Slashdot Mirror


Neglecting the Lessons of Cypherpunk History

Nicola Hahn writes Over the course of the Snowden revelations there have been a number of high profile figures who've praised the merits of encryption as a remedy to the quandary of mass interception. Companies like Google and Apple have been quick to publicize their adoption of cryptographic countermeasures in an effort to maintain quarterly earnings. This marketing campaign has even convinced less credulous onlookers like Glenn Greenwald. For example, in a recent Intercept piece, Greenwald claimed:

"It is well-established that, prior to the Snowden reporting, Silicon Valley companies were secret, eager and vital participants in the growing Surveillance State. Once their role was revealed, and they perceived those disclosures threatening to their future profit-making, they instantly adopted a PR tactic of presenting themselves as Guardians of Privacy. Much of that is simply self-serving re-branding, but some of it, as I described last week, are genuine improvements in the technological means of protecting user privacy, such as the encryption products now being offered by Apple and Google, motivated by the belief that, post-Snowden, parading around as privacy protectors is necessary to stay competitive."

So, while he concedes the role of public relations in the ongoing cyber security push, Greenwald concurrently believes encryption is a "genuine" countermeasure. In other words, what we're seeing is mostly marketing hype... except for the part about strong encryption.

With regard to the promise of encryption as a privacy cure-all, history tells a markedly different story. Guarantees of security through encryption have often proven illusory, a magic act. Seeking refuge in a technical quick fix can be hazardous for a number of reasons.

103 comments

  1. Yep by Anonymous Coward · · Score: 2, Insightful

    Publicly available 'encryption' does little more than keep the kids off your lawn. It is snake oil. While you are on the company wire, there will never be any hope of this elusive 'privacy'. Give it up, and make the rest of the world transparent.

    Posting AC because the mods don't like hearing the truth about their golden calf...

    1. Re:Yep by Travis+Mansbridge · · Score: 4, Interesting

      Even ROT13 takes some effort to solve, it's better than laying everything out over the wire in plaintext. Will it stop the NSA from reading it if they really want to? No, but it prevents it from being searchable at the press of a button from a massive index of communications.

    2. Re:Yep by jones_supa · · Score: 5, Interesting

      A security solution does not have to be 100% perfect to still provide value.

      Let's take another example. A workstation requires pressing Ctrl-Alt-Del and typing a password to unlock the computer. You might say that it is useless protection because an attacker can just walk away with the hard drive of the computer.

      So why is the password still useful? Well, without a password, an attacker might just start locally using the computer and quickly take a look at various secret documents. If he were to grab the hard drive, it would take significantly more time, which would increase the chances of being captured by the security team.

      To get back to the topic, by using encryption you are not the lowest hanging fruit out there.

    3. Re:Yep by flowsnake · · Score: 5, Funny

      I've upgraded to ROT26 to make it twice as hard for the NSA to read my cookie recipes.

    4. Re:Yep by gweihir · · Score: 5, Informative

      There is no indication PGP/GnuPG can be broken if used right (some minimal care needed, e.g. verifying that you have the right keys for the people you communicate with). Things like BitLocker or current Phone encryption do not deserve much trust though.

      Your statement is far too generic to resemble the truth in this area. However there has been a consistent push behind your view from some quarters that can only be interpreted as a "don't use encryption, it does not help anyways" disinformation campaign. This is a rather strong indicator that even known-bad encryption like SSL makes things at least more difficult for the surveillance-fascists.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Yep by MrKaos · · Score: 2

      Mod parent up.

      Though I would add one other thing, that increasing the amount of effort that is required to decrypt your communications means the cost increases. Sure they may have a huge budget however there must be a point where it is not worth spending the money unless it will produce a result, after all, it's not an infinite budget.

      --
      My ism, it's full of beliefs.
    6. Re:Yep by gweihir · · Score: 2

      Indeed. And if we manage to drive their cost up past where it is sustainable, then even breakable encryption becomes unusable for mass-surveillance.

      The other thing is that a hugely inflated and costly "national security" apparatus can bankrupt a country (the US is well on its way there and the Brits are not looking too good either) and serves as a natural deterrent and bad example for others.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Yep by mariox19 · · Score: 3, Insightful

      I am far from being an expert on encryption, but the danger is not that PGP will be broken; it's that there are weaknesses in the entire "ecosystem" that allow for side-channel attacks. That's part of what that NSA paper, linked to in the article, is discussing. If there is something that can be exploited in the user's operating system or in the hardware, then that becomes the weak link in the chain.

      Then, there is the whole issue that you touch on: namely, the caveat of encryption's efficacy "if used right." The same is true of condoms and even oral contraceptives. Sadly, human beings are very bad at scrupulously adhering to the injunction to "use as directed."

      --

      quiquid id est, timeo puellas et oscula dantes.

    8. Re:Yep by sjames · · Score: 1

      Beyond that, it makes the machine tamper evident. This is especially important with servers. Sure, you absolutely can get root without the password if you are physically present, but you can't do so without tripping the monitor system.

    9. Re:Yep by Anonymous Coward · · Score: 0

      There is no indication PGP/GnuPG can be broken if used right (some minimal care needed, e.g. verifying that you have the right keys for the people you communicate with).

      Would that not depend on whether it uses any math libraries compromised by the NSA?

    10. Re:Yep by TWX · · Score: 1

      A security solution does not have to be 100% perfect to still provide value.

      On the other hand, a security solution needs to not be pre-compromised. A mafioso was convicted in part due to his poor choice of cypher, one that had been developed pre-computer and was hand-calculatable, and offered no protection from anyone looking to make a concerted effort to break it.

      During WWII, some Axis messages were transmitted in both a broken encryption and a not-yet-broken encryption, which led to the not-yet-broken encryption being more easily decrypted.

      Digital:Convergence attempted to sue people that figured out that their Cue Cat barcode scanners were just XORed and made software that used the Cue Cat for other-than-intended purposes.

      An encryption or security solution needs to start out working, and even if weaknesses are found later, they need to be hard-to-exploit weaknesses making circumvention an involved process. If a script kiddie or an entry-level computer professional can get around those measures as simply part of the course of use, then they're worthless.

      --
      Do not look into laser with remaining eye.
    11. Re:Yep by Anonymous Coward · · Score: 0

      You all are attacking this from the wrong angle. Why don't you try instead to elect people that respect privacy? Make it expensive for the crooks by voting them out! You people keep on putting layer upon layer of crap to compensate for your previous fuckups... Your entire car is made of Bondo and weighs 40 tons... And instead of worrying about your 'privacy', just take away theirs. Show 'em how it feels. You won't get any respect until then.

    12. Re:Yep by MrKaos · · Score: 1

      You all are attacking this from the wrong angle. Why don't you try instead to elect people that respect privacy?

      Because power corrupts and absolute power corrupts absolutely. To balance this protection of privacy must become systemic and impinging it must become expensive.

      You people keep on putting layer upon layer of crap to compensate for your previous fuckups... Your entire car is made of Bondo and weighs 40 tons...

      When you say "You people" it makes me wonder if you have ever written a letter to a politician and added your voice to a demand for them to act in their constituents' interests and if you actually participate in democracy beyond voting for brand X or Y. As you have expressed yourself as an anonymous coward, perhaps you should consider if you are one of the people you are talking about.

      And instead of worrying about your 'privacy', just take away theirs. Show 'em how it feels. You won't get any respect until then.

      Effectively they have already done that to themselves, however, you may find that certain political executives receive dispensation due to the financial connections they have.

      As for respect, first we have to move up to contempt from the downright hostility we are currently being shown as citizens.

      --
      My ism, it's full of beliefs.
    13. Re:Yep by gweihir · · Score: 1

      Your idea, while looking good on the surface, has a little problem, called "the voter". As long as 90% vote with their gut and are exceedingly easy to manipulate by those in power, no solution will come from the "democratic process". Hence we are not coming from the wrong angle, we are coming from the only angle that has a chance of working. Unless you propose that some of us try to infiltrate politics and manipulate the unthinking masses our way?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Yep by MrKaos · · Score: 1

      Absolutely and we seem to be seeing legislative constructs being passed that allow for these hugely intrusive schemes to operate legally. It should be more concerning to Joe Citizen that a member of the intelligence community steps away from that world and says "Hey people, it *has* gone too far".

      Unfortunately, here in Australia, we now see the type of legal framework introduced that makes whistleblowers, who are concerned about democracy, turned into criminals. I can only hope that such a thing remains un-constitutional in the US and UK.

      --
      My ism, it's full of beliefs.
    15. Re:Yep by gweihir · · Score: 1

      Highly unlikely. If they break the crypto, it will be noted, as it would not work with other implementations. The CPRNGs are not compromised, that would be infeasible with the number of people watching (but they have tried, see here: https://plus.google.com/+Theod...). There is not really space for subtle leaks of key material in the PGP datagrams.

      That does not mean they cannot break it, but it would come with a high risk of being discovered and the flaw would be attributable at least for GnuPG. There is also the risk of the NSA compromising the Linux kernel. One of the design-features of git is forward-hashes, so anybody with a repository copy can find out who exactly put in the malicious code. GnuPG uses git as well and so does other FOSS security software.

      As the surveillance and control fascists fear nothing more than having their evil machinations pulled into the light, a high risk of that is usually enough to deter them. And with code in git, any whistle-blower could just point to the critical parts and there would be no way of denying the compromise and who did it. Sure, sometimes they can compromise things so that it just looks like an error, but that has gotten extremely hard these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:Yep by BlueStrat · · Score: 1

      Because power corrupts and absolute power corrupts absolutely.

      So, remove the over-reaching power.

      The republic was never designed for a federal government with so much power. That was one of the basic tenets of its design, to not allow the central government too much power.

      Break it up like Ma Bell of old. Do away with the unnecessary/harmful/unconstitutional parts, and allow the states more control.

      Note; I am not advocating doing away with a central government. Just reducing its size, scope, power, and cost to more closely resemble what the founding documents say it should look like.

      Nobody is going to pay off an official who hasn't enough power to accomplish the goal(s) of the pay off. It's also hard to politically influence a federal agency/department/bureau that does not exist.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    17. Re:Yep by skids · · Score: 1

      I think it's possible to make the valid point that just hiding your communications, even if done perfectly, is not enough, and pursuing social change in addition to that is also needed, without casting baseless aspersions on cryptography in general. TFA strays too far towards the latter IMO.

      That only a fraction of a percent of humanity is currently capable/willing to ensure that their crypto ducks are in a row is a more valid point, and how to get the general population to choose the right platforms/apps/providers when there is no way to establish trust relationships that is not vulnerable to everyone ending up trusting a prick -- that is also a valid point.

      Eventually, however, social prohibitions against snooping will become impossible to enforce at the individual level, forget at the institutional level, just like it has become rather impossible these days to stop a determined individual from eavesdropping on face-to-face conversations, nor even prosecute them were a listening device discovered, if they were careful enough. There's a window past which the technical execution of strong crypto will be the only recourse left.

    18. Re:Yep by Anonymous Coward · · Score: 0

      That's right! Hand over power to the states! Because unlike the fed, state government officials are totally immune to power grab and corruption!

    19. Re:Yep by BlueStrat · · Score: 2

      That's right! Hand over power to the states! Because unlike the fed, state government officials are totally immune to power grab and corruption!

      If you have all the other states along with federal executive/judicial/legislative branches that are not so corrupted to the degree they are currently, the problem would self-correct. The Rule of Law instead of the Rule of Men would prevail.

      It's like a computer network; A system built from independent machines with a varied 'ecosystem' of software, hardware, and security systems is a much harder 'nut' to crack than a single machine that operates a network of 'dumb' terminals.

      In a very real way, those who wrote the US Constitution were network design geniuses. It makes little difference whether one is discussing a computer network or a government. Whether it's a network for data or for government power, many of the basic principles governing their operation, behavior, and security remain identical.

      They were the ones introducing the new & disruptive concepts of their age, like all rights and powers originating from and by the People, and that government exists at the People's pleasure to protect and defend those rights equally, and has only those powers loaned to it by the People, and those powers may be altered or abolished by the People as described in the Constitution as they see fit.

      Go and read the Federalist and Anti-Federalist Papers and the associated letters exchanged between the authors of the US Constitution if you want to understand these concepts. Of course if you're already fixed in your beliefs, then you may as well save time & bandwidth.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    20. Re: Yep by Anonymous Coward · · Score: 0

      You clearly haven't even spent a couple minutes thinking before jumping in and shooting your mouth off. The encryption itself has tremendous value. The question is whether or not companies like Apple and Google are subverting it internally, either by force (ie, NSL) or malice.

    21. Re:Yep by Anonymous Coward · · Score: 0

      Doesn't help at all. Unless the sender and recipient are encrypted so they don't know whose messages these are. The reality is that the surveillance isn't to stop crime or terrorism. It's not even to identify political enemies. It's to destroy enemies already identified. They'll decrypt all your stuff when you rise to their attention to destroy you. Not before. Having all the data on you, even if encrypted, is all they want or need. Beyond that, even if unencrypted, it's too difficult to find the needle in the haystack. They find the needle of who to go after first, for other, likely public reasons. Just look at how the IRS was going after certain groups but not others. They're not looking for tax cheats, they're going after threats to their, and their masters', status quo. Same way here. After they find a threat then they'll decrypt and go after the person.

      Ever wonder why Congress can't get anything done? They're a nice public target.

  2. Bolted down tight left and right by Anonymous Coward · · Score: 1, Insightful

    Welcome to the Jail called The USA land of freedom ROFL
    Man that government and its agencies are keeping the nuts and bolts tight giving it a turn every time they have a chance on "We the People"
    Never before in history, even in Russia, have we ever seen a People stay coy under such an attack to basic human rights violations and the absolute rape of its Constitution. It is with great sorrow that the world watches the USA spiral down into a land of slavery and absolute State surveillance and control without its people taking arms and revolt against the tyrants in power. The whole establishment is rotten to the core and there's no way out. Surveillance of a planetary infrastructure should get the USA kicked out of all the world's groups and associations and make them lose their seats in all bodies of governance. I hope the world will react strongly and really start to hurt the USA in their wallet. They cannot be trusted, period. They are the enemies to the world now. Putin looks like a good guy compared to the politicians (whose elections are funded by company money (so much for the politicos representing the people)) that are adopting laws and regulations further putting the screws to their own people and the world. Wake up .. the USA is THE threat to the free world.

    1. Re:Bolted down tight left and right by Anonymous Coward · · Score: 0

      it really doesn't matter, everyone is high out of their minds on marijuana and football.

    2. Re:Bolted down tight left and right by Anonymous Coward · · Score: 0

      All the poor fucks of eastern Europe can be bought with the following three things

      A) A bottle of brown sugar water
      B) A fatty piece of hacked meat
      C) Colored Glass Beads with some Android flavour

      You should never underestimate the willingness of people to enslave themselves to the juice of Hollywood.

  3. Should be entitled "rewriting the lessons of cyphe by Anonymous Coward · · Score: 1

    The article's premise - exhaustively made - is that the tech companies are at best incapable of securing their networks and at worst co-conspirators with those surveilling them.

    The renewed push for strong cryptography is summarily dismissed as mere marketing, reassuring spooked users with the illusion of protection. On slim evidence, Silicon Valley is painted as a monolithic entity complicit with surveillance - because lawful orders were complied with, because vulnerabilities keep being found (surprise) and because Keith Alexander was on first name terms with some CEOs including at Google. The very real outrage from engineers and security professionals is not mentioned.

    The author Bill Blunden draws the exceptionally paranoid conclusion that because the FBI - rightly or wrongly - have spoken out against the renewed push for strong encryption, they must be doing so as a feint, to reinforce the pretence of security made by the tech companies and thus make users feel fuzzy whilst carrying on with business as usual. It's almost a "wake up sheeple" moment.

    In doing so, he ignores and diminishes real cypherpunk history - the very real and ongoing evolutionary struggle between those who secure networks and those who would seek to undermine that security.

  4. Can be useless by Anonymous Coward · · Score: 0

    A billion-bit encryption scheme is useless when you can 1) simply ask for a password, claiming to be the new IT guy, 2) install a screen caster or key logger through any number of means, 3) ... 4) profit.

    1. Re:Can be useless by jbolden · · Score: 2

      Why would "the IT guy" by which I assume you mean helpdesk have access to server level encryption at all? He doesn't know it, the end users don't know it.

  5. Strategic vs tactical interception by Anonymous Coward · · Score: 5, Insightful

    Crypto everywhere isn't going to stop you specifically being watched, but it will stop strategic dragnet interception, and force a return to tactical decrypts.

    1. Re:Strategic vs tactical interception by anorlunda · · Score: 3, Insightful

      Mod the parent up.

      We are trying to make bulk surveillance harder, not targeted surveillance. By bulk I mean something like 500 million devices, all to be cracked.

    2. Re:Strategic vs tactical interception by Shadow+of+Eternity · · Score: 4, Insightful

      Exactly. This is like putting a decent U-Lock on a bicycle. You're not going to make your bike unstealable, you're just going to make it not worth the effort for anyone that doesn't specifically want to steal YOUR bike with professional grade tools.

      --
      A bullet may have your name on it but splash damage is addressed "To whom it may concern."
    3. Re:Strategic vs tactical interception by gweihir · · Score: 4, Insightful

      Indeed. And the dragnet is what is exceptionally dangerous. If the NSA/CIA/GCHQ has dirt on any politician and other person when they finally get into positions of power, then they control the state. What happens if intelligence agencies control a state can be seen in the former Soviet Union, former eastern Germany and current Northern Korea. These people are unable to tolerate individual freedoms or not being in total control, because they are terminally paranoid and see enemies everywhere. There is no more reliable way to establish universal Fascism than failing to limit the power of the intelligence agencies.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Strategic vs tactical interception by Anonymous Coward · · Score: 3, Interesting

      Yep. Cyclists certainly have learned the lesson that there is no such thing as absolute security, only relative security. The best you can do is make so the thief decides to go after someone else's bike instead. If your bike is an especially attractive target, the pros who know what they are looking for might still get it.

      And not only in this case, are the cops not doing much to stop the thieves, they're working on the same team. So really, we can't give up efforts to limit what the thieves can do.

    5. Re:Strategic vs tactical interception by gweihir · · Score: 1

      Good analogy.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Strategic vs tactical interception by Anonymous Coward · · Score: 1

      Crypto isn't going to protect you against the government reading everything from Apple's or Microsoft's or Google's servers.

    7. Re:Strategic vs tactical interception by jbolden · · Score: 3, Informative

      Yes it is. Apple, Microsoft and Google all have systems in place so that the data is encrypted at rest where they don't have the keys. Apple is putting things in place so that the data is not stored on their servers at all.

    8. Re:Strategic vs tactical interception by Anonymous Coward · · Score: 2, Insightful

      Newsflash: The NSA *already* controls the politicians. Why else are there only two near-identical parties to choose from. The game has been rigged for a very very long time.

    9. Re:Strategic vs tactical interception by gweihir · · Score: 1

      Too simplistic and inconsistent with observable historic facts. At the moment they do not have enough for solid control, they just use cheap manipulation. Which still works well, admittedly.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Strategic vs tactical interception by Anonymous Coward · · Score: 0

      The reason there's 2 near identical parties is a pure consequence of the statistics of elections where the 'winner takes it all'. That system always leads to 2 parties that will converge, both wanting to have the vote of the majority of the population.
      More variation is achieved when multiple parties have to form coalitions to govern. Each party can then chase the votes for their niche. Take Germany, where a lefty green party appeals to some, and a very right-wing nationalistic party to others, and both can have 10% of the votes and still both have an opportunity to be invited to the table by moderate center parties to form a coalition, because the moderate party cannot take it all on its own. This electoral system makes for diversity.
      Nothing to do with NSA, just basic laws of statistics.

  6. Respectfully, Greenwald Is Wrong by Anonymous Coward · · Score: 2, Interesting

    Whilst the changes implemented by Apple, Google and others are a matter of record, the sad truth is that none of that matters.

    There is simply no amount of encryption that a US company can deploy which trumps an NSL - a "National Security Letter". The fact is, if a company receives an NSL from the US Government, it has *no choice* but to comply, and to do so without alerting the potential subject[s] to the fact that it has been subverted. So far I am aware of only one party - Lavabit - who stood up to demands for keying materials.

    So Glenn is misguided at best, outright wrong at worst. At the moment, there are very few countries in the world where it is possible for a private citizen [or company] to set up a cryptoscheme that the government does not have the right to demand access. In most cases, withholding keys or pass phrases can result in instant censure, typically including jail time.

    I think the lesson is: you can't trust your PC, or your government...

    1. Re:Respectfully, Greenwald Is Wrong by Opportunist · · Score: 5, Interesting

      That Damocletian sword of a NSL is the biggest threat to competitiveness of the US data storage providers. On the internet, it does not matter where you store your data. Never before it mattered so little whether your datacenter is next door or in Abu Dhabi.

      As a company, would I want to have my data in the hands of a data center where I KNOW it could instantly be forced to hand it over to a government that has a record that borders on that of China when it comes to industrial espionage?

      I've been consulting with companies that wanted to outsource their data storage. They all had a list of countries where you may NOT store their data if you want to enter the bidding war, and without fail the US was on that list, along with other pinnacles of freedom like China. Iran was oddly absent from most lists, even.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Respectfully, Greenwald Is Wrong by cascadingstylesheet · · Score: 2

      Iran was oddly absent from most lists, even.

      I look forward to hearing about how your business plan of storing all of your data in Iran works out for you.

    3. Re:Respectfully, Greenwald Is Wrong by Opportunist · · Score: 2

      Hey, not my decision to keep it from the list. Personally I wouldn't want my data stored anywhere but in a few select countries. Don't kill the consultant when the one hiring him decides not to listen to him!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Respectfully, Greenwald Is Wrong by jonwil · · Score: 2

      If you live in the US, write your appropriate federal representatives (using an actual physical letter is still more likely to get noticed than an email I believe) and ask them to support the "Secure Data Act" which is designed to stop exactly this (the use of NSLs and other things to mandate backdoors and compromises in software)

      See http://www.wyden.senate.gov/ne... for details of the bill and get behind it (and spread the word about it). Is it perfect? No. But it (at least to my non-lawyer reading of the relevant info) seems to be a good place to start.

    5. Re:Respectfully, Greenwald Is Wrong by gweihir · · Score: 5, Informative

      Wrong. NSLs are "after the fact". Encryption is before. An NSL is also a _legal_ measure, while encryption is a _mathematical_ one. Guess what has more power to influence reality. If Apple and Google cannot break their encryption, then they cannot break their encryption, and no number of NSLs is going to change that. At the same time they cannot be forced to put backdoors into their products as that decreases product quality. The analogy to Lavabit is faulty, as Lavabit had the keys and could break its encryption.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Respectfully, Greenwald Is Wrong by AHuxley · · Score: 1, Insightful

      Re Encryption is before.
      A few products tried that in the 1950-1980. The US and UK govs always got the plain text they wanted long term.
      Staff were turned, cheaper standards were set. The junk international standards and tame systems can be seen years later.
      At some point in the consumer network the plain text is ready. At that point the backdoors, trapdoors are ready.
      Product quality did not save the world from the tame standards.
      Political leaders did not help. Experts did not mention much about junk standards. Was a lot said about tame encryption over the decades in the press?
      The big brands did not seem to understand what was being done to their own networks.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Respectfully, Greenwald Is Wrong by jbolden · · Score: 1

      Then you break keys apart. No one has the full key other than the target. A system can easily have 5 underlying private keys where you need any 4 of the 5 to decrypt and any entity only has one.
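
Added example, not part of the comment above or of the original thread: the comment names no scheme, so this sketch uses Shamir's secret sharing, one standard way to get the "any 4 of the 5" property by splitting a single key into five shares. The field prime, the function names and the sample key are assumptions made for this illustration.

```python
"""4-of-5 threshold splitting of a key with Shamir's secret sharing (added illustration)."""
import secrets
from itertools import combinations

# 2**521 - 1 is a Mersenne prime; any 256-bit key fits in this field as one element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME, Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, holders):
    """Return `holders` shares (x, y); any `threshold` of them rebuild `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    # The secret is the constant term; the other coefficients are uniformly random,
    # which is what makes fewer than `threshold` shares statistically useless.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_secret(shares, threshold):
    """Lagrange-interpolate the polynomial at x = 0 from `threshold` distinct shares."""
    points = list(dict(shares).items())  # drop duplicate x values
    if len(points) < threshold:
        raise ValueError("not enough distinct shares")
    points = points[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """Split a constructed key 4-of-5, then try every quorum and every minority."""
    key = secrets.randbits(256)  # constructed sample key for the demonstration
    shares = split_secret(key, threshold=4, holders=5)
    # Every group of four holders recovers the key.
    quorum_recovers = all(
        recover_secret(list(group), 4) == key for group in combinations(shares, 4)
    )
    # Three colluding holders can still interpolate, but a degree-2 fit through
    # their points lands on an unrelated field element, not the key.
    minority_recovers = any(
        recover_secret(list(group), 3) == key for group in combinations(shares, 3)
    )
    return quorum_recovers, minority_recovers


if __name__ == "__main__":
    print(demo())
```

Whoever runs `split_secret` sees the whole key, so the split has to happen on the owner's side, and the shares carry no integrity check on their own: a holder who returns a wrong share silently changes the recovered value.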

    8. Re:Respectfully, Greenwald Is Wrong by gweihir · · Score: 2

      So you are saying because it is an arms-race, the defenders of freedom should give up? Well, of course you are free to do so, but remember that _all_ freedoms you are enjoying today, including the one to post here, have been won by people that did not give up.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Respuctfully, Greenwald Is Wrong by sjames · · Score: 1

      That's why a meaningful system must be one where only the device owner has the ABILITY to decrypt it. No number of NSLs can overcome the actual inability to decrypt the data. That may also include a requirement to be unable to push updates silently.

    10. Re:Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 1

      You can keep fighting, of course, but it's futile. You're simply outgunned. And if you insist, ultimately it will turn ugly for you. What you call "freedoms" are in the end just privileges, to be revoked at the whim of a powerful elite. Time to wake up and accept it. You can still have a pretty good life if you toe the line and learn to give up any delusion of "freedom". Your choice.

    11. Re:Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      I trust Iran as far as China Russia and Britain and the US. That is,
      I encrypt before I upload anything to any cloud.

      Also, I always use TorBrowser when accessing accounts. And I spoof all registration information.

      Nothing special. Just the basic security defenses required these days.

    12. Re:Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      There is simply no amount of encryption that a US company can deploy which trumps an NSL - a "National Security Letter". The fact is, if a company receives an NSL from the US Government, it has *no choice* but to comply, and to do so without alerting the potential subject[s] to the fact that it has been subverted.

      I would disagree. If a company is physically unable to comply (they have no "back door" past the encryption and the data never passes through their system unencrypted) then the government must resort to doing actual police work, something the FBI is in deathly fear of. Besides, rubber hose cryptography usually works pretty good, however the FBI is also deathly afraid of the public becoming aware of their illegal investigation methods (such as stingray).

    13. Re:Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      Doesn't much matter what country you store the data in if the guys who want it simply flash a bunch of cash at the low level employees and convince them to walk out with a bunch of thumb drives filled with your data. The price it takes to get someone to sell you out is usually shockingly low.

      Or, if they simply tap the undersea cable that your data travels on to get there in the first place.

    14. Re:Respuctfully, Greenwald Is Wrong by gweihir · · Score: 1

      What a pathetic, defeatist attitude! Why not just kill yourself?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Respuctfully, Greenwald Is Wrong by dwye · · Score: 1

      To be fair, the AC is just expressing the same attitude as every non-political person in Eastern Europe during the Cold War. Or the attitude of slaves in the Antebellum South. Or Hegel's redefinition of "freedom" as the recognition of necessity.

      Not everyone is cut out to be Nat Turner, or John Brown. The AC clearly isn't.

    16. Re:Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      Baloney. US data services and centers are booming. No one is going to store their data in a non-US or non-EU country.

    17. Re: Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      Because life is good, even without those "freedoms" you crow about. Europeans live happy lives with limited freedom of speech and no gun rights. Thais live happy lives without the freedom of criticizing the King. I don't see Britons complaining much about surveillance, the compulsory handing over of passwords and internet filters. Australians are not taking it to the streets over the Australian firewall and censorship. Have you ever thought that maybe - just maybe - it's you "freedom and privacy" fanatics who are wrong, while the rest of us mature people have simply learned to let go of silly, naive ideas?

    18. Re:Respuctfully, Greenwald Is Wrong by gweihir · · Score: 1

      Well, yes. I have no problem with the AC thinking that. What I resent and consider hugely unethical is that the AC tries to spread this attitude.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re: Respuctfully, Greenwald Is Wrong by gweihir · · Score: 1

      You really do not understand what is going on. I do live in Europe. The problem is not limited physical rights. The problem is surveillance, which tries to get into your thoughts and violate your privacy. That is fundamentally different.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re: Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      Getting into my thoughts? Don't make me laugh, telepathy does not exist. Surveillance is not and has never been a problem, it's a fact that most European cities now have CCTV cameras installed and nobody complains. Nobody but people with a vested interest in not getting caught doing illegal things is complaining. Crime rates *have* been reduced. Crimes *have* been solved thanks to surveillance. Those are cold hard facts. It's not a perfect system but it's better than the anarchy some stupid kids on the internet would love. My privacy stops when I get out of the door. Other than that, I do not talk to criminals or terrorists so I have absolutely nothing to care about my communications being monitored and if it saves one life it's worth it. Now grow up and accept compromises like all adults or shut up and sulk in a corner because society is not going to roll back. Ever. Deal with it.

    21. Re: Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      Your privacy stops in your bedroom, where they can switch on the microphone of your electronic devices ANY TIME they feel the need.

      Before we had the nasty cameras there were plenty of ways of protecting property. It actually employed human beings; folks we now choose to have on unemployment benefits for their entire life.

    22. Re:Respuctfully, Greenwald Is Wrong by dwye · · Score: 1

      Sorry, but I feel that gutless cowards have the same free speech rights as the rest of us, even to advocating for others to snivel and bow and tug their forelocks.

      After all, AC is desperately trying to save our families' lives from our advocating copyrights shorter than 150 years after the death of the last person associated with some work, or net neutrality (or against it, or whatever), or using mil-spec encryption on our daily emails.

    23. Re: Respuctfully, Greenwald Is Wrong by Anonymous Coward · · Score: 0

      hmmm that must be why everyone is scrambling to put their servers overseas. :/

    24. Re:Respuctfully, Greenwald Is Wrong by Opportunist · · Score: 1

      Odd. Well, ok, of course my knowledge only reflects those companies that I had to deal with, which is of course by far not every company out there that wants to outsource its data center. I just find it highly amusing that the apparently few that do NOT want their data in the US all seem to choose me as a consultant.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. The roots of the problem are simple... by Anonymous Coward · · Score: 2, Insightful

    ... they stem from WW2 and the Cold War.

    Normally, countries police citizens by applying a rule of law. In the US' case, there is a written constitution which drives this, but in general across the West there is a written or unwritten set of standards which limit state's powers.

    If you are in an extreme war, and your country is at risk of being invaded, with many citizens being killed, it is appropriate to throw the above protection away. The state will do anything it needs to to survive, and will not follow normal rules. Interning enemy aliens or anyone suspected of supporting them is a good example - this would not be appropriate during peacetime.

    During WW2 the Western Powers (in particular the US and UK) set up state systems with these extra-legal powers. When WW2 finished, much of this apparatus was closed down, but the intelligence services managed to keep their jobs, on the grounds that they were fighting a Cold War with the Eastern Bloc. They maintained their extra-legal modus operandi, though no one cared very much, since the game was only being played between competing members of the two blocs' security services.

    Then came the fall of the Berlin Wall. And the end of the Eastern Bloc as a credible war enemy.

    That should have spelled the end of the security services' extra-legal operations. But it didn't. Instead, they cast around for new threats to justify their existence and their continuing role. And they found them in Middle Eastern terrorism.

    Our current foreign policy seems to be INTENDED to stoke up the threat of terrorism, and to destabilise the Middle East. This only started after 2001. Now you know why. It's to keep people in the jobs they have become accustomed to...

     

  8. Computers are compromised by design by Anonymous Coward · · Score: 2, Insightful

    Phones in particular, with their many hidden CPUs that have encompassing access to the one system that the users perceive as the "main processor", are untrustworthy. No secure encryption can be implemented on phones. But modern PCs are hardly better: System management mode, separate coprocessors and external buses with full RAM access, UEFI, etc. make it impossible to verify that there isn't hidden functionality, even if you assume the hardware isn't malicious.

    1. Re:Computers are compromised by design by gweihir · · Score: 1

      That is nonsense. True, there are numerous ways to hide things, but if you intend to make it secure and you do understand the system because you designed it, it is quite possible to make it secure. Do not take software written by "cheapest programmer possible" to indicate what can be done.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Computers are compromised by design by AHuxley · · Score: 4, Insightful

      Re "True, there are numerous ways to hide things, but if you intend to make it secure and you do understand the system because you designed it, it is quite possible to make it secure"
      The device and the network have origins with the Communications Assistance for Law Enforcement Act.
      https://en.wikipedia.org/wiki/...
      Trying to build a better app over that voice, text and network logging ready system is interesting.
      An app can encrypt but the data has to be entered?
      Get the plain text as it is entered? Then the new app can be as powerful as it wants and totally tested. The plain text is still ready on any network.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Computers are compromised by design by gweihir · · Score: 0

      You are rambling incoherently. You should reduce drug-intake.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. TFA Misunderstands the History by PvtVoid · · Score: 5, Interesting

    TFA is correct that simply thinking that, because there is a zillion-bit crypto algorithm thrown into the communication stream, that everything is good and security is guaranteed. There are many, many attack channels that do not involve brute-forcing the crypto. Keyloggers, for example.

    But this is silly:

    Back in the 1980s and 1990s, a group of encryption mavens known as cypherpunks sought to protect individual privacy by making "strong" encryption available to everyone. To this end they successfully spread their tools far and wide such that there were those in the cypherpunk crowd who declared victory. Thanks to Edward Snowden, we know how this story actually turned out. The NSA embarked on a clandestine, industry-spanning, program of mass subversion that weakened protocols and inserted covert backdoors into a myriad of products.

    In actuality, the crypto implementations promoted by cypherpunks were exactly those that made it difficult or impossible for such a program of mass subversion to take place. Remember that the height of the cypherpunk movement was when the Clinton administration was pushing hard, really hard, for the NSA-sponsored Clipper Chip, which was, in a nutshell, crypto subverted by design and mandated by law. We now know that when the spooks found that was politically impossible, they went ahead and did it anyway, in secret. But the cypherpunk tools, most notably PGP (and later GPG, when PGP sold out and went corporate). Hell, even look at /dev/random: when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips, /dev/random was still just fine, because it treats all sources of entropy as potentially untrustworthy, including the chip.

    The first lesson we should learn from the history of the cypherpunks is that trusting your crypto to a closed product is always, always a bad idea. That was the lesson then, and it is still the lesson now.

    The second lesson is that crypto, like any security, is all about the threat model. In that light, should we reject the widespread adoption of end-to-end crypto in commercial products? Of course not. If Apple and Google implement crypto by default, it will make efforts to dragnet information exponentially harder, even if the crypto is imperfect. This is why the spooks are beating the drum against it: it closes off that one particular threat model, which they have come to rely on. It doesn't close off other kinds of attack, but so what?

    The third lesson is that crypto, by itself, is not a panacea. Nobody ever said it was. The cypherpunk message was not that we can write PGP, declare victory, and walk away. The message was that privacy changes the relationship between the citizen and the state in beneficial ways, and that, in a technological society, we need to embrace technological means of increasing our privacy, in ways that cannot be controlled by the state.

    1. Re:TFA Misunderstands the History by Anonymous Coward · · Score: 0

      In actuality, the crypto implementations promoted by cypherpunks were exactly those that made it difficult or impossible for such a program of mass subversion to take place.

      Exactly. The author of TFA seems to be misinformed about what tools came out of the cypherpunk movement. He makes the assumption that those tools are actually used by the services that most of the people use nowadays, which is not true at all.
      If you look at tools like PGP, OTR, VPN implementations, or Tor, which all to some degree came from cypherpunks, those tools are actually very successful security-wise.
      The only way the cypherpunk movement failed is that most of these tools are not widely used by the general population as of today. However, they still brought strong encryption to many areas, and the tools are there to use for the people who need them the most.

      It's not that cryptography has failed to bring us security, it's that the people have failed to make use of the available cryptography in the first place.

      (Excuse my bad English...)

    2. Re:TFA Misunderstands the History by PvtVoid · · Score: 4, Interesting

      It's not that cryptography has failed to bring us security, it's that the people have failed to make use of the available cryptography in the first place.

      It's worse than that. As an artist friend of mine told me recently: "Ten years ago I used to wonder how people would respond to the massive loss of privacy represented by social media. Now we know: the only thing people actually worry about is that nobody is watching."

    3. Re:TFA Misunderstands the History by drinkypoo · · Score: 1

      The NSA embarked on a clandestine, industry-spanning, program of mass subversion that weakened protocols and inserted covert backdoors into a myriad of products.

      In actuality, the crypto implementations promoted by cypherpunks were exactly those that made it difficult or impossible for such a program of mass subversion to take place.

      Well, you're both right and wrong. What you say is true, but the NSA actually attacked security software, protocols, and even ciphers. They put back doors in some of the tools that people were depending on to defend them from the NSA.

      Remember that the height of the cypherpunk movement was when the Clinton administration was pushing hard, really hard, for the NSA-sponsored Clipper Chip, which was, in a nutshell, crypto subverted by design and mandated by law. We now know that when the spooks found that was politically impossible, they went ahead and did it anyway, in secret.

      Sigh. They went ahead and did it anyway, in plain sight. Both Intel and AMD have implemented TPMs inside of their CPUs. You can no longer buy a mainstream PC without a TPM.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:TFA Misunderstands the History by Lawrence_Bird · · Score: 2

      A very good summary. Too many people view crypto as the "Daddy" in their privacy, protecting them from all manner of threats. There are many places where encryption efforts can be compromised, including improper implementation of even well written libraries.

      But to argue, as some have, that it is worthless is wrong as well. It is the moat and wall around your castle. Sure there may be a day when the Mongolians overrun you but at least you have slowed them down by your efforts.

    5. Re:TFA Misunderstands the History by Anonymous Coward · · Score: 0

      Both Intel and AMD have implemented TPMs inside of their CPUs. You can no longer buy a mainstream PC without a TPM.

      ok. I'm not positive that's correct because I heard Macs didn't have them, but let's assume it is for now. Why do you want to do that?

      TPM is used by the effaceable store in Pond and to make offline attacks harder in ChromeOS disk encryption. They make iOS disk encryption better than Android and allow the encryption of parts of the iOS cloud backup so that it can only be restored onto the device that backed it up. To me they seem, like everything else, meaningful but imperfect tools for surveillance resistance. I understand a TPM can hypothetically be used as part of a system to lock users out of their own computers and into walled gardens, but that is a separate argument and not its only use. What do TPMs have to do with the NSA?

    6. Re:TFA Misunderstands the History by drinkypoo · · Score: 1

      I understand a TPM can hypothetically be used as part of a system to lock users out of their own computers and into walled gardens, but that is a separate argument and not its only use. What do TPMs have to do with the NSA?

      You just answered your own question.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:TFA Misunderstands the History by YesIAmAScript · · Score: 2

      "when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips"

      Such a thing was never revealed.

      https://www.schneier.com/blog/...

      "I have no idea if the NSA convinced Intel to do this with the hardware random number generator it embedded into its CPU chips, but I do know that it could." (could meaning it is conceivable here, he doesn't investigate anything about feasibility)

      No one ever showed that the NSA did this. No one even tried.

      It's really frustrating to see speculation reported as truth from a person who seems very careful to try to be sensible and not just ring alarm bells to get notice.

      --
      http://lkml.org/lkml/2005/8/20/95
    8. Re:TFA Misunderstands the History by Anonymous Coward · · Score: 0

      It IS the consensus they forced/bribed/compelled a Swiss company called "Crypto AG" to weaken their devices. They sweetened this by buying some of their products during WW2. And use that for low-level stuff, which was promptly broken by the German army.

      http://de.wikipedia.org/wiki/M-209

      http://en.wikipedia.org/wiki/Crypto_AG#Back-doored_machines

      There are multiple reports of NSA employees walking in and out of Crypto AG offices.

    9. Re:TFA Misunderstands the History by Anonymous Coward · · Score: 0

      The Lives of Others

  10. Encryption is not the answer by Anonymous Coward · · Score: 4, Insightful

    In the current political environment, encryption is not the answer. If you've been paying attention, there have been a number of cases where a person was ordered to unlock the contents of a laptop or other device under the threat of being put in prison if they refuse. And that is the real problem. If you create some super-duper-encryption that is impossible to break, the various corrupt government agencies will simply declare you to be a terrorist, who can't possibly have any legitimate need for that encryption, and you will be ordered to decrypt or go to prison, and nobody will even know you are in prison thanks to secret laws enforced by secret courts.

    Until THAT issue is addressed, encryption truly is just snake oil and feel-good public relations.

    1. Re:Encryption is not the answer by Anonymous Coward · · Score: 0

      This. And unfortunately there is no way to "address the issue". No way. All that ever stood between the old times and the current times was simply technical capabilities. The technical capabilities to intercept every communication on the whole nation, if not the whole world. Now those capabilities exist, they cannot be made to disappear and the State will not give them up. Ever. Any technology employed by "the people" to protect themselves will be made irrelevant by laws. It's over, they won, we lost, and that's all there is to it. Now and forever.

  11. This is not about cryptography by davide+marney · · Score: 3, Insightful

    The author says that "cryptography is underhanded", but you will look in vain to find any technical meaning of that phrase anywhere in the article. What he really means is that the major corporations (Google, Apple, et al.) are underhanded because they are working with state spies to cripple algorithms and put in back doors, etc.

    But trying to cripple cryptography is something we already are aware of, and there are ways to shore up the technology to make it much, much harder for government to spy on us in bulk. Even using weak, crippled cryptography forces the spies to expend computing resources. Cryptography is all about raising the cost of spying, when dealing with government, not with preventing spying.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:This is not about cryptography by Anonymous Coward · · Score: 1

      We have no clue just how advanced NSA decryption methods are, but my guess is that it's probably so ridiculously advanced that it would even surprise tech junkies. Like you said we also have to worry about algorithms that have been systematically weakened on purpose. Most encryption is more than most hackers can handle even with quad titans. My dual setup can rip most passwords apart for stuff like sign in passwords, but would be completely impractical against any medium level encryption with a decent length password with a diverse character set.

      Like I said at the start we have no clue what their shit can do and they have pretty much unlimited funding. I just wish they were using it to do their actual fucking job instead of wasting time on the public who has done nothing wrong. I never thought saying something sarcastically online would get someone thrown in jail until it happened. I never thought the government had the resources to spy on the entire world until we were told.

      I could be wrong, but I believe they have the capability to decrypt almost anything and fast. That could be a good thing if they were pointing it in the right direction.

  12. Secrecy laws by jbolden · · Score: 1

    I think the article is conflating three things:

    a) The limited amount of cooperation the tech firms provided
    b) The heavy amount of cooperation the telco firms provided
    c) The NSA successfully breaking some encryption systems because they are good at their job and (b).

    Silicon Valley companies were not eager participants but rather reluctant participants. However they can't fully disclose the extent of their involvement because of secrecy laws. Yes encryption systems have been attacked in ways that are complex. Yes they are likely to be attacked. But that is far different from them being worthless. The situation is far better today than it would be if there were no encryption at all.

    1. Re:Secrecy laws by Anonymous Coward · · Score: 0

      And also, at least in the case of Google and Facebook (don't know and don't really care about Apple), their business model is to snoop on users and to sell that information to others, albeit in a somewhat processed format. That is kind of a conflict with being guardians of privacy. Fine, their business model probably doesn't include selling the information to the NSA and not in the form that the NSA asks for, but if they pay, I suppose they are just another customer. So I'll trust Google as soon as they decide to change their business model and make money in some other way than ads. Not sooner. I'll never trust Facebook, no matter what they do.

    2. Re:Secrecy laws by jbolden · · Score: 1

      Yes and no. Google and Facebook want an accurate picture of their users' interests. They want you to freely send them data. Which means they can't be doing anything which causes you to become cautious. Always being logged in, having only one account...

  13. fud? by Anonymous Coward · · Score: 0

    Hell, even look at /dev/random: when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips, /dev/random was still just fine, because it treats all sources of entropy as potentially untrustworthy, including the chip.

    this is the first time i've heard this claim. reference? i know of the hand wringing about if we can trust the h/w, but i didn't see any evidence that it was broken.

    1. Re:fud? by PvtVoid · · Score: 2

      this is the first time i've heard this claim. reference? i know of the hand wringing about if we can trust the h/w, but i didn't see any evidence that it was broken.

      Ars Technica
      New York Times
      rt.com

    2. Re:fud? by Anonymous Coward · · Score: 0

      this sounds pretty fuddy. there are no specifics. i don't see intel or via mentioned by
      anyone except the freebsd guys.

  14. Still at dawn of internet, encryption will rule by Anonymous Coward · · Score: 0

    It's clear that there have been issues with current hashing and encryption tools, but they will get better. We are really just at the dawn of the internet, of digital communications. There will be ten thousand bugs, shakeups, discoveries, and sabotage acts; but each one will make things better. Eventually, whether it's ten or a hundred years from now, there will be unbreakable encryption and perfectly secure communication.

  15. let's face it by Masked+Coward · · Score: 1

    With most western governments being so intimately involved in commerce, in conjunction with (and because of) their deep level of corruption, no major player in the tech industry is going to take an antagonistic stance against the spooks. Particularly speaking of my country (US), the government's shadow agencies are going to get what they want. They hold all the levers of power, and therefore the means to determine the very existence of Apple/Google/MS as they exist today. Passing new laws, or perverting existing ones through parliamentary tricks, is already being used to put the screws to an array of "powerful" industries (healthcare, energy, insurance, financial, auto). The tech companies are no different - they will play ball or they will cease to exist. I'm not sure if there is a viable solution unless the vast majority of people wake up and resist. As long as people are camping out for 3 days in order to get the latest i-Phone, it ain't going to happen.

  16. Sorry, even Greenwald sells a little BS. by Anonymous Coward · · Score: 0

    That is hard to reconcile with the facts presented thus far. Levels of corporate management were kept in the dark (gagged internally and externally) while others were forced into compliance with threats that were beyond the pale. When it was all behind closed doors there was little that many thought could be done. Now the cat is out of the bag it is easier to be braver and stand up. It isn't just PR. Although it would make it a great reason to buy his book.

    But encryption is not the panacea as linked in the summary, Greenwald is entitled to his own opinions of course. However, he has no technical skills that I am aware of. Indeed, just the opposite. He would serve us best if he was to stick to journalism.

  17. That Base Covered by Anonymous Coward · · Score: 0

    You can use all your "strong crypto". They will then routinely obtain the keys by means of a weakness they have put into the OS or the hardware itself.

    These folks operate under the rule "whatever goes over the wire is ours" since 1920 or so. Read Herbert Yardley.

    1. Re:That Base Covered by skids · · Score: 1

      If your crypto is vulnerable in this way, it is not technically executed correctly.

  18. Reprint by Anonymous Coward · · Score: 0

    "You can use all your "strong crypto". They* will then routinely obtain the keys by means of a weakness they have put into the OS or the hardware itself.

    These folks operate under the rule "whatever goes over the wire is ours" since 1920 or so. Read Herbert Yardley.
    "

    * Armed Forces General Staff

  19. Re:Should be entitled "rewriting the lessons of cy by Anonymous Coward · · Score: 0

    There is no "struggle". They have pwned everything AT THE CORE. Your funny GPG is useless because they can run their own stuff right inside your Intel and ARM processor. Let's call it "microcode".

  20. Oh Really ? by Anonymous Coward · · Score: 0

    "Europe" is mostly a bunch of fucked-up countries on their economic and social deathbed. You can have a chemistry PhD here and don't get a job for your entire life. I know because I live and work here.

  21. German Cryptanalysis of M-209 by Anonymous Coward · · Score: 0

    http://www.heise.de/tp/artikel/18/18371/1.html

  22. If... by jd · · Score: 1

    You are vulnerable to Social Engineering (and almost everyone is), no security of any kind will ever work. Become a Scottish crofter, it's your only hope of a life.

    You are a private individual, see all XKCD coverage. Same remedy.

    You are Sony, abandon hope now. You wouldn't even make it as a crofter.

    You are anyone else, encryption is not enough. You want segmentation, active NIDS, proxies and firewalls at the gateways, HIDS on the machines, role-based access controls, host-to-host IPSec, security labels on packets, total removal of all vulnerable protocols, disk encryption, strong authentication and Neuromancer's Black Ice. A platoon of extreme freediving Ninja with enhanced magnetic sensors in their eyeballs would help, too.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  23. Encryption is conceptually broken because... by Paul+Fernhout · · Score: 1

    ... you can't organize a mass political movement or broad cultural change by hiding what you are doing. You need to convince people to believe in a cause and be willing to commit resources to support it. And overall that requires broad mass communications and engaging more and more people, any one of whom could report you to "authorities". Successful broad change in a democracy is going to be focused on legal & non-violent means to change public opinion. Encryption is generally about hiding communications and their contents, which is the opposite of what you need to be doing to make large scale social change.

    Encryption to ensure security is like the same argument for personal handgun ownership. While you can make arguments for such things and personal protection as individual solutions, neither does much by itself to change the societal culture (including changing spending policies and laws) to make the community healthier and safer. An emphasis on such shows a fundamental misunderstanding of the core social problems that confront us related to building healthier communities around shared values.

    Encrypted communications also don't help much when the person you are communicating with forwards everything to someone you don't know. And as an XKCD comic shows, a pipe wrench can defeat most encryption fairly straightforwardly. Encrypted communications can also be compromised in practice any number of ways, which then leaves you with a false sense of security and depending on something you should not be trusting. So, not only is a focus on encryption misleading, it is dangerous.

    Sure, encryption may enhance privacy and in that sense affect a balance of power between individual and state, and it is useful for protecting commercial transactions against criminals. It has its place. But that place is not at the heart of making social change of the kind we need for the 21st century -- which I feel relates more to making the most of abundant modern technology despite a culture and habits of mind adapted for scarcity.

    Or as I've said elsewhere:
    http://www.pdfernhout.net/on-d...
    "As I see it, there is a race going on. The race is between two trends. On the one hand, the internet can be used to profile and round up dissenters to the scarcity-based economic status quo (thus legitimate worries about privacy and something like TIA). On the other hand, the internet can be used to change the status quo in various ways (better designs, better science, stronger social networks advocating for things like a basic income, all supported by better structured arguments like with the Genoa II approach) to the point where there is abundance for all and rounding up dissenters to mainstream economics is a non-issue because material abundance is everywhere. So, as Bucky Fuller said, whether it will be Utopia or Oblivion will be a touch-and-go relay race to the very end. While I can't guarantee success at the second option of using the internet for abundance for all, I can guarantee that if we do nothing, the first option of using the internet to round up dissenters (or really, anybody who is different, like was done using IBM [punched card tabulators] in WWII Germany) will probably prevail. So, I feel the global public really needs access to these sorts of sensemaking tools in an open source way, and the way to use them is not so much to "fight back" as to "transform and/or transcend the system". As Bucky Fuller said, you never change things by fighting the old paradigm directly; you change things by inventing a new way that makes the old paradigm obsolete. ...
    As with that notion of "mutual security", the US intelligence community needs to look beyond seeing an intelligence tool as just something proprietary that gives a "friendly" analyst some advantage over an "unfriendly" analyst. Instead, the intelligence community could begin to see the potential for a free and open source intellig

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.