Hacker News Comments on
USENIX Enigma 2016 - The Golden Age of Bulk Surveillance
USENIX Enigma Conference
·
Youtube
·
3
HN points
·
1
HN comments
- This course is unranked · view top recommended courses
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.A (downvoted/dead) reply addresss the PGP question:because mainstream media didn't tell people to do it.
That's ... part of the problem, but only a part.
* Mainstream vendors never supported it within their applications.
* Key management remains difficult.
* Given the risk of key exfiltration (any soft key -- password, passphrase, PKI, biometrics -- can be compromised), PGP alone is not sufficient. Even with passphrase-protected keys.
* PGP-encrypted (and signed) email leaks massive amounts of cryptographically assured metadata. (There was a conference preso a few years back concerning PGP metadata leakage via email/Usenet though I cannot find it presently.) Absent some container which includes the message headers themselves (not just body), and the key metadata (sender / receiver), this remains a problem. And metadata are almost always more useful than message data themselves.
Not this preso, though it covers some of the same ground: https://www.youtube.com/watch?v=zqnKdGnzoh0
* Incorporating PGP/PKI into other authentication, encryption, decryption, integrity, ownership, and related process workflows is at best poor, and almost overwhelmingly nonexistent. The failure to settle on any uniform standards of web-based auth / encrypt / decrypt protocols is a major component of this.
I've been putting increasingly more thought into how protocols and standards are (and are not) established. One realisation is that very frequently it is not the supplier but a large-volume purchaser or consumer who is instrumental in establishing standards. The US Government has often played this role -- the US Bureau of Standards (established under Herbert Hoover as Secretary of Commerce), military purchasing and standardisation (often across multiple providers), the U.S. Navy's role in establishing containerisation standards during a logistics-supply problem known as the Vietnam war, standardised healthcare procedure, diagnostic, and billing codes, and more, all come to mind.
The prospect of the U.S. federal government, a large state government (California, New York, Illinois, ...), or the EU or an EU-member settling on a standard might move things forward.
As for owning your own domain -- that works, somewhat, but pushes a number of problems out into other spaces. Domain registration, ownership, control, payments, etc., are not painless, and even large organisations with dedicated personnel and procedures in place foul this up all the time.