
Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back

samzenpus posted about a year ago | from the power-to-the-online-people dept.

Privacy 397

wabrandsma writes "Quoting Bruce Schneier in the Guardian: 'The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it. Government and industry have betrayed the internet, and us. This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community. Yes, this is primarily a political problem, a policy matter that requires political intervention. But this is also an engineering problem, and there are several things engineers can – and should – do.'"


397 comments


Freenet, I2P, Tor - darknets (5, Informative)

Anonymous Coward | about a year ago | (#44772957)

One solution at hand is darknets - awesome and uncensorable (but slow, though that is the price): Freenet, and I2P for hidden services, and the original plain Tor.

Come join us at #freenet on freenode.org; we are supporting all users of freenetproject.org.

Also, consider the just-started channel #mempo, where a new Linux distribution is planned with the goal of being the most secure one (combining the best ideas from Hardened Gentoo, Debian, Tails, Whonix, Qubes-OS). Because security must be complete on all levels (e.g. darknet, but also AV, rootkit protection, program compartments :)

Re:Freenet, I2P, Tor - darknets (3, Interesting)

Anonymous Coward | about a year ago | (#44772991)

There is not going to be privacy as long as the physical links are not in the hands of the people. You are not the king of your castle if you rent. People need to start digging ditches and burying fiber to connect to their neighbors.

What is Bruce Schneier's game? (5, Informative)

FriendlyLurker (50431) | about a year ago | (#44773047)

FTFA:

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.

He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."

Silent Circle - a US- and UK-connected commercial company - proprietary closed source, and in a sneaky "no we are open, really, trust us [issilentci...rceyet.com]" sort of way. W T F!???

Let me reproduce this informative message posted to the comment section of the article:

I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.

But I am not sure about some of the security mobs he is advocating here.

GPG: OK, clever people can read the source code (though most average Joe programmers can't)

Silent Circle: It's USA based, and subject to the same backdoor 'requests' as any US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.

Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.

OTR: Same as GPG as the source code is available.

Truecrypt: Well, the source code is available, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.

Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.

But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.

I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.

Re:What is Bruce Schneier's game? (5, Informative)

Jah-Wren Ryel (80510) | about a year ago | (#44773113)

He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."

Do you know who founded and remains a principal of Silent Circle? Phil fucking Zimmermann. This is the guy who wrote and released PGP because he feared the NSA would get away with forcing everyone to use their back-doored skipjack clipper chip. He was subsequently harassed with a criminal investigation. If there is one guy that you can trust not to knuckle under to the NSA, it is Phil Zimmermann.

In fact, Silent Circle just withdrew their Silent Mail product because they feared that the NSA would force them to backdoor it in the near future. They canceled a product line rather than risk it being compromised.

Re:What is Bruce Schneier's game? (4, Interesting)

FriendlyLurker (50431) | about a year ago | (#44773161)

All fair points. Gag orders are gag orders however and they do not care for big famous names. If it does not have peer reviewed source code hanging out there - how can we trust it especially given this latest bombshell of a revelation showing just how far they are willing to go to "undermine the social contract [theguardian.com] " of the Internet?

Re:What is Bruce Schneier's game? (4, Interesting)

Jah-Wren Ryel (80510) | about a year ago | (#44773209)

Peer review is no panacea. I'm not going to argue against open-source, but open-source is at significant risk too. You can't pull an _NSAKEY but with the resources available to the NSA it is no big feat to weaken an implementation in a non-obvious way.

Silent Circle's approach is that they sell their software to the US and UK government. If the NSA were to require them to install a secret backdoor then the NSA would be compromising the security of all of their government customers because they don't sell two different versions of their software, it is the same for all customers.

Re:What is Bruce Schneier's game? (5, Insightful)

FriendlyLurker (50431) | about a year ago | (#44773289)

I agree that peer review is no panacea and that open source is at significant risk too. However, open peer review is surely better than no open review. Silent Circle could easily continue to sell their services to the US and UK governments AND fully open-source the code. Why don't they? More $$$ instead of more security, more likely - not a good sign.

Also, your logic that they sell their software to the US and UK governments so the NSA would not want to backdoor it does not hold up to scrutiny. How do we know that the NSA does not buy 10K worth of licenses - hardly a blip on their budget - just to shelve and never use them? In exchange the Silent Circle product is backdoored through gag orders, threats, coercion and/or covertly subverted (all things we know they now do, regularly). How do we know that the binary we get is not different from the binary the NSA gets - because their sales team told us?

There is no way around it anymore - if you're a company providing security products and you're not fully open source, and that source has not been stable and well reviewed for some time, then your product cannot be trusted no matter how many famous upstanding people are on your board of directors or how many licenses the US/UK Gov buys from you.

Re:What is Bruce Schneier's game? (2, Insightful)

Ash Vince (602485) | about a year ago | (#44773331)

There is no way around it anymore - if you're a company providing security products and you're not fully open source, and that source has not been stable and well reviewed for some time, then your product cannot be trusted no matter how many famous upstanding people are on your board of directors or how many licenses the US/UK Gov buys from you.

But if you do release all your source then someone can take all your hard work and then undercut you on price, in the case of something like Silent Circle where you are selling a service not a product. Alternatively, people can take your source and just use it in house to roll their own solution. In both of these cases nobody pays you a penny and you go broke real fast.

Open Source is really tricky to do well and make money from and sometimes it is just not a viable business model.

Re:What is Bruce Schneier's game? (1)

FriendlyLurker (50431) | about a year ago | (#44773387)

But if you do release all your source then someone can take all your hard work and then undercut you on price, in the case of something like Silent Circle where you are selling a service not a product. Alternatively, people can take your source and just use it in house to roll their own solution. In both of these cases nobody pays you a penny and you go broke real fast.

Yes and yes. So it is a "more $$$ vs. more security/customer (and leecher) confidence in your product" decision. This latest round of news will galvanize a new round of "If it is not open source it cannot be trusted" thinking, so closed and partially closed source companies may now start to make fewer sales - the balance is tipping in favor of coming clean, opening up all the source and selling your professional services on the side. Yes, less $$$, but I think that is going to happen anyway now that anyone who is paying attention will start to steer clear of closed source security products.

Oh, and the route many companies seem to take of partially opening their source or showing source to companies who sign NDAs just does not cut it - it does not allow widespread many-eyes peer review of the source over a long period, so it is little better than fully closed source.

Re:What is Bruce Schneier's game? (1)

Anonymous Coward | about a year ago | (#44773439)

Or, it's closed source so the NSA can't make their own copy with a back door and then force the secure version out the market so that everyone uses their version. While I agree that open source is preferable, it might be that the author is sacrificing one moral to protect a greater one.

Re:What is Bruce Schneier's game? (0)

Anonymous Coward | about a year ago | (#44773207)

If I cannot compile it to use it and must rely on binaries shipped to me by a private company, then this latest news just underlines the fact: YOU CAN'T TRUST THAT PRODUCT. Any security company that does not go full open source after these revelations is just being disingenuous, no matter how many big names you throw about as some kind of ultimate proof that the binary is secure. Let me raise a term that security professionals love to toss about to justify not bothering to encrypt anything at all: "false sense of security". If it is closed source, then that is at best all you've got...

Re:What is Bruce Schneier's game? (1)

mcneely.mike (927221) | about a year ago | (#44773305)

Tomorrows Obituary page:

'Phil Zimmermann has, unfortunately died. His company, Silent Circle, is currently looking for a new CEO... one who cannot be compro... comprom... (sorry... just can't type this with a straight face)... one whose morality is beyond compare...(snicker)

His company, Silent Circle, is now looking for Jesus as their CEO...... someone the NSA has not gotten to...(oh man, this is hilarious to type... Hey Joe, come read this stuff I'm typing in this guys obituary... it's incredible.... someone the NSA hasn't gotten to... good stuff here, man!'

:)

Richard Stallman perhaps?

Re:What is Bruce Schneier's game? (0)

Anonymous Coward | about a year ago | (#44773361)

In this area, binary-only junk is a showstopper to begin with.

Regardless of Phil fucking Zimmermann or not.

Re:What is Bruce Schneier's game? (4, Informative)

wbr1 (2538558) | about a year ago | (#44773235)

About Tails... you say the 'numerous security holes found' is not comforting... Did you read the post?

The Tails devs regularly post all the security holes found, with links to the source of the hole, and then patch it in the next version.

The issues are often bugs in the browser, or libcrypt, or some other part of the system. Perhaps even a new TOR version. Since they are essentially just packaging a distribution, this shows not that it is OMG SCARY UNSAFE, but that they are staying abreast of the issues with the apps and libs they roll into their distro. Not just keeping up with it, but linking right on the front page all the information you need to determine if this is a significant threat or applies to you.

If you cannot be bothered to read the reports or care to even try to understand what they mean, then perhaps you should stick with Windows. It auto-updates for you and sounds more than secure for your purposes.

Re:What is Bruce Schneier's game? (0)

Anonymous Coward | about a year ago | (#44773431)

More likely -- The tails devs regularly add new security holes, regularly post all the security holes found, with links to the source of the hole, then patch it in the next version while releasing new security holes.

Re:What is Bruce Schneier's game? (0)

Anonymous Coward | about a year ago | (#44773315)

TrueCrypt supports hidden volumes. So you're free to give up your "encryption key" and just put stuff like your tax returns in the volume you want them to find. They have no way of proving otherwise that a second partition even exists.

Re:What is Bruce Schneier's game? (1)

Kinwolf (945345) | about a year ago | (#44773451)

Err, what article are you talking about? I read the article linked in the summary and nowhere does he talk about GPG or the others. I'd be interested in reading the FA you are quoting from.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773049)

Wouldn't a wifi mesh network be easier?

Re:Freenet, I2P, Tor - darknets (1)

Anonymous Coward | about a year ago | (#44773069)

Maybe, but also much slower, less reliable and easier to catalog, to intercept and to disrupt.

Re:Freenet, I2P, Tor - darknets (2, Insightful)

Joce640k (829181) | about a year ago | (#44773125)

Neither will make a difference so long as people use Gmail/Hotmail/Yahoo/Facebook/etc.

If your communications go through a large US corporation then no amount of quantum-encrypted cables (or whatever) will help.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773151)

So what's your recommendation? Give up?

Re:Freenet, I2P, Tor - darknets (4, Insightful)

Joce640k (829181) | about a year ago | (#44773229)

Make it really easy to encrypt/base64-encode your emails before they're uploaded to Gmail/Hotmail/Yahoo/Facebook/etc.

"Transparent to the user" would be ideal. I don't know if a browser plugin could manage that but I don't see why not - just intercept the "send" process.

Encryption keys could be generated automatically during the first few exchanges with another person by attaching information to the end of the email. After two or three replies the displayed email address turns green and you're good to go.

Yes, they could do mass man-in-the-middle attacks during the key exchange but so long as two people can verify their keys by phone (or whatever) then we'll know about it. More importantly, we'll be able to prove they're doing it. That would lead to more news stories about what the NSA does and more public awareness of the importance of installing an encryption plugin.
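The scheme Joce640k sketches above (public values appended to the first couple of emails, a fingerprint the two people compare by phone, and a mass man-in-the-middle that such a comparison would expose) as an added example. This is my illustration, not Joce640k's code and not any existing plugin. Assumptions that are mine rather than the thread's: finite-field Diffie-Hellman over a toy 127-bit modulus so it runs instantly (a real plugin would use X25519 or an RFC 3526 group), SHA-256 for key derivation and fingerprints, a hypothetical `X-OppKey:` footer line, and a "mailbox" that is just a Python string handed from one side to the other.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption for the example): 2**127 - 1 is
# prime but far too small for real use; a deployment would use X25519 or an
# RFC 3526 group. The structure of the exchange is what matters here.
P = 2**127 - 1
G = 2
FOOTER = "X-OppKey: "   # hypothetical footer line the plugin appends


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def attach(body, pub):
    """Append our public value to an outgoing message, as the plugin would."""
    return f"{body}\n{FOOTER}{pub:x}"


def extract(message):
    """Recover the peer's public value from a received message footer."""
    for line in message.splitlines():
        if line.startswith(FOOTER):
            return int(line[len(FOOTER):], 16)
    raise ValueError("no key footer in message")


def derive_key(priv, peer_pub):
    """Session key = H(label || g^(ab)); both honest parties get the same bytes."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"oppkey-v1" + shared.to_bytes(16, "big")).digest()


def fingerprint(pub_a, pub_b):
    """Short, order-independent digest of both public values: this is what the
    two people read to each other by phone. It commits to what each side saw."""
    lo, hi = sorted((pub_a, pub_b))
    h = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big"))
    return h.hexdigest()[:16]


def exchange(mitm=False):
    """Two-message exchange between Alice and Bob. With mitm=True, Mallory
    rewrites each footer with her own public value (a mass MITM on the path).

    Returns (alice_key, bob_key, alice_fp, bob_fp, mallory_keys).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()

    msg1 = attach("hi bob", a_pub)            # Alice -> Bob
    if mitm:
        msg1 = attach("hi bob", m_pub)        # Mallory substitutes her value
    a_pub_as_seen_by_bob = extract(msg1)

    msg2 = attach("hi alice", b_pub)          # Bob -> Alice
    if mitm:
        msg2 = attach("hi alice", m_pub)
    b_pub_as_seen_by_alice = extract(msg2)

    alice_key = derive_key(a_priv, b_pub_as_seen_by_alice)
    bob_key = derive_key(b_priv, a_pub_as_seen_by_bob)
    # Each side fingerprints its OWN public value plus the one it received.
    alice_fp = fingerprint(a_pub, b_pub_as_seen_by_alice)
    bob_fp = fingerprint(a_pub_as_seen_by_bob, b_pub)

    mallory_keys = ()
    if mitm:
        # Mallory holds one key shared with Alice and another shared with Bob.
        mallory_keys = (derive_key(m_priv, a_pub), derive_key(m_priv, b_pub))
    return alice_key, bob_key, alice_fp, bob_fp, mallory_keys


def verified_by_phone(alice_fp, bob_fp):
    """The out-of-band check: the two fingerprints read aloud must match."""
    return hmac.compare_digest(alice_fp, bob_fp)
```

In the honest run both keys and both fingerprints agree. In the MITM run Mallory can read everything, but the two fingerprints differ, which is exactly what the phone call catches; the two captured emails, whose footers no longer match what each sender actually appended, are the evidence of tampering. Note what this does not give you: the exchange is only as trustworthy as the out-of-band check (nobody compares, nobody notices), and who wrote to whom and when stays visible to the mail provider either way.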

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773333)

That's never going to be even moderately secure. If you type the cleartext into a browser window with Javascript or read the cleartext in a browser window with Javascript, then any encryption is moot. And even if it worked, it would still leave the metadata wide open: Who, when, where.

You don't build a house on quicksand and you don't build cryptographic systems on compromised hosts.

Re:Freenet, I2P, Tor - darknets (1)

Joce640k (829181) | about a year ago | (#44773373)

That's never going to be even moderately secure. If you type the cleartext into a browser window with Javascript or read the cleartext in a browser window with Javascript, then any encryption is moot.

Packet sniffers would soon reveal any nefarious business, and there's plenty of people who'd run a sniffer just to be able to prove something was going on.

The real problem right now is proving anything - anybody in a position to provide hard proof is being gagged. An encrypting plugin plus sniffer would enable anybody to prove it.

even if it worked, it would still leave the metadata wide open: Who, when, where.

I admit that's a tougher problem to solve.

One step at a time, though. Let's start by encrypting the contents...

Re:Freenet, I2P, Tor - darknets (1)

Dr Max (1696200) | about a year ago | (#44773349)

How about an encryption key that evolves based on previous emails, so that unless the NSA have your entire email history with another person stored and unencrypted, they will have to brute force the key each time.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773425)

They can afford to brute force it every time now

Re:Freenet, I2P, Tor - darknets (2)

ehack (115197) | about a year ago | (#44773453)

Yes, one could have a stateful encryption with a very long state built into a threaded mail reader.

The idea obviously is not to make decryption impossible, it's to slow down mass decryption, thereby making mass mail searches harder and restoring a measure of civil liberties.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773457)

Because deleting an email would then completely destroy your data. In fact all the NSA need do is cause data to be dropped and then you can't use it either, at which point if you start again then they can just start logging your emails from the 'beginning' and have them all.
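The "stateful encryption with a very long state" that Dr Max and ehack describe, together with the failure mode the reply above raises (one missing email and the chain cannot be continued), as an added example. This is my code, not anything from the thread or from an existing mail client. Assumptions: the two correspondents already share a root secret (how it got there is out of scope and it is simply a constructed constant here), SHA-256 is the ratchet function, each message key is derived from the current state, and the next state is derived from the current state plus the exact ciphertext that was sent. The cipher inside is a toy SHA-256 keystream plus an HMAC tag so the block has no dependencies; it is not a real AEAD and the ratchet structure, not the cipher, is the point.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a root secret both correspondents already
# share. How it was agreed is outside this block.
ROOT = b"constructed-root-secret-for-the-example"

TAG_LEN = 32


class DesyncError(Exception):
    """Raised when a message arrives out of sequence and the chain cannot continue."""


def _keystream(key, n):
    """Toy keystream: SHA-256 of key||counter, concatenated. Not a real cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:n]


def _subkeys(message_key):
    return (hashlib.sha256(b"enc" + message_key).digest(),
            hashlib.sha256(b"mac" + message_key).digest())


def _encrypt(message_key, plaintext):
    enc_key, mac_key = _subkeys(message_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def _decrypt(message_key, blob):
    enc_key, mac_key = _subkeys(message_key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


class ThreadRatchet:
    """One chain per email thread; every participant keeps an identical copy.

    Message n is keyed from state_n; state_{n+1} = H(state_n || ciphertext_n),
    so advancing requires the exact bytes that went over the wire.
    """

    def __init__(self, root):
        self.state = hashlib.sha256(b"init" + root).digest()
        self.n = 0

    def _message_key(self):
        return hashlib.sha256(b"key" + self.state).digest()

    def _advance(self, blob):
        self.state = hashlib.sha256(b"state" + self.state + blob).digest()
        self.n += 1

    def seal(self, plaintext):
        blob = _encrypt(self._message_key(), plaintext)
        wire = struct.pack(">I", self.n) + blob      # sequence number in clear
        self._advance(blob)
        return wire

    def open(self, wire):
        seq = struct.unpack(">I", wire[:4])[0]
        if seq != self.n:
            raise DesyncError(f"expected message {self.n}, got {seq}")
        blob = wire[4:]
        plaintext = _decrypt(self._message_key(), blob)  # raises before state moves
        self._advance(blob)
        return plaintext


def run_thread(root, messages):
    """Alice and Bob alternate over one thread; returns the wire messages."""
    alice, bob = ThreadRatchet(root), ThreadRatchet(root)
    wires = []
    for i, text in enumerate(messages):
        sender, receiver = (alice, bob) if i % 2 == 0 else (bob, alice)
        wire = sender.seal(text)
        assert receiver.open(wire) == text
        wires.append(wire)
    return wires


def try_decrypt_thread(root, wires):
    """What an observer holding the root secret recovers from a captured thread.

    Returns (True, plaintexts) on success or (False, reason) when the chain breaks.
    """
    r = ThreadRatchet(root)
    out = []
    for wire in wires:
        try:
            out.append(r.open(wire))
        except (DesyncError, ValueError) as exc:
            return False, f"stopped at message {r.n}: {exc}"
    return True, out
```

Two things fall out of running it. An observer who has the root secret and every ciphertext in order recovers the whole thread, but one with a gap stops dead at the gap, which is the property the proposal is after. The same property is the objection: a dropped, lost or deleted email desynchronises the two honest parties just as thoroughly, and because email is not ordered, two people replying at the same time also fork the chain. A real design needs a resynchronisation step (Signal's double ratchet pairs a symmetric chain like this with fresh Diffie-Hellman values for that reason); this block deliberately leaves the failure visible.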

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773355)

PGP

Re:Freenet, I2P, Tor - darknets (1)

Joce640k (829181) | about a year ago | (#44773103)

There is not going to be privacy as long as the physical links are not in the hands of the people. You are not the king of your castle if you rent. People need to start digging ditches and burying fiber to connect to their neighbors.

...or just encrypt all the data that passes along the existing cables.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773131)

No, that's not sufficient. Encrypted data still exposes metadata: Who, when, where. And that's under the generous assumption that the encryption actually does what it promises to do.

Re:Freenet, I2P, Tor - darknets (1)

rvw (755107) | about a year ago | (#44773169)

No, that's not sufficient. Encrypted data still exposes metadata: Who, when, where. And that's under the generous assumption that the encryption actually does what it promises to do.

And today we know it doesn't. Does codename Bullrun ring any bells? (Hint: Snowden, NSA)

Re:Freenet, I2P, Tor - darknets (4, Insightful)

N1AK (864906) | about a year ago | (#44773017)

The issue with Darknets etc is that it'll only protect a limited proportion of what normal people do:
1/ Email, if you want to send or receive, from normal people won't be secret.
2/ Facebook, Youtube, Skype, Amazon etc won't be on it.

If you've got something you want to hide enough then the tools to try and do it are available. For the average person though it isn't a viable or effective proposition. We need to stop this happening, not just find ways for a few people to work around it.

Re:Freenet, I2P, Tor - darknets (2)

Nerdfest (867930) | about a year ago | (#44773031)

There is also a KickStarter for software called Trsst [kickstarter.com] that's a secure, distributed replacement for Twitter. Basically it makes the key management and public key distribution easy, and gives you control over your own data. They're at about 50% funding with a week or so left. If you have any interest in this sort of thing, have a look. This sort of thing shouldn't be required, but until things change, this is a nice solution.

Re:Freenet, I2P, Tor - darknets (3, Insightful)

aliquis (678370) | about a year ago | (#44773139)

Now even better! Only 159 characters per message! .. ? =P

Seriously. Twitter sucks. Why would I want any form of Twitter? 160 characters suck. SMS sucks too.

Re:Freenet, I2P, Tor - darknets (1)

rvw (755107) | about a year ago | (#44773183)

There is also a KickStarter for software called Trsst [kickstarter.com] that's a secure, distributed replacement for Twitter.

All these free/secure Facebook and Twitter alternatives are great, but who is going to use them? How do you connect to each other if nobody you know uses it or wants to use it?

Re:Freenet, I2P, Tor - darknets (1)

Nerdfest (867930) | about a year ago | (#44773301)

Only a few used Twitter and FaceBook in the beginning. If people are looking for a groundswell of support for properly encrypted communications, I think recent events are about the best advertising you're going to get.

Re:Freenet, I2P, Tor - darknets (5, Interesting)

Anonymous Coward | about a year ago | (#44773057)

Demand IPv6. Yell at your ISP. At least ask for it and tell them how important it is. With IPv6 people can start running their own servers and more P2P stuff. The Internet before the last 10 years worked that way and it was good. The "Internet" of today is centralized and that is a major problem. No wonder it's easy for intelligence agencies to do what they are doing if the only thing they need to do is attack 10 or 20 corporations to succeed.

Teach people around you about technology, encryption and how the Internet works. Give them an image of how their clear-text messages hop around, where they land and what happens to them when they do.

Don't be ignorant and don't say stuff like "well, I've known it all the time - I don't have anything to hide anyway so I don't care". Are you really sure about that? Do you know what your life will look like in 10 or 20 years' time and what the political climate will look like where you live at that point?

Support organizations fighting for your freedom - I don't care if it's EFF, FSF, Pirate Party or something else. There are people willing to take on the big guys for you when you are not, but they can't do it without your help.

No complaints about the NSA here (0, Flamebait)

mozumder (178398) | about a year ago | (#44773075)

One solution at hand are darknets - awesome and uncensorable (but slow, though that is the price)

Will never gain traction. The public will always choose "easy-to-use" over "secure". The public doesn't care about high-grade security, since nothing they do is important enough to secure from government anyways. Do you really think people are going to spend the effort to secure their fantasy-football emails?

Also, you have people like me that fully support the NSA's collection of metadata on American citizens, since metadata isn't private, and was never supposed to be. How many dozens of organizations get to see your IP headers as it travels across the internet? That settles that question.

And as far as interceptions of actual communications of foreign nationals? Fuck 'em. They probably should have done a better job of inventing the internet and computer technology. The Internet is a US product, and in particular, the US military invented it anyways. Foreign nationals get a nice cup of Shut-The-Fuck-Up about any complaints they may have about modern computing and the Internet and the US government's dominance over it.

I seriously don't get the complaints people have about the internet. You are guests in someone else's house, so you get to play by their rules. Sucks to be you.

Invent something else that's not the Internet then, preferably something that has far less overall systematic latency.

Your best bet is to get off the computer entirely. Maybe start a fashion brand? Maybe go outside and take a walk? Graphics outside are so much better than graphics on your computer anyways.

People love their computers too much.

Re:Freenet, I2P, Tor - darknets (1)

aliquis (678370) | about a year ago | (#44773133)

I'm more interested in a "Internet 2" built out of peoples access points and possibly routed over the regular Internet when needed to reach a destination.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773219)

An internet is a type of network; the World Wide Web is an internet. Many different internets exist, from local networking to wide area networks. Community wireless projects are essentially an internet.

Join a local network to peer with or start making your own and others will come.

Re:Freenet, I2P, Tor - darknets (0)

Anonymous Coward | about a year ago | (#44773141)

Ain't gonna happen.
We have seen people being charged with kiddie porn when all they did was run a Tor node.

Local Networking (0)

Anonymous Coward | about a year ago | (#44773187)

Also join your local community wireless network, real networking directly with other people. CB Radio for computers.

first post? (-1)

Anonymous Coward | about a year ago | (#44772959)

is it so?

Low tech (5, Funny)

MrDoh! (71235) | about a year ago | (#44772965)

That whole 'IP over Carrier Pigeon' thing doesn't look so crazy now does it? Until the NSA start training intercepting hawks.

GOOD LUCK with that shit (2, Insightful)

Anonymous Coward | about a year ago | (#44772969)

they've got flamethrowers, man

Re:GOOD LUCK with that shit (2)

black3d (1648913) | about a year ago | (#44772987)

That, and, they'll simply legislate against anything which removes their central control. It'll only be a matter of time before darknets are legislated against "for the children", at least those they haven't already entirely honeypotted.

Thanks Mr Schneier (-1, Troll)

benjfowler (239527) | about a year ago | (#44772973)

I don't have time for leakers, traitors and narcissistic wreckers like Snowden and Assange. And it has been easy for me to dismiss their statements, and those of their camp followers, out of hand.

For me, having somebody as credible as Bruce Schneier take such a stand, changes everything. He's not just some criminally insane lunatic like Julian Assange, or some spotty kid out to make a name for himself -- he's an erudite, wise man with a proven track record of good judgement. If credentials matter -- then I think that having Schneier weigh in on this side of the political debate will have a major impact on people who are formerly undecided about the issue, including myself.

Re:Thanks Mr Schneier (1)

Shadow of Eternity (795165) | about a year ago | (#44772985)

The sarcasm BURNS it's so powerful...

Re:Thanks Mr Schneier (4, Interesting)

daem0n1x (748565) | about a year ago | (#44773147)

Just wait until the character assassination begins for Schneier too. He's been taking very strong positions, I'm waiting for a photoshopped picture of him fucking a sheep to be released on the Internet for the whole world to see. Pretty soon, he'll be living in a South American country's embassy.

Re:Thanks Mr Schneier (0, Flamebait)

benjfowler (239527) | about a year ago | (#44773181)

With the likes of Julian Assange, "character assassination" is hardly necessary. The guy is a walking PR disaster area.

Re:Thanks Mr Schneier (5, Insightful)

daem0n1x (748565) | about a year ago | (#44773233)

I couldn't care less if Assange or Snowden are nice guys. That's completely irrelevant for the matter if they're sweet little cherubs or like to fuck sheep on their spare time. Nobody does what they did by being that nice guy everybody wants to have a beer with.

The hateful crimes they exposed are the true stars, here. If you focus on the messenger, you miss the message. That's what the governments, corporations and their global propaganda machine (a.k.a. mass media) badly, badly, badly want you to do. Quite successfully.

Re:Thanks Mr Schneier (0)

benjfowler (239527) | about a year ago | (#44773281)

I'm not sure it's that easy to distinguish the message and the messenger.

These people have a radical and fairly crude anti-secrecy agenda, and the stuff they bring to light may be done in a highly selective and self-serving manner. And regardless of whether you think governments should be allowed to keep secrets or spy on people, I dispute that these vigilantes should decide what should be "declassified" or what isn't. It's only slightly better when the leaks are channelled through the media, given that journalism is a "soft option", and that journalists are only slightly better qualified than the leakers themselves to decide what's safe to leak or not.

As for secrecy and spying, that debate needs to happen, and it's happening. That's a happy byproduct of what is going on. I just strongly object to the methods being used by the anti-secrecy crowd, and I don't trust their motivations at all.

Keeping things safe. (2)

auric_dude (610172) | about a year ago | (#44772975)

Thought I would use Bruce's Password Safe http://passwordsafe.sourceforge.net/ [sourceforge.net] and download http://sourceforge.net/projects/passwordsafe/files/ [sourceforge.net], but no HTTPS; should I be worried?

Re:Keeping things safe. (5, Insightful)

black3d (1648913) | about a year ago | (#44773011)

Naw, HTTPS only protects you against folks who don't already have the keys. You pretty much can't trust virtually any data communication that takes place on the internet. However, that doesn't mean stop doing stuff - it just means weigh the value of what you're doing against the expectation that the information is likely to be used against you. For example - the NSA may have my internet banking credentials - but am I worried they're going to steal my money? No - either 1) they don't need to, 2) if some rogue agent decided to, there are legal protection and insurance avenues I can take to regain my money, 3) if the government decided they needed to steal my money, then even them not having my internet banking credentials isn't going to stop them anyway.

I'm not an advocate for "if you have nothing to hide, you have nothing to worry about" at all. I'm just facing the realization that our government is completely morally corrupt, and outside of changing it by force, I can never protect my information online unless it's information I've encrypted and uploaded myself (and even then I'm still at risk if my OS is rooted or my encryption algorithm has a master algorithm). So, I weigh that knowledge against my activities and don't worry too much. If I was concerned about being identified, then you can protect yourself, but it largely involves not using your net connection, among other things.

Re:Keeping things safe. (0)

Anonymous Coward | about a year ago | (#44773025)

No.

Why would you worry?

It is source code; you can verify it yourself before you build it.

Password Safe operates on your computer; as long as your computer is uncompromised you should be relatively fine.

Re:Keeping things safe. (0)

Anonymous Coward | about a year ago | (#44773429)

No.

Why would you worry?

It is source code; you can verify it yourself before you build it.

Password Safe operates on your computer; as long as your computer is uncompromised you should be relatively fine.

Oh, yeah. How many people are qualified to verify code themselves? I doubt that many programmers/software engineers are able to qualify the code of another major project without spending considerable time, probably more time than they are ever going to spend using the program itself.

Agreed (3, Insightful)

msobkow (48369) | about a year ago | (#44772977)

But in all practicality, how do you seize back control from the likes of the three-letter agencies?

It's not like there is any party in the US which hasn't been complicit in granting them ever-greater powers. It's not like a Canadian like myself can vote against the bullshit. It's not like Canada is about to invade the US over the issues, nor anyone else, seeing as their three-letter agencies are doing the same god-damned thing.

Re:Agreed (5, Insightful)

Joce640k (829181) | about a year ago | (#44773115)

See Robert Heinlein's book "Take Back Your Government" for details.

Unfortunately, it needs people like you to get up from their sofas and actually do something instead of just grumbling about it.

Sorry (0)

Anonymous Coward | about a year ago | (#44772979)

(Sorry for bad English)

As I have stated my opinion multiple times in the last two decades, commerce, designers and politics have ruined the Internet.
The WWW should have been mostly textual information with a good, clear layout, without "everything can be clickable" and fancy animations and pictures everywhere (CSS, you are terrible!).
People have forgotten that the Internet is not the same thing as the WWW; the WWW is only a "top layer" using the Internet, and commerce has burned that false belief into consumers' foreheads.
Politics has ruined the Internet by trying to "own it", in the same manner as commerce (ISPs/carriers, big corporations like Microsoft) by inventing their own protocols or limiting access to APIs. How I miss the times when the Xerox Star was the thing, with Ethernet.

It is a sad thing that Unix in one manner died, but it is nice to see that Linux is carrying the torch (vision) of the possibility of having clear file-based networking systems.

Good luck with that... (1)

ksemlerK (610016) | about a year ago | (#44772993)

Let me know how it turns out.

Union (1)

StripedCow (776465) | about a year ago | (#44772999)

Actually, I think we need "unions" for programmers or engineers in general to sort out this kind of issue.

As another example, if we had unions back in the Windows95 era, then there would never have been an IE6. We would have had stronger web standards.

Re:Union (3, Funny)

basecastula (2556196) | about a year ago | (#44773029)

gnUnion?

Re:Union (4, Insightful)

jabberw0k (62554) | about a year ago | (#44773035)

If there had been programmer unions in the Win95 era, we never would have got rid of IE6 to protect all the people with certifications in IE6-specific programming. Spare us, please.

Re:Union (3, Insightful)

Anonymous Coward | about a year ago | (#44773061)

You're missing the bigger picture - if we had unions, we could sit behind nice desks, and have those with computers problems make appointments to see us (at times convenient for us, when we're not playing golf). Then we'd sit down and discuss the problem with them and go "reboot it twice and if it doesn't fix it call me in the morning", and charge a hefty fee.

Re:Union (2)

msobkow (48369) | about a year ago | (#44773093)

You're in fantasy land.

Working for a union just means more and more onerous paperwork than any other job I've ever worked. Shuffle this, shuffle that, shuffle, shuffle, shuffle.

Even AT&T and Bell Canada didn't have as much paperwork as I got stuck filling out and filing while working a union job as a programmer.

Hated it, big time!

Re:Union (2, Insightful)

Anonymous Coward | about a year ago | (#44773335)

I've had a number of union programming jobs in Denmark. The union ensured that I got to take my vacation, that my contract was in order, that I got training on company time for new technology and that if something illegal happened, I'd have access to a lawyer. I don't doubt that what you are saying was true in your case, it's hardly a universal property of programmers' unions.

We don't need unions. We need _good_ unions.

Re:Union (2)

daem0n1x (748565) | about a year ago | (#44773285)

In the US, union workers play golf? That explains a lot about the US labour policies. I don't think you grasped the concept very well...

Re:Union (1)

Anonymous Coward | about a year ago | (#44773313)

Bullshit, but go on believing whatever you want. Taking orders from large corporations with no ability to fight back against stupidity is just fine, I guess? Every kind of dumb thing you associate with unions has at its root some kind of abuse by employers. The only thing seriously wrong with them is that these large mega-unions are just as overweight in useless administration as the corporations they complain about. That can be fixed, but the concept of people demanding certain wages/conditions/etc. and having some ability to enforce those demands is a good one.

That said, it may not be the right solution for IT people. Our basic problem is lack of enforceable standards. We lack responsibility and accountability for the things we design. Frankly too many of us lack imagination (as to how our stuff will be abused) or we lack morals in that we won't say no to designing evil things. For that second thing, you need the ability to not get fired or blacklisted, hence some bargaining power.

Now I know that stuff goes against all the Ayn Rand worshippers that seem to pervade this industry, and who brought us all these corporate/government backdoors and other such cooperation in the first place, but I can't help that. If we had an actual discipline like doctors, or especially like physical engineers do, an awful lot of the crap out there would either not be there or would be better built. It would take longer. It would also cost more. It would prevent a lot of Silicon Valley startups from starting up, and I don't care. I don't care because the net bad we've created vastly outweighs the net good. I'd trade all of Facebook, Twitter, Gmail, etc. to not have the NSA spying on everything we do. That's an easy trade for me because I don't use any of that garbage, but average people don't know why those things are bad, just like average people don't know why some building designs are safe and others are not. They shouldn't have to NEED to know just to survive, and in every other aspect of our society we've managed to do something to make it so they don't personally need to be an expert in everything.

Granted some things we've done are bad, like the way lawyers have it rigged so you can't even give an opinion to somebody without risking "practicing law without a license"--the bar associations are a really bad model. Some others are OK, some are good, some are terrible. We have a lot of examples to know what works and what doesn't, but we lack the desire to be better, to get the weak and the corrupt out of our profession, and to stop designing things that are either easily breakable or deliberately backdoored.

Re:Union (1)

Anonymous Coward | about a year ago | (#44773319)

You're full of it. There's plenty of unions for programmers in Europe, and they have none of the problems that Americans seem to fear.

Though I don't see how unionization should have prevented IE6. They mainly deal with things like avoiding overreaching non-compete clauses and getting ergonomic keyboards.

Mesh internet / web of trust now! (1)

foreverdisillusioned (763799) | about a year ago | (#44773021)

It's our only hope.

Also: mandatory encryption, support for non-RSA modes of key exchange, and (this is what Tor really lacks) extra latency on request.

Re:Mesh internet / web of trust now! (1)

sxpert (139117) | about a year ago | (#44773039)

either latency, or constant speed traffic with mostly useless junk inside

Re:Mesh internet / web of trust now! (1)

foreverdisillusioned (763799) | about a year ago | (#44773073)

Junk traffic degrades performance for other people; optional variable latency improves it. That said, they could coexist.

Re:Mesh internet / web of trust now! (1)

foreverdisillusioned (763799) | about a year ago | (#44773085)

And by non-RSA, I don't just mean elliptic curve. The encryption protocol needs to support stateful and nonstateful solutions. Symmetric-only with web of trust, asymmetric+symmetric (like we have now), changing-response symmetric signing as an alternative to asymmetric certs, even one time pads need to be supported. All of these have advantages and disadvantages. And it should never be obvious to an eavesdropper which is being used at any given time.

Re:Mesh internet / web of trust now! (1)

foreverdisillusioned (763799) | about a year ago | (#44773087)

*challenge-response

"Engineers" (-1, Troll)

Anonymous Coward | about a year ago | (#44773045)

Stop calling yourselves Engineers, you fucking code monkeys.

Re:"Engineers" (0)

Anonymous Coward | about a year ago | (#44773263)

And you're just a chronic masturbating troll. Your point?

Bruce Schneier (-1)

Anonymous Coward | about a year ago | (#44773071)

This would be the same Bruce Schneier who works for BT, right? One of the companies specifically named in Snowden's documents as as providing GCHQ with access to all of their fibre links?

UK Official Secrets Act (5, Informative)

gramty (1344605) | about a year ago | (#44773079)

"One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order"

Once again the UK trumps the US in the paranoia and anti-freedom game. The UK Official Secrets Act applies to all British subjects. OK, they get you to sign it, but that is mostly a symbolic gesture to remind you of your obligations and the penalties. Under the act you don't even need to have clearance or be the recipient of a leak. Even if you have worked it out for yourself from publicly available information you can still be gagged, and breaking a gag can bring down the full force of the law against you.

Re:UK Official Secrets Act (4, Informative)

Bogtha (906264) | about a year ago | (#44773247)

The UK Official Secrets Act applies to all British subjects

This is not true. There are some parts that only apply to government workers, and there are some parts that apply to everybody, regardless of nationality.

Also, practically nobody is a British subject these days, and this has been the case for over 30 years. People with British nationality are British citizens, not subjects. British subjects are a different category and there's hardly anybody in that category. It's mostly just a historical technicality that the category even exists.

Re:UK Official Secrets Act (1)

gramty (1344605) | about a year ago | (#44773323)

OK, I stand corrected.

The UK Official Secrets Act applies to everyone (with varying scope, but only likely to be enforceable in UK jurisdiction). OK, they get you to sign it, but that is mostly a symbolic gesture to remind you of your obligations and the penalties. Under the act you don't even need to have clearance or be the recipient of a leak. Even if you have worked it out for yourself from publicly available information you can still be gagged, and breaking a gag can bring down the full force of the law against you.

Only try and you will land in jail (1)

Anonymous Coward | about a year ago | (#44773095)

Nobody messes with the US government. If you try to change it, you are endangering your family and putting yourself in jail at best.

Spot On (4, Insightful)

some old guy (674482) | about a year ago | (#44773101)

Bruce nailed it. We've sat on our collective asses and watched the politicians, spooks, and marketing clowns turn an engineering marvel into a sad parody of its former intended self. I don't think anyone nowadays can question the need for some serious re-engineering. We can solve the technical problems and propose new standards and protocols. The real question is how do we implement the fix.

Will the standards committees support it? Will the Powers that Be allow it? Like Bill the Bard wrote, "Aye, there's the rub."

Re:Spot On (0)

Anonymous Coward | about a year ago | (#44773303)

Bruce nailed it. We've sat on our collective asses and watched the politicians, spooks, and marketing clowns turn an engineering marvel into a sad parody of its former intended self.

The physical outlay of light pipes circling the globe connected by fancy many-gigabit packet pushers is indeed quite marvelous. While EEs continue to kick ass and take names, things get progressively less impressive as you go up the stack (e.g. SMTP, DNS, HTTP, etc.).

We can solve the technical problems and propose new standards and protocols. The real question is how do we implement the fix.

Will the standards committees support it? Will the Powers that Be allow it? Like Bill the Bard wrote, "Aye, there's the rub."

It is called hard work with no expectation of profit. Completely irrelevant whether "standards committees" support it or not. The "rub" is whether users, and by extension any needed operators, will care to support it.

Find the back doors (1)

mrspoonsi (2955715) | about a year ago | (#44773107)

There is proof there are back doors in VPN routers / switches / firewalls, so expose them. Only when businesses feel the pressure will the US government see the error of its ways (when leaned on by big business); until then it is just something needed for fighting a bunch of guys in caves on the other side of the planet.

Education (1)

j-b0y (449975) | about a year ago | (#44773119)

I think a necessary step is to make sure that there is a general understanding that this is a problem (here we must not merely preach to the choir but reach a wider and maybe technically illiterate audience). Who are we dealing with?

1. People who willingly forgo their right to privacy (and therefore understand the issue at hand)
2. People who are ignorant that their privacy rights are not respected (and therefore do not understand the issue at hand)
3. People who are aware that their privacy rights are not respected but wish to interact with 1) and 2) and therefore give up some or all of their privacy rights (and therefore understand the issue at hand)
4. People who will protect their privacy rights at the cost of limiting their ability to interact with at least those in 1) and 2) (and therefore understand the issue at hand)

We cannot save those in category 1), they know the risks and accept the "terms and conditions" of using the internet with public and private data mining/surveillance in place. These people are lost to the Dark Side.

People in category 2) need education on what the consequences of their actions are, and may then resolve into one of the other groups.

People in category 3) should accept that their permissiveness strengthens the hand of the NSA et al. If a practical alternative solution is presented they will probably help to bring people in category 2 away from the Dark Side.

People in category 4) are probably a small population already using Tor, Freenet, PGP, etc. They can help by adopting new technologies that do not compromise (too much) their desire for privacy.

Re:Education (1)

w_dragon (1802458) | about a year ago | (#44773443)

You missed those people who don't do private stuff online. I know this will surprise a lot of slashdot, but for normal people a lot of life is public. The most private thing I do online is banking, and I suspect those records can be accessed by the government in easier ways than reading and decrypting every bit of Internet traffic. As always, if you want to keep something private don't use communication mechanisms you don't control. Sneakernet is still the best private network.

P2P works (1)

dirtaddshp (1188189) | about a year ago | (#44773127)

I would say more peer networks would work well. Unfortunately, in a lot of cases it would take a lot of resources on the host computers, but it may be the price to pay to keep your data yours. Look at BitTorrent, Bitcoin or most other P2P systems... government has a very hard time stopping their use.

The REAL Story (0)

Anonymous Coward | about a year ago | (#44773153)

Now why isn't this a story on /. almost a day after its publication:

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

In brief, almost nothing is safe anymore, even if it's encrypted.

The destruction of trust (5, Insightful)

Arrogant-Bastard (141720) | about a year ago | (#44773249)

The worst part of the damage done by this isn't technical. It's human.

The reporting on this latest disclosure reveals that the NSA has systematically inserted itself into the standard-crafting process, in order to deliberately weaken those standards. It also reveals that the NSA has bypassed the management of communications providers and recruited technical staff directly. In both cases it's reasonable to assume that the people involved have been through a security clearance process and are thus barred for life from disclosing what they know.

I must now ask myself how many people I've worked with weren't doing so in good faith. When they argued that such-and-such a fine point of a network protocol standard didn't need improvement or that it should be changed in a certain way, were they doing so because it was their principled engineering opinion, or because it served some other purpose? Or when they were recommending that one of the many operations I've run move its colocation point or change its router hardware, was that good customer service, or was it to facilitate easier traffic capture?

Will anyone be asking themselves the same questions about me? (They probably should.)

The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight.

Excellent point (3, Insightful)

bradley13 (1118935) | about a year ago | (#44773391)

You make a really excellent point. Sadly, we can only react at this point. It seems to me that there are three useful reactions:

- Keep up the political and media pressure. Don't let this issue die in the news cycle. Americans can apply internal pressure; those of us elsewhere can do our bits to keep up international pressure. For example: I will be integrating the NSA as part of a larger Internet security discussion in at least two of my university lectures in the coming semester.

- Promote open-source software for all security purposes. While not everyone can audit the software, there are enough people out there who can and will. The NSA cannot predict who will do so, and hence cannot have them all in its pay.

- Refuse to use any American IT services where security is important. This is not only sensible, it also applies economic pressure to companies that can lobby in Washington.

Re:The destruction of trust (4, Interesting)

MRe_nl (306212) | about a year ago | (#44773421)

The exact same process has been going on with doctors (the Red Cross, Doctors Without Borders, World Polio programs, etc.) being used as cover by intelligence services and special forces. This practice is forbidden by the Geneva Conventions, and now real doctors working in war zones are being treated with suspicion at the very least, or shot on sight at worst.

"Ah, arrogance and stupidity all in the same package. How efficient of you!"

Retry (1)

Hutt1235 (3045695) | about a year ago | (#44773273)

It looks like war! I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones), is a good thing. Hamlet Devnozashvili Las Vegas 11 Ave Email - hutt1-petviashvili1@hotmail.com Website - Stick War [stickwar.info]

IP AutoSEC (0)

Anonymous Coward | about a year ago | (#44773283)

Although at a very early stage, it aims to bring encryption at the IP level without the need for client-side configuration:

https://github.com/kechel/ip-autosec

Reviews needed: programs, protocols, algorithms (1)

Alain Williams (2972) | about a year ago | (#44773339)

The first thing that we need is a good audit of programs, protocols, algorithms. That won't be easy. Open Source stuff has a head start, but someone needs to read it all. We knew that Skype was broken, but what else: SSL?

As for encryption algorithms, there are only a handful of people in the world who are really qualified to check them; what if their opinions can be bought/blackmailed ... ? This will take a lot of effort, but what good is GPG if the encryption algorithms that it uses have been weakened ?

Keylogging (0)

Anonymous Coward | about a year ago | (#44773409)

It takes very little memory / disk space to store every single thing you ever type with your keyboard. Sending this data will provide access no matter how fancy the encryption mechanisms and programs you use are.
So if you are using an operating system that has been made in the US, I would not count on it having no built-in keylogger to simply bypass every single encryption mechanism out there.

And who are "we", exactly? (0)

argStyopa (232550) | about a year ago | (#44773441)

Superficial utopianism, ahoy!

"The government" broke it, and "we" have to fix it, eh?
Remember, WE are the ones that elected this government, and all the previous ones. (And don't give me the crap about "all they give us is fake choices"; this system is an evolution of what we've asked for.)
Remember, WE are the ones who vote in such elections at a, what, sub-50% rate?
Remember, WE are the ones who, through our commercial choices, have made Hollywood and television the engine of derivative, repetitive, simplistic, stupid entertainments.

I don't know about you, but just about everything "we" do is pretty fucked up. The odds that something positive is accomplished by a herd of humans is approximately 1/(2^(# of people involved)).

Personally, I'm finding Mr Schneier less practically relevant and more of an attention-whore every year.

This article needs to be pinned! (1)

Anonymous Coward | about a year ago | (#44773449)

This article needs to be pinned to the front-page of Slashdot for the next year.
