
Comment It should be in the terms of the monopoly (Score 1) 353

Remember that the reason they're your ISP, is that you gave power to the government, who made a deal with them to forcefully prevent competitors, grant easements, and other favors that most people don't get, and that no business would ever have in a free market.

The terms of that deal are negotiable. Since we now know that some ISPs have caps, "no caps" should be in all future terms.

Comment Re:Agreed (Score 1) 397

But in all practicality, how do you seize back control from the likes of the three-letter agencies?

You don't need to take back control, you just have to stop continuously ceding control to them.

Let me phrase this as ridiculously as possible, to make it easier to see how comically awful our decisions are:

The next time someone tells you to not install gpg, to not generate a key, and not cross-sign with people you know, tell them "no, I'm going to do those things."

The next time someone suggests you use webmail instead of a mail client that can encrypt and decrypt messages on a computer that you control, tell them, "no, I'd rather use my common sense instead of doing something obviously stupid."

The next time someone tells you that using a single high-stature central faceless corporation as the sole trusted introducer to authenticate a public key, tell them "that's insane on the face of it, and even 20 years ago, before HTTPS was invented, everybody knew that, which is why PGP was based on the opposite idea."

The joke, of course, is that (almost) nobody is ever there, really telling us to do things that we already know are insecure. We do those insecure things for other reasons, and usually those reasons have jack shit to do with governments pointing guns at our faces, telling us to be insecure. Democrats and Republicans aren't causing our problem here (though our underlying problem may be why we keep electing Democrats and Republicans). We do it because we don't give a fuck. If you start giving a fuck, many options become easier to see.

Comment Re:What is Bruce Schneier's game? (Score 1) 397

The mere fact that you're being investigated already means they're convinced you're hiding something. Even before they find out you're using TrueCrypt, you have already lost and they've already decided to torture/terrorize/imprison/expensively_annoy you.

The tech is irrelevant in cases like this. Imagine the same scenario, where you're not using TrueCrypt, and you simply don't have the data that they want. Same exact outcome.

Comment Re:What is Bruce Schneier's game? (Score 1) 397

For instance, rather than one signing authority, you could use three and then use three levels of public key encryption.

This is, in fact, The Best way to make PKI work. But it's not that there are multiple "levels" of PK encryption. It's that there are multiple attestations ("that key belongs to that person") in parallel, chosen by the users (and the details of their choice not strictly known to the attacker, though assuming they use gpg's defaults is a pretty decent bet), and for the output to be wrong, all the certs have to be consistently wrong.

The strength of a good WoT connection is that it requires the attacker to develop a wide conspiracy (and those are hard to keep secret) rather than coercing central authorities (which can be kept secret, though amusingly, we've learned it doesn't even have to be a secret in order to work). It multiplies defection probability estimates, quickly turning it into a pretty small number. (The downside is that the chaining does the opposite, so you've really gotta get out there and build up a lot of links. And yet, at least chaining is better than nothin'.)

Verisign can keep an NSL secret. The dozen people that you know, all of whom signed a government's or criminal's replacement key for the guy that you're trying to talk to, can't keep the NSL secret.
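The arithmetic behind the parallel-attestation argument in the comment above, as an added example that is not part of the original comment. It assumes every signer is wrong (coerced or fooled) independently with a made-up probability and that paths share no signers; the function names are hypothetical.

```python
from math import prod

def path_failure(link_probs):
    """A chained path is wrong if ANY link on it is wrong,
    so longer chains are weaker (the 'chaining does the opposite' effect)."""
    return 1.0 - prod(1.0 - p for p in link_probs)

def binding_failure(paths):
    """Disjoint parallel paths: a false key binding is accepted only if
    EVERY path is wrong, so the per-path probabilities multiply."""
    return prod(path_failure(links) for links in paths)

def signers_needed(p, target):
    """Smallest number of direct (length-1) parallel signers that pushes
    the probability of a consistently wrong binding to target or below."""
    if not 0.0 < p < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("p and target must be strictly between 0 and 1")
    count, prob = 1, p
    while prob > target:
        count += 1
        prob *= p
    return count

if __name__ == "__main__":
    P = 0.1  # constructed sample value, not a measurement
    scenarios = {
        "one central authority": [[P]],
        "three direct signers": [[P], [P], [P]],
        "one chain of three links": [[P, P, P]],
        "three chains of three links": [[P, P, P]] * 3,
    }
    for name, paths in scenarios.items():
        print(f"{name:30s} P(wrong binding) = {binding_failure(paths):.6f}")
    print("direct signers needed for 1e-6 at p=0.05:",
          signers_needed(0.05, 1e-6))
```

The independence assumption is the weak point of the model: signers who all rely on the same upstream introducer are not independent, and their paths should be counted as one.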

Comment Re:What is Bruce Schneier's game? (Score 2) 397

Open source is just one more hole that they can insert malicious code into. They can still go up to the head of the open source organization and say "you must include this back-door in your program, or go to jail"

But then they also have to persuade all the users to adopt that fork. "Use crappy software or go to jail," didn't even work for the MPAA, so why does the NSA think they have a chance? ;-)

Comment Re:Mailpile _looks_ like a dumb idea anyway (Score 1) 443

gpg in javascript is something that you download from an untrustable server, before every time you use it. And then you throw it away when you're done, so if that one copy on that one day was different, you'll probably never know.

gpg in machine code, you get once, possibly before you ever became a specific person of interest to your adversary, or they even knew who was downloading it since your apt-get's curl or wget command probably didn't send a fucking email address saying "I'm so and so, and I want some software that I'm going to tell my passphrase to," and your package manager probably has a checksum for it, so if it was different than "normal" (what millions of other e.g. Ubuntu users are using), your chances are much better that you might notice. And if it's the same and everyone's is compromised, maybe someone noticed.

The two situations are incomparable. Ubuntu's copy of gpg probably isn't compromised. We know for sure (this isn't speculation) that some web mail servers have served compromised crypto code (though it was java, not javascript, in the hushmail case) for purposes of getting the private key.

Is this all, really not obvious and not common knowledge to everyone? That would be disappointing. Fortunately, I refuse to believe that.

Comment Mailpile _looks_ like a dumb idea anyway (Score 1) 443

Paypal is scum, yadda yadda yadda. Not arguing that. In this situation, though, they might be doing the world a favor.

What this project is doing, looks like some kind of snakeoil thing. GPG and webmail? How can that possibly not be (putting it meanly) stupid and broken or (putting it nicely) a technological step backwards from 1990s email security tech?

If the server is sending plaintext to the relatively "OpenPGP-stupid" web browser, and assuming plenty of people will be hosting on VPSes not under their physical control, then the private keys are going to be extremely vulnerable. If the server is sending the ciphertext, then it must also be sending "gpg-written-in-javascript" to the browser, so that the browser can work with openpgp data, so that will be the attack point.

There's just no way webmail will be securable, until either:

1) browsers come with built in OpenPGP support, or make shell calls to GPG to do it, or something like that. And if that ever happens, then you might as well just add IMAP support to the browser too, and maybe call the browser "Navigator" instead of "Firefox." There's no reason to use webmail if you have a browser that capable.

or 2) people really self-host; i.e. you're going to trust the server to have your private keys, so it's at home, or better yet, the server is in your pocket (and is probably the same machine you're running the web browser on, once again raising the "why webmail?" question), not in some datacenter.

There are already tons of very capable email clients that have excellent GPG integration, and it sure as hell doesn't cost anywhere near a hundred thousand dollars to get them. Use one of them instead of some webmail horseshit, and fund whatever improvements you want. Not only will you get something vastly more secure, it'll be cheaper too.

I don't really like being a negative nellie asshole on this one. The mailpile team strikes me as not-stupid people with good intentions. That makes it all the more mystifying that they would try to get webmail to work; they've got to already know that the idea itself is flawed, no matter how good a job they do on it. But then I thought the same thing about Silent Circle, another obviously-dumb idea who anyone could see was vulnerable to server coercion. (and lavabit too, though I didn't even know they existed until they didn't exist.) Silent Circle was particularly disappointing, given who was behind it.

I'm not saying the classical (but secure!!) approach doesn't have difficulties for novice users, but anyone who tries to handwave those problems away by relying on trusting servers, should not be considered to be really working on the problem.

Comment Re:Not correct (Score 1) 286

Black's Law Dictionary may be more relevant than OED:

Libel: Defamatory statement published through any manner or media. If intended to simply bring contempt, disrespect, hatred, or ridicule to a person or entity it is likely a civil breach of law. However, if it causes mayhem or breach of peace, it can be a criminal breach of law. Yet, again, if the statement is newsworthy, even if defamatory, proof of benefit to the public is required to avoid criminal complaint.

Comment Re:why should apple steal someone's work? (Score 2) 180

i'm so tired of all the vitriol spewed at apple for "stealing other people's work". they've innovated the hell out of the tech industry and you should be grateful you morons. just having an item or a concept isn't useful until it's affordable and easy enough for lots of people to use it without hassle.

There's a few problems. Foremost is that you are addressing people who are angry at attempts to change computers for the benefit of the average slob. If they were happy flipping switches on a panel (or pecking away at a keyboard illuminated by the green glow of their text terminal) then everyone should be. They want to 'keep it real'.

There are also sour grapes, some NIH, etc.

My favorite from 'them' is "Apple is just a marketing company" accompanied with "anyone could do what they do". Somehow they never are able to explain if it's "so easy" and obvious why did it take until Apple did it for someone to do it? When I pose that question, comments regarding my sexual preference, my mother's sexual proclivity, and the possibility that my religious affiliation involves a certain fruit based organization are raised.
