Hacker News new | past | comments | ask | show | jobs | submit login
Edward Snowden: The Internet Is Broken (popsci.com)
350 points by doctorshady on April 22, 2016 | hide | past | favorite | 168 comments



Excellect! It's the most cogent analysis that I've seen from him. Damn, what a fucking hero!

A few comments, however ...

> ... we had to go to the dark side to be able to confront the threat posed by bad guys. We had to adopt their methods for ourselves.

He's using "we" there in reference to the government. But it can also be read with "we" as you and me, and "bad guys" as the government ;) But then, I claim a broad "right to be left alone", one that doesn't concede any state monopoly on power.

> ... you can’t opt out of governmental mass surveillance that watches everybody in the world without regard to any suspicious criminal activity or any kind of wrong doing.

Well, sure you can ... as he goes on to explain ...

> You would need to act like a spy to pursue a career in a field like journalism because you are always being watched.

... and ...

> Instead of changing your phone to change your persona — divorcing your journalist phone from your personal phone — you can use the systems that are surrounding us all of the time to move between personas.

Right! Compartmentalization is for sure the way to go. There are numerous personas like Mirimir. Maybe I make it too distinctive. But I have no meatspace identity that goes on like Mirimir does. And Mirimir, ve has lots of vis personas. So hey, let's create a tangled morass of overlapping personas ;)


> ve has lots of vis personas

Are those typos?

You touched on the cyperpunk fantasy: using multiple online identities, all kept carefully separate from each other and from your real identity. (There's an excellent short story called True Names that explores this idea.)

For the majority of ordinary, nontechnical people, there are lots of simpler solutions.

* Use cash. In Berlin, many ordinary people have an awareness of and distaste for government surveillance. People remember East Germany. One result is that lots of people will just pay for everything in cash. In most other western countries, the norm is to leave an electronic trail of every single shop you visit.

* Use Signal or WhatsApp. WhatsApp rolled out strong end to end encryption to a billion people--most of whom have no idea what a "key" is and only the faintest sense of what "encryption" means.

The lesson I take from those projects is that whenever we can ship transparent, easy to use encryption that our users dont have to worry about, its a massive win.

If your app allows users to talk to each other privately, consider adding E2E encryption. It's the future.

If your app has some kind of cloud backup, like a password manager or a photo app, make sure that it's encrypted with a key that you don't have access to.

E2E comes with product tradeoffs. You may have to charge your users money, because you cant target ads against data you cant access. You'll need to make an installed app rather than a webapp. But its worth it -- and I think someday, hopefully soon, users will demand it.


No, they're gender-neutral pronouns:

ve = she/he

ver = him/her

vis = hers/his

I encountered them in Greg Egan's Diaspora.

And yes, True Names :) An inspiration.

With a decent host machine, one can run numerous Whonix instances, each with one or more personas. They can be long-term or throwaway.

I do nothing at all private on smartphones. Signal and WhatsApp are cool and all, but radios are untrustable black boxes. Even if the data is secured at rest.

Edit: In Egan's Diaspora, one of the protagonists is a software-generated entity, which literally has no gender. In my case, I'm referring to invented personas, which have whatever gender I fancy.


Tangentially, I prefer the Spivak pronouns sets. They feel more "natural" to me than spiking the distributions of X and V.


Personally I like David Brin's solution from the Uplift novels. Most of the things we want to say have nothing to do with sex and apply regardless of gender, so if we aren't going to let the same words double for male and gender-neutral usage, keep the traditional, simple words for the latter usage and move the former to something else. Thus, in Brin's novels, 'man' refers to any human with no implication of gender, and the words for a specifically male or female human are 'mel' and 'fem'.


It's definitely more natural. You'll never hear any significant number of English speakers saying bullshit like "ve, vis".


Yeah, I get that. I normally use they/them/their. But then I'm stuck in plural. That does generally flow better, but sometimes... Anyway, I used to like s/he, but there's nothing elegant for him/her and his/hers.

Edit: Oops, this was in the wrong subthread, so now I have maybe a duplicate. Damn.


[flagged]


Languages do exist with gender-neutral pronouns. Is Hungarian full of "sjw" crap? Adding a gender neutral pronoun to English isn't a crazy idea- "sibling" is a gender-neutral 20th Century invention and it fits in fine. I'm partial to "they" as the easiest option (it has a long history of being used in the singular) but constructed pronouns would work too.


It's not crazy. English speakers tend to use "they" when they need a gender-neutral option. This just sounds like some edgy teenager... ooh look at me, I'm using some invented new pronouns because of the injustices I've never actually faced myself.


Why does someone have to face injustice themself to do something about it? White people faught for abolition and in the civil rights movement, straight people are the reason we have gay marriage...

Or is it just that you fundamentally disagree with the "need" for gender neutral pronouns and this is your way of ridiculing it? I'm afraid I don't follow your logic at all.


They is the easiest, and already fully adopted, option. Why bother trying to add another?


Are you unable to think of an argument? It's not hard to list some ways in which using 'they' as a singular pronoun when gender is ambiguous is confusing and undesirable. It's not a stretch to then argue we should have a better alternative.


It's like how some languages don't have ternary operators. We just have to muddle through and sometimes "take the long way" to describe someone without implying a gender or sex or other attribute.


"They" has a logical connotation that it translates to "either he or she" (hence the plural). Something like "ve" seems to imply "neither he nor she" , as if, "something else". That's why it may alienate ppl.


Doesn't "they" mean more than one person, without specifying gender?


That might be, however languages usually evolve on their own.

Simply inventing a new word and expecting that suddenly everyone understands it feels arrogant and leads to discussion derailments like this one.

I would also agree that "they" is the best choice.


I would argue that languages evolve when someone needs to express a concept and reaches for a word, finds nothing, and improvises. The first person who does it always stands out, but if other people around them have the same need, the word catches on. Eventually, the perception of arrogance mellows and it becomes an ordinary word.

I don't like artificial pronouns either, they stick in my mouth and feel weird, and I'm lazy so I use they. But other people have other preferences or needs so I try to tamp down any unproductive instinctive reaction in myself- who am I to say in a hundred years we won't be using them? After all, our post-singularity AI offspring won't have the same idea of gender as we do...


Also, sibling is not a 20th century invention in gender neutrality. Sibling is an old English word meaning a kinsmen or relative. It simply saw a revival in the 20th century and had its meaning narrowed to mean only brother or sister.


You're right, but when people began to hear it again in the 20th century, they didn't think "ah, I know that word! It's Old English." It wasn't, at the beginning of the 20th Century, an English word at all.

I'm not sure reintroducing a word from a long-dead language (even if it's an antecedent to your own) is much different from just making a new word up, other than it might sound a bit better if the language is related. Words can come from anywhere; why not invent the ones you need? Laser radar quark...


Hey, you don't think that all of my personas would profess the same gender, do you?


Why is your OP getting downvoted? Are we assuming they're an SJW because they informed us of the popular meaning of those words?

I knew what those words meant and would have shared as well, despite how much I detest the SJW movement.


Damn, I don't even know what SJW is, without googling it ;)

Edit: Oh, social justice warrior. Meh. Me, I'm just an old anarchist ;)


It's a person suffering from Saint John's Wart per Google. Apparently, it's been going through the bloodstream into the brain to have mental effects that are hard for scientists to characterize. Suffice it to say, it may be responsible for a good chunk of non-video traffic on the Internet and its victims may not even understand why they involved themselves. DARPA and the FDA are said to be teaming up to deal with the epidemic but the results remain to be seen so far.


The thing that's infesting the net is the kind of dbag comment you just posted. You apparently don't even understand the purpose of gender-neutral pronouns, and yet you feel the need to express your opinion about an irrelevant subject.

You should try to stay on topic around here, and take that kind of vitriol elsewhere.


Most cash is easily surveilled as it has serial numbers on it. Only coins are a safe form of cash but have a huge disadvantage of being exceptionally bulky.


That would assume a comprehensive system of serial number scanning at point-of-sale in order to track the movements and actually connect it with people/purchases.

The technology is probably available, and it's entirely possible that ATMs could be recording serial numbers of dispensed cash and tying them to the account used, but it's (presently) deeply unrealistic that every possible (or even most) places that accept paper money have the ability or desire to record serial numbers of incoming & outgoing bills.


You're falling victim to the same trap as what Snowden is talking about.

Serial numbers on bills are routinely scanned and tracked. There's a discussion here:

https://www.reddit.com/r/explainlikeimfive/comments/3ou4h4/e...

It's not done at the point of sale. It's done when the money is returned to the banks themselves, and when they're dispensed at ATMs. Cash doesn't circulate for long and anti-money laundering laws prevent payment for many expensive items in cash, so this can provide important clues about where the money goes.

For instance, withdraw money from an ATM, pay for food at your local grocery shop, and the bank/govt can see "withdrawal from account Herr Schmidt at 7:03pm Thursday, deposited by a grocery store down the road the next day" and conclude the money was used to buy food ... or at least had at most one hop in between.


Yes, and that's problematic for mailing cash anonymously. It's not so easy to accumulate large denominations, and may attract attention. When possible, I like to mail gold. It's easy to clean, too.


We need people operating mixes for cash and SIM cards.

Dump $50, get a random bunch of notes that add up to $50.

Dump a prepaid SIM, get a new prepaid SIM.


You can't E2E with a web app?


No, not really. Until there's a standard that allows doing crypto in the browser, enforcing a higher security level for the page, and somehow verifying the hash of contents (so sites can "publish" an app) then web apps are basically useless for security.

I know this is as pathetic as "why aren't scientists working on cancer instead of X", but we have WebXXX including Bluetooth and USB, you'd think we'd have "WebVerifiedApps" or something. Even content-addressable URIs aren't being allowed.

It's funny, given the rise of things like Tutanota, which provide basically zero security over Gmail. (In fact, probably worse, since Google's sec team is way better.)


To some degree yes, for example you could use something like https://github.com/openpgpjs/openpgpjs to encrypt from one customer to another across even your own infrastructure, but (afaik) the browser VM is an incredibly insecure platform to run a "secure" application.


It's even harder than with a normal application for a user to verify that you didn't change the code to one with a backdoor.


I wonder, would it be possible to build a secure P2P client using encrypted Media Extensions and WebRTC? Going to check to see if EME supports encryption as well as decryption...

update No. EME is only intended to be used by content consumers; even if it could be hacked to encrypt uploads / outgoing transfers, that use case wouldn't even be considered important as the spec evolves. Super lame.


What you have to realize is it's an arms race. When splitting and comparmentalizing is the norm, the government will be putting every effort into connecting the dots between your disparate personas.

It takes a special kind of persistent, all-encompassing paranoia and effort. And as we've seen in the past, it only takes a single fuck-up, logging into the wrong server with the wrong account once, mentioning the wrong anecdote with the wrong persona, and bam, you're fucked. Once two dots are connected, they cannot be unconnected.


Also,

> But we were confronted with documented evidence in 2013 that even what most people would consider to be a fairly forthright upstanding government was abusing these capabilities in the most indiscriminate way.

This really does depend on who you ask.


I guess all he needs is to grow his hair long and a beard and HNers would genuflect at his picture in their hallway. Funny how this guy, at age 29 three years ago, is an expert in all worldly things nowadays.


I would say making a move like be did brought him into laser focus, and into more contact with like-minded individuals that only amplified his knowledge and commitment. We can all grow our minds if we apply ourselves.


First, understand that he did not make a movie. Someone else did.

Second, if someone makes a movie about you, that does not expand your knowledge into wide areas or into depths of world knowledge.

Third, no one individual can become an expert on all things based on knowing other like-minded individuals.

My point was, it seems too many of his worshipers now come to his altar asking for his opinion on all things ... and forgiveness.


I think you may want to re-read the parent comment :)


The EFF warned long ago something was going on when AT&T was putting beam splitters on Internet backbones to feed the NSA. Then Snowden revealed how everything is tapped. Then, be sure all mainstream encryption is "NOBUS". Nothing is truly random. Someone somewhere has the master key: elliptic curve cryptography using magic numbers from NIST? "Secure boot" by Intel? OpenSSL? Microsoft software? All backdoored. Trust no one.


For as long as technologically minded folks insist on technological solutions to political problems, we will be stuck in this quagmire. The answer is a political solution to a political problem. Admittedly, that's a hard one for some folks. It requires talking to people and building relationships. It takes a long time and change can be frustratingly slow to present itself. But that's how it is.

Trust no one

With this sort of attitude you might as well give up on life. Society doesn't work without trust between people.


There has never, in my life, been a time that the government and the people they work for/represent/are have ever been more adversarial. When you realize government has stopped working for you and are actively treating you like a criminal, you ask who they are working for. It's hard not to land on banks, corporations, and Bernie's "Billionaire Class" - whether that's true or not isn't part of my point.

So it's hard to "trust" in a single direction when the actions that cause distrust are so, so bald-faced. Every conspiracy-sounding theory surrounding surveillance has turned out to be true. And all that worry about being caught has had a net-zero effect. Maybe Let's Encrypt was at least partially a result, but that's about it. So why worry now? Turns out secret courts are just about guaranteed to green-light whatever the hell the NSA wants, so people finding out didn't really turn out as badly as they were worried about.

So "trust us" is about impossible anymore. I don't know if the relationship can be healed, to be honest. Obama was the ideal of our best shot, but that ship sailed like, day 2.


I didn't say "trust government", I said "trust people". Do you trust your neighbours? Do you attend meetings or organizations with like-minded people? The surveillance state is most powerful when everybody sits at home afraid to go out. If you get out in public and organize with people and talk about these issues, you'll find strength and courage in your neighbours.

The #1 goal of the Neoliberal elite class is to crush the will of people like you. If you've already given up then you might as well be dead to them; they don't even need to spy on you at that point! If, on the other hand, you're out in public and organizing in large numbers then what can they do? You can force them to engage with the issues on your terms.


I'd like every person to attend a few public council meetings per year. In person. So much criticism about The System is so wide of the mark, its not even wrong.

If people are upset, enough to effect change, they only have to start showing up. Find the game, learn the game, play the game.


You must not have been alive long. There was a time people in the States were being jailed and having their rights rescinded for possibly, maybe, being communists.


Trust isn't a binary thing. I trust different people; different organisations, with different data, information and details about my life and other peoples lives.


"Frustratingly slow" as in "not happening at all, and in fact getting steadily worse"? I'll take the gamble of a technological solution which might actually work over the certainty of a political solution which will happily consume more time and energy than I can afford to waste on it without showing any results whatsoever.


You need both.

Technology alone cannot solve political problems. The technology can be banned.

Technology can, however, raise the difficulty for sub-components of a government that are wanting to push the limits and do things outside the boundaries of the politically agreed upon systems. Encryption can't stop the NSA if it has widespread political support because the encryption can be banned. But right now intelligence agencies are absolutely hurting, because what they're doing is highly controversial and blocking them with encryption is not at illegal. If the political debate is won, even if it's just a partial win, then they're forced back inside their box for a long time to come.


Governments can ban anything they like but the ban doesn't mean much if they cannot feasibly enforce it. Such is the lesson of the War on Drugs: the government comes in and makes trouble for people from time to time, but otherwise they simply haven't got a clue, and for the most part people just live their lives as they please and ignore the laws they don't agree with.

I'm glad there are people fighting the political fights too, though I can't imagine where they get the patience. I certainly have nothing to offer in that arena.

I take your point about the NSA, but it doesn't appear that political action will stop them either, because they are happy to ignore political constraints (and lie to Congress about it, for example) and simply do whatever their technological capabilities allow them to.


Yes, but that's why strong encryption is such a strong force to stop them. They operate outside the political sphere at the moment. It's questionable how long that can last.

A war on encryption would be much easier to enforce than a war on drugs because there are such fewer sources, and there's not a big market for its use.


Just possibly old versions of truecrypt.

This author's conclusions seem quite sound to me. They collapsed it in a way to comply with a gag order while silently sounding an alarm.

https://forum.truecrypt.ch/t/my-analysis-of-what-really-happ...

Anyone operating in this space is eventually going to get the same option as Lavabit's founder: compromise or collapse.


If you're super paranoid you shouldn't trust any version of truecrypt. Read the fascinating story of Paul Le Roux...

https://mastermind.atavist.com/

He created E4M (which truecrypt was based on) and is rumored to have been one of the creators of truecrypt. Apparently he's also been a US government asset for a while.


If you're superparanoid, you should trust that because a superparanoid seemed to build it for himself and open-source it to stick it to the man in his mind. And then built a criminal empire that, if he was still financing it, depended on it for his survival. That's the kind of incentives that get results.


TrueCrypt has been subjected to an independent security audit. As have successors like VeraCrypt. Any alternatives likely haven't.


So what? Snowden even said that Truecrypt was one of the only tools that currently the NSA could not defeat. I'd rather trust him on that than your opinion on the matter.


Same shit I said to Moxie about GPG. There's only a few things consistently stopping them. Best endorsement ever if you ask me. I still push for even greater levels of security and assurance but what stops NSA at the moment is one hell of a starting place.


I wish there was some kind of map showing where each area (hardware, software/firmware, network, yada yada) is compromised and by which initiatives and companies. With solid info (avoid speculation). Just curious if would make any impact if the regular user see how their data and everything else is treated by the companies they think they "know" and "trust".


I heard about those taps in 2008/2009 I think. Snowden hasn't really given us anything truly new. It's also bizarre how quickly everything he presented was/is accepted as fact immediately without question.

I think it's way more likely Snowden was intentional. He's still working for the Federal government and the leaks are intentional so that the Federal Government could announce to the world that they are spying on all their own citizens...and nothing happen. No real revolution, and no real end to the surveillance.

I mean yea, we have better security practices, more people use encryption, more people are aware about security ... but overall the landscape hasn't changed except in one crucial aspect: people are talking less publicly. People are afraid that what they say is monitored. There has been a chilling effect.

The Snowden narrative needs to be questioned. Since when does an NSA contractor working from home in Hawaii get VPN access to all the government secretes? Like...people actually believe that?


The Snowden narrative needs to be questioned.

Oh for goodness sake. Reality is too boring for you? You could engage with the real campaign that EFF and Snowden and others are trying to get going, or you could wander off and make up some other story that protects you from having to do anything.

Since when does an NSA contractor working from home in Hawaii get VPN access to all the government secretes?

Since the NSA got reliant on huge networks that aren't understood by their own management and they needed to hire in techies to keep it running.

Essentially: big organisations have to choose between (a) crippling levels of security that prevent them from getting anything done or (b) getting things done with a small risk of leaks.

(a) is pointless so everything is heading for (b) and thats why every major news story of the last few years and the next few decades is going to be based around leaks.


I have to question how much experience you have dealing with the Fed gov't. There are hundreds of thousands of contractors cleared at the level Snowden was at. It is all very mundane, actually. The government is not composed of superspies, though they do have some. But for day to day operations they do not run a tight ship. It's not unbelievable that Snowden had the access. More unbelievable that he gave up his freedom to let the world know.


> I heard about those taps in 2008/2009

Back then the excuse was that they were only being used to collect foreign traffic. Snowden revealed their loose interpretation of "foreign" and many more domestic activities happening outside of AT&T NOCs.

Foreigners' rights aren't protected by the constitution. Citizens' are and now we have legal standing to force the government to respect the law which we didn't have before knowing that the panopticon was pointed at us.


It was fairly widely known in the network engineering community in 2003/2004 that the "Echelon" system collected an extensive amount of domestic data for each of the five eyes, using legal dodges where a foreign agency (like GCHQ) would siphon american/canadian data and feed it to the NSA and CSE, and vice versa.

Those who knew how much the system had changed from satellite-intelligence gathering (from the era prior to transatlantic/transpacific submarine fiber, where most phone calls and international data were satellite based), to tapping fiber at submarine cable landing stations and "partnering" with major telcos, were totally unsurprised.


Echelon was never publicly acknowledged. Carnivore was explained as only targeted at suspected criminals under investigation. Snowden's revelations were the first hard , undeniable facts in the matter showing the true scope of the unconstitutional activity.


You're right that they never admittee it directly. Their defense was funny and an indirect admission:

https://fcw.com/articles/1999/06/02/congress-nsa-butt-heads-...

Anyway, it was all over US media from 1999-2001 plus European Parliament with plenty testimony and recommendations. And again, the link encryption recommendation was in US security requirements anyway.


Of course people knew it was going on but Snowden has put it beyond deniability and that is very very important. We now have (for example) the CEOs of the biggest tech companies in the world able to talk about this stuff. That could never have happened before Snowden.


Yes it was. Evdn mass audience heard with the reporting in Guardian, USA Today, and so on starting in late 90's. Not to mention awareness that Enemy of the State created which NSA considered one of worst events to ever happen haha.


I hope you're being satirical. This is such a classic formulation of a conspiracy theory that I hope it's intentional. If so, bravo!

If not, then like all conspiracy theories you need to account for everyone who would need to be in on the secret, how they're all keeping the secret, and why--what's in it for them.


Just to be clear, a big chunk of what Snowden's leak revealed actualized a bunch of conspiracy theories. Do you see the disturbing irony of dismissing another conspiracy theory so flippantly? I don't believe it's true, but if it turned out to be, I'd hardly be surprised.


The difference is evidence vs no evidence.


I was guessing trolling, conspiracy nut, or underhanded humor.


Questioning the narrative is fine. I for one think he's a combo of whistleblower and traitir, hero and coward depending on what leaks and actions we're talking about. Yet, to think NSA or US did it intdntionally is beyond all reason. Snowden set back so many goal posts for US intelligence, LEO's, and industry that it's impossible thaf it was intentional by USG.


One thing is for sure. The CIA could have killed him, could kill him now, if he truly posed a threat to national security. The fact that they don't indicates they don't feel he is a threat. I'm confident that whatever goal posts you claim Snowden set back, I can explain as ultimatley serving US interests. That's the barometer. Has he hurt US Interests? Seems US interests are doing fine to me. Would things be better if he has revealed nothing? Probably not. His revelations are great distractions.


No, they can't kill him now. They're not allowed to by one of only players on Earth they try not to push too hard: Putin, head of Superpower No 2. They weigh the risk against the fact that damage is already done and all they'd protect is further image problems. They're countering that seperately.

Re damage. Tens of billions to economy that military-industrial complex worked hard to get. Push-back against police state legislation. NSA ops and methods blown. Large uptake in products that reduce SIGINT. Businesses moving overseas. All with no benefits on the table for intelligence agencies.

Far as distractions, that's the media's job focing on mass shooters, North Korea, ISIS, etc instead of pending legislation and schemes by government.


They can't kill him now. Assassination would risk public backlash way beyond anything he could say.


"Super secret information leak! Oh no, please don't read it" = "Sale! 50% off! We are losing so much money!"


> But at the same time, we technologists as a class knew academically that these capabilities could be abused, but nobody actually believed they would be abused. Because why would you do that? It seemed so antisocial as a basic concept.

I guess so? Not me though. Snowden literally only proved what I had learned on my own.

> But we were confronted with documented evidence in 2013 that even what most people would consider to be a fairly forthright upstanding government was abusing these capabilities in the most indiscriminate way.

Um. Who thought this? Ever? Since the 90s.


Yeah, he's full of it. We in high-assurance community and even the cypherpunks have been telling people forever it was being abused. Because people were abusing it and its design practically asked for it. These were ignored as externalities by people motivated by convenience, feature bloat, price, and/or profit. Even getting it down to almost identical cost/speed didn't help if it lacked unnecessary feature X.

This was censorship by business and security communities plus apathy by consumers. Plain and simple. The business communities didn't want to spend crap on INFOSEC. The ones that did faced two obstacles: (a) low volume meant real deal was ridiculously expensive with slower development; (b) mainstream INFOSEC conned companies with bandaids or fake security because they made more money that way. Constantly charging to fix problems they left in or upgrades people didn't need.

So, result was everything is shit security and stays that way. Neither proprietary nor FOSS learn from lessons 99% of the time. All due to what Schneier always called "perverse incentives" that keep bad stuff produced.


> Yeah, he's full of it. We in high-assurance community and even the cypherpunks have been telling people forever it was being abused. Because people were abusing it and its design practically asked for it. These were ignored as externalities by people motivated by convenience, feature bloat, price, and/or profit. Even getting it down to almost identical cost/speed didn't help if it lacked unnecessary feature X.

So, you're saying that Snowden is right, that computer people as a whole were not aware of it. There is a huge difference between a theoretical risk and someone coming forward with a huge amount of proof that it is, in fact, happening right now.


It was a theoretical risk pre-Snowden that PC and neteork security was horrible? No, it was in thd news every day with recommendations from industry and government on how to counter a lot of it. Further, academia was teaching the INFOSEC people about high assurance methods from the old days.

Such things were mostly ignored despite being in media, conferences, government certifications... yoh name it. Interestinv enough, Snowden had seeminglh no impact on number of high assurance dsvelopments out there. So, even as bad as it is, people aren't doing the things that stop even NSA during evaluations and which they themselves use for most critical stuff.


Foresight has been essential in this.

Without Stallman's foresight of the need for public domain open source software, there would only be proprietary software, all subject to PRISM.

Without the foresight of potential Government's to come the US founding fathers would not have written in such protections as still exist today.

Before Snowden there were many that suspected but now everyone knows.

>Um. Who thought this?

Snowden himself:

"I had too much faith that the government really would do no wrong. I was drinking the Kool-Aid in the post-9/11 moment. I believed the claims of government, that this was a just cause, a moral cause, and we don't need to listen to these people who say we broke this law or that law."

pre Snowden this was unopposable, the NSA's James Clapper lied to Ron Wyden in Congress about mass surveillance.


I kid you not. Stallman looked crazy in my eyes before Snowden. Even my "paranoid" perspective on all these things pre-snowden where never close to true Stallman "crazy" (or so I thought before..)

Now I want to use Emacs. I want to use everything FSF if possible. I'm no where close. There is a lot for me to do to get there. But I'm hoping I will because soon that may be our only hope.

> NSA's James Clapper lied to Ron Wyden in Congress about mass surveillance.

And isn't that crazy? Try lying in front of congress and not go to jail. Such corruption. Completely institutionalized corruption of the processes and the power of congress to check the power of the NSA.


Perfect timing: New LTS of Ubuntu this month! Jump in!


Yes, Free software is not only your security but an investment in everyones security, rich or poor for generations to come.


> Now I want to use Emacs

Whoa, whoa, let's not go that far.


"Without Stallman's foresight of the need for public domain open source software, there would only be proprietary software, all subject to PRISM."

Or proprietary, shared-source software provided by nonprofits or companies in jurisdictions that aren't surveillance heavy. No, you don't need FOSS to avoid PRISM lol. It has its advantages in resisting totalitarianism for sure but you don't actually need them. More of author or organization's intent and licensing that really matters. Many models available.

Btw, the first, secure-ish mainframe OS (MCP of Tron fame) was sold in source form by Burroughs with fixes/updates allowed to be submitted. In 1963. High-assurance stuff under Orange Book similarly had to deliver source that was reviewed and provided a way to know you had same copy. Just to support my claim that there's proprietary models for it but most just wanted money instead. ;)


There was a cultural change when Bell was broken up and UNIX became less laissez-faire, a paradigm shift. Software became valuable and not just bundled with hardware.

Stallman saw it coming early enough that he had completed his GNU Free toolchain in time for Torvalds to use it.

A developer community is less likely to arise when your modifications can be closed and you cannot fork. If your business runs in someone elses walled garden it can be taken away.

Without the GPL's four freedoms we would not have the rich public domain of code we have today - a legally protected commons.

Before the GPL the public domain suffered from the tradgedy of the commons, a fantastic legal hack.


I mostly agree with that. It's not what you said, though, which went further and is what I responded to. Stallman and FOSS fans like to go from those contributions to unsopported claims where no proprietary can have a single property of OSS. Yours implied only FOSS could've resisted a secret, US directive which was 100% untrue given existence of closed, non-US products. I preempted your likely counter by pointing out proprietary can come with source too for anti-subversion and actually reached highest form of security possible.

We're still waiting on FOSS model to do that. Nobody has. Fortunately, the cathedral builders in industry and good CompSci are sometimes open-sourcing stuff after the fact. RISC-V, GenodeOS, seL4, NaCl, etc.


Fair point and well preempted. Proprietary software can offer some freedom but it does not ensure it will remain, nor does it offer the full 4 freedoms required.

What you say is not technically incorrect, but practically Google, Apple & Microsoft were all secretly in NSA's PRISM. A large corporate entity is subject to state pressure in a different way than a public good. A corporation must profit, new markets must be entered, their regimes placated at the expense of users. Ownership is a single point of failure.

A proper security audit is only possible if one can compile that source with ones own toolchain or get the binary from a source you trust. One must test and make modifications, otherwise the binary only purports to be from exactly that source.

So you must in the end trust the companies, and trust them to release patches promptly, not delay them at the behest of the NSA (as per Snowden).

PGP and SSH are both provably secure. Security is dynamic, FOSS is faster at releasing patches and not removing features while updating security.

If a patch removes an essential feature and security is bundled with it, this is problematic. If you cannot use distributed community modifications then you are often out of luck.

Companies change hands, policies change, you may be secure today but they sell your data tomorrow. Free software forks at disagreements so everyone is happy. Free software cannot be taken from you by law - it is public domain.


"Ownership is a single point of failure."

Ownership can be a single point of failure but someone owns copyright to GPL code, too. Trick is protections in licensing. A recent conversation found that the real issue, if you get down to it, is in distribution: free distribution and network effects is strongest benefit of FOSS over proprietary, shared-source model which may have every other benefit.

"A proper security audit is only possible if one can compile that source with ones own toolchain or get the binary from a source you trust. One must test and make modifications, otherwise the binary only purports to be from exactly that source."

Realize that I said proprietary, shared source. You have the source of whatever you need. One can also do something like Wirth's Pascal/P where runtime is P-code and some I/O shims. Everything else in toolchain was compiled to it. Result was amateurs ported whole thing to 70+ architectures while having to reimplement just one, tiny part. Interesting enough, System/38 design did same thing at microcode or asm level with successful port to POWER with many apps needing no source recompile.

"So you must in the end trust the companies, and trust them to release patches promptly, not delay them at the behest of the NSA (as per Snowden)."

This problem exists for FOSS, too, so don't kid yourself. The vast majority of FOSS isn't Linux: it's barely maintained and many ignore bug reports for long periods. The average is in favor of FOSS if it's major projects vs proprietary software but individually it ranges from total shit to excellence. Totally dependent on contributors or maintainers.

"PGP and SSH are both provably secure. "

They're not due to their CVE history. They just got really good with GPG foiling NSA after years of improvements with a narrow focus for GPG. GEMSOS, PSOS, and seL4 are provably secure. World of difference in how they're built. None were created with a FOSS model.

"If a patch removes an essential feature and security is bundled with it, this is problematic. If you cannot use distributed community modifications then you are often out of luck."

" Free software forks at disagreements so everyone is happy. "

It's a risk but can be countered. The counter I did in another discussion was a shared-source license that allowed fixes, modifications, and even distribution to other customers. You perpetually keep what you licensed if you keep paying optionally with a limit on per organization charges. You and a group can do anything you want with that commercial code if you're paying. Btw, the real hacker OS was provided with some (but not enough) of those attributes with features UNIX still can't fully match:

http://www.symbolics-dks.com/Genera-why-1.htm

"cannot be taken from you by law - it is public domain."

It's actually not: it's copywritten software licensed with specific terms that enforce things on you. Public domain has no copyrights or restrictions. This is a problem or a feature of GPL vs public domain depending on who you ask. Only thing both protect almost 100% is widespread distribution which any paid model might... might... always reduce.


While you are technically not incorrect in your points, you also miss the entire point: if you can take it from me tomorrow I am not free. Paraphrasing Whedon "You can backdoor Google & surveil the net but you can't take my GNU PGP from me."

Your 'Network Effects and free distribution' are benefits of the efficiencies of freedom. But paltry when it comes to legal freedoms in the face of tyranny, the topic of this post-Snowden thread.

A Good Monarch or Wise & Benificent Dictator is a great form of government and historically golden ages & enlightenments record this. It is not the 'do no evil' CEOs, or good kings but those that might follow that Free Software offers legal protection against.

GPL is public domain 2.0, not a poor tragic commons starved by ever extending legal protectionisms or over grazing and undersharing.

Technically you are right, a company could stand up for our rights, but they didn't recently and they had to keep it secret. Discretionary, temporary freedom is illusory - it vanished when needed most. Like the constitution of a democracy the GPL seeks to enshrine natural rights in law. Like Democracy it must be actively defended and abuses policed. The GPL ensures freedom cannot be taken back easily, it is a legal hack that protects itself and the 4 freedoms with copyright.

Historically it revitalised the public domain in the software sphere and practically protected it against decades of well funded attacks and FUD - creating billions of dollars in value that didn't mainly go to rent-seeking intellectual landowners but developers and users.

Yes, your proprietary shared source model has given some freedoms & verifiability; Snowden shows how illusionly this was. The four freedoms: to Run, Compile, Modify & Share are all needed to ensure (not merely offer or promise) continued freedom.

FOSS & Shared source are one thing; Free GPL Software is quite another.

Is CVE french for FUD ? Because this is nonesense, security is an arms race. Under a panopticon even TOR is weak. Since Snowden millions have been spent & volunteered auditing, patching & shoring up our commerce & the individual against state level actors & fifth column code. Pre-Snowden no-one imagined the elliptic curves were a lie or our own governments funded & coerced weaknesses into ssh - freedom is playing catchup. Our own governments paid to make us all vulnerable to intrusion. Everyone technical was dumbfounded at the scale of the hidden betrayal of trust.

Security by obscurity & secrecy is weak. Published source alone is not free nor verifiably safe, the distributed binary's hash and compiled binaries hash may coincide but malicious code hash collisions are trivial for states to produce. Your scenario offers hypothetical freedom but Snowden's slides show backdoor concealement is actively pursued by states coercing companies, e.g. Lavabit CEO (and noone knows how many who merely complied and distributed the backdoored binaries rather than face jail.) Furthermore if the toolchain isn't free the Ken Thompson backdooring compiler hack applies.

GPL is owned by all. Coders retain their personal copyrights - that is its genius not a quibble. Again if you can't make a change you alone believe is necessary or receive it from & share it with with your community yous aren't free. GPL forks ensure every party has the same rights. Owners & Licensee's legal asymmetry can & has prevented this. Forking requires all 4 freedoms.

Yes GPL can license crap & democracies have elected theocracies & dictatorships. Magna Carta states If the Executive is not subject to the rule of law, it is nothing less than tyranny.

In final answer I quote Vonnegut & Churchill who both witnessed true horror: "So it goes. All is Foma.", & “Democracy is the worst form of government, except for all the others”



You knew GCHQ tapped Google's datacenter-to-datacenter links?


Definitely. They could, targets were using it, they were known to tap backhaul microwaves/satellites, their own guideance in high-assurance side was using link encryptors between sites, its in their commercial recommendations (NIPSOM Industrial Security Manual), and so on. Everything in the world to make you think somebody was tapping your line and that they might.

So, some groups that were wise went ahead and deployed link encryptors. Black programs, follow NIPSOM and SAP supplements, sure as hell used link encryptors so good [1] we can't buy them because... national security. I sure as hell used end-to-end crypto and VPN's for anything significant. Google and Facebook... treasure troves of PII and I.P.... didn't for reasons I can't imagine. Result was they got intercepted in bulk by something that's been a known risk for 20+ years. Take NSA out of picture and they should've still thought the lines might get tapped by crooks or foreign spooks.

So, yes, Snowden leaks mostly just taught us what we already knew in greater detail. People ignored it then, some ignore it now, and yeah problems happened.

[1] http://www.raytheon.com/capabilities/products/high_speed_net...


Google's datacenter-to-datacenter links probably weren't going over the public internet, so they didn't feel the need to protect against man-in-the-middle attacks on physical lines that they owned. If you connected two computers to each other with a cross-over cable, would you feel the need to encrypt all communications between them, just in case?


I'm sure that's what they thought. It's so common it's in textbooks. As in, any point-to-point line running outside two buildings through public land and a third party network owned by sneaky, Tier 1 types could never result in eavesdropping by anyone with physical or logical access. It was ridiculous claim when I read it and wasnt doing INFOSEC at the time. Horrendously stupid. There were already link encryptors on market for those exact lines for a reason. A good one in this case.

Far as your contrived example, yes I did recommend Layer 2 or 3 encryption, authentication, and monitoring between all nodes for a variety of benefits. It was also in Red Book (Orange Book for networking) as a high-assurance security requirement due to malicious hosts or tapped lines. All the times I eavesdropped on and screwed with Intranets fully justified it. Moreover, reading the Security Monkey later showed he handled a situation where an intruder did a physical splice of the line into a nearby building for his attacks. Just more evidence.

So, yes, security must be applied to every layer inside of and around endpoints, networks, and more. The risk you mentioned, minus crossover part, resulted in numerous hacks in the real world that my methods and 80's era methods would've stopped. In a PCI form factor, too, as DiamondTEK secure LAN did exactly that.


> If you connected two computers to each other with a cross-over cable, would you feel the need to encrypt all communications between them, just in case?

If I cared about privacy and I couldn't control physical access to the cable? Yes, of course.


The core infrastructure security people at Google didn't know it, from what I understand. Maybe they're all incompetent; maybe they were lying; or maybe the knowledge (not rumour or suspicion) wasn't as pervasive as you say it was.



I had no idea. I'm not downplaying Snowden. The guy is 100% a hero in my eyes. But, to claim we in tech community were all like "I have no idea this was happening" is completely bogus.


It was also very easy to dismiss us as conspiracy theorists. And indeed we were. The Snowden revelations are useful as a way of saying "we predicted the state was engaging in mass surveillance and they denied it while they continued the program". That is immensely useful for the future.


I agree. I agree in a specific way: people were always thinking that anything with a significant chunk of people would've been revealed by a bunch of them. There's probably thousands involved in everything in the Snowden leaks from government to private industry. About biggest stuff, only one or two people talked while the rest worked in secret by the thousands to make it happen for around 10 years.

That's one hell of a counter to the bullshit I keep hearing that nothing secret or evil could happen if it's 2 or more government people.


http://archive.wired.com/science/discoveries/news/2006/05/70...

This stuff has been going on, and widely discussed, for over a decade. But no one really cared or understood the full scope until Snowden's slapped everyone across the face with it.


Yeah I know about the AT&T splitters mentioned in the footnotes. But the Snowden leak was a lot bigger than that. Did 0xCMP know that the NSA was recording the full contents of every cell phone call in the Bahamas and keeping them around for at least 30 days?


We didn't know but it wasn't paranoid to assume it. The reason was the Echelon leaks and what was done about those. The answer: nothing.


It wasn't paranoid in crypto-knowledgable circles. It earned you a tinfoil hat outside of them. That's why Snowden was important.


This 100%. Snowden was so important because he brought this stuff mainstream. But, let's be completely clear that it was already mostly known in bits and pieces and many leaders in tech had already been sounding the alarms.

I am in no way downplaying Snowden or what he prompted everyone to do, but everyone knew it was happening. They just weren't motivated or felt no one else cared.

Its kind of like trying to get people to use PGP for normal communications: You understand why, and they might too, but they don't care enough. So it doesn't get done.


"Its kind of like trying to get people to use PGP for normal communications: You understand why, and they might too, but they don't care enough. So it doesn't get done."

Good example. I've seen harder to use tools with little benefit adopted by enterprises because management forced it. The simplest version of encrypted email and storage often was ignored for just apathy.


I totally agree with that. His work was greatest in raising awareness of people who'd otherwise never be exposed to it.


That archive link doesn't reference Google at all, or non-consenting data feeds from internal networks of friendly companies.

I too knew about that whistleblower before Snowden. I didn't know about Google intranet being compromised, or things like hostile code uploaded to hard disk controllers, or data exfiltration via compromised in-transit routers, etc.


> > But we were confronted with documented evidence in 2013 that even what most people would consider to be a fairly forthright upstanding government was abusing these capabilities in the most indiscriminate way.

> Um. Who thought this? Ever? Since the 90s.

To be clear this meant who thought we had "a fairly forthright upstanding government [not] abusing these capabilities in the most indiscriminate way" ever since the 90s.


Yeah...there was a pretty hit movie in the 90s about government abusing surveillance powers with two power house actors (Enemy of the State.) I think what Snowden did was good generally, but I think he thinks too highly of himself. Almost everything he leaked was already suspected or known, he just pushed it into the public eye.


Well yes, the internet is broken. That article is inaccessible to me. I am redirected from popsci.com to popsci.com.au which, it appears, doesn't have the article in question. I just get a message telling me "Oops! Something went wrong. Please scroll down to find your content." The content isn't there and there is no way to select the non-au site. Very broken.


I guess, the Snowden incidence is being used to hurl undue venom towards USA. But these people are ignoring or deliberately misleading other people to ignore the real dangers posed by extremists (including Islamists, communists, the far right Christians and so on). These ideologically driven criminals (called terrorists) live hidden in the general public. Their identification is a main problem. This "identification" problem is what requires mass surveillance.

The terrorists are significantly different than many other criminals. In the sense that terrorists are not mainly driven by personal and earthly goals but they are driven by the goals set by their ideologies. Thus terrorism (inspired by hate ideology or religion) is significantly different in a very important respect from other crimes; that is, the terrorist(s) generally find support and shelter amongst large number of otherwise normal citizens inspired/driven by the hate ideology or religion whereas a murderer or a pedophile generally doesn't find such shelter.

Tell this Snowden to do (or at least talk) a little bit about the dire situation of people's freedom in the country he has chosen to flee to, namely, Russia. And the people who are criticizing US way too much should do themselves a favor by looking at countries run by tyrants like China, North Korea, most Islamist countries and Cuba. The way the Chinese government does the mass surveillance of its citizens on the Internet and the way the communists have installed the reward/punishment system based on it will make you realize that what is happening in US is hardly even annoying.

I am not to say that US is innocent person but it has been receiving criticism way too much.

Edit: typo


"...people's freedom in the country he has chosen to flee to, namely, Russia."

Snowden got stuck in a Russian airport when his US visa got revoked. He then applied to many countries for asylum. Russia granted it. I've read that Snowden is still trying to find another host country.


> I guess, the Snowden incidence is being used to hurl undue venom towards USA. But these people are ignoring or deliberately misleading other people to ignore the real dangers posed by extremists (including Islamists, communists, the far right Christians and so on).

Yeah, well, I don't think Cuban or North Korean spies are really at the forefront of anyone's concerns (apart from South Korea and Japan).

> Thus terrorism (inspired by hate ideology or religion) is significantly different in a very important respect from other crimes; that is, the terrorist(s) generally find support and shelter amongst large number of otherwise normal citizens inspired/driven by the hate ideology or religion whereas a murderer or a pedophile generally doesn't find such shelter.

Funny how pedophile rings are regularly dismantled (and made of "otherwise normal citizens" in majority). As for the "wolf in sheep's clothing" thing, it's not necessarily true (look at the profile of the attackers in France and Belgian, most of whom were linked to petty criminality - not to mention the guy who actually went to Syria).

> Tell this Snowden to do (or at least talk) a little bit about the dire situation of people's freedom in the country he has chosen to flee to, namely, Russia.

It was only a choice in the sense that the alternative was "kidnapping by the CIA". Russia was way down in Snowden's list of countries to flee to. What you don't seem to realize is that even if it's not abused now, it could very well be abused tomorrow. You want a Donald Trump nominating one of his cronies at the head of the US intelligence services and starting to dig into untold amounts of already-recorded communications?

And it's not only the US. Us Europeans are doing exactly the same thing, just with less money. The potential of it being abused by organizations which by their very nature have little to no external oversight (or by their political masters) is absolutely frightening. And that's compounded by the panopticon effect: if you're never sure of how much you're being watched, you will self-censor.


>>You want a Donald Trump nominating one of his cronies at the head of the US intelligence services and starting to dig into untold amounts of already-recorded communications?

Still a Donald Trump in USA is far better and very less dangerous as compared to the tyrants like Mao or Stalin or Castro, because USA has many good checks and balances in place. I do appreciate people's fears about state becoming tyrannical but people in USA should not allow its enemies to use (exploit) such fear to push forward their agenda and make US a weak and vulnerable state.

The people of USA should recognize this. The important point to note here is that the intellectuals (Snowden and his supporters) who are targeting USA both at national and international level were silent about the extremely intrusive surveillance and other atrocities inflicted by the tyrants like Putin (at whose place Snowden may be currently enjoying his reward) and are still silent.


> Still a Donald Trump in USA is far better and very less dangerous as compared to the tyrants like Mao or Stalin or Castro, because USA has many good checks and balances in place.

How do you think Hoover stayed in place that long? You can pull a great many things without needing to disappear people at four in the morning.

> The important point to note here is that the intellectuals (Snowden and his supporters) who are targeting USA both at national and international level were silent about the extremely intrusive surveillance and other atrocities inflicted by the tyrants like Putin (at whose place Snowden may be currently enjoying his reward) and are still silent.

Snowden was not a public figure before. And you really think a life of exile in Russia is some kind of reward?

That said, I think Snowden is against global surveillance in general, but:

a) I can totally understand that you want to tread carefully in this kind of situation. You don't think he has already given up enough? What would you do in his situation?

b) While Putin is certainly more willing to suppress political opponents, I doubt the Russian surveillance network is even remotely in the same league as the NSA

c) Snowden is no doubt a lot more qualified to speak about Western surveillance than he is about Russian or Chinese efforts


>>How do you think Hoover stayed in place that long? You can pull a great many things without needing to disappear people at four in the morning.

Still Hoover or whoever in USA is no match for Mao or Stalin or Castro as far as their potential to inflict torture and control over their citizens is concerned. A president in US cannot be a president for his entire life, it's only 8 years max (that too if people wanted him/her to be).

While in Cuba we can see Castro remained in power until he couldn't move his body even so much and then also he put his crony (his brother) in power. That is dangerous and worrisome.

>>While Putin is certainly more willing to suppress political opponents, I doubt the Russian surveillance network is even remotely in the same league as the NSA.

The way Putin and his cronies suppressed homosexuals in Russia sends chills down the spines of free thinkers.

In short, with your neighbours and even family members spying on each other and reporting to Putin's people, you don't need sophisticated surveillance network in the first place.

In USA, the situation is far, far better than what the Snowdens and their supporters are trying to portray.



>But at the same time, we technologists as a class knew academically that these capabilities could be abused, but nobody actually believed they would be abused. Because why would you do that? It seemed so antisocial as a basic concept.

What's with 'we?' The various classes of technologists that I've been a member of - from the teen hax0r BBS days thru the crypto lists and Usenet groups to actual working professionals have absolutely believed this. It takes a truly spectacular amount of naivety to believe the contrary.

I have a deep and profound respect for Snowden, who has certainly sacrificed any possible semblance of a normal life in his native culture and likely narrowly escaped a worse fate, something he must certainly have known was a risk. It is his very naivety that made him such a perfect whistleblower : he's in there looking around and he's like "Holy crap! These guys are into some profoundly bad shit! I have to tell everyone!"

There's probably a hiring policy moral for black ops shops in there somewhere.


I think he's right. His statement is carefully phrased. Yes, of course, all sorts of intelligent people have argued that the tools of mass surveillance could be developed and could be abused.

But only a very small number of people picked up on AT&T Room 101 and Echelon and so on, and saw their significance. Unfortunately those things were more like news stories than events that redefined people's thinking. Mass surveillance simply wasn't a part of the conversation for the vast majority of technologists who mattered, i.e. the ones building the products we all use.

The NSA leaks changed all that. Now you have the guys running WhatsApp and Apple talking about this stuff. And even though for politeness reasons they sometimes talk in hypotheticals, "if we don't encrypt it could be abused by bad governments", it's as clear as day that what they really mean is "because we don't encrypt it is being abused by our governments".


Not could. Had been and were, for which there was growing evidence culminating with the Snowden files. I don't disagree that they had a considerably larger impact than what went before. You're absolutely right in the sense that once the stories of GCHQ's black boxes, the EUP's documented disclosure of Echelon [0], room 101 and so on and so forth got outside the circle of people who were familiar with them they became FOAF stories and conspiracy theories and weren't part of any mainstream discourse, but there was a bit more to [it] than abstract hypotheticals and general 'power corrupts' cynicism.

[0] An Appraisal of Technologies of Political Control. http://www.europarl.europa.eu/pdf/jadis/2013_12/8.PE4_AP_PV!...

[edit]


He's still not getting it or fully recommending it any more than most have. The funny thing is that I recently read a 150 page interview with one of founders of INFOSEC, Dr Schell, that showed his employer was the same way: ignored "COMPUSEC" as useless in favor of "COMSEC" solutions to all security problems. Schell, Karger, and Anderson's tiger teams smashed every mainframe and crypto using system put in front of them due to hardware and software bugs. They bypassed it.

Like Schell and Karger said for 30 years, what we need is to start deploying high-assurance security practices, protocols, systems, methods... everything that's proven to get the job done in various ways. We need them deployed pervasively. More private protocols and encryption by default, too, but who gives a shit if it runs on systems so insecure it doesn't need backdoors?

Let's go back to 1960's moving toward the 70's and 80's on hardware stuff. Burroughs stuff was tagged so everything in memory was code or data, pointers protected, arrays bounds-checked, arguments checked on function calls, and OS tried to isolate apps from each other. Some LISP machines had GC's for memory management. System/38 had capability-security & built-in database. Solo had safe concurrency at OS level. One had read-only firmware you couldn't change without physically moving it with a nucleus that handle protected functions that OS's built on. Two implemented a secure, Ada runtime that enforced the language's safety properties. SAFE (crash-safe.org), Cambridge's CHERI, and Sandia's SSP/Score processors follow these traditions.

Now let's look at how Schell et al said to do assurance. Precise, math/flowcharts/whatever description of functional and security requirements to avoid ambiguities & resulting vulnerabilities. Similar for design with attention to simplicity. Implementation in safest language you can with simpler subset and style easy to analyze. Every module proven to match a requirement/spec so no subversion (well, a start on it...). Strict modularity, layering, and interface checks all over the place. Success and failure states modeled then shown to follow a precise, security policy. If you can't state it precisely, then you can't secure it because you don't know what security means for you. Code review, tests of each function, formal proofs if possible, static analysis if possible, covert channel analysis of info flows, configuration management that assumes malicious developers, source to object code verification, trusted distribution of HW/SW to customers, onsite verification/generation from source, and configuration guidance. All of this independently verified by at least one set of professionals that know what they're doing.

That was security in 1970's-1980's. Far from red tape some here claim, every method above was proven by researchers, field users, and pentesters to catch serious problems. The only dispute was what caught most and where to spend most money. Even those questions had decent answers. Well, plus specific design and modeling decisions but INFOSEC was in infancy & that was evolving. I'm talking assurance activities: getting it done right whatever it is. Fast forward today to find that all the problems Schell, Karger, etc predicted have happened and consistently in systems that don't use those methods whereas systems that do avoid many more problems.

So, here's the solution: raise assurance of our systems across the board using methods that go back to 1961. That's right, Burroughs engineers were doing a better job on security before that was even a thing just trying to improve reliability. This is 2016. We have better specs, better languages, better static analysis, easier formal tools, automated test generation, tons of sample code, fast dev machines... you name it. There's no excuse, outside willful ignorance or apathy, for security-focused developers (esp in FOSS) to not use everything at their disposal that's proven to work at reducing risk. Even less excuse for the stuff they make to still be less secure than tech from the friggin 60's and 70's.

Shout out to the exceptions that are trying to do it right. Groups like GenodeOS, Dresden, NICTA/OKL4, Carlisle's IRONSIDES DNS, Bernstein's stuff, Galois, JX OS, ETH, INRIA, Secure64, Sentinel HYDRA (minus bodacion crap lol), Combex, and even NativeClient since they knocked off OP browser. Enough stuff like this and NSA will be begging us to ban INFOSEC books and shit since their info will dry up haha.


I agree that software bugs are a bigger concern than encrypting everything. I think the problem is that not many people are starting companies around "high assurance." How do you get people to turn their PL research into startups?


Galois Inc is a perfect example of one that continually makes money on high-assurance R&D some of which they open-source. Others spin it off into useful commercial tools. INRIA has done that with Astree Analyzer for C. Other times they can just make the tools practical and available for a community that will then build on them alongside their students. INRIA w/ Ocaml and Coq come to mind again.

So, that's one route.


I'm pretty sure Galois get a lot of contracts from the government.


The U.S. government invented INFOSEC and funded most tech (security or otherwise) that you depend on. So what. It's the specific tech or actions that matter rather than who funds them. At worst, you increase scrutiny or consider subversion issues. Of course, high assurance is specifically designed to counter that. So, people worried about subversion should be using this stuff more than anyone.

Btw, here's two things Galois did with their contracts that mainstream security folks are mostly ignoring instead of building on or applying:

http://www.cryptol.net/

http://ivorylang.org/

And a repo with the rest that uses the magical power of open source to counter people's fears and improve the world:

https://github.com/galoisinc

At least some of them have stars in the three digits. I'm impressed an open-source crowd giving it that much attention. Maybe cuz it's on GitHub. The rest might need to go on there, too, for better odds of adoption. Using Google and Save As... are apparently major obstacles of adoption these days. Idk as I'm still trying to figure it out.


I myself have already previously starred Cryptol (I'm acquainted with a few ex-Galois people) but was unaware as to its wider adoption. Certainly I get reasonably frequent notifications on its issues list from Github.


Cool stuff. I think their Xen and Ivory work will probably have highest odds of benefiting people. All kinds of people doing stuff like Arduino and Raspberry Pi that it could be applied to. Either immediately or with a port.


Cryptol is a nice tool, but it can't eliminate most important crypto bugs (for example, the sorts of bugs found in OpenSSL). It's useful for proving things about bit-mixy crypto code like AES, SHA, etc, but that code rarely has bugs (due to known-answer tests).


Well, it actually shouldn't introduce most of the bugs you find in OpenSSL. Plus, you don't use it alone. It works like this:

1. Cryptographers come up with the algorithms and protocols with their mathematical proofs applied to their properties.

2. Someone uses tools like CRYPTOL for algorithms or AnBx for protocols to generate the code.

http://www.dsi.unive.it/~modesti/anbx/

3. The code is run through visual inspections, static analysis tools like ASTREE or SPARK, tests, covert channel analysis, and so on. Modified if problems are found.

4. An optimizing version of a certified compiler like CompCert produces the object code.

5. It's distributed with public key cryptography and/or Merkle Signatures if people don't trust that. There's modern versions with efficient or unlimited signing.

6. Optionally, a subversion-resistant process builds the fist compiler and checkers in stages.


You can get a nice PLDI paper by following those steps!


Never looked into it. Will do.


I have absolutely no faith in any government that gives the impression that they will add tighter controls or a reduction on the collection of personal data.

They've been doing this for many years before Snowden and will continue long after any new laws are passed to give us the impression of an improvement.


I'd love to be able to read this article, however popsci, in their infinite wisdom, redirect all Australian users to the .com.au site...which doesn't have the same articles. Sigh

US proxy it is then!


Excellent points.

I think the other part which he hasn't discussed is the rise of Cloud companies like Google, Facebook. We should really be working towards an internet where people can keep the data to themselves and decide how it gets used. But now, the default is for these corporations to own all the data.

Of course, govt can still access the data (which is what snowden is talking about) but that is a different problem.


Computers are also broken, and the Internet makes it more obvious.


Soo... roll out your own crypto?


>hello,

>You are receiving this error message because your ip (89.234.157.254) is listed in the StopForumSpam.com database.

>You can check the status of your IP and have it removed by visiting http://www.stopforumspam.com/removal. Thank you.

It's kind of ironical that they are quoting Snowden and their own site blocks Tor.

E: didn't HN used to have markdown quoting?



Case in point for the article title..


It's not really ironic - Tor is used for spam all the time.


Just like VPNs, proxies and abuse tolerant networks.

If you can't prevent the spam by other means than IP blocking then maybe you should make your website read-only.


Or just block the sources of abuse while everyone else enjoys and can act on the content. Or just block comments from anonymous nets so they can at least read. Comment sections that are Wild West hurt branding too much for it to be an option.


It seems like we know how to solve this. Put a CAPTCHA on account creation, then allow users to flag posts and auto-ban fresh accounts with high flag rates.

I'm honestly kind of surprised that there isn't more spam from attackers who compromise something close enough to a backbone provider that they can spoof arbitrary IP addresses and still see the return traffic.


Those are possibilities. As is Disqus-style moderation. Nonetheless, it's a lot of extra work with nothing to show for it and possibly dangerous to site experience. That's the problem Tor poses.


The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. Which means blocking Tor blocks the people who follow the law but not the people who break the law.

And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). The answer to that is IPv6 as ever, but that has the opposite problem. IPv6 addresses are too cheap to meter and using a thing for proof of stake requires the thing to be scarce.

So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses.


"The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. "

That's sort of true. It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem. Quite different than what happens when someone's ISP tells them there's malware on their machine. There's also economics involved where people have to pay for those machines and are therefore more likely to use them for other, profitable activities. Probably why we see less spam from those accounts.

What remains are WiFi hotspots, libraries, etc. Apparently, they're not drowning services in hatemail and spam because they're still allowed. They could but few are complaining about them.

"And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). "

Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

"So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses."

Haha. Interesting way of looking at it. I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.


> It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem.

Which makes blocking Tor seem attractive until you still need some defense against the attacks from arbitrary other IP addresses, and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users.

> Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

And even then it's assuming the carrier has port-level logs to compare against. If you have ten million customers who on average make one connection every ten seconds and a connection log entry is 50 bytes then you're writing 50MB/sec of log entries, i.e. >4TB/day. If they keep them at all it's not going to be for very long.

It seems like it would be a lot easier to move identities to some kind of proof of work based pseudonyms than to keep trying to force IP addresses to serve a role they were never designed for and the casting into of which causes no small amount of collateral damage.

> I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.

Part of it is that IPv6 addresses are allocated in larger blocks, which means less address space fragmentation because nobody runs out and has to come back for another non-contiguous block, which means more addresses per routing table entry. And the rest of it is that memory is cheaper than it used to be.


"and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users."

What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem? It has to provide a reduction just as good as blocking Tor with similar effort by admin.


> What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem?

The first step is realizing that you have a behavior problem, not an IP address problem. There is no silver bullet against an adaptive adversary, but this is the sort of thing that proof of stake or proof of work is well suited for. If the user wants to do more than read your website then they need to post some collateral. In the small time case this is just putting a CAPTCHA on account creation. If you're a bank or something then nobody gets in the door unless they have an account with you which has been verified against their government ID etc.

Then anybody who misbehaves forfeits their collateral, i.e. you close their account. Which for normal people never happens, but for malicious parties is designed to happen before the profit from their malice exceeds the value of the collateral. Spammers aren't going to be willing to solve CAPTCHAs all day just to post one message at a time which will be deleted in twenty minutes.

And then the administrative cost disappears because the spammers realize it isn't worth doing and you don't have to spend time deleting spam once they stop posting it.

> It has to provide a reduction just as good as blocking Tor with similar effort by admin.

To which a large point is that blocking Tor isn't particularly effective. People make a lot of noise about the fact that a Tor IP address is some large factor more likely than average to have malicious traffic, but it also represents a larger number of people than most IP addresses. If you look instead at the percentage of all malicious traffic that comes from Tor, it's a minority.

And even allowing Tor traffic and then trying to measure what percentage of all malicious traffic is from Tor is over-representing the effectiveness of blocking Tor by counting malicious traffic that comes from Tor if you allow it but would still come from somewhere else if you didn't.

Net result being that blocking Tor might get you something like a single digit reduction in malicious traffic. Now you need to do something about the other 90%. CAPTCHAs and pseudonym reputation systems and so on. But those things work about as well against traffic from Tor as traffic from anywhere else, which cuts a nice chunk out of the remaining single digit percentage improvement you had been getting by blocking Tor.

Net result is you end up blocking a lot of innocent people to get something like a 2% overall reduction in malicious traffic. And the better you get at solving the problem in other ways, the smaller the benefit of blacklisting IP addresses becomes.


Ah yes, we can't sacrifice the all-important branding!


If you're a business, you can't. There's a decision to make:

1. Focus on benefiting anonymous people who either don't contribute shit back to the business or barely do. Freeloaders.

2. Focus on benefiting the founders, customers, and employees (in that order). If you loose some freeloaders, then so be it. If it's their design decision, then so be it time 10. They can always set up an unrestricted forum for people like them to discuss the article and deal with security headaches they bring in.

Wait, No 2 seems to work as most readers and the company are benefiting except for the few that choose not to.


It's not exactly difficult to find another IP if the one you're on is blacklisted.


Broken for whom?


The Dutch for one, whose major ISP Ziggo still does not provide IPv6.


They do provide IPv6. RIPE Atlas features at least 6 probes that are in Ziggo's AS (ASN9143):

See https://atlas.ripe.net/api/v2/probes/?asn_v6=9143

Thing is it only works in non-bridged mode latest generation Technicolor modems. If you need bridge mode, they will switch you back to IPv4.


The only cable provider(charter) in northern MI doesn't support IPV6.


The largest provider where I live in Southern California does not support IPv6. The largest cloud providers don't either. Amazon, Google, and Microsoft all lack any IPv6 support at all.


Large cloud providers may have poor IPv6 support, but they do have some support.

For instance, do a DNS lookup on netflix.com. You'll find IPv6 records pointing to Amazon AWS IP space.


"police and the government then have the authority to search through your entire life in your pocket just because you are pulled over for a broken taillight"

This is the classic Snowden formula. Establish a false premise that has no faith in the government or constitutional rights, then continue to paint a picture of a dystopian future.

This guy should be writing sci-fi novels...

[edit: I predicted at least 5 down votes as I typed this. Don't disappoint me ;-) ]


If authority figures that broke laws were appropriately punished, then it would be easier to trust in the rule of law. When police officers, politicians, judges, etc can all get away with things that "regular" people would not get away with, then the system is broken.


We should always look at how laws and institutions may abuse their power, and establish the proper safeguards.


What is the false premise?

Why do you think 'faith' is required in a logical argument?

What future?


"police and the government then have the authority to search through your entire life in your pocket just because you are pulled over for a broken taillight: "

Is false.


Isn't it routine?


"Cops Need a Warrant Event Just To Look At The Screen"

http://motherboard.vice.com/read/court-cops-need-a-warrant-t...

Seriously.... don't fall prey to Snowden's scare tactics.

US law enforcement cannot physically take your smartphone without cause, much less even look at it.




Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: