zlacker

23 comments
1. freedu+(OP) 2014-12-28 21:48:32
Earlier this year at GOTO Copenhagen I heard a good talk by Tim Bray:

http://gotocon.com/cph-2014/presentation/Privacy%20and%20Sec...

He argues that even though we cannot achieve complete security, there is great value in raising the bar. If we continuously make it increasingly harder for NSA, Mossad, GCHQ and the rest of them to spy on us, we can achieve good-enough privacy, where most communication will be secure. But he also argues that if one of these agencies really wants to target YOU specifically, they will get to the information. By breaking into your house and installing cameras, if necessary.

replies(3): >>userna+V4 >>ChrisA+d6 >>uncleb+Aa
2. userna+V4 2014-12-28 23:34:05
>>freedu+(OP)
It's Mickens's MOSSAD/not-MOSSAD question[1]. Any half-decent encryption will protect you from bulk collection and monitoring, but if you're targeted, you lose.

[1] http://research.microsoft.com/en-us/people/mickens/thisworld...

replies(5): >>peterk+2f >>merrua+Pr >>Interm+6s >>Jacque+cs >>throwa+St
3. ChrisA+d6 2014-12-29 00:12:51
>>freedu+(OP)
> If we continuously make it increasingly harder for NSA, Mossad, GCHQ and the rest of them to spy on us, we can achieve good enough privacy

Right now everyone's digital communications are being collected by those agencies, via fiber optic cable taps [1]. This could be called bulk surveillance. Different people & groups have access to these databases of communications. Some are government employees, some are contractors. Now, what if an activist or a Senator starts speaking out against bulk surveillance? Would those with access to the databases be tempted to run a few queries?

  'SELECT * FROM `sms` WHERE `person_id`="$senator_id"'
Note: Most analysts would never run that query. But it just takes one.

[1] http://www.pbs.org/wgbh/pages/frontline/homefront/interviews...

replies(2): >>cmyr+La >>karmac+mh
4. uncleb+Aa 2014-12-29 01:59:48
>>freedu+(OP)
> If we continuously make it increasingly harder for NSA, Mossad, GCHQ and the rest of them to spy on us, we can achieve good enough privacy

Good enough privacy is no privacy.

Anyway, this is completely the wrong mindset. This is a legal problem which requires, not pretty good tech, but clear, strict laws, with whistle-blower protection. We have to stop ceding that this is legal or should be legal.

Otherwise, we've already lost.

replies(1): >>derf_+zc
5. cmyr+La 2014-12-29 02:03:53
>>ChrisA+d6
Although I'm not familiar with the _actual_ operating procedures involved, one would hope/expect this not to be available to lone analysts at their own discretion.
replies(3): >>raintr+vb >>xnull2+ig >>ChrisA+Dg
6. raintr+vb 2014-12-29 02:31:08
>>cmyr+La
I thought the source of some of this data was Snowden's access at his own discretion, with his own keys and others' that he obtained?

I say "some" since Schneier has stated he now considers there to be at least 3 leakers... https://www.schneier.com/blog/archives/2014/08/the_us_intell...

The other two leakers got their information from somewhere, and it could have also included access at their own discretion.

7. derf_+zc 2014-12-29 02:59:35
>>uncleb+Aa
Why would laws be sufficient? There are plenty of people who would like to do the same things the NSA would like to do who are not concerned with laws. As Schneier says, "today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools."

Changing economics by deploying more PFS ciphersuites and shifting to technology which requires active attacks instead of passive ones can give real, practical improvements in privacy, even against state actors.

replies(1): >>uncleb+qg
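The economic argument in the comment above, that forward-secret (PFS) cipher suites force an adversary from passive recording into active interception, can be checked against a concrete TLS configuration. The following is an added example, not code from the thread or from any project it mentions. It uses only Python's standard-library `ssl` module: OpenSSL reports each negotiable suite's key-exchange algorithm, and a suite whose key exchange is ephemeral (EC)DH cannot be decrypted from a recorded capture even if the server's long-term key is later obtained, whereas a static-RSA suite can. The function names and the two cipher strings are mine and constructed for illustration.

```python
"""Forward-secrecy audit of an OpenSSL cipher string (added example)."""
import ssl

# OpenSSL key-exchange NID long names that give forward secrecy: ephemeral
# (EC)DH, their PSK variants, and "kx-any", which OpenSSL reports for TLS 1.3
# suites because TLS 1.3 only offers ephemeral key exchange.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def audit_cipher_string(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string and split the enabled suites into
    forward-secret suites and suites with a static (non-PFS) key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    report = {"forward_secret": [], "static_key_exchange": []}
    for suite in ctx.get_ciphers():  # dicts with "name", "protocol", "kea", ...
        key = "forward_secret" if suite["kea"] in FORWARD_SECRET_KEA else "static_key_exchange"
        report[key].append(suite["name"])
    return report


def exposed_to_passive_capture(cipher_string: str) -> bool:
    """True if at least one enabled suite lacks forward secrecy, i.e. a purely
    passive tap plus a later key compromise would recover the traffic."""
    return bool(audit_cipher_string(cipher_string)["static_key_exchange"])


def strip_static_suites(cipher_string: str) -> str:
    """Return a cipher string that keeps only the forward-secret TLS 1.2 suites
    of the input.  TLS 1.3 suites are left out because OpenSSL configures them
    separately (they are always forward secret anyway)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    keep = [
        s["name"]
        for s in ctx.get_ciphers()
        if s["kea"] in FORWARD_SECRET_KEA and s["protocol"] != "TLSv1.3"
    ]
    return ":".join(keep)


if __name__ == "__main__":
    # Constructed configurations: the first mixes in a static-RSA suite that a
    # passive recorder could later decrypt; the second keeps only PFS suites.
    mixed = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
    print("mixed:", audit_cipher_string(mixed))
    print("passive exposure:", exposed_to_passive_capture(mixed))
    hardened = strip_static_suites(mixed)
    print("hardened:", hardened)
    print("passive exposure after hardening:", exposed_to_passive_capture(hardened))
```

Run the file directly to see the split for the constructed strings. The audit only says whether a capture-now, decrypt-later attack is possible; with PFS in place, an adversary who still wants the plaintext has to mount an active attack (a man-in-the-middle or an endpoint compromise), which is exactly the shift in cost the comment describes.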
8. peterk+2f 2014-12-29 04:23:50
>>userna+V4
That has to be the best paper I've ever read
replies(1): >>STRML+Pl
9. xnull2+ig 2014-12-29 05:06:52
>>cmyr+La
One can hope. When Binney blew the whistle on the NSA he specifically said that he saw a request for Senator Obama's communications during his time there, as well as other elected officials.
replies(1): >>ChrisA+Ag
10. uncleb+qg 2014-12-29 05:10:47
>>derf_+zc
> There are plenty of people who would like to do the same things the NSA would like to do

My comment was specifically with regard to the NSA, as is the topic of this article.

Certainly the NSA should be concerned with laws, and laws should be sufficient.

replies(1): >>olifan+w61
11. ChrisA+Ag 2014-12-29 05:16:54
>>xnull2+ig
Was that Binney or Tice?
replies(1): >>xnull2+Fg
12. ChrisA+Dg 2014-12-29 05:18:18
>>cmyr+La
> Although I'm not familiar with the _actual_ operating procedures involved

Their official line is that the data isn't being collected, correct?

13. xnull2+Fg 2014-12-29 05:18:31
>>ChrisA+Ag
It was Tice. My mistake. Thank you for the check.
14. karmac+mh 2014-12-29 05:44:36
>>ChrisA+d6
FWIW, if I were a senator who was considering taking on the intelligence community I would probably think it through and have my house in order first. Politicians aren't known for being tech savvy, but they aren't known for being stupid either. People took on McCarthy, Hoover and Nixon and they survived.

Most people here don't have a lot of faith in our system of government these days and even less faith in those that do the governing. But the truth is that American democracy has been around for hundreds of years and it will take more than a SQL statement to bring it down. There are checks and balances and highly motivated and intelligent people with a lot to lose on both sides of every issue. This too shall pass.

replies(1): >>ChrisA+gj
15. ChrisA+gj 2014-12-29 06:57:35
>>karmac+mh
> I would probably think it through and have my house in order first

The bulk collection has been going on for at least a decade now.

> Politicians aren't known for being tech savvy, but they aren't known for being stupid either.

I've observed politicians get away with certain behaviors, to a point. For example, Eliot Spitzer, or Bill Clinton. Once they become a target, their trespasses aren't necessarily forgiven.

> This too shall pass.

The Snowden revelations are "The Jungle" of our time. We'll adapt to these issues. Still, our adaptation won't be free, and a proactive attitude will benefit us.

replies(1): >>logfro+rV
16. STRML+Pl 2014-12-29 08:40:02
>>peterk+2f
I thought you were joking, but I had to click anyway. You're right, this paper is fantastic. I thought Mickens stopped writing; I'm so glad he didn't.
17. merrua+Pr 2014-12-29 11:13:13
>>userna+V4
That was fun. I'm going to read all the rest of his stuff now. That's dangerous linking, username223.
18. Interm+6s 2014-12-29 11:20:51
>>userna+V4
Wow, I think Mickens may oversimplify a few points for comedic effect, but that is a wonderful read!
19. Jacque+cs 2014-12-29 11:23:07
>>userna+V4
Amazing
20. throwa+St 2014-12-29 12:14:03
>>userna+V4
Here's another I read some time ago:

https://www.usenix.org/system/files/1309_14-17_mickens.pdf

I don't know how he gets paid to write these. Perhaps as class clown for the fine folks at Microsoft Research? In any case, very amusing.

replies(1): >>userna+Fa1
21. logfro+rV 2014-12-29 18:54:43
>>ChrisA+gj
Remember that Sinclair aimed for the heart and hit the stomach. His goal was reform of industrialized labor conditions, but he got food purity and safety laws.

To use his book as a metaphor implies that Snowden's leaks will do nothing to stop domestic dragnet surveillance and everything to seal the system against future whistleblower leaks.

I find that I must agree.

22. olifan+w61 2014-12-29 21:19:25
>>uncleb+qg
No laws are going to change the behaviour of the NSA or any other foreign agency with similar capabilities. Once they have it, they will lie, obfuscate and stall to make sure they never lose it. It's time to stop being angry at the NSA and realize that only open-source end-to-end encryption will help us regain some of the privacy that we lost. The web has to become secure by default.
replies(1): >>uncleb+3j1
23. userna+Fa1 2014-12-29 22:15:19
>>throwa+St
He does real systems research:

http://research.microsoft.com/en-us/people/mickens/

He just also has a sense of humor, and makes time to exercise it.

24. uncleb+3j1 2014-12-30 00:23:50
>>olifan+w61
I sincerely don't understand this notion of capitulation to the whims of a rogue government in what is supposed to be a nation of laws. Currently, we don't even have a set of clear laws on the books that outlaw the behavior. This is what enables the current stalling and obfuscation. I am not saying we should simply trust them. Their actions have to be made clearly illegal, with full oversight and robust whistleblower protection. We must start with the law.

I also don't get the idea of "some privacy". It seems to me along the lines of "somewhat pregnant". But, you (and many others) are advocating an approach that says, "let's untether our government from even the pretense of adherence to any laws, allow them to attack us with impunity, and simply do the best we can with what we have to fend them off".

If I were of the lying, obfuscating NSA-worker ilk, what you are advocating is exactly the response that would make me salivate.

I know that many people have this romanticized notion that we will do tech battle against our government and win, but we simply won't. If years of battling virus writers, rootkits, and zero days have taught us nothing, it should have taught us that a determined adversary will own us. Add to that unlimited resources and claimed legal authority to compel cooperation from tech/infrastructure providers.

You really want to unleash the lying, obfuscating NSA and trust that your open-source encryption and ciphers won't be cracked, that your full software and hardware stacks have not been compromised, and that the same is true for everyone with whom you communicate, etc., then patch things up and try again if and when you are made aware of a compromise? Sorry, friend. That's a losing proposition.
