[pikzen]

La Quadrature du Net has also affirmed that while they were demonstrating in front of the National Assembly, there were two IMSI Catchers. And the law wasn't even passed yet. Great example of what will happen. (http://www.franceinfo.fr/actu/politique/article/des-appareil... link in french, can provide a translation if needed)

Bernard Cazeneuve, our ministre de l'Intérieur (Tasked with internal security, i.e. police etc.) has also declared the right to private life to not be a freedom. (https://www.youtube.com/watch?v=WODKfxtJQbE)

This law was voted by 30 delegates. From a total of 577. This is what we can expect of our National Assembly. I expected a bit more of them considering they were 40 (!) to debate it. And they were granted a whole two minutes to explain themselves. To debate a law that allows bypassing judges, installing black boxes (read: DPI tools) anywhere without needing a judge, and quite a few more fun things.

To any french reader here (or any reader in a country whose laws explicitly allow this type of mass surveilance) :

* Use LetsEncrypt to get an SSL certificate for your website (or selfsign one with the proper configuration). Not that this will matter much because this law will allow them to ask you to hand over your private keys

* Use TrueCrypt v 7.1a, the latest and audited version for you hard drive, or use LUKS if you're on Linux.

* Use TextSecure and RedPhone. While I'm not aware of any recent audits, it's a hundred times better than going through regular channels.

* Use Pidgin+OffTheRecord for your private chats.

I am so fucking mad. And have no doubts, the senate will pass this. The worst (best) that could happend to this law is a few minor changes, but the key points will stay. And I doubt our constitutional council will reject it.

[belorn]

Looks to be a very similar law as the one created in Sweden, and I suspect the arguments will be quite similar too. Publicly, its to hunt terrorists. Internally, its to give police and tax departments more power. Secretly, it is so spies has something to trade with other spies on the international level.

Since neither of those 3 things is something they want to discuss openly, no debate will happen between those who decide and the public.

[Fiahil]

Encrypting all communications is certainly the way to go.

But, I wonder if we can make these systems completely inefficient by flooding them with false positives. Assuming we can figure out the patterns they are looking for in our communications, could this be a possible solution to force them to withdraw they "black boxes"?

[adventured]

This was a premise considered a very long time ago when it came to the NSA's snooping. People were (still are?) putting keywords in every email, etc. It didn't make any difference, and inherently can't.

Here's why.

Scenario 1) It works. You get arrested on some arbitrary basis for impeding their system. Or they otherwise make it illegal to do so, and begin cracking down on that.

Scenario 2) You throw a vast amount of interference at their system, and it has an effect. They spend more of your money to constantly stay head of the collective efforts. Most likely a relatively small number of people will never be able to overwhelm it long-term.

Scenario 3) It doesn't work in any meaningful way at all.

Focus on strong encryption.

[venomsnake]

>Scenario 1) It works. You get arrested on some arbitrary basis for impeding their system. Or they otherwise make it illegal to do so, and begin cracking down on that.

That will be hard first amendment case in US ... very hard.

[jamiek88]

Secret courts care little for the constitution.

[vidarh]

Flooding the system can only work if the group that floods the system is large enough that it isn't simply expedient for the surveillance organisations to decide you're a potential risk and put you under additional surveillance.

Encryption is in a similar position, but it is a far easier sell to business and the general public, and so the chances of reaching critical mass of communications is much greater.

[Lawtonfogle]

The interesting bit is that the general public increasing their adoption of better security practices to make them invisible will benefit the pedophiles and terrorist already in hiding because their choice to hide/encrypt will no longer result in them sticking out from the masses.

[fabulist]

Most criminals are caught because their groups are targeted and OPSEC (operational security) is really, really hard. They catch the people who didn't maintain strict discipline and get them to flip on the rest. This is an age-old recipe which is resistant to technological change because, again, OPSEC is really, really hard.

[jazzdev]

But what groups are targeted? The new recipe is scanning everyone's online communication to decide who to target.

[DaFranker]

I think the idea was to use a DDoS-like farm of hacked machined to constantly send random messages and packets meant to trip their detection systems to random other IPs, thereby increasing the sheer amount of noise surveillance authorities have to deal with and false-positive "suspects" (the owners of all those hacked machines).

Naturally, that still doesn't solve any other problems...

[jackjeff]

Encryption won't solve the problem.

1/ They're after the meta data. Whether you have plaintext or encrypted communication, they still know to whom you talk. Unless you use TOR or VPN yourself out of the country, it's not going to help...

2/ Strict key disclosure laws. You can be thrown to jail, if you cannot decrypt some information when requested by a judge. That's true even in the case where you can prove the key is no longer in your possession...

[higherpurpose]

Who knew Tor wasn't going to be useful only for people in countries like China, Iran or Saudi Arabia...but also France, Spain, UK, US, Australia, Canada...you know, the "most freedom-loving democratic countries" in the world.

There's definitely a coordinated effort to pass these laws together now, to make it seem like it's the "sensible" thing to do after the terrorist attacks. FBI chief Backdoor-Comey has also been making rounds in European countries to push for total surveillance laws "or else it might hurt their relationship with the US". This may especially work in weaker countries where a partnership with the US is regarded as a god-send and they'll try not to do anything to hurt that partnership. In other words they'll do anything the US government tells them to do.

[MidnighToker]

> 2/ Strict key disclosure laws. You can be thrown to jail, if you cannot decrypt some information when requested by a judge. That's true even in the case where you can prove the key is no longer in your possession...

How the heck is this supposed to work when TLS supports Diffe-Hellman?

[Lawtonfogle]

It makes about as much sense as putting a poor person into debtors prison until they pay off their debt. Anyone who supports this is unethical.

[malka]

Are there encryption algorithm such that we could decrypt the payload with more than one key, but only with one key, the real one, it will return the true result, and other keys will return fake, but plausible result ?

something like 'hidden volumes' in TrueCrypt.

[malka]

people already did this with Echelon a decade ago. I remember people crafting sentences with specifics keywords such as 'bomb', 'explode', etc. that are totally inocuous in context, but were designed to trigger the algorithm.

Maybe i'll make my personnal server connect to random IP on port 80 to send data with such keywords.

[higherpurpose]

> This law was voted by 30 delegates. From a total of 577

This is how democracy dies. Now the 95% other members of the National Assembly will say "that it's not their fault, because they didn't even vote for it!", if some major abuses happen due to this in the future. Despicable.

[easytiger]

> This is how democracy dies.

We need a system of government that allows scientists and thinkers to have a weighted power balancing politicians. POliticians cannot be trusted by definition

[cm2187]

No, you need direct democracy. With modern communications, there is no reason to organize frequent elections on key issues, like in Switzerland.

[harperlee]

Direct democracy only works if most of the voters have: 1) sufficient general education; 2) sufficient domain education; 3) time to read the law; 4) time to reflect on the law; 5) peers to discuss at length and with depth the law; etc.

It's more efficient to have delegation systems. The problem is that both politicians and the press are corrupted delegation systems.

[joeyspn]

Well, you can have delegates that are not actual politicians. Agora Voting [0] (a secure direct democracy platform) allows this kind of political systems... Seriously, there's soft out there that can solve this problem. Thing is nobody gives a shit about these issues and people is brainwashed in such massive scale that horrendous laws are passed w/o proper public scrutiny...

[0] https://agoravoting.com/

https://github.com/agoravoting

[harperlee]

I'm optimistic on this, but we need to have these new systems tested on a small scale - villages, small regions and countries - first. A big country won't push for it... and I think that most of the problems of it might be less relevant on small groups. Think diversity of origin, opinions, detachment from the end result, who pays for it... these are problems for a big country that don't exist in, say, a condominium!

[yellowapple]

Do you happen to have a link to an overview on how Agora Voting actually works? Their homepage is way too vague for me to actually get any useful information out of it, and I'm not sure where exactly to look in the GitHub org/repos.

[flurdy]

So true. But..

"It has been said that democracy is the worst form of government except all the others that have been tried." - Winston Churchill.

[easytiger]

Why is why we are proposing a new one

[thirdsun]

I agree. Important decisions shouldn't be left to easily manipulated masses. It shouldn't be left to politicians either. Most of these issues are so complicated that it should be handled by actual experts in that field. I'm always baffled to see politicians take offices/positions throughout their career that couldn't be more different - from agriculture to technology to foreign affairs. Are you telling me they can do it all? And even if so, wouldn't we be better off with actual experts?

[javajosh]

I wish I could delegate my vote to a committee of my choosing, composed of people I respect, trust, and admire for their intelligence, integrity, and values. I would expect such a group to debate issues openly, and invite commentary from the voters. Something like a jury, but for a parliament.

[Zigurd]

Alternatives like direct democracy and demarchy only have to work better, not perfectly, to be preferable.

[dandelion_lover]

There is no reason to go from one extreme to the other. People, who wants, can have direct democracy and the rest can choose anyone to represent them. Do you see any weak points in such organization?

[r00fus]

I'm not even sure elected politicians have all that. They're paid plants, might as well get rid of the middle-men here.

[Aissen]

Not a silver bullet. With this we'd still have the death penalty; or voted for populists measures like banning minarets.

[donkeyd]

Completely agree, pseudoscience and fear mongering will rule the world if this happens...

[fennecfoxen]

Ooh, what a delightfully aristocratic objection. We can't give the lesser peoples self-rule, they'd rule themselves wrong!!

Have you considered any noblesse oblige-style colonization and rule of third-world nations? Sounds like a good match.

[CamperBob2]

You can be as snarky as you want, but the fact is, I don't want the average dumbass on the street to have that much power over my life, and neither, I suspect, do you.

There has to be something resembling meritocracy in any functioning organization, and that includes a government.

[Aissen]

I'm aware of the ethical implications, and I haven't made my mind on the matter (probably never will). I just said that it's not a silver bullet, and presented cases where it could go wrong.

[jodrellblank]

That looks like the author is not saying "they'd rule themselves wrong", they're saying "they'd rule me against my wishes by voting conservative reactionary and ineffective laws into my life"

[yellowapple]

> We can't give the lesser peoples self-rule, they'd rule themselves wrong!!

I'd normally take your side on this, but then there's the fact that the Southern United States still exists and is a major reason why U.S. law borders on jingoistic theocracy.

[easytiger]

So you are saying uninformed populist opinions should be made policy

[cm2187]

Then you don't really believe in democracy, and I have to disagree.

[koszik]

Please take a look at what happened in Athens a few thousand years ago. You'll see that even then people were susceptible to fear mongering and manipulation, so in effect the real power was in the hands of a few. People has always been stupid, there's no way around that, sorry.

[mercurial]

No, you have to understand how human nature works. Unfortunately, it is much easier to get people worked up about populist issues than about something that matters. I think the record speaks for itself.

[CamperBob2]

I did for a while, but I have to admit the charm is wearing off.

[acron0]

Nope, and neither should you.

[Lawtonfogle]

You might as well put those who control the media in charge and just skip the middleman then. News runs story "Tor is how pedophiles get access to your children, here is a line of a dozen different 'experts' explaining how." Tor is then made illegal.

I dare say that with enough media backing, I could get dihydrogen monoxide banned. It does kill a lot of children. It has been shown to be very important to terrorist. Companies like to put it in food unregulated because it lets them add mass for cheap.

[rayiner]

Direct democracy is what gave us lovely things like California's three-strikes law that puts people in prison for life for their third non-violent felony (voted in by public referendum 72-28).

[yellowapple]

No, we just need to establish Neil deGrasse Tyson and Bill Nye as co-dictators of Earth. Democracy is overrated.

[vacri]

The bad effects of direct democracy can be seen in elected judges in the US.

[javert]

In the US, many scientists are government vassals. They are not to be trusted, either.

Probably true elsewhere, but I only know the US.

[benbou09]

Nobody dared to oppose because of the recent Charlie Hebdo attacks. The opposition had a deal with the government to let the law be passed.

[rtpg]

I didn't realize there wasn't a quorum rule

[eshowk]

In the constitution of the 5th republic, there is no quorum rule nor a "recall" referendum at mid-term nor a prohibition of multi tenures. That's why we need to change to basic rules of the institutions. We need rules to avoid such democratic thefts in the future, rules written by the people, not the politics professionals. This is what citizen groups like "Mouvement pour la 6eme République" advocates for (http://www.m6r.fr).

[talideon]

Even where there's no constitutional requirement to have a quorum for votes, it's still possible to have a rule of order requiring a quorum before a vote can take place.

Ireland is an example of this: for there to be a quorum in either house, at least twenty members have to be present. This means at least 1/3 of the Seanad (upper house, 60 seats) or 12% of the Dáil (lower house, 166 seats) must be present for either to form a quorum. That's not written in the constitution, but a standing order of the Oireachtas (parliament).

Even if France has no such requirement in its constitution, it's ridiculous that there isn't at least a parliamentary rule of order requiring it.

[deciplex]

How's the constitution for the 6th one coming along?

[eshowk]

Many ideas are gaining traction with these events : prohibiton of pultiple-tenure, quorum rule everywhere, "recall" referendum for every elected, a constition elected by non professional politics and prohibited to participate to any further election, etc...

The movement M6R's got ~85K signatures, and a grass-roots assembly with ~180 members, transparent auto-financing, but it still need to get much bigger in order to make the change of constitution the big main issue in the next presidential race in 2017. After 2017 I don't know, but changing the constitution, getting back democracy has to be in "every mouth" from now on.

[hmsln]

It's not. There is some talk of a Sixth Republic during the presidential campaigns, generally from far-right or far-left parties, but the two main moderate parties do not want to hear about it.

French political life is characterized by a complete lack of impetus for change.

[LandoCalrissian]

Typically in most systems, you need a quorum to hold a vote of any kind. I'm really not sure why you can only vote with 30 out of 577 in the French Assembly.

[talideon]

In the French system, a quorum has to be requested, but if it can't be assembled in 15mins, the vote goes ahead anyway: http://www2.assemblee-nationale.fr/decouvrir-l-assemblee/rol...

[fixxer]

30 out of 577?! Is there no limit on a quorum in the Assembly? Might as well have a king.

[talideon]

Apparently, you have to request a quorum, and even then the quorum has to be assembled in 15mins, or else it's ignored and the vote goes ahead anyway to prevent 'obstruction': http://www2.assemblee-nationale.fr/decouvrir-l-assemblee/rol...

It's insane!

[pikzen]

To be fair, we DID have a huge problem with obstruction. The laws regarding quorum were so large that even if very few people were missing, you could delay the law once again.

The 2009 reform was passed while Nicolas Sarkozy was still president, and he took great care of consolidating the power of the president while lowering the National Assembly's.

[sheensleeves]

Just a word of caution. Sometimes I read "OffTheRecord" chatlogs that have been posted on Cryptome.

A false sense of security can be more risky business than weak security, as pertains to what gets exposed.

[vidarh]

Obviously no tool like that can prevent the exposure of the contents of the chat, and hopefully nobody believes that.

It does have the very useful property of granting plausible deniability, though, by making it possible to forge messages after the fact.

[nota_bene]

If you want to use encrypted communication tools, but don't know if you can convince enough people in your network to join you, use this tool to activate your friends & family (to build critical mass): https://www.iWouldDo.it

[chinathrow]

Re IMSI Catchers: tear them down when you see them.

[pikzen]

Except that you can't do that when they're in small suitcases held by security officials. Which it was, because the DGSE and CRS were in plain sight near the National Assembly, and there were no signs of IMSI catchers before this demonstration.

[chinathrow]

A small suitcase might get lost...

[zz1]

Not Pidgin! Jitsi.

[creshal]

Or Gajim.

[LBarret]

Same here. I have written to my MP, try to call a few others. This is a sad show of incompetence and political irresponsibility.

[Nusyne]

TextSecure is either Text (SMS, which are not encrypted), OR secure (data). Not both simultaneously.

[pikzen]

Yeah, I'm referring to the part where they use data. That said, didn't WhisperSystems remove the SMS part recently ? Or was it just SMS encryption ?

[zz1]

Just SMS encryption, which went to http://smssecure.org/, but having both installed leads to bugs.

[ryanlol]

Why would you recommend TrueCrypt? That's a terrible suggestion.

[fabulist]

A lot of people seem who recommend TC seem to think the same about BitLocker. To be fair, TrueCrypt has been audited and the code is freely available; BitLocker is proprietary, and the code is only available to a select few under NDA.

[ryanlol]

TCs developers told you to stop using it, BitLocker's didn't. Even the people responsible for the audit recommend that people not use TC

[fabulist]

As always, one must consider their own threat model and make an informed decision. I personally would use BitLocker over TrueCrypt, but LUKS over BitLocker.

[Forbo]

I wouldn't consider TrueCrypt's license to be the best example of "freely available".

[yellowapple]

In this context, what's important is source-code availability to the general public. A program which has publicly-available source code but is released under a nonfree (or at least potentially nonfree) license is leaps and bounds better than one which doesn't even provide the source code.

Yeah, software freedom is a very good thing, but - in the context of security - it's the source code availability that matters, and that doesn't necessarily require a FOSS license.

[worklogin]

Besides the knee-jerk reaction, it all depends on what you're defending against. If the NSA went around opening Truecrypt containers for every criminal case, their cover would be blown. So if you're keeping stuff from the local PD or thieves breaking into your house, even a supposedly backdoored app is better than cleartext.

That said, TC has been audited by what I hear is a reputable group of people, who say there's no evidence of severe crypto vulnerabilities.

[ryanlol]

You're missing the bigger issues related to TC, for example the fact that it doesn't even run on new windows versions (and never will)...

[veeti]

Thanks for the insightful comment explaining why.

[mikefonseca]

Why?

[vacri]

I don't know the full story, but word 'round the campfire is that it's been compromised by a certain TLA.

In any case, there's huge red letters saying "TrueCrypt is not secure" right next to their download links: http://truecrypt.sourceforge.net/

[fweespeech]

http://istruecryptauditedyet.com/

> The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances. Your argument is just so wrong :/

[ryanlol]

Are you seriously implying that there's never any security issues discovered after audits?