OnPoint by Keith Ng


OnPoint: Ich bin ein Cyberpunk

94 Responses


  • Idiot Savant,

    Is there a preferred keyserver for NZ keys?

    Palmerston North • Since Nov 2006 • 1717 posts

  • Ian Dalziel, in reply to TonyWebb,

    latchkey kids...

    Key security is a biggy...

    There is a certain irony in using a Key to circumvent the PM's scaremongering machinations....

    Christchurch • Since Dec 2006 • 7953 posts

  • Amanda Wreckonwith,

    August 24th 2019
    The Opening of the Chatham Island State Prison.
    President Collins steps forward to address the huge crowd.

    "For many years, the enemies of our happy nation have been laughing at us with their devious practices of encryption. Subversives and paedophiles have been free to spread their filth and terror, our children constantly under threat of falling prey to their perverted minds."
    "Now we have a final solution. Now we can stop them. Now we can go back to One Nation New Zealand - free of this 'secret society' that has been living amongst us in the shadows." (much cheering)
    "As we have ALWAYS said 'nothing to hide - nothing to fear' but that's not good enough for some." (Much nodding and mutterings of agreement from the officials in attendance)
    "Well now They have a choice. Now They can choose a life behind bars or a trial by a jury of truly decent people like those gathered before me"
    "It's a fair and simple decision and in Their hands - so let's remind them!"
    Smiling, she raises her fist and the crowd erupts into chants of the President's Official Campaign Slogan - GIVE US THE KEY OR YOU'RE NOT FREE!!

    Since Sep 2012 • 171 posts

  • Amanda Wreckonwith,

    Or alternatively - maybe I should stop eating cheese before bedtime

    Since Sep 2012 • 171 posts

  • Thomas Beagle,

    I guess the first part of the article nicely disposes of ex-GCSB head Bruce Ferguson's claim that the GCSB only provided assistance to Police by seconding staff to them.

    New Zealand • Since Nov 2007 • 50 posts

  • Ian Dalziel, in reply to Amanda Wreckonwith,

    dairy heirs...

    ...maybe I should stop eating cheese before bedtime

    No, no, I recognise your nocturnal Rarebit Friends
    and their lair out on the (Orange) Roughy Justice Rise...

    ...what happened next?

    Christchurch • Since Dec 2006 • 7953 posts

  • Amanda Wreckonwith, in reply to Ian Dalziel,

    …what happened next?

    won't know till tonight...
    That was on Edam.
    Got some Gorgonzola.
    Bit scared to try...

    Since Sep 2012 • 171 posts

  • AndrewH,

    This looks like a promising adjunct product for encryption further down the tcp stack: http://tcpcrypt.org/index.php

    I shied at the package compilation hurdle, but perhaps Keith with his doctorate in geekery can make sense of it..?

    Wellington • Since Nov 2008 • 33 posts

  • Stephen R, in reply to TonyWebb,

    It would also be great to see some information on anonymous browsing via Tor (this is now fairly easy to set up - I posted this via Tor) and darknets such as I2P if you have the time or inclination.

    I've read suggestions that some Tor gateways might already be either provided by or compromised by the NSA et al, and therefore not nearly as anonymous as you might like to hope. Along with a Firefox exploit that waits till you're not using Tor then phones home (with enough information to tell them what your Tor link had been).

    http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

    Paranoia? Maybe. Maybe not. Bugs and exploits are sufficiently common (and people trying to break them very clever) that I'm not sure you can guarantee security unless you have throw-away hardware you never use for anything else but your secure comms. Combine something like a cheap laptop bought with cash and cafe-net or cbd-free and never put your real name on the laptop (and never link it to your home network) and you're probably OK. Although at that point, you have difficulty proving you are who you say you are to people you talk to, and it's a lot of work. Oh, and probably you don't want to carry your cell-phone to the place you use to hook into the net (or that metadata they're collecting will tell them a list of everyone in the area when your clean laptop logs on), and you don't want to buy coffee there with anything but cash while you're using their network...

    I'd also note that being this paranoid is hard work, and most people don't think it's worth it. It's sufficiently hard work that the head of the CIA was unable to keep his affair secret, even though he went to some effort...

    If the spooks really want to break PGP, they break into your house, copy your private key and install a keylogger to get your passphrase. (or hack your PC and do the whole lot remotely.) It's just easier than trying to crack the encryption.

    Wellington • Since Jul 2009 • 259 posts

  • Ian Dalziel, in reply to Amanda Wreckonwith,

    Curds awhey...

    Got some Gorgonzola.
    Bit scared to try…

    ...point taken, I can see the shattered
    Redcoated carapace giving way to
    those Blue Green veins!
    (such a redolently political palette)

    Maybe you could ease on in with Bries
    or some other French cheeses on the cross
    from The Netherlands to Italy?

    Christchurch • Since Dec 2006 • 7953 posts

  • Stephen R,

    The two reasons I gave up bothering with PGP ten years ago were
    a) The number of people I wanted to exchange email with who had a public key and could remember their passphrase was practically nil
    b) Wanting to access mail from multiple locations/devices makes private key management (especially across platforms) a real pain.

    "Little Brother" by Cory Doctorow has some nice scenes about how to set up a secure comms network with people you know under monitoring. Cory actually knows a bit about this stuff too, so it's probably worth reading, even for readers who aren't in the "Young Adult" category it's aimed at.

    Wellington • Since Jul 2009 • 259 posts

  • B Jones, in reply to Amanda Wreckonwith,

    Chatham Island State Prison

    Because that worked so well last time.

    Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it? I've assumed for years that everything I put on the internet, including email, can be harvested, it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention. Security by obscurity.

    Of course, if enough people use encryption, the appearance of secrecy doesn't stand out as noteworthy. Another thought - a really good code doesn't look like a code.

    Wellington • Since Nov 2006 • 976 posts

  • Ian Dalziel, in reply to Stephen R,

    “Little Brother” by Cory Doctorow

    and available as a free download from Cory 'boing boing' Doctorow at Craphound

    ...and while you're there, grab Makers as well for a FAB read...

    Cory actually knows a bit about this stuff too, so it’s probably worth reading...

    ...even Google listens...

    Christchurch • Since Dec 2006 • 7953 posts

  • Keith Ng, in reply to B Jones,

    Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it?

    a) I don't think this is true yet, and b) this is why we need to increase the volume of encrypted traffic.

    I've assumed for years that everything I put on the internet, including email, can be harvested, it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention. Security by obscurity.

    That's not security by obscurity, that's just obscurity.

    Of course, if enough people use encryption, the appearance of secrecy doesn't stand out as noteworthy. Another thought - a really good code doesn't look like a code.

    Steganography!

    Auckland • Since Nov 2006 • 543 posts

  • Keith Ng, in reply to Thomas Beagle,

    I guess the first part of the article nicely disposes of ex-GCSB head Bruce Ferguson's claim that the GCSB only provided assistance to Police by seconding staff to them.

    Hang on though - this was not quite the same, in that they believed (genuinely or not) that Kim Dotcom was a foreign national, and therefore there was no need for a firewall between them and the investigation, which is what the secondment process is designed for.

    Auckland • Since Nov 2006 • 543 posts

  • Stephen R, in reply to B Jones,

    Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it?

    That hasn't been true since PGP escaped into the wild. Phil Zimmermann invented PGP which was promptly classified as a weapon in the USA and not to be exported. So he published a book with the source-code in it (since publishing is a protected right) which he was allowed to export, and which was then scanned, corrected, compiled and that's where a lot of people got PGP from.

    There was an attempt in the 90s under Clinton to limit key lengths or force every encryption system to have a back-door in it the US government could use to read the plaintext, but various people (Bruce Schneier among them) pointed out that making the US have sub-standard encryption when the rest of the world (who also had smart people who knew about encryption) had proper encryption was just asking for trouble.

    The US government backed down, and now there is encryption out there that theoretically Governments can't decrypt. The devil is in the detail though. As I mentioned above, installing keyloggers is one tactic the FBI have used to get plaintext, and if you can find the private key you can attempt to brute force the password (passwords are, in general, crap security).

    There's also man-in-the-middle attacks where they pretend to be each party to the other party, and encrypt/decrypt in the middle leaving both parties feeling secure (which is why getting the fingerprint to their public key directly from them via voice or written on paper in hand-writing, rather than via email is a good step for the paranoid) - For instance, NoRightTurn just published his fingerprint in the same post as his key. If someone can hack the page to change what people see as the key, then they can do the same to the fingerprint, so in that case, it's not more secure than just posting the key. If someone was getting the key from a public keyserver or via another route, and could then verify the fingerprint from his website or a sig on all of I/S's mails then that would be more useful. (It would be difficult for attackers to compromise all the examples of I/S's signature, and I/S would probably notice.)

    Wellington • Since Jul 2009 • 259 posts

  • Keith Ng,

    General comment: Baby steps, folks. Tor, Truecrypt, everything else will come.

    Auckland • Since Nov 2006 • 543 posts

  • Stephen R, in reply to Keith Ng,

    Fair cop guv.

    Wellington • Since Jul 2009 • 259 posts

  • David Hood, in reply to Keith Ng,

    a) I don’t think this is true yet

    My impression is that, at the moment, intelligence agencies are more likely to take an interest in you if you are using encryption (because it is seen as suspicious) but can't read the contents (so will be concentrating on who you send it to and get stuff from). That said, they are also more likely to store a copy of your encrypted messages.

    Dunedin • Since May 2007 • 1445 posts

  • Amanda Wreckonwith,

    And it started out so hopeful...
    The more I read from you boffins, the more it seems to me that the solution to this problem is political rather than technical.

    How about a Green/Labour promise to release the details (on request) of all the NZ people that have had their data collected once they are in power? (minus any that are actively being investigated for genuine 'terrorist' activity)
    Would public opinion on the value of civil liberty shift somewhat once they knew the scale of what was really happening?

    Since Sep 2012 • 171 posts

  • Idiot Savant, in reply to Amanda Wreckonwith,

    Smiling, she raises her fist and the crowd erupts into chants of the President's Official Campaign Slogan - GIVE US THE KEY OR YOU'RE NOT FREE!!

    That's already the law. See s130 and s178 Search & Surveillance Act 2012.

    Palmerston North • Since Nov 2006 • 1717 posts

  • Idiot Savant,

    Second Little Brother. I'm wondering if I need to have a key-signing party sometime.

    Re: Key fingerprints, you're right. The problem is that I'm currently managing multiple key pairs for different accounts. But I've stuck it on my Twitter profile, I'll stick it on my filedump website to increase the number of places that have to be hacked, and make PASystem a target too by posting it here as well:

    AE1C 445F 7A5E CAAF DA11 3CAE 7C56 FCD4 C60A A494

    (I'm kidding about the "target". I don't seriously expect anyone to hack me to man-in-the-middle me, because I actually don't have that much to hide and am completely unimportant. But why make it easy? Also, by encrypting the odd bit of traffic, I provide a penguin defence to those who actually need it)

    Palmerston North • Since Nov 2006 • 1717 posts

  • Rich of Observationz,

    If you have keys in multiple places, then any man-in-the-middle or other hacking attempt becomes obvious, and is likely to reveal more about the attacker and their methodology than they would like.

    (For this reason, I'd regard M웃M interception of SSL traffic by government agencies as unlikely, even if they have (as they possibly do) root private keys. The moment they did it at any scale, someone would pick up on the altered key and raise a flag, revealing the technique).

    Back in Wellington • Since Nov 2006 • 5550 posts
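
An added example, not written by anyone in this thread, of the fingerprint check discussed in the posts above (a fingerprint published beside the key proves nothing; copies in several places make a swapped key visible). It computes an OpenPGP v4 fingerprint as RFC 4880 defines it and compares it only against copies from channels other than the one that delivered the key. The toy keys and the channel names (`blog`, `twitter`, `forum`) are constructed for illustration.

```python
import hashlib
import struct

def v4_fingerprint(body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, 12.2): SHA-1 over
    0x99 || 2-byte big-endian length || public-key packet body."""
    if not body or body[0] != 4 or len(body) > 0xFFFF:
        raise ValueError("expected a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fp: str) -> str:
    """Strip spacing and case so 'AE1C 445F ...' style strings compare exactly."""
    compact = "".join(fp.split()).upper()
    if len(compact) != 40 or set(compact) - set("0123456789ABCDEF"):
        raise ValueError("not a 160-bit hex fingerprint")
    return compact

def verify_key(body: bytes, key_channel: str, published: dict) -> dict:
    """Compare the key's own fingerprint with copies published elsewhere.
    A copy from the channel that delivered the key is ignored: whoever
    swapped the key there could swap that fingerprint too."""
    actual = v4_fingerprint(body)
    independent = {c: normalize(fp) for c, fp in published.items() if c != key_channel}
    mismatched = sorted(c for c, fp in independent.items() if fp != actual)
    return {"fingerprint": actual,
            "independent_checks": len(independent),
            "mismatched": mismatched,
            "accept": bool(independent) and not mismatched}

# --- constructed sample data (toy keys, far too small to be real) ---
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def toy_key(n: int) -> bytes:
    # version 4, creation time, algorithm 1 (RSA), modulus n, exponent 65537
    return b"\x04" + struct.pack(">I", 1377000000) + b"\x01" + _mpi(n) + _mpi(65537)

def grouped(fp: str) -> str:
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))

GENUINE = toy_key(0xC0FFEE1234567890ABCDEF)
SUBSTITUTED = toy_key(0xBADC0DE1234567890ABCDEF)  # what a man in the middle would serve
GOOD_FP = grouped(v4_fingerprint(GENUINE))
EVIL_FP = grouped(v4_fingerprint(SUBSTITUTED))

if __name__ == "__main__":
    # Key and fingerprint both taken from one tampered page: nothing independent to check.
    print(verify_key(SUBSTITUTED, "blog", {"blog": EVIL_FP}))
    # Same substituted key, with the fingerprint also seen on two other channels.
    print(verify_key(SUBSTITUTED, "blog", {"blog": EVIL_FP, "twitter": GOOD_FP, "forum": GOOD_FP}))
```
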

  • izogi, in reply to B Jones,

    it's just that nobody cares enough to do it provided I don't stick obvious keywords in there, or correspond with known agitators, or have offline activities that might draw attention

    (Emphasis mine) That's one of the ones that concerns me a lot, among others. Possibly also corresponding with unknown agitators, and corresponding with people who correspond with agitators. If you send an email to someone like Andrea Vance or Keith Locke for instance, or someone of their ilk, does it provide enough of an excuse behind the scenes for all of your correspondence to be sifted through, or for all of your other contacts to be graphed and analysed?


    I used to be really keen on GPG and PGP a long time ago, but as others have noted it's very impractical if you want to actually communicate usefully, given so few people use it as habit. By itself, it also doesn't do anything to obscure the network of people with whom you're communicating, and a lot can already be derived (correctly or not) from that information.

    Wellington • Since Jan 2007 • 1142 posts

  • Idiot Savant, in reply to izogi,

    (Emphasis mine) That's one of the ones that concerns me a lot, among others. Possibly also corresponding with unknown agitators, and corresponding with people who correspond with agitators.

    The NSA was leaked as using three hops. So if you talk to someone who talked to someone who talked to a "known agitator", then you're in the net. Which in a country the size of NZ, means everyone is.

    Also note the "correspondence" could mean using the same pizza joint.

    Palmerston North • Since Nov 2006 • 1717 posts

This topic is closed.