
IETF Floats Draft PRISM-Proof Security Considerations

timothy posted about 7 months ago | from the there-should-be-an-spf-rating-for-such-things dept.

Encryption 75

hypnosec writes "PRISM-Proof Security Considerations, a draft proposal to make it harder for governments to implement and carry out surveillance activities like PRISM, has been floated by the Internet Engineering Task Force (IETF). The draft highlights security concerns that result from government-sponsored PRISM-like projects and the security controls that may be put into place to mitigate the risks of interception capabilities. Authored by Phillip Hallam-Baker of the Comodo Group, the draft is, however, very sparse on details of how the Internet can be PRISM-proofed."


75 comments

IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44835041)

I can't imagine what difference it would make.

Re:IETF is better than NIST, how? (4, Insightful)

icebike (68054) | about 7 months ago | (#44835123)

I can't imagine what difference it would make.

Well not being owned by the US Government might be a good start, don't you think?

There is some (debated) evidence that NIST was compromised by directions from above, by external control of its budget, etc.

Let's face it, security and privacy were not designed into the protocols we use on the internet today; they were bolted on afterward, and the government played a big (and self-serving) part in that effort. Any amount of data hardening would be welcome at this point. There will still be metadata that can be collected, but content should be able to be kept private by default.

I would rather have a community of enraged engineers driving the design and management than a bunch of federal paper pushers with a police mentality.

Re:IETF is better than NIST, how? (-1)

Anonymous Coward | about 7 months ago | (#44835239)

Well not being owned by the US Government might be a good start, don't you think?

Yeah yeah. You eurofags have this great contempt for the US but you don't mind using the internet the USA invented and USA developed and USA managed. You like our intellectual property and our technology and you admire our military but then there's this contempt of yours. I seriously think it's sour-grapes jealousy. Or maybe paranoia like you really believe the US national gov't cares about you or finds your life interesting/important in any way whatsoever.

Seriously, get over yourselves. You think you're so great, try showing us how it's done. Invent the next Internet.

Re:IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44835285)

You really should put [sarcasm] tags around remarks like these. Otherwise some people will think you're being serious and start treating you like an idiot.

Re:IETF is better than NIST, how? (-1, Flamebait)

hedwards (940851) | about 7 months ago | (#44835347)

Why sarcasm tags? I didn't post it, but the reality is that there wouldn't be an internet as it is were it not for the US starting things. And the world does depend a great deal on the US being willing to get involved in far off parts of the world when the Europeans refuse to.

The main criticism comes down to jealousy and the fact that we don't feel the need to follow their directions.

Yes, the US does make mistakes from time to time, but really, what about in Libya where our waiting for appropriate permissions ran the risk of disaster for the rebellion? Or how about in Syria where there's already been 100k dead where US intervention might have spared some of the casualties?

Re:IETF is better than NIST, how? (2)

george14215 (929657) | about 7 months ago | (#44835361)

Like the 100k civilian dead in Iraq? How in the world do we have any right pontificating on Syria?

Re:IETF is better than NIST, how? (0)

Score Whore (32328) | about 7 months ago | (#44835453)

You do realize that nobody was suggesting that anyone get involved in Syria when it was only 100,000 dead. It was when they started using CW that the concern was expressed. Not a legit moral position to take, but certainly your argument is rebutted.

Personally I think the US should go to the UN and say, "Hey, CW are bad. MMMKAY?" And if China and/or Russia say, "Yes, but ...". Then the US and the rest of the Western world should respond with, "Oh, so CW proliferation is not a big deal now? Then we'll go ahead and start selling into emerging markets, like Chechnya and Tibet." Of course I'm a bit of a provocateur.

Or just send a note to the Hague suggesting the Bashar al Assad is a war criminal and bring charges. It's a bit symbolic, but it's what the Europeans seem to want to do.

Re:IETF is better than NIST, how? (1)

george14215 (929657) | about 7 months ago | (#44835511)

GF implied that intervention was called for based on 100k dead. Anyway, so we are outraged at 4000 killed by CW and that's the red line? The first 100k dead didn't matter? It makes the current case for intervention even more absurd.

Re:IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44835681)

You're an idiot.

The specific number doesn't matter, the bottom line here is that there's been a huge number of people killed in the fighting and isolationist tactics aren't likely to make things go any better.

Re:IETF is better than NIST, how? (1)

Score Whore (32328) | about 7 months ago | (#44835937)

My point is that the reason US pols started getting antsy had nothing to do with how many people were killed, it was the way they were killed.

According to the internet, over a quarter million people die every day. A portion of those can't be saved, but a good portion probably could. Where's the line drawn between sacrificing the future well being of my immediate family for the benefit of someone I've never met, never would meet and quite possibly who will, no matter what outside parties try to do, continue to make bad decisions and will drain you dry if you let them. At some point you have to recognize that taking action can result in a net negative result. The whole moral requirement goes both ways, you may say that those who are better off have an obligation to those who are worse off, but at the same time those who are worse off have an obligation to improve their lot and become a net contributor. Much like a life guard and a drowning swimmer, sometimes they'll take you down with them.

I read an article today where they were talking to Syrian refugees and the people in the refugee camp are developing anti-American sentiment because we're not fighting on their side. If the US intervenes then they get lambasted. If they don't they get lambasted. Well fuck it then.

Not sure if I made a point or not.

Re:IETF is better than NIST, how? (3, Interesting)

SuricouRaven (1897204) | about 7 months ago | (#44838199)

The number of civilians killed in the 9/11 attack was approximately equal to a little over a month of fatal traffic accidents in the US for 2001. If the government had spent even a fraction of the money spent on security and military action after 9/11 on road safety and public transport instead, they could have prevented several 9/11s each year.

Politics and public reaction are not rational.

Re:IETF is better than NIST, how? (2)

causality (777677) | about 7 months ago | (#44839457)

Politics and public reaction are not rational.

More like, the media discovered long ago that sensationalism sells better than rational thinking because emotions are much easier to manipulate. Being mostly followers who have been conditioned not to think critically, the public and thus the public's representatives simply follow.

Re:IETF is better than NIST, how? (1)

causality (777677) | about 7 months ago | (#44839445)

My point is that the reason US pols started getting antsy had nothing to do with how many people were killed, it was the way they were killed.

Yes. When the news reports about the chemical weapons first started coming out, they kept making a big deal out of this. I kept wondering, "and if those people had been shot instead, would that make you feel better?" Seems I'm not the only one to think of that.

Re:IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44836511)

GF implied that...

Ah, but did your GF say it on Slashdot, or just in idle conversation? We can't really debate things with her if she doesn't post them here... ;-)

Re: IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44845071)

Idiot. CW are the most acceptable reason to intervene. Domestic war, no. International law/convention, yes. We could do nothing too. Let CW become acceptable for all those shit hole countries to use. Yeah, that sounds good. Let's sit and watch people getting chemically burned alive.

Re:IETF is better than NIST, how? (1)

daem0n1x (748565) | about 7 months ago | (#44839143)

If you are really so concerned about the Syrian people, stop arming foreign terrorists and sending them there. Haven't you learned anything from all the fuck-ups you did before?

Before anyone calls me an anti-American, that goes for France and UK, too.

Re:IETF is better than NIST, how? (1)

hedwards (940851) | about 7 months ago | (#44835673)

I'm sorry, but that has nothing to do with Syria.

The reason that there are 100k Iraqi civilians dead has nothing to do with the decision about whether or not to invade. The 100k is an argument for actually spending the time to make sure the plans are realistic. Had there been an adequate number of troops in Iraq that would never have happened.

It's beyond me how idiots like you can confuse the issue.

Re:IETF is better than NIST, how? (1)

george14215 (929657) | about 7 months ago | (#44835721)

That's small comfort to the 100k DEAD and their friends/family, idiot. Very convenient rationalizing 100k dead based on an "if". Oops! Bureaucratic mistake, no harm no foul! How asshats like you can be so cavalier about human life is beyond me.

Re:IETF is better than NIST, how? (1)

daem0n1x (748565) | about 7 months ago | (#44839055)

I'm European. As far as I'm concerned you can keep your troops and guns at home, thank you very much.

I'm pretty sure most of my fellow Europeans feel the same.

But then, where would you spend all those shiny weapons your military-industrial complex keeps making and selling you?

Re:IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44836829)

Two-time world war champs! Suck it, Eurotrash!!!

U S A! U S A! U S A!!!

Re:IETF is better than NIST, how? (2)

Anachragnome (1008495) | about 7 months ago | (#44835289)

"Let's face it, security and privacy were not designed into the protocols we use on the internet today, they were bolted on afterward, and the government played a big (and self serving) part of that effort."

For those that doubt that statement, please read the documentation provided by none other than the NSA itself.

http://www.nsa.gov/ia/programs/suiteb_cryptography/ [nsa.gov]

That page was posted by the NSA 4 1/2 years ago and updated in May 2013. Surprisingly, they name names--exactly who worked on what--and even go so far as to provide addresses and personal information for these people. These names can be used to locate networks of "cooperation", just like the NSA uses metadata to find out things about us. For instance, one of the key writers in this document ( http://www.ietf.org/rfc/rfc6318.txt?number=6318 [ietf.org] ) when Googled is linked to this document-- https://www.google.com/patents/US6243467 [google.com] , which in turn adds more names. Follow the names, and see just how much trust you have afterwards.

Dig through the links! Very informative! Start asking yourself what crypto might be safe from the NSA, and you'll quickly realize--the further you dig--that none of it is safe from the NSA. They've identified and created "secure" versions of almost every protocol, for themselves (Suite B), and stuck the rest of the world with lesser versions, versions that would obviously be crackable given that they possess something better.

To be honest, I'm a little surprised that page is still available. I suspect it won't be for long.

Re:IETF is better than NIST, how? (0)

Anonymous Coward | about 7 months ago | (#44835423)

The last time I checked, New Zealand wasn't owned by USG either. The point is that the goal is ideal but implementation will suffer the same fate. It is the LAWS that need to be repealed and departments that need to be abolished, and people in charge of the said departments and "pushers" of the said laws are to be given very long prison terms; that is the solution.

Anything is better than NIST (1)

Taco Cowboy (5327) | about 7 months ago | (#44835809)

If the IETF is serious about foiling NSA's PRISM scheme, there is one item that they should add in their proposal ...

DO NOT USE ANY CISCO DEVICE

All CISCO devices come with NSA backdoor pre-installed

Re:IETF is better than NIST, how? (1)

icebike (68054) | about 7 months ago | (#44835999)

The best encryption is the kind that even when they hand you the algorithm you can't break it.
If we could just get government spooks out of the development chain and do it all in opensource we could prevent the backdoors they demand.

If we went to a pluggable encryption module, web servers, mail servers, etc. could support many of them, and the user could take their choice.
There are a lot of methods we could improve, and every single one of them is easier than your recommended restructuring of government.

Not an IETF Draft (5, Informative)

petithug (133086) | about 7 months ago | (#44835055)

An IETF draft starts with "draft-ietf-". This is merely a proposal by a member of the IETF to discuss this subject.

Re:Not an IETF Draft (1)

Zero__Kelvin (151819) | about 7 months ago | (#44835199)

The summary doesn't say it is a draft standard, it specifically says: "a draft proposal". This means that he is proposing that they create a draft standard.

Re: Not an IETF Draft (1)

petithug (133086) | about 7 months ago | (#44835467)

What I mean is that "floating by the IETF..." is misleading. Anybody can submit an I-D for standard track. Few are adopted by the IETF.

Re: Not an IETF Draft (1)

mellon (7048) | about 7 months ago | (#44836169)

Drafts aren't draft standards. They are drafts of documents that might someday become standards. Drafts that start with draft-ietf are drafts that have the consensus of some IETF working group to work on them, and are therefore somewhat closer to becoming standards. But they still aren't standards, and many of them die on the vine.

What PHB's document is is an individual submission. It's not got any kind of consensus yet. Not shocking, since the first version was published this morning. It's possible that it might be adopted by a working group, or be the basis for forming a new working group. Just as likely, several competing drafts that say similar things but differ on some key points will also be published, and there will be discussion about which one to work on, if any, or about combining the work. Eventually some document might reach a point where there is consensus to publish it, and then it would be a standard.

It's a messy and sometimes frustrating process, but by virtue of being a completely open process, it's hard to subvert it without leaving tracks, which is a big win for this particular subject.

This topic has generated a huge amount of interest in the IETF, and we're going to try to have a session on the topic in Vancouver, and also hopefully a presentation to the entire IETF in the meeting plenary. None of that is cast in concrete yet, because we have to get people to agree to come, and for that matter to come up with something to say. But it is something a lot of us would like to see happen, and it's being seriously worked on by the leadership.

Re: Not an IETF Draft (3, Interesting)

Zeinfeld (263942) | about 7 months ago | (#44836681)

It is not even meant to be a proposal.

The point of the document is that I took all the points that had been made five or more times already and put them into one document so that we can move the discussion on to the next stage. Otherwise every time we get a new person joining the group we have to go through the same thing all over. And the third or fourth time round it becomes 'we already know that', 'NOO you are trying to censor me, NSA plant!'.

It isn't meant to become an IETF draft; they would make me take out all the fun parts. Like pointing out the abject incompetence of an organization that lets a 29 year old contractor with a pole dancer for a girlfriend have access to that material six months after joining. Why do Alexander and Clapper still have jobs? And spying on US citizens and then trading the raw SIGINT with foreign powers that are certain to share it with my commercial competitors? What were these idiots thinking?

There is work going on in IETF and in fact we started before his Bruce-ship made his call to arms. I doubt the PRISM-PROOF branding will stick. But it is powerful mind share as this story proves. We have botched deployment of almost all the security protocols developed in IETF except for TLS and that succeeded before it went in. This is a chance to hit the reset button and fix the mindbogglingly stupid deployment gaps. Like having no standard way to discover recipient keys and having two different message formats (OpenPGP and S/MIME) forcing people to choose between two key endorsement schemes rather than allow them to pick the one suited to their needs.

Yes, I do think there was interference in the past efforts but I suspect it was subtler than most imagine and not coming from the NIST folk. Rather, I think the interference came from folk who would encourage both sides in technical disputes to dig in and refuse to compromise, folk who participate with no visible means of financial support and seem to have limitless time to write drafts but are not very technical.

Re: Not an IETF Draft (2, Informative)

Anonymous Coward | about 7 months ago | (#44836181)

[Can't log in due to another slashfail, I wrote the draft]

Yeah, I did rather wonder about that when I got sent the Register article. They didn't even ask me for comment before publishing or I would have told them.

This is merely a summary I wrote of the traffic on a private list that we have been discussing PRISM on. It is not even all my work. And the main point is simply to set a baseline for the three drafts to follow so that we can avoid prolonged discussion of purported PRISM capabilities.

The next draft divides the problem space into two parts, first things that we already have good solutions for, second things that we need to improve on. Much of that is taken from the work I did on secure email in my book 'dotCrime Manifesto'. At the moment we have two email security solutions, neither of which is viable. S/MIME has ubiquitous deployment, PGP has mindshare. It does not matter how long we try, we are not going to get everyone on the Internet to use PGP. It is just too complicated for people to understand. And so is S/MIME. But there are parts of S/MIME and STARTTLS that we can just build on without modification. S/MIME message format works fine and many email clients can receive S/MIME encrypted mail without any horrid user issues. Key validation and distribution on the other hand is not done at all well. So we need a standard for a 'socket' that can fit into a MUA that allows them to access a module that does those well.

The idea of that draft is that there are four or five people who are working on innovative PKI schemes to address key distribution. But users don't want to have to bet on any one of those being the 'winner'. Plus we have lots of people who just want to hack cool crypto code into Thunderbird or the like. So if we define the interface between the two groups then we can both work in parallel and without wasted effort. And if there are enough people implementing sockets in MUAs then pretty much everyone can use encrypted email with their favorite mail client.

The third draft deals with key generation and proposes that we have a tool that generates keypairs and (optionally) submits them to some service that will be the gateway to the key distribution scheme. Although there are key generators out there, there are issues that just make them unsuited, and none offers a good way to back up a private key or transfer it to another device. [No, encrypting your private key with a human-readable password with 40 bits of entropy is not a good approach.] That draft goes beyond the current capabilities but is something I think we can all agree on as a common infrastructure.

The final part will be my solution to the researchy part of the problem. I doubt mine will be the only one. I am looking at building on the ideas in Google's Certificate Transparency but without the transparency proofs in the cert part which I find silly and for email is unnecessary since we do not worry about shaving a hundred milliseconds off latency. There is also a second layer of notaries, the inter-notary infrastructure.

It's called IPv6 DNSSEC (2)

VortexCortex (1117377) | about 7 months ago | (#44835079)

Mandatory end to end security was in IPv6. The Feds didn't like that, so guess what? It got removed.

If you ask me, it's time to shit-can the IETF too.

Re:It's called IPv6 DNSSEC (1)

steelfood (895457) | about 7 months ago | (#44835163)

At this point, does it even matter? IPv6 is taking forever to adopt. By the time any new PRISM-proof standard gains any amount of traction, the NSA would have developed a new system to work around it. And that's assuming that the NSA hasn't sabotaged its efforts either by directly convincing the standard-writers to put in back doors, or indirectly by convincing companies not to adopt secure portions of the standards.

Communication has been, and always will be about trust. Without trust, no communication can take place.

Re:It's called IPv6 DNSSEC (0)

Anonymous Coward | about 7 months ago | (#44835247)

The NSA isn't the only one in the game these days. Many other countries have their own analogues to that agency.

The thing is that people are aware and actively taking measures for this. I'm sure the Guardian will keep themselves relevant and in the spotlight by releasing an item every few days that will get people not just shocked, but willing to do something about it. (*cough* WoT and reputation based systems rather than 100% trust.)

Re:It's called IPv6 DNSSEC (1)

AHuxley (892839) | about 7 months ago | (#44836125)

Only the GCHQ and NSA can shape international telco standards and end user cryptography. They set the early EU/NATO export grade cypher machine standards, the consumer digital age was theirs to shape. The idea that some country with some satellite dishes and mirroring all optical in their region can have global reach is a joke.
You need physical global reach and a deep understanding of the systems in use. Very few countries ever had that.

Re:It's called IPv6 DNSSEC (1)

rtb61 (674572) | about 7 months ago | (#44837117)

Well, right now the US Administration has a choice: either get the NSA back under control or face the global exclusion of US software, hardware and computer services, and US companies are fully entitled to send the bill for losses straight to the NSA. In fact they should start the court cases for damages right now.

Re:It's called IPv6 DNSSEC (1)

Zero__Kelvin (151819) | about 7 months ago | (#44835175)

Hindsight is 20/20. If they did that today then I would agree with you, however I'm assuming that happened prior to the Snowden Enlightenment, in which case you are criticizing them for not knowing what you didn't know either at the time.

Re:It's called IPv6 DNSSEC (0)

Anonymous Coward | about 7 months ago | (#44835263)

Hindsight is 20/20. If they did that today then I would agree with you, however I'm assuming that happened prior to the Snowden Enlightenment, in which case you are criticizing them for not knowing what you didn't know either at the time.

Default end-to-end security isn't a "why should we?" question. It's a "it won't hurt, why the hell isn't everybody already doing this?!" type of question. You don't need Snowden for this. NSA isn't the only one trying to compromise networks and hosts.

Re:It's called IPv6 DNSSEC (1)

Zero__Kelvin (151819) | about 7 months ago | (#44835297)

Bullshit. When IPv6 was first proposed (2000-10-05) hardware was far less capable, and requiring all systems that participated in the internet via IPv6 to do on the fly encryption was not a smart idea. Again, you are speaking as if this all happened today, with current knowledge of PRISM and current hardware capabilities.

Re:It's called IPv6 DNSSEC (0)

Anonymous Coward | about 7 months ago | (#44839427)

Bullshit. When IPv6 was first proposed (2000-10-05) hardware was far less capable, and requiring all systems that participated in the internet via IPv6 to do on the fly encryption was not a smart idea. Again, you are speaking as if this all happened today, with current knowledge of PRISM and current hardware capabilities.

Yes, because no one could ever make plans for the future... so how widespread is IPv6 again? Moore's "Law" had been around back then you know.

You really are a narrow-minded individual. You show signs of closing off your mind and refusing to think of "how could that be done" and instead thinking "heh I'm so smart". How typical.

Re:It's called IPv6 DNSSEC (1)

Zero__Kelvin (151819) | about 7 months ago | (#44840157)

They did make plans for the future. That is why end to end security is an option. End to End security has advantages and disadvantages, so it is pretty hilarious and ironic that you would accuse me (and the rest of the experts who know far more than you) of being the short-sighted ones.

"You really are a narrow-minded individual."

Thanks for that. I needed a good laugh this morning!

Re:It's called IPv6 DNSSEC (1)

cookYourDog (3030961) | about 7 months ago | (#44835221)

Aren't you still trusting certs to a third party with DNSSEC? Hasn't the NSA already subverted that model of trust?

And doesn't this only protect resolution confidentiality and integrity? What about actual http requests?

Re:It's called IPv6 DNSSEC (1)

mellon (7048) | about 7 months ago | (#44836271)

You can publish your PKI cert in DNSSEC. This forces an attacker not only to get a CA to sign their fake cert, but also to subvert the DNSSEC hierarchy. The cert protects the integrity and confidentiality of the communication. So in fact DNSSEC can play a role in that, and result in a system that's harder to subvert.

Furthermore, the NSA hasn't entirely subverted that model of trust. It is not _as_ trustworthy as people thought, but systematically snooping on https traffic with faked certs is still something that's not practical—you can do a targeted snoop, but the wider you cast the net, the more likely it is that your attack will be noticed. So yes, subverting the PKI is a risk, but no, it doesn't mean the PKI, or DNSSEC, is useless.
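mellon's point above, that publishing the certificate in DNSSEC forces an attacker to both obtain a CA signature and subvert the DNSSEC hierarchy, is the idea behind DANE TLSA records (RFC 6698). The following is an added example written for this page, not code from the comment, the IETF draft, or any DANE library. It assumes the TLSA "full certificate" selector (selector 0), uses constructed placeholder bytes in place of real DER certificates (the logic only hashes and compares bytes, so nothing changes for real DER), and models the CA's verdict as a boolean supplied by the caller. Certificate usage 1 (PKIX-EE) is the "both checks must pass" case the comment describes.

```python
"""Added example: checking a presented certificate against a TLSA record
published in DNS, so that a CA-signed but unexpected certificate is rejected.
The certificate bytes used by the demo are constructed placeholders."""
import hashlib
import hmac

# TLSA matching types (RFC 6698 section 2.1.3)
MATCH_FULL = 0     # association data is the full selected content
MATCH_SHA256 = 1   # SHA-256 of the selected content
MATCH_SHA512 = 2   # SHA-512 of the selected content

# TLSA certificate usages (RFC 6698 section 2.1.1); only PKIX-EE is used here
USAGE_PKIX_EE = 1  # end-entity cert must pass PKIX validation AND match the record


def association_data(cert_der: bytes, matching_type: int) -> bytes:
    """Compute the 'certificate association data' for selector 0 (full cert)."""
    if matching_type == MATCH_FULL:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def make_tlsa(cert_der: bytes, usage: int = USAGE_PKIX_EE,
              selector: int = 0, matching_type: int = MATCH_SHA256) -> str:
    """Build the record in presentation format: 'usage selector mtype hexdata'.
    This is what the domain owner would publish (signed under DNSSEC) at
    _443._tcp.<host>; the name is not modelled here."""
    data = association_data(cert_der, matching_type).hex()
    return f"{usage} {selector} {matching_type} {data}"


def parse_tlsa(record: str):
    """Split a presentation-format TLSA record into its four fields."""
    usage, selector, mtype, data = record.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def cert_matches_tlsa(presented_der: bytes, record: str) -> bool:
    """True if the presented certificate matches one published TLSA record."""
    _usage, selector, mtype, published = parse_tlsa(record)
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs DER parsing; out of scope here.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    computed = association_data(presented_der, mtype)
    # Constant-time comparison; the lengths differ only when mtype differs.
    return hmac.compare_digest(computed, published)


def accept(presented_der: bytes, ca_accepts: bool, tlsa_records: list,
           dnssec_validated: bool = True) -> bool:
    """Client decision for PKIX-EE usage.

    ca_accepts       - verdict of ordinary CA chain validation (modelled as a bool)
    tlsa_records     - TLSA records retrieved for the service name
    dnssec_validated - whether the resolver authenticated those records (AD bit)
    """
    if not dnssec_validated:
        # Unvalidated TLSA data is just ordinary DNS and could itself have been
        # replaced; RFC 7671 says to treat it as absent and fall back to PKIX only.
        return ca_accepts
    pinned = any(cert_matches_tlsa(presented_der, r) for r in tlsa_records)
    # A forged cert that a CA was induced to sign still fails here, and a cert
    # that matches DNS but fails the CA check fails too: the attacker needs both.
    return ca_accepts and pinned


# Constructed placeholder "certificates" (not real DER) for a stand-alone run.
GENUINE_CERT = b"constructed-genuine-certificate-bytes"
FORGED_CERT = b"constructed-forged-certificate-bytes"

if __name__ == "__main__":
    record = make_tlsa(GENUINE_CERT)
    print("published TLSA:", record)
    print("genuine, CA ok, DNSSEC ok :", accept(GENUINE_CERT, True, [record]))
    print("forged,  CA ok, DNSSEC ok :", accept(FORGED_CERT, True, [record]))
    print("forged,  CA ok, no DNSSEC :", accept(FORGED_CERT, True, [record], False))
```

The third printed case is the caveat a deployment needs to keep in mind: a TLSA record only adds the second hurdle when the resolver actually validates DNSSEC, otherwise the client is back to trusting the CA alone.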

Re:It's called IPv6 DNSSEC (1)

cookYourDog (3030961) | about 7 months ago | (#44836573)

Good information, thanks for the reply. Unfortunately, I think it's far easier than faking certs. A national sec letter delivered to a CA seems to render the entire hierarchy useless. Am I wrong here?

Re:It's called IPv6 DNSSEC (0)

Anonymous Coward | about 7 months ago | (#44836705)

No you aren't, and that's why CA is worthless against NSA/GCHQ/INSU

Re:It's called IPv6 DNSSEC (1)

slick7 (1703596) | about 7 months ago | (#44836275)

Aren't you still trusting certs to a third party with DNSSEC? Hasn't the NSA already subverted that model of trust? And doesn't this only protect resolution confidentiality and integrity? What about actual http requests?

Here's the circle of trust and you're not in it.

Re:It's called IPv6 DNSSEC (1)

Burz (138833) | about 7 months ago | (#44837331)

Only encrypted onion routing such as this [geti2p.net] can provide end-to-end security that does not leave reams of metadata (all of the who / when / where details of our communications) on the NSA's front porch every morning. No carrier can tell you what your addressing or NAT scheme can be, nor interfere with packet delivery in any fashion other than all-on-or-all-off. You even get to decide the number-of-hops vs speed tradeoff for different applications, and your address doubles as the cryptographic key that affirms your identity (only to the others you communicate with).

DNSSEC is a rubric of centralized control that leaves security as much subject to the secret courts and NSA "workarounds" as does PKI over IPv4.

Sure, null problemo (0)

Anonymous Coward | about 7 months ago | (#44835081)

First, design custom open source hardware for all components and make the chips as tamper-proof as possible. Don't forget to make it TEMPEST proof. Second, reimplement all software involved in highly audited Ada open source code in teams of two programmers, including all operating systems, drivers, network stacks etc. Third, seize physical control of all network cables everywhere at any time. Easy peasy.

Did I forget something? Probably, I was working on a time constraint. Need more funding.

The problem is that PRISM is all-seeing (0)

Anonymous Coward | about 7 months ago | (#44835119)

Tor is useless against someone who can see every single hop of the packet as it leaves your computer and goes through the various routers.

A bandaid for tor is to have every single packet padded out to max MTU with random gibberish so that every packet looks identical coming and going, but there's still going to be timing attacks for low-traffic nodes.

Re:The problem is that PRISM is all-seeing (1)

mellon (7048) | about 7 months ago | (#44836285)

Watching all Tor endpoints and coordinating the traffic between them is an O(N^2) problem. Not a problem for a targeted attack, not so easy for attacking everybody, unless not many people use it. So people who bittorrent through Tor are, ironically, doing a public service.

We need security from the US Government (0)

Anonymous Coward | about 7 months ago | (#44835141)

because the terrorists might hurt us! Besides, as long as you aren't doing anything illegal, you have nothing to worry about. :)

Re:We need security from the US Government (0)

Anonymous Coward | about 7 months ago | (#44835367)

I have Six Million® reasons to counter that silly "nothing to hide" argument. They could not stop being Jews, you know.

Re: We need security from the US Government (0)

Anonymous Coward | about 7 months ago | (#44845129)

Please explain.

It can't be PRISM proofed (0)

Anonymous Coward | about 7 months ago | (#44835145)

That would require true end-to-end security in the hands of the users and that concept is not compatible with anyone's business plan so far.

Re:It can't be PRISM proofed (1)

mellon (7048) | about 7 months ago | (#44836303)

You can have end-to-end security any time you want. The problem is, most people don't know to want it.

cat & mouse (0)

Anonymous Coward | about 7 months ago | (#44835161)

Why play cat and mouse with your own governing body? PRISM is illegal. Put effort towards ending it. Otherwise, you're helping terrorists... (rolls eyes)

Re:cat & mouse (2)

causality (777677) | about 7 months ago | (#44835281)

Why play cat and mouse with your own governing body? PRISM is illegal. Put effort towards ending it. Otherwise, you're helping terrorists... (rolls eyes)

Out-of-control governments are the real terrorists. Al-CIA-da would salivate at doing one one-thousandth the damage a cancerous government can do.

Maybe PRISM is a US government; I don't know. (2)

Zero__Kelvin (151819) | about 7 months ago | (#44835243)

"PRISM is reputed to be a classified US government that involves covert interception of a substantial proportion of global Internet traffic."

He repeats this line at least twice, which I am assuming is a result of copy and paste. Unless he is saying that PRISM is a second government, I guess my first suggestion would be to add the word "program" in there somewhere ;-)

Re:Maybe PRISM is a US government; I don't know. (0)

Anonymous Coward | about 7 months ago | (#44835287)

"PRISM is reputed to be a classified US government that involves covert interception of a substantial proportion of global Internet traffic."

He repeats this line at least twice, which I am assuming is a result of copy and paste. Unless he is saying that PRISM is a second government, I guess my first suggestion would be to add the word "program" in there somewhere ;-)

It might as well be a second government. Doesn't exactly follow the laws and Rights that supposedly were the foundation of the current democracy...

Outside the USA only (0)

Anonymous Coward | about 7 months ago | (#44835273)

how the Internet can be PRISM-proofed

Well, obviously, whatever Internet physical infrastructure is located inside the USA cannot be PRISM-proofed.

Any technology-based attempts to secure the Internet within the USA can be easily circumvented with national security letters.

Sparse Details (1)

Nethemas the Great (909900) | about 7 months ago | (#44835295)

the draft is however very sparse on details

Don't worry the NSA and GCHQ will help fill in those details.

Re:Sparse Details (1)

slick7 (1703596) | about 7 months ago | (#44836301)

the draft is however very sparse on details

Don't worry the NSA and GCHQ will help fill in those details.

And you still won't have a clue what they are.

Common Sense 101 (0)

Anonymous Coward | about 7 months ago | (#44835351)

The NSA has a two-fold mission. One is to protect the US government's privacy. Two is to invade everyone else's privacy, US citizenship be DAMNED!

OK?

Corrections (5, Informative)

WaffleMonster (969671) | about 7 months ago | (#44835407)

Anyone can submit an I-D for anything. With few exceptions they are uploaded automatically with no human review, zero buy-in, endorsement, weight, etc. by anyone. This I-D has not even been adopted by a particular WG.

Then there's the question of what it is this draft proposes; it reads more like a haphazard list of one man's problems.

To be clear I'm not attacking the I-D I'm attacking the warped characterization of it by people who should know better.

Re:Corrections (0)

Anonymous Coward | about 7 months ago | (#44836449)

So you're saying that it's like a slashdot submission that hasn't yet been posted and duped.

How to fight terrorism (0)

Anonymous Coward | about 7 months ago | (#44835447)

Make everyone eat pork. If some object, they have had a homeland for sixty-five years, you know. Taqiyya notwithstanding.

At this point in time, it is not possible (0)

Anonymous Coward | about 7 months ago | (#44835869)

With the NSA already having backdoors in Windows and Linux, and probable backdoors in Mac OS, how is this possible?

Individual submission, not IETF document (1)

klapaucjusz (1167407) | about 7 months ago | (#44836305)

This is an individual submission, not an IETF working group draft, and does not appear to either be proposed for an IETF wg draft or to be in the RFC Editor's queue [rfc-editor.org]. In short, it has nothing to do with the IETF.

build a better lock (0)

Anonymous Coward | about 7 months ago | (#44836643)

and you build a better hacker. Looks like the saying now applies to the NSA as well.
The IT industry has built better locks and the NSA has worked around them.

Root Root Root for IETF (1)

John Reynolds (3026403) | about 7 months ago | (#44841757)

We need this. Without a way to make sure the NSA isn't invading our privacy, we need to take matters into our own hands. Laws won't do the job. My God, the NSA's philosophy is "We're hunting terrorists. We don't need no stinking 4th Amendment." Unfortunately, I doubt that encryption will keep the NSA out entirely, but it will make it harder for them to pick us out of the crowd. Decrypting still takes extra time and effort, and that little bit of hassle may be enough to keep their noses out of your business. One thing we can do right now is stop storing stuff on Dropbox, iCloud, etc., where it's easy pickings for the NSA. Take it down and stash everything in a CloudLocker (www.cloudlocker.it), which works just the same but is private and stays in your home, where they still need a warrant to see inside.
