The US government has betrayed the Internet. We need to take it back
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int... The US government has betrayed the Internet. We need to take it back The NSA has undermined a fundamental social contract. We engineers built the Internet – and now we have to fix it Bruce Schneier The Guardian, Thursday 5 September 2013 20.04 BST Internet business cables in California. 'Dismantling the surveillance state won't be easy. But whatever happens, we're going to be breaking new ground.' Photograph: Bob Sacha/Corbis Government and industry have betrayed the Internet, and us. By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our Internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical Internet stewards. This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back. And by we, I mean the engineering community. Yes, this is primarily a political problem, a policy matter that requires political intervention. But this is also an engineering problem, and there are several things engineers can – and should – do. One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers. We need to know how exactly how the NSA and other agencies are subverting routers, switches, the Internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do. Two, we can design. We need to figure out how to re-engineer the Internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information. We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert. The Internet Engineering Task Force, the group that defines the standards that make the Internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response. Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the Internet. The UK is no better. The NSA's actions are legitimizing the Internet abuses by China, Russia, Iran and others. We need to figure out new means of Internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations. Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country's Internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country. Generations from now, when people look back on these early decades of the Internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose. Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground. Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy. To the engineers, I say this: we built the Internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it. • Bruce Schneier writes about security, technology, and people. His latest book is Liars and Outliers: Enabling the Trust That Society Needs to Thrive. He is working for the Guardian on other NSA stories
Eugen Leitl <eugen@leitl.org> wrote:
We engineers built the Internet – and now we have to fix it
Nonsense. This is not a technical issue, it's a socio-political issue. It’s both naive & distracting to try & solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena. There are no purely technical solutions to social ills. Schneier of all people should know this. --------------------------------------- Roland Dobbins <rdobbins@arbor.net>
I believe you are correct, whatever technical hurdles we put in place will be overcome by policy. As long as you can legally require me to make my network intercept able for "lawful" purposes and are able to prevent me from explaining these purposes to my users any security that I would put in place is effectively neutered. I give up trying to resist, I am now firmly in the tin foil hat club. Sam On 2013-09-06 05:57, Roland Dobbins wrote:
Eugen Leitl <eugen@leitl.org> wrote:
We engineers built the Internet – and now we have to fix it
Nonsense. This is not a technical issue, it's a socio-political issue. It’s both naive & distracting to try & solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena.
There are no purely technical solutions to social ills. Schneier of all people should know this.
--------------------------------------- Roland Dobbins <rdobbins@arbor.net>
On 2013-09-06 05:57, Roland Dobbins wrote:
There are no purely technical solutions to social ills. Schneier of all people should know this.
Schneier does know this, and explicitly said this. -jsq http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int... Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations. Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country. Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose. Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground. Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy. To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
True I shot from the hip, he does address the concerns later. I'm used to implementing technologies to solve security problems. It's just damn frustrating to have your hands tied in such a way that you can not and that's the position that I see myself and most other network ops in. Our customers decided at the ballot box that they didn't want protection and it was acceptable to entrust their privacy to the system. They seem to forget that decision when they ask if they are vulnerable to this type of intercept and what they can do about it. The answer is not much because I will not and can not break the law, it's unethical and wrong. I will encourage people to seek to change the laws to encourage true end to end security but the odds of that happening are near 0. Sam On 2013-09-06 06:47, John S. Quarterman wrote:
On 2013-09-06 05:57, Roland Dobbins wrote:
There are no purely technical solutions to social ills. Schneier of all people should know this.
Schneier does know this, and explicitly said this.
-jsq
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int...
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
True I shot from the hip, he does address the concerns later.
It happens.
I'm used to implementing technologies to solve security problems. It's just damn frustrating to have your hands tied in such a way that you can not and that's the position that I see myself and most other network ops in.
Maybe NSA has provided a marketing opportunity to get the public to demand real security.
Our customers decided at the ballot box that they didn't want protection and it was acceptable to entrust their privacy to the system. They seem to forget that decision when they ask if they are vulnerable to this type of intercept and what they can do about it. The answer is not much because I will not and can not break the law, it's unethical and wrong. I will encourage people to seek to change the laws to encourage true end to end security but the odds of that happening are near 0.
If everybody refuses to try, the odds are indeed zero. So maybe we should try.
Sam
-jsq
On 2013-09-06 06:47, John S. Quarterman wrote:
On 2013-09-06 05:57, Roland Dobbins wrote:
There are no purely technical solutions to social ills. Schneier of all people should know this.
Schneier does know this, and explicitly said this.
-jsq
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-in ternet-nsa-spying
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
Unfortunately, this is going play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.
Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.
To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
The answer is not much because I will not and can not break the law, it's unethical and wrong.
I invite you to consider the concept of civil disobedience--where the law is unethical or wrong it can be argued that it's also unethical and wrong to FOLLOW the law. I haven't yet been placed in a position, and I doubt I will given the arc of my career, where I would have to make the choice between enabling this kind of surveillance quietly or blowing the whistle on it. I hope, as I imagine most of us do, that I'd choose to do the "right" thing (and correctly determine which option is "right", which is probably the real trick). -- Josh Sholes
That and ignoring it will only continue to affect the code/silicon arena. Social problems are always affected by who throws the biggest fit. On Fri, Sep 6, 2013 at 4:18 AM, Randy Bush <randy@psg.com> wrote:
We engineers built the Internet – and now we have to fix it There are no purely technical solutions to social ills.
no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street.
randy
-- -------------------- Bryan Tong Nullivex LLC | eSited LLC (507) 298-1624
Who's going to pay for the cleanup? The same people who are/were paid to create the mess? Clearly many of the "tin foil hat" theories are now becoming common place. I really don't know if there is any way out of this stateside, it's legislated. On 9/6/13 3:18 AM, "Randy Bush" <randy@psg.com> wrote:
We engineers built the Internet and now we have to fix it There are no purely technical solutions to social ills.
no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street.
randy
On Fri, 06 Sep 2013 10:24:26 -0000, Warren Bailey said:
Who's going to pay for the cleanup? The same people who are/were paid to create the mess? Clearly many of the "tin foil hat" theories are now becoming common place. I really don't know if there is any way out of this stateside, it's legislated.
There's no legislation that says you're not allowed to enable OpenSSL perfect forward secrecy on your website, and fix the layout so HTTPS Everywhere is able to work on it.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int...
The US government has betrayed the Internet. We need to take it back
Who is we ? -J
On Fri, 6 Sep 2013 07:46:59 -0500 Jorge Amodio <jmamodio@gmail.com> wrote:
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int...
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
-J
-- John PGP Public Key: 412934AC
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
We have to do the right thing anyway because as engineers we are always motivated to innovate, to fix, to make things better. Motivation has not to come form the NSA or any other spooking service of the day. Even if we design and deploy the best engineering solution there is always a weak link that can be compromised, coerced by law or workaround by counter-engineering. We want better was to provide "privacy" ? I'm not against that, but if you really want privacy the best and cheapest engineering solution is to remove the plug. We should spend more cycles about how to make broadband real broadband, deploying IPv6, implementing DNSSEC, educating people and bringing Internet where is no access or where there is bad access make it good, if in the process of doing that the NSA wants to get high sniffing all packets I really don't care much because that is not an engineering problem. I think that "privacy" on a "public" network is a very relative concept, same as "security". -J On Fri, Sep 6, 2013 at 9:11 AM, Scott Brim <scott.brim@gmail.com> wrote:
On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
The biggest mistake everyone is making is that while we are talking about what the USGOV/NSA in this instance you assume this is the only entity behaving in this manner. Morpheus <http://www.imdb.com/name/nm0000401/?ref_=tt_trv_qu>: "This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes. " Mike On Fri, Sep 6, 2013 at 11:43 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
We have to do the right thing anyway because as engineers we are always motivated to innovate, to fix, to make things better. Motivation has not to come form the NSA or any other spooking service of the day. Even if we design and deploy the best engineering solution there is always a weak link that can be compromised, coerced by law or workaround by counter-engineering.
We want better was to provide "privacy" ? I'm not against that, but if you really want privacy the best and cheapest engineering solution is to remove the plug.
We should spend more cycles about how to make broadband real broadband, deploying IPv6, implementing DNSSEC, educating people and bringing Internet where is no access or where there is bad access make it good, if in the process of doing that the NSA wants to get high sniffing all packets I really don't care much because that is not an engineering problem.
I think that "privacy" on a "public" network is a very relative concept, same as "security".
-J
On Fri, Sep 6, 2013 at 9:11 AM, Scott Brim <scott.brim@gmail.com> wrote:
On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
So when do we riot? I've been waiting for months now. On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it.
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.
My .02 -J
I don't suggest a riot. I do believe in the rule of law, as a member of a democracy I need to accept that I will not always agree with the laws that are enacted. If we lived in China or somewhere else where there was no method to change laws that were unfair or unjust then yea I would support the civil disobiedence approach whole heartedly I do love my country, always have and I firmly believe in the concept of government by the consent of the governed. These rules were made by the people we choose, perhaps these were bad choices but they were are collective choices. Perhaps we should educate our user base so that in the future they make better choices. I suggest in an only half snarky way we just push out the standard DOD warning banner to them all. Since it now seems to apply... Below is a sample banner (IS is information System) By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. Sam On 2013-09-06 10:14, Ishmael Rufus wrote:
So when do we riot? I've been waiting for months now.
On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio <jmamodio@gmail.com> wrote:
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it.
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.
My .02 -J
I don't suggest a riot. I do believe in the rule of law, as a member of a democracy I need to accept that I will not always agree with the laws that are enacted.
Well that's all nice and all, but what you're missing here is that this has very little to do with "laws that are enacted". When an author of the PATRIOT Act is filing amicus briefs indicating that the collection of data being done is not what Congress intended, and when the intelligence community is busy subverting the common definitions of words so that they can bend a law that says one thing when read in plain language but something very different when they use their own private definitions, then we're pretty far outside the scope of "law." We've been hearing for some years now that the way in which the PATRIOT Act has been interpreted was alarmingly expansive. If you choose to start redefining words, you can probably find a way to make the Constitution say "every child has a right to a puppy." Doesn't actually mean that it actually says that though. Feingold must be having such an "I told you so" moment. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Just call your senator and ask her/him to stop signing the checks ... -J
On Fri, Sep 6, 2013 at 7:23 AM, Sam Moats <sam@circlenet.us> wrote:
... Below is a sample banner (IS is information System)
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.
Sam
Ah. So, if we all become ordained ministers, our communications become privileged communications not subject to monitoring by the US government? Matt (spoken mostly tongue-in-cheek; but it would be fun to see the government go up against the religious right on the question of whether the government has the right to violate the seal of the confessional and monitor layperson communications with their clergy...)
The error in this whole conversation is that you cannot "take it back" as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a "social contract" to ensure that I do not run over squirrels with my Explorer, will they "take it back" if I do so? The whole "social contract" argument is ridiculous. You have a contract (or most likely an "at will" agreement") with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do. In the United States there are two main centers of power that can affect these policies, the consumer and the voter. 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. 3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another things to remember is that the NSA engineers were probably acting under their "social contract" to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the "right thing". The problem with "social contracts" is that they are relative. As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China. Steven Naslund Chicago IL -----Original Message----- From: Jorge Amodio [mailto:jmamodio@gmail.com] Sent: Friday, September 06, 2013 8:51 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
+1 I couldn't have said it any better. Sam On 2013-09-06 10:27, Naslund, Steve wrote:
The error in this whole conversation is that you cannot "take it back" as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a "social contract" to ensure that I do not run over squirrels with my Explorer, will they "take it back" if I do so? The whole "social contract" argument is ridiculous. You have a contract (or most likely an "at will" agreement") with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do.
In the United States there are two main centers of power that can affect these policies, the consumer and the voter.
1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).
2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.
3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another things to remember is that the NSA engineers were probably acting under their "social contract" to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the "right thing". The problem with "social contracts" is that they are relative.
As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China.
Steven Naslund Chicago IL
-----Original Message----- From: Jorge Amodio [mailto:jmamodio@gmail.com] Sent: Friday, September 06, 2013 8:51 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it.
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.
My .02 -J
"Just following orders..." ________________________________ From: Sam Moats <sam@circlenet.us> To: nanog@nanog.org Sent: Friday, September 6, 2013 7:30 AM Subject: RE: The US government has betrayed the Internet. We need to take it back +1 I couldn't have said it any better. Sam On 2013-09-06 10:27, Naslund, Steve wrote:
The error in this whole conversation is that you cannot "take it back" as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a "social contract" to ensure that I do not run over squirrels with my Explorer, will they "take it back" if I do so? The whole "social contract" argument is ridiculous. You have a contract (or most likely an "at will" agreement") with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do.
In the United States there are two main centers of power that can affect these policies, the consumer and the voter.
1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).
2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.
3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another things to remember is that the NSA engineers were probably acting under their "social contract" to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the "right thing". The problem with "social contracts" is that they are relative.
As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China.
Steven Naslund Chicago IL
-----Original Message----- From: Jorge Amodio [mailto:jmamodio@gmail.com] Sent: Friday, September 06, 2013 8:51 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back
The US government has betrayed the Internet. We need to take it back
Who is we ?
If you bothered to read the 1st paragraph you would know.
I read all of it, the original article and other references to it.
IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed.
My .02 -J
1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve <SNaslund@medline.com> wrote: [snip] things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).
2. The Congress passes the laws that govern telecom and intelligence
gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function. Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical): http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-kn... I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there. Royce
This is part of the purpose behind the separation of powers between executive, legislative and judicial. William Pitt wrote "Unlimited power is apt to corrupt the minds of those who possess it" . As such constraints are needed and in place. We expect politician to cheat,lie,be stupid and self serving. Because we like people who tell us what we want to hear and most of us vote for people that we like. The do not have to be wise, or even competent. Personally I think most of the fault currently lies with the Judicial side. These laws were enacted as a knee jerk reaction to an event. I can understand the passions of people at that time because I shared them, however the courts are supposed to be a bulwark against this very kind of rash action. These men and women are supposed to be well educated in the fundamental concepts that constructed our republic and appointed to terms that prevent them from worrying about the political whims of the time. Sam On 2013-09-06 10:55, Royce Williams wrote:
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve <SNaslund@medline.com> wrote:
[snip]
1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).
2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.
Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function.
Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical):
http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-kn...
I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys.
When the time comes for the political choices to be made, the good technical choices must be the only ones available.
Security engineering must pave the way to the high road -- so that it's the only road to get there.
Royce
MAN UP! ________________________________ From: Sam Moats <sam@circlenet.us> To: nanog@nanog.org Sent: Friday, September 6, 2013 8:04 AM Subject: Re: The US government has betrayed the Internet. We need to take it back This is part of the purpose behind the separation of powers between executive, legislative and judicial. William Pitt wrote "Unlimited power is apt to corrupt the minds of those who possess it" . As such constraints are needed and in place. We expect politician to cheat,lie,be stupid and self serving. Because we like people who tell us what we want to hear and most of us vote for people that we like. The do not have to be wise, or even competent. Personally I think most of the fault currently lies with the Judicial side. These laws were enacted as a knee jerk reaction to an event. I can understand the passions of people at that time because I shared them, however the courts are supposed to be a bulwark against this very kind of rash action. These men and women are supposed to be well educated in the fundamental concepts that constructed our republic and appointed to terms that prevent them from worrying about the political whims of the time. Sam On 2013-09-06 10:55, Royce Williams wrote:
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve <SNaslund@medline.com> wrote:
[snip]
1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care).
2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure.
Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function.
Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical):
http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-kn...
I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys.
When the time comes for the political choices to be made, the good technical choices must be the only ones available.
Security engineering must pave the way to the high road -- so that it's the only road to get there.
Royce
I am unclear on what you mean by technical choice. Are you talking about a technical solution to keep the government from seeing your traffic? That will not work for two main reasons. 1. The government has a lot more resources and motivation than the average company when it comes to security systems. They do not have to be profitable, just effective. Most companies only invest in the security that they are required to provide. As a private entity they will be unlikely to want to get in a technological arms race with the NSA. Remember these are the guys that also design some of the most sophisticated encryption systems in the world and have nearly limitless computing power to break such systems. They attract some of the most brilliant mathematical minds in the world and actively pursue these employees. You are really unlikely to out "security engineer" the NSA especially since the USG can control legally what technology you are allowed to use and export. Who designed your encryption algorithm and which one of your employees is a qualified cryptographer that can assure you that it is secure enough. Is he qualified to tell you what backdoors or capability NSA has to break that encryption method? Do you have the technical experts to assure you that no US intelligence service has penetrated your human or technical resources? Do you think no one in your organization would plug something into your network if it comes with a bag of cash or a threat attached to it. If so, I think the NSA might offer you a lucrative job. Remember these are the same guys who are supposed to break the communications of foreign governments and by all accounts are fairly good at it. I don't want to bet my job on defeating them. 2. If the political environment allows, they will simply pass laws along the lines of CALEA to give them the legal right to tap your traffic. Even if you won the technological battle they can instantly trump you with key escrow and other such legal force means to defeat you. If the political will exists they can pass a law requiring you to pass them all information in plain text. Game over, you lose. Just try to defy a FISA court order or refuse a CALEA tap and see how long you are in business. There is always a debate of privacy vs security and there always has been in one form or the other. This is expressed by the people of this country in their political and economic choices. I know it does not seem like it sometimes but the government will only do what the majority of the people will accept most of the time. Every decision a politician makes is a balance between what he wants and what he thinks he can get away with. He want the information but it is only useful if he maintains his access to power. As you see, the ONLY solution is the political will to limit the governments powers. The only way that is done is to threaten the power structure or financial structure. The history of the best technical solution winning inside the US Government structure is pretty weak. POSIX compliance, ADA programming, need I say more? I say this as a former network engineer in the United States Air Force. As far as both parties being responsible for this, I agree completely. Everyone knows that information is power and everyone wants as much information as they can get. The only way to influence that is to make the cost of illegal information collection too high a price to pay for the politicians. The NSA will only use the technology they are allowed to use by whomever is in power. No one over there wants to go to jail and most government employees do not want to put their neck on the line if they know there is no safety net. The Director of NSA answers to the President. His job is to get the information the USG wants and not get anyone fired doing it. Everything he does is about that balance. If he does not do it, the President will appoint someone who does. Historically the NSA is directed by a General officer from the military. They generally follow the orders they are given by the President and that is where the power really lies. It is the job of the Congress to oversee that and ensure the limitations are being followed. If that is not happening, it is up to the citizens to replace the President or Congress with someone who will follow the will of the people. Steve -----Original Message----- From: Royce Williams [mailto:royce@techsolvency.com] Sent: Friday, September 06, 2013 9:56 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back [snip] http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-kn... I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there. Royce [snip]
On Fri, Sep 6, 2013 at 8:02 AM, Naslund, Steve <SNaslund@medline.com> wrote:
I am unclear on what you mean by technical choice. Are you talking about a technical solution to keep the government from seeing your traffic? That will not work for two main reasons.
[good reasons snipped] Ah, I should have been more clear. I'm definitely not proposing that the private sector could succeed in such an arms race, for exactly the two reasons that you accurately laid out: the government has vastly greater resources, and they have the law. (And I would add a third: they have a valid mission to accomplish). I intended the "technical choice" idea to be more broad. I'm no crypto guy, but of the work happening in this space, it seems that there are a lot of people working on the problem of "how do we keep everyone else out?", and a lot of other people are working on "how do we get in?" And recently, a lot more folks are working on "how can we quickly tell that they got in?" But it doesn't seem to me that very many people are working (at a technical level) on the hard problem of "how do we simultaneously enable lawful intercept, and verifiably preserve privacy?" There seems to be an intractable conflict between freedom and surveillance. But if we set aside that assumption, we might discover technical approaches to support both. The politics might change if the politicians didn't have to choose one or the other. Pipe dream? Certainly. But escaping assumptions is where breakthroughs are made. Royce
The problem is that the US govt and others have been sucked into a vortex of bad game theory. They believe we the people don't want any terrorist acts against us, or minimized as much as possible, which is roughly: none. This belief is reasonable. Worse, terrorism has become a political weapon against whoever can be characterized as asleep on the watch. The president, DHS, FBI - remember all the news articles asking why the FBI didn't act earlier on the Marathon bombers? etc. Tonight at midnight Janet Napolitano is no longer head of DHS. As many have said: What a bad job she had! Just waiting for a terrorist attack so congress et al can demand to know why. So DHS, NSA, et al sit around dreaming up ways to prevent terrorism which in some cases probably works, and in other cases is probably impossible. They seem to have hit upon this surveillance effort as a "deliverable". The govt is going to resist "engineering" efforts because as I said it's their butts on the line not yours if there's an attack. Or yours only figuratively or by some coincidence (you're actually the victim of an attack.) We have a bad feedback loop going on in govt right now. Did the brains at al Qaeda foresee this in 2001? Possibly. It's not magic -- fear of terrorism creating a feedback loop like this. There are, or were, intellectuals behind AQ, some no doubt bright. So when people ask what is the aim of terrorism I think we're living it right here. I'm not convinced that characterizing "the govt" as the evil here is entirely constructive. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Fri, Sep 6, 2013 at 6:55 AM, Royce Williams <royce@techsolvency.com> wrote:
Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical):
http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-kn...
Er ... I forgot to include the part of the Ellsberg quote that was most relevant to the discussion, with the last sentence here being the icing on the cake: "You will deal with a person who doesn't have those clearances only from the point of view of what you want him to believe and what impression you want him to go away with, since you'll have to lie carefully to him about what you know. In effect, you will have to manipulate him. You'll give up trying to assess what he has to say. The danger is, you'll become something like a moron. You'll become incapable of learning from most people in the world, no matter how much experience they may have in their particular areas that may be much greater than yours." In other words: the very politicians with the clearances necessary to strike the best balance are the ones that we cannot expect to hear us, even in our areas of expertise. Security engineering must take this fact as a constraint. Royce
On Fri, Sep 06, 2013 at 02:27:32PM +0000, Naslund, Steve wrote:
If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge neccessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about. Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatable services, so that privacy-respecting services become known and commonplace. Nicolai
The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. There only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often choosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote:
On Fri, Sep 06, 2013 at 02:27:32PM +0000, Naslund, Steve wrote:
If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge neccessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about.
Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatable services, so that privacy-respecting services become known and commonplace.
Nicolai
The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. There only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often choosen.
Actually it might not be so horrible if the law was rewritten to be more reasonable, and then on top of that if the executive branch would stop inventing new definitions for words used in the law. However, we shouldn't rely on either of those two things. But the other big giant fail here is that we, as the engineers who have built all this stuff, have made it exceedingly easy for users to "just sign up with Gmail" and have totally failed at providing easy alternatives for the average person to use. That includes building intelligent, secure, and easy-to-use security into MIME and email, and extends to policies by ISP's designed to make it difficult to run your own server/services, and winds up with software authors who totally fail at creating usable server implementations. And that's just a broad brush. There are more failings than that. Reducing or eliminating the third party involvement in operating services would severely impact the ability to perform the sorts of blanket surveillance that we've seen. There's no technically valid reason that my mother couldn't host and run her own e-mail server on her home Internet connection. Except that she doesn't have a fixed IP. And there's no software that would make it trivial for her to do so (there are honorable mentions, but really this has got to be nearly as easy as plug-and-go). The Internet was designed as an any node to any node system. The insertion of ISP mail servers as an intermediate step made lots of sense back in the days of shell and dialup. It makes a little less sense now. But the community is extremely resistant to change. Certainly Gmail has no incentive to suggest that people go run their own mail server. And we've created enough other roadblocks that it isn't likely to happen. Sigh. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On 6 September 2013 10:52, Sam Moats <sam@circlenet.us> wrote:
The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance.
Only if are on USA territory. You can also push for distributed services that don't depend on one fat server farm. -- -- ℱin del ℳensaje.
My dad told once me they could indict a ham sandwich. I never really knew what meant.. A law does not mean an automatic grant of constitutionality. I'm all for following laws, but at what point does the public just say.. The threat isn't large enough to warrant a protcologist visit via NSA to see if you've been a good boy. I'm innocent until proven guilty beyond a reasonably doubt by a jury of my peers, it doesn't work any other way. You either respect the document that establishes basic principals for this land, or you do not. As I said before.. Snowden would have had a world wife frenzy of activity had he included "facebook is going to a pay model" instead of legit information about national war crimes. Sent from my Mobile Device. -------- Original message -------- From: Sam Moats <sam@circlenet.us> Date: 09/06/2013 10:56 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: The US government has betrayed the Internet. We need to take it back The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. There only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often choosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote:
On Fri, Sep 06, 2013 at 02:27:32PM +0000, Naslund, Steve wrote:
If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge neccessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about.
Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatable services, so that privacy-respecting services become known and commonplace.
Nicolai
On Fri, Sep 06, 2013 at 01:52:16PM -0400, Sam Moats wrote:
The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long.
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. But many or most services can be sufficiently improved, and that's the goal: improvement. http://prism-break.org/ lists examples of this improvement. Nicolai
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Mike
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by leitl.org (Postfix) with ESMTPS id 57418543E4D for <eugen@leitl.org>; Fri, 6 Sep 2013 21:06:34 +0200 (CEST) Received: from localhost ([::1] helo=sc1.nanog.org) by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD)) (envelope-from <nanog-bounces@nanog.org>) id 1VI1KX-000CSi-NT; Fri, 06 Sep 2013 19:04:29 +0000 Received: from mtcc.com ([50.0.18.224]) by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD)) (envelope-from <mike@mtcc.com>) id 1VI1KH-000CQe-Mt for nanog@nanog.org; Fri, 06 Sep 2013 19:04:13 +0000 Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id r86J3uVr017222 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 6 Sep 2013 12:03:57 -0700 -- doesn't do PFS, unfortunately. Everything should be doing PFS, now that we know.
On 09/06/2013 12:14 PM, Eugen Leitl wrote:
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.
Of course:
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate)
doesn't instill a lot of confidence :) It's better than nothing though. Mike
Sure it does. You have confidentiality between the parties who are speaking together against third-parties merely passively intercepting the communication. Authentication and Confidentiality are two completely separate things and can (and are) implemented separately. The only Authentication which would be of any value to me is if the certificates was issued by me to the other party. Otherwise, one must assume that the certificate is fake for the purposes of authentication (ie, has no more value than a self-signed certificate).
-----Original Message----- From: Michael Thomas [mailto:mike@mtcc.com] Sent: Friday, 6 September, 2013 13:25 To: Eugen Leitl Cc: nanog@nanog.org Subject: Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using
On 09/06/2013 12:14 PM, Eugen Leitl wrote: the
tools that have been implemented and deployed for a decade at least.
Of course:
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate)
doesn't instill a lot of confidence :) It's better than nothing though.
Mike
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.
Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security. But the deeper issue is coercing providers to give up mail stored on private servers, bypassing the network altogether. TLS doesn't address this problem. Short term: deploy [START]TLS. Long term: we need a new email protocol with E2E encryption. Nicolai
Once upon a time, Nicolai <nicolai-nanog@chocolatine.org> said:
Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security.
OpenSSL is not the only game in town. -- Chris Adams <cma@cmadams.net>
On 09/06/2013 12:52 PM, Nicolai wrote:
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security.
But the deeper issue is coercing providers to give up mail stored on private servers, bypassing the network altogether. TLS doesn't address this problem. Short term: deploy [START]TLS. Long term: we need a new email protocol with E2E encryption.
I'd say we already have those things too in the form of PGP/SMIME. Who knows what the NSA can break, but it's just not right to say that we need new protocols. The means has been there for many years to secure email (fsvo 'secure'), it's just that it's not terribly convenient so we just don't for the most part. Mike
On Fri, Sep 06, 2013 at 01:04:48PM -0700, Michael Thomas wrote:
I'd say we already have those things too in the form of PGP/SMIME. Who knows what the NSA can break, but it's just not right to say that we need new protocols. The means has been there for many years to secure email (fsvo 'secure'), it's just that it's not terribly convenient so we just don't for the most part.
The scuttlebutt is that anything SMTP is unfixable, so XMPP/OTR is gap-filler until really distributed systems with zero metadata (Tahoe LAFS & Co) come along. In regards to Schneier's manifesto, it seems he's targeting noncorporate/nonaffiliated engineers, and there *has* been considerable activity in the woodworks in the past months. Most of the resulting countermeasures will be more for the network edge and end users, so not really operationally relevant for nanog. Sorry to waste your time, but it was worth a try.
Great opportunity for a country like Brazil (for example) to become a place of business for many of these services which are subject to Calea (and such) in the US. This type of behavior is certainly a motivator for folks in other countries to benefit, to our detriment. If the NSA is truly undermining the security of private enterprises which rely on compromised security implements, besides being counter productive, it will cost (maybe already has) in lost revenue or damages. Sooner or later this is going to take its toll. In the end the universal language of "cold hard cash" will reign. /wp ________________________________ From: Sam Moats<mailto:sam@circlenet.us> Sent: 9/6/2013 11:55 AM To: nanog@nanog.org<mailto:nanog@nanog.org> Subject: Re: The US government has betrayed the Internet. We need to take it back The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. There only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often choosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote:
On Fri, Sep 06, 2013 at 02:27:32PM +0000, Naslund, Steve wrote:
If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.
I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge neccessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about.
Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatable services, so that privacy-respecting services become known and commonplace.
Nicolai
On Fri, 2013-09-06 at 23:03 +0000, Paul Donner (pdonner) wrote:
Great opportunity for a country like Brazil (for example) to become a place of business for many of these services which are subject to Calea (and such) in the US. This type of behavior is certainly a motivator for folks in other countries to benefit, to our detriment.
If the NSA is truly undermining the security of private enterprises which rely on compromised security implements, besides being counter productive, it will cost (maybe already has) in lost revenue or damages. Sooner or later this is going to take its toll. In the end the universal language of "cold hard cash" will reign.
You mean like this? http://www.zdnet.com/u-s-cloud-industry-stands-to-lose-35-billion-amid-prism... As one currently working in the cloud this is deeply concerning. --Chris
On 6 September 2013 11:37, Eugen Leitl <eugen@leitl.org> wrote:
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-int...
The US government has betrayed the Internet. We need to take it back
Its like you have to abandon USA based encryptation systems that are closed source. But I dunno, maybe open source solutions can have problems. http://xkcd.com/221/ http://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_i... I think the encryptation world will think about this, and will recommend a group of products (like PGP) that are almost sure safe. The NSA can spy on underwater internet cables, but they can't abolish Math. If you have a encryptation system that is not backdoored and is cryptographically strong enough the NSA or anyone will have a hard time to uncover your secrets. -- -- ℱin del ℳensaje.
participants (28)
-
<<"tei''>>>
-
Alex Rubenstein
-
Barry Shein
-
Bryan Tong
-
Chris Adams
-
Chris Boyd
-
Eugen Leitl
-
harbor235
-
Ishmael Rufus
-
Joe Greco
-
John Peach
-
John S. Quarterman
-
Jorge Amodio
-
Keith Medcalf
-
Larry Stites
-
Matthew Petach
-
Michael Thomas
-
Naslund, Steve
-
Nicolai
-
Paul Donner (pdonner)
-
Randy Bush
-
Roland Dobbins
-
Royce Williams
-
Sam Moats
-
Scott Brim
-
Sholes, Joshua
-
Valdis.Kletnieks@vt.edu
-
Warren Bailey