Re: [perpass] perens-perpass-appropriate-response-01

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 04 December 2013 18:58 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C8F1AD943 for <perpass@ietfa.amsl.com>; Wed, 4 Dec 2013 10:58:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gea1_DI4Us-0 for <perpass@ietfa.amsl.com>; Wed, 4 Dec 2013 10:58:07 -0800 (PST)
Received: from mail-pb0-x22f.google.com (mail-pb0-x22f.google.com [IPv6:2607:f8b0:400e:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id C76EE1AD8F4 for <perpass@ietf.org>; Wed, 4 Dec 2013 10:58:07 -0800 (PST)
Received: by mail-pb0-f47.google.com with SMTP id um1so24119225pbc.34 for <perpass@ietf.org>; Wed, 04 Dec 2013 10:58:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=VIalVY7MESRkdwFXQzmVB3sYKx+u4riaonQXxQ2nl7Q=; b=ljBOXFMpJx9G2MHhuGMGM/HY2Y9cBLMSpLHiVrjNE40br1AqRlJTRL7i+MtG9oOZoU mfuO0aT295Y8tS7xAFbrzS6VpY4IRLMjHI/yLcIdWFoUhRttQ4UUW4/FQgB7y+Zrmkn+ c/pU2wpwxI4o9dB0Jc4d5Q81bvlDmDtQkpIJ9Q/EspiQPN1jN2i9Dzvbi6BceHgvtQtU uXuU2Dp1uzwFIqIv3kvCwpKCY0B1cWJ1wRqImLPDYMI44sYUPb9brTLesl8bKh/yGobx sZuZRSB2NNCL+1f338tXemHf8R7DTzZUSp+AidRAuzTEXSfswpIg/OrwtoZhH+h7XolN 4WeA==
X-Received: by 10.66.218.226 with SMTP id pj2mr83346737pac.62.1386183483750; Wed, 04 Dec 2013 10:58:03 -0800 (PST)
Received: from [192.168.178.20] (41.199.69.111.dynamic.snap.net.nz. [111.69.199.41]) by mx.google.com with ESMTPSA id nn6sm87748647pbc.29.2013.12.04.10.58.01 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 04 Dec 2013 10:58:03 -0800 (PST)
Message-ID: <529F7B3B.5020901@gmail.com>
Date: Thu, 05 Dec 2013 07:58:03 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <E2DA1477-C86E-441E-A33D-D47A0D67AFF3@iab.org> <EF9BD1E4-6EF3-4035-AC4E-1A2D3CADE615@mnot.net> <529E8494.7000806@perens.com> <20131204111309.GB11727@nic.fr>
In-Reply-To: <20131204111309.GB11727@nic.fr>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: perpass@ietf.org, Bruce Perens <bruce@perens.com>
Subject: Re: [perpass] perens-perpass-appropriate-response-01
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 18:58:10 -0000

I've just read draft-farrell-perpass-attack-02 again.

It carefully doesn't discuss political, legal or societal issues.
It discusses monitoring and surveillance as a security threat model
and states that the IETF will specify technical counter-measures
to this threat model. That is well within the IETF's remit. Whether
implementors and operators choose to implement the resulting counter-
measures is a separate question that does have political, legal or
societal aspects.

I think that Bruce's concerns apply to deployment, not to the
IETF's work.

Regards
   Brian

On 05/12/2013 00:13, Stephane Bortzmeyer wrote:
> [List of recipients trimmed to be more reasonable.]
> 
> On Tue, Dec 03, 2013 at 05:25:40PM -0800,
>  Bruce Perens <bruce@perens.com> wrote 
>  a message of 37 lines which said:
> 
>>    I have written a reply to draft-farrell-perpass-attack-00
>>    Please read it at
>>    [1]http://perens.com/works/ietf/perpass/appropriate-response/01.pdf
> 
> I fully agree with the idea that the problem is *political* and should
> receive a *political* response. However, as you noted, IETF is not a
> political forum and is not the right place for this sort of
> action. But, if the *main* response should be political, the IETF can
> still *help* by making mass surveillance more difficult. It is a
> general principle in security: make laws but do not neglect technical
> measures to make the lives of the attackers more difficult. We have
> laws against burglary, for instance, but we still develop better
> locks, and for good reasons. So, yes, the work of perpass is perfectly
> legitimate and reasonable.
> 
>> Attacks on consumer privacy by commercial entities are generally
>> within the domain of civil law. 
> 
> IANAL but this does not seem to me to be true. In my country,
> collecting illegal personal data is a criminal offense.
> 
>> Technical attacks by sovereign powers are in general justified by
>> those powers as being part of law enforcement. The justice of such
>> enforcement is the topic of political discourse and the
>> courts. [...] Technical responses to attacks on individual privacy
>> by sovereign entities may be held as acceptable, criminal, or even
>> treasonous conduct by those entities. [...] The proposers and
>> implementers of systems intended to hinder law enforcement are
>> arguably a criminal or treasonous conspiracy.
> 
> But the Internet is international. My surveillance (not me,
> personally, but because it monitors everyone) by the NSA is certainly
> illegal in my country. Whether or not it is legal in the USA is
> irrelevant to me. Therefore, any technical measure against it is fair
> game.
> 
>> None of these things [static JS or CSS files] are secret and there
>> is little reason to obscure an individual's access to them.
> 
> Excuse me, but it seems you did not participate in the many
> discussions about privacy in the last ten years. It is now well-known
> that any information can be processed and used to find out about
> users. Monitoring access to these files is one of the simplest means
> to deduce (from the pattern of access) what an user is doing. There
> are therefore many reasons to obscure it.
> 
>> There is also an energy cost: the electricity wasted by all of this
>> encryption would likely result in megatons of additional carbon
>> emitted from the burning of fossil fuel for electric generation, as
>> well as otherwise-avoidable social and economic costs of renewable
>> energy sources.
> 
> Is there a serious comparison somewhere about the relative cost of
> encryption when we routinely access HD video files? I am not sure at
> all that encryption is the main cost.
> 
>> Unfortunately, encryption doesn't help with this. The information
>> being collected comes predominantly from web servers and browser
>> tool bars, which are on the ends of the communication where it is
>> necessarily decrypted. The server owners and software providers
>> profit from using or selling user data.
> 
> Indeed, that's the main weakness of RFC 6973. But it is not a reason
> to avoid encryption, because there are still threats by sniffing
> third-parties. We have many holes by which private information
> leak. We try to plug these holes. All of them. (Remember that the NSA
> has PRISM, with the participation of the big Web silos like Google or
> Facebook, but also has MUSCULAR - spying on unencrypted links -
> because they prefer to have belts *and* suspenders. Following this
> line, we have to secure both the endpoints and the links.)
> 
>> It's almost universally held within the working groups that users
>> can't be responsible for their own security,
> 
> It is not IETF-specific, it is the opinion of most security experts,
> backed by many observations and studies. This is not contempt, just
> the recognition that a message "X.509 certificate has the wrong
> issuer, do you want to continue?" is not easy to analyse and to act
> upon, even for an expert. It is not fair to ask Mr Smith to decide
> based on this information. He knows nothing about security (and that's
> fine with me, I don't blame him for that, I know nothing about Mr
> Smith's own area of expertise)
> 
> (Go to <https://ietf.org/> if you want a good laugh.)
> 
> 
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
>