OnPoint by Keith Ng

Read Post

OnPoint: Ich bin ein Cyberpunk

94 Responses

First ←Older Page 1 2 3 4 Newer→ Last

  • Amanda Wreckonwith, in reply to Idiot Savant,

    I understand that.
    But in my dystopia, La Collins was incarcerating merely for act of employing encryption...
    'no smoke without fire' seems to be quite a popular conjecture from what I am hearing on my rounds

    Since Sep 2012 • 171 posts Report

  • Zen,

    NSA spread digital AIDS to the Cloud.

    What encryption options would you recommend there?

    Since Aug 2013 • 1 posts Report

  • Ianmac,

    Wasn't Kim Dotcom's new cloud based on encryption? Be ideal if you wanted to store stuff then retrieve it to yourself.

    Bleneim • Since Aug 2008 • 135 posts Report

  • Andrew C, in reply to Keith Ng,

    General comment: Baby steps, folks. Tor, Truecrypt, everything else will come.

    I like how Truecrypt pads out empty space with random noise. If you create a Truecrypt partition and fill it with your sooper dooper secritz, you can then include this partition inside/within another Truecrypt partition. This way if you are ever somehow forced to reveal your Truecrypt password then you can do the decryption on the outer layer and there is no way of knowing that you have an inner layer - it just looks like the regular and expected random padding made by the top layer.

    Not that I do this, but I just thought it was kinda cool. These guys have thought stuff through.

    Auckland • Since May 2008 • 169 posts Report

  • Keith Ng, in reply to Andrew C,

    Not that I do this, but I just thought it was kinda cool. These guys have thought stuff through.

    Oh yeah. That's precisely why I'm going to go through Truecrypt. This is from the Police Search Manual:

    A specified person may not be required to give any information tending to incriminate themselves. However, this does not prevent you from requiring them to provide information or assistance that is reasonable and necessary to allow you to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the person.

    In NZ, it's give up your password, or face 3 months in jail.

    Auckland • Since Nov 2006 • 543 posts Report

  • Keith Ng, in reply to Idiot Savant,

    Second Little Brother. I'm wondering if I need to have a key-signing party sometime.

    YES. I'll work something out for my next post.

    Auckland • Since Nov 2006 • 543 posts Report

  • Paul Campbell,

    Cool Keith front page of /.

    Discussion of the effectiveness of various forms of cryptography is fraught, it's not to be done by amateurs, and most of the professionals seem to work for 3-letter agencies, don't forget that the NSA helped set up TOR and have blessed various forms of crypto that are in common use - we honestly don't know why they blessed them - because they were good? or because they can be broken by the agency?

    Recently we've all learned that the old maxim "you're not paranoid if they really are out to get you" applies to being worried about secret police reading all your online communications too

    Even your tinfoil hats come from Rio Tinto, they're still great for keeping off the solar radiation though, not so much for wifi http://web.archive.org/web/20120411235930/http://berkeley.intel-research.net/arahimi/helmet/

    Seriously though, given Key's recent almost-admission in parliament (I mean he would have said "no" if he could wouldn't he?) what did the US give the GCSB millions of dollars for?

    Dunedin • Since Nov 2006 • 2623 posts Report

  • Stephen R, in reply to Keith Ng,

    In NZ, it's give up your password, or face 3 months in jail.

    In the UK it's worse. From Wikipedia's article on the RIP act

    Especially contentious was Part III of the Act, which requires persons to supply decrypted information (which had been previously encrypted by the owner) and/or the cryptographic key to government representatives. Failure to disclose these items is a criminal offence, with a maximum penalty of two years in jail.

    At least a couple of people have gone to gaol over that clause. The RIP act also requires ISPs to provide the government with technical assistance to intercept their customers' data (at the ISP's expense).

    I had felt somewhat smug for the last 10 years that we didn't have that problem here.

    Smugness has receded now.

    Wellington • Since Jul 2009 • 259 posts Report

  • HenryB,

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.12 (MingW32)

    hQEMA4M1NX6HbamyAQgAt9GgDIEMzUtLgD/u/7yM7QWLJoRIzSBpfFaRY8eaLxcp
    F0dDUK6WYHMglrEW6qQr7u2LymFxWQdSHrlyIItwtgj2TqrsxXEYOBBCtZz2lGgq
    /R84A5TZS3RkI4CGLaVshEoDcEuX95CEn3g0p1hJAkr4ibn6ZtH3z1KIwZZEaStB
    fR7+Q98T5dAEppFP5TN4dMqbEC2W/TuM1w4oQTBd60kZIfvLaX0XmOM8T/ELaCgS
    KErNJL5dxFdfSSUX04rmoH/oUFyZPnsS/OGB4hkZ238WMScSe043tuRfX0tAxQiX
    3ls0XLqZQPGXq78kgiKYOrubLjUiX5ZPvtaVc3wtJYUBDAM51OvWrWXIjgEIAKUg
    pB5YsjkwD08fMlEfUL2G3pKmCsWwhHS3VJYDgb/XL3xmHBR13arDi3mEVEOKekVh
    emLE0NTbdWZ79+8u8rs9KO/tFwnwGspUSp+p+FxjIHqRwmflhApo19ZBK9nix9dF
    1/2J96PaYAnLy25XgkLr6yncpc6F0zPdSHFHTx4JOGX+Q7lxLsNv94b0BxgcKX8I
    2SDxpqV926HUKKxXb///ua5wOC76KZDSBEayji4GpHghkXjpQhG7LchiIqZpBC8+
    Km/AicuO7l+htxM9hYnwwy7iNQdoiFXBfpnLhrkGGQHEEN/SFQo5YYEREXXvl0FO
    OciyulidWqvDhU9h6z7S6QF5jGnEFinp+UFPa9vqR7da4uNJXbDzgPrY4+nYcJXh
    9cBuVIE3Y/VSp5LXotlwsn0czalXJosclGLj0YpnysSZtZN8uYmB7lLyBgN4JtvW
    p+6cTchOqtlb0lCvmGZwVy6pLmOxLcQXnYBxfATxNoc00UGQoUhGY/JD5yh0b/Xn
    8wPnvceRpxQyUnAWadKAKivtWU+QzTcjkIzQOpfnI3ykVNfjIGB4IdEmnYT08vba
    wwROS3lWUkBHHp08vC8DwZ5QdCk2xfRfFdqKRWQAl5tHKuPQ1NbL0T+uTTJsHiWN
    sBq2kctBuyiMOPhHUnqRdt6l99STXj2I5rhjByGQmlHt0wk/47o1TeN4DRa2z3Nf
    Rbfpx5n8Sz13efGHN+K8VbTWehdZv55G5xv1ppQWTmkZwNA56NmDc4iXwXzS8lt3
    2a51bf03W4guUYM0zOZ1+fjEZCEId7ijmGbPlqSGOyA21qhmBzbtUR2U0wcOulmz
    7Ri49XwKTu4H02qKleqrNTB/PSMx6uK5KX17bAy48eAt2agaGHlnSDtrkf92KEj9
    j4RpzEvvnZt+R9ePrRxQySZsvAfnFXugGwE0h3Kci6qU3kTaCL0T3bHJg0wr+c+i
    lvD72KvK/pE2AMBMt4GCJhWBoDQFhg2PYxUdc00yZ9bl2V1zJetLZZilCEFaiBi5
    e3D0q5a/1vj9xTBXRPvaxhvdO0dMS9a5kereKqh3kwUZWG6hn1dNLz2PfjRHkhCB
    7/r/fYP76yOo4LXi3GZlj36umjmlyDHWGr00JsXK4MA32gNm3T+M5rOt169QHVNZ
    a4w6nwZhM/1f4tCzh/SYJfcuGQRD5hgU7vtDbg==
    =Ozim
    -----END PGP MESSAGE-----

    Palmerston North • Since Sep 2008 • 106 posts Report

  • Moz, in reply to Stephen R,

    At least a couple of people have gone to gaol over that clause.

    I half expect to go the same way. Not because I'm unusually prone to breaking the law, or doing anything particularly dodgy (I ride a push bike, so I'm not exactly mainstream), but because I have no intention of decrypting anything outside a public courtroom. Hopefully I'll have the guts to stick with that if shit happens.

    One problem is that I share a computer with my partner, who necessarily has the boot passwords which also mount the shared/common disk space.

    Also, I wish TrueCrypt gave some indication of how much random seed is enough... if I watch a half hour TV episode while jiggling the mouse is that much better than a 30 second scribble? How much? Does it matter? Who knows?

    Sydney, West Island • Since Nov 2006 • 1233 posts Report

  • Cameron Junge,

    For those mentioning Little Brother, the main point (that I got) of the book is that if the watchers are looking at you (ie. they're Big Brother) then the response is to look at them (ie. become Little Brother) . Encryption does not stop "them" spying on you, or abusing freedoms (ie. the $5 wrench solution). But letting the world know what they're doing puts the spot light back on them.

    BTW. There's a sequel to Little Brother, Homeland . An unfortunate outcome of using that name means that Fox has issued DCMA takedown requests... morons!

    Auckland • Since Jan 2009 • 45 posts Report

  • BenWilson, in reply to Paul Campbell,

    Recently we’ve all learned that the old maxim “you’re not paranoid if they really are out to get you” applies to being worried about secret police reading all your online communications too

    Isn't the saying "Just because you are paranoid doesn't mean they are not out to get you"?

    Auckland • Since Nov 2006 • 10657 posts Report

  • Martin Lindberg, in reply to Paul Campbell,

    Cool Keith front page of /.

    Now also front page of Ars Technica: New Zealand appears to have used NSA spy network to target Kim Dotcom.

    Stockholm • Since Jul 2009 • 802 posts Report

  • Ian Dalziel, in reply to Martin Lindberg,

    living in the Tron...

    “GCSB doesn’t even operate their own spy cloud.

    ... it's a bit sad that,
    of all countries,
    Aotearoa has no
    intelligence cloud
    to call its own...

    Christchurch • Since Dec 2006 • 7953 posts Report

  • Kumara Republic,

    For browsing, the Tor Network is a good start, even if it means a slight speed penalty.

    The southernmost capital … • Since Nov 2006 • 5446 posts Report

  • Keith Ng, in reply to HenryB,

    -----BEGIN PGP MESSAGE-----

    HenryB: Got it! And thanks!

    Auckland • Since Nov 2006 • 543 posts Report

  • Andrew C, in reply to Moz,

    Also, I wish TrueCrypt gave some indication of how much random seed is enough… if I watch a half hour TV episode while jiggling the mouse is that much better than a 30 second scribble? How much? Does it matter? Who knows?

    No, it itsn't greatly better Moz. It doesn't take much initial randomness to escalate into massive entropy after they start cycling the hashes.

    For anyone interested, Steve Gibson from GRC has a couple of podcast episodes on what Truecrypt is/does which are fairly accessible to the non propeller head types. Below are links to the transcripts. At the top of each transcript it also shows the web address to the podcast mp3's if you would prefer to listen - generally his podcasts are around 1hr long.

    https://www.grc.com/sn/sn-041.htm
    https://www.grc.com/sn/sn-133.pdf

    His "Security Now" podcast series is a great introduction into overviewing cryptography and internet security in general, amongst other things.

    Auckland • Since May 2008 • 169 posts Report

  • william blake,

    if you encrypt you MUST be guilty....therefore METADATA.

    Since Mar 2010 • 380 posts Report

  • Matthew Poole,

    “SECRET//COMINT//REL TO NZL, AUS, CAN, GBR, USA”. In other words, the selectors were entered into a secret communications intelligence system, and this secret system was considered related to Five Eyes:

    umm, not really. It means the request has a classification level of Secret, that its subject relates to communications intelligence (you got that bit right), and that it may be released to the members of Five Eyes.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Matthew Poole, in reply to Rich of Observationz,

    Key distribution, that’s the hard part. Ensuring that you have the public keys of everyone you want to contact and that these haven’t been tampered with.

    It’s a hard problem, partly because of the risk of the man-in-the-middle attack (where somebody intercepts your traffic, substitutes the key and encrypts/recrypts your mail). I think the community got a bit hung up on this though – it should be possible to build an infrastructure that’s strong enough and tamper-evident enough to make systematic monitoring very difficult.

    Taken care of, unless “they” manage to pull off a full-scale compromise of the PGP PKI. How? Key signing and levels of trust. If I meet Keith in person, verify his identity, and sign his PGP (for simplicity I will just say PGP instead of PGP/GPG) key, I will give it a very high level of validity because I have confirmed absolutely that he is Keith and it is his key. He can then take his signed key and put it onto the public key infrastructure (the PKI), complete with the indicator of the level of trust I have used for the signing. This would also happen with him signing my key and me uploading the signed key. Now, people whose keys I sign can trust that Keith’s key belongs to Keith, because they have confirmed that I am me and my key is mine. And so on, in a great big web of trust, where the further you get from an in-person signed key the lower the trust ranking you assign but also where the cumulative trust in all the upstream signers can sum up to near certainty that a key belongs to a given individual.

    Because all the signed keys get uploaded to the PKI, and the original signers have confirmed the original key fingerprints, carrying out some kind of MITM between people who haven’t actually met means secretly subverting the PKI and changing the key fingerprints (which is how one looks up a specific key within the PKI) so that those people will get compromised keys. That subversion also needs to forge all the signatures on the keys, which becomes harder and harder to do as the web grows.

    The most efficient way to get a whole lot of trust going on is a key-signing party (HT’ing to I/S instead of linking direct), which can mean a dozen people or more all establish the highest level of trust in each other’s keys, and if those signed keys are all uploaded to multiple PKI servers it’s an enormous job for “them” to subvert all of those keys and all of the cross-signing. Especially if people have signatures from outside the party, so it’s not just a matter of breaking the keys of that small number of people.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Moz, in reply to Andrew C,

    <q>TrueCrypt how much random seed is enough?

    It doesn’t take much initial randomness to escalate into massive entropy after they start cycling the hashes.</q>

    Thanks. That's handy because I fairly regularly find myself regenerating keys for TB+ drives, and aside from going "gosh, that's a lot of bits", I've never really had a feel for just how much random input is required.

    Sydney, West Island • Since Nov 2006 • 1233 posts Report

  • Matthew Poole, in reply to Adam Shand,

    Get a client that supports OTR (Off The Record), on the Mac that’s Adium. So long as you’ve clicked the “generate key” and both people have OTR installed, messages are encrypted.

    But it’s only worthwhile if you take the key verification seriously, because if you don’t you could be getting man-in-the-middle’d by “them” and not know it. My experience with OTR is in both Adium and pidgin (Adium is the Mac version of pidgin), and both implementations provide for verification through shared-secret, question-and-answer, and manual (off-line) verification of the identity of the key’s creator. I’ve done both Q&A and manual (via SMS) verification of different people with whom I use OTR.

    As with anything related to public-key encryption, the assurance OTR provides that you’re not being MITM’d is only as strong as the effort one puts into validating the association between the key and its purported owner.

    Auckland • Since Mar 2007 • 4097 posts Report

  • nzlemming, in reply to TracyMac,

    You need a third-party-signed certificate, but there are free providers

    And you know these haven't been compromised because...?

    The biggest advantage of rolling your own keypair is KNOWING that there was no compromise in the process, IMHO.

    Waikanae • Since Nov 2006 • 2937 posts Report

  • Brian Murphy,

    http://www.theregister.co.uk/2013/08/22/guardian_snowden_advice

    The register has some sage and tongue in cheek, but true, information here.

    Auckland • Since Nov 2006 • 48 posts Report

  • Matthew Poole, in reply to nzlemming,

    The biggest advantage of rolling your own keypair is KNOWING that there was no compromise in the process, IMHO.

    Provided you assembled the compiler from scratch and verified the source code of the tools you're using the build the keys, of course :P

    You're right, though, that the only way to know the key hasn't been compromised is to have control over the whole process of creation - including complete control over the system used, which rules out Windows 8 courtesy of MS-supplied back-doors.

    Auckland • Since Mar 2007 • 4097 posts Report

First ←Older Page 1 2 3 4 Newer→ Last

Post your response…

This topic is closed.