Online Security Isn't Over; It's Just Beginning
from the time-to-move-on dept
One of the more annoying responses to the latest revelations about the NSA’s spying and surveillance is people brushing it off, saying, “well, of course the NSA was doing this.” That simplistic, short-sighted response doesn’t really take into account the importance of the details and, worse, seems to suggest that this kind of status quo is acceptable. It’s not. Worse, it’s leading some to take the fatalistic approach that there’s nothing to be done, so why even bother? That’s the the exact wrong approach. As Micah Lee points out:
Giving up and deciding that privacy is dead is counterproductive. We need to stop using commercial crypto. We need to make sure that free software crypto gets serious security and usability audits.
If we do this right we can still have privacy in the 21st century. If we give up on security because of this we will definitely lose.
Bruce Schneier has been thinking along similar lines, beyond just his call to rebuild internet infrastructure with security and openness in mind to make life more difficult for the NSA, he’s also discussing things people can do right now to remain a hell of a lot more secure in the face of the NSA’s activities.
If the internet is going to be as powerful and as useful as it should be, it needs to be a lot more secure. Throwing in the towel because of some backdoors is the exact wrong approach and is exactly what’s not needed right now. The security needs to be better and it needs to be easier to implement and to use. That won’t happen overnight, but it will happen. It needs to happen.
Filed Under: cryptology, cybersecurity, encryption, online security, privacy, security
Comments on “Online Security Isn't Over; It's Just Beginning”
WRONG! Don't try to hide from your errant servants!
Remind them that THEY ARE SERVANTS, that they’re breaking their oaths and BEING EVIL, and are allowed their power only so long as serve We The People.
That’s rock-bottom AMERICANISM: when The Rich use gov’t for tyranny, it’s time to rise up and pull down the tyrants, NOT HIDE LIKE MICE.
Re: WRONG! Don't try to hide from your errant servants!
Yeah, tell them to get us a glass of water!
Re: Re: WRONG! Don't try to hide from your errant servants!
% nsa make me a sandwich
Re: WRONG! Don't try to hide from your errant servants!
O.K. so Blue has a damn good point here and everyone just reflexively reports him? That’s pretty damn stupid.
We need a 2 step program here.
1. Make the government start working for us, the way we want it to.
2. Use that reformed government to stop excesses and abuse from the corporate world.
Re: Re: WRONG! Don't try to hide from your errant servants!
It’s kind of like a “boy cries wolf” scenario. Its hard to take the poor guy seriously when 99% of his comments are off-topic and/or ad homs.
Re: Re: Re: WRONG! Don't try to hide from your errant servants!
She’s still blaming “the Rich” for everything, even though they’re patently not the bad guys. The multinational corporations, the MIC and their religious authoritarian cohorts are. Get their grubby paws off the levers of power, and we’ll have the country we want. Attempting to break up the country or just hating on “the gubmint” ain’t a solution, it’s part of the problem because it denies that we actually need a government to enact governance.
Getting the government back under control with a mandate to serve We The People is the way to go. It begins with using our right to vote responsibly and NOT voting the same old grifters and corporate suck-ups back into office every damn time.
Re: WRONG! Don't try to hide from your errant servants!
Why can’t we do both?
XKCD
http://imgs.xkcd.com/comics/legal_hacks.png
Re: XKCD
… they really do have a comic for everything, don’t they?
Trust
-the internet (or at least it’s protocols) is based on trust
That may just be the beginning and end of the whole problem
Re: Trust
By definition, there is no privacy/security on the Internet; any communication that involves a 3rd party is unsecure. Wishing for the unattainable is silly.
You want privacy? Go somewhere by yourself or go talk to somebody face-to-face.
Re: Re: Trust
Security and privacy are not black-and-white. That is, you can never have 100% of either, but that doesn’t mean you should accept 0%.
Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.
Re: Re: Re: Trust
Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.
Uh, no.
What is the point of posting such bunk?
Re: Re: Re:2 Security is not binary
Given that the manpower of the NSA is actually quite limited, I see no reason why John Fenderson is incorrect. If I contact someone using what is advertised as his public key, even if the NSA runs a MITM against us, it would have to have a real human editing our conversation to prevent us from exchanging enough information to be able to detect the MITM attack. There is no way an automatic logger (which is all the NSA can afford to run against “Average Joe Who Is Probably Not A Terrorist Or Otherwise Interesting”) is going to be able to prevent us from confirming our PK fingerprints.
Re: Re: Re:2 Trust
Please explain why it’s not possible. I can think of a couple of ways right off the top of my head, mostly involving multilayered encryption, using a combination of different protocols and including at least one that isn’t a standard.
Aren’t we just overdue on putting together a third political party? …and not just some quarterback wannabe with personal wealth to run for president?
Re: Some steps are missing
I would prefer to see no parties at all rather than more parties. But the core problem isn’t any of the parties at all. The core problem is a prolonged and systemic takeover of the government by major corporations and the ultra-wealthy.
We’ve been down this road a couple of times before in US history. This is a familiar landscape.
Re: Re:
A third? Don’t you mean a second?
Top down?
1. Industry leaders come up with new solutions.
2. NSA (or some new, secret-funded group) pressures them for potential weak points.
3. Crypto is broken, again, silently.
4. Right back where we started.
None of the technical stuff matters anymore if it’s got the spooks with its fingers in it anyway.
Re: Top down?
The technical solution is easy: don’t use the “solutions” that industry leaders provide. We don’t need them.
hide in the open
Personally, I avoid certain words and phrases in my online communication now. I am sure this will get sorted one way (we take away their power to do this) or another (we are able to subvert their efforts to do this with better encryption)
The thing is, they SAVE EVERYTHING and even with better encryption its just a matter of time until they will be able to crack that as well. Seems the only truly secure way to regain our lost privacy is to take away the power which allows their actions. Until then I avoid using the net for important communication and hope to hide in the ever growing haystack.
We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)
Browsers should use the new protocol by default, and give an “Are you sure you want to navigate to this site? It has weak encryption.” warning message for sites using TLS 1.2 and older protocols.
Almost all sites use TLS 1.0/SSL 3.0, both of which are quite vulnerable. Maybe a large crowd of users complaining about sites’ weak encryption could finally get them to upgrade and thwart the NSA.
Re: Re:
TLS 1.2 without compression has exactly what you want. Stronger encryption (AES-GCM, SHA-256), no known weaknesses. You can easily disable RC4 when using it it (not offering it as a client, not taking it as a server).
That is a bit of an inversion, since plain non-encrypted HTTP (which has even weaker encryption – the equivalent of 0-bit crypto) would not get a warning. First add warning to non-encrypted connections, then start killing the older protocols one by one as people upgrade.
Re: Re: DNS Sec + Signing
I think that working around CAs and allow self-signing via DNSSec is probably the first step… the biggest points keeping out broader SSH are shared hosting (multiple IPs, one IP), and the CAs, which if compromised, may as well be public.
A sign of giving up
Not all of us who say “of course the NSA is doing this” mean it as a statement to throw in the towel for privacy.
You’ve got a shiny new thing to keep all your secrets? that’s good, keep working on the next new thing to keep it secret… soon the NSA will figure out how to get in to that new thing so you better have the next ready.
ha!
Onlne security & internet redesign
Besides needing massive government reform which we will not get so long as we do not have congressional term limits and don’t tax bribes. Redesign of the internet is not possible because much of it is controlled by oligopolies who collude with each other: the cable providers Comcast and Time Warner being the worst, they work with the Telcos/Wireless providers AT&T and Verizon. They will not support nor permit any change that they do not approve and that keep them from getting $Bn/year from DoJ and NSA.