Schneier: Either Everyone Is Cyber-secure Or No One Is

← Back to Stories (view on slashdot.org)

Schneier: Either Everyone Is Cyber-secure Or No One Is

Posted by Soulskill on Tuesday March 3, 2015 @07:12PM from the nobody's-safe-except-the-amish dept.

Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.

130 comments

Min score:

Reason:

Sort:

TFS is correct by Anonymous Coward · 2015-03-03 19:17 · Score: 0

Good luck implementing it though.
1. Re:TFS is correct by mwvdlee · 2015-03-03 20:03 · Score: 5, Insightful
  
  It's already implemented.
  The powers that be have chosen "No one is cyber-secure" for you.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
2. Re:TFS is correct by Anonymous Coward · 2015-03-03 23:07 · Score: 0
  
  It's already implemented.
  The powers that be have chosen "No one is cyber-secure" for you.
  Given history, did you expect the result to be anything different?
  Or more to the point, remain legal?
  The US Government was intercepting and reading your snail mail before email came along. Only reason you didn't hear about it more is because you were lacking the live global chat session that is the internet at the time.
  Let's also not forget that some of this is mired in the foundation of Capitalism. Many of these changes were done because of someone's capitalistic nature to convince others that they "need" it.
3. Re:TFS is correct by Burz · 2015-03-03 23:10 · Score: 1
  
  It's already implemented.
  The powers that be have chosen "No one is cyber-secure" for you.
  Granted, nothing is perfect. But I'd like to see any demonstration of hacking a system like this.
  Or, rather, I'd like to see them try.
  Real network security is defined by the quality of its endpoints. And to have secure endpoints we need a personal computing culture that values openness as the first step to better security.
4. Re:TFS is correct by MightyMartian · 2015-03-04 02:37 · Score: 1
  
  Because mass surveillance doesn't exist in other economic and political systems.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
5. Re:TFS is correct by Anonymous Coward · 2015-03-04 03:43 · Score: 0
  
  Why would they need to hack your OS when they can get you through all the insecure intermediaries?
6. Re:TFS is correct by Burz · 2015-03-04 07:02 · Score: 1
  
  If the intermediaries matter, you're doing it wrong.
7. Re:TFS is correct by losfromla · 2015-03-04 09:51 · Score: 1
  
  But Our Country is better than this, said all my grade school teachers (yes, I was schooled in an inner-city school district).
  
  --
  Only I can judge you.
8. Re:TFS is correct by Anonymous Coward · 2015-03-04 20:33 · Score: 0
  
  So your CPU doesn't matter? Your BIOS doesn't matter? Your video/network/sound card/dvd/hard drive firmware doesn't matter?
someone else can be first by pbjones · 2015-03-03 19:18 · Score: 1

not sure how packet injection breaks into my computer.

--
There was an unknown error in the submission.
1. Re:someone else can be first by Anonymous Coward · 2015-03-03 19:35 · Score: 4, Informative
  
  Zero day vulnerability even if you don't visit an infected website.
2. Re:someone else can be first by kesuki · 2015-03-03 20:33 · Score: 1, Informative
  
  packet injection for dummies.
  1. user initiates comms
  2. MITM detects comms
  3. MITM rewrited packet headers and sends falsified packets AS user
  4. Computer reads funny joke
  5. computer spits coffee into keyboard
  6. device is fried, user is blamed.
  7. government sells broken device to user
  8. user can't push device sold to them
  9. user wishes it never happened
  10. quantum paradox occurs
  11. server reboots
  12. ???
  13. nuked from orbit
  14. goto step 1.
  15. bitch complains about tight loop.
  
  --
  https://www.gnu.org/philosophy/free-sw.html
3. Re:someone else can be first by monkeyxpress · 2015-03-03 21:34 · Score: 3, Insightful
  
  not sure how packet injection breaks into my computer.
  It's not about hacking into your computer. It's about the fact that the govt spy agencies had quite sophisticated spying infrastructure installed into key parts of the internet. Why this is a surprise to anybody is beyond me. Other than the negative PR value (which I'm sure some 'we're protecting you from pedophiles rhetoric' would fix I don't even know why the govt particularly cared if people found out.
4. Re:someone else can be first by Anonymous Coward · 2015-03-03 21:42 · Score: 0
  
  I'm pretty sure there is an alternative point 6 where Obama gets blamed instead.
5. Re:someone else can be first by Anonymous Coward · 2015-03-03 22:18 · Score: 0
  
  No, Obama, and the USA government gets blame at point 2 & 3 for allowing spying and generalized automatic hacking of our private data.
6. Re:someone else can be first by Wootery · 2015-03-04 00:48 · Score: 2
  
  Sounds like another argument in favour of HTTPS for everything.
7. Re:someone else can be first by some+old+guy · 2015-03-04 02:24 · Score: 1
  
  And you think the TLA's haven't compromised that too?
  http://www.darkreading.com/att...?
  
  --
  Scruting the inscrutable for over 50 years.
8. Re:someone else can be first by MachineShedFred · 2015-03-04 02:48 · Score: 4, Insightful
  
  Sounds like an argument for IPSec for anything that matters - as long as you're Doing It Right you get message integrity and authenticity. That's the whole point.
  Now, if someone's cracked IKEv2, SHA, or AES all bets are off.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
9. Re:someone else can be first by Lunix+Nutcase · 2015-03-04 03:44 · Score: 1
  
  Ignorning all the ways HTTPS can by MITMed and/or forced to use insecure ciphers?
10. Re:someone else can be first by Anonymous Coward · 2015-03-04 04:32 · Score: 0
  
  You mean other large actors could have hacked Sony? Blaming it on NK?
  captcha: routed... how funny
Conventional weapons? by Anonymous Coward · 2015-03-03 19:18 · Score: 0

"...even a world where governments get to spy and criminals don't..."
How's it then that the governments get to use ICBMs but criminals don't?
1. Re:Conventional weapons? by bigfinger76 · 2015-03-03 20:40 · Score: 2
  
  Taking advantage of broken infrastructure (weakened crypto, for example) is easy. Creating and maintaining ICBM technology is not.
2. Re:Conventional weapons? by Anonymous Coward · 2015-03-03 22:48 · Score: 0
  
  "Creating and maintaining ICBM technology is not."
  sure you just need a guest account on the mainframe and a room of monkies with slide rules.
3. Re:Conventional weapons? by Gr8Apes · 2015-03-04 00:29 · Score: 1
  
  I'd have to disagree given how many countries now have long range rocket technology. It's merely a matter of scale after that. The biggest issue most have is guidance technology. Apparently that's still a big problem, much like the V1/V2s in WWII, they weren't good for eliminating a target, but they were excellent for demoralizing the populace.
  
  --
  The cesspool just got a check and balance.
4. Re:Conventional weapons? by Immerman · 2015-03-04 02:21 · Score: 1
  
  Given the devastating effects of a nuclear or biological airburst, there's a lot of situations where actually hitting the target might not even be desirable. Still, there's a world of difference between a rocket that can go hundreds of miles, and one that can go ten thousand - and you *really* don't want that super-secret, never-been-tested ICBM to blow up on the launch pad or while it's still over friendly territory. A nuclear warhead probably wouldn't detonate, but a chemical or biological warhead would quite likely be effectively dispersed.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
5. Re:Conventional weapons? by Gr8Apes · 2015-03-04 02:42 · Score: 1
  
  There's a difference in hitting LA or the Galapagos, which is the type of error margin you can get with ICBMs.
  
  --
  The cesspool just got a check and balance.
Stating the obvious by Anonymous Coward · 2015-03-03 19:19 · Score: 5, Informative

Its always seemed obvious to me that the system that you *know* grants unauthorised access cannot be considered to be secure. I never thought I was saying anything profound or even worthwhile, but apparently this fact is lost on a good number of people.
1. Re:Stating the obvious by AHuxley · 2015-03-03 19:35 · Score: 1
  
  Each generation has its own ability to set aside the way a telco network can be used domestically.
  The use was only for ww1, ww2, the Soviet Union, Russia, China, distant wars and long occupations.
  Tame brands, academics, political leaders all thought their generation of secure hardware and software was been looked after by different brands, legal teams, oversight or respected international standards.
  With the news of weak standards, academics been unaware or unsure where to look, brands letting other outside gov or mil networks just enter their internal secure networks people can grasp what weak security is over many generations.
  
  --
  Domestic spying is now "Benign Information Gathering"
2. Re: Stating the obvious by Anonymous Coward · 2015-03-03 19:46 · Score: 0
  
  Wow mind blown. Www=ww3
3. Re: Stating the obvious by AHuxley · 2015-03-03 19:52 · Score: 3, Informative
  
  world wide wiretap AC
  
  --
  Domestic spying is now "Benign Information Gathering"
4. Re:Stating the obvious by gweihir · 2015-03-04 03:21 · Score: 1
  
  Most people are both stupid and incompetent, and in addition do not realize either. Once you have accepted that, basically all problems the human race has have a conclusive and accurate explanation.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Insecure by phantomfive · 2015-03-03 19:20 · Score: 3, Insightful

Right now there's not really an option, we're all insecure. And we will continue to be insecure as long as we favor features over security (which probably won't change).

--
"First they came for the slanderers and i said nothing."
1. Re:Insecure by fustakrakich · 2015-03-03 19:42 · Score: 1
  
  And we will continue to be insecure...
  Full stop. That's it. Nothing else. The best option is to make sure nobody has the advantage.
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:Insecure by phantomfive · 2015-03-03 19:46 · Score: 1
  
  What? No thankyou, I'd prefer to have my system secure.
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:Insecure by Pieroxy · 2015-03-03 20:04 · Score: 1
  
  What? No thankyou, I'd prefer to have my system secure.
  It's all well and good, but how do you propose to do that ?
  
  --
  Write boring code, not shiny code!
4. Re:Insecure by phantomfive · 2015-03-03 20:13 · Score: 2
  
  Unplug the network.
  
  Seriously though, Daniel Bernstein has put a lot of thought into that question. You can start here.
  
  --
  "First they came for the slanderers and i said nothing."
5. Re:Insecure by Beamboom · 2015-03-03 20:21 · Score: 1
  
  That's an illusion, unless you design your own hardware and the system that runs on it.
6. Re:Insecure by Pieroxy · 2015-03-03 20:42 · Score: 1
  
  Well, you're right on one thing: unplugging is probably the only option. Given the gazillion lines of code running on any net-connected machine, there is just no way in hell all this code will ever be 100% secure. Given that anyone in the world can find a flaw and then market it for the others, I'd say the future looks pretty dark on that front.
  The paper is interesting but quite idealist. No OS, driver, app is going to be rewritten with this in mind. And we need ALL of them to be rewritten. There is, for all intents and purposes, an infinity of vulnerabilities in every system.
  Yeah, today is that kind of a day.
  
  --
  Write boring code, not shiny code!
7. Re:Insecure by Pieroxy · 2015-03-03 20:45 · Score: 1
  
  Also, don't forget they overfucked Iran's nuclear facilities infecting PCs that were on no network at all. It worked for more than 5 years. So all in all, network is just an accelerator, but they can get into anything with plugs. Fill the network plug, USB slots, CD-Rom drives and every other mean of communication from the computer and then it's become worthless.
  
  --
  Write boring code, not shiny code!
8. Re:Insecure by Anonymous Coward · 2015-03-03 21:05 · Score: 0
  
  well 17 retrofitted icbms went to the moon with just a guest account on a cloned mainframe.
9. Re:Insecure by AchilleTalon · 2015-03-03 23:59 · Score: 1
  
  False statement. Security and features are not mutually exclusive. Even though in the head of many security guys they are just looking forward to block features they haven't yet found how to make secure.
  
  --
  Achille Talon
  Hop!
10. Re:Insecure by fraxinus-tree · 2015-03-04 01:27 · Score: 1
  
  We are all insecure and this is not that bad. These vulnerabilities make people and corporations equal the way Colt made them in his time. We just have to maintain acceptable level of risk.
11. Re:Insecure by fraxinus-tree · 2015-03-04 01:31 · Score: 1
  
  Everyone preffers. Then, the relativity kicks in...
12. Re:Insecure by Aqualung812 · 2015-03-04 01:41 · Score: 1
  
  Unplug the network
  Not enough. Quoting Spaf:
  
  The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
  http://spaf.cerias.purdue.edu/...
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
13. Re:Insecure by Anonymous Coward · 2015-03-04 01:55 · Score: 0
  
  An open door is a feature that can't be secured. It is not the "security guys" blocking a feature due to their incompetence at controlling reality. Alt: It is not your doctor's fault if he and his medical guys can't keep you alive forever.
14. Re:Insecure by rot26 · 2015-03-04 02:05 · Score: 1
  
  Penetrating air-gapped machines is old hat now. The next step will be discovering that the hardware we buy has been pre-compromised before purchase. Oh, that's right, that's already happening.
  
  Hurray for megabyte sized firmware... lots of room to hide anything.
  
  --
  
  To ensure perfect aim, shoot first and call whatever you hit the target
15. Re:Insecure by Immerman · 2015-03-04 02:29 · Score: 1
  
  That's a false equality. A revolver is nice and all, but it's of almost no use against an army. Even less against a battalion of tanks. You might get lucky and take out a few soldiers, but that won't even slow them down.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
16. Re:Insecure by fustakrakich · 2015-03-04 03:37 · Score: 1
  
  Well then, the best of luck to you. You will need that, and a miracle or two...
  
  --
  “He’s not deformed, he’s just drunk!”
17. Re:Insecure by Noah+Haders · 2015-03-04 03:46 · Score: 1
  
  *all intensive purposes
18. Re:Insecure by Noah+Haders · 2015-03-04 03:47 · Score: 1
  
  Even that doesn't matter if you don't own your own silicon fab.
19. Re:Insecure by Anonymous Coward · 2015-03-04 03:54 · Score: 0
  
  OP is actually correct
  http://en.wiktionary.org/wiki/...
  2. 'sometimes misconstructed as "for all intensive purposes" '
20. Re:Insecure by StikyPad · 2015-03-04 04:00 · Score: 2
  
  This doesn't really need to be the case. We're used to carrying keys to access our cars and homes -- we could carry digital encryption keys to access our emails and data. The bug/feature is that losing the keys necessarily means permanently losing access to the data, from the past anyway. But that's not actually very different from today -- much of our data rots for other reasons anyway. Photos and documents disappear when we buy a new phone, or when our hard drives bite the dust. Endpoint encryption would actually allow secure online storage without worrying who might access the data, because nobody else has a copy of the keys.
  One way to accomplish this without sacrificing convenience, for those who value it over security, would be to solve the specific problem instead of the general problem. Default to external keys only, and "bury" an option in the settings to store a copy of the key(s) on-device, or online, for convenience. Encourage good habits by making it the norm, but allow people to exercise bad habits if they need or choose to and accept the risks.
  I do applaud Schneier for coming out strongly in favor of security. In past speeches he's equivocated and said he doesn't have the answers, just the facts, but there really is only one answer in this case. We must choose security. We fought this battle in the late 90s and early aughts -- the so-called crypto wars -- but apparently we need to fight it again for a new generation. Let the battle begin.
  
  --
  https://www.eff.org/https-everywhere
21. Re:Insecure by phantomfive · 2015-03-04 04:05 · Score: 1
  
  No it doesn't. If a corporation loses your personal information, you're going to suffer more than them.
  
  --
  "First they came for the slanderers and i said nothing."
22. Re:Insecure by phantomfive · 2015-03-04 04:08 · Score: 1
  
  It takes much longer to secure a feature, which is why insecure code wins in the marketplace.
  
  --
  "First they came for the slanderers and i said nothing."
23. Re:Insecure by rot26 · 2015-03-04 04:08 · Score: 1
  
  You should go to be liberry and check up on that.
  
  --
  
  To ensure perfect aim, shoot first and call whatever you hit the target
24. Re:Insecure by Noah+Haders · 2015-03-04 04:17 · Score: 1
  
  You should go to teh dooctr and have that checked out.
25. Re:Insecure by Anonymous Coward · 2015-03-04 04:25 · Score: 0
  
  Nope, "intents and purposes" is correct. Emphasis by repetition.
  "Intensive purposes" makes no sense, can a purpose be intensive? A person could be intensive (more accurately, passionate) about a purpose, but a purpose just is.
  Now, if you're talking about intensive porpoises, you might be on to something, but I don't think porpoises, intensive or lackadaisical, use operating systems at all.
26. Re:Insecure by Anonymous Coward · 2015-03-04 04:28 · Score: 0
  
  No, that's not secure either. Can you trust the armed guards? Better to drop it down the throat of an active volcano.
  Or nuke it from orbit...
27. Re:Insecure by fraxinus-tree · 2015-03-04 04:32 · Score: 1
  
  It is already pretty clear that we have to (and will, some way or another) build a society where the personal information is not THAT sensitive.
28. Re:Insecure by phantomfive · 2015-03-04 04:36 · Score: 1
  
  That sounds harder than building a secure system.
  
  --
  "First they came for the slanderers and i said nothing."
29. Re:Insecure by Bing+Tsher+E · 2015-03-04 05:16 · Score: 1
  
  It's not that hard to build that society.
  We could start by eliminating the notion of the Social Security ID being a 'secret number.'
  There's no reason it needs to be a secret number for the Social Security system to operate. SS was set up as a pension savings plan and the SSN was never intended as an identification number.
  The government could simply publish everyone's SSN in a publicly available digest, either online or in big phone-book like volumes.
  That would fuck over the 'cheap' way that the Credit and Banking system has been using the SSN as a 'secret identifier' but it would quickly settle out.
  There's not supposed to be some sort of 'magic power' inherent in having someone's SSN and it only 'works' as such because people act like they're secret numbers.
30. Re: Insecure by Anonymous Coward · 2015-03-04 05:57 · Score: 0
  
  If you are losing data when changing phones you're doing it wrong... no backups taken before the hard disk went? We should take you seriously? Why?
31. Re:Insecure by mean+pun · 2015-03-04 06:48 · Score: 1
  
  Penetrating air-gapped machines is old hat now.
  
  Some vaguely plausible demos at a few conventions is not 'old hat'.
32. Re: Insecure by mean+pun · 2015-03-04 06:54 · Score: 1
  
  He's describing what happens to many people in practice, rather than in nerd nirvana.
33. Re: Insecure by Anonymous Coward · 2015-03-04 20:39 · Score: 0
  
  The problem is that unless you root (hack) your phone you can't backup app data because it is not allowed due to the fact that every app runs as a different user.
34. Re:Insecure by fraxinus-tree · 2015-03-04 21:14 · Score: 1
  
  I live in Europe and I simply do not understand the crazy SSN thing you have. Our "government IDs" are not secret. We still have a lot of room for improvement, sure, but you can use a lot of hints from us.
35. Re:Insecure by JimFive · 2015-03-06 04:36 · Score: 1
  
  The issue with the SSN is that with the number, a name, and a birth date you can get a credit card mailed to you. This happens because the credit card issuers make the mistake that if you know those 3 things then you must be that person (and, they have successfully pushed the pain onto the real person by coining the phrase identity theft, instead of what it really is, fraud).
  
  In your country in Europe, what do you need to do to get a credit card?
  --
  JimFive
  
  --
  Please stop using the word theory when you mean hypothesis.
36. Re:Insecure by fraxinus-tree · 2015-03-06 06:09 · Score: 1
  
  At least in Bulgaria where I live, CC is never mailed. You have to go in person to a bank office and show a state-issued ID card (or passport, if you are not local), to get one. IDs are generally hard to forge (crypto-enabled coming soon here and already usual in other EU states), have your photo printed on them, last usually 10 years and are mandatory.
  
  CCs became themselves crypto devices some 15 years ago and a lot of them do not have a magnetic strip now - good luck cloning them.
  
  It is not that we do not have bank fraud, it simply is not at such an entry level.
Actually a govrenment can be secure even if by MouseTheLuckyDog · 2015-03-03 19:30 · Score: 0

other governments are not.
Just develop everything in house. And I do mean everything.
1. Re:Actually a govrenment can be secure even if by phantomfive · 2015-03-03 19:50 · Score: 1
  
  That won't make you secure. Given how government programmers operate, it will probably be less secure.
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:Actually a govrenment can be secure even if by fraxinus-tree · 2015-03-04 01:41 · Score: 1
  
  This way, you can only get security by obscurity. Not much. You also get all the expenses of in-house development. A LOT.
Hey Bruce by 93+Escort+Wagon · 2015-03-03 19:59 · Score: 3, Interesting

You're preaching to the choir here... but it'd sure be great if you got a chance to explain this to the President and to Congress, though.

--
#DeleteChrome
1. Re:Hey Bruce by Anonymous Coward · 2015-03-04 00:56 · Score: 0
  
  I just read that as...
  
  You're patching to the choir here...
  ...which makes me wonder if we can have a geek version of the old saying:
  "you're patching to the up-to-date"
  (posting as AC, because I've spent years trying to be pretty cool and I don't want my friends to know just how geeky I am)
2. Re:Hey Bruce by Bing+Tsher+E · 2015-03-04 05:20 · Score: 1
  
  Bruce is just a blogger and a journalist. He wrote the Cryptology book that nobody else dared publish and got it into print. He's not a credentialed cytologist, and his 'security expertise' comes from him having been a blogging journalist on the topic for over a decade.
  He probably would be good at explaining the issue to the President and Congress, but that would be because he's a good communicator, not an expert or scientist.
3. Re:Hey Bruce by Anonymous Coward · 2015-03-04 05:47 · Score: 0
  
  I am grateful that there are people out there who are good at explaining stuff to people, so that I can focus on fun things.
4. Re:Hey Bruce by losfromla · 2015-03-04 10:04 · Score: 2
  
  Have you forgotten where you are? Your friends who think you are cool here would still think you were cool if you started eating boogers on a regular basis. Nerd-cred matters but cool hardly does. Still, the joke was lame so it was smart of you to disassociate yourself from it.
  
  --
  Only I can judge you.
NOT TO BE TRUSTED by HughJazz · 2015-03-03 20:04 · Score: 0

Schneier is of course right. Unfortunately megalomaniac politicians around the world are violating the very rights their are supposed to be protecting which is why Bruce is naive is thinking this attitude will change any time soon. Thus the only path to security must come come through private sector. 1 Companies that sell software... better have all code open sourced (not same as free) or should be labelled "NOT TO BE TRUSTED". (including firmware.. Bios, NICs, HDD, GPU, riouter,s switches, etc..) Code (including scripts and updates) is then compiled locally and before first execution hash checked automatically against non-centralized database (p2p technology similar to bitcoin block chain) 3. All hardware sold with precise technical diagrams... or should be labelled "NOT TO BE TRUSTED" 4. All encryption always on client side. Virtually all major current email providers should be labelled "NOT TO BE TRUSTED" (salute to ProtonMail) 5. Get rid of centralized authorities for security (looking at you SSL) Centralized servers have big fat sign that say "NOT TO BE TRUSTED". P2P. 6. Create new network protocols (to replace www, ftp, imap, etc..) that are designed from ground up on zero knowledge principle. Websites not using it zero knowledge proof... "NOT TO BE TRUSTED" https://en.wikipedia.org/wiki/... 7. Shaming lists on NGOs (applause to EFF). Any politician that votes for mass surveillance or doesn't adhere to above principles. put on NGO lists as "HUMAN RIGHTS VIOLATORS" and NOT TO BE TRUSTED"..
1. Re:NOT TO BE TRUSTED by tburkhol · 2015-03-04 00:09 · Score: 1
  
  1 Companies that sell software... better have all code open sourced (not same as free) or should be labelled "NOT TO BE TRUSTED".
  No way to tell whether the provided source code matches the provided firmware
  
  Code (including scripts and updates) is then compiled locally and before first execution hash checked automatically against non-centralized database (p2p technology similar to bitcoin block chain)
  1) binary code will vary depending on the specific architecture, optimizations, and libraries during compilation. 2) a hash can be falsified as easily as a binary.
  
  3. All hardware sold with precise technical diagrams... or should be labelled "NOT TO BE TRUSTED"
  At least an order of magnitude less effective than open source, and we've seen that even "important" OSS like openssl can go decades without independent code review.
  
  4. All encryption always on client side.
  Quite sensible, although I suspect that people will rapidly become frustrated when they forget their pass phrase, or lose their private key, and 5 years of family snapshots disappear. Or when grandma dies, taking access to her archive of family history with her.
  
  5. Get rid of centralized authorities for security (looking at you SSL) Centralized servers have big fat sign that say "NOT TO BE TRUSTED". P2P.
  Because you'd rather trust 1000 amateurs to secure all of their systems than one professional to secure his server?
  
  7. Shaming lists on NGOs (applause to EFF). Any politician that votes for mass surveillance or doesn't adhere to above principles. put on NGO lists as "HUMAN RIGHTS VIOLATORS"
  Yeah, ranks right up there with executing journalists and kidnapping babies. Among the most certain ways to get people to ignore you is to blow your cause completely out of proportion. If you use the same words to describe digital surveillance as other people use to describe the Khmer Rouge or Stalin, then people are going to think you're a nutcase.
2. Re:NOT TO BE TRUSTED by LordLimecat · 2015-03-04 00:27 · Score: 1
  
  If you use the same words to describe digital surveillance as other people use to describe the Khmer Rouge or Stalin, then you're a nutcase.
  FTFY. I dont even think Stallman is nuts enough to make that comparison.
  Its also hillarious that GP is saying that no closed-source hardware should be used. Remind me-- how many "open-source" processors, hard drives, SSDs, and SoCs do we have out there? Who do you trust to build your chips? You gonna label Intel's fabs "not to be trusted"? And if so-- which "FOSS Fab" do you plan to use?
  The problem with asking geeks to implement policy is that a vast majority of them think they have very good ideas, which are totally disconnected from reality. Its called "Ivory tower thinking"
3. Re:NOT TO BE TRUSTED by Anonymous Coward · 2015-03-04 01:17 · Score: 0
  
  Actually we do not need absolute security and absolute privacy. It should be good enough to slow the automatic process and make scanning of all people not feasible as well as scanning of chosen individuals a bit more difficult than pressing enter. The former is probably possible the later is probably very difficult - for that the software that runs all this is just to complex thus making it faulty by definition (although I recall a manager telling me once that software can and must be faultless - I had a good laugh back then).
4. Re:NOT TO BE TRUSTED by Anonymous Coward · 2015-03-04 05:35 · Score: 0
  
  Seriously? You're suggesting everyone trusts self-signed certificates as if they came from a CA that trades on their reputation for signing and delivering authentic security services?
  Do you want more man-in-the-middle attacks? That's what you're proposing.
5. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 10:43 · Score: 0
  
  1. "No way to tell whether the provided source code matches the provided firmware"
  Yes there is. See point about hash checking. Even firmware can be hash checked if the architecture is correct..
  
  2. binary code will vary depending on the specific architecture, optimizations, and libraries during compilation. 2) a hash can be falsified as easily as a binary.
  See point about using P2P technology to validate hash rather than central servers.
  
  3. At least an order of magnitude less effective than open source, and we've seen that even "important" OSS like openssl can go decades without independent code review.
  If apps are isolated from OS this can still be largely mitigated. (other than bugs in OS and firmware). Obviously until the day comes software is sophisticated enough to find all possible security errors zero day exploits will be a problem.
  
  4, people will get frustrated when they lose their private key, and 5 years of family snapshots disappear.
  Minor issue, Biometrics can be used to get around this problem. Furthermore if someone is too lazy to that one day they might misplace their keys they have no one but themselves to blame. Absolutely no different than users that don't bother backing up their data then complain the computer is somehow to blame.
  
  5. Because you'd rather trust 1000 amateurs to secure all of their systems than one professional to secure his server
  Absolutely yes. Your flawed assumption is that everyone is an amateur. The more eyes get to see the code, the more trustworthy it will become when experts also review it. Obviously there will be things that slip through but P2P based security is highly preferable to servers (which already know is a big fat target for intelligence agencies). Far harder to break into 100,000,000 systems without anyone noticing than just 1.
  
  6. "Yeah, ranks right up there with executing journalists and kidnapping babies."
  Mockery like that suggests you don't really see privacy as a human right. It is. And it has very real consequences to freedom when we don't have it. As for your ad hominem.. you destroy your own credibility.
6. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 10:47 · Score: 1
  
  "Remind me-- how many "open-source" processors, hard drives, SSDs, and SoCs do we have out there? Who do you trust to build your chips? You gonna label Intel's fabs "not to be trusted"? And if so-- which "FOSS Fab" do you plan to use?" You are speaking in terms of pragmatic reality in present. Pragmatism is precisely why systems are insecure today. I am speaking in terms of principles to get us where we want to be.. real security.
7. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 10:50 · Score: 0
  
  Without absolute privacy we will have not have privacy. There is no in between state for security. We either have security or we don't. That's Bruce;s entire argument (and he's spot on). Of course average people people don't have the skills and resources like NSA and GCHQ but the technology for average Joe to snoop is out there too (if one is willing to hire a black hat)
8. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 10:56 · Score: 0
  
  "Seriously? You're suggesting everyone trusts self-signed certificates as if they came from a CA that trades on their reputation for signing and delivering authentic security services?" You've misunderstood what I'm implying. Of course self-signed certificates are worthless by themselves but the current system of using centralized CAs is flawed because CA servers are being compromised. Security validation should be offloaded to P2P. This is not some fantastically unproven idea. Bitcoin blockchain functions off P2P security. With the right tweaking of SSL, CA's could be made redundant. Any system that depends on a centralized server... that can be compromised by an NSL... is inherently insecure architecture. NOT TO BE TRUSTED. With P2P and server side zero knowledge protocols NSL's largely become worthless pieces of paper.
9. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 11:28 · Score: 0
  
  With a theoretically absolute security and privacy (in terms of computing) we can certainly still trust our data to others. We could still provide personal information about ourselves to others. The point is it should all be based on voluntary interaction not others using backdoors to get to our personal data without our permission.
  
  I'm not implying that everyone will abide by principles of security I describe. Companies will still produce close source software and hardware. Ignore security principles I'm describing. That is their right if they wish. However, their products should be labelled "NOT TO BE TRUSTED" because ultimately we have no way of knowing if they've put in backdoors. Transparency in product design is what creates security. This is why government now demand MS open up its source code. This is why the NSA doesn't run any binaries or firmware on its servers where it hasn't first looked at the source code. The NSA has security far better than our own precisely because its sticking to principles that we are not.
10. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 11:48 · Score: 0
  
  Human rights violations doesn't only apply to "executions and kidnapping of babies". Ultimately human rights is about rights. Do we have a right not to be spied on by our own government? According to the US Constitution the unambiguous answer is yes. It's unfortunate that some that claim to stand behind that Constitution.. that claim to stand for freedom.. .that claim to stand for human rights... grossly violate the right to privacy... thus should be shamed as HUMAN RIGHTS ABUSER Watch how vast politicians, who wish to be re-elected, start respecting people's right to privacy if enough constipates and NGOS start using the word HUMAN RIGHTS ABUSE to describe mass surveillance. If we pansy around with our words..they'll just keep doing what they are doing.
11. Re:NOT TO BE TRUSTED by HughJazz · 2015-03-04 11:51 · Score: 0
  
  "FTFY. I dont even think Stallman is nuts enough to make that comparison"
  
  Straw man.
facts please ! by swell · 2015-03-03 20:18 · Score: 1

This summary ends in a conclusion which seems appropriate for slashdot. But it grew from a questionable source.
We are expected to believe that Mr. Schneier at the Guardian, one of the anointed who had access to Snowden documents ... the NSA contacted him with concerns about exposing QUANTUM? Was this done by telephone, via intermediaries or a personal visit? How did the NSA know the Guardian/Schneier knew about QUANTUM? The logistics, the timeline, the specifics of this meeting have escaped me in this short summary and in TFA. Schneier has a good reputation at slashdot but that doesn't excuse him from documenting his public statements. I think the facts of his NSA communication are important if this allegation has substance. This is not Fox news and readers expect more than accusations and opinions.

--
...omphaloskepsis often...
1. Re:facts please ! by Programming+Ace · 2015-03-03 21:04 · Score: 5, Informative
  
  The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure.
2. Re:facts please ! by Simon+Brooke · 2015-03-03 21:16 · Score: 1
  
  I imagine, using standard journalists' practice, the Guardian phoned up the NSA and said 'we've found this in your documents. Would you like to comment?' That's what professional journalists do.
  
  --
  I'm old enough to remember when discussions on Slashdot were well informed.
3. Re:facts please ! by Anonymous Coward · 2015-03-04 01:21 · Score: 0
  
  judging on what these fuckers can do, it would be enough if chief redactor just said it aloud while browsing the documents. If nothing remarkable happened in short time - like mail etc then NSA accepted release of information. Kind of funny to think that this level of surveillance makes what some having capabilities of gods from times passed by.
4. Re:facts please ! by Anonymice · 2015-03-04 04:45 · Score: 1
  
  It could've come from GCHQ - y'know, the guys who turned up to the Guardian's offices & forced them to "symbolically" destroy a couple of their hard drives. And also the guys who harassed journalists & their partners whilst they were in the "international" zones of our airports.
5. Re:facts please ! by swell · 2015-03-04 05:08 · Score: 2
  
  "The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure."
  Thanks. The Guardian and other publishers are still slowly releasing documents after careful scrutiny. Partly, as you say, to avoid putting lives at risk. I had not been aware of them actually inviting the enemy to scrutinize their findings. It's worrisome.
  The press is pretty much our only check on government and at least since the Vietnam war the mainstream press has been a tool of government and others with power. Hearst and Murdoch are obvious examples of press manipulation. Novels & movies offer more. Even the old rock song "Dirty Laundry" reminds us how we are distracted by trivia from what's relevant in current events.
  My local daily paper is just a mouthpiece for a powerful developer who has a right wing agenda of corporate welfare. OTOH we have a left wing radio station that's all about environment, women's rights, workers rights, immigration issues... Slashdot has its own perspective on news. One treads lightly through modern media trying to sort the wheat from the chaff. One hopes the Guardian/Schneier is not overly influenced by their new advisers. Thanks again for your informative comment.
  
  --
  ...omphaloskepsis often...
Top Secret? by fred911 · 2015-03-03 20:23 · Score: 1

Haven't people testing wireless security with aircrack been using packet injection for like... years??

--
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
1. Re:Top Secret? by PhilHibbs · 2015-03-03 21:28 · Score: 4, Insightful
  
  It's not the idea that was top secret. It's the specific implementation and the fact that they were using it and what for that was secret.
2. Re:Top Secret? by StikyPad · 2015-03-04 05:15 · Score: 1
  
  There's some merit to that, in that some criminals and terrorists mistakenly believe that the infrastructure is secure, that they are not worthwhile targets, or that they are somehow anonymous. Alerting them to their mistaken beliefs doesn't make things easier for those tasked with limiting their damage.
  On the other hand, as this article points out, not disclosing, or drawing attention to, the catastrophic vulnerabilities that are used in offensive operations simultaneously makes us all vulnerable to those same techniques when used by bad actors. Including, in many cases, the very agencies or partner agencies that are exploiting those techniques. As someone else described it, it's really a cognitive dissonance.
  
  --
  https://www.eff.org/https-everywhere
What are you on ? by Anonymous Coward · 2015-03-03 20:37 · Score: 0

Really - you make no sense - have you missed your meds today ?
Too late... by Anonymous Coward · 2015-03-03 21:19 · Score: 0

... people don't make "free choices" to begin with, the universe works on the laws of nature. The only way to safeguard our privacy would have to have been to build it in at its foundations early in history when it was being invented but that didn't happen because the people who invented it didn't really think about it too much because of computational and other limits of the technology of the time. The freedom and open-ness that gave us the internet ended up being its achilles heel.
Just look at early things like Gopher and email, all plaintext and early HTML as well. That was pretty much just asking to be spied on and let's remember, most of the internet is in plaintext so its trivial to see what they are doing.
All systems can be hacked given infinite resources and time, and given the political climate, Schneier would do well to see what science has discovered about reasoing. Reason doesn't work the way we thought it does, your sense of reality is controlled by emotion not truth:
https://www.youtube.com/watch?v=PYmi0DLzBdQ
Most have no clue what's really going on in the world... the elites are afraid of political awakening.
The (mass surveillance) by the NSA and abuse by law enforcement is just more part and parcel of state suppression of dissent against corporate interests. They're worried that the more people are going to wake up and corporate centers like the US and canada may be among those who also awaken. See this vid with Zbigniew Brzezinski, former United States National Security Advisor.
https://www.youtube.com/watch?v=Ttv6n7PFniY
Brezinski at a press conference
https://www.youtube.com/watch?v=0kmUS--QCYY
The real news:
http://therealnews.com/t2/
http://www.amazon.com/Democracy-Incorporated-Managed-Inverted-Totalitarianism/dp/069114589X/
http://www.amazon.com/Shadow-Government-Surveillance-Security-Single-Superpower/dp/1608463656/
http://www.amazon.com/National-Security-Government-Michael-Glennon/dp/0190206446/
Look at the following graphs:
http://imgur.com/a/FShfb
http://www2.ucsc.edu/whorulesamerica/power/wealth.html
And then...
WIKILEAKS: U.S. Fought To Lower Minimum Wage In Haiti So Hanes And Levis Would Stay Cheap
http://www.businessinsider.com/wikileaks-haiti-minimum-wage-the-nation-2011-6
https://www.youtube.com/watch?v=hnkNKipiiiM
Free markets?
https://www.youtube.com/watch?v=WHj2GaPuEhY#t=349
Free trade?
https://www.youtube.com/watch?v=Ju06F3Os64
http://www.amazon.com/Empire-Illusion-Literacy-Triumph-Spectacle/dp/1568586132/
"We now live in two Americas. One—now the minority—functions in a print-based, literate world that can cope with complexity and can separate illusion from truth. The other—the majority—is retreating from a reality-based world into one of false certainty and magic. To this majority—which crosses social class lines, though the poor are overwhelmingly affected—presidential debate and political rhetoric is
1. Re:Too late... by Anonymous Coward · 2015-03-04 01:38 · Score: 0
  
  All this is probably true and yet it is not relevant. The world is evil and we made ourselves living in a world wild web as in wild west of days long gone. Only back then sudden attack of criminals, destruction of own wealth, rape of women and killing of children was painfully visible to affected - now the wealth and rape can happen while you sleep.
misleading headline by Tom · 2015-03-03 21:28 · Score: 5, Insightful

What's with the clickbait headlines? By itself, the headline is total BS. The actual statement made, however, is spot on. The hole in your security doesn't care who exploits it. There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).
What worries me most is that we could win this fight, if it weren't for our own governments deciding to betray us. There are vastly more people interested in secure communication and other people not being able to spy on or subvert our computers and mobile devices than there are people interested in compromised communications and systems (basically only criminals and some deluded, criminal-if-the-laws-were-right elements of governments).
There is just one problem to Bruce's argument: The largest and most powerful spy agency in the world disagrees with his fundamental assumption. We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.
The NSA believes, and/or is tasked with exactly these two things that Bruce says (and I agree) are mutually exclusive. No surprise they've gone rogue, their very mission statement is a recipe for a mental breakdown through cognitive dissonance.

--
Assorted stuff I do sometimes: Lemuria.org
1. Re:misleading headline by Anonymous Coward · 2015-03-03 23:09 · Score: 1
  
  There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).
  Young rascals. Get off my lawn.
  http://tools.ietf.org/html/rfc3514
2. Re:misleading headline by Tom · 2015-03-03 23:43 · Score: 1
  
  Everyone knows about the evil bit. That's what prompted me to write the bracket remark. But it's not quite the same as a "we're from the NSA, nothing to see here" flag.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
3. Re:misleading headline by swb · 2015-03-04 00:29 · Score: 1
  
  The NSA used to get by with being clever because it used to be that mathematically secure communications didn't exist, or if they did, they were extremely difficult to implement without a mathematician and only useful for small messages.
  Now we have trivial access to computing power and well-understood encryption technologies that turns this on its head and communications can be trivially secured in ways that can only be broken by compromising them so they are internally flawed or by statutory means of denying access to the technology.
4. Re:misleading headline by Anonymous Coward · 2015-03-04 02:33 · Score: 0
  
  There IS an RFC for the evil bit in the IP header.
5. Re:misleading headline by DNS-and-BIND · 2015-03-04 05:53 · Score: 1
  
  Cognitive dissonance? Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad. It's a classic mission time-tested by history, and it has plenty of counterparts in sports metaphors. Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
6. Re:misleading headline by Zalbik · 2015-03-04 07:59 · Score: 1
  
  Bruce's thesis is that if spy agencies deliberately allow for weakened security infrastructure so they can monitor communications, then the enemy can make use of those weak points. That there is no way to just let the "good guys hack".
  "the NSA has two missions...To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication."
  If they allow hacks to propagate so they can spy, then communication is not secure. (i.e. they fail the first part of their mission)
  If communication is secure, then they cannot spy (i.e. they fail the second part of their mission)
  The difference between this issue and military/sports metaphors is that in this case both sides make use of the exact same defensive tools, and those tools could be perfected such that it becomes unreasonably difficult to mount any sort of offense.
7. Re:misleading headline by Tom · 2015-03-04 08:29 · Score: 1
  
  Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad.
  It works for bombs and tanks, but not for computer networks and communications. It might have even worked in the time of telegraphs and snail mail letters. But for encryption, it doesn't work. A cipher is either weak, or strong. You can compromise a foreign postal system without affecting the security of your own, but you can't secretly build a backdoor into an encryption algorithm that works only for you.
  
  Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.
  Now you're trying to reverse the chain of causality just to make a cute finishing sentence. :-)
  
  --
  Assorted stuff I do sometimes: Lemuria.org
I think you will find... by Anonymous Coward · 2015-03-03 22:11 · Score: 1

"... This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers." ,,,that ALL the spies have much more in common with each other than they do with civilians.
Towards the end of the Cold War the UK and Russian intelligence services were routinely exchanging data on their activities - the idea being that this enabled each group to justify its budget to its masters by warning of what the other side were doing.
Effectively, this whole field is a self-perpetuating blot on humanity. Spies justify their ever-increasing budgets by claiming that they are 'saving' their country from unspecified secret threats which do not really exist. And then they recommend that the military undertake destabilising activities in an attempt to make these threats exist. Why do you think that we went into the Middle East, Russia went into the Ukraine, or China is moving into the islands around Japan?
This is something David Cameron is unaware of by GauteL · 2015-03-03 23:53 · Score: 2

For those that don't know or have forgotten. The British PM made a statement that he wants to ban communication which cannot be intercepted and deciphered by the government. We may as well just send all our communication in plain text ascii.
1. Re:This is something David Cameron is unaware of by Roger+Lindsjo · 2015-03-04 19:32 · Score: 1
  
  Have you seen the state of some posts here? There is no chance of deciphering them, plain text or not.
It's MAD all over again by Cigarra · 2015-03-04 00:34 · Score: 1

Either we're all safe, or we all get destroyed.

--
I don't have a sig.
Not writing. by Anonymous Coward · 2015-03-04 00:47 · Score: 0

And if Schneier is writing about it, you do not think something has taken its place?
It's just not that simple by Anonymous Coward · 2015-03-04 00:57 · Score: 2, Insightful

We choose security for our homes but why don't we all live in bank vaults? cost? aesthetics?
There are some types of security that the average person simply can't have. Most of us have no choice but to use a commercial provider for our internet access and as long as we can't own and control every point between us and our target node and the development and manufacturer of every critical component in our devices - our governments will always be able to subvert our trust and spy on us anyway.
You're expecting companies that only care about making money to care about our security. They only care so far - to the point that people are satisfied enough to buy the service. For enough money or with threats of their profits or ability to do business being affected - There's very few businesses that won't comply and those that don't suddenly find themselves restricted in such a way as to lose out to their competitors. The shareholders won't be happy and they're more important to businesses than morality - or you.
There is nothing that anybody can do or say that will represent undeniable evidence that at some point in the chain, be it in your chips or your wires; security has not been compromised.
Remember - they're not protecting us, they're protecting themselves. It's not your elected officials that are making these decisions, it's unelected heads of powerful branches of government that are unaffected by elections.
Vote for whoever you like but the true power lies with agencies such as the NSA, CIA, GHCQ, MI5, MI6, Mossad.
No vote you cast will topple those pyramids and they live for control and power over you, foreign states and each other.
You want true security? fire every last single person from the top to the bottom in every last government connected office and replace them with randomly selected, suitable candidates. It's the only way you'll weed out the corruption that's the true heart of all the decisions that are made on 'our behalf'.
1. Re:It's just not that simple by Anonymous Coward · 2015-03-04 15:49 · Score: 0
  
  >> We choose security for our homes but why don't we all live in bank vaults? cost? aesthetics?
  Oxygen???
There are two kinds of people in teh world.... by Anonymous Coward · 2015-03-04 00:58 · Score: 0

....those that abuse false dichotomies and those that don't!
1. Re:There are two kinds of people in teh world.... by Ol+Olsoc · 2015-03-04 02:18 · Score: 1
  
  Dont forget, there are two types of people - those who separate everyone into two types, and those who don't
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
We are all doomed by joker784 · 2015-03-04 01:53 · Score: 1

Another huge problem with all this data gathering is that the amount of data is impossible to process by humans, so the agencies will have to rely on algorithms to find the "bad guys". Who can defend themself against accusations or persecution that falls out of such algorithms? It quickly becomes a case of everybody have to prove their own innocense (which of course is impossible). Add injection of false data and corruption of databases, and we are all doomed.
A Solution by Anonymous Coward · 2015-03-04 01:57 · Score: 0

There is a solution.
Fix most of the known flaws, and fix so called devices to raise the alarm when clumsy borked packets come in.
Failing that recompile your own software, and have a few different routers and firmware in line that drop mangled packets on the floor.
In short most of the commercial software lacks tight checking(for performance advantages). Beef up the checking, and put back the missing RFC parsing checks.
May not be complete, but will make things better.
It is just another plausible reason 'I must have been hacked' defense will convince juries to dismiss anything with an IP address claim.
Perfect by Ol+Olsoc · 2015-03-04 02:17 · Score: 1

is the enemy of good.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Of course you can have govs but not hackers by Anonymous Coward · 2015-03-04 02:26 · Score: 0

You can have gov spy on you and hackers not. Just mandate all traffic go through VPN.gov, and CAs co-operating. Yeah, gov can't spy on you covertly - you know they're there. And China.gov can't spy on your US.gov connection and vice-versa. Dystopias would have borders again. We've always been at war with East Asia, Emmanuel Goldstein spreads lies, and all that.
Real security by Anonymous Coward · 2015-03-04 03:01 · Score: 0

The counter argument is that citizens can never be truly secure unless national security services have the ability to see what adversaries such as terrorists and hostile nation states, corrupt criminal corporations are really up to which wholly locked down security paradigm would make impossible. Would you adversaries respect this standard? In fact, this is why you have security services so the whole argumentation is spurious and childish and shows a lack of mature insight.
The real problem here is are these services following the rule of law (they aren't) and are your elected representatives exercising proper oversight (they are not).
The basic problem is we are based on a constitution and a body of laws that the elites, business class, and the national security state are busily running into the ground. It's not a problem until a corrupt politician or extreme party buys it's way into the white house again and wants to create a "permanent" presidency and go after adversaries using this type of technology. There were some indications that the triumvirate of Bush, Cheney, Rumsfeld where willing to think along those lines.
Points Of Failure by Anonymous Coward · 2015-03-04 03:44 · Score: 0

There is enough shitty software out there, can we please try to not make it shittier by including extra points of failure just so that law enforcement can have an easier time at their job.
and why is it that Law Enforcement gets to make their lives easier when the last time i checked their bumbelings make our jobs harder day by day, so in the end we just get dumber cops.
Law Enforcement EVERYWHERE of ANY TYPE should be held to a much higher standard than the citizenery. it is glaring obvious that this is currently false and there are multiple levels of justice depending on how connected you are... Ladies and gentlemen, that is not a democracy! a democracy is when every member of the nation is considered equal.
Security by Anonymous Coward · 2015-03-04 04:13 · Score: 0

Here is the very simple point that everyone seems to have missed: It's not just a matter of data collection. The NSA and probably all other similar agencies around the globe must also be trusted to maintain the security of the data they collect. How on earth could one low level person download the crown jewels so easily as Edward Snowden? Might not Edward Snowden's evil twin have gone to the Chinese? How would we know?
1. Re:Security by Anonymous Coward · 2015-03-04 04:37 · Score: 0
  
  It's also a matter of how much of our (as taxpayers) money is being spent on all this data collection and storage. That new NSA data center in Utah not only wasn't free, it continues to pay a hefty sum in power bills, maintenance, salaries, etc.
  That's an opportunity cost. While we could argue about how the money could be better spent (lower taxes, improved medical care, student grants, whatever), spending it to illegally snoop on us should be about the lowest priority. Hell, I'd rather it be spent on hookers and blow for the politicians, at least it might keep them from passing so many stupid laws.
Re: discussions on Slashdot were well informed by BuGless · 2015-03-04 04:41 · Score: 1

Actually, discussions on Slashdot have never been well informed; they were bad back then, and they are worse now. "Well informed" died in september 1995, it existed on USENET prior to that.
By corollary ... by CaptainDork · 2015-03-04 04:56 · Score: 1

... everyone has access to the same tools.
By way of example, it's damn near impossible for me to buy a grenade, but the military has lots.
The way cyber warfare is developing, it's more of a level playing field.
The major difference between capabilities of governments and civilians, on the cyber warfare stage, is money.

--
It little behooves the best of us to comment on the rest of us.
Trovicor Monitoring Center by sgt_doom · 2015-03-04 06:33 · Score: 1

also uses DPI (packet injection) and is supposed to be the state-of-the-art full-spectrum intelligence platform: it will allow one to intercept an email, alter and forward it unknown to either the addressor or addressee, with a new meeting time and place, and then dispatch either an extreme rendition, or kill team, to the rendezvous point. Ain't life grand?

https://www.wikileaks.org/spyf...
http://www.spiegel.de/internat...
http://www.allgov.com/news/us-...
http://securityaffairs.co/word...
Saaaaayyyy whaaaaat????? by sgt_doom · 2015-03-04 06:36 · Score: 1

Commenter claims: . We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.

Had you ever worked at the NSA, or served in military intelligence, you would know better, as their two missions are financial intelligence acquisition for the money masters, and command-and-control of the populace. Sometime you might study the history of who founded the American intelligence establishment, or else peruse the three chapters on the Kennedy administration in Richard Parker's outstanding biography of John Kenneth Galbraith.