
Reddit co-founder calls out Google, Twitter, Facebook over CISPA - denzil_correa
http://www.networkworld.com/news/2013/041013-reddit-268596.html
======
tptacek
I would like to hear from Ohanian about what changes he would like to see to
improve the scope and privacy controls in CISPA.

~~~
deelowe
Agreed. There are valid reasons for the bill (mostly around giving agencies the
ability to do their jobs in the digital age without unnecessary restrictions).
Also, there's that whole issue of having the ability to do something about
cyberterrorism (which is happening today, by the way). The implementation may
not be sound, but something does need to be done.

The CIA and FBI need to be able to research and distribute malware. The
government needs to have a way to do something in cyber warfare scenarios.
This is why the bill has so many supporters.

My guess is that big businesses are supporting this (Google) due to them having
been bit by state sponsored attacks in the past
(<http://world.time.com/2012/06/06/google-warns-gmail-users-of-state-sponsored-attacks/>).

~~~
AnthonyMouse
>something does need to be done.

Can you elaborate on why that is?

"Something must be done" is the refrain of private defense contractors seeking
new revenue streams following the tapering off of our most recent foreign
excursions. "Cyber war" is total B.S. It's just taking the same industrial
espionage issues that have existed forever and adding "on a computer" to it in
order to increase the hype level.

There are a ton of things the government could actually do to help with
information security. Some of them are even in the bill -- I don't think
anyone has a problem with government providing threat information to the
private sector. Or how about more funding for security research. Incentives to
implement protocols like DNSSEC.

But there is no excuse for exempting corporations from _all_ privacy laws
using extremely vague language. The problem with this bill is very much the
implementation rather than the intent, but "good intentions" are no
justification for bad legislation.

~~~
tptacek
Incidentally, not to get me started on another topic that will result in
18,000 new comments from me, but DNSSEC is a boondoggle that won't help the
Internet and is a massive favor to the largest registrars. We should be
thankful that we dodged the bullet of a bill that mandated DNSSEC.

~~~
AnthonyMouse
It seems like your argument is that TLS is better than DNSSEC, so use that
instead. But how is that better than using both?

I'll give you that DNSSEC is imperfectly designed, but given that it hasn't
been widely deployed, why not just make DNSSECv2 which addresses the concerns
(like having the end-user device verify the signature)?

~~~
tptacek
TLS isn't simply better than DNSSEC: DNSSEC still requires TLS. If you use
just DNSSEC, and you stipulate that DNSSEC does what it's supposed to do
(spoiler: it doesn't) then all you've done is protect your DNS lookup. So TLS
is a non-optional component in the web stack even in the very unlikely event
DNSSEC is deployed.

So the problems with DNSSEC then boil down to:

* TLS isn't designed to depend on the security of the DNS. How you know that is, TLS works today, and nobody uses DNSSEC. So if everything needs TLS anyways, why forklift in a new DNS when we could instead work on making TLS better?

* DNSSEC actually degrades the DNS. In a couple ways. First, DNSSEC changes the security model of DNS records; they're now signed, but also they're public. For a long time, DNSSEC advocates claimed that DNS records were _always_ public, but that's clearly not true; try to dump Bank of America's zone files. When the advocates lost the argument, they introduced a grotesque hack that turned DNS zones into crackable password files (this is "NSEC3"). That's just one example; there are better examples.

There is a proposed alternative to DNSSEC that I like: DNSCurve. DNSCurve
gives up on the idea of signing DNS records and instead just allows any DNS
client to create a secure connection to any DNS server. That's a totally sane
improvement to the DNS which inexplicably isn't included in DNSSEC (your DNS
lookups in a DNSSEC world are still unprotected!). We should do that instead
of DNSSEC.
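An added illustration of the "crackable password file" point above (not code from the thread or from any DNSSEC implementation): this computes NSEC3 owner-name hashes exactly as RFC 5155 specifies (SHA-1, published salt, published iteration count, base32hex) and then runs a wordlist over a constructed zone the way a zone operator would to see which of their own "hidden" names a hash chain actually hides. Zone name, labels and wordlist are invented for the example; the salt and iteration count match the RFC 5155 appendix.

```python
"""NSEC3 owner-name hashing (RFC 5155) and a check for how guessable a hashed zone is."""
import base64
import hashlib

# RFC 5155 encodes the digest with the Base32 "Extended Hex" alphabet (RFC 4648 section 7).
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """SHA-1 of (wire name || salt), re-hashed with the salt `iterations` more times,
    as RFC 5155 section 5 defines; returned as 32 lowercase base32hex characters."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def guessable_names(hashed_owners, zone, salt, iterations, wordlist):
    """Salt and iteration count are published in the zone's NSEC3PARAM record, so anyone
    who walks the NSEC3 chain can test candidate labels offline, exactly like a salted
    password file. Returns {hash: recovered name} for every chain entry the wordlist hits."""
    table = {nsec3_hash(f"{w}.{zone}", salt, iterations): f"{w}.{zone}" for w in wordlist}
    return {h: table[h] for h in hashed_owners if h in table}


# Constructed zone: the labels below are invented for this illustration.
ZONE = "example.test"
SALT = bytes.fromhex("aabbccdd")   # same salt and iteration count as the RFC 5155 example
ITERATIONS = 12
HIDDEN_LABELS = ["www", "mail", "vpn", "git", "h7q2x9kd"]   # last one is not dictionary-like
COMMON_LABELS = ["www", "mail", "ftp", "vpn", "git", "intranet", "dev", "staging"]


def demo():
    """Hash the zone's names as a signer would, then see which ones a small wordlist recovers."""
    chain = [nsec3_hash(f"{lbl}.{ZONE}", SALT, ITERATIONS) for lbl in HIDDEN_LABELS]
    found = guessable_names(chain, ZONE, SALT, ITERATIONS, COMMON_LABELS)
    for h in chain:
        print(h, "->", found.get(h, "(not recovered)"))
    return found


if __name__ == "__main__":
    demo()
```

Only the random-looking label survives; the four conventional hostnames fall to an eight-word list, which is the whole of the confidentiality NSEC3 adds over plain NSEC.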

~~~
AnthonyMouse
>So if everything needs TLS anyways, why forklift in a new DNS when we could
instead work on making TLS better?

For one thing, not everything uses TLS (even if it should). TLS normally
requires support by the application; securing DNS could be done in the OS. You
could fix DNS and have at least that fixed even for all the legacy
applications that nobody is ever going to update to use TLS. It would also
make IPSec easier to deploy to the same effect because it would allow the DNS
to be used for key distribution. And likewise for distributing ssh host keys.

I'll give you that DNSSEC is poorly designed, but I don't necessarily want
"DNSSEC" in particular, I'm just looking for something that allows client
devices to securely verify DNS query responses. Does DNSCurve do that? The
Wikipedia entry doesn't clearly distinguish whether it's securing the
connection to the server or the query response. In other words, does DNSCurve
allow you to detect if your ISP's DNS resolver is compromised?

~~~
tptacek
That is exactly what DNSCurve does, and is something DNSSEC _does not_ do.

~~~
AnthonyMouse
See, this is why I like this place. People who can teach me things. OK then,
so why haven't we deployed DNSCurve?

------
pms
Actually... Why do they want to pass this bill in the first place?

I mean... The things they want to do are comparable with monitoring all phone
calls. Listening to all phone calls and trying to catch dangerous words in the
conversations. Why has nobody tried to do this with phone calls, but now they try
to do this with on-line messaging and social networks?

~~~
tptacek
What CISPA purports to do is not comparable with monitoring all phone calls.
Where, in the text of the bill or any of its amendments, do you find support
for the concern that the law would be used that way?

~~~
ryanSrich
They don't have to say those exact words per se. All they have to do is keep
the wording vague enough so that those actions can be justified.

~~~
tptacek
In what words in the law do you find refuge for mass collection of the texts
of online messages?

~~~
nickdoesdesign
They don't need it. Look at the FBI's Carnivore Program, now obsolete. All they
needed was a warrant (or, nowadays, an NSL) to do so. Just because it's not
explicitly stated does not mean it cannot be a reality, justified by vague
wording and obfuscation.

~~~
chc
This seems like a generalized concern about the government's practices rather
than a specific concern about CISPA.

~~~
ryanSrich
Well of course it is.

All CISPA is, is the next logical progression of the totalitarian[1] state. It
harks back to the Patriot Act. There was an event of terror. Therefore there
must be "terrorists" out there and we really need protection from them. So
much so that we are willing to surrender our rights to a fair trial.

CISPA is the same thing. It focuses on one instance or issue and abstracts
people's actions away from that to make it seem like something they'll never
have to deal with. Case in point, no one thinks that they'll be detained and
held without trial, but that still doesn't mean the government can't do that.

[1. <http://en.wikipedia.org/wiki/Totalitarianism>]

~~~
GHFigs
You could make the same argument about any law. The point is, that makes it a
weaker argument, not a stronger one.

------
davidmr
> The video is clearly meant to be less than totally serious - it seems
> unlikely that Ohanian, himself a prominent figure in the tech world, would
> need to resort to trying to talk his way to Page through Google's public
> phone number...

I realize that the author probably meant that Ohanian would have connections
who might have connections who would have Larry Page's phone number, but the
wording of that briefly made me think that the author thought there was some
secret phone book you get when you cash out your popular startup for a certain
amount.

------
wavesounds
Here's the petition: <http://www.saveyourprivacypolicy.org/>

------
kunai
If only Aaron Swartz was still alive.

------
GigabyteCoin
Hopefully Namecoin will see some more development out of this:
<http://reddit.com/r/namecoin>

------
TallboyOne
I would have a beer with that guy.

------
420365247
Why does this only have 73,000 views on YouTube?....

------
maciekp
freaky moves in the last part

------
cinquemb
well the market just went uptick for the encryption products/services :P

