Neglecting the Lessons of Cypherpunk History
Nicola Hahn writes: Over the course of the Snowden revelations there have been a number of high profile figures who've praised the merits of encryption as a remedy to the quandary of mass interception. Companies like Google and Apple have been quick to publicize their adoption of cryptographic countermeasures in an effort to maintain quarterly earnings. This marketing campaign has even convinced less credulous onlookers like Glenn Greenwald. For example, in a recent Intercept piece, Greenwald claimed:
"It is well-established that, prior to the Snowden reporting, Silicon Valley companies were secret, eager and vital participants in the growing Surveillance State. Once their role was revealed, and they perceived those disclosures threatening to their future profit-making, they instantly adopted a PR tactic of presenting themselves as Guardians of Privacy. Much of that is simply self-serving re-branding, but some of it, as I described last week, are genuine improvements in the technological means of protecting user privacy, such as the encryption products now being offered by Apple and Google, motivated by the belief that, post-Snowden, parading around as privacy protectors is necessary to stay competitive."
So, while he concedes the role of public relations in the ongoing cyber security push, Greenwald concurrently believes encryption is a "genuine" countermeasure. In other words, what we're seeing is mostly marketing hype... except for the part about strong encryption.
With regard to the promise of encryption as a privacy cure-all, history tells a markedly different story. Guarantees of security through encryption have often proven illusory, a magic act. Seeking refuge in a technical quick fix can be hazardous for a number of reasons.
Yep (Score:2, Insightful)
Publicly available 'encryption' does little more than keep the kids off your lawn. It is snake oil. While you are on the company wire, there will never be any hope of this elusive 'privacy'. Give it up, and make the rest of the world transparent.
Posting AC because the mods don't like hearing the truth about their golden calf...
Re:Yep (Score:4, Interesting)
Re:Yep (Score:5, Funny)
Re:Yep (Score:5, Interesting)
A security solution does not have to be 100% perfect to still provide value.
Let's take another example. A workstation requires pressing Ctrl-Alt-Del and typing a password to unlock the computer. You might say that it is useless protection because an attacker can just walk away with the hard drive of the computer.
So why is the password still useful? Well, without a password, an attacker might just start locally using the computer and quickly take a look at various secret documents. If he were to grab the hard drive, it would take significantly more time, which would increase the chances of being captured by the security team.
To get back to the topic, by using encryption you are not the lowest hanging fruit out there.
Re: (Score:2)
Beyond that, it makes the machine tamper evident. This is especially important with servers. Sure, you absolutely can get root without the password if you are physically present, but you can't do so without tripping the monitor system.
Re: (Score:2)
On the other hand, a security solution needs to not be pre-compromised. A mafioso was convicted in part due to his poor choice of cypher, one that had been developed pre-computer and was hand-calculatable, and offered no protection from anyone looking to make a concerted effort to break it.
During WWII, some Axis messages were transmitted in both a broken encryption and a not-yet-broken encryption, which led to the not-yet-broke
Re:Yep (Score:5, Informative)
There is no indication PGP/GnuPG can be broken if used right (some minimal care needed, e.g. verifying that you have the right keys for the people you communicate with). Things like BitLocker or current Phone encryption do not deserve much trust though.
Your statement is far too generic to resemble the truth in this area. However there has been a consistent push behind your view from some quarters that can only be interpreted as a "don't use encryption, it does not help anyways" disinformation campaign. This is a rather strong indicator that even known-bad encryption like SSL makes things at least more difficult for the surveillance-fascists.
Re: (Score:3)
Mod parent up.
Though I would add one other thing, that increasing the amount of effort that is required to decrypt your communications means the cost increases. Sure they may have a huge budget however there must be a point where it is not worth spending the money unless it will produce a result, after all, it's not an infinite budget.
Re: (Score:3)
Indeed. And if we manage to drive their cost up past where it is sustainable, then even breakable encryption becomes unusable for mass-surveillance.
The other thing is that a hugely inflated and costly "national security" apparatus can bankrupt a country (the US is well on its way there and the Brits are not looking too good either) and serves as a natural deterrent and bad example for others.
Re: (Score:2)
You all are attacking this from the wrong angle. Why don't you try instead to elect people that respect privacy?
Because power corrupts and absolute power corrupts absolutely. To balance this protection of privacy must become systemic and impinging it must become expensive.
You people keep on putting layer upon layer of crap to compensate for your previous fuckups... Your entire car is made of Bondo and weighs 40 tons...
When you say "You people" it makes me wonder if you have ever written a letter to a politician and added your voice to a demand for them to act in their constituents interests and if you actually participate in democracy beyond voting for brand X or Y. As you have expressed yourself as an anonymous coward, perhaps you should consider if you are one
Re: (Score:2)
Because power corrupts and absolute power corrupts absolutely.
So, remove the over-reaching power.
The republic was never designed for a federal government with so much power. That was one of the basic tenets of its design, to not allow the central government too much power.
Break it up like Ma Bell of old. Do away with the unnecessary/harmful/unconstitutional parts, and allow the states more control.
Note; I am not advocating doing away with a central government. Just reducing its size, scope, power, and cost to more closely resemble what the founding documents say it
Re: (Score:3)
That's right! Hand over power to the states! Because unlike the fed, state government officials are totally immune to power grab and corruption!
If you have all the other states along with federal executive/judicial/legislative branches that are not so corrupted to the degree they are currently, the problem would self-correct. The Rule of Law instead of the Rule of Men would prevail.
It's like a computer network; A system built from independent machines with a varied 'ecosystem' of software, hardware, and security systems is a much harder 'nut' to crack than a single machine that operates a network of 'dumb' terminals.
In a very real way, those who wr
Re: (Score:2)
Your idea, while looking good on the surface, has a little problem, called "the voter". As long as 90% vote with their gut and are exceedingly easy to manipulate by those in power, no solution will come from the "democratic process". Hence we are not coming from the wrong angle, we are coming from the only angle that has a chance of working. Unless you propose that some of us try to infiltrate politics and manipulate the unthinking masses our way?
Re: (Score:2)
Absolutely and we seem to be seeing legislative constructs being passed that allow for these hugely intrusive schemes to operate legally. It should be more concerning to Joe Citizen that a member of the intelligence community steps away from that world and says "Hey people, it *has* gone too far".
Unfortunately, here in Australia, we now see the type of legal framework introduced that makes whistleblowers, who are concerned about democracy, turned into criminals. I can only hope that such a thing remains un-
Re: (Score:3, Insightful)
I am far from being an expert on encryption, but the danger is not that PGP will be broken; it's that there are weaknesses in the entire "ecosystem" that allow for side-channel attacks. That's part of what that NSA paper, linked to in the article, is discussing. If there is something that can be exploited in the user's operating system or in the hardware, then that becomes the weak link in the chain.
Then, there is the whole issue that you touch on: namely, the caveat of encryption's efficacy "if used right.
Re: (Score:2)
I think it's possible to make the valid point that just hiding your communications, even if done perfectly, is not enough, and pursuing social change in addition to that is also needed, without casting baseless aspersions on cryptography in general. TFA strays too far towards the latter IMO.
That only a fraction of a percent of humanity is currently capable/willing to ensure that their crypto ducks are in a row is a more valid point, and how to get the general population to choose the right platforms/apps/p
Re: (Score:2)
If your crypto is vulnerable in this way, it is not technically executed correctly.
Re: (Score:2)
Highly unlikely. If they break the crypto, it will be noted, as it would not work with other implementations. The CPRNGs are not compromised, that would be infeasible with the number of people watching (but they have tried, see here: https://plus.google.com/+Theod... [google.com]). There is not really space for subtle leaks of key material in the PGP datagrams.
That does not mean they cannot break it, but it would come with a high risk of being discovered and the flaw would be attributable at least for GnuPG. There is al
Bolted down tight left and right (Score:1, Insightful)
Welcome to the Jail called The USA land of freedom ROFL
Man that government and its agencies are keeping the nuts and bolts tight giving it a turn every time they have a chance on "We the People"
Never before in history, even in Russia, have we ever seen a People stay coy under such an attack to basic human rights violations and the absolute rape of its Constitution. It is with great sorrow that the world watches the USA spiral down into a land of slavery and absolute State surveillance and control
Should be entitled "rewriting the lessons of cyphe (Score:1)
The article's premise - exhaustively made - is that the tech companies are at best incapable of securing their networks and at worst co-conspirators with those surveilling them.
The renewed push for strong cryptography is summarily dismissed as mere marketing, reassuring spooked users with the illusion of protection. On slim evidence, Silicon Valley is painted as a monolithic entity complicit with surveillance - because lawful orders were complied with, because vulnerabilities keep being found (surprise) and
Re: (Score:3)
Why would "the IT guy" by which I assume you mean helpdesk have access to server level encryption at all? He doesn't know it, the end users don't know it.
Strategic vs tactical interception (Score:5, Insightful)
Crypto everywhere isn't going to stop you specifically being watched, but it will stop strategic dragnet interception, and force a return to tactical decrypts.
Re:Strategic vs tactical interception (Score:4, Insightful)
Mod the parent up.
We are trying to make bulk surveillance harder, not targeted surveillance. By bulk I mean something like 500 million devices, all to be cracked.
Re:Strategic vs tactical interception (Score:5, Insightful)
Exactly. This is like putting a decent U-Lock on a bicycle. You're not going to make your bike unstealable, you're just going to make it not worth the effort for anyone that doesn't specifically want to steal YOUR bike with professional grade tools.
Re: (Score:3, Interesting)
Yep. Cyclists certainly have learned the lesson that there is no such thing as absolute security, only relative security. The best you can do is make so the thief decides to go after someone else's bike instead. If your bike is an especially attractive target, the pros who know what they are looking for might still get it.
And not only in this case, are the cops not doing much to stop the thieves, they're working on the same team. So really, we can't give up efforts to limit what the thieves can do.
Re: (Score:2)
Good analogy.
Re:Strategic vs tactical interception (Score:5, Insightful)
Indeed. And the dragnet is what is exceptionally dangerous. If the NSA/CIA/GCHQ has dirt on any politician and other person when they finally get into positions of power, then they control the state. What happens if intelligence agencies control a state can be seen in the former Soviet Union, former eastern Germany and current Northern Korea. These people are unable to tolerate individual freedoms or not being in total control, because they are terminally paranoid and see enemies everywhere. There is no more reliable way to establish universal Fascism than failing to limit the power of the intelligence agencies.
Re: (Score:2, Insightful)
Newsflash: The NSA *already* controls the politicians. Why else are there only two near-identical parties to choose from. The game has been rigged for a very very long time.
Re: (Score:2)
Too simplistic and inconsistent with observable historic facts. At the moment they do not have enough for solid control, they just use cheap manipulation. Which still works well, admittedly.
Re: (Score:1)
Crypto isn't going to protect you against the government reading everything from Apple's or Microsoft's or Google's servers.
Re:Strategic vs tactical interception (Score:4, Informative)
Yes it is. Apple, Microsoft and Google all have systems in place so that the data is encrypted at rest where they don't have the keys. Apple is putting things in place so that the data is not stored on their servers at all.
Respectfully, Greenwald Is Wrong (Score:2, Interesting)
Whilst the changes implemented by Apple, Google and others are a matter of record, the sad truth is that none of that matters.
There is simply no amount of encryption that a US company can deploy which trumps an NSL - a "National Security Letter". The fact is, if a company receives an NSL from the US Government, it has *no choice* but to comply, and to do so without alerting the potential subject[s] to the fact that it has been subverted. So far I am aware of only one party - Lavabit - who stood up to deman
Re:Respectfully, Greenwald Is Wrong (Score:5, Interesting)
That Damocletian sword of a NSL is the biggest threat to competitiveness of the US data storage providers. On the internet, it does not matter where you store your data. Never before it mattered so little whether your datacenter is next door or in Abu Dhabi.
As a company, would I want to have my data in the hands of a data center where I KNOW it could instantly be forced to hand it over to a government that has a record that borders on that of China when it comes to industrial espionage?
I've been consulting with companies that wanted to outsource their data storage. They all had a list of countries where you may NOT store their data if you want to enter the bidding war, and without fail the US was on that list, along with other pinnacles of freedom like China. Iran was oddly absent from most lists, even.
Re: (Score:3)
Iran was oddly absent from most lists, even.
I look forward to hearing about how your business plan of storing all of your data in Iran works out for you.
Re: (Score:3)
Hey, not my decision to keep it from the list. Personally I wouldn't want my data stores anywhere but in a few select countries. Don't kill the consultant when the one hiring him decides not to listen to him!
Re: (Score:2)
Odd. Well, ok, of course my knowledge only reflects those companies that I had to deal with, which is of course by far not every company out there that wants to outsource its data center. I just find it highly amusing that the apparently few that do NOT want their data in the US all seem to choose me as a consultant.
Re: (Score:3)
If you live in the US, write your appropriate federal representatives (using an actual physical letter is still more likely to get noticed than an email I believe) and ask them to support the "Secure Data Act" which is designed to stop exactly this (the use of NSLs and other things to mandate backdoors and compromises in software)
See http://www.wyden.senate.gov/ne... [senate.gov] for details of the bill and get behind it (and spread the word about it). Is it perfect? No. But it (at least to my non-lawyer reading of the
Re:Respectfully, Greenwald Is Wrong (Score:5, Informative)
Wrong. NSLs are "after the fact". Encryption is before. An NSL is also a _legal_ measure, while encryption is a _mathematical_ one. Guess what has more power to influence reality. If Apple and Google cannot break their encryption, then they cannot break their encryption, and no number of NSLs is going to change that. At the same time they cannot be forced to put backdoors into their products as that decreases product quality. The analogy to Lavabit is faulty, as Lavabit had the keys and could break its encryption.
Re: (Score:2, Insightful)
A few products tried that in the 1950-1980. The US and UK govs always got the plain text they wanted long term.
Staff were turned, cheaper standards were set. The junk international standards and tame systems can be seen years later.
At some point in the consumer network the plain text is ready. At that point the backdoors, trapdoors are ready.
Product quality did not save the world from the tame standards.
Political leaders did not help. Experts did not mention much about
Re: (Score:3)
So you are saying because it is an arms-race, the defenders of freedom should give up? Well, of course you are free to do so, but remember that _all_ freedoms you are enjoying today, including the one to post here, have been won by people that did not give up.
Re: (Score:1)
You can keep fighting, of course, but it's futile. You're simply outgunned. And if you insist, ultimately it will turn ugly for you. What you call "freedoms" are in the end just privileges, to be revoked at the whim of a powerful elite. Time to wake up and accept it. You can still have a pretty good life if you toe the line and learn to give up any delusion of "freedom". Your choice.
Re: (Score:2)
What a pathetic, defeatist attitude! Why not just kill yourself?
Re: (Score:2)
To be fair, the AC is just expressing the same attitude as every non-political person in Eastern Europe during the Cold War. Or the attitude of slaves in the Antebellum South. Or Hegel's redefinition of "freedom" as the recognition of necessity.
Not everyone is cut out to be Nat Turner, or John Brown. The AC clearly isn't.
Re: (Score:2)
Well, yes. I have no problem with the AC thinking that. What I resent and consider hugely unethical is that the AC tries to spread this attitude.
Re: (Score:2)
Sorry, but I feel that gutless cowards have the same free speech rights as the rest of us, even to advocating for others to snivel and bow and tug their forelocks.
After all, AC is desperately trying to save our families' lives from our advocating copyrights shorter than 150 years after the death of the last person associated with some work, or net neutrality (or against it, or whatever), or using mil-spec encryption on our daily emails.
Re: (Score:2)
You really do not understand what is going on. I do live in Europe. The problem is not limited physical rights. The problem is surveillance, which tries to get into your thoughts and violate your privacy. That is fundamentally different.
Re: (Score:2)
Then you break keys apart. No one has the full key other than the target. A system can easily have 5 underlying private keys where you need any 4 of the 5 to decrypt and any entity only has one.
Re: (Score:2)
That's why a meaningful system must be one where only the device owner has the ABILITY to decrypt it. No number of NSLs can overcome the actual inability to decrypt the data. That may also include a requirement to be unable to push updates silently.
The roots of the problem are simple... (Score:2, Insightful)
... they stem from WW2 and the Cold War.
Normally, countries police citizens by applying a rule of law. In the US' case, there is a written constitution which drives this, but in general across the West there is a written or unwritten set of standards which limit state's powers.
If you are in an extreme war, and your country is at risk of being invaded, with many citizens being killed, it is appropriate to throw the above protection away. The state will do anything it needs to to survive, and will not follow
Computers are compromised by design (Score:2, Insightful)
Phones in particular, with their many hidden CPUs that have encompassing access to the one system that the users perceive as the "main processor", are untrustworthy. No secure encryption can be implemented on phones. But modern PCs are hardly better: System management mode, separate coprocessors and external buses with full RAM access, UEFI, etc. make it impossible to verify that there isn't hidden functionality, even if you assume the hardware isn't malicious.
Re: (Score:2)
That is Nonsense. True, there are numerous ways to hide things, but if you intend to make it secure and you do understand the system because you designed it, it is quite possible to make it secure. Do not take software written by "cheapest programmer possible" to indicate what can be done.
Re:Computers are compromised by design (Score:5, Insightful)
The device and the network has origins with the Communications Assistance for Law Enforcement Act.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Trying to build a better app over that voice, text and network logging ready system is interesting.
An app can encrypt but the data has to be entered?
Get the plain text as it is entered? Then the new app can be as powerful as it wants and totally tested. The plain text is still ready on any network.
Re: (Score:1)
You are rambling incoherently. You should reduce drug-intake.
TFA Misunderstands the History (Score:5, Interesting)
TFA is correct that simply thinking that, because there is a zillion-bit crypto algorithm thrown into the communication stream, that everything is good and security is guaranteed. There are many, many attack channels that do not involve brute-forcing the crypto. Keyloggers, for example.
But this is silly:
Back in the 1980s and 1990s, a group of encryption mavens known as cypherpunks sought to protect individual privacy by making "strong" encryption available to everyone. To this end they successfully spread their tools far and wide such that there were those in the cypherpunk crowd who declared victory. Thanks to Edward Snowden, we know how this story actually turned out. The NSA embarked on a clandestine, industry-spanning, program of mass subversion that weakened protocols and inserted covert backdoors into a myriad of products.
In actuality, the crypto implementations promoted by cypherpunks were exactly those that made it difficult or impossible for such a program of mass subversion to take place. Remember that the height of the cypherpunk movement was when the Clinton administration was pushing hard, really hard, for the NSA-sponsored Clipper Chip, which was, in a nutshell, crypto subverted by design and mandated by law. We now know that when the spooks found that was politically impossible, they went ahead and did it anyway, in secret. But the cypherpunk tools, most notably PGP (and later GPG, when PGP sold out and went corporate). Hell, even look at /dev/random: when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips, /dev/random was still just fine, because it treats all sources of entropy as potentially untrustworthy, including the chip.
The first lesson we should learn from the history of the cypherpunks is that trusting your crypto to a closed product is always, always a bad idea. That was the lesson then, and it is still the lesson now.
The second lesson is that crypto, like any security, is all about the threat model. In that light, should we reject the widespread adoption of end-to-end crypto in commercial products? Of course not. If Apple and Google implement crypto by default, it will make efforts to dragnet information exponentially harder, even if the crypto is imperfect. This is why the spooks are beating the drum against it: it closes off that one particular threat model, which they have come to rely on. It doesn't close off other kinds of attack, but so what?
The third lesson is that crypto, by itself, is not a panacea. Nobody ever said it was. The cypherpunk message was not that we can write PGP, declare victory, and walk away. The message was that privacy changes the relationship between the citizen and the state in beneficial ways, and that, in a technological society, we need to embrace technological means of increasing our privacy, in ways that cannot be controlled by the state.
Re:TFA Misunderstands the History (Score:5, Interesting)
It's not that cryptography has failed to bring us security, it's that the people have failed to make use of the available cryptography in the first place.
It's worse than that. As an artist friend of mine told me recently: "Ten years ago I used to wonder how people would respond to the massive loss of privacy represented by social media. Now we know: the only thing people actually worry about is that nobody is watching."
Re: (Score:2)
The NSA embarked on a clandestine, industry-spanning, program of mass subversion that weakened protocols and inserted covert backdoors into a myriad of products.
In actuality, the crypto implementations promoted by cypherpunks were exactly those that made it difficult or impossible for such a program of mass subversion to take place.
Well, you're both right and wrong. What you say is true, but the NSA actually attacked security software, protocols, and even ciphers. They put back doors in some of the tools that people were depending on to defend them from the NSA.
Remember that the height of the cypherpunk movement was when the Clinton administration was pushing hard, really hard, for the NSA-sponsored Clipper Chip, which was, in a nutshell, crypto subverted by design and mandated by law. We now know that when the spooks found that was politically impossible, they went ahead and did it anyway, in secret.
Sigh. They went ahead and did it anyway, in plain sight. Both Intel and AMD have implemented TPMs inside of their CPUs. You can no longer buy a mainstream PC without a TPM.
Re: (Score:2)
I understand a TPM can hypothetically be used as part of a system to lock users out of their own computers and into walled gardens, but that is a separate argument and not its only use. What do TPMs have to do with the NSA?
You just answered your own question.
Re: (Score:3)
A very good summary. Too many people view crypto as the "Daddy" in their privacy, protecting them from all manner of threats. There are many places where encryption efforts can be compromised, including improper implementation of even well written libraries.
But to argue, as some have, that it is worthless is wrong as well. It is the moat and wall around your castle. Sure there may be a day when the Mongolians overrun you but at least you have slowed them down by your efforts.
Re: (Score:3)
this is the first time i've heard this claim. reference? i know of the hand wringing about if we can trust the h/w, but i didn't see any evidence that it was broken.
Ars Technica [arstechnica.com]
New York Times [nytimes.com]
rt.com [rt.com]
Re: (Score:3)
"when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips"
Such a thing was never revealed.
https://www.schneier.com/blog/... [schneier.com]
"I have no idea if the NSA convinced Intel to do this with the hardware random number generator it embedded into its CPU chips, but I do know that it could." (could meaning it is conceivable here, he doesn't investigate anything about feasibility)
No one ever showed that the NSA did this. No one even trie
Encryption is not the answer (Score:4, Insightful)
In the current political environment, encryption is not the answer. If you've been paying attention, there have been a number cases where a person was ordered to unlock the contents of a laptop or other device under the threat of being put in prison if they refuse. And that is the real problem. If you create some super-duper-encryption that is impossible to break, the various corrupt government agencies will simply declare you to be a terrorist, who can't possibly have any legitimate need for that encryption, and you will be ordered to decrypt or go to prison, and nobody will even know you are in prison thanks to secret laws enforced by secret courts.
Until THAT issue is addressed, encryption truly is just snake oil and feel-good public relations.
Encryption is conceptually broken because... (Score:2)
... you can't organize a mass political movement or broad cultural change by hiding what you are doing. You need to convince people to believe in a cause and be willing to commit resources to support it. And overall that requires broad mass communications and engaging more and more people, any one of whom could report you to "authorities". Successful broad change in a democracy is going to be focused on legal & non-violent means to change public opinion. Encryption is generally about hiding communicati
This is not about cryptography (Score:4, Insightful)
The author says that "cryptography is underhanded", but you will look in vain to find any technical meaning of that phrase anywhere in the article. What he really means is that the major corporations (Google, Apple, et al.) are underhanded because they are working with state spies to cripple algorithms and put in back doors, etc.
But trying to cripple cryptography is something we already are aware of, and there are ways to shore up the technology to make it much, much harder for government to spy on us in bulk. Even using weak, crippled cryptography forces the spies to expend computing resources. Cryptography is all about raising the cost of spying, when dealing with government, not with preventing spying.
Re: (Score:1)
We have no clue just how advanced NSA decryption methods are, but my guess is that it's probably so ridiculously advanced that it would even surprise tech junkies. Like you said we also have to worry about algorithms that have been systematically weakened on purpose. Most encryption is more than most hackers can handle even with quad titans. My dual setup can rip most passwords apart for stuff like sign in passwords, but would be completely impractical against any medium level encryption with a decent lengt
Secrecy laws (Score:2)
I think the article is conflating three things:
a) The limited amount of cooperation the tech firms provided
b) The heavy amount of cooperation the telco firms provided
c) The NSA successfully breaking some encryption systems because they are good at their job and (b).
Silicon Valley companies were not eager participants but rather reluctant participants. However they can't fully disclose the extent of their involvement because of secrecy laws. Yes encryption systems have been attacked in ways that are com
Re: (Score:2)
Yes and no. Google and Facebook want an accurate picture of their user's interests. They want you to freely send them data. Which means they can't be doing anything which causes you to become cautious. Always being logged in, having only one account...
let's face it (Score:1)
If... (Score:2)
You are vulnerable to Social Engineering (and almost everyone is), no security of any kind will ever work. Become a Scottish crofter, it's your only hope of a life.
You are a private individual, see all XKCD coverage. Same remedy.
You are Sony, abandon hope now. You wouldn't even make it as a crofter.
You are anyone else, encryption is not enough. You want segmentation, active NIDS, proxies and firewalls at the gateways, HIDS on the machines, role-based access controls, host-to-host IPSec, security labels on p