Re: [perpass] perens-perpass-appropriate-response-01
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 04 December 2013 18:58 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C8F1AD943 for <perpass@ietfa.amsl.com>; Wed, 4 Dec 2013 10:58:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gea1_DI4Us-0 for <perpass@ietfa.amsl.com>; Wed, 4 Dec 2013 10:58:07 -0800 (PST)
Received: from mail-pb0-x22f.google.com (mail-pb0-x22f.google.com [IPv6:2607:f8b0:400e:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id C76EE1AD8F4 for <perpass@ietf.org>; Wed, 4 Dec 2013 10:58:07 -0800 (PST)
Received: by mail-pb0-f47.google.com with SMTP id um1so24119225pbc.34 for <perpass@ietf.org>; Wed, 04 Dec 2013 10:58:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=VIalVY7MESRkdwFXQzmVB3sYKx+u4riaonQXxQ2nl7Q=; b=ljBOXFMpJx9G2MHhuGMGM/HY2Y9cBLMSpLHiVrjNE40br1AqRlJTRL7i+MtG9oOZoU mfuO0aT295Y8tS7xAFbrzS6VpY4IRLMjHI/yLcIdWFoUhRttQ4UUW4/FQgB7y+Zrmkn+ c/pU2wpwxI4o9dB0Jc4d5Q81bvlDmDtQkpIJ9Q/EspiQPN1jN2i9Dzvbi6BceHgvtQtU uXuU2Dp1uzwFIqIv3kvCwpKCY0B1cWJ1wRqImLPDYMI44sYUPb9brTLesl8bKh/yGobx sZuZRSB2NNCL+1f338tXemHf8R7DTzZUSp+AidRAuzTEXSfswpIg/OrwtoZhH+h7XolN 4WeA==
X-Received: by 10.66.218.226 with SMTP id pj2mr83346737pac.62.1386183483750; Wed, 04 Dec 2013 10:58:03 -0800 (PST)
Received: from [192.168.178.20] (41.199.69.111.dynamic.snap.net.nz. [111.69.199.41]) by mx.google.com with ESMTPSA id nn6sm87748647pbc.29.2013.12.04.10.58.01 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 04 Dec 2013 10:58:03 -0800 (PST)
Message-ID: <529F7B3B.5020901@gmail.com>
Date: Thu, 05 Dec 2013 07:58:03 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <E2DA1477-C86E-441E-A33D-D47A0D67AFF3@iab.org> <EF9BD1E4-6EF3-4035-AC4E-1A2D3CADE615@mnot.net> <529E8494.7000806@perens.com> <20131204111309.GB11727@nic.fr>
In-Reply-To: <20131204111309.GB11727@nic.fr>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: perpass@ietf.org, Bruce Perens <bruce@perens.com>
Subject: Re: [perpass] perens-perpass-appropriate-response-01
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 18:58:10 -0000
I've just read draft-farrell-perpass-attack-02 again. It carefully doesn't discuss political, legal or societal issues. It discusses monitoring and surveillance as a security threat model and states that the IETF will specify technical counter-measures to this threat model. That is well within the IETF's remit. Whether implementors and operators choose to implement the resulting counter- measures is a separate question that does have political, legal or societal aspects. I think that Bruce's concerns apply to deployment, not to the IETF's work. Regards Brian On 05/12/2013 00:13, Stephane Bortzmeyer wrote: > [List of recipients trimmed to be more reasonable.] > > On Tue, Dec 03, 2013 at 05:25:40PM -0800, > Bruce Perens <bruce@perens.com> wrote > a message of 37 lines which said: > >> I have written a reply to draft-farrell-perpass-attack-00 >> Please read it at >> [1]http://perens.com/works/ietf/perpass/appropriate-response/01.pdf > > I fully agree with the idea that the problem is *political* and should > receive a *political* response. However, as you noted, IETF is not a > political forum and is not the right place for this sort of > action. But, if the *main* response should be political, the IETF can > still *help* by making mass surveillance more difficult. It is a > general principle in security: make laws but do not neglect technical > measures to make the lives of the attackers more difficult. We have > laws against burglary, for instance, but we still develop better > locks, and for good reasons. So, yes, the work of perpass is perfectly > legitimate and reasonable. > >> Attacks on consumer privacy by commercial entities are generally >> within the domain of civil law. > > IANAL but this does not seem to me to be true. In my country, > collecting illegal personal data is a criminal offense. > >> Technical attacks by sovereign powers are in general justified by >> those powers as being part of law enforcement. The justice of such >> enforcement is the topic of political discourse and the >> courts. [...] Technical responses to attacks on individual privacy >> by sovereign entities may be held as acceptable, criminal, or even >> treasonous conduct by those entities. [...] The proposers and >> implementers of systems intended to hinder law enforcement are >> arguably a criminal or treasonous conspiracy. > > But the Internet is international. My surveillance (not me, > personally, but because it monitors everyone) by the NSA is certainly > illegal in my country. Whether or not it is legal in the USA is > irrelevant to me. Therefore, any technical measure against it is fair > game. > >> None of these things [static JS or CSS files] are secret and there >> is little reason to obscure an individual's access to them. > > Excuse me, but it seems you did not participate in the many > discussions about privacy in the last ten years. It is now well-known > that any information can be processed and used to find out about > users. Monitoring access to these files is one of the simplest means > to deduce (from the pattern of access) what an user is doing. There > are therefore many reasons to obscure it. > >> There is also an energy cost: the electricity wasted by all of this >> encryption would likely result in megatons of additional carbon >> emitted from the burning of fossil fuel for electric generation, as >> well as otherwise-avoidable social and economic costs of renewable >> energy sources. > > Is there a serious comparison somewhere about the relative cost of > encryption when we routinely access HD video files? I am not sure at > all that encryption is the main cost. > >> Unfortunately, encryption doesn't help with this. The information >> being collected comes predominantly from web servers and browser >> tool bars, which are on the ends of the communication where it is >> necessarily decrypted. The server owners and software providers >> profit from using or selling user data. > > Indeed, that's the main weakness of RFC 6973. But it is not a reason > to avoid encryption, because there are still threats by sniffing > third-parties. We have many holes by which private information > leak. We try to plug these holes. All of them. (Remember that the NSA > has PRISM, with the participation of the big Web silos like Google or > Facebook, but also has MUSCULAR - spying on unencrypted links - > because they prefer to have belts *and* suspenders. Following this > line, we have to secure both the endpoints and the links.) > >> It's almost universally held within the working groups that users >> can't be responsible for their own security, > > It is not IETF-specific, it is the opinion of most security experts, > backed by many observations and studies. This is not contempt, just > the recognition that a message "X.509 certificate has the wrong > issuer, do you want to continue?" is not easy to analyse and to act > upon, even for an expert. It is not fair to ask Mr Smith to decide > based on this information. He knows nothing about security (and that's > fine with me, I don't blame him for that, I know nothing about Mr > Smith's own area of expertise) > > (Go to <https://ietf.org/> if you want a good laugh.) > > > _______________________________________________ > perpass mailing list > perpass@ietf.org > https://www.ietf.org/mailman/listinfo/perpass >
- [perpass] perens-perpass-appropriate-response-01 Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… JOSEFSSON Erik
- Re: [perpass] perens-perpass-appropriate-response… Martin Millnert
- Re: [perpass] perens-perpass-appropriate-response… Stephane Bortzmeyer
- Re: [perpass] perens-perpass-appropriate-response… Hannes Tschofenig
- Re: [perpass] perens-perpass-appropriate-response… Yoav Nir
- Re: [perpass] perens-perpass-appropriate-response… S Moonesamy
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Theodore Ts'o
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Brian E Carpenter
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Martin Thomson
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Brian E Carpenter
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… l.wood
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Stephane Bortzmeyer
- Re: [perpass] perens-perpass-appropriate-response… Joseph Lorenzo Hall
- Re: [perpass] perens-perpass-appropriate-response… Eliot Lear
- Re: [perpass] perens-perpass-appropriate-response… Pranesh Prakash
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… SM
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- [perpass] Egal wie man diskutiert (was: perens-pe… SM
- Re: [perpass] perens-perpass-appropriate-response… Paul Ferguson
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Ralf Skyper Kaiser
- Re: [perpass] perens-perpass-appropriate-response… Bjoern Hoehrmann
- Re: [perpass] perens-perpass-appropriate-response… John Wroclawski
- [perpass] Using the abusrd isn't a compelling arg… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Stephen Farrell
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] Egal wie man diskutiert Hannes Tschofenig
- [perpass] Fwd: Re: perens-perpass-appropriate-res… Bruce Perens
- [perpass] Fwd: Re: perens-perpass-appropriate-res… Bruce Perens
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Christian Huitema
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Nicholas Weaver
- Re: [perpass] Egal wie man diskutiert Phillip Hallam-Baker
- Re: [perpass] Egal wie man diskutiert Kent_Landfield
- Re: [perpass] Egal wie man diskutiert Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Farrell
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Hannes Tschofenig
- Re: [perpass] perens-perpass-appropriate-response… Albert Lunde
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Kent
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Kent
- Re: [perpass] perens-perpass-appropriate-response… Dave Crocker
- Re: [perpass] perens-perpass-appropriate-response… Richard Barnes
- Re: [perpass] perens-perpass-appropriate-response… Dave Crocker
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens