Warrantless data access is for surfing history etc from the ISP - the data in the database for Silver Stackers is essentially private property of the business operating the forum - I would need to check the legalities but if the hosting company where the website is hosted was to simply hand a copy over on request without a warrant they would be in breach of the Privacy Act - assuming the host does more than $3m/pa in turnover. Forum is moving shortly to one that definitely does anyway.
Is there any international obligations? Would hosting the website on an overseas hosting co/server make any difference in regard to handing over information to the feds?
I clearly said that I wasn't on board with it. I just suspect that of the 3,400 Australians that have been spied on, 2,000 of those are new employees of government departments, being fully aware that they are being "spied upon".
I'm surprised no-one has mentioned SSL encryption to protect the traffic between your computer and the SS server as well as verifying you are actually talking to the SS server . For ~$20 a year it's a nice little security/privacy boost as long as the servers can stand up to the extra load.
SSL is still prone to MITM attacks. With enough resources somebody could spoof a certificate and most people would be none the wiser. Back in my olden days on IRC we used a customized encryption system based on twofish and encrypted all of our chats. I think something like that is way overkill though for what we're doing (which is totally legal anyway). If you really have to do something questionable, perhaps don't do it on a public forum?
Yes it is, but it will also throw a certificate error up and (hopefully) an educated user would not continue. Granted this is the biggest failing of the SSL/TLS standards. I love to see some literature or a POC on this because I don't believe this is possible. You can self-sign a cert when doing a MitM or steal the real cert and use it to inspect the flowing traffic but i've not seen anything that can spoof a cert without generating the aforementioned error message. If the site is passing any sort of sensitive information (such as passwords) then it really should go across SSL/TLS anyway.
You talk a lot of detail about side issues but looks like most of you missed the main message. I think this is normal for apathetic people who live in the moment and cannot see what lies before them. Once you reach the stage where countries like Italy and Greece are now - and you will - and the state starts to make greater use of these abusive powers it has taken from under your noses to take whatever "taxes" it thinks appropriate and force on you all other forms of rules like stopping you moving your money out of currency then I believe more people will awaken from their slumber? Unfortunately by then it will be too late.
There have been plenty of examples over the years. http://it.slashdot.org/story/08/12/23/0046258/perfect-mitm-attacks-with-no-check-ssl-certs First one I google'd up. Basically you can hijack a legit cert distributor and make your own "legit" certs. No error messages and no nothing. Have you checked what certs your browser allows without question? Here's mines: Do you vet each and every company on that list to determine they are legit? I know I don't. I most certainly know that your average computer user does not.
