Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software
MojoKid writes "Microsoft's onetime Chief Privacy Advisor, Caspar Bowden, has come out with a vote of no-confidence in the company's long-term privacy measures and ability or interest to secure user data in the wake of the NSA's PRISM program. From 2002 — 2011, Bowden was in charge of privacy at Microsoft, and oversaw the company's efforts in that area in more than 40 countries, but claims to have been unaware of the PRISM program's existence while he worked at the company. In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source."
Re:The next obvious step is to ... (Score:5, Informative)
Read this FA ... (Score:3, Informative)
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/ [scienceblogs.com]
Both AC and disposable60 were trying to explain to you the concept outlined by Mr. Thompson.
Read, and ponder.
Caspar Bowden's testimony in the EU Parliament (Score:5, Informative)
Last week, Caspar Bowden testified at a hearing in the European Parliament, and presented a report on the NSA surveillance to the European Parliament's Committee for Fundamental Rights LIBE.
Link to the report: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/briefingnote_/briefingnote_en.pdf [europa.eu]
Link to the YouTube video with Bowden's statement and the following Q&A (63 min): http://youtu.be/qa83l2_ZzEo [youtu.be]
Re:Worthless (Score:5, Informative)
He doesn't have to; it appears that the key exchange protocols were weakened, and it's not necessary to break AES but to extract the keys during KEP negotiation. http://www.zdnet.com/has-the-nsa-broken-ssl-tls-aes-7000020312/ [zdnet.com]
You also have to remember that it's a negotiation, and unless you set your browsers and websites up to use more secure protocols you could default to, say, RC4-RSA under SSLv2.0. There are acknowledged flaws in TLS 1.0 (SSLv3.0) but it wasn't until a couple of months ago that Firefox supported TLS 1.1 and it still doesn't support TLS 1.2. Chrome (Version 30+) and IE (9+) support TLS 1.1 and TLS 1.2. So you should see more and more websites turning on TLS 1.2 support and turning off TLS 1.0 and 1.1 if they can. http://en.wikipedia.org/wiki/Transport_Layer_Security [wikipedia.org]
I've already had change requests come in from customers to get away from AES and to push more TLS 1.2 out there, and you're already seeing companies and other government agencies distancing themselves from NIST-blessed standards. That's lamentable, but the credibility of the organization has been irreparably compromised by NSA influence. As a result, we may see more ChaCha [wikipedia.org] or more Twofish implementations start to come into the mix over this, which is a good thing because it means that we have diversity in ciphers and less reliance on NIST and its standards processes.
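The negotiation point in the comment above, as an added example that is not part of the thread: a Python client context that refuses to negotiate below TLS 1.2, plus a small audit of a version floor and a list of offered suites. The policy (TLS 1.2 floor, no RC4, authenticated (EC)DHE key exchange only) and the names `FLOOR`, `hardened_client_context`, `audit` and `audit_context` are assumptions of this example.

```python
import ssl

# Assumed policy for this example (not from the thread): TLS 1.2 floor,
# no RC4, and only authenticated (EC)DHE key exchange for pre-1.3 suites.
FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_client_context():
    """Client context that will not negotiate below the floor."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = FLOOR
    # OpenSSL cipher string: AEAD suites with ephemeral key exchange only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def audit(min_version, cipher_names):
    """Return findings for a version floor and OpenSSL-style suite names."""
    findings = []
    if min_version < FLOOR:
        findings.append(f"floor {min_version.name} permits a version below TLSv1_2")
    for name in cipher_names:
        if name.startswith("TLS_"):
            # TLS 1.3 suite names carry no key exchange; 1.3 negotiates it separately.
            continue
        if "RC4" in name:
            findings.append(f"{name}: RC4 stream cipher")
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{name}: key exchange is not authenticated (EC)DHE")
    return findings


def audit_context(ctx):
    """Audit what a real SSLContext is prepared to offer."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))  # hardened context
    # Constructed sample of a permissive configuration, for contrast.
    for finding in audit(ssl.TLSVersion.TLSv1, ["RC4-SHA", "AES128-SHA"]):
        print(finding)
```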
Re:Routing Connections from Point A to Point B (Score:5, Informative)
I'm pretty sure that you don't really know where the physical hardware using the intermediate IP addresses shown in the traceroute actually was. Reverse DNS tends to show who owns it, *not* which country it's in. And geoip services are doing well if they can identify the right country in Europe, let alone anything more accurate than that.
Even if you did see routing like that, and it really did go to the cities you claim, it still wouldn't be that odd - when routing is optimized at all it's optimized for cost, rather than distance. For long-haul the two tend to go together, but for relatively short distances in the well-connected first world they don't.