
Post-Snowden: The Economics of Surveillance - privong
http://www.lightbluetouchpaper.org/2014/05/27/post-snowden-the-economics-of-surveillance/
======
Zigurd
It's an interesting paper, but seemingly disconnected from at least two
important facts about surveillance:

1. Strong encryption works and data in transit and at rest can be secured.

2. Node security doesn't work, and state actors are behaving irresponsibly by
creating a market in insecurity by buying zero-day attacks. This is analogous
to buying bioweapons from freelance laboratories and hoping nothing really bad
happens. How do you "govern" a dangerous practice like that?

The article appears to assume that all nations will accept a subservient role
in a monitored world. Nobody will want actual confidentiality for their
government and industry. That doesn't seem plausible.

~~~
sliverstorm
_Strong encryption works and data in transit and at rest can be secured._

Hey, if we can capture the packets today, it's only a matter of time until
quantum computers are brought online and AES256 is rendered as strong as wet
paper.

(Or so the gamble might go)

~~~
tzs
For symmetrical ciphers like AES, quantum computers effectively cut the key
length in half for brute force attacks. If you used a good key with AES256,
you do not need to worry much about quantum computers.

~~~
tptacek
That's true, and AES is a bad example of a QC threat, but if you're talking
about packet captures, in practice AES is usually keyed by something that is
very vulnerable to QC.

------
contingencies
TLDR: _Use of surveillance examples to zoom-out to big picture questions about
the role of technology in civilization and the future of humanity versus
entrenched capital and increasingly powerful technologies increasingly
harnessed to cement present-era dynastic power/economic structures._

Well, ain't that just the question. If you're not working on world-changing
technologies (~= morally defensible alternatives to today's centralized
technologies) then quit your job and get with the program.

~~~
pyre
Node security is just as much a problem. Sure, not as much in a 'large dragnet
of the Internet' sense, but de-centralizing (e.g.) Facebook won't help you to
trust your hardware or OS more.

------
lotsofmangos
_The global surveillance network that’s currently being built by the NSA, GCHQ
and its collaborator agencies in dozens of countries may become a new
international institution, like the World Bank or the United Nations, but more
influential and rather harder to govern. And just as Britain’s imperial
network of telegraph and telephone cables survived the demise of empire, so
the global surveillance network may survive America’s pre-eminence._

Sounds a lot like the Central Intelligence Corporation from Snow Crash.
Presumably Google Glass owners are going to become the gargoyles.

~~~
w_t_payne
Presumably ... although I suspect that sensors will be cheap and ubiquitous
enough that gargoyles in the manner that Stephenson described them will be
quite redundant.

~~~
vidarh
In fact, sensors and delivery systems are close enough to being cheap and
ubiquitous enough to enable non-governmental "competing" intelligence
organizations becoming a problem.

I keep expecting the first publicly known example to be conspiracy nutcases
deploying drones into Area 51 or similar... We've already seen what the
semi-anonymity of hacking over the network leads to.

Over the next few years, we're likely to see the next step: With robotic
delivery platforms becoming small enough and cheap enough to be hard to
stop/track (either because they're hard to spot, or simply because they're
cheap enough that there can be ridiculous _numbers_ of them), and sensors and
networking let "anyone" capture high quality images etc., while gaining some
chance at evading capture by being physically detached from an intrusion.

On one hand there's plenty of potential for abuse against individuals, and for
corporate espionage and organized crime. On the other hand, it seems like
we're at a stage where it may become incredibly hard for state intelligence
and military actors to prevent individual civilians, political groups or
organized crime from carrying out intrusions of an unprecedented level.

~~~
olefoo
Just wait 'til someone finds a zero day for Otis equipment that lets you turn
an elevator into a remote control assassination tool. Facial recognition is
good enough that if you had the right systems in play you could automate the
whole kill chain from identification to placement to action.

And here's the thing; it's a tool that's most effective against the midlist,
the strivers, the up and coming execs and entrepreneurs who can't afford a
real security detail yet. If you start hearing a lot of stories about
promising young execs dying by weird household and office mishaps that could
involve automated machinery (like burned to death by scalding water from a
dishwasher, electrocutions, garage doors closing at inopportune moments or
such.)... you might be seeing traces of an organized campaign.

Just something to think about next time you step into a hotel elevator...

~~~
pdkl95
> someone finds a zero day for Otis equipment that lets you turn an
> elevator...

I'm reminded of the EE-vs-CS joke about how to design a toaster[1].
Engineering-major rivalries aside, I've always liked it for its caution
against over-engineering. For some things - such as elevators - we hit "good
enough" a long time ago.

I wonder if "non-programmability" will become a popular feature in the future,
specifically to avoid these risks. Using non-Turing Complete "Little
Languages"[2] or hardware that's fixed to a single circuit could help.
Unfortunately, it's probably too late; we spent the last few decades putting
CPUs into everything, and now we get to slowly find out how many security
holes that additional complexity left us with.

[1] http://www.ee.ryerson.ca/~elf/hack/ktoast.html

[2] http://c2.com/cgi/wiki?LittleLanguage

------
suprgeek
(Politico-Technical comment) India shares intelligence with the NSA because
(presumably) given the cozy relationship between the USA & Pakistan, the US
(via the NSA) is in a better position to figure out if the intelligence has
Terrorism implications for either country.

Last I checked, Russia was not shoveling many billions in aid to Pakistan
along with F16s & other weapons systems with the misguided hope that
engagement is better than outright confrontation of a failed state with Nukes.

So India "sharing intelligence with NSA vs FSB" as proof of some Network
effect is bogus. NSA spies on Pakistan extensively via direct & indirect
methods, FSB does not (that we know of).

------
etiam
Ross Anderson's own comment:
http://www.lightbluetouchpaper.org/2014/05/27/post-snowden-the-economics-of-surveillance/

~~~
dang
Yes. URL changed from
https://www.schneier.com/blog/archives/2014/05/the_economics_o_3.html,
which points to this.

~~~
tomp
This was a bad idea, IMO. The part of the paper quoted in Schneier's blog post
does a much better job of explaining the "economics of surveillance" than Ross
Anderson's comment does.

~~~
dang
Unfortunately I don't have time to look at it right now. Should we just link
to the pdf instead?

Blog posts consisting of nothing but an excerpt from someone else's work
generally don't count as good links for HN.

------
known
Globalization is zero-sum

