Crypto Daddy Phil Zimmerman says surveillance society is DOOMED

A killer combination of rapidly advancing technology and a desire for greater privacy among the public should condemn current surveillance state to an historical anachronism, according to PGP creator Phil Zimmermann. In an extended talk at Defcon 22 in Las Vegas, Zimmermann said it might seem as though the intelligence …

        1. Looper

          Re: He talks a good talk

          > Agreed. The big difference in that hygiene, education and health

          Don't forget the roads...

          Yeah, and the aqueducts....

          Yeah, okay I'll give you the roads, and the aqueducts...

          And of course, the wine....

          Yeah... Yeah...

          Yeah, you can't forget the wine Reg...

          Okay, they have given us health, education, roads, aqueducts and wine, but besides all that... WHAT 'ave the Romans EVER done fer us...?

    1. oiseau

      Re: He talks a good talk

      > ... nobody cared who they heard shagging: so long as it wasn't their partner

      > or livestock.

      LoL !

      Made my day.

      As for the rest of your post, agree 100% .

    2. John Sturdy
      Black Helicopters

      Frankpledge may have limited privacy

      The frankpledge system (mutual legal responsibility in a group of households) may have encouraged people to keep informal surveillance of each other (although at least that would have been P2P).

  1. John Smith 19 Gold badge
    Unhappy

    It's good to be reminded that there *are* cases where the people won.

    But remember this is the USA.

    THE PATRIOT Act trumps everything.

  2. Destroy All Monsters Silver badge
    Unhappy

    I raise you a sedition act

    Things are going increasingly haywire in inside-the-Beltway and Neocon/Foreign politics, not to mention in economics where the point where the can kicking becomes ineffective seems past. Meanwhile "public forces" seem to be increasingly militarized, psychologically as well as gear-wise.

    The prez is not on the side of liberty, not by a long shot (instead he is on the side of "the freedoms"). And so isn't the whole bipartisan clique. The next prez will hopefully not be Madame "We came, We saw, He died" Hillary (because LOL unelectable democrats) but the odds that there will be anything better on display are slim indeed.

    The surveillance apparatus won't give up unless pitchforks come out and kebabs are removed from government buildings.

    So no, I foresee a worsening.

    1. This post has been deleted by its author

    2. elDog

      Re: I raise you a sedition act

      While I think most of your rant is just a rant, I have to applaud the "The surveillance apparatus won't give up unless pitchforks come out and kebabs are removed from government buildings". What a wonderful juxtaposition of words!

      Unfortunately, removing all the kebabs will get rid of all the useless republican legislators, even the most pro-active do-nothing teabaggers. It'll also get rid of all military forces since their domiciles are in gummint buildings.

      Let your airports run without the FAA, your cell-phone without GPS, your roads without any enforced rules.

      Of course this isn't the first rant that spouts meaningless drivel so I shouldn't try to address all of its failings. You can probably research them yourself. Yes, if your wet-dreams come to fruition, there is a worsening.

  3. Anonymous Coward
    Anonymous Coward

    Queen Elisabeth 1st.

    During the reign of QE1, there really were foreign plots against the State. Aristocrats were being paid by Spain to try and bring about a revolution; the Queen could rely on Drake because he was a commoner (and had had an aristocrat executed) and so was totally dependent on her for protection.

    The result was spies everywhere, which persisted until after the Dutch takeover in 1688. Under King William and his successors, the Church of England was repurposed as a kind of benevolent KGB intended to maintain social harmony, which it did very well until the 19th century and resurgent Catholicism. It was in the 19th century that it was decided that gentlemen only spied on foreigners.

    Once again we have a lack of social cohesion and large groups of foreigners in the country whose interests probably don't align with the majority (perhaps I should add in "and Old Etonians"). The State answer as under QE1 is mass surveillance. It didn't end for a long time then, and I doubt it will now.

    1. Chris G

      Re: Queen Elisabeth 1st.

      And you and me and everyone else who feels we are over surveilled is regarded as a conspiracy theorist and accordingly belittled and satirised by our government representatives. It is unfortunate that the mainstream media seems to play along with our governments in preference to defending its readers/viewers.

      I find the majority of people when engaged in conversation on these subjects tend to be surprised that I have any issues and don't really know what I am talking about, so I am not expecting a groundswell of anti-government opinion against surveillance any time soon, it's going to get a lot worse before it gets better.

  4. ShadowedOne

    Engagement

    " He also said the abolition of slavery and absolute monarchy, and the achievement for civil rights, also once looked unlikely but were achieved."

    The things that an engaged population can do are quite amazing. Unfortunately, at this point in time, not only is the population very much disengaged, the government and the media are actively promoting division (ie. partisan politics).

    While we have achieved great things in the past, unless people are willing to shake off their complacency, such things will be beyond us in the future.

    1. Pascal Monett Silver badge

      Spot on !

      I do take his words as a bit of a dreamer. Believing that people will not stand for government encroaching further on their privacy looks a bit optimistic when people have gladly accepted it from businesses that had no right to do it in the first place (yes, Google and Facebook, I'm looking at you both).

      And the issue I have with that is that once you have gotten used to being spied on under the excuse of serving better ads, what use is it to complain about being spied on for the overwhelming excuse of National Security ? I mean, I know that the general population has no problem with hypocrisy when applied to their own lives (like white people who don't like colored people but readily employ them because they can pay them cheaply), but I think that even the personal hypocrisy meter would be a bit blown by complaining now on Facebook or Twitter.

      The saddest fact is simply that too many people don't care, or are even aware of, what they give up in order to continue farmvilling or twitterating or wall-posting what they had for breakfast.

      And that's why it works.

      As for editing EXIF data, please. Do you file your carburettor intake to improve its efficiency too ? If you have that level of expertise and believe that everyone else does it too, you clearly don't go outside enough.

      1. J. R. Hartley

        Re: Spot on !

        "coloured people"?

        "carburettor"??

        The 1970's called etc etc

  5. William Donelson

    Wage slavery increases every day, though. Increases in Real incomes for 99% of the US population stopped during the Reagan era, while the top 1% have accrued all of the benefits of automation and increased productivity. You can see from this chart:

    http://gyazo.com/e91db7668b1567168ad314e278b31b72

    1. Destroy All Monsters Silver badge

      But this is not really a problem, is it?

      > Increases in Real incomes for 99% of the US population stopped during the Reagan era

      What is the Federal Reserve.

  6. Anonymous Coward
    Anonymous Coward

    Nah

    I really don't see the surveillance state being rolled back by anything resembling a popular backlash - not as things are going at the moment.

    Internet-based surveillance is generally unobtrusive and I believe that most people either care little for their privacy or just assume that communications are monitored and act accordingly. By 'act accordingly' I mean that people naturally fill the snoops' logs with inane chatter.

    What might kill the surveillance state would be the realisation by government bean counters that expenditure on surveillance just isn't reaping worthwhile rewards - as the ostensible targets will more likely be using more traditional means of communication.

    1. Cameron Colley

      Re: Nah

      Ah, but you make the mistake of thinking that the surveillance is there in order to protect people or to stop terrorism or other crimes. That is very obviously not the case -- it is there to up the IT spending of the government to please the buddies of those who make the purchasing decisions.

      The governments of the West (and most others too) don't want to prevent terrorism at all, apart from the few attacks aimed at them personally, but like terrorism as it can be used to keep people controlled and quiet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nah

        I don't think I have made a mistake - I made no assumptions as to why the surveillance is there. There is some merit to your cynical view, and that is what my last bit was about : whatever the true reason for the surveillance, the justification is certainly based on terrorist threats and the like, and there may come a point where someone in government is brave enough to point out that all the expenditure isn't really cost-effective.

        Having said that, I guess it will never happen - for the simple reason that our own spooks are not going to accept a reduction in their capabilities as long as the rest of the world's spooks are freely monitoring us. And I can't argue with that, I suppose.

        1. Anonymous Coward
          Anonymous Coward

          Re: Nah

          Besides, the state REALLY DOES fear the one that gets away, as that will be the one that utterly destroys them if not all of civilization. IOW, they're under constant fear of existential threat. And with an existential threat, nothing's taboo.

  7. Anonymous Coward
    Anonymous Coward

    Dynasties

    Absolute monarchies have been replaced by political dynasties - sometimes even composed of blood relatives. The UK State has passed so many new laws that individuals are regarded as criminals who must be prevented from challenging the Establishment. That sounds like a form of slavery.

  8. John Lilburne

    It aint the State we need to be worried about.

    It's the search engines, email providers, social networks that are mining our private data and selling it on to 3rd parties.

    For that we need the State to step up to the plate and protect its citizens.

    1. Destroy All Monsters Silver badge
      Facepalm

      Re: It aint the State we need to be worried about.

      > For that we need the State to step up to the plate and protect its citizens

      That's some big honking stone under which you have been living for the last twenty years, mate.

      Have a military MRE, because that's all you gonna get from state. That and rampant inflation.

    2. Vociferous

      Re: It aint the State we need to be worried about.

      That is the dumbest poppycock I've ever heard. Google sends ads at you, not armed police.

  9. ex_ussr1

    Not so doomed.

    In your eagerness to demonstrate eagerness in the west to respect privacy, you conveniently forgot the growth of the largest authoritarian state controlled internet networks in the world, and the not so subtle use of neo fascist propaganda to justify it all.

    (Russia & China), never mind "innocent little places" like the Middle east, Turkey et al to name but a few...

    The same show, coming soon to a town near you.

  10. tom dial Silver badge

    As much as I respect Phil Zimmerman, I think he is largely mistaken. For quite a few years I have urged nearly everyone I know who is even marginally computer literate to use PGP or OpenPGP to secure email, with exactly one success, who already was set for, and using, one of these products.

    Although this sample is not at all random and the results of analysis unsuitable for making long term projections, it nonetheless suggests that people are not very interested. Whatever the reason, it appears likely that a great many people are comfortable with the same degree of privacy they would get by sending a post card through the mail. I do not really expect encryption of voice mail to have enough uptake to limit the signals intelligence agencies. Those who have reasons to use encryption, or a desire for the privacy that encryption can provide probably are using it already, and I rather doubt that preaching to the faithful at Black Hat will change that much.

    1. Michael Wojcik Silver badge

      > For quite a few years I have urged nearly everyone I know who is even marginally computer literate to use PGP or OpenPGP to secure email, with exactly one success, who already was set for, and using, one of these products.

      IT security is one of my fields; I've had GPG installed on all of my computers for years; I have a thorough understanding of cryptography and a passing familiarity with the specifics of the PGP, PEM, and S/MIME protocols. I don't bother encrypting or signing any of my email.

      Why not? Few or none of the recipients are prepared to do anything with either, and the presence of signatures would only confuse them. And there's very little benefit to me in sending encrypted or signed email, even if my recipients did handle it correctly. My email just isn't that valuable (except internal work email, which never leaves the corporate network, so an attacker who gained access would almost certainly have stolen creds to read it anyway).

      I think promoting secure email is a quixotic quest. Yes, if we could get most people using signed email, it'd at least cut back somewhat on phishing and the like. But the threshold for that to be useful is very high. Beyond that, it's mostly useful only if two parties agree beforehand that their threat model justifies it, and they configure it as a special arrangement. For everyone else, it's "oh, there's one of those weird paragraphs of garbage at the end of this message".

      In my experience, the chief use of PGP/GPG is to sign software distributions, which has some utility, though many organizations don't practice any sort of consistency or provide decent key verification (hello, openssl.org).

  11. Vociferous

    Notice the difference.

    It was possible to conspire against the monarch without the monarch knowing about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Notice the difference.

      "It was possible to conspire against the monarch without the monarch knowing about it."

      Lord Protector Oliver Cromwell gave the existing Royal Mail a monopoly on the mail service. Therefore all letters had to pass through a central office where they could be opened, read, and copied - before being carefully resealed. The express purpose was to spy on possible dissidents. Transcripts of some letters still exist in archives.

      1. Anonymous Coward
        Anonymous Coward

        Re: Notice the difference.

        I wonder if even back then the Royal Mail had to deal with the possibility of a tamper-evident envelope where there was no way to open it without revealing it had been opened.

  12. Anonymous Coward
    Big Brother

    If you've done nothing wrong ..

    If you've done nothing wrong, then you've got nothing to hide, Chief Constable of the Metropolitan Police

    Insert obligatory Orwell quote: "By sitting in the alcove, and keeping well back, Winston was able to remain outside the range of the telescreen, so far as sight went. He could be heard, of course, but so long as he stayed in his present position he could not be seen."

  13. T. F. M. Reader Silver badge

    A flaw in his argument

    It is natural that Zimmerman focuses on encryption as the main means to ensure privacy. However, encrypting one's communications is a means against eavesdropping, but not against surveillance. Surveillance is about gathering metadata - who is talking to whom - and not (so much) learning the contents of the conversations.

    Since calls need to be connected, emails need to be delivered, packets need to be routed, IP addresses need to be assigned to physical locations, and even mobile phones need to talk to towers, metadata can be gathered, stored, and analysed, if deemed necessary. This is surveillance, and encryption will not help against it.

    1. Pascal Monett Silver badge

      I had not really realized that. Thank you for the clarification. I will keep that in mind for future arguments.

    2. John H Woods Silver badge

      Re: A flaw in his argument

      "addresses need to be assigned to physical locations, and even mobile phones need to talk to towers, metadata can be gathered, stored, and analysed, if deemed necessary. This is surveillance, and encryption will not help against it." --- TFM Reader.

      Encryption can help against it, for instance, I can post the following AES256 encrypted text here:

      ZQN+xEcBITAhITAhLR0+Us1QcS6pEiExNjAhEkJoHOJpLa8k9eT27QS+i2cjpcVXcMkt5ZgXV5qEIrbBcjmlD1jrGS3lSA58Zs9ut4Z64X/dBLN5LfwuN51uqGhS0di/oyEwIWk=

      Quite a few people are going to see that, but only the people who know the password are going to be able to read it. So the mechanics of using encryption to obscure metadata can be relatively simple: you can broadcast encrypted messages to a wide group of people including your receiver, but in a form that only they will understand (numbers stations seem to have been doing this for decades).

      Of course, the legality of it is something else. In the UK, as I understand it, having this message in your browser cache, and being unable to produce the key when asked, could result in you receiving an effectively infinite prison sentence, served out in 2 year chunks. In the short term, I can spare you this ("password") but in the longer term that legislation needs to be removed. That gets us back to the real problem - how to get people engaged.

      1. Michael Wojcik Silver badge

        Re: A flaw in his argument

        > So the mechanics of using encryption to obscure metadata can be relatively simple: you can broadcast encrypted messages to a wide group of people including your receiver, but in a form that only they will understand (numbers stations seem to have been doing this for decades).

        More generally, there are any number of protocols to impede traffic analysis, from broadcast[1] to steganography to using covert channels to chaffing-and-winnowing and so on.

        All of these involve costs. As with anything in security, it's a question of trading off one part of the threat space for another. For example, protocols that involve message expansion (broadcasting, chaffing, &c) typically have a greater resource cost and make less efficient use of bandwidth, and potentially create the possibility of amplification DoS.

        Most generally, you can say that if one secure-communications technique has problem X, there is probably an additional technique that can be layered on top of it to exchange X for problem Y. Repeat until you have a problem you can live with, or boredom sets in.

        [1] With or without encryption. Encryption in your example is orthogonal to the goal of evading metadata surveillance.

      2. Anonymous Coward
        Anonymous Coward

        Re: A flaw in his argument

        "Quite a few people are going to see that, but only the people who know the password are going to be able to read it."

        That alone, though, is still a set smaller than the set of all possible listeners, meaning it can be intersected with other sets gathered elsewhere, which allow you to gradually winnow down your list of suspects. Investigators can be patient; cold cases can be kept for decades. All they need is one new clew to narrow it down to that one suspect...

        Furthermore, the act of posting that message can be traced as well...
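The broadcast-and-trial-decrypt idea discussed in this sub-thread, as an added example that is not part of any commenter's post: every reader fetches every post and tries their password, so an observer cannot tell readers apart, yet the poster and the fetch activity stay visible and the work grows with readers times posts. It uses only the Python standard library, so an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES-256 mentioned above; all names, passwords and messages are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed demo value, kept low so the example runs quickly


def _keys(password, salt):
    # One password-derived secret split into an encryption key and a MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return dk[:32], dk[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR, not AES itself.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(password, plaintext):
    """Encrypt-then-MAC; returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(password, blob):
    """Return the plaintext, or None if this password does not fit the post."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def simulate(posts, readers):
    """posts: [(poster, password, text)]; readers: {name: password}."""
    board = [seal(pw, text) for _, pw, text in posts]
    # Metadata an observer of the board still gets: who posted, and how much.
    post_log = [(poster, len(blob)) for (poster, _, _), blob in zip(posts, board)]
    inbox, fetch_log, trials = {}, [], 0
    for name, pw in readers.items():
        fetch_log.append((name, len(board)))   # every reader pulls every post
        opened = [open_sealed(pw, blob) for blob in board]
        trials += len(board)                   # cost: one trial decryption per post
        inbox[name] = [pt for pt in opened if pt is not None]
    return inbox, post_log, fetch_log, trials


# Constructed sample data: names, passwords and messages are invented.
POSTS = [
    ("poster1", "correct horse", b"meet at noon"),
    ("poster2", "battery staple", b"bring the files"),
    ("poster3", "unshared secret", b"nobody reads this"),
]
READERS = {"alice": "wrong guess", "bob": "battery staple", "carol": "correct horse"}

if __name__ == "__main__":
    inbox, post_log, fetch_log, trials = simulate(POSTS, READERS)
    print("inboxes:", inbox)
    print("observer sees posts:", post_log)
    print("observer sees fetches:", fetch_log)   # identical for all readers
    print("trial decryptions:", trials)
```
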

  14. kmac499

    Public vs Anonymity vs Privacy vs Secrecy

    Public vs Anonymity vs Privacy vs Secrecy

    Four different levels of visibility for your Identity, Actions, Transactions and Opinions. Each one quite neatly covers widely agreed areas.

    The real fun of course, comes when deciding what goes into each pot and even more fun happens with the asymmetry of someone else deciding for you, without asking or even entering any form of reciprocal discussions on the information they hold.

    My personal opinion is that there is not enough emphasis placed on anonymity. The ability to go out about your normal day without being tracked monitored or identified.

    I see anonymity as a passive almost default state of being, until you introduce yourself to others.

    Privacy is a chosen active state and it should be the default state of information particularly personal identifiers that you may regard it as sensitive.

    PGP et al are really good at maintaining privacy and enabling secrecy. But the current Public networks carrying those messages do not easily confer Anonymity..

  15. Glen Turner 666

    Generation-long problem, but what are the side effects?

    Phil argues it's going to be one of those generation-long problems, similar to access to strong crypto. That doesn't mean that there aren't knock-on issues beyond that generation. In that way Phil is too sanguine.

    Take crypto. When I wrote a Pine patch to provide PGP-encrypted mail there was a notice issued preventing the export of that beyond Australia. So we had a generation of mail clients without strong crypto (Pine was the "market leader" in Internet e-mail clients at that time, so competitors would have sought feature parity). Importantly, without strong crypto there can not be sophisticated crypto key management.

    That lack of sophisticated key management -- that is, who you communicate with and how well you know who they are -- pretty directly allowed the rise of spam. Now there have been attempts since at "email reputation management" to mark particular users as spammers or compromised, but the lack of widespread key management for e-mail means that those attempts have never got much further than the network layer -- marking particular IP addresses as suspect.

    The cost of the side-effects has been immense. We can't even mark a Nigerian scammer as untrusted. It's not at all clear that the two decades of additional ability to tap email has resulted in less threat to the people's welfare.

    1. Anonymous Coward
      Anonymous Coward

      Re: Generation-long problem, but what are the side effects?

      It's the tradeoff between anonymity and attestation. And it's a black-and-white either-or prospect because the moment you can trace something, you can identify and attest it, so it's all or nothing. If the world is anonymous, you have anarchy because criminals can roam free since no one can identify them. But if your world has attestation, you essentially have a police state because everyone will demand a clampdown on crime.

      And no, you can't go in between because everyone fears for their lives; it's bloody instinct. They don't want to be the next victim, so either you have the power to assure your public or you don't. Meaning any attempt to go in between ultimately gravitates towards one or the other extreme.

  16. Mike 16

    From false premise, anything follows

    I note a great deal of discussion about slavery. IIRC, someone above pointed out that there are probably more (at least de facto) slaves today than ever before. Nobody seems to have mentioned absolute monarchs. Are we ignoring the kingdoms of the Middle East? Or de facto monarchs like Putin, Kim, maybe Al Sisi?

    These may not be so obvious to "first world" folks, but the globe is shrinking in more ways than one. Previously, there was some chance that, e.g. Spain or France would help out those rebelling against Britain or the Netherlands, and vice versa. Once pretty much every regime outside "our" tight little circle has even less interest in our welfare than our own overlords, and nothing to gain by helping us that couldn't be gained by helping our overlords squash us, it's Game Over.

    There is no Frontier out there.

  17. JaitcH
    FAIL

    "... it turned out that they wanted to discuss volume pricing so they could equip their agents."

    I guess this is yet further confirmation that the FBI, et al, have NO CONFIDENCE whatsoever in the extremely expensive Motorola designed, US coast-to-US coast clear-channel P25 system.

    But Mattel proved that long ago.
