Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier: Either Everyone Is Cyber-secure Or No One Is

Posted by Soulskill on from the nobody's-safe-except-the-amish dept.

Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.

86 of 130 comments (clear)

  1. someone else can be first by pbjones · · Score: 1

    not sure how packet injection breaks into my computer.

    --
    There was an unknown error in the submission.
    1. Re:someone else can be first by Anonymous Coward · · Score: 4, Informative

      Zero day vulnerability even if you don't visit an infected website.

    2. Re:someone else can be first by kesuki · · Score: 1, Informative

      packet injection for dummies.
      1. user initiates comms
      2. MITM detects comms
      3. MITM rewrited packet headers and sends falsified packets AS user
      4. Computer reads funny joke
      5. computer spits coffee into keyboard
      6. device is fried, user is blamed.
      7. government sells broken device to user
      8. user can't push device sold to them
      9. user wishes it never happened
      10. quantum paradox occurs
      11. server reboots
      12. ???
      13. nuked from orbit
      14. goto step 1.
      15. bitch complains about tight loop.

      --
      https://www.gnu.org/philosophy/free-sw.html
    3. Re:someone else can be first by monkeyxpress · · Score: 3, Insightful

      not sure how packet injection breaks into my computer.

      It's not about hacking into your computer. It's about the fact that the govt spy agencies had quite sophisticated spying infrastructure installed into key parts of the internet. Why this is a surprise to anybody is beyond me. Other than the negative PR value (which I'm sure some 'we're protecting you from pedophiles rhetoric' would fix I don't even know why the govt particularly cared if people found out.

    4. Re:someone else can be first by Wootery · · Score: 2

      Sounds like another argument in favour of HTTPS for everything.

    5. Re:someone else can be first by some+old+guy · · Score: 1

      And you think the TLA's haven't compromised that too?

      http://www.darkreading.com/att...?

      --
      Scruting the inscrutable for over 50 years.
    6. Re:someone else can be first by MachineShedFred · · Score: 4, Insightful

      Sounds like an argument for IPSec for anything that matters - as long as you're Doing It Right you get message integrity and authenticity. That's the whole point.

      Now, if someone's cracked IKEv2, SHA, or AES all bets are off.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    7. Re:someone else can be first by Lunix+Nutcase · · Score: 1

      Ignorning all the ways HTTPS can by MITMed and/or forced to use insecure ciphers?

  2. Stating the obvious by Anonymous Coward · · Score: 5, Informative

    Its always seemed obvious to me that the system that you *know* grants unauthorised access cannot be considered to be secure. I never thought I was saying anything profound or even worthwhile, but apparently this fact is lost on a good number of people.

    1. Re:Stating the obvious by AHuxley · · Score: 1

      Each generation has its own ability to set aside the way a telco network can be used domestically.
      The use was only for ww1, ww2, the Soviet Union, Russia, China, distant wars and long occupations.
      Tame brands, academics, political leaders all thought their generation of secure hardware and software was been looked after by different brands, legal teams, oversight or respected international standards.
      With the news of weak standards, academics been unaware or unsure where to look, brands letting other outside gov or mil networks just enter their internal secure networks people can grasp what weak security is over many generations.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: Stating the obvious by AHuxley · · Score: 3, Informative

      world wide wiretap AC

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Stating the obvious by gweihir · · Score: 1

      Most people are both stupid and incompetent, and in addition do not realize either. Once you have accepted that, basically all problems the human race has have a conclusive and accurate explanation.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Insecure by phantomfive · · Score: 3, Insightful

    Right now there's not really an option, we're all insecure. And we will continue to be insecure as long as we favor features over security (which probably won't change).

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Insecure by fustakrakich · · Score: 1

      And we will continue to be insecure...

      Full stop. That's it. Nothing else. The best option is to make sure nobody has the advantage.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Insecure by phantomfive · · Score: 1

      What? No thankyou, I'd prefer to have my system secure.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Insecure by Pieroxy · · Score: 1

      What? No thankyou, I'd prefer to have my system secure.

      It's all well and good, but how do you propose to do that ?

      --
      Write boring code, not shiny code!
    4. Re:Insecure by phantomfive · · Score: 2

      Unplug the network.

      Seriously though, Daniel Bernstein has put a lot of thought into that question. You can start here.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Insecure by Beamboom · · Score: 1

      That's an illusion, unless you design your own hardware and the system that runs on it.

    6. Re:Insecure by Pieroxy · · Score: 1

      Well, you're right on one thing: unplugging is probably the only option. Given the gazillion lines of code running on any net-connected machine, there is just no way in hell all this code will ever be 100% secure. Given that anyone in the world can find a flaw and then market it for the others, I'd say the future looks pretty dark on that front.

      The paper is interesting but quite idealist. No OS, driver, app is going to be rewritten with this in mind. And we need ALL of them to be rewritten. There is, for all intents and purposes, an infinity of vulnerabilities in every system.

      Yeah, today is that kind of a day.

      --
      Write boring code, not shiny code!
    7. Re:Insecure by Pieroxy · · Score: 1

      Also, don't forget they overfucked Iran's nuclear facilities infecting PCs that were on no network at all. It worked for more than 5 years. So all in all, network is just an accelerator, but they can get into anything with plugs. Fill the network plug, USB slots, CD-Rom drives and every other mean of communication from the computer and then it's become worthless.

      --
      Write boring code, not shiny code!
    8. Re:Insecure by AchilleTalon · · Score: 1

      False statement. Security and features are not mutually exclusive. Even though in the head of many security guys they are just looking forward to block features they haven't yet found how to make secure.

      --
      Achille Talon
      Hop!
    9. Re:Insecure by fraxinus-tree · · Score: 1

      We are all insecure and this is not that bad. These vulnerabilities make people and corporations equal the way Colt made them in his time. We just have to maintain acceptable level of risk.

    10. Re:Insecure by fraxinus-tree · · Score: 1

      Everyone preffers. Then, the relativity kicks in...

    11. Re:Insecure by Aqualung812 · · Score: 1

      Unplug the network

      Not enough. Quoting Spaf:

      The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

      http://spaf.cerias.purdue.edu/...

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    12. Re:Insecure by rot26 · · Score: 1

      Penetrating air-gapped machines is old hat now. The next step will be discovering that the hardware we buy has been pre-compromised before purchase. Oh, that's right, that's already happening.

      Hurray for megabyte sized firmware... lots of room to hide anything.

      --



      To ensure perfect aim, shoot first and call whatever you hit the target
    13. Re:Insecure by Immerman · · Score: 1

      That's a false equality. A revolver is nice and all, but it's of almost no use against an army. Even less against a battalion of tanks. You might get lucky and take out a few soldiers, but that won't even slow them down.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    14. Re:Insecure by fustakrakich · · Score: 1

      Well then, the best of luck to you. You will need that, and a miracle or two...

      --
      “He’s not deformed, he’s just drunk!”
    15. Re:Insecure by Noah+Haders · · Score: 1

      *all intensive purposes

    16. Re:Insecure by Noah+Haders · · Score: 1

      Even that doesn't matter if you don't own your own silicon fab.

    17. Re:Insecure by StikyPad · · Score: 2

      This doesn't really need to be the case. We're used to carrying keys to access our cars and homes -- we could carry digital encryption keys to access our emails and data. The bug/feature is that losing the keys necessarily means permanently losing access to the data, from the past anyway. But that's not actually very different from today -- much of our data rots for other reasons anyway. Photos and documents disappear when we buy a new phone, or when our hard drives bite the dust. Endpoint encryption would actually allow secure online storage without worrying who might access the data, because nobody else has a copy of the keys.

      One way to accomplish this without sacrificing convenience, for those who value it over security, would be to solve the specific problem instead of the general problem. Default to external keys only, and "bury" an option in the settings to store a copy of the key(s) on-device, or online, for convenience. Encourage good habits by making it the norm, but allow people to exercise bad habits if they need or choose to and accept the risks.

      I do applaud Schneier for coming out strongly in favor of security. In past speeches he's equivocated and said he doesn't have the answers, just the facts, but there really is only one answer in this case. We must choose security. We fought this battle in the late 90s and early aughts -- the so-called crypto wars -- but apparently we need to fight it again for a new generation. Let the battle begin.

      --
      https://www.eff.org/https-everywhere
    18. Re:Insecure by phantomfive · · Score: 1

      No it doesn't. If a corporation loses your personal information, you're going to suffer more than them.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:Insecure by phantomfive · · Score: 1

      It takes much longer to secure a feature, which is why insecure code wins in the marketplace.

      --
      "First they came for the slanderers and i said nothing."
    20. Re:Insecure by rot26 · · Score: 1

      You should go to be liberry and check up on that.

      --



      To ensure perfect aim, shoot first and call whatever you hit the target
    21. Re:Insecure by Noah+Haders · · Score: 1

      You should go to teh dooctr and have that checked out.

    22. Re:Insecure by fraxinus-tree · · Score: 1

      It is already pretty clear that we have to (and will, some way or another) build a society where the personal information is not THAT sensitive.

    23. Re:Insecure by phantomfive · · Score: 1

      That sounds harder than building a secure system.

      --
      "First they came for the slanderers and i said nothing."
    24. Re:Insecure by Bing+Tsher+E · · Score: 1

      It's not that hard to build that society.

      We could start by eliminating the notion of the Social Security ID being a 'secret number.'

      There's no reason it needs to be a secret number for the Social Security system to operate. SS was set up as a pension savings plan and the SSN was never intended as an identification number.

      The government could simply publish everyone's SSN in a publicly available digest, either online or in big phone-book like volumes.

      That would fuck over the 'cheap' way that the Credit and Banking system has been using the SSN as a 'secret identifier' but it would quickly settle out.

      There's not supposed to be some sort of 'magic power' inherent in having someone's SSN and it only 'works' as such because people act like they're secret numbers.

    25. Re:Insecure by mean+pun · · Score: 1

      Penetrating air-gapped machines is old hat now.

      Some vaguely plausible demos at a few conventions is not 'old hat'.

    26. Re: Insecure by mean+pun · · Score: 1

      He's describing what happens to many people in practice, rather than in nerd nirvana.

    27. Re:Insecure by fraxinus-tree · · Score: 1

      I live in Europe and I simply do not understand the crazy SSN thing you have. Our "government IDs" are not secret. We still have a lot of room for improvement, sure, but you can use a lot of hints from us.

    28. Re:Insecure by JimFive · · Score: 1

      The issue with the SSN is that with the number, a name, and a birth date you can get a credit card mailed to you. This happens because the credit card issuers make the mistake that if you know those 3 things then you must be that person (and, they have successfully pushed the pain onto the real person by coining the phrase identity theft, instead of what it really is, fraud).

      In your country in Europe, what do you need to do to get a credit card?
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
    29. Re:Insecure by fraxinus-tree · · Score: 1

      At least in Bulgaria where I live, CC is never mailed. You have to go in person to a bank office and show a state-issued ID card (or passport, if you are not local), to get one. IDs are generally hard to forge (crypto-enabled coming soon here and already usual in other EU states), have your photo printed on them, last usually 10 years and are mandatory.

      CCs became themselves crypto devices some 15 years ago and a lot of them do not have a magnetic strip now - good luck cloning them.

      It is not that we do not have bank fraud, it simply is not at such an entry level.

  4. Re:Actually a govrenment can be secure even if by phantomfive · · Score: 1

    That won't make you secure. Given how government programmers operate, it will probably be less secure.

    --
    "First they came for the slanderers and i said nothing."
  5. Hey Bruce by 93+Escort+Wagon · · Score: 3, Interesting

    You're preaching to the choir here... but it'd sure be great if you got a chance to explain this to the President and to Congress, though.

    --
    #DeleteChrome
    1. Re:Hey Bruce by Bing+Tsher+E · · Score: 1

      Bruce is just a blogger and a journalist. He wrote the Cryptology book that nobody else dared publish and got it into print. He's not a credentialed cytologist, and his 'security expertise' comes from him having been a blogging journalist on the topic for over a decade.

      He probably would be good at explaining the issue to the President and Congress, but that would be because he's a good communicator, not an expert or scientist.

    2. Re:Hey Bruce by losfromla · · Score: 2

      Have you forgotten where you are? Your friends who think you are cool here would still think you were cool if you started eating boogers on a regular basis. Nerd-cred matters but cool hardly does. Still, the joke was lame so it was smart of you to disassociate yourself from it.

      --
      Only I can judge you.
  6. Re:TFS is correct by mwvdlee · · Score: 5, Insightful

    It's already implemented.
    The powers that be have chosen "No one is cyber-secure" for you.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. facts please ! by swell · · Score: 1

    This summary ends in a conclusion which seems appropriate for slashdot. But it grew from a questionable source.

    We are expected to believe that Mr. Schneier at the Guardian, one of the anointed who had access to Snowden documents ... the NSA contacted him with concerns about exposing QUANTUM? Was this done by telephone, via intermediaries or a personal visit? How did the NSA know the Guardian/Schneier knew about QUANTUM? The logistics, the timeline, the specifics of this meeting have escaped me in this short summary and in TFA. Schneier has a good reputation at slashdot but that doesn't excuse him from documenting his public statements. I think the facts of his NSA communication are important if this allegation has substance. This is not Fox news and readers expect more than accusations and opinions.

    --
    ...omphaloskepsis often...
    1. Re:facts please ! by Programming+Ace · · Score: 5, Informative

      The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure.

    2. Re:facts please ! by Simon+Brooke · · Score: 1

      I imagine, using standard journalists' practice, the Guardian phoned up the NSA and said 'we've found this in your documents. Would you like to comment?' That's what professional journalists do.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    3. Re:facts please ! by Anonymice · · Score: 1

      It could've come from GCHQ - y'know, the guys who turned up to the Guardian's offices & forced them to "symbolically" destroy a couple of their hard drives. And also the guys who harassed journalists & their partners whilst they were in the "international" zones of our airports.

    4. Re:facts please ! by swell · · Score: 2

      "The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure."

      Thanks. The Guardian and other publishers are still slowly releasing documents after careful scrutiny. Partly, as you say, to avoid putting lives at risk. I had not been aware of them actually inviting the enemy to scrutinize their findings. It's worrisome.

      The press is pretty much our only check on government and at least since the Vietnam war the mainstream press has been a tool of government and others with power. Hearst and Murdoch are obvious examples of press manipulation. Novels & movies offer more. Even the old rock song "Dirty Laundry" reminds us how we are distracted by trivia from what's relevant in current events.

      My local daily paper is just a mouthpiece for a powerful developer who has a right wing agenda of corporate welfare. OTOH we have a left wing radio station that's all about environment, women's rights, workers rights, immigration issues... Slashdot has its own perspective on news. One treads lightly through modern media trying to sort the wheat from the chaff. One hopes the Guardian/Schneier is not overly influenced by their new advisers. Thanks again for your informative comment.

      --
      ...omphaloskepsis often...
  8. Top Secret? by fred911 · · Score: 1

    Haven't people testing wireless security with aircrack been using packet injection for like... years??

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Top Secret? by PhilHibbs · · Score: 4, Insightful

      It's not the idea that was top secret. It's the specific implementation and the fact that they were using it and what for that was secret.

    2. Re:Top Secret? by StikyPad · · Score: 1

      There's some merit to that, in that some criminals and terrorists mistakenly believe that the infrastructure is secure, that they are not worthwhile targets, or that they are somehow anonymous. Alerting them to their mistaken beliefs doesn't make things easier for those tasked with limiting their damage.

      On the other hand, as this article points out, not disclosing, or drawing attention to, the catastrophic vulnerabilities that are used in offensive operations simultaneously makes us all vulnerable to those same techniques when used by bad actors. Including, in many cases, the very agencies or partner agencies that are exploiting those techniques. As someone else described it, it's really a cognitive dissonance.

      --
      https://www.eff.org/https-everywhere
  9. Re:Conventional weapons? by bigfinger76 · · Score: 2

    Taking advantage of broken infrastructure (weakened crypto, for example) is easy. Creating and maintaining ICBM technology is not.

  10. misleading headline by Tom · · Score: 5, Insightful

    What's with the clickbait headlines? By itself, the headline is total BS. The actual statement made, however, is spot on. The hole in your security doesn't care who exploits it. There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).

    What worries me most is that we could win this fight, if it weren't for our own governments deciding to betray us. There are vastly more people interested in secure communication and other people not being able to spy on or subvert our computers and mobile devices than there are people interested in compromised communications and systems (basically only criminals and some deluded, criminal-if-the-laws-were-right elements of governments).

    There is just one problem to Bruce's argument: The largest and most powerful spy agency in the world disagrees with his fundamental assumption. We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.
    The NSA believes, and/or is tasked with exactly these two things that Bruce says (and I agree) are mutually exclusive. No surprise they've gone rogue, their very mission statement is a recipe for a mental breakdown through cognitive dissonance.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:misleading headline by Anonymous Coward · · Score: 1

      There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).

      Young rascals. Get off my lawn.
      http://tools.ietf.org/html/rfc3514

    2. Re:misleading headline by Tom · · Score: 1

      Everyone knows about the evil bit. That's what prompted me to write the bracket remark. But it's not quite the same as a "we're from the NSA, nothing to see here" flag.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:misleading headline by swb · · Score: 1

      The NSA used to get by with being clever because it used to be that mathematically secure communications didn't exist, or if they did, they were extremely difficult to implement without a mathematician and only useful for small messages.

      Now we have trivial access to computing power and well-understood encryption technologies that turns this on its head and communications can be trivially secured in ways that can only be broken by compromising them so they are internally flawed or by statutory means of denying access to the technology.

    4. Re:misleading headline by DNS-and-BIND · · Score: 1

      Cognitive dissonance? Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad. It's a classic mission time-tested by history, and it has plenty of counterparts in sports metaphors. Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:misleading headline by Zalbik · · Score: 1

      Bruce's thesis is that if spy agencies deliberately allow for weakened security infrastructure so they can monitor communications, then the enemy can make use of those weak points. That there is no way to just let the "good guys hack".

      "the NSA has two missions...To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication."
      If they allow hacks to propagate so they can spy, then communication is not secure. (i.e. they fail the first part of their mission)
      If communication is secure, then they cannot spy (i.e. they fail the second part of their mission)

      The difference between this issue and military/sports metaphors is that in this case both sides make use of the exact same defensive tools, and those tools could be perfected such that it becomes unreasonably difficult to mount any sort of offense.

    6. Re:misleading headline by Tom · · Score: 1

      Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad.

      It works for bombs and tanks, but not for computer networks and communications. It might have even worked in the time of telegraphs and snail mail letters. But for encryption, it doesn't work. A cipher is either weak, or strong. You can compromise a foreign postal system without affecting the security of your own, but you can't secretly build a backdoor into an encryption algorithm that works only for you.

      Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.

      Now you're trying to reverse the chain of causality just to make a cute finishing sentence. :-)

      --
      Assorted stuff I do sometimes: Lemuria.org
  11. I think you will find... by Anonymous Coward · · Score: 1

    "... This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers." ,,,that ALL the spies have much more in common with each other than they do with civilians.

    Towards the end of the Cold War the UK and Russian intelligence services were routinely exchanging data on their activities - the idea being that this enabled each group to justify its budget to its masters by warning of what the other side were doing.

    Effectively, this whole field is a self-perpetuating blot on humanity. Spies justify their ever-increasing budgets by claiming that they are 'saving' their country from unspecified secret threats which do not really exist. And then they recommend that the military undertake destabilising activities in an attempt to make these threats exist. Why do you think that we went into the Middle East, Russia went into the Ukraine, or China is moving into the islands around Japan?

  12. Re:TFS is correct by Burz · · Score: 1

    It's already implemented.
    The powers that be have chosen "No one is cyber-secure" for you.

    Granted, nothing is perfect. But I'd like to see any demonstration of hacking a system like this.

    Or, rather, I'd like to see them try.

    Real network security is defined by the quality of its endpoints. And to have secure endpoints we need a personal computing culture that values openness as the first step to better security.

  13. This is something David Cameron is unaware of by GauteL · · Score: 2

    For those that don't know or have forgotten. The British PM made a statement that he wants to ban communication which cannot be intercepted and deciphered by the government. We may as well just send all our communication in plain text ascii.

    1. Re:This is something David Cameron is unaware of by Roger+Lindsjo · · Score: 1

      Have you seen the state of some posts here? There is no chance of deciphering them, plain text or not.

  14. Re:NOT TO BE TRUSTED by tburkhol · · Score: 1

    1 Companies that sell software... better have all code open sourced (not same as free) or should be labelled "NOT TO BE TRUSTED".

    No way to tell whether the provided source code matches the provided firmware

    Code (including scripts and updates) is then compiled locally and before first execution hash checked automatically against non-centralized database (p2p technology similar to bitcoin block chain)

    1) binary code will vary depending on the specific architecture, optimizations, and libraries during compilation. 2) a hash can be falsified as easily as a binary.

    3. All hardware sold with precise technical diagrams... or should be labelled "NOT TO BE TRUSTED"

    At least an order of magnitude less effective than open source, and we've seen that even "important" OSS like openssl can go decades without independent code review.

    4. All encryption always on client side.

    Quite sensible, although I suspect that people will rapidly become frustrated when they forget their pass phrase, or lose their private key, and 5 years of family snapshots disappear. Or when grandma dies, taking access to her archive of family history with her.

    5. Get rid of centralized authorities for security (looking at you SSL) Centralized servers have big fat sign that say "NOT TO BE TRUSTED". P2P.

    Because you'd rather trust 1000 amateurs to secure all of their systems than one professional to secure his server?

    7. Shaming lists on NGOs (applause to EFF). Any politician that votes for mass surveillance or doesn't adhere to above principles. put on NGO lists as "HUMAN RIGHTS VIOLATORS"

    Yeah, ranks right up there with executing journalists and kidnapping babies. Among the most certain ways to get people to ignore you is to blow your cause completely out of proportion. If you use the same words to describe digital surveillance as other people use to describe the Khmer Rouge or Stalin, then people are going to think you're a nutcase.

  15. Re:NOT TO BE TRUSTED by LordLimecat · · Score: 1

    If you use the same words to describe digital surveillance as other people use to describe the Khmer Rouge or Stalin, then you're a nutcase.

    FTFY. I dont even think Stallman is nuts enough to make that comparison.

    Its also hillarious that GP is saying that no closed-source hardware should be used. Remind me-- how many "open-source" processors, hard drives, SSDs, and SoCs do we have out there? Who do you trust to build your chips? You gonna label Intel's fabs "not to be trusted"? And if so-- which "FOSS Fab" do you plan to use?

    The problem with asking geeks to implement policy is that a vast majority of them think they have very good ideas, which are totally disconnected from reality. Its called "Ivory tower thinking"

  16. Re:Conventional weapons? by Gr8Apes · · Score: 1

    I'd have to disagree given how many countries now have long range rocket technology. It's merely a matter of scale after that. The biggest issue most have is guidance technology. Apparently that's still a big problem, much like the V1/V2s in WWII, they weren't good for eliminating a target, but they were excellent for demoralizing the populace.

    --
    The cesspool just got a check and balance.
  17. It's MAD all over again by Cigarra · · Score: 1

    Either we're all safe, or we all get destroyed.

    --
    I don't have a sig.
  18. It's just not that simple by Anonymous Coward · · Score: 2, Insightful

    We choose security for our homes but why don't we all live in bank vaults? cost? aesthetics?

    There are some types of security that the average person simply can't have. Most of us have no choice but to use a commercial provider for our internet access and as long as we can't own and control every point between us and our target node and the development and manufacturer of every critical component in our devices - our governments will always be able to subvert our trust and spy on us anyway.

    You're expecting companies that only care about making money to care about our security. They only care so far - to the point that people are satisfied enough to buy the service. For enough money or with threats of their profits or ability to do business being affected - There's very few businesses that won't comply and those that don't suddenly find themselves restricted in such a way as to lose out to their competitors. The shareholders won't be happy and they're more important to businesses than morality - or you.

    There is nothing that anybody can do or say that will represent undeniable evidence that at some point in the chain, be it in your chips or your wires; security has not been compromised.

    Remember - they're not protecting us, they're protecting themselves. It's not your elected officials that are making these decisions, it's unelected heads of powerful branches of government that are unaffected by elections.

    Vote for whoever you like but the true power lies with agencies such as the NSA, CIA, GHCQ, MI5, MI6, Mossad.

    No vote you cast will topple those pyramids and they live for control and power over you, foreign states and each other.

    You want true security? fire every last single person from the top to the bottom in every last government connected office and replace them with randomly selected, suitable candidates. It's the only way you'll weed out the corruption that's the true heart of all the decisions that are made on 'our behalf'.

  19. Re:Actually a govrenment can be secure even if by fraxinus-tree · · Score: 1

    This way, you can only get security by obscurity. Not much. You also get all the expenses of in-house development. A LOT.

  20. We are all doomed by joker784 · · Score: 1

    Another huge problem with all this data gathering is that the amount of data is impossible to process by humans, so the agencies will have to rely on algorithms to find the "bad guys". Who can defend themself against accusations or persecution that falls out of such algorithms? It quickly becomes a case of everybody have to prove their own innocense (which of course is impossible). Add injection of false data and corruption of databases, and we are all doomed.

  21. Perfect by Ol+Olsoc · · Score: 1

    is the enemy of good.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  22. Re:There are two kinds of people in teh world.... by Ol+Olsoc · · Score: 1

    Dont forget, there are two types of people - those who separate everyone into two types, and those who don't

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  23. Re:Conventional weapons? by Immerman · · Score: 1

    Given the devastating effects of a nuclear or biological airburst, there's a lot of situations where actually hitting the target might not even be desirable. Still, there's a world of difference between a rocket that can go hundreds of miles, and one that can go ten thousand - and you *really* don't want that super-secret, never-been-tested ICBM to blow up on the launch pad or while it's still over friendly territory. A nuclear warhead probably wouldn't detonate, but a chemical or biological warhead would quite likely be effectively dispersed.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  24. Re:TFS is correct by MightyMartian · · Score: 1

    Because mass surveillance doesn't exist in other economic and political systems.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  25. Re:Conventional weapons? by Gr8Apes · · Score: 1

    There's a difference in hitting LA or the Galapagos, which is the type of error margin you can get with ICBMs.

    --
    The cesspool just got a check and balance.
  26. Re: discussions on Slashdot were well informed by BuGless · · Score: 1

    Actually, discussions on Slashdot have never been well informed; they were bad back then, and they are worse now. "Well informed" died in september 1995, it existed on USENET prior to that.

  27. By corollary ... by CaptainDork · · Score: 1

    ... everyone has access to the same tools.

    By way of example, it's damn near impossible for me to buy a grenade, but the military has lots.

    The way cyber warfare is developing, it's more of a level playing field.

    The major difference between capabilities of governments and civilians, on the cyber warfare stage, is money.

    --
    It little behooves the best of us to comment on the rest of us.
  28. Trovicor Monitoring Center by sgt_doom · · Score: 1

    also uses DPI (packet injection) and is supposed to be the state-of-the-art full-spectrum intelligence platform: it will allow one to intercept an email, alter and forward it unknown to either the addressor or addressee, with a new meeting time and place, and then dispatch either an extreme rendition, or kill team, to the rendezvous point. Ain't life grand?

    https://www.wikileaks.org/spyf...
    http://www.spiegel.de/internat...
    http://www.allgov.com/news/us-...
    http://securityaffairs.co/word...

  29. Saaaaayyyy whaaaaat????? by sgt_doom · · Score: 1

    Commenter claims: . We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.

    Had you ever worked at the NSA, or served in military intelligence, you would know better, as their two missions are financial intelligence acquisition for the money masters, and command-and-control of the populace. Sometime you might study the history of who founded the American intelligence establishment, or else peruse the three chapters on the Kennedy administration in Richard Parker's outstanding biography of John Kenneth Galbraith.

  30. Re:TFS is correct by Burz · · Score: 1

    If the intermediaries matter, you're doing it wrong.

  31. Re:TFS is correct by losfromla · · Score: 1

    But Our Country is better than this, said all my grade school teachers (yes, I was schooled in an inner-city school district).

    --
    Only I can judge you.
  32. Re:NOT TO BE TRUSTED by HughJazz · · Score: 1

    "Remind me-- how many "open-source" processors, hard drives, SSDs, and SoCs do we have out there? Who do you trust to build your chips? You gonna label Intel's fabs "not to be trusted"? And if so-- which "FOSS Fab" do you plan to use?" You are speaking in terms of pragmatic reality in present. Pragmatism is precisely why systems are insecure today. I am speaking in terms of principles to get us where we want to be.. real security.