|
|
Subscribe / Log in / New account

RFC 7258

RFC 7258

Posted May 13, 2014 22:21 UTC (Tue) by raven667 (subscriber, #5198)
Parent article: RFC 7258

It's kind of sad we have to go down this road, all this security engineering against pervasive monitoring is an added cost to doing business, double-cost actually because we are also paying _for_ the pervasive monitoring we are paying to engineer around. We should also work in taking control of the organizations which are doing the monitoring and shutting it down so that the environment is less hostile in the first place. The pervasive monitoring is more a people problem than a technology one.

Of course there will always be some small amount of monitoring which goes on, lawful or not, but the highly-resourced, pervasive monitoring should be stopped in preference to working around it.

to post comments

RFC 7258

Posted May 13, 2014 23:20 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link] (8 responses)

As long as there are organizations that can benefit from pervasive monitoring, there will be an incentive to create it. We're most worried about governments doing it now, but there is plenty of incentive for businesses and criminal enterprises to get in on it. I'd rather engineer around it now than discover in a few years that my ISP has been monitoring everything I do and selling my personal information to the highest bidder.

RFC 7258

Posted May 14, 2014 3:34 UTC (Wed) by raven667 (subscriber, #5198) [Link] (7 responses)

A lot of organizations have the incentive to create bad things they benefit from, that's why we have laws and audit standards, to try and detect this some percentage of the time and drive the risk up until it is greater than the reward. I'd rather knock this stuff down using regulation, laws and audit so that we don't have to each, individually and together, spend all our time doing security dances rather than whatever productive labor we actually want to do. It's all loss prevention and not value creation.

RFC 7258

Posted May 14, 2014 8:41 UTC (Wed) by nim-nim (subscriber, #34454) [Link]

Since Snowden pretty much proved the NSA was not bothering with network interception when they could just ask Google or Facebook, this RFC will change nothing data collection side (it will change a lot of things on the leeway *you* have to scrub what Google or Facebook wants you to see).

RFC 7258

Posted May 14, 2014 9:17 UTC (Wed) by Seegras (guest, #20463) [Link] (1 responses)

As long as certain governments ignore their own constitution, which might say something like this:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

which explicitly forbids wholesale surveillance of all _people_ (note that this does not say "citizens", this really means all people); we can only conclude that these laws and regulations are useless, and those criminal organizations and governments will go on with their pervasive monitoring.

RFC 7258

Posted May 14, 2014 14:04 UTC (Wed) by raven667 (subscriber, #5198) [Link]

The US Constitution is just a piece of paper without people who believe in what it describes and enforce that standard of behavior. No law is worth anything without a credible threat of enforcement.

RFC 7258

Posted May 14, 2014 13:45 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link] (1 responses)

It is illegal to break into people's houses and steal their stuff, and we have police departments to enforce those laws. Wise people still invest in locks and security systems. It's one of the things we do to drive up the cost of theft.

RFC 7258

Posted May 14, 2014 14:12 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Sure, but beyond some fairly simple door locks you run quickly into the land of diminishing returns in most locations. If your neighborhood is particularly bad you might invest in window bars but you are not going to clad your house in steel for example. Those are just static defenses as well, a captital expense, computer security tends to add operation expense to every operation and reduces the utility of the machine in a way that door locks and window bars do not reduce the utility of a house (well maybe it would be more analagous if you put deadbolts and biometrics on every interior door, that would be hella annoying).

RFC 7258

Posted May 16, 2014 11:54 UTC (Fri) by ortalo (guest, #4654) [Link] (1 responses)

In my opinion this view is a little misleading, real security is not about dancing at all.
Many laws, audit and standards already exist. But laws, audit and standards cannot do everything. It seems to me the current state of affair demonstrate it pretty blatantly.
Some things need to be made impossible, not only forbidden. Revolutions occur specifically in order to bring the system in such a satisfying state, generally by eliminating those who manipulate the rules to change the definition of "forbidden" to match their interests. However, even with such a momentum (which generally does not last long), now in the digital world we do not even state clearly which mechanisms are really expected to bring satisfying security properties for the society we desire (here).
There is at least some enlighting hope in the IETF reaction: we knew and they state that publicly available cryptographic mechanisms are part of the solution, and we also know now that the IETF is an acceptable body to work on the technical part of the problem.

(BTW, personnally, I was extremely happy to rediscover that the IETF could be such a trustable organization. A huge thank you for any of those belonging to it: past and present!)

RFC 7258

Posted May 16, 2014 18:20 UTC (Fri) by raven667 (subscriber, #5198) [Link]

> real security
> Some things need to be made impossible, not only forbidden.

Real security is a platonic ideal, like a frictionless surface, which doesn't exist in the real world.

> Many laws, audit and standards already exist. But laws, audit and standards cannot do everything. It seems to me the current state of affair demonstrate it pretty blatantly.

There are many laws and audit steps which could exist but do not, such as data retention requirements which forbid service providers from keeping profiling information, and there are many laws which do exist but for which there is no credible threat of enforcement, like the 4th Amendment in the US.

RFC 7258

Posted May 14, 2014 0:48 UTC (Wed) by josh (subscriber, #17465) [Link]

Pervasive monitoring should be stopped, but regardless, we also need to take the technical measures to block it and all other security holes. Among other things, traffic that isn't encrypted end-to-end is a bug.

Even if we thought we'd stopped pervasive monitoring by policy, we should still have protocols that prevent it.

RFC 7258

Posted May 14, 2014 6:42 UTC (Wed) by Lennie (subscriber, #49641) [Link] (2 responses)

The problem is, these organizations that are doing the monitoring might not be under your control.

For example you might be in the west and the monitoring is done by the Chinese.

RFC 7258

Posted May 14, 2014 12:27 UTC (Wed) by niner (subscriber, #26151) [Link]

Ironically it is much more likeley:
* to be Chinese
* to be monitored by the West
* that all of the above is true

RFC 7258

Posted May 14, 2014 13:58 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Sure, but you are responsible for the agencies run by your government, if you set the standard in your local area that pervasive monitoring is not tolerated, and make a serious effort to enforce your standards, you have better chance of throwing attackers out of your system and you can make a more credible case when asking that they stop attacking you.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds