Sure there are, but since you'd be trying to prosecute the head of a federal agency (or near to it), you'd likely need the help of the Attorney General of the US.
And if he's decided (or been told) that it's not in the national interest to do this, it simply won't happen.
A junior prosecutor can't file charges his boss tells him he's not allowed to charge. He'd basically get fired or removed from the case.
Perhaps we should do a Kickstarter -- raise $2m to compensate a DoJ prosecutor for risking throwing away his career.
The news is full of all sorts of illegal shit that the NSA and its lackeys have been doing for years, yet I haven't heard a peep about any hints of prosecution.
Oh, come on, now, that's an exaggeration. Surely you've heard the politicians calling for Edward Snowden to face charges.
On a day national security is rallied behind by those in power to protect us
Do not forget that, according to the sitting US President, the greatest threat to national security is cyber-attack. And one of the greatest weaknesses in our cyber armor is the damage the NSA has done to the cryptography standards that our citizens and corporations rely upon for infosec. Well intentioned though they may be, the NSA's actions have harmed national cyber-security.
I was going to submit the same story. I'm glad I didn't; that summary is much better than what I had in mind. Nicely done, Unknown Lamer, IamTheRealMike, and any other editors who helped. Thank you for your effort on this important topic!
hahahahah -- thanks for the laugh :)
The only way to securely use GPG with webmail is to type the message in a text editor, encrypt and only then paste the ciphertext into your web browser.
Even that would be susceptible to a compromised text editor. The only way to really securely use GPG is to write your message out on paper and perform the cipher longhand. For the PRNG, I recommend dropping grains of sand on a Go board.
(actually, I broadly agree with your sentiment; I just found the mental image of doing GPG longhand amusing)
It's still end-to-end encryption if a third party is responsible for generating keys and handing them out.
If that third party retains the keys, I disagree. It is not possible to provide "uninterrupted protection of the confidentiality and integrity of transmitted data" when the keys are not under the exclusive control of the endpoints.
Think S/MIME and e-mail, a certificate authority generates keys for users to encrypt mail to each other.
As far as I am aware, CAs sign keys, they do not generate them. You generate your key, and never divulge the private portion in the signing process. If you are doing otherwise, your data is not secure. A quick look through the S/MIME page on Wikipedia shows S/MIME is intended to be true end-to-end encryption, in the full sense:
S/MIME is tailored for end-to-end security. Logically it is not possible to have a third party inspecting email for malware and also have secure end-to-end communications. Encryption will not only encrypt the messages, but also the malware. Thus if mail is scanned for malware anywhere but at the end points, such as a company's gateway, encryption will defeat the detector and successfully deliver the malware. The only solution to this is to perform malware scanning on end user stations after decryption.
Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.
From the synopsis:
Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,'
"End-to-End" means Google will not have access to the keys, unless Google is attempting to redefine that term. Here's the definition from Wikipedia:
End-to-end encryption (E2EE) is an uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its starting point and decoding it at its destination. It involves encrypting clear (red) data at source with knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the destination shares the necessary key-variables and algorithms).
It would be pretty bold for Google to claim that something is end-to-end encrypted if they can recover the keys. It would be like saying they're building a new kind of airplane that travels exclusively on the ground.
Seriously, how much research does selecting a number of Top 100 chart songs that aren't too dissimilar really involve that make it so vastly different from the mixtapes many of us made back in the days?
I take it you're not a DJ. I don't know if Ministry of Sound UK is building solid sets or not (I actually have a few of their compilations, but haven't listened to them for structure), but the difference between a professional set and a mix tape is like the difference between a well designed database and the chaotic crap-fest data-dump that front-end programmers hack together when they're prototyping. A good set can take many hours to build and gets refined over months, or even years.
It is not possible to have a truly frank discussion with a real ID requirement, because everyone knows that some people who will read the discussion are not reasonable, rational, and civil. If someone wants to present the argument that all men have an innate propensity to commit rape, I want that person to be able to make his or her case without fear of retribution. I don't agree, being a man who has no interest in rape, but I want that person to be completely uninhibited in presenting the case.
I'm not saying HuffPo has to be the place for unfettered discussion, but an online forum that wants to take on challenging issues has to find a way to handle anonymity and pseudonymity. And, of course, we have an excellent example of a functioning *onymity-supporting discussion forum right here. It's hard, it takes a lot of time to get it started and constant nurturing from within and without to keep it healthy, but if you want a forum that takes on the tough subjects, that is the price.
"There are regulations, policies and laws in place that prohibit that kind of abuse. And if abuse is discovered, it's punished."
It looks like you're new here. Welcome to Earth. Tell me more about your planet; what color is the sky there?
Here are a few starting points to learn a bit more about how The Blue Wall works when the department regulates its own behavior:
Wikipedia: Blue Code of Silence
Wikipedia: Frank Serpico
Wikipedia: Rampart Scandal
She seems to be implying that she fears that one day, maybe, she'll be forced to turn over a private e-mail, perhaps even an encrypted one and links that to the current NSA revelations. But that is a red herring - Groklaw has always been subject to subpoena for documents related to a criminal or even civil litigation. And anyone sending information to PJ knows the inherent security risks - PJ has no obligation to provide complete security, something that is impossible or at least nearly so.
Not sure about your hypothesis on what she is implying, but she outright said that she is doing this because she believes email that is critical of the government is being dragnetted, and she does not want to be a part of that.
I don't know but I just feel a bit like PJ is being a drama queen on this one.
I'm not sure what sacrifices you have made for your principles and your nation, but you would be a rare person indeed if you have given more than P.J. has. She was a deeply private and self-conscious person who exposed herself to withering personal assaults by enormously well funded enemies because she believed, rightly, that justice was not being done. I try to do the right thing when I can, but I can't pretend to hold a candle to her. I can only hope to get there someday.
I would like her to give more too. I want that because what she has already done makes her a national hero, and because she has a resource at her disposal with a great deal of power. All agreed, but running her down personally because she can't see an acceptable path forward -- to do more than her already colossal contribution to our society -- is not fair.
...seems like a bad thing from the perspective of the engineer at least. Ars seems to be arguing that it's not necessarily a bad thing for Google's stockholders, which is a pretty different question.
Same thing I came in here to say. Ars' argument seems about as on-target as saying, "Warrantless NSA surveillance of all Americans' Internet activity isn't necessarily a bad thing, because the NSA wants to know what you read."
Capitalism promotes... ...The USSR sucked. The USA sucks. They were the same thing but with "apparatchik" instead of "management" to label the guys running the show. Life under either is glorious for those at the top, and a shitty struggle for the average person.
I really enjoyed your post. I haven't seen that notion presented in exactly that way before, and it really hangs together. Makes me think, and I couldn't ask for more than that.
But Staten's real point is that when it comes down to it the cloud industry will likely not take much of a hit at all. Because as much as they voice their displeasure, turning back isn't really an option for businesses using the cloud.
So let me see if I'm reading that correctly: The free market would not choose to use these services under these conditions, but it's OK because they're locked in, so fuck 'em. That's a helluva way to run an economy -- how could that attitude possibly bite us in the ass in the long run?
Leaving your company, whether by your choice or theirs, and whether amicable or hostile, is a business transaction. It should be treated as such.
They have some value that they will get out of concessions you make, and you will get value out of some things that they offer. There is some extent to which you can trust them to be honest, and some extent to which you may believe they will be generous. The corporation has those same perceptions of you. You're both adults, sort of; you can have a frank discussion about the matter without getting hurt or angry.
So talk to them about it. Start with this question: "Does the company have a standard exit package under these circumstances?" Now you're not forcing the issue, and you're signalling your boss to think in business terms. Then you just talk through what each of you thinks is fair.
"I'm sorry I hurt people. I'm sorry that I hurt the United States," said Manning
Is this sonofabitch calling the Pentagon a liar? How dare he! The Pentagon investigated and clearly reported that the Wikileaks leak did not pose a threat.
DoD Says Wikileaks Not a Threat
The Pentagon is telling NBC's Michael Isikoff that a special assessment team looking over the WikiLeaks Afghanistan war logs has found nothing that could damage national security.
Which sardonic quip to use? I can't decide, so I'll post both.
Of all of them, you'd think it would have been Google to finally shake things up.
"Of all of them," perhaps, is true. Google may well be the least evil of the major providers. And Obama was the less evil of the two major 2012 candidates. Not high bars to get over, and yet they both just graze past.
Of all of them, you'd think it would have been Google to finally shake things up.
I think you may be confusing Google ca 2001 with Google ca 2013. They are two very different companies. The latter is a cookie-cutter American megacorp, money over everything; not strictly immoral, but profoundly amoral.
why does it not make sense to focus your suspicions while policing on people of that race?
The problem is not with focusing on them, the problem is with not subjecting all innocent people to the same infringements of liberty. A parallel case is the reason that we should have a strictly random draft in every war; not because it is good to send college-bound kids to war, but because the upper-class must suffer the same costs of war as the lower-class, or we wind up with military adventurism. If the infringements of liberty are visited only on those with less power and influence, they will be distorted toward excessive infringement.
Why Microsoft Needs 3 Surface Tablets
Ooh, I know this one: Because that's how many they sold.
Excellent post. Clear, thorough, and informative. Thank you.
That's true for hard sciences, but not climate science. Emotion and rhetoric play a huge part in that. And you can't repeat the experiment to see if it would have supported the conclusion, you just have to trust the original researcher's models.
While it is true that there is a lot of rhetoric, and you cannot re-run the experiment, you can, and should, independently audit the data and formulae. I did, when I didn't know which side of the issue I fell on, and felt that both sides had presented reasonable conjectures. The theorists on both sides have made falsifiable predictions -- some going back more than a hundred years -- which can be tested with available data. There is a huge amount of data out there, and it only takes a week or two to pore over it (maybe a little longer if you don't know how to write code -- but you could do the analysis with a spreadsheet, it would just take a little longer).
I mean, if you don't do that, you really would just be trusting some jackass pundit on one side or the other, and that would be choosing ignorance. Surely few here would make that choice. And anyone who did choose that simple path would be even more repugnant if he went about trying to infect others with his ignorance, am I right?
some commenters have noted that "just make up" could be an awkward choice of words by a non-native speaker of English who intended to instruct his student to make up a sample and then conduct the elemental analysis. Other commenters aren't buying it.
You know what the great thing about science is? We don't have to focus on emotion and rhetoric. We can do the experiment, and see if it would have supported the conclusion. If it would, our societal view of justice compels us to assume they were asking for the valid test results to be included. If it would not have supported the conclusion, then we can call for the author to be sanctioned.
"America is not interested in spying on ordinary people."
Then why is it? Why is it storing the metadata on every call and every HTTP request everyone makes? Is everyone not ordinary, or is America doing things in which it is not interested? I'm guessing it is option 3: You have redefined spying as "not spying" in your twisted little lawyer brain, to which I say, "Screw you, you forked-tongue traitor."
The operator of Lavabit CAN legally discuss what is happening. He cannot *safely* do so, because our government does not obey the law, and will punish him for exercising his first amendment rights.
Good post. Well said. Thanks.