I've come to believe that "the powers that be" will never stop this progressive march towards pervasive monitoring and surveillance. If we succeed in keeping this bill from passing, we'll just be fighting another just like it or worse in a few years. We have to make it fundamentally impossible to monitor our private communications and to share our private data.
To get there, it is going to take a complete shift in how we build internet software. These problems cannot be fixed using the current status quo. I highly encourage you to start looking into projects like Ethereum, IPFS, Whisper and Swarm. The offer a way to build web applications that are completely immune to censorship, monitoring, and large scale data breaches while giving user's control over their data.
This isn't to say that there aren't battles to be fought in the legislation arena. There are and kudos to entities like the EFF for leading the charge. What I'm trying to say is that as long as it's possible to do pervasive surveillance, we're going to keep seeing the powers that be continue in that direction. If it is possible, they will try and do it.
Please keep in mind that this person is an Ethereum developer and has a vested financial interest in seeing their Ethereum tokens appreciate in value. This may be a conflict of interest and cloud up the actual technical merits of Ethereum.
I find it a bit disingenuous that this is not being disclosed, considering that there are numerous Ethereum competitors (primary, Bitcoin with SegWit, coming 2016, and Storj, Maidsafe).
I still stand behind everything I said regardless of the technology that ends up accomplishing it. I chose to mention Ethereum because I think it has the best shot. If Ethereum fails, I'll be looking for the next best viable option for a decentralized internet.
I thought about adding the disclaimer and chose against it. Maybe I chose wrong. I sort of see your point about conflict of interest, but that line of thinking also disqualifies almost all of the people who are most intimately familiar with the technology.
If you're skeptical, lets have a conversation about it. I regularly describe my position as skeptically optimistic about Ethereum's future success.
> "I thought about adding the disclaimer and chose against it. Maybe I chose wrong."
Yes, when one is advocating for and recommending a product, it is pretty standard (and, in my opinion, an ethical requirement) for one to also disclose that he/she is heavily involved with that product. It is even more important when one stands to benefit -- especially financially! -- from the product's success.
One's credibility quickly goes right out the window when one fails to disclose these basic facts.
FWIW, If this is about his character: Piper is also a known, trusted, and valued member of the Python community.
Last year, I was driving across the country and needed a place to crash. I randomly looked for someone from a PyCon list and found Piper. He was happy to let myself and a friend sleep at his home; he introduced us to his family and greeted us warmly.
So, take his words with whichever grains of salt you find most relevant.
I'm not convinced that a comment on Hacker News is going to lead to any noticeable financial benefit for the poster's company, and by proxy, the poster himself.
Furthermore, I find your comment extremely suspect, considering you also have a top-level comment [1] in this thread that basically amounts to "guys, guys... there's no reason to worry about this bill!"
If anyone's motives should be questioned, it's you.
It's pretty standard around here for people to disclose their affiliations with $product when {commenting about|recommending|suggesting} $product, regardless of any (financial or other) benefit. Hardly a day goes by when I'm reading comments about some $product that I don't encounter one that includes "Disclosure: I'm a developer for $product".
The problem is that all these approaches to privacy are based on "anonymous activities" such as browsing the web without logging into any website, or participating into any social network where you connect with people you already know.
In order to make sure we don't spill private data I think we need a privacy active monitoring browser. For example, it should have a list of all the identifying attributes such as name, email, facebook page, reddit nickname and make sure they are not passed outside. The privacy browser could also identify dangerous topics and pages and send warnings before searching/posting/loading anything. It would actually enforce good data hygiene to make this process much easier for people.
Privacy is hard to maintain, requires a lot of care and a single mistake could be enough to reveal your real identity. That's why we need to create safe environments where privacy is a given.
> The privacy browser could also identify dangerous topics and pages and send warnings before searching/posting/loading anything. It would actually enforce good data hygiene to make this process much easier for people.
Isn't the point of the whole privacy thing to not be forced in to avoiding discussion of certain topics for fear of being labeled a dissident?
A more distributed internet infrastructure would also be needed i.e. mesh networks. Dragnet surveillance is too simple and easy to do when the internet infrastructure is centralized in the hands of a couple ISPs.
So, tl;dr: politicians are biased toward having more power, and don't take into account how this affects the world.
We saw this coming a long way off. The best solution I can think of is requiring politicians to take comprehensive classes on whatever topic they're grying to legislate, but that in itself is a nightmare to implement.
> It won't be, because he'd get the same intel briefs as Obama, the same advisors would tell him the same things, and they'd be generally right.
Well, first, they wouldn't be the same advisors -- even same-party administrations don't tend to carry over very many of of the President's direct advisors.
Second, even with the same advisors, Sanders, while he might agree with Obama on some things, is likely to have different priorities and values, which will shape actual policy, even if he had the same advisors presenting the same facts and similar interpretations of the facts.
If this information is so compelling and worthy of such drastic action, then, in a fair and transparent society, it's also necessary to disclose it and let the public decide.
The Occam's razor explanation is that this is just politicians acting in their interests, not that there is some blockbuster intel that, if only we knew...
He's deploying the argument against privacy that there is a great danger which is not being revealed to the public. It always makes me roll my eyes. Sure there is no doubt an intelligence situation that has a completely different perspective of the web, but that doesn't prevent a leader from implementing some basic protection for the public, making an effort to better secure (aka not covertly cripple) American tech or at least create an improved whistle blower system.
I think it's possible that somebody can be for "internet freedom" while also believing that as the bossman they have to enforce the law. Snowden would probably agree and just ask that the trail be fair and the punishment not designed to silence future whistleblowers.
> "I think Snowden played a very important role in educating the American public ... he did break the law, and I think there should be a penalty to that," Sanders said. He went on to say that the role Snowden played in educating the public about violations of their civil liberties should be considered before he is sentenced, and that as president he would "absolutely" end the NSA spying programs in question.
Basically it seems to me he wants Snowden to get a fair trial, which would require some new legislation first or for him to be charged with a different crime. And aside from Rand Paul, I don't think any other candidate is as strong on Internet freedom as Sanders.
In all honestly I do not see what the concern over this law has been about. It doesn't expand the (terrible) surveillance powers but just allows network operators to do what they have been doing anyway (e.g. CloudFlare's WTF and cloudsourced DDoS protection), and share data that you reasonably should expect to be shared.
What is concerning is what the law may be twisted to "authorize" (see patriotic act and mass metadata), but on the surface of it I really don't see concern about CISA.
End-to-end encryption is useless without endpoint security, i.e. security of the device you're using. As far as I can tell, all new chips have something like the Intel Management Engine, which allows out-of-band access to the device. It takes about 6 lines of VHDL to modify a CPU so that if it receives a specific combination of instructions, it will transition to ring 0. That could even be added to the microcode so you wouldn't even be able to find it with a microscope. That essentially means if someone knew the right combination of instructions, a simple javascript expression could give you kernel level access to the machine.
Despite how troubling this is, I have trouble accepting that end-to-end encryption is useless. It still offers significant protection from being monitored even if that protection can be theoretically circumvented by lower level methods.
+1 You're absolutely right; I really just meant to say that it could be circumvented by specific parties. We absolutely do need end-to-end encryption everywhere to protect information while in transit. But if someone is worried about a tyrannical government, then end-to-end encryption may not solve that person's problem.
Maybe we could use parts from different governments to check each other. ARM CPUs are available from US-controlled sources and China-controlled sources. An Intel ARM CPU and an Allwinner ARM CPU, run in lockstep with comparators checking the bus transactions, could be useful.
Two different vendors' CPUs running in lockstep won't have their buses equal each other anyway, due to differences in implementation. Even more so, you have to have different code for a Allwinner vs an Intel ARM CPU, since they have different memory-mappings, peripherals, etc.
> End-to-end encryption is useless without endpoint security
No, not in a practical sense. Securing data in transit and at rest drgrades the value of breaking endpoint security, and it degrades the value of massive internet snooping.
Breaking endpoint security, one machine at a time, and exfiltrating data, is vastly riskier than hoovering it up from the backbone. It is more likely to be noticed, and the exfiltration traced. It doesn't scale well.
Endpoint security sucks now, but if people, governments, and enterprises find out data being exfiltrated from their machines, the demand for secure hardware will increase.
This doesn't affect interception. It affects one end of the two-party comms saying, "Hm, there is suspicious traffic on my network. Let me report that". Think about if you had a business whose network was constantly attacked by an adversary, doing harm to your business. Under this law, you can share that data (in anonymized format) with the govt and with industry partners.
Whether that's good or bad can be debated, but we're talking about endpoints giving up data, not necessarily ISPs snooping and reporting badness.
You can't do that. End-to-end encryption only applies to private data or p2p communication. Anything p2p wouldn't even be covered by CISA since it's for network operators. If I make a post to HN it has to be decrypted for anyone else to read it. Financial transactions all need to be shared with banks. Banks can't read your balance unless they can decrypt.
End to end encryption prevents anyone except for your intended recipient from reading it, or making changes. This is about increasing the resources required for mass surveillance. To make a copy of all unencrypted traffic going through an ISP takes very little resources. Keeping a copy of all encrypted traffic, and unencrypting it to make it useful takes much more time and resources.
You're talking about encryption over the wire like HTTPS which already widespread. CISA is about data within a private network meaning it's probably already been decrypted. When people talk about end-to-end encryption they mean even network operators can't see it.
This might work out. With the preemption clause ("notwithstanding any other provision of law"), network providers can now snoop on any government snooping directed at them.
Is the Cybersecurity Act more of that "balance" the US government has been promising us since the Snowden revelations? And I bet this "balance" between privacy and security will keep moving towards one side of the scale (you can guess which) in the future.
To get there, it is going to take a complete shift in how we build internet software. These problems cannot be fixed using the current status quo. I highly encourage you to start looking into projects like Ethereum, IPFS, Whisper and Swarm. The offer a way to build web applications that are completely immune to censorship, monitoring, and large scale data breaches while giving user's control over their data.
This isn't to say that there aren't battles to be fought in the legislation arena. There are and kudos to entities like the EFF for leading the charge. What I'm trying to say is that as long as it's possible to do pervasive surveillance, we're going to keep seeing the powers that be continue in that direction. If it is possible, they will try and do it.
Sources:
* https://www.ethereum.org/
* https://github.com/ethereum/go-ethereum/wiki/Swarm---distrib...
* https://ipfs.io/
* https://github.com/ethereum/wiki/wiki/Whisper-Overview