Comments

Wael • October 21, 2015 4:34 PM

Funny but true. You no longer have to remember your password. Apparently "metadata" includes passwords ;)

[1] Sorry, second time I link to this picture :)

rgaff • October 21, 2015 4:58 PM

@Wael however, as is typical of bureaucracy https://www.nsa.gov doesn't have an easy-to-find "forgot password" link to retrieve it... :)

I also wonder why on earth they only serve their site through HTTPS when they're the ones spreading the word that nobody needs anything to be encrypted... I guess bureaucracies are known for being hypocritical...

Wael • October 21, 2015 5:29 PM

@rgaff,

doesn't have an easy-to-find "forgot password" link to retrieve it

Oh, no! They're a little ahead of the curve. They know when you lost your password and will let you know. They also know when you will "loose" your password! No button needed :)

HTTPS? Don't get me started :)

Alien Jerky • October 21, 2015 6:27 PM

Should be a phone number to call at the NSA whenever I forget something, since they know my stuff better than me.

rgaff • October 21, 2015 6:38 PM

Right, they just beam into my head from space to read it... maybe even to remind me of it too, eh? Tin foil hats got bad rap. :)

All joking aside, the sad thing is, if such a technology existed I do not doubt for one second they'd be trying to use it on a global scale! There are no bounds or limits to how much some want absolute control over others, and all those tend to rise to the top... or the top tends to convert normal people into that, I'm not sure which... :(

If any of this tends to make anyone reading feel depressed, turn off the Telescreen (I mean, Television) and go outside on a walk.... that will help you feel better, and think straighter too.

Spaceman Spiff • October 21, 2015 7:36 PM

Then there is the "create new user" that first asks for your email address, which you input, and then it tells you "Sorry, but that email address is in use." - Goh! What, like more than one person can't share an email address? Ok, off to gmail to create a new user and email address...

Skeptical • October 21, 2015 7:44 PM

@rgaff: I also wonder why on earth they only serve their site through HTTPS when they're the ones spreading the word that nobody needs anything to be encrypted... I guess bureaucracies are known for being hypocritical...

No one has ever made such an argument.

The question has always boiled down to this:

whether the sum of the costs of (i) a security gap between a system of encryption in which as few as 1 person can decrypt a given message and a system of encryption in which 1 person and (a government agency acting with lawful authorization) can decrypt a given message, and the cost of (ii) implementing the latter system (assuming that for some cost it could be)

is greater than

the benefits of government agencies acting with lawful authorization having the ability to decrypt messages they would otherwise not possess.

The answer to the question is unlikely to be the same across all configurations of technology, use of technology by individuals and groups within the applicable society or societies, and political and social factors.

For example, a society with a legitimate government composed of robust institutions with safeguards against abuse that is under the extreme duress of attacks by terrorist cells hiding within society might find the costs and benefits appreciably different than a society in different circumstances.

Where it gets really complicated is when we attempt to factor non-rational responses by society to various events in either the presence or absence of a given system.

At present, I don't think there's a clear answer either way - which may be an argument in favor of the status quo. I don't think the implementation of such a system would spell the end of meaningful security or destine us for tyranny, but neither, at present, does it seem that the non-implementation of such a system will come with great costs.

Whether that casual assessment of non-implementation continues to hold true... who can say. But I do find it at least somewhat ironic that certain nations may continue to ameliorate the dilemmas faced by US and allied signals intelligence agencies by deliberately adopting technology that is distinguished from that used in US and allied information systems, both government and private.

rgaff • October 21, 2015 9:09 PM

@ Skeptical

"they're the ones spreading the word that nobody needs anything to be encrypted"

"No one has ever made such an argument."

You, Skeptical, are talking bullshit and YOU KNOW IT!!!

It's wrapped up in the tired old "if you've done nothing wrong, you have nothing to hide" nonsense and even stronger "if you have nothing to hide, you have nothing to fear" (which is practically an outright threat to anyone hiding anything) that government officials and their lackeys like you keep spouting everywhere. See https://en.wikipedia.org/wiki/Nothing_to_hide_argument

It's also a logical part of the backdoor argument (which is essentially, "nothing should be encrypted that we don't have the keys to also") that many officials keep spouting too. Why? Well, because THEY MUST SEE ALL BECAUSE THEY ARE GODS KNEEL BEFORE THEM AND KISS THEIR FEET is what that really comes down to. Which is the same as having no encryption at all... from their perspective.

All of this is trying to teach everyone that having every thought you've ever had out there naked and recorded forever for your overlords to view and try to pin crimes on you is the way of the future. After all, we need to grow our prison business bigger, our investors gotta make money somehow.

This just shows that Skeptical is a Nazi. Just embrace it man, don't fight it, relax, admit it, you are.

Winter • October 22, 2015 3:08 AM

@Skeptical
"For example, a society with a legitimate government composed of robust institutions with safeguards against abuse that is under the extreme duress of attacks by terrorist cells hiding within society might find the costs and benefits appreciably different than a society in different circumstances."

Indeed, but then where is that society?

I assume you somehow want to suggest this is the USA. However, the USA fails every one of the criteria you mention. To start with legitimate government, the supporters of the biggest political party consider the president illegitimate, and the party acts accordingly. The rest also do not apply to the USA (e.g., more than 400 people a year are legally shot by the police, neither is there extreme duress from terrorist attacks).

So, this all does not apply to the USA. What should we then conclude?

SJ • October 22, 2015 10:34 AM

@SpacemanSpiff...

RE: Multiple people sharing an email

There's a detail of the RFC about email which states that address+modifier@host.com should arrive at the same inbox as address@host.com

If the SignUp form doesn't disallow the "+" symbol, this allow you to create multiple accounts linked to the same email.

I suspect that Gmail will try to apply a tag using the value after "+", if such a Tag exists in that account.

Cassandra • October 22, 2015 11:09 AM

Often problems are caused by incorrect assumptions. There is absolutely nothing that enforces a rule that says that an email address corresponds to an account accessible by one and only one person. It is, however, an assumption made by many people. There are many 'group' email addresses, where an email sent to that address is viewable by many people in a group, and even at a mundane level, Mom&Pop can share an email address as naturally as they share a postal address.

While email addresses are often used as unique identifiers, that should only be done once you have qualified with the email address owner that it is used by only one person. Even then, a malicious admin of an MTA can have fun...
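SJ's point about the "+" sub-address and Cassandra's point about treating an address as a one-person identifier both come down to the same sign-up bug: an exact string match on the email address is neither a reliable test for "same mailbox" nor a test for "same person". The following is an added example (not code from the thread or from any site discussed in it) of a canonicalization step that closes the aliasing half of the problem. The provider table is an assumption for illustration: which domains discard "+tag" or ignore dots in the local part is provider behaviour, not something the email RFCs guarantee, and the code says nothing about shared or group mailboxes, which only out-of-band verification can detect.

```python
"""Canonical email keys for an account-uniqueness check (added example).

Sub-addressing ("user+tag@") and dot-insensitivity are provider-specific
folding rules; the sets below are assumptions used for demonstration.
"""
import re
from typing import Callable, Set

# ASSUMPTION: domains that deliver local+anything@ to the local@ mailbox.
STRIP_PLUS_TAG = {"gmail.com", "outlook.com", "hotmail.com", "fastmail.com"}
# ASSUMPTION: domains that ignore dots in the local part.
IGNORE_DOTS = {"gmail.com"}
# ASSUMPTION: alias domains that map onto a canonical one.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def naive_key(addr: str) -> str:
    """The check most sign-up forms do: trim and lower-case, nothing more."""
    return addr.strip().lower()


def canonical_email(addr: str) -> str:
    """Return a mailbox-level key: equal keys => same inbox (for known providers)."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = m.group(1), m.group(2).lower().rstrip(".")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in STRIP_PLUS_TAG:
        local = local.split("+", 1)[0]      # drop the sub-address tag
    if domain in IGNORE_DOTS:
        local = local.replace(".", "")      # a.l.i.c.e == alice at such providers
    # RFC 5321 makes the local part case-sensitive, but no large provider
    # treats it so; fold case for the duplicate check only, never for delivery.
    return f"{local.lower()}@{domain}"


class Registry:
    """Sign-up store that refuses a second account on an already-used mailbox."""

    def __init__(self, key: Callable[[str], str] = canonical_email) -> None:
        self._key = key
        self._seen: Set[str] = set()

    def register(self, addr: str) -> bool:
        """True if a new account was created, False if the mailbox is taken."""
        k = self._key(addr)
        if k in self._seen:
            return False
        self._seen.add(k)
        return True


if __name__ == "__main__":
    # Constructed sample sign-ups: three spellings of one Gmail mailbox.
    attempts = ["alice@gmail.com", "Alice+shop@gmail.com", "a.lice@googlemail.com"]
    naive, strict = Registry(naive_key), Registry()
    for a in attempts:
        print(f"{a:28} naive={naive.register(a)!s:5} canonical={strict.register(a)}")
```

With the naive key all three sign-ups succeed, so one person holds three accounts behind one inbox; with the canonical key only the first does. The key is for the uniqueness decision only: store and send to the address exactly as the user typed it, since a domain outside the table may genuinely route user+tag to a different mailbox.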

Tatütata • October 22, 2015 1:07 PM

There was a rather similar skit from NDR, a German broadcaster, roughly titled: "Coping with thousands of passwords".

I gave up setting up an online account with a certain Canadian government agency's web site, which absolutely insisted that I set up answers to three so-called "security questions" selected out of a list. The problem is that NONE of the questions made any sense to me. They were in the lines of "what is your favourite hockey team?" [I don't give a sh*t about hockey], "what was your first car's make" [ditto for motorcars], etc. etc.

If I had selected fake answers, I would have had to record them somewhere.

ianf • October 22, 2015 4:25 PM


@ Tatütata

What's with Canada and idiot login ID verification schemes? Happened to me, too, at a major Canadian news site.

There's an American company (I know the name but won't disclose it, may they die a painful death), that had the "clever" idea to monetize CAPTCHAs for use in commenting etc. Instead of the non-bot user visually decoding some graphically scrambled letter glyphs on a noisy background or similar, their scheme presented us with (apparently, I wouldn't know) partial slogans, or some taglines from American TV ads for given brands, and expected us to fill in the rest of those exhortations! Like: “When you need it, you really need ____________.”

Which wannabe commenters of that (major in its niche) website were supposed to have seen/ heard off the telly often enough to recall them. Global readers, mind, even those not exposed to American commercial television channels. Even if the majority of recurring commenters were more or less local, hence presumably saturated/ familiar with these slogans, how was that supposed to work with ALL readers, by TV-telepathy? Once answered correctly, thus commenter let in, the brand in question would pay the website for ad exposure, with no doubt lion portion of that going to the seller of that kooky scheme. If that wasn't a clear-cut instance of American and Canadian parochialism, then I don't know what is.

    I can just visualize the scene in the news site's boardroom, when the CAPTCHA company made a presentation calling it "another revenue stream," and the greedy bastards CEO & CFO congratulated themselves on achieving just that at no cost to themselves, and seemingly with no thought of future repercussions!

Worst of all was that I could not convince the webmaster via e-mail that by implementing that scheme they effectively told non-American commenters to go fly a kite. I told them right away, that even though only a minority of readers ever commented, they would see a dip in the number of accesses from outside America, which I reckon was something like 25% before. They kept it going for some months; even if previously I only commented perhaps twice a year, I stopped reading it. Apparently the scheme didn't work out, however, because they changed back to a more traditional CAPTCHA model… but, just as I weaned myself off their site in the meantime, and no longer access it with any regularity, so must have a noticeable number of others. Market share lost, other ad revenue suffering (lower readership rates, hence lower per-click income), tempers flaring and fingers pointed at one another around the table… am I a clairvoyant or what.

MORAL: “If monetization is your bag, you will end up _________.” ;-))

Dirk Praet • October 22, 2015 6:25 PM

@ Skeptical, @ Winter

For example, a society with a legitimate government composed of robust institutions with safeguards against abuse that is under the extreme duress of attacks by terrorist cells hiding within society might find the costs and benefits appreciably different than a society in different circumstances.

I'm pretty sure that's exactly how Assad & co. see it too. It starts with some harmless mass surveillance and private-public sector collusion. Then a little censorship and internet kill switches. You move on to collecting DNA and encryption backdoors because of terrorists and criminals. Eventually you end up barrel bombing a population that's sick and tired of the paranoid sh*t of an authoritarian ruling class that only serves itself.

madagascar • October 23, 2015 5:11 AM

@rgaff, @Winter

Even as a relatively-less-informed-than-most-of-you lurker here, I have come to recognise Skeptical as essentially a troll or at best a "company man"[1].

I'm just curious why you folks bother to respond? Is it because you feel that, if he is left unchallenged, any casual reader of the blog will think he is correct? I don't consider myself a huge expert but even I can see the bald-faced lies he often writes so that does not sound like a sufficient reason.

I'm not saying you shouldn't; I just want to understand what motivates you.

[1]: need to find a name similar to "the company" for NSA, but we'll make do for now

Winter • October 23, 2015 5:57 AM

@madagascar
Personally, I always respond with an eye to unsuspecting readers passing by. I have no illusions about Skeptical being moved by arguments. But other readers might.

ianf • October 23, 2015 7:15 AM


greg, "many" is relative, and I'd say in view of the lowest-threshold CAPTCHA, not that many (then we don't know how much work @Bruce is putting into their removal). Also, not "trolls" per se, but kiddy spammers. Of the known unknown trolls there only are 2 clear-cut head cases here, the DoD-plant Skeptical, and that Miguel Something Know-it-all fella.

Darnell Tice • October 23, 2015 7:51 AM

@greg re. "Why so many trolls in the comments here these days?"

There appears to have been a spike after the post on NSA's DHE prime number cracking and the ensuing discussion on how to protect users. I guess it hurt their feelings.

Skeptical • October 23, 2015 11:19 AM


@Winter: I assume you somehow want to suggest this is the USA.

No, I explicitly say that the US is not in such a position. But then what would you have written in response?

And I go on to say that that fact may form part of a persuasive argument in favor of the status quo. I note that I don't think the implementation of such a system would spell the end of meaningful liberty or the dawn of tyranny, and that I also don't think that catastrophe awaits us if we do not implement such a system.

@Dirk: I'm pretty sure that's exactly how Assad & co. see it too. It starts with some harmless mass surveillance and private-public sector collusion. Then a little censorship and internet kill switches. You move on to collecting DNA and encryption backdoors because of terrorists and criminals. Eventually you end up barrel bombing a population that's sick and tired of the paranoid sh*t of an authoritarian ruling class that only serves itself.

I'm sure Assad has many rationalizations for his actions. They are no more persuasive than your assumption of an incredibly steep slippery slope, on which a single step quickly transforms that society's government into an authoritarian beast that survives only by virtue of its ability to slaughter the very people it claims to represent.

Western democracies undertook many internal security measures during periods of duress, such as World War II, and some of which were in fact unjustified. But that did not transform them into authoritarian nations, ending in civil war.

But such an assumption does make it easier to answer complex policy questions. Unfortunately it does so only by ignoring important components of reality.

rgaff • October 23, 2015 2:50 PM

@ madagascar

Yes, as with @Winter, it's generally to help the passers-by see the issues more clearly. That's why I generally don't even address him directly with my replies... though there are obviously exceptions to that.

For example, I think he just argued that since our wholesale imprisonment of an entire race during WWII didn't result in a civil war, our current actions destroying global and domestic civil liberties and human rights over an imaginary boogey man will turn out fine too.

Sceptical of Skeptical • October 28, 2015 4:32 PM

@Skeptical "a society with a legitimate government"

Please provide a single example of said society.
