Hard News: The Real Threat
192 Responses
-
Stephen Judd, in reply to
The deal with treating metadata properly in the legislation is that many people fear that the GCSB currently believes comms metadata -- who calls whom, when, where, etc -- is not classed by them as a "communication", and therefore not subject to the same rules re warrants and oversight etc. So the reason we want a proper treatment of metadata in law is to clarify that metadata collection and analysis in the comms context is equally intrusive, in order that the GCSB be more restrained, not less.
In making this argument we're strictly concerned with the point of view that says the message is the communication and the details about the message are metadata. I agree that actually, the "meta-ness" of metadata is a matter of your current view of what the data is.
-
Trevor Nicholls, in reply to
Defence Force denies spying on Stephenson. Minister believes them.
Have they actually denied spying on him in any way? The report I heard said they denied any unlawful/illegal surveillance. Given that the legality of what the GCSB et al have been doing is one of the points at issue, y'know....
-
Sacha, in reply to
good point, yes.
"Minister hears what suits him"
-
I agree with Martin 's observation that https isn't s, not so much because of the other end of the cloud, but because the security of the system depends on the independence of the root certificate authorities.
-
SteveH, in reply to
I agree with Martin ’s observation that https isn’t s, not so much because of the other end of the cloud, but because the security of the system depends on the independence of the root certificate authorities.
But the other end of the connection is critical. Encrypting communication is irrelevant if the government (assuming that's who you're trying to keep your communication private from) can force the other party to reveal what you've communicated, or worse if they have a system like Prism that provides a backdoor into the data held by the other party. Using https for gmail is literally worse than useless if the NSA are harvesting data directly from Google's servers - functionally it's useless but it's actually worse than useless because it gives the illusion of security, possibly tricking you into trusting a communication channel that is not secure.
-
https does not hide what website you are communicating with, only the data sent between you and the site.
It should also be remembered that government and government-controlled organisations are in the trusted certificate authority lists of your typical browser. That means that they can redirect your internet traffic through an intermediate site using their encryption and decryption keys. They can pretend to be publicaddress.net and your browser will be perfectly happy with it as it has a certificate from a trusted source that it is the real deal.
-
I don't disagree - but making life difficult for the spooks by requiring them to do much more intrusive things (like demanding certs or backdoors into web sites) rather than just sitting there quietly and reassembling our packets and interpreting them in their own paranoid ways (think of it as a game of "telephone" with consequences) without us having any knowledge it's even going on.
We've known about things like the San Francisco AT&T internet tap (where the NSA takes a copy of every packet passing through that exchange) for several years now, Snowden tells us it's wider and more pervasive than we ever imagined. I have no controls over how my packets, my voip calls, my web accesses, etc get to the UK or Europe - I can't choose an ISP who promises not to send them through the US or through a switch tapped by the NSA - but what I can do is encrypt my packets, hopefully putting them in the "too hard" basket for casual NSA snooping.
I tossed Skype last week after we learned that Microsoft was enabling supposedly encrypted calls - peer-to-peer is the way to go - anything with a centralised service can be compromised by spooks quoting secret laws - luckily the crypto cat is out of the bag and we can all find our own secret large primes.
-
http://www.salon.com/2013/07/29/can_apple_and_google_be_trusted/
“Strongly encrypted data are virtually unreadable,” NSA director Keith Alexander told the Senate earlier this year.
Unless, of course, the NSA can obtain an Internet company’s private SSL key. With a copy of that key, a government agency that intercepts the contents of encrypted communications has the technical ability to decrypt and peruse everything it acquires in transit, although actual policies may be more restrictive.
PGP encrypted mail is still reasonably secure, but HTTPS might not be. The problem with PGP mail is maintaining your list of public keys for the people you want to talk to, (if you can get your correspondents to take the whole thing seriously enough to install pgp) and managing my keys across the wide variety of computers, tablets, phones etc that I use on a daily basis to access my mail.
Security, ease of use, or cheap price. Pick one.
-
Meanwhile back in the trenches ..
A good friend of mine, a senior journalist, is running his own backlash campaign, this from his email
"What I am seeking is an agreement that we will all, with effect from Monday August 5, copy j.key@ministers.govt.nz into every email we send.
Since he is so keen to read them, it seems to me that it is our patriotic duty to assist him. Obviously we can elect to except matters of a private nature; if they want to read them, they can spy on us.
But dentists' appointments; minutes of the tennis club committee meetings; correspondence with TradeMe traders; rsvps, anything. Stuff with massive attachments would be really good.
I expect this to have no effect other than nuisance value. But who knows: with a bit of luck one or two of us might get arrested. Or one of those subversive reporters might get onto it." Be interesting to see if it makes the news on 5 Aug.
-
yeah what we really need is a secure, decentralised, easy key distribution system - as you point out currently it's a pain
The problem is that the current centralised system takes care of much of what we need quietly behind our backs but it provides a single point of failure that allows for the possibility that someone can forge my bank's public key - really I should be snarfing my bank's key off of my ATM card, or grabbing it directly at the bank rather than depending on some third party to provide the infrastructure.
Every couple of months I have a conversation with a bank teller pointing out that I have no way to know whether their banking web site is safe to use - they usually dismiss my complaints .... then I point out that the DECT phone that they just used to talk over their secure phone system is easily hackable and was broken years ago (I implement DECT for a living) - I've been pointing this out for years now but they haven't reverted to corded phones yet
-
Rich of Observationz, in reply to
If they did that, they'd give themselves away to the first person who wanted to dig deeply (e.g. by obtaining the (imaginary?) publicaddress.net SSL certificate via a side channel, like visiting Russell and asking for it on memory stick and then comparing it with the one the site is serving to you).
What they need is the actual certificate and private keys from e.g. publicaddress.net which would let them extract session keys and read encrypted traffic. (What the perfect forward secrecy thing, as implemented by Google, does is to ensure that they can only read traffic *after* obtaining the key).
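The side-channel check Rich describes (compare the certificate you obtained out of band with the one the site serves you) and the trusted-CA impersonation described earlier in the thread, as an added example that is not from the original thread: a Go TLS client hook that pins the site's public key, so a certificate for the same name issued by a different CA, trusted or not, is rejected. The host name and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Pin returns the hex SHA-256 of a DER certificate's SubjectPublicKeyInfo: the
// value you collect out of band (the thread's "memory stick") and hard-code.
func Pin(der []byte) (string, error) {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// VerifyPin builds a tls.Config.VerifyPeerCertificate hook that runs after the usual
// CA/hostname check: a cert for the right name from any trusted CA fails on a key mismatch.
func VerifyPin(pin string) func(raw [][]byte, _ [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		got, err := Pin(raw[0])
		if err == nil && got != pin {
			err = fmt.Errorf("server key %s... does not match pin: possible interception", got[:16])
		}
		return err
	}
}

// PinnedConfig keeps Go's normal certificate validation and adds the pin on top of it.
func PinnedConfig(host, pin string) *tls.Config {
	return &tls.Config{ServerName: host, VerifyPeerCertificate: VerifyPin(pin)}
}

// SelfSignedDER makes a throwaway cert for host: constructed test data, not a real site's.
func SelfSignedDER(host string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```

The pin is an extra check on top of CA validation, not a replacement for it, and it has to be updated whenever the site legitimately rotates its key.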
-
I see Anonymous has taken down a bunch of Nat web sites - I bet there will be lots of gnashing of teeth, outraged people complaining about evil organisations hacking into people's website .... completely unaware of the irony
-
Rich of Observationz, in reply to
I'm sure the bank teller will have taken your comments on board. All bank tellers are educated to at least MSc level in the design of cryptographic systems, as well as their training in finance and economics. It's amazing many of them look so young after 14 years at university..
-
heh - it's usually more a response to "why don't you do this on line?" - if they were that smart they'd probably realise that continually asking that question probably wasn't particularly encouraging of their long term future job prospects.
Seriously though telling someone at the bank "there's a hole in the side of your ATM, people can reach in and grab fistfuls of money" is likely to be reported upwards and something done about it. "People can break into your phone system when you call the central office and record account numbers, passwords, security questions, etc then make the same calls themselves looking as if they were talking from your phone" probably should too.
-
The devil is in the detail. Another good article from arstechnica
-
Just breaking ...
Answers to questions from Russel Norman indicate that Parliamentary Services DID hand over Andrea Vance's phone records to David Henry.
How and why were we told otherwise in the first place?
-
Graeme Edgeler, in reply to
Answers to questions from Russel Norman indicate that Parliamentary Services DID hand over Andrea Vance’s phone records to David Henry.
How and why were we told otherwise in the first place?
The information I saw in the media suggested it was a contractor. However, there are a great many reasons why someone would make a mistake like that, and it doesn't necessarily suggest mal-intent.
-
From Stuff:
Henry had been called in by Key to investigate an unauthorised leak to Vance of a report on the Government Communications Security Bureau.
It has previously been confirmed that Henry was provided with electronic records tracking Vance's movements in the parliamentary complex.
Carter said today he became aware on Friday his answer in response to questions about Vance's phone records was wrong.
Three months of phone records had "inadvertently" been supplied to Henry by Parliamentary Service during the course of his investigations. The information had been collated by parliamentary contractors Datacom.
Henry immediately returned the records without viewing them and made it clear he had neither sought nor wanted them, Carter said.
"I stress that the David Henry inquiry never requested this information and recorded that fact immediately the information was received. I am further advised that this information was not used by the inquiry."
Carter confirmed, however, that Henry had sought phone records detailing which government ministers had phoned Vance.
So the new story is that Henry only requested details of ministers' calls to Vance, but instead somehow, by accident, got details of all Vance's calls.
Carter quoted in the Herald:
"I have been made aware that the phone records of a press gallery journalist were released by a Parliamentary Service contractor to the David Henry inquiry."
Possibly throwing Datacom under the bus here?
-
Alastair Thompson, in reply to
Illegal stuff happens accidentally these days, apparently rather a lot.
-
Quote from Stuff
In response to written questions last week, Carter said a request from investigator David Henry for Vance's phone records had been declined.
and once he'd "accidentally" got the records
Henry immediately returned the records without viewing them and made it clear he had neither sought nor wanted them, Carter said.
Does that make sense to anyone else? It looks like a contradiction to me which implies one of those statements is incorrect.
-
Steve Reeves, in reply to
Well, naturally he blames someone else...
A minister always takes the salary, but never the responsibility.
Thank goodness for outsourcing, I say!
-
Rob Stowell, in reply to
Definitely fishy!
As is "there is no evidence Jon Stephenson was spied on". Which is quite compatible with: he was spied on, we know it, but we've destroyed all the evidence...
-
Stephen R, in reply to
As is "there is no evidence Jon Stephenson was spied on". Which is quite compatible with: he was spied on, we know it, but we've destroyed all the evidence...
One of the games played in our household at the moment is "With what technicality can this denial be true, while at the same time not be an actual denial".
It's disturbing a) how many denials don't actually deny what they're accused of, and b) how rarely the initial denial is followed up by the reporters to whom it is given.
-
Aidan, in reply to
As is “there is no evidence Jon Stephenson was spied on”. Which is quite compatible with: he was spied on, we know it, but we’ve destroyed all the evidence…
Very Yes Minister-esque, e.g. "There is no evidence Jon Stephenson was spied on .. we've made quite sure of that".
Gets to be every damn sentence needs to be parsed multiple ways for meaning. At the risk of seeming cliched, it really is Orwellian.
Here in Aus the leader of the opposition has the fantastic phrase "I had no specific knowledge"! WTF does that mean? Whatever he feels like when new facts emerge about the degree of his "knowledge". Post truth politics. GAH!
-
Kumara Republic, in reply to
Which is quite compatible with: he was spied on, we know it, but we’ve destroyed all the evidence…
Speaking of which, Halliburton has just been pinged big time for destroying evidence relating to the Deepwater Horizon disaster.