by nickpsecurity 3844 days ago
"Legal protection provides a recourse after everything happens. Technological measures don't let it happen in the first place. Or, well, to be more correct - make it significantly harder to happen."

It actually prevents many things when the law is clear. Your email example misses the entire point. So, let's use it to illustrate the point. I create an encryption system to protect email. It gets large uptake to the point that the NSA and FBI are pissed by it. With current laws, they will feel free to:

1. Hit me with a FISA warrant to order a backdoor or key leak.

2. Hit me with court order to do the same.

3. Parallel construct some dirt on me.

4. Use NSA TAO or TAREX to smash my systems for their benefit.

5. Use FBI to raid my stuff or seize my property.

6. Have me audited by SEC or IRS depending on my company structure.

We've seen stuff like this happen to leakers, supporters of Wikileaks, companies resisting subversion, etc. You can build all the tech in the world but it's not that helpful if the legal system is set up to destroy the user or developer easily. Those laws need to be rolled back. Only the people can do that. They don't give a shit enough to act. So, it's a political problem rather than a technical one.

Feel free to continue to deploy and use tech to protect yourself. Just know the bigger problem is what's enabling their surveillance dragnet and police state problem in the first place. The things that can get you with or without crypto. The things that have to go away to maintain democracy.


Ah, sorry, I see your point now. I suppose I got it wrong when I replied to your comment. Yes, I fully agree with you here on the point that the laws that allow this are wrong and they must be rolled back. Those are legal issues and they must be fixed as such.

I must make it clear that I stand that both legal and technological measures are necessary and are equally important. And I believe that neither would work well without the other one.

Current mass surveillance relies on the lack of technical measures that protect from it. So, I believe that if everyone and their dog encrypts their correspondence in a secure manner, it would cause a much greater hit on mass surveillance programs than any lawmaking could do. Please note I don't say that lawmaking is not necessary here. On the contrary, it is equally important to prevent TLAs from even trying to break technological measures and hold them responsible for their actions.

"I must make it clear that I stand that both legal and technological measures are necessary and are equally important. And I believe that neither would work well without the other one."

100% agree. The overall solution will combine technological methods and legal reforms. We continue developing and implementing what technical solutions we can for privacy and security in general. Just have to never fool ourselves on what it will take to stop the huge internal threat.

Pointers to (seemingly) frivolous prosecutions (3) and pointers to anything resembling 4 or 6 would make them a lot more interesting.

Without just a little bit of evidence, they are like saying the NSA will shoot your dog.

My naive, facile reading suggests that systems like Signal, Pond and Tor tend to be more effective at actually securing communications, so it would be especially interesting to hear about the jackboots kicking them.

The technique used for No. 3 is here, and other documents suggest they work with many agencies rather than just the DEA:

http://www.huffingtonpost.com/peter-van-buren/parallel-const...

Number 4 we're not going to get examples of: TAO & TAREX operate in a bubble. There are two known efforts to do this sort of thing but tactics are unknown. One is BULLRUN:

http://securityaffairs.co/wordpress/17577/intelligence/nsa-b...

Additionally, the ECI leaks mention that the "FBI compels" firms to "SIGINT-enable" their stuff. This means the FBI has some way of coercing companies to backdoor things. The specifics were left out. That they've been doing it for years with no details public indicates even talking about it must be a crime. Like the other stuff.

IRS, SEC, whoever being used against people is a tactic with a long history. My bookmarks aren't giving me a link right now. I do recall Nacchio of Qwest claiming the government came after him for being the only ones not helping the NSA. A quick Google had Binney saying the IRS and NSA worked tightly together, albeit with speculation on the Tea Party rather than obstacles to SIGINT as the target.

http://www.wnd.com/2014/07/whistleblower-irs-in-cahoots-with...

And the FBI raiding and seizing opponents' stuff is well-known, happening to most leakers, too. Civil forfeiture is another weapon with a long history at the FBI and DEA especially. Some journalists during the Bush-Cheney Administration ended up on the Do Not Fly list. Tor project people like Appelbaum get harassed at borders. So on and so forth. Many methods they can use without ever doing time for the abuse.

What they will do to you depends on who you are, what you're doing, what dirt they have on you, your resources, and so on. The uncertainty is one of their most powerful weapons. You never know when the hammer will drop on you or how hard.

Specific examples are more interesting than raising the specter. You've doubled down on raising the specter.
Think I could've done better? Just file some FOIA requests and lawsuits on the subject requesting all specific examples of cooperation between the NSA and other LEOs plus a list of all TAO and BULLRUN activities against Americans. Bet you'll have less than I posted.

Btw, a manual for DEA of using NSA's evidence isn't a specter: means it's ongoing.

Ongoing retaliation against people working on crypto?
Part of my overall claim here is that the police state aspect of our government only kicks in on priority targets. The average person or project in crypto doesn't matter. A good case would be solid protection that applies to a high-value target. Might support those like Wikileaks, Snowden, or a terrorist cell that happens to use a specific product.

So, we saw LEOs and payment processors largely kill Wikileaks by cutting its donations off. Wikileaks supporter and Tor evangelist Jacob Appelbaum does plenty of OPSEC to avoid the problems they aim at him. Lavabit, Snowden's email provider, was shut down after receiving a secret order to compromise all its users and lie to them about it (see the records if you doubt that part). Surespot allegedly pulled its warrant canary after ISIS used its tech. Apple and other companies doing end-to-end messaging are getting hit for hundreds of millions at a time via Virnetx: a shell company for patents from the NSA, CIA, and SAIC.

Seems to be a number of actions and reactions against anyone that becomes a problem. Most never see it. Hence, they would doubt it's a concern. That they do the enforcement part with "legitimate" organizations and courts makes that more so. That's the beauty of the modern Dual State: being invisible to most means the odds of questioning or getting rid of it are lower than with prior surveillance and police state models.