On 06/12/2015 01:26 PM, The Doctor wrote:
> On 06/11/2015 11:32 PM, Александр wrote:
>> A very interesting essay... Thank you, Seth. So, ok. We've got it. There is no salvation from the "Balrog". But what are the alternatives (already operating)?
>
> Telepathy?
>
> <pulls a face>
I guess we're stuck with Eye Of Sauron and Balrog. Too bad, this is a much more Lovecraftian issue IMO: We are being pulled into a place where all the angles are "wrong," and watching the most merciful thing in the world - the inability of hostile actors to correlate all the contents of the Internet - starting to crumble away for reals.

Couple of things I can see to work on:

* Publicize this as a quantum leap in network security threats, requiring new trust models and comms protocols across the board, to every audience that is likely to understand the problem and respond proactively.

* Review RFC 6973, Privacy Considerations For Internet Protocols, and work to amplify/expand sections relevant to what we are learning about large scale threat actors and their behavior as observed in the wild. This RFC is only two years old, so changes now may have a large impact on results later. https://tools.ietf.org/html/rfc6973

* Think about building an ecosystem of repositories for hashes and signatures, and protocols for monitoring consensus and assigning relative trust values to reduce reliance on repo signing keys as guarantors of software integrity. Developing comms protocols for this network would also contribute to general solutions for hardening networks against the capabilities of our new overlords.

* Think hard about open projects to reverse engineer IC chips with attention to manufacturer sabotage. It seems to me that the likely venue for this would be non-aligned nations (so-called) with a vested interest in pooling their resources to push back against universal surveillance & sabotage capabilities of the Superpowers and their special pets.

* Keep pressure on all fronts already being worked, i.e. replacing the HTTPS protocol with something that actually works in the sense of costing a lot more to defeat. Make the opposition spend more money when and wherever possible.
Considering the choice of an apparently competent security oriented venue to "pen test to destruction" as reported, I wonder WTF that was about. Does somebody with control of the resources used WANT their capabilities publicly disclosed? If so, was this a strategic decision from the top, or an act of systemic sabotage by a lower level actor within the organization in question? So many questions, so few clues... so far. :o/

Steve