
Snowden Meets the IETF - kazuho
https://www.mnot.net/blog/2015/07/20/snowden_meets_the_ietf
======
s_q_b
The more I consider the ramifications of these news reports, the more I
realize we need full decentralization and total encryption.

We have the tech: Strong encryption, Tor-like relays, and the blockchain. What
we need is a way to make services based on these technologies not just _as
easy to use_ but _easier to use_ for the average Jane.

If the internet as we know it is to survive, we have to crack this nut.

~~~
JoshTriplett
That's necessary, but not sufficient. We need both sane policies _and_
technical measures to ensure that nothing less than those policies is
possible. If we only have the technology, policy-makers can and will make life
difficult both for the users and makers of these technologies; more draconian
regimes will simply never allow those technologies to take root to begin with.

~~~
enraged_camel
Either that, or they will simply intimidate and even torture people for their
private keys.

May sound far-fetched, but it isn't.

~~~
pigeons
Force them to intimidate and torture at least one side of every communication
they want, instead of letting them intimidate and torture three or four
centralized service operators to get everybody's communication.

------
Panino
It must have been an exciting surprise for attendees.

I'm glad Snowden said DNS should be encrypted. From the tweet stream provided
by @conflictmedia, that was tied for 1st for most re-tweeted, along with
making the Internet for users, not spies. (It should be noted that DNSSEC is
not encrypted.)

Too bad his appearance wasn't recorded, but HUGE thanks to Niels ten Oever and
Rich Salz for tweeting major points!

~~~
arca_vorago
This is where I get to plug djbdns and DNSCURVE over DNSSEC. I think DJ has
been ahead of the curve (no pun intended) on these things for quite some time.
I am currently in the process of migrating from bind9 (and avoiding bind10
like the plague) to djbdns wherever possible. Quirks and lack of
updates/extensions notwithstanding, it's great so far.

[http://dnscurve.org/integration.html](http://dnscurve.org/integration.html)

~~~
skuhn
I think that's a mistake. You are using abandoned software: djbdns 1.05 was
released in 2001. It even has a published security flaw from 2009, for which
the $1000 guarantee was paid by DJB, and yet there is still no official
release to fix the issue (there is a patch available from other sources).

There is a fairly healthy ecosystem of BIND alternatives these days, but
djbdns is not one of them.

~~~
scintill76
This one?
[http://article.gmane.org/gmane.network.djbdns/13864](http://article.gmane.org/gmane.network.djbdns/13864)
It is a little disappointing he didn't issue a new release with the patch
included. Perhaps it can be rationalized that the original fork is abandoned,
but distro-maintained forks are fine.

As someone who runs tinydns to serve a few personal domains, I'd be interested
to hear of another simple, solid option, if it fixes any concrete problems a
recent Ubuntu build of tinydns has.

------
frankNo
Well, luckily for humanity this is exactly what I've been coding full time
since December of 2014, dedicating my life to. I have been designing it for
many years.

My vision is complete and planned, all the way until The World Brain! See:
[https://sherlock.ischool.berkeley.edu/wells/world_brain.html](https://sherlock.ischool.berkeley.edu/wells/world_brain.html)

The first layer, MORPHiS, is a global secure encrypted distributed datastore
that deprecates bittorrent, email and the web so far and is slated for release
at the end of this Month!

See [http://reddit.com/r/morphis](http://reddit.com/r/morphis) for details.

Sorry for reddit; it is because I keep getting shadow banned here for being
pro Snowden, Etc. Do not worry, MORPHiS is designed to deprecate hacker news!
Anyways, the website is morph.is but doesn't launch until the 31st of this
month. Read the only article in the /r/morphs subreddit for lots of details on
MORPHiS!

Peace all!

------
justwannasing
I find it interesting that people now consider Snowden the authority and
source for all these things.

~~~
nickpsecurity
Agreed. He actually knows little about most of INFOSEC compared to other,
serious practitioners. He seems to be a good IT guy, expert on NSA tools, and
has anecdotes of what they had trouble hitting. Far as security engineering,
I'd trust a source with a good track record of building and breaking stuff
similar to what I'm assessing.

People are leaning on him way too much for way too many things. I'm not even
saying my statements apply to the article here so much as in general for
people interviewing or citing him. Anyone reading posts of high-security
engineers pushing strong hardware and software security pre-Snowden would've
survived almost everything in NSA's toolbox using such methods. Leads me to
add that Snowden seems totally unfamiliar with that stuff and it's
unsurprising given his job was SIGINT-related rather than strong INFOSEC.

My only failure was not focusing on clean slate chips and hardware design
enough. My priority was software but prioritizing the kind of hardware I've
promoted here & elsewhere would've got me further. Makes the software easier
to secure. Just was too lazy to learn all the hardware engineering knowledge
it takes to (a) do custom hardware and (b) do sub-micron, custom hardware. I'm
making amends now, at least.