Confidentiality in the Face of Pervasive Surveillance

Confidentiality is for the privileged. For normal people, it's not as if the math to do encryption yourself will be outlawed, but it's not practical to stay connected to the world at large and to maintain meaningful privacy.

The kind of capital-F Freedom that is supposed to exist in the Free World is in practice just the gap between what's practical to control hierarchically and the level of desired power to control (effectively limitless). Technology continues to narrow the gap.

Some of the themes of societal change in my lifetime are: reduced trust, reduced privacy, centralization of power, increased economic efficiency at the expense of robustness, and increased profit extraction at the expense of nearly everything else.

One of my privacy techniques has been to build a container with a new network namespace, randomly select a VPN server from the set of ~5k that my VPN provider has running across the globe and connect to it within that namespace, spawn a fresh instance of a web browser with no cookie history or anything of the sort, run DNS filtering and ad-blocking components, and then perform the individual task I want to perform with it before shutting the whole thing down.

I have all of this scripted to launch trivially within a few seconds, and it reduces the effectiveness of most of the attacks this RFC describes.

This is ten years old. Needs a date.

Was hoping for some new tips on what to do about government agencies demanding information from constituents and then storing it in MS Windows.

Text link: https://www.rfc-editor.org/rfc/rfc7624.txt

1) Their idealized attacker "can observe every packet of all communications at any hop in any network path between an initiator and a recipient"

2) Therefore: "Protocols that do not encrypt their payload make the entire content of the communication available to the idealized attacker along their path."

3) Furthermore: "When store-and-forward protocols are used, intermediaries leave this data subject to observation by an attacker that has compromised these intermediaries..."

I will now prove a negative: If the idealized attacker has 1 then they've already achieved 3. Therefore this is a bullshit line of argument.

What next? Read your eyeballs with your web cam? Do I need to encrypt traffic on loopback? Where is "reasonable" here? There is no such thing as absolute zero trust or absolute air gap. Is the "idealized defender" an idiot who thinks that encrypting loopback mitigates pwnage at the os or hardware level? What role does deception, salting, misdirection play in a healthy security posture?

This should be interpreted as a followon to RFC 7258 (cited in the Introduction): "While PM is an attack, other forms of monitoring that might fit the definition of PM can be beneficial and not part of any attack, e.g., network management functions monitor packets or flows..."

I am reminded of this from RFC 1034: "Clients of the domain system should be able to identify trusted name servers they prefer to use before accepting referrals to name servers outside of this 'trusted' set." and rhetorically now I ask how has that worked out?

Not discounting that the technical issues and scenarios are valid, but to point out the blatantly political nature of this rhetoric.

What this gets us at the level of technical implementation is e.g. qname minimization, which in turn begets moaning about lame delegations (I don't deny they are a problem) and the horrible horrible excess traffic they cause... entirely omitting the fact that qname minimization can double the number of unprimed queries required to resolve a name. Just one example.