Online Security Isn't Over; It's Just Beginning

from the time-to-move-on dept

Fri, Sep 6th 2013 7:21am — Mike Masnick

One of the more annoying responses to the latest revelations about the NSA's spying and surveillance is people brushing it off, saying, "well, of course the NSA was doing this." That simplistic, short-sighted response doesn't really take into account the importance of the details and, worse, seems to suggest that this kind of status quo is acceptable. It's not. Worse, it's leading some to take the fatalistic approach that there's nothing to be done, so why even bother? That's the the exact wrong approach. As Micah Lee points out:

Giving up and deciding that privacy is dead is counterproductive. We need to stop using commercial crypto. We need to make sure that free software crypto gets serious security and usability audits.

If we do this right we can still have privacy in the 21st century. If we give up on security because of this we will definitely lose.

Bruce Schneier has been thinking along similar lines, beyond just his call to rebuild internet infrastructure with security and openness in mind to make life more difficult for the NSA, he's also discussing things people can do right now to remain a hell of a lot more secure in the face of the NSA's activities.

If the internet is going to be as powerful and as useful as it should be, it needs to be a lot more secure. Throwing in the towel because of some backdoors is the exact wrong approach and is exactly what's not needed right now. The security needs to be better and it needs to be easier to implement and to use. That won't happen overnight, but it will happen. It needs to happen.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cryptology, cybersecurity, encryption, online security, privacy, security

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

out_of_the_blue, 6 Sep 2013 @ 7:29am

WRONG! Don't try to hide from your errant servants!
Remind them that THEY ARE SERVANTS, that they're breaking their oaths and BEING EVIL, and are allowed their power only so long as serve We The People.

That's rock-bottom AMERICANISM: when The Rich use gov't for tyranny, it's time to rise up and pull down the tyrants, NOT HIDE LIKE MICE.
[ link to this | view in chronology ]
- jackn, 6 Sep 2013 @ 7:46am
  
  Re: WRONG! Don't try to hide from your errant servants!
  Yeah, tell them to get us a glass of water!
  [ link to this | view in chronology ]
  - Rapnel (profile), 6 Sep 2013 @ 6:17pm
    
    Re: Re: WRONG! Don't try to hide from your errant servants!
    % nsa make me a sandwich
    [ link to this | view in chronology ]
- etrimby, 6 Sep 2013 @ 9:00am
  
  Re: WRONG! Don't try to hide from your errant servants!
  O.K. so Blue has a damn good point here and everyone just reflexively reports him? That's pretty damn stupid.
  We need a 2 step program here.
  1. Make the government start working for us, the way we want it to.
  2. Use that reformed government to stop excesses and abuse from the corporate world.
  [ link to this | view in chronology ]
  - beech, 6 Sep 2013 @ 9:15am
    
    Re: Re: WRONG! Don't try to hide from your errant servants!
    It's kind of like a "boy cries wolf'' scenario. Its hard to take the poor guy seriously when 99% of his comments are off-topic and/or ad homs.
    [ link to this | view in chronology ]
    - Pragmatic, 9 Sep 2013 @ 3:35am
      
      Re: Re: Re: WRONG! Don't try to hide from your errant servants!
      She's still blaming "the Rich" for everything, even though they're patently not the bad guys. The multinational corporations, the MIC and their religious authoritarian cohorts are. Get their grubby paws off the levers of power, and we'll have the country we want. Attempting to break up the country or just hating on "the gubmint" ain't a solution, it's part of the problem because it denies that we actually need a government to enact governance.
      
      Getting the government back under control with a mandate to serve We The People is the way to go. It begins with using our right to vote responsibly and NOT voting the same old grifters and corporate suck-ups back into office every damn time.
      [ link to this | view in chronology ]
- beech, 6 Sep 2013 @ 9:13am
  
  Re: WRONG! Don't try to hide from your errant servants!
  Why can't we do both?
  [ link to this | view in chronology ]
chad holbrook, 6 Sep 2013 @ 7:39am

XKCD
http://imgs.xkcd.com/comics/legal_hacks.png
[ link to this | view in chronology ]
- That One Guy (profile), 6 Sep 2013 @ 5:58pm
  
  Re: XKCD
  ... they really do have a comic for everything, don't they?
  [ link to this | view in chronology ]
Duven, 6 Sep 2013 @ 8:51am

Trust
-the internet (or at least it's protocols) is based on trust

That may just be the beginning and end of the whole problem
[ link to this | view in chronology ]
- Anonymous Coward, 6 Sep 2013 @ 10:47am
  
  Re: Trust
  By definition, there is no privacy/security on the Internet; any communication that involves a 3rd party is unsecure. Wishing for the unattainable is silly.
  
  You want privacy? Go somewhere by yourself or go talk to somebody face-to-face.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 6 Sep 2013 @ 11:38am
    
    Re: Re: Trust
    Security and privacy are not black-and-white. That is, you can never have 100% of either, but that doesn't mean you should accept 0%.
    
    Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.
    [ link to this | view in chronology ]
    - Anonymous Coward, 6 Sep 2013 @ 12:48pm
      
      Re: Re: Re: Trust
      Even talking face-to-face in a secluded location is not secure. It is, however, possible to communicate over the internet in a manner that is approximately as secure as that.
      
      Uh, no.
      
      What is the point of posting such bunk?
      [ link to this | view in chronology ]
      - RonKaminsky (profile), 6 Sep 2013 @ 4:13pm
        
        Security is not binary
        Given that the manpower of the NSA is actually quite limited, I see no reason why John Fenderson is incorrect. If I contact someone using what is advertised as his public key, even if the NSA runs a MITM against us, it would have to have a real human editing our conversation to prevent us from exchanging enough information to be able to detect the MITM attack. There is no way an automatic logger (which is all the NSA can afford to run against "Average Joe Who Is Probably Not A Terrorist Or Otherwise Interesting") is going to be able to prevent us from confirming our PK fingerprints.
        [ link to this | view in chronology ]
      - John Fenderson (profile), 9 Sep 2013 @ 9:20am
        
        Re: Re: Re: Re: Trust
        Please explain why it's not possible. I can think of a couple of ways right off the top of my head, mostly involving multilayered encryption, using a combination of different protocols and including at least one that isn't a standard.
        [ link to this | view in chronology ]
anonymous coward, 6 Sep 2013 @ 8:54am

Aren't we just overdue on putting together a third political party? ...and not just some quarterback wannabe with personal wealth to run for president?
[ link to this | view in chronology ]
- John Fenderson (profile), 6 Sep 2013 @ 9:47am
  
  Some steps are missing
  I would prefer to see no parties at all rather than more parties. But the core problem isn't any of the parties at all. The core problem is a prolonged and systemic takeover of the government by major corporations and the ultra-wealthy.
  
  We've been down this road a couple of times before in US history. This is a familiar landscape.
  [ link to this | view in chronology ]
- Anonymous, 6 Sep 2013 @ 6:19pm
  
  Re:
  A third? Don't you mean a second?
  [ link to this | view in chronology ]
Indy, 6 Sep 2013 @ 9:16am

Top down?
1. Industry leaders come up with new solutions.
2. NSA (or some new, secret-funded group) pressures them for potential weak points.
3. Crypto is broken, again, silently.
4. Right back where we started.

None of the technical stuff matters anymore if it's got the spooks with its fingers in it anyway.
[ link to this | view in chronology ]
- John Fenderson (profile), 6 Sep 2013 @ 9:48am
  
  Re: Top down?
  The technical solution is easy: don't use the "solutions" that industry leaders provide. We don't need them.
  [ link to this | view in chronology ]
Alt0, 6 Sep 2013 @ 9:27am

hide in the open
Personally, I avoid certain words and phrases in my online communication now. I am sure this will get sorted one way (we take away their power to do this) or another (we are able to subvert their efforts to do this with better encryption)

The thing is, they SAVE EVERYTHING and even with better encryption its just a matter of time until they will be able to crack that as well. Seems the only truly secure way to regain our lost privacy is to take away the power which allows their actions. Until then I avoid using the net for important communication and hope to hide in the ever growing haystack.
[ link to this | view in chronology ]
Anonymous Coward, 6 Sep 2013 @ 9:51am

We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)

Browsers should use the new protocol by default, and give an "Are you sure you want to navigate to this site? It has weak encryption." warning message for sites using TLS 1.2 and older protocols.

Almost all sites use TLS 1.0/SSL 3.0, both of which are quite vulnerable. Maybe a large crowd of users complaining about sites' weak encryption could finally get them to upgrade and thwart the NSA.
[ link to this | view in chronology ]
- Anonymous Coward, 6 Sep 2013 @ 10:25am
  
  Re:
  We need a new open encryption protocol for HTTPS, with stronger encryption and no known weaknesses. (Even the latest version of TLS can be vulnerable since it supports RC4.)
  
  TLS 1.2 without compression has exactly what you want. Stronger encryption (AES-GCM, SHA-256), no known weaknesses. You can easily disable RC4 when using it it (not offering it as a client, not taking it as a server).
  
  Browsers should use the new protocol by default, and give an "Are you sure you want to navigate to this site? It has weak encryption." warning message for sites using TLS 1.2 and older protocols.
  
  That is a bit of an inversion, since plain non-encrypted HTTP (which has even weaker encryption - the equivalent of 0-bit crypto) would not get a warning. First add warning to non-encrypted connections, then start killing the older protocols one by one as people upgrade.
  [ link to this | view in chronology ]
  - tracker1 (profile), 6 Sep 2013 @ 3:21pm
    
    DNS Sec + Signing
    I think that working around CAs and allow self-signing via DNSSec is probably the first step... the biggest points keeping out broader SSH are shared hosting (multiple IPs, one IP), and the CAs, which if compromised, may as well be public.
    [ link to this | view in chronology ]
Anonymous Coward, 6 Sep 2013 @ 11:47am

A sign of giving up
Not all of us who say "of course the NSA is doing this" mean it as a statement to throw in the towel for privacy.

You've got a shiny new thing to keep all your secrets? that's good, keep working on the next new thing to keep it secret... soon the NSA will figure out how to get in to that new thing so you better have the next ready.
[ link to this | view in chronology ]
Anonymous Coward, 6 Sep 2013 @ 2:40pm

ha!
[ link to this | view in chronology ]
Gerald Robinson (profile), 7 Sep 2013 @ 9:34am

Onlne security & internet redesign
Besides needing massive government reform which we will not get so long as we do not have congressional term limits and don't tax bribes. Redesign of the internet is not possible because much of it is controlled by oligopolies who collude with each other: the cable providers Comcast and Time Warner being the worst, they work with the Telcos/Wireless providers AT&T and Verizon. They will not support nor permit any change that they do not approve and that keep them from getting $Bn/year from DoJ and NSA.
[ link to this | view in chronology ]