

Disagreeing with Bruce Schneier: More Crypto is Not the Answer - wheels
http://continuations.com/post/60444129080/disagreeing-with-bruce-schneier-more-crypto-is-not-the

======
oneandoneis2
I find it very naive that people think that they can solve the NSA/PRISM
spying problems just by getting some laws changed.

The NSA's activities are already probably both illegal and unconstitutional.
The problem isn't that the laws aren't protecting the people: The problem is
the laws are being ignored.

Politicians and co. have made it very clear that they can't be trusted,
regardless of the law: Big Brother is determined to watch you.

We need both: Our privacy needs to be enshrined in law; and we need to make it
as hard as possible for it to be violated, by use of strong encryption.

Just like it's illegal for people to come into our home uninvited, but we
still fit locks to our doors.

It's not one or the other. We have to have both.

~~~
6cxs2hd6
I agree we need both.

Coincidentally I read "Crack my Software"[0] just prior to reading this. So it
strikes me this is not unlike the "arms race" with copy-protection and DRM.
Where we are the publisher and the NSA is the cracker.

Ultimately DRM alone can't do the job. There needs to be a legal environment.
Also there needs to be a culture of owning not stealing (which implies an
economy of sufficient prosperity). Or the opposite, a culture of never
owning[1].

Likewise, encryption is an arms race. Long-term, of course we should seek and
use better encryption. But also, we need a legal and cultural shift in favor
of privacy.

[0]:
[https://news.ycombinator.com/item?id=6338013](https://news.ycombinator.com/item?id=6338013)

[1]: Not to push the analogy, but another path is a (very rough, approximate)
analog of "free software": As you abandon proprietary software, abandon
privacy. Don't fight to protect privacy. Accept "life in a small town". I'm
not advocating this, I'm just pointing out it's another way to defuse the
encryption arms race, by stepping out of it.

------
mseebach
The analogy is beyond flawed. Only houses that are indeed fortresses aren't
routinely broken into if they are located anywhere near "a bad area". And even
though the law is configured to punish those who break into houses, it rarely
actually achieves it in practise.

Online, the fact that your presence must already be surrounded by a
cryptographic fortress is well established, because the bad guys are lining up
to wander straight in if you let down your guard. Law or no laws.

In your house, even if you have all the best protections, the government
_will_ enter your house if it feels it needs to. There are plenty of
thoroughly unjust laws on the books (Civil forfeiture is particularly onerous:
[http://reason.com/archives/2010/01/26/the-forfeiture-racket](http://reason.com/archives/2010/01/26/the-forfeiture-racket)).

The problem isn't the NSA, that's just another symptom in a long row where
civil forfeiture is another. The root is that government has grown from being
a servant of the people to considering itself the rightful ruler of the people
(and plenty of people happily cheering along, even those who should know a lot
better - see here for an example:
[https://news.ycombinator.com/item?id=6339434](https://news.ycombinator.com/item?id=6339434)).

The author is correct that it shouldn't be necessary to protect ourselves
against the government to this extent - but the important distinction in the
surveillance case over the 'house' case is that we actually have a fighting
chance, for once.

~~~
rtpg
I find you choosing the roaming charge example to be bizarre: A lot of people
here are pretty free-market, and the telecoms industry is not one of those
free markets. It's dominated by few large corporations who piggy-backed off of
large public investment (ultimately from the taxpayer).

This is one of the most legitimate uses of government: when the market fails,
at least make sure that people are protected from being exploited.

~~~
mseebach
It's relevant because you can't have your cake and eat it too. An organisation
powerful enough to dictate prices for a service on the european market, is an
organisation powerful enough to dictate, say, total data retention:
[http://en.wikipedia.org/wiki/Data_Retention_Directive](http://en.wikipedia.org/wiki/Data_Retention_Directive)

~~~
rtpg
The price dictation is more of something similar to the WTO: roaming is pretty
isomorphic to tariffs, in one sense. Technically speaking it isn't (tariffs do
not represent anything other than some line, roaming is because you're
actually on some other guy's network) but de facto larger carriers end up with
plans to mutualise this anyways. Getting rid of tariffs is nice.

Also I don't see the link between price control and data retention. You're
conflating everything under government. I'm pretty sure these two things
underwent completely different processes.

~~~
mseebach
You seem to be under the impression that there is a separate "evil" arm of
governments that can be cut away somehow, letting you retain the good (or,
rather, convenient) bits while getting rid of the bad ones.

That kind of fantasy is why we won't get rid of PRISM or the data logging
directive. Government will only ever work for its own benefit, it's just that
every once in a while, it's in its benefit to throw you a bone.

~~~
rtpg
Actually yeah, what you're talking about is something called checks and
balances, where the bad is mitigated as much as possible.

Even in your situation where government works in its own benefit, these are
conflicting:

- The executive wants the data logging because it makes investigations easier,
so less police work

- The judicial would not want this because it would make more open and shut
cases, thus reducing the need for workforce there

Even here, by applying your logic, checks and balances work.

~~~
mseebach
That would be a wholly more convincing argument had checks and balances
actually prevented the data retention directive and the NSA excesses. They
didn't. Now what?

------
theboss
Many people who download illegally would never dream of stealing from a store.

Many people who may steal data would never dream of breaking in and physically
doing it.

It is much easier to steal 1s and 0s than it is to physically do it. Humans
seem to take the path of least resistance. If they can do it, they will do it.
And if they won't do it on their own network then a bad guy from Latvia or
somewhere who knows how to send phishing emails will.

Due to the mystery about who is truly on your network combined with the ease
of breaking bad security, you have to protect yourself fully. Banks don't have
lax security just because people 'shouldn't' rob banks.

Sorry blogger guy....your argument just doesn't hold water

edit: I want to add the reason your house is insecure is because we can't
protect it with math. If you wanted a perfectly secure house....you would end
up sinking billions into it and end up with a military base. Locks are flawed,
windows are flawed, but they are good enough so that when there is a security
breach you will be aware of it and can hopefully remedy the situation or fight
back.

~~~
xj9

> Many people who download illegally would never dream of stealing from a store.

Copyright infringement and theft are two entirely different things.

~~~
theboss
So is breaking into someone's house to steal papers and passive eavesdropping.
But the results are the same. You still end up with data you didn't have
before.

------
drivingmenuts
It's an awesome idea, except for one thing:

It's very clear that there is one law for the public and another, secret law
for the NSA. Furthermore, if it turns out that the secret law is inconvenient,
they'll just do an end-run around that and ignore it.

The laws are already mostly there. One major problem is that there is little
to no public consequence for breaking those laws. Public officials are given
trust and the tools to do things that are far beyond the abilities of ordinary
citizens. Should not the punishment for breaking those laws be accordingly
greater?

Right now, they do it because they have no fear.

------
hga
_"Our homes are safe from thieves and from government not because they
couldn’t get in if they wanted to but because the law and its enforcement
prevents them from doing so."_

A very parochial attitude from someone who lives in either Westchester County,
NY, or I think NYC in the last year and a half or so.

Where I live we believe in defense in depth, not the crust defense of
perimeter security backed up by essentially nothing, "when seconds count, the
police are minutes away".

If he lives in the suburb, as I gather he used to, the use of effective self-
defense, i.e. "lethal force" in the form of guns, is strongly discouraged and
there are a variety of traps for those wishing to abide by the law. If he's
moved to NYC, it's almost certainly not even an option unless he's a lot more
connected than he appears to be (a bit more than 50K each licensed handgun and
long gun owners in a city of 8 million).

BTW, we have statistics strongly suggesting this has a deterrent effect.

So this further distances this analogy from the Internet.

Mostly. If I see a hacker's process running on one of my systems, I'd "kill"
it. But that's not really the same thing....

On the other hand, defense in depth is very valid for all these issues. E.g.
you hopefully don't _entirely_ depend on the crust defense of a firewall.
Others are suggesting that if you're careful about side channel attacks, there
might be utility to doubling up on encryption algorithms. Although if your
adversary has access to your or your counterparty's keys, which is what this
latest revelation is about, it's game over. Not sure how to address that,
other than don't entirely depend on easily targeted 3rd parties.

------
john_b
> _"We cannot and should not be living in digital fortresses any more than we
> are living in physical fortresses at home. Our homes are safe from thieves
> and from government not because they couldn’t get in if they wanted to but
> because the law and its enforcement prevents them from doing so. All we have
> to do is minimal physical security (lock the doors when you are out)."_

If the police really want to enter your house, they will. This is government
we're talking about, not some random small time thief. Laws have been weakened
over the past few decades to the point that they barely provide much
protection at all, and where they do, the government will find any excuse
(however absurd) to ignore them. And even when it becomes apparent that
government surveillance is blatantly illegal, they will still defend it by
saying that it's necessary or else the terrorists and child pornographers will
win.

Better (and better enforced) laws are a big part of the solution. When someone
breaks into your house they should be held accountable, whether they are a
small time thief, a police officer without a warrant, or the NSA. But until we
live in a perfect world with perfect officials who perfectly follow the law,
it helps to have a weapon to act as a deterrent against people who are not
deterred by the law.

------
yafujifide
No, I think Schneier is right. Law enforcement and culture may play a role in
keeping your home safe, but so does the lock on the door. Certainly when
government goes off the rails it's bad for security, but you should still lock
the door.

------
quchen
While I agree with the author's ideals, I think the comparison between the
personal computer with a personal home is not a very good one: computers are
not local anymore, they are (very) connected to a global network most of the
time; houses are not.

Even in an ideal world where there are no secret government agencies looking
through all of my data, I would still seal the envelope of letters I send, and
I think cryptography should be treated as at least that. Increased public
awareness is a good thing, and if we can trust it that's even better.

------
nkurz
_This is completely the wrong direction for us to take. We cannot and should
not be living in digital fortresses any more than we are living in physical
fortresses at home. Our homes are safe from thieves and from government not
because they couldn’t get in if they wanted to but because the law and its
enforcement prevents them from doing so. All we have to do is minimal physical
security (lock the doors when you are out)._

Perhaps as a result of growing up in places where locking doors is usually
unnecessary, I've never quite understood this argument. If the basis for
security is societal norm and legal enforcement, what's the significance of
the locked versus unlocked door?

I feel like this attitude is usually an excuse to blame the victim, and
disguises the fact that most people are more reliant on the lock than they
wish to admit. When your locked car is broken into or stolen, the argument
often quickly changes to point out your additional responsibility to use an
alarm, a physical theft deterrent device, keep anything that might look
valuable out of sight, carry appropriate insurance, and if possible avoid
parking on the street.

I worry that the analogy between locked doors and encryption doesn't yield the
conclusion the author draws. While in theory privacy can be maintained through
change of law, in practice it may need to be guarded with measures appropriate
to the level of security desired.

------
racbart
Except that before we reached some kind of protection coming from governments,
we lived through thousands of years where governments, kings and lords of any
kinds were the masters of life and death of ordinary citizens. Would we have
such kind of freedoms and security as we have today if past generations didn't
take a stand? I doubt so. If they decided that weapons and violence is the
governments' thing and resistance is futile, nothing would change.

Rights and freedoms are never granted, they have to be taken. We shouldn't
opt-out from our right to privacy and if you stop trying to circumvent
governments' spying efforts, you basically opt-out. Even if a single isolated
action seems futile, you shouldn't stop doing it, because if you stop, then
they'll know that they can do their thing and they can escalate even more.

The only thing that can stop them from escalating, and create enough political
or legal climate to change things to grant us privacy, are the actions from
ordinary citizens who try to defy, regardless of how futile that seems. If
there will be only criminals and enemies who will actively fight and try to
avoid total surveillance, then it will be clear that it's a tool specifically
against criminals and enemies and it will conclude as the end of the story.

------
rdc12
The law doesn't prevent anyone breaking into your home, ask anyone
(including myself, but came off pretty lightly) who has ever been burgled. The
law may or may not protect you after the fact.

The consequences of surveillance and data collection are also in no way
comparable to home security. Currently the law in most (if not all) western
countries, the state has provisions for searching your home too, but requires
oversight from a (hopefully) neutral judge.

Short of completely changing the nature of how governments and their agencies
operate, nothing will change. As it stands it is up to the individual to
protect themselves, which given the general public's understanding of digital
security and crypto, is a really bad place to be.

------
gmuslera
More crypto is not a solution. It is a mitigation, and it is something that most of
us can do.

There are more things that we all can do. Switching to open source and/or non-
US based alternatives will also improve security, and what's more, will hit big
companies, that have a louder voice than normal consumers.

And the rise of alternate economies (or even switching to cash when possible)
could improve privacy, and if it becomes commonplace enough, hit banks, that have
the loudest voice of all.

That doesn't take away that US citizens must do something at the legal level,
even if the next election is pretty far and anyway odds that the same idiocy shown
in the previous one (there had been plenty of hints of how bad both of the main
candidates would be) is likely to be there again in the next one.

Regarding manifestations, the Occupy movement was an example of what could go
wrong there: it is easy to infiltrate someone to make the movement look
extremist, terrorist, or whatever, they even had the idea of killing some of
the leaders (or what they did with Aaron Swartz). Raising awareness online, on
the other hand, is something that could be done, and Schneier is doing exactly
that.

Regarding the rest of the world, they must spot their dirty apples (i.e. those
workers at telcos that open up things for NSA), and enable people to become
less dependent on US network and based services (i.e. providing alternatives,
letting (or even encouraging) people install their own servers at their home
connection).

------
jacquesm
Disagreeing with the disagreement. You need both firefighting equipment _and_
insurance, not just one or the other.

So we need laws and checks in place to make sure that there is no unauthorized
snooping. And then for those that try to snoop unauthorized (which is as good
as undetectable until someone acts on the data snooped) we need to make the
defense as good as we can.

The analogy with houses and breaking in is faulty because there we can detect
something is wrong (in most cases, at least).

------
lotsofcows
Are you USAian? This inability to understand that internet traffic travels
over multiple geopolitical jurisdictions seems very particular to a certain
sort of American. Unless you're arguing that the UN should set up some sort of
world-wide legal framework for spying and/or internet privacy, governmental
interference is not going to help.

That being said, everyone should be making it very clear to their respective
governmental representative that this problem is unacceptable not just from a
personal privacy point of view but because it is inherently destabilising to
a phenomenon that is intrinsic to the very nature of modern business and our
lives.

------
skylan_q
_We have to all become outraged and start a big and public online and offline
campaign to take back the law into the hands of the people and their
representatives and away from secret organizations “overseen” by secret courts
in a system that goes beyond Kafka’s worst nightmares._

This is not politics. This is wishful thinking. Only a headline from the Onion
would read "Politicians change laws to conform with the wishes of a small
protest group"

The actual political solution is in bucking the system that's betrayed us.

------
DennisP
The approaches are complementary, not contradictory. The more expensive the
surveillance is, and the less useful the results, the easier it will be
to convince the government to let go of it.

And the better we are at drumming up grassroots opposition in the political
realm, the more people are likely to use good encryption too.

~~~
bcaulf
I hope that the NSA revelations will be the biggest spur ever for use of
effective crypto. It's the only effective response we have. The Administration
and the Congress aren't going to restore privacy. We don't have a national
anti-totalitarian party in the USA. Just the two pro-totalitarian parties.

------
danso
I agree that those who are outraged/concerned need to bring this out into the
public sphere...however, I think the OP is ignoring the effect of technology
here. Even with government surveillance curtailed, they will still have room,
with the advent of more powerful computers and infrastructure, to make
mistakes...and so individuals should get used to the _practice_ of security,
because, unlike a home invasion or breaking the seal of a physical letter,
it's much harder to detect when your online privacy has been (inadvertently or
maliciously) broken.

------
meapix
Why lock the door if people can break in anyways? I think your point is
seriously flawed.

