How specifically to release the Internet
In the continuation of the articles " Snowden shed light on the situation with the breaking of cryptography. Everything is bad " and " The US government has betrayed the Internet. We need to get it back into our own hands " - about what specifically needs to be done to limit the lawlessness of the special services. Yes, Bruce Schneier has already given his recommendations, but he gave them to ordinary people - readers of The Guardian, far from IT; I want to turn to specialists who create and choose Internet technologies.
But first, let's define goals. The main task of law enforcement agencies is to catch killers, drug barons, terrorists and other pedophiles out there. The task is necessary and necessary. The whole question is in the methods by which it is solved. As long as these are investigative methods, the suspect is determined, a warrant is obtained for him in court, and already under this order, the cops have access to wiretapping phones, bank statements, e-mail — everything is fine. Yes, this is a restriction of the rights of the suspect, whose guilt has not yet been proven, but it is an inevitable evil, otherwise the cops simply will not be able to do their work. There is nothing wrong if the detective can send a request to the judge in electronic form from his smartphone, he will sign an electronic order with his EDS, and on the basis of this electronic order the corresponding companies will send the necessary information electronically back to the business smartphone to the cop. XXI century in the end.
But alas, the cops always and everywhere found it easier to work with gendarmes, that is, not to think, but to totally forbid and not to let go. For example, because of one loser bomber who tried to collect a bomb aboard an airplane and received only a burn of his own genitals, it is now impossible to carry a liquid all over the world around the world. Because of one jerk with acid and a pair of idiots with shoulder straps for generals, billions now suffer.
Today, all spheres of life somehow go on the Internet, and for some reason the security services around the world have decided that now they can get access to all the information transmitted on the Internet without warrants and other conventions of the law. But the Internet is a technical thing, and we, who create Internet engineers, can and must stop the special services. Whether we like it or not, states will monitor trunk lines and the largest IT service providers, eavesdropping and implementing bookmarks. But we can and must create such technological conditions in which it will be technically impossible for the state to follow the citizens automatically. I hope no one else on the planet believes in the honesty of the thoughts of the leaders of the special services or in the fact that they will be able to limit themselves. Therefore, if we do not cope and do not limit them on our own, very soon the world of Orwell will seem an unattainable utopia, an ideal of social order.
For specific villains - let them hunt. Let them get warrants for wiretapping, let villains' computers hack - these are all single-handed, manual methods of investigation. But total control without any accountability to the public must be made impossible.
Now about the engineering component, like what.
The first. As Bruce Schneier says, excrypt your communications . Encrypt everything. If you make websites - post them on HTTPS, the certificate now costs no more than a domain. Even if the site is not available at all for http, users will still not notice the difference. If you make websites for customers, persuade customers to hang them on HTTPS. Explain that over HTTP any student can steal a password for the admin panel just by being nearby (and this is really elementary in WiFi and other peer-to-peer networks with a common transmission medium).
If you write network software, no matter what - even games and chatiki - encrypt connections via TLS or there SSH, this is elementary. At the same time, you will get a nice bonus - the ability to identify the user's device by its key, which will greatly facilitate the life of your tech support.
The point is that DPI, interception of highways and all kinds of SORMs become useless for total surveillance, if all traffic of all users goes encrypted. Even if there are tabs in the basic encryption algorithms (openssl, etc.) that allow you to drastically reduce the cost of decryption with knowledge of some magic constants, it still does not allow to decrypt all traffic on the fly. Brutal to specific scoundrels - please. Watch for everything - it will manage.
')
The second is PKCS # 7 based crypto-mail. This is already working, but today it is mainly banks and state that are involved in the implementation and use of this business. organizations that need reliable EDS and that use multi-factor authentication authorization with USB tokens, scratch cards of one-time passwords, etc. This is all too difficult for an ordinary user. He needs to put the keys somewhere in the file right on the hard drive and figure out how to transfer them to another device. I pressed the button and it did everything by itself, as Firefox is now syncing.
And here we need geeks who will write the necessary final software for mere mortals. Browser plug-ins that allow you to encrypt and decrypt email messages in the web interface in the browser itself, plug-ins for email clients, etc. Well and, of course, go from a regular email to a crypto. Create fashion.
Behind geeks will catch up with ordinary business users who actually need a legally significant EDS (paper originals with stamps have long since got everyone), but it should not be as confused as in banking systems. Business users are good at teaching their aunts all to use.
And when everyone, including people far from IT, will go to cryptomail, simply because it is a standard that everywhere - then ANBshnik will no longer be able to just dig into the archives of the mail, solving their own, unknown tasks. Because those archives will contain encrypted messages from Google itself.
Well, the third - you need an open replacement for Skype . Generally, in almost every Windows there are two huge backdoors that are installed regularly - this is RDP (Remote Desktop) and Skype. Both allow you to regularly monitor the user's desktop and the user himself through the webcam and microphone. And, apparently, there is no reason to hope that the NSA does not have a secret key that allows you to enable tracking on any computer in the world.
At least RDP can be disabled in the control panel or block access from the Internet by firewall. With Skype you can not do either one or the other. And absolutely nothing prevents Microsoft from watching via Skype what sites you visit and what you read. Just a simple AI that restricts the flow of information to the NSA servers.
Once upon a time, Skype was an easy p2p program on a good cryptoscheme, tested by Schneier himself. Today we need the same, but only fully opensource and with open protocols for implementing clients on any vacuum cleaner. That doesn't seem like an unsolvable task, does it? Well and, of course, this new Skype should become the de facto standard, displacing all other alternatives. This also does not seem an unsolvable task, the fashion for a particular IM changes every few years.
There is, of course, another tab - this is the user's browser. IE, Chrome and its clones monitor users and send information to their developers and special services that supervise them about everything you visit. But even then you don’t need to develop anything, just go to Firefox.
Everything, it is enough these three points for the solution of an objective. Encrypting connections, encrypting messages, and encrypting video and telephone conversations makes total surveillance of the population impossible. It is only necessary to give this population new, working only in encrypted mode, programs instead of those used today. They won't even notice the difference.
In the end, the Internet is just a means of communication. The right to privacy of correspondence is enshrined in the constitutions of most countries of the world and cannot be limited without a court decision. There is absolutely nothing impossible to guarantee the realization of this right at a technical level, and we can do it. You just need to understand the problem and act together.
But first, let's define goals. The main task of law enforcement agencies is to catch killers, drug barons, terrorists and other pedophiles out there. The task is necessary and necessary. The whole question is in the methods by which it is solved. As long as these are investigative methods, the suspect is determined, a warrant is obtained for him in court, and already under this order, the cops have access to wiretapping phones, bank statements, e-mail — everything is fine. Yes, this is a restriction of the rights of the suspect, whose guilt has not yet been proven, but it is an inevitable evil, otherwise the cops simply will not be able to do their work. There is nothing wrong if the detective can send a request to the judge in electronic form from his smartphone, he will sign an electronic order with his EDS, and on the basis of this electronic order the corresponding companies will send the necessary information electronically back to the business smartphone to the cop. XXI century in the end.
But alas, the cops always and everywhere found it easier to work with gendarmes, that is, not to think, but to totally forbid and not to let go. For example, because of one loser bomber who tried to collect a bomb aboard an airplane and received only a burn of his own genitals, it is now impossible to carry a liquid all over the world around the world. Because of one jerk with acid and a pair of idiots with shoulder straps for generals, billions now suffer.
Today, all spheres of life somehow go on the Internet, and for some reason the security services around the world have decided that now they can get access to all the information transmitted on the Internet without warrants and other conventions of the law. But the Internet is a technical thing, and we, who create Internet engineers, can and must stop the special services. Whether we like it or not, states will monitor trunk lines and the largest IT service providers, eavesdropping and implementing bookmarks. But we can and must create such technological conditions in which it will be technically impossible for the state to follow the citizens automatically. I hope no one else on the planet believes in the honesty of the thoughts of the leaders of the special services or in the fact that they will be able to limit themselves. Therefore, if we do not cope and do not limit them on our own, very soon the world of Orwell will seem an unattainable utopia, an ideal of social order.
For specific villains - let them hunt. Let them get warrants for wiretapping, let villains' computers hack - these are all single-handed, manual methods of investigation. But total control without any accountability to the public must be made impossible.
Now about the engineering component, like what.
The first. As Bruce Schneier says, excrypt your communications . Encrypt everything. If you make websites - post them on HTTPS, the certificate now costs no more than a domain. Even if the site is not available at all for http, users will still not notice the difference. If you make websites for customers, persuade customers to hang them on HTTPS. Explain that over HTTP any student can steal a password for the admin panel just by being nearby (and this is really elementary in WiFi and other peer-to-peer networks with a common transmission medium).
If you write network software, no matter what - even games and chatiki - encrypt connections via TLS or there SSH, this is elementary. At the same time, you will get a nice bonus - the ability to identify the user's device by its key, which will greatly facilitate the life of your tech support.
The point is that DPI, interception of highways and all kinds of SORMs become useless for total surveillance, if all traffic of all users goes encrypted. Even if there are tabs in the basic encryption algorithms (openssl, etc.) that allow you to drastically reduce the cost of decryption with knowledge of some magic constants, it still does not allow to decrypt all traffic on the fly. Brutal to specific scoundrels - please. Watch for everything - it will manage.
')
The second is PKCS # 7 based crypto-mail. This is already working, but today it is mainly banks and state that are involved in the implementation and use of this business. organizations that need reliable EDS and that use multi-factor authentication authorization with USB tokens, scratch cards of one-time passwords, etc. This is all too difficult for an ordinary user. He needs to put the keys somewhere in the file right on the hard drive and figure out how to transfer them to another device. I pressed the button and it did everything by itself, as Firefox is now syncing.
And here we need geeks who will write the necessary final software for mere mortals. Browser plug-ins that allow you to encrypt and decrypt email messages in the web interface in the browser itself, plug-ins for email clients, etc. Well and, of course, go from a regular email to a crypto. Create fashion.
Behind geeks will catch up with ordinary business users who actually need a legally significant EDS (paper originals with stamps have long since got everyone), but it should not be as confused as in banking systems. Business users are good at teaching their aunts all to use.
And when everyone, including people far from IT, will go to cryptomail, simply because it is a standard that everywhere - then ANBshnik will no longer be able to just dig into the archives of the mail, solving their own, unknown tasks. Because those archives will contain encrypted messages from Google itself.
Well, the third - you need an open replacement for Skype . Generally, in almost every Windows there are two huge backdoors that are installed regularly - this is RDP (Remote Desktop) and Skype. Both allow you to regularly monitor the user's desktop and the user himself through the webcam and microphone. And, apparently, there is no reason to hope that the NSA does not have a secret key that allows you to enable tracking on any computer in the world.
At least RDP can be disabled in the control panel or block access from the Internet by firewall. With Skype you can not do either one or the other. And absolutely nothing prevents Microsoft from watching via Skype what sites you visit and what you read. Just a simple AI that restricts the flow of information to the NSA servers.
Once upon a time, Skype was an easy p2p program on a good cryptoscheme, tested by Schneier himself. Today we need the same, but only fully opensource and with open protocols for implementing clients on any vacuum cleaner. That doesn't seem like an unsolvable task, does it? Well and, of course, this new Skype should become the de facto standard, displacing all other alternatives. This also does not seem an unsolvable task, the fashion for a particular IM changes every few years.
There is, of course, another tab - this is the user's browser. IE, Chrome and its clones monitor users and send information to their developers and special services that supervise them about everything you visit. But even then you don’t need to develop anything, just go to Firefox.
Everything, it is enough these three points for the solution of an objective. Encrypting connections, encrypting messages, and encrypting video and telephone conversations makes total surveillance of the population impossible. It is only necessary to give this population new, working only in encrypted mode, programs instead of those used today. They won't even notice the difference.
In the end, the Internet is just a means of communication. The right to privacy of correspondence is enshrined in the constitutions of most countries of the world and cannot be limited without a court decision. There is absolutely nothing impossible to guarantee the realization of this right at a technical level, and we can do it. You just need to understand the problem and act together.
Source: https://habr.com/ru/post/192872/
All Articles