Confidentiality is for the privileged. For normal people, it's not as if the math to do encryption yourself will be outlawed, but it's not practical to stay connected to the world at large and to maintain meaningful privacy.
The kind of capital-F Freedom that is supposed to exist in the Free World is in practice just the gap between what's practical to control hierarchically and the level of desired power to control (effectively limitless). Technology continues to narrow the gap.
Some of the themes of societal change in my lifetime are: reduced trust, reduced privacy, centralization of power, increased economic efficiency at the expense of robustness, and increased profit extraction at the expense of nearly everything else.
I would add, perverse and pervasive systematic financial and addictive emotional incentives for creating and promoting false information, tribal ideologies vs. independent reasoning, and aggressive social division vs. tolerance, respect and cooperation.
Perhaps only the state can provide a technological landscape where privacy is practical. Privacy technology is a true public good, and the state is ideally situated to provide substantial funding for the development public goods.
One of my privacy techniques has been to build a container with a new network namespace, randomly select a VPN server from the set of ~5k that my VPN provider has running across the globe and connect to it within that namespace, spawn a fresh instance of a web browser with no cookie history or anything of the sort, run DNS filtering and ad-blocking components, and then perform the individual task I want to perform with it before shutting the whole thing down.
I have all of this scripted to launch trivially within a few seconds, and it reduces the effectiveness of most of the attacks this RFC describes.
Qubes OS would work great too. I just prefer Debian, so I've hacked together a poor-man's sandbox on that platform. While it doesn't provide the degree of host-level isolation that Qubes does, I think it's pretty effective for what this RFC is about.
That's a good effort, but unfortunately every second desktop app now bundles a browser (Electron), and most people now access the internet through phone apps, an environment which offers no such control. Furthermore, if your VPN provider is seized, hacked, issued with a warrant, or is a honeypot operation you're going straight to the top of the interesting critters list, and you've probably given them your identity with your payment information, or it's trivially available to multiple state or corporate actors through the crypto gateway you used to purchase the intermediary token. Either that or your IP will also provide your home address by extension, as well as your tax information, income level, telephone numbers, historic personal/family/financial network, employers current and past, registered vehicles, upcoming transport reservations, current physical location through either network activity or cellular network operator ping, etc. Just sayin'.
Echelon was known by the late 1990s and has now been running for at least a third of a century. The European Parliament report came out in '01. Snowden and co, which this IETF document was presumably issued in response to, was a decade and a half later, a time in which offensive population-scale surveillance and targeted penetration as a service became open market products, secret global state-sanctioned kidnappings and assassinations became nominally normalized, literal constellations of surveillance satellites have been launched at ever-decreasing cost with ever-increasing capabilities, US 'instant global strike' capability is declared, drone warfare has not only been realized but is constant and in the popular consciousness, and every state actor worth its stazi-salt started playing.
IMHO this document is therefore primarily of historical interest in demonstrating the apparent, unfortunate, well-meaning near-irrelevance of the IETF in the face of global internet commercialization and the ongoing shift toward normalized state surveillance. It could be seen as the conscience of the internet coming to terms with its failure. In Assange's words of 2012 (some 3 years prior): "The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen. The internet is a threat to human civilization." This is all the more significant in mid 2024 as Assange has just escaped torture, China and Russia tighten their grasp after abandoning any open market pretense, Europe, at war, stands on the cusp of a popular authoritarian transition and the US election looms.
What's a regular citizen to do? A shell script certainly won't save you, but it's something. It seems humanity has some organizational problems - its political systems no longer seem fit for purpose, and all of this while biodiversity tanks and global warming accelerates. Post industrial revolution we've built a machine, and it's no longer under our control. To Mars then? Perhaps not.
Regardless I'm not really trying to defend myself against state actors. If they target me, I know I'm screwed. What I am trying to do is reduce the amount of my private information non-government entities collect on me while raising the cost of mass surveillance.
Could we at least leverage LLMs to create fake targets and feed spooks a lot of chaff? Perhaps surveillance can't be completely avoided, but at least can be made very expensive and wasteful.
Windows is an oppressive government's wet dream. Records everything, collects massive amounts of private data and sends it to a central location, randomly forces remote software installation/"updates", prevents users from accessing parts of the OS/file system. What more could they want?
I wonder if you could create a ConLang with built-in usefully-hard encryption that is possible to do without a computer. Seems daunting, but the brain is an incredible machine.
Confidentiality is easy when you start with full trust and the ability to pre-exchange secrets.
I for one propose an unwritten language of moans and yodels steganographically modulating a subset of classical Chinese atop boudoir French poetry, preferably set to sitar.
1) Their idealized attacker "can observe every packet of all communications at any hop in any network path between an initiator and a recipient"
2) Therefore: "Protocols that do not encrypt their payload make the entire content of the communication available to the idealized attacker along their path."
3) Furthermore: "When store-and-forward protocols are used, intermediaries leave this data subject to observation by an attacker that has compromised these intermediaries..."
I will now prove a negative: If the idealized attacker has 1 then they've already achieved 3. Therefore this is a bullshit line of argument.
What next? Read your eyeballs with your web cam? Do I need to encrypt traffic on loopback? Where is "reasonable" here? There is no such thing as absolute zero trust or absolute air gap. Is the "idealized defender" an idiot who thinks that encrypting loopback mitigates pwnage at the os or hardware level? What role does deception, salting, misdirection play in a healthy security posture?
This should be interpreted as a followon to RFC 7258 (cited in the Introduction): "While PM is an attack, other forms of monitoring that might fit the definition of PM can be beneficial and not part of any attack, e.g., network management functions monitor packets or flows..."
I am reminded of this from RFC 1034: "Clients of the domain system should be able to identify trusted name servers they prefer to use before accepting referrals to name servers outside of this 'trusted' set." and rhetorically now I ask how has that worked out?
Not discounting that the technical issues and scenarios are valid, but to point out the blatantly political nature of this rhetoric.
What this gets us at the level of technical implementation is e.g. qname minimization, which in turn begets moaning about lame delegations (I don't deny they are a problem) and the horrible horrible excess traffic they cause... entirely omitting the fact that qname minimization can double the number of unprimed queries required to resolve a name. Just one example.
Is it possible to create totally network-safe (unexploitable from the network interface) computers should you start from scratch and write a new OS today? Maybe formally verified network interfaces and capability inheritance based process execution, with granular capabilities protected with a memory safe language? I'm thinking Theseus OS, with formal verification of anything that is on the network boundary.
But ok. So there is the issue of compilers carrying binary-only payloads, which are only passed on when compiling the compiler. Really paranoid people worry about this, so it fits in the set of theoretical and demonstrated issues. But I don't have references for you off the top of my head; it's been acknowledged for a very long time.
I'm ok with heterogenenaety and calling it good enough.
Sure, be ok with the status quo, you do you. But there will emerge young people who'll see the absolutely immense yet utterly overlooked advantages of a computing stack written from scratch, and they'll take on the enormous burden. Watch out, it's about time the world stop running on a kernel written in 1991. Software does age with real world time, and it shall die a natural death if it is to not to be kept in life support at ever increasing expense.
Open source could write 5 fully functional and modern Software Development, Distribution and Running Infrastructures (currently known as an OS) per day if all the effort didn't went into the hospitalization of the current ones and the ecosystems surrounding them.
> it's about time the world stop running on a kernel written in 1991
In the spirit of debate only, I observe that the Theseus legend concerns the farmer's axe: replaced the handle three times and the head twice, still a damned good axe.
Thus marches whatever software you cite: the legionnaires may die and be replaced but the legion marches on. A lot of the burgeoning cost concerns camp followers rather than the legion itself. You seem to get that in your reference to ecosystems. Having trouble getting water in camp? If your pack animals are dying it's a different concern than your follower's. I mean, whose animals are you going to eat first?
I would like nothing better than to be running on a kernel written in 1584. (Arbitrarily chosen year, seriously.)
I get that. However the analogy doesn't hold. "Modern" software is not a hammer you can replace the two parts of. It's a Boeing 747 which only allows small, incremental improvements in the replaced parts. With great effort you can customize it to be the Air Force One but you can't make an F35 out of it unless you start from scratch. Many design decisions made 33 years ago which are unwise in hindsight are ingrained in not only all software we write today, but even in the way we think about software now.
> Is it possible to create totally network-safe (unexploitable from the network interface) computers should you start from scratch and write a new OS today?
Confidentiality is for the privileged. For normal people, it's not as if the math to do encryption yourself will be outlawed, but it's not practical to stay connected to the world at large and to maintain meaningful privacy.
The kind of capital-F Freedom that is supposed to exist in the Free World is in practice just the gap between what's practical to control hierarchically and the level of desired power to control (effectively limitless). Technology continues to narrow the gap.
Some of the themes of societal change in my lifetime are: reduced trust, reduced privacy, centralization of power, increased economic efficiency at the expense of robustness, and increased profit extraction at the expense of nearly everything else.
I would add, perverse and pervasive systematic financial and addictive emotional incentives for creating and promoting false information, tribal ideologies vs. independent reasoning, and aggressive social division vs. tolerance, respect and cooperation.
Perhaps only the state can provide a technological landscape where privacy is practical. Privacy technology is a true public good, and the state is ideally situated to provide substantial funding for the development public goods.
One of my privacy techniques has been to build a container with a new network namespace, randomly select a VPN server from the set of ~5k that my VPN provider has running across the globe and connect to it within that namespace, spawn a fresh instance of a web browser with no cookie history or anything of the sort, run DNS filtering and ad-blocking components, and then perform the individual task I want to perform with it before shutting the whole thing down.
I have all of this scripted to launch trivially within a few seconds, and it reduces the effectiveness of most of the attacks this RFC describes.
Sounds like you reimplemented Qubes OS disposable VMs with a lower security level.
Qubes OS would work great too. I just prefer Debian, so I've hacked together a poor-man's sandbox on that platform. While it doesn't provide the degree of host-level isolation that Qubes does, I think it's pretty effective for what this RFC is about.
Have you tried Firejail security sandbox:
https://firejail.wordpress.com/
That's a good effort, but unfortunately every second desktop app now bundles a browser (Electron), and most people now access the internet through phone apps, an environment which offers no such control. Furthermore, if your VPN provider is seized, hacked, issued with a warrant, or is a honeypot operation you're going straight to the top of the interesting critters list, and you've probably given them your identity with your payment information, or it's trivially available to multiple state or corporate actors through the crypto gateway you used to purchase the intermediary token. Either that or your IP will also provide your home address by extension, as well as your tax information, income level, telephone numbers, historic personal/family/financial network, employers current and past, registered vehicles, upcoming transport reservations, current physical location through either network activity or cellular network operator ping, etc. Just sayin'.
Echelon was known by the late 1990s and has now been running for at least a third of a century. The European Parliament report came out in '01. Snowden and co, which this IETF document was presumably issued in response to, was a decade and a half later, a time in which offensive population-scale surveillance and targeted penetration as a service became open market products, secret global state-sanctioned kidnappings and assassinations became nominally normalized, literal constellations of surveillance satellites have been launched at ever-decreasing cost with ever-increasing capabilities, US 'instant global strike' capability is declared, drone warfare has not only been realized but is constant and in the popular consciousness, and every state actor worth its stazi-salt started playing.
IMHO this document is therefore primarily of historical interest in demonstrating the apparent, unfortunate, well-meaning near-irrelevance of the IETF in the face of global internet commercialization and the ongoing shift toward normalized state surveillance. It could be seen as the conscience of the internet coming to terms with its failure. In Assange's words of 2012 (some 3 years prior): "The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen. The internet is a threat to human civilization." This is all the more significant in mid 2024 as Assange has just escaped torture, China and Russia tighten their grasp after abandoning any open market pretense, Europe, at war, stands on the cusp of a popular authoritarian transition and the US election looms.
What's a regular citizen to do? A shell script certainly won't save you, but it's something. It seems humanity has some organizational problems - its political systems no longer seem fit for purpose, and all of this while biodiversity tanks and global warming accelerates. Post industrial revolution we've built a machine, and it's no longer under our control. To Mars then? Perhaps not.
Mullvad takes cash, and if they are to be believed an attempt at a search warrant didn't work out for the authorities. https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-sea...
Regardless I'm not really trying to defend myself against state actors. If they target me, I know I'm screwed. What I am trying to do is reduce the amount of my private information non-government entities collect on me while raising the cost of mass surveillance.
Could we at least leverage LLMs to create fake targets and feed spooks a lot of chaff? Perhaps surveillance can't be completely avoided, but at least can be made very expensive and wasteful.
This is ten years old. Needs a date.
Was hoping for some new tips on what to do about government agencies demanding information from constituents and then storing it in MS Windows.
Windows is an oppressive government's wet dream. Records everything, collects massive amounts of private data and sends it to a central location, randomly forces remote software installation/"updates", prevents users from accessing parts of the OS/file system. What more could they want?
Invent a new language from scratch and teach it only to people you can trust fully, then start a society from scratch among those people.
There's https://toaq.net/ and many others. Spoken by <500 people last time I checked the discord.
To be undone by a bored linguist on the weekends
Not really. They would need sime hints about context. It can be made difficult.
I wonder if you could create a ConLang with built-in usefully-hard encryption that is possible to do without a computer. Seems daunting, but the brain is an incredible machine.
But, you see, this just makes it more interesting to them. Now they get to camp.
So Esperanto combined with the first rule of Fight Club?
Confidentiality is easy when you start with full trust and the ability to pre-exchange secrets.
I for one propose an unwritten language of moans and yodels steganographically modulating a subset of classical Chinese atop boudoir French poetry, preferably set to sitar.
Text link: https://www.rfc-editor.org/rfc/rfc7624.txt
1) Their idealized attacker "can observe every packet of all communications at any hop in any network path between an initiator and a recipient"
2) Therefore: "Protocols that do not encrypt their payload make the entire content of the communication available to the idealized attacker along their path."
3) Furthermore: "When store-and-forward protocols are used, intermediaries leave this data subject to observation by an attacker that has compromised these intermediaries..."
I will now prove a negative: If the idealized attacker has 1 then they've already achieved 3. Therefore this is a bullshit line of argument.
What next? Read your eyeballs with your web cam? Do I need to encrypt traffic on loopback? Where is "reasonable" here? There is no such thing as absolute zero trust or absolute air gap. Is the "idealized defender" an idiot who thinks that encrypting loopback mitigates pwnage at the os or hardware level? What role does deception, salting, misdirection play in a healthy security posture?
This should be interpreted as a followon to RFC 7258 (cited in the Introduction): "While PM is an attack, other forms of monitoring that might fit the definition of PM can be beneficial and not part of any attack, e.g., network management functions monitor packets or flows..."
I am reminded of this from RFC 1034: "Clients of the domain system should be able to identify trusted name servers they prefer to use before accepting referrals to name servers outside of this 'trusted' set." and rhetorically now I ask how has that worked out?
Not discounting that the technical issues and scenarios are valid, but to point out the blatantly political nature of this rhetoric.
What this gets us at the level of technical implementation is e.g. qname minimization, which in turn begets moaning about lame delegations (I don't deny they are a problem) and the horrible horrible excess traffic they cause... entirely omitting the fact that qname minimization can double the number of unprimed queries required to resolve a name. Just one example.
Is it possible to create totally network-safe (unexploitable from the network interface) computers should you start from scratch and write a new OS today? Maybe formally verified network interfaces and capability inheritance based process execution, with granular capabilities protected with a memory safe language? I'm thinking Theseus OS, with formal verification of anything that is on the network boundary.
> should you start from scratch
Not in somebody else's cloud. :-p
But ok. So there is the issue of compilers carrying binary-only payloads, which are only passed on when compiling the compiler. Really paranoid people worry about this, so it fits in the set of theoretical and demonstrated issues. But I don't have references for you off the top of my head; it's been acknowledged for a very long time.
I'm ok with heterogenenaety and calling it good enough.
Sure, be ok with the status quo, you do you. But there will emerge young people who'll see the absolutely immense yet utterly overlooked advantages of a computing stack written from scratch, and they'll take on the enormous burden. Watch out, it's about time the world stop running on a kernel written in 1991. Software does age with real world time, and it shall die a natural death if it is to not to be kept in life support at ever increasing expense.
Open source could write 5 fully functional and modern Software Development, Distribution and Running Infrastructures (currently known as an OS) per day if all the effort didn't went into the hospitalization of the current ones and the ecosystems surrounding them.
> it's about time the world stop running on a kernel written in 1991
In the spirit of debate only, I observe that the Theseus legend concerns the farmer's axe: replaced the handle three times and the head twice, still a damned good axe.
Thus marches whatever software you cite: the legionnaires may die and be replaced but the legion marches on. A lot of the burgeoning cost concerns camp followers rather than the legion itself. You seem to get that in your reference to ecosystems. Having trouble getting water in camp? If your pack animals are dying it's a different concern than your follower's. I mean, whose animals are you going to eat first?
I would like nothing better than to be running on a kernel written in 1584. (Arbitrarily chosen year, seriously.)
I get that. However the analogy doesn't hold. "Modern" software is not a hammer you can replace the two parts of. It's a Boeing 747 which only allows small, incremental improvements in the replaced parts. With great effort you can customize it to be the Air Force One but you can't make an F35 out of it unless you start from scratch. Many design decisions made 33 years ago which are unwise in hindsight are ingrained in not only all software we write today, but even in the way we think about software now.
> Is it possible to create totally network-safe (unexploitable from the network interface) computers should you start from scratch and write a new OS today?
Qubes OS comes to mind.