · · Score: 4, Insightful

      Until you chat with a friend, make dirty terrorists jokes, and this friend is thought by the NSA to be a terrorist. You'll find yourself interrogated before you know it.

      There are countless scenarios that may see you regret this carelessness.

      --
      Write boring code, not shiny code!
    3. Re:Minimal Trust: by jenningsthecat · · Score: 4, Insightful

      It has been available for a kind of long time. RFC 2440 for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy.

      The problem is getting a critical mass of users to adopt encryption. And although it's largerly a matter of people either not caring, or not knowing enough to care, it's also a problem of not wanting to stand out in the crowd and risk getting singled out. My friends and I don't use e-mail encryption because, with so few other regular users of it, we would simply be marking ourselves for special attention from TLA's.

      It's the kind of thing where a significant portion of the population - say 10% - needs to start using e-mail encryption simultaneously. And unfortunately, that's not likely to happen any time soon. I've said it before and I'll say it again: like sleight-of-hand in a magician's act, bread and circuses really do work to keep people distracted from what their leaders and masters are doing. Until enough of us pull our heads out of our popcorn bags, organize, and start engaging in the Internet's equivalent of 'passive resistance', the 1% and their minions are going to keep screwing us over.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    4. Re:Minimal Trust: by MozeeToby · · Score: 5, Insightful

      For the rest, nobody cares

      I do. I fucking care that I can't communicate without big brother leaning over my shoulder to make sure I'm a good citizen. It's fucked up. Even if they never used a single byte of the data, the act itself is fucked up. Besides that, laws change. Much more of your day to day life than you imagine is already illegal to some extent or another. With pervasive eavesdropping you're just one ticked off bureaucrat away from a prison sentence. And even if you yourself by some miracle live (an almost impossible) squeaky clean lifestyle, it's even less likely that your family and friends to as well.

    5. Re:Minimal Trust: by kilfarsnar · · Score: 4, Insightful

      Yeah? What exactly do I need to be kept "safe" from? Are they going to send thugs round to interrogate me for flirting on Facebook?

      "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." -Cardinal Richelieu

      No I would imagine not. Any given person likely has little to fear from increased surveillance; most people's lives are uninteresting. But if someone is looking at you with the intent of finding wrongdoing, they will find it. Especially if they have a history to look back on.

      The other issue is that these surveillance powers are being used against anyone the US government doesn't like, for whatever reason. Do you agree with everything the US government does and says? I'd guess not. Do you support the actions of people who are organizing to push back against those policies you disagree with? I'd imagine so. Well these surveillance (and detention) powers are being used against those groups who are fighting for what you believe in, whether you participate or not. So your interests are being indirectly harmed by these powers.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  2. Re:What? by Big+Hairy+Ian · · Score: 4, Insightful

    We never really trusted our government.

    The problem with elections is that the government always wins :(

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. Re:It wasn't a revelation by causality · · Score: 4, Insightful

    Why would a government not take the effort to look into what people do on a daily basis when they have the technology .

    To me it was also predictable, because I've read history books and noticed again and again that the most ruthless, sociopathic, often bloodthirsty control freaks are the ones who want power so badly that they'll do anything to achieve it. That's the nature of government. Public awareness and understanding is the only real thing holding it back. We have public apathy and ignorance because most people have been softened and made complacent by convenience and pointless indulgences (hundreds of channels of brain-dead horse-shit, news media controlled by 5 corporations all of which are cozy with government, public education for obedient workers and not for self-directed thinkers).

    But that the government would want to spy on its people and would use technology in that manner, no that's not remotely surprising to anyone who understands the nature of governments and the people who most want to run them. What we need is a majority of people who comprehend this basic fact that has been repeatedly observed throughout history. The stakes are higher now, and become higher the more our tech advances. Our leaders have noted that bread and circuses works, that's because they actually do learn from history.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  4. Trust is context- and stake-dependent by aaaaaaargh! · · Score: 4, Insightful

    I trust some people's knowledge and expertise in one domain, but not in another. Likewise, if I were a US citizen running an entirely legal US company I'd have not the slightest problem with trusting the NSA cloud with all my company data (if they had such a service). I trust AES with keeping my personal data unencryptable by crooks and criminals, but I probably wouldn't use AES to encrypt all my data if I were a member of the Chinese military. It really depends in the threat scenario and your goals. An unconditional discussion of trust is fruitless.