PRISM: NSA/FBI Internet data mining project

Mike Jones mike at mikejones.in
Sat Jun 8 12:06:14 UTC 2013


On 8 June 2013 12:12, Jimmy Hess <mysidia at gmail.com> wrote:

> On 6/7/13, Måns Nilsson <mansaxel at besserwisser.org> wrote:
> > Subject: Re: PRISM: NSA/FBI Internet data mining project
> > Date: Fri, Jun 07, 2013 at 12:25:35AM -0500
> > Quoting jamie rishaw (j at arpa.com):
> >> <tinfoilhat>
> >> Just wait until we find out dark and lit private fiber is getting
> >> vampired.
> >> </tinfoilhat>
> > I'm not even assuming it, I'm convinced. In Sweden, we have a law,
> > that makes what NSA/FBI did illegal while at the same time legalising,
>
> Perhaps strong crypto should be implemented on transceivers at each
> end of every link, so users could be protected from that without
> having to implement the crypto themselves at the application layer? :)
>
> --
> -JH
>
>
Encrypted wifi doesn't help if the access point is the one doing the
sniffing. How often are 'wiretaps' done by tapping into a physical line vs.
simply requesting that a switch/router copy everything going through it to
another port? The CIA might use physical taps to monitor the Russian
government's traffic, but within the US I imagine they normally just ask the
target's ISP to copy the data to them.

To be automatic and 'just work' would also mean not having to configure the
identity of the devices at the other end of every link. In this case you'll
just negotiate an encrypted link to the CIA's sniffer instead of the switch
you thought you were talking to.

End-to-end encryption with secure automatic authentication is needed; it's
taking a while to gain traction, but DANE looks like the solution. When SSL
requires the overhead of getting a CA to re-sign everything every year, you
only use it when you have a reason to. When SSL is a single copy/paste
operation to set up and needs no maintenance, it becomes much harder to
justify why you're not doing it. Unfortunately I haven't come across any good
ideas yet for p2p-type applications where you don't have anywhere to securely
publish your certificates.

- Mike
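The DANE mechanism Mike points at works by publishing a TLSA record (RFC 6698) in DNSSEC-signed DNS that pins either the whole certificate or just its SubjectPublicKeyInfo, so the client can authenticate the far end without a CA in the loop. The following is an added example, not code from the post or from any DANE implementation: it builds the TLSA rdata for a certificate, prints the presentation form, and performs the client-side match for usage 3 (DANE-EE). The certificate is a synthetic, unsigned X.509 skeleton built with a tiny DER encoder so the block runs offline; the owner name `_443._tcp.example.com.` and the key bytes are assumptions. It does not do the DNSSEC lookup or validation, which is what makes the record trustworthy in the first place.

```python
"""DANE/TLSA (RFC 6698): build a TLSA record from a certificate and check a
presented certificate against it. Added example; the certificates below are
constructed with a minimal DER encoder and are not real or signed."""
import hashlib

SEQUENCE, INTEGER, OID, NULL, BIT_STRING, CONTEXT_0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0xA0


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split a SEQUENCE body into its member TLVs (full TLV bytes each)."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        _, _, pos = der_read(content, pos)
        out.append(content[start:pos])
    return out


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_read(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    offset = 1 if fields[0][0] == CONTEXT_0 else 0  # skip explicit version if present
    return fields[offset + 5]


def tlsa_association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type")


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching_type: int) -> bytes:
    """Wire-format RDATA: usage, selector, matching type, then association data."""
    return bytes([usage, selector, matching_type]) + tlsa_association_data(cert_der, selector, matching_type)


def tlsa_presentation(owner: str, cert_der: bytes, usage=3, selector=1, matching_type=1) -> str:
    """Zone-file form of the record, e.g. for _443._tcp.<host>."""
    rdata = tlsa_rdata(cert_der, usage, selector, matching_type)
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {rdata[3:].hex()}"


def tlsa_matches(cert_der: bytes, rdata: bytes) -> bool:
    """Client check for usage 3 (DANE-EE): recompute the association data from the
    presented end-entity certificate and compare. Usages 0-2 additionally need
    PKIX chain validation or a trust-anchor match and are not handled here."""
    usage, selector, matching_type = rdata[0], rdata[1], rdata[2]
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is implemented in this example")
    return tlsa_association_data(cert_der, selector, matching_type) == rdata[3:]


def synthetic_spki(key_bytes: bytes) -> bytes:
    """Constructed SubjectPublicKeyInfo with the rsaEncryption OID and opaque key bytes."""
    alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + key_bytes))


def synthetic_certificate(serial: int, spki: bytes) -> bytes:
    """Constructed, well-formed but unsigned X.509 skeleton around the given SPKI."""
    sig_alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    empty = der(SEQUENCE, b"")  # stands in for issuer, validity, subject
    tbs = der(SEQUENCE, der(CONTEXT_0, der(INTEGER, b"\x02")) + der(INTEGER, serial.to_bytes(4, "big"))
              + sig_alg + empty + empty + empty + spki)
    return der(SEQUENCE, tbs + sig_alg + der(BIT_STRING, b"\x00" * 17))


# Constructed inputs: one key, reissued under a new serial, plus an unrelated key.
SPKI_A = synthetic_spki(b"\x01" * 64)
CERT_2013 = synthetic_certificate(1, SPKI_A)
CERT_2014 = synthetic_certificate(2, SPKI_A)
CERT_OTHER = synthetic_certificate(3, synthetic_spki(b"\x02" * 64))
RECORD = tlsa_rdata(CERT_2013, 3, 1, 1)  # 3 1 1: DANE-EE, SPKI, SHA-256

if __name__ == "__main__":
    print(tlsa_presentation("_443._tcp.example.com.", CERT_2013))
    print("reissued cert, same key:", tlsa_matches(CERT_2014, RECORD))
    print("unrelated cert:", tlsa_matches(CERT_OTHER, RECORD))
```

Pinning the SubjectPublicKeyInfo (selector 1) rather than the full certificate (selector 0) is what gives the "no maintenance" property the post wants: the operator can reissue or self-sign a new certificate for the same key every year and the published record keeps matching, whereas a selector 0 record has to be republished with every reissue.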