Death and the NSA: A Q&A With Bruce Schneier
Daniel_Stuckey writes "Since Edward Snowden's disclosures about widespread NSA surveillance, Americans and people everywhere have been presented with a digital variation on an old analog threat: the erosion of freedoms and privacy in exchange, presumably, for safety and security.
Bruce Schneier knows the debate well. He's an expert in cryptography and he wrote the book on computer security; Applied Cryptography is one of the field's basic resources, 'the book the NSA never wanted to be published,' raved Wired in 1994. He knows the evidence well too: lately he's been helping the Guardian and the journalist Glenn Greenwald review the documents they have gathered from Snowden, in order to help explain some of the agency's top secret and highly complex spying programs.
To do that, Schneier has taken his careful digital privacy regime to a new level, relying on a laptop with an encrypted hard drive that he never connects to the internet. That couldn't prevent a pilfered laptop during, say, a 'black bag operation,' of course. 'I know that if some government really wanted to get my data, there'd be little I could do to stop them,' he says."
"Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing." Helen Keller
Schneier is right,
All those moments will be lost in time, like tears in rain. Time to die.
Security is a process, not a product. For instance, one cannot purchase some product that guarantees your online security, then babble endlessly on Facebook about your every bowel movement while expecting to be "secure". McAfee may promise that online stalkers can't track you, but your posts to Facebook inform that stalker where he can find you every afternoon at 1:30. Don't be surprised when he kicks the bathroom stall open, and has his way with you.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Is the takeaway here that if you do something the government frowns on, they might squash you and take your stuff? I'm unimpressed.
Stop! Do not look further! Forget what you have seen!
You'll be wise to submit.
Schneier addresses one important point here. That the intelligence community is created in its present form as a means to fight the cold war. It was made as a conventional army fighting another conventional army (the GRU and KGB) and the sigint operations were hand-tailored to this kind of war. But what has happened since is that the enemy has changed. The guerrilla tactics of terrorism are a sigint nightmare, and scaling it to a perverse and antidemocratic level isn't helping at all. Every time I hear about the needle and the haystack I can't but wonder how these dinosaurs have come to pull this Jurassic stunt on us. The reality is that what works is not sigint. It is not more computers. What seems to be working is classic infiltration. Please think about that, Dianne Feinstein, before you use more American tax money on your Silicon Valley pets.
The Snowden leaks almost seem like a false flag type situation. The scary NSA/CIA/FBI are snooping on you, cue the outrage! Meanwhile every single fucking corporation in the USA is doing the same, with far less oversight, and far spookier goals. (Sure a government agency should be expected to come along and strong-arm entities such as Google and Facebook (though who am I kidding? they're basically partners.) so either way they get the data..). How is it not commented on, that short of a few very specific use cases, 'big data' is basically the solution to personal privacy?
Give it 10 years and you'll have your health and life insurance companies discussing your shopping habits with your grocery store, your car insurance company with its LoJack device in your car (or failing that, your smartphone's GPS data), and 100% of your web-usage habits tracked and correlated to YOU. It's 12:30 am and maybe it's the wine, but as melodramatic as this sounds, we're a society marching into our own yokes -- all for the sake of convenience and saving 10 cents on a pack of toilet paper.
Basically the score is this: the security/privacy/sanity focused crowd is up in arms over the NSA, which represents about 1% of the population, half of whom bleat about privacy while still using the services that enable the NSA/FBI/Whoever. 99.5% of the population is either not using these services, or is indifferent (in actions, though perhaps not in words.).
So... America as an open, strong democracy that liberates people to express their highest ideals, to be allowed to live their lives as they see fit, and is a force of good around the world is... what?... a lie?
There seems to be quite a gap between what people believe about America and reality. Maybe somewhat enlightened people in the US are coming to understand reality, but, no matter how many people have awoken, this is not the America I thought I grew up in. The citizens of that formerly great country remain too complacent for any true, lasting change to take place.
"Land of the Free?" I think not. "We're number One?" Only in per capita incarceration rates and military spending. "Hey, look! It's a Wookie!!" Ya, right. Go back to sleep.
To me it's a mark of reality to understand we absolutely need people like Snowden, Manning, and Assange, as well as writers like Hersh, Greenwald, and Schneier.
That the intelligence community is created in its present form as a means to fight the cold war.
Even in the last decade or so before the Wall fell and the Cold War was over, if not long before, spending on military and intelligence has been primarily another channel for shoveling public funds to private contractors. Notice how spending did not decrease post-1989, when the alleged threat had evaporated. They badly needed a new threat to justify the outlandish "defense" budgets and sure enough a decade later one presented itself. The amounts are way out of proportion to the actual danger, just as before.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
" Security is mostly a superstition. It does not exist in nature ... Avoiding danger is no safer in the long run than outright exposure. " Helen Keller
Sorry, I just don't buy that !
Security is BUILT into nature !
Plants, fungi, bacteria all fought each other with an assortment of chemicals.
Some of the chemicals are offensive in nature ~ to be used to destroy opponents' defense ~ while others are defensive ~ to discourage potential opponents from launching attacks ~, for example.
For animal kingdoms, evolution had provided all kinds of offensive weapons and defensive weapons, from fangs, claws, razor sharp talons, to poisonous nerve toxins, to ultra-thick exteriors.
And for animals which are not endowed with those weapons, they were given the ability to run very very fast, and to breed very very frequently, just so that they will have enough offspring left to survive the relentless attacks from the predators.
To say that "security" does not exist in Nature is to blind oneself to the REAL NATURE !
Muchas Gracias, Señor Edward Snowden !
Totally sent me on a tangent to study Ecclesiastes.
If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
Or do you think they have spared Schneier from being forced to hand out Snowden's data, while they have destroyed Lavabit just to get to his emails? C'mon people, this is ridiculous! Of course he had to give it to them!
On a side note, I wouldn't be surprised if he had been somehow prevented (presumably in some 'legal' way) from re-editing and updating Applied Cryptography after the 2nd edition. At least in this case it's fairly hard to see any other reason why the best selling and most popular book on cryptography shouldn't have been modernized.
which organism in nature has developed an unassailable position, from which it cannot be dislodged?
The word "secure" implies that "I'm safe, and I don't need to worry about stuff". And, that is the attitude that most internet users seem to develop. Install some magical suite of software from a "reputable" vendor, and you are home free.
In fact, all organisms in nature are in constant battle with their environment. The hawk will starve if he doesn't eat, and the rabbit is dinner if he doesn't stay alert. The flowers in the garden are fighting for their own survival, warding off parasites, while luring pollinators, all the while maintaining their positions in the sun.
There is no "security" in nature - none.
WTF does Manning have to do with Snowden? Seriously, WTF?
Manning released top secret intel to "get even" with his peers and supervisors. Manning is an immature little bitch, who isn't even sure what gender it is, or where its loyalties lie, if it even HAS any loyalties.
Snowden, on the other hand, was outraged at obviously illegal activities, and exposed those activities to the world at large.
Jesus H. Christ - the world is a sad, sad place, when honorable men are confused with childish bitches.
Or, would it be more accurate to say that some of you people simply hate the United States, so you create heroes of anyone and everyone who opposes the government for any reason?
Pathetic . . .
I thought it was a good speech, but this 'todo' part towards making mass surveillance "expensive" stood out for me. So I used it as a list of criteria to evaluate my favorite privacy tools, I2P and Qubes OS.
Schneier's guidance does seem like a mixed bag to me, especially in this day and age; he mostly wants the privacy tech of the 1990s, only "more". I also got the same impression once watching Jake Appelbaum speak at a gathering. There is this tendency to appreciate all the neat little qualities that targeted crypto does within various applications and platforms, and when asked about online privacy they regurgitate them all in a fashion that ensures no normal person would take heed. Extra demerits for implying that large IT industry projects need to be unleashed to address the privacy problem.
It's not hard to surmise from my other posts that I advocate a more blanket approach that is PC focused, so that ordinary people on their own can make the largest improvement in their online privacy using the fewest number of tools. The upshot is that those tools have to be more radical than usual in their design.
How a black bag operation works.
seems like the self appointed crown royal WMD on credit cabal murderers go free (give themselves raises) while genuine dogooders get nailed jailed besmirched & impaled etc,,,,, happy hollow daze. corepirate nazi vaudvillian burlesque schjapschtick rhettorhea never changes.
free the innocent stem cells etc... we'll all feel better soon
classic infiltration? the kind where the "intelligence" agency recruits some people to do something and then they bust them for being recruited to do something?
If you read this article ~ https://medium.com/quinn-norton/654abf6aeff7 ~ you would know that at times them "intelligent agencies" don't even need to do any recruitment
All they need to do is to set a trap and sheeples (even those with above average IQ) would fall in and work their ass off for worse than nothing.
America is a lot more free than many countries, arguably less free than a few others, and certainly falls short of the (unattainable) ideal many citizens believe it to be.
It's exactly this kind of mindset that is KILLING THE UNITED STATES OF AMERICA
Unattainable ideal ?
You gave up even before you started the journey ?!
(r)evolution was in the air in the 60's too, sorry you missed it spirits still soaring...... free as in positive outcome goal oriented.
now we are virtually surrounded by parroting hypenosys of corepirate nazi spirit rationing/deletion by free land freeloader WMD on credit cabals
may as well call the hog a hog? geographically, cairo's fate is the center of our future freedom,,, hola moms of the nile
This is absurd.
The NSA is an organisation of bureaucratic code monkeys. It employs more mathematicians than security staff. The NSA does not do black bag operations.
An organisation like the CIA, yes, would be expected to perform such activities. But the CIA would have a lot more discretion/sense in how it went about such things.
If the NSA does actually start running "black bag" operations, I am confident they will do as poor a job of keeping it secret as they have with the rest of their Austin Powers arsenal of projects.
May the Maths Be with you!
Mostly the rest of the world has been presented with the erosion of freedoms and privacy in exchange for Americans presumably having better safety and security, but with nothing in return.
Somehow the expectation is that everyone else in the world give up our freedom and privacy in order to benefit the Americans.
And, really, none of us were asked if we think that's fair, and many of us are past the point of accepting what makes Americans more secure if it means that we have lost some of our rights.
If the choice is between me keeping my freedom and privacy and Americans having security, quite frankly, I'd rather keep my rights intact. I'm not sacrificing myself for you, because you wouldn't do the same for me.
So fuck that. I didn't sign up for it. America might think that's an equitable arrangement, but it isn't.
What did people think the NSA was doing?
It's a spy agency for the more obtuse out there.
People sure be dumb.
Jeremy Hammond, Sabu, and the Intelligence-Industrial Complex
Targets supplied by FBI to Jeremy Hammond
Ultimately everything boils down to direct action efforts...HUMINT if you will. At some point your safeguards will be sufficient to require a personal visit of sorts. It is at this point that only a sense of dedication to personal human rights will limit the actions of a government. When that is lost, the personal freedom, privacy, etc. are lost as well.
"The technotronic era involves the gradual appearance of a more controlled society... dominated by an elite unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing the most personal information about millions of uncoordinated citizens... effectively exploiting the latest communications techniques to manipulate emotions and control reason..."
America's Role in the Technetronic Era: Between Two Ages, Zbigniew Brzezinski, 1970
We used to think that monitoring 300 million Americans at once was a mathematically impossible (or at least highly improbable) task. We were proven wrong.
It's not impossible. It was considered too cumbersome, because it would require too many resources. (i.e.: it was considered practically impossible. It is feasible, but we thought that it wouldn't be worth the effort and nobody would try the hassle).
But the NSA came and showed they *are* really ready to throw the vast amount of resources at it. They were the people ready to go through all the practical hurdles.
What is currently considered mathematically and physically impossible is breaking most of the current secure algorithms:
- Brute forcing can't be done. At all. Not as in "it requires a too big computer" [as was the case back in WW2 regarding Enigma. Enigma was practically not breakable, but the Allies were ready to throw the resources at building even bigger computers to brute-force it]. But as in "the computer required for it can't physically exist" - the range to brute force (the "bits of security" concept) is so vast that you'll reach the heat-death of the universe before ending up finding a solution. Brute-forcing doesn't work, at least not with current mathematics in the current universe.
- The only way out is either exotic new forms of computing that work on different physical principles (the well known hypothetical "quantum computer" example)
- Or finding a flaw in the maths behind an algorithm that vastly reduces the range to brute-force (as in: you don't need to scan the whole range, you can deduce more likely candidates and only test them. Small scale example: a "Caesar substitution cipher" has 25 possible rotations of the alphabet. Brute force would require testing all 25 of them (and as it's only 26, it's doable). But a simple statistical test gives out 1 or maybe 2 most likely rotations to test)
As a side note, Bitcoin and Altcoin are a very interesting test-case on modern crypto: They all rely on modern cryptography for their inner workings
- ECDSA for all transaction signing on all protocols
- SHA256 for block validation on Bitcoin (and co)
- Scrypt for block validation on Litecoin (and co)
- large prime factoring for block validation on Primecoin (and co)
- all SHA-3 candidates on Quark, Yacoin (and co)
- etc.
Given the huge money at stake, there would be a big pressure to actually break the algorithms, and if there were flaws, someone would be bound to break them and laugh his/her way to the bank, while everybody else complains about stolen wallets.
But that hasn't happened yet.
The only thing that happened is people building even bigger and more absurd machines to do regular bruteforcing (as part of the normal block-validation procedure). And a few heists happening due to actual implementation bugs (DSA requires cryptographically-good random numbers).
The NSA can't break this. They usually proceed differently:
- bribe/infiltrate their way into bogus SSL certificates/stolen root private keys
- count on- or even intentionally plant- implementation bugs (See the various random-generator stories)
- count on- or even intentionally plant- backdoors (See spying through Google, Yahoo, Microsoft, and co).
- publish bogus/asinine/or booby trapped standards.
The perfect security of maths isn't a guarantee by itself if anything else in the system is broken.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I'd go with Snowden's appraisal of the NSA's (in)ability to crack certain forms of encryption. Snowden is obviously not going to write a how-to for us,
but it's been reported multiple times that he's using layers of encryption. If it's possible for Snowden to craft something the NSA can't break, then it's possible for Schneier too.
Encryption fucking works. And well done modern encryption is more or less impossible to crack.
(Just think about Bitcoin and all the other alt-coin. They all heavily rely on modern encryption. Yet, despite the tremendous monetary incentive, nobody has managed to crack their algorithms yet. Only find implementation bugs to exploit).
Usually, when NSA finds something, it's not by magically cracking an "impossible-to-break" crypto.
It's by getting around the crypto: using exploits or otherwise abusing bugs, bribing their way, etc.
Crypto is the strongest link in the chain, but there are tons of other links much easier to break.
What makes the difference between successful security operations like Snowden and Schneier on one hand and busted fails (like Silk Road's DPR) is the rigorous discipline in doing *EVERYTHING ELSE in addition to crypto* absolutely right.
To come back to the example in the summary:
an online exploit won't be of any help for breaking into a computer if this computer is never connected (and "off" most of the time).
(Though said offline computer can still simply be stolen).
Frankly I don't think that our modern conception of the Internet can be protected from mass surveillance while also being monetized by advertising, i.e. if you get privacy from the spooks then you also get privacy from the ad pushers. So if you want real privacy, you have to go back to the pre-dot-com model, hence 1990's looking solutions.