On Fri, Sep 6, 2013 at 9:02 AM, Vinayak Hegde <vinayakh@xxxxxxxxx> wrote:
On Fri, Sep 6, 2013 at 8:41 AM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
On Thu, Sep 5, 2013 at 9:36 PM, Brian E Carpenter <brian.e.carpenter@xxxxxxxxx> wrote:
I'm sorry, I don't detect the emergency.
I'm not saying there's no issue or no work to do, but what's new about
any of this?

As I have suggested to several people, we can turn lemons into lemonade.

While it is nice to do a dedication of this meeting to the NSA surveillance, I do not see us solving any issue here. It is merely a "feel-good" measure without real impact.
First, the IETF always had a bias for action. We always respect "rough consensus and running code". So far I have not seen any I-Ds and drafts to fix the privacy and encryption issues on this thread.
Second, technology can never fix what is essentially a political problem. For example, we mandate strong security protocols and end-to-end encryption in HTTP(S) by default. Let's assume all browsers implement this and do this perfectly without software flaws. All the NSA has to do is to compromise the other endpoint (controlled by ACME major corp). ACME gives over the encryption keys and access to all the unencrypted data to the NSA. So now what are we going to do? The IETF can make a political statement by taking a stand but that may mean nothing in reality when the laws are weak. Another example is when you have encrypted your drive and do not want to hand over the keys as it has some personal (and possibly incriminating evidence). In several countries you can be held in jail indefinitely (with obvious renewals of sentences) until you hand the keys over[1]. So in summary, technology cannot solve political and legal issues. At best it can make it harder. But in this case maybe not even that.
Also when people talk about NSA surveillance, they often talk about
servers and PCs which serve as endpoints. The NSA seems to have figured
out that the weaker points are in the intermediate routers and bugs in
the software[1]. If anything, network engineers and operations should
update their software more regularly[1].
-- Vinayak

1. http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/