Snowden Seeks To Develop Anti-Surveillance Technologies

An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."

Kinda Like Mega

Can't wait for an app that would allow anyone to be completely anonymous, even from the almighty Goog'lord.

Re:Kinda Like Mega

[SuricouRaven]

Retroshare can give you encrypted IM, mail and forums shared only with your retroshare contacts. It's a big of a headache on dynamic IPs though - it expects all nodes to be mostly-stationary. An observer could work out who your contacts are, but that's all they are getting - metadata only, no content. Also does file transfer and share-browsing.

Re:Kinda Like Mega

[AHuxley]

Thats all the need. If the contact is the press and the sender works/worked for a gov they are both targeted.
The "An observer could work out who your contacts are" gets even better if you try and meet in person. A member of the press turns their phone off and walks in a direction. Any other person in the area who turns their phone off and then on later like the member of the press is tracked.
IP, the internet, mobile phones its all great for tracking back the moment a person in gov tries reach out.
Thats what a good section of the talk was about. Discovering that journalist to whistleblower association, then turning press and byline journalist into criminals for accepting the material and daring to publish. Then its all secret laws, secret courts for the gov worker and soon the press too.
More Vietnam, Iraq like entanglements as gov staff do not speak out. As they sit back and let more wars to start. That total oath only to authority.
You can encrypt all you like, the metadata of an unbreakable code to the press will be tracked back. So unattributable internet access was mentioned as a good skill to consider teaching via people with the skills to work on such tasks.

Re:Kinda Like Mega

[SuricouRaven]

Requiring the government to use fiddly correlation analysis to get a partial idea of your activities is still a lot better than the current situation, where they need issue one sternly-worded letter in order to retrieve everything including content and history.

Re:Kinda Like Mega

[AHuxley]

Thats what the talks mentioned too, a set of small steps. Encryption but the wisdom to understand the networks as they are now.

Re:Kinda Like Mega

[mspohr]

An app won't give you much anonymity. You need to start from the ground up with an OS that leaves no trace on the hardware and has good encryption and anonymity tools built in.
Here's a good start: TAILS
https://tails.boum.org/
 

Re:Kinda Like Mega

[Opportunist]

Considering who owns Mega, I wouldn't trust it further than I can throw that blob.

Re:Kinda Like Mega

I've tried RS, Event tried to introduce it to the company but failed for a couple of reasons:

1. The key exchange thing was a bit of a pain for others (don't see a way around that though). It wasn't seamless.
2. No smart-phone support. People are not just PC bound.

They ended up using HipChat.

The thing is, RS is designed for the security conscious who are prepared to put up with a bit of stuffing around because there's nothing better out there. When people consider security 'a nice to have' with ease of use being the top priority... well RS is an also ran.

soviet era crypto

[Penn]

And I'm sure Russia will have absolutely no influence over what Snowden is working so hard to bring us too!

Re:soviet era crypto

[NotInHere]

As long as it's not the latest curve, privacy preserving crypto can be written by NSA itself, and still be secure for you. SELinux was written by NSA, and I don't have a problem using it. Your security model shouldn't rely on the party your software came from. It should rely on the software itself, idependent reviews, and, if you can't afford your own review, the many-eyes-principle (which has chilling effects).
The russians could only say "this is too secure, design something that can be broken more easily".

Re:soviet era crypto

[balaband]

Mod parent up.

It is not who makes it, it is how it is made.

Re:soviet era crypto

Why (and this is the point,) would you trust the NSA any more than the Russian government? Neither wants you to be able to hide what you're doing from them. If these last few years have taught us anything, it's that your government, (wherever you live,) and possibly other governments, should be regarded as the same as any other group of people who could potentially do you harm by knowing things you might want to keep to yourself, whether or not you've committed any legitimate transgression or 'crime' as they call it. Crime is of course subjective because what's a crime in one place may or may not be in another. Case in point, possession, manufacture, consumption, transportation, or offering for sale the product generally known as "booze". Illegal in some places.

If there are any other lessons here, it's that governments, indeed, other people in general can listen-in on your communications, PERIOD. Using any form of communication that can be intercepted virtually guarantees it will be intercepted by someone, or at least that you should figure it will be. If you find yourself in a room full of loud, random-noise generating equipment, (or just are next to a large waterfall,) and whisper something directly into the ear of another human being, cupping your hands so your lips movements, (etc.) can't be seen, MAYBE no one other than the person to whom you whisper can hear you. Maybe.

If, OTOH, you're using a device that modulates your voice onto an electrical carrier wave, and broadcasts that via emissions of photons across half the universe, or conveys it using a half-dozen different companies' equipment to someone hundreds or thousands even, of miles away via wire and/or fiber... yeah, someone can listen in, and you should assume that someone will. You should further assume anything you say on the phone (or over the radio) can and will be used against you in a court of law, will be shown to your mother/father/wife/husband/boss/coworkers/the-general-public, and will be misinterpreted to make you seem complicit in whatever they decide it would be funny to frame you for, etc. etc. etc.

The reason most people get away with using these technologies is that there simply isn't enough crap to pin on people to put every single person into jail, and then no one left to make the cops' doughnuts after everyone else is locked up. That's why we're not all in jail. Yet.

But wait. They're working as fast as they can on robots who can do your job, and on technology that will enable them to read your minds. I can't wait, (though I think it will suck to live in this world, once this becomes reality,) if only to be able to say, "HA! I told you so!" to read of the first person put into prison for what he THOUGHT. No action, mind you, no "attempted" anything, just for having thought it; you know, he'll be wearing "Google Mind," or using the "iThink Headband," and won't realize they built backdoors into both, and the local police can read thoughts, and he'll have a fleeting fantasy about beating someone to death, pushing his mother off a cliff, or running someone over with his truck, or whatever... and they'll arrest and jail him, convict him and send him to the penitentiary just FOR THAT.

You know the day is coming. They already jail you for what you say, in some places, what you wear, or don't, they'll do THAT even in " 'Murica " ... yeah, as soon as someone figured out how to make money off putting people in jail... well, it's just like any other time someone figures out you can make money doing a thing, people will do it.

So forget crypto as a privacy device, unless you're prepared to make it yourself, test in yourself, and be responsible for it yourself. The only unbreakable crypto is the (TRULY F'ING RANDOM) one-time pad, and only if it's used correctly. Everything else is like the locks on your house or car, only keeps people out who don't REALLY want in. The reason the government relented on the whole "crypto is a weapon and you can't export it," is once they were c

Re:soviet era crypto

Mod parent up.

It is not who makes it, it is how it is made.

Assumptions breed ignorance. And even you were likely surprised over the capabilities and activities revealed by the very person we're discussing here. One would have thought you would have learned when random number generators were found to be not-so-random, and encrypted microcode updates validating themselves against compromised key servers came along.

But hey, if you truly feel that it doesn't matter who makes it, then feel free to ignore those export control laws and purchase your electronics where they are cheap. I'm sure it'll be worth it, kind of like "free" smartphone apps that never collect any information on you.

Do yourself a favor. Don't wait for the next Snowden document dump to come along. Wake up.

Re:soviet era crypto

[ArcadeMan]

It is not who makes it, it is how it is made.

I love that show!

Re:soviet era crypto

[ArcadeMan]

Kind of like "free" smartphone apps that never collect any information on you.

They don't? That's good to know, I'll go install a few dozen free apps right now!

Re:soviet era crypto

[SuricouRaven]

I'm waiting for them to do an episode on laws and sausages.

Re:soviet era crypto

[AmiMoJo]

The russians could only say "this is too secure, design something that can be broken more easily".

Like the NSA did with TrueCrypt?

Re:soviet era crypto

[AHuxley]

1+ for 'So forget crypto as a privacy device, unless you're prepared to make it yourself, test in yourself, and be responsible for it yourself. The only unbreakable crypto is the (TRULY F'ING RANDOM) one-time pad, and only if it's used correctly."
Thats really the only way, one time pad used once, number stations. The key to all the free quality crypto was that all the press where been watched anyway so you get to encode all you want. The moment you send, attempt contact, its just tracked back. No need for a gov to waste time on the decrypt, just watch for encryption been used and all the press. Then get the hardware, software and the plain text before its encoded.

Re:soviet era crypto

[Opportunist]

The strange thing is that I trust the Russkies more by now than I trust the US...

If someone told me that 30 years ago...

Biggest problem in IT security: ID-10-T errors

[Stolpskott]

Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.
You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.

Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.

Re:Biggest problem in IT security: ID-10-T errors

[AHuxley]

Small steps. Move away from the brands that helped ie the PRISM list of willing brands and tame staff building junk systems.
Understand how "open source" telco layers over tame telco software and hardware can save any data on entry.
ie once your targeted all is privacy lost no matter the fancy open source app. The security services will be in every hop of any network into and out of your computer/device until they get full plain text.
Encryption seems to be the key until your use of it shows up at an endpoint under constant surveillance. Then the individual targeting starts on the new person.
The most easy step is to make encryption more gui, web 2.0 friendly. Then a lot more people will be flooding the net with random heavy code 24/7.
Use once hardware would be interesting. It would stop any longterm profile, any unique hardware numbers been sent. If you then work on really good crypto to hide voice, pic, file sent, text you could kind of have a one session. Snowden hinted a bit about association (you to the press), mixed routing, the need for unattributable internet access in the 1h+ talk.
A lot of steps to fix an internet that is now really like Tempora https://en.wikipedia.org/wiki/... and what that can do to your message and a person in the press been watched.
The other aspect was education. A civic duty to teach, educate the wider public and press. The classic Sysadmins of the world, unite! also mentioned.

Re: Biggest problem in IT security: ID-10-T errors

Bull shit... OpenSSL is open source and look at all the crap they found this quarter alone...

Re:Biggest problem in IT security: ID-10-T errors

[Razed+By+TV]

I would say the bigger problem right now is that people don't care enough, period. Your average person is going to want to use whatever is cheaper, or whatever they have now, and isn't aware enough to demand something better and isn't going to want to pay for it. Existing products and services don't have a lot of incentive to improve because the customers don't care enough. As long as competition keeps the playing field level, as long as noone tightens up their security, nobody has to spend money on something that doesn't directly generate revenue.

Consumers aren't going to drive companies to improve. It's going to take competitors trying to one up each other, to offer better service at the same price, to make people want to use their product. Until then, it doesn't matter that the consumers are infecting their computers and giving scammers their login information; the NSA is just going to be using their dirty backdoor tricks to get what they want (plus whatever exploits they copy from the scammers).

Once you have the scammers and the NSA back on a level playing field, then you can get back to status quo where the user is the biggest unseen threat.

Re: Biggest problem in IT security: ID-10-T errors

Bull shit... OpenSSL is open source and look at all the crap they found this quarter alone...

They found all that *because* OpenSSL is open source. How much have they found in closed source versions of SSL libraries?

Re:Biggest problem in IT security: ID-10-T errors

[AmiMoJo]

It doesn't have to be perfect, it just has to increase the cost of mass surveillance to a level where it is no longer feasible. Surveillance is too cheap because much of the data is just there for collection, unprotected.

For example, the UK government just pass emergency data retention laws that require all ISPs to continue logging the domain names of every web site every subscriber visits. If more people started using VPNs regularly that capability would become far less useful, and while I'm sure they could attack the VPN providers or crypto or even the individual target's computers the cost would be much higher than simply requiring the ISP to run a large database. They would be forced to stop bulk collection and only target people of genuine interest, which is the reasonable.

Re:Biggest problem in IT security: ID-10-T errors

[SuricouRaven]

For a start, just convince every site to use SSL. It's possible to MITM SSL, but not on a large scale without detection. All the ISPs would be able to log is DNS lookups and IP addresses, which is still bad but not nearly as bad as being able to see individual pages accessed. Then you can start looking into possible ways to make DNS harder to monitor somehow.

Re:Biggest problem in IT security: ID-10-T errors

[fustakrakich]

...it just has to increase the cost of mass surveillance to a level where it is no longer feasible.

It doesn't work that way. It becomes a call for a bigger budget and higher taxes to pay for it.

This could totally work out

[SpzToid]

Edward Snowden certainly has name recognition in the security space, which in branding terms equals big money. He's got his share of wild and crazy times overseas doing various hijinx not always on the up and up, sorta just like other security specialists of an earlier generation. Sure, in terms of branding alone Snowden could easily become the next McAfee, and he's still very young!

And isn't as if they weren't both wanted on international warrants either; and street cred. does sell sneakers.

Re:Don't you want to be a traitor too?

[some+old+guy]

Don't be a police state fan boy, and learn to spell "cretin", cretin.

Re:Don't you want to be a traitor too?

[ChristW]

If making people realise that their basic rights are being trampled makes me a traitor, then I'd want to be a traitor any day...

Re:Don't you want to be a traitor too?

Ain't you worried that there is someone with an erect penis monitoring your private communications inside an NSA control room?

So Slashdot...

"You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day,"

Looking at you Slashdot.

When are we going to have access to this site with https? You can stop pushing down out throats your fucking annoying beta and do something useful for everybody instead.

Re: So Slashdot...

You mean https that's built on OpenSSL?

Re: So Slashdot...

A protocol isn't built on an implementation. Use a version of OpenSSL that doesn't have known bugs or use another SSL implementation if you want to.
Claiming that HTTPS is unsafe just because one implementation has bugs is like saying that C is slow because someone wrote a bad compiler once.

Re:So Slashdot...

[ArcadeMan]

Do something useful? Do you have any idea what it would do to Dice's profits?

Re:So Slashdot...

[AmiMoJo]

At this point I'm thinking that the NSA or GCHQ asked them not to implement HTTPS. What other reason could there be for not taking the simple, low cost, minimal action required to enable it? Soylent News, which runs on the same code base, supports it.

Re:So Slashdot...

And IPv6 access while you are at it.

Re: So Slashdot...

Use a version of OpenSSL that doesn't have known bugs

Bwa ha ha ha ha ha ha ha!
Yeah, the guys who are making LibreSSL probably wish you could be doing that. If they weren't compelled to make a decent SSL implementation, they could probably focus more on things like the anti-botnet research of the Hail Mary cloud. But, since OpenSSL is known to not patch bugs, they've decided that this other work is necessary.
Please don't refer to an OpenSSL version that doesn't have known bugs. Just because one super-critical bug has been identified and addressed does not mean that all other known security problems have been fixed.

Re:So Slashdot...

[Opportunist]

I'm fine with http. I'm just stating my opinion. If that is grounds to lock me up, you can as well lock me up for then I'm in a prison already.

Technology is only a small part of the problem

[DoofusOfDeath]

As long as the citizenry tolerates and sometimes even roots for the government's violation of civil rights, everything including the technology is just details.

The existence of a decent open-source router can't do much against a U.S. National Security Letter.

Re:Technology is only a small part of the problem

[SuricouRaven]

End-to-end encrypted communications can.

Re:Technology is only a small part of the problem

[Sloppy]

It's a small part, but it's a part. I think Snowden has done his fair share of trying to inform laymen and stir up giving-a-fuck. If he wants to switch to working on tech, he could accomplish nothing and still come out far ahead of the rest of us. ;-)

The existence of a decent open-source router can't do much against a U.S. National Security Letter.

While we certain should care enough to force our government to stop being our adversary, there will always nevertheless be adversaries. You have to work on the tech, too. Even if you totally fixed the US government, Americans would still have to worry about other governments (and non-government parties, such as common criminals, nosey snoops, etc), where you have no vote at all. You will never, ever have a total social/civic solution which relies on, say, 4th Amendment enforcement to keep your privacy. I'm not saying your chances are slim; I'm saying they're literally 0%.

Furthermore, getting our tech more acceptable to layment acually would correct some of the problems inherent with NSLs, improving the situation even in a we-still-don't-give-a-fuck society. If you do things right, then the person they send the NSL to, is the surveillance target. The reason NSLs (coercion with silence) works is that people unnecessarily put too much trust into the wrong places.

For example, Bob sends plaintext love letters to Alice, so anyone who delivers or stores the love letters, can be coerced into giving up the contents. OTOH if they did email right, then if someone wanted to read the email Bob sent to Alice, they'd have to visit Bob or Alice. That squashes the most egregious part of NSLs, where the victim doesn't even get to know they're under attack.

That's true whether we're talking about email, or even if Bob and Alice get secure routers and VPN to each other. One of them gets the NSL ordering them to install malware on their router.

New SSL root certificate authority

[johnjaydk]

A nice step ahead would be the establishment of a new set of root certificates and an accompanying authority that signs other peoples certificates. All located in a country that doesn't play ball with NSA and other thugs.

This would do a lot to dampen the routine man-in-the-middle we see these days.

Re: New SSL root certificate authority

We have already have them. We need Google and mozilla to stop being little bitches and bending over for the CA's and security services and implent DANE already in their browsers. I don't buy for a fucking minute that they don't implement it because it's not common enough yet...

Re:New SSL root certificate authority

[Sloppy]

A nice step ahead would be the establishment of a new set of root certificates...

The lesson of CA failure is that there shouldn't be root authorities. Users (or the people who set things up for them, in the case of novices) should be deciding whom they trust and how much, and certificates should be signed by many different parties, in the hopes that some of them are trusted by the person who uses it.

If you want to catch up to ~1990 tech, then you need to remove the "A" in "CA."

Re:New SSL root certificate authority

[johnjaydk]

If you want to catch up to ~1990 tech, then you need to remove the "A" in "CA."

Thanks for the insult. It hardly stung. I expect you to start the project shortly. I'll gladly donate to it on kickstarter.

Re:New SSL root certificate authority

[IamTheRealMike]

There are already plenty of CA's in countries that are not under US jurisdiction. However, so far the CA's that issued bad certs were all outside the USA, and appear to have only done so because they got hacked and not because they were e.g. forced to by court order.

Unless you have a magical solution to hacking I don't think your new root CA would solve much.

Additionally, citation needed for "routine man in the middle". SSL MITM has been studied by academics at scale. They did not find evidence of much. Governments don't need to MITM SSL for as long as users browse non-SSLd sites like Slashdot and browser exploits exist.

Re:New SSL root certificate authority

[Sloppy]

Thanks for the insult. It hardly stung.

Unless you worked at Netscape in the mid-1990s, no insult was intended.

All I meant is that by the very early 1990s, we (and by "we" I mean people smarter than me; I was clueless at the time) had a pretty good idea that CAs wouldn't work well outside of real power hierarchies (e.g. corporate intranets). But then a few years later the web browser people came along and adopted X.509's crap, blowing off the more recent PKI improvements, in spite of the fact that it looked like it wouldn't work well for situations like the WWW.

Unsurprisingly, it didn't work well. Organizing certificate trust differently than how real people handle trust, 1) allows bad CAs to do real damage, and 2) undermines peoples' confidence in the system.

A very nice way of saying this, is that in hindsight, the predicted problems are turning out to be more important than we thought most people would care about. ;-) It's almost as though now (no fair! you changed the requirements!!) people want SSL to be secure.

Keeping the same organization but with new faceless unaccountable trust-em-completely-or-not-at-all root CAs won't fix the problem. Having "root CAs" is the problem, and PRZ solved it, over 20 years ago.

I expect you to start the project shortly.

It's a little late to start, but I do happen to still be running an awful lot of applications (web browser being the most important one) which aren't using it yet.

Secure technology

[PopeRatzo]

I'm going back to my 1942 Corona typewriter with the "t" slightly raised.

Re:Secure technology

[ArcadeMan]

And why do you think the "t" is slightly raised, hum? Spyware, that's why.

Re:Don't you want to be a traitor too?

[Dins]

I didn't post this, but I think most of the replies/mods missed this dripping sarcasm...

Re:Don't you want to be a traitor too?

[Dins]

(My post above was in reference to the OP, not the post I replied to.)

Re:Maybe he can help hide BUK launches

[ArcadeMan]

Because in Soviet Russia, something something Dark Side.

Re:Don't you want to be a traitor too?

[dotancohen]

I hate to admit it, but I just happen to have an erect penis reading your public communications on Slashdot.

To be fair, it was erect before I opened the page. I think the SEO consultant sitting next to me is ovulating.

It is about getting out.

[Max_W]

Privacy is about getting out. Put on light t-shirt, thin-sole running shoes, light shorts and go with your partner to a park, a stadium, etc.

Or go to a beach for a swim.

Have a meaningful private conversation while running, walking or swimming. Speak in a calm quiet voice, not louder than necessary.

So getting out is good not only for health, but for privacy too. Besides, it is much safer to run together or to walk together.

Re:It is about getting out.

[messymerry]

The parks are full of bugs...

Re:It is about getting out.

[Max_W]

It is really funny :o)

Re:Don't you want to be a traitor too?

[ArcadeMan]

Alright, but which day do you think it's going to be?

Signed,
your friends at the NSA.

Re:Don't you want to be a traitor too?

[ArcadeMan]

cretin
krtn / noun
1. informal, offensive
a stupid person (used as a general term of abuse).
2. MEDICINE, dated
a person who is deformed and mentally handicapped because of congenital thyroid deficiency.

Well, if he is a cretin, you shouldn't criticize him. It's not nice to criticize the mentally handicapped.

Re:they will always be MITM

[ArcadeMan]

NSA is Malcolm in the Middle?

Re:they will always be MITM

[present_arms]

No, Malcolm was more intelligent

Stop Snowden first ...

[CaptainDork]

Hell, he walked in and got the stash and fled the country. Manning had already done a similar heist before this.

So, we've got minions with access to sensitive data and can't stop them. The government needs to audit itself ... again.

It does no good to wrap this stuff up in a cloaking device if space cadets can glomp and run.

Re:Stop Snowden first ...

[slimshady76]

Unless you are trying to be sarcastic, I'd say you are one the remaining ones who still collect their checks from the government and didn't flee... yet...

Re:Who will be auditing Snowden's code?

[luis_a_espinal]

So, who will be auditing Snowden's code? I wouldn't even consider using anything he wrote without independent third party audits .... lots of audits of the code, design, algorithms, everything. And no binaries that he builds.

Imagine the evasive power of the dual or triple functionality achieved by some of the Obfuscated C content entries combined with the subtle designs of Russian government cryptographers. No threat there, no sir.

Can he actually write code? And I mean code at the level of sophistication required for the type of functionality he is calling for? What he is calling for is way beyond the realm of sysadmin-related programming.

"Develop" or "Instigate the development of"?

[bsDaemon]

Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

I mean, let's be honest: Either way, whether he's going to just try and brand the stack or contribute, we have technologies that are perfectly good (that is, however, not to say perfect) already -- its just they aren't particularly widely deployed. How many organizations are running IPSec internally, other than just for site-to-site VPN tunnels? How many organizations are deploying DNSSec outside of governments and the military? How many organizations are using PGP or similar asymmetric encryption between employees? Making it easier might help, but chances are that the vast, vast majority of individuals aren't going to jump on any of these technologies in any great numbers unless they are mandated to (like at work, where they don't have a choice), but it isn't as if the government is going to make it a requirement that you try and "spy proof" your computer and communications.

Re:"Develop" or "Instigate the development of"?

[m00sh]

Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

All that counts is that Snowden has the balls and integrity that is so lacking in the "uber-hacker" department. You can't threaten Snowden, you can't bribe him. An uber-hacker, you can buy him out or scare him.

Anyways, you don't uber-hackers to develop security software. The encryption algorithms are university research level stuff and as long as you understand the basics of it, you're fine. The rest is just writing code around it that a decent programmer should be able to handle well.

Re:"Develop" or "Instigate the development of"?

[SuricouRaven]

Or an equally good brag: "I wrote a program that's illegal in China."

All I've written are two programs illegal in the US - but that's because one infringes on a software patent, and the other is a circumvention device under the DMCA. It's also a trivial program consisting of about five lines of C, but that doesn't really matter.

Re:"Develop" or "Instigate the development of"?

[IamTheRealMike]

Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker

Except the stuff about how a 29 year old completely pwnd the NSA, probably the most technically sophisticated part of the US Government there is?

Sheesh. Your standards are high. What would it take, exactly?

Additionally, just because you have read nothing about his programming skills doesn't mean he has none. He once mentioned finding XSS holes in some CIA app so apparently he is good enough to do that.

Re:Don't you want to be a traitor too?

[AHuxley]

How many more wars?
As for 'if the Germans knew about it." is the classic understanding of ww2 crypto. Germany trusted the machine, upgraded it a bit and had all its spies turned.
Lets take Normandy. Army Group B has some idea, Pz Lehr Division was moved, Germany had a spy near the British ambassador to Turkey, the Royal Navy had lost aspects to its low level codes, British railroads codes had been lost by late 1943, the German airforce saw changes in US and UK practice traffic, US Transport Command lost its codes, US M-209 and M-138 strip traffic was not totally secure, the A-3 A-3 speech scrambler was not so great, the Polish government in exile had code issues, a few German spies still existed in Sweden and Portugal, SIS-SOE agents where under watch in France
ie Germans moved units to Normandy.
As for "Enigma type machine encrypted messages" post ww2, the Soviet Union had a good understanding of the UK via humans. The Soviet Union was also moving to much tighter one time pad use as it fully understood its code reuse was a huge fault. But they had so much intel to send, they had few options but to risk it.
If govs cant get to one main code, they go for the weak ones, they go for people, they go for the weak codes that get used all day in sloppy ways.
For all the Enigma faith, Germany seemed to understand something was not perfect and worked hard to try and stay ahead.
New rotors, wheel permutations, random indicators, protections to counter cribbing, CY procedure, Uhr device, the UKW-D reflector but it all failed as cryptologic security was so split up. But people keep the old WW2 stories about Germany, Russia, Finland, Australia, Japan code work as just been all safe or all broken.
Post ww2 is filled with new advances and attempts by the UK and US. All very interesting, great in the new history books as more papers are released.
So for that Enigma vision we all give up our rights via an oath to authority for generations?
The talks did cover the authority and rights, press aspect in the last 30 mins.

ZeroKnowledge

[MouseR]

So now I guess ZeroKnowledge was 16 years too early. I remember laughing at it.

I still don't care wether NSA or other idiots read my mail for I have nothing to hide. But the prospect of ill-advised policy enforcer's ability to use otherwise benign data as scapegoating is irritating.

Link to Snowden hangout video

[NotInHere]

https://www.youtube.com/watch?...

Vote Snowden / Binney 2016!

[Bob9113]

Here's my latest Snowden / Binney 2016 bumper sticker art, suitable for printing at 2.75" x 5" cropped size plus a .125" bleed, 300 DPI, on vinyl:
PNG
Vector (LibreOffice Draw)

This is my original artwork, CC BY-NC-SA, so print a pile and spread them around if you like. I use psprint.com, and I recommend searching "vinyl bumper stickers" on DuckDuckGo, where psprint is usually running a coupon in the search results. I haven't received the color proofs for this version yet, but these are corrected from a previous batch and should be pretty good.

Disclaimer: I have no affiliation with DuckDuckGo or PSPrint, and Snowden/Binney is (perhaps unfortunately) neither a real nor a realistic campaign. This is just for giggles.

Re:Who will be auditing Snowden's code?

[SuricouRaven]

Probably not, but he at least know it and instead calls upon those of greater ability in that area to rally to his cause.

....In Russia

[gelfling]

Oh please, Eddy, shut the fuck up.

Re:Who will be auditing Snowden's code?

[fustakrakich]

See? Now I know you're full of it.. When have you ever seen anything subtle from the Russians?

Re:they will always be MITM

[Opportunist]

That's what strong encryption is for.

Re:Don't you want to be a traitor too?

You seem to be comparing two searches:
1) Done on ALL civilians, including people who were suspected of nothing
2) Specifically targeting official transmissions with probable cause to expect genocide

I don't know about the other would-be traitors, but the problem I have isn't with intercepting any communications of any kind; it's with searching innocent people. I'm perfectly OK with the NSA hacking actual terrorists.

Re:Don't you want to be a traitor too?

[Opportunist]

Would July 14th be ok?

The breeze around your neck that you feel shouldn't worry you...

Not going to happen.

[ops2048]

I applaud and vigorously support Mr. Snowden's suggestion that our rights MUST (my emphasis) be encoded into the programs and PROTOCOLS on which we rely every day. I seriously and sincerely doubt however that anyone, let alone the entrenched interests who construct and maintain the Internet, will in any way be moved to action.

As instance I cite the farce that is known as email. Architectural and design decision were made which did not consider the mass adoption of email by billions. Nor were the possibilities of incompetent, untrusted and malevolent actors considered. As a small illustrative example. Why, aside from the godlike feeling of absolute power conferred, do these servers allow sysadmins (or anybody who has hacked their account) to view or search the CONTENT of emails. The mail server programs implementing these flawed protocols were and continue to be kludges requiring near genius levels of competence to correctly configure and maintain.

These flaws were and are directly responsible for the tsunami of email spam and malware which began all of twenty years ago. The response was NOT to realize that the protocols were flawed and that serious refactoring was required. Instead castles of sand were built on top of quicksand. Heuristic Bayesian spam filters I'm looking at you here. This non response has directly enabled hundreds (if not perhaps thousands) of millions of dollars worth of damage and computer fraud yet still the protocols and programs were and still are not redesigned !!!

One could go on and on with similar critiques of virtually every piece of tcp/ip's fundamental infrastructure. IPV6 is not a counter example as some twenty years later it formats approximately four percent of internet traffic. These, not merely, and in addition to, the presence or absence of cryptography, I believe, are the privacy busting facts to which Mr Snowden alludes and refers.

If such serious monetary damage cannot impel substantive action this poster asserts that it is difficulty to imagine Mr Snowden's totally laudable revelations and prescriptions having any effect whatsoever.

The hackers on planet Earth?

[linearZ]

I'm guessing, with the crowd he was speaking to this kind of project would be open source.

I've taken the time to watch some of the Chaos Computer Club videos on cryptography, which I think is loosely connected with this HOPE crowd. They seem like a very sharp bunch. I would certainly take my chances on anything they've hammered on.