|
SubG posted:If you want to make an actual argument, make it. But don't pretend a vague paraphrase of an appeal to authority is an argument.

quote:The distinction between `bulk' and `targeted' is, as I've already argued in some detail, nonsense. What encryption will buy you is protection from disclosure of the cleartext of the communication during an intercept of the communication in transit. That's it. Preventing this is nice, and it protects you from a lot of kinds of threats. Having your privacy violated by NSA surveillance is not one of them. There is value to them in reading data off the wire, encryption takes that away from them.

quote:Gmail and Yahoo mail account for about 20% of all email in the world. Assuming source and destination addresses are independent and normally distributed (this is probably not true, but will actually lead us to underestimate the reach) that means somewhat more than a third of all email passes through a service that can be compelled to supply data to LEAs. The same argument applies here though, XKEYSCORE indexes email contents, attachments, etc... They are doing this for a reason, PGP means they can't do this passively. Even what you're saying about compelling service providers to hand over data is not a passive attack. Active attacks are always harder than passive attacks and we should remove the capability to make passive attacks.

quote:The same is true for social media, messaging, photo sharing, and so on.

quote:Leave all that aside. What do the Anthem, Sony, Target, Home Depot, and so on hacks tell us? They tell us that tens of millions of people's privacy can be violated in a single incident independent of whether or not the end users were exercising proper security. Why? Because the bad guys don't have to compromise the individual users' communications in bulk. They can wait for the service providers to aggregate the data and then compromise that.
When it comes to personal data on commercial sites, here's another thing you can do in song form: https://www.youtube.com/watch?v=7eIUOUfhoJ8 Again, this does not solve all problems all the time. But it closes off a few holes. And that is the problem, the entire system is made of holes, everyone in the security industry knows this. Plaintext comms is just one of those holes and it can be plugged. It is a long hard slog to regaining any real privacy, but there are things that can be done right now that go in the right direction. If you want to talk legal solutions feel free, but they're not going to work. Ever notice how anyone in high political office is always really friendly to the security services? Odd that.
|
# ? Feb 25, 2015 18:27 |
|
sectoidman posted:I'd like to point out that a properly-implemented one-time pad is mathematically unbreakable without the key, even with infinite time. A one-time pad isn't encryption any more than giving your friend a USB drive is. It's a substitution cypher, and it's useless for two-way communication and completely academic in any discussion about securing two-way communications.
|
# ? Feb 25, 2015 18:48 |
|
Powercrazy posted:A one-time pad isn't encryption any more than giving your friend a USB drive is. It's a substitution cypher, and it's useless for two-way communication and completely academic in any discussion about securing two-way communications. It's plenty useful for two-way communication. It does require some form of secure communication to transfer the pad (that can be as inconvenient as an in-person meeting) and has a finite limit on how much data can be communicated per pad. But it's also unbreakable from just the ciphertext.
|
# ? Feb 25, 2015 21:09 |
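The three properties named in the post above (a pre-shared pad, a finite amount of data per pad, and nothing recoverable from the ciphertext alone) worked through as an added example; this is not code from any poster in the thread. The `PadBook` class, the choice to split one pad into a half per direction for two-way use, and the sample messages are assumptions made for illustration.

```python
import secrets
from typing import Tuple


class PadExhausted(Exception):
    """The message needs more pad bytes than are left for this direction."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # A one-time pad needs exactly one fresh key byte per message byte.
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """One party's bookkeeping for a pad shared in advance over a secure channel.

    Assumption for this example: the pad is split in half, one half per
    direction, so the two parties can never draw the same key bytes.
    """

    def __init__(self, pad: bytes, role: str):
        if role not in ("initiator", "responder"):
            raise ValueError("role must be 'initiator' or 'responder'")
        half = len(pad) // 2
        first, second = pad[:half], pad[half:2 * half]
        if role == "initiator":
            self.send_pad, self.recv_pad = first, second
        else:
            self.send_pad, self.recv_pad = second, first
        self.send_offset = 0  # next unused byte of our sending half
        self.recv_offset = 0  # next unused byte of the peer's sending half

    def remaining(self) -> int:
        """Bytes we can still send before a new pad must be exchanged."""
        return len(self.send_pad) - self.send_offset

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        if len(plaintext) > self.remaining():
            raise PadExhausted("not enough pad left; exchange a new pad")
        start = self.send_offset
        self.send_offset += len(plaintext)  # consumed bytes are never used again
        return start, xor_bytes(plaintext, self.send_pad[start:self.send_offset])

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        if offset < self.recv_offset:
            raise ValueError("pad bytes at this offset were already consumed")
        end = offset + len(ciphertext)
        if end > len(self.recv_pad):
            raise PadExhausted("message runs past the end of the pad")
        self.recv_offset = end
        return xor_bytes(ciphertext, self.recv_pad[offset:end])


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`.

    Such a pad exists for every candidate of the same length, which is why
    the ciphertext alone says nothing about which plaintext was sent.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """What an observer learns if two messages share pad bytes: the key
    cancels out and the XOR of the two plaintexts is exposed."""
    return xor_bytes(ciphertext_a, ciphertext_b)


if __name__ == "__main__":
    pad = secrets.token_bytes(32)  # constructed sample pad: 16 bytes per direction
    alice, bob = PadBook(pad, "initiator"), PadBook(pad, "responder")

    offset, ct = alice.encrypt(b"meet at noon")
    print("bob reads:", bob.decrypt(offset, ct))

    offset, reply = bob.encrypt(b"ok")
    print("alice reads:", alice.decrypt(offset, reply))
    print("alice can still send", alice.remaining(), "bytes")

    # The same ciphertext is equally consistent with a different message.
    other_pad = key_explaining(ct, b"meet at dawn")
    print("under another pad:", xor_bytes(ct, other_pad))
```
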
|
Zombywuf posted:No-one cares about data in transit? So why is GCHQ sitting on every piece of fibre leaving the UK? Why did they lobby for a law allowing them to do exactly that and why did that law get passed? Passive surveillance is used, it is a mainstay of SIGINT. If you encrypt your poo poo there is no passive surveillance even if they have all the SSL keys. They are reading the data in transit and they are doing it because it is useful to them. They are looking at that data and looking at that data is when your privacy is most likely to be breached because it is indiscriminate. Your privacy is breached when they are not looking for you but your family album appears in their search results. The problem is that when your data reaches its destination, it gets de-encrypted! The NSA wasn't carrying out bulk collection of Gmail messages by reading the SSL-encrypted messages off the wire between you and Google. They waited until the email reached Google's services, was reverted to plaintext, and then transmitted between Google's data centers in plaintext as well as being dispatched off to the recipient's email provider in plaintext. Not only did it provide them an unencrypted version of your message for immediate collection, but they had to do far less sorting because they could tap Google's lines directly. Bulk data collection is not done at the individual user level - it's mostly done by targeting services, which are often vulnerable no matter what the user does. The NSA still skims large amounts of data traffic anyway, but not really for their current bulk data collection programs; their ultimate goal is to have a giant supercomputer with such highly-refined big data algorithms that they can shove the entire internet in one end and get a list of probable terrorists out of the other end.
|
# ? Feb 25, 2015 21:10 |
|
Main Paineframe posted:The problem is that when your data reaches its destination, it gets de-encrypted! The NSA wasn't carrying out bulk collection of Gmail messages by reading the SSL-encrypted messages off the wire between you and Google. They waited until the email reached Google's services, was reverted to plaintext, and then transmitted between Google's data centers in plaintext as well as being dispatched off to the recipient's email provider in plaintext. Not only did it provide them an unencrypted version of your message for immediate collection, but they had to do far less sorting because they could tap Google's lines directly. Bulk data collection is not done at the individual user level - it's mostly done by targeting services, which are often vulnerable no matter what the user does. The NSA still skims large amounts of data traffic anyway, but not really for their current bulk data collection programs; their ultimate goal is to have a giant supercomputer with such highly-refined big data algorithms that they can shove the entire internet in one end and get a list of probable terrorists out of the other end. This is exactly saying "don't bother locking your doors, a criminal will just break the window and jump into your house." We all understand that there are a variety of ways that information leaks out of your control. Everyone here understands that. The existence of other security vulnerabilities that affect the internet doesn't have anything to do with the desirability of universal encryption. Nobody has the goal of perfect security because that is impossible by definition.
|
# ? Feb 25, 2015 21:33 |
|
Main Paineframe posted:The problem is that when your data reaches its destination, it gets de-encrypted! The NSA wasn't carrying out bulk collection of Gmail messages by reading the SSL-encrypted messages off the wire between you and Google. They waited until the email reached Google's services, was reverted to plaintext, and then transmitted between Google's data centers in plaintext as well as being dispatched off to the recipient's email provider in plaintext. Not only did it provide them an unencrypted version of your message for immediate collection, but they had to do far less sorting because they could tap Google's lines directly. Bulk data collection is not done at the individual user level - it's mostly done by targeting services, which are often vulnerable no matter what the user does. The NSA still skims large amounts of data traffic anyway, but not really for their current bulk data collection programs; their ultimate goal is to have a giant supercomputer with such highly-refined big data algorithms that they can shove the entire internet in one end and get a list of probable terrorists out of the other end. Companies are moving to encrypt data at rest and encrypt communication between internal servers. These companies still hold the keys, which are vulnerable (see Gemalto), and they can still be legally compelled to provide information to groups like the NSA. It does make sucking up everything straight off the wire less valuable though, which is progress.
|
# ? Feb 25, 2015 21:35 |
|
Encryption probably works for the time being in stopping mass surveillance, but there is something also to be said for being annoyed with smug compsci dorks saying "just encrypt everything" to the point of advocating that people use one-time pads, like that is practical, likely to be generally effective, or just. Also reminder that it doesn't make any difference if Google or any other US-based company has end to end encryption if they also have the keys to that encryption, since under US law they can be compelled to give all the keys to the government and be prohibited from talking about it if some kangaroo court functionary rubberstamps it.
|
# ? Feb 25, 2015 22:26 |
|
Tezzor posted:Encryption probably works for the time being in stopping mass surveillance, but there is something also to be said for being annoyed with smug compsci dorks saying "just encrypt everything" to the point of advocating that people use one-time pads, like that is practical, likely to be generally effective, or just. Two points here; first, needing a rubber stamped warrant is worlds better than just sucking up clear text off the line without needing a paper trail. Second, corporations enjoy enormous political power and we've seen multiple high profile companies clamping down on bulk collection. For example, Apple's recent encryption changes which prevent them from retrieving certain content or Google encrypting between their datacenters. Strangely in this situation I think that consumers have more political power through pressuring corporations than citizens do by pressuring politicians.
|
# ? Feb 25, 2015 22:36 |
|
Salt Fish posted:This is exactly saying "don't bother locking your doors, a criminal will just break the window and jump into your house." We all understand that there are a variety of ways that information leaks out of your control. Everyone here understands that. The existence of other security vulnerabilities that affect the internet doesn't have anything to do with the desirability of universal encryption. Nobody has the goal of perfect security because that is impossible by definition. "Locking your doors" is actually an apt analogy because it is pointless for solving the problem of being robbed.
|
# ? Feb 25, 2015 22:43 |
|
Salt Fish posted:Two points here; first, needing a rubber stamped warrant is worlds better than just sucking up clear text off the line without needing a paper trail. Second, corporations enjoy enormous political power and we've seen multiple high profile companies clamping down on bulk collection. For example, Apple's recent encryption changes which prevent them from retrieving certain content or Google encrypting between their datacenters. Strangely in this situation I think that consumers have more political power through pressuring corporations than citizens do by pressuring politicians. No kidding. I really don't get the poo-pooing of encryption. Sure, they've got the resources to overcome it on the front and back end, but the more hurdles you throw up, the harder that is. New communication methods/companies/programs pop up all the time, if more and more engage in an evolving system of encrypted communications and any other methods at their disposal, we win. For all the resources, tools, and minds at their disposal, they're insignificant if an ever increasing number of people are using systems that defy basic data-collection. We can look at what's available regarding the Gemalto SIM key story occurring right now as a test case. They had to look into individuals, dig into all they could to determine how/where they could break in..there's an awful lot of people in the world. Place an ever increasing value on encryption and data-security across it all, it will make it functionally impossible for systems like this to operate quietly and secretly. Maybe they can even be forced down into actual targeted interceptions and operations, wherein they're going after what they should be instead of trawling the world for anything they can. Seems the best effort is hitting the budget instead of legislatively, sadly. 
I love rose-colored glasses sometimes. I'm sure there's a few people, somewhere, who've had a great big laugh at the tendency of the younger generation to text as opposed to talk on the phone.
|
# ? Feb 25, 2015 23:08 |
|
Powercrazy posted:"Locking your doors" is actually an apt analogy because it is pointless for solving the problem of being robbed. That isn't accurate. Locking your doors will not stop a robber determined to break into a specific house but burglars prefer easy targets if they are targeting an area instead of an individual.
|
# ? Feb 25, 2015 23:58 |
|
Salt Fish posted:You're making GBS threads on people who want to make the Internet more secure and your entire argument boils down to encryption not being a panacea that perfectly solves every security and privacy issue related to the internet. If your goal isn't to troll/derail, what exactly is your goal? What solutions are you proposing? None as far as I can tell. We're in a thread talking about NSA surveillance. Someone proposes something (encryption) as a `solution' to the problem(s). It makes sense to look at any proposed solution and ask how it applies to common concerns: will it protect the privacy of my search habits? Will it protect the privacy of my browsing habits? Will it protect the privacy of my email? Will it protect the privacy of things I share with friends on social media? Will it protect the privacy of my instant messaging conversations? These are not weird corner-case issues I'm making up just to win rhetorical points. They're the basic poo poo that most people care about in the real world. Are you trying to argue that those issues aren't relevant to privacy? That they aren't relevant to NSA surveillance? That encryption makes them go away? And beyond that, I've talked about what I think solutions look like as recently as the last page---Church Committee, Supreme Court decision, Constitutional Amendment, industry regulation, and so on. And you've argued at some length with me about those things in this very thread before. I can link you to the posts if you're still having trouble remembering.

snorch posted:Why is it so far-fetched? I mean you could just say gently caress those guys. Just worry about the 50% solution---the thing that works for the roughly half of the world that keeps reasonably current with this kind of poo poo. But then you're looking at a demographic divide between the install base for 8.1 or the latest OS X and all of those old XP installs.
And if your `solution' to NSA surveillance is something that only works for the folks running the latest and greatest then you're effectively making privacy a privilege of the comparatively affluent and educated.

Zombywuf posted:You made the appeal to Snowden.

Zombywuf posted:No-one cares about data in transit? You seem to be arguing strenuously against positions I haven't taken. And you seem to be presuming that I'm strenuously arguing against points you're making to which I have no objection. Once again: I'm not saying encryption is bad. Encryption is good. I'm not saying you shouldn't use encryption. You should use encryption. I'm not saying encryption doesn't solve any problems. Encryption solves lots of problems. What I'm saying is that if what we're worried about is the loss of individual privacy due to NSA surveillance then encryption is not a solution. For reasons I've gone over many times, as recently as this very post.

Zombywuf posted:No-one is saying that encryption solves all this poo poo.
|
# ? Feb 26, 2015 00:39 |
|
SubG posted:Changing how literally all communications in the world work is a big project. I could write out a long argument about all the logistical problems, interoperability issues, and all that kind of poo poo. But instead just consider this: the second most common desktop operating system in the world is Windows XP. At somewhere around one in five. That's the real world. You seem invested in the subject, and intelligent. But you also seem to approach it all from a defeatist outlook. You really seem to have at least a decent grasp of the situation, but whether it's pessimism or defeatism, an awful lot of what you post just lends toward a sense of discouragement. I think that just causes a lot of combativeness from others that really just ends up with people posting in circles. Windows and Google and their associated applications comprise an enormous section of computing and interaction with the internet, okay. 25 years ago what was Microsoft? 15 years ago what was Google? 50 years ago no one even imagined either of them. They're a behemoth in the world, to be sure, but it's also a world where a couple years or 5 or 10 could potentially have an unimaginably different landscape. Long story short, do write out a long argument about logistical problems, interoperability issues, and all the various and related shits. I'd read it.
|
# ? Feb 26, 2015 01:16 |
|
hobotrashcanfires posted:
Here's an illustrative example: IPv6. It was clear long ago that IPv4 had a big issue - namely, the limited address space. The IETF realized this was a problem and designed a new protocol that addressed it by 1998. We're only now reaching the point where it's pretty universally understood, and still a long way from having it be the standard one to use. It just takes that long to redesign all the software, hardware, and to distribute it all. Without a doubt, IP is a pretty central protocol to the internet, but it won't be any simpler to incorporate encryption. So we could guesstimate that, even if we had the protocols designed, it might be another 20 years before they're in use. Beyond that, encryption has all the additional problems of picking an algorithm, managing things like key distribution and trust, lots of additional overhead and processing requirements, etc. Designing widespread protocols to use encryption is a very very big challenge.
|
# ? Feb 26, 2015 02:09 |
|
A Man With A Plan posted:Here's an illustrative example: IPv6. It was clear long ago that IPv4 had a big issue - namely, the limited address space. The IETF realized this was a problem and designed a new protocol that addressed it by 1998. We're only now reaching the point where it's pretty universally understood, and still a long way from having it be the standard one to use. It just takes that long to redesign all the software, hardware, and to distribute it all. Without a doubt, IP is a pretty central protocol to the internet, but it won't be any simpler to incorporate encryption. So we could guesstimate that, even if we had the protocols designed, it might be another 20 years before they're in use. In the case of IPv6 a variety of solutions were developed which all worked in tandem to eliminate the problem of address space use. Take for example CIDR or SNI. IPv6 was never "the one solution" to that problem which is the reason it took (is taking) so long to adopt. I don't think that IPv6 can really serve as an example of how long things take to change due to this.
|
# ? Feb 26, 2015 02:41 |
|
Salt Fish posted:In the case of IPv6 a variety of solutions were developed which all worked in tandem to eliminate the problem of address space use. Take for example CIDR or SNI. IPv6 was never "the one solution" to that problem which is the reason it took (is taking) so long to adopt. I don't think that IPv6 can really serve as an example of how long things take to change due to this. Right CIDR and especially NAT reduced the need for more globally reachable addresses. In the same way, TLS and IPSec have reduced the need for built-in encryption by patching on solutions. I'm just saying that if people want stronger/ more guaranteed encryption for their communications, then we're going to need new protocols for it. And it takes a while for that to happen. I mean, it was only in the last few years that Google and Facebook moved to mandatory TLS.
|
# ? Feb 26, 2015 03:25 |
|
Tezzor posted:That isn't accurate. Locking your doors will not stop a robber determined to break into a specific house but burglars prefer easy targets if they are targeting an area instead of an individual. Sorry I meant it's pointless for solving the Social problem of robbery and the cause of it.
|
# ? Feb 26, 2015 03:36 |
|
A Man With A Plan posted:Here's an illustrative example: IPv6. It was clear long ago that IPv4 had a big issue - namely, the limited address space. The IETF realized this was a problem and designed a new protocol that addressed it by 1998. We're only now reaching the point where it's pretty universally understood, and still a long way from having it be the standard one to use.

hobotrashcanfires posted:Windows and Google and their associated applications comprise an enormous section of computing and interaction with the internet, okay. 25 years ago what was Microsoft? 15 years ago what was Google? 50 years ago no one even imagined either of them.

Salt Fish posted:In the case of IPv6 a variety of solutions were developed which all worked in tandem to eliminate the problem of address space use. Take for example CIDR or SNI. IPv6 was never "the one solution" to that problem which is the reason it took (is taking) so long to adopt. I don't think that IPv6 can really serve as an example of how long things take to change due to this.
|
# ? Feb 26, 2015 03:48 |
|
SubG posted:Is the implication here that encryption is `the one solution' to NSA surveillance? I'm just trying to unsplit the syllogism here. There's no implication, I just plainly wrote what I think about adoption time ipv6 as a metric to judge the overall adaptation of new technologies on the internet. TLS is already well implemented and small steps like Google giving rank preference to SSL enabled sites and the upcoming letsencrypt.org free CA are great examples of how we can make encryption spread faster than ipv6. Salt Fish fucked around with this message at 04:32 on Feb 26, 2015 |
# ? Feb 26, 2015 04:29 |
|
Tezzor posted:That isn't accurate. Locking your doors will not stop a robber determined to break into a specific house but burglars prefer easy targets if they are targeting an area instead of an individual. When everyone's house is locked, being locked no longer makes you a harder target.
|
# ? Feb 26, 2015 04:37 |
|
SubG posted:I'm not sure what you're trying to argue here. In 25 or 50 years everything will be different. Sure. But a) I care about what happens between then and now and so waiting for technology to magically solve everything in a generation or two doesn't seem like an attractive option, and b) it is precisely because we can't imagine what things will be like in 25 to 50 years that we can't rely on what happens then to magically solve our problems. That discussion of the issue (which has begun a bit already thankfully, and I'm very interested in viewing and learning about, I'm certainly no expert) matters more than the vague arguments that have been occurring in this thread lately. Yeah, particulars of this overarching issue are highly technical and specialized, but hell, if you and others are capable, do so. Discuss the IPv4 to IPv6 conversion and related issues. I was never arguing for any magical solution, that's silly. Technology is evolving just about as rapidly now as it was 25 years ago, or 15 years ago. There is a problem now, solutions exist. Maybe people are hesitant to get too technical lest their posts become inaccessible to people reading..but it's a highly complicated issue, this is D&D, I say go all out if you have some expertise. I'm just a novice, so weighing in on the technical specifics is beyond me, but I'd rather see a technical discussion where I have to do research to understand, than the intermittent slapfight over encryption or other generalities. You know, so long as no one's in here arguing that total and complete surveillance is awesome because America is the best.
|
# ? Feb 26, 2015 04:45 |
|
Salt Fish posted:There's no implication, I just plainly wrote what I think about adoption time ipv6 as a metric to judge the overall adaptation of new technologies on the internet. TLS is already well implemented and small steps like Google giving rank preference to SSL enabled sites and the upcoming letsencrypt.org free CA are great examples of how we can make encryption spread faster than ipv6. I mean if you want to use it as an illustrative example of internet-wide adoption of a security technology.
|
# ? Feb 26, 2015 05:02 |
|
SubG posted:SSL/TLS is about 20 years old and the market penetration in the Alexa top 1,000,000 is about (but under) 50% (presumably global adoption is lower for sites not in the top million). According to surveys of SSL/TLS implementations around 84% of sites have one or more serious issues, about 20% support cipher suites known to be weak or insecure, around 80% are vulnerable to a common information disclosure attack, and so on. Wow! It's almost like we have a lot of work to do in improving adaptation and use! The exact thing I've been harping on for like a hundred posts.
|
# ? Feb 26, 2015 05:19 |
|
Salt Fish posted:Wow! It's almost like we have a lot of work to do in improving adaptation and use! The exact thing I've been harping on for like a hundred posts. In 20 years the adoption hasn't reached 50%. Of the less than half of all sites using it, about 80% gently caress it up in some way. It is the absolute lowest of the lowest-hanging fruit: enabling SSL on a web server is as close to turnkey as anything in encryption, and there's literally no cost on the client side because everybody's web browser already supports it. End users don't have to do anything at all for it to work on the server end. It's some of the most well-explored and best-documented crypto technology ever made. And the number of sites using it and getting it right is still south of 10% of all sites. And an example of a site that does let you use SSL/TLS by default is google. Who discloses search data, browsing data, email content, and so on to the NSA. If this is your illustrative example, I don't think it illustrates what you seem to think it illustrates.
|
# ? Feb 26, 2015 06:34 |
|
SubG posted:Snorch says the solution to NSA surveillance is easy...just encrypt everything everywhere.

I don't see where snorch said it's easy:

snorch posted:Yeah I forgot to mention that for this to work, it has to be "everyone encrypts everything all the time". This still leaves the metadata problem, which can only really be overcome by using something like onion routing, which is slow and impractical for most purposes. And you're right in that it's not a universal solution to the root of the problem. I think Snowden categorized the purpose of this approach nicely in one of his responses in the reddit AMA.

SubG posted:Which is to say it doesn't work. It's a wild science fiction fantasy. It's like avoiding NSA surveillance by setting up a colony on Mars. It's barely within the realm of theoretical possibility, but it's so far beyond practical reality as to be meaningless as a real-world plan of action except in the distant and indistinct future.

snorch posted:Why is it so far-fetched? The tech to make it happen is already there, and there is currently a big push to package it up in a way that "just works" in ways where the user doesn't have to worry about it. Putting keys in the hands of the users by way of behind-the-scenes automation instead of entrusting them to centralized authorities (SSL CAs, Gemalto, Microsoft, etc.) would already make a huge difference and render a huge patch of NSA tools (particularly the bulk collection elements) near-useless.

It's more like "snorch says a solution exists, SubG says it's practically impossible".
|
# ? Feb 26, 2015 07:35 |
|
I'm not sure why SubG's argument is so controversial. We have two "options" -
1) Literally re-engineer every single Internet protocol to be secure
2) Rein the NSA in

If you think the second option is difficult, the first is loving impossible. Even if you succeeded, the second someone makes a boo-boo (e.g., Lenovo and Superfish) you're hosed.
|
# ? Feb 26, 2015 08:17 |
|
hobotrashcanfires posted:That discussion of the issue (which has begun a bit already thankfully, and I'm very interested in viewing and learning about, I'm certainly no expert) matters more than the vague arguments that have been occurring in this thread lately. Yeah, particulars of this overarching issue are highly technical and specialized, but hell, if you and others are capable, do so. Discuss the IPv4 to IPv6 conversion and related issues. I was never arguing for any magical solution, that's silly. Technology is evolving just about as rapidly now as it was 25 years ago, or 15 years ago. There is a problem now, solutions exist. Maybe people are hesitant to get too technical lest their posts become inaccessible to people reading..but it's a highly complicated issue, this is D&D, I say go all out if you have some expertise. If it makes you feel better, I don't think a single person I know would espouse that last viewpoint. But regardless, I think this discussion necessarily has to stay at a high level. It's entirely too easy to get bogged down in technical specifics that, in the end, don't really matter. We're kind of at a point where we're defining what people want in regards to their technology, and I think we'll end up with two things:

1) Your average user doesn't give a poo poo about privacy. I'd be willing to bet that if you offered people the choice of Facebook instantly loading, lag-free, and the ability to use it without a government agency being able to snoop, people would choose the former by a large margin. Usability has always been the main driver in Internet development, from base protocols to the Internet of Things. Security and privacy take a back seat, which means companies have very little incentive to guarantee them.

2) Technological solutions aren't going to work. It wasn't all that long ago that DES was considered secure. Now, it's trivially breakable. It's irresponsible to assume that current tech will be much more secure, especially when looking at a time span of 15 years or more. And more and more attacks will be possible. Right now, an average person has a router, a phone, and a laptop. In the future, will you be able to trust that your web-accessible washing machine was coded in a secure manner? I doubt it. If you want privacy from your government, it's going to have to be a policy solution, as weak as that may be. Basically, in true D&D fashion, I think the solution is getting politically involved and pushing towards what you want. Even though I don't think you'll be stomped on by jack-boots on the basis of your forum posts any time soon. Also excuse typos, it's very late and I'm phone posting.
|
# ? Feb 26, 2015 09:46 |
|
shrike82 posted:I'm not sure why SubG's argument is so controversial. There is nothing specific about the NSA when discussing these exploits. The NSA is simply illustrating the nature of the Internet for us by abusing its open nature. You cannot rein in the various state actors and unaffiliated criminals through some kind of political power we wield in the United States. If subg wants to feel hopeless about something surely it would be the political side of the issue rather than the technological.
|
# ? Feb 26, 2015 10:40 |
|
Main Paineframe posted:The problem is that when your data reaches its destination, it gets de-encrypted! The NSA wasn't carrying out bulk collection of Gmail messages by reading the SSL-encrypted messages off the wire between you and Google. shrike82 posted:We have two "options" - SubG posted:No. I've referenced the documents leaked by Snowden, which are apparently from the NSA. But I've never cited Snowden himself as an authority or primary source. Feel free to quote me if you disagree. quote:What I'm saying is that if what we're worried about is the loss of individual privacy due to NSA surveillance then encryption is not a solution. For reasons I've gone over many times, as recently as this very post.
|
# ? Feb 26, 2015 13:56 |
|
Zombywuf posted:
A primary source, but worse of one than even me. Remember, he was only there for about a year, working as an email/sharepoint IT manager. Reference the documents, not him.
|
# ? Feb 26, 2015 16:48 |
|
A Man With A Plan posted:A primary source, but worse of one than even me. Remember, he was only there for about a year, working as an email/sharepoint IT manager. Reference the documents, not him. That's not what he claimed. And if an email/sharepoint IT manager can walk out with all those documents then I wouldn't trust the NSA to decrypt ROT13.
|
# ? Feb 26, 2015 19:47 |
|
A Man With A Plan posted:A primary source, but worse of one than even me. Remember, he was only there for about a year, working as an email/sharepoint IT manager. Reference the documents, not him. Wasn't this the NSA's deflection? He claimed to be an analyst as well as doing system administration. Edit: To be clear, he was there for 3 years, working as an analyst (hacker). GutBomb fucked around with this message at 20:45 on Feb 26, 2015 |
# ? Feb 26, 2015 20:35 |
|
GutBomb posted:Wasn't this the NSA's deflection? He claimed to be an analyst as well as doing system administration. My bad, I misread the article I was using for the timeline. He had spent a year in Hawaii. Before that Dell switched him between various locations, some CIA, some NSA http://www.nbcnews.com/feature/edward-snowden-interview/edward-snowden-timeline-n114871 I can assure you "analyst" doesn't mean hacker though. You can go look at the NSA careers website, there are plenty of open spots for Computer Network Operations/Exploitation. Those are the hackers. Analysts look at intelligence info and turn it into reports.
|
# ? Feb 26, 2015 21:34 |
|
Yes you're right a guy who worked for CIA undercover and was described by a former NSA co-worker as a genius was just some glorified data janitor. I too read some job postings and am now convinced.
|
# ? Feb 26, 2015 21:53 |
|
Just for reference https://en.wikipedia.org/wiki/Edward_Snowden#Career It's Wikipedia, but if A Man With A Plan is to be believed it is spectacularly wrong here.
|
# ? Feb 26, 2015 22:14 |
|
Tezzor posted:Encryption probably works for the time being in stopping mass surveillance, but there is something also to be said for being annoyed with smug compsci dorks saying "just encrypt everything" to the point of advocating that people use one-time pads, like that is practical, likely to be generally effective, or just. That's my point - real, effective, stake-your-life-on-it security is not practical or convenient. For much too long we've been relying on automatic door-locking machines to lock our doors when we leave the house, and now thanks to Snowden we know that the NSA can trivially open any door equipped with that system. So now we either have to go back to fumbling in our pockets for the key to lock the door ourselves, or just accept that the convenience we've grown to take for granted comes with a cost. And while that was a completely horrible analogy, you might want to read up on the security of electronic locks next time you stay in a hotel; suffice it to say the FBI wouldn't need to ask the hotel staff for access to your room. Just the same, though, next time I go traveling I'm not going to go to the extra effort of finding a hotel that still uses a physical key rather than an electronic one - when things come to the point where adding security means actual inconvenience for yourself, most people will decide that being as secure as possible isn't that valuable. Though I don't know if we can really call it "as secure as possible" if you're not even barricading the doors and windows with furniture when you're in the room. Most people don't really need security enough to make sacrifices for it, and any security that you don't give up at least a little convenience for has been demonstrated to be useless at resisting bulk collection. Not just legit requests, either - an organization's encryption keys can be compromised by a determined attacker.
Don't forget that it was just recently revealed that US and British intelligence hacked a SIM card maker and made off with the encryption keys for hundreds of thousands of SIM cards.
|
# ? Feb 26, 2015 22:16 |
|
Salt Fish posted:There is nothing specific about the NSA when discussing these exploits. The NSA is simply illustrating the nature of the Internet for us by abusing its open nature. You cannot rein in the various state actors and unaffiliated criminals through some kind of political power we wield in the United States. Zombywuf posted:If Google's decrypting my PGP encrypted mails we've got a larger problem. There's a bump in 2013 when the Snowden PRISM leak occurred. The number of new keys added per day went up threefold. That didn't last, but today the rate is still roughly twice what it had been before (1k keys per day instead of 500). Let's pretend that each new key is a new individual email user adopting PGP. This is absolutely going to be a gross overestimate---the numbers in the graph are totals, and PGP keys expire, a lot of keys are used by poo poo like open-source projects for code signing, and so on. I have a couple dozen PGP keys for different things, for example. Anyway, let's pretend the chart is telling us there are roughly four million PGP users in the world. Even though that's bound to be a monumental overestimate. There are conservatively two and a half billion email users in the world. Not accounts, individual users. That means that a completely optimistic estimate of the rate of adoption of PGP, 24 years old this year, is 0.2%. That's not two percent. That's two tenths of a percent. And keep in mind that both ends of the conversation have to be using PGP for the communication to be encrypted. So the number of actual email conversations actually encrypted by PGP is almost certainly south of 0.04%, or about one in every quarter million. And that's after getting a between 200% and 300% increase in the rate of new adoption after the PRISM disclosure. I mean honest question here: what percentage of your email communications are PGP encrypted? I mean really.
I've been using PGP essentially as long as it's been around and I'm pretty sure my lifetime average is within rounding error of zero, and I'd be willing to bet I'm in the upper three sigma of PGP users---because I have routinely sent encrypted PGP emails at all. Zombywuf posted:So Snowden is not a primary source on the subject of NSA capabilities? Zombywuf posted:And no one is arguing that "encryption is a solution". Zombywuf posted:As I said, encryption is the bare minimum to even get started on the problem. It does make it harder for the NSA to get at everyone's data, if you disagree then please explain why they bother lifting data from the wire in the first place. Also explain why GCHQ did not bother to get the SIM keys that were transmitted with secure encryption and stuck only with those transmitted in plaintext. Also why bother to go to the effort of getting the keys in the first place. That is: You and the NSA are not playing a symmetrical, zero-sum game. The things most people care about when they think about privacy---search history, browsing history, social media, email, IM, and so on---are easily within scope of compromise by e.g. the NSA. But just because you've lost your privacy doesn't mean the NSA will stop because you've `lost'. Because it's not a zero-sum game, and the NSA hasn't `won'. So they'll keep going after more and more data long after virtually anyone would concede that their privacy had been compromised. Because that's how they play their end of the game. So I say encryption won't save your privacy and you say well if that's true why do spy agencies go after clear communications and attempt to compromise encryption there's no contradiction.
|
# ? Feb 27, 2015 01:13 |
|
Megaman's Jockstrap posted:Yes you're right a guy who worked for CIA undercover and was described by a former NSA co-worker as a genius was just some glorified data janitor. I too read some job postings and am now convinced. Uh yeah, even the CIA's data janitors, while abroad, are under cover. Anyway I was only talking about his time at the NSA, I only know as much as you do about what he did before. This is a dumb argument regardless. My point was only that he was not an expert in the SIGINT systems, so you should base your arguments on leaked documents, not his own words.
|
# ? Feb 27, 2015 01:29 |
|
SubG posted:I mean honest question here: what percentage of your email communications are PGP encrypted? I mean really. I've been using PGP essentially as long as it's been around and I'm pretty sure my lifetime average is within rounding error of zero, and I'd be willing to bet I'm in the upper three sigma of PGP users---because I have routinely sent encrypted PGP emails at all. quote:I didn't say that. You're making up arguments again. quote:You're digging for an argument I'm not making. Which I have repeatedly pointed out I'm not making. Stipulate that any data you encrypt is literally perfectly protected against disclosure except to the intended recipient. Have you made things more difficult for the NSA? You have made them, in our fantasy version of things, perfectly difficult as far as that bit of data goes. So does that mean you win and get to keep your privacy? No. Why? Because denying the NSA access to that piece of data doesn't protect all of your data. quote:Because you can't, even in principle, encrypt all the data you care about. quote:So I say encryption won't save your privacy and you say well if that's true why do spy agencies go after clear communications and attempt to compromise encryption there's no contradiction. If they are actively attacking me I can at least take solace that I'm wasting a tiny part of their time.
|
# ? Feb 27, 2015 12:36 |
|
|
Zombywuf posted:I don't get what you're arguing. That not enough people use PGP and more should? Assuming this isn't just a non sequitur it implies that PGP encryption has something to do with resolving the problem of NSA surveillance. So. Does it solve the systemic problem? Well, in the real world the adoption rate is a fraction of one percent. So that looks like a `no'. It's rounding error. Does it solve the problem on a personal level? Well, in order for PGP encryption of an email conversation to work both ends have to be using PGP. So the answer is still no, because unless you're a crazy cryptosurvivalist who only associates with other crazy cryptosurvivalists that means that most of the people you want to have email conversations with---businesses you want to buy things from, health care providers, your workplace, your friends who aren't part of the fraction of a percent of the population using PGP, your family, and so on---won't be using PGP. I notice that you failed to answer my question: you say if Google is decrypting your PGP-encrypted email there's a larger problem. How much of your email do you PGP encrypt, really? I'm actually asking. You're someone who apparently cares about NSA surveillance and you know about PGP and apparently think it's a viable solution to at least part of the problem. So given all of that, what percentage of your email are you PGP encrypting? All of it? Half? Ten percent? Zombywuf posted:Nah, you just made a dumb attempt to imply that somehow Snowden himself is untrustworthy. Zombywuf posted:Which is why Snowden said "Encryption is a waste of time, don't use it." Oh wait, that's not what he said, what he said was "Encryption works." SubG posted:If you want to make an actual argument, make it. But don't pretend a vague paraphrase of an appeal to authority is an argument. Encryption works for some things. Protecting your privacy against NSA surveillance is not one of them. For reasons I've explained in some detail.
If you want to object to something I've actually argued, do so. Zombywuf posted:I've been trying to work out, and I still can't, what threat model do you have in mind when you talk about privacy. Because it looks like you conflate the NSA and individual actors within the NSA. I'm talking about---and I'm astonished you can't recite it by heart now---individual privacy being compromised by NSA surveillance. The sorts of things I'm talking about protecting the privacy of are things that most people care about and which reflect common internet usage cases: their search behaviour, their browsing behaviour, their social media behaviour, their email behaviour, their instant messaging behaviour, their phone use, and the contents of these things. The threat is NSA surveillance, specifically the programs and methods outlined in the Snowden (and other) disclosures. This includes but is not limited to programs like PRISM, which involve targeting things like search history, browsing history, social media content, email, instant messaging, and so on, as well as actions such as routinely and on a daily ongoing basis collecting all the phone records of millions of phone customers. None of this is corner case poo poo as far as privacy is concerned. And none of it is about some rogue NSA employee giggling over your holiday snaps. This is large-scale, institutional violation of individual privacy as a matter of policy.
|
# ? Mar 2, 2015 23:40 |