The full list of documents: http://www.spiegel.de/international/world/nsa-documents-atta...
The accompanying lecture: http://streaming.media.ccc.de/relive/6258/
Also, obligatory: https://eff.org/donate
In addition to encouraging the NSA (and equivalent agencies in other countries) to change its approach, developers will do what we always do and build new secure protocols and tools with the lessons from previous attempts in mind.
It is a cat-and-mouse game that will never cease.
- Royal Jordanian
- Transaero Airlines
Govs:
- Mexico
- Pakistan
- Turkey
- Afghanistan
Slides 41/42.
http://gotocon.com/cph-2014/presentation/Privacy%20and%20Sec...
Where he argues that even though we cannot achieve complete security, there is great value in raising the bar. If we continuously make it increasingly harder for the NSA, Mossad, GCHQ and the rest of them to spy on us, we can achieve good enough privacy, where most communication will be secure. But he also argues that if one of these agencies really wants to target YOU specifically, they will get to the information. By breaking into your house and installing cameras, if necessary.
[1] http://research.microsoft.com/en-us/people/mickens/thisworld...
>What they do if they find weaknesses is a different question.
Is it? It's obvious what they're going to do when they find those weaknesses. If they let people know of those weaknesses, they wouldn't be doing their job. Their job is to exploit those weaknesses, so they can spy on us and take away whatever we have left, in this case strong encryption.
Right now everyone's digital communications are being collected by those agencies, via fiber optic cable taps [1]. This could be called bulk surveillance. Different people & groups have access to these databases of communications. Some are government employees, some are contractors. Now, what if an activist or a Senator starts speaking out against bulk surveillance? Would those with access to the databases be tempted to run a few queries?
'SELECT * FROM `sms` WHERE `person_id`="$senator_id"'
Note: Most analysts would never run that query. But it just takes one.
[1] http://www.pbs.org/wgbh/pages/frontline/homefront/interviews...
No...their job is to exploit them, not expose.
Big difference.
This is why advocating for technical defenses alone is doomed to fail. It's great to employ as much technology as we can, but playing cat-and-mouse with our own government is a losing proposition. They are determined and have unlimited resources (read our money plus the printing press).
There needs to be much more pressing on the legal front, such that unwarranted breach of privacy is criminally punishable in very clear ways. If an individual is not the subject of an investigation, for which proper warrants have been obtained, then no records of any kind should be collected or maintained. Full-stop. And efforts to decrypt private communications, etc. should be considered criminal acts. All of this needs to be protected with very clear and robust whistle-blower laws.
Otherwise, thinking that we will deploy some tech to permanently stymie our government is fantasy. And over-focus on that aim tacitly cedes that our government is entitled to whatever it can crack.
Good enough privacy is no privacy.
Anyway, this is completely the wrong mindset. This is a legal problem which requires, not pretty good tech, but clear, strict laws, with whistle-blower protection. We have to stop ceding that this is legal or should be legal.
Otherwise, we've already lost.
I say "some" since Schneier has stated he now considers there to be at least 3 leakers... https://www.schneier.com/blog/archives/2014/08/the_us_intell...
The other two leakers got their information from somewhere, and it could have also included access at their own discretion.
Changing economics by deploying more PFS ciphersuites and shifting to technology which requires active attacks instead of passive ones can give real, practical improvements in privacy, even against state actors.
My comment was specifically with regard to the NSA, as is the topic of this article.
Certainly the NSA should be concerned with laws, and laws should be sufficient.
Their official line is that the data isn't being collected, correct?
Most people here don't have a lot of faith in our system of government these days, and even less faith in those that do the governing. But the truth is that American democracy has been around for hundreds of years, and it will take more than a SQL statement to bring it down. There are checks and balances, and highly motivated and intelligent people with a lot to lose on both sides of every issue. This too shall pass.
The bulk collection has been going on for at least a decade now.
> Politicians aren't known for being tech savvy, but they aren't known for being stupid either.
I've observed politicians get away with certain behaviors, to a point. For example, Eliot Spitzer, or Bill Clinton. Once they become a target, their trespasses aren't necessarily forgiven.
> This too shall pass.
The Snowden revelations are "The Jungle" of our time. We'll adapt to these issues. Still, our adaption won't be free, and a proactive attitude will benefit us.
That said, better encryption will raise the cost of the NSA's surveillance, which might eventually lead to policy reform (when budget hawks are forced to act). And it might mean their dragnets have to be more targeted, which could slow the expanding of the definition of "terrorist".
I think the most effective actions would be to make the public outraged over cracked encryption and surveillance. And even with all these leaks, that hasn't happened IMO (debatable I know). Outrage would happen if people understood how this has real-life effects. Storytelling is what's needed, not white-papers and tech blogs.
edit: wanted to add that Bruce Schneier gave an excellent talk on the topic of your question, https://www.youtube.com/watch?v=3v9t_IoOgyI
We are a bunch of disorganized folks with no budget and with no agreed goal on what is the best way to achieve this.
Also in defense you have to protect all the walls, in attack you just have to breach one.
I'm not saying we should do nothing, but that they will almost always be several steps ahead of us.
https://www.usenix.org/system/files/1309_14-17_mickens.pdf
I don't know how he gets paid to write these. Perhaps as class clown for the fine folks at Microsoft Research? In any case, very amusing.
To use his book as a metaphor implies that Snowden's leaks will do nothing to stop domestic dragnet surveillance and everything to seal the system against future whistleblower leaks.
I find that I must agree.
http://research.microsoft.com/en-us/people/mickens/
He just also has a sense of humor, and makes time to exercise it.
Seems your doubts are what helps the NSA.
I also don't get the idea of "some privacy". It seems to me along the lines of "somewhat pregnant". But, you (and many others) are advocating an approach that says, "let's untether our government from even the pretense of adherence to any laws, allow them to attack us with impunity, and simply do the best we can with what we have to fend them off".
If I were of the lying, obfuscating NSA-worker ilk, what you are advocating is exactly the response that would make me salivate.
I know that many people have this romanticized notion that we will do tech battle against our government and win, but we simply won't. If years of battling virus writers, rootkits, and zero days have taught us nothing, it should have taught us that a determined adversary will own us. Add to that unlimited resources and claimed legal authority to compel cooperation from tech/infrastructure providers.
You really want to unleash the lying, obfuscating NSA and trust that your open-source encryption and ciphers won't be cracked, that your full software and hardware stacks have not been compromised, and that the same is true for everyone with whom you communicate, etc., then patch things up and try again if and when you are made aware of a compromise? Sorry, friend. That's a losing proposition.