Re: [cryptography] Define Privacy
Thank you, Maarten and others who responded off list. I have some new sources to consume and I appreciate your input.

Jason

On Tue, Oct 21, 2014 at 10:40 PM, Maarten Billemont <lhun...@lyndir.com> wrote:

> On Oct 21, 2014, at 22:22, Jason Iannone <jason.iann...@gmail.com> wrote:
>
>> On a fundamental level I wonder why privacy is important and why we should care about it. Privacy advocates commonly cite pervasive surveillance by businesses and governments as a reason to change an individual's behavior. Discussions are stifled and joking references to The List are made. The most relevant and convincing issues are documented cases of chilled expression from authors, artists, activists, and average Andrews. Other concerns deal with abuse, ala LOVEINT, etc. Additional arguments tend to be obfuscated by nuance and lack any striking insight. The usual explanations, while appropriately concerning, don't do it for me.
>>
>> After scanning so many articles, journal papers, and NSA surveillance documents, fundamental questions remain: What is privacy? How is it useful? How am I harmed by pervasive surveillance? Why do I want privacy (to the extent that I'm willing to take operational measures to secure it)?
>>
>> I read a paper by Julie Cohen for the Harvard Law Review called What Privacy is For[1] that introduced concepts I hadn't previously seen on paper. She describes privacy as a nebulous space for growth. Cohen suggests that in private, we can make mistakes with impunity. We are self-determinate and define our own identities free of external subjective forces. For an example of what happens without the impunity and self-determination privacy provides, see what happens when popular politicians change their opinions in public. I think Cohen's is a novel approach and her description begins to soothe some of my agonizing over the topic. I'm still searching.
>>
>> [1] http://www.juliecohen.com/attachments/File/CohenWhatPrivacyIsFor.pdf
>>
>> ___
>> cryptography mailing list
>> cryptography@randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>
> Without any reference, it is my understanding that privacy is very much a luxury right, not unlike education, which grants us the freedom to perform at our individual best when not alone and contemplate, experience and learn all the wrong paths away from the unforgiving blind judgement that is inevitable in a society of men.
>
> To unpack that slightly, privacy is very much a low-priority benefit, one that comes far behind keeping fed and physically healthy. It is often first out the door when sacrifices are being made with only minor short-term damage to the society. Privacy's benefits are very much long-term, and mainly favour individualism in the sense that it allows the individual to develop their own self, their own views, and their own solutions to societal and other problems. These benefits are highly praised in individualistic societies but hardly a necessity for any society to operate. Privacy is optional in a society geared toward pushing values, such as those strictly governed by religious principles (e.g. Roman Catholic) or economic or militaristic goals (e.g. Total War), and desirable in societies open to exploration, the sciences and new understandings. In the absence of privacy, people tend to fall in line.
>
> Dreams and their many benefits are in my opinion proof that the human psyche needs and thrives on privacy.
>
> I've read others defining privacy as a withdrawal for the sake of making life with others bearable, in the sense that privacy is truly necessary only when the only alternative would be a personal conflict[1].
>
> [1] http://www.jstor.org/discover/10.2307/2775779 (The Social Psychology of Privacy, Barry Schwartz)
>
> — Maarten Billemont (lhunath) — me: http://www.lhunath.com – business: http://www.lyndir.com – http://masterpasswordapp.com
[cryptography] Define Privacy
On a fundamental level I wonder why privacy is important and why we should care about it. Privacy advocates commonly cite pervasive surveillance by businesses and governments as a reason to change an individual's behavior. Discussions are stifled and joking references to The List are made. The most relevant and convincing issues are documented cases of chilled expression from authors, artists, activists, and average Andrews. Other concerns deal with abuse, ala LOVEINT, etc. Additional arguments tend to be obfuscated by nuance and lack any striking insight. The usual explanations, while appropriately concerning, don't do it for me.

After scanning so many articles, journal papers, and NSA surveillance documents, fundamental questions remain: What is privacy? How is it useful? How am I harmed by pervasive surveillance? Why do I want privacy (to the extent that I'm willing to take operational measures to secure it)?

I read a paper by Julie Cohen for the Harvard Law Review called What Privacy is For[1] that introduced concepts I hadn't previously seen on paper. She describes privacy as a nebulous space for growth. Cohen suggests that in private, we can make mistakes with impunity. We are self-determinate and define our own identities free of external subjective forces. For an example of what happens without the impunity and self-determination privacy provides, see what happens when popular politicians change their opinions in public. I think Cohen's is a novel approach and her description begins to soothe some of my agonizing over the topic. I'm still searching.

[1] http://www.juliecohen.com/attachments/File/CohenWhatPrivacyIsFor.pdf
Re: [cryptography] Request - PKI/CA History Lesson
If browsers are defeating the purpose of the chain of trust, by forcing trust in this example, why design them to freak out when a site self signs?

On Apr 28, 2014 6:32 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Mon, Apr 28, 2014 at 8:20 PM, Ryan Carboni <rya...@gmail.com> wrote:
>
>> One can always start with the difficult first step of uninstalling certificate authorities you do not trust.
>
> "Opera will autorepair damage to the certificate repository, a missing Certificate Authority is considered damage. Opera ships with a list of frequently used certificates, and if any of these are missing they will be added the next time the repository is read from disk. Other certificates will be added from the online repository as needed."
> - http://my.opera.com/community/forums/topic.dml?id=1580452
>
> It's not just Opera. Others are using similar innovative methods to reduce the support load and costs.
>
> Jeff
>
>> On Mon, Apr 28, 2014 at 4:42 PM, ianG <i...@iang.org> wrote:
>>
>>> On 29/04/2014 00:12 am, Ryan Carboni wrote:
>>>
>>>> trust is outsourced all the time in the non-cryptographic world
>>>
>>> trust is built up all the time, risks are taken all the time, choice is taken all the time.
>>>
>>>> unless you do not have a bank account
>>>
>>> That's not outsourced, that's direct, person to bank, the person has a choice, chooses to place her trust in that bank. Also, it is limited to defined things that are required, can't be done by the person, and bolstered by real backing such as FDIC.
>>>
>>> When you suggest "it's probably best we trust authorities" that is CA-playbook crapola meaning you must trust the authorities that have been picked for you. The vector has been reversed, people are told what has to happen, so there is no trust. Trust derives from choice. Where is the choice?
>>>
>>>> On Mon, Apr 28, 2014 at 3:00 PM, James A. Donald <jam...@echeque.com> wrote:
>>>>
>>>>> On 2014-04-29 05:58, Ryan Carboni wrote:
>>>>>
>>>>>> We happen to live on a planet where most users are ordinary users. Given the extent of phishing, it's probably best we outsource trust to centralized authorities. Although it should be easier establishing your own certificate authority.
>>>>>
>>>>> Cannot outsource trust
>>>>>
>>>>> Ann usually knows more about Bob than a distant authority does. A certificate authority does not certify that Bob is trustworthy, but that his name is Bob. In practice, however, we find that diverse entities have very similar names, and a single entity may have many names.
[cryptography] Request - PKI/CA History Lesson
The more I read, the more bewildered I am by the state of the PKI. The trust model's unwieldy system[1] of protocols, dependencies, and outright assumptions begs to be exploited. Add to that the browser behavior for a self-signed certificate (RED ALERT! THE SKY IS FALLING!) compared to a trusted site and we're in bizarro world. I'd rather we close the gap and appreciate a secure transaction with an unauthenticated party than proclaim all is lost when a self-signed key is presented. I see no reason to trust VeriSign or Comodo any more than Reddit. Assuming trust in a top heavy system of Certificate Authorities, Subordinate Certificate Authorities[2], Registration Authorities, and Validation Authorities[3] in a post bulk data collection partnership world is a non-starter. The keys are compromised.

With that, I ask for a history lesson to more fully understand the PKI's genesis and how we got here. Maybe a tottering complex recursive hierarchical system of trust is a really great idea and I just need to be led to the light.

[1] http://csrc.nist.gov/publications/nistpubs/800-15/SP800-15.PDF, http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf
[2] https://www.eff.org/files/DefconSSLiverse.pdf, https://www.eff.org/files/ccc2010.pdf
[3] http://en.wikipedia.org/wiki/Public-key_infrastructure
Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets
The First Look article is light on details so I don't know how one gets from "infect[ing] large-scale network routers" to "perform[ing] exploitation attacks against data that is sent through a Virtual Private Network". I'd like to better understand that.

On Thu, Mar 13, 2014 at 7:22 AM, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone <jason.iann...@gmail.com> wrote:
>
>> Are there details regarding Hammerstein? Are they actually breaking routers?
>
> Cisco makes regular appearances on Bugtraq and Full Disclosure. Pound for pound, there's probably more exploits for Cisco gear than Linux and Windows combined.
>
> Jeff
>
>> On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>>> On Thu, Mar 13, 2014 at 1:57 AM, coderman <coder...@gmail.com> wrote:
>>>
>>>> https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf
>>>>
>>>> TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means.
>>>
>>> And Schneier's Guardian article on the Quantum and FoxAcid systems: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity .
>>>
>>> --
>>> PGP Public Key: 2048R/AC65B29D
Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets
And remain undetected? That's a nontrivial task and one that I would suspect generates interesting CPU or other resource utilization anomalies. It's a pretty high risk activity. The best we can hope for is someone discovering the exploit and publicly dissecting it.

On Thu, Mar 13, 2014 at 8:50 AM, Greg Rose <g...@seer-grog.net> wrote:

> You get the routers to create valid-looking certificates for the endpoints, to mount man-in-the-middle attacks.
>
> On Mar 13, 2014, at 6:28 , Jason Iannone <jason.iann...@gmail.com> wrote:
>
>> The First Look article is light on details so I don't know how one gets from "infect[ing] large-scale network routers" to "perform[ing] exploitation attacks against data that is sent through a Virtual Private Network". I'd like to better understand that.
>>
>> On Thu, Mar 13, 2014 at 7:22 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>>> On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone <jason.iann...@gmail.com> wrote:
>>>
>>>> Are there details regarding Hammerstein? Are they actually breaking routers?
>>>
>>> Cisco makes regular appearances on Bugtraq and Full Disclosure. Pound for pound, there's probably more exploits for Cisco gear than Linux and Windows combined.
>>>
>>> Jeff
>>>
>>>> On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>>>
>>>>> On Thu, Mar 13, 2014 at 1:57 AM, coderman <coder...@gmail.com> wrote:
>>>>>
>>>>>> https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf
>>>>>>
>>>>>> TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means.
>>>>>
>>>>> And Schneier's Guardian article on the Quantum and FoxAcid systems: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity .
>>>>>
>>>>> --
>>>>> PGP Public Key: 2048R/AC65B29D
>
> Greg.
> Phone: +1 619 890 8236
> secure voice / text: Seecrypt +28131139047 (referral code 54smjs if you want to try it).
> PGP: 09D3E64D 350A 797D 5E21 8D47 E353 7566 ACFB D945 (id says g...@usenix.org, but don't use that email)
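As an added, runnable illustration of the dispute running through the PKI thread and Greg's man-in-the-middle remark above (example code, not part of any list post): a browser-style verdict on a self-signed certificate versus one that chains to an installed CA, the same certificate after that CA has been "uninstalled" from the trust store, and why a valid-looking impostor certificate issued under a trusted CA passes chain validation yet fails an out-of-band key pin. Everything is constructed in-process with Go's standard library; the names "Example Root CA" and "www.example.com" are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert mints a constructed test certificate for name, signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed: the certificate vouches only for itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verdict classifies a leaf the way a browser does: "trusted" (chains to an installed root), "self-signed", or "unknown-authority".
func Verdict(leaf *x509.Certificate, roots *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots}); err == nil {
		return "trusted"
	}
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) && leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return "self-signed"
	}
	return "unknown-authority"
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, a key pin a client can hold out of band.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario: one leaf judged with its CA installed and after uninstalling it, a self-signed leaf, and an impostor for the same name from the same CA.
func Scenario() (withCA, withoutCA, selfSigned string, impostorTrusted, impostorPinOK bool) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	leaf, _ := mkCert("www.example.com", false, root, rootKey)
	impostor, _ := mkCert("www.example.com", false, root, rootKey) // different key, same name, valid chain
	self, _ := mkCert("www.example.com", false, nil, nil)
	pool := x509.NewCertPool(); pool.AddCert(root)
	return Verdict(leaf, pool), Verdict(leaf, x509.NewCertPool()), Verdict(self, pool),
		Verdict(impostor, pool) == "trusted", SPKIPin(impostor) == SPKIPin(leaf)
}
```

The chain check alone cannot tell the genuine leaf from the impostor, which is the point of Greg's remark; only the pin, or some other knowledge the client holds independently of the CA, separates them.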