Re: The US government has betrayed the Internet. We need to take it back
I'm sorry if you don't share my view. Personally I think the Patriot Act is unconstitutional and CALEA is a tool to enable the total invasion of privacy. I think the laws need changed, I want to change. That said I will not break them and neither will you.

How would/does your company respond to NSLs or subpoenas? Do you comply with FCC 499 requirements and with CALEA requirements? I do, and I'm betting you will too. Does it suck? Yea of course it does but unless you have a better plan for a US based provider I will keep doing what I'm doing.

Sam

On 2013-09-06 18:29, Scot Weeks wrote:

--- s...@circlenet.us wrote:
From: Sam Moats s...@circlenet.us

Their only options are to:
Disobey the law, unacceptable in my opinion
Close down services, noble but I need to eat and you probably want to keep getting email
Compromise your principles and obey the law, the path often chosen.

So, there's no choice except to get a 5-gallon bucket of gov't-ky jelly and take it? So many things come to mind on your flag-waving emails, I can't think of what to say first. And believe me, that's not usual... ;-) After a while, you'll become raw and probably change your mind.

scott
RE: The US government has betrayed the Internet. We need to take it back
Sure it does. You have confidentiality between the parties who are speaking together against third-parties merely passively intercepting the communication. Authentication and Confidentiality are two completely separate things and can (and are) implemented separately.

The only Authentication which would be of any value to me is if the certificate was issued by me to the other party. Otherwise, one must assume that the certificate is fake for the purposes of authentication (ie, has no more value than a self-signed certificate).

-Original Message-
From: Michael Thomas [mailto:m...@mtcc.com]
Sent: Friday, 6 September, 2013 13:25
To: Eugen Leitl
Cc: nanog@nanog.org
Subject: Re: The US government has betrayed the Internet. We need to take it back

On 09/06/2013 12:14 PM, Eugen Leitl wrote:

On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:

On 09/06/2013 11:19 AM, Nicolai wrote:

That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.

Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.

Of course:

Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate)

doesn't instill a lot of confidence :)

It's better than nothing though.

Mike
The US government has betrayed the Internet. We need to take it back
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

The US government has betrayed the Internet. We need to take it back

The NSA has undermined a fundamental social contract. We engineers built the Internet – and now we have to fix it

Bruce Schneier
The Guardian, Thursday 5 September 2013 20.04 BST

Internet business cables in California. 'Dismantling the surveillance state won't be easy. But whatever happens, we're going to be breaking new ground.' Photograph: Bob Sacha/Corbis

Government and industry have betrayed the Internet, and us.

By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our Internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical Internet stewards.

This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can – and should – do.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

We need to know exactly how the NSA and other agencies are subverting routers, switches, the Internet backbone, encryption technologies and cloud systems.
I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the Internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that make the Internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the Internet. The UK is no better. The NSA's actions are legitimizing the Internet abuses by China, Russia, Iran and others. We need to figure out new means of Internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's Internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the Internet, I hope they will not be disappointed in us.
We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose. Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground. Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy. To the engineers, I say this: we built the Internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it. • Bruce Schneier writes about security, technology, and people. His latest book is Liars and Outliers: Enabling the
Re: The US government has betrayed the Internet. We need to take it back
Eugen Leitl eu...@leitl.org wrote:

We engineers built the Internet – and now we have to fix it

Nonsense. This is not a technical issue, it's a socio-political issue. It’s both naive and distracting to try to solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena.

There are no purely technical solutions to social ills. Schneier of all people should know this.

--- Roland Dobbins rdobb...@arbor.net
Re: The US government has betrayed the Internet. We need to take it back
We engineers built the Internet – and now we have to fix it

There are no purely technical solutions to social ills.

no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street.

randy
Re: The US government has betrayed the Internet. We need to take it back
I believe you are correct, whatever technical hurdles we put in place will be overcome by policy. As long as you can legally require me to make my network interceptable for lawful purposes and are able to prevent me from explaining these purposes to my users any security that I would put in place is effectively neutered. I give up trying to resist, I am now firmly in the tin foil hat club.

Sam

On 2013-09-06 05:57, Roland Dobbins wrote:

Eugen Leitl eu...@leitl.org wrote:

We engineers built the Internet – and now we have to fix it

Nonsense. This is not a technical issue, it's a socio-political issue. It’s both naive and distracting to try to solve this set of problems with code and/or silicon, when it must in fact be addressed within the civic arena.

There are no purely technical solutions to social ills. Schneier of all people should know this.

--- Roland Dobbins rdobb...@arbor.net
Re: The US government has betrayed the Internet. We need to take it back
That and ignoring it will only continue to affect the code/silicon arena. Social problems are always affected by who throws the biggest fit.

On Fri, Sep 6, 2013 at 4:18 AM, Randy Bush ra...@psg.com wrote:

We engineers built the Internet – and now we have to fix it

There are no purely technical solutions to social ills.

no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street.

randy

-- Bryan Tong Nullivex LLC | eSited LLC (507) 298-1624
Re: The US government has betrayed the Internet. We need to take it back
Who's going to pay for the cleanup? The same people who are/were paid to create the mess? Clearly many of the tin foil hat theories are now becoming commonplace. I really don't know if there is any way out of this stateside, it's legislated.

On 9/6/13 3:18 AM, Randy Bush ra...@psg.com wrote:

We engineers built the Internet and now we have to fix it

There are no purely technical solutions to social ills.

no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street.

randy
Re: The US government has betrayed the Internet. We need to take it back
On 9/6/2013 5:23 AM, Bryan Tong wrote: That and ignoring it will only continue to affect the code/silicon arena. Social problems are always affected by who throws the biggest fit. On Fri, Sep 6, 2013 at 4:18 AM, Randy Bush ra...@psg.com wrote: We engineers built the Internet – and now we have to fix it There are no purely technical solutions to social ills. no. there are many issues in many arenas. but we are responsible for cleaning up our side of the street. We need to think bigger than whatever it takes to get along to the end of the quarter: -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: The US government has betrayed the Internet. We need to take it back
On 2013-09-06 05:57, Roland Dobbins wrote:

There are no purely technical solutions to social ills. Schneier of all people should know this.

Schneier does know this, and explicitly said this.

-jsq

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical.
We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy. To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
Re: The US government has betrayed the Internet. We need to take it back
True I shot from the hip, he does address the concerns later. I'm used to implementing technologies to solve security problems. It's just damn frustrating to have your hands tied in such a way that you can not and that's the position that I see myself and most other network ops in.

Our customers decided at the ballot box that they didn't want protection and it was acceptable to entrust their privacy to the system. They seem to forget that decision when they ask if they are vulnerable to this type of intercept and what they can do about it. The answer is not much because I will not and can not break the law, it's unethical and wrong. I will encourage people to seek to change the laws to encourage true end to end security but the odds of that happening are near 0.

Sam

On 2013-09-06 06:47, John S. Quarterman wrote:

On 2013-09-06 05:57, Roland Dobbins wrote:

There are no purely technical solutions to social ills. Schneier of all people should know this.

Schneier does know this, and explicitly said this.

-jsq

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too.
Re: The US government has betrayed the Internet. We need to take it back
True I shot from the hip, he does address the concerns later.

It happens.

I'm used to implementing technologies to solve security problems. It's just damn frustrating to have your hands tied in such a way that you can not and that's the position that I see myself and most other network ops in.

Maybe NSA has provided a marketing opportunity to get the public to demand real security.

Our customers decided at the ballot box that they didn't want protection and it was acceptable to entrust their privacy to the system. They seem to forget that decision when they ask if they are vulnerable to this type of intercept and what they can do about it. The answer is not much because I will not and can not break the law, it's unethical and wrong. I will encourage people to seek to change the laws to encourage true end to end security but the odds of that happening are near 0.

If everybody refuses to try, the odds are indeed zero. So maybe we should try.

Sam

-jsq

On 2013-09-06 06:47, John S. Quarterman wrote:

On 2013-09-06 05:57, Roland Dobbins wrote:

There are no purely technical solutions to social ills. Schneier of all people should know this.

Schneier does know this, and explicitly said this.

-jsq

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
Re: The US government has betrayed the Internet. We need to take it back
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying The US government has betrayed the Internet. We need to take it back Who is we ? -J
Re: The US government has betrayed the Internet. We need to take it back
On Fri, 6 Sep 2013 07:46:59 -0500 Jorge Amodio jmamo...@gmail.com wrote: http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. -J -- John PGP Public Key: 412934AC
RE: The US government has betrayed the Internet. We need to take it back
From: Sam Moats [mailto:s...@circlenet.us] I give up trying to resist, I am now firmly in the tin foil hat club. And therein lies the problem.
Re: The US government has betrayed the Internet. We need to take it back
The answer is not much because I will not and can not break the law, it's unethical and wrong.

I invite you to consider the concept of civil disobedience--where the law is unethical or wrong it can be argued that it's also unethical and wrong to FOLLOW the law.

I haven't yet been placed in a position, and I doubt I will given the arc of my career, where I would have to make the choice between enabling this kind of surveillance quietly or blowing the whistle on it. I hope, as I imagine most of us do, that I'd choose to do the right thing (and correctly determine which option is right, which is probably the real trick).

-- Josh Sholes
Re: The US government has betrayed the Internet. We need to take it back
On 6 September 2013 11:37, Eugen Leitl eu...@leitl.org wrote:

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

The US government has betrayed the Internet. We need to take it back

It's like you have to abandon USA based encryption systems that are closed source. But I dunno, maybe open source solutions can have problems.

http://xkcd.com/221/
http://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL

I think the encryption world will think about this, and will recommend a group of products (like PGP) that are almost sure safe.

The NSA can spy on underwater internet cables, but they can't abolish Math. If you have an encryption system that is not backdoored and is cryptographically strong enough the NSA or anyone will have a hard time to uncover your secrets.

-- -- ℱin del ℳensaje.
Re: The US government has betrayed the Internet. We need to take it back
The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
RE: The US government has betrayed the Internet. We need to take it back
The error in this whole conversation is that you cannot take it back as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a social contract to ensure that I do not run over squirrels with my Explorer, will they take it back if I do so? The whole social contract argument is ridiculous. You have a contract (or most likely an at will agreement) with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do. In the United States there are two main centers of power that can affect these policies, the consumer and the voter. 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. 3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. 
Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies.

If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another thing to remember is that the NSA engineers were probably acting under their social contract to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the right thing. The problem with social contracts is that they are relative.

As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China.

Steven Naslund
Chicago IL

-Original Message-
From: Jorge Amodio [mailto:jmamo...@gmail.com]
Sent: Friday, September 06, 2013 8:51 AM
To: NANOG
Subject: Re: The US government has betrayed the Internet. We need to take it back

The US government has betrayed the Internet. We need to take it back

Who is we ?

If you bothered to read the 1st paragraph you would know.

I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines.
Re: The US government has betrayed the Internet. We need to take it back
On Fri, 06 Sep 2013 10:24:26 -, Warren Bailey said:

Who's going to pay for the cleanup? The same people who are/were paid to create the mess? Clearly many of the tin foil hat theories are now becoming common place. I really don't know if there is any way out of this stateside, it's legislated.

There's no legislation that says you're not allowed to enable OpenSSL perfect forward secrecy on your website, and fix the layout so HTTPS Everywhere is able to work on it.
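Two transport points come up in this thread: the `Received:` line quoted earlier (TLSv1.2, an ECDHE cipher, "Client did not present a certificate") and the forward-secrecy suggestion in the message above. The following is an added example, not part of any post in the thread: a Python audit that reads the `Received:` hops of a delivered message and reports, per hop, whether it was encrypted, forward secret, and authenticated by a client certificate. The sample message, the example.net and example.org hosts, the queue ids and all function names are constructed for illustration, and the annotation formats are assumed to be Postfix-style like the quoted header.

```python
"""Audit per-hop transport security from Postfix-style Received: headers."""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Annotation formats are assumed to be Postfix-style, as in the quoted header.
TLS_RE = re.compile(
    r"\(using (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher "
    r"(?P<cipher>[A-Za-z0-9_-]+) \(\d+/\d+ bits\)"
)
CERT_RE = re.compile(
    r'\(Client CN "[^"]*", Issuer "[^"]*" \((verified OK|not verified)\)\)'
)
NO_CERT_RE = re.compile(
    r"\((?:Client did not present a certificate|No client certificate requested)\)"
)
FROM_RE = re.compile(r"^from (\S+)")


@dataclass
class Hop:
    sender: str
    proto: Optional[str]      # None means the hop was not encrypted
    cipher: Optional[str]
    forward_secret: bool
    client_cert: str          # "verified", "unverified", "none" or "unknown"

    @property
    def encrypted(self) -> bool:
        return self.proto is not None


def is_forward_secret(proto: str, cipher: str) -> bool:
    """Ephemeral key exchange: (EC)DHE suites, or any TLS 1.3 full handshake."""
    if proto == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))  # OpenSSL suite names


def audit_hops(raw_message: str) -> List[Hop]:
    """Return one Hop per Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        sender = FROM_RE.match(text)
        tls = TLS_RE.search(text)
        proto = tls.group("proto") if tls else None
        cipher = tls.group("cipher") if tls else None
        cert = CERT_RE.search(text)
        if cert:
            client_cert = "verified" if cert.group(1) == "verified OK" else "unverified"
        elif NO_CERT_RE.search(text) or not tls:
            client_cert = "none"
        else:
            client_cert = "unknown"
        hops.append(Hop(
            sender=sender.group(1) if sender else "?",
            proto=proto,
            cipher=cipher,
            forward_secret=bool(tls) and is_forward_secret(proto, cipher),
            client_cert=client_cert,
        ))
    return hops


def findings(hop: Hop) -> List[str]:
    """Weak points of one hop, in the terms used in the thread."""
    if not hop.encrypted:
        return ["cleartext hop: readable by a passive tap"]
    out = []
    if not hop.forward_secret:
        out.append("no forward secrecy: recorded traffic decryptable if the server key leaks")
    if hop.client_cert != "verified":
        out.append("sender not authenticated by certificate")
    return out


# Constructed sample: the first hop reuses the annotation quoted in the thread,
# the other two hops and all example.* hosts are invented.
SAMPLE = (
    "Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(Client did not present a certificate)\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 0000000001;\n"
    "\tFri,  6 Sep 2013 13:30:02 -0700 (PDT)\n"
    "Received: from legacy.example.org (legacy.example.org [192.0.2.10])\n"
    "\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n"
    '\t(Client CN "legacy.example.org", Issuer "Example CA" (verified OK))\n'
    "\tby sc1.example.net (Postfix) with ESMTPS id 0000000002;\n"
    "\tFri,  6 Sep 2013 13:30:01 -0700 (PDT)\n"
    "Received: from plain.example.org (plain.example.org [192.0.2.20])\n"
    "\tby legacy.example.org (Postfix) with ESMTP id 0000000003;\n"
    "\tFri,  6 Sep 2013 13:30:00 -0700 (PDT)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop.sender, hop.proto or "cleartext", hop.cipher or "-", findings(hop))
```

Only the `Received:` lines added by your own mail servers can be relied on, since every earlier hop is free to write whatever it likes into the headers it passes along.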
RE: The US government has betrayed the Internet. We need to take it back
+1 I couldn't have said it any better. Sam On 2013-09-06 10:27, Naslund, Steve wrote: The error in this whole conversation is that you cannot take it back as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a social contract to ensure that I do not run over squirrels with my Explorer, will they take it back if I do so? The whole social contract argument is ridiculous. You have a contract (or most likely an at will agreement) with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do. In the United States there are two main centers of power that can affect these policies, the consumer and the voter. 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. 3. The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. 
Re: The US government has betrayed the Internet. We need to take it back
So when do we riot? I've been waiting for months now. On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio jmamo...@gmail.com wrote: The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
Re: The US government has betrayed the Internet. We need to take it back
I don't suggest a riot. I do believe in the rule of law, as a member of a democracy I need to accept that I will not always agree with the laws that are enacted. If we lived in China or somewhere else where there was no method to change laws that were unfair or unjust then yea I would support the civil disobedience approach wholeheartedly. I do love my country, always have and I firmly believe in the concept of government by the consent of the governed. These rules were made by the people we choose, perhaps these were bad choices but they were our collective choices. Perhaps we should educate our user base so that in the future they make better choices. I suggest in an only half snarky way we just push out the standard DOD warning banner to them all. Since it now seems to apply... Below is a sample banner (IS is Information System)

By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.
Sam On 2013-09-06 10:14, Ishmael Rufus wrote: So when do we riot? I've been waiting for months now. On Fri, Sep 6, 2013 at 8:50 AM, Jorge Amodio jmamo...@gmail.com wrote: The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
Re: The US government has betrayed the Internet. We need to take it back
We have to do the right thing anyway because as engineers we are always motivated to innovate, to fix, to make things better. Motivation has not to come from the NSA or any other spooking service of the day. Even if we design and deploy the best engineering solution there is always a weak link that can be compromised, coerced by law or workaround by counter-engineering. We want better ways to provide privacy? I'm not against that, but if you really want privacy the best and cheapest engineering solution is to remove the plug. We should spend more cycles about how to make broadband real broadband, deploying IPv6, implementing DNSSEC, educating people and bringing Internet where is no access or where there is bad access make it good, if in the process of doing that the NSA wants to get high sniffing all packets I really don't care much because that is not an engineering problem. I think that privacy on a public network is a very relative concept, same as security. -J On Fri, Sep 6, 2013 at 9:11 AM, Scott Brim scott.b...@gmail.com wrote: On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio jmamo...@gmail.com wrote: IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio jmamo...@gmail.com wrote: IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
Re: The US government has betrayed the Internet. We need to take it back
This is part of the purpose behind the separation of powers between executive, legislative and judicial. William Pitt wrote "Unlimited power is apt to corrupt the minds of those who possess it". As such constraints are needed and in place. We expect politicians to cheat, lie, be stupid and self serving. Because we like people who tell us what we want to hear and most of us vote for people that we like. They do not have to be wise, or even competent. Personally I think most of the fault currently lies with the Judicial side. These laws were enacted as a knee jerk reaction to an event. I can understand the passions of people at that time because I shared them, however the courts are supposed to be a bulwark against this very kind of rash action. These men and women are supposed to be well educated in the fundamental concepts that constructed our republic and appointed to terms that prevent them from worrying about the political whims of the time. Sam On 2013-09-06 10:55, Royce Williams wrote: On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote: [snip] 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. 
Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function. Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical): http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there. Royce
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote: [snip] 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function. Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical): http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there. Royce
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote: If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge necessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about. Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatible services, so that privacy-respecting services become known and commonplace. Nicolai
Re: The US government has betrayed the Internet. We need to take it back
The biggest mistake everyone is making is that while we are talking about what the USGOV/NSA in this instance you assume this is the only entity behaving in this manner. Morpheus http://www.imdb.com/name/nm401/?ref_=tt_trv_qu: This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes. Mike On Fri, Sep 6, 2013 at 11:43 AM, Jorge Amodio jmamo...@gmail.com wrote: We have to do the right thing anyway because as engineers we are always motivated to innovate, to fix, to make things better. Motivation has not to come from the NSA or any other spooking service of the day. Even if we design and deploy the best engineering solution there is always a weak link that can be compromised, coerced by law or workaround by counter-engineering. We want better ways to provide privacy? I'm not against that, but if you really want privacy the best and cheapest engineering solution is to remove the plug. We should spend more cycles about how to make broadband real broadband, deploying IPv6, implementing DNSSEC, educating people and bringing Internet where is no access or where there is bad access make it good, if in the process of doing that the NSA wants to get high sniffing all packets I really don't care much because that is not an engineering problem. I think that privacy on a public network is a very relative concept, same as security. -J On Fri, Sep 6, 2013 at 9:11 AM, Scott Brim scott.b...@gmail.com wrote: On Fri, Sep 6, 2013 at 9:50 AM, Jorge Amodio jmamo...@gmail.com wrote: IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. Yes but there is engineering to ensure that they have the opportunity to do the right thing in the first place. 
If we (IETF) naively engineer out the ability to have privacy, it doesn't matter if those people are stupid or not.
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 6, 2013 at 6:55 AM, Royce Williams ro...@techsolvency.com wrote: Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical): http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge Er ... I forgot to include the part of the Ellsberg quote that was most relevant to the discussion, with the last sentence here being the icing on the cake: You will deal with a person who doesn't have those clearances only from the point of view of what you want him to believe and what impression you want him to go away with, since you'll have to lie carefully to him about what you know. In effect, you will have to manipulate him. You'll give up trying to assess what he has to say. The danger is, you'll become something like a moron. You'll become incapable of learning from most people in the world, no matter how much experience they may have in their particular areas that may be much greater than yours. In other words: the very politicians with the clearances necessary to strike the best balance are the ones that we cannot expect to hear us, even in our areas of expertise. Security engineering must take this fact as a constraint. Royce
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 01:52:16PM -0400, Sam Moats wrote: The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. But many or most services can be sufficiently improved, and that's the goal: improvement. http://prism-break.org/ lists examples of this improvement. Nicolai
Re: The US government has betrayed the Internet. We need to take it back
On 09/06/2013 12:14 PM, Eugen Leitl wrote: On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote: On 09/06/2013 11:19 AM, Nicolai wrote: That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Of course: Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) doesn't instill a lot of confidence :) It's better than nothing though. Mike
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:

On 09/06/2013 11:19 AM, Nicolai wrote: That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.

Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.

Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by leitl.org (Postfix) with ESMTPS id 57418543E4D for eu...@leitl.org; Fri, 6 Sep 2013 21:06:34 +0200 (CEST)
Received: from localhost ([::1] helo=sc1.nanog.org) by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD)) (envelope-from nanog-boun...@nanog.org) id 1VI1KX-000CSi-NT; Fri, 06 Sep 2013 19:04:29 +
Received: from mtcc.com ([50.0.18.224]) by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD)) (envelope-from m...@mtcc.com) id 1VI1KH-000CQe-Mt for nanog@nanog.org; Fri, 06 Sep 2013 19:04:13 +
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id r86J3uVr017222 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 6 Sep 2013 12:03:57 -0700

-- doesn't do PFS, unfortunately. Everything should be doing PFS, now that we know.
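The Received trace quoted in the message above can be read hop by hop for what each MTA recorded about transport encryption. The following is an added example, not part of the original post: it parses the Postfix and Sendmail TLS annotations that appear in those headers and labels each hop by whether TLS was recorded and whether the cipher name indicates an ephemeral key exchange. The function names, the labels and the final sample header are assumptions made for the illustration.

```python
import re

# Received headers quoted in the message above, newest hop first, unfolded to
# one string each. Truncated addresses and time zones are kept as they appear.
PAGE_HEADERS = [
    "from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) "
    "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) "
    "(Client did not present a certificate) by leitl.org (Postfix) with ESMTPS "
    "id 57418543E4D for eu...@leitl.org; Fri, 6 Sep 2013 21:06:34 +0200 (CEST)",
    "from localhost ([::1] helo=sc1.nanog.org) by sc1.nanog.org with esmtp "
    "(Exim 4.80.1 (FreeBSD)) (envelope-from nanog-boun...@nanog.org) "
    "id 1VI1KX-000CSi-NT; Fri, 06 Sep 2013 19:04:29 +",
    "from mtcc.com ([50.0.18.224]) by sc1.nanog.org with esmtp "
    "(Exim 4.80.1 (FreeBSD)) (envelope-from m...@mtcc.com) "
    "id 1VI1KH-000CQe-Mt for nanog@nanog.org; Fri, 06 Sep 2013 19:04:13 +",
    "from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) "
    "(authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP "
    "id r86J3uVr017222 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA "
    "bits=256 verify=NO); Fri, 6 Sep 2013 12:03:57 -0700",
]

# Constructed sample (not from the thread): TLS with a static-RSA key exchange.
CONSTRUCTED_STATIC_RSA = (
    "from mail.example.net (mail.example.net [192.0.2.10]) "
    "(using TLSv1 with cipher AES256-SHA (256/256 bits)) "
    "(Client did not present a certificate) by mx.example.org (Postfix) "
    "with ESMTPS id 0000000000; Fri, 6 Sep 2013 12:00:00 +0000"
)

# The two TLS annotation styles that occur in the headers above.
TLS_PATTERNS = [
    re.compile(r"using\s+(?P<version>\S+)\s+with cipher\s+(?P<cipher>[\w-]+)"),  # Postfix
    re.compile(r"version=(?P<version>\S+)\s+cipher=(?P<cipher>[\w-]+)"),         # Sendmail
]

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (EC)DH.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "AECDH-", "ADH-")


def strip_comments(header):
    """Drop (possibly nested) parenthesised comments, keeping the clause skeleton."""
    out, depth = [], 0
    for ch in header:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_hop(header):
    """Return sender, receiver, protocol keyword and any recorded TLS details."""
    bare = strip_comments(header)

    def clause(keyword):
        m = re.search(r"\b" + keyword + r"\s+(\S+)", bare)
        return m.group(1).rstrip(";") if m else None

    hop = {"from": clause("from"), "by": clause("by"), "with": clause("with"),
           "tls_version": None, "cipher": None}
    for pattern in TLS_PATTERNS:
        m = pattern.search(header)  # TLS details live inside the comments
        if m:
            hop["tls_version"] = m.group("version")
            hop["cipher"] = m.group("cipher")
            break
    return hop


def classify(hop):
    """Label a hop from what the receiving MTA wrote; absence is not proof."""
    if hop["cipher"] is None:
        return "no-tls-recorded"
    if hop["cipher"].upper().startswith(EPHEMERAL_PREFIXES):
        return "tls-forward-secret"
    return "tls-static-key"


def audit(headers):
    """Return (from, by, label) for each Received header, in the order given."""
    return [(h["from"], h["by"], classify(h)) for h in map(parse_hop, headers)]


if __name__ == "__main__":
    for sender, receiver, label in audit(PAGE_HEADERS + [CONSTRUCTED_STATIC_RSA]):
        print(f"{sender} -> {receiver}: {label}")
```

Each Received line is only the receiving MTA's own record of the connection it accepted, so the labels describe what was logged for that hop, not the protection of the message end to end.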
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 6, 2013 at 7:23 AM, Sam Moats s...@circlenet.us wrote: ... Below is a sample banner (IS is information System) By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. Sam Ah. So, if we all become ordained ministers, our communications become privileged communications not subject to monitoring by the US government? Matt (spoken mostly tongue-in-cheek; but it would be fun to see the government go up against the religious right on the question of whether the government has the right to violate the seal of the confessional and monitor layperson communications with their clergy...)
Re: The US government has betrayed the Internet. We need to take it back
On 09/06/2013 12:52 PM, Nicolai wrote: On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote: On 09/06/2013 11:19 AM, Nicolai wrote: That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security. But the deeper issue is coercing providers to give up mail stored on private servers, bypassing the network altogether. TLS doesn't address this problem. Short term: deploy [START]TLS. Long term: we need a new email protocol with E2E encryption. I'd say we already have those things too in the form of PGP/SMIME. Who knows what the NSA can break, but it's just not right to say that we need new protocols. The means has been there for many years to secure email (fsvo 'secure'), it's just that it's not terribly convenient so we just don't for the most part. Mike
Re: The US government has betrayed the Internet. We need to take it back
Once upon a time, Nicolai nicolai-na...@chocolatine.org said: Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security. OpenSSL is not the only game in town. -- Chris Adams c...@cmadams.net
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote: On 09/06/2013 11:19 AM, Nicolai wrote: That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Agreed. Although some people are uncomfortable with OpenSSL's track record, and don't want to trade system security for better-than-plaintext network security. But the deeper issue is coercing providers to give up mail stored on private servers, bypassing the network altogether. TLS doesn't address this problem. Short term: deploy [START]TLS. Long term: we need a new email protocol with E2E encryption. Nicolai
Re: The US government has betrayed the Internet. We need to take it back
The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Their only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often chosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote: On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote: If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge necessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about. Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatible services, so that privacy-respecting services become known and commonplace. Nicolai
Re: The US government has betrayed the Internet. We need to take it back
MAN UP! From: Sam Moats s...@circlenet.us To: nanog@nanog.org Sent: Friday, September 6, 2013 8:04 AM Subject: Re: The US government has betrayed the Internet. We need to take it back This is part of the purpose behind the separation of powers between executive, legislative and judicial. William Pitt wrote "Unlimited power is apt to corrupt the minds of those who possess it". As such constraints are needed and in place. We expect politicians to cheat, lie, be stupid and self serving. Because we like people who tell us what we want to hear and most of us vote for people that we like. They do not have to be wise, or even competent. Personally I think most of the fault currently lies with the Judicial side. These laws were enacted as a knee jerk reaction to an event. I can understand the passions of people at that time because I shared them, however the courts are supposed to be a bulwark against this very kind of rash action. These men and women are supposed to be well educated in the fundamental concepts that constructed our republic and appointed to terms that prevent them from worrying about the political whims of the time. Sam On 2013-09-06 10:55, Royce Williams wrote: On Fri, Sep 6, 2013 at 6:27 AM, Naslund, Steve snasl...@medline.com wrote: [snip] 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. Historically speaking, I'm not convinced that a pure political solution will ever work, other than on the surface. 
The need for surveillance transcends both administrations and political parties. Once the newly elected are presented with the intel available at that level, even their approach to handling the flow of information and their social interaction have to change in order to function. Daniel Ellsberg's attempt to explain this to Kissinger is insightful. It's a pretty quick read, with many layers of important observations. (It's Mother Jones, but this content is apolitical): http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be made, the good technical choices must be the only ones available. Security engineering must pave the way to the high road -- so that it's the only road to get there. Royce
Re: The US government has betrayed the Internet. We need to take it back
My dad once told me they could indict a ham sandwich. I never really knew what that meant.. A law does not mean an automatic grant of constitutionality. I'm all for following laws, but at what point does the public just say.. The threat isn't large enough to warrant a proctologist visit via NSA to see if you've been a good boy. I'm innocent until proven guilty beyond a reasonable doubt by a jury of my peers, it doesn't work any other way. You either respect the document that establishes basic principles for this land, or you do not. As I said before.. Snowden would have had a worldwide frenzy of activity had he included facebook is going to a pay model instead of legit information about national war crimes. Sent from my Mobile Device. Original message From: Sam Moats s...@circlenet.us Date: 09/06/2013 10:56 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: The US government has betrayed the Internet. We need to take it back The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Their only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often chosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote: On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote: If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. I think Joe 6mbps sitting at home reads that everything he uses has been subverted. 
He doesn't know what alternatives exist, and doesn't have the technical knowledge necessary to find them on his own. And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about. Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatible services, so that privacy-respecting services become known and commonplace. Nicolai
Re: The US government has betrayed the Internet. We need to take it back
Just following orders... From: Sam Moats s...@circlenet.us To: nanog@nanog.org Sent: Friday, September 6, 2013 7:30 AM Subject: RE: The US government has betrayed the Internet. We need to take it back +1 I couldn't have said it any better. Sam On 2013-09-06 10:27, Naslund, Steve wrote: The error in this whole conversation is that you cannot take it back as an engineer. You do not own it. You are like an architect or carpenter and are no more responsible for how it is used than the architect is responsible that the building he designed is being used as a crack house. Do Ford engineers have a social contract to ensure that I do not run over squirrels with my Explorer, will they take it back if I do so? The whole social contract argument is ridiculous. You have a contract (or most likely an at will agreement) with your employer to build what they want and operate it in the way that they want you to. If it is against your ethics to do so, quit. The companies that own the network have a fiduciary responsibility to their investors and a responsibility to serve their customers. If anyone is really that bent out of shape by the NSA tactics (and I am not so sure they are given the lack of political backlash) here is what you can do. In the United States there are two main centers of power that can affect these policies, the consumer and the voter. 1. We vote in a new executive branch every four years. They control and appoint the NSA director. Vote them out if you don't like how they run things. Do you think a President wants to maintain power? Of course they do and they will change a policy that will get them tossed out (if enough people actually care). 2. The Congress passes the laws that govern telecom and intelligence gathering. They also have the power to impeach and/or prosecute the executive branch for misdeeds. They will pass any law or do whatever it takes to keep themselves in power. Again this requires a lot of public pressure. 3. 
The companies that are consenting to monitoring (legal or illegal) are stuck between two powers. The federal government's power to regulate them and the investors / consumers they serve. Apparently they are more scared of the government even though the consumer can put them out of business overnight by simply not using their product any more. If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. If a social contract exists at all in the United States, it would be to hold your government and the companies you do business with to your ethical standards. Another thing to remember is that the NSA engineers were probably acting under their social contract to defend the United States from whatever enemies they are trying to monitor and also felt they were doing the right thing. The problem with social contracts is that they are relative. As far as other countries are concerned, you can affect their policies as well. US carriers are peered with and provide transit to Chinese companies. If the whole world is that outraged with what they do, they just need to pressure the companies they do business with not to do business with China. Steven Naslund Chicago IL -Original Message- From: Jorge Amodio [mailto:jmamo...@gmail.com] Sent: Friday, September 06, 2013 8:51 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. I read all of it, the original article and other references to it. IMHO, there is no amount of engineering that can fix stupid people doing stupid things on both sides of the stupid lines. 
By trying to fix what is perceived an engineering issue (seems that China doing the same or worse for many years wasn't an engineering problem) the only result you will obtain is a budget increase on the counter-engineering efforts, that may represent a big chunk of money that can be used in more effective ways where it is really needed. My .02 -J
Re: The US government has betrayed the Internet. We need to take it back
On 9/6/2013 8:08 AM, John Peach wrote: On Fri, 6 Sep 2013 07:46:59 -0500 Jorge Amodio jmamo...@gmail.com wrote: http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying The US government has betrayed the Internet. We need to take it back Who is we ? If you bothered to read the 1st paragraph you would know. I did bother. The first 'graf after the link reads, in toto: The US government has betrayed the Internet. We need to take it back[sic] You apparently use the silent period at the ends of 'grafs so I took the blank line as the 'graf delimiter. Who is we. I have learned to distrust the generic we as doers of stuff. What is your part of the recovery? What do you see as mine? (I like you and me as identifiers for doers of stuff. Third party identifiers are acceptable and tentative, pending conversion to me or you.) -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: The US government has betrayed the Internet. We need to take it back
--- s...@circlenet.us wrote: From: Sam Moats s...@circlenet.us Their only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often chosen. So, there's no choice except to get a 5-gallon bucket of gov't-ky jelly and take it? So many things come to mind on your flag-waving emails, I can't think of what to say first. And believe me, that's not usual... ;-) After a while, you'll become raw and probably change your mind. scott
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 06, 2013 at 01:04:48PM -0700, Michael Thomas wrote: I'd say we already have those things too in the form of PGP/SMIME. Who knows what the NSA can break, but it's just not right to say that we need new protocols. The means has been there for many years to secure email (fsvo 'secure'), it's just that it's not terribly convenient so we just don't for the most part. The scuttlebutt is that anything SMTP is unfixable, so XMPP/OTR is gap-filler until really distributed systems with zero metadata (Tahoe LAFS Co) come along. In regards to Schneier's manifesto, it seems he's targeting noncorporate/nonaffiliated engineers, and there *has* been considerable activity in the woodworks in the past months. Most of the resulting countermeasures will be more for the network edge and end users, so not really operationally relevant for nanog. Sorry to waste your time, but it was worth a try.
Re: The US government has betrayed the Internet. We need to take it back
On 09/06/2013 11:19 AM, Nicolai wrote: That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol. Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least. Mike
Re: The US government has betrayed the Internet. We need to take it back
On 6 September 2013 10:52, Sam Moats s...@circlenet.us wrote: The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Only if are on USA territory. You can also push for distributed services that don't depend on one fat server farm. -- -- ℱin del ℳensaje.
RE: The US government has betrayed the Internet. We need to take it back
I am unclear on what you mean by technical choice. Are you talking about a technical solution to keep the government from seeing your traffic? That will not work for two main reasons. 1. The government has a lot more resources and motivation than the average company when it comes to security systems. They do not have to be profitable, just effective. Most companies only invest in the security that they are required to provide. As a private entity they will be unlikely to want to get in a technological arms race with the NSA. Remember these are the guys that also design some of the most sophisticated encryption systems in the world and have nearly limitless computing power to break such systems. They attract some of the most brilliant mathematical minds in the world and actively pursue these employees. You are really unlikely to out security engineer the NSA especially since the USG can control legally what technology you are allowed to use and export. Who designed your encryption algorithm and which one of your employees is a qualified cryptographer that can assure you that it is secure enough. Is he qualified to tell you what backdoors or capability NSA has to break that encryption method? Do you have the technical experts to assure you that no US intelligence service has penetrated your human or technical resources? Do you think no one in your organization would plug something into your network if it comes with a bag of cash or a threat attached to it. If so, I think the NSA might offer you a lucrative job. Remember these are the same guys who are supposed to break the communications of foreign governments and by all accounts are fairly good at it. I don't want to bet my job on defeating them. 2. If the political environment allows, they will simply pass laws along the lines of CALEA to give them the legal right to tap your traffic. 
Even if you won the technological battle they can instantly trump you with key escrow and other such legal force means to defeat you. If the political will exists they can pass a law requiring you to pass them all information in plain text. Game over, you lose. Just try to defy a FISA court order or refuse a CALEA tap and see how long you are in business. There is always a debate of privacy vs security and there always has been in one form or the other. This is expressed by the people of this country in their political and economic choices. I know it does not seem like it sometimes but the government will only do what the majority of the people will accept most of the time. Every decision a politician makes is a balance between what he wants and what he thinks he can get away with. He wants the information but it is only useful if he maintains his access to power. As you see, the ONLY solution is the political will to limit the government's powers. The only way that is done is to threaten the power structure or financial structure. The history of the best technical solution winning inside the US Government structure is pretty weak. POSIX compliance, ADA programming, need I say more? I say this as a former network engineer in the United States Air Force. As far as both parties being responsible for this, I agree completely. Everyone knows that information is power and everyone wants as much information as they can get. The only way to influence that is to make the cost of illegal information collection too high a price to pay for the politicians. The NSA will only use the technology they are allowed to use by whomever is in power. No one over there wants to go to jail and most government employees do not want to put their neck on the line if they know there is no safety net. The Director of NSA answers to the President. His job is to get the information the USG wants and not get anyone fired doing it. Everything he does is about that balance. 
If he does not do it, the President will appoint someone who does. Historically the NSA is directed by a General officer from the military. They generally follow the orders they are given by the President and that is where the power really lies. It is the job of the Congress to oversee that and ensure the limitations are being followed. If that is not happening, it is up to the citizens to replace the President or Congress with someone who will follow the will of the people. Steve -Original Message- From: Royce Williams [mailto:ro...@techsolvency.com] Sent: Friday, September 06, 2013 9:56 AM To: NANOG Subject: Re: The US government has betrayed the Internet. We need to take it back [snip] http://www.motherjones.com/kevin-drum/2010/02/daniel-ellsberg-limitations-knowledge I think that Schneier's got it right. The solution has to be both technical and political, and must optimize for two functions: catch the bad guys, while protecting the rights of the good guys. When the time comes for the political choices to be
Re: The US government has betrayed the Internet. We need to take it back
On Fri, Sep 6, 2013 at 8:02 AM, Naslund, Steve snasl...@medline.com wrote: I am unclear on what you mean by technical choice. Are you talking about a technical solution to keep the government from seeing your traffic? That will not work for two main reasons. [good reasons snipped] Ah, I should have been more clear. I'm definitely not proposing that the private sector could succeed in such an arms race, for exactly the two reasons that you accurately laid out: the government has vastly greater resources, and they have the law. (And I would add a third: they have a valid mission to accomplish). I intended the technical choice idea to be more broad. I'm no crypto guy, but of the work happening in this space, it seems that there are a lot of people working on the problem of how do we keep everyone else out?, and a lot of other people are working on how do we get in? And recently, a lot more folks are working on how can we quickly tell that they got in? But it doesn't seem to me that very many people are working (at a technical level) on the hard problem of how do we simultaneously enable lawful intercept, and verifiably preserve privacy? There seems to be an intractable conflict between freedom and surveillance. But if we set aside that assumption, we might discover technical approaches to support both. The politics might change if the politicians didn't have to choose one or the other. Pipe dream? Certainly. But escaping assumptions is where breakthroughs are made. Royce
RE: The US government has betrayed the Internet. We need to take it back
Great opportunity for a country like Brazil (for example) to become a place of business for many of these services which are subject to Calea (and such) in the US. This type of behavior is certainly a motivator for folks in other countries to benefit, to our detriment. If the NSA is truly undermining the security of private enterprises which rely on compromised security implements, besides being counter productive, it will cost (maybe already has) in lost revenue or damages. Sooner or later this is going to take its toll. In the end the universal language of cold hard cash will reign. /wp From: Sam Moats s...@circlenet.us Sent: 9/6/2013 11:55 AM To: nanog@nanog.org Subject: Re: The US government has betrayed the Internet. We need to take it back The problem being is when you do have a provider that appears to be secure and out of reach, think lavabit, that provider will not survive for long. The CALEA requirements, and Patriot Act provisions will force them into compliance. Their only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often chosen. Sam Moats On 2013-09-06 13:20, Nicolai wrote: On Fri, Sep 06, 2013 at 02:27:32PM +, Naslund, Steve wrote: If everyone cancelled their gmail accounts, stopped using Google search, and stopped paying for Google placement and ads, their stock would go to zero nearly overnight. Again, no one seems to care about the issue enough to do this because I have seen no appreciable backlash against these companies. I think Joe 6mbps sitting at home reads that everything he uses has been subverted. He doesn't know what alternatives exist, and doesn't have the technical knowledge necessary to find them on his own. 
And faced with a false choice -- stop using the Internet, or continue using it as he knows how -- he chooses the one that retains his ability to communicate with family and friends and keep up on the things he cares about. Schneier is saying we need to build better options for Joe 6mbps, competing with the PRISM-compatible services, so that privacy-respecting services become known and commonplace. Nicolai
RE: The US government has betrayed the Internet. We need to take it back
On Fri, 2013-09-06 at 23:03 +, Paul Donner (pdonner) wrote: Great opportunity for a country like Brazil (for example) to become a place of business for many of these services which are subject to Calea (and such) in the US. This type of behavior is certainly a motivator for folks in other countries to benefit, to our detriment. If the NSA is truly undermining the security of private enterprises which rely on compromised security implements, besides being counter productive, it will cost (maybe already has) in lost revenue or damages. Sooner or later this is going to take its toll. In the end the universal language of cold hard cash will reign. You mean like this? http://www.zdnet.com/u-s-cloud-industry-stands-to-lose-35-billion-amid-prism-fallout-718974/ As one currently working in the cloud this is deeply concerning. --Chris
Re: The US government has betrayed the Internet. We need to take it back
This has been known for years so why the sudden list spam Calea in Canada goes into full force jan 1 2014 and yes it was meant to stop pedo bears but it is much farther reaching Sent from my iPhone On 2013-09-06, at 5:33 PM, Scott Weeks sur...@mauigateway.com wrote: --- s...@circlenet.us wrote: From: Sam Moats s...@circlenet.us Their only options are to: Disobey the law, unacceptable in my opinion Close down services, noble but I need to eat and you probably want to keep getting email Compromise your principles and obey the law, the path often chosen. So, there's no choice except to get a 5-gallon bucket of gov't-ky jelly and take it? So many things come to mind on your flag-waving emails, I can't think of what to say first. And believe me, that's not usual... ;-) After a while, you'll become raw and probably change your mind. scott
RE: The US government has betrayed the Internet. We need to take it back
The problem is that the US govt and others have been sucked into a vortex of bad game theory. They believe we the people don't want any terrorist acts against us, or minimized as much as possible, which is roughly: none. This belief is reasonable. Worse, terrorism has become a political weapon against whoever can be characterized as asleep on the watch. The president, DHS, FBI - remember all the news articles asking why the FBI didn't act earlier on the Marathon bombers? etc. Tonight at midnight Janet Napolitano is no longer head of DHS. As many have said: What a bad job she had! Just waiting for a terrorist attack so congress et al can demand to know why. So DHS, NSA, et al sit around dreaming up ways to prevent terrorism which in some cases probably works, and in other cases is probably impossible. They seem to have hit upon this surveillance effort as a deliverable. The govt is going to resist engineering efforts because as I said it's their butts on the line not yours if there's an attack. Or yours only figuratively or by some coincidence (you're actually the victim of an attack.) We have a bad feedback loop going on in govt right now. Did the brains at al Qaeda foresee this in 2001? Possibly. It's not magic -- fear of terrorism creating a feedback loop like this. There are, or were, intellectuals behind AQ, some no doubt bright. So when people ask what is the aim of terrorism I think we're living it right here. I'm not convinced that characterizing the govt as the evil here is entirely constructive. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*