European Commission Recommends OSS to Fight Echelon 106

CrossRhythm writes: "The European Commission Resolution on Echelon encourages the Commission and Member States "to promote software projects whose source text is made public", to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category," and "systematically to encrypt e-mails, so that ultimately encryption becomes the norm"."
  • So this would be a good reason for governments to fund the development of open source applications.
    Hopefully they'll do..
    J.
    • Which is why GnuPG [wwwgnupg.org] is funded mostly by the German Ministry for Economy and Technology [www.bmwi.de], for example.
    • Re:funding. (Score:1, Informative)

      by Anonymous Coward
      If companies/academics request R&D funding from the European Commission, they are already urged to license the software as open source (to get a better chance of getting funding). These guidelines started popping up for more than a year now.
    • To have governments embrace and use open source software would be enough for me. To have them fund the development of it is where it gets iffy. Who retains the copyright to the software, the Government or the programmer? What license would they use? What happens if the Government suddenly thinks that some encryption software is too good and needs to be closed source? Think about it. What was the last good thing any of us had to say regarding the government and technology policy? I think the best thing the government can do is use open source software, the worst thing they can do is make it. Except for the NSA, cause they are just cool.
  • by room101 ( 236520 ) on Friday September 07, 2001 @10:53AM (#2263727) Homepage
    I may be wrong, but it sounds like MS' totally bogus "shared source" will move MS from "least reliable" to something better.

    The article is pretty long, so perhaps I missed something....

    • can anyone look at the source? say... me? you? any user? can I rebuild from source (if not.. how can I see that the source is indeed the same as the compiled product?)

      if not everyone can look at it it's not public. if it's not verifiably the code, it's not public.

      and let's face it.. Outlook has a history of being (ab)used for viruses, and will really have something to prove to rise above "least reliable".

      //rdj
      • can anyone look at the source? say... me? you? any user? can I rebuild from source (if not.. how can I see that the source is indeed the same as the compiled product?)

        Don't worry, Microsoft is still hiring. They'll screw up and hire someone who'll put the whole source on Freenet.

        Including complete build instructions.

      • can I rebuild from source

        That's the key one, let's not let anyone forget it.

        If you can't build the whole source for the OS, at least, every last bit of it involved in the security/communications chain, then it can't be said to be trustworthy.

    • In some cases, full disclosure of source code can indeed be sufficient (provided that you are sure all your binaries were compiled from these sources, using a benevolent compiler).

      The ability to help them improve what you don't like and fork if they won't is not a necessary prerequisite to a security audit: you find out it is not secure enough, you don't use it if you can't fix it.

      Kiwaiti

      Member of the Legion Of Microsoft Haters

      • Member of the Legion Of Microsoft Haters
        Member of the Legion Of Microsoft Haters


        A double-hater! Is there a website with info on how to become a member, or is this "legion" an unofficial group?
        • Slash didn't show my .sig on preview, so I retyped it. Come to think of it, I haven't seen a single funny .sig today. Shit. Just imagine you're drunk. Users.pl tells me I should be seeing the .sigs. More crap. Sorry.

          There was a website, I think it disappeared. I have been thinking about a formal resurrection of The Legion. I've been out of webspace for a moment, though (since I dropped myself out of "college").

          LOMH.org might still be available. cost?

          I was thinking about a structural thing, with ranks for amount of acquired recruits.

          Kiwaiti
          won't retype it now (hope it's there)

    • what is the guarantee that the code which one has access to is the exact same code which is in the shipped package? slip um a mickey! or tracking functions...
  • If your goal is encrypted e-mail, what does the source code have to do with anything? As long as it follows published encryption algorithms, that's all that matters. After all, if it doesn't follow the standard, then it's kind of hard to decrypt it.

    I think it's a tad more important for the underlying mathematics to be tight, than to be able to view the source code implementation of an inferior algorithm.

    • Re:This is stupid (Score:2, Flamebait)

      by blang ( 450736 )
      But not as stupid as you.


      Source code in the public domain exposes the software to scrutiny. Without scrutiny, how do you know it's safe? You're just going to trust the word of any two bit software maker?

      • Without scrutiny, how do you know it's safe?

        Because, duh, it has a well-defined input, and a well-defined output. Tell me how anything in the middle matters.

        • Tell me how anything in the middle matters.

          Maybe you're right... [goats.com]
        • > >
          > > Without scrutiny, how do you know it's safe?
          >
          > Because, duh, it has a well-defined input, and a well-defined output.
          > Tell me how anything in the middle matters.

          Actually, good encryption is rather trying to produce anything but a well-defined output. Or do you think that a cryptanalyst's job simply consists in shifting encrypted messages a few letters left or guessing that all a's should be replaced by b's?
          I think you have been a boy scout a bit too long ...

          • Actually, good encryption is rather trying to produce anything but a well-defined output.

            It is extremely well defined. It's just not easily readable.

            Remember what we're talking about here... sending a message from one person to another. Unless you think the mail program is going to change the content of the message, and no one is going to notice that their messages are getting changed, then there isn't much wiggle room if the message is going to be successfully decrypted by the recipient.

        • - Bad keyphrase management, resulting in easily-cracked keyfiles should one be leaked.

          - Buggy implementations that don't fail on very many test cases at all, unless you relish testing your mailer with the infinite number of possible messages.

          - Bad handling of macros, attachments, and other things certain modern e-mailers try.

          - Bad coding practices such as buffer overflows, which can exacerbate the above.

          - Deliberate back-doors, such as automatically processing specially-formatted messages as instructions...

          - Other misc bad behaviors such as eating file handles, zombie processes, and other examples of lousy coding practices.
      • Without scrutiny, how do you know it's safe?

        Even then, it's only as safe if your compiler hasn't been compromised.

    • No, it isn't (Score:2, Redundant)

      by nestler ( 201193 )
      As long as it follows published encryption algorithms, that's all that matters. After all, if it doesn't follow the standard, then it's kind of hard to decrypt it.

      This is so wrong that I don't even know where to start.

      The program can use published algorithms everywhere, but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program. The only way to know if the program is doing stuff like this is to READ THE SOURCE.

      To trust that a security-related program does not have a back door, you need the source. Period.*

      *You could try to watch outgoing network connections, but this is a hack as you may not be able to figure out what it is sending since it could be encrypted. Having the source is a much more reliable method of spotting back doors.

      • but if it RSA encrypts your message in the FBI's public key, and mails it to them (as well as encrypting as it should be and mailing to your friend), then it isn't exactly a secure email program.

        You don't think anyone is going to notice that their e-mail queue is getting twice as many messages as it should? Or that logs aren't going to anything strange? That's absurd.

        • You don't think anyone is going to notice that their e-mail queue is getting twice as many messages as it should? Or that logs aren't going to anything strange? That's absurd.

          I'll rather use smtp and mail transport agent customized and embedded in the application just in that purpose. Sure I am not the first and the only one who came up with that idea.
        • Some server managers might, but, no, most casual users would not notice such things.

          The story that broke a couple days ago about the divorcee whose ex-husband installed spy software on her home PC is a testimony to the obliviousness of most computer users.

          The only reason he was caught was due to his own stupidity in mentioning things to his former wife's friend that could have only been known if he had installed such snooping software. Otherwise, he could peep to his heart's content.

          I know lots of people with fun, useful, http-active software running all the time on their PCs (webshots, newsfeeds). It would not be such a stretch to have those programs summarize key strokes, buffer them up, and send a compressed encrypted version back via web request to an innocuous site. It could all be done under the guise of normal operations. You know, "updating..." Kind of like cookies but more intrusive. And that's just one example. You can probably think of several other ways to do it.

          The earlier poster is correct. There are simply so many imaginative ways through which your security can be compromised that inspection of the actual source code is the only substantial guarantee you have.

    • You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys? You have no sure way to know that your keys won't wind up:
      • "Accidentally" sent packed into an IP header and sent to the NSA
      • Somewhere in your swap space, because some coder doesn't know how to lock memory correctly
      • Somewhere else on your hard drive, because some coder doesn't care about protecting your keys (or know what he's doing).
      • Compromised in response to a malicious message that the program is trying to decrypt. Don't forget about buffer overflows [ibm.com].

      Trusting a closed source application means that you're trusting every programmer who ever wrote a line of code for the application. When you can't see that code to make sure it's not crap, you've got a security nightmare waiting to happen.

      -all dead homiez

      • You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys?

        Well, this is the first reasonable point I've seen about this, and it's theoretically possible, I suppose.

        But it still comes down to "who do you trust". Either you trust that someone "somewhere" has certified an open source program, or you trust that some well-known company with a good reputation has certified the program. Either way, unless you are a security expert and can verify it yourself, you are going by blind trust.

        • ... such as Microsoft? We all know about the heaps of vulnerabilities in MSFT software, and they're the largest SW company in the world and very well-known.
          In any case, you would have to trust the certifier.
          With a well-known open-source project, you only need to trust statistics. You only need to trust that there will be one person out of thousands that is experienced enough to find the hole and isn't looking for personal gain for covering it up (like the product vendor or an 'expert' hired by it might).
          Not satisfied yet? Hire your own expert to test the code.
    • I think you've missed the point entirely. If I can't see the source, how do I know the algorithms have been implemented correctly? Bugs in software can cause even the most soundproof encryption to be useless. Of course, no one would ever code a back door into their software...
    • The recent ssh vulnerability is a good example of why this is wrong. The encryption methods can be entirely open (hell, they can be secure, even) but the app can still end up being vulnerable because it leaks some piece of information that the programmer didn't realize was sensitive -- like the timing between key presses.
    • How the hell do you verify the implementation of an algorithm without the source code?

      Here's a sample closed source algorithm:

      encrypt(msg)
      {
          send_msg_home(msg);
          e_msg = use_unbreakable_encryption_scheme(msg);
          return e_msg;
      }

      Don't you feel all safe and comfy with your closed source now!!

  • by All Dead Homiez ( 461966 ) on Friday September 07, 2001 @10:56AM (#2263742)
    This is an area where OSS really shines. Microsoft NSA key rumors [google.com] aside, the truth of the matter is that it is almost impossible to audit closed source programs for backdoors and security flaws. As more and more stupid programming mistakes [zdnet.com] are discovered, more and more people will realize that OSS is the only way to go when security and/or privacy is a concern. Expect many more endorsements of OSS in the near future for this very reason.

    -all dead homiez

  • by dwbryson ( 104783 ) <mutex@cry[ ]backpack.org ['pto' in gap]> on Friday September 07, 2001 @10:59AM (#2263756) Journal
    It's interesting to see that Europe is more openminded towards OSS than the US is. If they do things like this.. pass legislation to encourage OSS development. I could see how programmers would see countries in the EU as kind of a haven. Especially if they didn't arrest them on site like a certain country i know of...
    • it's because we're all socialists (at least some, mainly north-americans, seem to think so)

      //rdj
    • definitely! i'm moving [glug.org] to italy in the next few years, partly because US culture is getting to be a real drag, and partly because a good number of the hackers i respect [gnu.org] are in that time zone. (i'm serious.)

      i wonder if slashdot will be around, or if there will be a slashdot.it by then...

  • AFAIK, Echelon wiretapping is done at the physical layer level; it has nothing to do with trapdoors in the software itself. It would still be done with Linux in every desktop, cell phone and fax machine.
    • Right, but it could be more easily defeated with widespread use of strong encryption (e.g. transport mode IPSec). Use of OSS in the desktop allows the user to be confident that there are no backdoors there to circumvent such use of crypto.
  • end-to-end mail encryption schema/idea:

    1) sender checks compliancy of target machine. if encryption protocol is installed, message is encrypted.
    2) sender encrypts message.
    3) single use key is stored on originating server
    4) encrypted message is transported to target machine
    5) target machine receives message and reads encryption headers
    6) target machine requests one time key from sender
    7) simple security checks, this can be spoofed I'm sure, but try and validate the authenticity of the one-time key request. Flag and send a message to the sender if things seem out of order, or reject request.
    9) if request is valid, send key and delete one-time key from server
    10) further requests will be denied (so if a message gets intercepted and someone tried to get the key, if/when the actual target tries to unencrypt, they can get a notification that the key has already been used. they have the option to flag a message back to the sender notifying them of a possible breach.)

    I dunno, this might work, then again I'm not a mail or encryption expert.
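
The key-release part of the scheme in the post above (steps 3 and 6 to 10), as an added example that is not part of the original comment: it shows that a single-use key lets the denied party detect that someone else already fetched the key, but only the step 7 check decides who gets it first. `OriginServer`, `open_message`, the string-match identity check and the addresses are assumptions made for the illustration, and the SHA-256 counter-mode keystream is a stand-in cipher so the block runs on the standard library alone.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    # Stand-in cipher for this demo (SHA-256 in counter mode); not vetted crypto.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class OriginServer:
    """Hypothetical sender-side server that holds each single-use key (step 3)."""

    def __init__(self):
        self.pending = {}      # msg_id -> (intended recipient, key)
        self.released = set()  # msg_ids whose key was already handed out
        self.alerts = []       # (msg_id, reason, claimed identity) for the sender

    def send(self, recipient, plaintext):
        # Steps 2-4: encrypt under a fresh key, keep the key, ship the envelope.
        msg_id = secrets.token_hex(8)
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        body = keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        self.pending[msg_id] = (recipient, key)
        return {"id": msg_id, "nonce": nonce, "body": body, "tag": tag}

    def request_key(self, msg_id, claimed_identity):
        # Step 10: a key is never released twice; a repeat request is flagged.
        if msg_id in self.released:
            self.alerts.append((msg_id, "repeat request", claimed_identity))
            return None
        entry = self.pending.get(msg_id)
        # Step 7: identity check. A bare string match, so it can be spoofed,
        # as the post itself expects.
        if entry is None or entry[0] != claimed_identity:
            self.alerts.append((msg_id, "rejected request", claimed_identity))
            return None
        # Step 9: release the key once and delete it from the server.
        del self.pending[msg_id]
        self.released.add(msg_id)
        return entry[1]


def open_message(server, envelope, identity):
    # Steps 5-6: read the envelope header, then ask the origin for the key.
    key = server.request_key(envelope["id"], identity)
    if key is None:
        return None  # the caller learns the key is unavailable: possible breach
    expected = hmac.new(key, envelope["nonce"] + envelope["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None  # envelope was modified in transit
    return keystream_xor(key, envelope["nonce"], envelope["body"])


def run_scenarios():
    bob = "bob@example.org"  # constructed address
    results = {}

    # 1. Normal delivery, then a second request for the same key. The server
    #    cannot tell which of the two requesters was the real recipient; the
    #    one that is denied is the one who finds out.
    srv = OriginServer()
    env = srv.send(bob, b"meet at noon")
    results["normal"] = open_message(srv, env, bob)
    results["replay"] = open_message(srv, env, bob)
    results["replay_alerts"] = [a[1] for a in srv.alerts]

    # 2. A request under the wrong identity is rejected and flagged, and the
    #    key stays available for the intended recipient.
    srv = OriginServer()
    env = srv.send(bob, b"meet at noon")
    results["stranger"] = open_message(srv, env, "eve@example.net")
    results["stranger_alerts"] = [a[1] for a in srv.alerts]
    results["bob_after_stranger"] = open_message(srv, env, bob)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, "=>", value)
```
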
  • This is very good news. The next time I find a government-connected website, (or anything funded or contracted by the government for that matter) which does not work in Mozilla, I'll be emailing them a link to this page.

    • For that matter, any time I find something that I need to download a Windows executable to get to work.

      Or even services managed by regulators (ADSL, for example) should now be supported in non-Windows systems, or at least for specifications to be released so that they may be.

  • Ever since I read that the EU was looking into anti-trust/price-fixing violations by the record and movie companies, and now are looking at M$, I think that maybe the EU will save the US from itself..

    Jim
  • ...is not necessarily the fact that OSS would benefit from such a move, but the fact that the EU takes the privacy of its citizens seriously and is eagerly promoting information security and encryption.

    Those of us in the US, on the other hand, have principals in the government (the VP for example) who have attempted to make information security and encryption illegal.

    • but the fact that the EU takes the privacy of its citizens seriously and is eagerly promoting information security and encryption.

      The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen may employ on pain of jail time.

      What the 'EU' is truly concerned with here is that the US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by a US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

      protect_privacy != protect_privacy_from_US


      • The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does.
        The part of the 'EU', represented by people chosen in a part of the world where I live does. Why else would there be a Non-US Debian GNU/Linux then, hosted outside the US? The US (and China, Afghanistan, Iran and [your favorite death-penalty-applying country]) restricts encryption to take away the freedom to choose the amount of privacy one uses. You cannot separate privacy and freedom, and it differs in various parts of the world.

        By 'EU' and 'US' we refer to the political power brokers of the respective organizations.
        The amount of privacy/freedom legally permitted is agreed upon by these political power brokers.

        ...the draconian British laws that require...
        The UK is, compared to other countries in Europe, closest related to the US, on various territories. Sometimes it shows. Sometimes it doesn't. Often it's humorous.

        What the 'EU' is truly concerned with here is that the US may be able to spy on 'EU'
        Nuff said.

        Kudos for showing interest in European affairs though ;)


        • Jantastic makes good points. While the EU's privacy endorsing position may give some a warm fuzzy feeling, please remember that one of their members, the UK, has no qualms whatsoever about placing cameras on every square foot of public property and that those same cameras record every activity of citizens, running their faces through FR software to determine if they should be arrested.

          Geez.
      • The 'EU' doesn't give any more of a damn about the privacy of its citizens than the 'US' does. By 'EU' and 'US' we refer to the political power brokers of the respective organizations. Recall the draconian British laws that require law enforcement to be able to have access to any encryption that a private citizen may employ on pain of jail time. What the 'EU' is truly concerned with here is that the US may be able to spy on 'EU' corporations and obtain market advantages. The fact that the most popular desktop software is owned by a US corporation with a reputation (deserved or not) for backdoors and hacks to break competitors doesn't sit well with the 'EU'. They would much rather be in control themselves.

        I can only conclude you didn't read the report. It included many recommendations aimed at enforcement of the individual's fundamental right to privacy, a concept that some Americans may find difficult to grasp. It does not seem partial to business interests at all.

    • They may take the privacy of their citizens seriously, but they certainly don't take the citizens' rights seriously. Especially freedom of expression, information & association. As most USians are no doubt aware, there isn't the same rigid protection of constitutional rights in European countries as there is in the USA. Some restrictions of rights are permitted, which is why a lot of laws the US civil libertarians have been in arms about, like the CDA, have already been implemented in many European countries (though perhaps not quite as bad as the CDA). In some cases, there is no court to declare a law constitutional, in other cases, there is a court, but it is politically slanted and not obliged to declare laws that tread on principle freedoms unconstitutional unless they completely violate them. For example, if a theoretical law that made ISPs block everything that the government told them to was passed, it'd probably be declared unconstitutional. OTOH, Australia already has one of them. Good thing I don't live there anymore.
      On the positive side, most of us don't have a DMCA yet, and an SSSCA is out of the question, so it's not all bad ;)
  • by hardaker ( 32597 ) on Friday September 07, 2001 @01:16PM (#2264289) Homepage
    You really want to encrypt everything, not just email. I'm not sure why the EU thinks encrypting just email will stop echelon from being effective. Even if echelon was only sniffing email, they certainly would switch to sniffing other forms of communication if all email was encrypted.

    The proper solution is to encrypt all your IP traffic through IPsec tunnels [ietf.org]. Recent work [ietf.org] within the IETF [ietf.org] has given new ideas about how to start performing automatic IPsec connections with any host you can speak with. This is the type of solution that will help battle echelon like networks.

    • The proper solution is to encrypt all your IP traffic through IPsec tunnels
      But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

      Correct me if I'm wrong...

      --Charlie
        • But doesn't IPsec normally travel through GRE, which is subject to ICMP hijacking - and thus vulnerable to man-in-the-middle attacks?

          Correct me if I'm wrong...

        I'm afraid you're wrong. IPsec has its own method of tunneling that isn't based on GRE.

        Now, what you could have noted was the internet-draft I pointed to required storing keys within secure-dns, which hasn't been deployed yet either...

    • Encrypting everything via IPsec tunnels will stop echelon specifically, but not all "attacks" such as Carnivore.

      Anything that monitors the email server rather than simply sniffing traffic will be able to sidestep the IPsec tunnel (assuming we are still using email and not some p2p tunneling mail protocol). Although it would be nice and much easier to just implement IPsec across the board (and easier still once IPv6 is more widely adopted), to stop system attacks rather than just network attacks requires encrypting each message. Oh well.
    • What you would really want is IPsec encryption and heavy PGP encryption on all documents going over the wire especially for common services like email, ftp transfers, etc.

      Okay so you've cracked my email server now you have access to a bunch of headers and a lot of encrypted garbage. You crack my ftp server and you've got nothing but encrypted files.
  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Friday September 07, 2001 @01:36PM (#2264407) Journal
    This answers another question, "Why did the Bush administration stop the MSFT breakup?". The US needs a US-based OS monopoly to insert APIs like NSA_key, FBI_tap, Jenna_beer, etc.

    With European governments wise to Echelon and MSFT's complicity with the US requests to make certain back doors...it would not be in the US's best interest to speed adoption of OSS software by breaking MSFT's stranglehold on competition.

    While I'm stretching a bit, I don't doubt this is inline with the thinking in Washington (or would that be Virginia?).

  • As anyone following the news might know, France is using Linux in most of its wiring of public schools, and many French firms are adopting OSS for their software needs.

    While some posters are correct that the UK is not pro-OSS in many respects, and certainly anti-privacy, Europe is not a monolith. OSS is spreading throughout northern Europe (Scandinavia), Germany, France, Spain, Italy, and so on.

    None of this will defeat Echelon, however, so long as the UK sits in the middle of the pipe, feeding any data that comes through Gibraltar and England to the US. So, without strong encryption of normal traffic, and a move to IPv6sec, Echelon will continue to survive and prosper.

  • Mmmkay, so Open-Source software is better. And Microsoft is a bunch of NSA luvin bastards.
    I heard this before.

    (I am a very-new-newbie to linux so don't take this the wrong way)
    If OSS software developers were so concerned, why is there no industrial-strength ultra crypto distro (is that the term?) of linux with really kewl desktop themes and special ZoneAlarm-type-firewall, Serv-U-FTP looking encrypted FTP & other super-duper features?

    I think there was awhile back by the name of Paranoid Linux or something like that.

    Why wasn't there a demand for an ultra-secure version of linux? Just because you might not be committing computer (or other) crimes is not a reason to run an unsecure OS.
    • Use debian and 'apt-get install enlightenment iptables ftpd-ssl gpg'.

      There isn't really anything special in your list that hasn't been offered by most distros for years.
  • As I was updating this site [minocw.nl] [Dutch Ministry of Education, Culture and Science], I couldn't help noticing these questions [minocw.nl] [in Dutch, for Loek Hermans, minister] asked in parliament this week.
    I was surprised to see some politicians here who seem to be aware of the consequences of the draconian Microsoft licensing coming up. So I decided to (try to) post some of them in English below.
    Disclaimer: translating is not part of my job, I'm not a politician and I don't represent anybody. I only do www-tech-stuff, thank you.


    1-4, summary:
    Did the minister calculate the amount of extra millions of money needed if schools, universities, government, etc. need these new [XP-type] Microsoft licenses?

    5
    Which other consequences does the new operating system [Microsoft] have in combination with the new licensing system, for Kennisnet [kennisnet.nl] and connected schools?
    (translated: Knowledgenet - an Internet-based network of primary(?) schools for kids, parents, teachers, etc.)

    6
    Which actions did you take in the past to inform schools about the Microsoft trap?

    7
    Which actions are undertaken now or in the near future to minimize negative consequences for schools? Are you willing [...] to focus their attention on alternatives like MacOS, Linux and FreeBSD?

    8
    How are you going to prevent that the government, and users and visitors of websites of the government, become dependent on only the Microsoft operating system?

    9
    Are you willing to investigate how can be assured that information from the government will remain accessible for all Internet users, despite their chosen operating system, or Internet-browser they use?


    Did you notice 'the Microsoft trap' in (6)? Not just a MS trap, or another MS trap, but the one and only.
    Although I like the question, I think the choice of words makes it look rather clumsy (for a politician, that is), or very MS-unfriendly. Which I find funny. I guess. :)

    It usually takes months before answers are put online, unfortunately.
