[HN Gopher] Second Swiss firm allegedly sold encrypted spying devices
___________________________________________________________________
Second Swiss firm allegedly sold encrypted spying devices
Author : secfirstmd
Score  : 64 points
Date   : 2020-11-28 20:18 UTC (2 hours ago)
web link (www.swissinfo.ch)

_threads wrote:
| It's terrible because I don't trust ProtonMail & ProtonVPN
| entirely anymore because of this

rch wrote:
| If you're worried about state agencies intercepting your
| communications, you're going to have to give up certain
| conveniences, like web based email and consumer VPN.
|
| The services you mentioned should have superficial security
| that's at least on par with dominant providers, and will
| hopefully keep your information from being intercepted for the
| sake of advertising. I think that's still worth something.

bitL wrote:
| Just get one crypto device from the US, one from Russia and one
| from China, and then encrypt your stuff using all of them, one
| by one. Then no single secret service could decrypt it all.

StanislavPetrov wrote:
| You shouldn't trust anything completely. All you can do is
| manage your risk to the best of your ability and be aware that
| unless you are talking to someone on top of a mountain and
| neither one of you has a phone with you, everything you
| communicate, digitally or otherwise, is very likely being
| recorded or logged somewhere by someone.

PradeetPatel wrote:
| As naive as this may sound, is there an internationally
| recognised ethics framework for signal intelligence?
|
| Something similar to the Geneva Convention perhaps?

lucb1e wrote:
| Certain things are illegal to do even to the actual soldiers of
| a country you're at war with. I'd be interested to learn if
| these rules have been updated since the Internet (or ARPANET
| for that matter) created a whole new realm of possibilities and
| connections, but I assume not. I think you're right in saying
| that conventions for this sort of thing are a good idea.
|
| The rules will have to be very permissive for aggressors or
| even friendly nations to actually follow them to some degree,
| but it could still cover things that directly cost civilian
| lives like hacking a hospital in a way that risks lives.
| (Recently someone in Germany died because of malware in a
| hospital, though the public prosecutor concluded--as expected--
| there was too little causal evidence to press charges, even if
| they could find the perpetrator in the first place.)

alecco wrote:
| If you were a spy agency with virtually unlimited resources,
| wouldn't you try to infiltrate it? Or even start one from
| scratch?

thefounder wrote:
| This makes you give second thoughts when you see privacy and
| security services (i.e. email, vpn) making a big deal that they
| are based in Switzerland. The truth is that you cannot trust a
| 3rd party with your data. A zero trust mode is the only one
| that you should trust.

lucb1e wrote:
| Zero trust, so... what about the chips in your system? What
| about the certificate authorities that Microsoft, Mozilla,
| Apple, or Google deliver to your system?
|
| It's a nice thing to say but it doesn't work, at least not as a
| one-liner without further explanation of how you think this
| could work.

vaccinator wrote:
| zero trust means no computer devices around you... (including
| TVs, toasters, etc...)

machinelabo wrote:
| You trust your can of baked beans? The entire society runs
| on the concept of trust. At some point, you're gonna have
| to trust _someone_.

hutzlibu wrote:
| True. But I like to reinforce my trust with open and
| verifiable information.
|
| Meaning, I would prefer the can of baked beans from a
| company that is open about where their beans come from
| and in what conditions. That would be possible today, and
| is already done to some extent but in early stages.
|
| But getting your food from the local farmer, where you
| can actually visit the farm, it is much easier to
| trust that it is good.
|
| And regarding software, well - open source, preferably
| with an open community (or company) around it, where you
| can at least look through the actual dev logs and git
| submits to see if they sound solid and if you have the
| time and skills, jump into it to verify that they do as
| promised.
|
| Then I can have trust. Otherwise the trust would have to
| be blind. And society has spoiled that for me, for
| various reasons.

machinelabo wrote:
| Huh? That's why we have regulations. Every country has
| one, in the US it is the FDA.
|
| Please don't try to shoehorn open source principles
| everywhere in life. It becomes a chore and a burden for a
| common citizen to verify the hazards of Baked Beans.
| Citizens offload this to a regulatory agency. You don't
| have the time to verify a fucking can of baked beans like
| a million other things in life.
|
| If you buy a measuring tape, do you ask for a NIST
| certificate? Where does the chain of trust end? Somewhere
| at the measurement standards in the pyramid of trust.
| Your personal role in this chain ends at the brand name
| "STANLEY", because you trust them to make a measuring
| tape that measures within specified tolerance.
|
| The whole movement around "I don't trust unless the
| information is freely available" is a pipe dream. It
| grinds the society to a halt.
|
| I urge you to look around at the 99% of things in life that
| you just blindly trust. We need better mechanisms for
| building trust than "Don't trust unless verified". It is
| applicable in high risk situations, but the society pays
| a huge price for such an inefficient way to live.

TeMPOraL wrote:
| The trick is to avoid trusting parties that have
| incentives to abuse that trust and means to do so. Free
| market working the way it does, sooner or later one of
| such entities will abuse that trust.
|
| So, baked beans are probably OK in terms of SIGINT.
| Depending on how well food regulations are enforced in
| your area, I might or might not worry about the edibility
| of them, though. But on-line services are definitely
| suspect with respect to data handling. Doubly so, if they
| pop up where they shouldn't be in the first place - like
| e.g. IoT - as that's already evidence of a business model
| built on an abusive relationship.

lucb1e wrote:
| > Doubly so, if they pop up where they shouldn't be in
| > the first place - like e.g. IoT
|
| Hanlon's razor, "never attribute to malice that which is
| adequately explained by stupidity", does seem to apply to
| that particular one, though. But I'm no war historian or
| politician or something; while the security of these
| devices is stupidity to the point of criminal negligence,
| I find it hard to say for sure whether some of this might
| be on purpose.

machinelabo wrote:
| That's why we have regulations and regulatory agencies.
| You'll need to trust them to do their job (just pegging the
| trust one more level up).

lucb1e wrote:
| TeMPOraL does seem to be aware of the existence and
| enforcement of food regulations:
|
| > baked beans are probably OK in terms of SIGINT.
| > Depending on how well food regulations are enforced in
| > your area
|
| Unless you meant the IoT part, I'd love to see
| regulations, let alone enforcement, there.

machinelabo wrote:
| Definitely, new technologies always had this issue
| though. Regulatory agencies move at a snail's pace to
| adopt new changes - for good or for worse - that's up for
| debate. Good because new tech doesn't exploit consumers.
| Bad because haphazardly put together regulations can harm
| businesses and progress in general.

fsflover wrote:
| > what about the chips in your system?
|
| https://www.crowdsupply.com/sutajio-kosagi/precursor

dragonelite wrote:
| I just pretty much assume US spy agencies can track everything
| from all the logs they can gather and have access to. Want to
| keep a secret? Keep it in your head. Those so called neutral
| parties like Switzerland are just US proxies with a good image
| that only recently got tarnished.

hkon wrote:
| Not only that, but any service advertising their security and
| privacy. You can't really know unless you roll your own. But
| what kind of rabbit hole that could be is insane, iirc even
| consumer hardware is compromised to some extent.

kebman wrote:
| This is the trust level on some embassies around the world.
| Special typewriters and no computers, in a soundproof room.

milofeynman wrote:
| It's why a lot of people had pause with the new owners of PIA,
| iirc

cybralx wrote:
| Linked to US intelligence services. Makes you wonder how many VPN
| services are run by governments?

java-man wrote:
| pretty much all of them, no?

lucb1e wrote:
| No

fakedang wrote:
| Well.... Tor started off as a government tech right?

lucb1e wrote:
| That a government funded mixnet research in the 80s doesn't
| mean that VPNs are government-run, if that's what you are
| trying to say (honestly I'm not sure what exactly you're
| saying, the two have very little to do with each other).

schoen wrote:
| By the way, you're off by a decade on when NRL did the
| onion routing research -- it was in the 90s rather than the
| 80s.
|
| https://en.wikipedia.org/wiki/Onion_routing#Development_and_...

lucb1e wrote:
| Thanks, I didn't know that. It was meant more
| illustratively than as an accurate time indication, but
| nevertheless it's good to be correct and now I know.

nyolfen wrote:
| the US state dept funds the tor project to this day

markus_zhang wrote:
| So is the real solution such that you purchase internet service
| from another country and build your own VPN?
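bitL's layered-devices idea from earlier in the thread, as an added example that is not part of the discussion: three independently keyed layers are cascaded (the per-layer cipher is a stand-in built from HMAC-SHA256 in counter mode, an assumption made here, not any real product), and the checks show that a party holding only one layer's key, say the vendor of a deliberately weakened device, still cannot recover the message. The property rests on the keys and nonces of the three layers being generated independently of each other.

```python
import hashlib
import hmac

# Constructed sample keys and nonces, one per hypothetical device. In practice
# each would be generated inside its own device, never derived from a shared seed.
KEYS = [b"device-A-key".ljust(32, b"\x00"),
        b"device-B-key".ljust(32, b"\x00"),
        b"device-C-key".ljust(32, b"\x00")]
NONCES = [b"nonce-A", b"nonce-B", b"nonce-C"]
MESSAGE = b"constructed sample message for the cascade demo"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One device's operation: XOR with its keystream. Applying it twice undoes it."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def cascade_encrypt(keys, nonces, plaintext: bytes) -> bytes:
    """Pass the message through every device in turn, A then B then C."""
    ct = plaintext
    for key, nonce in zip(keys, nonces):
        ct = layer(key, nonce, ct)
    return ct


def cascade_decrypt(keys, nonces, ciphertext: bytes) -> bytes:
    """Undo the layers in reverse order; every key is required."""
    pt = ciphertext
    for key, nonce in reversed(list(zip(keys, nonces))):
        pt = layer(key, nonce, pt)
    return pt


def strip_single_layer(keys, nonces, i: int, ciphertext: bytes) -> bytes:
    """What a party holding only device i's key can compute: the other layers remain."""
    return layer(keys[i], nonces[i], ciphertext)


if __name__ == "__main__":
    ct = cascade_encrypt(KEYS, NONCES, MESSAGE)
    print("all keys recover message:", cascade_decrypt(KEYS, NONCES, ct) == MESSAGE)
    for i in range(len(KEYS)):
        print(f"key {i} alone recovers message:", strip_single_layer(KEYS, NONCES, i, ct) == MESSAGE)
```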
___________________________________________________________________
(page generated 2020-11-28 23:00 UTC)