- From: Jacob Appelbaum <jacob@appelbaum.net>
- Date: Sat, 5 Dec 2015 15:21:10 +0000
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>

On 12/5/15, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> --------
> In message
> <CAFggDF0CzfWuufur4f8RrVYc7kxqKsCatim-Pqhg+i+1jHqQpA@mail.gmail.com>
> , Jacob Appelbaum writes:
>
>>> I have no idea what the Tor project will do, but fortunately the
>>> human rights activists I know about have a fallback.
>>
>>I suspect that they will use Tor bridges or another similar bypass
>>method. If they need help, we're always happy to help - please ask
>>them to reach out if we can help.
>
> Obviously I am not going to say anything here that would compromise
> anybody, but I can safely tell you that they are not in your dataset
> for the graph you linked to, and that any contact to the Tor project
> will be at least three arms' length.

Understood. Nonetheless - the offer stands, if you have questions
for example, please do reach out.

>>People related to the Tor Project have been working to submit evidence
>>with regard to the latest series of bills on exactly this topic. I
>>guess other groups will do the same.
>
> Sure.
>
> And did you see what all the evidence did for the decision about
> bombing Syria ?

I admit, I did not submit evidence for that topic. I also have a near
total lack of faith in say, the governments involved in those
activities. That doesn't help me with my latent cynicism. Still, I
think we have to look at each place where we can participate and then
we can make an impact by contributing informed information.

>>I'm sorry if I was unclear: The high cost is a cert chain that works
>>on everyone without installing a root.
>
> If you are a government, the cost of getting everybody to install a
> root-cert is probably cheaper than the kit.

I do not believe that the root cert in question will be shipped by
browsers or devices without a user manually installing it.

> In Denmark for instance, all the legislation is in place to require
> people to accept a root-cert for our "NemID" (digital citizen/company
> ID/ single signon), the cert can be downloaded as part of the logon
> procedure and in a matter of days a very large fraction of all Danish
> computers have the root-cert installed.

Yes, I can imagine that may happen - hopefully the cert would be
scoped for specific connections, domains or otherwise treated
differently.

> Other countries are similarly positioned. Given their current
> "cyber-war" threat-models, they'd be stupid if not.

Yes, the next step is likely to escalate in this direction. We see it
in many places - still - the fact that things are detectable, fail
closed or require a user to consent will again, change the terrain of
struggle for everyone who cares about these issues.

> (NB: I'm not saying their threat-models are correct or even sane,
> they're not, but given that threat-model, being able to roll out a
> root-cert is the obvious thing to be able to do.)
>
>>Surely you're aware that I'm working on many different angles at the
>>same time - exactly in many of the areas that you suggest.
>
> I'd expect no less of you Jacob.

Hooray. :-)

> And I'll do anything I can do, including as much "empty rhetoric"
> as I can fit through my various megaphones.

Yes, I totally see that. I feel that it is clear that we're allies
even though we disagree about some of the issues.

>
> In other related news: The first news-item yesterday, following
> the Danish referendum (look it up) was "Denmark's NO means we cannot
> participate in the new anti-terror flight-passenger database". It
> was made abundantly obvious that this was a TERRIBLE thing.

Interesting. The PNR system is a rich target for collection. Once the
EU has it running with long-term data, it will only be protected as
much as the most honest attacker decides to keep it protected.

> We have, so far, *totally* failed to get the population behind us
> on this cause.

Many of the data collection issues at hand are as inaccessible as
critical facts in biology to entire populations. I'm not sure that
we'll find a way to deal with it until data is taken, leaked and/or
abused. It is very frustrating that systems at scale do not allow for
opt-out.

All the best,
Jacob

Received on Saturday, 5 December 2015 15:21:40 UTC