Re: [perpass] perens-perpass-appropriate-response-01

Ted Lemon <> Wed, 04 December 2013 23:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F2E481A1F7C for <>; Wed, 4 Dec 2013 15:27:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e89MCtR_uM_H for <>; Wed, 4 Dec 2013 15:27:08 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 46A4E1A1F4A for <>; Wed, 4 Dec 2013 15:27:08 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPSA id D589D2380384; Wed, 4 Dec 2013 18:27:03 -0500 (EST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Wed, 4 Dec 2013 18:27:02 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Bruce Perens <>
X-Mailer: Apple Mail (2.1822)
Cc: Theodore Ts'o <>, perpass <>, Stephane Bortzmeyer <>, Jacob Appelbaum <>
Subject: Re: [perpass] perens-perpass-appropriate-response-01
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Dec 2013 23:27:10 -0000

On Dec 4, 2013, at 3:29 PM, Bruce Perens <> wrote:
> Every society chooses its balance between freedom and enforcement. Ours isn't the right balance today, agreed. But the proposals I see here are the hacker approach - we're not patient to deal with this as a political problem, so we'll change everyone's web browser.

I think you're missing the point.   The point is not that the NSA can surveil you.   The point is that _anyone_ can.   The NSA is just who most publicly did it recently.   We know of a number of really successful attacks that have actually been done, in the real world, by law enforcement organizations, but that could be done as easily by a criminal organization.

The lesson here is not "okay, so let's stop law enforcement from eavesdropping."   It is "holy shit, we are really vulnerable."

As to the question of encryption generally, nobody questions (I hope) that we want our transactions with banks to be secure.   I think it's generally accepted that what videos we watch is private (there's a federal law in the U.S. making it illegal for video stores to give out that information).   The Supreme Court recently decided that the FBI couldn't put a GPS tracker on your car without a warrant.   So at least in the U.S., we are not navigating uncharted waters.   Yes, we have a problem with LEO spying.   But as a country, we do recognize the need for at least some communication to be confidential.   And this is not a legal understanding that is unique to the U.S.   Canadian appellate courts have held similarly, for example.

So whether you think LEO spying is a good idea or not, there is clearly a problem here with the protocols that we have deployed on the internet.   They make it too easy for _anybody_ to eavesdrop, and to use the information they acquire whilst eavesdropping in really nefarious ways (e.g. the watering hole attack someone referred to recently).   And it is entirely appropriate for the IETF to think very seriously about how to make these protocols more secure.