zlacker

[return to "Inside the NSA's War on Internet Security"]
1. diafyg+S1[view] [source] 2014-12-28 20:54:14
>>Fabian+(OP)
THESE DOCUMENTS CONTAIN EVIDENCE OF ATTACKS ON VPN, SSL, TLS, SSH, TOR. What do we do now? No seriously, what do we do?

The full list of documents: http://www.spiegel.de/international/world/nsa-documents-atta...

The accompanying lecture: http://streaming.media.ccc.de/relive/6258/

Also, obligatory: https://eff.org/donate

◧◩
2. freedu+z4[view] [source] 2014-12-28 21:48:32
>>diafyg+S1
Earlier this year at goto copenhagen I heard a good talk by Tim bray:

http://gotocon.com/cph-2014/presentation/Privacy%20and%20Sec...

Where he argues that even though we can not achieve complete security there is great value in raising the bar. If we continuously make it increasingly harder for NSA, MOSAD, GCHQ and the rest of them to spy on us, we can achieve good enough privacy. Where most communication will be secure. But he also argues that if one of these agencies really wants to target YOU specifically they will get to the information. By breaking into your house and installing cameras, if necessary.

◧◩◪
3. uncleb+9f[view] [source] 2014-12-29 01:59:48
>>freedu+z4
>If we continuously make it increasingly harder for NSA, MOSAD, GCHQ and the rest of them to spy on us, we can achieve good enough privacy

Good enough privacy is no privacy.

Anyway, this is completely the wrong mindset. This is a legal problem which requires, not pretty good tech, but clear, strict laws, with whistle-blower protection. We have to stop ceding that this is legal or should be legal.

Otherwise, we've already lost.

◧◩◪◨
4. derf_+8h[view] [source] 2014-12-29 02:59:35
>>uncleb+9f
Why would laws be sufficient? There are plenty of people who would like to do the same things the NSA would like to do who are not concerned with laws. As Schneier says, "today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools."

Changing economics by deploying more PFS ciphersuites and shifting to technology which requires active attacks instead of passive ones can give real, practical improvements in privacy, even against state actors.

◧◩◪◨⬒
5. uncleb+Zk[view] [source] 2014-12-29 05:10:47
>>derf_+8h
>There are plenty of people who would like to do the same things the NSA would like to do

My comment was specifically with regard to the NSA, as is the topic of this article.

Certainly the NSA should be concerned with laws, and laws should be sufficient.

◧◩◪◨⬒⬓
6. olifan+5b1[view] [source] 2014-12-29 21:19:25
>>uncleb+Zk
no laws are going to change the behaviour of the NSA or any other foreign agency with similar capabilities. Once they have it, they will lie, obfuscate and stall to make sure they never lose it. It's time to stop being angry at the NSA and realize than only open-source end-to-end encryption will help us regain some of the privacy that we lost. The web has to become secure by default.
◧◩◪◨⬒⬓⬔
7. uncleb+Cn1[view] [source] 2014-12-30 00:23:50
>>olifan+5b1
I sincerely don't understand this notion of capitulation to the whims of a rogue government in what is supposed to be a nation of laws. Currently, we don't even have a set of clear laws on the books that outlaw the behavior. This is what enables the current stalling and obfuscation. I am not saying we should simply trust them. Their actions have to be made clearly illegal, with full oversight and robust whistleblower protection. We must start with the law.

I also don't get the idea of "some privacy". It seems to me along the lines of "somewhat pregnant". But, you (and many others) are advocating an approach that says, "let's untether our government from even the pretense of adherence to any laws, allow them to attack us with impunity, and simply do the best we can with what we have to fend them off".

If I were of the lying, obfuscating NSA-worker ilk, what you are advocating is exactly the response that would make me salivate.

I know that many people have this romanticized notion that we will do tech battle against our government and win, but we simply won't. If years of battling virus writers, rootkits, and zero days have taught us nothing, it should have taught us that a determined adversary will own us. Add to that unlimited resources and claimed legal authority to compel cooperation from tech/infrastructure providers.

You really want to unleash the lying, obfuscating NSA and trust that your open-source encryption and ciphers won't be cracked, that your full software and hardware stacks have not been compromised, and that the same is true for everyone with whom you communicate, etc., then patch things up and try again if and when you are made aware of a compromise? Sorry, friend. That's a losing proposition.

[go to top]