Hacker News: mr__y's comments

>What would happen if you manufactured lots of packets to trigger the expensive filters?

Then you would effectively DoS/DDoS the IPS. Now, depending on how the system as a whole works, it could be an efficient way to get through with a different attack that would normally be detected/blocked by the IPS.


>Western cultural references that might be very "heavy" in a different, much more casual way

Just to prove your point - crucified Santa Claus [0]

[0] https://www.abc.net.au/news/2019-04-21/how-the-iconography-o...


> those are exceptional cases

The 99/100-year lease is quite common in many European countries. It's not "exceptional" here.


>- block access ala GFW, ensuring that most people will have difficulty accessing it or using it

Depending on the sophistication of that solution, you could imagine some forms of tunnelling to be efficient against that (IP-over-X). Then, of course, due to the complexity, this workaround will be used by a tiny fraction of users.

>- block access to any data you cannot decrypt or from an endpoint you cannot backdoor

Steganography would be a solution to this: you can decrypt the cat pictures I'm exchanging with friends, but you may not be able to notice that those images have hidden content (which may also be encrypted).

>- do nothing, knowing that most users will avoid using anything that isn't one of the major web platforms

This seems to be a guaranteed-to-succeed solution. Probably much better than

>- run some kind of propaganda campaign on the evils of using unsanctioned software (supporting terrorism etc.)

since there is always a risk that this may backfire and encourage resistance in some groups.


> anyone can make their own communication platform

And then the users of that platform would simply stand out in ISP logs, making it actually easier to spot them. If this platform was a dedicated tool developed by/for a bad actor, then everyone working with/for that actor would be easily found.

Given that, it seems that steganography (combined with encryption) could be a solution, with a "battle" between steganographic methods and algorithms to detect them.


>and then the users of that platform would simply stand out in ISP logs making it actually easier to spot them.

Yeah no.

Encrypted data would still be flowing all over the place; if our bad actors use VPNs to hide their traffic then it would become impossible for ISPs to see what they're doing or using.

In addition, even if you can pinpoint who's using encrypted communications, unless you can prove they're actually engaged in some criminal practice, it won't do you much good. With EARN-IT the responsibility is on the encryption providers, so those two random devs who made the app. You can't tell what the users were talking about since communication is encrypted, you can't really prosecute any of the users for anything besides maybe using those apps if it becomes completely illegal or you can prove that the app is only used by criminals and no one else.

Now you can potentially go after the devs, assuming of course you can figure out who made the app, and assuming these people are in a place where US laws apply. The global nature of the Internet makes things very difficult. If a Swedish team develops an encrypted communication app and distributes it on their website, are they still required to comply with US laws? If they prevent US citizens from downloading the app with geoblocking but people get around it with VPNs, are they still required to comply with US laws?


>if our bad actors use VPN's to hide their traffic then it would become impossible for ISP's to see what they're doing or using

You just transferred a problem from the ISP level to the VPN operator level. While you could argue that using multiple VPNs from different countries could make this somewhat harder, the problem still exists. Especially if you consider metrics other than IP, for example specific packet sizes or timing patterns (for example, instead of users connecting to a given IP, the adversary would look for users sending 640-byte packets every 300 seconds).

While the argument is that encryption of messages makes it impossible to know the contents of messages (and thus to use the contents as evidence), the ability to uncover the members/employees/cooperators of the bad actor would make it easier to investigate them and/or use other means of targeted surveillance to obtain evidence. Also, this would make it easier to infiltrate the bad actor, since one of the uncovered users could then be coerced into cooperation.

(All of the above assumes that the app/platform is used only by members of the "bad actor" and no one outside that organization is using the app. It is completely different if there are other users, perhaps even with bad-actor users being a minority.)

With the developers outside the jurisdiction, the problem is that while they of course might or might not be required to comply with the law, they can still be coerced/manipulated/otherwise encouraged into providing a "patch" (backdoor) for the application.

I believe that a much better solution would be to simply use any popular platform as a transport layer, with independent end-to-end encryption. Possibly with some steganography as well. The simplest example would be users exchanging memes/cat pictures - this will not stand out in any ISP/VPN traffic analysis. It will also not stand out (that much) in content analysis by any entity that can decrypt/access the plain content. The images being exchanged could then contain embedded (and end-to-end encrypted) content. While this is still far from perfect (you could imagine detection of repetitive images being sent, content/timing patterns, or actual analysis of attachments for steganography), all those still require significantly more resources to work at massive scale.

An alternative would be to use a custom platform but have as many "external" (in the sense of not working with/for the bad actor) users as possible.
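Added example (not code from any commenter above) for the steganography idea raised in the two comments above: an end-to-end encrypted payload hidden in the least significant bits of an image, plus the kind of detector the "battle" would be fought with. Everything here is constructed: the cover is a synthetic 64x64 grayscale gradient rather than a real photo, the SHA-256 counter-mode keystream is an illustrative stand-in for a real AEAD such as AES-GCM or ChaCha20-Poly1305, and the key and messages are made up. The detector only measures how well the LSB plane compresses; encrypted bits look random and resist compression, which is why a small payload in a large image (the `ratio_short` case) is much harder to spot than one that fills the whole plane.

```python
import hashlib
import struct
import zlib

WIDTH, HEIGHT = 64, 64                    # constructed cover dimensions
HEADER = 4                                # 32-bit big-endian payload length prefix
CAPACITY = WIDTH * HEIGHT // 8 - HEADER   # 508 payload bytes fit in one LSB plane


def make_cover():
    """Constructed 8-bit grayscale cover: a smooth diagonal gradient.
    Its LSB plane is highly regular; a real photo's is far noisier, so the
    detector below has an easier job here than it would in practice."""
    return [(x + 2 * y) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def keystream(key, length):
    """Illustrative SHA-256 counter-mode keystream. Assumption: stands in for a
    real AEAD (AES-GCM, ChaCha20-Poly1305), which is what you would actually use."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed(pixels, payload):
    """Overwrite the least significant bit of the first pixels with a
    length-prefixed payload, MSB first. Raises if the cover is too small."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract(pixels):
    """Inverse of embed: read the length prefix, then that many bytes."""
    def read(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack(">I", read(0, HEADER))
    return read(HEADER * 8, length)


def lsb_compressibility(pixels):
    """Crude stego detector: pack the LSB plane and zlib it. A structured cover
    compresses well (ratio well below 1); encrypted payload bits look random and
    push the ratio towards 1. Heuristic only, and it weakens as the embedded
    fraction of the plane shrinks."""
    plane = bytearray()
    for i in range(0, len(pixels), 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i + j] & 1)
        plane.append(byte)
    return len(zlib.compress(bytes(plane))) / len(plane)


def demo(key=b"shared secret, assumed pre-agreed out of band"):
    """Round-trip a short and a capacity-filling message and score all three images."""
    cover = make_cover()
    short = b"meet at the usual place at 21:00"
    full = short.ljust(CAPACITY, b" ")      # pad so every LSB carries ciphertext
    stego_short = embed(cover, xor_crypt(key, short))
    stego_full = embed(cover, xor_crypt(key, full))
    return {
        "short_roundtrip": xor_crypt(key, extract(stego_short)) == short,
        "full_roundtrip": xor_crypt(key, extract(stego_full)) == full,
        "ratio_cover": lsb_compressibility(cover),
        "ratio_short": lsb_compressibility(stego_short),
        "ratio_full": lsb_compressibility(stego_full),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three ratios illustrate the trade-off the comment describes: the untouched cover compresses to a fraction of its size, the fully loaded image barely compresses at all, and the 36-byte payload sits in between, which is exactly where a detector at ISP scale would need far more than a compression test to be confident.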


I mean a bad actor can easily use stolen/free wireless with a randomized mac on a machine that’s used for nothing else and not access any “usual” services while doing it.

This is more about ordinary people maintaining privacy in their normal daily activities, in ways that aren’t too inconvenient to use 24/7.

If a bad actor has the knowhow to build a custom platform they sure have the ability to access the internet in a way where they can’t be found by IP.

Governments still like to push anti-privacy laws because they help catch non-technical criminals who don’t put in a serious effort to hide. This is why they hate “built in” privacy protections in consumer software and demand ways around it, because they help protect even technically illiterate criminals.

What I'm trying to say is, the important question is how much do we want to erase privacy for 99% of people who use normal consumer software in order to help police catch the ~1% or whatever the percent of criminals is that also use normal consumer software, and just happen to also be criminals. The 0.01% of people that are criminals and have the resources and knowhow to actively try to avoid detection by building their own systems are not going to be caught in trivial ways (like tracking their IP to their apartment, vpn or no vpn, or tracking them through correlation from using their personal social media account from the same connection they perform illegal activity from) anyway so they don't matter.


But if the app is in the gray area (e.g. in addition to bad actors, it's also used by a niche set of privacy enthusiasts) it enables plausible deniability.


Support forum for dyslexia sufferers


I got monocytogen.com. Definitely a name for a drug.


You could be using a VPN or a proxy, making it harder to be matched based only on the IP address you connect to. Traffic pattern analysis would still work.
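Added example (not code from any commenter) for the traffic-pattern analysis mentioned in the comment above and in the earlier "640-byte packets every 300 seconds" comment: a beacon detector run over constructed flow records. The record shape (epoch seconds, source, destination, payload bytes), the addresses, and the timings are all made up; the thresholds are illustrative. The `key` parameter shows the VPN point: when everything a user sends goes to one VPN concentrator, grouping by destination tells you nothing, but grouping by source alone still exposes the periodic component.

```python
import statistics
from collections import defaultdict

BASE = 1_700_000_000

# Constructed flow records, assumed shape (epoch_seconds, src, dst, payload_bytes),
# roughly what an ISP or VPN operator could summarise from its own logs.
# 10.0.0.5 reproduces the pattern from the comment: 640-byte packets about every
# 300 s, with a few seconds of jitter.
BEACON = [(BASE + 300 * i + jitter, "10.0.0.5", "203.0.113.9", 640)
          for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1])]
# 10.0.0.7 is ordinary browsing: bursty timing and a wide spread of sizes.
BROWSING = [(BASE + t, "10.0.0.7", "198.51.100.20", size)
            for t, size in [(5, 1200), (9, 350), (47, 4100), (48, 900), (130, 220),
                            (131, 1450), (400, 800), (405, 9800), (1200, 300), (1210, 640)]]
FLOWS = sorted(BEACON + BROWSING)


def find_beacons(flows, key=lambda f: (f[1], f[2]), min_events=6,
                 max_jitter=0.05, max_size_spread=0.10):
    """Flag groups whose inter-arrival times are nearly constant and whose payload
    sizes barely vary. `key` decides the grouping: (src, dst) by default; use
    key=lambda f: f[1] when the destination is a VPN endpoint shared by all of a
    user's traffic. Thresholds are illustrative assumptions, not tuned values."""
    groups = defaultdict(list)
    for flow in flows:
        groups[key(flow)].append((flow[0], flow[3]))
    suspects = {}
    for ident, events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        period = statistics.median(intervals)
        if period <= 0:
            continue
        # Relative jitter: population stdev of the gaps over the typical gap.
        jitter = statistics.pstdev(intervals) / period
        size_spread = (max(sizes) - min(sizes)) / statistics.median(sizes)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            suspects[ident] = {"period_s": period, "size": statistics.median(sizes),
                               "jitter": round(jitter, 3), "events": len(events)}
    return suspects


if __name__ == "__main__":
    for ident, info in find_beacons(FLOWS).items():
        print(ident, info)
```

Real detections would also have to cope with the countermeasures the thread hints at (randomised intervals, padded sizes), so a production version would look at distributions over much longer windows rather than a single stdev test; the point here is only that the VPN moves the vantage point without removing the signal.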


Do you use single-port knocking or a sequence of port-knocks?


OP would respond but then that would break the obscurity! :-)


>Some scientists are self-administering an untested product. Is it ethical?

Depends: if the self-administering scientist is the only person at risk, then I don't see any reason to believe it is not ethical. Assuming they are adult, sane persons, it is ethical to take personal risk, at least in my book. Now, depending on what is being injected, you could imagine a situation where this could pose a risk to other people as well - for example a vaccine containing an active virus (by design or by mistake) that could spread outside the lab and infect others. This would NOT be ethical.

tldr: if the self-administering person does not put anyone else at risk, it should be considered ethical.


What if they are a well educated, critical scientist who loses their life to the untested vaccine? The world may be missing out on decades of their future work. If they have a family who has to mourn their passing?

Not saying that makes it unethical, but the calculus is more complex than just whether they put others in direct risk.


Is the world entitled to the future work of a bright mind, before it is even done? imo, this is a worrying line of thought if you follow the thread further.


This is not ethical, regardless!

It creates a precedent and expectation for other scientists to do the same, which, down the road, will lead to lax testing standards in the future -- this isn't the wild west!

What does self-administering a vaccine actually accomplish in the end?

Guys, read the article, they are not doing it to speed things up for everybody, they are doing it because they think their survival of the pandemic is a net positive for science!

