PRISM

Khannie wrote: »

Ah it was more an intellectual exercise tbh. I'll be honest, it took quite a bit of messing around to get done. I have about 10 years using linux as my every day OS now and I was glad of every minute of experience doing it. I mostly followed an article that I'll dig out for you if you like? I had to digress from it at a few points because of my own setup and the fact that I only wanted to use 1 USB key (the article calls for 2 - 1 for /boot and 1 for the key where I have both on the same key).

edit: actually having the key would be only semi-useful. My /home partition is stored as a further password encrypted partition on that already encrypted root partition. Nothing a good beating wouldn't reveal though.

It's a cost / benefit thing though. There's nothing of interest on my machine, so you wouldn't really be arsed investing much effort in getting it.

Capt'n Midnight wrote: »

What if DuckDuckGo is really a honeypot ? :eek:

Capt'n Midnight wrote: »

/me opens a facebook account in silentrust's name and starts phishing

AnCatDubh wrote: »

For anyone curious: 4pm BST today - a live chat with Snowden.

http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower?CMP=twt_gu

EDIT: Oh and....

Khannie wrote: »

I took it to mean that the machine hosting your key is the weak point (and let's be honest, it is). If you're using strong encryption end to end there are only two options for decryption:

1) Try to break it
2) Try to get the key

Khannie wrote: »

For me it's more that if you're using PGP and you were someone that I wanted to snoop on, I would try and get inside your computer to steal the private key, then just happily decrypt away.

bedlam wrote: »

Sorry, may not have been clear, not storing keys on USB, storing them on a smart card (example howto here). Putting your keys onto the card is a one way process, they can not be taken off. The weak point (assuming no hardware backdoors) is they are protected by a pin, though get the admin pin incorrect x number of times and the card will be destroyed.



You must disclose your password here too.

bedlam wrote: »

Yes. You have your master key backed up else where. All they have are a copy of the sub signing / encryption keys. Once 'safe' you send out your revocation cert to contacts and key servers and they generate new sub keys for your master key.

I am a little confused at who you see you adversary being. In one post you are talking about using closed source cloud services to store data with out a worry in the world and the next you are bring up scenarios where two nation states conspiring to get you. If you are planning for the latter, realistically you don't have much hope and you've already fscked up by discussing in public your security setup, they now know what to look for



Not the same thing. take some time, read up on what they both do.



Are these the same experts who store their GPG keys in the cloud unprotected because they think the private key is encrypted?

Capt'n Midnight wrote: »

3) bypass all the security by using a key logger or listen to they keypresses if you control the mic

also doesn't rule out the possibility of man in the middle in the cases where such a thing might be possible

and the lovely cover all where in some cases it's an offence to withhold your password

bedlam wrote: »

Not discussing your security setup is not security through obscurity. Not telling people you use truecrypt, Tor, gpg, e.t.c has no detrimental effect to your security/privacy. I'd go so far as to say in certain cases (you planning for the possibility of becoming a person of interest) it is better to stay quiet, disclosing things means that the adversary can narrow the scope of their attack and knows what to look for or target, I'll refer you back to grugq's talk, the human element is what will fsck you over be it you or someone close to you.

The Tor Project discussing the development of Tor is not the same as you discussing your operational security, in the case of Tor (or any other tool) development it is beneficial to disclose everything so 1) the system can be trusted and 2) the tools can be properly audited.



Or they know when to STFU™.



As I mentioned before, the biggest benefit is your keys can not be stolen from the device, each and every time you use gpg4usb from your USB key your keys are at risk. A keyfile will not work with a smart card.

dalta5billion wrote: »

Same in Ireland, inferences can be drawn from you failing to explain evidence they find on you.

Fascinatingly, if you stay silent during Garda questioning when you have an alibi/evidence exonerating you, they can also draw inferences at trial.

Khannie wrote: »

On not handing over your password / it being an offence - The issue here is whether you have anything illegal worth hiding. It seems ludicrous to me that you can have a quick think about it and decide whether it's worth spending the year in prison for refusing to hand over your password or donkeys in prison for whatever uglies you may have on your hard drive. For a nasty person, it's surely an easy trade off. That seems like a badly designed law to me.



I'm happy to admit that I intend running a mail server from home. It would be trivial for anyone with any knowledge to determine this quickly anyway. I will need a static IP address. A quick reverse DNS on that will tell you that it's a home IP.

The question is - do I have the knowledge to secure it from someone who would attempt to gain access over the network? The answer to that (conveniently for me) is that I believe that I do.

It's a bit of a cost / benefit thing though. I'll invest some effort in it, because I value privacy. However I don't have anything worth hiding so that effort will be limited in its scope because I've better things to be doing with my time.



You assume that physical access = compromised. It's not beyond possibility to set up a machine in such a way that this is not the case. I linked one earlier.

Now I remember reading Kevin Poulsens book and there was an incredibly elaborate method of retrieving his decryption key from RAM used (though it relied on the machine being on). It is safe to say that nobody will be arsed pulling that kind of thing on me and if they do, well sure fair play to them. I'm pretty sure they will be sorely disappointed with what they reap from their investment.