Comments

lowinformatino • September 13, 2013 12:05 PM

"NSA must have censored the Fourth."

NSA has pretty much f*cked the Fourth ... Amendment

unimportant • September 13, 2013 12:18 PM

"Breaking the security for everybody" could be done on purpose by the aggressive and unaccountable NSA. They also said that their aim is to master the Internet (and their infrastructure speaks volumes about their long-planned plan). Your political voice narrows down to the current status quo which is nation states and not to the forthcoming aggressive global surveillance state governed by the UN (= global bankers). Narrowing down is probably the right and brave thing to do for you, but "restoring trust" -- forget it. You cannot give an agency "trust" back if it is unaccountable and not effectively controlled. You may perhaps ask for a working NSA oversight group (which is not filled with potentially blackmailed politicians who cannot withstand the power of the NSA, Goldman Sachs, Rockefeller and Rothschild).

Raouf • September 13, 2013 12:21 PM

@Gervase Markham

Thanks for the link, it is an interview with excellent content. The issue of finding a baseline for trust is very interesting and at the moment very pressing.

I cannot believe that all the work done at NIST is to be thrown out but it is extremely hard to find out which portion of it should be kept.

I think that RC4, DSA and ECC are now suspect but have no clue if there are actual weaknesses.
Losing trust is a b*tch

Quantum Mechanic • September 13, 2013 1:05 PM

"Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser."

No thanks.

Figureitout • September 13, 2013 2:34 PM

Regarding the call for a project to rebuild the internet. I can identify upwards of 20 agents and some support personnel. 1 for 20, if everyone can do that we can work towards having a set group of trusted people for such a project; and really get to work. Next stage, trusted/secured and mobile workspace; overnight intrusions must be detected. I can pentest this. 3 back-up power supplies for the sensors tested every single day. Next, secure hardware sourcing. All while using pencil/paper OTPs and simple transmitters which I can put together, no cells for protocol hacking. Finally, assuming the hypothetical "we" even make it that far, software sourcing/creation.

Do we go so far as to consider replacing the current physical infrastructure and shunning current service providers?

Just an overview of my vision of a super hard project that is going to take diehard-dedicated individuals. Just the initial stage of a trusted (and perhaps interchangeable) group of engineers seems too much in the face of a surveillance state. Plus all the procedures eventually start sounding like you're running an intelligence agency...

NeverAgain • September 13, 2013 2:53 PM

@Figureitout
"Regarding the call for a project to rebuild the internet."

We can't rebuild the internet. The hardware and software are so complex, requiring so many trusted insiders, that we could never be sure that any component was secure. Digital security is broken. NSA, you broke the internet.

Figureitout • September 13, 2013 6:54 PM

NeverAgain
--I try to be optimistic sometimes. They broke trust, much worse. Making it necessary to be an operative to trust someone; gross. Oh well, just use up resources on earth and we all die.

Joseph K • September 13, 2013 7:46 PM

SSL error:host(threatpost.com)!=cert(CN[*.wpengine.com])-Continue? (y)

honestly, i do not know.

Raouf • September 13, 2013 8:18 PM

@Figureitout

I think that everything needs to be reviewed carefully, however not everything needs to be rebuilt from scratch.

First is to have some restricted modes of internet security protocols that are considered safe by experts after review. This is about establishing which specs to use for secure communication.
Then would be to review some FOSS kernels which implement these specs and validate their implementation as safe (nothing is 100% - everything has a probability of breach).

We will need to add some form of identifying the OS and/or hardware on the other end because it is no good to communicate with someone who has a leaky environment.
We never needed to do that explicitly before.

Granted you will get a lot more "connection refused" because the other end is asking for something that you consider not safe enough for you but that is exactly what needs to happen at this stage.

Also internet security measures will need to be more explicit and more ubiquitous because the trust has been broken at a fundamental level.

I assume browser makers will have their work cut out for them, although I doubt that anyone will trust any browser from a major vendor who could have received a NSL and complied with it.

CallMeLateForSupper • September 14, 2013 8:58 AM

Quantum Mechanic quoted: "...Flash Player is required... need to have JavaScript enabled...", and then commented, "No thanks".

Amen! to that. I really-really despise the ubiquity of Flash and JavaScript. Also, posted links that point to paywalls (cough.. NY Times.. cough).


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.