Online Security Isn't Over; It's Just Beginning

from the time-to-move-on dept

One of the more annoying responses to the latest revelations about the NSA's spying and surveillance is people brushing it off, saying, "well, of course the NSA was doing this." That simplistic, short-sighted response doesn't really take into account the importance of the details and, worse, seems to suggest that this kind of status quo is acceptable. It's not. Worse, it's leading some to take the fatalistic approach that there's nothing to be done, so why even bother? That's the exact wrong approach. As Micah Lee points out:

"Giving up and deciding that privacy is dead is counterproductive. We need to stop using commercial crypto. We need to make sure that free software crypto gets serious security and usability audits.

"If we do this right we can still have privacy in the 21st century. If we give up on security because of this we will definitely lose."

Bruce Schneier has been thinking along similar lines. Beyond his call to rebuild internet infrastructure with security and openness in mind to make life more difficult for the NSA, he's also discussing things people can do right now to remain a hell of a lot more secure in the face of the NSA's activities.

If the internet is going to be as powerful and as useful as it should be, it needs to be a lot more secure. Throwing in the towel because of some backdoors is the exact wrong approach and is exactly what's not needed right now. The security needs to be better and it needs to be easier to implement and to use. That won't happen overnight, but it will happen. It needs to happen.


Reader Comments

  1. This comment has been flagged by the community.
    out_of_the_blue, Sep 6th, 2013 @ 7:29am

    WRONG! Don't try to hide from your errant servants!

    Remind them that THEY ARE SERVANTS, that they're breaking their oaths and BEING EVIL, and are allowed their power only so long as they serve We The People.

    That's rock-bottom AMERICANISM: when The Rich use gov't for tyranny, it's time to rise up and pull down the tyrants, NOT HIDE LIKE MICE.

     

  2.
    jackn, Sep 6th, 2013 @ 7:46am

    Re: WRONG! Don't try to hide from your errant servants!

    Yeah, tell them to get us a glass of water!

     

  3.
    Duven, Sep 6th, 2013 @ 8:51am

    Trust

    -the internet (or at least its protocols) is based on trust

    That may just be the beginning and end of the whole problem

     

  4.
    anonymous coward, Sep 6th, 2013 @ 8:54am

    Aren't we just overdue on putting together a third political party? ...and not just some quarterback wannabe with personal wealth to run for president?

     

  5.
    etrimby, Sep 6th, 2013 @ 9:00am

    Re: WRONG! Don't try to hide from your errant servants!

    O.K. so Blue has a damn good point here and everyone just reflexively reports him? That's pretty damn stupid.
    We need a 2 step program here.
    1. Make the government start working for us, the way we want it to.
    2. Use that reformed government to stop excesses and abuse from the corporate world.

     

  6.
    beech, Sep 6th, 2013 @ 9:13am

    Re: WRONG! Don't try to hide from your errant servants!

    Why can't we do both?

     

  7.
    beech, Sep 6th, 2013 @ 9:15am

    Re: Re: WRONG! Don't try to hide from your errant servants!

    It's kind of like a "boy cries wolf" scenario. It's hard to take the poor guy seriously when 99% of his comments are off-topic and/or ad homs.

     

  8.
    Indy, Sep 6th, 2013 @ 9:16am

    Top down?

    1. Industry leaders come up with new solutions.
    2. NSA (or some new, secret-funded group) pressures them for potential weak points.
    3. Crypto is broken, again, silently.
    4. Right back where we started.


    None of the technical stuff matters anymore if it's got the spooks with their fingers in it anyway.

     

  9.
    Alt0, Sep 6th, 2013 @ 9:27am

    hide in the open

    Personally, I avoid certain words and phrases in my online communication now. I am sure this will get sorted one way (we take away their power to do this) or another (we are able to subvert their efforts to do this with better encryption).

    The thing is, they SAVE EVERYTHING and even with better encryption it's just a matter of time until they will be able to crack that as well. Seems the only truly secure way to regain our lost privacy is to take away the power which allows their actions. Until then I avoid using the net for important communication and hope to hide in the ever-growing haystack.

     

  10.
    John Fenderson (profile), Sep 6th, 2013 @ 9:47am

    Some steps are missing

    I would prefer to see no parties at all rather than more parties. But the core problem isn't any of the parties at all. The core problem is a prolonged and systemic takeover of the government by major corporations and the ultra-wealthy.

    We've been down this road a couple of times before in US history. This is a familiar landscape.

     

  11.
    John Fenderson (profile), Sep 6th, 2013 @ 9:48am

    Re: Top down?

    The technical solution is easy: don't use the "solutions" that industry leaders provide. We don't need them.

     

  12.
    Anonymous Coward, Sep 6th, 2013 @ 9:51am

    We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)

    Browsers should use the new protocol by default, and give an "Are you sure you want to navigate to this site? It has weak encryption." warning message for sites using TLS 1.2 and older protocols.

    Almost all sites use TLS 1.0/SSL 3.0, both of which are quite vulnerable. Maybe a large crowd of users complaining about sites' weak encryption could finally get them to upgrade and thwart the NSA.

     

  13.
    Anonymous Coward, Sep 6th, 2013 @ 10:25am

    Re:

    > We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)

    TLS 1.2 without compression has exactly what you want. Stronger encryption (AES-GCM, SHA-256), no known weaknesses. You can easily disable RC4 when using it (not offering it as a client, not taking it as a server).

    > Browsers should use the new protocol by default, and give an "Are you sure you want to navigate to this site? It has weak encryption." warning message for sites using TLS 1.2 and older protocols.

    That is a bit of an inversion, since plain non-encrypted HTTP (which has even weaker encryption - the equivalent of 0-bit crypto) would not get a warning. First add a warning to non-encrypted connections, then start killing the older protocols one by one as people upgrade.

     

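Added example, not part of the original comment thread: one way to apply the settings the reply above describes (TLS 1.2 without compression, AES-GCM suites only, RC4 neither offered as a client nor accepted as a server) with Python's standard `ssl` module, plus an audit that checks a context against them. The function names and the permissive counter-example are constructed for illustration; TLS 1.3 suites, which postdate the thread, are skipped by the audit.

```python
import ssl

def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """TLS 1.2 or newer, no compression, ECDHE with AES-GCM only."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # "TLS 1.2 without compression"
    # OpenSSL cipher string: only AES-GCM suites are enabled, so RC4 is
    # neither offered (client side) nor accepted (server side).
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL")
    return ctx

def permissive_context() -> ssl.SSLContext:
    """Constructed counter-example: compression allowed, broad cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION         # re-allow TLS compression
    ctx.set_ciphers("HIGH")                       # also enables CBC-mode suites
    return ctx

def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways ctx departs from the policy described in the reply."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocols older than TLS 1.2 are allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression is allowed")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not controlled by set_ciphers()
        name = suite["name"]
        if "RC4" in name:
            problems.append(f"RC4 suite enabled: {name}")
        elif "GCM" not in name:
            problems.append(f"non-GCM suite enabled: {name}")
    return problems

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()),
                       ("permissive", permissive_context())):
        print(label, audit(ctx) or "OK")
```
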

  14.  
    Anonymous Coward, Sep 6th, 2013 @ 10:47am

    Re: Trust

    By definition, there is no privacy/security on the Internet; any communication that involves a 3rd party is unsecure. Wishing for the unattainable is silly.

    You want privacy? Go somewhere by yourself or go talk to somebody face-to-face.

     

  15.
    John Fenderson (profile), Sep 6th, 2013 @ 11:38am

    Re: Re: Trust

    Security and privacy are not black-and-white. That is, you can never have 100% of either, but that doesn't mean you should accept 0%.

    Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.

     

  16.
    Anonymous Coward, Sep 6th, 2013 @ 11:47am

    A sign of giving up

    Not all of us who say "of course the NSA is doing this" mean it as a statement to throw in the towel for privacy.

    You've got a shiny new thing to keep all your secrets? That's good, keep working on the next new thing to keep it secret... soon the NSA will figure out how to get into that new thing so you better have the next ready.

     

  17.
    Anonymous Coward, Sep 6th, 2013 @ 12:48pm

    Re: Re: Re: Trust

    > Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.

    Uh, no.

    What is the point of posting such bunk?

     

  18.
    Anonymous Coward, Sep 6th, 2013 @ 2:40pm

    ha!

     

  19.
    tracker1 (profile), Sep 6th, 2013 @ 3:21pm

    DNS Sec + Signing

    I think that working around CAs and allowing self-signing via DNSSec is probably the first step... the biggest points keeping out broader SSH are shared hosting (multiple IPs, one IP), and the CAs, which if compromised, may as well be public.

     

  20.
    RonKaminsky (profile), Sep 6th, 2013 @ 4:13pm

    Security is not binary

    Given that the manpower of the NSA is actually quite limited, I see no reason why John Fenderson is incorrect. If I contact someone using what is advertised as his public key, even if the NSA runs a MITM against us, it would have to have a real human editing our conversation to prevent us from exchanging enough information to be able to detect the MITM attack. There is no way an automatic logger (which is all the NSA can afford to run against "Average Joe Who Is Probably Not A Terrorist Or Otherwise Interesting") is going to be able to prevent us from confirming our PK fingerprints.

     

  21.
    That One Guy (profile), Sep 6th, 2013 @ 5:58pm

    Re: XKCD

    ... they really do have a comic for everything, don't they?

     

  22.
    Rapnel (profile), Sep 6th, 2013 @ 6:17pm

    Re: Re: WRONG! Don't try to hide from your errant servants!

    % nsa make me a sandwich

     

  23.
    Anonymous, Sep 6th, 2013 @ 6:19pm

    Re:

    A third? Don't you mean a second?

     

  24.
    Gerald Robinson (profile), Sep 7th, 2013 @ 9:34am

    Online security & internet redesign

    Besides needing massive government reform which we will not get so long as we do not have congressional term limits and don't tax bribes. Redesign of the internet is not possible because much of it is controlled by oligopolies who collude with each other: the cable providers Comcast and Time Warner being the worst, they work with the Telcos/Wireless providers AT&T and Verizon. They will not support nor permit any change that they do not approve and that keeps them from getting $Bn/year from DoJ and NSA.

     

  25.
    Pragmatic, Sep 9th, 2013 @ 3:35am

    Re: Re: Re: WRONG! Don't try to hide from your errant servants!

    She's still blaming "the Rich" for everything, even though they're patently not the bad guys. The multinational corporations, the MIC and their religious authoritarian cohorts are. Get their grubby paws off the levers of power, and we'll have the country we want. Attempting to break up the country or just hating on "the gubmint" ain't a solution, it's part of the problem because it denies that we actually need a government to enact governance.

    Getting the government back under control with a mandate to serve We The People is the way to go. It begins with using our right to vote responsibly and NOT voting the same old grifters and corporate suck-ups back into office every damn time.

     

  26.
    John Fenderson (profile), Sep 9th, 2013 @ 9:20am

    Re: Re: Re: Re: Trust

    Please explain why it's not possible. I can think of a couple of ways right off the top of my head, mostly involving multilayered encryption, using a combination of different protocols and including at least one that isn't a standard.

     
