Saving the Internet from the NSA

JimC
The sentimental bloke
Posts: 74306
Joined: Thu Feb 26, 2009 7:58 am
About me: To be serious about gin requires years of dedicated research.
Location: Melbourne, Australia

Re: Saving the Internet from the NSA

Post by JimC » Sun Dec 01, 2013 8:52 pm

jaydot wrote:dial-up was my first experience online and i found that i spent more time updating my security software (i was using windows then) than i did surfing. it made the whole effort painful. when i got broadband and switched to linux, i toyed with encryption and found it gave me the same sort of headache dial-up did. i realised that being safe on the internet did not depend upon encryption, but not putting online anything sensitive and, being inherently lazy, i quit nearly all forms of security and "watch my mouth" as it were.

i adhere to the old adage "if you want to keep a secret, keep it to yourself."
Too late for me. The entire internet knows about my gin and cardigan addiction...

:sigh:
Nurse, where the fuck's my cardigan?
And my gin!

Seth
GrandMaster Zen Troll
Posts: 22077
Joined: Fri Jan 28, 2011 1:02 am

Post by Seth » Sun Dec 01, 2013 9:28 pm

rEvolutionist wrote:You are shifting the goal posts. You said the vulnerability is in the private key being intercepted.


No, I said "the key," I deliberately did not specify public or private for a reason, which was to make the threat simple to understand. To make it even simpler, if you physically lock the secret in a box and mail me the key, it's vulnerable to being intercepted and copied by the mail handler. It's (once again) called a "man in the middle" attack and it's a known weakness of public key encryption systems.
rEvolutionist wrote:Now you are talking about spoofing the public key. That's a real threat, but not the original threat we were talking about. I can implement encryption on my computer independent of a digital certificate agency. In fact, that's exactly what Tor does. It's peer to peer encryption (as long as you download the Tor client from the proper site).
You still don't understand what I'm talking about. Even Tor is vulnerable to a man in the middle attack, as you yourself admit. What if the Tor project is entirely under the control of the NSA? Is it? I don't know. Could it be? Yes. Would that compromise every message sent over Tor? Absolutely. And if the NSA has a way to tag traffic on Tor so it can see where it enters the pipeline and where it exits, Tor becomes a giant waste of time because the whole purpose of Tor is not "encryption" it's "obfuscation." Encryption is used by Tor to (theoretically) conceal the true origin and true destination of a packet so that someone trying to identify those two points cannot do so because the message has been bounced around to random servers to break the trail. Simplistically, it's like handing an envelope to a friend and asking him to give it to someone you don't know for delivery to a third party so that someone following the envelope will lose track of it. That's all Tor is. The message you send over Tor is encrypted for transmission between servers, but the content itself is only encrypted to the degree that you encrypt it before sending it. When it exits the Tor network for delivery to the final IP address, the Tor encryption is stripped when it reaches your computer, leaving only the message itself. The vulnerability is, of course, if there is a tracker on that packet that informs the NSA of where the packet left the system (your ISP) for delivery to your IP address, it can determine that you received the message and potentially intercept it for analysis at the ISP level.

Tor is not a method of encryption, it's a method of confidential delivery via routing obfuscation, and it appears that the NSA has figured out how to render that obfuscation ineffective.

Yes, you can encrypt your message on your computer using any system you want, including an open-source program like PGP, which if you're technically competent you can decompile, inspect and recompile (or just inspect and compile) to ensure there are no back doors. Your message will then have all the protections that RSA and other algorithms provide against decryption sans decryption key. Keeping your files private on your computer is highly amenable to encryption, the main risk thereof being the vulnerability of the passphrase used to decrypt the information.

But when you try to send an encrypted message to someone else, that person MUST have a decryption key to read it. Therefore, in some manner the decryption key MUST be transmitted to the recipient. You can hand-write the key on a piece of paper and mail it to me, or have it hand delivered to me, you can call me on the phone or by radio and read it to me digit by digit, you can openly put it in an email if you want. Or, you can encrypt your message to me with a public key that I provide to you, which can be delivered by any of the methods mentioned above, or which can reside on a public key server where you can simply download it. If things go the way they are supposed to go, the message you encrypt with my public key will have all the protections mentioned and should be secure against all but a brute force attack or physical coercion. But what I'm telling you is that you have no actual way to be certain that the public key you get from a public key server is actually my public key. I've explained the man in the middle process for compromising the public key already so I won't do it again.

The point is that in order for me to decrypt a message from you I must have the decryption key. How that decryption key is managed or transmitted varies, but in one way or another, a key is passed. In the case of private key encryption, I pass the encryption key to you either directly or indirectly and you use MY key to encrypt the message, and my private key allows me to decrypt it. But again, that's only secure if the public key you use to encrypt the message actually is my public key and is not one belonging to the NSA.

You're niggling about terminology without understanding the big picture which is a fundamental precept of any encryption technology, from the Vigenère cipher of 1553 to PGP, which is that any cipher is only as secure as the security of the possession of the key which is used to decrypt it. The primary compromise to any encryption system is always a "man in the middle" attack that gives someone who is not authorized to decrypt the message an opportunity to access the decryption key while the message is in transit. How that happens can be complex or simple, but the nature of the threat remains the same.

Public key encryption is "more secure" than a Vigenère cipher because of the methods used to distinguish the encryption and decryption keys from one another, but as I've described, if you encrypt using the wrong public key the message becomes unsecure. And then there's compromise of the private key and/or the passphrase used by the recipient to access the private key to decrypt the message, which are both subject to "man in the middle" attacks through covert surveillance of the recipient's computer via TEMPEST, key loggers, worms and other things that can potentially reveal or transmit the necessary decryption information to the man in the middle.

My point is that NO encryption system is absolutely secure. If the NSA really wants to know what's in a message they can have the CIA pick up the author or recipient and waterboard them if necessary.

So unless you are a criminal or terrorist you might as well just go about your daily business under the assumption that the three-letter agencies of the world can read everything you write and listen to everything you say and track your movements 24/7 and quit worrying about it, because they either are or they can if they want to. If you are a criminal or a terrorist I'm highly in favor of your inability to communicate covertly which far outweighs any interest the NSA might have in my bloviating.
"Seth is Grandmaster Zen Troll who trains his victims to troll themselves every time they think of him" Robert_S

"All that is required for the triumph of evil is that good men do nothing." Edmund Burke

"Those who support denying anyone the right to keep and bear arms for personal defense are fully complicit in every crime that might have been prevented had the victim been effectively armed." Seth

© 2013/2014/2015/2016 Seth, all rights reserved. No reuse, republication, duplication, or derivative work is authorized.
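
The concern raised in the post above, that a key downloaded from a public key server cannot be assumed to belong to the intended recipient, is commonly handled by comparing the key's fingerprint with one obtained over a separate channel. The following is an added example, not part of the original thread: `KeyServer`, `PinStore`, `fetch_verified` and the sample byte strings are hypothetical and constructed for illustration, with plain bytes standing in for real serialized public keys.

```python
import hashlib
import hmac


class KeyMismatch(Exception):
    """The key offered for an identity does not match what we trust."""


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 over the serialized key, shown in groups of four hex digits."""
    digest = hashlib.sha256(key_bytes).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Drop spacing, colons and case so a read-aloud fingerprint compares cleanly."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


class KeyServer:
    """Hypothetical untrusted directory: it returns whatever was stored."""

    def __init__(self):
        self._keys = {}

    def publish(self, identity, key_bytes):
        self._keys[identity] = key_bytes

    def lookup(self, identity):
        return self._keys[identity]


class PinStore:
    """Trust-on-first-use: remember the first fingerprint seen per identity."""

    def __init__(self):
        self._pins = {}

    def check(self, identity, key_bytes):
        seen = normalize(fingerprint(key_bytes))
        pinned = self._pins.setdefault(identity, seen)
        if not hmac.compare_digest(pinned, seen):
            raise KeyMismatch(f"{identity}: key changed since first use")


def fetch_verified(server, identity, pins, expected_fp=None):
    """Fetch a key and refuse it unless it matches the trusted fingerprint."""
    key = server.lookup(identity)
    if expected_fp is not None:
        got = normalize(fingerprint(key))
        if not hmac.compare_digest(normalize(expected_fp), got):
            raise KeyMismatch(f"{identity}: fingerprint differs from out-of-band value")
    pins.check(identity, key)
    return key


def demo():
    ident = "recipient@example.org"
    # Constructed byte strings standing in for serialized public keys.
    real_key = b"CONSTRUCTED SAMPLE: recipient public key"
    other_key = b"CONSTRUCTED SAMPLE: substituted public key"
    # Fingerprint handed over in person or by phone, in a different layout.
    out_of_band = fingerprint(real_key).upper().replace(" ", ":")
    results = {}

    honest = KeyServer()
    honest.publish(ident, real_key)
    results["honest_accepted"] = (
        fetch_verified(honest, ident, PinStore(), out_of_band) == real_key)

    tampered = KeyServer()
    tampered.publish(ident, other_key)
    try:
        fetch_verified(tampered, ident, PinStore(), out_of_band)
        results["substitution_detected"] = False
    except KeyMismatch:
        results["substitution_detected"] = True

    # Without an out-of-band fingerprint, first contact is accepted as-is;
    # pinning only notices that the key changed afterwards.
    pins = PinStore()
    results["tofu_first_contact_accepted"] = (
        fetch_verified(tampered, ident, pins) == other_key)
    tampered.publish(ident, real_key)
    try:
        fetch_verified(tampered, ident, pins)
        results["tofu_change_detected"] = False
    except KeyMismatch:
        results["tofu_change_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The third result shows the limit of pinning alone: a wrong key on first contact is accepted, so the out-of-band comparison is what actually ties the key to the person.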

Post by Seth » Sun Dec 01, 2013 9:34 pm

jaydot wrote:dial-up was my first experience online and i found that i spent more time updating my security software (i was using windows then) than i did surfing. it made the whole effort painful. when i got broadband and switched to linux, i toyed with encryption and found it gave me the same sort of headache dial-up did. i realised that being safe on the internet did not depend upon encryption, but not putting online anything sensitive and, being inherently lazy, i quit nearly all forms of security and "watch my mouth" as it were.

i adhere to the old adage "if you want to keep a secret, keep it to yourself."
And then there's the other adage, "Three people can keep a secret...if two of them are dead."

pErvinalia
On the good stuff
Posts: 60983
Joined: Tue Feb 23, 2010 11:08 pm
About me: Spelling 'were' 'where'
Location: dystopia

Post by pErvinalia » Mon Dec 02, 2013 2:02 am

You don't actually read anything I write, Seth. Tor is open sourced. Do you even know what that means? You're an old guy who understands technology from 20 years ago, but doesn't understand how it all works now. I'm not wasting any more time trying to educate you.
Sent from my penis using wankertalk.
"The Western world is fucking awesome because of mostly white men" - DaveDodo007.
"Socialized medicine is just exactly as morally defensible as gassing and cooking Jews" - Seth. Yes, he really did say that..
"Seth you are a boon to this community" - Cunt.
"I am seriously thinking of going on a spree killing" - Svartalf.

Post by Seth » Mon Dec 02, 2013 3:18 am

rEvolutionist wrote:You don't actually read anything I write, Seth. Tor is open sourced. Do you even know what that means? You're an old guy who understands technology from 20 years ago, but doesn't understand how it all works now. I'm not wasting any more time trying to educate you.
Good idea, since you don't know what you're talking about and are therefore not qualified to educate anyone.

Yes, Tor is open-sourced. Can the NSA tag a Tor data packet? Yes, it reportedly can. That's brand new information, so who's the "old guy" who doesn't understand present technology now?

All you have to do is read the Wiki entry for public key encryption carefully and it will tell you that public key verification is an unresolved problem.

Then continue shutting up.

Mysturji
Clint Eastwood
Posts: 5005
Joined: Thu Feb 26, 2009 4:08 pm
About me: Downloading an app to my necktop
Location: http://tinyurl.com/c9o35ny

Post by Mysturji » Mon Dec 02, 2013 4:20 pm

JimC wrote:I don't see Snowden as a "white knight hero", but neither do I see him as a villain. Technically, he could be classified as a traitor, but it would be hard for anybody to say he did it for personal gain. Living under the control of the Russian security services, with their own agenda is not like a lazy escape to a wealthy life on a tropical beach...

I can understand Ian being fairly cranky - it is a consequence of the position he has within the US services. But darkly hinting of "special knowledge" which, if known, would make anyone recoil from Snowden in horror will not impress a skeptical audience wanting evidence and logic.

It is clear that Snowden's information releases have had a deleterious effect on the US government, diplomats and security apparatus. It has caused much embarrassment to allies such as Australia, too, with revelations about eaves-dropping in Indonesia. Also, I know that people argue that diplomacy itself works best if some aspects are kept secret.

However, weighing up all these negative consequences against the public value, world wide, of knowing that an agency of the US government has clearly over-stepped the bounds, I support, in balance, what he has done, however murky his motives may have been. It is for the public good, where the public is the whole of humanity.
:this:
Sir Figg Newton wrote:If I have seen further than others, it is only because I am surrounded by midgets.
Cormac wrote:Doom predictors have been with humans right through our history. They are like the proverbial stopped clock - right twice a day, but not due to the efficacy of their prescience.
IDMD2
I am a twit.

Blind groper
Posts: 3997
Joined: Sun Mar 25, 2012 3:10 am
About me: From New Zealand

Post by Blind groper » Mon Dec 02, 2013 7:43 pm

Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.

Post by Seth » Mon Dec 02, 2013 8:32 pm

Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?

Post by JimC » Mon Dec 02, 2013 8:52 pm

Seth wrote:
Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?
I would have thought that you in particular would object strongly to a big brother government poking its nose into your affairs, whether they are legal or not... :tea:

Post by Seth » Mon Dec 02, 2013 9:21 pm

JimC wrote:
Seth wrote:
Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?
I would have thought that you in particular would object strongly to a big brother government poking its nose into your affairs, whether they are legal or not... :tea:
I'm just asking what you think. I know what I think.

Post by JimC » Mon Dec 02, 2013 10:21 pm

Seth wrote:
JimC wrote:
Seth wrote:
Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?
I would have thought that you in particular would object strongly to a big brother government poking its nose into your affairs, whether they are legal or not... :tea:
I'm just asking what you think. I know what I think.
Well, I dislike it on principle, even though I'm not (as it happens) an international drug dealer, kiddie porn manufacturer or terrorist... :tea:

And as for your thoughts, I sense a certain amount of conflict on this issue between your libertarian principles and a "go USA" attitude...

Post by Blind groper » Mon Dec 02, 2013 11:35 pm

I agree with Jim.
I see Seth betraying his libertarian values by promoting a form of information slavery to the government. As far as I am concerned, the US government has no right to knowledge about what I am doing or thinking. Big Brother can go take his spies and stick 'em where the sun don't shine!

Post by pErvinalia » Tue Dec 03, 2013 1:40 am

JimC wrote:
Seth wrote:
JimC wrote:
Seth wrote:
Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?
I would have thought that you in particular would object strongly to a big brother government poking its nose into your affairs, whether they are legal or not... :tea:
I'm just asking what you think. I know what I think.
Well, I dislike it on principle, even though I'm not (as it happens) an international drug dealer, kiddie porn manufacturer or terrorist... :tea:

And as for your thoughts, I sense a certain amount of conflict on this issue between your libertarian principles and a "go USA" attitude...
Exactly.

Azathoth
blind idiot god
Posts: 9418
Joined: Wed Nov 04, 2009 11:31 pm

Post by Azathoth » Tue Dec 03, 2013 2:52 am

Public key crypto isn't going to be around much longer
http://www.sciencecodex.com/quantum_sea ... age-122287

Sent from my Nexus 7 using Tapatalk
Outside the ordered universe is that amorphous blight of nethermost confusion which blasphemes and bubbles at the center of all infinity—the boundless daemon sultan Azathoth, whose name no lips dare speak aloud, and who gnaws hungrily in inconceivable, unlighted chambers beyond time and space amidst the muffled, maddening beating of vile drums and the thin monotonous whine of accursed flutes.

// Replaces with spaces the braces in cases where braces in places cause stasis
$str = str_replace(array("{", "}"), " ", $str);

Post by Seth » Tue Dec 03, 2013 3:01 am

JimC wrote:
Seth wrote:
JimC wrote:
Seth wrote:
Blind groper wrote:Based on what Seth has just said, that the NSA might own Tor, it is more vital than ever that whistle blowers be active and let everyone know what is going on.
If you don't trade in kiddie porn or espionage, why would you care?
I would have thought that you in particular would object strongly to a big brother government poking its nose into your affairs, whether they are legal or not... :tea:
I'm just asking what you think. I know what I think.
Well, I dislike it on principle, even though I'm not (as it happens) an international drug dealer, kiddie porn manufacturer or terrorist... :tea:

And as for your thoughts, I sense a certain amount of conflict on this issue between your libertarian principles and a "go USA" attitude...
It's purely pragmatic. I would prefer to live in a world where monitoring of electronic communications was not necessary, but I recognize that this is not the world we live in, and pragmatically such intelligence gathering can be both necessary and beneficial under the circumstances, and that it's going to happen whether I like it or not. I also recognize that in order to separate the wheat from the chaff, one has to thresh all the grain and that refusing to thresh the grain because some of the grain may be damaged in the process means that the entire crop rots in the field. Therefore, the best I can do is to argue for limiting the ways in which such information can be legally used against citizens of this country. As I have said, one of the ways that I would limit the potential harm of government intelligence gathering and surveillance efforts is to amend the US Constitution to state specifically that any information gathered under the mantle of national security may only be used against a citizen of the United States to pursue criminal prosecution only for legitimate cases of domestic or foreign terrorist activities with national security implications directly involving that citizen, and for no other criminal or civil purpose whatsoever. Further, releasing or revealing any information gathered for the purposes of national security outside of the national security system would be a felony with a mandatory 25 year federal prison sentence for anyone involved in, or with knowledge of the release of such information.

The Constitution guarantees our right to be free of unreasonable search and seizure, not any search and seizure. But the nature of the threat and the medium of communications technologically require the scanning (searching) of digital communications for keywords related to the legitimate national security concerns, which means that in order to find the messages that have national security implications some examination of all messages passing through the system for those keywords is required, but not necessarily the retention of any of the information in messages that do not contain such keywords.

The postal paradigm is useful in examining the reasonableness of such message scanning. It has always been lawful for the Post Office to keep track of where letters and parcels in the system are sent from, sent to, and by and to whom. That's public information that appears on the outside of the package by necessity, and therefore "searching" the address is not unreasonable because there is no expectation of privacy in that information.

To delve more deeply into a particular letter or parcel on the other hand requires a warrant issued pursuant to probable cause issued by a judge, at which point a Postal Inspector can intercept, open, examine and copy (or seize) the contents lawfully if it's contraband or evidence in a crime.

The same has been true of telephonic communications since its invention, and the location of both parties, as well as the time, date and duration of the call are also not privileged under the 4th Amendment because it must be revealed to a third party in order to make the connection. Intercepting the contents of the conversation still requires a warrant.

Where things begin to go grey is when the location information that's inherent in a cell-phone call is collected by law enforcement without a warrant and without any particularized suspicion of the individual making the call under the rubric of being non-privileged merely because the automated systems must make such a determination of location in order to connect the call. The challenge posed to the courts goes beyond what was contemplated by the Founders of course, because they never imagined that such particularized and ubiquitous tracking was even possible. But they did provide guidance in writing the 4th Amendment broadly and I believe that it clearly does cover this sort of intrusion by the government on personal privacy where it says that a person has a right to be free of unreasonable search and seizure in his person, houses, papers and effects absent particularized suspicion of wrongdoing and/or probable cause supported by a duly-issued warrant. While most people focus on "papers and effects" when they think about police searches, such as whether your cell phone messages and other data are the functional equivalent of "papers and effects," the issue of surveillance of the individual falls under the "person" requirement. Placing someone under physical surveillance, which includes gathering information on the person's location and his activities, is, I believe, precisely what the Founders were concerned with when they said a person has a right to be free from unreasonable search of his person. Following someone around or recording their location is a "search" in every sense of the word. Thus, it is my belief that even in public places, absent probable cause that the person is, is about to be, or has been involved in a crime, law enforcement has no lawful authority to initiate a "search" that is intended to determine the location of the individual, whether it is limited to determining a single location or keeping track of every location the individual visits.

This right conflicts with the right of police to observe what's going on around them and to themselves travel freely about the public domain in the performance of their duties that may happen to include following someone who has raised a reasonable suspicion in the officer's mind to a limited extent, this being the duty and purpose of the police.

If a person's activities have brought them to the attention of the police and given rise to a reasonable suspicion of criminality, then the officer is certainly empowered to follow that person about in the public domain as much as any other person is authorized to do, which is pretty broad in scope and limited only when the surveillance turns into stalking or harassment as defined in the law. Short of this, any person can follow any other person about in public as a matter of right.

But IMHO the police actually have less authority to tail people than an average citizen does precisely because of the 4th Amendment, which to me imposes a strict requirement on the agents of government scrutiny that they have prior or contemporary knowledge or suspicion of a crime before they can legitimately "search" an individual's "person" by keeping track of his location.

So, IMO the police must have at least a reasonable, articulable suspicion that the individual they are following or tracking is, has been, or is about to be involved in a crime before initiating any such tracking that involves a particularized interest in the person's movements.

To me, this clearly prohibits the police acquiring or using tracking information on individuals who are not under suspicion, which should prohibit the gathering of cell-phone location information from non-suspects, either on an individual or group basis or information about a legitimate suspect's location at any time before a search warrant for tracking the individual has been issued by a judge based on a finding of probable cause.

This seems to comport with the recent SC ruling that placing a GPS tracker on a suspect's car requires a warrant.
