Snowden Seeks To Develop Anti-Surveillance Technologies
An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."
Kinda Like Mega (Score:1)
Can't wait for an app that would allow anyone to be completely anonymous, even from the almighty Goog'lord.
Re: (Score:1)
The NSA's probably got them in stock.
Re: (Score:2)
Retroshare can give you encrypted IM, mail and forums shared only with your retroshare contacts. It's a bit of a headache on dynamic IPs though - it expects all nodes to be mostly-stationary. An observer could work out who your contacts are, but that's all they are getting - metadata only, no content. Also does file transfer and share-browsing.
Re: (Score:3)
The "An observer could work out who your contacts are" gets even better if you try and meet in person. A member of the press turns their phone off and walks in a direction. Any other person in the area who turns their phone off and then on later like the member of the press is tracked.
IP, the internet, mobile phones: it's all great for tracking back the moment a person in gov tries to reach out.
Th
Re: (Score:2)
Requiring the government to use fiddly correlation analysis to get a partial idea of your activities is still a lot better than the current situation, where they need only issue one sternly-worded letter in order to retrieve everything including content and history.
Re: (Score:1)
I've tried RS. Even tried to introduce it to the company but failed for a couple of reasons:
1. The key exchange thing was a bit of a pain for others (don't see a way around that though). It wasn't seamless.
2. No smart-phone support. People are not just PC bound.
They ended up using HipChat.
The thing is, RS is designed for the security conscious who are prepared to put up with a bit of stuffing around because there's nothing better out there. When people consider security 'a nice to have' with ease of use be
Re:Kinda Like Mega (Score:4, Informative)
An app won't give you much anonymity. You need to start from the ground up with an OS that leaves no trace on the hardware and has good encryption and anonymity tools built in.
Here's a good start: TAILS
https://tails.boum.org/ [boum.org]
Re: (Score:2)
Considering who owns Mega, I wouldn't trust it further than I can throw that blob.
soviet era crypto (Score:1, Insightful)
And I'm sure Russia will have absolutely no influence over what Snowden is working so hard to bring us too!
Re:soviet era crypto (Score:5, Insightful)
As long as it's not the latest curve, privacy preserving crypto can be written by NSA itself, and still be secure for you. SELinux was written by NSA, and I don't have a problem using it. Your security model shouldn't rely on the party your software came from. It should rely on the software itself, independent reviews, and, if you can't afford your own review, the many-eyes-principle (which has chilling effects).
The Russians could only say "this is too secure, design something that can be broken more easily".
Re: (Score:3)
Mod parent up.
It is not who makes it, it is how it is made.
Re: (Score:1)
Mod parent up.
It is not who makes it, it is how it is made.
Assumptions breed ignorance. And even you were likely surprised over the capabilities and activities revealed by the very person we're discussing here. One would have thought you would have learned when random number generators were found to be not-so-random, and encrypted microcode updates validating themselves against compromised key servers came along.
But hey, if you truly feel that it doesn't matter who makes it, then feel free to ignore those export control laws and purchase your electronics where th
Re: (Score:3)
They don't? That's good to know, I'll go install a few dozen free apps right now!
Re: (Score:1)
I am not sure I follow your point.
You are arguing that it does matter who makes the software, yet take examples of the unchecked software to be examples of supporting your case. Even if you get down to hardware level, you are back to square 1 - unchecked code.
As for the build process, that only depends on how thick your tin-foil hat is. I don't see any reason why Soviets are going to be any worse in producing your hardware than 'muricans or Chinese.
Re: (Score:2)
I love that show [wikipedia.org]!
Re: (Score:2)
I'm waiting for them to do an episode on laws and sausages.
Re: (Score:2)
Why (and this is the point,) would you trust the NSA any more than the Russian government? Neither wants you to be able to hide what you're doing from them. If these last few years have taught us anything, it's that your government, (wherever you live,) and possibly other governments, should be regarded as the same as any other group of people who could potentially do you harm by knowing things you might want to keep to yourself, whether or not you've committed any legitimate transgression or 'crime' as t
Re: (Score:2)
That's really the only way, a one time pad used once, number stations. The key to all the free quality crypto was that all the press were being watched anyway so you get to encode all you want. The moment you send, attempt contact, it's just tracked back. No need f
Re: (Score:2)
So, who will be auditing Snowden's code? I wouldn't even consider using anything he wrote without independent third party audits .... lots of audits of the code, design, algorithms, everything. And no binaries that he builds.
Imagine the evasive power of the dual or triple functionality achieved by some of the Obfuscated C content entries combined with the subtle designs of Russian government cryptographers. No threat there, no sir.
Can he actually write code? And I mean code at the level of sophistication required for the type of functionality he is calling for? What he is calling for is way beyond the realm of sysadmin-related programming.
Re: (Score:2)
Probably not, but he at least knows it and instead calls upon those of greater ability in that area to rally to his cause.
Re: (Score:1)
See? Now I know you're full of it.. When have you ever seen anything subtle from the Russians?
The hackers on planet Earth? (Score:1)
I've taken the time to watch some of the Chaos Computer Club videos on cryptography, which I think is loosely connected with this HOPE crowd. They seem like a very sharp bunch. I would certainly take my chances on anything they've hammered on.
Re: (Score:2)
The Russians could only say "this is too secure, design something that can be broken more easily".
Like the NSA did with TrueCrypt?
Re: (Score:2)
The strange thing is that I trust the Russkies more by now than I trust the US...
If someone told me that 30 years ago...
Re: (Score:2)
NSA is Malcolm in the Middle?
Re: (Score:2)
That's what strong encryption is for.
Biggest problem in IT security: ID-10-T errors (Score:5, Insightful)
Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.
You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.
Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.
Re:Biggest problem in IT security: ID-10-T errors (Score:5, Interesting)
Understand how "open source" telco layers over tame telco software and hardware can save any data on entry.
i.e. once you're targeted, all privacy is lost no matter the fancy open source app. The security services will be in every hop of any network into and out of your computer/device until they get full plain text.
Encryption seems to be the key until your use of it shows up at an endpoint under constant surveillance. Then the individual targeting starts on the new person.
The easiest step is to make encryption more GUI-, web 2.0-friendly. Then a lot more people will be flooding the net with random heavy code 24/7.
Use-once hardware would be interesting. It would stop any long-term profile, any unique hardware numbers being sent. If you then work on really good crypto to hide voice, pic, file sent, text you could kind of have a one-session. Snowden hinted a bit about association (you to the press), mixed routing, the need for unattributable internet access in the 1h+ talk.
A lot of steps to fix an internet that is now really like Tempora https://en.wikipedia.org/wiki/... [wikipedia.org] and what that can do to your message and a person in the press being watched.
The other aspect was education. A civic duty to teach, educate the wider public and press. The classic Sysadmins of the world, unite! also mentioned.
Re: Biggest problem in IT security: ID-10-T errors (Score:1, Insightful)
Bullshit... OpenSSL is open source and look at all the crap they found this quarter alone...
Re: Biggest problem in IT security: ID-10-T errors (Score:5, Insightful)
Bullshit... OpenSSL is open source and look at all the crap they found this quarter alone...
They found all that *because* OpenSSL is open source. How much have they found in closed source versions of SSL libraries?
Re:Biggest problem in IT security: ID-10-T errors (Score:5, Insightful)
It doesn't have to be perfect, it just has to increase the cost of mass surveillance to a level where it is no longer feasible. Surveillance is too cheap because much of the data is just there for collection, unprotected.
For example, the UK government just passed emergency data retention laws that require all ISPs to continue logging the domain names of every web site every subscriber visits. If more people started using VPNs regularly that capability would become far less useful, and while I'm sure they could attack the VPN providers or crypto or even the individual target's computers, the cost would be much higher than simply requiring the ISP to run a large database. They would be forced to stop bulk collection and only target people of genuine interest, which is reasonable.
Re: (Score:3)
For a start, just convince every site to use SSL. It's possible to MITM SSL, but not on a large scale without detection. All the ISPs would be able to log is DNS lookups and IP addresses, which is still bad but not nearly as bad as being able to see individual pages accessed. Then you can start looking into possible ways to make DNS harder to monitor somehow.
Re: (Score:1)
...it just has to increase the cost of mass surveillance to a level where it is no longer feasible.
It doesn't work that way. It becomes a call for a bigger budget and higher taxes to pay for it.
This could totally work out (Score:3)
Edward Snowden certainly has name recognition in the security space, which in branding terms equals big money. He's got his share of wild and crazy times overseas doing various hijinx not always on the up and up, sorta just like other security specialists [slashdot.org] of an earlier generation. Sure, in terms of branding alone Snowden could easily become the next McAfee, and he's still very young!
And it isn't as if they weren't both wanted on international warrants either; and street cred does sell sneakers.
So Slashdot... (Score:5, Insightful)
"You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day,"
Looking at you Slashdot.
When are we going to have access to this site with https? You can stop pushing your fucking annoying beta down our throats and do something useful for everybody instead.
Re: So Slashdot... (Score:1)
You mean https that's built on OpenSSL?
Re: (Score:1)
A protocol isn't built on an implementation. Use a version of OpenSSL that doesn't have known bugs or use another SSL implementation if you want to.
Claiming that HTTPS is unsafe just because one implementation has bugs is like saying that C is slow because someone wrote a bad compiler once.
Re: (Score:1)
Use a version of OpenSSL that doesn't have known bugs
Bwa ha ha ha ha ha ha ha!
Yeah, the guys who are making LibreSSL probably wish you could be doing that. If they weren't compelled to make a decent SSL implementation, they could probably focus more on things like the anti-botnet research of the Hail Mary cloud. But, since OpenSSL is known to not patch bugs, they've decided that this other work is necessary.
Please don't refer to an OpenSSL version that doesn't have known bugs. Just because one super-critical bug has been identified and addressed does not m
Re: (Score:2)
Do something useful? Do you have any idea what it would do to Dice's profits?
Re: (Score:2)
At this point I'm thinking that the NSA or GCHQ asked them not to implement HTTPS. What other reason could there be for not taking the simple, low cost, minimal action required to enable it? Soylent News, which runs on the same code base, supports it.
Re: (Score:1)
And IPv6 access while you are at it.
Re: (Score:2)
I'm fine with http. I'm just stating my opinion. If that is grounds to lock me up, you can as well lock me up for then I'm in a prison already.
Technology is only a small part of the problem (Score:5, Informative)
As long as the citizenry tolerates and sometimes even roots for the government's violation of civil rights, everything including the technology is just details.
The existence of a decent open-source router can't do much against a U.S. National Security Letter.
Re: (Score:2)
End-to-end encrypted communications can.
Re: (Score:2)
It's a small part, but it's a part. I think Snowden has done his fair share of trying to inform laymen and stir up giving-a-fuck. If he wants to switch to working on tech, he could accomplish nothing and still come out far ahead of the rest of us. ;-)
While we certainly should care enough to force our government to stop being our adversary, there will always nevertheless be adversaries. You have to work on the
New SSL root certificate authority (Score:3, Interesting)
A nice step ahead would be the establishment of a new set of root certificates and an accompanying authority that signs other people's certificates. All located in a country that doesn't play ball with NSA and other thugs.
This would do a lot to dampen the routine man-in-the-middle we see these days.
Re: New SSL root certificate authority (Score:1)
We already have them. We need Google and Mozilla to stop being little bitches and bending over for the CAs and security services and implement DANE already in their browsers. I don't buy for a fucking minute that they don't implement it because it's not common enough yet...
Re: (Score:3)
The lesson of CA failure is that there shouldn't be root authorities. Users (or the people who set things up for them, in the case of novices) should be deciding whom they trust and how much, and certificates should be signed by many different parties, in the hopes that some of them are trusted by the person who uses it.
If you want to catch up to ~1990 [wikipedia.org] tech, then you need to remove the "A" in "CA."
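The model this comment argues for, as an added illustration that is not code from the thread or from any real PGP implementation: each user keeps their own trust table, and a key counts as valid only once enough introducers who are themselves valid, and whom that user has chosen to trust fully or marginally, have signed it. The key names, the threshold of three marginal signatures and the sample keyring are all made up.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"


class WebOfTrust:
    """Validity of keys as seen by ONE user; another user with a different
    trust table gets different answers from the very same signatures."""

    def __init__(self, own_key, marginals_needed=3):
        self.own_key = own_key
        self.marginals_needed = marginals_needed   # assumed threshold (PGP's classic default)
        self.trust = {own_key: FULL}               # introducer -> FULL / MARGINAL
        self.sigs = defaultdict(set)               # key -> set of keys that signed it

    def set_trust(self, introducer, level):
        """The user, not a root authority, decides whom to trust and how much."""
        self.trust[introducer] = level

    def add_signature(self, key, signer):
        self.sigs[key].add(signer)

    def valid_keys(self):
        """Fixed-point iteration over the signature graph: a key becomes valid
        only after the introducers vouching for it are valid themselves."""
        valid = {self.own_key}
        changed = True
        while changed:
            changed = False
            for key, signers in self.sigs.items():
                if key in valid:
                    continue
                # Only signatures from keys that are already valid count,
                # and a self-signature never vouches for anything.
                usable = [s for s in signers if s in valid and s != key]
                fulls = sum(1 for s in usable if self.trust.get(s) == FULL)
                margs = sum(1 for s in usable if self.trust.get(s) == MARGINAL)
                if fulls >= 1 or margs >= self.marginals_needed:
                    valid.add(key)
                    changed = True
        return valid

    def is_valid(self, key):
        return key in self.valid_keys()


def build_example():
    """Constructed sample keyring for the user 'alice' (all names are made up)."""
    wot = WebOfTrust("alice")
    wot.set_trust("bob", FULL)
    for k in ("carol", "dave", "erin"):
        wot.set_trust(k, MARGINAL)
    wot.set_trust("ivan", FULL)              # trusted, but never validated (see judy)
    for k in ("bob", "carol", "dave", "erin"):
        wot.add_signature(k, "alice")        # alice signed these keys herself
    for k in ("carol", "dave", "erin"):
        wot.add_signature("frank", k)        # three marginal introducers: enough
    wot.add_signature("grace", "carol")      # only two marginals: not enough
    wot.add_signature("grace", "dave")
    wot.add_signature("heidi", "bob")        # one fully trusted introducer suffices
    wot.add_signature("mallory", "mallory")  # self-signed only: worthless
    wot.add_signature("judy", "ivan")        # ivan's own key is not valid, so
                                             # his signature carries no weight
    return wot


if __name__ == "__main__":
    print(sorted(build_example().valid_keys()))
```

Frank's key becomes valid for alice only because she happens to trust three of its many signers; a user with a different trust table might validate it through other signatures or not at all, which is exactly the "some of them are trusted by the person who uses it" property.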
Re: (Score:2)
If you want to catch up to ~1990 tech, then you need to remove the "A" in "CA."
Thanks for the insult. It hardly stung. I expect you to start the project shortly. I'll gladly donate to it on kickstarter.
Re: (Score:2)
Unless you worked at Netscape in the mid-1990s, no insult was intended.
All I meant is that by the very early 1990s, we (and by "we" I mean people smarter than me; I was clueless at the time) had a pretty good idea that CAs wouldn't work well outside of real power hierarchies (e.g. corporate intranets). But then a few years later the web browser people came along and adopted X.509's crap, blowing off the more recent PKI improvements, in spite of the fact that it looked
Re: (Score:2)
There are already plenty of CAs in countries that are not under US jurisdiction. However, so far the CAs that issued bad certs were all outside the USA, and appear to have only done so because they got hacked and not because they were e.g. forced to by court order.
Unless you have a magical solution to hacking, I don't think your new root CA would solve much.
Additionally, citation needed for "routine man in the middle". SSL MITM has been studied by academics at scale. They did not find evidence of much. Gov
Secure technology (Score:4, Funny)
I'm going back to my 1942 Corona typewriter with the "t" slightly raised.
Re:Secure technology (Score:4, Funny)
And why do you think the "t" is slightly raised, hum? Spyware, that's why.
Re: (Score:2)
Because in Soviet Russia, something something Dark Side.
It is about getting out. (Score:2)
Or go to a beach for a swim.
Have a meaningful private conversation while running, walking or swimming. Speak in a calm quiet voice, not louder than necessary.
So getting out is good not only for health, but for privacy too. Besides, it is much safer to run together or to walk together.
Re: (Score:1)
The parks are full of bugs...
Stop Snowden first ... (Score:1)
Hell, he walked in and got the stash and fled the country. Manning had already done a similar heist before this.
So, we've got minions with access to sensitive data and can't stop them. The government needs to audit itself ... again.
It does no good to wrap this stuff up in a cloaking device if space cadets can glomp and run.
"Develop" or "Instigate the development of"? (Score:3)
Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (in Bitcoin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality, and expect the world to adopt it?
I mean, let's be honest: either way, whether he's going to just try and brand the stack or contribute, we have technologies that are perfectly good (that is, however, not to say perfect) already -- it's just that they aren't particularly widely deployed. How many organizations are running IPsec internally, other than just for site-to-site VPN tunnels? How many organizations are deploying DNSSEC outside of governments and the military? How many organizations are using PGP or similar asymmetric encryption between employees? Making it easier might help, but chances are that the vast, vast majority of individuals aren't going to jump on any of these technologies in any great numbers unless they are mandated to (like at work, where they don't have a choice), but it isn't as if the government is going to make it a requirement that you try and "spy proof" your computer and communications.
Re: (Score:3)
Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (in Bitcoin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality, and expect the world to adopt it?
All that counts is that Snowden has the balls and integrity that is so lacking in the "uber-hacker" department. You can't threaten Snowden, you can't bribe him. An uber-hacker, you can buy him out or scare him.
Anyways, you don't need uber-hackers to develop security software. The encryption algorithms are university research level stuff and as long as you understand the basics of it, you're fine. The rest is just writing code around it that a decent programmer should be able to handle well.
Re: (Score:2)
Or an equally good brag: "I wrote a program that's illegal in China."
All I've written are two programs illegal in the US - but that's because one infringes on a software patent, and the other is a circumvention device under the DMCA. It's also a trivial program consisting of about five lines of C, but that doesn't really matter.
Re: (Score:2)
Except the stuff about how a 29 year old completely pwnd the NSA, probably the most technically sophisticated part of the US Government there is?
Sheesh. Your standards are high. What would it take, exactly?
Additionally, just because you have read nothing about his programming skills doesn't mean he has none. He once mentioned finding XSS holes in some CIA app so apparently he is good enough to do that.
ZeroKnowledge (Score:2)
So now I guess ZeroKnowledge [wikipedia.org] was 16 years too early. I remember laughing at it.
I still don't care whether NSA or other idiots read my mail for I have nothing to hide. But the prospect of ill-advised policy enforcers' ability to use otherwise benign data as scapegoating is irritating.
Link to Snowden hangout video (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Vote Snowden / Binney 2016! (Score:2)
Here's my latest Snowden / Binney 2016 bumper sticker art, suitable for printing at 2.75" x 5" cropped size plus a .125" bleed, 300 DPI, on vinyl:
PNG [traxel.com]
Vector (LibreOffice Draw) [traxel.com]
This is my original artwork, CC BY-NC-SA, so print a pile and spread them around if you like. I use psprint.com, and I recommend searching "vinyl bumper stickers" on DuckDuckGo, where psprint is usually running a coupon in the search results. I haven't received the color proofs for this version yet, but these are corrected from a previo
....In Russia (Score:1)
Oh please, Eddy, shut the fuck up.
Not going to happen. (Score:1)
As an instance I cite the farce that is known as email. Architectural and design decisions were made which did not consider the mass adoption of email by billions. Nor were the possibil
Re:Don't you want to be a traitor too? (Score:5, Funny)
Don't be a police state fan boy, and learn to spell "cretin", cretin.
Re: (Score:2)
Well, if he is a cretin, you shouldn't criticize him. It's not nice to criticize the mentally handicapped.
Re:Don't you want to be a traitor too? (Score:5, Insightful)
If making people realise that their basic rights are being trampled makes me a traitor, then I'd want to be a traitor any day...
Re: (Score:2)
Alright, but which day do you think it's going to be?
Signed,
your friends at the NSA.
Re: (Score:2)
Would July 14th [wikipedia.org] be ok?
The breeze around your neck that you feel shouldn't worry you...
Re: (Score:2)
As for 'if the Germans knew about it', that is the classic understanding of WW2 crypto. Germany trusted the machine, upgraded it a bit and had all its spies turned.
Let's take Normandy. Army Group B has some idea, Pz Lehr Division was moved, Germany had a spy near the British ambassador to Turkey, the Royal Navy had lost aspects of its low level codes, British railroad codes had been lost by late 1943, the German airforce saw changes in US and UK practice traffic, US Transport Command lo
Re: (Score:2)
You seem to be comparing two searches:
1) Done on ALL civilians, including people who were suspected of nothing
2) Specifically targeting official transmissions with probable cause to expect genocide
I don't know about the other would-be traitors, but the problem I have isn't with intercepting any communications of any kind; it's with searching innocent people. I'm perfectly OK with the NSA hacking actual terrorists.
I hate to admit it, but I just happen to have an erect penis reading your public communications on Slashdot.
To be fair, it was erect before I opened the page. I think the SEO consultant sitting next to me is ovulating.