[sudo-discuss] Sudden public interest in basic crypto/security tools.

Tue Jun 11 07:54:46 PDT 2013

G,

Have you heard of cjdns? Do you have any thoughts on it? The ideal goal is
to replace the Internet (current) with a new one. ProjectMeshnet.org

Alcides Gutierrez
http://e64.us
On Jun 11, 2013 7:41 AM, "Andrew" <andrew at roshambomedia.com> wrote:

> maybe sudoroom should run an email server that encrypts messages on the
> disk as well offers end to end encryption over the air.
>
>
> On Tue, Jun 11, 2013 at 4:07 AM, GtwoG PublicOhOne <g2g-public01 at att.net>wrote:
>
>>
>> Hi Max, YOs-
>>
>> Speaking from more than casual knowledge of the subject matter, as a few
>> of us here know:
>>
>>
>> 1) If you read the denials issued by Google and Facebook, you'll
>> discover that they used almost identical language. And while it's true
>> that corporate PR-speak and legal-speak are usually as bland as baked
>> beans, this stuff reminds one of the story where Mrs. Jones and Mrs.
>> Smith each had a baby that bears more than a slight resemblance to the
>> guy who delivers both of their newspapers:
>>
>> Google: "First, we have not joined any program that would give the U.S.
>> government—or any other government—direct access to our servers."
>>
>> Facebook: "Facebook is not and has never been part of any program to
>> give the US or any other government direct access to our servers."
>>
>> Google: "We had not heard of a program called PRISM until yesterday."
>>
>> Facebook: "We hadn't even heard of PRISM before yesterday."
>>
>> Google: "Our legal team reviews each and every request..."
>>
>> Facebook: "When governments ask Facebook for data, we review each
>> request carefully..."
>>
>>
>> 2) Of course they didn't "join" a program or become "part of" a program.
>> NSA isn't a "club" that you can just "join." What Facebook and Google
>> did was become ASSETS of a program.
>>
>> That is a very subtle but important distinction. If you were to ask
>> their lawyers if they "had become assets or had acted in any capacity as
>> assets of any entity within the United States Intelligence Community
>> (USIC)," they would clam up right quick. One needs to know how to ask
>> the question in order to get at the answer.
>>
>> Also, it is the case that the assets of a program or operation rarely if
>> ever know the name of the program or operation involved. Knowing the
>> name of the program or op would give the assets the ability to compare
>> notes and possibly compromise the program or op. Very often, even the
>> names of programs or ops are themselves classified.
>>
>> By the way, some of y'all may have heard my comments about Steve Jobs'
>> application for a security clearance, shortly after Jobs died and his
>> bio was published. The media were preoccupied with the usual celebrity
>> gossip about how he could have gotten a clearance when he'd admitted to
>> taking LSD and building blue boxes (naughty phone-phreak devices). But
>> the real story, as I said at the time, was that the purpose of the
>> clearance was to facilitate relationships with certain agencies
>> regarding surveillance opportunities in the Macintosh operating systems
>> and other products. It is almost 100% certain that Microsoft and certain
>> of the commercial companies involved in Open Source operating systems,
>> had similar relationships. ("Intel Inside", anyone?;-)
>>
>> One more item. Watch for the names Cisco, Comcast, and Symantec, in the
>> news.
>>
>> Aww hell, one more after that. Twitter claims to have refused to
>> participate in PRISM. That's very convenient for them to say, because
>> Twitter itself is a complete intel collection platform with fully open
>> access, and a variety of software tools for analysis. Twitter is the
>> easiest of the bunch to intercept and fully exploit. You too can play at
>> that game (just a little but enough to get the flavor of it), if you
>> want to pay for the software.
>>
>>
>> 3) Yes, NSA can monitor traffic without a carrier or service provider
>> knowing it. This is done by intercepting the traffic at the carrier
>> level. By analogy, if I want to tap your broadband service, I don't have
>> to break into your house to do it: I can do it from any point between
>> your house and the service provider's central office.
>>
>>
>> 4) Telcos and broadband providers are required to have CALEA intercept
>> equipment (such as the infamous Naris box of EFF fame) installed in
>> their racks. This equipment enables authorized entities to siphon the
>> data streams in realtime, either in whole or in part depending on
>> various assigned levels of privilege.
>>
>> If everything that's on a server has gotten there via a connection that
>> is being intercepted constantly in real-time, there's no need to get
>> inside the server itself.
>>
>>
>> 5) NSA and real-time decryption: There is reason to believe, based on
>> published accounts, that certain types of decryption are routine and
>> automated. I also know from unpublished but not classified sources, that
>> there are automated tests that examine ciphertext to determine
>> specifically which encryption method and key length were used to encrypt
>> the data. I would conclude that automated decryption exceeds the
>> capabilities that have been reported in the press.
>>
>> Further, I would strongly suggest that we compile versions of PGP and
>> GPG from source code, and modify them to eliminate the upper limit on
>> key sizes. I can explain further how to perform that modification of the
>> source code, once we have it downloaded. It's remarkably easy.
>>
>>
>> 6) Compromise of private keys: Given the number of methods available,
>> and given the track records of the various entities involved, I would
>> not be surprised.
>>
>> "Mary had a private key, with which to open PGP.
>> The key fell into hostile hands. Now Mary's hiding, with her lambs."
>>
>>
>> 7) Did Google and Facebook lie?
>>
>> Do bears shit in the woods?
>>
>>
>> 8) A modest prediction, and y'all can file this under "he wasn't crazy
>> after all."
>>
>> I've been saying this stuff for a while now, but recent news makes it
>> more, uhh, "topical":
>>
>> The entire advertising-based model of internet services, with its
>> reliance on "free" services "supported" by advertising that "requires"
>> pervasive tracking of every user's every activities and whereabouts,
>> will be demonstrated to have been an enormous cover story of
>> convenience, for a degree of mass surveillance that far exceeds anything
>> has been reported thus far.
>>
>> The goal is to have 100% collection of all communications and location
>> data, online and face-to-face, every conversation as well as metadata,
>> to be permanently archived for retrieval and analysis at any later point
>> in time. (This has not yet been achieved, but they're working on it.)
>> The goal of that, in turn, is to enable making accurate predictions
>> about the activities and location of any person, at any point in the
>> future. What gets done with those accurate predictions is a matter of
>> discretionary policy by those who control the data.
>>
>> Orwell: "He who controls the past controls the future. He who controls
>> the future controls the present." Me: "Knowledge is power. When they
>> know all about you, and you know nothing about them, who has the power?"
>>
>>
>> 9) Lastly, Max, you might especially appreciate this bit of history:
>>
>> In the 1970s, GCHQ was engaged in targeted surveillance of various
>> dissident groups in the UK. But since GPO Telephones' switching systems
>> were entirely electro-mechanical (Strowger switches), GCHQ had to depend
>> on the GPO engineers to execute every request by making physical
>> connections to the lines at the Central Offices.
>>
>> The GPO engineers' sympathies were often with the dissidents. So,
>> shortly after the GCHQ officers left, the GPO engineers would quietly go
>> about undoing the unwanted connections or otherwise rendering them
>> useless. Such are the advantages of electro-mechanical analog switching
>> systems, maintained by skilled workers, with a strong union, and strong
>> class consciousness.
>>
>>
>> Cheers-
>>
>> -G.
>>
>> "You search Google, and Google searches you. Deal?"
>>
>>
>> ======
>>
>>
>>
>> On 13-06-10-Mon 11:46 PM, Max B wrote:
>> > I have a quick question to throw out for anyone with opinions:
>> >
>> > When the NSA PRISM program was exposed, it was leaked that the NSA has
>> > the capabilities to monitor the content of communications taking place
>> > through any of the list of companies they mentioned. Then Google,
>> > Apple, and crew came out and denied it.
>> >
>> > Would it be possible for the NSA to be monitoring traffic without them
>> > knowing it/allowing a backdoor? Would that require NSA servers doing
>> > 128-bit SSL decryption at real-time speeds? Or perhaps only when
>> > specific emails needed to be read? Could they have covertly
>> > compromised the private keys of all of these establishments? ("US
>> > Government hacked google" seems like a great Guardian headline)
>> >
>> > Or do folks think that those companies are just lying through their
>> > teeth?
>> >
>> > On Mon 10 Jun 2013 10:43:42 PM PDT, Rabbit wrote:
>> >> Yes, let's have a end-user focused crypto workshop!
>> >>
>> >> I'm not an expert but I can help OS X users get set up with
>> >>
>> >> Tor
>> >> Adium + OTR
>> >> Making encrypted disk images
>> >> Truecrypt
>> >>
>> >> And I wanna learn about web of trust, keysigning, gpg for email
>> >>
>> >> Also I'm really wishing for a better social network for people to
>> >> switch to. Any thoughts on that?
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Mon, Jun 10, 2013 at 7:55 PM, GtwoG PublicOhOne
>> >> <g2g-public01 at att.net <mailto:g2g-public01 at att.net>> wrote:
>> >>
>> >>
>> >> YES! a crypto party.
>> >>
>> >> PGP and GPG won't protect your metadata from traffic analysis ("TA"),
>> >> which is what's been revealed that Anagram Inn has been up to. But
>> >> protecting your content is a good start, and building email
>> >> servers that
>> >> are end-to-end encrypted is the next step.
>> >>
>> >> -G.
>> >>
>> >>
>> >> =====
>> >>
>> >>
>> >>
>> >> On 13-06-10-Mon 7:13 PM, William Budington wrote:
>> >> > There was some discussion about this at the last meeting, mostly
>> >> around
>> >> > securing personal data on physical devices, but it would be good
>> >> to have
>> >> > another end-user based cryptoparty, even have it be a full-day event
>> >> > stemming from Today I Learned. I'll bring this up at the meeting on
>> >> > Wednesday.
>> >> >
>> >> > Bill
>> >> >
>> >> > On 06/10/2013 07:02 PM, William Gillis wrote:
>> >> >> Hey Sudoroomers,
>> >> >>
>> >> >> I've been deluged by friends this weekend suddenly interested
>> >> in things
>> >> >> like finally figuring out how to install that there tor, or god
>> >> forbid
>> >> >> venturing into the realm of pgp. I offered my nonstop 1:1
>> >> handholding
>> >> >> services over facebook to any and all friends and have been a
>> >> little
>> >> >> overwhelmed by the number.
>> >> >>
>> >> >> Someone local suggested a teach day at Sudoroom and I thought
>> >> I'd check to
>> >> >> see if anyone else is interested and, you know, what actual
>> >> members have to
>> >> >> say.
>> >> >>
>> >> >> There has never been a more opportune moment for cryptoparty
>> >> outreach, and
>> >> >> yet I haven't seen anyone declare anything yet. Am I just out
>> >> of the loop?
>> >> >>
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> sudo-discuss mailing list
>> >> >> sudo-discuss at lists.sudoroom.org
>> >> <mailto:sudo-discuss at lists.sudoroom.org>
>> >> >> http://lists.sudoroom.org/listinfo/sudo-discuss
>> >> >>
>> >> > _______________________________________________
>> >> > sudo-discuss mailing list
>> >> > sudo-discuss at lists.sudoroom.org
>> >> <mailto:sudo-discuss at lists.sudoroom.org>
>> >> > http://lists.sudoroom.org/listinfo/sudo-discuss
>> >> >
>> >>
>> >> _______________________________________________
>> >> sudo-discuss mailing list
>> >> sudo-discuss at lists.sudoroom.org
>> >> <mailto:sudo-discuss at lists.sudoroom.org>
>> >> http://lists.sudoroom.org/listinfo/sudo-discuss
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> sudo-discuss mailing list
>> >> sudo-discuss at lists.sudoroom.org
>> >> http://lists.sudoroom.org/listinfo/sudo-discuss
>> > _______________________________________________
>> > sudo-discuss mailing list
>> > sudo-discuss at lists.sudoroom.org
>> > http://lists.sudoroom.org/listinfo/sudo-discuss
>> >
>>
>> _______________________________________________
>> sudo-discuss mailing list
>> sudo-discuss at lists.sudoroom.org
>> http://lists.sudoroom.org/listinfo/sudo-discuss
>>
>
>
>
> --
> -------
> Andrew Lowe
> Cell: 831-332-2507
> http://roshambomedia.com
>
>
> _______________________________________________
> sudo-discuss mailing list
> sudo-discuss at lists.sudoroom.org
> http://lists.sudoroom.org/listinfo/sudo-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sudoroom.org/pipermail/sudo-discuss/attachments/20130611/fad82dbe/attachment.html>