We have the tech: Strong encryption, Tor-like relays, and the blockchain. What we need is a way to make services based on these technologies not just as easy to use but easier to use for the average Jane.
If the internet as we know it is to survive, we have to crack this nut.
May sound far-fetched, but it isn't.
(The singular with a "the" means the Bitcoin blockchain, which is increasingly centralised under a decreasing number of Chinese mining pools. And this is apart from the stupendous list of problems with literally every single aspect of Bitcoin. It may not be a great idea to pin any of our hopes on the digital Cue::Cat.)
Or a different social order (my favorite) - but the first problem is probably much easier to solve in a short time-frame.
We get that, then we might integrate it with our existing technologies to implement and use it. Need the foundation first, though.
Pick one. That is why we are in the mess we are in.
I'm glad Snowden said DNS should be encrypted. From the tweet stream provided by @conflictmedia, that was tied for 1st for most re-tweeted, along with making the Internet for users, not spies. (It should be noted that DNSSEC is not encrypted.)
Too bad his appearance wasn't recorded, but HUGE thanks to Niels ten Oever and Rich Salz for tweeting major points!
You know, it's funny because just last week, I chatted with a friend of mine in the UK who gave me a pretty crazy rundown of the DNS issues he was having. I found out that BT (UK's leading ISP) hijacks DNS for parental control purposes (read: pornblock).
More info here: https://thecomputerperson.wordpress.com/2015/02/18/bts-netwo...
It boggles my mind actual major ISPs get away with this stuff. Sure am glad to use dnscrypt.
Edit, because HN won't let me post a rebuttal to the reply below:
Private corporations can be compelled and coerced by the government in other ways that aren't readily publicized. If you think these companies enjoy wasting resources on porn filters then you're crazy. Wikipedia:
"Prime Minister David Cameron made it clear in July 2013 that his aim was to ensure that by the end of 2013 all ISPs would have a filtering system in place.[13] As a result three of the four major ISPs (TalkTalk, Sky and BT[14]) began applying default filtering to new customers in 2013[15] with the fourth major ISP, Virgin, doing so in February 2014.[16] Default filtering of existing customers was implemented by all four major ISPs during 2014 with the aim of ensuring that the system applied to 95% of all households by the end of the year.[17][18]"
This timing isn't a big coincidence. Elect a better PM (or indirectly elect considering this is the UK) if you don't want such shenanigans.
There is a fairly healthy ecosystem of BIND alternatives these days, but djbdns is not one of them.
Routers frequently redirect anything going to port 53 to a local cache, and anything that doesn't look like a regular, unencrypted DNS query will be dropped on the floor.
It's also fairly common to have routers only support some DNS records, or to be unable to return more than one record type in a response (e.g. no RRSIG records and A records together). Wi-Fi access points are particularly good at making any attempt at making DNS more secure next to impossible.
I've been working on DNSSIG, a DNSCurve-like protocol that encapsulates signed responses in TXT and CNAME records, similar to what ip-over-DNS tunnels do. The end result is pretty ugly.
DNSCrypt initially used port 53, similar to DNSCurve, but it turned out to be a terrible idea, as it didn't work for the majority of home users, who had routers redirecting DNS queries.
And yet, when HBO screwed up their dnssec config and Comcast blocked the site, how did users react? By demanding Comcast stop verifying!
(Fully encrypted DNS can only fail in even more ways than dnssec.)
The main reasons DNSSEC fails frequently are:
* pre-computed signatures, rather than online signing
* a demented, overly complex protocol
* signatures that expire rapidly
Maybe tptacek can name some others. The only DNS encryption people are currently using (DNSCurve/DNSCrypt) does per-packet encryption, with a very simple protocol involving only a single ciphersuite designed by djb, and no signatures. This makes all the difference in the world.
If encryption were so bad then people wouldn't be using TLS, SSH, etc. It's the terrible design of DNSSEC that has poisoned efforts in DNS security.
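As an added example (not code from any commenter in this thread), a small monitor for the "signatures that expire rapidly" failure mode discussed above: it parses RRSIG records in dig's presentation format and flags the ones a validating resolver would already reject, or will reject within a few days. The record lines are constructed samples, and the regex assumes class IN and a single-line signature field.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 s3.2): owner ttl class RRSIG type-covered
# algorithm labels original-ttl sig-expiration sig-inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+.+$"
)

def parse_timestamp(s):
    # YYYYMMDDHHmmSS, always UTC in presentation format
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RRSIG presentation line: %r" % line)
    d = m.groupdict()
    return {"owner": d["owner"], "covered": d["covered"], "signer": d["signer"],
            "keytag": int(d["keytag"]), "expiration": parse_timestamp(d["expiration"]),
            "inception": parse_timestamp(d["inception"])}

def check_rrsig(line, now, warn_days=3):
    # RFC 4035 s5.3.1: valid only if inception <= now <= expiration, else SERVFAIL.
    r = parse_rrsig(line)
    if now < r["inception"]:
        return "not_yet_valid"  # signer clock ahead, or published too early
    if now > r["expiration"]:
        return "expired"        # the HBO-style outage behind validating resolvers
    if r["expiration"] - now <= timedelta(days=warn_days):
        return "expiring"       # re-sign now, before the window closes
    return "ok"

def audit(lines, now, warn_days=3):
    # Everything a monitor should alert on, as (owner, covered type, status).
    out = []
    for line in lines:
        status = check_rrsig(line, now, warn_days)
        if status != "ok":
            r = parse_rrsig(line)
            out.append((r["owner"], r["covered"], status))
    return out

# Constructed sample records (not real zone data); the signature field is a dummy.
SAMPLE = [
    "example.test. 3600 IN RRSIG A 8 2 3600 20150301000000 20150201000000 12345 example.test. c2ln",
    "www.example.test. 3600 IN RRSIG A 8 3 3600 20150401000000 20150301000000 12345 example.test. c2ln",
]
```

Run `audit` over the RRSIGs of your own zone (e.g. from `dig +dnssec`) on a schedule; anything it returns is a record resolvers like Comcast's will stop answering for.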
People are leaning on him way too much for way too many things. I'm not even saying my statements apply to the article here so much as in general for people interviewing or citing him. Anyone reading posts of high-security engineers pushing strong hardware and software security pre-Snowden would've survived almost everything in NSA's toolbox using such methods. Leads me to add that Snowden seems totally unfamiliar with that stuff and it's unsurprising given his job was SIGINT-related rather than strong INFOSEC.
My only failure was not focusing on clean slate chips and hardware design enough. My priority was software but prioritizing the kind of hardware I've promoted here & elsewhere would've got me further. Makes the software easier to secure. Just was too lazy to learn all the hardware engineering knowledge it takes to (a) do custom hardware and (b) do sub-micron, custom hardware. I'm making amends now, at least.
My vision is complete and planned, all the way until The World Brain! See: https://sherlock.ischool.berkeley.edu/wells/world_brain.html
The first layer, MORPHiS, is a global secure encrypted distributed datastore that deprecates bittorrent, email and the web so far and is slated for release at the end of this month!
See http://reddit.com/r/morphis for details.
Sorry for reddit; it is because I keep getting shadow banned here for being pro-Snowden, etc. Do not worry, MORPHiS is designed to deprecate hacker news! Anyways, the website is morph.is but doesn't launch until the 31st of this month. Read the only article in the /r/morphs subreddit for lots of details on MORPHiS!
Peace all!