Encryption can be circumvented. It's hard, but doable for a state, when it targets one high-value suspect. But if everything is encrypted, they can't go "big data" on it and collect everything about everyone: if proper encryption is generalized, spying doesn't scale anymore.
Big companies' ability to break the encryption between them an you is irrelevant: if they're the legitimate receiver of the communication, they can offer the plain text directly to governments.
The ability for a third party to break the secrecy between two individuals has a pretty good solution though, and that solution is local encryption + open source. It makes it very difficult for states to compromise the scheme, and every time they use this ability, they're at risk of having their exploit discovered, and going blind again. They'd only use information gathered that way for legitimate national security reasons, and will never show it in a court for instance. A discovered 0-day exploit in OpenSSL or GPG isn't as easily replaced as one in Flash player.
The biggest potential impact of Snowden's revelations is that now, any security scheme relying on trusting a third party companies has to be considered unacceptably weak, at least if you mind governments--or companies sponsoring politicians--reading everything you exchange.
TL;DR: encryption isn't the absolute weapon against illegal spying by governments, but it helps making it extremely difficult, expensive and unscalable. Which is good enough a reason to promote it in addition to political action.
I think the take-away from this article is that the political/legal environment is part of implementation detail you need to consider when considering a "private" communication mechanism.
No crypto-system is truly secure unless BOTH sides can be trusted. If either one is even remotely possible to compromise, then that willhappen. In the case where one of those parties is well-known and has something to lose, you can be certain that the powers-that-be will focus their attention on that party. (nb: Skype)
SO yeah, crypto en masse will make casual collection harder, but it's not even halfway towards what is needed. There has to be an awareness of the downside to reduced privacy that can be tangibly grasped by the populace otherwise we're all pissing in the wind. Any crypto-system that requires anything approaching trade-craft on the part of the user is probably going to fail miserably.
I was fresh out of the military when the USG was proposing the widespread deployment of the "Clipper" chip that included key-escrow as a fundamental feature for LEA access to keys. That failed, but I would not be surprised to hear that we got it anyway through quiet "arrangements" with major crypto-system equipment/software providers.
Have YOU inspected your CPU/Firmware/OS/Applications for backdoors? Even with the full source code?
It's a hard problem and requires a lot more than just neat technology to solve. In fact, it probably can't be solved with technology at all.
Completely agree. Anybody recall the TPM? Security is pretty much turtles all the way down.
Encryption isn't going to help stop a guy with a stick from beating the information out of you. A functional state, however, can help prevent such things from happening.
Not to mention backdoors in routers/cable modems and god knows what else. Every carrier is preloading in spyware to SIM cards now too, wait for that big revelation soon. They can already track you with their program that responds to type 0 sms and now they can OTA update your SIM to run voice capture, sms capture, store accelerometer data for decryption use, turn on the mic and listen in or turn on the camera.
Exactly. There was revelation in a recent court case that the feds had the ability to turn on and listen in on conversations from your cell phone that you thought was off.
Or consider "secure" to mean that your identity remains private if you so wish. One could certainly create a crypto system that binds an actor to an act without any end-points learning the identity of the actor, but still allowing the actor to take credit if they so wish.
Of course we have a form of Clipper through such agreements. Lotus Notes had a secret key escrow mechanism that was discovered in the '90s. It is very unlikely that Notes was the only supposedly secure product with secret arrangements with law enforcement and/or intelligence services, and it is even less likely that the pace and intensity of such arrangements has declined since then.
On the other hand, Edward Snowden thinks he can secure information effectively from attempts to crack it. He probably had practical knowledge of the day-to-day capabilities of the NSA when he worked there. There is no reason that most everything that you and I store and transmit can't be equally well-protected.
Snowden also admitted if they are personally targeting you it's game over unless you're a master of tradecraft and encryption. If you have an unencrypted bootloader then they can break into your hotel room while you're either sleeping (or drugged) or not around and evil maid attack. They did this in Dubai already to a Ukrainian fraudster they were after.
They could also just plant bugs/cameras and watch you type in passwords, or rent the room beside you and set up Van Eck/TEMPEST equipment. They could mess with the power socket in the wall to do encryption analysis as well or replace your powerbar with an evil bar.
You would need guards to watch your room, a SICP tent and TEMPEST proof NATO standards laptop, OpenBSD to softraid encrypt the discs leaving no bootloader (or carry around the bootloader on a usb or CD), and you would have to custom manufacture the equipment yourself in Taiwan to ensure no backdoors and pick it up in person, or manually solder in hardware firewalls to block signals from leaking out of proprietary blobs.
Half the article is talking about scalable attacks on encryption. For example: "To an intelligence agency, a well-thought-out weakness can easily be worth a cover identity and five years of salary to a top-notch programmer. Anybody who puts in five good years on an open source project can get away with inserting a patch that 'on further inspection might not be optimal.'"
I agree we should continue this arms race but I'm a little less confident than I was before reading this article.
It's true they can't reveal exploits in court, but that matters less and less. If they decide they don't like you there are all sorts of other ways they can screw with you.
> a well-thought-out weakness can easily be worth [a lot]
Indeed, but my point is, in addition to be worth a lot, it's difficult to implement, and it's very fragile. Every time they use it, they gamble its secrecy, hence its effectiveness. So they won't use it for petty reasons, only for genuine national security matters.
The problem isn't that NSA works on ensuring national security: it's that the scope of what they consider national security, and thus justifies extra-legal measures in their eyes, grows unreasonably, becoming a threat to the robustness of democracy.
A spy agency's ideal environment is totalitarian, not democratic. For a starter, they're scared of free speech and accountability. There must be counter-powers, cancelling their natural tendency to push towards totalitarianism (this is in no way specific to the USA).
> If they decide they don't like you there are all sorts of other ways [than courts] they can screw with you.
Yes, but those ways don't scale. You can screw with a couple of people you dislike, but not with hundreds or thousands of people simultaneously.
The problem isn't NSA. It's the President(s) and Congress who define the scope. Call me naive, but I think that most of the folks at NSA, even many of the leaders, are patriots who believe that they are protecting their country.
If you believe that politicians control the bureaucracy rather than the other way around, then I respectfully disagree.
Bureaucrats have expertize, inertia, the ability to sabotage many things, long term stable positions, and care about how things actually are, rather than how they look to the average voter. In many cases, including this one IMO, politicians have the appearance of control, but very little actual latitude in practice.
For better or worse, I'm intimately familiar with the strange working of bureaucracies. Obama's presidency is a textbook example of a politician being consumed by intertia.
That said, politically originated policy turned the FISA Court into a Star Chamber making Supreme Court type decisions, and broadened the scope of NSA's role from spying on the Russians to spying on humanity.
Politicians can curtail those activities as well, either by making explicit policy changes, or by defunding things strategically. It requires courage.
> "To an intelligence agency, a well-thought-out weakness can easily be worth a cover identity and five years of salary to a top-notch programmer. Anybody who puts in five good years on an open source project can get away with inserting a patch that 'on further inspection might not be optimal.'"
That is true, but it's true for every attacker, not just the government, which changes the situation quite a bit. There is a very strong incentive for security experts to look very carefully at every patch to, say, OpenSSL. Few things are better marketing for a security firm than revealing a critical hole in security infrastructure.
In fact, the high price of such an exploit on the black market works in our favour as well. Tons of black-hats are looking for holes, and when they find and sell one, the subsequent exploitation is bound to raise some red flags and eventually point white-hats in the right direction.
Basically, "You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time"
"To an intelligence agency, a well-thought-out weakness can easily be worth a cover identity and five years of salary to a top-notch programmer. Anybody who puts in five good years on an open source project can get away with inserting a patch that 'on further inspection might not be optimal.'"
Suddenly, Dijkstra's insistence on developing the proof together with the program and providing it to any interested person doesn't seem to be the ridiculous idea that some people consider it to be, does it?
> Encryption can be circumvented. It's hard, but doable for a state, when it targets one high-value suspect. But if everything is encrypted, they can't go "big data" on it and collect everything about everyone
That's what they (NSA) actually are doing/trying to do right now, collecting everything about everyone and decrypting it later when/if needed.
I don't quite believe that the NSA can reliably perform a ciphertext-only attack on RSA or even AES.
As far as we know, integer factorization is still hard, so RSA is still secure, given large enough keys. There's Shors Algorithm for quantum computers but these are still very much experimental things and subject to research. Besides, building, maintaining and running one is incredibly expensive. I might underestimate the NSA here though.
AES has been broken in theory but the results have no real repercussions. A "break" is anything faster than brute-force, no matter whether it actually makes the process computationally feasible or not. In the real world it doesn't currently matter whether we search through 2^256 keys or have a complexity of 2^254.4. Both are vastly out of the reach of current computers. AES has been rated as "suitable for top secret". There is reasons to believe that the NSA uses AES themselves. Knowing about a ciphertext-only attack would put their very own secrets at risk. If such an attack exists, it will only be a matter of time until somebody else finds it.
There are other weaknesses in both these systems though, most of which are due to implementation and physical realities. Side-channel attacks are known for both RSA and AES as well as for SSL.
So yes, they might very well collect everything right now but unless they are many decades ahead of the rest of the world in terms of cryptanalysis, they can't do anything with the data for now.
I wonder how big a jump it would be to have some mandated service running on every machine, to sidestep increased encrypted Internet traffic? Still seems unlikely but I've been so surprised by the level of apathy by most to this that I can almost imagine it
"if a nation-state decides that somebody should not have privacy, then it will use whatever means available to prevent that privacy."
One thing a lot of these discussions miss is that the entire point of doing privacy and anonymity correctly is that you are never on a list of people that any particular nation state wants to deny privacy to. That your True Name (to borrow the idea from Vinge’s story of the same name) is never the target, is never even interesting.
I personally don't advocate a world where everything I do is encrypted and anonymized, I think that that is as unachievable and sacrificing as living an entirely private life. Use gmail, skype, facebook, twitter, send non-encrypted messages about christmas to your friends and family, etc.
But what we do need is an online equivalent of a private life as well. And people need to be educated in the tools and techniques that can make this possible when necessary. Use tor, hidden services, pgp, i2p etc Use completely different online identities, ways of speaking and never login to a HN account associated with your real identity from that private space. Create and participate in hidden online communities, but don’t center those communities around your real life family and friends (ie facebook-esque hidden service would be a very bad idea).
The idea is not to challenge, fight or oppose nation states with surveillance capabilities, that's a losing proposition; the idea is to create a space away from them.
It's like hygiene. A few hundred years back people weren't washing their hands and health was very bad. As soon as we understood the germ theory of disease, we learned hygiene and now we are much better.
With encryption and privacy it will be the same. People will need to learn new skills.
Unfortunately, what we need to do is as cumbersome as a surgeon prepping for operation - it takes too much care to make sure you don't mix things up. You never login into your Gmail on Tor, don't refer to your reddit user name on Gmail, etc.
Unless you already did, in which case you're toast. They already have years of data on your views and interests.
Could we make a browser extension that would compare all you do and force privacy for you? For example, if you mistakenly mention your anonymous identity in your official mail, to catch it before sending. It should have a list of forbidden things - keywords, user names, etc - and send watch people not to mix the pots. Take care to separate cookies between anonymous mode and public mode. I am sure such an extension would go 99% of the way to making your private online life private again.
I envision a whole suite of apps - browser, mail, messaging, file sharing - written with this goal in mind - to separately manage identities - private and public - based on the content of communication. Like spam filters, but applied to all our data leaks.
I wonder if one day, 3d printing will be cheap enough so that one could go to the local hackerspace, Print print out chips, assemble the board/internal devices and be sure to be free from hardware backdoors?
This is feasible today. Although it takes a decent skill set. Open source communities like OpenCore.org have enough FPGA architecture to build your own RISC computer from scratch. I suspect as FPGA's become more popular and speeds improve the hacker community will move towards one-off computers they made themselves.
This coupled with your idea of 3d printing for casing is interesting.
I think it would be impossible, from a computer science standpoint, to create a backdoor in an FPGA that could compromise your own OS, in a general case. Perhaps, the computer that you use to program the chip could be compromised, to change the code that is put on the FPGA.
When I wrote that, I was under the assumption that people would use open-source CPU designs from OpenCore for convenience. With a little help from Xilinx and Altera, it wouldn't be too hard for a government to have the synthesizer detect when an OpenCore design is being used and surreptitiously put a backdoor in. I admit that it would be hard to write software to simultaneously detect a completely unique CPU design is being synthesized, figure out its instruction set and weaknesses, and finally create a hardware backdoor that could circumvent any software written for that device.
As always, there's a tradeoff between cost and security. How many hardware hackers are good enough (or motivated enough) to design their own brand new ISA and CPU design, then bootstrap a compiler and OS for their homemade CPU? Maybe 0.001% of the population, if that.
Well, I'd be down to try at somepoint, if I knew where to start. I feel like moving forward from now, in general, the future will require these skills in order to maintain some sovernty over onself.
I was wondering about that too. So we're down to buying silicon wafers in the the mail, 3d printer or some set up to dope them using open source designs? Is this possible now?
I really admire your sober and well thought out proposal.
Implementing what you suggest is just such a lot of work. Certainly too much for me, when I weight up the odds I'll fall foul of Big Brother ( as an Oz living in London. Burma, Saudi, etc have clear problems )
I believe that if one comes on the radar of Big Brother, it is for boring mundane reasons like they don't like your politics, they don't like someone you communicate with or you're a lawyer representing someone they don't like.
There are clearly edge cases with serious consequences, such as a police chief fancies your wife and uses privilege to mess with you. But these are rare thank G-d, and one probably has a heads up that this is occurring.
In this context of very low probability consequences, how can I justify all the effort ??
At least using PGP or GPG for your emails isn't much effort. These tools are very easy to integrate into all of the common mail clients and some web services. The only "hard" part is to get your communication partners to use them as well.
Yes, but not in a technical sense. People think encryption is hard. They believe that they have to jump huge hurdles and will be confronted with an incredible learning curve in order to protect their privacy via encryption. The fact of the matter is, that this is simply a misconception. There's nothing hard about using PGP for instance. It integrates nicely almost everywhere the typical user would want to use it with. The process is already rather streamlined. Our job as those who know this is to educate those who don't in how to use encryption. Most people I've done this with so far said something like "What? That's it?".
Because we are technical people, it's very tempting to think of a technical solution to the problem. This author is right on the money though. Against a state level actor there is little hope of securing your own person and effects, and thus, your technical solution.
I agree that a political solution is strongly preferable, but I'm not sure if that's ever going to happen. The only reason that the NSA can listen in on your Facebook, Google, Skype (etc) activity is because:
1. These communication tools are operated by a company under American jurisdiction, that can therefore be strong-armed into cooperation
2. These communication tools store your data unencrypted
3. The world outside that company has no way of figuring out what is happening inside (i.e. no transparency)
I am therefore of the opinion that the only viable technical solution to Prism has to be
a. Completely decentralized
b. Fully (end-to-end) encrypted
c. Open source
If our communication tools were decentralized, encrypted and open source, then the NSA would have had a much harder job listening in. What needs to happen is that we need to build those systems, and basically divorce Facebook the company from Facebook the tool.
We need to change the playing field, and remove the capability to listen in on our communications. The internet is an amazing tool, but it's still in its infancy. It could very well be that, decades from now, we will look back at this period and wonder how it was even possible that the NSA was listening in on every single person in the world. We're not there yet, but it's not impossible.
That's mostly true - but in the Facebook example (and Twitter, and to a much lesser extent gmail and Skype) - the whole purpose of using the service for most people is to be at least partially "public". Facebook wouldn't work if every message was encrypted - at least not unless it was encrypted in such a way that a large number of nodes on your social graph can all decrypt them. If my ~250 Facebook friends or ~500 Twitter followers can't read what I write there, the services would be useless. I'd _prefer_ the marketers and the NSA didn't also have access to my personal and professional interactions on Twitter/Facebook, but they're fundamentally "public". (I know there's "privacy" control for both services, but they only cut things down from "everybody sees what I post" to "all or perhaps just some of my contacts see what I post", not actually "private")
And the fundamental problem is, out of those 500 or 600 "contacts" I've got on Twitter/Facebook, I've got maybe 2 dozen PGP keys matching them. By far the greatest portion of any email I send is going to have to arrive in friends/colleages/clients mailboxes as cleartext, and I strongly suspect there are people who's PGP keys I do have, who'll decrypt mail I send them and store the cleartext somewhere vulnerable to NSA snooping anyway. Same with just about every other "technical solution", until everybody has properly managed and secured keypairs - most communication is going to have weakest-link vulnerabilities that are trivially defeat-able to a "globally present network embedded adversary". Having said that, it's still worth doing, from the point of view of increasing the level of difficulty for a ubiquiously surveilling adversary. (with the probably downside of drawing attention to myself by asserting my ethical "right to privacy", which is no doubt interpreted as "doing something suspicious" by the opponent)
You make two good points, but only the first one is structural. How do you keep information secure if it's meant to be semi-public? That's a rather fundamental question, and I don't have an answer to it. There must be a better way than storing everything in plain text in a centralized database, though.
Just think about it: the current communication tools store all the world's communication in plain text databases on American soil. No wonder the NSA engineered access to it - it is a prize too good to be true. I think we can and should at least try to change that.
Regarding the availability and use of PGP key pairs and related technology: you're right. Almost no one uses them, save for security enthusiasts. They're difficult to use, overly technical, make you feel like a paranoid conspiracy theorist and are frankly a pain. Those are all issues that could be overcome, though. There are no real, actual, structural reasons why good security has to be difficult to use.
But what I'm really wondering about is the best way forward. Like I said, I would strongly prefer a political solution, but I'm skeptical if that will ever pan out. I've been mulling this for a while, and if we would really want decentralized, encrypted, open source means of communications, shouldn't we take a structural approach to this?
The Diaspora guys had some ideas – but they were either not good enough ideas or too difficult to execute on to gain much traction, from what I can see.
It's an interesting question – who's going to fund writing the software that effectively needs to replace Facebook while making it impossible to monetise in the ways Facebook can?
(Random half-baked ideas: what about something built on top of BitTorrentSync? A distributed encrypted file storage repo with sufficient storage/bandwidth on every users machine to store many encrypted blobs, some of which are encrypted using your public key. A client-side app that gives you a personal view of that data showing only the stuff meant for you. Work backwards from there to a Facebook or Twitter like service, with a whole bunch of strong crypto using PGP keypairs and self-signed TLS certs authenticated with your social graph's web of trust. It's almost certainly more difficult than that though - I feel like like this guy: http://xkcd.com/793/ – and we're now back at the "everyone just needs a PGP keypair" showstopper…)
If our communication tools were decentralized, encrypted and open source, then the NSA would have had a much harder job listening in.
It makes eavesdropping without a warrant harder. However, in some countries the refusal to turn over a private key to the police is already a crime [1]. I don't find it hard to imagine that governments would seek to require that private keys are handed to the government or that they would reintroduce a Clipper-like chip. Especially if it becomes harder to wiretap via Facebook et al.
I agree that a political solution is strongly preferable, but I'm not sure if that's ever going to happen.
I am not sure. I think that under sufficient political pressure, it could happen in Europe. Perhaps with the wrong motivation (weakening the position of US companies), but some influential politicians (e.g. Neelie Kroes) have been very critical of Prism. Of course, we don't know that much of the breadth of data collection of EU security agencies...
One of the author's points was that you can't even trust your hardware. To prevent this fundamental weakness, we would need a whole new infrastructure of open-source hardware designs along with manufacturers who could somehow be trusted not to insert backdoors.
Also, you can't live in modern society without doing communicating with entities who you don't necessarily trust with your privacy (i.e. businesses). If the other party is agnostic or malicious regarding your privacy then you need the state's help if you want protection.
Expecting "perfect solutions" is absurd. Technological solutions can mitigate some risk and politics can mitigate some danger. Someone sufficiently powerful CAN still remove your privacy, always, but the goal is to make it hard enough that no such entity exists who might want to do it. Its a lot easier to remove the privacy of a jail prisoner in a third world country who uses plaintext and no password. It is a lot harder to do that to someone if they have encryption, AND the power of a nation state and/or a society ready to defend their privacy with ample force.
But the real reason technologists focus on the tech is because it is their area of expertise.
I have seen more bad things happening from politics than from encryption. Politics, in just about any nation, is the never ending cancer of "making deals". The never-ending tit for tat, the compromise. We need NO compromise. I'm in my 60's now, and have seen the internet been born. Actually I contributed to that birth while working at Arpa. Privacy, no matter how I look at it, is ABSOLUTE. Also for criminals, and yes, even for terrorists. Humans have the natural expectation of privacy. That's probably difficult to absorb for many reading this medium. Every human being has the ultimate right to be in charge of his or her own mind. Politics conflicts with privacy, all the time. Politics established the rule of law, and, did so by and at the convenience of those with the loudest noise and the toughest axes. Since none of us is capable, willing or able to put the politicians out of (our) business, we can only find resolve in taking care ourselves, and thus deploy encryption. And we do have good quality crypto. And it is even free. Can it be broken? Over time, yes. But complexity, volume and speed can make that a fairly long trajectory. Can it be broken by quantum-cryptanalysis? Probably yes, but even that is more than 30 years away to be in infant stage. The real problem is the endpoint security. Well, work on it, make it better, improve it. Don't just stand there and accept God knows who to run away with YOUR thoughts, ideas, inventions, preferences or problems. And by all means, please do NOT think that government, any government, is the only one looking at your data. There is an entire commercial world busy with your stuff without you knowing about it. ---RTF
PS: and yes, this is anonymous. My students would probably scaffold that I'm a weakling :)
More Encryption is not the final solution to the problem. I fully agree here. However, encryption should be the default for all communication. It provides a certain degree of privacy after all. Yes, there are weaknesses in some of the tools used. That can always happen. As the technical crowd, we should fix those weaknesses instead of screaming "encryption is useless".
I for one don't feel like making it easy for the NSA, a foreign agency in my case, to spy on me. I owe it to my privacy to at least try and protect it.
The political change that is necessary is out of my reach in the case of PRISM, as I am not from the US. I can only hope that the American public will realize how bad this really is and act accordingly. After all, this is still a democracy and it will be until all privacy has been taken away completely.
Just use bloody SIP or any other cryptographically-sound protocol; maintain trust with people and their personal endpoints, rather than companies which are obviously under enormous state pressure(the threat of violence and imprisonment, and the rape included with that, for life) to give up the goodies.
We have other issues, including the pervasive use of proprietary software trading convenience over the pragmatic requirement of not having industrial or governmental espionage committed against you.
Intel is under grave pressure to inject these bugs into their CPUs, and even a well-audited system such as OpenBSD is not modular enough to prevent remote exploitation through network stacks(see the last two remote vulnerabilities), but laziness leaves them on monolithic kernels.
Even if the systems worked correctly, proprietary firmware in PCIe devices like network cards and graphics cards allows them to directly access memory on the bus, generally with very little protection, and often enough with none at all.
You guys are buying all of this crap, supporting the people who subjugate and bend.
You paid them knowingly to do all of this crap(in addition to raping, killing, and enslaving hundreds of millions or billions in other countries), and you continue to today.
If you want this stuff to stop happening, you need to simply stop knowingly supporting these things, and playing dumb when you learn the specifics.
This viewpoint became very popular recently and it strikes me as odd. Does the author always leave his house unlocked because there is a law against theft? "Your" nation state over which you presumably have some degree of political control is absolutely not the only adversary. There are foreign states, there are cybercrime gangs etc.
Also, while politics sometimes trumps cryptography, the opposite happens just as often. All the police force is useless if they don't know where to point their guns (see Silk Road)
On top of that, increasing encryption definitely helps for mass surveillance - it's impractical to break all the keys for all the messages all the time.
Maybe they will still be able to spy on a select few individuals (just like they can order a locksmith to open a safe, or just blowtorch through).
But then again, there are much cheaper and old school ways to spy on a select few individuals
Encryption is not absolutely safe because it relies on trusting in who's at the other end, but it surely is much better than using clear net. We can still trust a few entities, right? We need to collectively scrutinize and make informed guesses about who to trust.
At the moment I set up TOR and use Starpage.COM instead of Google. Auto-delete cookies after closing the tabs and actively remove ads and tracking JS from web pages with the help of a few browser extensions. It's not perfect, but it's above average for the moment.
You know how we could become anonymous? Just pipe the traffic of 1000 people through the same box, mix their searches and pages loaded in the same stream. Then send them on the clear net - they can't trace back who requested what. Hiding in the crowd, in plain sight.
That's a good idea, but it falls down the first time someone in the crowd starts downloading cp. Instead of having one, or a few, people being traced to their IP and investigated for cp, you now have 1,000 people under suspicion. You can protect users by ensuring that the box doesn't log any information about them, but then the box's admin is the one being held responsible.
And how would author convince Russia or China not to spy? Or some people who are not government at all? (terrorists, scam...). Also NSA lied several times and said it would lie again.
Lets just treat it as any other security issue. Banning XSS in parliament is ridiculous.
The difference is the country in which the hardware or the business resides has many more tools for getting at private data. They can just hit you with a wrench until you give up your secrets.
People belive politics consists of picketing and elections. That's not it, as those don't deal with actual issues that effect society. Politics is about the organization of society and the systematic control over violence and power. No one wil put in the effort to protest a meaningful amount to change anything, as the cost/benefit isn't worth it for any one actor. But people who do wish to protect their privacy and find it worthwhile to circumvent the state will do so. Circumventing state power is an actual political solution.
I agree that if the privacy laws are strong, and anyone from any agency breaks those laws, he should be severely punished. In such a society and such an environment, you'd still be free to use services however you want.
Unfortunately, the current environment lets even the intelligence chief get away with blatantly lying to Congress about who's he spying on and why. I agree that a policy solution is definitely preferable in the long run, but for now we should protect ourselves however we can, until we get to turn the "surveillance state" into a "privacy state".
In general, the points are OK. Small detail which the author got wrong: According to the now famous Prism slides, Skype was a part of that program before it was sold to Microsoft. It seems that MSFT engineers didn't need to change the architecture just for that feature.
That also proves that the end users can't assume that they can get any idea when some company starts to be the part of such a program, even if now everybody likes to feel smart and more secure in his abilities to spot the difference: "look it was the architecture change."
I think the author is spot on, but not for the technical reasons given. As individuals, we don't share a need or desire for the type of operational discipline required to operate securely.
The US DoD/DISA publishes some of their documentation for how to operate iOS devices that access unclassified DoD networks (google for "ios stig"). It's inflexible -- no app store (except for internal, whitelisted app store), no music/etc, no iMessage, etc. They have a need to operate that way because even simple things like the physical location of personnel are potentially meaningful to adversaries. They also have the budget to do so.
I think that you need to scale up your security measures to meet your needs. If I were a political candidate running for a significant office, I'd demand a level of operational discipline to ensure that communication with key people was secure. Ditto if I were personally involved in some sort of extended litigation for attorney-client email.
Beyond that, what's the point? I could send pictures of my one-year old's birthday party to my mom with GPG. But why? And how would I expect my mom to handle that picture afterwards? Secrets (encrypted or not) are as strong as their weakest link -- I think that we all learned that lesson in high school.
The US government was already tracking every citizen's postal mail, and storing a copy of the contents for potential later use, for many years before networked computers, "email" and the "world wide web".
Further, anyone working at a government security contractor could at their own discretion inspect any such postal mail.
I would hope you're now thinking "Wait a second. That would be quite difficult to do." Truthfully, I have no idea whether postal mail was tracked and stored; I am only trying to make a point.
My point is that one reason we're seeing a mass scale dragnet now is because _it is so easy to accomplish_.
phk seems to ignore this inconvenient fact.
I see no reason for him to try to persuade citizens to choose politics _over_ use of technology as a means to preserve their right to privacy. Why does his frame of reference need to be binary: that it's either one or the other? Is there a rationale for this?
Maybe citizens should pursue _both_?
If citizens routinely through their choice of technology make surveillance of their communications _ridiculously easy_, then how will they be perceived when they come forth and demand greater privacy? Who would take them seriously?
If citizens are to persuade their representatives that the privacy of their communications is important to protect, then I would argue they must practice what they advocate. They should not be communicating by megaphone. Or plain text.
Encryption is not the silver bullet, I agree with that.
All the points he makes are possible scenarios. After Snowden, almost nothing that can be done seems unlikely to have been done. Heck, even the movie "The Net" looks like prophecy come true now.
It's weird to think that encryption is not as secure as we all believed but it still makes it more difficult for the Big Brother to watch over all of use.
In the end, encryption is only completely useless if each and every provider reports to the government. It's a shame and disgrace for the western world that we even assume that this could become a reality.
> Several nation-states, most notably the United Kingdom, have enacted laws that allow the police to jail suspects until they reveal the cryptographic keys to unlock their computers. Such laws open a host of due process and civil rights issues that we do not need to dwell on here. For now it is enough to note that such laws can be enacted and enforced.
Doesn't steganography mitigate this issue if used properly?
> * When a government couldn't be trusted by the general population in the past, you got revolution.*
To get a revolution the government would have to start to starve people. I don't think there was any period in history of organized nation-states when people trusted those in power.
> Only a very lazy and apolitical society would say that technology is the only recourse.
Technology is a force multiplier. Moreover, technology shapes the environment we live in. We can all see that groups of people behave like water. They do what they have always done (i.e. move down the potential gradient). You can try and do politics all you want, but this tend to be as pointless as arguing with water to start flowing upstream. What you can do is to change the potential gradient, and let the people achieve your goals by doing what they were always doing.
That's why I think technological solutions are important, and probably we should focus mainly on them.
>To get a revolution the government would have to start to starve people.
That's like the naive marxist notion that it's all about the economy. People have revolted without being starved and people have starved without revolting. Culture, patriotism, hummiliation, religion, and tons of other factors come into play.
>Technology is a force multiplier.
Yes, and if the government is allowed to have 10 times the force of regular citizens, then the government ends with 10multipler power using technology, where the people with just 1multiplier. That's why technology is not a solution.
>Moreover, technology shapes the environment we live in. We can all see that groups of people behave like water. They do what they have always done
The last 3000 years of history show great shifts of power, strikes, revolts, changes in government and culture etc. And the 2400 of them (e.g 1600 AD and before) are not even related with any great changes in technology.
Of course if people are convinced that they "behave like water", they will behave like water.
But that's not what history shows they did (and do).
He made a point saying the privacy problem will not be solved with more encryption. The problem is that there is no way to stop a terrorist plot or illegal activity without the ability to know of it's existence.
The author says the solution can only be on the politics side, but frankly I see a dilemma and don't see how to solve it.
The author makes an interresting parallel with the privacy loss we have at work and we accept. But I know I accept it because there are rules and higher authority that can punish abuse. The problem is that this doesn't exist with states spying.
If there was an authority who could punish states who abuse the information gathered for surveillance, then I beleive we could reconcile the need of surveilance for collective security interest and trust in privacy.
We may need some more decades to reach such evolution stage.
One worrying thing about more encryption is that there is a sudden flurry of more bad encryption. Many products are trivially easy to break. (If I can break them any idiot can break them.)
The combinations[1] mean that many people are not protected, and do not know that they are not protected.
What a bunch of establishment hacks... technological workarounds to political problems is politics. The current regime put this here, they're not going to remove it because we ask politely. That's a childish hope.
Politics is the answer yes in an ideal world. But politics does not scale, encryption does. What I mean is its very tough for just one country to respect privacy in their laws. So if we want the world to do so will be impractical.
This author reaches pretty far. The NSA paid Microsoft to acquire Skype? You can't just materialize multiple billions of dollars on a public company's income statement.
You can indeed. The figures are very large and you cannot view item level detail in the financials, only general concepts. The NSA may be propping up the Azure division or one of countless others through backroom deals over this type of thing.
In addition to selling extra-high priced items to NSA/Military/Government, the Government could allow the company tax breaks it wouldn't get otherwise.
Tax rules for a company of the size of Microsoft are not simple. It's not impossible to hide stuff.
Doesn't seem that hard. It could show up as "department of agriculture/energy/..." bought X million licenses of windows and office spread out over years, a few friendly countries, a few front corporations...
i realise that this doesn't affect the main point of the article, but the example on non-random symmetric keys in https is wrong, isn't it? the key is chosen by the client, not the server. http://stackoverflow.com/questions/3936071/how-does-browser-...
"The only surefire way to gain back our privacy is also the least likely: the citizens of all nation- states must empower politicians who will defund and dismantle the espionage machinery and instead rely on international cooperation to expose and prevent terrorist activity."
TFA just explained why this is not a "surefire" way.
Not to mention that the last 40 years not much progress has been made in this direction (if any).
Also: the other proposition also helps putting a better government in place. The "technological" solution, even if it worked, it would only solve the very specific problem of privacy. Not the much more important problem of a government that betrayed the trust of the people.
Not the much more important problem of a government that betrayed the trust of the people.
We've built a system that makes sure liars and demagogues get into office. Until people are on board with putting an end to such a system of elections, the only way to change the political landscape will be to circumvent it.
In general I agree, but I think encryption is still also an answer. You "simply" need to reduce the number of people you trust in, i.e. don't use Skype, write your own chat program.
Big companies' ability to break the encryption between them an you is irrelevant: if they're the legitimate receiver of the communication, they can offer the plain text directly to governments.
The ability for a third party to break the secrecy between two individuals has a pretty good solution though, and that solution is local encryption + open source. It makes it very difficult for states to compromise the scheme, and every time they use this ability, they're at risk of having their exploit discovered, and going blind again. They'd only use information gathered that way for legitimate national security reasons, and will never show it in a court for instance. A discovered 0-day exploit in OpenSSL or GPG isn't as easily replaced as one in Flash player.
The biggest potential impact of Snowden's revelations is that now, any security scheme relying on trusting a third party companies has to be considered unacceptably weak, at least if you mind governments--or companies sponsoring politicians--reading everything you exchange.
TL;DR: encryption isn't the absolute weapon against illegal spying by governments, but it helps making it extremely difficult, expensive and unscalable. Which is good enough a reason to promote it in addition to political action.