Brazil Announces Secure Email To Counter US Spying
Hugh Pickens DOT Com writes "Phys Org reports that Brazilian President Dilma Rousseff has announced her government is creating a secure email system to try and shield official communications from spying by the United States and other countries. 'We need more security on our messages to prevent possible espionage,' Rousseff said on Twitter, ordering the Federal Data Processing Service, or SERPRO, to implement a safe email system throughout the federal government. The move came after Rousseff publicly condemned spying against Brazilian government agencies attributed to the United States and Canada. 'This is the first step toward extending the privacy and inviolability of official posts,' Rousseff said. After bringing her complaints against U.S. intelligence agencies to the United Nations General Assembly last month and canceling a state visit to Washington, Rousseff announced that the country will host an international conference on Internet governance in April."
Not me, no matter which government it is.
here come the liberal whiners to support Brazil and oppose the USA's effort to protect its own rational self interests.
Unless they can invent their own crypto hardware and software from scratch guaranteed to have no backdoors, I am skeptical about the prospects for success.
I'm sure the NSA is happy to see lots of people adopting popular systems that include NSA backdoors (explicit or implicit), and would rather not see lots of new systems that don't natively support NSA access.
However, I'm also sure that building a system that effectively blocks the NSA is a pretty tall order. You need algorithms that the NSA can't crack, and you need personnel that the NSA (and affiliated agencies) can't suborn.
I'm sure it'll be quite straightforward to develop a system that seems secure from NSA snooping. Something that provides actual security, rather than empty reassurance? That's a taller order.
If this trend continues the only people whom the NSA will be able to spy on will be Americans. Precisely the populace it said it would not be spying on in the first place.
Join the Slashcott! Feb 10 thru Feb 17!
Am I the only one who wants to go to this? Where do I register? Is there a CFP announcement yet?
I didn't read the article (who does?), but the summary makes no mention of them offering this as a service. Quite the contrary, in fact. It refers to it as being used for "official communications", "throughout the federal government", and for "extending the privacy and inviolability of official posts". Basically, this is a secure e-mail system for Brazil's government, by Brazil's government, and not something for use by normal citizens or residents in the country. As such, I don't see why this would be a boon whatsoever.
The US could have helped Brazil by exposing cronyism and kickbacks, which is why they lag economically, much to the puzzlement of Western scientists who point out they are as large as the US in size and population, with even more resources, said scientists deliberately putting on blinders that it's about government and its abuse like a mafia, not resources, that determines the wealth of a civilization.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Probably it will rely a lot on proprietary software/hardware (Brazil manufactures very little in the way of networking/communications equipment, and our government is addicted to proprietary software) with their own backdoors. Besides, our government spies on social movements, unions etc... so they are not innocent at all. Finally: given the deep shit that this government is into, it will likely run over schedule and budget and will eventually be scrapped.
They're there in their room. You're on your own.
This could be a boon for Brazil in tech. Offering services that are free of surveillance could make Brazil a tech powerhouse.
It already is.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Brazil wants to centralize "secure" email, run by the government. How long until the Brazilian government itself decides it wants a back door? I'm betting it will happen before the first end user signs up.
Any centralized system, once it reaches a critical mass, will become a very attractive target to the spies. Only decentralized systems--where NO ONE has the master key--have half a chance. A PGP-type system could come close, if somebody could figure out how to make it easy enough for non-technical users to use!
Who thinks the NSA can't breach Brazilian security?
And what is more... who thinks the Brazilians won't peek into the email of users?
So what does this actually accomplish? Stupidity.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Use a key as long as the message itself, and it will not be possible to decrypt the message.
How can I be assured that I won't be switching the NSA for Brazil's spying agency?
I can trust that ZTE and Huawei are NSA-free, but I'm sure -someone- will almost certainly have backdoor intercept, monitor, and active change/MITM capability.
At least the NSA/NIST has done some steps for security (SELinux, hardening other OS kernels.)
...that the Brazilian Government will move from hosting its mail on Google to private servers...
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Sorry to pop the hope bubble, but that is not going to happen.
First, as stated above, this is a government-only (for now, at least) project. They think they can do it, and I'm sure they will unload tons of public money into it. But I bet the result will not be nearly as effective as they say they will get, or that the money spent should have bought. That's just how things work in Brazil.
Secondly, to move from a gov-only project to something being sold to third parties, you'd need a sort of tech, infrastructure and skilled manpower that currently don't exist here. Brazil imports the vast majority of its tech (including almost all of IT), infrastructure is entirely imported and skilled manpower exists, but not in high enough numbers (and especially, willing to work for the government) to make that happen.
As a side note.. I worked for the government here (state, not federal) and left after 4 years. I couldn't stand the bullshit and the excessive slowness for everything, the pay was extremely low (I was part of the gov that actually worked [as a slave, almost], to make up for those who do not work and make shit tons of money) and the workload was higher than I currently have working for one of the world's biggest corporations.
If that is true, that's a huge pity. I don't have any experience with Brazil's government so I can't comment knowledgeably.
All governments have secure internal communications systems. I'm not sure what's newsworthy about Brazil doing what it probably has always been doing.
Brazil keeps forgetting about something I like to call the rest of the world. It's easy to find. Grab an atlas and look at everything that isn't labeled "USA". Give or take, you're talking about roughly 200 countries that have an interest in spying, as it is in the interest of every government to know what is going on with every other government.
Now figure that your system magically works against the NSA with faerie dust and a good dose of anti-US propaganda. Never mind the technicalities, just go with it for a moment and look back at that list of 200 countries. A fair number of those countries could be thought of as technically incompetent, but then again many a third world country has managed to develop hackers as they are relatively about the cheapest form of espionage that you can get. They also have this wonderful ability not to get imprisoned when they get caught by the country they're spying on (entire dossiers are available on certain Chinese or Pakistani state hackers, you'll note they still remain happily out of prison).
So let's go back to all of these other countries that now have a technical challenge that is keeping the NSA out. If it's good enough to keep the NSA out, then it's good enough to attract their attention for the express reason that it can keep the NSA out. That means there's a lot to learn about security there and that makes it an attractive target in its own right, even if you could care less about the contents of what lies within.
The hard reality is that all of the naive anti-US sentiment in the world isn't going to save you from the fact that the rest of the world has people that are perfectly intelligent, capable, and willing to act. It's ivory tower thinking to believe that only a given country has the intellect and capacity to develop minds that can do something.
As of late my idea of any information being 'secure' has gone right out the window. Frankly the only secure place for information is in one's mind provided you can avoid being interrogated, tortured, or inebriated.
"Secure". Hah.
First thing the federal email system will do is determine how to snoop on email messages.... hehe
They will offer this as a service (even if it's not in the article). The main reason for all this is that our constitution states that essential goods and services that the citizens cannot or might not get on the market must be provided by the government. That's why we have free universities, free healthcare, etc.
International human rights treaties go on our legal system with the status of national law (not as high as constitution). Both our constitution and the universal declaration of human rights (that Brazil and the US signed) include right to privacy. So basically the government has to provide us with an alternative email system that is private, because our citizens rights would not be fulfilled otherwise.
And the problem with the official communications system actually in place is that they are not using it in some branches of the federal government.
....."Brazil? Where did that come from? And isn't that a place full of run-down stacked-box neighborhoods?" I dunno.......Brazil just doesn't give me the impression that it's the kind of place I'd expect to have really great security as far as technology (or anything really) is concerned.
SERPRO uses and maintains Expresso Livre groupware (webmail, messenger, etc.). It is GPL software based on a German software package called Tine 2.0.
I was told it supports standard cryptographic systems (I actually never used them, I use Expresso only as a plain webmail).
If you understand Portuguese or German, there is more information at https://pt.wikipedia.org/wiki/Expresso_Livre and http://www.tine20.org
Let's hope that they use PGP or S/MIME and that this motivates other ISPs to roll it out as well. This would hopefully motivate GMail to at least make it compatible in some way. (I mean checking signatures etc)
The lot of you are commenting that it would be impossible to do, as it has to be done today and with the resources available now. The fact is that this initiative, besides providing independence at an implementation level, could also mean that in some future they will have a new industry developed. Seeking independence is always the right way to go. It's quite arrogant to bash or diminish their intention just because the US has already done it.
The first free country that offers secure webmail to the world will quickly become the most beloved country on earth.
They should charge enough to make it profitable, of course and then let anybody on earth sign up.
Let's say, for example, that - I don't know - Finland maybe, rolled out a secure webmail system. Unlike a private corporation, what's the US gov't going to do, threaten to invade Finland over too much freedom?
You are welcome on my lawn.
Just write in plain text in Linear A. problem solved.
The name of the "safe" service is "Expresso".
"Expresso" is a suite of FOSS tools, a LAMP bundle (Linux, Apache, PHP, PostgreSQL) plus OpenLDAP, Cyrus IMAP, Postfix, SASL and Jabber.
http://www.expressolivre.org/
Can they read it? Yes, they can. Now that doesn't mean there is always someone out there reading your email. With millions of people on the Internet, our individual messages likely get lost in a crowd. But you've got to realize that once email leaves your system, it may sit on another computer hundreds or thousands of miles away, and you have no control over who has access to it. What if that computer has a liberal security policy, or is full of security holes? The best thing to do is realize that your email is not going to be secure and avoid transmitting sensitive material, as already recommended in Chapter 3. Even if no one reads your email in transit, the recipient could forward the message on to whomever he or she pleases.
It is possible to physically "tap" networks, just like tapping phone lines. And if someone is able to do that, he can read anything going across those wires. But all hope is not lost: There are ways to make your email more secure. One is to encrypt it before it leaves your computer. Encrypt means simply that it's encoded into something that no one else can read without the proper key. Upon receipt, the message must be decrypted on the recipient's machine.
The Internet Companion: A Beginner's Guide to Global Networking, Tracy LaQuey, 1993, p.122.
NSA bribes a Brazilian IT worker involved in the Brazilian Federal Secure Email System.
This already exists. I'm left wondering why they need to reinvent something. There are also ports allocated for IMAP and POP over SSL.
How will it be secured? Client-to-client encryption using GPG or similar product? Or just TLS-protected communications for cleartext messages?
And how do they address NSA ability to compromise clients?
There is so much essential functionality missing from key management and encrypted e-mail that it is in a barely usable state. For the Brazilian government, or any government for that matter, to provide end-to-end email encryption for their own workers, so much more needs to be done.
Name me even one mail client or plug-in that can search encrypted messages, the body not just the metadata. Or how about re-keying stored messages? Federal employees often have an obligation to archive communications, but how will that fit with the recommended practice of re-keying? The list goes on.
E-mail encryption has been rather thoroughly thought through at the protocol level (thanks, Phil!) but when it comes to how it can be made to fit in with normal workflow, practically nothing has been done yet.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
"Challenge accepted."
If you have the entire resources of a country at your disposal it seems a bit strange that you would want to contract a private company to create a new communications network that runs over the Internet.
If the aim is just to have a private network, you can do so simply by just not connecting it to the Internet.
If the aim is to stop the NSA spying on the Internet, you can do so by discovering individual NSA spies and either eliminating them or making their lives so unpleasant that they don't want to spy any more (the former tending to engender the latter for other spies). This is certainly not impossible for an entire nation to do.
The system is already in use in about 20% of the government agencies and will be mandatory by the end of 2014. It is based on http://www.tine20.com/en/, and will save some millions on software licenses. Currently Brazil has a mix of IBM and Microsoft servers and President Rousseff herself uses Outlook to check her email. Not very smart to give out this information to the public, right? :)
What I don't get is that they plan to offer this service to the public and it will be managed by the Postal Service! Am I the only one that sees no relation between the service provided by the postal service and email services?
This is all just media fluff on Brazil's part. They want to look super important to the world. Does anyone actually think the NSA actually gives a rat's ass about any possible secret Brazil may have? I believe what the NSA really wants is any info they can obtain on any terrorists who would use Brazil as a safe haven or transfer point to get to the U.S.
My karma is bad. Don't get too close!!!
All nations and all companies need to think hard about their communication strategies.
Back in the old dot dash days companies had thick code books and code protocols.
Nations like Japan in WWII had serious codes for their navy (Purple) and the Germans had Enigma.
Cracking them was key to the outcome of the war and almost exposed the attack on Pearl in time to act.
Any nation needs some control over their communications.
The troubling bit to many might be the man in the middle attacks where web content is rewritten or simply exposed via a wide open leak.
Companies with old school processes still on file should take note.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.