“We can end government censorship in a decade,” Schmidt said during a speech in Washington. “The solution to government surveillance is to encrypt everything.”
Setting aside the entertaining aspect of the source of said statement, I don’t think encryption in and of itself is enough. Encryption performed by companies is useless, since we know by now that companies – US or otherwise – are more than eager to bend over backwards to please their governments.
What we need is encryption that we perform ourselves, so that neither governments nor companies are involved. I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we’d be right back where we started.
Is something like that even possible?
it’s possible and it’s done. the problem isn’t figuring out how to do end-to-end encryption. the problem is keeping democratic control of governments sufficient to prevent banning encryption. and so far we’ve lost more battles than we’ve won. did you know there are illegal ways to use technology you own, in your own home? it’s like we’ve been banned from chopping onions a certain way.
the war on privacy ends in a final battle over whether or not obfuscated packets are allowed across the network at all. we’ve been on a straight line path to this since the 90s. after that I guess we’ve got quantum decryption computers to worry about!
It’s even worse than that.
I am a fan of Google, but Schmidt is seriously deluded…
Even in this perfect world where everyone has their own key pairs to do end to end encryption, assuming as you say the government doesn’t outlaw the practice (a very real possibility) – you still have a rather fundamental problem…
It requires you to trust that the party on the other side has not been compromised.
So yeah, casual eavesdropping is eliminated – but is that really the problem in light of all the secret NSLs that companies have reportedly gotten?
What good is encryption if the government can secretly demand anyone’s keys – and even saying that you were asked is a crime???
Encryption doesn’t mean anything at all in the current environment…
Not if you give encrypted data to the other party.
An example:
Chrome has a bookmark, account, whatever sync system. Data lives in cleartext at Google.
Firefox has a bookmark, account, whatever sync system, data is encrypted and then it is stored at Mozilla (Mozilla doesn’t even want to see your data, data that isn’t encrypted needs a lot more work to keep safe).
You could always choose where to keep your data with Mozilla, with Chrome you don’t. But you needed to run a server.
Mozilla is now working on making it possible to store that data anywhere you like. It could be something like Dropbox, as it is already encrypted it doesn’t matter all that much anymore.
What you are talking about isn’t communication… Communication involves one party sending information to another party with the intent that they can read it. That requires a key exchange, and you’re back to the same problem…
I don’t think Schmidt was talking only about communication, but maybe that was my interpretation.
but it’s a big improvement, because at the moment the spying took place without google knowing it.
In case of encryption, the nsa must go to google and with the approval by a judge.
So in case they want to spy on person X, they can, but they will not see also the stuff of the other people, that is flowing through the same “pipe”.
So it’s a very big improvement, and I’m not against, that some certain people, can be spied, if suspected. The problem is, when they get all the data also from people that are not suspected.
I see what you are getting at… But as an end user, what difference does that make to me?
Seriously, as things are now my data may be monitored by the government without anyone’s knowledge.
In the “everything is encrypted” scenario, now Google will know when my data is being monitored… So what? I still won’t know about it – because Google cannot tell me without committing a crime.
I will admit that it could be better if you replace Google with someone like Lavabit that chooses to shut down rather than compromise their user’s security. The problem is when push comes to shove the Googles of the world will cave before shutting down – anyone who thinks otherwise is completely deluded…
Governments asking for all your crypto keys (for instance) is certainly overbearing, but you’ve expressed your point clumsily. I can think of many illegal applications of the fire-axe. I’d rather they remain illegal.
Roll on steganography to encode encrypted data as correctly-formed, meaningful, non-suspicious English. I don’t imagine quantum crypto will shake things up much on this front, but I could be wrong.
I think onions and iphones are similarly weaponizable, and that your fire axe example is clumsy, you little stinker
Your question doesn’t make sense. Encryption is not a technological issue, it’s a trust issue. How do you secure trust in a conversation “regardless of source or destination”? Preventing eavesdropping by 3rd parties is the easy part – you can buy or build a VPN endpoint box for funny money nowadays. The hard part is finding a way of establishing trust among unrelated parties. For this I’m not confident there’s ever going to be a satisfactory method (X.509 was one attempt and look at the results…).
Exactly. The whole mess with certificate authorities seems to have no simple or satisfactory solution. Even if “everything” is encrypted, with whom am I talking? To really be sure there is no way around comparing out of band transmitted fingerprints.
What I wish for a start would be that all banks print their SSL certificate fingerprints onto all their brochures and any other paper work. Maybe also on the backside of debit cards (although debit cards often live longer than certificates). But if you ask bank clerks for their SSL fingerprints you just receive blank stares.
Apparently someone’s already done it: http://motherboard.vice.com/blog/the-anonymous-tor-network-now-come…
Not at all, it’s just Tor in a box. All it does is hide your IP address and it does nothing about all the other ways you (or your system actually) can be identified. Tor is also not secure since as soon as you leave the Tor network, which you will do 99% of the time, you use the same old http/https/ftp/whatever protocols so unless you use an already secure protocol, like https, nothing is gained.
Also, think about this: who pays for the heavy-duty, high-bandwidth exit nodes and why?
Technically DNSSEC with DANE can provide that.
You are probably using domain names, so you are already trusting the root- and top level domain operators.
Hey, that’s a pretty neat idea. Now, if only DNSSEC didn’t suffer from “design by committee”….
Also, if it gets traction expect a LOT of FUD from companies like Verisign.
Edited 2013-11-23 13:10 UTC
Pretty much all protocols that you use on the Internet were ‘design by committee’.
And the software to deploy DNSSEC is already easy to use.
No, not really. Many were created by an individual or a company/organization and then got standardized with RFC’s.
Others, like IPSEC and DNSSEC, started out as committee projects and suffer from being overly complex and difficult to implement. Too many chefs.
(although in fairness, DNSSEC is nowhere near as bad as IPSEC)
Edited 2013-11-24 04:10 UTC
The real problem is that web browsers freak out when they see a certificate they don’t recognize. Allow me to create and use my own.
What’s stopping you? I’ve been using my own ones for ages, you just accept the certificate in your browser and go on your merry way.
I think he means that if you use a self-signed certificate on your site all your visitors get the rather scary browser warning.
If that’s what he means, well, there’s just no workaround for that. I mean, he could get a certificate that’s signed by one of the CAs and then his visitors wouldn’t get the warning, but then it wouldn’t be self-signed. And on the other hand, if browsers just accepted self-signed certificates the whole point with certificates would’ve just been rendered moot; you can’t have your cake and eat it.
You just need something to anchor that trust on.
Currently, trust is anchored in your browser by including a bunch of CA root certs.
The easiest way currently to do something about that would be DNSSEC and DANE.
Where all DNS data (domain names and public-key information) is signed directly by the owner of the domain.
Everyone already trusts DNS. You’re visiting http://www.osnews.com right? Not: 74.86.31.159
Edited 2013-11-23 09:22 UTC
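The DANE idea above and the earlier wish for out-of-band certificate fingerprints come down to the same check: compare what the server presents against a value published through a channel you already trust. The following is an added example, not part of the thread and not code from any DNS or TLS library. It matches a certificate against a DANE-EE TLSA record (usage 3) as RFC 6698 defines it, and shows why a pin on the public key survives certificate renewal while a full-certificate fingerprint does not. The certificates are constructed, unsigned X.509-shaped samples, and the TLSA record is assumed to have already arrived in a DNSSEC-validated answer.

```python
import hashlib
import hmac

def der(tag, body):
    """Encode one DER element (only used to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_tlv(data, offset):
    """Return (tag, value_start, value_end) of the DER element at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of a certificate."""
    tag, start, _ = der_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = der_tlv(cert_der, start)   # tbsCertificate
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, _, after = der_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] version
        pos = after
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, spki_end = der_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]

def tlsa_data(cert_der, selector, mtype):
    """Compute TLSA association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector == 0:
        blob = cert_der
    elif selector == 1:
        blob = spki_from_cert(cert_der)
    else:
        raise ValueError("unknown selector")
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type")

def tlsa_record(cert_der, selector, mtype):
    """What the domain owner would publish: (usage, selector, mtype, hex)."""
    return (3, selector, mtype, tlsa_data(cert_der, selector, mtype).hex())

def tlsa_matches(record, cert_der):
    """True if the presented certificate satisfies a DANE-EE record.
    Other usages need chain validation and are rejected here (fail closed)."""
    usage, selector, mtype, data_hex = record
    if usage != 3:
        return False
    try:
        expected = bytes.fromhex(data_hex)
        return hmac.compare_digest(tlsa_data(cert_der, selector, mtype), expected)
    except ValueError:  # malformed record or certificate
        return False

# Constructed samples: X.509-shaped DER with a dummy signature, not real certs.
ED25519 = der(0x30, der(0x06, b"\x2b\x65\x70"))  # OID 1.3.101.112

def sample_cert(public_key, serial):
    spki = der(0x30, ED25519 + der(0x03, b"\x00" + public_key))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + ED25519 + name + validity + name + spki)
    return der(0x30, tbs + ED25519 + der(0x03, b"\x00" + bytes(64)))

SITE_KEY, OTHER_KEY = bytes(range(32)), bytes(range(32, 64))
CERT_ORIGINAL = sample_cert(SITE_KEY, 1)
CERT_RENEWED = sample_cert(SITE_KEY, 2)    # same key, reissued certificate
CERT_IMPOSTOR = sample_cert(OTHER_KEY, 1)  # someone else's key

def demo():
    key_pin = tlsa_record(CERT_ORIGINAL, 1, 1)   # "3 1 1": hash of the key
    cert_pin = tlsa_record(CERT_ORIGINAL, 0, 1)  # "3 0 1": cert fingerprint
    return {
        "key_pin_accepts_original": tlsa_matches(key_pin, CERT_ORIGINAL),
        "key_pin_accepts_renewed": tlsa_matches(key_pin, CERT_RENEWED),
        "key_pin_accepts_impostor": tlsa_matches(key_pin, CERT_IMPOSTOR),
        "cert_pin_accepts_original": tlsa_matches(cert_pin, CERT_ORIGINAL),
        "cert_pin_accepts_renewed": tlsa_matches(cert_pin, CERT_RENEWED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check only says the presented certificate is the published one; proof that the server holds the matching private key still comes from the TLS handshake itself.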
This right here is one of the biggest bug bears I have.
Encryption != Identity.
Tying the trust of encryption to SSL CAs is the reason that even today most websites don’t use HTTPS — just broadcasting everything unencrypted over the web.
The browser vendors too should be blamed. Had Firefox allowed ‘untrusted’ certificates in the beginning then HTTPS would be standard and on by default for all servers, everywhere. This is not a security problem — trustworthiness of the host (identity) is the responsibility of ECV certificates and the like, but that shouldn’t force everybody else to have to run on HTTP!
If you accept untrusted certificates, it makes SSL useless to prevent man-in-the-middle attacks.
You can still do them with trusted certificates, but with untrusted ones it is a piece of cake.
Actually, there are multiple reasons:
There is the one you mentioned:
– certs signing takes time, knowledge and effort to get done. Certs are actually already free (!) or cheap (10 euros). You don’t pay for the cert. You pay for that time and effort to talk to a CA.
But don’t dismiss:
– SNI for HTTPS, no support in all browsers for virtual hostnames like for HTTP, so you need an IP-address per website (think about how we are running out of IPv4-addresses and the administrative overhead of configuring the server). Here you pay for configuration overhead and an IPv4-address.
Support for DNSSEC/DANE and SNI in browsers would help here.
Edited 2013-11-23 09:28 UTC
Lennie,
Sounds like you’ve had a lot of experience navigating these muddied waters
“- certs signing takes time, knowledge and effort to get done. Certs are actually already free (!) or cheap (10 euros). You don’t pay for the cert. You pay for that time and effort to talk to a CA.”
The thing is, they aren’t all created equal. Many have bad support in browsers. And all the cheap CAs are of the automated variety, doing little more than contacting us via *insecure* email and http connections, pretty ironic right?
Another major problem with the CA model is that *everyone’s* security gets reduced to the weakest CA in the browser, since that CA technically has the ability to forge signatures for any website whether they are even customers of the CA or not.
“Support for DNSSEC/DANE and SNI in browsers would help here.”
Issues with complexity aside, I agree this is the way forward. It eliminates the security problems in relying on 3rd party CA’s and also entitles everyone to certificates without having to buy them (everyone wins except for the CA’s who lose big time).
It’s great for academic theory, but in the real world ISPs, network equipment, and existing software are major hurdles with no easy answers. Look at initiatives like IPv6, jumbo packets, etc. In each case, we are all in firm agreement that the old standards are holding back technology, yet they’re so deeply entrenched that we are barely any closer to deploying these things than we were 10 years ago.
I’m pretty convinced that the current internet will have to become completely unreliable before we will take migrations seriously.
On the issue of browser support.
Bad support in (desktop) browsers is a thing of the past, I’ve not seen issues in a long time.
There are probably still problems on mobile though, but even those are going away.
If you are a provider, you really do pay only 10 euros per cert per year, maybe even 10 dollars. This isn’t just some cheap provider that doesn’t work. That is from the widely known CAs.
https://www.startssl.com/ is the one that is free and supported by all browsers.
On the issue of insecure email…
Yep, that is what domain validation is. It’s just a check if you control the domain. I’ve never seen a CA use insecure HTTP though.
It really doesn’t matter if you pay some CA more money or not. Because the user doesn’t look at the CA, it just needs to be trusted by the browser.
If someone can prove they control your domain to another browser supported CA then they’ll get a cert for your domain. There is really nothing special about the different CAs. Any CA will do.
There are some other issues that do matter, like OCSP performance. Or the root included by default in Windows. But especially the last one doesn’t matter all that much if it’s a widely used CA.
If you want something more, you might want EV but you’ll need to educate your users to look for the ‘green bar’ and not use the site if it’s not there.
In many, many cases, for example something like Facebook that obviously doesn’t work, when they visit the site they’ll probably have already sent the auto-login cookie which an attacker can use to log in to your site.
Lennie,
“If you are a provider, you really do pay only 10 euros per cert per year, maybe even 10 dollars. This isn’t just some cheap provider that doesn’t work. That is from the widely known CAs.”
I honestly haven’t seen them anywhere for quite that low. Big brands are still expensive, for example Thawte’s cheapest domain cert is still $150/yr, verisign too. Although many of us don’t care for premium brand status, most other CAs seem to be in the $50-70/year range (ie instantssl, rapidssl, godaddy). I really needed to shop around to find a reseller for $14 (RunSSL), which is the cheapest price I’ve seen other than free trials. All these prices are for the basic domain validation certs.
I’m very surprised StartSSL is now offering domain certs for free, this is news to me and it doesn’t appear to be a trial offer. Thanks for mentioning it!
“Yep, that is what domain validation is. It’s just a check if you control the domain.”
I realize that, however isn’t it ironic that they are contacting you through channels that are vulnerable to the same kind of man in the middle attack that their certs are supposed to protect against? There are a few high profile cases where a CA issued certs to a fraudulent party, I wonder how often this happens to small guys without detection or making the news?
“If someone can prove they control your domain to another browser supported CA then they’ll get a cert for your domain. There is really nothing special about the different CAs. Any CA will do.”
This is why I said that *everyone’s* SSL security gets reduced to the security of the weakest CA. It’s even technically plausible that some CA’s could be a front for a government operation with the intention of issuing fraudulent CA’s to the government. We implicitly have to trust the CA’s, yet nothing makes them inherently trustworthy.
So I work at a hosting provider. RapidSSL from GeoTrust and EssentialSSL from Comodo are really 10 and 13 euros (a little over 13 and 17,5 dollars).
StartSSL is cool. But selling free certs to customers feels a bit weird. 😉 Also the free certs display an email address in the cert-name, they call it a ‘personal cert’ (slightly unusual, but works).
StartSSL is cool because they do things like: if you certify your organization you can get unlimited certs for all your domains. Including SAN/UCC and wildcard.
That is 118 dollars for 2 years of free certs.
Governments yes, lots of fun there too. Look up the CNNIC controversy. There are over 1500 CAs that your browser trusts (indirectly) says the SSL observatory.
Do YOU trust them ? All of them ? 😉
Anyway, summary, always remember: certs is a race to the bottom. EV-certs only exist because the normal certificates became only domain verified certs. They used to be validated like the EV-certs are now.
Lennie,
“So I work at a hosting provider. RapidSSL from GeoTrust and EssentialSSL from Comodo are really 10 and 13 euros (a little over 13 and 17,5 dollars).”
I sell hosting services too
So you’re talking about volume discounts then…I was talking about consumer market prices (RapidSSL running at $49 right now). Nevertheless, I guess you must be big enough to negotiate prices significantly down? I really tried to become an SSL reseller for my hosting business earlier this year with several of the SSL providers (including comodo) however I discovered that for small businesses like myself, reseller prices were just as expensive as the market prices, and then my profits would be $0 – overhead if I charged market prices. If you can get me connected to someone who can offer cheaper prices I might take advantage of that.
As of right now I tell clients to buy the certs themselves and I charge them for my time in setting their environment up for them, which may be worth more to me than reselling certs anyways.
Edit: I’m looking at rapidssl’s reseller program right now (who are resellers for geotrust). Their reseller prices start at $34/year, at 50 certs you are still paying $24/cert/year, how many do you need to sell to get down to $13/cert??
https://products.geotrust.com/geocenter/reseller/register.do?partner…
Isn’t it funny that reseller prices are higher than the end user prices from RunSSL?
Edited 2013-11-25 06:53 UTC
What you do is, find a reseller of the reseller that already does a lot of volume 😉
http://www.rapidssl.com/resell-ssl/find-reseller/index.html
Kroc,
“The browser vendors too should be blamed. Had Firefox allowed ‘untrusted’ certificates in the beginning then HTTPS would be standard and on by default for all servers, everywhere.”
You are right. Mozilla has a long history of handling HTTPs certificates very poorly (starting with FFv3 they made unpopular changes I recall when they shifted policy from warning the user about unrecognized certificates to blocking the user completely). Their terrible support for self signed certificates makes it a continuous pain to use HTTPS on embedded devices (where the CA model is completely broken anyways) and even for websites where we cannot justify buying certs.
From a policy point of view, HTTPS connections to unverified peers is not less secure than plain HTTP, and would have the additional benefit of defeating passive surveillance techniques. Unfortunately, HTTPS implementations such as mozilla’s have precluded the possibility of enabling HTTPS _everywhere_, consequently many websites that would have enabled HTTPS are left using plain text HTTP, and we’re all much worse off given the widespread instances of wiretapping.
I don’t know what you’re talking about, it works the same on my mobile as it does on the desktop: you get a screen that warns about a non-CA-signed certificate and then you can either go away or allow that certificate.
I’m going to have to ask you what would you prefer then? If browsers just automatically accepted all certificates regardless of where or by whom they were signed you’d just immediately render most of the points for using HTTPS in the first place moot as it’d be utterly ridiculously easy to just do a MITM and redirect the traffic elsewhere. It would still be passive surveillance at that point, no better than now.
WereCatf
“I don’t know what you’re talking about, it works the same on my mobile as it does on the desktop: you get a screen that warns about a non-CA-signed certificate and then you can either go away or allow that certificate.”
Maybe they improved it then because it used to take many annoyingly useless clicks and screens to get through to the site. I was using a plugin to make it show an unambiguous & detailed warning and let me through with a click and no other hassles to connect. Mozilla’s forums were full of others who thought the same thing, so it wasn’t isolated. I’ll need to reinstall FF without plugins to see what they changed.
“I’m going to have to ask you what would you prefer then?”
I guess it depends on how we feel about widespread deployment of HTTPS instead of HTTP. Those who support the idea of using self signed certificates over plain text HTTP will probably want self signed HTTPS websites to work the way HTTP does today.
Unfortunately the problem with this is that the CA’s themselves have already fragmented HTTPS between cheap “instant certs” and premium “EV certs”, and the browsers have already de-emphasized normal certs to look like HTTP.
“If browsers just automatically accepted all certificates regardless of where or by whom they were signed you’d just immediately render most of the points for using HTTPS in the first place”
I know what you are saying, however the goal isn’t strictly to ‘accept all certificates’, it’s to transition from a norm where everything is clear text to one which enables encryption to all websites. This would be easy to do had HTTPs evolved differently, such as a simple way to enable encryption without certificates. But now we are here and these are the standards that we have to work with, what would you propose?
“it’d be utterly ridiculously easy to just do a MITM and redirect the traffic elsewhere. It would still be passive surveillance at that point, no better than now.”
This is active surveillance. It means you have to modify traffic, which means it’s detectable, at least by experts and out of band verification. Passive surveillance like wire tapping gives spies an undetectable read-only tap from the network.
Consider that one can conduct blanket passive surveillance without much risk of getting caught. Active surveillance requires not only more resources to impersonate servers, but also leaks evidence that it’s happening.
You’re wrong.
They bend forwards.
And suck their little frankfurters
I think it’s more of an issue with people’s awareness and easy use of security technology? Take mobile phone as an example, recently I asked a friend, who is working on Android phone development, about how personal information on the phone can be protected. He told me the data can be encrypted but nobody he knows actually does that because it’s inconvenient. In the case that phone gets lost, most people care more about how to get the information (i.e., contact book) back than worrying about the leak. I think that may be the status with all phone platforms because there is no easy-to-use solution to protecting data, not to mention many users don’t care about it that much (i.e., most people around me don’t use disk or filesystem encryption to protect their files on laptop).
Regarding how to establish trust in end-to-end communication, I think there are actually interesting ways to do it? Examples are PGP’s ring of trust and SMP authentication used in OTR protocol. It’s just for various reasons, these technologies never draw mass people’s attention or become popular (take me as an example, I never think it’s necessary to use authentication and encryption in my emails).
2030 is very far away, hopefully people will figure out how to address all these issues before it comes. That said, most (if not all) encryption standards are defined by US government, so they are always in a better position than us normal people on this aspect (read: using weakness of encryption algorithm or bugs in software to thwart the effort
Edited 2013-11-22 02:29 UTC
Well, Firefox bookmarks sync encrypts your data before it sends it ‘into the cloud’.
Their system is OK, but they are very busy making it a lot better and easier to use.
10 years from now we all have dna on file and be in FEMA camps
No, not regardless of destination and protocol. Some protocols do not support encryption and some destinations don’t. Also, companies and governments obviously have to be involved when you’re using their services.
HTTP 2 will most likely do encryption by default but even then the “Internet” is bigger than HTTP and there’s fallback for unencrypted connections.
Edited 2013-11-22 05:53 UTC
Isn’t the government elected by the people and representing the interests of the people?
I think we should always try and make systems and communications more secure, but it’s rather strange and a rather unwanted situation that we should be protecting us against people we choose to protect us.
Okay, I guess it’s naive to even hope one day governments stop trying to lie, cheat and f*ck us over, but I don’t think we should just accept that as a fact and treat it as normal.
If we increase our defenses they’ll just step up their offenses. Encryption of certain data could become illegal, encryption of any data will become illegal after that. If they can’t snoop digitally they just start driving through the streets or post in front of your house. They stop having to prove you are guilty, you will have to start to prove you are not.
What we need is civil digital rights, and to have these made constitutional.
I see it differently.
The government should really be encouraging everyone to encrypt. They may think they’re getting national security by allowing NSA backdoors, but in reality a backdoor is open to anyone with the same expertise and thus jeopardizes national security.
The government should encourage everyone to get encrypted as it does with vaccination.
I agree, but I have little faith in the capabilities of the average user.
A few weeks ago a co-worker called me with a problem. I told him to repeat his story in our ticket system. He didn’t know what that was, despite me sending several emails with explanations, screenshots with huge arrows. He denied it. So I asked him to fire up his browser, he didn’t know what a browser was.
Another person lost all her files. She was trying to open Word files from Excel. Then she lost a bunch of emails, turned out she made a subfolder in Outlook with the same name at 3 different locations and split the emails over them.
I can’t ask them to encrypt their stuff. Even if they manage to I’m sure many people then won’t be able to get their stuff back. Forgetting a password is inconvenient, forgetting a decryption key is game over.
How many people refuse to abandon Windows XP? I doubt these people would even do encryption even if the state begged them to.
Sure we need education and motivation from the government, but a lot and perhaps most people just don’t understand because they either can’t or won’t and a number that do give it a go may either encrypt their data and lose access to it or think they have encrypted it and actually haven’t done so.
Should have said “button for the internet” instead of browser.
Hard drive encryption and VPNs these days don’t require intervention from the user, so really just having it set up for them as part of the install is good enough for a basic user.
He did have it, it was behind a picture of the lady. The lady is not supposed to be there.
Yes, but then you again delegate some trust to someone else.
A preferred situation would be an educated user that knows the situation and can choose how to act upon it. This is of course a dream that will never come close to reality.
But perhaps a good start would be mobile phones. Many iPhone users didn’t have a pass code. Apple came with iOS 7 that asked you to enter one. People didn’t get upset, they probably didn’t even realize what was going on and just entered a code and after that were too lazy to turn it off even if they disliked it.
So if every phone maker required the user to set a pass code and encrypted the phone’s contents it would be quite doable to have, after a while, most phones encrypted and protected by a pass code.
As phones are easily lost, stolen, sold without wiping them first or sneakily looked at I think these are a much more dangerous attack vector when it comes to privacy than a computer at home. A firewall, anti-virus and installed updates can handle most dangers, no encryption needed.
Computers at home can have a very long life, much longer than phones. There are enough people running Windows XP on a 10 year old computer. It will be hard to force those computers/people to adopt better security measures.
There are always people that manage the systems of the people that really don’t know anything about computers.
Educate those people by giving Crypto parties. 🙂
Edited 2013-11-23 09:50 UTC
Not my thing, but I did come across this tip yesterday:
vi -x <file>
It will then ask for an encryption key (twice) and create an encrypted text file. To decrypt just vi <file> without a switch and it will ask you again for the key.
That is actually a pretty good idea.
It used Blowfish, not a bad choice. But how secure it is depends a lot on the length of your key though.
Never noticed it was available. I’m a nvi user not vim.
So I checked out, vim-tiny, it is actually smaller than nvi. Maybe I should switch, as nvi isn’t maintained anymore.
But vim-tiny does not have support for the encryption though, too bad. It’s a cool feature.
Edited 2013-11-23 10:43 UTC
Since when? Governments in all their various forms have always been about enforcement of the views and ideas of the elite running them; you raise certain people on a pedestal if they aren’t there already and they’ll proceed to strengthen that pedestal with fences, turrets and traps.
In most cases you don’t choose anyone, it’s an illusion. Votes are easy to manipulate and you’re never actually given the choice of choosing anyone you’d like, you’re only given the option of choosing from a group of people already chosen for you. Are you really being given a total freedom to choose as you see fit if you’re being told that you can only choose from a given set of choices?
How you describe it is what it is in reality, I just don’t think we should just accept that and I accept my idea is both naive and unrealistic given the history of mankind so far.
But then we at least should protect ourselves with a feeling that we shouldn’t be and this is wrong and not protect ourselves just accepting that governments, politicians and generally people in charge don’t have our best interests high on their priority list.
“I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we’d be right back where we started.
Is something like that even possible?”
Safeplug is an attempt at such a product.. don’t know how good or reliable it is though.. uses Tor network.
https://pogoplug.com/safeplug
Edited 2013-11-22 09:00 UTC
Pfft, what a load of rubbish. It does nothing to stop websites from identifying you based on your cookies, fonts, browser, screen resolution and all the other myriad things that can be combed for statistics nor does it address the issue that you can rarely trust the other end — ie. the company — from shelling out your details just as well. Safeplug only creates a false sense of security by trying to latch on to Tor’s back. You need much more than that if you really want anonymous browsing.
Obviously you create a tor user which has its own (browser) profile et al. And you don’t share any logins/bookmarks between your normal browser and the tor browser.
It’s just a box with Tor and it addresses pretty much none of the concerns here. All it does, the only thing it does, is hide your IP address. And slow down your browsing because god knows that Tor is anything but fast.
On paper encryption works. The problem is that the keys to decrypt it are public, the random number generators aren’t good for encryption, and only you and the target should see it.
If I know everything to read the file then I can read it no matter who I claim I am, it’s like it wasn’t encrypted.
A set of numbers that gives you the same set of numbers repeated isn’t a random number generator, ex 8, 4, 9, 2, 5, 7, 1, 3, 0, 2, and then repeat.
How can I get the key to only the target without anyone else making a copy of it, copying data is easy.
I just can’t see it work but it does.
Uh, no it isn’t.
Modern PRNGs are good enough for encryption.
…yes, that is how encryption works. Only the participants can decrypt and read it.
Sorry, you lost me. Mainly because you make no sense at all.
It works, it’s a science. The fact that you don’t understand one thing about cryptography doesn’t change that fact.
Edited 2013-11-22 15:31 UTC
Censorship, like invasion of privacy, is “for your own good” and therefore is going to happen whether you like it or not — assuming you’re even aware it’s happening to begin with.
Why anyone thinks they can have any real privacy or freedom in today’s world is beyond me. Controlling everything & everyone is what “we” are all about as a species, and those with the power to do so aren’t going to stop because you don’t like it. People aren’t even allowed to know about the food they put into their mouths (ie: GMOs) so what does that tell you?
And that makes it ok?
No privacy = no freedom = no democracy!
Are you happy with that?
words of a sheeple!
I’d rather die taking out a few of the lowlife, scumbags with me!
http://www.alt-market.com/articles/1826-sheeple-why-you-should-feel…
Uh, I didn’t see him saying he’s okay with it, and neither did I earlier. Knowing the status quo doesn’t mean you’re okay with it. You shouldn’t go around insulting people after jumping to conclusions.
The proof is in the pudding, they say — you’re still seemingly quite alive.
It isn’t a matter of being “ok” or not, it’s just a few simple facts about the world you’re living in. Your (dis)approval of the facts is irrelevant.
Am I happy about it? No, of course not, and I don’t allow myself the illusion that we have any true privacy, freedom, or democracy to begin with. I don’t know why anyone would considering everywhere you look, you find evidence to the contrary.
You imply I’m speaking with `sheep mentality`, … By all means go ahead and back that claim up by explaining how anything I’ve said qualifies as such. Considering how tall of an order that is, take as long as you like trying.
I interpreted your post as someone who thinks there’s nothing we can do about it so why bother? They win we lose. Words of a sheeple, no?
If that’s not what you’re meaning then I apologise.
We can stop this if we all work together. But listening to and/or putting trust in vile, low life, lying creeps like Schmidt is playing right into their hands. After all, he was the one that said you have no right to privacy on the internet and is tracking everyone that uses the net and building profiles on them. The scum is a wolf in sheep’s clothing.
http://www.huffingtonpost.com/2010/08/10/eric-schmidt-privacy-stan_…
And here’s what you can do to foil their plans amongst other things.
http://www.veteransnewsnow.com/?p=230229
We can stop this shit! But not by supporting dirt bags like spoogle or any other ussa corp, start fighting!
WereCatf
I didn’t see him saying he’s okay with it, and neither did I earlier
Touch a raw nerve did I? I read your posts and didn’t reply to you because you didn’t come across in the same way. You’re smart, so help people fight this shit instead of fighting anyone that thinks we “can” do something about it. The first step is stop using products from vile creatures like Schmidt.
I see you only berating Schmidt, but in truth you’re playing into their hands no matter who you buy your stuff from — China spies on you, Korea spies on you, Microsoft spies on you, LG spies on you, Nokia spies on you and so on and so forth. You’d quite literally have to stop buying services or products from anyone other than mom & pop – shops if you wanted not to play into such companies and governments’ hands. Don’t bother trying to vilify Schmidt while ignoring all the others, you just make yourself look petty.
Now, how useful is boycotting some company in the first place? We geeks are in the minority, the companies make most of their money and most of their tracking data from Joe Blows, and we boycotting someone will be like a fly trying to take down an elephant. You’d need a way of influencing the unwashed masses if you truly wanted to make a change or you’d have to get yourself in a position of power.
I’ve often toyed around with the idea of running for politics as I have plenty of characteristics that would quite possibly appeal to Joe Blows around here, making me easier to relate with — I’m mentally unstable, I’ve been unemployed for a decade so I know what it’s like, I’ve been at the brink of alcoholism, I don’t come from some rich, well-known family and so on. I could use all those to play a campaign of appealing to the faults in every one of us and the government, and if I ever got elected I could start working on trying to improve things from top-down. Alas, I’m just not driven enough, I don’t give a flying fuck about regular politics, only about basic human rights, privacy, environment and animal-life, and I’d probably just end up committing harakiri if I had to interact with all these greedy, selfish buttwipes every single day.
Only because this article is about him. Don’t worry I’m well aware of all the others.
Then teach the Joe Blows how to fight back, how to avoid their snares, what the implications are if they willfully turn a blind eye to immoral, vile practices. And you’re a bigger minority than you think! Think of the children!
David slayed Goliath with a stone. Only a 1/3rd of Americans took down a “whole empire!” Stop belittling yourself. It took years to get to where we are. Slowly we can crawl it back to the right way. We have the technology, the smarts and the means to win! It starts with standing tall and having the courage to take the first step and keep forging forward. Teach others and slowly they’ll begin to follow you.
As a small example of us winning small battles (later we’ll win the big ones): did you read about The Interactive Advertising Bureau whining about ad blocking?
http://news.cnet.com/2100-1030_3-6207936.html
The doers of this world, the ones that stand tall (Ad block plus are just one) are right behind you. They didn’t just accept the status quo, they’re fighting back. This little battle is not just about blocking ads, it’s also to do with privacy and freedom and putting it back in the hands of the people!
Fabius Maximus didn’t achieve victory by joining Hannibal’s ranks when at the gates of Rome. He beat him by cutting off his lifeblood in a war of attrition. Projects like GNU/Linux, Adblock, noScript, Tor, Bitcoin, startpage, duckduckgo and others are Fabius’s foot soldiers attacking the system at its edges. The faster we educate people of the consequences of their actions and how to protect themselves and fight back the quicker the erosion/attrition will take effect.
Your writing and reasoning do not sound to me like someone with mental issues, more someone who is a little young and naive, who just needs to be set on the right path. As I said, “you’re smart”, use your smarts for the betterment of all and when you grow old and are ready to leave this place you’ll pass in comfort knowing you did good for the world instead of wondering and regretting if you could have done something or more!
The stigma of being unemployed is spread by those who lack intelligence, the sheeple. As long as you’re doing good for others around you, what does it matter if you’re not grinding the stone of the state? Your contributions to the people are what counts; not paying taxes to enrich some slime ball and increasing the power of the beast. This monster is going to eat us all sooner than later if we don’t stop feeding it. Use your time wisely for the good of all and that stigma will disappear!
I don’t believe you, or you wouldn’t be on this forum making the posts you do and arguing with me again! ;~)
Well honey, dear. Those things are politics and it would seem you do give a flying fuck ;~)
Every facet of our lives involves politics whether we want to admit to ourselves or not, but whatever makes you feel better.
Politics: Poli meaning many and tics being blood sucking parasites. I wonder why they called it that? ;~)
Hey, it’s rather rude to refer to my weight in this context!
The question is why wasn’t everything encrypted to begin with?
All network connections and data stores should have been encrypted right from the very beginning.
After all, Google is a services and data store company. You’d think paranoid security would be their foremost priority.
Mystilleef,
You are right, it’s funny that these corporations just assumed they were safe. This is a mistake many civilians make, but you’d think the corporations themselves would be a bit more savvy.
The whole irony of this story is that many of these corporations do not *really* want their users to have end to end encryption. They could store user data such that they themselves don’t have access to it if they really wanted to, private communications could go through them while remaining safely encrypted. However the current business models for companies like Facebook & Google are highly dependent on prodding around user data to sell ads. I wonder if they’d even continue to provide those services for free if all they could ever see was opaque encrypted data?
Of course they have every incentive to protect *their* infrastructure from government snooping, but I very much doubt they care to build infrastructures that protect users from corporate snooping. The fact remains that so long as user data isn’t cryptographically safe from corporate snooping, then there’s always the risk that user data will end up in government hands anyways through secret court orders and even government spies working as corporate security officers obtaining network keys, etc.
Edited 2013-11-22 20:02 UTC
Jrelwerpp plrkrek ll lll lre;ker; ;l=-oga-0reg- ;lkre;aker00 – relpoerg? reopgj0reigj, eroijgiorej,pppkregj.
rejrogj, roek.
I’ve always wanted to ask companies this question:
If you were providing information to the Government under a classified program, would you tell us?
And what would really happen if Larry Page released the exact numbers of FISA Courts requests and NSL? Would the Federal Marshals really go in and arrest him? And how long would a billionaire really be kept behind bars?
We already know the answer — it’s NO!
Not sure but I don’t see much relevance in what the exact number is in the larger picture.
Our justice system is far too corrupt for any American billionaire to spend any real time in prison, much less a real prison. The 1% here don’t play by the same rules and suffer the same consequences the average citizen does. We found out the hard way that if you’re in the top 1%, you can decimate people’s entire life savings and the only thing that will come of it is an increase in pay and your biggest bonus ever. Prison? Please, … that’s for the regular people.
BIOS-UEFI back-doors.
On-Silicon back-doors.
Privacy is a lost war.
Not me, Schmidt says so.
Edited 2013-11-23 00:05 UTC
Here’s one of his more memorable quotes:
http://www.huffingtonpost.com/2010/08/10/eric-schmidt-privacy-stan_…
That Google “do no evil” had him as CEO tells me a lot about Google. Google is probably the most evil, intrusive tech company there is now. I trust Microsoft a 1000x more than those assholes at Google.
End-to-end encryption is already there, but it’s only one side of the problem. The NSA gets a lot of information just analyzing communication metadata.
Simple example: if I send an encrypted e-mail to one of my friends it may be impossible to read the message, but everybody knows I have sent a message to a specific person.
Encrypting everything means also encrypting this information. For example, using the Tor network you get something similar: no info is unencrypted, neither the data you communicate to and from a site nor the site address.
I think we need help from corporations to build an encrypt-all Internet, and Tor may be an example where even bad guys running a Tor node cannot break the Tor network.
All these companies, which actively cooperated with surveillance and which based much of their fortunes on that, are now trying to claim they have been victims of the actions of their governments.
This is simply pathetic. I’m not referring to Google only but to all of them, including Microsoft, Yahoo, Apple and so on.
Of course, having been caught with their hands in the jam, they’re now trying to scream they didn’t know. Pathetic.
I would say it all comes down to the organisational issue of exchanging keys. The encryption technology is there for two parties to have a private conversation. But for it to be really secure they would have to exchange their keys through some other medium first. As long as they rely on some central party to issue them a key, that party will always be able to eavesdrop and give access to the government.
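The key-exchange point in the comment above, as an added example that is not part of the original thread: two parties exchange public keys through a central relay, then compare key fingerprints over a separate medium, which is what reveals a relay that swapped the keys. The names (Alice, Bob, `HonestRelay`, `SubstitutingRelay`) and the toy Diffie-Hellman group are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption of this example);
# real systems use a vetted group or curve from a reviewed library.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def fingerprint(pub):
    # Short digest a person can read aloud or print on a card.
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

class HonestRelay:
    priv = None
    def deliver(self, pub):
        return pub                               # forwards keys unchanged

class SubstitutingRelay:
    def __init__(self):
        self.priv, self.pub = keypair()
    def deliver(self, pub):
        return self.pub                          # hands out its own key instead

def exchange(relay):
    a_priv, a_pub = keypair()                    # Alice
    b_priv, b_pub = keypair()                    # Bob
    a_got = relay.deliver(b_pub)                 # what Alice is told is Bob's key
    b_got = relay.deliver(a_pub)                 # what Bob is told is Alice's key
    # Out-of-band step: each side compares the fingerprint of the key it
    # received with the one the owner states over a separate medium.
    verified = (fingerprint(a_got) == fingerprint(b_pub)
                and fingerprint(b_got) == fingerprint(a_pub))
    alice_key = shared_key(a_priv, a_got)
    relay_can_read = (relay.priv is not None
                      and shared_key(relay.priv, a_pub) == alice_key)
    return {"verified": verified,
            "same_key": alice_key == shared_key(b_priv, b_got),
            "relay_can_read": relay_can_read}

if __name__ == "__main__":
    for relay in (HonestRelay(), SubstitutingRelay()):
        print(type(relay).__name__, exchange(relay))
```

With the substituting relay both sides still complete an exchange and get working keys, so nothing looks wrong on the wire; only the fingerprint comparison over the second medium fails.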