OnPoint: Ich bin ein Cyberpunk
94 Responses
First ←Older Page 1 2 3 4 Newer→ Last
-
Amanda Wreckonwith, in reply to
I understand that.
But in my dystopia, La Collins was incarcerating merely for act of employing encryption...
'no smoke without fire' seems to be quite a popular conjecture from what I am hearing on my rounds -
Zen,
NSA spread digital AIDS to the Cloud.
What encryption options would you recommend there? -
Wasn't Kim Dotcom's new cloud based on encryption? Be ideal if you wanted to store stuff then retrieve it to yourself.
-
Andrew C, in reply to
General comment: Baby steps, folks. Tor, Truecrypt, everything else will come.
I like how Truecrypt pads out empty space with random noise. If you create a Truecrypt partition and fill it with your sooper dooper secritz, you can then include this partition inside/within another Truecrypt partition. This way if you are ever somehow forced to reveal your Truecrypt password then you can do the decryption on the outer layer and there is no way of knowing that you have an inner layer - it just looks like the regular and expected random padding made by the top layer.
Not that I do this, but I just thought it was kinda cool. These guys have thought stuff through.
-
Keith Ng, in reply to
Not that I do this, but I just thought it was kinda cool. These guys have thought stuff through.
Oh yeah. That's precisely why I'm going to go through Truecrypt. This is from the Police Search Manual:
A specified person may not be required to give any information tending to incriminate themselves. However, this does not prevent you from requiring them to provide information or assistance that is reasonable and necessary to allow you to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the person.
In NZ, it's give up your password, or face 3 months in jail.
-
Keith Ng, in reply to
Second Little Brother. I'm wondering if I need to have a key-signing party sometime.
YES. I'll work something out for my next post.
-
Cool Keith front page of /.
Discussion of the effectiveness of various forms of cryptography is fraught, it's not to be done by amateurs, and most of the professionals seem to work for 3-letter agencies, don't forget that the NSA helped set up TOR and have blessed various forms of crypto that are in common use - we honestly don't know why they blessed them - because they were good? or because they can be broken by the agency?
Recently we've all learned that the old maxim "you're not paranoid if they really are out to get you" applies to being worried about secret police reading all your online communications too
Even your tinfoil hats come from Rio Tinto, they're still great for keeping off the solar radiation though, not so much for wifi http://web.archive.org/web/20120411235930/http://berkeley.intel-research.net/arahimi/helmet/
Seriously though, given Key's recent almost-admission in parliament (I mean he would have said "no" if he could wouldn't he?) what did the US give the GCSB millions of dollars for?
-
Stephen R, in reply to
In NZ, it's give up your password, or face 3 months in jail.
In the UK it's worse. From Wikipedia's article on the RIP act
Especially contentious was Part III of the Act, which requires persons to supply decrypted information (which had been previously encrypted by the owner) and/or the cryptographic key to government representatives. Failure to disclose these items is a criminal offence, with a maximum penalty of two years in jail.
At least a couple of people have gone to gaol over that clause. The RIP act also requires ISPs to provide the government with technical assistance to intercept their customers' data (at the ISP's expense).
I had felt somewhat smug for the last 10 years that we didn't have that problem here.
Smugness has receded now.
-
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (MingW32)hQEMA4M1NX6HbamyAQgAt9GgDIEMzUtLgD/u/7yM7QWLJoRIzSBpfFaRY8eaLxcp
F0dDUK6WYHMglrEW6qQr7u2LymFxWQdSHrlyIItwtgj2TqrsxXEYOBBCtZz2lGgq
/R84A5TZS3RkI4CGLaVshEoDcEuX95CEn3g0p1hJAkr4ibn6ZtH3z1KIwZZEaStB
fR7+Q98T5dAEppFP5TN4dMqbEC2W/TuM1w4oQTBd60kZIfvLaX0XmOM8T/ELaCgS
KErNJL5dxFdfSSUX04rmoH/oUFyZPnsS/OGB4hkZ238WMScSe043tuRfX0tAxQiX
3ls0XLqZQPGXq78kgiKYOrubLjUiX5ZPvtaVc3wtJYUBDAM51OvWrWXIjgEIAKUg
pB5YsjkwD08fMlEfUL2G3pKmCsWwhHS3VJYDgb/XL3xmHBR13arDi3mEVEOKekVh
emLE0NTbdWZ79+8u8rs9KO/tFwnwGspUSp+p+FxjIHqRwmflhApo19ZBK9nix9dF
1/2J96PaYAnLy25XgkLr6yncpc6F0zPdSHFHTx4JOGX+Q7lxLsNv94b0BxgcKX8I
2SDxpqV926HUKKxXb///ua5wOC76KZDSBEayji4GpHghkXjpQhG7LchiIqZpBC8+
Km/AicuO7l+htxM9hYnwwy7iNQdoiFXBfpnLhrkGGQHEEN/SFQo5YYEREXXvl0FO
OciyulidWqvDhU9h6z7S6QF5jGnEFinp+UFPa9vqR7da4uNJXbDzgPrY4+nYcJXh
9cBuVIE3Y/VSp5LXotlwsn0czalXJosclGLj0YpnysSZtZN8uYmB7lLyBgN4JtvW
p+6cTchOqtlb0lCvmGZwVy6pLmOxLcQXnYBxfATxNoc00UGQoUhGY/JD5yh0b/Xn
8wPnvceRpxQyUnAWadKAKivtWU+QzTcjkIzQOpfnI3ykVNfjIGB4IdEmnYT08vba
wwROS3lWUkBHHp08vC8DwZ5QdCk2xfRfFdqKRWQAl5tHKuPQ1NbL0T+uTTJsHiWN
sBq2kctBuyiMOPhHUnqRdt6l99STXj2I5rhjByGQmlHt0wk/47o1TeN4DRa2z3Nf
Rbfpx5n8Sz13efGHN+K8VbTWehdZv55G5xv1ppQWTmkZwNA56NmDc4iXwXzS8lt3
2a51bf03W4guUYM0zOZ1+fjEZCEId7ijmGbPlqSGOyA21qhmBzbtUR2U0wcOulmz
7Ri49XwKTu4H02qKleqrNTB/PSMx6uK5KX17bAy48eAt2agaGHlnSDtrkf92KEj9
j4RpzEvvnZt+R9ePrRxQySZsvAfnFXugGwE0h3Kci6qU3kTaCL0T3bHJg0wr+c+i
lvD72KvK/pE2AMBMt4GCJhWBoDQFhg2PYxUdc00yZ9bl2V1zJetLZZilCEFaiBi5
e3D0q5a/1vj9xTBXRPvaxhvdO0dMS9a5kereKqh3kwUZWG6hn1dNLz2PfjRHkhCB
7/r/fYP76yOo4LXi3GZlj36umjmlyDHWGr00JsXK4MA32gNm3T+M5rOt169QHVNZ
a4w6nwZhM/1f4tCzh/SYJfcuGQRD5hgU7vtDbg==
=Ozim
-----END PGP MESSAGE----- -
Moz, in reply to
At least a couple of people have gone to gaol over that clause.
I half expect to go the same way. Not because I'm unusually prone to breaking the law, or doing anything particularly dodgy (I ride a push bike, so I'm not exactly mainstream), but because I have no intention of decrypting anything outside a public courtroom. Hopefully I'll have the guts to stick with that if shit happens.
One problem is that I share a computer with my partner, who necessarily has the boot passwords which also mount the shared/common disk space.
Also, I wish TrueCrypt gave some indication of how much random seed is enough... if I watch a half hour TV episode while jiggling the mouse is that much better than a 30 second scribble? How much? Does it matter? Who knows?
-
For those mentioning Little Brother, the main point (that I got) of the book is that if the watchers are looking at you (ie. they're Big Brother) then the response is to look at them (ie. become Little Brother) . Encryption does not stop "them" spying on you, or abusing freedoms (ie. the $5 wrench solution). But letting the world know what they're doing puts the spot light back on them.
BTW. There's a sequel to Little Brother, Homeland . An unfortunate outcome of using that name means that Fox has issued DCMA takedown requests... morons!
-
BenWilson, in reply to
Recently we’ve all learned that the old maxim “you’re not paranoid if they really are out to get you” applies to being worried about secret police reading all your online communications too
Isn't the saying "Just because you are paranoid doesn't mean they are not out to get you"?
-
Martin Lindberg, in reply to
Cool Keith front page of /.
Now also front page of Ars Technica: New Zealand appears to have used NSA spy network to target Kim Dotcom.
-
Ian Dalziel, in reply to
living in the Tron...
“GCSB doesn’t even operate their own spy cloud.
... it's a bit sad that,
of all countries,
Aotearoa has no
intelligence cloud
to call its own... -
For browsing, the Tor Network is a good start, even if it means a slight speed penalty.
-
Keith Ng, in reply to
-----BEGIN PGP MESSAGE-----
HenryB: Got it! And thanks!
-
Andrew C, in reply to
Also, I wish TrueCrypt gave some indication of how much random seed is enough… if I watch a half hour TV episode while jiggling the mouse is that much better than a 30 second scribble? How much? Does it matter? Who knows?
No, it itsn't greatly better Moz. It doesn't take much initial randomness to escalate into massive entropy after they start cycling the hashes.
For anyone interested, Steve Gibson from GRC has a couple of podcast episodes on what Truecrypt is/does which are fairly accessible to the non propeller head types. Below are links to the transcripts. At the top of each transcript it also shows the web address to the podcast mp3's if you would prefer to listen - generally his podcasts are around 1hr long.
https://www.grc.com/sn/sn-041.htm
https://www.grc.com/sn/sn-133.pdfHis "Security Now" podcast series is a great introduction into overviewing cryptography and internet security in general, amongst other things.
-
if you encrypt you MUST be guilty....therefore METADATA.
-
“SECRET//COMINT//REL TO NZL, AUS, CAN, GBR, USA”. In other words, the selectors were entered into a secret communications intelligence system, and this secret system was considered related to Five Eyes:
umm, not really. It means the request has a classification level of Secret, that its subject relates to communications intelligence (you got that bit right), and that it may be released to the members of Five Eyes.
-
Matthew Poole, in reply to
Key distribution, that’s the hard part. Ensuring that you have the public keys of everyone you want to contact and that these haven’t been tampered with.
It’s a hard problem, partly because of the risk of the man-in-the-middle attack (where somebody intercepts your traffic, substitutes the key and encrypts/recrypts your mail). I think the community got a bit hung up on this though – it should be possible to build an infrastructure that’s strong enough and tamper-evident enough to make systematic monitoring very difficult.
Taken care of, unless “they” manage to pull off a full-scale compromise of the PGP PKI. How? Key signing and levels of trust. If I meet Keith in person, verify his identity, and sign his PGP (for simplicity I will just say PGP instead of PGP/GPG) key, I will give it a very high level of validity because I have confirmed absolutely that he is Keith and it is his key. He can then take his signed key and put it onto the public key infrastructure (the PKI), complete with the indicator of the level of trust I have used for the signing. This would also happen with him signing my key and me uploading the signed key. Now, people whose keys I sign can trust that Keith’s key belongs to Keith, because they have confirmed that I am me and my key is mine. And so on, in a great big web of trust, where the further you get from an in-person signed key the lower the trust ranking you assign but also where the cumulative trust in all the upstream signers can sum up to near certainty that a key belongs to a given individual.
Because all the signed keys get uploaded to the PKI, and the original signers have confirmed the original key fingerprints, carrying out some kind of MITM between people who haven’t actually met means secretly subverting the PKI and changing the key fingerprints (which is how one looks up a specific key within the PKI) so that those people will get compromised keys. That subversion also needs to forge all the signatures on the keys, which becomes harder and harder to do as the web grows.
The most efficient way to get a whole lot of trust going on is a key-signing party (HT’ing to I/S instead of linking direct), which can mean a dozen people or more all establish the highest level of trust in each other’s keys, and if those signed keys are all uploaded to multiple PKI servers it’s an enormous job for “them” to subvert all of those keys and all of the cross-signing. Especially if people have signatures from outside the party, so it’s not just a matter of breaking the keys of that small number of people.
-
Moz, in reply to
<q>TrueCrypt how much random seed is enough?
It doesn’t take much initial randomness to escalate into massive entropy after they start cycling the hashes.</q>
Thanks. That's handy because I fairly regularly find myself regenerating keys for TB+ drives, and aside from going "gosh, that's a lot of bits", I've never really had a feel for just how much random input is required.
-
Matthew Poole, in reply to
Get a client that supports OTR (Off The Record), on the Mac that’s Adium. So long as you’ve clicked the “generate key” and both people have OTR installed, messages are encrypted.
But it’s only worthwhile if you take the key verification seriously, because if you don’t you could be getting man-in-the-middle’d by “them” and not know it. My experience with OTR is in both Adium and pidgin (Adium is the Mac version of pidgin), and both implementations provide for verification through shared-secret, question-and-answer, and manual (off-line) verification of the identity of the key’s creator. I’ve done both Q&A and manual (via SMS) verification of different people with whom I use OTR.
As with anything related to public-key encryption, the assurance OTR provides that you’re not being MITM’d is only as strong as the effort one puts into validating the association between the key and its purported owner.
-
nzlemming, in reply to
You need a third-party-signed certificate, but there are free providers
And you know these haven't been compromised because...?
The biggest advantage of rolling your own keypair is KNOWING that there was no compromise in the process, IMHO.
-
http://www.theregister.co.uk/2013/08/22/guardian_snowden_advice
The register has some sage and tongue in cheek, but true, information here.
-
Matthew Poole, in reply to
The biggest advantage of rolling your own keypair is KNOWING that there was no compromise in the process, IMHO.
Provided you assembled the compiler from scratch and verified the source code of the tools you're using the build the keys, of course :P
You're right, though, that the only way to know the key hasn't been compromised is to have control over the whole process of creation - including complete control over the system used, which rules out Windows 8 courtesy of MS-supplied back-doors.
Post your response…
This topic is closed.