[sudo-discuss] Sudden public interest in basic crypto/security tools.
GtwoG PublicOhOne
g2g-public01 at att.net
Tue Jun 11 08:19:00 PDT 2013
Re. Andrew: YES and YES.
(I gotta scoot for work now, back this evening.)
-G.
On 13-06-11-Tue 7:41 AM, Andrew wrote:
> maybe sudoroom should run an email server that encrypts messages on
> the disk as well as offers end to end encryption over the air.
>
>
> On Tue, Jun 11, 2013 at 4:07 AM, GtwoG PublicOhOne
> <g2g-public01 at att.net> wrote:
>
>
> Hi Max, YOs-
>
> Speaking from more than casual knowledge of the subject matter, as a
> few of us here know:
>
>
> 1) If you read the denials issued by Google and Facebook, you'll
> discover that they used almost identical language. And while it's true
> that corporate PR-speak and legal-speak are usually as bland as baked
> beans, this stuff reminds one of the story where Mrs. Jones and Mrs.
> Smith each had a baby that bears more than a slight resemblance to the
> guy who delivers both of their newspapers:
>
> Google: "First, we have not joined any program that would give the U.S.
> government—or any other government—direct access to our servers."
>
> Facebook: "Facebook is not and has never been part of any program to
> give the US or any other government direct access to our servers."
>
> Google: "We had not heard of a program called PRISM until yesterday."
>
> Facebook: "We hadn't even heard of PRISM before yesterday."
>
> Google: "Our legal team reviews each and every request..."
>
> Facebook: "When governments ask Facebook for data, we review each
> request carefully..."
>
>
> 2) Of course they didn't "join" a program or become "part of" a program.
> NSA isn't a "club" that you can just "join." What Facebook and Google
> did was become ASSETS of a program.
>
> That is a very subtle but important distinction. If you were to ask
> their lawyers if they "had become assets or had acted in any capacity as
> assets of any entity within the United States Intelligence Community
> (USIC)," they would clam up right quick. One needs to know how to ask
> the question in order to get at the answer.
>
> Also, it is the case that the assets of a program or operation rarely if
> ever know the name of the program or operation involved. Knowing the
> name of the program or op would give the assets the ability to compare
> notes and possibly compromise the program or op. Very often, even the
> names of programs or ops are themselves classified.
>
> By the way, some of y'all may have heard my comments about Steve Jobs'
> application for a security clearance, shortly after Jobs died and his
> bio was published. The media were preoccupied with the usual celebrity
> gossip about how he could have gotten a clearance when he'd admitted to
> taking LSD and building blue boxes (naughty phone-phreak devices). But
> the real story, as I said at the time, was that the purpose of the
> clearance was to facilitate relationships with certain agencies
> regarding surveillance opportunities in the Macintosh operating systems
> and other products. It is almost 100% certain that Microsoft and certain
> of the commercial companies involved in Open Source operating systems,
> had similar relationships. ("Intel Inside", anyone?;-)
>
> One more item. Watch for the names Cisco, Comcast, and Symantec, in the
> news.
>
> Aww hell, one more after that. Twitter claims to have refused to
> participate in PRISM. That's very convenient for them to say, because
> Twitter itself is a complete intel collection platform with fully open
> access, and a variety of software tools for analysis. Twitter is the
> easiest of the bunch to intercept and fully exploit. You too can play at
> that game (just a little but enough to get the flavor of it), if you
> want to pay for the software.
>
>
> 3) Yes, NSA can monitor traffic without a carrier or service provider
> knowing it. This is done by intercepting the traffic at the carrier
> level. By analogy, if I want to tap your broadband service, I don't have
> to break into your house to do it: I can do it from any point between
> your house and the service provider's central office.
>
>
> 4) Telcos and broadband providers are required to have CALEA intercept
> equipment (such as the infamous Narus box of EFF fame) installed in
> their racks. This equipment enables authorized entities to siphon the
> data streams in realtime, either in whole or in part depending on
> various assigned levels of privilege.
>
> If everything that's on a server has gotten there via a connection that
> is being intercepted constantly in real-time, there's no need to get
> inside the server itself.
>
>
> 5) NSA and real-time decryption: There is reason to believe, based on
> published accounts, that certain types of decryption are routine and
> automated. I also know from unpublished but not classified sources, that
> there are automated tests that examine ciphertext to determine
> specifically which encryption method and key length were used to encrypt
> the data. I would conclude that automated decryption exceeds the
> capabilities that have been reported in the press.
>
> Further, I would strongly suggest that we compile versions of PGP and
> GPG from source code, and modify them to eliminate the upper limit on
> key sizes. I can explain further how to perform that modification of the
> source code, once we have it downloaded. It's remarkably easy.
>
>
> 6) Compromise of private keys: Given the number of methods available,
> and given the track records of the various entities involved, I would
> not be surprised.
>
> "Mary had a private key, with which to open PGP.
> The key fell into hostile hands. Now Mary's hiding, with her lambs."
>
>
> 7) Did Google and Facebook lie?
>
> Do bears shit in the woods?
>
>
> 8) A modest prediction, and y'all can file this under "he wasn't crazy
> after all."
>
> I've been saying this stuff for a while now, but recent news makes it
> more, uhh, "topical":
>
> The entire advertising-based model of internet services, with its
> reliance on "free" services "supported" by advertising that "requires"
> pervasive tracking of every user's every activity and whereabouts,
> will be demonstrated to have been an enormous cover story of
> convenience, for a degree of mass surveillance that far exceeds anything
> that has been reported thus far.
>
> The goal is to have 100% collection of all communications and location
> data, online and face-to-face, every conversation as well as metadata,
> to be permanently archived for retrieval and analysis at any later point
> in time. (This has not yet been achieved, but they're working on it.)
> The goal of that, in turn, is to enable making accurate predictions
> about the activities and location of any person, at any point in the
> future. What gets done with those accurate predictions is a matter of
> discretionary policy by those who control the data.
>
> Orwell: "He who controls the past controls the future. He who controls
> the future controls the present." Me: "Knowledge is power. When they
> know all about you, and you know nothing about them, who has the
> power?"
>
>
> 9) Lastly, Max, you might especially appreciate this bit of history:
>
> In the 1970s, GCHQ was engaged in targeted surveillance of various
> dissident groups in the UK. But since GPO Telephones' switching systems
> were entirely electro-mechanical (Strowger switches), GCHQ had to depend
> on the GPO engineers to execute every request by making physical
> connections to the lines at the Central Offices.
>
> The GPO engineers' sympathies were often with the dissidents. So,
> shortly after the GCHQ officers left, the GPO engineers would quietly go
> about undoing the unwanted connections or otherwise rendering them
> useless. Such are the advantages of electro-mechanical analog switching
> systems, maintained by skilled workers, with a strong union, and strong
> class consciousness.
>
>
> Cheers-
>
> -G.
>
> "You search Google, and Google searches you. Deal?"
>
>
> ======
>
>
>
> On 13-06-10-Mon 11:46 PM, Max B wrote:
> > I have a quick question to throw out for anyone with opinions:
> >
> > When the NSA PRISM program was exposed, it was leaked that the NSA has
> > the capabilities to monitor the content of communications taking place
> > through any of the list of companies they mentioned. Then Google,
> > Apple, and crew came out and denied it.
> >
> > Would it be possible for the NSA to be monitoring traffic without them
> > knowing it/allowing a backdoor? Would that require NSA servers doing
> > 128-bit SSL decryption at real-time speeds? Or perhaps only when
> > specific emails needed to be read? Could they have covertly
> > compromised the private keys of all of these establishments? ("US
> > Government hacked google" seems like a great Guardian headline)
> >
> > Or do folks think that those companies are just lying through their
> > teeth?
> >
> > On Mon 10 Jun 2013 10:43:42 PM PDT, Rabbit wrote:
> >> Yes, let's have an end-user focused crypto workshop!
> >>
> >> I'm not an expert but I can help OS X users get set up with
> >>
> >> Tor
> >> Adium + OTR
> >> Making encrypted disk images
> >> Truecrypt
> >>
> >> And I wanna learn about web of trust, keysigning, gpg for email
> >>
> >> Also I'm really wishing for a better social network for people to
> >> switch to. Any thoughts on that?
> >>
> >>
> >>
> >>
> >>
> >> On Mon, Jun 10, 2013 at 7:55 PM, GtwoG PublicOhOne
> >> <g2g-public01 at att.net> wrote:
> >>
> >>
> >> YES! a crypto party.
> >>
> >> PGP and GPG won't protect your metadata from traffic analysis ("TA"),
> >> which is what's been revealed that Anagram Inn has been up to. But
> >> protecting your content is a good start, and building email servers that
> >> are end-to-end encrypted is the next step.
> >>
> >> -G.
> >>
> >>
> >> =====
> >>
> >>
> >>
> >> On 13-06-10-Mon 7:13 PM, William Budington wrote:
> >> > There was some discussion about this at the last meeting, mostly around
> >> > securing personal data on physical devices, but it would be good to have
> >> > another end-user based cryptoparty, even have it be a full-day event
> >> > stemming from Today I Learned. I'll bring this up at the meeting on
> >> > Wednesday.
> >> >
> >> > Bill
> >> >
> >> > On 06/10/2013 07:02 PM, William Gillis wrote:
> >> >> Hey Sudoroomers,
> >> >>
> >> >> I've been deluged by friends this weekend suddenly interested in things
> >> >> like finally figuring out how to install that there tor, or god forbid
> >> >> venturing into the realm of pgp. I offered my nonstop 1:1 handholding
> >> >> services over facebook to any and all friends and have been a little
> >> >> overwhelmed by the number.
> >> >>
> >> >> Someone local suggested a teach day at Sudoroom and I thought I'd check to
> >> >> see if anyone else is interested and, you know, what actual members have to
> >> >> say.
> >> >>
> >> >> There has never been a more opportune moment for cryptoparty outreach, and
> >> >> yet I haven't seen anyone declare anything yet. Am I just out of the loop?
> >> >>
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> sudo-discuss mailing list
> >> >> sudo-discuss at lists.sudoroom.org
> >> >> http://lists.sudoroom.org/listinfo/sudo-discuss
> >> >>
>
>
>
> --
> -------
> Andrew Lowe
> Cell: 831-332-2507
> http://roshambomedia.com
>