On Fri, Nov 1, 2013 at 4:01 PM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
Anthony Junk wrote:
It seems as if both Yahoo and Google assumed that since they were private circuits that they didn't have to encrypt.
According to Snowden, there are government agents at key positions for managing security.
When they declare the private circuits are secure, no one else in the companies can argue against it.
Unless they are fired and all the backdoors installed by them are removed, neither Yahoo nor Google is secure.
This is probably not entirely true, however... There is certainly enough in the Snowden docs to render this a valid question, and there is enough to assume some truth to the statement.

Anyone familiar with secure organizations will realize this as the internal witch hunt problem. You now have serious reason to believe that you have been compromised. If security needs to be absolute, then the degree of response needed to succeed at attaining that will require very serious vetting of all the staff, of the nature of what national security organizations do (background checks, polygraphs, detailed personal histories, intrusive random monitoring of employee actions in and outside the office, etc). Most of "us" will not put up with that.

However, most of "us" also desire reasonably secure services (both those of us who work for those services, and those of us who use them). The prior default setting was to assume there was nobody trying hard enough to penetrate those services that the internal witch hunt degree of internal security was necessary. It was "reasonable" to hope that someone with nation-state / superpower level resources was not actively Trying To Get In. Now that's not a safe assumption.

The NSA has just put the entire profession in a horrible bind. By going beyond the foggy-but-legally-documented FISA warrant activities into active hostile actions against US providers we have to wonder about what degree of paranoia is necessary. Do we now just stick our heads back in the sand? Identify key security groups with override authority within our organizations, vet them and monitor them like the CIA and NSA vet and monitor their employees? Try to establish that level of review of all our staffs?

Bruce Schneier has tiptoed around this some, but the thread from his blog last week of "How do we know we can trust Bruce" is terrifying when we have to consider applying that question to everyone on this list (and who should be on this list).
--
-george william herbert
george.herbert@gmail.com