Forgot your password?
typodupeerror
Privacy Security Technology

Snowden Seeks To Develop Anti-Surveillance Technologies 129

Posted by samzenpus
from the snowden-brand dept.
An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."
This discussion has been archived. No new comments can be posted.

Snowden Seeks To Develop Anti-Surveillance Technologies

Comments Filter:
  • by Anonymous Coward

    Can't wait for an app that would allow anyone to be completely anonymous, even from the almighty Goog'lord.

    • by PopeRatzo (965947)

      Can't wait for an app that would allow anyone to be completely anonymous, even from the almighty Goog'lord.

      The NSA's probably got them in stock.

    • Retroshare can give you encrypted IM, mail and forums shared only with your retroshare contacts. It's a big of a headache on dynamic IPs though - it expects all nodes to be mostly-stationary. An observer could work out who your contacts are, but that's all they are getting - metadata only, no content. Also does file transfer and share-browsing.

      • by AHuxley (892839)
        Thats all the need. If the contact is the press and the sender works/worked for a gov they are both targeted.
        The "An observer could work out who your contacts are" gets even better if you try and meet in person. A member of the press turns their phone off and walks in a direction. Any other person in the area who turns their phone off and then on later like the member of the press is tracked.
        IP, the internet, mobile phones its all great for tracking back the moment a person in gov tries reach out.
        Th
        • Requiring the government to use fiddly correlation analysis to get a partial idea of your activities is still a lot better than the current situation, where they need issue one sternly-worded letter in order to retrieve everything including content and history.

          • by AHuxley (892839)
            Thats what the talks mentioned too, a set of small steps. Encryption but the wisdom to understand the networks as they are now.
      • by Anonymous Coward

        I've tried RS, Event tried to introduce it to the company but failed for a couple of reasons:

        1. The key exchange thing was a bit of a pain for others (don't see a way around that though). It wasn't seamless.
        2. No smart-phone support. People are not just PC bound.

        They ended up using HipChat.

        The thing is, RS is designed for the security conscious who are prepared to put up with a bit of stuffing around because there's nothing better out there. When people consider security 'a nice to have' with ease of use be

    • Re:Kinda Like Mega (Score:4, Informative)

      by mspohr (589790) on Monday July 21, 2014 @11:52AM (#47501033)

      An app won't give you much anonymity. You need to start from the ground up with an OS that leaves no trace on the hardware and has good encryption and anonymity tools built in.
      Here's a good start: TAILS
      https://tails.boum.org/ [boum.org]
       

    • Considering who owns Mega, I wouldn't trust it further than I can throw that blob.

  • soviet era crypto (Score:1, Insightful)

    by Penn (308504)

    And I'm sure Russia will have absolutely no influence over what Snowden is working so hard to bring us too!

    • by NotInHere (3654617) on Monday July 21, 2014 @06:33AM (#47499109)

      As long as it's not the latest curve, privacy preserving crypto can be written by NSA itself, and still be secure for you. SELinux was written by NSA, and I don't have a problem using it. Your security model shouldn't rely on the party your software came from. It should rely on the software itself, idependent reviews, and, if you can't afford your own review, the many-eyes-principle (which has chilling effects).
      The russians could only say "this is too secure, design something that can be broken more easily".

      • by balaband (1286038)

        Mod parent up.

        It is not who makes it, it is how it is made.

        • by Anonymous Coward

          Mod parent up.

          It is not who makes it, it is how it is made.

          Assumptions breed ignorance. And even you were likely surprised over the capabilities and activities revealed by the very person we're discussing here. One would have thought you would have learned when random number generators were found to be not-so-random, and encrypted microcode updates validating themselves against compromised key servers came along.

          But hey, if you truly feel that it doesn't matter who makes it, then feel free to ignore those export control laws and purchase your electronics where th

          • Kind of like "free" smartphone apps that never collect any information on you.

            They don't? That's good to know, I'll go install a few dozen free apps right now!

          • by balaband (1286038)

            I am not sure I follow your point.

            You are arguing that it does matter who makes the software, yet take examples of the unchecked software to be examples of supporting your case. Even if you get down to hardware level, you are back to square 1 - unchecked code.

            As for the build process, that only depends how thick is your tin-foil hat. I don't see any reason why Soviets are going to be any worse in producing your hardware then 'muricans or Chinese.

        • It is not who makes it, it is how it is made.

          I love that show [wikipedia.org]!

      • by Anonymous Coward

        Why (and this is the point,) would you trust the NSA any more than the Russian government? Neither wants you to be able to hide what you're doing from them. If these last few years have taught us anything, it's that your government, (wherever you live,) and possibly other governments, should be regarded as the same as any other group of people who could potentially do you harm by knowing things you might want to keep to yourself, whether or not you've committed any legitimate transgression or 'crime' as t

        • by AHuxley (892839)
          1+ for 'So forget crypto as a privacy device, unless you're prepared to make it yourself, test in yourself, and be responsible for it yourself. The only unbreakable crypto is the (TRULY F'ING RANDOM) one-time pad, and only if it's used correctly."
          Thats really the only way, one time pad used once, number stations. The key to all the free quality crypto was that all the press where been watched anyway so you get to encode all you want. The moment you send, attempt contact, its just tracked back. No need f
      • by AmiMoJo (196126) *

        The russians could only say "this is too secure, design something that can be broken more easily".

        Like the NSA did with TrueCrypt?

    • The strange thing is that I trust the Russkies more by now than I trust the US...

      If someone told me that 30 years ago...

  • by Stolpskott (2422670) on Monday July 21, 2014 @05:40AM (#47499009)

    Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.
    You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.

    Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.

    • by AHuxley (892839) on Monday July 21, 2014 @06:07AM (#47499057) Homepage Journal
      Small steps. Move away from the brands that helped ie the PRISM list of willing brands and tame staff building junk systems.
      Understand how "open source" telco layers over tame telco software and hardware can save any data on entry.
      ie once your targeted all is privacy lost no matter the fancy open source app. The security services will be in every hop of any network into and out of your computer/device until they get full plain text.
      Encryption seems to be the key until your use of it shows up at an endpoint under constant surveillance. Then the individual targeting starts on the new person.
      The most easy step is to make encryption more gui, web 2.0 friendly. Then a lot more people will be flooding the net with random heavy code 24/7.
      Use once hardware would be interesting. It would stop any longterm profile, any unique hardware numbers been sent. If you then work on really good crypto to hide voice, pic, file sent, text you could kind of have a one session. Snowden hinted a bit about association (you to the press), mixed routing, the need for unattributable internet access in the 1h+ talk.
      A lot of steps to fix an internet that is now really like Tempora https://en.wikipedia.org/wiki/... [wikipedia.org] and what that can do to your message and a person in the press been watched.
      The other aspect was education. A civic duty to teach, educate the wider public and press. The classic Sysadmins of the world, unite! also mentioned.
    • by Anonymous Coward

      Bull shit... OpenSSL is open source and look at all the crap they found this quarter alone...

    • I would say the bigger problem right now is that people don't care enough, period. Your average person is going to want to use whatever is cheaper, or whatever they have now, and isn't aware enough to demand something better and isn't going to want to pay for it. Existing products and services don't have a lot of incentive to improve because the customers don't care enough. As long as competition keeps the playing field level, as long as noone tightens up their security, nobody has to spend money on some
    • It doesn't have to be perfect, it just has to increase the cost of mass surveillance to a level where it is no longer feasible. Surveillance is too cheap because much of the data is just there for collection, unprotected.

      For example, the UK government just pass emergency data retention laws that require all ISPs to continue logging the domain names of every web site every subscriber visits. If more people started using VPNs regularly that capability would become far less useful, and while I'm sure they could attack the VPN providers or crypto or even the individual target's computers the cost would be much higher than simply requiring the ISP to run a large database. They would be forced to stop bulk collection and only target people of genuine interest, which is the reasonable.

      • For a start, just convince every site to use SSL. It's possible to MITM SSL, but not on a large scale without detection. All the ISPs would be able to log is DNS lookups and IP addresses, which is still bad but not nearly as bad as being able to see individual pages accessed. Then you can start looking into possible ways to make DNS harder to monitor somehow.

      • ...it just has to increase the cost of mass surveillance to a level where it is no longer feasible.

        It doesn't work that way. It becomes a call for a bigger budget and higher taxes to pay for it.

  • by SpzToid (869795) on Monday July 21, 2014 @05:47AM (#47499025)

    Edward Snowden certainly has name recognition in the security space, which in branding terms equals big money. He's got his share of wild and crazy times overseas doing various hijinx not always on the up and up, sorta just like other security specialists [slashdot.org] of an earlier generation. Sure, in terms of branding alone Snowden could easily become the next McAfee, and he's still very young!

    And isn't as if they weren't both wanted on international warrants either; and street cred. does sell sneakers.

  • So Slashdot... (Score:5, Insightful)

    by Anonymous Coward on Monday July 21, 2014 @06:30AM (#47499101)

    "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day,"

    Looking at you Slashdot.

    When are we going to have access to this site with https? You can stop pushing down out throats your fucking annoying beta and do something useful for everybody instead.

    • by Anonymous Coward

      You mean https that's built on OpenSSL?

      • by Anonymous Coward

        A protocol isn't built on an implementation. Use a version of OpenSSL that doesn't have known bugs or use another SSL implementation if you want to.
        Claiming that HTTPS is unsafe just because one implementation has bugs is like saying that C is slow because someone wrote a bad compiler once.

        • by Anonymous Coward

          Use a version of OpenSSL that doesn't have known bugs

          Bwa ha ha ha ha ha ha ha!
          Yeah, the guys who are making LibreSSL probably wish you could be doing that. If they weren't compelled to make a decent SSL implementation, they could probably focus more on things like the anti-botnet research of the Hail Mary cloud. But, since OpenSSL is known to not patch bugs, they've decided that this other work is necessary.
          Please don't refer to an OpenSSL version that doesn't have known bugs. Just because one super-critical bug has been identified and addressed does not m

    • Do something useful? Do you have any idea what it would do to Dice's profits?

    • by AmiMoJo (196126) *

      At this point I'm thinking that the NSA or GCHQ asked them not to implement HTTPS. What other reason could there be for not taking the simple, low cost, minimal action required to enable it? Soylent News, which runs on the same code base, supports it.

    • by Anonymous Coward

      And IPv6 access while you are at it.

    • I'm fine with http. I'm just stating my opinion. If that is grounds to lock me up, you can as well lock me up for then I'm in a prison already.

  • by DoofusOfDeath (636671) on Monday July 21, 2014 @06:36AM (#47499119)

    As long as the citizenry tolerates and sometimes even roots for the government's violation of civil rights, everything including the technology is just details.

    The existence of a decent open-source router can't do much against a U.S. National Security Letter.

    • End-to-end encrypted communications can.

    • by Sloppy (14984)

      It's a small part, but it's a part. I think Snowden has done his fair share of trying to inform laymen and stir up giving-a-fuck. If he wants to switch to working on tech, he could accomplish nothing and still come out far ahead of the rest of us. ;-)

      The existence of a decent open-source router can't do much against a U.S. National Security Letter.

      While we certain should care enough to force our government to stop being our adversary, there will always nevertheless be adversaries. You have to work on the

  • by johnjaydk (584895) on Monday July 21, 2014 @07:29AM (#47499277)

    A nice step ahead would be the establishment of a new set of root certificates and an accompanying authority that signs other peoples certificates. All located in a country that doesn't play ball with NSA and other thugs.

    This would do a lot to dampen the routine man-in-the-middle we see these days.

    • by Anonymous Coward

      We have already have them. We need Google and mozilla to stop being little bitches and bending over for the CA's and security services and implent DANE already in their browsers. I don't buy for a fucking minute that they don't implement it because it's not common enough yet...

    • by Sloppy (14984)

      A nice step ahead would be the establishment of a new set of root certificates...

      The lesson of CA failure is that there shouldn't be root authorities. Users (or the people who set things up for them, in the case of novices) should be deciding whom they trust and how much, and certificates should be signed by many different parties, in the hopes that some of them are trusted by the person who uses it.

      If you want to catch up to ~1990 [wikipedia.org] tech, then you need to remove the "A" in "CA."

      • by johnjaydk (584895)

        If you want to catch up to ~1990 tech, then you need to remove the "A" in "CA."

        Thanks for the insult. It hardly stung. I expect you to start the project shortly. I'll gladly donate to it on kickstarter.

        • by Sloppy (14984)

          Thanks for the insult. It hardly stung.

          Unless you worked at Netscape in the mid-1990s, no insult was intended.

          All I meant is that by the very early 1990s, we (and by "we" I mean people smarter than me; I was clueless at the time) had a pretty good idea that CAs wouldn't work well outside of real power hierarchies (e.g. corporate intranets). But then a few years later the web browser people came along and adopted X.509's crap, blowing off the more recent PKI improvements, in spite of the fact that it looked

    • There are already plenty of CA's in countries that are not under US jurisdiction. However, so far the CA's that issued bad certs were all outside the USA, and appear to have only done so because they got hacked and not because they were e.g. forced to by court order.

      Unless you have a magical solution to hacking I don't think your new root CA would solve much.

      Additionally, citation needed for "routine man in the middle". SSL MITM has been studied by academics at scale. They did not find evidence of much. Gov

  • by PopeRatzo (965947) on Monday July 21, 2014 @07:43AM (#47499323) Homepage Journal

    I'm going back to my 1942 Corona typewriter with the "t" slightly raised.

  • Privacy is about getting out. Put on light t-shirt, thin-sole running shoes, light shorts and go with your partner to a park, a stadium, etc.

    Or go to a beach for a swim.

    Have a meaningful private conversation while running, walking or swimming. Speak in a calm quiet voice, not louder than necessary.

    So getting out is good not only for health, but for privacy too. Besides, it is much safer to run together or to walk together.
  • Hell, he walked in and got the stash and fled the country. Manning had already done a similar heist before this.

    So, we've got minions with access to sensitive data and can't stop them. The government needs to audit itself ... again.

    It does no good to wrap this stuff up in a cloaking device if space cadets can glomp and run.

    • Unless you are trying to be sarcastic, I'd say you are one the remaining ones who still collect their checks from the government and didn't flee... yet...
  • by bsDaemon (87307) on Monday July 21, 2014 @09:32AM (#47499973)

    Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

    I mean, let's be honest: Either way, whether he's going to just try and brand the stack or contribute, we have technologies that are perfectly good (that is, however, not to say perfect) already -- its just they aren't particularly widely deployed. How many organizations are running IPSec internally, other than just for site-to-site VPN tunnels? How many organizations are deploying DNSSec outside of governments and the military? How many organizations are using PGP or similar asymmetric encryption between employees? Making it easier might help, but chances are that the vast, vast majority of individuals aren't going to jump on any of these technologies in any great numbers unless they are mandated to (like at work, where they don't have a choice), but it isn't as if the government is going to make it a requirement that you try and "spy proof" your computer and communications.

    • by m00sh (2538182)

      Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

      All that counts is that Snowden has the balls and integrity that is so lacking in the "uber-hacker" department. You can't threaten Snowden, you can't bribe him. An uber-hacker, you can buy him out or scare him.

      Anyways, you don't uber-hackers to develop security software. The encryption algorithms are university research level stuff and as long as you understand the basics of it, you're fine. The rest is just writing code around it that a decent programmer should be able to handle well.

    • Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker

      Except the stuff about how a 29 year old completely pwnd the NSA, probably the most technically sophisticated part of the US Government there is?

      Sheesh. Your standards are high. What would it take, exactly?

      Additionally, just because you have read nothing about his programming skills doesn't mean he has none. He once mentioned finding XSS holes in some CIA app so apparently he is good enough to do that.

  • So now I guess ZeroKnowledge [wikipedia.org] was 16 years too early. I remember laughing at it.

    I still don't care wether NSA or other idiots read my mail for I have nothing to hide. But the prospect of ill-advised policy enforcer's ability to use otherwise benign data as scapegoating is irritating.

  • Here's my latest Snowden / Binney 2016 bumper sticker art, suitable for printing at 2.75" x 5" cropped size plus a .125" bleed, 300 DPI, on vinyl:
    PNG [traxel.com]
    Vector (LibreOffice Draw) [traxel.com]

    This is my original artwork, CC BY-NC-SA, so print a pile and spread them around if you like. I use psprint.com, and I recommend searching "vinyl bumper stickers" on DuckDuckGo, where psprint is usually running a coupon in the search results. I haven't received the color proofs for this version yet, but these are corrected from a previo

  • Oh please, Eddy, shut the fuck up.

  • I applaud and vigorously support Mr. Snowden's suggestion that our rights MUST (my emphasis) be encoded into the programs and PROTOCOLS on which we rely every day. I seriously and sincerely doubt however that anyone, let alone the entrenched interests who construct and maintain the Internet, will in any way be moved to action.

    As instance I cite the farce that is known as email. Architectural and design decision were made which did not consider the mass adoption of email by billions. Nor were the possibil

"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Working...