
On Fri, 17 Jun 2016 21:09:21 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
On 6/17/2016 6:05 PM, juan wrote:
On Fri, 17 Jun 2016 13:52:38 -0500 Anthony Papillion <anthony@cajuntechie.org> wrote:
There's value in running security software on a compromised system because it helps to stop /mass/ surveillance.
Does it? Your servers are compromised and so are your 'SSL' connections...your tor routers are obviously compromised...any system used to defend against mass surveillance that you run on compromised hardware is...compromised.
Yes it does. Because before Snowden, they were basically capturing data right off the wire in many cases.
And now more people turned https on? So the gov't now has to steal keys? And how hard could it be to steal keys when all intel/amd processors are backdoored? Also, you say "before snowden", but it just so happens that there were people giving the game away before snowden did: This is from 2006 https://en.wikipedia.org/wiki/Room_641A
They were passive. It just flowed right into their filters. Compromised hardware doesn't stop them from getting your data in all cases, but it makes them work a little more for it. They can't just sit on the wire and collect it because they have to address the differences in each compromised system. They have to seek you out instead of sucking it all in.
Yes, they now have to work more. But the million dollar question is how much more.
I don't have a problem with targeted surveillance. For example, if the police believe (with good reason) that someone is plotting to bomb the White House, I believe they should absolutely have the right and the tools to monitor that person.
And I believe that blowing up the white house and its contents is an act of justice ;)
That surveillance should stop the moment they either have enough to make an arrest or they realize they are wrong. Do you believe that no surveillance should happen at all for any reason? You believe that's reasonable?
This being the cpunks mailing list I think it's reasonable to subscribe to libertarian anarchism and correctly see the government as the biggest criminal organization in town and having zero legitimacy. So I don't think that anything the gov't does is reasonable (OK, defense of person and property would be reasonable IF they only did that, which is virtually impossible or a 'utopia').
It's that innocent people are getting caught in a dragnet and that information could be used against them later.
Aren't they 'innocent'? If they are 'innocent' they 'have nothing to hide'.
I don't subscribe to that belief so please don't put words that I didn't say or assume beliefs that I haven't expressed. People who are caught in the surveillance dragnet /may/ be innocent of any crime or they might not be. We really don't know, do we?
We don't. My point is, if one believes the government is good and it catches the bad guys, then why would one object to mass surveillance?
I'm sure that some of the information the agencies have gathered /do/ involve people who are guilty of crimes and the data might prove it. Some, probably most, don't.
'crimes' as defined by the government? Like smoking pot or gay sex? But again, the gov't uses mass surveillance. They discover 'criminals', which is allegedly good, while the innocent under surveillance don't suffer any harm (they don't even know they are being spied on). What's the objection to mass surveillance then?
Also, I don't subscribe to the bs about 'if you have nothing to hide, you have nothing to fear'.
Why not? The government is good. Why shouldn't they know everything, in order to 'prevent' crimes and find 'criminals'?
Taking precautions to protect privacy should never be taken as evidence of guilt. I'm not ashamed of my naked body and there are times when I might even have no problem walking in front of a window naked. But there are also times when I want privacy and will draw my blinds. I don't hide the fact that I use the bathroom but that won't stop me from closing the door when I go in. In both of those cases, I'm not hiding anything. I'm exercising a right to /privacy/. My privacy, when I am not committing a crime that harms others, should /always/ be under my control.
Right to privacy, sounds reasonable to me, but the government can claim that 'national security' trumps it. Or something.
And the few that are likely don't have the money to bring up what it takes to do it. It's not like this is going to be bootstrapped by a Kickstarter.
Actually, it seems exactly like the kind of project that could/should be 'crowdfunded'.
What's the 'minimum order' when dealing with something like TSMC?
OK, so I'll retract my statement above. Maybe this could be crowd sourced. But again, how do we guarantee fab security?
That is of course a good question... My answer is "I don't have the slightest idea" - grarpamp? But at least the design and fabrication of micros seems doable. Not only that, there are a few designs already created...
https://en.wikipedia.org/wiki/LEON
https://en.wikipedia.org/wiki/LatticeMico32
https://en.wikipedia.org/wiki/RISC-V
https://en.wikipedia.org/wiki/S1_Core
https://en.wikipedia.org/wiki/OpenSPARC
If a company has to crowdfund a small number of chips, do you really think they are going to have the money to set up fab operations that they can closely audit and control?
Building a fab isn't an option - at least not a 5 billion, state of the art fab. What can realistically be crowdfunded is the manufacturing of chips at one of the fabs that do that kind of work.
No, you're very right that they didn't. New attacks are being developed right now against vulnerabilities and backdoors we haven't even discovered yet. And the attacks get better and better especially when the companies collude with the government. It's not going to magically get better through simply knowing about how bad it is. That wasn't my point.
I see.
But what can happen is larger and larger groups of people (who control the money that places like Intel are rather fond of) standing up and saying "we can't trust you so we're going elsewhere". Critical mass is needed to make a difference, not just a few geeks ranting on Internet forums and mailing lists. We don't have the market moving power that a larger group does. That's why making people aware and actually agitating the situation is so important.
Yes, if enough people stopped buying stuff from intel, they might get worried. But how many people are we talking about? Tens of millions? More? Is it easier to convince that many people to boycott intel, or is it easier to manufacture open source processors for a smaller market more interested in security?
Perfect is the enemy of good. If the spooks don't go after one person because it would take more personalized resources than simply catching them in a dragnet, that security has worked. We don't need 'perfect'. We need 'good enough'.
'good enough' requires working hardware, not hardware remotely controlled from washington.
No it doesn't. Good enough, in this case, means getting a bit of breathing room for people while the geeks figure out how we back the government off technically. Until they can't technically control every single piece of hardware, at least make it as hard as possible for them to control it.
Yeah, but in this particular case I don't see how software is going to do any damage control when "the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface"
Sure, it's not solving the problem entirely but you have to admit it's going to protect some people who would otherwise get caught up in a dragnet. Their data isn't there anymore.
Don't get me wrong, I am 100% behind making hardware secure. But we can't be so focused on absolute security with no compromise that we /only/ work on that and leave everything wide open until we have absolute.
Yes, agreed. But what seems to have happened so far is that the majority of efforts have been directed at the software side of things.
That's kind of like "well, we think the NSA might be able to break TLS by asking for our private key so we'll just keep using HTTP until we develop a way where having our private key doesn't matter". You do what you can and then you refine it closer and closer to perfection.
Shit, I write a lot...
Sorry :)
no worries =P