maybe sudoroom should run an email server that encrypts messages on the
disk as well offers end to end encryption over the air.
On Tue, Jun 11, 2013 at 4:07 AM, GtwoG PublicOhOne <g2g-public01(a)att.net>wrote;wrote:
Hi Max, YOs-
Speaking from more than casual knowledge of the subject matter, as a few
of us here know:
1) If you read the denials issued by Google and Facebook, you'll
discover that they used almost identical language. And while it's true
that corporate PR-speak and legal-speak are usually as bland as baked
beans, this stuff reminds one of the story where Mrs. Jones and Mrs.
Smith each had a baby that bears more than a slight resemblance to the
guy who delivers both of their newspapers:
Google: "First, we have not joined any program that would give the U.S.
government—or any other government—direct access to our servers."
Facebook: "Facebook is not and has never been part of any program to
give the US or any other government direct access to our servers."
Google: "We had not heard of a program called PRISM until yesterday."
Facebook: "We hadn't even heard of PRISM before yesterday."
Google: "Our legal team reviews each and every request..."
Facebook: "When governments ask Facebook for data, we review each
request carefully..."
2) Of course they didn't "join" a program or become "part of" a
program.
NSA isn't a "club" that you can just "join." What Facebook and
Google
did was become ASSETS of a program.
That is a very subtle but important distinction. If you were to ask
their lawyers if they "had become assets or had acted in any capacity as
assets of any entity within the United States Intelligence Community
(USIC)," they would clam up right quick. One needs to know how to ask
the question in order to get at the answer.
Also, it is the case that the assets of a program or operation rarely if
ever know the name of the program or operation involved. Knowing the
name of the program or op would give the assets the ability to compare
notes and possibly compromise the program or op. Very often, even the
names of programs or ops are themselves classified.
By the way, some of y'all may have heard my comments about Steve Jobs'
application for a security clearance, shortly after Jobs died and his
bio was published. The media were preoccupied with the usual celebrity
gossip about how he could have gotten a clearance when he'd admitted to
taking LSD and building blue boxes (naughty phone-phreak devices). But
the real story, as I said at the time, was that the purpose of the
clearance was to facilitate relationships with certain agencies
regarding surveillance opportunities in the Macintosh operating systems
and other products. It is almost 100% certain that Microsoft and certain
of the commercial companies involved in Open Source operating systems,
had similar relationships. ("Intel Inside", anyone?;-)
One more item. Watch for the names Cisco, Comcast, and Symantec, in the
news.
Aww hell, one more after that. Twitter claims to have refused to
participate in PRISM. That's very convenient for them to say, because
Twitter itself is a complete intel collection platform with fully open
access, and a variety of software tools for analysis. Twitter is the
easiest of the bunch to intercept and fully exploit. You too can play at
that game (just a little but enough to get the flavor of it), if you
want to pay for the software.
3) Yes, NSA can monitor traffic without a carrier or service provider
knowing it. This is done by intercepting the traffic at the carrier
level. By analogy, if I want to tap your broadband service, I don't have
to break into your house to do it: I can do it from any point between
your house and the service provider's central office.
4) Telcos and broadband providers are required to have CALEA intercept
equipment (such as the infamous Naris box of EFF fame) installed in
their racks. This equipment enables authorized entities to siphon the
data streams in realtime, either in whole or in part depending on
various assigned levels of privilege.
If everything that's on a server has gotten there via a connection that
is being intercepted constantly in real-time, there's no need to get
inside the server itself.
5) NSA and real-time decryption: There is reason to believe, based on
published accounts, that certain types of decryption are routine and
automated. I also know from unpublished but not classified sources, that
there are automated tests that examine ciphertext to determine
specifically which encryption method and key length were used to encrypt
the data. I would conclude that automated decryption exceeds the
capabilities that have been reported in the press.
Further, I would strongly suggest that we compile versions of PGP and
GPG from source code, and modify them to eliminate the upper limit on
key sizes. I can explain further how to perform that modification of the
source code, once we have it downloaded. It's remarkably easy.
6) Compromise of private keys: Given the number of methods available,
and given the track records of the various entities involved, I would
not be surprised.
"Mary had a private key, with which to open PGP.
The key fell into hostile hands. Now Mary's hiding, with her lambs."
7) Did Google and Facebook lie?
Do bears shit in the woods?
8) A modest prediction, and y'all can file this under "he wasn't crazy
after all."
I've been saying this stuff for a while now, but recent news makes it
more, uhh, "topical":
The entire advertising-based model of internet services, with its
reliance on "free" services "supported" by advertising that
"requires"
pervasive tracking of every user's every activities and whereabouts,
will be demonstrated to have been an enormous cover story of
convenience, for a degree of mass surveillance that far exceeds anything
has been reported thus far.
The goal is to have 100% collection of all communications and location
data, online and face-to-face, every conversation as well as metadata,
to be permanently archived for retrieval and analysis at any later point
in time. (This has not yet been achieved, but they're working on it.)
The goal of that, in turn, is to enable making accurate predictions
about the activities and location of any person, at any point in the
future. What gets done with those accurate predictions is a matter of
discretionary policy by those who control the data.
Orwell: "He who controls the past controls the future. He who controls
the future controls the present." Me: "Knowledge is power. When they
know all about you, and you know nothing about them, who has the power?"
9) Lastly, Max, you might especially appreciate this bit of history:
In the 1970s, GCHQ was engaged in targeted surveillance of various
dissident groups in the UK. But since GPO Telephones' switching systems
were entirely electro-mechanical (Strowger switches), GCHQ had to depend
on the GPO engineers to execute every request by making physical
connections to the lines at the Central Offices.
The GPO engineers' sympathies were often with the dissidents. So,
shortly after the GCHQ officers left, the GPO engineers would quietly go
about undoing the unwanted connections or otherwise rendering them
useless. Such are the advantages of electro-mechanical analog switching
systems, maintained by skilled workers, with a strong union, and strong
class consciousness.
Cheers-
-G.
"You search Google, and Google searches you. Deal?"
======
On 13-06-10-Mon 11:46 PM, Max B wrote:
I have a quick question to throw out for anyone
with opinions:
When the NSA PRISM program was exposed, it was leaked that the NSA has
the capabilities to monitor the content of communications taking place
through any of the list of companies they mentioned. Then Google,
Apple, and crew came out and denied it.
Would it be possible for the NSA to be monitoring traffic without them
knowing it/allowing a backdoor? Would that require NSA servers doing
128-bit SSL decryption at real-time speeds? Or perhaps only when
specific emails needed to be read? Could they have covertly
compromised the private keys of all of these establishments? ("US
Government hacked google" seems like a great Guardian headline)
Or do folks think that those companies are just lying through their
teeth?
On Mon 10 Jun 2013 10:43:42 PM PDT, Rabbit wrote:
Yes, let's have a end-user focused crypto
workshop!
I'm not an expert but I can help OS X users get set up with
Tor
Adium + OTR
Making encrypted disk images
Truecrypt
And I wanna learn about web of trust, keysigning, gpg for email
Also I'm really wishing for a better social network for people to
switch to. Any thoughts on that?
On Mon, Jun 10, 2013 at 7:55 PM, GtwoG PublicOhOne
<g2g-public01(a)att.net <mailto:g2g-public01@att.net>> wrote:
YES! a crypto party.
PGP and GPG won't protect your metadata from traffic analysis ("TA"),
which is what's been revealed that Anagram Inn has been up to. But
protecting your content is a good start, and building email
servers that
are end-to-end encrypted is the next step.
-G.
=====
On 13-06-10-Mon 7:13 PM, William Budington wrote:
There was some discussion about this at the last
meeting, mostly
around
securing personal data on physical devices, but
it would be good
to have
another end-user based cryptoparty, even have it
be a full-day event
stemming from Today I Learned. I'll bring this up at the meeting on
Wednesday.
Bill
On 06/10/2013 07:02 PM, William Gillis wrote:
> Hey Sudoroomers,
>
> I've been deluged by friends this weekend suddenly interested
in things
> like finally figuring out how to install that
there tor, or god
forbid
> venturing into the realm of pgp. I offered my
nonstop 1:1
handholding
> services over facebook to any and all friends
and have been a
little
> overwhelmed by the number.
>
> Someone local suggested a teach day at Sudoroom and I thought
I'd check
to
> see if anyone else is interested and, you
know, what actual
members have to
> say.
>
> There has never been a more opportune moment for cryptoparty
outreach, and
> yet I haven't seen anyone declare
anything yet. Am I just out
of the loop?
>
>
>
> _______________________________________________
> sudo-discuss mailing list
> sudo-discuss(a)lists.sudoroom.org
<mailto:sudo-discuss@lists.sudoroom.org>
>
http://lists.sudoroom.org/listinfo/sudo-discuss
>
_______________________________________________
sudo-discuss mailing list
sudo-discuss(a)lists.sudoroom.org
<mailto:sudo-discuss@lists.sudoroom.org>
_______________________________________________
sudo-discuss mailing list
sudo-discuss(a)lists.sudoroom.org
<mailto:sudo-discuss@lists.sudoroom.org>
http://lists.sudoroom.org/listinfo/sudo-discuss
_______________________________________________
sudo-discuss mailing list
sudo-discuss(a)lists.sudoroom.org
http://lists.sudoroom.org/listinfo/sudo-discuss
_______________________________________________
sudo-discuss mailing list
sudo-discuss(a)lists.sudoroom.org
http://lists.sudoroom.org/listinfo/sudo-discuss
_______________________________________________
sudo-discuss mailing list
sudo-discuss(a)lists.sudoroom.org
http://lists.sudoroom.org/listinfo/sudo-discuss