
PRISM

Comments

  • Banned (with Prison Access) Posts: 46 nmop_apisdn


    NSA-proof encryption exists. Why doesn’t anyone use it?

    Can the NSA Break AES?
    Khannie wrote: »
    SSL
    Freedom Eagle
    silentrust wrote: »
    PGP
    "Freedom", "SSL" and "PGP" are keywords the NSA ironically deems to be red flags.

    :pac: (Strike 2 Silent)

    scully, haha.

    The NSA has us snared in its trap – and there's no way out

    However

    Don’t Panic, But We’ve Passed Peak Apple. And Google. And Facebook.

    (Good...insight)

    But whatever company rises/takes the mantle will just receive the Yahoo treatment so it doesn't matter. And now that PRISM is out and nobody cares, (57% Fear Government Will Use NSA Data to Harass Political Opponents) may as well be in yo face about from now on.

    IRS tracks your digital footprint
    it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records
    http://www.presstv.ir/usdetail/308630.html




    http://phys.org/news/2013-06-secret-prism-bigger-seizure.html
    Any company in the communications business can expect a visit, said Mike Janke, CEO of Silent Circle, a company that advertises software for secure, encrypted conversations. The government is eager to find easy ways around security.

    Onion Pi Tor proxy


    Richard Stallman calls Ubuntu “spyware” because it tracks searches

    GCHQ intercepted foreign politicians' communications at G20 summits

    Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian.

    The G20 spying appears to have been organised for the more mundane purpose of securing an advantage in meetings. Named targets include long-standing allies such as South Africa and Turkey.

    Receiving reports from an NSA attempt to eavesdrop on the Russian leader, Dmitry Medvedev, as his phone calls passed through satellite links to Moscow.
    Six reasons why choosing Hong Kong is a brilliant move by Edward Snowden




    How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    /me opens a facebook account in silentrust's name and starts phishing

    I've told my friends and family I am leaving and given them my e-mail so they can stay in touch, suggest anyone leaving social networks do the same for the reasons the good Captain states. :-)


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    For anyone curious: 4pm BST today - a live chat with Snowden.

    http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower?CMP=twt_gu

    EDIT: Oh and....
    An important caveat: the live chat is subject to Snowden's security concerns and also his access to a secure internet connection. It is possible that he will appear and disappear intermittently, so if it takes him a while to get through the questions, please be patient.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    AnCatDubh wrote: »
    For anyone curious: 4pm BST today - a live chat with Snowden.

    http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower?CMP=twt_gu

    EDIT: Oh and....

    Just read the answers to the questions. He claims that strong encryption does work which is a relief but apparently the NSA are quite good at snooping on security endpoints - I take this to mean if you want to communicate securely you'd have to do so entirely within Tor, I2P and the like?


  • Banned (with Prison Access) Posts: 46 nmop_apisdn




  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie



    Ouch. :( He must be under tremendous pressure. Oh look....it's on Fox. :pac:

    I read the AMA there yesterday. A classic line in it about Cheney and it being an honour to be called treasonous by him. :D


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    silentrust wrote: »
    Just read the answers to the questions. He claims that strong encryption does work which is a relief but apparently the NSA are quite good at snooping on security endpoints - I take this to mean if you want to communicate securely you'd have to do so entirely within Tor, I2P and the like?

    I took it to mean that the machine hosting your key is the weak point (and let's be honest, it is). If you're using strong encryption end to end there are only two options for decryption:

    1) Try to break it
    2) Try to get the key


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    I took it to mean that the machine hosting your key is the weak point (and let's be honest, it is). If you're using strong encryption end to end there are only two options for decryption:

    1) Try to break it
    2) Try to get the key

    Think you're right Khannie, it is a weak point of Tor certainly that the first "hop" to the network makes it trivial to detect you're running it so presumably they could force an ISP to search for connections of this kind and come hoof in your door so they can subject your machine to forensic analysis.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    For me it's more that if you're using PGP and you were someone that I wanted to snoop on, I would try and get inside your computer to steal the private key, then just happily decrypt away.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    For me it's more that if you're using PGP and you were someone that I wanted to snoop on, I would try and get inside your computer to steal the private key, then just happily decrypt away.

    Good thinking Khannie.

    One of my new buddies on SR told me he saved time by putting his GPG program in his "Skydrive" which of course included his keyring... he thought that the fact that the private key is itself encrypted would be enough to put off snoopers.

    No, no a thousand times no! Your private key needs to be kept safe! I keep mine in a secure container using an encrypted USB stick. One of the many advantages of using Ubuntu is that like most flavours of Linux it can encrypt an entire drive without you needing any special software.

    Similarly there are those people who use LiveCDs to do the dirty, generate a keypair and then act all surprised when they can't decrypt e-mails the following week. Sad to say you do need to keep a copy of your keys safe somewhere... :-)


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    Use hardware to protect your sub keys for day to day use and have an encrypted backup of your master key which you access with a trusted offline system when you want to update subkeys.

    Interesting link thanks Bedlam. I suppose what's always put me off about having an Ironkey style device is in case the secret police hoof in your door and demand the password (as they can in the UK under the Regulation of Investigatory Powers Act) - not sure where Irish law stands on this but would be interested to hear from anyone in the know about this.

    The advantage of encrypting entire USB keys with Truecrypt is that it's virtually impossible to distinguish between encrypted and random "chaff" data so you can plausibly say that you've simply used one of the many programs available to wipe the USB stick and that it contains no data at all. The burden of proof would be on the Prosecution to show otherwise.

    You also have the option to create a hidden partition so you can place some plausible looking stuff in the main area and then hand over your "safe" password if compelled to do so.

    As such, while I think hardware based encryption is more secure in theory, there are ways it could be less helpful in practice. Of course if you can't be punished for remaining silent here in Ireland, go for it! :-)
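
Added example, not part of any post in this thread: a Python check of the key layout bedlam describes in the quote above (master key kept offline, subkeys held on a card). It parses `gpg --list-secret-keys --with-colons` output, where field 15 of a `sec`/`ssb` record is `#` for a stub, a token serial number for a card-held key, and `+` when the secret key is on the machine; the listings, key IDs and card serial are constructed, and treating an empty field 15 as on-disk is an assumption made for older GnuPG output.

```python
from dataclasses import dataclass

# Constructed listings (key IDs, dates and the card serial are made up).
# Hardened layout: primary key is a stub ('#'), both subkeys sit on a card.
SAMPLE_HARDENED = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1371427200:::u:::cSEA:::#:::0:
uid:u::::1371427200::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1371427200::::::s:::D2760001240102000000000000010000:::
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1371427200::::::e:::D2760001240102000000000000010000:::
"""

# Keyring carried on a USB stick or synced folder: all secret material on disk.
SAMPLE_ON_DISK = """\
sec:u:4096:1:DDDDDDDDDDDDDDDD:1371427200:::u:::scESC:::+:::0:
uid:u::::1371427200::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:EEEEEEEEEEEEEEEE:1371427200::::::e:::+:::
"""


@dataclass
class SecretKey:
    record: str        # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    capabilities: str  # field 12, e.g. "s" sign, "e" encrypt, "c" certify
    location: str      # "offline", "card" or "disk"
    token_serial: str  # card serial number when location == "card"


def classify_location(field15: str) -> str:
    """Map field 15 of a sec/ssb record to where the secret key lives."""
    if field15 == "#":
        return "offline"   # stub only: secret part is not on this machine
    if field15 in ("", "+"):
        return "disk"      # assumption: empty means on-disk in older output
    return "card"          # anything else is a token serial number


def parse_secret_keys(listing: str) -> list[SecretKey]:
    """Extract the sec/ssb records from a --with-colons listing."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (15 - len(fields))  # tolerate truncated records
        location = classify_location(fields[14])
        serial = fields[14] if location == "card" else ""
        keys.append(SecretKey(fields[0], fields[4], fields[11], location, serial))
    return keys


def audit(listing: str) -> list[str]:
    """Return findings where the keyring departs from the offline-master layout."""
    findings = []
    for key in parse_secret_keys(listing):
        if key.record == "sec" and key.location != "offline":
            findings.append(
                f"primary key {key.keyid} is present for daily use ({key.location})")
        elif key.record == "ssb" and key.location == "disk":
            findings.append(
                f"subkey {key.keyid} [{key.capabilities}] has secret material on disk")
    return findings


if __name__ == "__main__":
    for name, listing in (("hardened", SAMPLE_HARDENED), ("on-disk", SAMPLE_ON_DISK)):
        print(name, audit(listing) or "OK")
```
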


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    Sorry, may not have been clear, not storing keys on USB, storing them on a smart card (example howto here). Putting your keys onto the card is a one way process, they can not be taken off. The weak point (assuming no hardware backdoors) is they are protected by a pin, though get the admin pin incorrect x number of times and the card will be destroyed.



    You must disclose your password here too.

    Thanks for this, forgive my stupidity Bedlam, if you can be compelled to decrypt data though, wouldn't possession of said smart card still raise the problem we discussed before in that it's then possible to prove that you're in possession of encrypted data (or else why would you own the card?)

    I suppose you could just give them a few fake pin numbers so that the key would be lost to everyone?

    I think these devices might be useful as a blind insofar as that you could use it to encode some important looking e-mails/files which you can use as red herrings but if the actual security offered is no better than the 4096 bit key already on my USB stick then I'd rather just carry the password around in my head and let them prove the stick contains encrypted data...

    ...Perhaps I'm being overly paranoid though?


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    They'll know you are using crypto when they see encrypted emails anyway.



    The keys can not be stolen from a smart card, you have to physically take the card to make use of the keys on it. The keys on your USB key are at risk of theft any time you decrypt/mount the key.

    Ok so we're looking at a situation where the US subpoena your Google Mail account for instance and see you've been sending encrypted e-mails. You're frogmarched to the local Police Station along with your smart card but as you say possession of it in itself does them no good.

    So presumably they'll try and use Irish law to compel you to give up the PIN number in this case? Is there a way for you to retrieve your own data if they let you go but keep the card?

    My only experience of these is with Yubikeys, the experts on the Silk Road told me to stay away for the reasons I mentioned, perhaps they were being too dismissive.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    Yes. You have your master key backed up elsewhere. All they have are a copy of the sub signing / encryption keys. Once 'safe' you send out your revocation cert to contacts and key servers and they generate new sub keys for your master key.

    I am a little confused at who you see your adversary being. In one post you are talking about using closed source cloud services to store data without a worry in the world and the next you are bringing up scenarios where two nation states are conspiring to get you. If you are planning for the latter, realistically you don't have much hope and you've already fscked up by discussing in public your security setup, they now know what to look for :)



    Not the same thing. take some time, read up on what they both do.



    Are these the same experts who store their GPG keys in the cloud unprotected because they think the private key is encrypted?

    To answer your questions:

    - I am trying to hope for the best and plan for the worst. It may well be the case that someone who doesn't take proper precautions could be detected by the kind of "passive" surveillance being exploited by PRISM and then could find themselves on the receiving end of some much more direct observation.

    I don't worry about discussing my security setup any more than the good people at the Tor Project do - security by obscurity is notoriously unreliable as if someone were to say they can't discuss the methods used then it would show they aren't much good when subjected to scrutiny. The short answer is that I am looking for ways to protect my personal info from both passive and active surveillance, as I hope is anyone else interested in privacy.

    - I understand the principles behind the YubiKey, they seem to operate along much the same lines as the OpenPGP cryptostick that was linked above. I still fail to see much of an advantage over software based encryption, perhaps combined with a keyfile but I will take your advice and do some more reading all the same.

    - The experts in this case were not the geniuses who left their private key exposed for all to see. Perhaps unsurprisingly the young man in question disappeared shortly after making this announcement. So much for OPSEC...!


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,760 Mod ✭✭✭✭Capt'n Midnight


    Khannie wrote: »
    I took it to mean that the machine hosting your key is the weak point (and let's be honest, it is). If you're using strong encryption end to end there are only two options for decryption:

    1) Try to break it
    2) Try to get the key
    3) bypass all the security by using a key logger or listen to the keypresses if you control the mic

    also doesn't rule out the possibility of man in the middle in the cases where such a thing might be possible

    and the lovely cover all where in some cases it's an offence to withhold your password :(


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    3) bypass all the security by using a key logger or listen to the keypresses if you control the mic

    also doesn't rule out the possibility of man in the middle in the cases where such a thing might be possible

    and the lovely cover all where in some cases it's an offence to withhold your password :(

    Yes, apparently it's an offence in Ireland as it is in the UK. God bless hidden volumes is all I can say. Plausible denial is paramount in countries like this.

    I suppose the "evil maid" attack can be countered by good physical security although I don't hold with those smug so and so's who say, "If someone has your computer, it's not your computer," - I've been down this road when the powers that be seized my encrypted laptop and after six months of bellyaching about the fact they couldn't get into it, they meekly handed it back.


  • Banned (with Prison Access) Posts: 46 nmop_apisdn


    At the Supreme Court, Divisions and Signs of Trouble to Come
    In Salinas v. Texas, the justices gave prosecutors a gift by upholding the murder conviction of a man whose silence during questioning was subsequently at trial used to help convince jurors of his guilt. What the decision really means is that to invoke your right to remain silent you have to initially speak up.


  • Registered Users Posts: 1,034 ✭✭✭dalta5billion



    Same in Ireland, inferences can be drawn from you failing to explain evidence they find on you.

    Fascinatingly, if you stay silent during Garda questioning when you have an alibi/evidence exonerating you, they can also draw inferences at trial.


  • Banned (with Prison Access) Posts: 46 nmop_apisdn




  • Closed Accounts Posts: 4,390 ✭✭✭clairefontaine


    It's like another McCarthy era.

    Can anyone explain how to protect your emails?

    This legislation is an excuse. The real criminals are using things like hushmail and putting their communications in the draft folder and not transmitting. The US govt is well aware of this. They are definitely not using gmail.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    It's like another McCarthy era.

    Can anyone explain how to protect your emails?

    This legislation is an excuse. The real criminals are using things like hushmail and putting their communications in the draft folder and not transmitting. The US govt is well aware of this. They are definitely not using gmail.

    Hi Claire,

    Although I don't think criminals would use Hushmail due to their rather lackadaisical attitude towards sharing encrypted data with the government, I take your point! I suggested before the program GPG4USB - as the name suggests it can be stored on a USB stick and the website itself contains some great beginners' info on how and why we can protect e-mails, so by all means take a look and if you need any help do send me a PM.

    I was a member of the Silk Road website for a time and they insisted on using GPG encrypted e-mails with the e-mail provider Tormail which without going into excessive detail makes interception near nigh impossible. We've yet to see a case where someone was caught that way although as the good folks here have already pointed out, it won't protect you against your machine being seized, you being forced to hand over your passwords through draconian laws or someone installing a virus on your machine to record what you type... still I live in hopes this will serve to help people take privacy more seriously!


  • Banned (with Prison Access) Posts: 46 nmop_apisdn




  • Registered Users Posts: 367 ✭✭900913




  • Closed Accounts Posts: 678 ✭✭✭silentrust


    bedlam wrote: »
    Not discussing your security setup is not security through obscurity. Not telling people you use truecrypt, Tor, gpg, e.t.c has no detrimental effect to your security/privacy. I'd go so far as to say in certain cases (you planning for the possibility of becoming a person of interest) it is better to stay quiet, disclosing things means that the adversary can narrow the scope of their attack and knows what to look for or target, I'll refer you back to grugq's talk, the human element is what will fsck you over be it you or someone close to you.

    The Tor Project discussing the development of Tor is not the same as you discussing your operational security, in the case of Tor (or any other tool) development it is beneficial to disclose everything so 1) the system can be trusted and 2) the tools can be properly audited.



    Or they know when to STFU™.



    As I mentioned before, the biggest benefit is your keys can not be stolen from the device, each and every time you use gpg4usb from your USB key your keys are at risk. A keyfile will not work with a smart card.

    Yes it's a difficult one I admit as we discussed in the other thread on here for ways to live PRISM free - personally I would be much more worried about people who say they've their own mail server at home as opposed to those people who've admitted to using tormail or switching to a provider less likely to provide data to the US.

    Of course I suppose this can be a self defeating argument as if you're not already a person of interest there is little danger of stormtroopers coming for you in the night and seizing your machines.

    I really am interested in hearing everyone's thoughts on this and hope you'll forgive me failing to see how one of these crypto sticks for instance can provide better security, though I am sure you're right in saying they can!

    I do stand by my point though that this is something we should all be thinking about more often and any kind of setup we have should be able to withstand some scrutiny - it is a calculated risk I admit but it's also Schneier's first rule of security that anyone can invent a system that they themselves can't break into! :-)


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,760 Mod ✭✭✭✭Capt'n Midnight


    Conspiracy theorists can make what they want of NSAkey.dll ("you called it WHAT ?!") but I'm sure that most large software and hardware companies have put backdoors in their systems for their governments. Some have even been acknowledged.

    And that's not counting the possibility that others may have snuck them in. Microsoft have nearly 100,000 employees worldwide and you want to convince me that none of them have links to spooks? Despite the huge financial savings that could be made vs. building massive code breaking computers back in the bunkers.

    Also most commercial software has vulnerabilities, and sometimes they aren't patched until they have outlived their usefulness.

    And a compromised BIOS could possibly read the keyboard and send packets to the local LAN.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Same in Ireland, inferences can be drawn from you failing to explain evidence they find on you.

    Fascinatingly, if you stay silent during Garda questioning when you have an alibi/evidence exonerating you, they can also draw inferences at trial.

    Wow really? It's even worse than England then!

    The last exchange I had with a Criminal Defence Solicitor he told me that it simply wasn't in the interest of a truly innocent person to let things get to the trial stage if they had evidence that would exonerate them.

    Aside from the fact that he seemed to draw a line between the deserving and undeserving innocent I did point out that it might well be the case that people who've been subject to a miscarriage of justice in the past might well take delight in wasting Police time and being as obtuse as possible.

    Especially important in this case as people might assume that the only reason you wouldn't give up your key is because you're hiding something illegal.


  • Closed Accounts Posts: 678 ✭✭✭silentrust



    Thanks for this nmop, I have made the switch from Google and couldn't be happier.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    On not handing over your password / it being an offence - The issue here is whether you have anything illegal worth hiding. It seems ludicrous to me that you can have a quick think about it and decide whether it's worth spending the year in prison for refusing to hand over your password or donkeys in prison for whatever uglies you may have on your hard drive. For a nasty person, it's surely an easy trade off. That seems like a badly designed law to me.
    silentrust wrote: »
    personally I would be much more worried about people who say they've their own mail server at home as opposed to those people who've admitted to using tormail or switching to a provider less likely to provide data to the US.

    I'm happy to admit that I intend running a mail server from home. It would be trivial for anyone with any knowledge to determine this quickly anyway. I will need a static IP address. A quick reverse DNS on that will tell you that it's a home IP.

    The question is - do I have the knowledge to secure it from someone who would attempt to gain access over the network? The answer to that (conveniently for me) is that I believe that I do.

    It's a bit of a cost / benefit thing though. I'll invest some effort in it, because I value privacy. However I don't have anything worth hiding so that effort will be limited in its scope because I've better things to be doing with my time.
    3) bypass all the security by using a key logger or listen to the keypresses if you control the mic

    You assume that physical access = compromised. It's not beyond possibility to set up a machine in such a way that this is not the case. I linked one earlier.

    Now I remember reading Kevin Poulsen's book and there was an incredibly elaborate method of retrieving his decryption key from RAM used (though it relied on the machine being on). It is safe to say that nobody will be arsed pulling that kind of thing on me and if they do, well sure fair play to them. I'm pretty sure they will be sorely disappointed with what they reap from their investment. :D


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    silentrust wrote: »
    people might assume that the only reason you wouldn't give up your key is because you're hiding something illegal.

    Agreed. I understand why that law is in place, I just don't want to be subject to it. Let's be honest here: Unfortunately for people living under threat of it, no scumbag terrorist is going to hand over their decryption key under any circumstances, so the law seems relatively pointless.


  • Closed Accounts Posts: 678 ✭✭✭silentrust


    Khannie wrote: »
    On not handing over your password / it being an offence - The issue here is whether you have anything illegal worth hiding. It seems ludicrous to me that you can have a quick think about it and decide whether it's worth spending the year in prison for refusing to hand over your password or donkeys in prison for whatever uglies you may have on your hard drive. For a nasty person, it's surely an easy trade off. That seems like a badly designed law to me.



    I'm happy to admit that I intend running a mail server from home. It would be trivial for anyone with any knowledge to determine this quickly anyway. I will need a static IP address. A quick reverse DNS on that will tell you that it's a home IP.

    The question is - do I have the knowledge to secure it from someone who would attempt to gain access over the network? The answer to that (conveniently for me) is that I believe that I do.

    It's a bit of a cost / benefit thing though. I'll invest some effort in it, because I value privacy. However I don't have anything worth hiding so that effort will be limited in its scope because I've better things to be doing with my time.



    You assume that physical access = compromised. It's not beyond possibility to set up a machine in such a way that this is not the case. I linked one earlier.

    Now I remember reading Kevin Poulsen's book and there was an incredibly elaborate method of retrieving his decryption key from RAM used (though it relied on the machine being on). It is safe to say that nobody will be arsed pulling that kind of thing on me and if they do, well sure fair play to them. I'm pretty sure they will be sorely disappointed with what they reap from their investment. :D

    Yes, I've read about the so-called cold boot attack - seems you've about ten minutes after a machine is shut down to retrieve encryption keys from the RAM or of course if the machine is on your job is much easier.

    Home mail server might be a great project for my Raspberry Pi but aren't you worried that it could be seized?

