Slashdot Mirror
Security After the Death of Trust
An anonymous reader writes "Simon St. Laurent reviews the options in the wake of recent NSA revelations. 'Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust.'"
Shouldn't that have been the paradigm from the beginning if you really wanted security?
Just because you think a person or organization can mostly be trusted today, doesn't mean it will always be the case.
I try to get my family to stop using gmail, and instead use a local mail program which they can then use for end to end encryption, private non-cloud storage of their old emails, etc, but they don't want to bother. They'd rather have google storing all their emails and are fine with the advertising they get shown as a result of the data-mining of the email contents. They don't care about the NSA because they "aren't doing anything wrong".
That's what security is up against: people who want to put all their information in "the cloud" and don't really care what that means for privacy and security or even services that can disappear at any time or change their terms of service at any moment. It's all about the simplicity, and nothing else matters except allowing it to be a brainless usage model.
Back to sneakernet?
So rise up, all ye lost ones, as one, we'll claw the clouds.
We never really trusted our government.
The problem with elections is that the government always wins :(
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Well, I guess I have to start buying stamps again. But beware the postal inspectors!
Take the view of the Pentagon and assume that you are at all times compromised. You probably are. Any given entity can be broken into by a determined hacker. Talk to a pen tester sometime and ask them how many places they have failed to break into. The entire concept of trust is that you can send data privately over the Internet, you can't unless you encrypt your data offline ahead of time.
On the Internet trust is all about identity and encryption. For most people that translates into a certificate that is used to supply SSL. People then assume that because they are using SSL that they can now trust a given connection. There is no justification for trust and there never has been, the entire concept of trust is a misunderstanding of the concept of how a Certificate Authority works.
All a Certificate Authority does is say that their is an unbroken chain of identity from a given point to a given point. Even then a Certificate can be forged or stolen or issued improperly, and even if controls detect a bad certificate in use most people will click the button to use the bad certificate anyways.
All of this assumes that a given government entity hasn't used a court order to force a Certificate Authority to replicate a Certificate so that your data can be seized. Certificate Authorities cooperate with things like court orders, they don't self destruct like Lavabit. That whole backstory with Lavabit self destructing - it was a fight over getting the key that was used because he wouldn't hand over his private key.
People also forget that SSL is wholly dependent on Certificate Authorities. SSL is used to encrypt data with a key when data is in transit. The problem is that data anyone that owns the network can conduct an MITM attack against your key. SSL is fundamentally broken because it presents a perception of trust when it is incapable of providing that level of trust.
Why would a government not take the effort to look into what people do on a daily basis when they have the technology .
To me it was also predictable, because I've read history books and noticed again and again that the most ruthless, sociopathic, often bloodthirsty control freaks are the ones who want power so badly that they'll do anything to achieve it. That's the nature of government. Public awareness and understanding is the only real thing holding it back. We have public apathy and ignorance because most people have been softened and made complacent by convenience and pointless indulgences (hundreds of channels of brain-dead horse-shit, news media controlled by 5 corporations all of which are cozy with government, public education for obedient workers and not for self-directed thinkers).
But that the government would want to spy on its people and would use technology in that manner, no that's not remotely surprising to anyone who understands the nature of governments and the people who most want to run them. What we need is a majority of people who comprehend this basic fact that has been repeatedly observed throughout history. The stakes are higher now, and become higher the more our tech advances. Our leaders have noted that bread and circuses works, that's because they actually do learn from history.
It is a miracle that curiosity survives formal education. - Einstein
"Thrustworthy" sounds like a colloquialism for someone worth having sex with.
I don't live in the US either btw, and I'm happy to let you guys keep it to yourselves.
Is your country accepting refugees from the U.S. regime?
I like how all the "conspiracy theory" people are generally considered wacko, yet more of their predictions or "conspiracies" come to be yet they are never given validity.
The people who want modern-day prophets to be wrong so they can ridicule them, call them names, and feel better for a moment about their pitifully desperate and meaningless lives, well, these are not the kind of people who like to admit when they are wrong and try to avoid repeating the same mistake.
Validity was never to be expected from the likes of them. Such people aren't interested in truth. They're interested in feeling superior to someone else. This is fundamentally incompatible with a search for truth.
It is a miracle that curiosity survives formal education. - Einstein
RFC 2440 [describing OpenPGP] for encrypted email was written in the 1990s, but people are really resistant to anything that might help their own privacy.
You talk about OpenPGP. How much does it cost to travel to get your key signed by people who are well connected in the web of trust? And how can you trust that the people who signed the key of the person with whom you want to communicate are reliable at signing keys?
I can't even get my friends to use "Off The Record" for secure IMing.
That depends on whether a client supporting Off The Record is available for a particular operating system (such as Windows Phone) and how easy it is to start using. Mobile operating systems prefer monolithic apps over protocol plug-ins that can be installed into an existing app, and people might not be willing to learn a different IM client's user interface just to communicate with you.
I trust some people's knowledge and expertise in one domain, but not in another. Likewise, if I were a US citizen running an entirely legal US company I'd have not the slightest problem with trusting the NSA cloud with all my company data (if they had such a service). I trust AES with keeping my personal data unencryptable by crooks and criminals, but I probably wouldn't use AES to encrypt all my data if I were a member of the Chinese military. It really depends in the threat scenario and your goals. An unconditional discussion of trust is fruitless.
If you follow this link, you have failed the first test of computing with minimal trust.
If it actually goes to crystallographic software and you use that software, you've failed the second and third tests.
And it's useless to communicate with people who use an Android device or an iPhone or iPad as a primary communications device.
The problem with elections is that the government always wins...
That's a reflection on us, not the government. Elections reveal how much we truly approve, nothing else, And I would say the present 98% is a pretty good number. You people will never learn how much power you have until you make the feeblest of effort to use it.
“He’s not deformed, he’s just drunk!”
You can try http://en.wikipedia.org/wiki/Loongson#GNU.2FLinux
Domestic spying is now "Benign Information Gathering"
No matter what anybody does, the Internet is inherently insecure and non-anonymous because it was designed that way. Any slap-on security on the Net is temporary, at best.
I don't respond to AC's.
what has the NSA done to earn back our trust? NOTHING!
there is only one logical conclusion: stay outside of their reach and only expose information that you dont mind being public.
the internet has become toxic so where will we go now?
Anons need not reply. Questions end with a question mark.
That is the real problem. If all I do is work from my desktop then I can just use kmail and its fairly strong gpg support and I'm done. The problem is that I use many operating systems, including ChromeOS, so I need Android clients, web-based clients, etc. I've yet to see anybody write a really good web-based email client, and even the IMAP options are very limited if you want to use tag-based email management (as in Gmail).
I really don't want to use Gmail. Its identity management is broken on Android, it isn't good at threading, there is no way to use it with encryption, and it gives Google access to all my mail. The problem is that nobody has come up with an equivalent FOSS option. The best I can do is cobble together a bunch of stuff and still get an inferior product. I've yet to find a web-based MUA that handles keyboard shortcuts nearly as well as Gmail...
Like spongeworthy?
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
For most people it is really not an issue, you only have to worry when you have something to hide. It's funny how people whine and freak out about privacy but they don't really have a point, only the assumed guilty act like they must hid what they do. People who know they aren't breaking the law and don't intend to aren't afraid of just letting people see what they do on a daily basis.
I thought this board had moved past this argument. How do you know you're not doing something illegal? Do you have a working knowledge of every law on the books for your state or local municipality, let alone the federal government? Are you under the impression that all laws are reasonable and adhere to your common sense? Is your idea of "wrong" the same as everyone employed at the NSA? Are you aware that these surveillance powers are being used against people who have not broken a law but are critical of, or inconvenient to the US government? Finally, how do you know that guy you cut off in traffic doesn't have a cousin at the NSA who now has you license number and is digging into your life? Are you sure your life will look squeaky clean to some faceless bureaucrat with an ax to grind?
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
98% of the ones that actually voted (in countries where the vote is obligatory the government is choosen by everyone, not the specially motivated, paid to go to vote or partial by definition). And the electoral process have some flaws, only Lesters can say for who you can vote, in (most?) places you can't vote for no candidate, and of course, the opponent did a bad enough campaign to make sure that the people voted for Obama if were for make sure that he wasnt elected, and as the only way to get even noticed that you exist is a expensive, big corporations funded, and totally legal campaign, no matter who you choose, the same real rulers are elected each time.
Like Intel embedding 3g radios in the vPro processors? Putting trojan in FPGAs? If i can't walk to the next continent, why worry to start walking?
Do what you have at your hands, you can improve a lot your security in the points where you control. And let the rest of the world figure the missing pieces, with open source software you also have portability, when an alternative comes in that area (i.e. moving to ARM) you will be able to take a step forward. Just don't get too tied to a solution that you can't control.
"the damage that has become visible over the past few months means that we need to start planning for a computing world with minimal trust"
Oh, come on. I mean I don't know about most people, but there has been no day during my life around computers during which I would've ever thought that computers, the networks, the internet, and/or services were more secure or more trustworthy than that 'minimal' the poster talks about. And I'd expect everyone with enough experince and insight to feel the same. So this 'waking up' one day and being dumbstruck of evaporating trust and security just feels weird and even funny. They were actually never there, just the illusion of some, mostly for the average non-caring crowds, but that's really easy to lose. Also, current generation 'westerners' are the worst in such matters, since they have no more memories of times not-so-long-past when survaillance - covert or open - was the norm. Thinking you live in freedom and liberty can be blinding. Take care, people.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
The most fundamental problem is a basic failure to overcome conditioned reflex. It may not be possible, but we can't know until we try. This whole thing about 'campaign funding' is bullshit. And besides, if you can vote people in and out to correct that, then you've already solved the problem, and further discussion is unnecessary.
“He’s not deformed, he’s just drunk!”
I mean that. Nothing has changed. The issue is still the same: At some point you have to trust someone. Not everyone can write their own software. Even fewer can write their own operating system. Only very few can write their own compiler. Almost nobody can build their own hardware. Unless you are a government agency with almost unlimited budget, you have to trust someone at some point.
It may not be the provider of your technology - it can be someone checking it. The way we don't bring every piece of food we buy in the supermarket to a lab to check it, but trust that by and large the checks in place make sure food is safe. And before you cite some case where it wasn't: Nothing is 100% perfect, but in many areas in our civilized world we are coming damn near close.
IT is still a toddler, and as such we don't yet have the experience and knowledge to deal with it very well. Plus it keeps growing and changing, making some plans obsolete.
But if this really changes anything you did in a fundamental way, then you did it wrong before. You should already treat unencrypted Internet communication as being public, for example. You should already assume that Google and Facebook are reading your data and doing stuff with it. You should already not be a bloody fool who trusts any idiot who comes along and says "hi".
Assorted stuff I do sometimes: Lemuria.org
because I've read history books and noticed again and again that the most ruthless, sociopathic, often bloodthirsty control freaks are the ones who want power so badly that they'll do anything to achieve it. That's the nature of government.
Give that man a cookie.
I had a few years in an elected position. In the end, I gave it up because I couldn't take standing up against the egomaniac psychopaths anymore whose only concern was themselves and their position. These people will win out because people like you or me will reach a point where we just can't take it any longer, but for them it's the meaning of life.
Assorted stuff I do sometimes: Lemuria.org
"Instead you just pull the trigger on anybody who dares to snicker"
Yeah, they stop laughing quick. Then they call in the SWAT team that's more heavily armed than you are.
If the NSA want to feel like idiots, they're free to do so.
A similar thing happened to a friend in Germany. And not, the German police didn't feel like idiots, and quite happily wrecked the guys life. If you have a gun, you never feel like an idiot. Instead you just pull the trigger on anybody who dares to snicker...
Yeah, they stop laughing quick. Then they call in the SWAT team that's more heavily armed than you are.
Um, I think ArsenneLupin was referring to the police as the one's with the guns, who wouldn't feel like idiots, and who would kill anyone who pokes fun at authority. As an attempt at pointing out how out-of-control people can be when armed and in a position of authority or power.
But then, your comment about SWAT teams actually just reinforces that point, so hey.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Like spongeworthy?
It's Spongeworthy Bobpants, the new porn star!
...
Bleh. That's an image I didn't need to think of today.
"What in the name of Fats Waller is that?"
"A four-foot prune."
One of the big advantages of Google is that their inspection and volume lends itself to very good anti-spam. I've run mail-servers before but for anything personal SPAM and filtering is a huge problem for a little guy.
You do realize that the Loongson chip was developed by the People's Republic of China right? Not the first place I'd look for backdoor-free chip designs...
Again an example of an agency, supposedly designed to protect the American people, whose actions results in undermining safety and eroding trust.
There is no such thing as a universal level of security (regarding arguments like "it wasn't secure enough before"). In some neighborhoods, you need to put bars on the windows. In others, you don't.
What the NSA has done is make the internet a less safe neighborhood than otherwise. People will now have to put more virtual locks and bars. More effort on security and less on more productive features...
These comments are mine; I do not speak for my employer.
No. It's a noise level problem. MOST conspiracy theories are wrong. There are thousands of conspiracies happening at all times, and still most conspiracy theories are wrong. And it's not because the existing conspiracies are successfully remaining unpostulated.
So. MOST conspiracy theories are wrong. Possibly as many as 95% of them. But many of them are correct. How can you identify the correct ones? Did Castro arrange to have Kennedy shot? How do you know? Was 9/11 and inside job? How do you know?
So it's basically a noise-level problem. But there's the additional level of "people are reluctant to believe things that make them more uncomfortable if they believe them than if they deny them". It's not just cognitive dissonance, it's wider than that. So if you want to convince people you need more than a minimal level of proof. And if you're judging any particular conspiracy theory, you need to pay attention to how uncomfortable it would make you feel to believe it, and use that to adjust the weighing in favor of the conspiracy being true (or, if you want to believe it, of it being false).
If there's an answer, I don't know it. But I'm quite skeptical of official "explanations". Also of videos I've seen on TV. (I've been at a few events that TV covered. The coverage has always been "processed for entertainment value"[usually horror].)
I think we've pushed this "anyone can grow up to be president" thing too far.
http://richard.stallman.usesthis.com/
From 2010:
"I am using a Lemote Yeelong, a netbook with a Loongson chip and a 9-inch display. This is my only computer, and I use it all the time. I chose it because I can run it with 100% free software even at the BIOS level."
http://www.wired.com/magazine/2009/12/st_essay_china/
"Lemote positions its netbook as the only computer in the world with nothing but free software, right down to the BIOS burned into the motherboard chip that tells it how to boot up."
Vs the US "backdoor-free chip designs" that made the news? http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
Tailored Access Programs "“templates” for breaking into common brands and models of routers, switches and firewalls."
Domestic spying is now "Benign Information Gathering"
It's depressing to realize Big Brother is really watching. No online data is secure nowhere no how. If you keep it in your home, they still need a warrant to get to it. So far, the best way to keep your stuff safe from prying eyes is to get a private cloud, like a Cloudlocker (www.stoamigo.com) that works like a regular cloud service but stays at home. Look for more inventions like this to help protect us from the people supposed to protect us.