The UK Is About to Legalize Mass Surveillance [Update] (vice.com)
From a report on Motherboard: On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office. The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months. Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications. "The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight," a statement from the Home Office reads. Much of the Act gives stronger legal footing to the UK's various bulk powers, including "bulk interception," which is, in general terms, the collection of internet and phone communications en masse. In June 2013, using documents provided by Edward Snowden, The Guardian revealed that the GCHQ taps fibre-optic undersea cables in order to intercept emails, internet histories, calls, and a wealth of other data.
Update: "Snooper's charter" bill has become the law. The home secretary said: "The Investigatory Powers Act is world-leading legislation, that provides unprecedented transparency and substantial privacy protection. The government is clear that, at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe. The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight."
It's a beautiful thing, the destruction of civil society :)
... at least until they legalize mass-less surveillance too.
FBI and NSA Poised to Gain New Surveillance Powers Under Trump
All because you sheeple want to feel safe.
"People want to be slaves" - Academy Award nominated director I work out with.
Face it, the people don't want to really be free. They want to feel safe above all else. They are so afraid of terrorism when the fact is they are most likely to die from complications of their obesity or from a car accident because they were distracted while they were updating their Facebook page.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
We'll make great pets
Look, I know my browsing will be in a huge database that nobody will look at... for now. But if this year has taught all of us anything it is that things change. If you take these powers, whoever is in power in the future can abuse them. Everyone, no matter how well intentioned, should think about how those powers might be abused in the future.
I think this is something that will ultimately hurt a lot of innocent people in the UK over the coming years.
However, it will also help the Internet mature with new encryption and canary protocols, and more ubiquitous deployment of them, to ensure privacy and protection from all threats.
A government is a body of people notably ungoverned - AC
You and I don't need to invent anything. We can create our own encryption keys, exchange them, and securely communicate.
The problem is the HTTPS infrastructure is broken by design, which is what the original poster was talking about.
The absolute irony is that visiting a site with a self-signed certificate shows the user a warning error (I understand why, don't worry) yet the resulting HTTPS exchange is actually immune to any and all eavesdropping. When visiting a site with a cert authority signed certificate, no error is displayed, yet this connection is vulnerable to anyone who has broken/intercepted the chain of trust. This includes state actors, but also businesses, and anyone that can get their certs onto your system, or can influence the signing authorities to give them the keys.
At this point some rabid net admin for a large corporation will chime in with "it's my network" etc... but the point is that we have been training users for years to interpret HTTPS as being "secure" and "safe" when it actually isn't. Just like we have been encouraging users to update Windows, yet now Microsoft have broken that trust with their forced updates and broken/mislabeled updates. The internet is currently broken and indeed has been broken maliciously by state actors. Are we going to just accept that as "good enough" and live with it? What exactly was so terrible about the internet in 1990 or 2000, before the NSA got their hooks in and started fucking everything up? Can we point to a global reduction in crime, violence, terrorism, or child pornography, due to the valiant efforts of the NSA and similar outfits abroad?
At the **very very least** prior to this bill in the UK passing, anyone with half a mind should take note of the current state of UK society and crime. In ten years time, once the full ramifications of these new laws come to pass, look around again and make a comparison. My prediction, for what it's worth, is everything will be exactly the same (in which case what was the point?) or it will be much much worse.
The BBC has multiple stories on this. Maybe you should dislodge your head from your ass?
From here:
Blogger Chris Yiu compiled a list of the 48 organisations and departments that will be able to access the browsing records of individuals without a warrant.
They include various police, military, government and NHS departments as well as the Food Standards Agency, the Gambling Commission, the Financial Conduct Authority and the Health and Safety Executive.
I found this article in about 20 seconds.
The absolute irony is that visiting a site with a self-signed certificate shows the user a warning error (I understand why, don't worry) yet the resulting HTTPS exchange is actually immune to any and all eavesdropping. When visiting a site with a cert authority signed certificate, no error is displayed, yet this connection is vulnerable to anyone who has broken/intercepted the chain of trust
Not quite. Both connections are entirely safe from passive eavesdropping. Even if I've compromised a root cert that you're using, that doesn't let me decrypt TLS traffic. It does mean that if I am actively performing a man in the middle attack on you, then you won't notice, because during the initial key exchange you'll connect to me and establish a secure connection and I'll connect to the remote server and establish a secure connection. You'll trust me because I'll use a cert signed by one that I trust. The difference between this and a self-signed cert is that when the server uses a self-signed cert, there's no need for me to compromise a root cert that you trust: I can still perform the MITM attack and you won't know the difference.
Certificate pinning protects you from this to a degree: If you connect to a server twice and the certificate changes, then there may be a problem. On the other hand, there might not be, and with a self-signed cert, you can't revoke it if it's compromised and you can't easily advertise the fact that this is a replacement cert from the same person (unless you properly self-sign, rather than simply not signing, and people pin your signing cert).
Certificate transparency protects in both cases, by providing a public log of all of the certificates that have been seen by people connecting to the server. If the server operator sees a cert that they didn't issue, or if you see a cert that's not the same one that other people are seeing, then something is wrong.
I am TheRaven on Soylent News
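The two defences the comment above describes, certificate pinning (does the key the server presents match the one I saw before?) and certificate transparency (is the key the server presents one that everyone else has seen and the operator actually issued?), can be modelled in a few dozen lines. The following is an added example, not code from the original thread or from any browser or CT project: "certificates" are reduced to a host name plus public-key bytes, the pin is a SHA-256 over the key (the SPKI-hash style browsers used), the log is an in-memory set standing in for a public CT log, and all key material is constructed sample data. `PinStore`, `TransparencyLog`, `verify_connection` and `demo` are names chosen here. It also shows the caveat the comment raises: a changed key is only suspicious if the operator never announced a replacement, so a pre-registered backup pin lets a planned rotation pass without a warning.

```python
import hashlib
from dataclasses import dataclass, field


def spki_pin(public_key: bytes) -> str:
    """SHA-256 fingerprint of a public key; this is what gets pinned."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class PinStore:
    """Client-side pin store: host -> set of accepted key fingerprints."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, public_key: bytes) -> str:
        """Return 'first-seen', 'match' or 'mismatch' for the presented key."""
        pin = spki_pin(public_key)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = {pin}      # trust on first use
            return "first-seen"
        return "match" if pin in known else "mismatch"

    def add_backup(self, host: str, public_key: bytes) -> None:
        """Pre-register a replacement key so a planned rotation is not a mismatch."""
        self.pins.setdefault(host, set()).add(spki_pin(public_key))


@dataclass
class TransparencyLog:
    """Stand-in for a public, append-only log of (host, pin) pairs clients have seen."""
    entries: set = field(default_factory=set)

    def submit(self, host: str, public_key: bytes) -> None:
        self.entries.add((host, spki_pin(public_key)))

    def contains(self, host: str, public_key: bytes) -> bool:
        return (host, spki_pin(public_key)) in self.entries

    def audit(self, host: str, issued_keys: list) -> set:
        """Operator view: pins logged for host that the operator never issued."""
        issued = {spki_pin(k) for k in issued_keys}
        return {pin for (h, pin) in self.entries if h == host and pin not in issued}


def verify_connection(host: str, public_key: bytes, store: PinStore,
                      log: TransparencyLog) -> list:
    """Client view: run both checks and return the warnings they raise."""
    warnings = []
    if store.check(host, public_key) == "mismatch":
        warnings.append("pin mismatch: key differs from the one pinned earlier")
    if not log.contains(host, public_key):
        warnings.append("not in transparency log: nobody else has reported this key")
    return warnings


# Constructed sample keys, not real key material.
GENUINE_KEY = b"example.org genuine key v1"
ROTATED_KEY = b"example.org genuine key v2"
IMPOSTOR_KEY = b"key presented by an interposer"


def demo() -> dict:
    store, log = PinStore(), TransparencyLog()
    # The operator's real keys are already in the public log.
    log.submit("example.org", GENUINE_KEY)
    log.submit("example.org", ROTATED_KEY)
    first = verify_connection("example.org", GENUINE_KEY, store, log)
    # Planned rotation: the backup pin was announced, so no warning.
    store.add_backup("example.org", ROTATED_KEY)
    rotated = verify_connection("example.org", ROTATED_KEY, store, log)
    # Interposed key: neither pinned nor logged, so both checks fire.
    impostor = verify_connection("example.org", IMPOSTOR_KEY, store, log)
    # Once some client logs the interposed key, the operator's audit catches it.
    log.submit("example.org", IMPOSTOR_KEY)
    rogue = log.audit("example.org", [GENUINE_KEY, ROTATED_KEY])
    return {"first": first, "rotated": rotated, "impostor": impostor, "rogue": rogue}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pinning alone cannot tell a rotation from a substitution, which is why the backup pin and the log are both needed: the client learns the key is unexpected, and the operator learns that a key they never issued is being presented in their name.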