NSA Fallout Roundup

by $8 blue check mistermix | September 8, 2013 9:57 am | 111 Comments

This post is in: Science & Technology


Here are a few interesting pieces in the wake of the most recent revelations that the NSA may be cracking commonly-used encryption methods:

  • Google is speeding up their effort to encrypt all transmission between their datacenters, and encrypt all data on their servers.
  • Bruce Schneier has a good Q&A (along with James Ball) and a column, both at the Guardian, discussing the practical implications of a possible NSA breakthrough for people who need to keep secrets on their computers. This includes lawyers who need to exchange and store information about their clients.
  • Matt Buchanan at the New Yorker discusses the Guardian / NYT / ProPublica stories and adds some detail from New Yorker reporters.

Here’s a real-world example of how this might change the way people do business. Lawyers apparently use DropBox to store and share case documents. DropBox owns the keys to the encryption that it uses, which means they could at any time be compelled to give the unencrypted data from a law firm’s account to some external authority. There are other services, like SpiderOak, that support “zero knowledge” data encryption, which means that the user holds the keys and the company is unable to decrypt the data. Of course, you need to trust that no back door has been built into their service. If you’re looking for a greater level of security, Schneier has some examples of open-source software that uses algorithms that the NSA probably hasn’t broken, though in the end:

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.


Reader Interactions

111 Comments

  1. 1.

    Botsplainer

    September 8, 2013 at 10:04 am

    Lawyers apparently use DropBox to store and share case documents

    Not this lawyer. No NSA fears, but hacker and business collapse fears a-plenty.

  2. 2.

    Botsplainer

    September 8, 2013 at 10:04 am

    Lawyers apparently use DropBox to store and share case documents

    Not this lawyer. No NSA fears, but hacker and business collapse fears a-plenty.

  3. 3.

    me

    September 8, 2013 at 10:04 am

    The NSA also got permission to store and examine anything it intercepted, domestic or not, without a warrant for up to 6 years.

  4. 4.

    Va Highlander

    September 8, 2013 at 10:06 am

    What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

    Kind of ironic, really. Reading Schneier’s Applied Cryptography some years ago led me to the exact same conclusion. But I guess those bandwagons aren’t going to fill themselves.

  5. 5.

    Xantar

    September 8, 2013 at 10:10 am

    What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

    And you know what? If the police want into my house, they’re in. Period.

  6. 6.

    brendancalling

    September 8, 2013 at 10:13 am

    if I’m reading this right, Canada is recommending “strengthening network sovereignty”. “Canadian originated transmissions that travel to a destination in Canada via a U.S. switching centre or carrier are subject to U.S. law – including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty.”

    Fallows, I believe, warned this would happen. Fewer countries wanting to do business with US tech due to spying and surveillance.

  7. 7.

    Snarki, child of Loki

    September 8, 2013 at 10:17 am

    TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer.

    Which is why you should keep all your secrets on a glitchy old Win-ME system. If it suddenly starts working better, you’ll know the NSA fixed it up so that they could snoop around.

  8. 8.

    mistermix

    September 8, 2013 at 10:18 am

    @Botsplainer:

    No NSA fears, but hacker and business collapse fears a-plenty.

    You don’t understand the latest revelations if you can’t make the connection between them and the possibility of hacker attacks.

  9. 9.

    MomSense

    September 8, 2013 at 10:19 am

    Lawyers apparently use DropBox to store and share case documents.

    Lawyers who operate out of the trunk of their car, maybe. You do not want to hire a lawyer who uses dropbox.

  10. 10.

    Poopyman

    September 8, 2013 at 10:20 am

    @Xantar: The difference being, if the police come in your house you’ll almost certainly know it. Not so much with NSA, or the Chinese Army units, or the Russians, or the Israelis, or ….

    It’s a jungle in there and I’m shocked – SHOCKED – that people are shocked at the idea of government entities vying for ways to defeat security.

  11. 11.

    MikeJ

    September 8, 2013 at 10:20 am

    Lawyers apparently use DropBox to store and share case documents. DropBox owns the keys to the encryption that it uses, which means they could at any time be compelled to give the unencrypted data from a law firm’s account to some external authority.

    And if the feds show up at the lawyers office with a warrant, the lawyer will have to turn over his encryption keys or go to jail. All encryption fails at the point where you care how long you spend in jail.

    Which isn’t to say that lawyers shouldn’t encrypt things. They should. But they aren’t protecting information from people with warrants.

  12. 12.

    kc

    September 8, 2013 at 10:20 am

    @Xantar:

    Er, yeah, with a warrant.

  13. 13.

    Poopyman

    September 8, 2013 at 10:21 am

    @MomSense: Maybe they mean Greenwald.
    (duckin’ and runnin’)

  14. 14.

    Davebo

    September 8, 2013 at 10:23 am

    The Guardian? Seriously?

  15. 15.

    geg6

    September 8, 2013 at 10:25 am

    What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

    Boy, what a genius! I pretty much knew this when I bought my first computer.

  16. 16.

    Keith P

    September 8, 2013 at 10:27 am

    You can also translate your documents into Apache and hope that the NSA doesn’t have any code talkers.

  17. 17.

    Poopyman

    September 8, 2013 at 10:30 am

    @geg6: This is what kills me. Anyone with a very rudimentary understanding of how computers and networks work can understand that there are zillions of access points there for people clever and patient enough to exploit them. That people are honestly shocked by these capabilities just points out how very detached people are from the technology they rely on, and that, IMO, is not a good thing at all.

  18. 18.

    Poopyman

    September 8, 2013 at 10:32 am

    @Keith P: Probably not. That’d be more the FBI’s bailiwick. Not that there isn’t any overlap amongst the NINETEEN different US intelligence agencies, mind you.

  19. 19.

    Botsplainer

    September 8, 2013 at 10:35 am

    @Snarki, child of Loki:

    Which is why you should keep all your secrets on a glitchy old Win-ME system. If it suddenly starts working better, you’ll know the NSA fixed it up so that they could snoop around.

    You mean in between crashes?

  20. 20.

    Botsplainer

    September 8, 2013 at 10:35 am

    @Snarki, child of Loki:

    Which is why you should keep all your secrets on a glitchy old Win-ME system. If it suddenly starts working better, you’ll know the NSA fixed it up so that they could snoop around.

    You mean in between crashes?

  21. 21.

    Poopyman

    September 8, 2013 at 10:44 am

    @Botsplainer: For an extra $9.95 per month, the NSA will keep it from crashing. What a deal!

  22. 22.

    Betty Cracker

    September 8, 2013 at 10:47 am

    @Poopyman:

    That people are honestly shocked by these capabilities just points out how very detached people are from the technology they rely on, and that, IMO, is not a good thing at all.

    I think it’s pretty clear people are shocked by it, and not just a subset of Obama haters who would latch onto anything to criticize the administration. Millions of people work on smartphones and computers every single day without giving much thought to how it works, just as people drive without understanding auto mechanics.

    Probably 15% of this thread will be devoted to pointing out how dumb people who are surprised by this are, and another 15% of the total pixel count will be expended on denouncing the first 15%’s sanguine acceptance of what the second group sees as Big Brotherish intrusion, etc.

    I’m more interested in knowing who has access to the data, the level of vetting required for them to gain access, how well FISA regulates surveillance activities, how well the NSA controls its contractors, etc.

    I’m not personally worried about the NSA cracking my recipe files, but I am worried about the fallout this could have on the economy, the potential for contractor abuse of private data, the possibility that agencies like the NSA are feeding data to agencies like the DEA, etc.

  23. 23.

    mk3872

    September 8, 2013 at 10:48 am

    Ahhhh, the thick, sweet smell of paranoia!

    Because the NSA CAN decrypt encrypted messages does not mean that you should think the NSA gives a single rat’s butt about what is on your computer!

    It is much more likely that the marketing departments of Microsoft and Google care about what you are doing and viewing, not the NSA.

  24. 24.

    cleek

    September 8, 2013 at 10:50 am

    i do like this notion that the NSA a) gives a shit about the actions of everybody on the planet and b) has the resources to pay attention to those actions.

    oh noes, the NSA is looking at my holiday pictures and stealing the source code to my image processing libraries! and they accessed my DVD player and turned on Spanish sub-titles!

  25. 25.

    BrianM

    September 8, 2013 at 10:51 am

    You “I knew that, neener-neener” people don’t understand Schneier. He has always been about there being no such thing as perfect security: the more security you want, the more hassles you have to accept. His current message is that, whoever you are, your current level of hassles has bought you much less security than you could have previously reasonably believed.

    Reading Schneier’s recent stuff has moved me into the “there’s a there there” camp. The man has cred. Whoever picked him to review NSA crypto links knew what they were doing.

  26. 26.

    AnonPhenom

    September 8, 2013 at 10:52 am

    @Xantar:

    “…so fuck y’all & yer silly 4th Amendment ya dirty fuckin’ hippies”

    We’ll put Xantar down as an ‘Empire’ on that whole ‘Democracy or Empire’ thingy.

  27. 27.

    geg6

    September 8, 2013 at 10:53 am

    @Poopyman:

    I’m about as ignorant as one can be as to how today’s technology works, but I always assume that any technology can be insecure. And I also always assume the government can access any information it really wants. In addition, I also know that I am not interesting enough for the government to give a shit about me. Personally, I worry much more about giant corporations gleaning everything they can about me but the Greenwaldians don’t care about that because libertarianism!

  28. 28.

    Poopyman

    September 8, 2013 at 10:53 am

    @mk3872: Microsoft and Google should be (and are) more concerned about the Chinese and Rooskies’ cyber activities than they are about NSA’s, because that has a greater potential for a catastrophic impact.

  29. 29.

    Botsplainer

    September 8, 2013 at 10:53 am

    @Poopyman:

    For an extra $9.95 per month, the NSA will keep it from crashing. What a deal!

    Judging by what I’ve seen of St. Snowjob, these overpaid dudebros are basically the dorks from Geek Squad who got lucky.

  30. 30.

    Ben Franklin

    September 8, 2013 at 10:54 am

    Senate shaky, and the House shows more cracks

    http://www.politico.com/blogs/politico-live/2013/09/mcgovern-withdraw-authorization-request-172039.html

    Oh, sorry. This isn’t the Syria thread.

    Wait. There isn’t any Syria thread. Oh noes.

  31. 31.

    Poopyman

    September 8, 2013 at 10:54 am

    @cleek: … and made it keep flashing “12:00”.

  32. 32.

    Xantar

    September 8, 2013 at 10:55 am

    @kc:

    Er, yeah, with a warrant.

    Exactly. We should insist that the NSA obtain a warrant through an open and transparent process with true oversight powers before they use any encryption backdoors to get anybody’s data. That’s been what this whole issue has been about since the beginning.

    The fact that the NSA has the capability of cracking secure transmissions is analogous to how the police have the capability of breaking doors and knocking down walls in people’s homes. It’s completely beside the point.

  33. 33.

    mk3872

    September 8, 2013 at 10:57 am

    @me: Dude, did you actually READ that? That is a story based on declassified (not stolen) NSA rules that say the NSA can COLLECT the data, then search it using the well-known NSA rules of warrants and reasonable request.

  34. 34.

    Botsplainer

    September 8, 2013 at 10:58 am

    @Xantar:

    Exactly. We should insist that the NSA obtain a warrant through an open and transparent process with true oversight powers before they use any encryption backdoors to get anybody’s data. That’s been what this whole issue has been about since the beginning.

    You understand that the issuance of traditional warrants is done on an ex parte basis, with no opposition or oversight, right?

  35. 35.

    Brandon

    September 8, 2013 at 10:58 am

    I wonder how much of this actually overstates NSA’s capabilities and how much the widespread notion of an omnipotent NSA helps the NSA. When in fact the NSA is likely to be far from omnipotent. Without strong arming US telecom and internet firms into cooperating, what would they have? And yeah sure, you throw enough resources at it and anyone can break encryption or break into any machine. But because resources must be targeted, they obviously cannot break every encryption algorithm or break into every machine. What we are coming close to now with this type of talk is many people and organizations saying “screw it” when that is exactly what helps the NSA. While it is true that the NSA can do a lot, when they put their immense resources to bear on something, they cannot do everything. Judging by the fact that the VSP bed wetting over Snowden has been reduced to a trickle, my sense now is that these “revelations” help the NSA and probably any new revelations are being leaked by the NSA deliberately to overstate their capabilities. It means that they look super competent which helps secure themselves even bigger budgets.

  36. 36.

    Betty Cracker

    September 8, 2013 at 10:59 am

    @geg6: The fact that the government is using giant corporations to handle a lot of its surveillance work is a huge concern. Theoretically, corporations like Snowden’s former employer could mine all kinds of data captured for national security purposes to boost bottom line profits in their other divisions. That might not concern libertarians, but maybe it should concern the rest of us.

  37. 37.

    mk3872

    September 8, 2013 at 10:59 am

    @Xantar: Agreed. FISA rules need to be updated.

  38. 38.

    Poopyman

    September 8, 2013 at 10:59 am

    @Xantar: Exactly. And the fact that there is a process (FISA) in place that is clearly broken is what I have a problem with. The fact that it’s “broken” in a way that’s convenient for the Executive Branch (both sides do it!) is what’s troubling me the most.

  39. 39.

    YellowJournalism

    September 8, 2013 at 11:00 am

    @Poopyman: Reminds me of what happened last night when Hubby tried to explain what The Cloud is to my in-law. First reaction from IL was: “So Apple will be spying on me?!” My response: “You have an iPhone. Consider yourself spied on.”

    Four different times Hubby had to explain it and the way iTunes works. This was not an old man, either.

  40. 40.

    cleek

    September 8, 2013 at 11:01 am

    @Va Highlander:
    indeed.

    from Applied Crypto’s sub-chapter on the NSA, 2nd edition (1996):

    The NSA probably possesses cryptographic expertise many years ahead of the public state of the art (in algorithms, but probably not in protocols) and can undoubtably break many of the systems used in practice.

    same as it ever was.

    it’s almost like that’s the NSA’s job or something.

  41. 41.

    FlipYrWhig

    September 8, 2013 at 11:02 am

    @Betty Cracker:

    Millions of people work on smartphones and computers every single day without giving much thought to how it works, just as people drive without understanding auto mechanics.

    But this is getting to the point where people who don’t understand auto mechanics are afraid that their mechanic is probably sabotaging their car.

  42. 42.

    Poopyman

    September 8, 2013 at 11:03 am

    @Brandon: I wish you’d use “US and foreign intelligence agencies”, because IMO everything you’ve said about NSA you can say in spades about the Chinese.

  43. 43.

    Botsplainer

    September 8, 2013 at 11:03 am

    @Poopyman:

    And the fact that there is a process (FISA) in place that is clearly broken is what I have a problem with

    I’m not seeing broken. I’m seeing thorough.

  44. 44.

    ruemara

    September 8, 2013 at 11:04 am

    Why would I want internet and network security to not be outfoxed by government security? I expect that. It’s why there’s national security in the first place. Jesus, all those times computers need to be cracked by drug dealers or pedos-this is why it happened. If I want things to be secure, I write it down and hand deliver it to the person in question. My secure machine only connects to the internet when I need to bank. I’m not shocked, surprised nor upset about the NSA being able to do what it should be able to do. I only am concerned regarding the lack of FISA stringency and our stupid Congressional critters who are too lazy to do it.

    @cleek: It’s like god but with less prayers answered. Oh, wait.

  45. 45.

    Baud

    September 8, 2013 at 11:05 am

    Some of the other NSA issues are solvable.

    I’m not sure how you tell a spy agency not to engage in code breaking.

  46. 46.

    azlib

    September 8, 2013 at 11:06 am

    My takeaway from the Q and A is we “geeks” tend to focus more on the technical aspects of the issue and ignore the political and social aspects. It becomes very clear to me almost all of our lawmakers here in the US have no clue what the NSA is doing and how dangerous it is to a democracy. As a result we get laws like the Patriot Act which get passed out of ignorance and fear.

    Meanwhile we have an agency which is essentially out of control with little in the way of meaningful oversight.

  47. 47.

    Poopyman

    September 8, 2013 at 11:06 am

    @FlipYrWhig: Yeah well, if you’ve ever dealt with my (former) mechanic you might come to the same conclusion.

    But snark aside and making the analogy dangerously creaky, it’s like people then concluding “all mechanics, bad!”.

  48. 48.

    burnspbesq

    September 8, 2013 at 11:07 am

    @Botsplainer:

    I use Dropbox, but not for anything that’s privileged. That stuff is backed up, encrypted in transit and at rest, to servers in Switzerland and Germany, and the service provider doesn’t have the encryption keys.

  49. 49.

    Perry Como

    September 8, 2013 at 11:09 am

    @Poopyman:

    Including that no-nothing luddite, Bruce Schneier!

  50. 50.

    MomSense

    September 8, 2013 at 11:12 am

    @Botsplainer:

    You understand that the issuance of traditional warrants is done on an ex parte basis, with no opposition or oversight, right?

    Most people do not know how the process works at all so the NSA stories are serving as the introduction.

  51. 51.

    Betty Cracker

    September 8, 2013 at 11:14 am

    @FlipYrWhig: Or it’s like finding out a government agency can override your car’s steering, brakes and gas pedal remotely. Of course, the cops can pull you over, T-bone you at an intersection or tow your car away at any moment using conventional means, so why worry?

    Dumb analogy. But my point was, people don’t necessarily understand or think through the implications of using technology, and yet rely on it utterly. I think it’s counterproductive to insist that anyone who is alarmed by this is stupid, particularly when leading technology experts are also saying there are concerning elements here.

  52. 52.

    different-church-lady

    September 8, 2013 at 11:14 am

    @FlipYrWhig:

    But this is getting to the point where people who don’t understand auto mechanics are afraid that their mechanic is probably sabotaging their car.

    I wonder if people with OnStar ever sit there and think, “OMG, MY CAR IS SPYING ON ME!”

  53. 53.

    Perry Como

    September 8, 2013 at 11:15 am

    @Betty Cracker:

    Apparently Comrade Greenwald is dropping something tonight about the NSA using data to benefit US corporations.

  54. 54.

    burnspbesq

    September 8, 2013 at 11:15 am

    @Xantar:

    We should insist that the NSA obtain a warrant through an open and transparent process with true oversight powers

    So you want to hold NSA to a higher standard than the FBI or your local cops? That’s fine, but you need to explain why.

    From the beginning of time, and for reasons which are both obvious and sound, warrants have always been issued ex parte. The sanction for lying on a warrant application is that everything you get as a result of the tainted warrant is excluded from evidence. Now, you can argue that suppression of evidence isn’t a meaningful sanction in the case of the NSA, which by and large isn’t trying to gather evidence for use in prosecutions, but then you’d better have an idea about a sanction that will work.

  55. 55.

    different-church-lady

    September 8, 2013 at 11:18 am

    @Perry Como: Does the 24 hour clock start when he drops the teaser, or when he posts the article itself?

  56. 56.

    Poopyman

    September 8, 2013 at 11:19 am

    @Perry Como: Meaning what? He should be one of the least surprised by all of this.

  57. 57.

    mericafukyea

    September 8, 2013 at 11:20 am

    Figured it would be muckymux to be the first ball juicer to post about the latest security porn shiny object. Clearly he does not understand basic math or even the first damn thing about encryption.

    You cannot put a “backdoor” on encryption. If you could then it’s not inherently an ‘encryption’ system. Just so much fail in whoever the clown is that invented this “backdoor” story. Get your facts straight if you are going to post about this or be like every single fuking other idiot posting about this latest outrage porn that pretty much has it ALL wrong. Yes even the NYT. All signs of a failed public education system teaching basic math skills.

  58. 58.

    Botsplainer

    September 8, 2013 at 11:21 am

    @Perry Como:

    Apparently Comrade Greenwald is dropping something tonight about the NSA using data to benefit US corporations.

    They have email connections to the NSA complex, and analysts could send out docs if they wanted to.

    Remember, in Griftwald’s mind, capability is the same as doing.

  59. 59.

    piratedan

    September 8, 2013 at 11:22 am

    @Betty Cracker: that’s that “private sector does everything better” meme coming back to haunt us. As for the cluelessness that people have about computer capabilities, how technology works you have to look no further than the failbook section of ICHC. These are the people suddenly outraged that their secrets might get out, right after they’ve posted an entry detailing the illegal activity that they’ve performed to their page.

  60. 60.

    Poopyman

    September 8, 2013 at 11:23 am

    @mericafukyea: You’re an idiot.

  61. 61.

    Botsplainer

    September 8, 2013 at 11:24 am

    @different-church-lady:

    Does the 24 hour clock start when he drops the teaser, or when he posts the article itself?

    I start mine on each teaser, because he usually says “tomorrow”. It usually takes about two minutes for me to debunk his latest claim with a perfunctory search.

  62. 62.

    burnspbesq

    September 8, 2013 at 11:28 am

    @Poopyman:

    You’re an idiot.

    I would have gone with “Well, if you’re so fucking smart, why don’t you explain to all of us morans,” but yours works just as well.

  63. 63.

    Ben Franklin

    September 8, 2013 at 11:29 am

    @Poopyman:

    But ‘ball juicer’ was inspiring

  64. 64.

    Felonius Monk

    September 8, 2013 at 11:32 am

    It is not just NSA that you should be worried about — actually they are probably the least of our worries. Consider this:

    InphoMatch contracts to cellular telephone companies to handle their SMS (Simple Messaging System) messages (text messages sent via cellular phones). … when someone sends a text message, the following is recorded: message content, the sender’s cell number, the recipient’s cell number, and the time and date of the message. Federal law mandates that all ‘billable information’ (pretty broad term) be maintained for ten or fifteen years.

  65. 65.

    Poopyman

    September 8, 2013 at 11:33 am

    @Ben Franklin: Don’t they sell those at Williams-Sonoma?

  66. 66.

    cleek

    September 8, 2013 at 11:34 am

    @mericafukyea:

    You cannot put a “backdoor” on encryption. If you could then it’s not inherently an ‘encryption’ system.

    of course you can. for example, “Clipper”.

    you had to give the NSA a copy of your key in order to use it. of course nobody wanted to do that, so it went nowhere. but the system, as designed, had a backdoor.

  67. 67.

    Snarki, child of Loki

    September 8, 2013 at 11:36 am

    @FlipYrWhig:

    But this is getting to the point where people who don’t understand auto mechanics are afraid that their mechanic is probably sabotaging their car.

    Well, there was The Case of the Missing Lugnuts, but I just put that down to sloppiness.

  68. 68.

    FlipYrWhig

    September 8, 2013 at 11:40 am

    @Betty Cracker: I’m still hung up on the dissolution of the distinction between “they could theoretically do something to someone” and “they are materially doing something to all of us right now.” Municipal water treatment plants could poison people, and people have been sickened by incidents in the past, and few of us know the technical specs on water treatment, but no one dreads turning on the faucet — well, except within the Marcellus Shale area, I suppose. Nor do they dread Government Water.

    There are reasons to be vigilant and skeptical, but I feel like people are dreading slippery slopes and hypotheticals out of all proportion to their likelihood.

  69. 69.

    Snarki, child of Loki

    September 8, 2013 at 11:42 am

    @burnspbesq:

    Now, you can argue that suppression of evidence isn’t a meaningful sanction in the case of the NSA, which by and large isn’t trying to gather evidence for use in prosecutions, but then you’d better have an idea about a sanction that will work.

    Drone strikes?

  70. 70.

    Perry Como

    September 8, 2013 at 11:46 am

    @Poopyman:

    Meaning I don’t understand all of the “nothingburger” calls when one of the most respected cryptographers out there says he’s surprised by these revelations. It’s surprising that the NSA would be so stupid as to cripple algorithms and backdoor hardware and software when those tricks can also benefit the Russians and Chinese. Stuff like that makes everyone less secure.

  71. 71.

    a hip hop artist from Idaho (fka Bella Q)

    September 8, 2013 at 11:47 am

    @MomSense: QFT. That’s like a lawyer who has a billboard, only worse.

  72. 72.

    Tripod

    September 8, 2013 at 11:49 am

    Don’t blame me. I keep my passwords under my keyboard rather than taped to my monitor like my dopey co-workers.

  73. 73.

    cleek

    September 8, 2013 at 11:50 am

    @Perry Como:

    Stuff like that makes everyone less secure.

    true, but the Chinese do the same thing.

    and i’m sure Russia would, too, if they had a tech industry worth tampering with.

  74. 74.

    different-church-lady

    September 8, 2013 at 11:50 am

    @a hip hop artist from Idaho (fka Bella Q): Point of order: if one is going to “QFT” somebody, one must actually quote that person.

  75. 75.

    different-church-lady

    September 8, 2013 at 11:52 am

    @Tripod:

    I keep my passwords under my keyboard written on a scrap of paper I carry through Heathrow rather than taped to my monitor like my dopey co-workers.

  76. 76.

    Poopyman

    September 8, 2013 at 11:55 am

    @Perry Como: I read his Guardian article and rather thought his slipping into passive voice at times was telling. I don’t think he’s surprised by anything that he’s read. If he is, it’s only because he hasn’t made the assumption that everything that stands in the way of gaining access will be defeated sooner or later by just about every government that puts forth the cyber effort to do so. And I would assume that the Russians, Chinese, Americans, Israelis, etc, etc can and have attacked enough of the same systems that they can find each others’ exploits and recognize whence they came. Like I said up above, it’s a jungle out there, and there are cat and mouse games going on over the networks every day. Think of all of the targets available, from public infrastructure to corporate secrets. I’d bet the Chinese are as eager to get Google’s technical secrets as they are the US nuclear codes.

  77. 77.

    Jim, Foolish Literalist

    September 8, 2013 at 11:55 am

    @MomSense: Lawyers who operate out of the trunk of their car, maybe. You do not want to hire a lawyer who uses dropbox.

    Better call Saul.

  78. 78.

    Davis X. Machina

    September 8, 2013 at 11:56 am

    @Baud:

    I’m not sure how you tell a spy agency not to engage in code breaking.

    It’s been done. The expertise just moved into the private sector, and leaked for cash — cryptographers have to eat and pay the mortgage, too — and the government capability was re-created for the next international crisis.

  79. 79.

    Poopyman

    September 8, 2013 at 11:56 am

    @different-church-lady: Hey, at least it wasn’t read off his disk drive by some cyber code.

  80. 80.

    Keith P

    September 8, 2013 at 11:57 am

    @Brandon: Slashdot posted an article claiming that the NSA can already crack standard Diffie-Hellman at 1024 bits and that they’ve had reps and surrogates both on crypto committees sabotaging efforts to strengthen encryption methods by slowing down the process and pushing weaker algorithms.

  81. 81.

    a hip hop artist from Idaho (fka Bella Q)

    September 8, 2013 at 11:57 am

    @different-church-lady: Busted. And I acknowledge that there are legitimate uses of dropbox for legal work. But my confidence in most attorneys’ capacity to distinguish between dumb and appropriate uses of technology is slight.

  82. 82.

    Poopyman

    September 8, 2013 at 11:58 am

    @Davis X. Machina: Mortgage? I thought they all lived in their mother’s basement.

  83. 83.

    Omnes Omnibus

    September 8, 2013 at 12:05 pm

    @a hip hop artist from Idaho (fka Bella Q): Also, I haven’t seen anything that indicates that using dropbox waives privilege. That would be the biggest concern most attorneys would have. FWIW, I have not used dropbox in my legal work.

  84. 84.

    Davis X. Machina

    September 8, 2013 at 12:12 pm

    @Omnes Omnibus: Thought experiment re security and attorney-client privilege.

    If you performed strong, symmetrical-key encryption yourself on a file before putting the document up on Dropbox, Dropbox would be in a position where they could be forced to surrender via NSL, e.g. but only be able to turn over gibberish.

    That kind of container isn’t readily openable — isn’t openable at all in practicable terms, right now, as per Schneier.

    Any coercion that could be applied to you in this situation could be applied to any documents physically retained by you — i.e. under the status quo.

  85. 85.

    Tripod

    September 8, 2013 at 12:12 pm

    @Poopyman:

    I’m sure it was all some sort of Skyfall-ish honey pot to penetrate MI6.

  86. 86.

    Ted & Hellen

    September 8, 2013 at 12:19 pm

    These NSA threads would be 2/3 shorter without all the authoritarian Bots talking about how there’s nothing to talk about here and then talking about it and telling other people who talk about it to STFU because they really don’t want to talk about it even though they’re talking about it.

  87. 87.

    Botsplainer

    September 8, 2013 at 12:20 pm

    @Davis X. Machina:

    Ah, the old ethics question about waivers of privilege.

    I always used three simple rules – no sex with clients, no working against clients and no dumping their info public.

  88. 88.

    burnspbesq

    September 8, 2013 at 12:25 pm

    @Omnes Omnibus:

    The theory is that if you’re using Dropbox, which is notoriously insecure, you’re not taking reasonable steps to preserve the confidentiality of privileged communications. I’m not aware of any case in any jurisdiction where the issue has been litigated.

    And knowing how few lawyers actually live by clean-desk and locked-file-cabinet policies when they know that the cleaning service and God knows who else are going to be in their offices every night, this whole conversation has an air of unreality to it.

  89. 89.

    J R in WV

    September 8, 2013 at 12:26 pm

    I have a degree in computer science, and bought my first computer in 1984. My first job using a computer was in 1973, and the programs were on mylar tape. I actually keyed in program instructions in octal and hex back then. One step advanced from punch cards.

    I worked a whole career – and I do NOT do bank functions on the internet, ever. I use a credit card with no connection to any bank accounts to buy stuff on the innertubes. They have called me to verify transactions for amounts under $3.

    I remember learning about disk drive security when surplusing old computers – wiping disk drives is not the same thing as deleting the files, which only removed the indexes pointing to that data, the data remains on the drive more-or-less forever, especially if you delete everything, and then turn off the machine to load it into the disposal vehicle.

    The DOD file delete function removes indexes to files, and then writes dummy data over the indexes AND the files. And the NSA can still read that drive platter, although it depends upon how many times the files were overwritten.

    They (back then, I dunno about nowadays) used electron microscopes to identify 1s and 0s, so it could be labor intensive, and would probably only come into play if you were Dr. Wen Ho [probably not the exact name, I don’t recall for sure and don’t care enough to look it up, you can if you care] of Los Alamos weapons labs, who was found to be not guilty and got a huge settlement. But the whole story revolved around missing hard drives at a high-security facility.

    I dispose of hard drives with a pistol and a bucket of bleach – then they go to a landfill in a bag of corrosive slop. I think those are rendered harmless. Mostly this is because it is fun to shoot high tech hardware with a weapon, and security is a good excuse.

    And don’t do banking over the internet, the Bulgarians balance their budget on that money… I kid, but only a tiny bit…

    Also, too, there was a program, famous for a little while, called Echelon, which involved all the English-speaking countries intercepting all the electronic communications in the world… and sharing it. Back in the late 90s maybe. Look it up, there’s nothing new in Snowden’s data. Nothing.

  90. 90.

    Omnes Omnibus

    September 8, 2013 at 12:30 pm

    @burnspbesq: Yeah, I understand the theory and I’ve never used dropbox for anything privileged.

    And knowing how few lawyers actually live by clean-desk and locked-file-cabinet policies when they know that the cleaning service and God knows who else are going to be in their offices every night, this whole conversation has an air of unreality to it.

    That is really the thing, isn’t it?

    ETA: All of this is purely on the privilege side of the question. If one has confidential data, corporate or otherwise, that someone might want to get his sticky little hands on, it is a different matter.

  91. 91.

    a hip hop artist from Idaho (fka Bella Q)

    September 8, 2013 at 12:33 pm

    @Omnes Omnibus: Yup, that really is the thing. Burnsie put it succinctly:

    this whole conversation has an air of unreality to it.

  92. 92.

    Corner Stone

    September 8, 2013 at 12:50 pm

    @Betty Cracker:

    Probably 15% of this thread will be devoted to pointing out how dumb people who are surprised by this are

    Eternal vigilance!

  93. 93.

    Corner Stone

    September 8, 2013 at 12:51 pm

    If you’re an attorney and you have clients that allow you to use Dropbox then you must be doing nothing but pro bono work.

  94. 94.

    Corner Stone

    September 8, 2013 at 12:54 pm

    @Omnes Omnibus:

    All of this is purely on the privilege side of the question.

    On the privilege side I guess my question is, “If it’s ruled you have no expectation of privacy using a third party’s phone network, then how could you have an expectation of privacy contracting for storage with a third party?”

  95. 95.

    Corner Stone

    September 8, 2013 at 12:57 pm

    @brendancalling:

    Fallows, I believe, warned this would happen. Fewer countries wanting to do business with US tech due to spying and surveillance.

    Why didn’t all those countries already know this was happening? Everyone here did!
    Maybe the PM’s of those countries should slot a little BJ into their daily NatSec briefings.

  96. 96.

    Omnes Omnibus

    September 8, 2013 at 12:58 pm

    @Corner Stone: Offsite data storage isn’t the problem in and of itself. A lawyer or law firm can store boxes of files in a facility owned by someone else. It just needs to be reasonably secure. There is a minor industry in the secure storage of physical documents for other parties.

    @Corner Stone:

    Why didn’t all those countries already know this was happening?

    My guess is that those countries with functioning intelligence services did know.

  97. 97.

    Corner Stone

    September 8, 2013 at 1:05 pm

    @Omnes Omnibus:

    A lawyer or law firm can store boxes of files in a facility owned by someone else. It just needs to be reasonably secure. There is a minor industry in the secure storage of physical documents for other parties.

    I am familiar with this, thanks.

  98. 98.

    Mary

    September 8, 2013 at 1:16 pm

    @burnspbesq: maybe the sanction should be transparency, as in the target is notified???

    Also…this notion that any law enforcement agency is not interested in little ‘ol, boring me is wrong, I think. My analogy to illustrate this would be to think of a cop walking down a dimly lit alley, in a bad neighborhood, in the dead of night. She trusts no one and every innocent, hoodie-clad person with a bag of skittles can be mistakenly identified as a threat.

    The most innocent of actions can be deemed menacing. Law enforcement, by their very nature, are suspicious, sometimes to the point of paranoia… especially when looking for an ever expanding classification of “potential terrorists”. I’m surprised there’s been no comparison to the lesson we can learn from Stasi Germany. The government doesn’t know who it can trust, so it trusts no one. And will use whatever source it can to ‘vet’ citizens.

    I foresee more intrusive programs similar to the “Inside Threat” program at DHS being legalized within our workplaces with our employers routinely reporting to the FBI and local law enforcement.

  99. 99.

    Betty Cracker

    September 8, 2013 at 1:17 pm

    @FlipYrWhig: I don’t disagree — there’s definitely unwarranted paranoia. On the other hand, some people are dismissing the concerns of respected security experts out of hand too. Confirmation bias? Could be.

  100. 100.

    Mart

    September 8, 2013 at 1:30 pm

    Thinking of dusting off the electric typewriter. They still make ink belts?

  101. 101.

    different-church-lady

    September 8, 2013 at 2:22 pm

    @Mart: I have two really sophisticated ones from the mid-80s I could sell you — fresh ribbons and correction tape, spell checking, a couple of memory cards… oh, wait…

  102. 102.

    fuckwit

    September 8, 2013 at 2:29 pm

    @MikeJ:

    All encryption fails at the point where you care how long you spend in jail.

    That’s really it. I do believe that none other than Julian Assange himself, in one of the only examples of software he’s written that I can think of, created a steganography program called “Rubber Hose” that hid secure data among garbage data, so that you could plausibly deny you had any keys to give up at all.

    More to the point, though less an issue here than in other countries, all encryption fails also at the point where you care how many beatings and how much abuse you take, or your family takes.

    And, even more to the point, all encryption fails at the point where you get social-engineered into making a slip-up that outs you.

    Also, yeah, it also fails if someone installs a Trojan or otherwise hacks your computer, it doesn’t matter what encryption you have, they install a keylogger on your box and you’re fucked. This has been done (with warrants, and publicly documented) on several occasions in FBI investigations of the mafia and drug gangs. Use PGP all you like, but if there’s a keylogger on your box, you will be hacked.

    I’m thrilled that so many non-geeks are getting smart about encryption in particular and computer security in general. I think that’s the best thing to come out of these Snowden/Greenwald leaks: more people reading and understanding Schneier.

    After reading Schneier’s book, which I still have a copy of, I came to the conclusion the only way to keep a computer secure is to not ever plug it in, or connect it to the internet, or install anything on it. Beyond that, it’s all deciding acceptable risk for what you’re doing and who you are protecting against and what their capabilities and resources are.

    Against the NSA targeting you? Forget it, they’ll get whatever they want. At this point I’m more interested in protecting myself against skript kiddiez, Russian mafia fraudster haxx0rs. I’m only minimally doing what I can to deter casual bulk data-gathering by Comcast/T-Mobile/AT&T/Google/Yahoo/Facebook/Apple/MSFT and the NSA, but I try my best.

  103. 103.

    Tripod

    September 8, 2013 at 2:32 pm

    @Omnes Omnibus:

    Fucking Canadian freeloaders have been leveraging cross border infrastructure since like forever:

    February 14, 1916 – Montreal is connected with Vancouver by telephone for the first time. The connection is made through a circuit of 6,763 kilometres from Buffalo, Chicago, Omaha, Salt Lake City, and Portland in the United States.

    The NANP is all up in mah freedumz!

  104. 104.

    cleek

    September 8, 2013 at 2:43 pm

    @fuckwit:

    secure data among garbage data, so that you could plausibly deny you had any keys to give up at all.

    the problem with this is that nobody keeps “garbage data”. if law enforcement sees a big chunk of what looks like garbage in a file, they’re going to assume it’s encrypted (because encrypted data looks exactly like garbage data, deliberately).
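    The observation in the comment above, that encrypted data looks like random bytes and therefore stands out, can be measured with a sliding-window entropy scan. This is an added example, not part of any comment in the thread; the function names, window size, threshold and sample data are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = 1024, threshold: float = 7.5):
    """Return merged (start, end) byte ranges whose windows meet the threshold."""
    regions = []
    for start in range(0, len(blob), window):
        chunk = blob[start:start + window]
        if len(chunk) < window // 2:
            continue  # a short tail gives an unreliable estimate
        if shannon_entropy(chunk) >= threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend the previous region
            else:
                regions.append((start, end))
    return regions


def pseudo_ciphertext(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 output in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample: ordinary text, a block of random-looking bytes, more text.
TEXT = (b"Meeting notes: quarterly budget review, action items follow.\n" * 100)[:4096]
SAMPLE = TEXT + pseudo_ciphertext(4096) + TEXT

if __name__ == "__main__":
    print("text entropy:   %.2f bits/byte" % shannon_entropy(TEXT))
    print("random entropy: %.2f bits/byte" % shannon_entropy(pseudo_ciphertext(4096)))
    print("flagged ranges:", high_entropy_regions(SAMPLE))
```

    Compressed formats (ZIP, JPEG, video) score nearly as high as ciphertext, so a flagged range is a reason to look closer, not proof of encryption.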

  105. 105.

    pseudonymous in nc

    September 8, 2013 at 2:44 pm

    Alex Payne rolled out a thing called Sovereign, which is a way to build a personal cloud storage and email server starting with a vanilla VPS install. As he says, it’s not going to resist a direct assault from the NSA, but it’s a means of reasserting sovereignty over your own data.

    I have friends at EFF and they think the tech for roll-your-own “local clouds” is still a year or two away from being within, let’s say, comfortable reach of a small company IT person. But the consolidation of data (and more importantly, identifiable online presence) on half a dozen large online services deserves a bit more pushback.

  106. 106.

    pseudonymous in nc

    September 8, 2013 at 3:10 pm

    @mericafukyea:

    You cannot put a “backdoor” on encryption. If you could then it’s not inherently an ‘encryption’ system.

    Oh, go back to fapping at Hacker News, spectrum case. You can compromise the PRNG; you can compromise root certs; you can compromise private keys.

  107. 107.

    Avery Greynold

    September 8, 2013 at 3:21 pm

    Everyone who thinks the NSA has no effect on you: Someday, you and others may oppose the powers-that-be. Your opposition will need leaders (yes, not you). If those in power have perfect knowledge of their opposition and plans, your leaders will be made ineffective. That means you have lost your ability to achieve change.
    Examples: J. Edgar Hoover and Martin Luther King, Nixon and just about everyone. These were failures to control the opposition. Successes remain secret forever.

  108. 108.

    cleek

    September 8, 2013 at 3:44 pm

    @Avery Greynold:
    we’ll just wear Guy Fawkes masks. problem solved.

  109. 109.

    burnspbesq

    September 8, 2013 at 5:32 pm

    @cleek:

    You can make it hard for them by using steganography to hide the real data inside a huge cache of pr0n.

    And yes, that pun was intended.

  110. 110.

    Perry Como

    September 8, 2013 at 5:36 pm

    U.S. government spied on Brazil’s Petrobras oil firm: Globo TV. ‘Cause turrism.

  111. 111.

    mericafukyea

    September 8, 2013 at 9:10 pm

    @pseudonymous in nc: lol…just wow. You have absolutely no clue. You fit right in around here.

Comments are closed.
