mersenneforum.org  

Old 2013-09-11, 23:00   #276
ewmayer
2ω=0
 
Sep 2002
República de California

19·613 Posts

Quote:
Originally Posted by Nick
The NSA's next move: silencing university professors?
Full article:
http://www.theguardian.com/commentis...-johns-hopkins
The university later backed down.
From the article, annotations mine:
Quote:
And another thing: America's system of research universities is the best in the world. No one argues with that. It's one of biggest advantages this nation has. IfNow that it clearly has becomes captive to government and handmaiden to the surveillance state, that would be we academics find ourselves as having partaken in an economic and cultural crime of monstrous proportions. What happened to Matthew Green's blog post yesterday is no small matter.
There, fixed it for you, Prof. Rosen.

Having once ['93-'99, assistant professorship in engineering at a fairly-highly-ranked research school] been part of the academic establishment, I can vouch for the fact that it is entirely non-immune to the rule that "money corrupts everything."

I wonder how many NSA-and-other-DoD/NatSec-sponsored academics will put their money where their academic-freedom mouths are and return their unused grant monies? A wrenchingly difficult step, to be sure. But that's how the saying "talk is cheap" came about, isn't it?
Old 2013-09-12, 06:22   #277
xilman
Bamboozled!
 
"𒉺𒌌𒇷𒆷𒀭"
May 2003
Down not across

2·5,393 Posts

Quote:
Originally Posted by chalsall
An excellent question.

Imagine the deafening silence in response....
Same as the old boss. We don't get fooled again.
Old 2013-09-12, 11:57   #278
Nick
 
Dec 2012
The Netherlands

29·59 Posts

There is a new recruiting puzzle from Britain's GCHQ:
https://canyoufindit.co.uk/

You must be a UK resident if you want to take part for real.
In the terms and conditions the promises on data protection and privacy are followed by:
Quote:
GCHQ reserves the right to amend these rules at any time.
Perhaps they should inscribe that above the entrance...
Old 2013-09-12, 15:07   #279
Nick
 
Dec 2012
The Netherlands

29·59 Posts

By the way, has anyone ever tried a FOIA request to see if the NSA knows about Mersenne primes that we haven't found yet?
Old 2013-09-12, 19:25   #280
kladner
 
"Kieren"
Jul 2011
In My Own Galaxy!

2·3·1,693 Posts

Quote:
Originally Posted by Nick
By the way, has anyone ever tried a FOIA request to see if the NSA knows about Mersenne primes that we haven't found yet?
And get an unpleasant visit from the Men in Gray? Nope.
Old 2013-09-12, 20:27   #281
ewmayer
2ω=0
 
Sep 2002
República de California

19×613 Posts

Quote:
Originally Posted by Nick
By the way, has anyone ever tried a FOIA request to see if the NSA knows about Mersenne primes that we haven't found yet?
While it's possible that they do, I consider it unlikely - large-prime-searching algos have far too little "weaponization potential" to be interesting to the spooks.
Old 2013-09-12, 22:06   #282
retina
Undefined
 
"The unspeakable one"
Jun 2006
My evil lair

2²·3²·173 Posts

With the introduction of fingerprint readers on phones this picture is appropriate food for thought:

http://wurstball.de/143010/
Old 2013-09-16, 00:14   #283
ewmayer
2ω=0
 
Sep 2002
República de California

2D7F₁₆ Posts

Your tax dollars at work, NSA-style

Got Cash? (That will probably be made illegal soon.)
Old 2013-09-17, 03:27   #284
cheesehead
 
"Richard B. Woods"
Aug 2002
Wisconsin USA

1111000001100₂ Posts

Bruce Schneier's latest (Sept. 15) monthly Crypto-Gram Newsletter is out ... and it's a whopper. I think it's the longest issue I've ever received. Its topic list on https://www.schneier.com/crypto-gram-back.html is definitely the longest of any he's published.

(Guess why. Hint: this thread's topic.)

Read it at https://www.schneier.com/crypto-gram-1309.html

Topic list:
Quote:
15 Sep 2013 Take Back the Internet, more on the NSA commandeering the Internet, detaining David Miranda, government secrecy and the generation gap, conspiracy theories and the NSA, the NSA's cryptographic capabilities, how to remain secure against the NSA, protecting against leakers, NSA/Snowden news, our newfound fear of risk, human-machine trust failures, excess automobile deaths as a result of 9/11, iPhone fingerprint authentication, hacking consumer devices, Syrian Electronic Army cyberattacks, the cryptopocalypse, measuring entropy
I've long admired Schneier's reasoning about security, cryptography, and so on. I'd love to post quotes from all of the first ten or so of this month's topics, but I'll limit myself to the one that may be of most practical use to most of us here:

Quote:
How to Remain Secure Against the NSA

Now that we have enough details about how the NSA eavesdrops on the Internet, including recent disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story -- it was in process well before I showed up -- but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

. . .

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

I believe this is true, despite today's revelations and tantalizing hints of "groundbreaking cryptanalytic capabilities" made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden's follow-on sentence is equally important: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

Endpoint means the software you're using, the computer you're using it on, and the local network you're using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn't matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections -- and it may have explicit exploits against these protocols -- you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA -- so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line; I've been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.
Old 2013-09-17, 20:08   #285
ewmayer
2ω=0
 
Sep 2002
República de California

11647₁₀ Posts

Fugitive Snowden in running for European rights prize: BRUSSELS (Reuters) - Fugitive U.S. intelligence analyst Edward Snowden is in the running for a European human rights prize whose past winners include Nelson Mandela and Myanmar opposition leader Aung San Suu Kyi.

Alas, Mr. Snowden has apparently done too much actual good for the benefit of mankind to be eligible for the (ig)Nobel "Peace" prize. But, if he managed to add some cred like "carpet-bombing Cambodia" [a la Kissinger] or "master of soaring-but-hollow rhetoric" [Obama] or "debt-enslaver of worlds" [Barroso et al] to his résumé, he could help himself in that regard.
Old 2013-09-17, 23:43   #286
CRGreathouse
 
Aug 2006

3×1,993 Posts

Quote:
Originally Posted by Nick
By the way, has anyone ever tried a FOIA request to see if the NSA knows about Mersenne primes that we haven't found yet?
In the unlikely (see ewmayer, above) case that they do, I would guess that it would have cryptographic implications (else why would they put in the effort?) and so I doubt they'd admit any FOIA-responsive records.

This forum has received and complied with 0 (zero) government requests for information.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.