Online Security Isn't Over; It's Just Beginning

from the time-to-move-on dept

One of the more annoying responses to the latest revelations about the NSA’s spying and surveillance is people brushing it off, saying, “well, of course the NSA was doing this.” That simplistic, short-sighted response doesn’t really take into account the importance of the details and, worse, seems to suggest that this kind of status quo is acceptable. It’s not. Worse, it’s leading some to take the fatalistic approach that there’s nothing to be done, so why even bother? That’s the exact wrong approach. As Micah Lee points out:

Giving up and deciding that privacy is dead is counterproductive. We need to stop using commercial crypto. We need to make sure that free software crypto gets serious security and usability audits.

If we do this right we can still have privacy in the 21st century. If we give up on security because of this we will definitely lose.

Bruce Schneier has been thinking along similar lines. Beyond just his call to rebuild internet infrastructure with security and openness in mind to make life more difficult for the NSA, he’s also discussing things people can do right now to remain a hell of a lot more secure in the face of the NSA’s activities.

If the internet is going to be as powerful and as useful as it should be, it needs to be a lot more secure. Throwing in the towel because of some backdoors is the exact wrong approach and is exactly what’s not needed right now. The security needs to be better and it needs to be easier to implement and to use. That won’t happen overnight, but it will happen. It needs to happen.


Comments on “Online Security Isn't Over; It's Just Beginning”

out_of_the_blue says:

WRONG! Don't try to hide from your errant servants!

Remind them that THEY ARE SERVANTS, that they’re breaking their oaths and BEING EVIL, and are allowed their power only so long as they serve We The People.

That’s rock-bottom AMERICANISM: when The Rich use gov’t for tyranny, it’s time to rise up and pull down the tyrants, NOT HIDE LIKE MICE.

etrimby says:

Re: WRONG! Don't try to hide from your errant servants!

O.K. so Blue has a damn good point here and everyone just reflexively reports him? That’s pretty damn stupid.
We need a 2 step program here.
1. Make the government start working for us, the way we want it to.
2. Use that reformed government to stop excesses and abuse from the corporate world.

Pragmatic says:

Re: Re: Re: WRONG! Don't try to hide from your errant servants!

She’s still blaming “the Rich” for everything, even though they’re patently not the bad guys. The multinational corporations, the MIC and their religious authoritarian cohorts are. Get their grubby paws off the levers of power, and we’ll have the country we want. Attempting to break up the country or just hating on “the gubmint” ain’t a solution, it’s part of the problem because it denies that we actually need a government to enact governance.

Getting the government back under control with a mandate to serve We The People is the way to go. It begins with using our right to vote responsibly and NOT voting the same old grifters and corporate suck-ups back into office every damn time.

John Fenderson (profile) says:

Re: Re: Trust

Security and privacy are not black-and-white. That is, you can never have 100% of either, but that doesn’t mean you should accept 0%.

Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.

RonKaminsky (profile) says:

Re: Re: Re:2 Security is not binary

Given that the manpower of the NSA is actually quite limited, I see no reason why John Fenderson is incorrect. If I contact someone using what is advertised as his public key, even if the NSA runs a MITM against us, it would have to have a real human editing our conversation to prevent us from exchanging enough information to be able to detect the MITM attack. There is no way an automatic logger (which is all the NSA can afford to run against “Average Joe Who Is Probably Not A Terrorist Or Otherwise Interesting”) is going to be able to prevent us from confirming our PK fingerprints.

John Fenderson (profile) says:

Re: Some steps are missing

I would prefer to see no parties at all rather than more parties. But the core problem isn’t any of the parties at all. The core problem is a prolonged and systemic takeover of the government by major corporations and the ultra-wealthy.

We’ve been down this road a couple of times before in US history. This is a familiar landscape.

Alt0 says:

hide in the open

Personally, I avoid certain words and phrases in my online communication now. I am sure this will get sorted one way (we take away their power to do this) or another (we are able to subvert their efforts to do this with better encryption)

The thing is, they SAVE EVERYTHING and even with better encryption it’s just a matter of time until they will be able to crack that as well. Seems the only truly secure way to regain our lost privacy is to take away the power which allows their actions. Until then I avoid using the net for important communication and hope to hide in the ever growing haystack.

Anonymous Coward says:

We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)

Browsers should use the new protocol by default, and give an “Are you sure you want to navigate to this site? It has weak encryption.” warning message for sites using TLS 1.2 and older protocols.

Almost all sites use TLS 1.0/SSL 3.0, both of which are quite vulnerable. Maybe a large crowd of users complaining about sites’ weak encryption could finally get them to upgrade and thwart the NSA.

Anonymous Coward says:

Re: Re:

We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)

TLS 1.2 without compression has exactly what you want. Stronger encryption (AES-GCM, SHA-256), no known weaknesses. You can easily disable RC4 when using it (not offering it as a client, not taking it as a server).

Browsers should use the new protocol by default, and give an “Are you sure you want to navigate to this site? It has weak encryption.” warning message for sites using TLS 1.2 and older protocols.

That is a bit of an inversion, since plain non-encrypted HTTP (which has even weaker encryption – the equivalent of 0-bit crypto) would not get a warning. First add warning to non-encrypted connections, then start killing the older protocols one by one as people upgrade.
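
An added example, not part of the comment above or of the original post: one way to express the configuration that reply describes (TLS 1.2 or later, no compression, AES-GCM only, RC4 neither offered by the client nor accepted by the server) with Python's ssl module, plus a check over the resulting suite list. The cipher string `ECDHE+AESGCM`, the helper names and the legacy sample are assumptions of this example.

```python
import ssl

# Assumption of this example: forward-secret AES-GCM suites only
# (OpenSSL cipher-string syntax).
HARDENED_CIPHERS = "ECDHE+AESGCM"


def hardened_context(server: bool) -> ssl.SSLContext:
    """TLS >= 1.2, compression off, AES-GCM only; same policy on both ends."""
    purpose = ssl.Purpose.CLIENT_AUTH if server else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # "TLS 1.2 without compression"
    ctx.set_ciphers(HARDENED_CIPHERS)             # RC4/CBC never offered or accepted
    return ctx


def weak_suites(ciphers):
    """Names of suites that are RC4, or pre-TLS 1.3 and not AES-GCM.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output.
    TLS 1.3 suites are all AEAD and are configured separately by OpenSSL.
    """
    weak = []
    for c in ciphers:
        name, proto = c["name"], c["protocol"]
        if "RC4" in name or (proto != "TLSv1.3" and "GCM" not in name):
            weak.append(name)
    return weak


# Constructed sample of what a legacy endpoint might enable (not real scan data).
LEGACY_SAMPLE = [
    {"name": "RC4-SHA", "protocol": "SSLv3"},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1.0"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
]

if __name__ == "__main__":
    for is_server in (False, True):
        ctx = hardened_context(server=is_server)
        role = "server" if is_server else "client"
        print(role, "weak suites:", weak_suites(ctx.get_ciphers()))
    print("legacy sample weak suites:", weak_suites(LEGACY_SAMPLE))
```
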

Anonymous Coward says:

A sign of giving up

Not all of us who say “of course the NSA is doing this” mean it as a statement to throw in the towel for privacy.

You’ve got a shiny new thing to keep all your secrets? That’s good, keep working on the next new thing to keep it secret… soon the NSA will figure out how to get in to that new thing so you better have the next ready.

Gerald Robinson (profile) says:

Online security & internet redesign

Besides needing massive government reform which we will not get so long as we do not have congressional term limits and don’t tax bribes. Redesign of the internet is not possible because much of it is controlled by oligopolies who collude with each other: the cable providers Comcast and Time Warner being the worst, they work with the Telcos/Wireless providers AT&T and Verizon. They will not support nor permit any change that they do not approve and that keeps them from getting $Bn/year from DoJ and NSA.
