Safeguarding Data From Big Brother Sven?

Posted by timothy on Thu Jun 19, 2008 02:52 PM
from the dear-diary-sven-keeps-reading-my-diary dept.
An anonymous reader writes "Now that the Swedish government (in its infinite wisdom) has passed a law allowing them to monitor email traffic, a question that I think a lot of people are asking (or at least should be asking) is: 'What can I do to improve my privacy?' The answer is not obvious. So, what are the best solutions for seamless email encryption, search privacy, etc? What are your experiences with PGP vs GPG vs ...? In this day and age, why is the use of this type of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools? Also, what is in your opinion the largest privacy concern? Search tracking? Email transfer? I believe this is an interesting question not only for Swedes, but for everyone. Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance."
Reader j1976 writes with a related question: "For most users with email addresses within large organizations, implementing their own email encryption scheme is not feasible, partly because of the technological aspects, but also since users in organizations often do not have administrative access to their workstations. What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?"

Related Stories

Interviews: Philip Zimmermann and 'Guilt' Over PGP (837 comments)
Philip R. Zimmermann, creator of PGP, was quoted in a recent Washington Post article as saying he has been "overwhelmed with feelings of guilt" about the use of PGP by suspected terrorists. Zimmermann says the story was not entirely accurate, and has written a response to it (below) that he hopes will clear things up. He has also consented to a Slashdot interview, so please post any questions you have for him. As usual, we'll send 10 of the highest-moderated ones to Zimmermann by email, and post his replies verbatim as soon as we get them back.
Your Rights Online: Sweden On Verge of Passing Sweeping Wiretap Plan (234 comments)
An anonymous reader writes "No one seems to have noticed that Sweden is close to passing a far-reaching wiretapping program that would greatly expand the government's spying capabilities by permitting it to monitor all email and telephone traffic coming in and out of the country. If a bill before parliament becomes law, the country's National Defence Radio Establishment (FRA) will monitor all internet traffic that passes in or out of the country. As the article notes, there's a good chance email traveling from, say, the UK to Finland would be fair game, since it's likely to traverse through Sweden before reaching its final destination. So far, there's been nary a peep from Swedish media about the plan."
Politics: Wiretapping Law Sparks Rage In Sweden (344 comments)
castrox writes "This Wednesday at 9am the Swedish Parliament is voting on a new wiretapping law which would enable the civil agency (FRA — Defense Radio Agency) to snoop on all traffic crossing the Swedish border. E-mail, fax, telephone, web, SMS, etc. 24/7 without any requirement to obtain a court order. Furthermore, by law, the sitting Government will be able to instruct the wiretapping agency on what to look for. It also nullifies anonymity for press tipsters and whistleblowers. Many agencies within Sweden have weighed in on this, with very hefty criticism, e.g. SÄPO (akin to FBI in the US), the Justice Department, ex-employees of FRA, and more. Nonetheless, the ruling party block is supposedly pressuring its members to vote 'yes' to this new proposed law with threats to unseat any dissidents. After massive activity on blogs by ordinary citizens, and street protests, the story has finally been picked up by major Swedish news sources. The result will likely be huge street protests on Wednesday. People have been completely surprised since this law has not gotten any media uptake until very late in the game."
Your Rights Online: Wiretapping Bill Passes Swedish Parliament, 143 to 138 (326 comments)
Assar Bruno Boveri writes "Swedish lawmakers came down in favour of a fiercely debated surveillance bill in a vote at the Riksdag on Wednesday evening. Despite some cosmetic changes, Sweden's proposed surveillance law is still a monster, writes Pär Ström from the independent New Welfare Foundation." The Swedish newspaper DN (in Swedish; translations welcome) compares the implications of the proposed law with activities carried out by East Germany's Ministerium für Staatssicherheit (STASI).
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Secure tunnels (Score:5, Interesting)

    by Gandalf_the_Beardy (894476) on Thursday June 19 2008, @02:58PM (#23862207)
    Many of the financial service companies I contracted for have only been sending sensitive mail to maybe a half dozen clients. It's reasonably easy if the two IT departments get together to establish secure tunnels at the organisation level for transferring mail between them. Doesn't protect the mail outside these of course but it's a reasonably quick solution and effective if enforced with policies within the workgroup about what is and isn't permissible in an email. Requires no extra software and is easy to set up and manage.
  • SMTP over SSL (Score:5, Interesting)

    by Skapare (16644) on Thursday June 19 2008, @02:58PM (#23862215) Homepage

    One of the things we need to add is SMTP over SSL. It won't prevent all snooping, but at least between 2 people that trust each other, no snooping happens on the path between.

    • Re:SMTP over SSL (Score:5, Informative)

      by Z00L00K (682162) on Thursday June 19 2008, @03:23PM (#23862659) Homepage
      That part is actually relatively easy - and you have to remember to also implement IMAPS and POP3S - and close the IMAP and POP3 services.

      I have already implemented SMTPS, IMAPS and POP3S a few years ago. And it's actually not really necessary to buy a certificate if you are doing this for a closed group. Just use OpenSSL and generate your own certificate.

      To send emails to others both ends have to buy an email certificate, like from Verisign.

      And then some of those who voted for this law thought that encryption is very easy to crack - so easy that it doesn't matter if an email is encrypted or not. The problem with cracking encryption is that you first have to figure out which one it is - and the history is full of encryption techniques.

      So in the end - this law will be a good promoter for encryption more than anything else and the monitors can continue to search with Google and not get a bit of useful information from the real criminals and terrorists.
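
An added illustration, not part of the thread and not any poster's code: when a closed group runs SMTPS with a self-signed certificate as described in the comment above, the client can authenticate the server by pinning the certificate's SHA-256 fingerprint instead of relying on a CA signature. The byte strings standing in for certificates, the function names and the port default are assumptions made for this example.

```python
import hashlib
import hmac
import smtplib
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GROUP_CERT = b"constructed: self-signed certificate of the closed group's server"
OTHER_CERT = b"constructed: a different certificate, e.g. one issued by a public CA"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin):
    """Accept plain hex or colon-separated hex (AB:CD:...)."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a SHA-256 value written in hex")
    return cleaned


def pin_matches(der_cert, pins):
    """True only if the presented certificate is one of the pinned ones."""
    if not der_cert:
        return False  # the server presented no certificate at all
    actual = fingerprint(der_cert)
    matched = False
    for pin in pins:  # check every pin, comparing in constant time
        matched |= hmac.compare_digest(actual, normalize_pin(pin))
    return matched


def open_pinned_smtps(host, pins, port=465, timeout=10):
    """Connect to an SMTPS server; refuse to proceed unless its cert is pinned.

    CA and host-name checks are switched off because a self-signed certificate
    would fail them; the fingerprint comparison is what authenticates the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    # Only the server greeting has been exchanged so far: no login, no mail.
    der_cert = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(der_cert, pins):
        conn.close()
        raise ssl.SSLError("server certificate does not match a pinned fingerprint")
    return conn


if __name__ == "__main__":
    pin = fingerprint(GROUP_CERT)  # distributed to group members out of band
    print("group cert accepted:", pin_matches(GROUP_CERT, [pin]))
    print("other cert accepted:", pin_matches(OTHER_CERT, [pin]))
```

With a pin in place, a certificate generated on the fly by someone in the path is rejected even if a trusted authority signed it, because its fingerprint differs from the one the group exchanged.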

  • On NPR... (Score:5, Insightful)

    by Illbay (700081) on Thursday June 19 2008, @03:00PM (#23862253) Journal
    ...(Of all places) there was a pretty good segment this morning regarding email encryption, even including a short interview with Phil Zimmermann. What was VERY interesting about it, to me, was the attitudes of the "man / woman in the internet café" interviews they did, and how most people just "didn't care" about privacy issues regarding email. One fellow naively stated "I try to live my life in such a way that no one would have an issue with what I do." In my opinion, though, what YOU or I might consider innocuous might garner unwanted attention from government. As we are headed seemingly toward a more "European" philosophy here in the USA where the government assumes the duties of "personal watchdog" over your "lifestyle," what you eat, what you drink or smoke, what you teach your kids, etc., this would seem to be a foolhardy attitude.
    • Re:On NPR... (Score:5, Interesting)

      by k1e0x (1040314) on Thursday June 19 2008, @04:15PM (#23863629) Homepage
      That is absolutely right.

      The 4th Amendment was written in response to the Stamp Act. Under the Stamp Act of 1765, all documents in your possession required the king's stamp on them to be legal. You had to buy the stamps so this was in effect a tax.. the really ugly part of this law that people do not seem to know is that under the Stamp Act, British soldiers could come into your house any time they wanted to check your documents with what was known as a "writ of assistance". This is in effect a search warrant that British soldiers could write themselves. (It is akin to the NSA's National Security Letter as well..). Upon rummaging through your home, if you could not also prove that you paid taxes on other items such as your furniture or even your tea and your rum, they could arrest you.

      Privacy is a property right, you are in your right not to show your property to anyone. This becomes all the more dangerous in a society of data mining and government provided "universal health care" because the government may decide you do not work out enough or your diet is not proper.

      Don't think it can't happen.. In Japan the legal waist size is 33.5 inches. http://www.nytimes.com/2008/06/13/world/asia/13fat.html?_r=1&em&ex=1213588800&en=b5472f5ba2e31e50&ei=5087%0A&oref=slogin [nytimes.com] Anything over that and you may be sent to "re-education". If you deny "re-education" you may even be arrested for being fat.
      • Re:On NPR... (Score:5, Interesting)

        by bsDaemon (87307) on Thursday June 19 2008, @03:33PM (#23862831) Homepage
        The rest of his comment implies that he tends to the right of center -- an area of the political spectrum where NPR is not exactly loved and any information which backs up their preconceived notions, no matter what the topic is, is viewed as being "out of place."

        Of course, I used to be one of those people, too. I started out listening to NPR because I liked classical and jazz music... eventually the news wore on me and I realized that I had been sort of a dick prior. Now I really like NPR news.
  • by Hektor_Troy (262592) on Thursday June 19 2008, @03:01PM (#23862277)
    I think we're rather naïve if we believe that Sweden is the only country in the Western world to do this. They're just (one of) the first to be honest about it.

    As the submitter points out, you cannot be sure where your data is being sent on the route between you and your recipient. For all you know your "Dear Mom" email might go through Sweden, the US, the UK, Denmark, Russia and China even though you live within 50 km of each other.

    And your Skype call? Well, that's likely to do the same thing with its routing feature.

    Your SSL connection isn't any safer from snooping - not sure about MitM attacks, but if you're just listening in, do you really need to be a MitM?
    • by k1e0x (1040314) on Thursday June 19 2008, @03:10PM (#23862421) Homepage
      I've done MitM on SSL as a demonstration before. It would be reasonably hard to do in the real world even by an ISP. It involves generating a cert on the fly and passing it to the client.. today's browsers will warn on that.

      I'd be more worried about a super hardware AES cracker that the NSA isn't telling us about.
      • by 11223 (201561) on Thursday June 19 2008, @03:11PM (#23862437)
        It doesn't need to be an especially sophisticated attack if the government's doing it. Most uses of SSL just check that the other side has a properly signed certificate by a trusted authority. No doubt the government can generate trusted certificates at any time.
  • by k1e0x (1040314) on Thursday June 19 2008, @03:02PM (#23862285) Homepage
    I use s/mime and gpg. I have for years.. but I believe this is too much of a hassle for people who can't even figure out Yahoo Mail or tell the difference between Internet Explorer and Firefox.

    Some time ago I suggested someone write a Thunderbird extension that was a "one click" encryption setup. On clicking "encrypt" it would create a gpg key > send the pub key to a key server > and if it does not have someone else's key it can suggest Thunderbird and itself to that person.

    I know this is not a good way to do this, but I can't see people using pgp/gpg any other way.
      • by ahugenerd (1310771) on Thursday June 19 2008, @03:27PM (#23862721)
        You have it backwards. Your public key is used to encrypt messages that are being sent TO you, which you can then only decrypt with your master key. The idea is that you (Alice) would send your message encrypted with Bob's public key to Bob. Since only Bob has his own master key (since it doesn't get posted to the server), then only Bob can decrypt it. Bob would then reply to you by encrypting his message with your public key. And so on.
      • by Godji (957148) on Thursday June 19 2008, @03:27PM (#23862731) Homepage
        The public key server only holds your public key - the one that was meant for anyone to see. Your private key, which is the only one that can be used to decrypt messages addressed to you, stays with you. Nobody other than the parties involved in the communication ever holds one or the other's private keys.

        The "public" in "public key server" means BOTH that the key server is public AND that it is a server for public keys. The most anal-retentive name for it would be a "public public key server".

        See http://en.wikipedia.org/wiki/Public-key_cryptography [wikipedia.org] for all the details.
  • Too complex (Score:5, Insightful)

    by croftj (2359) on Thursday June 19 2008, @03:13PM (#23862469) Homepage
    It's too complex for most. If it were as simple as me putting code on my machine and sending encrypted emails to my family and friends I would do it. Sadly, I have to step them ALL through putting GPG or PGP onto their machines, creating a pair of keys then sending me and all of their friends their public key. Want to place bets how many of them would send their private key themselves?

    If MS would simplify it and make all of this just happen, I bet that there would be a big gaping hole for the gov't to make use of. Not to mention the security holes that would go along with it as well.
  • by bigtrike (904535) on Thursday June 19 2008, @03:16PM (#23862517)
    And CC all of your email to everyone in charge of this agency. Any good patriot should do this, just to be sure the nation is secure even if the email monitoring system goes down.
  • by querist (97166) on Thursday June 19 2008, @03:16PM (#23862519) Homepage
    There is no "seamless" encryption method that will give you enough protection. Sorry.

    However, there are plenty of options if you're willing to do just a little work.

    Install GPG or PGP. I use GPG because I can give it away legally to my friends who are less technically savvy and it works on Linux, OS X, and Windows.

    Enigmail will integrate nicely into Mozilla's emailer and automate nearly everything once you have the person's public key. It will even notice who your recipient is and automatically pick the correct key.

    There is something similar for the OS X Mail application (and I have it installed) but I don't remember the name of the application. It's not as bright as Enigmail and won't figure out who the recipient is automatically and pick the correct key.

    FireGPG is a plug-in for Firefox (and it works for "Mozilla" because the web browser _is_ Firefox) that will allow you to use GPG with GMail.

    I have an email account in which _all_ of the traffic is encrypted because I use these tools. I never send anything unencrypted on that account.

    It's not seamless, but it's not that hard and it is not very intrusive.

    I do not know if I should pity you because of your government reading your emails or if I should at least feel happy for you that they are honest enough to admit it (supposedly) before starting. Either way, I doubt things are any better here in the USA.

    I find it amusing that the CAPTCHA is "incided", as in this new law inciting a riot.
  • by X86BSD (689041) on Thursday June 19 2008, @03:17PM (#23862523)
    The reason PGP, and GPG as well, fail is because PKI is just too difficult to set up and maintain. I'm sure some nerd who lives in his mom's basement is going to contest this but the fact remains it's too difficult to do in most corporations let alone end users. Making a key, remembering the password, managing keys, revoking keys, it's all just a total pain in the ass. If you truly want secure email for the masses it has to be transparent. This is just a given. People are not going to do PKI. This is the main reason we don't have mass adoption of PGP encrypted email.

    The second reason and it's to a lesser extent but still a strong motivator IMO for the lack of secure options for communication are that corporations and governments don't WANT secure applications being adopted. How else can the government spy on you or corporations steal secrets from each other if things are encrypted. This isn't paranoid fantasy land I live in. I don't think any intelligent person today doesn't know especially over the last 8 years that the governments are doing everything they can to spy on you, record you, monitor you and track you. Whether it's the TSA, DHS, warrant-less wiretapping whatever we are living in a 1984-esque society. Seamless and mass adoption of strong encryption and anonymity by the masses would *seriously* curtail their ability to spy on you and find dissidents and evil doers who read catcher in the rye. So IMO these are the two strongest compelling reasons we don't have encryption for the masses yet. Phil's ZFone project is a good step in the right direction though.
  • by TheGratefulNet (143330) on Thursday June 19 2008, @03:36PM (#23862897)
    I'll go out on a limb and predict that in 5 yrs or less time, encryption will be a 'self admission of guilt' to ALL governments.

    I really hope I'm wrong. but the trend is there if you just look.

    we already have people saying 'if you are not a terrorist, you should have nothing to hide'. this is just a half step away from saying 'if you DO use encryption, you MUST be hiding something that we should see'.

    mark my words.

    you may think that you are out-smarting the governments but they have the money, the guns and all the power. and they're NOT about to give this bit of power (over the people) up.

    if you encrypt a laptop and pass thru customs, you are FORCED to reveal your password or at the least, 'open' the disk for them to view the contents of. so tell me, how did encryption help here?

    don't give me that crap about truecrypt, either. how long will it take before their border people know how to detect this? ....so depressing ;(
    • by Skal Tura (595728) on Thursday June 19 2008, @04:02PM (#23863425)
      As for passing customs, add in the hidden volume provided by truecrypt. I bet most would eat the answer "there is none" ;)

      on the "public" portion, have semi-private personal pics, ie. your gf about naked, some sex stories from web and change them like they would be your experiences, love letters same thing, and other personalish data like that.

      That "GF" doesn't even have to be YOUR gf, just grab some package of amateur pics of some website X)

      Social engineering!

      2nd solution: Public torrent based encrypted "backup" service, goes through the borders easily. Could be some kind of torrent & truecrypt mashup.

      Could work if say you want to "backup" 5 gigs, you got to host at least 10 gigs. Gigantic waste of HDD space, Gigantic waste of bandwidth, no live usage, but have good key, and you are golden :)

      In theory could work, anyone attempting something like this?
    • by Anonymous Coward on Thursday June 19 2008, @03:01PM (#23862259)
      Because no matter what country you live in some of your Internet traffic is likely to pass through Sweden. They snoop and tell your government about your stash of __________ (insert your own illegal/grey market goods etc. here). Voilà - your government has "proof" you are engaged in illegal activity and busts down your door. Moreover, you apparently haven't been watching the news regarding the change in behavior people exhibit when they know/think they are being watched.
      • by sm62704 (957197) on Thursday June 19 2008, @03:38PM (#23862939) Journal
        They snoop and tell your government about your stash of _blackjack-playing, potsmoking hookers_ (I'm in the US). Voilà - your government has "proof" you are engaged in illegal activity and busts down your door.

        Although I agree with your comment, just putting in an email, slashdot comment, or even one of my journals can't get the FBI and DEA and whatever anti-prostitution agency to break down my door. Otherwise it seems they already would have, as although I'm no gambler, my slashdot journals often feature potsmoking and hookers. Maybe I should add some blackjack.

        However, adultery is NOT against the law. Do you want your wife to find the email you sent to your girlfriend because Sweden seems to be as anti-freedom as America?

        (OT but related; why is it legal for me to fuck my congressman's wife, but illegal for me to pay her for it?)
          • by Mr2001 (90979) on Thursday June 19 2008, @05:49PM (#23865291) Homepage Journal

            I believe you may already know but, because if you pay for it: then pimps step in and abuse girls to do it.
            That's a result of prostitution being illegal, not a cause. When an industry is legal, workers can freely move from one employer to another, and disputes can be resolved with words in open court instead of a gold-tipped cane in a dark alley.
    • Ummm.....

      Linus is from Finland. [wikipedia.org]

    • by JSBiff (87824) on Thursday June 19 2008, @03:20PM (#23862595) Journal
      You make a fundamental assumption that there are no stupid criminals or stupid terrorists. Yes, *some* terrorists and criminals are smart enough to encrypt their emails. But I'm sure there really are people out there stupid enough to talk about their criminal plans/exploits in plaintext email, or plaintext IMs, because they are just stupid. The Swedish government will, no doubt, catch some of those stupid criminals through such spying on email, then point to those cases whenever they talk to the media/public about why this is a 'good thing'.

      As with any invasive authoritarian law, the government can always present anecdotal examples of it 'working', and so 'justify' the law, despite the fact that it's fundamentally a bad law, and probably not necessary.