<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
Re. Andrew: YES and YES. <br>
<br>
(I gotta scoot for work now, back this evening.)<br>
<br>
-G.<br>
<br>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 13-06-11-Tue 7:41 AM, Andrew wrote:<br>
</div>
<blockquote
cite="mid:CADWgu_=YXic6zw332E+CWd-QdP2XqmX_bAebATd8ie9OHF2Q4Q@mail.gmail.com"
type="cite">
<div dir="ltr">maybe sudoroom should run an email server that
encrypts messages on the disk as well offers end to end
encryption over the air.<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jun 11, 2013 at 4:07 AM, GtwoG
PublicOhOne <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:g2g-public01@att.net" target="_blank">g2g-public01@att.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hi Max, YOs-<br>
<br>
Speaking from more than casual knowledge of the subject
matter, as a few<br>
of us here know:<br>
<br>
<br>
1) If you read the denials issued by Google and Facebook,
you'll<br>
discover that they used almost identical language. And while
it's true<br>
that corporate PR-speak and legal-speak are usually as bland
as baked<br>
beans, this stuff reminds one of the story where Mrs. Jones
and Mrs.<br>
Smith each had a baby that bears more than a slight
resemblance to the<br>
guy who delivers both of their newspapers:<br>
<br>
Google: "First, we have not joined any program that would
give the U.S.<br>
government—or any other government—direct access to our
servers."<br>
<br>
Facebook: "Facebook is not and has never been part of any
program to<br>
give the US or any other government direct access to our
servers."<br>
<br>
Google: "We had not heard of a program called PRISM until
yesterday."<br>
<br>
Facebook: "We hadn't even heard of PRISM before yesterday."<br>
<br>
Google: "Our legal team reviews each and every request..."<br>
<br>
Facebook: "When governments ask Facebook for data, we review
each<br>
request carefully..."<br>
<br>
<br>
2) Of course they didn't "join" a program or become "part
of" a program.<br>
NSA isn't a "club" that you can just "join." What Facebook
and Google<br>
did was become ASSETS of a program.<br>
<br>
That is a very subtle but important distinction. If you were
to ask<br>
their lawyers if they "had become assets or had acted in any
capacity as<br>
assets of any entity within the United States Intelligence
Community<br>
(USIC)," they would clam up right quick. One needs to know
how to ask<br>
the question in order to get at the answer.<br>
<br>
Also, it is the case that the assets of a program or
operation rarely if<br>
ever know the name of the program or operation involved.
Knowing the<br>
name of the program or op would give the assets the ability
to compare<br>
notes and possibly compromise the program or op. Very often,
even the<br>
names of programs or ops are themselves classified.<br>
<br>
By the way, some of y'all may have heard my comments about
Steve Jobs'<br>
application for a security clearance, shortly after Jobs
died and his<br>
bio was published. The media were preoccupied with the usual
celebrity<br>
gossip about how he could have gotten a clearance when he'd
admitted to<br>
taking LSD and building blue boxes (naughty phone-phreak
devices). But<br>
the real story, as I said at the time, was that the purpose
of the<br>
clearance was to facilitate relationships with certain
agencies<br>
regarding surveillance opportunities in the Macintosh
operating systems<br>
and other products. It is almost 100% certain that Microsoft
and certain<br>
of the commercial companies involved in Open Source
operating systems,<br>
had similar relationships. ("Intel Inside", anyone?;-)<br>
<br>
One more item. Watch for the names Cisco, Comcast, and
Symantec, in the<br>
news.<br>
<br>
Aww hell, one more after that. Twitter claims to have
refused to<br>
participate in PRISM. That's very convenient for them to
say, because<br>
Twitter itself is a complete intel collection platform with
fully open<br>
access, and a variety of software tools for analysis.
Twitter is the<br>
easiest of the bunch to intercept and fully exploit. You too
can play at<br>
that game (just a little but enough to get the flavor of
it), if you<br>
want to pay for the software.<br>
<br>
<br>
3) Yes, NSA can monitor traffic without a carrier or service
provider<br>
knowing it. This is done by intercepting the traffic at the
carrier<br>
level. By analogy, if I want to tap your broadband service,
I don't have<br>
to break into your house to do it: I can do it from any
point between<br>
your house and the service provider's central office.<br>
<br>
<br>
4) Telcos and broadband providers are required to have CALEA
intercept<br>
equipment (such as the infamous Naris box of EFF fame)
installed in<br>
their racks. This equipment enables authorized entities to
siphon the<br>
data streams in realtime, either in whole or in part
depending on<br>
various assigned levels of privilege.<br>
<br>
If everything that's on a server has gotten there via a
connection that<br>
is being intercepted constantly in real-time, there's no
need to get<br>
inside the server itself.<br>
<br>
<br>
5) NSA and real-time decryption: There is reason to believe,
based on<br>
published accounts, that certain types of decryption are
routine and<br>
automated. I also know from unpublished but not classified
sources, that<br>
there are automated tests that examine ciphertext to
determine<br>
specifically which encryption method and key length were
used to encrypt<br>
the data. I would conclude that automated decryption exceeds
the<br>
capabilities that have been reported in the press.<br>
<br>
Further, I would strongly suggest that we compile versions
of PGP and<br>
GPG from source code, and modify them to eliminate the upper
limit on<br>
key sizes. I can explain further how to perform that
modification of the<br>
source code, once we have it downloaded. It's remarkably
easy.<br>
<br>
<br>
6) Compromise of private keys: Given the number of methods
available,<br>
and given the track records of the various entities
involved, I would<br>
not be surprised.<br>
<br>
"Mary had a private key, with which to open PGP.<br>
The key fell into hostile hands. Now Mary's hiding, with her
lambs."<br>
<br>
<br>
7) Did Google and Facebook lie?<br>
<br>
Do bears shit in the woods?<br>
<br>
<br>
8) A modest prediction, and y'all can file this under "he
wasn't crazy<br>
after all."<br>
<br>
I've been saying this stuff for a while now, but recent news
makes it<br>
more, uhh, "topical":<br>
<br>
The entire advertising-based model of internet services,
with its<br>
reliance on "free" services "supported" by advertising that
"requires"<br>
pervasive tracking of every user's every activities and
whereabouts,<br>
will be demonstrated to have been an enormous cover story of<br>
convenience, for a degree of mass surveillance that far
exceeds anything<br>
has been reported thus far.<br>
<br>
The goal is to have 100% collection of all communications
and location<br>
data, online and face-to-face, every conversation as well as
metadata,<br>
to be permanently archived for retrieval and analysis at any
later point<br>
in time. (This has not yet been achieved, but they're
working on it.)<br>
The goal of that, in turn, is to enable making accurate
predictions<br>
about the activities and location of any person, at any
point in the<br>
future. What gets done with those accurate predictions is a
matter of<br>
discretionary policy by those who control the data.<br>
<br>
Orwell: "He who controls the past controls the future. He
who controls<br>
the future controls the present." Me: "Knowledge is power.
When they<br>
know all about you, and you know nothing about them, who has
the power?"<br>
<br>
<br>
9) Lastly, Max, you might especially appreciate this bit of
history:<br>
<br>
In the 1970s, GCHQ was engaged in targeted surveillance of
various<br>
dissident groups in the UK. But since GPO Telephones'
switching systems<br>
were entirely electro-mechanical (Strowger switches), GCHQ
had to depend<br>
on the GPO engineers to execute every request by making
physical<br>
connections to the lines at the Central Offices.<br>
<br>
The GPO engineers' sympathies were often with the
dissidents. So,<br>
shortly after the GCHQ officers left, the GPO engineers
would quietly go<br>
about undoing the unwanted connections or otherwise
rendering them<br>
useless. Such are the advantages of electro-mechanical
analog switching<br>
systems, maintained by skilled workers, with a strong union,
and strong<br>
class consciousness.<br>
<br>
<br>
Cheers-<br>
<br>
-G.<br>
<br>
"You search Google, and Google searches you. Deal?"<br>
<br>
<br>
======<br>
<div class="HOEnZb">
<div class="h5"><br>
<br>
<br>
On 13-06-10-Mon 11:46 PM, Max B wrote:<br>
> I have a quick question to throw out for anyone
with opinions:<br>
><br>
> When the NSA PRISM program was exposed, it was
leaked that the NSA has<br>
> the capabilities to monitor the content of
communications taking place<br>
> through any of the list of companies they
mentioned. Then Google,<br>
> Apple, and crew came out and denied it.<br>
><br>
> Would it be possible for the NSA to be monitoring
traffic without them<br>
> knowing it/allowing a backdoor? Would that require
NSA servers doing<br>
> 128-bit SSL decryption at real-time speeds? Or
perhaps only when<br>
> specific emails needed to be read? Could they have
covertly<br>
> compromised the private keys of all of these
establishments? ("US<br>
> Government hacked google" seems like a great
Guardian headline)<br>
><br>
> Or do folks think that those companies are just
lying through their<br>
> teeth?<br>
><br>
> On Mon 10 Jun 2013 10:43:42 PM PDT, Rabbit wrote:<br>
>> Yes, let's have a end-user focused crypto
workshop!<br>
>><br>
>> I'm not an expert but I can help OS X users get
set up with<br>
>><br>
>> Tor<br>
>> Adium + OTR<br>
>> Making encrypted disk images<br>
>> Truecrypt<br>
>><br>
>> And I wanna learn about web of trust,
keysigning, gpg for email<br>
>><br>
>> Also I'm really wishing for a better social
network for people to<br>
>> switch to. Any thoughts on that?<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> On Mon, Jun 10, 2013 at 7:55 PM, GtwoG
PublicOhOne<br>
>> <<a moz-do-not-send="true"
href="mailto:g2g-public01@att.net">g2g-public01@att.net</a>
<mailto:<a moz-do-not-send="true"
href="mailto:g2g-public01@att.net">g2g-public01@att.net</a>>>
wrote:<br>
>><br>
>><br>
>> YES! a crypto party.<br>
>><br>
>> PGP and GPG won't protect your metadata from
traffic analysis ("TA"),<br>
>> which is what's been revealed that Anagram Inn
has been up to. But<br>
>> protecting your content is a good start, and
building email<br>
>> servers that<br>
>> are end-to-end encrypted is the next step.<br>
>><br>
>> -G.<br>
>><br>
>><br>
>> =====<br>
>><br>
>><br>
>><br>
>> On 13-06-10-Mon 7:13 PM, William Budington
wrote:<br>
>> > There was some discussion about this at
the last meeting, mostly<br>
>> around<br>
>> > securing personal data on physical
devices, but it would be good<br>
>> to have<br>
>> > another end-user based cryptoparty, even
have it be a full-day event<br>
>> > stemming from Today I Learned. I'll bring
this up at the meeting on<br>
>> > Wednesday.<br>
>> ><br>
>> > Bill<br>
>> ><br>
>> > On 06/10/2013 07:02 PM, William Gillis
wrote:<br>
>> >> Hey Sudoroomers,<br>
>> >><br>
>> >> I've been deluged by friends this
weekend suddenly interested<br>
>> in things<br>
>> >> like finally figuring out how to
install that there tor, or god<br>
>> forbid<br>
>> >> venturing into the realm of pgp. I
offered my nonstop 1:1<br>
>> handholding<br>
>> >> services over facebook to any and all
friends and have been a<br>
>> little<br>
>> >> overwhelmed by the number.<br>
>> >><br>
>> >> Someone local suggested a teach day at
Sudoroom and I thought<br>
>> I'd check to<br>
>> >> see if anyone else is interested and,
you know, what actual<br>
>> members have to<br>
>> >> say.<br>
>> >><br>
>> >> There has never been a more opportune
moment for cryptoparty<br>
>> outreach, and<br>
>> >> yet I haven't seen anyone declare
anything yet. Am I just out<br>
>> of the loop?<br>
>> >><br>
>> >><br>
>> >><br>
>> >>
_______________________________________________<br>
>> >> sudo-discuss mailing list<br>
>> >> <a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
>> <mailto:<a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a>><br>
>> >> <a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
>> >><br>
>> >
_______________________________________________<br>
>> > sudo-discuss mailing list<br>
>> > <a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
>> <mailto:<a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a>><br>
>> > <a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
>> ><br>
>><br>
>> _______________________________________________<br>
>> sudo-discuss mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
>> <mailto:<a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a>><br>
>> <a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> sudo-discuss mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
>> <a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
> _______________________________________________<br>
> sudo-discuss mailing list<br>
> <a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
> <a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
><br>
<br>
_______________________________________________<br>
sudo-discuss mailing list<br>
<a moz-do-not-send="true"
href="mailto:sudo-discuss@lists.sudoroom.org">sudo-discuss@lists.sudoroom.org</a><br>
<a moz-do-not-send="true"
href="http://lists.sudoroom.org/listinfo/sudo-discuss"
target="_blank">http://lists.sudoroom.org/listinfo/sudo-discuss</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
-------
<div>Andrew Lowe</div>
<div>Cell: 831-332-2507</div>
<div><a moz-do-not-send="true" href="http://roshambomedia.com"
target="_blank">http://roshambomedia.com</a></div>
<div><br>
</div>
</div>
</blockquote>
<br>
</body>
</html>