Free software against Echelon

Posted 7 Sep 2001 at 11:09 UTC by mpawlo

The existence of Echelon is often debated. Conspiracy theory, reality or both? You tell me. The EU Commission thinks Echelon is real. Now they want free software to protect Europe.

As reported by Gnuheter the Commission has published a report on Echelon. The Commission concludes (p 19 English version):

29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;

30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;

31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category;

Read entire report (PDF-format).

ACLU on Echelon.

Wired on Echelon.

Do you think free software and open source software is the answer? And what is the question?

interesting., posted 7 Sep 2001 at 12:43 UTC by lkcl » (Master)

define 'user-friendly' wrt encryption, please :) most people haven't a clue what encryption _is_ :)

to be honest with you, if a government is watching what you're doing, then as long as they have no legal right to _act_ upon what they see, such that they might as well not bother, and if they do they can be sued for all they're worth _and_ the wronged party has a right to all the legal and financial support of the judicial system, i don't honestly see what the fuss is about.

issues such as reliability and hidden snooping systems, and not having default low-security settings that save corporate money because they don't get the calls '*whine* my in'ur'ne' duurn' wuurk', such that people get hit by viruses and worms because they haven't a clue, are much more vital than whether echelon is in use or not.

other than that, i think this is a great idea.

it's just such a pity that they don't stand a chance with ms having 95% of the market share that the EC considers, in respect of this report, to be important.

with no access to the underlying APIs that such email programs will need, open source is in exactly the same position as other corporate entities that have lost market share due to ms strategies (okay, maybe we have an edge, but it's not much of an edge, being honest). until those strategies are neutralised, it's going to be tough going.

notes (int/ms), posted 7 Sep 2001 at 23:01 UTC by Malx » (Journeyer)

User-friendly encryption means that every encrypted mail would have a nice Film-like look (lots of meaningless symbols on screen) until the user presses the big button "decrypt" :)
After that the background of the mail displaying window changes from green to white and he could read the mail.
Also it would be great to make a delay of decrypting (partial showing of message) to show the length of key used (poorly encrypted would be painted on screen during 10 sec. Good encryption would take 30 sec)

How about keys? It would be an icon (key image) on the desktop. So you could DnD it to floppy or to the mail window.

How to exchange keys? It would be called E-calling-Card. At an exhibition you'll exchange information with people the same way you do with phone/mail cards now. Just insert the floppy into the box and you have another card (with public key included). Or even Bluetooth/IR wireless exchange

And Windows is the real problem here.... But you forgot that if the government would be really serious, it could insist on using Linux/FreeBSD (open/free source) at least for servers, at least for all gov. departments.

And you could make tools for server side (sendmail) seamless encryption.....
Also it could mean - no free mails any more. Only a fixed list of recipients you need to talk to.

The main problem with encryption, posted 8 Sep 2001 at 01:04 UTC by gary » (Master)

During World War II, British intelligence read a fairly decent amount of encrypted Enigma traffic. The problem (from the Germans' point of view) was never that the Enigma machine was particularly insecure; it was almost always human error. Not just any old humans either: the people entrusted to use the Enigma were always highly trained. Still, human error occurred often enough to allow a significant number of messages to be cracked.

For example, one part of the process involved the operator selecting three random letters. Several operators always picked the same three letters. Once this was realised, the intelligence guys realised that if they got a message encrypted by one of these guys then they knew the letters he set and cut down the keyspace by a factor of 17,576, and because it was not strong encryption, once you broke one message on a net you could crack them all for that day.

Need more convincing? At one stage operators were ordered to insert `junk' words at random points in the message. The manual specified three or four such words, like "bucket" or "christmas tree". Many operators used just those words, allowing an easy break into the message.

This may make you laugh, but people have not changed. Phil Zimmermann tried as hard as he could to stop you from being stupid with PGP but still people manage it. Ever downloaded a package and its signing key from the same server at the same time?

People need to be educated to use encryption properly, but the fact of the matter is that most people simply do not care.

people, posted 8 Sep 2001 at 11:28 UTC by Malx » (Journeyer)

I see...
Still I think that it is possible to write clever soft, which will not depend on people's uncleverness....... :)

The good news, posted 8 Sep 2001 at 15:08 UTC by lilo » (Master)

It seems to me that this commission report is not a magic bullet. Yes, people will keep using Microsoft software. Yes, any number of people who use encryption software will not use it carefully.

But for people who want to use encryption and are careful enough to use it effectively, the report is a real PR coup. It's a way to argue convincingly against the intrusion of Microsoft marketing into government-sponsored and -mandated software use.

The problem with people reading your mail is, they don't have to tell you they're doing so. They can decide whether to use the information now or wait, whether to use it publicly or privately. Whether to pass laws allowing the more efficient use of that class of information. This puts a lot of power into the hands of the people who read your mail. It's an enormous temptation for bureaucrats. Not a good thing for civil liberties or personal freedom.

Open Source for Microsoft and Oracle, posted 9 Sep 2001 at 12:37 UTC by mpawlo » (Master)

I don't consider the encryption part or even the Echelon reference the most interesting issue in this respect. In my opinion, the reference to free software is quite remarkable. The report is quite bluntly stating that proprietary software cannot be trusted, while no external party is reviewing the source code. I guess not only governments will consider this a problem in the long run.

I think this report and others following it will eventually make major software companies--like Oracle and Microsoft--apply open source-like business models. This does not mean that Microsoft will end up in bed with Richard M Stallman, but it could mean that Microsoft will be less reluctant in disclosing its source code for external review.



Free Software is good for Security, German Government noticed, posted 10 Sep 2001 at 00:32 UTC by ber » (Master)

Free Software is good for security. David Wheeler answers the question: Is Free Software good for Security positively in the Secure Programming for Linux and Unix HOWTO.

The German Government also noticed this, so the BMWi was funding work on gnupg and might fund more. If you are interested in this development I hope to continue status notes on gpa-dev. We should start a meta project for Free Software and secure e-mail. Working title is "GPA" for GNU privacy assistance. Check August 2001 in the above archive.

In the USA, it's tough to sue the government, posted 10 Sep 2001 at 12:46 UTC by ztf » (Apprentice)

lkcl, I don't know what it's like on your side of the pond, but in the USA it's impossible to sue the Federal government without the consent of the government to be sued. Fantastical, but true.

Which puts a crimp in the argument "let them, and sue them if they get out of hand." Threats of lawsuit against the Feds are pretty much ineffective as a check on the actions of the Federal government.

re: interesting, posted 12 Sep 2001 at 23:28 UTC by gerv » (Master)

define 'user-friendly' wrt encryption, please :)

User-friendly is Mozilla (i.e. Netscape 6) mail, whereby:

- every incoming encrypted message has its public key fetched from the keyserver and is decrypted before display. Any replies are automatically encoded with the same public key

- each address book entry can have a public key (often automatically obtained) associated with it, which is used to encrypt all mail to that address

- every time you send an email to a new address, the Collected Addresses feature which stores the mail also queries the keyserver for a key. If there is one, it encrypts the mail to be sent and stores the key for later use. ... or something like that :-)

