We should all be aware by now that the Root CAs we all know and trust are compromised by NSA and that they can MITM any SSL connection they want at any time.
Bear in mind that the CAs do not have copies of the private keys. When you have a CA sign your cert, you do not send them the private key that you generate. So the CAs cannot give your private key to the NSA to facilitate an MITM attack.
It is possible for them to generate a phoney cert to which they do have the private key, and they could give that private key to the NSA. But that would be detectable by programs like the EFF's Observatory, which monitors for key changes. If they tried a MITM attack with a monitored site on any significant scale, it would be detected (and you can run your own plugin if you want).
The problem with both Silent Circle and Lavabit is not SSL itself, but that they are a central organization that held the private key to many people's comm -- people who wanted strong security on their comm. That is a huge bank of high-value cleartext; an irresistible resource node to a group like the NSA. The root problem is not Root CAs, but centralized "secure" storage (and a government that has betrayed its nation -- though even without the NSA, those irresistible resource nodes would still be a threat, attracting abuse from the likes of China and Facebook).
But I digress. My point is that SSL can actually allow true end-to-end security, as long as we use a "trust but verify" model, like the Observatory allows, not just blind trust. If we want to eliminate the high risk behavior that enabled the NSA's attack, we have to eliminate centralized "secure" stores -- no more unencrypted cloud storage, and no more password recovery from cloud services. Everyone has to manage their own private key (whether SSL, GPG, or other), and losing it means it's gone forever. To me, that's the big hurdle.
Alternately, we could restore the 4th amendment, which does a pretty damned good job of protecting your house, even though locksmiths may have copies of many private keys and anyone with a little training could break into most houses in a matter of seconds. Since keys and locks existed when the intent of the 4th was still well known and agreed, they have the level of government protection that encryption should have. Well, that and it would be hard for the NSA to break into every house; it's easy to break into everyone's email. Even if we all had our own private keys, it would still be easier to break into all our systems than doing houses. Now I'm really off on a tangent, though, so I'm just going to stop here.
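One way to implement the "trust but verify" check the comment describes (record a server's public key the first time it is seen, then flag any later key change even when the new certificate chains to a trusted CA), as an added example that is not code from the original post or from the EFF Observatory: a stdlib-only Python script with a minimal DER walker that extracts the SubjectPublicKeyInfo from an X.509 certificate and pins its SHA-256 hash. The two certificates are constructed inside the block with dummy key bits and a dummy signature, and the host name and in-memory pin store are assumptions.

```python
import base64
import hashlib

# --- minimal DER helpers (constructed for this example) ---

def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, end_offset) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def elements(body):
    """Yield (tag, raw_tlv_bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        yield tag, body[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """Extract the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate.
    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, signature,
                                  issuer, validity, subject, spki, ... }"""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = list(elements(tbs))
    idx = 1 if fields[0][0] == 0xA0 else 0   # skip EXPLICIT [0] version when present
    return fields[idx + 5][1]

def spki_pin(cert_der):
    """Base64(SHA-256(DER SubjectPublicKeyInfo)): the usual public-key pin form."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def check_pin(host, cert_der, pin_store):
    """Trust but verify: the first sighting records the key; later sightings must match.
    A CA-signed certificate carrying a different key still trips this check."""
    pin = spki_pin(cert_der)
    known = pin_store.get(host)
    if known is None:
        pin_store[host] = pin
        return "first-seen"
    return "match" if known == pin else "KEY-CHANGED"

# --- constructed toy certificates: structurally valid DER, dummy signature ---

OID_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
OID_SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
ALG_RSA = tlv(0x30, OID_RSA + tlv(0x05, b""))
ALG_SIG = tlv(0x30, OID_SHA256_RSA + tlv(0x05, b""))

def toy_cert(subject_cn, pubkey_bits):
    """Build a minimal certificate whose only realistic content is its structure."""
    spki = tlv(0x30, ALG_RSA + tlv(0x03, b"\x00" + pubkey_bits))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, subject_cn))))
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"140101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG_SIG
              + name + validity + name + spki)
    return tlv(0x30, tbs + ALG_SIG + tlv(0x03, b"\x00" + b"\x00" * 16))

HOST = "mail.example.net"                      # assumed host name
GENUINE = toy_cert(HOST.encode(), b"\x01" * 32)  # the operator's real key
FRAUD = toy_cert(HOST.encode(), b"\x02" * 32)    # same name, different key

def demo():
    """Genuine cert twice, then the substitute: the key change is what gets flagged."""
    store = {}
    return (check_pin(HOST, GENUINE, store),
            check_pin(HOST, GENUINE, store),
            check_pin(HOST, FRAUD, store))

if __name__ == "__main__":
    print(demo())
```

Note that a pin store only detects a change relative to the first sighting, so the first observation must itself come from a trusted vantage point (or be cross-checked against an independent observer, which is the Observatory's role).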
So if I rent a landline from the phone company I got a different expectation of privacy than a company renting a line?
No -- if you leased a point-to-point line from your house to your Mother's house, you would have the same expectation of privacy as a company that leases a point-to-point line between two of its offices (you probably wouldn't, because they're incredibly expensive, but you could). Investment banks, for example, use them to connect their desks in different time zones -- specifically for the privacy.
A lot of the NSA's pretense of innocence regarding metadata collection has been about expectation of privacy. They get information possessed by the telephone companies, not by private citizens. Since the information is already being given to the company by the citizen, the citizen has no reasonable expectation of privacy, and bulk metadata raises no 4th amendment issue.
This case defies that excuse. Those fiber optic cables are leased lines, over which Google and Yahoo have very reasonable expectations of privacy. So, if challenged, the government will either have to publish a different legal pretense or give Google and Yahoo some sort of sweetheart contract as hush money.
Perhaps I should go buy some GOOG and YHOO.
By eliminating all taxpayer funding of 'science'.
As Eisenhower said, in the paragraphs everyone ignores just after he warned of the growing Military-Industrial Complex:
Using Eisenhower's warning about the influence of politics on science to reach the conclusion that all taxpayer funded scientific research should be eliminated is about as sensible as taking his warning about the military industrial complex to conclude there should be no taxpayer funded military.
Here are a few key points from the original story in The Daily Caller:
Warrant Basis:
The document notes that her husband, Paul Flanagan, was found guilty in 1986 of resisting arrest in Prince George's County. The warrant called for police to search the residence they share and seize all weapons and ammunition because he is prohibited under the law from possessing firearms.
Militarization of Police Angle:
At about 4:30 a.m. on Aug. 6, Hudson said officers dressed in full body armor presented a search warrant to enter the home she shares on the bay with her husband. She estimates that at least seven officers took part in the raid.
Document Seizure Justification:
Diaz explained that the files were taken because they found official government papers, which Hudson had obtained through a Freedom of Information Act request.
"During the course of the search, the CGIS agent discovered government documents labeled FOUO - For Official Use Only (FOUO) - and LES - Law Enforcement Sensitive. The files that contained these documents were cataloged on the search warrant inventory and taken from the premises," Diaz said.
"The documents were reviewed with the source agency and determined to be obtained properly through the Freedom of Information Act," he said.
Document Seizure Counterpoint:
But Hudson doesn't buy the explanation: "That explains the one file they took but does not explain why they took four other files with my handwritten and typed interview notes with confidential sources, that I staked my reputation as a journalist to protect under the auspices of the First Amendment of the Constitution," she said.
They Did Have Guns:
During the raid, the officers also went after Hudson's three pistols and three long guns, which she obtained legally.
"I'm a Kentucky girl," she said. "I come kitchen trained, and firearm ready. I grew up with guns and I've always been around guns."
She Is A "Real" Reporter:
Hudson has been a reporter in Washington, D.C. for nearly 15 years and was nominated twice by The Washington Times for the Pulitzer Prize. She is a freelancer for Newsmax and the Colorado Observer.
Her Investigative Reporting:
While at the Times, Hudson reported extensively on the air marshal program - specifically about whether Homeland Security officials had lied to Congress and reported protecting more flights than they really were. Using her sources inside the government, Hudson has also reported for years about possible terrorist "dry-runs" on airplanes.
Unlike some other reporters whose sources have been targeted in recent years by the government, Hudson said none of the information she had was classified or given to her by someone who broke the law.
"None of the documents were classified," she said. "There were no laws broken in me obtaining these files."
I'm not much of a celebrity wonk, but Chris Doohan (son of James Doohan) playing Scotty, and Grant Imahara (from Mythbusters) playing Sulu -- nice.
Thanks for being a good sport. I had added a whole paragraph about, "I understand what you mean in context and I'm not trying to bash you, just playing..." but it made the post feel clunky.
Why would you say only man cares about time?
This is dreadfully misogynistic, but I can't resist: Surely you have heard women say, "I'll be ready in two minutes, I'm just picking my shoes..."
The article is TL;DR (I assume...)
ahhahaahhahaa -- "You mean I have to click on the link and look at the article to know if it's going to be too long to read? [rolls eyes]" I can just see Zooey Deschanel doing her whole "look at me and how cool I am not caring whether you look at me and think I'm cool" thing delivering that line with a dismissive subtext of, "I'm way too cool to waste my time finding out whether the ramblings of some 'theoretical physicist' are too long to be worth my time. I live in real physics, every day, thank you; I think I know how time works."
You got me laughing so hard my eyes were watering. Thanks! :)
To me, the following bits from the article really strike to the heart of the matter:
The government also argued that if officers were required to obtain a warrant and have probable cause prior to executing a GPS search, "officers could not use GPS devices to gather information to establish probable cause, which is often the most productive use of such devices."
The justices said the government's statement "wags the dog rather vigorously," noting that the primary reason for a search cannot be to generate evidence for law enforcement purposes. They also noted that "Generally speaking, a warrantless search is not rendered reasonable merely because probable cause existed that would have justified the issuance of a warrant."
That seems to cast a dark shadow on the practice of NSA intercepts being used by the DEA to establish probable cause, followed by parallel construction of that probable cause.
Geddes said privacy concerns could resurface should governments expand the program and use smartphones or apps to track movements and reward motorists who avoid congested roads and drive during off-peak hours.
Oregon (the body of people) has a reasonable case for wanting usage taxes to be based, at least in part, on mileage. The economic case makes sense, and there is a simple solution: Each time the data is collected, calculate the amount of money owed, show it to the driver for approval, and give the driver the option to retain the data for appeal. If the driver accepts the amount owed and declines the option for data retention, the data used to generate the amount owed is discarded -- never entered into the database.
If it is only about calculating the fees owed, then that is the only datapoint that needs to be retained once the driver has waived his right to contest the tax. Oregon gets to include mileage in its road use taxation model, and drivers retain the right to keep their travels free from government surveillance. Everybody wins except those with an ulterior motive.
Unfortunately things can be a bit more complicated than what the phrase about journalists and your praise of Greenwald suggests.
I would rather die free than live in fear.
It has been said that the business of journalists is, "to comfort the afflicted and afflict the comfortable." Modern American journalism has inverted that phrase, mocking the weak to help the masses feel better about their dreary normalcy and fawning over the elite in hopes of being granted the favor of an interview or the opportunity to ask a question at a press conference. Glenn Greenwald has shown himself to be cut from cloth more worthy of the journalist mantle.
Thank you, Mr. Greenwald, and congratulations. "You earned it," has rarely sounded more apropos.
Anybody interesting and hilariously anti-drug in public life on the list yet, or do those get filtered out before they send in the jackboots?
I think it goes a little like this:
DEA Agent: So, I hear you are opposed to warrantless surveillance.
Junior Senator: Umm, yes?
DEA Agent: And my understanding is that recently you've been reconsidering your position.
Junior Senator: No, I haven't.
DEA Agent: See this post we have here from Silk Road where you say that BC Chronic made The Simpsons funny again?
Junior Senator: What I meant to say was, I believe warrantless surveillance is a vital and necessary tool in our war on violent extremism.
DEA Agent: I thought so.
Buying on a black market is never good. However,...
Excellent post. Thank you!
If your pseudonym is persistent, reputation still matters. It does not matter whether your pseudonym can be connected to your meatspace identity; reputation is still reputation.
The real problem with online harassment, trolling, etc. is that people lend credence to transient identities. Not a problem here, because we have persistent pseudonyms and transient identities. Transient identities get treated with skepticism and ignored if they're being abusive. Persistent pseudonyms which have earned a reputation are granted wider latitude to make their case.
The problem is not pseudonymity, or even transient identities and anonymity. It is that most public fora do not make it easy to distinguish between a member in good standing and a drive-by-troll.
even going so far to say that a moderate amount of inflation is a "good thing".
Unless you believe that stuffing money into pickle jars and burying them in the yard produces wealth, a moderate amount of inflation is a good thing. It motivates investment over hoarding.
U.S. Secretary of State John Kerry has announced an agreement between the U.S. and Russia on a plan for removing and destroying Syria's chemical weapons.
I don't understand why we have to resort to reasonable non-violent solutions when we had a perfectly good rash hotheaded answer in bombing the bejeezus out of them. When will we stop the sanity?!?
Imagine if he had been the kind of psychopath that would imagine -- and even trivialize -- crushing people's skulls.
I *heart* you gclef. Clear, concise, unequivocal, market-oriented. Very well said. Thank you!
"I'm pretty sure I could qualify for the ruling elite" is not the most compelling argument I have ever heard for the benevolence of the ruling elite.
With no information about travelers, TSA had no choice but to treat them all alike,
What a horrifying reality, in which the government is forced to treat all citizens as equal. If the government were only allowed to pick and choose the dissidents to subject to harsh treatment and intimidation, all the properly submissive subjects would be free to do anything that doesn't irritate the lordship. You see, it is not the ruling elite who are imposing these restrictions that are harming you, it is your filthy fellow peasants. If you could all simply learn to kneel and submit to the natural authority of the nobility, you would all be happier.
Wish I had mod points. A clear, concise explanation of which side requires force of law, and a final sentence that raises the question of balance while allowing the reader to seek his own conclusion. The epitome of a thinking person's post. Thank you.
The disruption from MS patches exceeds the pain from defects in the OS.
And given the number of defects in the OS, that's really saying something. Bah-dum-bum. Thanks, I'll be here all week. Don't forget to tip the wait staff.
If Obama actually said [that cyber was the greatest threat to national security]
Hah! Actually, I was wrong. It wasn't Obama. It was James Clapper. :)
"This comes shortly after the release of the Worldwide Threat Assessment, in which U.S. Director of National Intelligence, James Clapper, identifies cyber attacks and cyber espionage as the nation's biggest threat, passing that of terrorism."