Posts by Stephen R


  • Hard News: This time it's Syria, in reply to Ian Dalziel,

    Has it definitely, irrefutably moved from the 'regime's "alleged" use' status...?

    I haven't seen any evidence beyond the victims being on the rebel side.

    Earlier accusations have claimed use of poison gas by both sides. It could have been an accident (artillery hitting stored poison gas); it could have been the rebels trying to trigger US intervention (since the US has previously implied that they were staying out of it unless the regime used gas); or it could have been the Assad regime thinking that nobody found out/did anything the last time they used it so why not...

    As someone said on RadioNZ this morning, the regime was currently winning as long as the US stayed out of it, why would they do the one thing likely to trigger US intervention?

    I'm withholding judgement for the moment.

    Wellington • Since Jul 2009 • 259 posts Report

  • Hard News: Political Idol, or whatever…, in reply to Craig Ranapia,

    Come on, stun me with some actual principles you can be held accountable for!

    I agree with this so much.


  • OnPoint: Ich bin ein Cyberpunk, in reply to Keith Ng,

    In NZ, it's give up your password, or face 3 months in jail.

    In the UK it's worse. From Wikipedia's article on the RIP Act:

    Especially contentious was Part III of the Act, which requires persons to supply decrypted information (which had been previously encrypted by the owner) and/or the cryptographic key to government representatives. Failure to disclose these items is a criminal offence, with a maximum penalty of two years in jail.

    At least a couple of people have gone to gaol over that clause. The RIP Act also requires ISPs to provide the government with technical assistance to intercept their customers' data (at the ISP's expense).

    I had felt somewhat smug for the last 10 years that we didn't have that problem here.

    Smugness has receded now.


  • OnPoint: Ich bin ein Cyberpunk, in reply to Keith Ng,

    Fair cop guv.


  • OnPoint: Ich bin ein Cyberpunk, in reply to B Jones,

    Maybe this is a silly question, but given that I understand encryption that can't be cracked by governments isn't supposed to be publicly available (limit to number of keys) - isn't there a risk with encryption that using it attracts attention in and of itself, and that with small volumes of encrypted traffic, agencies can comfortably handle the processing power to crack it?

    That hasn't been true since PGP escaped into the wild. Phil Zimmermann invented PGP, which was promptly classified as a weapon in the USA and not to be exported. So he published a book with the source-code in it (since publishing is a protected right) which he was allowed to export, and which was then scanned, corrected, compiled and that's where a lot of people got PGP from.

    There was an attempt in the 90s under Clinton to limit key lengths or force every encryption system to have a back-door in it the US government could use to read the plaintext, but various people (Bruce Schneier among them) pointed out that making the US have sub-standard encryption when the rest of the world (who also had smart people who knew about encryption) had proper encryption was just asking for trouble.

    The US government backed down, and now there is encryption out there that theoretically Governments can't decrypt. The devil is in the detail though. As I mentioned above, installing keyloggers is one tactic the FBI have used to get plaintext, and if you can find the private key you can attempt to brute force the password (passwords are, in general, crap security).

    There are also man-in-the-middle attacks where they pretend to be each party to the other party, and encrypt/decrypt in the middle leaving both parties feeling secure (which is why getting the fingerprint to their public key directly from them via voice or written on paper in hand-writing, rather than via email, is a good step for the paranoid). For instance, NoRightTurn just published his fingerprint in the same post as his key. If someone can hack the page to change what people see as the key, then they can do the same to the fingerprint, so in that case, it's not more secure than just posting the key. If someone was getting the key from a public keyserver or via another route, and could then verify the fingerprint from his website or a sig on all of I/S's mails then that would be more useful. (It would be difficult for attackers to compromise all the examples of I/S's signature, and I/S would probably notice.)


  • OnPoint: Ich bin ein Cyberpunk,

    The two reasons I gave up bothering with PGP ten years ago were:
    a) The number of people I wanted to exchange email with who had a public key and could remember their passphrase was practically nil
    b) Wanting to access mail from multiple locations/devices makes private key management (especially across platforms) a real pain.

    "Little Brother" by Cory Doctorow has some nice scenes about how to set up a secure comms network with people you know under monitoring. Cory actually knows a bit about this stuff too, so it's probably worth reading, even for readers who aren't in the "Young Adult" category it's aimed at.


  • OnPoint: Ich bin ein Cyberpunk, in reply to TonyWebb,

    It would also be great to see some information on anonymous browsing via Tor (this is now fairly easy to set up - I posted this via Tor) and darknets such as I2P if you have the time or inclination.

    I've read suggestions that some Tor gateways might already be either provided by or compromised by the NSA et al, and therefore not nearly as anonymous as you might like to hope. Along with a Firefox exploit that waits till you're not using Tor then phones home (with enough information to tell them what your Tor link had been).

    http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

    Paranoia? Maybe. Maybe not. Bugs and exploits are sufficiently common (and people trying to break them very clever) that I'm not sure you can guarantee security unless you have throw-away hardware you never use for anything else but your secure comms. Combine something like a cheap laptop bought with cash and cafe-net or cbd-free and never put your real name on the laptop (and never link it to your home network) and you're probably OK. Although at that point, you have difficulty proving you are who you say you are to people you talk to, and it's a lot of work. Oh, and probably you don't want to carry your cell-phone to the place you use to hook into the net (or that metadata they're collecting will tell them a list of everyone in the area when your clean laptop logs on), and you don't want to buy coffee there with anything but cash while you're using their network...

    I'd also note that being this paranoid is hard work, and most people don't think it's worth it. It's sufficiently hard work that the head of the CIA was unable to keep his affair secret, even though he went to some effort...

    If the spooks really want to break PGP, they break into your house, copy your private key and install a keylogger to get your passphrase. (or hack your PC and do the whole lot remotely.) It's just easier than trying to crack the encryption.


  • Speaker: Naked Inside the Off-Ramp, in reply to Russell Brown,

    I would be astonished if the inquiry recommended the abolition of the GCSB and SIS.

    As would I. Although I could imagine a political case being made that the GCSB shouldn't be feeding data to the Five Eyes network any more... Think of it like the privacy version of the nuclear free campaign.


  • Hard News: Fluency, ease of manner - and…, in reply to Craig Ranapia,

    Or, you know, you can ask yourself who's running the NSA these days, and whether American liberals who voted for Obama - twice - bear collective blood guilt for every warrantless interception, drone strike and nonsensical detention conducted on his watch.

    The problem there is that democracy is a bit of a blunt tool. If I were able to vote in the US elections, I might well have held my nose and voted for Obama because the other option was worse.

    Back in NZ, people can be very upset with particular stuff National does, and yet vote for them because they think that Labour (and any parties they stitch up a support deal with) would be worse. That could explain National's re-election with a policy of asset sales, despite polls suggesting two thirds of New Zealanders disapproved.

    But you know all this, Craig.

    Personally, one thing that annoys me in the last day or so is John Key saying that the people who oppose the bill just don't understand it. It's like he doesn't believe that intelligent people could have a different opinion about the GCSB or privacy than he does, so we must be stupid.


  • Hard News: Fluency, ease of manner - and…,

    The concept of the Guardian having backup copies (on site or off) never occurred to them?

    I just don't understand what the GCHQ thought they were achieving.

