PRISM

Khannie wrote: »

Thanks for the links there nmop.



Interesting article. I consider everyones keys compromised now tbh. I will only trust my own. My data is secure between me, google and the NSA. That's something at least. :pac:

This bit:



I can confirm to be absolute bollox. It does require quite a bit of compute power to decrypt large volumes of SSL encrypted traffic, even with the keys. HOWEVER (and it's a big however - do you see what I did there?) if you were using any of the following and have a large budget, you would be well able to decrypt the sh*t out of everything:

- hardware assist (pretty sure AES-NI on the new intel chips can be used to help decrypt SSL, though I haven't fully read into it)
- hardware acceleration (there are SSL decrypt cards out there)
- commodity hardware in a decent compute cluster (a la the goog)

Well....really it's only a question of cost when you have the keys.

Khannie wrote: »

Meh, I have a box set up where it will only boot with a USB key containing both the /boot partition (to avoid getting the shaft from a malicious initrd) and the decrypt key for the root partition (a 256bit key). It was fun doing it. I learned a lot.

Of course in a situation like that you have to keep the USB key secure.

Khannie wrote: »

They are definitely not. Private industry overtook what governments could achieve many years ago. Intels R&D budget just blows the crap out of whatever the US government can and should spend on trying to create its own hardware. Why bother?

Now the flip side to this is that they obviously have a massive budget so not much is beyond them if they really want it. It's clear that they think they're acting in their nations best interests. Many (most?) Americans believe some intrusion into privacy is worth the security benefits and I find it difficult to argue strongly against that. It's easy for us living in our nice peaceful land that nobody wants to see burn to the ground to say that it's all nasty and terrible. When you're dealing with nations like Afghanistan where 92% of the population have never heard that 9/11 happened (WTF? link) and they think you're there to crush their religion, well how do you combat that?

Again though - you'd want to be some idiot to be:

1) planning something (this is your first mistake - you are an idiot to plan doing something because you probably have not got a good enough understanding of all the underlying technologies or how to exploit them to your benefit to save yourself from getting caught and when you are caught you haven't got the knowledge or the stones to look after yourself properly)
2) talking about it
3) using anything other than your own privately, properly secured communications method to do it

That opsec talk that I believe bedlam linked to earlier discussed someone exchanging password information over facebook chat. Those people deserve to get caught. If you are doing that, you may as well be handing yourself over for a good spanking. Tools.

Khannie wrote: »

Ah it was more an intellectual exercise tbh. I'll be honest, it took quite a bit of messing around to get done. I have about 10 years using linux as my every day OS now and I was glad of every minute of experience doing it. I mostly followed an article that I'll dig out for you if you like? I had to digress from it at a few points because of my own setup and the fact that I only wanted to use 1 USB key (the article calls for 2 - 1 for /boot and 1 for the key where I have both on the same key).

edit: actually having the key would be only semi-useful. My /home partition is stored as a further password encrypted partition on that already encrypted root partition. Nothing a good beating wouldn't reveal though.

It's a cost / benefit thing though. There's nothing of interest on my machine, so you wouldn't really be arsed investing much effort in getting it.

Capt'n Midnight wrote: »

What if DuckDuckGo is really a honeypot ? :eek: