- From: Norbert Bollow <nb@bollow.ch>
- Date: Tue, 20 Aug 2013 20:40:36 +0200
- To: David Singer <singer@apple.com>
- Cc: "public-restrictedmedia@w3.org" <public-restrictedmedia@w3.org>
David Singer <singer@apple.com> wrote:

> > (1) People who are non-US persons must, if they want to deny the NSA
> > the ability to watch what they're doing online (without the NSA
> > having any need for a warrant, and without any other democratic
> > checks and balances), avoid using an operating system which is
> > closed source software that comes from a US company.
>
> I don't think (I don't know, of course) that the NSA relied on any
> 'probes' or the like in the client computers.

It is in fact publicly known that they did, at least in regard to computers running Microsoft software.

http://blogs.computerworlduk.com/open-enterprise/2013/06/how-can-any-company-ever-trust-microsoft-again/index.htm

> Why bother, when you
> can watch their traffic, much more easily, by having probes in
> important high-traffic internet links?

Some communications are encrypted. If there is a convenient way to break into one of the computers which are communication endpoints, that is the easiest way to snoop on those encrypted communications.

> I certainly don't think that
> any monitoring software on the client side, if it existed at all,
> would rely on any DRM or the like. Again, why bother?

Any vulnerability that allows the attacker to execute arbitrary code with the user's privileges has the same devastating effect on the user's privacy, regardless of whether the vulnerability is in a DRM system implementation or elsewhere.

> I think you are under a dangerous illusion if you think using only
> free software on your computer makes you immune from, or even at
> reduced risk from, being monitored.

Just like no chain can be stronger than its weakest link, no assurance of a security property can possibly be stronger than the weakest among all the assertions on which it relies.
Let's face it, for any piece of software X, if X is closed source software from a US company, then the credibility of the assertion “X does not contain any security vulnerabilities which the NSA may exploit at will against any non-US target” is pretty much zero nowadays.

This implies that anyone outside the US who wants any kind of credible degree of privacy protection must avoid using closed source software from US companies. In practical terms, the alternative is to use free software exclusively or almost exclusively.

(With “almost exclusively” I mean the possibility that if there are some proprietary software programs that you want to use for specific reasons, there is the option of isolating them e.g. in a VM which is then specifically managed so that the lack of trust for those programs won't prevent you from being able to achieve credible assurances for a reasonable set of security properties. This kind of set-up and reasoning is non-trivial, but it can be done.)

Using a free software operating system is not sufficient of course. But for any reasonably well-informed non-US person who wants the feeling of being able to communicate privately (which is by the way internationally recognized as a human right), using a free software operating system is a necessary step nowadays.

I find it rather disturbing if that ends up being made incompatible with the ability to fully participate in modern culture (note that the right “To take part in cultural life” is also internationally recognized as a human right).

Greetings,
Norbert
FreedomHTML.org
Received on Tuesday, 20 August 2013 18:40:54 UTC