lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hpr-knowledge-base/hpr_transcripts/hpr1373.txt

297 lines
17 KiB
Plaintext
Raw Permalink Normal View History

Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00
Episode: 1373
Title: HPR1373: 01 - Why Do We Need Privacy, And Isn't It A Waste Of Time Anyway?
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1373/hpr1373.mp3
Transcribed: 2025-10-18 00:24:30
---
So
This is Ahuka and welcome to Hacker Public Radio and a series that we want to get into
some issues about security and privacy.
Now, this is going to be in some respects, I think, a little different from some of the
other series like my Libra Office series where, you know, for the Libra Office series,
I'm sort of the sole author of that, although anyone else who wants to create a program
on Libra Office is more than welcome to do so.
But for this security and privacy series, I really want to throw this open to the entire
Hacker Public Radio community and say it would be great if anyone jumped in to offer
some of their perspectives on this.
Maybe you think that I got something wrong and you want to write in and correct me or
you've just thought about something that I haven't thought about yet, a different topic
what happens, a lot of stuff we can talk about.
So I really hope that we will get some response from other people and that this series
will get large and create a very useful resource for anyone who wants to get into this further.
But I'm going to start and what I want to do is talk about privacy, why we need it and
why it's actually possible to get privacy, which is one of those things that a lot of people
may not actually understand.
So we probably, I would say most of us have the idea that government, whatever government
wherever you live, is investigating things all the time.
As you know, I live in the United States.
I don't think our situation is unique in that respect.
If you think back a few years, the government of India, for instance, told Blackberry that
they would not let it operate in that country unless it put servers within India and gave
them the keys to get in and take a look at all of those messages.
I tend to think that might have just been the first crack that led to Blackberry being
on the verge of disappearing.
Their whole selling point was that they could deliver secure communications and India
proof that governments will not tolerate secure communications.
That leads me to formulate O'Brien's first law of privacy, which is every government
regards the privacy and freedom of its citizens as a flaw and seeks to fix that flaw.
All right, I'm sure someone somewhere said something similar to this previously, but
until I see the citation, I'm claiming it.
Now, they don't necessarily do it because they are inherently evil.
I don't believe that either, although surely some of them are.
But I would imagine many of these security people have the highest possible motives and
believe that they are doing this for our own good.
If they could just monitor all of the communications, surely that will let them prevent the next
9-11 or the next 7-7.
And we'd want them to do that, wouldn't we?
And if I thought that reading all of our communications would in fact do that without any nasty
unintended consequences, I might even go along with it.
But the fact is you can't do this without a lot of unintended consequences.
One of them is that no citizen has any privacy at all.
And when the government then decides for any reason that you are the enemy, they can
crush you like a bug.
And you know what, they've already decided that you are the enemy.
We know that from the transcripts released by Edward Snowden, the NSA refers to the citizens
of the United States, let alone all you foreigners as adversaries.
They say that in their internal communications.
So even if you don't want to be in a conflict, they've already decided that you are.
Now I know every country is different, and we all have different cultural backgrounds.
So some of the things that motivate me may not motivate you, or certainly not all of
you to the same extent, but in the United States we like to think that we are a free people
and that the government is limited in its powers.
And many of us remember the words of Benjamin Franklin, one of our most revered founding fathers
who said, those who can give up essential liberty to obtain a little temporary safety deserve
neither liberty nor safety.
Many of us in the U.S. would rather live as free people than have an overbearing government
looking into all of our affairs.
In fact there is an excellent argument that free speech is endangered by all of this.
If you know that your every communication is being recorded, read, and monitored by the
government, you will probably censor yourself.
And we see people doing that now.
To go to Benjamin Franklin one more time, freedom of speech is a principle pillar of
a free government.
When this support is taken away, the constitution of a free society is dissolved and tyranny
is erected on its ruins.
So that is why I think we need privacy and security from our government.
And the problem is that they have gotten very good at seizing the opportunities presented
to them by the bad guys.
After 9-11 they were able to seize a lot of power in the United States.
And I think the same thing happened in England after 7-7.
In England, the home of George Orwell, author of 1984, they have been able to put cameras
pretty much everywhere and most people don't seem to find anything odd about that.
These encroachments on our privacy seem to have a ratchet effect which leads to O'Brien's
second law of privacy.
The tendency over time is for government to intrude more, nevertheless.
So every time there is a crisis, more gets surrendered and those losses become permanent.
And at the next crisis, they push the boundary even further until no one has any privacy at
all.
I think satisfies the imperative in O'Brien's first law of privacy.
Now the next hurdle for many people is that they think it is no use.
The government has lots of very smart scientists.
They have supercomputers.
They have massive resources to use.
We know the NSA built a mammoth facility in Utah that has not just terabytes but exabytes
of capacity that they are going to record all of this data.
Obviously, it is no use to even try to be private.
Well, in fact, that is not true.
Bruce Schneier, and he is one of the people that I check very frequently, renowned security
expert, looked into some of these recent revelations about NSA activity, dug into it and reported
back, you can trust the math.
The NSA or GCHQ has not achieved any kind of breakthrough that renders encryption useless.
Done properly, you can have secure communications that they cannot read.
And your data can be secure.
You can exchange files securely and so on.
It turns out to be not that hard.
If you look at what the NSA did, it turns out that they just subverted the human side
of the equation.
If someone else has the keys to your stuff, all they need to do is get them to turn the
keys over.
And that is a lot of what the NSA did.
We had an example here in the United States.
A fellow named Lodar Levison ran a secure mail service called LavaBit and went out of business
because the government went after him and said, we want all of your SSL keys.
He has 400,000 customers.
And the thing you have to understand about Lodar Levison is he's a law-biting citizen.
And he has, in any time the government has gone there with a warrant, signed by a judge
showing probable cause, he has handed over all of the information that the warrant required.
But the change here was that the government was saying, no, we don't want to go after
individual people.
We want everything that you have on all of your customers and we want the keys to get
it.
Well, Lodar is a hero, he went out of business.
I would assume that if they did that with LavaBit, they've already done it with all of
the other email providers and those other email providers are not heroes.
That's something to think about.
So that's one of the things that, but bear in mind, if they're having to go after the
keys, that means they don't have any other way of doing it.
If they could just take a supercomputer and run all this stuff through it and out comes
the plain text on the other side, they would just do that.
They can't.
That's the point.
Now the other thing the NSA has done is subvert standards, okay?
So let's take a look at some of these actions, all right?
Look at the evidence.
First there was a claim that they had direct access to the servers at places like Google,
Yahoo, and Microsoft.
And those companies strenuously rejected that idea.
So who is right?
So we already had the answer if we had paid attention.
The NSA did not need direct access to the servers as long as they had direct access to
the data.
And they can do that from the switching rooms of the telecom and network providers.
We know they did this because it was exposed in 2006.
Check out the history of room 641A, the NSA spying program.
And by the way, there is a link in the show notes.
And while I'm mentioning it, let me just say there's a lot of links in the show notes
for this particular program.
But anyway, in that link, what we saw was that they had set up in a switching room of AT&T.
They had their own room and just captured all the traffic coming in and out.
Another clue.
The program for this is called Prism.
And what is Prism?
Prism is a device for splitting a beam of light.
So what the NSA was doing, all of this data was coming on optical cables.
They just put a splitter.
So they got a copy of all of the data that they could put on their servers.
Now, if all of this traffic was in the clear, if it was unencrypted text, they got everything.
But if it was encrypted, they have a problem of needing the keys.
Without the keys, all they have is a blob of random or pseudo-random nonsense.
And they are right now powerless to crack it if you do it correctly.
That is what Bruce Schneyer meant by trust the math.
Now, what about subverting the standards?
In the United States, we have a body called the National Institute of Standards and Technology
and IST, and they promoted a standard for something called elliptical curve encryption.
Now, the NSA participated, in fact, you might even say they guided the formulation of this
standard.
Well, particularly in the wake of Edward Snowden's revelations, a lot of people say,
hey, wait a minute, what happened with that?
Well, they asked some security experts to take a look at that standard, and they came back
and said, this is so complicated, we can't even assess it.
We don't know what's going on in here.
We can't figure it out.
It's a spaghetti mess of code.
Now, that should be a big fat, hairy clue.
Good security is simple.
It's never complicated.
As it turns out, there's nothing wrong with elliptical curve encryption as a general
approach.
In fact, it is a distinct improvement on some current methods.
But the version the NSA guided is most likely crippled in a way that they can use.
So the general pattern of evidence tells us the NSA cannot simply break any code.
Therefore, it is practical to securely encrypt your communications.
And I would argue that if you place any value on freedom, it is your duty to employ these
methods.
The only way to change what the government is doing is by resisting, and the more of
us who do so, the less they can do anything to stop it.
And to those who say that if you have nothing to hide, you shouldn't object, I invite you
to publicly post the URL for the webcam you installed in your bathroom.
Now, I want to give you some resources.
And we've got a whole bucket of links in the show notes to cover all of this.
So these are just some of the things that have helped me to get a better understanding
of all of this stuff.
So I'm going to start with Corey Docturo.
Corey Docturo has published some excellent books about this kind of thing.
And two of them are Little Brother and Homeland.
You can find both at his website, which is craphound.com.
And Corey, God love him, puts the electronic text of all of his books online for anyone
to just download.
So go ahead, check it out.
Then there's a podcast that I like called The Command Line.
It's by a fellow named Thomas Gideon.
He is a friend of Corey Docturo.
The content of his podcast varies.
It's not a purely security oriented, but he does get into security and privacy from time
to time.
They're frequently featured.
So you can see his podcast at the commandline.net and subscribe to that.
Probably find that interesting.
There's a book by David Khan called The Codebreakers, which is considered a classic, sort of the history
of secret writing.
And in fact, at one point it was considered a danger to the United States.
But it's really just a good history of how folks have tried to secure their communications
over the millennia.
I checked it out.
I used to have a paperback.
I can't put my hands on it.
I hope to God.
I didn't lose it.
But when I went looking, they're now Amazon listed for $75.
I'm not sure that's the best way of spending $75.
I can think of.
But if you can find one used in a bookstore for a reasonable price, it is worth picking
up.
Another one you can get that covers much of the same ground is called The Codebook by Simon
Singe.
Or Singe.
I'm not sure how you, S-I-N-G-H, I'm not good at pronouncing those names.
That's available in a Kindle edition, if you like that sort of thing, which you can get
from Amazon or go to your local bookseller.
And I would say that you could pick it up for $9 or $10 and it's going to be well worth
it.
Another classic is called The Puzzle Palace by James Banford, which was really an inside
look at the NSA.
It's been out for a while, so it's not the most current.
But it certainly is.
It's a good book.
Again, you should be able to find a used copy if you look around.
Another podcast I want to mention is one called Security Now.
And that is on the Twit Network.
Features Steve Gibson, usually with Leo the Port, highly recommended for a non-sensational
view of what's going on in the world of security, what the NSA is doing, and so on.
Now as far as I know, Steve was the first person to correctly figure out just what the NSA
was doing with Prism.
And if you get used to listening to this particular podcast regularly, one of the things I appreciate
about it is, as often as not, he'll say about a particular report, these people are getting
hysterical.
This isn't a big deal.
And it's good to have something that's going to bring you back down to Earth from time
to time.
It's very easy to get sensational and hysterical about all this stuff.
A video podcast that I like is called Hack Five.
And that is, that's on the Revision Three Network, I believe.
If you go to Hack Five.org, you can find out all about that.
Now I've mentioned Bruce Schneier a couple of times, and he's got a lot of resources.
I've got an autographed copy of Schneier on Security, which is a treasured item on my
bookshelf.
You know, Bruce is one of the top people in the field.
He's published many books.
Schneier on Security is a good one.
You can find it on Amazon or at various booksellers.
If you want an overview of Security in general and how to think about it, he wrote a book called
Beyond Fear that was published, I believe, in 2003.
So it was after 9-11, and it was basically Bruce saying, hey, folks, let's not get hysterical,
let's think rationally about what security means.
He also publishes a great newsletter called The Cryptogram, and you can subscribe to it
by email.
Cosnothin has great information, and he has a blog, which is also called Schneier on Security,
which you can go to his website at Schneier.com and sign up for that.
Again, all of these links are in the show notes.
The Sands Institute is a great resource, and that's at sands.org, is the website,
and that's all security oriented.
They've got some mailing lists, they've got some blogs, there's just a ton of useful
material there.
And then finally, another blog that you can subscribe to is called Krebs on Security.
Brian Krebs was a security columnist with the Washington Post, and then went off on
his own.
So he's got a blog there, and that's a good thing you can sign up for and get some additional
information.
So I think I've given you a whole bunch of good resources to take a look at.
I hope you will, you'll all take a look at those.
And that will give us something to think about, and then next time we'll get into the basics
of encryption.
But for now, we'll just remind everyone to support free software, thank you.
You have been listening to Hacker Public Radio, or TechUpublicRadio.org.
We are a community podcast network that releases shows every weekday and Monday through Friday.
Today's show, like all our shows, was contributed by a HBR listener like yourself.
If you ever considered recording a podcast, then visit our website to find out how easy
it really is.
Hacker Public Radio was founded by the digital dog pound and the infonomicum computer
cloud.
HBR is funded by the binary revolution at binref.com, all binref projects are proudly sponsored
by Luna Pages.
For shared hosting to custom private clouds, go to LunaPages.com for all your hosting
needs.
Unless otherwise stasis, today's show is released under a creative commons, attribution, share
a line, free those own license.
Reference in New Issue Copy Permalink