
Security quotes of the week

In the long run, I suspect they will result in more deeply buried and impenetrable surveillance empires -- both in the U.S. and around the world -- and a determined sense by their proponents that in the future, the relative transparency we had this time around would be banished forever.

In the short run, we may see some small victories -- like Web firms being permitted by the government to more effectively defend themselves against false accusations, and perhaps a bit more transparency related to the court actions that enable and (at least in theory) monitor these programs.

But beyond that, while hope springs eternal, logic suggests that prospects for the masters of surveillance around the world have not been significantly dimmed, and in fact may have actually obtained a longer-term boost.

Lauren Weinstein

Conspiracy theorists may be unsurprised that:
  • Microsoft's support for PFS is conspicuous by its absence across Internet Explorer, IIS, and some of its own web sites. Apple's support for PFS in Safari is only slightly better.
  • Russia, long-time target of US spies, is the home of the developer of nginx, the web server which uses PFS most often.
  • Almost all of the websites run by companies involved in the PRISM programme do not use PFS.
Netcraft looks into perfect forward secrecy (PFS)

All of this mapping of vulnerabilities and keeping them secret for offensive use makes the Internet less secure, and these pretargeted, ready-to-unleash cyberweapons are destabilizing forces on international relationships. Rooting around other countries' networks, analyzing vulnerabilities, creating back doors, and leaving logic bombs could easily be construed as acts of war. And all it takes is one overachieving national leader for this all to tumble into actual war.

It's time to stop the madness. Yes, our military needs to invest in cyberwar capabilities, but we also need international rules of cyberwar, more transparency from our own government on what we are and are not doing, international cooperation between governments, and viable cyberweapons treaties. Yes, these are difficult. Yes, it's a long, slow process. Yes, there won't be international consensus, certainly not in the beginning. But even with all of those problems, it's a better path to go down than the one we're on now.

Bruce Schneier

Just as important was what the Japanese government and people did not do. They didn't panic. They didn't make sweeping changes to their way of life. They didn't implement a vast system of domestic surveillance. They didn't suspend basic civil rights. They didn't begin to capture, torture, and kill without due process. They didn't, in other words, allow themselves to be terrorized. Instead, they addressed the threat. They investigated and arrested the cult's leadership. They tried them in civilian courts and earned convictions through due process. They buried their dead. They mourned. And they moved on. In every sense, it was a rational, adult, mature response to a terrible terrorist act, one that remained largely in keeping with liberal democratic ideals.
Freddie on the Japanese reaction to the Aum Shinrikyo terrorism (from the L'Hôte blog)

Security quotes of the week

Posted Jun 27, 2013 14:21 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

Schneier:

"And all it takes is one overachieving national leader for this all to tumble into actual war.
It's time to stop the madness."

The madness is an intrinsic existential facet.
Let's talk about minimizing the global madness average, and diminishing the collateral damage of the inevitable madness eruptions.
Doing that is going to take:
- 'simpler' systems, with
- more people involving themselves, for
- shorter periods of time.
Restated: priesthoods bite.

Security quotes of the week

Posted Jun 27, 2013 19:41 UTC (Thu) by rwmj (subscriber, #5474) [Link]

The Aum cult attacks were not perpetrated by "outsiders" (i.e. non-Japanese). Nor was the Oklahoma bombing done by an "outsider" (a non-American), and that didn't result in any significant changes to the American way of life either. Irish terrorism, same thing.

Security quotes of the week

Posted Jun 27, 2013 22:19 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Irish terrorism didn't result in any significant changes to way of life? Northern Ireland had army patrols, roadblocks with people pointing guns at you, sections of towns that could be arbitrarily blocked off and a large number of cross-border roads blocked. In the 70s, it even included internment of a large number of innocent people. I'd count those as pretty significant lifestyle changes.

Security quotes of the week

Posted Jul 5, 2013 20:14 UTC (Fri) by Wol (guest, #4433) [Link]

The other thing is, Irish terrorism WAS an "outside" thing.

First of all, we have an international border involved.

Secondly, we had masses of external funding, large chunks apparently coming from America!!! (And a lot from Libya).

Cheers,
Wol

Security quotes of the week

Posted Jul 5, 2013 21:41 UTC (Fri) by jubal (subscriber, #67202) [Link]

…yes, it was an outside thing, in the Republic. In the U.K. though, not necessarily.

Security quotes of the week

Posted Jul 8, 2013 7:32 UTC (Mon) by paulj (subscriber, #341) [Link]

Even at the height of the troubles, the border between the 6 counties and the rest of Ireland was never closed. It's rarely marked. There are roads that cross repeatedly between the two (e.g. the main road from Clones to Cavan - both of which are in the south). There were a few times where British army patrols accidentally wandered into the southern counties.

Bear in mind that, to a significant extent, the dispute was rooted in the existence of that border. A non-trivial chunk of the general population in the 6 counties would not have agreed with that border, even if many of them still found the violence objectionable.

The violence and the state reaction to it had a huge impact on daily life there.

ECDHE

Posted Jun 28, 2013 13:15 UTC (Fri) by cesarb (subscriber, #6266) [Link]

Annoyingly, Fedora's Firefox does not allow the use of ECDHE (only DHE), unless you recompile the nss-softokn package yourself with a few modifications. Ubuntu (at least 12.04 LTS) does not have that problem.

Google's websites do not use DHE, only ECDHE (I recall reading somewhere that they do it this way because DHE is slower). So, if you are using Fedora's Firefox with an unmodified nss-softokn, you are not using PFS with Google.

You can use https://www.ssllabs.com/ssltest/ to check which cipher suites a web server uses, and https://cc.dcsec.uni-hannover.de/ to check which cipher suites your browser uses (however, this last site seems to be down right now).
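The two checks the comment above describes can be done offline once you have a server's cipher-suite list in hand. The following is an added example, not code from the comment author or from either of the linked sites: it classifies cipher suites by the key-exchange token in their name (IANA `TLS_..._WITH_...` or OpenSSL `ECDHE-RSA-...` spelling), flags a server's non-PFS suites, and, for the client side, asks the local Python `ssl` module which key-exchange methods it can actually negotiate. The suite lists are constructed for illustration and do not describe any real server.

```python
import ssl

# Key-exchange tokens that derive an ephemeral shared secret, so a later
# compromise of the server's long-term key does not expose recorded sessions.
# 'EDH' is OpenSSL's older spelling of DHE. Note that 'ECDH' and 'DH' without
# the trailing 'E' are the static variants and are NOT forward secret.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

# TLS 1.3 suite names carry no key-exchange token because the protocol only
# permits (EC)DHE; every TLS 1.3 suite is therefore forward secret.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def forward_secret(suite: str) -> bool:
    """True if the named cipher suite uses an ephemeral (EC)DH key exchange."""
    if suite.startswith(TLS13_PREFIXES):
        return True
    tokens = suite.replace("-", "_").split("_")
    return any(tok in EPHEMERAL_KX for tok in tokens)


def non_pfs_suites(offered):
    """Suites in a server's offered list that lack forward secrecy, in the
    server's preference order (as one would read them off a scan report)."""
    return [s for s in offered if not forward_secret(s)]


def local_key_exchanges():
    """Key-exchange methods the local TLS client stack can negotiate.

    This is the client half of the problem: a server that offers only ECDHE
    gives you no PFS if your client library cannot do ECDHE. OpenSSL reports
    'kx-ecdhe', 'kx-dhe', 'kx-rsa', ... and 'kx-any' for TLS 1.3 suites.
    """
    ctx = ssl.create_default_context()
    return {c["kea"] for c in ctx.get_ciphers()}


# Constructed sample suite lists (not real scan output).
# SERVER_A prefers ECDHE but keeps one static-RSA fallback.
SERVER_A = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# SERVER_B offers only static RSA and static ECDH: no PFS at all.
SERVER_B = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


if __name__ == "__main__":
    for name, suites in (("server-a", SERVER_A), ("server-b", SERVER_B)):
        weak = non_pfs_suites(suites)
        print(f"{name}: {len(suites) - len(weak)} forward-secret suite(s), "
              f"{len(weak)} without PFS: {weak}")

    kx = local_key_exchanges()
    print("local client key exchange methods:", sorted(kx))
    if not kx & {"kx-ecdhe", "kx-any"}:
        print("warning: this client cannot negotiate ECDHE; "
              "an ECDHE-only server will not give you PFS")
```

A client that can only do DHE, as the comment describes for Fedora's NSS at the time, would show `kx-dhe` but no `kx-ecdhe` in the last line, and against an ECDHE-only server the handshake would fall back to a non-PFS suite or fail outright.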

ECDHE

Posted Jun 28, 2013 17:07 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

> Annoyingly, Fedora's Firefox does not allow the use of ECDHE (only DHE), unless you recompile the nss-softokn package yourself with a few modifications. Ubuntu (at least 12.04 LTS) does not have that problem.

This sounds like an RFE. Have you filed a bug?

ECDHE

Posted Jun 28, 2013 18:37 UTC (Fri) by cesarb (subscriber, #6266) [Link]

> This sounds like an RFE. Have you filed a bug?

Filing a bug would be pointless, it is disabled on purpose (to the point of stripping the related source code from the srpm; you have to regenerate the source tarball yourself to compile with it enabled). See for instance https://bugzilla.redhat.com/show_bug.cgi?id=319901 (for OpenSSL, but the same issue).

Though now that I looked at it again, I found a very interesting bug report: https://bugzilla.redhat.com/show_bug.cgi?id=960193. Looks like RHEL will enable it soon, so Fedora will probably have no problem doing the same later. Great news!

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds