Death and the NSA: A Q&A With Bruce Schneier 149
Daniel_Stuckey writes "Since Edward Snowden's disclosures about widespread NSA surveillance, Americans and people everywhere have been presented with a digital variation on an old analog threat: the erosion of freedoms and privacy in exchange, presumably, for safety and security.
Bruce Schneier knows the debate well. He's an expert in cryptography and he wrote the book on computer security; Applied Cryptography is one of the field's basic resources, 'the book the NSA never wanted to be published,' raved Wired in 1994. He knows the evidence well too: lately he's been helping the Guardian and the journalist Glenn Greenwald review the documents they have gathered from Snowden, in order to help explain some of the agency's top secret and highly complex spying programs.
To do that, Schneier has taken his careful digital privacy regime to a new level, relying on a laptop with an encrypted hard drive that he never connects to the internet. That couldn't prevent a pilfered laptop during, say, a 'black bag operation,' of course. 'I know that if some government really wanted to get my data, there'd be little I could do to stop them,' he says."
obligatory quote (Score:5, Interesting)
"Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing." Helen Keller
Schneier is right,
I thought (Score:5, Insightful)
Security is a process, not a product. For instance, one cannot purchase some product that guarantees your online security, then babble endlessly on Facebook about your every bowel movement while expecting to be "secure". McCafee may promise that online stalkers can't track you, but your posts to Facebook informs that stalker where he can find you every afternoon at 1:30. Don't be surprised when he kicks the bathroom stall open, and has his way with you.
Re: (Score:1)
[...] one cannot purchase some product that guarantees your online security [...]
Death. If your death isn't enough, try everyone else's instead.
Re:I thought (Score:5, Funny)
You cannot just kill yourself, then babble endlessly on the Tome of Faces Crossed Over about your meta existence while expecting to "Rest in Peace". Charon may promise safe passage, that those pesky "seers" won't stalk you, but don't be surprised when one unearths your casket and has his way with your corpse.
Re: (Score:3)
Re:I thought (Score:4, Insightful)
Re: (Score:2)
Re:I thought (Score:5, Insightful)
Problem exists between keyboard and chair. Every security professional knows this. The math is an upper bound of security. What sits between keyboard and chair is the lower bound.
The real question is how to solve this problem. My traditional answer is education, but that's been actively attacked for the past 100 years. Fear does the same in 6 months what education does in 50 years. How do you make people fear for their loss of privacy enough that they will lash out against it? That's the million-(billion-?)dollar question freedom advocates have to answer.
Re:I thought (Score:5, Interesting)
One solution is technological. You can't educate users, but you can configure the technology to improve the 'idiot mode' security. SSL is a good example: The end user can get most of the benefits without even knowing what SSL is or having any understanding at all of cryptography.
Re: (Score:3)
The end user can get most of the benefits without even knowing what SSL is or having any understanding at all of cryptography.
When it comes to protection from the common script kiddie possibly. I am not suggesting we should stop aiming at secure by default, it can't hurt. What can hurt though is this idea that you don't need to know anything. IGNORANCE IS ALWAYS DANGEROUS. Sorry for shouting but the point must be driving home. What you don't know can hurt you. Now nobody can know everything but not knowing anything is just lazy and asking for trouble.
I am not suggesting everyone needs to understand all the math behind the
Re: (Score:2)
You can't educate users, but you can configure the technology to improve the 'idiot mode'...
And thus, we all get Windows 8.
Re: (Score:2)
You can't educate users, but you can configure the technology to improve the 'idiot mode'...
And thus, we all get Windows 8.
No, that's definitely marketing-driven.
Re:I thought (Score:5, Insightful)
Problem exists between keyboard and chair. Every security professional knows this. The math is an upper bound of security. What sits between keyboard and chair is the lower bound.
The real question is how to solve this problem.
That's a strong assumption that the upper bound is the math. We haven't seen the rest of Snowden's documents.
We used to think that monitoring 300 million Americans at once was a mathematically impossible (or at least highly improbable) task. We were proven wrong.
And as we've seen even parodied in cartoon, a pipe wrench can beat the shit out of most crypto. Literally. Physical security is always the first line of defense.
Re: (Score:2)
The phone numbers at both ends would be a filter - is one or both known/of interest? Are they related/friends/connected with a person/group of interest?
Are any of the words spoken during the call of interest? Later are any of the voice prints known?
That would keep the front end of any international and domestic system very busy for a short time per call but the number of kept calls would be low.
The private t
Re: (Score:2)
That's a strong assumption that the upper bound is the math. We haven't seen the rest of Snowden's documents.
I think one of the points in saying this is what it leads to. If the upper bound is the mathematics, and the mathematics is weak (e.g. triple ROT13), then you can't get any more security than that. Well, you sort of can, but that's security through obscurity, or security theatre, which is a fairly weak stance to take.
Wrong scale. (Score:5, Insightful)
We used to think that monitoring 300 million Americans at once was a mathematically impossible (or at least highly improbable) task. We were proven wrong.
It's not impossible. It was considered to cumbersome, because it would require too much ressource. (i.e.: it was considered practically impossible. It is feasible, but we though that it wouldn't be worth the effort and nobody would try the hassle).
But the NSA came and showed they *are* really ready to throw the vast amount of ressource. They were the people ready to go through all the practical hurdles.
What is currently considered mathematically and physically impossible is breaking most of the current secure algorithms:
- Brute forcing can't be done. At all. Not as in "it requires a too big computer" [as was back the case in WW2 regarding Enigma. Enigma was practically not breakable, but the Allie were ready to throw the ressources at building even bigger computers to brute-force it]. But as is "the computer required for can't physically exist" - the range to brute force (the "bits of security" concept) is so vast that you'll reach the heat-death of the universe before ending-up finding a solution. Brute-forcing doesn't work, at least not with current mathematics in the current universe.
- The only way out is either exotic new forms of computing that work on different physical principles (the well known hypothetical "quantum computer" example)
- Or finding a flaw in the maths behind an algorithm that vastly reduces the range to brute-force (as in: you don't need to scan the whole range, you can deduce more likely candidate and only test them. Small scale example: a "ceasar substitution cypher" has 25 possible rotation of the alphabet. Brute force would require testing all 25 of them (and as its only 26, its doable). But a simple statistic test gives out 1 or maybe 2 most likely rotation to test)
As a side note, Bitcoin and Altcoin are a very interesting test-case on modern crypto: They all relly on modern cryptography for their inner working
- ECDSA for all transaction signing on all protocols
- SHA256 for block validation on Bitcoin (and co)
- Scrypt for block validation on Litecoin (and co)
- large prime factoring for block validation on Primecoin (and co)
- all SHA-3 candidate on Quark, Yacoin (and co)
- etc.
Given the huge money at stake, there would be a big pressure to actually break the algorithms, and if there were flaws, someone would be bound to break them and laughs his/her way to the bank, why everybody else complains about stolen wallets.
But that hasn't happened yet.
The only thing that happened is people building even bigger and more absurde machine to do regular bruteforcing (as part of the normal block-validation procedure). And a few heist happening due to actual implementation bugs (DSA requires cryptographically-good random numbers).
The NSA can't break this. They usually proceed differently:
- bribe/inflitrate their way into bogus SSL certificates/stolen root private keys
- count on- or even intentionnally plant- implementation bugs (See the various random-generator stories)
- count on- or even intentionnally plant- backdoors (See spying through Google, Yahoo, Microsoft, and co).
- publish bogus/asinine/or booby trapped standards.
The perfect security of maths isn't a guarantee by itself if anything else in the system is broken.
Re: (Score:2, Flamebait)
What sits between keyboard and chair is the lower bound.
How quaint. Your statement panders to those who are easily fooled by the preconceived bias you share. Your answer "education" is so pitiable that I would laugh in ridicule if it weren't so sad that this is what you actually believe.
You're not seriously implying that expending the energy to trick each person into disclosing their private data is easier than purchasing a zero day exploit on the black market -- that's ready and set to attach a payload -- and deploying it against the entire world in an aftern
Re:I thought (Score:4, Insightful)
The real question is how to solve this problem. My traditional answer is education, but that's been actively attacked for the past 100 years.
The answer is engagement. You must actively engage. Part of that is proselytization. Nobody wants to be the marketing dick (except the dicks who are selling us shit we don't need, mostly) but we all need to get other people to engage, too. Right after we get off our own arses.
Re: (Score:2)
your posts to Facebook informs that stalker where he can find you every afternoon at 1:30. Don't be surprised when he kicks the bathroom stall open, and has his way with you.
Oh, you flirt! but, come now, you're taking away the surprise, and you know that's half the fun...
Re: (Score:1, Insightful)
Re: (Score:2)
If one truly believes that the laptop will be stolen and the contents of the drive must never be revealed, then don't store the contents on the drive. Decoys, deception and hiding things in plain sight are paramount to paranoia. Yes, sometimes they are out to get you. Or place a small explosive charge within the drive itself that will be triggered unless an authorised command is sent. (yes, it can be done).
Er, explosive triggers on hard drives? Seriously?
While we're talking about the NSA here, let's not let the conversation spiral out of control due to the audience on the other end. The average citizen is trying to secure their embarrassing porn collection and grandmothers cookie recipes. I doubt a murder charge is worth the explosive security model or the investment.
That said, a self-destructing hard drive might be an interesting sales tactic for the hard drive vendors out there. Rather pointless when yo
Re:obligatory quote (Score:5, Insightful)
Many of us don't even care that much about the actual data, but are trying to secure our *right* to privacy.
Re: (Score:3)
Er, explosive triggers on hard drives? Seriously?
He's probably thinking more along the lines of a percussion cap rather than a few ounces of C4. You only need enough to damage the platters.
Re: (Score:2)
Need is quite a funny word here.
All you need to do is overwrite the sectors with the encryption headers, then nobody is accessing the data. Course if you can't garauntee its never in anyones hands without you being around, then you probably don't have a mobile device and need something always on, so it can be always ready to trash itself..... but....
no matter how small a boom you make, you are going to be accused of some sort of recklessness, terrorism and whatever else. If you have a security system that w
Re: (Score:2)
All you need to do is overwrite the sectors with the encryption headers, then nobody is accessing the data
Or use an OPAL-compliant self-encrypting hard drive.
Send it the code to generate a new encryption key and *bam* the drive resets back to factory spec with all data rendered as inaccessible garbage.
Re: (Score:2)
While I appreciate throwing specialized hardware at the problem, it sounds like a rather expensive solution to the problem. Still going to have the same constraints, going to need to be powered up to receive the burn instructions.
Its actually an interesting problem set, what happens if the drive electrically dies? Seems like you want key data on a separate device where you can then wipe sections of either drive to destroy the data (that way a failed drive can be "erased"), but then you also need to guard ag
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Or place a small explosive charge within the drive itself that will be triggered unless an authorised command is sent. (yes, it can be done).
I doubt that a explosive charge that small could guarantee a destruction of the hard drive that is rules out forensic recovery of at least part of the data. Now thermite neatly wrapped around the hard drive burning at 2400 C now that would leave nothing left to work with unless there is a way to physically rebuild a hard drive from a smoldering pile of molten metal, plastic and cement. Though I have to admit to being paranoid I am also far too attached to my genitals for ever even considering rigging such a
Re: (Score:2)
I'm afraid that you've already been trapped by starting out with a flawed assumption, that such a device would require explosives. Self-destruct drives already exist, from a company called RunCore, at http://www.runcore.co/en/ [runcore.co] Their site seems to have been slashdotted, but it's an interesting approach for high seurity data.
Re: (Score:2)
Re: (Score:2)
"Now thermite neatly wrapped around the hard drive burning at 2400 C now that would leave nothing left to work with unless there is a way to physically rebuild a hard drive from a smoldering pile of molten metal, plastic and cement."
Possibly killing and maiming everybody in the same house by burning it down, is way worse than e little explosive in the face of a policeman.
A degausser would work without killing policemen or bystanders.
www.datadestroyers.eu/index.html
Perhaps it could be miniaturized enough to
Re: (Score:2)
Possibly killing and maiming everybody in the same house by burning it down, is way worse than e little explosive in the face of a policeman.
Well.... I didn't recommend it as a solution only pointing out that for data destruction it would be rather extremely effective, and if side effects as described by you occurred it would quite likely severely set back the investigation, albeit with the quite possible result that from only being a person of minor interest one would end up with being the new hearts of 5 on playing cards. [wikipedia.org]
Re: (Score:2)
Or place a small explosive charge within the drive itself that will be triggered unless an authorised command is sent. (yes, it can be done).
I doubt that a explosive charge that small could guarantee a destruction of the hard drive that is rules out forensic recovery of at least part of the data. Now thermite neatly wrapped around the hard drive burning at 2400 C now that would leave nothing left to work with unless there is a way to physically rebuild a hard drive from a smoldering pile of molten metal, plastic and cement. Though I have to admit to being paranoid I am also far too attached to my genitals for ever even considering rigging such a thing in my laptop, and so should everyone else be with the exception of aspiring Darwin award winners
Jesus the fucking lawnmowing guy.
You lot are pissweak amateurs.
If you're going to use explosives to protect your data, do it bloody properly. Use enough semtex to take out the entire room, all the disks and the pesky agents trying to get your data. Double points for having it set up in a controlled demolition so that aerial photos display the logo of your evil organisation.
Re: (Score:3)
Schneier is right,
Snowden was working hand in glove with the NSA.
While I respect everything Schneier has accomplished,
I'd go with Snowden's appraisal of the NSA's (in)ability to crack certain forms of encryption.
Snowden is obviously not going to write a how-to for us,
but it's been reported multiple times that he's using layers of encryption.
If it's possible for Snowden to craft something the NSA can't break, then it's possible for Schneier too.
Re:obligatory quote (Score:5, Insightful)
Encryption can't be cracked. (Score:4, Interesting)
I'd go with Snowden's appraisal of the NSA's (in)ability to crack certain forms of encryption. Snowden is obviously not going to write a how-to for us,
but it's been reported multiple times that he's using layers of encryption. If it's possible for Snowden to craft something the NSA can't break, then it's possible for Schneier too.
Encryption fucking works. And well done modern encryption is more or less impossible to crack.
(Just think about Bitcoin and all the other alt-coin. They all heavily rely on modern encryption. Yet, despite the tremendous monetary incentive, nobody has managed to crack their algorithms yet. Only find implementation bugs to exploit).
Usually, when NSA finds something, it's not by magically cracking an "impossible-to-break" crypto.
It's by getting around the crypto: using exploits or otherwise abusing bugs, bribing their way, etc.
Crypto is the strongest link in the chain, but they are tons of other link much more easy to break.
What makes the difference between successful security operation like Snoden and Scheiner on one hand and busted fails (like Silk Road's DPR) is the rigorous discipline in doing *EVERYTHING ELSE in addition of crypto* absolutely right.
To come back to the example in the summary:
online exploit won't be of any help for breaking into a computer if this computer is never connected (and "off" most of the time).
(Though said offline computer can still simply be stolen).
Re: (Score:2)
Let's say the NSA can crack SHA-2 256.
They have an annual operating budget somewhere above $10 Billion USD. (http://www.washingtonpost.com/wp-srv/special/national/black-budget/)
The total current value of all bitcoins is about $11 Billion USD. (http://bitcoincharts.com/bitcoin/)
If someone starts selling massive numbers of bitcoins the price will quickly drop, just like in a run on a bank.
The total amount they can extract at once is limited by the amounts of money the e
Sorry, I don't buy that ! (Score:1)
" Security is mostly a superstition. It does not exist in nature ... Avoiding danger is no safer in the long run than outright exposure. " Helen Keller
Sorry, I just don't buy that !
Security is BUILT into nature !
Plants, fungi, bacteria all fought each others with an assortment of chemicals.
Some of the chemicals are offensive in nature ~ to be used to destroy opponents' defense ~ while others are defensive ~ to discourage potential opponents from launching attacks ~, for example.
For animal kingdoms, evolution had provided all kinds of offensive weapons and defensive weapons, from fangs, claws, razor sharp talons, to poisonous nerve toxins, to ultra-thick e
So then, (Score:5, Insightful)
which organism in nature has developed an unassailable position, from which it cannot be dislodged?
The word "secure" implies that "I'm safe, and I don't need to worry about stuff". And, that is the attitude that most internet users seem to develop. Install some magical suite of software from a "reputable" vendor, and you are home free.
In fact, all organisms in nature are in constant battle with their environment. The hawk will starve if he doesn't eat, and the rabbit is dinner if he doesn't stay alert. The flowers in the garden are fighting for their own survival, warding off parasites, while luring pollinators, all the while maintaining their positions in the sun.
There is no "security" in nature - none.
Re: (Score:1)
That's perfect being the enemy of good. The original quote seemed to be arguing that if perfect safety couldn't be achieved (and I agree that it can't) then you might as well cheefully fling yourself into the face of danger.
Any layer of defense can increase your security somewhat, whether in nature or online, and if the cost isn't too high that's a good thing.
This entire thread seems to have skipped that part of the analysis. The question is not whether it's a good idea to defend yourself from danger. Of c
Re:So then, (Score:5, Funny)
"which organism in nature has developed an unassailable position, from which it cannot be dislodged?"
Cats.
Consider, they domesticated mankind thousands of years ago, having discovered just how weak our minds can be, We feed them, care for them, provide them shelter and in return they give nothing back, but disdain or the occasional brush up. Sure there are exceptions to the rule, individual cats being harmed, but when looked in total, they have become the true, dominate species on the planet. One day it will be Cats that go into space, using their human drones to establish the infrastructure and means to propel them out into a galaxy ripe for conquest.
(I have to go, my overlords are coming towards me, pray they don't see what I wrote)
Re: (Score:2)
Re: (Score:2)
It was Helen Keller "speaking" though...
Re: the children of men (Score:1)
Totally sent me on a tangent to study Ecclesasties.
Re: (Score:1)
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Benjamin Franklin)
Re: (Score:2)
This is just an assertion. Do you have any arguments to back it up?
Re: (Score:2)
Re: (Score:3)
Yes and No. In cyber security class they taught us that nothing is secure from someone who absolutely wants your data, but that doesn't mean you can do nothing. Security is not an all or nothing event.
Cyber Security relies of being meshed with physical security, and the good will and social reliability of everyone else, to certain degrees, and other non-cyber security measures.
The three "Ds" of security are Deter, Detect, and Delay.
The ability to detect intrusion can give you the ability to start clean up s
Re: (Score:1)
Cold warriors (Score:5, Interesting)
Re:Cold warriors (Score:4, Insightful)
classic infiltration? the kind of where the "intelligence" agency recruits some people to do something and then they bust them for being recruited to do something?
Re: (Score:1)
Sometimes they don't even need to recruit (Score:1)
classic infiltration? the kind of where the "intelligence" agency recruits some people to do something and then they bust them for being recruited to do something?
If you read this article ~ https://medium.com/quinn-norton/654abf6aeff7 [medium.com] ~ you would know that at times them "intelligent agencies" don't even need to do any recruitment
All they need to do is to set a trap and sheeples (even those with above average IQ) would fall in and work their ass off for worse than nothing.
Re:Cold warriors (Score:5, Insightful)
What terrorism? You mean the semi-cretins that needed massive help from the FBI?
"Terrorism" is not a relevant threat today.
Re: (Score:1)
Don't tell the Department of Homeland Security, the FBI, the CIA and the Department of Defense that. Of course the NSA is part of that too. They have programs and payrolls to maintain. Just think of Terrorism as the new Beltway jobs program. Once the cold war ended, how else were we going to keep the DC economy going?
Don't believe me? Just look at home real estate prices over the past few years. While most of the nation suffered home price stagnation or depreciation, there was
one area of the country t
Re: (Score:3)
Oh, I completely agree. All this surveillance and fear-mongering is basically about bureaucrats trying to keep and enlarge their fiefdoms. If they would just waste the money, I would not mind so much. Instead, they are trying to establish a totalitarian regime with global reach. Hitler dreamed of this, but fortunately could not make it happen. These people have a fair chance.
Re: (Score:2)
I think you have to throw Stalin as well as the PRC in that mix as well. Our focus on using technology should be to enhance our lives not watch everything we're doing. As for wasting money, they also need to stop doing that as well. Frankly if congress would grow a backbone and de-fund 90% of this stuff we'd all be better off but because of the fear mongering won't happen soon because both parties in power love to have their constituents afraid.
Re: (Score:2)
Yes, Stalin and several others. I grew up in Germany, so I was thinking of the "1000 Year Reich" Hitler wanted to build.
I completely agree on fear. "Fear is the mind-killer." That makes people that are afraid easy to govern. And as most politicians are pathetically incompetent at their jobs, they need all the help they can get.
Re: (Score:2)
"Terrorism" is not a relevant threat today.
Terrorism never was a threat which required the huge amount resources that were being used in the guise of fighting it.
Offhand, I can suggest at least two more plausible reasons:
1. Political (prevention of dissent)
2. Economic (industrial espionage)
Re: (Score:2)
I agree. But I would go farther and say that even a much smaller amount of resources would be entirely wasted.
Of course, the use is to keep people in fear. "Fear is the mind-killer." and makes people easy to control. That is also why instead of being fought, terrorism must be amplified and fostered, as otherwise the threat becomes even more flimsy. That explains well why this huge effort has not stopped any terrorist plots at all. (Of course, this little fact is being lied about...) The absolute worst thing
Re:Cold warrior (Score:1)
That the intelligence community is created in its present form as a means to fight the cold war.
Even in the last decade or so before the Wall fell and the Cold War was over, if not long before, spending on military and intelligence has been primarily another channel for shoveling public funds to private contractors. Notice how spending did not decrease post-1989, when the alleged threat had evaporated. They badly needed a new threat to justify the outlandish "defense" budgets and sure enough a decade later one presented itself. The amounts are way out of proportion to the actual danger, just as before
Re: (Score:3, Interesting)
The intelligence community ... was made as an conventional army fighting another conventional army (the GRU and KGB) and the sigint operations was hand-tailored to this kind of war. But what has happened since is that the enemy has changed.
It's like the immune system gone into overdrive attacking its own body - c.f. Aids.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Schneier addresses one important point here. That the intelligence community is created in it's present form as a means to fight the cold war. It was made as an conventional army fighting another conventional army (the GRU and KGB) and the sigint operations was hand-tailored to this kind of war. But what has happened since is that the enemy has changed. The guerrilla tactics of terrorism is a sigint nightmare, and scaling it to perverse and antidemocratic level isn't helping at all. Every time I hear about the needle and the haystack I can't but wonder how these dinosaurs have come to pull this Jurassic stunt on us.
The reality is that what works is not sigint. It is not more computers. What seems to be working is classic infiltration. Please think about that Dianne Feinstein before you use more American tax-money on your Silicon Valley pets.
I respect your comment, but your beating an invisible drum, there is no real threat from "terrorism" just as there was no real threat from Russia's/communism. Part of it was done as a means to boost tech among the military, and to implement a way to keep control over US citizens that they deemed a threat to there checks and balances. (You seem to know how and who was targeted, Im hoping)
"explain some of the agency's top secret and highly complex spying programs" (quote from the /. story) What a redundant st
false flag? (Score:5, Insightful)
The snowden leaks almost seem like a false flag type situation. the scary NSA/CIA/FBI are snooping on you, queue the outrage! Meanwhile every single fucking corporation in the USA is doing the same, with far less oversight, and far spookier goals. (Sure a government agency should be expected to come along and strong-arm entities such as google and facebook (though who am I kidding? they're basically partners.) so either way they get the data..). How is it not commented on, that short of a few very specific use cases, 'big data' is basically the solution to personal privacy?
GIve it 10 years and you'll have your health and life insurance companies discussing your shopping habits with your grocery store, your car insurance company with it's lojack device in your car (or failing that, your smartphones GPS data), and 100% of your web-usage habits tracked and correlated to YOU. It's 12:30 am and maybe it's the wine, but as melodramatic as this sounds, we're a society marching into our own yokes -- all for the sake of convenience and saving 10 cents on a pack of toilet paper.
Basically the score is this: the security/privacy/sanity focused crowd is up in arms over the NSA, which represents about 1% of the population, half of whom bleat about privacy while still using the services that enable the NSA/FBI/Whoever. 99.5% of the population is either not using these services, or is indifferent (in actions, though perhaps not in words.).
Re: (Score:2)
Re:false flag? (Score:4, Interesting)
Where no one reports it, or prosecutes it, it's already being done. I've recently worked with educational facilities whose compliance with basic security practices for student and staff data is in "compliance" with EU law because they passed an audit, but the audit was basically a checklist they filled out. I refused to sign the parts of it that came to my crew, because the answers were lies, and submitted my concerns to their company and my company's lawyers and security managers. The education company was very, very careful to keep the auditors away from _me_.
They have changed their approaches to a number of the security issues I raised, but their own leaders did not know the security violations performed as a matter of common practice by their own staff, especially concerning student private data.
Re: (Score:2)
Re:false flag? (Score:5, Funny)
queue the outrage!
Sorry, my outrage is strictly in a FIFO stack. I'm now scheduled to be outraged about (pop) let's see... orang-utans in Guatemala... who are (pop) racist against French children.
Re: (Score:2, Informative)
queue the outrage!
Sorry, my outrage is strictly in a FIFO stack. I'm now scheduled to be outraged about (pop) let's see... orang-utans in Guatemala... who are (pop) racist against French children.
FIFO is queue. stack is LIFO.
Re: (Score:2)
Re:false flag? (Score:5, Insightful)
The snowden leaks almost seem like a false flag type situation. the scary NSA/CIA/FBI are snooping on you, queue the outrage! Meanwhile every single fucking corporation in the USA is doing the same, with far less oversight, and far spookier goals.
The CIA is authorized to eliminate threats, foreign or domestic. In 10 years time, that might simply be accomplished via a mouse click to send the signal to an armed drone. Speaking of false flag, let's hope the threat algorithms are not automated and tied to that drone army.
Whatever Google/Facebook/Yahoo/Microsoft wants to do with my data, I highly doubt it could get much spookier than that.
You may remove your rose-colored glasses now. And put the Constitution and Bill of Rights away. Those are nothing more than art exhibits.
Re: (Score:2)
Problems with the Snowden timeline? Getting from the CIA to a contractor with the NSA - who cleaned/reviewed the record and let the NSA/contractor continue with the hiring process?.
The gatekeeper/time frame for release on the documents?
http://cryptome.org/2013/11/snowden-tally.htm [cryptome.org] "Tally now 548 pages (~1%) of reported 50,000. NSA head claims 200,000 (~.25% of that
Re: (Score:2)
Re: (Score:2)
I don't think many major corps are legally tapping into their competitors lines...
but yeah, it's kind of a big problem that they can deal all your information legally in USA. though eventually that will lead to credit check companies becoming useless(due to having sold so much info for identity fraud).
it's not really spying _me_ that I'm worried about, it's about them(nsa) affecting the corporate and world economic policies through spying the companies and favoring some over the others. that's fucking behin
Re: (Score:2)
The reach of those private companies is limited by design. They can see what you intentionally share with them, is not like they hack your PC if you are using an encrypted network [slashdot.org], lower internet encryption standards so they can sneak in the communications that are not for them, plant backdoors in foreing, private networks [www.nrc.nl], and force vendors of all major closed software companies to put backdoors in their code for them (and to bad apples in their organization, and whoever else that figures how to use them)
Re: (Score:2)
Of course I
Re: (Score:2)
The snowden leaks almost seem like a false flag type situation. the scary NSA/CIA/FBI are snooping on you, queue the outrage! Meanwhile every single fucking corporation in the USA is doing the same, with far less oversight, and far spookier goals.
This is so divorced from reality. I hope you're just "false flag" trolling and don't actually believe what you're shoveling.
... in the Land of the Free... (Score:5, Insightful)
So... America as an open, strong democracy that liberates people to express their highest ideals, to be allowed live their lives as they see fit, and is a force of good around the world is... what?... a lie?
There seems to be quite a gap between what people believe about America and reality. Maybe somewhat enlightened people in the US are coming to understand reality, but, no matter how many people have awoken, this is not the America I thought I grew up in. The citizens of that formerly great country remain too complacent for any true, lasting change to take place.
"Land of the Free?" I think not. "We're number One?" Only in per capita incarceration rates and military spending. "Hey, look! It's a Wookie!!" Ya, right. Go back to sleep.
To me it's a mark of reality to understand we absolutely need people like Snowden, Manning, and Assange, as well as writers like Hersch, Greenwald, and Schneier.
Re: (Score:3)
It's relative. America is a lot more free than many countries, arguably less free than a few others, and certainly falls short of the (unattainable) ideal many citizens believe it to be.
WTF ?! (Score:5, Insightful)
America is a lot more free than many countries, arguably less free than a few others, and certainly falls short of the (unattainable) ideal many citizens believe it to be.
It's exactly this kind of mindset that is KILLING THE UNITED STATES OF AMERICA
Unattainable ideal ?
You gave up even before you started the journey ?!
Re: (Score:2)
Re: (Score:1)
What "good ole days" when "Americans were united"? You mean, when wealthy white males were united, and if you were black/female/poor then sucks to be you? We've still got a lot of those good ole days left, and many are valiantly working to bring us back in that direction. America has never been united, and never can be until class, race, and sexist divisions are eliminated --- e.g. Capitalism is abandoned. Before that, "united America" is a propaganda lie to keep people from examining the true divisions und
Re: (Score:3)
There's a balance to be had there. Our ideals are number one, or at least a heck of a lot better than most. That's why you even have some mental standard to trash us with.
You can get so far into trashing your own country that you don't even know why you are doing it.
I've traveled enough to know that when most people start a sentence with "in this country", it just means they don't know about others, even if they think they do.
E.g. you haven't seen racism until you've seen how they treat the one half-black k
Re: (Score:3)
E.g. you haven't seen racism until you've seen how they treat the one half-black kid in a tiny Chilean town. ... We're a flipping racial harmony paradise compared to most of the world.
Tell that to the millions of completely innocent black men roughed up by the NYPD in what is politely called "stop-and-frisk", solely because they're black men, with police chief Ray Kelly and mayor Michael Bloomberg cheering on the cops. Tell that to the thousands of Hispanic people roughed up and frequently locked up in Arizona because they aren't carrying with them something that would prove they are a citizen of the US. Tell that to the thousands of US citizens who were rounded up in September of 2001 o
Re: (Score:1)
They already have his data (Score:5, Insightful)
Or do you think they have spared Schneier from being forced to hand out Snowden's data, while they have destroyed Lavabit just to get to his emails? C'mon people, this is ridiculous! Of course he had to give it to them!
On a side note, I wouldn't be surprised if he had been somehow prevented (presumably in some 'legal' way) from re-editing and updating Applied Cryptography after the 2nd edition. At least in this case it's fairly hard to see any other reason why the best selling and most popular book on cryptography shouldn't have been modernized.
Re: (Score:3, Informative)
At least in this case it's fairly hard to see any other reason why the best selling and most popular book on cryptography shouldn't have been modernized.
Read his preface to Practical Cryptography and you'll get your reason. In a nutshell: so many people took Applied Cryptography, wrote code to do the ciphers, packaged a nice API, and then did shipped a bunch of information-leaky broken implementations that provided a false sense of security, that Schneier's followup work was more like "use THIS not THAT".
Schneier's privacy todo list at IETF Tech Plenary (Score:4, Interesting)
I thought it was a good speech, but this 'todo' part [youtube.com] towards making mass surveillance "expensive" stood out for me. So I used it as a list of criteria to evaluate [slashdot.org] my favorite privacy tools, I2P and Qubes OS.
Schneier's guidance does seem like a mixed bag to me, especially in this day and age; He mostly wants the privacy tech of the 1990s, only "more". I also got the same impression once watching Jake Applebaum speak at a gathering. There is this tendency to appreciate all the neat little qualities that targetted crypto does within various applications and platforms, and when asked about online privacy they regurgitate them all in a fashion that ensures no normal person would take heed. Extra demerits for implying that large IT industry projects need to be unleashed to address the privacy problem.
Its not hard to surmise from my other posts that I advocate a more blanket approach that is PC focused, so that ordinary people on their own can make the largest improvement in their online privacy using the fewest number of tools. The upshot is that those tools have to be more radical than usual in their design.
Oblg xkcd (Score:1)
How a black bag operation works. [xkcd.com]
Re: (Score:1)
in 2006, in a "democrazy" middle-eastern country, my HP IPAQ failed to deactivate the gprs, after having inserted a bezeqint simcard. After that, i had many technical problems. I was highly displeased, and at port-of-departure (ben-gurion-internazional-airport),
they confiscated my laptop, saying that it would be on the next flight.
Then, i had to wait nine-days before they sent me the laptop. why didnt they just clone the drive (in a minute-flat)?
These agencies are way too beligerent, and full of shit.
Re: (Score:2)
Ridiculous (Score:2)
This is absurd.
The NSA is an organisation of bureaucratic code monkeys. It employs more mathematicians than security staff. The NSA does not do black bag operations.
An organisation like the CIA, yes, would be expected to perform such activities. But the CIA would have a lot more discretion/sense in how it went about such things.
If the NSA does actually start running "black bag" operations, I am confident they will do as poor a job of keeping it secret as they have with the rest of their Austin Powers arsena
Actually, no. (Score:3, Insightful)
Mostly the rest of the world has been presented with the erosion of freedoms and privacy in exchange for Americans presumably having better safety and security, but with nothing in return.
Somehow the expectation is that everyone else in the world give up our freedom and privacy in order to benefit the Americans.
And, really, none of us were asked if we think that's fair, and many of us are past the point of accepting what makes Americans more secure if it means that we have lost some of our rights.
If the choice is between me keeping my freedom and privacy and Americans having security, quite frankly, I'd rather keep my rights intact. I'm not sacrificing myself for you, because you wouldn't do the same for me.
So fuck that. I didn't sign up for it. America might think that's an equitable arrangement, but it isn't.
Re: (Score:3)
If the choice is between me keeping my freedom and privacy and Americans having security, quite frankly, I'd rather keep my rights intact.
I'd rather have you keep your rights, and I'd rather keep my rights, too. To me, it doesn't matter whether or not the security is real; freedom is my goal.
It's not about security vs privacy (Score:1)
The technotronic era involves the gradual appearance of a more controlled society...
dominated by an elite unrestrained by traditional values. Soon it will be possible
to assert almost continuous surveillance over every citizen and maintain up-to-date
complete files containing the most personal information about millions of
uncoordinated citizens... effectively exploiting the latest communications
techniques to manipulate emotions and control reason...
America's Role in the Technetronic Era: Between Two Ages, Zbi