For me, all the revelations and confirmations of foil hat theories have destroyed the joy the internet used to be. To me its now a dirty high tech voyeur spy's dream.
As for the US part of this, yes, my country the UK, is up to its neck in it, but, the part that is driving me away from the internet is the fact that Americans think their laws apply to non-Americans, and if necessary, Americans will force those laws on people who had no vote in it what so ever. Government will be leaned on and pressured to hand their people over to a US legal system I have zero faith in, and a penal system that borders a barbaric reinvention of slavery. If that fails, the US will "render" people, or as the rest of us call it, kidnap. To get my encryption keys, as a foreigner I genuinely fear American torture.
Now, I suspect the likes of China also do or aspire to spy on us all in the same way, but I don't feel the same risk of state kidnap, their laws, legals system, etc.
The spying is one thing, to a point I can live with that and alter behavior to compensate, but the idea I could break laws I don't agree with and have no influence over, while getting no support from my government, or be kidnapped, is frankly too much to accept. Even in typing this post I am self censoring.
As such, the internet has now become something I'm now very wary of. I almost feel like the using the internet is the same as traveling to the US, which is something I would never ever do. Its simply not worth the risk to my liberty and freedom.
The confirmation that there can be no expectation of privacy has destroyed a lot of the joy of internet use for me as well. At a more pressing existential level, it's making me despise working in web development. I may never work on a project 'noteworthy' enough to warrant the NSA seeing some use in collecting data from it, but I am firmly in the startup minded 30ish crowd willfully slaving away the prime of my life making tools and sites that encourage people to use and trust this byzantine conduit of an internet thoroughly infested with spooks gleefully abusing power and destroying privacy more and more every day.
Edit: perhaps research and training in security and seeing how I can contribute on that front is the first step back towards being proud of my work...?
> Edit: perhaps research and training in security and seeing how I can contribute on that front is the first step back towards being proud of my work...?
Well. The open-source tools might be as easy as the professional tools to taint.
Someone training for the CCNA/P-Security or any other certifications is still using the same corrupted conduits :(
William Gibson said this about virtual lights (a novel which deals with bike messengers and data): "In the future, information'll be more secure when written on paper and transported by physical human hands than on the wired."
Hyperboria is a technology that is in it's infancy, and is currently woefully underdeveloped. If you don't like contributing to the development of the Internet, maybe you could contribute instead to another network that runs a little less parallel to the United States?
I feel the same way. Besides the fact that I think the Patriot Act and the FISA Amendments Act are disgusting, unconstitutional laws, at least let that be Americans' problem. If they are fine with it, so be it (they really shouldn't be, though).
But in no way do I find acceptable that just because I'm using an American service, the US has access at will to all my data. I think it's common sense that there should be international treaties that state that "if you want my citizen's data, then you have to ask me first (the local government)".
Stuff like that is what (maybe) will restore some trust in US companies in the future, but it's only one small step of the many steps needed to be taken to ensure the protection of both Americans and foreigners' privacy.
The way I see it, foreigners with data on American corporations' servers should be more protected than American citizens, not less, because I'm not their damn citizen, so they have no business scooping up all my data when they want to! At least that's how they should approach this if they still care about the "economy" and their corporations' welfare.
EU and UN also need to speak up more and say that this whole NSA spying thing is infringing on everyone's human rights for privacy. I feel this argument is being used very little right now, because I do think having private communications goes well beyond just one country's Constitution.
That's rich. You can be imprisoned by your own UK government for having a file of random numbers and "refusing" to give the encryption key that doesn't exist, and neither citizens nor travelers have the right to even remain silent.
I think this anti-USA kick is misplaced anger about your own governments being happily in cahoots. Do you think US strong-armed UK into house arresting Assange or interrogating Miranda? The UK/USA liaisons are probably high-fiving each other over these things.
Germany apparently was using XKEYSCORE, but oh my where could that data have come from? The information fairy came and put it under their pillow!
Come on. Your governments are just as bad or worse and that's why these revelations are so troubling for you.
You may be right but then again you might be wrong. I'd rather not psychoanalyze in the middle of a discussion. The universal police with a 10-year long jail with no trial is there, and it is not the UK's or Spain for that matter.
I have to say that even for someone like myself who considers himself very America friendly for personal, cultural and historical reasons, it is very hard to stomach the kind of attitude coming from the US right now.
The president and the NSA are basically saying, don't worry, we're not running a dragnet data mining operation that covers everything and everyone and violates your most basic privacy rights, unless you happen not to be a US person.
We seem to be at a rather dangerous stage within that process of globalization if a profound sense of injustice and inequality spreads beyond a small group of radicalized fanatics right into the mainstream of many societies around the world.
There are many benefits to having some cultural commons, a language that everyone knows, some common ideas about what's right and wrong. I'd hate to see the world slide into the kind of void that followed the decline of the Roman Empire, or worse some kind of global apartheid state.
"I almost feel like the using the internet is the same as traveling to the US, which is something I would never ever do."
Seriously, you're so terrified of traveling to the US? Give me a break man, the UK government has done plenty of scary things and have been complicit and willful participants in the sort of surveillance the NSA is conducting. Are you hiding under your bed at night then, because if you're scared just to travel in the US I would feel you should be just as terrified living in your own country.
I'm going to be in the UK in a few weeks, maybe I should be concerned I'll be detained for 9 hours without access to a lawyer and my laptop, phone, and other electronics confiscated for no reason other then some nebulous pretense that I could be associated with terrorists?
While I'm seriously concerned about the what the NSA is doing some of the language I've seen here borders a bit on the ridiculous. I don't think anyone should legitimately terrified to the point of not wanting to travel in any of these places quite yet, as opposed to lets say Eygpt, where there are more real dangers and a seriously corrupt government and police state. A bit more on the rational side figuring out which encryption technologies the NSA has compromised (http://bit.ly/17botWf) and not using them might be a more valuable use of your time.
The fun you'd been having at the web services party was facilitated by denial. The software community has wasted the past several years focusing on flawed technologies, and has now built up a dependency on easy VC money (which only flows with the promise of creating new middlemen) and the glamor it brings.
The way to repent is by migrating to securable[0] technologies where possible, and deprecating insecure ones by treating them as prima facie compromised. Yes, this means giving up the unthinking conveniences you've probably become accustomed to. For instance, if you care about the security of "your data", you simply cannot have unfettered access on a contemporary mobile phone. For that capability to be created, we have to stop pretending that it already exists. Otherwise, the demand shifts towards MHz+eyecandy bumps instead of for phones that create security for their users.
[0] The primary thing for a secure technology is not to be assuredly secure, but for it to have a design goals that are compatible with security. For instance, OpenSSH may still have gaping holes in it. But when these are discovered, they are considered unambiguous bugs and they're patched to be closer to the platonic. A system that relies on storing plaintext or equivalents on someone else's server can never be patched to fix this.
At some level I'm very disappointed and depressed by the revelations, even though I'm not surprised and had suspected much of it, since it 'seemed' possible, and these agencies are in a continuous arms race largely of their own paranoid invention (although I would argue that the CIA does more than it's fair share to ensure that foreign meddling is a reality that the world has to deal with). This is why I think the story about adversary roadmaps being affected is largely nonsense; many, many hackers have known about these possibilities for a long time.
I feel like a lot of businesses and VC funds have intentionally tried to push towards collecting as much user data and communications as possible, knowing how valuable it will be not only for advertising and genuine business, but also for national and international security, a world of secret dollars and prop-ups for important data stations.
Maybe that's me pushing too much complicity where none exists, but I honestly get the feeling that there must have been enough people with experience of communications interception history in S.V. (IT, telecoms, communications have existed for a long time before Internet startups, and will have been doing similar things during the cold war) to know that this was going to be a big trend. They would have been able to least slightly influence the recent trends towards 'openness' and 'social sharing', which neatly leverage narcissism, human psychology, and network effects to draw people in (and promote consumerism as a side benefit).
The inward-looking nature of the U.S. is definitely a concern as well - there's still certainly a huge amount of naivety about the rest of the world and the way things work elsewhere, even in cultured circles where people travel -- ultimately the news and media still set a lot of opinions. There is an awareness that many things operate differently in other countries, but very often only a miniscule understanding of different cultures (socialized healthcare being a long-running example).
So yes, it is very annoying that so much data travels over U.S. links, and that there is so much focus on how everything is OK, because the U.S. works hard to avoid spying on it's own citizens -- when that is just a tiny proportion of the world population, which is broadly innocent. At near enough a billion users, a huge proportion of Facebook users have no protection from this at all - and so any upcoming politicians in other countries are completely open to access, presumably.
I would disagree slightly on the point regarding other countries - I honestly think that on the whole, the U.S. does still respect free speech and has a bit of an edge on other countries in terms of liberties, but the trends are very worrying, and what will be important is how it reacts as a country to legitimate attempts to understand, curtail, and avoid all this surveillance.
All this said, I'm an eternal optimist - I think we have the tools to build very good secure communications, and I think we can do it with distributed systems. We can now transfer value without banks using bitcoin, route traffic very ambiguously and easily using Tor, encrypt and send messages anonymously using bitmessage/PGP/etc. It is possible to get off Gmail and Facebook, we just need to make it easier to do so, and provide the functionality that everyone expects in a more distributed setting.
There's a lot of work to make it all easy to use safely (even for hackers, but then for everyone), and then a lot more work to get it adopted widely, but I think there will be a huge appetite for it now, and I think it can be done. The more revelations that appear and the more that the realities of centralization and surveillance become part of the public understanding, the easier it'll be to persuade people to use secure services -- and crucially, the better people will be able to critique the vulnerabilities of them.
Money and marketing are a huge force multiplier for centralized services (especially if they have state-level support), but ultimately as long as the Internet is there and allows us to communicate, eventually we'll figure this stuff out and build the tools we need.
I agree with you for the most part, except for your concern about not having a vote on laws that effect you. In America, voting is a placebo. It has been effectively neutered of all potency or threat to the political regime. Do you believe that things would be different if Americans elected John McCain in 2008 or Romney in 2012?
All politicians draw from the same pool of bureaucrats and advisors. They all went to the same schools, mostly in the Northeast United States. Every member of the President's board of economic advisors has been from a school in Cambridge, MA since the turn of the millennium.
Only 2,000 jobs are elected or politically appointed out of a federal bureaucracy numbering over 2.5 million people. We could give the Brits a vote in American elections and it simply wouldn't make any difference. Democracy has been successfully tamed by politicians.
You are raving. Every society has thoughtcrimes—no sensible person voted for them, civil liberties do not apply, and there is no recourse or appeal.
All the U.S. influence means is that you now have to check CNN.com as well as the Daily Mail. If CNN has weeks of coverage of new anti-tomato laws, move your pro-tomato website to a non-American server. For the most part, the CIA is just a bunch of fashion-conscious hipsters with really cool spy shit. Avoid whatever is unfashionable and you're safe.
If you really want to worry about government surveillance, worry about one of your friends drinking an epic amount of cider and deciding to use your bank card on a kiddie porn website as a lark. The NSA's influence is nothing compare to what your local thoughtcrime enforcers do.
Speaking as a foreigner, I now have very little trust for basically any major US tech corporation. The NSA claims it deals responsibly with data relating to US citizens: I'm not a US citizen.
I plan on spending the next few months moving most of my accounts back to self-hosted, or at least hosted nationally.
"...The state then is the most flagrant negation, the most cynical and complete negation of humanity. It rends apart the universal solidarity of all men upon earth, and it unites some of them only in order to destroy, conquer, and enslave all the rest. It takes under its protection only its own citizens, and it recognizes human right, humanity, and civilization only within the confines of its own boundaries."
For non-US companies this is even worse. We could actually get sued for not securing our data, if we use hosting in US. Already happened to Irish Google.
It could actually result in people being sued in the US as well. There are many standards that require protection of user data (like PCI and HIPPA) that could be compromised by the NSA. Yet there is no simple defense since you can't point a finger at a secretive government agency. If you are legally required to demonstrate the data is protected, yet it appears to be available to any random contractor of the NSA, it might make it impossible to provide that guarantee.
It's kind of absurd. I'm working with Restore the Fourth, who, to my knowledge, is one of the only groups who is keeping on the surveillance message.
It's frustrating. I don't believe the US should spy on foreign citizens. But in order to present a bulletproof argument, I have to focus on "American Citizens".
The main reason for this is because spying on American citizens is actually illegal. If I let the concept of "foreigners" into the discussion, I lose the constitutional, legal, and rhetorical footing that is already pretty tenuous.
When you're talking about spying on communications over the wire I agree, but that's not the scandal here. The scandal here is that the USG's position is that "we can obtain from the service provider without a warrant the data of any user or corporation as long as they are foreign, even if that data is stored in a non-US datacenter".
Imagine the same kind of position in the physical world. A multinational storage company would be forced by the USG to open up a client's storage locker somewhere in Europe, copy all the documents in it and send them to the US.
If nothing else this is a very serious threat to the US as the global provider of tech services.
Again, name one country in the world that does not have this position. You tried to change the topic to law enforcement, we're talking about spy agencies. They operate on different rules.
MI5/6 doesn't go 'oh poppycock, they've hopped on the chunnel and fled to France.' They talk to the French agencies or if it's too secret, they go and do it them self. Mossad doesn't give a damn where in the world you are.
'Everyone, everywhere, our laws only exist in our country' is, and has been for a long time, standard operating procedure for these agencies in every country for basically their entire existence.
>Again, name one country in the world that does not have this position. You tried to change the topic to law enforcement, we're talking about spy agencies. They operate on different rules.
I didn't change the topic at all. I can't quote the relevant laws in this case but as far as I know the law in Europe is that you need a warrant to get the information and that requirement doesn't disappear if the owner of the information is a foreigner.
That's what's truly amazing in the USG's position. I agree that everyone tries to spy on information on the wire, but the idea that you can demand any information at rest from any company as long as the owner of the information is a foreigner is an amazing position to hold.
There are two other reasons to move your data to your own jurisdiction from US services. 1) the US has the most well funded military so your local spooks probably have less capabilities 2) if one of your local spooks spies on you at least you're in the same jurisdiction and have a small amount of agency (the courts, the vote).
Everyone is spying to the extent their budget allows. Keep in mind US military spending is larger that the rest of the world combined. Nobody else on the planet has the ability to bribe or coerce equipment and software makers like the NSA.
There is without doubt an asymmetry at play. Try to read the following headlines with reversed roles: http://news.firedoglake.com/2012/01/06/us-ambassador-to-spai... In many countries the patience is running out. If that turns out to have political consequence remains to be seen. But I do not believe that all governments are the same in that respect.
However, there is a thing called economic espionage. Depending on what you're doing, having your own government spy on you can be a very different thing from having a foreign government spy on you.
Then, what you do, is what Cuba, Vietnam, Venezuela did/does, you organize local watch committees. These bodies are set-up so that neighbors rat on neighbors. No big budgets necessary. You trust on one and by and large, you outwardly toe the party line.
I use affinity.net.nz -- it's run by a friend :). Probably not the greatest if you're not in New Zealand though, as our international bandwidth charges are pretty high.
The only issue with that, speaking as a US citizen living abroad, is that at some point you will likely interact with a person or service based in the US, at which point you can consider your communication intercepted, as it were.
We're all dealing with 'unknown unknowns', that which we don't know we don't know because it's so secretive. If it were a 'known unknown' (such as "What is water made of?"), we could at least know where to go to find out such information (and actually find it out).
There's no unknown unknowns in the NSA surveillance - that's for things where you don't know what the risks are.
This is a case of known unknowns - you don't know if any given piece of digital information about you has been collected and investigated, but an easy way is to simply assume that it all has. Same with encryption backdoors - we know they're possible, we just don't know where they exist. What's more, we even have examples of these kind of things existing from things like the Great Firewall.
Unknown unknowns would be (for example) a sufficiently general P = NP proof rendering crypto as it exists today obsolete, efficient large qubit quantum computing clusters running Shor's algorithm, or mind-reading at a distance apparatus, or genuine telepathy, or anything that's completely off the charts.
Assume all the certificate authorities based in the US are compromised, all the cryptography implementations from the US are backdoored, and all the communications transiting in the US in any form are available to search by whomever you least want to see them.
The problem with "assume the maximum worst everything" case is that it places constraints on you that are essentially certain to be overly broad. Building a workable threat model & defending against it isn't practical (or necessary) if you assume worst case everything.
For example, have they recorded all IP traffic ever? It's possible, but absolutely overwhelmingly unlikely. But all IP traffic originating from $small_anti-US_country_x in the last year? That's a whole lot more plausible, and thus probably worthwhile to defend against.
Also, does that mean non-US CAs are trustworthy? Are non-US comms also subject to tapping, modernday Ivy Bells[1] style?
Also, you have no real idea of exactly if/how they're analysing their captured data in order to extract "threat metrics" or whatever. Posting in a reddit thread about kittens would seem utterly innocuous to virtually everyone; but suppose their steganography detection throws a false positive on your image and by random coincidence they also have hits from some IP once used by a 'terror organisation' in the same thread.
Should threats of that nature be considered, purely because they're possible? How do you clear your name? Why won't you give up the password to the bomb plans claimed to be embedded in your image file? Is it because you're protecting other commie mutants[2]?
How well do you trust secret services in you own country?
This is overblown out of proportions, anyone that ever had any contact with secret services knows, the only rules they follow is their own, regardless of the country.
I don't :). For what it's worth, our government very recently passed laws granting our GCSB much further reaching powers. It's been a media circus; one particularly hypocritical politician's currently up in arms because a bunch of his data was compromised -- but in a staggering display of cognitive dissonance, Mr. Dunne voted for the law anyway.
Basically, I've always accepted that whatever I do online is public anyway. That doesn't mean I endorse that, and I'd rather give my money to local companies than endorse the US at this time.
Would you rather have the American NSA with the size of their budget and capabilities, trying to get at your data, or the Estonian equivalent, with their budget and capabilities?
Well for starters which one gets to talk to the Estonian state police?
But either way surveillance is either good or it's bad, I've never understood the reasoning of people who say that it's OK for their own state to do surveillance as they're "probably inept" anyways.
Would you be OK with NSA surveillance if the NSA were inept? No, you wouldn't, so apply the same standard to your own nation as you do to the USA.
There's a much higher probability of your data being compromised by the NSA than by any other surveillance institution. Not sure why you don't understand that, not all surveillance is equally successful.
The very principle is wrong, but if we assume everyone is surveilling us (which is what is being discussed as people make excuses for the US government doing it), then you'd want to be surveilled by the ones who are the least likely to actually hurt you.
It's obvious no one is thinking their own government will never try to break laws just because they're national, but the extent to which they'll do it is far, far less than the US government. For the very practical reasons of political capital, budget, technological and intellectual capabilities.
Not sure if this is the position you're asking about, but my position is that surveillance of foreigners is far less of a problem than of citizens in any state. Surveillance of local citizens can be abused to destroy democracy, whereas that of foreigners cannot be. Citizens need to be protected from their own government which holds tremendous power over them, but less so w.r.t foreign government.
>Citizens need to be protected from their own government which holds tremendous power over them, but less so w.r.t foreign government.
The US certainly holds less power over foreigners, but the CIA's job is to blur the distinction between citizens and foreigners, and the CIA operates with essentially no oversight or restrictions aside from its budget.
Nah, I'm referring to people who say that domestic surveillance from their own nation's spy agency is better than being spied on by NSA (despite their being 'foreign' to the NSA).
Although the reasoning you mention is a better way to express one of the points I was trying to make.
But we're not comparing navies. Something like a Navy has an extraordinarily high up-front cost before you get any value at all from it.
People-focused forces (such as the police or an army) don't have the same issue.
Nor do technologies that are relatively cheap, such as the kind of computer hardware that would help a state surveil its own networks.
If anything, America is slipping compared to the rest of the world with regard to the quality of their computer programmers and other computer-focused developers. Even countries like Estonia could certainly find someone to help them develop competent surveillance if necessary.
The only limitation is that they'd probably not be able to attack the underpinnings of cryptology the way the NSA probably can, but we as computer professionals already know that usually the crypto is not the problem, it's the people or the implementation that is, and both of those are within reach of the Estonia state, if they really wish.
I understand that if I was targetted for investigation, nothing within my power can really prevent that. Having worked in an ISP's operations department, I've seen both sides of the coin. I'm under no illusions here :).
Still, I'd rather my money went to local interests, and my data stayed within a sphere I have some control of.
> Still, I'd rather my money went to local interests, and my data stayed within a sphere I have some control of.
Yeah, that has an appeal all its own completely independent of what you feel about spying in general.
The USA certainly does the same in reverse, there's always a big push for buying things "Made in the USA" so it's fair to push for it the other way. :)
Unless they have the NSA's budget, the NSA mathematicians, the NSA's history of accumulating the NSA's capabilities, they can't.
If you want to visualize this, think of the world's navies. Who else but the US navy can even operate globally? Who has naval aviation? You might come to think there is a qualitative difference in the ability to do spying.
but voting with your money is a powerful tool. If the US companies lose money because of this issue, they will pressure the government to do something about it.
Just think about the use of microsoft os/programs in the government and how much they could lose.
I imagine that a foreign company not operating in the US doesn't give a damn about threats by the US, which is what I assume the OP meant. What do you mean?
Use a 0-day remote exploit to get a login, exfiltrate data.
Use a known, unpatched exploit to do same.
Use 0-day/known local exploit with sophisticated spear-phish trojan to do same.
Use leverage over domestic software suppliers to ship a customised exploitable (or directly backdoored) update to target company. Ditto domestic hardware manufacturers.
Black-bag (or diplomatic quid pro quo) tap of external or internal comm links, to get either raw traffic or encrypted. If the latter, apply other complementary techniques to obtain keys.
Infiltrate company with agent who can deploy local exploit via physical access, or who can bug/exploit workstations of users to obtain privileged access to server.
Bully/dupe the German government into raiding & seizing the server as part of an international terror/crime investigation. Acquire disk image from seized machines via direct or complementary techniques.
Purchase/acquire German company via a domestic front company. Demand IT infrastructure be 'harmonised' with acquirer and moved to US.
...and many, many more. The only reason not to do most of these things is because the cost/benefit analysis doesn't make it worthwhile to do universally without any prior suspicion.
So to summarize they need to do something else than get a NSL and have the company hand over the data. Which is what's different if the company in the US.
Even if Microsoft is telling the truth (very skeptical about it), you could see how they can easily lie through their teeth with that statement "We aren't explicitly providing a backdoor for the NSA - but hey, if NSA knows of a vulnerability in Windows that is very hidden, and we know about it, too, then it's out of our hands, and NSA can do whatever".
This is also interesting, something someone posted on HN from Steve Gibson back in 2006:
At this point I would really start with the presumption that at least Windows and Intel's chips (possibly others, too) have backdoors in them, and that the chances of that happening at this point is higher than not happening.
I'd also assume most routers have at least dormant backdoors in them. Jacob Appelbaum has been saying for years that it's easier for manufacturers to just build-in the backdoors in all routers that they're making, because so many countries demand them, and they just keep them "disabled" in the countries that don't ask for them. It might be a good idea to start installing OpenWRT firmware on your routers.
Services are forever tainted. And services are the most interesting part of the puzzle.
Open source software that runs on the client is nice, but frankly I'm not as concerned about the NSA having access to my desktop. Logging, parsing, and analyzing client data of this sort opportunistically probably doesn't scale. And it's easier for me to set up a system in my house where I can audit all incoming and outgoing traffic (not that I'm going to do it, but I'm confident that I could). The one exception to this is encryption software... more on this later.
But it's hosted services where a lot of my interesting data lives, is structured in a way that makes opportunistic scanning much easier, and there is no way for me to audit it.
There's no way for me to know that GMail's servers don't have a backdoor. Or likewise for Dropbox or Facebook or Citi or my Amazon, etc...
This means I have to encrypt everything stored on any service (which is why my encryption software does need to be backdoor free). But most services store data about me where I don't control if its encrypted or not (it's not easy to encrypt voice calls from the end user perspective).
The end result is I already have fatigue, and I haven't even done any work yet!
I think most people are going to rely on an old story:
"Two guys are walking through the woods when they run across a hungry bear. At this point one of the men quickly ties his shoes. The other man says, 'Why are you tying your shoes -- you can't outrun this bear!' To which the other man says, 'I don't need to outrun the bear, I just need to outrun you.'"
Internet services are too valuable to not use. But it will be too much work for 99.9% of the population to preserve their privacy. The lack of privacy from the NSA will become the new normal. I have trouble seeing it playing out in any other way.
Services are forever tainted. And services are the most interesting part of the puzzle.
I see it as a plus. But I've been against the very concept of such services in the first place. I think most centralization is unnecessary, that the reason it is so common today is because it is a straight-forward business plan for a company to insert itself as an intermediary between all of the users and thus extract money (and therefore efficiency) from their interactions.
Facebook's the ultimate example. Their popularity is a result of people needing a place to easily host and share their photos. But the cheaper storage and bandwidth get, the less utility Facebook provides compared to a distributed system. I think we are at a point today where high-end phones could host all the content that the majority of people want to share. Combine that with a little smart caching between "friends" so that their phones on wifi can pick up the slack when the original host is cell-only and throw in a distributed hash table for finding new "friends" and the value that facebook provides users by centralization drops precipitously.
If these NSA revelations help kickstart a new (but actually old) paradigm where each internet user is essentially self-hosting, then I believe that will be a great boon in the long run.
Precisely! If there is any silver-lining to the NSA revelations (and there really is not a silver-lining, I'm just using it as a figure of speech), it is that the pendulum is swinging back to self-control of data and applications. I've for several years wanted to see a post-cloud model where an application and data host I control runs singular application instances for me and all my devices are merely views on those applications [1]. I call it personal application omnipresence, and the "personal" aspect is of chief importance.
I see the current configuration of Internet services--what I call the "plain cloud"--to be a frustrating diversion, and one that passively or actives suppresses the "personal" aspect of applications. As Amadou points out, the plain cloud is facile because businesses can easily be intermediaries. Oh, it's so difficult to connect an always-on, secure, and self-controlled host to the Internet to share your photos with family and friends? Don't worry! We'll handle that for you. Oh and look, we also get all of your photos and data. But don't you worry, we're good people. Trust us.
For years, it has irked me that so many have voluntarily forfeited control of their data and applications out of convenience when alternative models that would provide convenience without sacrificing control are fairly easy to conceive. With equal R&D effort as the plain cloud has seen, these alternatives could be realized.
I was angry when Google made their terms of service for Google Fiber disallow home servers. I imagine Amadou was as well. (I don't have Google Fiber, but I want it or something similar with reasonable TOS.) Preventing home servers is just perpetuating the current narrow vision of centralized hosting, and that notion is overdue for disruption. Obviously that's favorable to Google, but I don't really care about what's good for Google.
Data centers in general should fear symmetric gigabit+ to the home. I know that without a doubt if I had fiber to my home, I would pull my servers out of my data center immediately and put a rack in my garage.
I want self-hosting demystified and mainstreamed. As the pendulum swings back to self-control, anyone who is working to make "self-hosting" synonymous with today's popular verb, "sharing" is posed to earn my business. The model should be embraced by open source advocates. I even suggest Microsoft should leverage the building momentum and be the first industry titan to champion disintermediating the plain cloud [2].
From the documents published by the New York Times it seems that the NSA have introduced backdoors into VPN and SSL hardware crypto chips. There aren't that many major vendors who make such chips and undoubtedly people are going to be trying to find them now.
The question is what's going to happen when the vendors are identified ? - I can't imagine it'll be good for their customer base or their share-price.
Imagine you're a bank using vendor X's backdoored SSL acceleration. Say you're involved in a lawsuit where a customer claims they didn't authorise a transaction, now the customer can point to the fact that you're knowingly using hardware which has backdoor which would have allowed a third party to silently steal the users credentials.
I can see Silicon Valley taking a big hit here. Being a foreigner I no longer trust US based services. I think I will move all my data and Web apps off Amazon, meaning no more Dropbox for me. Any website I have hosted on there now I will find a way to get off these US servers.
I even see things like Facebook and Twitter taking hits with competitive services hosted in "more secure countries" popping up.
At this point I feel Chinese based services is safer, and that is saying a lot.
Not at all, they've made it quite clear that there are only two options: have the capability to decrypt everything or create America's Great Firewall. They couldn't give a rats ass about the economy.
Now that the cat's out of the bag I'm sure they will refocus their efforts on shoring up the defence of every government communications network.
David Dampier's comment about cryptography in this article is a bit surprising:
“I don’t care what company is selling you encryption software. Whatever they are going to sell you, it can be decrypted. There’s nothing that is infallible.”
Leaving aside the fact that a significant fraction of cryptographic software that is free and open source (ssh, gpg, tls implementations in browsers, etc.) the idea that any cryptography available to an end user is breakable by an adversary like NSA is not supported by what we know about current and historical progress in the mathematics of cryptanalysis. Dampier's credentials on his academic home page are not that relevant or convincing when it comes to cryptography proper. I would be more likely to go with Bruce Schneier's opinion that cryptography is still secure with appropriate key sizes: "Still, I trust the mathematics" https://www.schneier.com/blog/archives/2013/09/the_nsas_cryp...
> NSA Revelations Cast Doubt on the Entire Tech Industry
I'd say it's true for everything that's not open-source and doesn't allow for proper public key encryption. (Assuming that public key encryption is still holding up.)
I'm thinking there are questions about even open source projects. Who is to say they've not been covertly influencing them, or even running them altogether?
I'd certainly agree that open source offers the potential for independent verification of its nature, how many of these applications and libraries have been examined in detail by those who have the deep expertise to spot a subtle flaw and how many are just taken at face value?
If I owned any server hardware, chances are it would be in a rack in a datacenter. What's to say somebody hasn't walked in, flipped a badge and taken my SSL private keys? In fact, that's quite probable.
Certificate Authorities are almost certainly compromised. Why bother with one at a time when you can just force the vendor to hand the keys to the castle over? Sign your own certs, MITM anyone you want.
MITM isn't the issue, we assume for the most part that the NSA is a passive eavesdropper. Easier in that situation to sniff and decode with a stolen secret, rather than rewriting traffic on the fly.
Not really. For a passive attack the key would have to be stolen from a server rather then the CA, who never sees the private key, rather only the CSR (public key).
We're assuming under the current circumstances that it's backdoored, basically. The NSA definitely doesn't want to have to go knock on doors to collect those private keys.
Right, I've gotten certs before. I'm saying that they could be faking certs for their own usage, and we're also assuming they have subtle backdoors in openssl, for example, to perhaps render having the private key moot.
Except now we also have to be much more vigilant about open source standards, too.
For example, now I worry the security model of WebRTC has been compromised by NSA, because it has the potential to offer very secure P2P conversations to the masses (at least 1 billion users - and that's before IE even adopts it in IE12, hopefully).
If your goal is to communicate securely, it's preferable to encrypt using a native (and obviously open-source) application (and OS) and to avoid the browser, for the time being.
If you have an Android phone, Google tracks your location (GPS, cell towers and maps-wardriving-provided Wifi hotspots at least), so it's probably easy to see who met who. Maybe they also save seen bluetooth devices.
Phones don't record conversations in the pocket by default yet, but it's not inconceivable when computing efficiency improves that recording is always on, and keyword data is saved by default. Handy if it can creates calendar markings from verbal agreements...
And with Glass, video too.
So meeting in person is getting less secure as well.
I think the NSA revelations may also hurt data mining initiatives in the private sector. At some point I think the privacy advocates that are criticizing NSA access to private sector data, will turn their attention to the services that hold the data. I believe there will be more pressure on service providers to purge archived data, whether it be phone call meta-data or other kinds of information.
There are folks that made their fortunes and earn their livelihoods on the net. These folks are going to defend what we built to their dying day. There are governments and corporations, which believe they absolutely must have whatever data they view as honorable (and this definition is surprisingly flexible) in order to continue to privide their services.
Then there's the general public, including most reporters, who suspects something is amiss but keeps hearing all kinds of contradictory opinions, including calling out the folks who warned about these as tinfoil hat types.
Yeah sure, there's lots of noise and confusion, but doubt? I don't think so.
Note: I'm not trying to weave a conspiracy theory here. My only point about existing players is that they're too emotionally wrapped up in things that took many years of hard work to see the situation objectively
It will indeed be interesting. One thing to consider is that we can assume the US Government has enough information about most individuals and businesses to cause significant harm, even if everyone (individuals and businesses) stopped trusting tech companies tomorrow, the damage is done and an enormous trove of intel has been captured.
This looming threat will only get worse as the government shifts its focus from capturing data to utilizing it at scale.
I've been wondering why WatchGuard firewalls require mandatory registration before working. There they ask questions like, is this firewall being used to secure important military site etc. Wtf, if I would use it to protect important military / nuclear research lab etc... Do they really think I would tell it? I'm sure that information is directly passed to "authorities" and then they can bypass that firewall/vpn/ipsec to steal secrets whenever they want to.
Can Web of Trust/PGP be applied/adapted to client-server communication such as that handled by HTTP? Conceptually, HTTPS built on PGP? Would new products or services help the adoption of this (like a social network for PGP keys)?
Although it wouldn't solve all of the NSA techniques (social engineering, acquiring pre-encrypted data) it would certainly be harder to track down (i.e. steal, crack, coerce, subpoena, etc) tens of millions of keys rather than tens of thousands.
I feel like anybody with their ear even moderately to the ground knew the NSA had encryption breaking techniques... Why else would higher-level encryption be illegal?
As for the US part of this, yes, my country the UK, is up to its neck in it, but, the part that is driving me away from the internet is the fact that Americans think their laws apply to non-Americans, and if necessary, Americans will force those laws on people who had no vote in it what so ever. Government will be leaned on and pressured to hand their people over to a US legal system I have zero faith in, and a penal system that borders a barbaric reinvention of slavery. If that fails, the US will "render" people, or as the rest of us call it, kidnap. To get my encryption keys, as a foreigner I genuinely fear American torture.
Now, I suspect the likes of China also do or aspire to spy on us all in the same way, but I don't feel the same risk of state kidnap, their laws, legals system, etc.
The spying is one thing, to a point I can live with that and alter behavior to compensate, but the idea I could break laws I don't agree with and have no influence over, while getting no support from my government, or be kidnapped, is frankly too much to accept. Even in typing this post I am self censoring.
As such, the internet has now become something I'm now very wary of. I almost feel like the using the internet is the same as traveling to the US, which is something I would never ever do. Its simply not worth the risk to my liberty and freedom.
Sad, very sad.