
OpenBSD and the latest OpenSSL bugs


Posted Jun 13, 2014 7:20 UTC (Fri) by malor (guest, #2973)
Parent article: OpenBSD and the latest OpenSSL bugs

It strikes me that, given what we now know about the NSA's massive surveillance and active cracking of encryption whenever possible, it's downright irresponsible to discuss private, security-related information on any unencrypted channel.

Email is no longer a good method for spreading news of security problems, because the spooks are going to read that mail, and exploit the bugs before they can be fixed.



OpenBSD and the latest OpenSSL bugs

Posted Jun 13, 2014 7:32 UTC (Fri) by dlang (guest, #313) [Link] (2 responses)

So what encrypted channel do you think exists that has no chance of the spooks listening in on (either by intercepting the channel and breaking the encryption, by having control of one of the endpoints to read the message as it's decrypted for viewing, or by simply subscribing like anyone else)?

And how long do you think the channel is going to remain 'spook proof'?

Also, keep in mind that anyone you send the info about a security problem to is going to have to pass the information to others, so all those organizations' internal communications need to be equally secure, and people had better not talk about it in a meeting, because it's really hard to have face-to-face discussions encrypted...

OpenBSD and the latest OpenSSL bugs

Posted Jun 14, 2014 8:10 UTC (Sat) by malor (guest, #2973) [Link] (1 responses)

I didn't say the solution would be easy, just that it's necessary.

In a world of ubiquitous surveillance, people could die because of unencrypted discussions of this type. Nice people, ones you'd like to have over for beer and movie night, who happen to hold opinions that are deemed threatening by their government.

If a solution doesn't exist to let a group of security researchers discuss things in a fairly secure way, then we really need to write something. Perhaps something vaguely like SilentCircle might be appropriate.

OpenBSD and the latest OpenSSL bugs

Posted Jun 17, 2014 14:53 UTC (Tue) by dlang (guest, #313) [Link]

> I didn't say the solution would be easy, just that it's necessary.

You can claim that it's necessary as much as you want, but I'm saying that you need to first establish that it's even possible.

I'm claiming that in an environment where you don't know who the people are, and where trying to establish who everyone is would be detrimental to your mission, keeping 'spooks' off of the list isn't going to be possible.

