Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Privacy

Edward Snowden: 'Without Encryption, We Will Lose All Privacy. This is Our New Battleground' (theguardian.com) 135

Edward Snowden: In the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world's information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe. [...] Earlier this month the US, alongside the UK and Australia, called on Facebook to create a "backdoor," or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications. So far, Facebook has resisted this.

Donald Trump's attorney general, William Barr, who authorised one of the earliest mass surveillance programmes without reviewing whether it was legal, is now signalling an intention to halt -- or even roll back -- the progress of the last six years. WhatsApp, the messaging service owned by Facebook, already uses end-to-end encryption (E2EE): in March the company announced its intention to incorporate E2EE into its other messaging apps -- Facebook Messenger and Instagram -- as well. Now Barr is launching a public campaign to prevent Facebook from climbing this next rung on the ladder of digital security. This began with an open letter co-signed by Barr, UK home secretary Priti Patel, Australia's minister for home affairs and the US secretary of homeland security, demanding Facebook abandon its encryption proposals.

If Barr's campaign is successful, the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design. And those communications will be vulnerable not only to investigators in the US, UK and Australia, but also to the intelligence agencies of China, Russia and Saudi Arabia -- not to mention hackers around the world. End-to-end encrypted communication systems are designed so that messages can be read only by the sender and their intended recipients, even if the encrypted -- meaning locked -- messages themselves are stored by an untrusted third party, for example, a social media company such as Facebook.

This discussion has been archived. No new comments can be posted.

Edward Snowden: 'Without Encryption, We Will Lose All Privacy. This is Our New Battleground'

Comments Filter:
  • Just wait till... (Score:5, Insightful)

    by Famanoran ( 568910 ) on Tuesday October 15, 2019 @09:13AM (#59309156)

    These governments discover that the terrorists can just run an old time guestbook CGI on a VPS hosted web server using a self signed SSL certificate on TLS1.2/1.3 behind simple Basic authentication with htpasswd for all their cell co-ordination needs...

    • Re: (Score:2, Insightful)

      These governments know very well that a self-hosted service is linked to a payment, and they know how to hit that. Remember how everyone suddenly (and withoug legal reason) stopped processing donations for Wikileaks in 2010, after the US government told them to?

      • Webservers can be leased for cheap using stolen credit cards. If someone busts one site then they will just restore it from backups in another place.
        • Compared to sitting at an internet cafe and chatting with P2P encryption with someone in another, this is practically like running a legal enterprise.

      • Problems:

        Due to the vast number of providers and consumers of said VPS services across the world, it's practically impossible to enforce any background checks at point of purchase with any consistency. So you're going to need to wait till the site itself is mentioned/linked/implicated during an existing investigation before its even in your radar.

        Credit card fraud - need I say more?

        Bitcoin bullet proof hosting - a little effort up front makes tracing the bitcoin much harder, plus those bullet proof provider

      • by Famanoran ( 568910 ) on Tuesday October 15, 2019 @09:59AM (#59309354)

        I'll put it like this. Encryption is math. It's awfully hard to legislate against math in any meaningful way.

        If the backdoors applied only to consumer and business services, ejabberd could well be a good replacement. Again, self signed certs would keep the contents of communications private.

        Even if all public (open+closed source) encryption libraries were backdoored at the source level, a dedicated criminal organisation is perfectly capable of funding a clean room implementation of any given encryption and communication standard.

        In fact, they would probably drive significant innovation in the field. Good for business if you don't get caught after all.

        The cat's out of the bag. Running around with fingers in our ears screaming lalalala and wishing for the good old days is not going to achieve a damn thing

        • This is not a technological problem, this is a legal problem. Once the governments mandate that keys are put in an escrow or disclosed upon request and introduce penalties for withholding them, and you only have the choice of surrendering your communications or ruining your life, they'll get what they want.

          Or, in one sentence, once encryption is outlawed, only outlaws will have digital privacy.

          • by SirAstral ( 1349985 ) on Tuesday October 15, 2019 @10:22AM (#59309460)

            They don't care about the outlaws. They love outlaws because they can use the subterfuge of combating outlaws to require citizens to give up rights.

            There is a reason why the following words are important to live by when politics and government is concerned.

            Those willing to give up "essential liberty" for a little temporary safety deserve neither liberty or safety!

            Rights to privacy are essential to liberty! The governments desire or demand to sacrifice these in the pursuit of the public good is an anathema to any decent form of government regardless of it being a republic, socialist, communist, democratic, or whatever form of government you can think of. All governments eventually become totalitarian, but certain ones are better at increasing the speed at which you arrive there.

          • by fred911 ( 83970 )

            ''Once the governments mandate that keys are put in an escrow or disclosed upon request and introduce penalties for withholding them, and you only have the choice of surrendering your communications or ruining your life, they'll get what they want.''

            NSA/Clinton had tried to mandate a similar system with what the called 'Clipper chip' in 1994;
            https://en.wikipedia.org/wiki/... [wikipedia.org]

            If there's a court order from an elected jurist, I would see it as valid. But it's quite hard to prove someone is in contempt if they '

          • Then you just hope the country you live in agrees in practice that freedom of speech is still a right.

        • Running around with fingers in our ears screaming lalalala and wishing for the good old days is not going to achieve a damn thing

          Make Encryption Great Again

      • by bjwest ( 14070 )
        Well, at least they're not using Visual Basic to create a GUI interface for tracking the IP address [youtube.com]. Now that would be scary.
        • by bjwest ( 14070 )
          DAMN IT! Clicked Reply on the wrong damn comment. I swear this is the same damn editor I was using 20+ years ago.
    • by Nidi62 ( 1525137 )

      These governments discover that the terrorists can just run an old time guestbook CGI on a VPS hosted web server using a self signed SSL certificate on TLS1.2/1.3 behind simple Basic authentication with htpasswd for all their cell co-ordination needs...

      Hell, the bad guys can just pick a popular MMO or any other game with a large playerbase and a global chat system. For even harder detection pick one with multiple servers (so you'd have to find the right game and server to eavesdrop) and use coded phrasing while chatting in game. You could even make a code specific to the game and no one reading the chat would be the wiser.

      • Heck, some of the bad guys are so well-heeled, they could make a MMO or some app that is low tech, but would be popular (A Meitu clone, perhaps.) Some type of low hanging fruit. From there, it wouldn't be hard to use the game client as a way of doing communications, as well as cryptocurrency validation. This wouldn't be so far-fetched. The only real tough OS to make this happen on would be iOS, but for that, it could pop up a Web browser and do HTML5 objects from that.

    • Or they go to a public library and read how cryptography works, then implement something themselves. You can prohibit encryption but bad guys aren't exactly known for abiding the law.

  • Fgnegvat abj, V cyna ba rapelcgvat nyy zl pbzzhavpngvbaf bire gur vagrearg.
  • The problem is that the systems are closed (source/hardware). Lots of closed source applications claim to be end-to-end encrypted, but who really knows? And the behavior can change on every update. The biggest threat is closed systems. Unfortunately it looks like that battle has been lost and Open Source has been relegated to be building blocks of closed systems.

    • by AHuxley ( 892839 )
      Well we now know thanks to PRISM and Bullrun https://en.wikipedia.org/wiki/... [wikipedia.org]
      That nice closed system by a big US brand will always help the NSA, Communist China, the GCHQ, New Zealand, some social media EU "law" from a nation like Austria, Germany, Spain.
  • Privacy is dead... (Score:4, Interesting)

    by blahplusplus ( 757119 ) on Tuesday October 15, 2019 @09:19AM (#59309188)

    ... the average person on the planet is too computer illiterate to not reward privacy invading software and technology.

    The last 20 years of games and now the last 10 years of software has been slowly splitting software into two pieces and not giving a complete application to the end user. This began with mmo's in the late 90's when CEO's and game devs conspired to undermine game ownership on the PC, the four horses of the game ownership apocalypse - ultima online, everquest, guild wars and World of warcraft. Which ultimately lead to steam in 2004, once steam hit the rest was inevitable once smart phones hit and microsoft started getting in on what the game industry and the smartphone industry had pioneered.

    Everyone has seen the profits from smart phone industry with locked down apps and software, so there is the big push with windows 10 to finally remove software ownership. Pandora is not going back in the box since the moms and dad's of the world are computer illiterate. Windows 10 now has everything the nerds of the 90's feared in it and it's going to get worse. Office is now in subscription and every company is trying to get rid of accessable files and exe's as abstractions, we're seeing the big push towards encrypted computing and VM's via Microsofts UWP... drowning the baby slowly as it were.

    Encryption isn't going to help us, the US government is corrupt as fuck and all of these privacy violating ways of making software would have never gotten off the groudn if we had gotten the rights to own software and our devices to begin with. Lobbyists made sure to get rid of any rights of the public to own its own software which is the root cause of all this mass privacy invasion and "software as a service" nonsense, where even Nvidia wants you to login to use certain functions of your videocard software.

    It's way too late and out of control because flaws in software law + internet has allowed companies to steal software and take over their machines without firing a shot.

    The internet is one giant world sized computer and software companies write the rules and laws that govern the machines, they are de-facto parallel governments who can determine whether you have any rights or not from the point of production since we wired them up with internet. Before internet they were forced to give you all the files and a complete application, after the internet they have the "option" of not doing that and that's what most of them did. So they've been stealing software for 20 years since the advent of the internet. Get used to it kids.

    • Exactly. And they used Open Source/Free Software to build a lot of it.

    • by Z80a ( 971949 )

      It's even worse than that, with a billion or even trillion dollar "underground" data selling market running under the hood, infecting everything with megacorporations no one know the name.
      They created an absolutely terrifying concept of "free" that will blow back in the face of everyone.
      At this point, i think only some massive scandal, like several famous people getting absolutely wrecked with data bought on those markets would start to save us.

    • You have written one of the best posts I've read on /. in a while.
      Bravo!
      • It is completely stupid, in fact it is the stupidest thing I have read in a long time.

        You do not have to do any of those things. You are totally free NOT to do them. You are totally free to own your own computer. You are totally free not to sign in to nVidia (of anywhere else).

        Some people may CHOOSE to do those things despite the obviously intended and obtained result thereof. Some people may choose NOT to do those things because they do not want the result thereof.

        There is no conspiracy, it is just a b

  • Tell you what... (Score:4, Interesting)

    by MitchDev ( 2526834 ) on Tuesday October 15, 2019 @09:20AM (#59309192)

    Government,

    Un-encrypt/Unhide ALL your communications first, then we'll talk about giving up our privacy...

    • Re:Tell you what... (Score:5, Interesting)

      by rickb928 ( 945187 ) on Tuesday October 15, 2019 @09:39AM (#59309272) Homepage Journal

      Clearly *some* government communications need to be secured, for the same reason some of mine do.

      And, so, please, government, permit me to have some of mine secured against even your wants. Bring a warrant. Play by the rules.

      And, if you're already judging this post as naive, consider that *we* ought to, need, to, must, and will make the rules. Even if it means rough play.

      • "And, so, please, government, permit me to have some of mine secured against even your wants."

        You are already a slave... why even bother asking?

        We either "demand" our privacy or we do not get it. That is just how it fucking works and no other way!

      • You miss the point. The whole point is to avoid the requirement to "bring a warrant".

        • Sooner or later the government will want something that is encrypted. They will either take it, if we permit that, or demand (ask being a synonym for governmental requests) it be given.

          With encryption we say yes or no. A warrant places us under judicial demand, which we then deal with. Without encryption, we may not even know it was taken.

          And if we know, we can question, require explanation or justification, and ultimately exercise whatever control we have and change future behavior by the government

          Whether

    • ridiculous.. They have important secrets to hide. If YOU aren't doing anything wrong, you have nothing to hide,.
  • So the question has to be, assuming these conversations are already going over TLS encrypted links, what do the governments know that we don't about hijacking that data?
    • TLS means nothing because it gets unencrypted at the endpoint. Monitoring is done at the endpoints by simply transferring database contents or a backdoor Kafka stream or whatever. No need to break encryption.

      • If one endpoint is under my control and the other one under the control of a trusted partner, where exactly is the data leak?

        • There isn't. I am not saying that encryption is useless (it is very useful). But just because you have a TLS connection between yourself and some endpoint doesn't mean anything. Data collection is done mostly at the unencrypted endpoints.

  • by AHuxley ( 892839 ) on Tuesday October 15, 2019 @09:24AM (#59309204) Journal
    Want one that works?
    Use a one time pad once well away from any "computer"
    Network the resulting code and never keep the workings.
    Never be tempted to reuse the code due to the amount of data.
    When the code is decoded, never keep the method and results on a computer.
    Dont buy a consumer computer, consumer OS to do crypto on.
    Expect every word, image, voice print and data set to be kept by the NSA and GCHQ for decades.
    Collection is cheaper than sorting for the NSA.
    • Even the NSA can't store everything. There aren't enough storage to save everything. Basically they just ask the companies to give them access to their databases that contains the email/messages/whatever. You guys are overthinking everything.

      • by AHuxley ( 892839 )
        Sure they can. They need a voice print. Thats some maths. Not every call made.
        Hops to friends, family, all other people that person knows and other places that voice print is then detected globally.
        Not a huge file per person. Not the rows of audio tapes Communist nations had to keep :)
        A voice detected in a war zone, talking about supporting a banned group? The NSA/GCHQ gets interested.
        What the NSA never wants to wonder is who is the other voice they dont have on file....
        So they collect it all.
        • They aren't storing everything. They don't need to. The corporations already store all your stuff in databases. Your websearches. Your messages. What you just posted. They just ask for it, and take a copy.

          "Re "databases that contains the email/messages/whatever" are not kept for decades."
           
          Um, yes they are. Either way, they just take a copy. I don't think you guys get it.

          • by AHuxley ( 892839 )
            Re 'The corporations" might not keep the data needed for 10's to 80 years like the NSA and CIA want.
            • So they take a copy. But the corporations do keep it. Just go download your data from Google. Go run a credit check on yourself. It will all be there.

              • by AHuxley ( 892839 )
                Re 'So they take a copy"
                The NSA can no longer trust US brands to keep the making of the copy safe from the EU, China.
                • Um, the corporations sell your data to anyone. I don't think you get it. What are they keeping "safe"?

                  • by AHuxley ( 892839 )
                    What are they keeping "safe"?
                    Their work with the NSA... ie what was PRISM.
                    Company staff did not talk, the US gov kept that secret, the NSA never got detected in any protected system, on any network... by experts.
                    That was the PRSIM secret to keep safe. The link between US brands domestically and the NSA...
                    Considering the Church Committee and the role of the NSA/CIA domestically...
      • Even the NSA can't store everything.

        Their problem isn't storage, it is how to query and analyze the data they get everyday.

        • Even the NSA can't store everything.

          Their problem isn't storage, it is how to query and analyze the data they get everyday.

          Both storage and analysis are problems. The fact that analysis is such a large problem makes the storage problem less acute, because why bother storing stuff that you'll never get around to analyzing?

  • Proper encryption cannot be distinguished from random data. That is kinda the point.
    So nobody can ban it, since nobody can tell what is encrypted and what not.
    Even banning random data does not help, as there is steganography, and every real world data contains a certain amount of random noise.

    So for the totalitarianists, this is already a lost cause. Not even a battle lost. But no way to even start one.

    The only way they can gain any control, is by going to the source, before it is even encrypted. Like in th

    • Proper encryption cannot be distinguished from random data... So nobody can ban it, since nobody can tell what is encrypted and what not..

      When the vast majority of 'net traffic is either not encrypted, or encrypted with backdoors, then the stuff that's really encrypted will stick out like a sore thumb.

      Besides... what is the point? It is much much easier, to just program a human via its senses, so it thinks like you want from the start.

      Yes, and the vast majority of humans have already been thus programmed. That's why effective encryption is in jeopardy; most people don't know enough / don't care enough to bring their governments and corporate overlords to heel by sharply jerking the leashes they've forgotten they're holding.

  • Are we going to require that all databases start storing user passwords as plain text now?

  • Why not ask him next time they have a "chat" with you. I doubt Russia is keeping you fed and watered for free.

  • tell them i lost my credit/debit cards and to issue me new ones with new numbers & dates, then instantly all the data ecommerce has on me will be obsolete as far as my credit/debit cards go
    • Uhhhhh...what? I don't think you understand how this works.

      • umm, yes i do...
        all these places where people do business with like paying bills online at Amazon, AT&T, Home Depot, Office Depot, Staples, Walmart, etc... they all have the credit card info on their servers and whenever you buy something or pay a bill they use that info so you are not typing it in every time (some browsers hold that for you too),
        have the bank change your card numbers and all those places now cant charge your account
  • Comment removed based on user account deletion
    • by sconeu ( 64226 )

      The founders didn't include term limits for the President, either. It was just tradition until the 23rd Amendment (post FDR).

      Technically there IS a guarantee of privacy (see the 9th Amendment). Since ALL men are endowed with their innate rights, the 9th makes this explicit.

      • by sconeu ( 64226 )

        Dammit. It was the 22nd Amendment. Should have checked instead of working from memory.

    • Just FYI, there were no term limits for president when the founders created the constitution. Term limits for president became a thing after FDR was elected to a FOURTH term in office and the opposition party thought that was excessive, so they drafted and got the 22nd amendment ratified in 1951.

      As to privacy, that was protected in some sense in the 4th amendment, prohibiting unreasonable searches and seizures, and enshrining "The right of the people to be secure in their persons, houses, papers, and effe
  • As long as you sleep.
    Then you suddenly wake up and find that you rely on something you don't really control nor can.
    Cryptography is an illusion, privacy double so.

  • Privacy is as far from dead, people just choose convenience over their own privacy. I run a communications hubs for groups of friends, there are ways to ensure security.

    1 ) Instant messaging: Don't use any official clients, use one that has a OTR plugin (Off the Record), I use an IRC gateway with a bouncer for all my accounts, that not only requires a password but also a PGP key so the server knowns it's the actual person logging in. So all my communications is going through OTR on top of IRC a well documen

  • This is why we desperately need USPS to provide vetted certs for individuals, along with states providing companies certs. We need the encryption, but first, you need to be able to vet who you are talking with. The current approach to doing certs is a joke.
  • It's also for authentication - the fact that the message decrypts with your public key is proof that you created it with your private key.

    Systems with escrowed keys don't have that guarantee any more - the escrow key holder can fake anything from anyone.

    THAT'S what businesses should be up in arms about here.

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...