Out of the Frying Pan, Into the Fire


Posted:   |  More posts about privacy encryption unhosted federated freedom

This is of course my doom and gloom summary of the situation cast into light by the emergence of NSA/GCHQ documents leaked by Edward Snowden. Unfortunately the raw documents have not been released but instead are being filtered by and reported on by a couple of press organisations such as The Guardian.

When I read "if we knew what he knew, we'd stop too" in regards to LavaBit closing and Groklaw folding with it I was only mildly concerned. I thought OK security has to be kicked up a notch and people need to start reconsidering self-hosting and since I was already covered well enough in this area I didn't think much further about this. But, I guess now I do know what he knows. To put it mildly: I am fucking concerned. The revelations uncovered in this leak are not only concerning but also a kick to the balls in general.

So after fighting for the right to encrypt data, which we were eventually allowed (in most countries) we went ahead and built upon the crutch that is encryption. We piled all the weight of our creations upon this crutch, and now it is being taken away. We forgot to build anonymity into our systems and now we are falling on our asses, hard.

But of course, privacy is only for terrorists right? The leaked documents refer to consumers of software products which the NSA had compromised as "adversaries". A pretty telling statement on the view of citizens in relation to NSA/GCHQ operations. There is no civilian designation in their universe of discourse. Aren't the UK, USA and even Australian governments accountable to their constituents? Apparently these organisations think themselves above such petty things as laws and social constructs. I think, perhaps, we have found the real terrorists here.

It is one thing to scream about privacy, but it's another to justify the reasons for it. There is a strong trend amongst your average Western person that the right to keep your activities and communications secret is only for those who are up to nefarious deeds. I wonder how these people could possibly voice this train of thought without stopping to think would a world where you have no right to privacy be acceptable?. Of course, if you argue that we are headed in such a direction you will be accused of basing your argument on the Slippery Slope logical fallacy (but this is of course The Fallacy Falacy). In recent history the status quo in Western culture has been quite good and so people have come to not only trust positions of authority but have also become complacent in their duty to keep those who operate under their authorisation accountable, which is leading us down a dangerous path. As is noted in the presentation "Free Thought Requires Free Media" by Eben Moglen, a professor of law and legal history, we have seen what happens when citizens have their Freedom of Thought denied, for example by the Christian churches (Specifically Catholic?) - which resulted in what is known as The Dark Ages.

Furthermore, Eben notes that from now on all human development will happen in contact with the Internet so the stakes are higher than ever. The pressure is on to set a positive precedence is avoid a second round of The Dark Ages.

Something indicated in the documents leaked by Snowden is that while many forms of encryption have been cracked (directly) the stronger forms are still likely to be effective. However the utility of such strong encryption has been greatly decreased by the fact that many protocols which use strong encryption can be cracked. VPNs (other than IPSEC VPNs), HTTPS, SSL and various server applications have been defeated, however the documents stress the need for absolute secrecy regarding the full capabilities of the NSA/GCHQ. It is supposed that for TLS for instance still works - however the documents indicate that various Certificate Authorities have been compromised by GCHQ/NSA and so they should be able to launch undetectable Man-In-The-Middle (MITM) attacks on encrypted connections which use certificates from these compromised CAs.

In response to compromised CAs, I really wish we had Quantum cryptography at our disposal as this would solve a lot of vulnerabilities and make MITM attacks impossible to perform undetected, as the state of the bit will change if the bit is observed before it reaches the intended recipient. Obviously, this is no silver bullet as it is useless for non-optical communication. Perhaps in the future we can look forward to Quantum communications which will not even need encryption due to the wonders of Quantum Entanglement.

Hardware based Random Number Generators are also likely to be compromised by the NSA's activities.

  • Hardware based RNGs are fucked. Thank God Ted Tso isn't a retard. https://news.ycombinator.com/item?id=6336505

  • I guess I will talk about the need for data to never make it into the NSA's hands in the first place which basically means uptake of more unhosted and federated style systems...
    • We need private email systems and software which easily allows the use of private certificate authorities (and nice private CA software).
  • Anonymity?
    • Would TOR be effective if they are decrypting traffic on your physical network segment and thus can easily deduce who you are?
      • The consensus is that Tor is under serious threat as the majority of users use a weak key.
    • Logical level obfuscation? Forward secrecy?

    • OTR?

  • But what about when you send information to somebody as part of communication?
    • Should we start telling recipients clearly what information about you they can/can't communicate/store over the internet or in certain countries? (What about foreign NSA operations? What about countries spying on other countries citezens on the citezen's country's behalf?)
    • Is there a non-socially-offensive way to achieve this?
  • Is this the western people's cue to truly start demanding respect from their governments
    • arriving at a socio-political fix rather than applying technical band-aids?
  • Moving forward should we exclude governments from security standards now it has been proven that they have actively engaged in producing weak security standards?
Comments powered by Disqus
Contents © 2013 Daniel Devine - Nikola Powered - Flattr Me! Flattr this Source