[HN Gopher] Second Swiss firm allegedly sold encrypted spying de...
       ___________________________________________________________________
        
       Second Swiss firm allegedly sold encrypted spying devices
        
       Author : secfirstmd
       Score  : 64 points
       Date   : 2020-11-28 20:18 UTC (2 hours ago)
        
 (HTM) web link (www.swissinfo.ch)
 (TXT) w3m dump (www.swissinfo.ch)
        
       | _threads wrote:
       | It's terrible because I don't trust ProtonMail & ProtonVPN
       | entirely anymore because of this
        
         | rch wrote:
         | If you're worried about state agencies intercepting your
         | communications, you're going to have to give up certain
         | conveniences, like web based email and consumer VPN.
         | 
         | The services you mentioned should have superficial security
         | that's at least on par with dominant providers, and will
         | hopefully keep your information from being intercepted for the
         | sake of advertising. I think that's still worth something.
        
         | bitL wrote:
         | Just get one crypto device from the US, one from Russia and one
         | from China, and then encrypt your stuff using all of them, one
         | by one. Then no single secret service could decrypt it all.
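The layered scheme bitL describes, as an added example that is not part of this thread: each "device" is modelled as an independent software layer with its own key, and the message is encrypted through all layers in turn. The layer cipher is an assumed toy construction (HMAC-SHA256 in counter mode as a keystream, XORed with the data, no authentication) standing in for whatever cipher a real device would use; the keys and message are constructed here. The check at the end shows the property the comment relies on: only the full key set recovers the plaintext, while any key set missing one layer's key yields nothing useful.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter).

    Assumed construction for illustration only; a vetted AEAD would be used in practice.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One 'device': fresh nonce, keystream XOR. Output is nonce || body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def layer_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of layer_encrypt; a wrong key simply yields pseudorandom bytes."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def cascade_encrypt(keys, plaintext: bytes) -> bytes:
    """Encrypt through every layer in order (device 1, then 2, then 3)."""
    data = plaintext
    for key in keys:
        data = layer_encrypt(key, data)
    return data


def cascade_decrypt(keys, ciphertext: bytes) -> bytes:
    """Peel the layers in reverse order; every key must be present and correct."""
    data = ciphertext
    for key in reversed(keys):
        data = layer_decrypt(key, data)
    return data


# Constructed sample: three independent keys, one short message.
KEYS = [secrets.token_bytes(32) for _ in range(3)]
MESSAGE = b"meeting moved to 14:00, room B"  # constructed plaintext


def demo():
    """Return (full_keyset_recovers, [one_key_missing_recovers for each layer])."""
    ct = cascade_encrypt(KEYS, MESSAGE)
    full = cascade_decrypt(KEYS, ct) == MESSAGE
    # Simulate one party lacking layer i's key by substituting an unrelated key.
    partial = []
    for i in range(len(KEYS)):
        wrong = KEYS[:i] + [secrets.token_bytes(32)] + KEYS[i + 1:]
        partial.append(cascade_decrypt(wrong, ct) == MESSAGE)
    return full, partial


if __name__ == "__main__":
    full, partial = demo()
    print("all keys recover plaintext:", full)
    print("any single missing key recovers plaintext:", partial)
```

Two design points worth noting. The property only holds if the layers' keys are genuinely independent, which is the whole reason the comment picks devices from unrelated suppliers; a shared or derived key collapses the cascade to one layer. And the toy stream cipher provides confidentiality only: a real deployment would wrap each layer in an authenticated mode so that tampering with the ciphertext is detected rather than silently decrypted to garbage.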
        
         | StanislavPetrov wrote:
         | You shouldn't trust anything completely. All you can do is
         | manage your risk to the best of your ability and be aware that
         | unless you are talking to someone on top of a mountain and
          | neither one of you has a phone with you, everything you
         | communicate, digitally or otherwise, is very likely being
         | recorded or logged somewhere by someone.
        
       | PradeetPatel wrote:
        | As naive as this may sound, is there an internationally
        | recognised ethics framework for signal intelligence?
       | 
       | Something similar to the Geneva Convention perhaps?
        
         | lucb1e wrote:
         | Certain things are illegal to do even to the actual soldiers of
         | a country you're at war with. I'd be interested to learn if
         | these rules have been updated since the Internet (or ARPANET
         | for that matter) created a whole new realm of possibilities and
         | connections, but I assume not. I think you're right in saying
         | that conventions for this sort of thing are a good idea.
         | 
         | The rules will have to be very permissive for aggressors or
         | even friendly nations to actually follow them to some degree,
         | but it could still cover things that directly cost civilian
         | lives like hacking a hospital in a way that risks lives.
         | (Recently someone in Germany died because of malware in a
         | hospital, though the public prosecutor concluded--as expected--
         | there was too little causal evidence to press charges, even if
         | they could find the perpetrator in the first place.)
        
         | alecco wrote:
         | If you were a spy agency with virtually unlimited resources,
         | wouldn't you try to infiltrate it? Or even start one from
         | scratch?
        
       | thefounder wrote:
        | This makes you give second thoughts when you see privacy and
        | security services (i.e. email, VPN) making a big deal that they
        | are based in Switzerland. The truth is that you cannot trust a
        | 3rd party with your data. A zero trust mode is the only one
        | that you should trust.
        
         | lucb1e wrote:
         | Zero trust, so... what about the chips in your system? What
         | about the certificate authorities that Microsoft, Mozilla,
         | Apple, or Google deliver to your system?
         | 
          | It's a nice thing to say but it doesn't work, at least not as a
          | one-liner without further explanation of how you think this
          | could work.
        
           | vaccinator wrote:
           | zero trust means no computer devices around you... (including
           | TVs, toasters, etc...)
        
             | machinelabo wrote:
             | You trust your can of baked beans? The entire society runs
             | on the concept of trust. At some point, you're gonna have
             | to trust _someone_.
        
               | hutzlibu wrote:
               | True. But I like to reinforce my trust with open and
               | verifiable information.
               | 
                | Meaning, I would prefer the can of baked beans from a
                | company that is open about where their beans come from
                | and in what conditions. That would be possible today, and
                | is already done to some extent but in early stages.
                | 
                | But getting your food from the local farmer, where you
                | can actually visit the farm, it is much easier to
                | trust that it is good.
               | 
                | And regarding software, well - open source, preferably
                | with an open community (or company) around it, where you
               | can at least look through the actual dev logs and git
               | submits to see if they sound solid and if you have the
               | time and skills, jump into it to verify that they do as
               | promised.
               | 
               | Then I can have trust. Otherwise the trust would have to
               | be blind. And society has spoiled that for me, for
               | various reasons.
        
               | machinelabo wrote:
                | Huh? That's why we have regulations. Every country has
                | one; in the US it is the FDA.
               | 
               | Please don't try to shoehorn open source principles
               | everywhere in life. It becomes a chore and a burden for a
               | common citizen to verify the hazards of Baked Beans.
               | Citizens offload this to a regulatory agency. You don't
               | have the time to verify a fucking can of baked beans like
               | a million other things in life.
               | 
               | If you buy a measuring tape, do you ask for a NIST
               | certificate? Where does the chain of trust end? Somewhere
               | at the measurement standards in the pyramid of trust.
               | Your personal role in this chain ends at the brand name
               | "STANLEY", because you trust them to make a measuring
               | tape that measures within specified tolerance.
               | 
               | The whole movement around "I don't trust unless the
               | information is freely available" is a pipe dream. It
               | grinds the society to a halt.
               | 
               | I urge you to look around 99% things in life that you
               | just blindly trust. We need better mechanisms for
               | building trust than "Don't trust unless verified". It is
               | applicable in high risk situations, but the society pays
               | a huge price for such an inefficient way to live.
        
               | TeMPOraL wrote:
               | The trick is to avoid trusting parties that have
               | incentives to abuse that trust and means to do so. Free
               | market working the way it does, sooner or later one of
               | such entities will abuse that trust.
               | 
               | So, baked beans are probably OK in terms of SIGINT.
               | Depending on how well food regulations are enforced in
               | your area, I might or might not worry about the edibility
               | of them, though. But on-line services are definitely
               | suspect with respect to data handling. Doubly so, if they
               | pop up where they shouldn't be in the first place - like
               | e.g. IoT - as that's already evidence of a business model
               | built on abusive relationship.
        
               | lucb1e wrote:
               | > Doubly so, if they pop up where they shouldn't be in
               | the first place - like e.g. IoT
               | 
               | Hanlon's razor, "never attribute to malice that which is
               | adequately explained by stupidity", does seem to apply to
               | that particular one, though. But I'm no war historian or
               | politician or something; while the security of these
               | devices is stupidity to the point of criminal negligence,
               | I find it hard to say for sure whether some of this might
               | be on purpose.
        
               | machinelabo wrote:
               | That's why we have regulations and regulatory agencies.
               | You'll need to trust them to their job (just pegging the
               | trust one more level up).
        
               | lucb1e wrote:
               | TeMPOraL does seem to be aware of the existence and
               | enforcement of food regulations:
               | 
               | > baked beans are probably OK in terms of SIGINT.
               | Depending on how well food regulations are enforced in
               | your area
               | 
               | Unless you meant the IoT part, I'd love to see
               | regulations, let alone enforcement, there.
        
               | machinelabo wrote:
                | Definitely, new technologies always had this issue
                | though. Regulatory agencies move at a snail's pace to
                | adopt new changes - for good or for worse - that's up for
                | debate. Good because new tech doesn't exploit consumers.
                | Bad because haphazardly put together regulations can harm
                | businesses and progress in general.
        
           | fsflover wrote:
           | > what about the chips in your system?
           | 
           | https://www.crowdsupply.com/sutajio-kosagi/precursor
        
         | dragonelite wrote:
          | I just pretty much assume US spy agencies can track everything
          | from all the logs they can gather and have access to. Want to
          | keep a secret? Keep it in your head. Those so-called neutral
          | parties like Switzerland are just US proxies with a good image
          | that only recently got tarnished.
        
         | hkon wrote:
          | Not only that, but any service advertising their security and
          | privacy. You can't really know unless you roll your own. But
          | what kind of rabbit hole that could be is insane; iirc even
          | consumer hardware is compromised to some extent.
        
         | kebman wrote:
         | This is the trust level on some embassies around the world.
         | Special typewriters and no computers, in a soundproof room.
        
         | milofeynman wrote:
         | It's why a lot of people had pause with the new owners of PIA,
         | iirc
        
       | cybralx wrote:
       | Linked to US intelligence services. Makes you wonder how many VPN
       | services are run by governments?
        
         | java-man wrote:
         | pretty much all of them, no?
        
           | lucb1e wrote:
           | No
        
         | fakedang wrote:
         | Well.... Tor started off as a government tech right?
        
           | lucb1e wrote:
           | That a government funded mixnet research in the 80s doesn't
           | mean that VPNs are government-run, if that's what you are
           | trying to say (honestly I'm not sure what exactly you're
           | saying, the two have very little to do with each other).
        
             | schoen wrote:
             | By the way, you're off by a decade on when NRL did the
             | onion routing research -- it was in the 90s rather than the
             | 80s.
             | 
             | https://en.wikipedia.org/wiki/Onion_routing#Development_and
             | _...
        
               | lucb1e wrote:
               | Thanks, I didn't know that. It was meant more
               | illustratively than as an accurate time indication, but
               | nevertheless it's good to be correct and now I know.
        
             | nyolfen wrote:
             | the US state dept funds the tor project to this day
        
         | markus_zhang wrote:
         | So is the real solution such that you purchase internet service
         | from another country and build your own VPN?
        
       ___________________________________________________________________
       (page generated 2020-11-28 23:00 UTC)