On Mon, 19 Aug 2013, Randy Brukardt wrote:

> wrote in message
> news:alpine.DEB.2.10.1308191900320.24091@debian...
> On Fri, 9 Aug 2013, Randy Brukardt wrote:
>
>> 1. obscuring is the best method against unfocused surveillance
>> 2. unfocused surveillance works only with known protocols.
>>
>> I question the first statement.
>
> Right.
>
>> The second one is dangerously wrong, and there are plenty of
>> counterexamples.
>
> I view it as a definition.

Huh?

> If you truly are using only "unknown protocols", then you're by definition
> using a private wired connection,

Randy, please check your logic. The sentence in question was "unfocused surveillance which works only with known protocols". This is logically equivalent to "unfocused surveillance does not work if at least one protocol is unknown."

I claim that using a homemade protocol over an existing physical and transport layer can (and actually is likely to) be less secure than a well-evaluated and publicly known security protocol.

The statement you are trying to defend is logically different "unfocused surveillance does not work if all protocols are unknown." This is not a definition -- but it is a statement I can agree with.

> This is where I always lose it. Filenames being sensitive information? Only
> if the programmers in question are complete idiots. (And I realize there are
> plenty of them out there.)

Not really. Any security application or a security protocol is designed around a threat model. It is impossible to protect the user from any threat one can imagine -- so the user has to be aware what are the threats the protocol protects her from.

> I can't imagine any value being associated with knowing that there is a
> file name "J2Typ_De.Ads" that makes up part of the Janus/Ada compiler.

Imagine you send or receive a file with the name dxtiddfh887876y2012.xls, where "dxtiddfh887876y2012" happens to be the reference number of a file Snowden copied from the NSA computers. Even if the content of the file has been well encrypted, the filename would earn you some "friendly visits" ...

> Besides, anyone who puts anything sensitive in the cloud for long-term
> storage is going to be a victim sooner or later.

Agreed! But the topic was on protocols, i.e., data in transit, rather than long-term storage.

> If you need public connections, then surely use SSH.

Agreed. Which is what the OP has been asking about, namely sftp (which is ftp + ssh).

> In truth, though, it's probably all pointless. The government (anybody's
> government) will soon ban computers that they can't control.

I am fairly optimistic that this will not happen in Europe. I am not so sure about the US.

------ I love the taste of Cryptanalysis in the morning! ------
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--