OnPoint: Ich bin ein Cyberpunk
94 Responses
First ←Older Page 1 2 3 4 Newer→ Last
-
Is there a preferred keyserver for NZ keys?
-
Ian Dalziel, in reply to
latchkey kids...
Key security is a biggy...
There is a certain irony in using a Key to circumvent the PM's scaremongering machinations....
-
August 24th 2019
The Opening of the Chatham Island State Prison.
President Collins steps forward to address the huge crowd."For many years, the enemies of our happy nation have been laughing at us with their devious practices of encryption. Subversives and paedophiles have been free to spread their filth and terror, our children constantly under threat of falling prey to their perverted minds."
"Now we have a final solution. Now we can stop them. Now we can go back to One Nation New Zealand - free of this 'secret society' that has been living amongst us in the shadows." (much cheering)
"As we have ALWAYS said 'nothing to hide - nothing to fear' but that's not good enough for some." (Much nodding and mutterings of agreement from the officials in attendance)
"Well now They have a choice. Now They can choose a life behind bars or a trial by a jury of truly decent people like those gathered before me"
"It's a fair and simple decision and in Their hands - so let's remind them!"
Smiling, she raises her fist and the crowd erupts into chants of the Presidents Official Campaign Slogan - GIVE US THE KEY OR YOU'RE NOT FREE!! -
Or alternatively - maybe I should stop eating cheese before bedtime
-
I guess the first part of the article nicely disposes of ex-GCSB head Bruce Ferguson's claim that the GCSB only provided assistance to Police by seconding staff to them.
-
Ian Dalziel, in reply to
dairy heirs...
...maybe I should stop eating cheese before bedtime
No, no, I recognise your nocturnal Rarebit Friends
and their lair out on the (Orange) Roughy Justice Rise......what happened next?
-
Amanda Wreckonwith, in reply to
…what happened next?
wont know till tonight...
That was on Edam.
Got some Gorgonzola.
Bit scared to try... -
This looks like a promising adjunct product for encryption further down the tcp stack: http://tcpcrypt.org/index.php
I shied at the package compilation hurdle, but perhaps Keith with his doctorate in geekery can make sense of it..?
-
Stephen R, in reply to
It would also be great to see some information on anonymous browsing via Tor (this is now fairly easy to set up - I posted this via Tor) and darknets such as I2P if you have the time or inclination.
I've read suggestions that some Tor gateways might already be either provided by or compromised by the NSA et al, and therefore not nearly as anonymous as you might like to hope. Along with a firefox exploit that waits till you're not using TOR then phones home (with enough information to tell them what your tor link had been.
Paranoia? Maybe. Maybe not. Bugs and exploits are sufficiently common (and people trying to break them very clever) that I'm not sure you can guarantee security unless you have throw-away hardware you never use for anything else but your secure coms. Combine something like a cheap laptop bought with cash and cafe-net or cbd-free and never put your real name on the laptop (and never link it to your home network) and you're probably Ok. Although at that point, you have difficulty proving you are who you say you are to people you talk to, and it's a lot of work. Oh, and probably you don't want to carry your cell-phone to the place you use to hook into the net (or that metadata they're collecting will tell them a list of everyone in the area when your clean laptop logs on), and you don't want to buy coffee there with anything but cash while you're using their network...
I'd also note that being this paranoid is hard work, and most people don't think it's worth it. It's sufficiently hard work that the head of the CIA was unable to keep his affair secret, even though he went to some effort...
If the spooks really want to break PGP, they break into your house, copy your private key and install a keylogger to get your passphrase. (or hack your PC and do the whole lot remotely.) It's just easier than trying to crack the encryption.
-
Ian Dalziel, in reply to
Curds awhey...
Got some Gorgonzola.
Bit scared to try…...point taken, I can see the shattered
Redcoated carapace giving way to
those Blue Green veins!
(such a redolently political palette)Maybe you could ease on in with Bries
or some other French cheeses on the cross
from The Netherlands to Italy? -
The two reasons I gave up bothering with PGP ten years ago was
a) The number of people I wanted to exchange email with who had a public key and could remember their passphrase was practically nil
b) Wanting to access mail from multiple locations/devices makes private key management (especially across platforms) a real pain."Little Brother" by Cory Doctorow has some nice scenes about how to set up a secure comms network with people you know under monitoring. Cory actually knows a bit about this stuff too, so it's probably worth reading, even for readers who aren't in the "Young Adult" category it's aimed at.
-
B Jones, in reply to
Chatham Island State Prison
Because that worked so well last time.
Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it? I've assumed for years that everything I put on the internet, including email, can be harvested, it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention. Security by obscurity.
Of course, if enough people use encryption, the appearance of secrecy doesn't stand out as noteworthy. Another thought - a really good code doesn't look like a code.
-
Ian Dalziel, in reply to
“Little Brother” by Cory Doctorow
and available as a free download from Cory 'boing boing' Doctorow at Craphound
...and while you're there, grab Makers as well for a FAB read...
Cory actually knows a bit about this stuff too, so it’s probably worth reading...
-
Keith Ng, in reply to
Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it?
a) I don't think this is true yet, and b) this is why we need to increase the volume of encrypted traffic.
I've assumed for years that everything I put on the internet, including email, can be harvested, it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention. Security by obscurity.
That's not security by obscurity, that's just obscurity.
Of course, if enough people use encryption, the appearance of secrecy doesn't stand out as noteworthy. Another thought - a really good code doesn't look like a code.
-
Keith Ng, in reply to
I guess the first part of the article nicely disposes of ex-GCSB head Bruce Ferguson's claim that the GCSB only provided assistance to Police by seconding staff to them.
Hang on though - this was not quite the same, in that they believed (genuinely or not) that Kim Dotcom was a foreign national, and therefore there was no need for a firewall between them and the investigation, which is what the secondment process is designed for.
-
Stephen R, in reply to
Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it?
That hasn't been true since PGP escaped into the wild. Phil Zimmerman invented PGP which was promptly classified as a weapon in the USA and not to be exported. So he published a book with the source-code in it (since publishing is a protected right) which he was allowed to export, and which was then scanned, corrected, compiled and that's where a lot of people got PGP from.
There was an attempt in the 90s under Clinton to limit key lengths or force every encryption system to have a back-door in it the US government could use to read the plaintext, but various people (Bruce Schneier among them) who pointed out that making the US have sub-standard encryption when the rest of the world (who also had smart people who knew about encryption) had proper encryption was just asking for trouble.
The US government backed down, and now there is encryption out there that theoretically Governments can't decrypt. The devil is in the detail though. As I mentioned above, installing keyloggers is one tactic the FBI have used to get plaintext, and if you can find the private key you can attempt to brute force the password (passwords are, in general, crap security).
There's also man-in-the-middle attacks where they pretend to be each party to the other party, and encrypt/decrypt in the middle leaving both parties feeling secure (which is why getting the fingerprint to their public key directly from them via voice or written on paper in hand-writing, rather than via email is a good step for the paranoid) - For instance, NoRightTurn just published his fingerprint in the same post as his key. If someone can hack the page to change what people see as the key, then they can do the same to the fingerprint, so in that case, it's not more secure than just posting the key. If someone was getting the key from a public keyserver or via another route, and could then verify the fingerprint from his website or a sig on all of I/S's mails then that would be more useful. (It would be difficult for attackers to compromise all the examples of I/S's signature, and I/S would probably notice.)
-
General comment: Baby steps, folks. Tor, Truecrypt, everything else will come.
-
Stephen R, in reply to
Fair cop guv.
-
David Hood, in reply to
a) I don’t think this is true yet
My impression is that, at the moment, intelligence agencies are more likely to take an interest in you if you are using encryption (because it is seen as suspicious) but can't read the contents (so will be concentrating on who you send it to and get stuff from). That said, they are also more likely to store a copy of your encrypted messages.
-
And it started out so hopeful...
The more I read from you boffins, the more it seems to me that the solution to this problem is political rather than technical.How about a Green/Labour promise to release the details (on request) of all the NZ people that have had their data collected once they are in power? (minus any that are actively being investigated for genuine 'terrorist' activity)
Would public opinion on the value of civil liberty shift somewhat once they knew the scale of what was really happening? -
Idiot Savant, in reply to
-
Second Little Brother. I'm wondering if I need to have a key-signing party sometime.
Re: Key fingerprints, you're right. The problem is that I'm currently managing multiple key pairs for different accounts. But I've stuck it on my Twitter profile, I'll stick it on my filedump website to increase the number of places that have to be hacked, and make PASystem a target to by posting it here as well:
AE1C 445F 7A5E CAAF DA11 3CAE 7C56 FCD4 C60A A494
(I'm kidding about the "target". I don't seriously expect anyone to hack me to man-in-the-middle me, because I actually don't have that much to hide and am completely unimportant. But why make it easy? Also, by encryptin ght eodd bit of traffic, I provide a penguin defence to those who actually need it)
-
If you have keys in multiple places, then any man-in-the-middle or other hacking attempt becomes obvious, and is likely to reveal more about the attacker and their methodology than they would like.
(For this reason, I'd regard M웃M intereption of SSL traffic by government agencies as unlikely, even if they have (as they possibly do) root private keys. The moment they did it at any scale, someone would pick up on the altered key and raise a flag, revealing the technique).
-
izogi, in reply to
it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention
(Emphasis mine) That's one of the ones that concerns me a lot, among others. Possibly also corresponding with unknown agitators, and corresponding with people who correspond with agitators. If you send an email to someone like Andrea Vance or Keith Locke for instance, or someone of their ilk, does it provide enough of an excuse behind the scenes for all of your correspondence to be sifted through, or for all of your other contacts to be graphed and analysed?
I used to be really keen on GPG and PGP a long time ago, but as others have noted it's very impractical if you want to actually communicate usefully, given so few people use it as habit. By itself, it also doesn't do anything to obscure the network of people with whom you're communicating, and a lot can already be derived (correctly or not) from that information. -
Idiot Savant, in reply to
(Emphasis mine) That's one of the ones that concerns me a lot, among others. Possibly also corresponding with unknown agitators, and corresponding with people who correspond with agitators.
The NSA was leaked as using three hops. So if you talk to someone who talked to someone who talked to a "known agitator", then you're in the net. Which in a country the size of NZ, means everyone is.
Also note the "correspondence" could mean using the same pizza joint.
Post your response…
This topic is closed.