
Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back 397

Posted by samzenpus
from the power-to-the-online-people dept.
wabrandsma writes "Quoting Bruce Schneier in the Guardian: 'The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it. Government and industry have betrayed the internet, and us. This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community. Yes, this is primarily a political problem, a policy matter that requires political intervention. But this is also an engineering problem, and there are several things engineers can – and should – do.'"
  • by Anonymous Coward on Friday September 06, 2013 @05:43AM (#44772957)

    One solution at hand is darknets: the awesome and uncensorable (but slow, though that is the price) Freenet,
    I2P for hidden services, and the original plain Tor.

    Come join us at #freenet on freenode.org; we are supporting all users of freenetproject.org.

    Also, consider the just-started channel #mempo, where a new Linux distribution is planned with the goal of being the most secure one (combining the best ideas from Hardened Gentoo, Debian, Tails, Whonix, Qubes OS). Because security must be complete on all levels (e.g. darknet but also AV, rootkit protection, program compartmentalisation :)

  • by FriendlyLurker (50431) on Friday September 06, 2013 @06:08AM (#44773047)
    FTFA:

    Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.

    He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."

    Silent Circle - a US and UK connected commercial company - proprietary closed source, and in a sneaky "no we are open, really trust us [issilentci...rceyet.com]" sort of way. W T F!???

    Let me reproduce this informative message posted to the comment section of the article:

    I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.

    But I am not sure about some of the security mobs he is advocating here.

    GPG: OK, clever people can read the source code (though most average Joe programmers can't)

    Silent Circle: It's USA based, and subject to the same backdoor 'requests' as any US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.

    Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.

    OTR: Same as GPG as the source code is available.

    TrueCrypt: Well the source code is available, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.

    Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.

    But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.

    I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.

  • by gramty (1344605) on Friday September 06, 2013 @06:16AM (#44773079)
    "One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentiality requirement or a gag order"

    Once again the UK trumps the US in the paranoia and anti-freedom game. The UK Official Secrets Act applies to all British subjects. OK, they get you to sign it, but that is mostly a symbolic gesture to remind you of your obligations and the penalties. Under the act you don't even need to have clearance or be the recipient of a leak. Even if you have worked it out for yourself from publicly available information you can still be gagged, and breaking a gag can bring down the full force of the law against you.
  • by Jah-Wren Ryel (80510) on Friday September 06, 2013 @06:32AM (#44773113)

    He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."

    Do you know who founded and remains a principal of Silent Circle? Phil fucking Zimmermann. This is the guy who wrote and released PGP because he feared the NSA would get away with forcing everyone to use their back-doored Skipjack Clipper chip. He was subsequently harassed with a criminal investigation. If there is one guy that you can trust not to knuckle under to the NSA, it is Phil Zimmermann.

    In fact, Silent Circle just withdrew their Silent Mail product because they feared that the NSA would force them to backdoor it in the near future. They canceled a product line rather than risk it being compromised.

  • by wbr1 (2538558) on Friday September 06, 2013 @07:03AM (#44773235)
    About Tails... you say the 'numerous security holes found' is not comforting... Did you read the post?

    The Tails devs regularly post all the security holes found, with links to the source of the hole, and then patch it in the next version.

    The issues are often bugs in the browser, or libcrypt, or some other part of the system. Perhaps even a new Tor version. Since they are essentially just packaging a distribution, this shows not that it is OMG SCARY UNSAFE, but that they are staying abreast of the issues with the apps and libs they roll into their distro. Not just keeping up with it, but linking right on the front page all the information you need to determine if this is a significant threat or applies to you.

    If you cannot be bothered to read the reports or care to even try to understand what they mean, then perhaps you should stick with Windows. It auto-updates for you and sounds more than secure for your purposes.

  • by Bogtha (906264) on Friday September 06, 2013 @07:08AM (#44773247)

    The UK Official Secrets Act applies to all British subjects

    This is not true. There are some parts that only apply to government workers, and there are some parts that apply to everybody, regardless of nationality.

    Also, practically nobody is a British subject these days, and this has been the case for over 30 years. People with British nationality are British citizens, not subjects. British subjects are a different category and there's hardly anybody in that category. It's mostly just a historical technicality that the category even exists.

  • Re:Agreed (Score:5, Informative)

    by Joce640k (829181) on Friday September 06, 2013 @07:24AM (#44773337) Homepage

    Update:

    According to Wikipedia a new edition was printed last year - https://en.wikipedia.org/wiki/Take_Back_Your_Government [wikipedia.org]

    That's quite timely...

  • by FriendlyLurker (50431) on Friday September 06, 2013 @08:31AM (#44773627)

    I dispute that these vigilantes should decide what should be "declassified" or what isn't.... I just strongly object to the methods being used by the anti-secrecy crowd, and I don't trust their motivations at all.

    That is a fair enough opinion and nobody can argue with it; it is good to have a healthy dose of skepticism about any information that is presented to us via any channel. However, what is more difficult to dispute is when a leaked document reveals heinous war crimes - should focusing on the messenger still be more important than a message of that significance? Also remember that Washington leaks information all the time (for example the Bin Laden operation) - why are leaks that expose crimes worse than leaks that make the president look good? To most people that just reeks of hypocrisy.

    The usual reply to this logic is "what war crimes, there were no war crimes exposed - but look over there - Assange is a narcissist and Manning is a traitor!!". However, even a basic search and read of the documents they destroyed their lives to bring to us shows that this claim is absolutely false:

    Revelations from the Afghanistan and Iraq war logs detailed the use of paramilitary death squads [wikileaks.org], complicity in the torture [telegraph.co.uk] of Iraqi citizens, the indiscriminate killing [guardian.co.uk] of civilians by private military contractors and many other abuses. Meanwhile, the leaked State Department cables brought to light scores of secret drone strikes in countries we are not even at war with, and uncovered the collusion [amnesty.org] between the U.S. and Yemeni governments to lie about American responsibility [huffingtonpost.com] for the massacre of 41 people in the Al-Majalah region. They also revealed [ccrjustice.org] U.S. interference with judicial efforts in Spain to investigate the Bush administration's torture practices. In Tunisia, leaks exposing [pbs.org] the opulence and corruption of Ben Ali's government were a catalyst for the revolution that brought down the repressive regime and ignited other pro-democracy movements throughout the Arab world. The list could go on but the point is simple: it would have been a disservice to democracy to withhold this important information.

  • Warrant canary. (Score:5, Informative)

    by caitriona81 (1032126) on Friday September 06, 2013 @08:56AM (#44773777) Journal

    A more robust version of rsync.net's "warrant canary" (http://www.rsync.net/resources/notices/canary.txt) might help; if it were to become more commonplace, people would start to assume any provider not providing one to already be under gag order.

    IANAL, but the legal theory is that while a gag order can make it illegal to speak out, it can't force someone to make falsified or fraudulent statements - any entity that has not already received a secret order is free to testify to that fact, and simply stop making that assertion at such time that they are compromised.

    If this were made more robust, for example, key employees being videotaped undergoing a polygraph regularly where they are asked questions about the integrity of their service, it might just work. (I realize a polygraph isn't secure. For this purpose, however, it doesn't matter, because it provides a means to deliberately fail a test while having deniability of your intent to do so.)

    I'm sure similar creative ideas could be used :)
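    The checks a canary watcher has to make, as an added example (constructed for this page, not rsync.net's format or code). The signature is modelled with HMAC-SHA256 under a shared key as a stand-in for the PGP signature a real canary carries, and the 30-day freshness window is an assumed provider promise; the states it distinguishes (fresh, stale, statement withdrawn, tampered, canary gone) are the ones the comment above relies on.

```python
"""Added example: client-side checking of a warrant canary.

Constructed demonstration, not rsync.net's canary format or code. The
signature is modelled with HMAC-SHA256 under a shared key as a stand-in
for the PGP signature a real canary carries (an assumption made so the
example is self-contained); the freshness and content checks are the
logic the comment describes.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Affirmative statements the canary must keep repeating (constructed wording).
REQUIRED_STATEMENTS = (
    "has not received any national security letter",
    "has not received any gag order",
)
# Assumption: the provider promises to re-issue the canary at least monthly.
MAX_AGE = timedelta(days=30)


def sign_canary(body: str, key: bytes) -> str:
    """Append a signature line to a canary body (body must not end in a newline)."""
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\nSignature: " + sig + "\n"


def parse_canary(text: str):
    """Split canary text into (as_of date or None, signed body, signature or None)."""
    as_of, body_lines, sig = None, [], None
    for line in text.splitlines():
        if line.startswith("Signature:"):
            sig = line.split(":", 1)[1].strip()
            break
        if line.startswith("As of:"):
            as_of = date.fromisoformat(line.split(":", 1)[1].strip())
        body_lines.append(line)
    return as_of, "\n".join(body_lines), sig


def check_canary(text, key: bytes, today: date) -> str:
    """Return one status word describing what the canary tells us today."""
    # A canary that has simply disappeared is itself the signal.
    if not text or not text.strip():
        return "missing-canary"
    as_of, body, sig = parse_canary(text)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if sig is None or not hmac.compare_digest(sig, expected):
        return "bad-signature"      # tampered, or not from the provider
    if as_of is None:
        return "missing-date"       # an undated canary could be replayed forever
    if today - as_of > MAX_AGE:
        return "stale"              # the provider stopped re-issuing it
    # Silence about any one statement means it can no longer be made truthfully.
    for statement in REQUIRED_STATEMENTS:
        if statement not in body:
            return "statement-withdrawn"
    return "ok"


# Constructed sample canary for a fictional provider.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_BODY = "\n".join([
    "As of: 2013-09-06",
    "Example Provider has not received any national security letter.",
    "Example Provider has not received any gag order.",
    "Recent headline (constructed): Schneier column on the NSA published in the Guardian.",
])
DEMO_CANARY = sign_canary(DEMO_BODY, DEMO_KEY)


def demo():
    """Walk the canary through the states a watcher should distinguish."""
    withdrawn_body = DEMO_BODY.replace(
        "\nExample Provider has not received any gag order.", "")
    return {
        "fresh": check_canary(DEMO_CANARY, DEMO_KEY, date(2013, 9, 20)),
        "stale": check_canary(DEMO_CANARY, DEMO_KEY, date(2013, 12, 1)),
        "withdrawn": check_canary(sign_canary(withdrawn_body, DEMO_KEY),
                                  DEMO_KEY, date(2013, 9, 20)),
        "tampered": check_canary(DEMO_CANARY.replace("2013-09-06", "2013-12-06"),
                                 DEMO_KEY, date(2013, 12, 10)),
        "missing": check_canary("", DEMO_KEY, date(2013, 9, 20)),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>9}: {status}")
```

    The point of the date and the fixed statements is that a provider under an order does nothing at all: it just stops re-signing, and the watcher treats silence and a withdrawn sentence the same way as an explicit alarm.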

  • by dbIII (701233) on Friday September 06, 2013 @11:02AM (#44774889)
    I'll add a bit more to what people have written above with another reason why these things have to be open.
    Let's see an example of closed source encryption - Adobe Acrobat from a few years ago. Their code was the same one used by Julius Caesar, a very simple letter substitution code which could be cracked with a cardboard code wheel that used to be printed on the back of corn flakes packets to entertain children. Commercial "security" software needs to be open to prevent such laziness being used to defraud people that think they have paid for something that will stop third parties being able to read their PDF files or whatever.
    Any readers that think I am making that ridiculous situation up should Google Dmitry Sklyarov. The only thing more ridiculous than Adobe's code was that they hit Sklyarov with a DMCA notice for it which somehow resulted in him being imprisoned for months - a DMCA notice for something Julius Caesar wrote about, so it should be in the public domain by now! No penalty for a false DMCA notice was levied on Adobe (or anyone else - it's one sided with no consequence for crying wolf).
  • by Fnord666 (889225) on Friday September 06, 2013 @11:24AM (#44775123) Journal

    This of course permits the NSA to do a classic Man-In-The-Middle attack. They give your browser the fake certificate chain and a copy of the website login page, you type things in, they decrypt them, and use them to log in to the real website, they get the results back from the real website, re-encrypt them with the fake certificate chain, and send them back to you. As far as you know you're using the real website, as far as the website server knows they're speaking with a normal browser, but the NSA is capturing everything either side transmits in clear text and can inject fake content in either direction whenever they want.

    This is why there are browser addons such as Perspectives [perspectives-project.org] which allow you to verify the certificate and will notify you if a certificate's signature changes at any time.
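    The continuity check behind that kind of add-on, as an added example (constructed for this page; it is not the Perspectives code or protocol). The "certificates" are stand-in byte strings rather than real DER and the notary observations are an in-memory table; the logic is the defensive idea itself: compare the certificate your browser was handed with what you accepted before and with what independent vantage points see, and do not silently accept a change that nobody else can observe.

```python
"""Added example: certificate key-continuity check with notary corroboration.

Constructed demonstration in the spirit of the Perspectives add-on; not
its code. Certificates are stand-in byte strings, notaries are a dict.
"""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, as browsers display it."""
    return hashlib.sha256(cert_der).hexdigest()


class ContinuityChecker:
    """Tracks the last accepted certificate per host and consults notaries."""

    def __init__(self, notary_views, quorum=2):
        # notary_views: host -> {notary name: fingerprint that notary observed}
        self.notary_views = notary_views
        self.quorum = quorum      # how many notaries must agree before a new cert is accepted
        self.accepted = {}        # host -> fingerprint this client currently trusts

    def notaries_agreeing(self, host, fp):
        views = self.notary_views.get(host, {})
        return sum(1 for seen in views.values() if seen == fp)

    def check(self, host, cert_der):
        """Return (verdict, fingerprint, number of notaries that saw the same cert)."""
        fp = fingerprint(cert_der)
        agreeing = self.notaries_agreeing(host, fp)
        previous = self.accepted.get(host)
        if previous == fp:
            verdict = "consistent"     # same key as last time; continuity holds
        elif agreeing >= self.quorum:
            # Others see the same certificate, so the change is global rather than
            # something inserted on our path alone: first contact or a key rotation.
            verdict = "first-seen" if previous is None else "rotated"
        else:
            # A certificate that only we are shown is exactly the interposition the
            # comment describes; do not record it as trusted.
            verdict = "suspect-mitm"
        if verdict != "suspect-mitm":
            self.accepted[host] = fp
        return verdict, fp, agreeing


# Constructed stand-ins for DER-encoded certificates.
REAL_CERT = b"constructed DER: CN=example.test, key A, issued by a public CA"
ROTATED_CERT = b"constructed DER: CN=example.test, key B, issued by a public CA"
INTERPOSED_CERT = b"constructed DER: CN=example.test, key C, issued by a CA we never chose"


def scenario():
    """Walk the verdicts through a constructed sequence of connections."""
    host = "example.test"
    notaries = {host: {"notary-1": fingerprint(REAL_CERT),
                       "notary-2": fingerprint(REAL_CERT),
                       "notary-3": fingerprint(REAL_CERT)}}
    checker = ContinuityChecker(notaries, quorum=2)
    verdicts = []
    verdicts.append(checker.check(host, REAL_CERT)[0])        # first contact
    verdicts.append(checker.check(host, REAL_CERT)[0])        # same key again
    verdicts.append(checker.check(host, INTERPOSED_CERT)[0])  # only we see this one
    # The site legitimately replaces its key and the notaries observe the new one.
    for name in list(notaries[host]):
        notaries[host][name] = fingerprint(ROTATED_CERT)
    verdicts.append(checker.check(host, ROTATED_CERT)[0])     # corroborated change
    verdicts.append(checker.check(host, INTERPOSED_CERT)[0])  # still not trusted
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(scenario(), 1):
        print(step, verdict)
```

    The quorum is the design choice worth noting: a single notary can itself be fed the interposed certificate, so acceptance of a changed key requires several independent vantage points to report the same fingerprint, while a certificate that matches what this client already accepted needs no outside help at all.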
