OnPoint by Keith Ng


OnPoint: BTW, the NZ Police can use PRISM against you now

85 Responses


  • Thomas Beagle,

    I'm still kind of annoyed that @techliberty got its highest number of retweets (55+) for linking to your article rather than from any of our own work. :)

    New Zealand • Since Nov 2007 • 50 posts

  • Idiot Savant,

    So, is it worth both encrypting and signing? If so, what's the preferred order?

    I'm planning on doing my own key-signing party this weekend. I've got some cards with my key ID and fingerprint on them to hand out; people I meet can then import my public key from the keyservers, verify it, and sign it.

    Palmerston North • Since Nov 2006 • 1717 posts

  • Matthew Poole, in reply to Idiot Savant,

    So, is it worth both encrypting and signing? If so, what’s the preferred order?

    Depends what you’re after. Signing validates the integrity of the message and verifies the sender. Encryption is, well, encryption.

    Encrypting then signing puts the signature in the clear, allowing it to be viewed by anyone (or stripped off entirely by "them"). Signing then encrypting verifies the clear-text message, and any tampering with the encrypted message will result in the message failing to decrypt.

    Signing means the recipient knows who the sender was. Encryption provides no verification of the sender, which may or may not matter. If your aim is to send a deniable tip to a journo, don’t sign. If you want the journo to know that it’s proof of your bona fides, do sign.

    Auckland • Since Mar 2007 • 4097 posts
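    An added illustration of the two orderings compared in this reply; this is example code written for this page, not code from the thread or from any PGP implementation. It uses constructed stand-ins: HMAC-SHA256 plays the part of the signature (a real PGP signature is public-key, so anyone holding the public key can run the outer check; the placement argument is identical) and a SHA-256 counter-mode keystream plays the part of the cipher, which like a bare PGP encryption packet is unauthenticated. Keys and messages are made up. It shows that with encrypt-then-sign the signature sits outside the ciphertext, where it can be checked or removed without the decryption key, while with sign-then-encrypt the signature is hidden inside the ciphertext and a flipped ciphertext bit surfaces as a failed signature check on the decrypted text.

```python
"""Sign-then-encrypt vs encrypt-then-sign: where the signature ends up.

Toy primitives, constructed for this example:
  - HMAC-SHA256 stands in for a PGP signature.
  - SHA-256 in counter mode, XORed with the data, stands in for the cipher.
    It is deliberately unauthenticated: a flipped ciphertext bit becomes a
    flipped plaintext bit, with no decryption error.
"""
import hashlib
import hmac
import os

SIGNER_KEY = b"constructed-signing-key"      # made-up value
ENC_KEY = b"constructed-encryption-key"      # made-up value
NONCE_LEN = 16
SIG_LEN = 32                                 # HMAC-SHA256 digest size


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def encrypt_then_sign(msg: bytes) -> bytes:
    ct = encrypt(ENC_KEY, msg)
    return ct + sign(SIGNER_KEY, ct)            # signature rides in the clear


def sign_then_encrypt(msg: bytes) -> bytes:
    return encrypt(ENC_KEY, msg + sign(SIGNER_KEY, msg))   # signature inside


def open_encrypt_then_sign(blob: bytes):
    ct, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    if not verify(SIGNER_KEY, ct, sig):
        return None, "signature invalid"
    return decrypt(ENC_KEY, ct), "ok"


def open_sign_then_encrypt(blob: bytes):
    inner = decrypt(ENC_KEY, blob)
    msg, sig = inner[:-SIG_LEN], inner[-SIG_LEN:]
    if not verify(SIGNER_KEY, msg, sig):
        return None, "signature invalid"
    return msg, "ok"


def outer_signature_visible(blob: bytes) -> bool:
    """Check whether the last SIG_LEN bytes verify against the rest
    without using ENC_KEY, i.e. whether an observer can see a signature."""
    return verify(SIGNER_KEY, blob[:-SIG_LEN], blob[-SIG_LEN:])


def demo_encrypt_then_sign(msg: bytes) -> dict:
    blob = encrypt_then_sign(msg)
    unsigned = blob[:-SIG_LEN]      # outer signature removed in transit
    return {
        "sig_visible": outer_signature_visible(blob),
        "stripped_still_decrypts": decrypt(ENC_KEY, unsigned) == msg,
    }


def demo_sign_then_encrypt(msg: bytes) -> dict:
    blob = sign_then_encrypt(msg)
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01     # flip one bit of the first ciphertext byte
    _, status = open_sign_then_encrypt(bytes(tampered))
    return {
        "sig_visible": outer_signature_visible(blob),
        "ok_untouched": open_sign_then_encrypt(blob) == (msg, "ok"),
        "tamper_detected": status == "signature invalid",
    }


if __name__ == "__main__":
    print("encrypt-then-sign:", demo_encrypt_then_sign(b"meet at noon"))
    print("sign-then-encrypt:", demo_sign_then_encrypt(b"meet at noon"))
```

    The dictionaries returned by the two demo functions are the comparison: encrypt-then-sign reports the signature as visible and the stripped message as still decryptable, sign-then-encrypt reports no visible signature and a detected tamper. GnuPG's `--sign --encrypt` produces the sign-then-encrypt layout, with the signature inside the encrypted packet.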

  • Stephen R, in reply to Idiot Savant,

    If you wanted to post something publicly that you thought someone else might edit, signing it but not encrypting it would provide anyone who looked at it (and cared enough to check) with confidence that it was what you actually wrote.

    Assuming that nobody else has your private key, it's also good evidence if you were making a contract that you actually agreed to it, but I'm not sure that it's considered valid by the laws yet.

    Wellington • Since Jul 2009 • 259 posts

  • Juha Saarinen,

    The size and scale of the "e-surveillance" is enormous and started some thirty years' ago, maybe longer. Paul Brislen wrote about it in the late 90s, Nicky Hager has covered it lots, and more and more pieces of the puzzle are falling into place - like your blog post Keith. Good work there.

    Since Nov 2006 • 529 posts

  • BenWilson,

    I was already on "Depression", and forgot that everyone else was still on "Anger".

    I moved to Acceptance some time in the 1990s when I realized that the rubber hose method will always work if they want your data.

    Auckland • Since Nov 2006 • 10657 posts

  • Idiot Savant, in reply to BenWilson,

    I moved to Acceptance some time in the 1990s when I realized that the rubber hose method will always work if they want your data.

    There's a hack for that.

    Palmerston North • Since Nov 2006 • 1717 posts

  • Martin Lindberg, in reply to Idiot Savant,

    Attachment

    There’s a hack for that.

    not really

    http://xkcd.com/538/

    Stockholm • Since Jul 2009 • 802 posts

  • Stephen R, in reply to Idiot Savant,

    There's a hack for that.

    Only if you don't tell anyone you're using it. The problem is that truecrypt makes it very difficult to prove you haven't got a hidden encrypted disk (short of filling the HD with cat pictures) in which case, being innocent won't stop the rubber hoses.

    Plausibly deniable is not enough for some people.

    Wellington • Since Jul 2009 • 259 posts

  • "chris",

    Attachment


    location, location, locat… • Since Dec 2010 • 250 posts

  • B Jones, in reply to Stephen R,

    (short of filling the HD with cat pictures)

    Even that wouldn't work.

    Wellington • Since Nov 2006 • 976 posts

  • kiwicmc, in reply to "chris",

    now there's a lovely clear piece of hand writing to OCR. I reckon I could have got about 80% of that using a piece of neural network kit that's 15+ years old

    Auckland, New Zealand • Since May 2008 • 88 posts

  • Sacha, in reply to kiwicmc,

    lovely clear piece of hand writing

    reckon

    Ak • Since May 2008 • 19745 posts

  • Tim Michie,

    lovely clear piece of hand writing

    font, surely...

    Auckward • Since Nov 2006 • 614 posts

  • "chris", in reply to kiwicmc,

    Attachment


    location, location, locat… • Since Dec 2010 • 250 posts

  • "chris", in reply to Tim Michie,

    font, surely…

    Yeah it's (s)nans.

    location, location, locat… • Since Dec 2010 • 250 posts

  • kiwicmc, in reply to "chris",

    much better

    Auckland, New Zealand • Since May 2008 • 88 posts

  • Chris Waugh, in reply to "chris",

    That strikes me as two textbook examples of Chinese internet censorship evasion - also evading Weibo character limits, but more importantly getting stuff out there in formats the censor spiders won't immediately pick up on rather than regular text. Well done. Especially the second.

    Wellington • Since Jan 2007 • 2401 posts

  • "chris", in reply to kiwicmc,

    Thanks, it took me nigh on 1/2 an hour though so...

    location, location, locat… • Since Dec 2010 • 250 posts

  • "chris", in reply to Chris Waugh,

    Yeah, you got me, totally Chinese net practices. In the unlikely event I were to ever go renegade I'd be quite partial to the idea of using more pinyin for this kind of thing.

    location, location, locat… • Since Dec 2010 • 250 posts

  • Ian Dalziel,

    oversight, outtasight...

    Australian intelligence sources have also told Fairfax Media that Singaporean intelligence co-operates with Australia in accessing and sharing communications carried by the SEA-ME-WE-3 cable which lands at Tuas on the western side of Singapore Island.

    Access to this major international telecommunications channel via Singapore's government-owned operator SingTel and the country's Defence Ministry has been a key element in an expansion of Australian-Singaporean intelligence and defence ties over the past 15 years.

    It also underpinned the former Howard government's approval of SingTel's takeover of Australia's second largest telecommunications company, Optus, in 2001.

    Doesn't look like NZ gets any crumbs from our buddy's table either...

    The Great Game continues...

    Christchurch • Since Dec 2006 • 7953 posts

  • BenWilson, in reply to B Jones,

    Even that wouldn’t work.

    Yup, hiding data is pretty easy. The security guy at a firm I was in once challenged me to get a picture file past his extensive filters. It took me about 10 minutes to code it up. It was in a spreadsheet file. He was shocked and said that the scanner looked for files in spreadsheets. But he didn't expect to have to scan the data cells in the spreadsheet itself, analysing them for the patterns associated with picture files. The sheet itself contained the code, presented as a big fat button on the front sheet, which decoded the data into a file in a location of your choice. To anyone looking at it, it was a spreadsheet of financial time series data.

    Auckland • Since Nov 2006 • 10657 posts

  • Keith Ng, in reply to "chris",

    Thanks, it took me nigh on 1/2 an hour though so...

    *LIKE*.

    Auckland • Since Nov 2006 • 543 posts

  • Chris Waugh, in reply to BenWilson,

    Was he looking simply for a picture or content within the picture? Because "chris"'s two examples above are a technique for posting sensitive content to Weibo, the idea being that the keyword filters that alert the censors can't read text in an image file because it's a picture, or at least that's how I understand it and I could well be wrong. I'd be worried if they could look for particular content in an image, though.

    Wellington • Since Jan 2007 • 2401 posts

  • Colin Fleming,

    I actually posted about this over on Pundit with respect to John Key's assertions that the GCSB bill won't allow wholesale spying - I'll paste it below because I think it's relevant (and I can't seem to link to a comment on Pundit):

    I'm a little late to this discussion, not least because the GCSB bill is now sadly law. But I'd like to thank everyone involved for some unusually level-headed discussion on this topic and I think it's worth continuing the debate - maybe we'll get to argue for it to be repealed or amended one day.

    I want to talk a little about the technical capabilities of current surveillance organisations, especially the NSA, and why this potentially makes many of John Key's assurances worthless. He has stated several times that the GCSB will not be spying wholesale on the NZ public, but as far as I know has refused to answer questions on whether the GCSB will face any legal restrictions on data on New Zealanders obtained from our intelligence partners, and the bill (again, as far as I know) contains no clarification on this.

    The NSA has recently been caught out several times using interesting interpretations of words like "surveillance". Their current stance seems to be that they can collect data on everyone but it's not considered surveillance until a human looks at it. There's very little clarity on all this of course, since it's all secret. However any legal niceties there are only related to Americans - they have absolutely no restrictions at all on their ability to store anything and everything on New Zealanders. Lt Gen Keith Alexander (head of the NSA) was quoted in one of the GCHQ documents leaked by Snowden as saying "why can't we collect all the signals, all the time?" and this is clearly the NSA's intention. Their new data centre in Utah is estimated by William Binney (ex-NSA operative turned whistleblower) to store 5 zettabytes - this is sufficient storage to store all worldwide internet traffic for about 7.5 years. Of course, they can probably fairly easily skim out youtube and porn, which leads Binney to conclude that the new data centre (only one of two they are currently building) would be capable of storing all internet human-to-human communications for over 100 years and have plenty of space left over.

    So unless we can get some legal protection to prevent the GCSB obtaining our data from the NSA, I think it's reasonable to assume that within, say, one to two years, all our online communications and activity will be stored and are probably accessible to the GCSB.

    I'm no expert on data mining and machine learning, although I am a software developer and understand it reasonably well. It's clearly incredibly powerful technology that could be used by law enforcement to do real good - given a single contact known to be a terrorist you can easily identify all their known associates and anyone they have communicated with online, ever. Using the storage I described above you could then go back and listen to all those communications, or more likely have them automatically analysed to identify suspicious keywords. The state of the art in voice transcription is actually pretty good now (my Google Voice account in the US sends me transcriptions of voice messages left for me by email - it's surprisingly good), and it's reasonable to assume that the NSA's state of the art is way ahead of even Google - they're by far the biggest employer of mathematicians in the US.

    The main problem is that to look for patterns in the data you do need all the data and I think these capabilities are just too powerful for governments to refuse - sooner or later total collection will happen whether we like it or not. John Key's assertions that the GCSB would require a lot of analysts to look at any mass collected data are just not true these days and it may not be long before these agencies don't need analysts at all to detect keywords of any type in any kind of communication, and they'll be able to do this for any of your communications since total collection began. My personal suspicion is that the NSA will collect everything on everyone, then analyse the data automatically and then flag the results of that analysis to an analyst who would then get a warrant to look at the data. Note that this is a fairly significant change - the warrant would no longer be for future communications but past and future communications.

    Unless we can get a lot more clarity on the relationship between the GCSB and the NSA/GCHQ and on the legal restrictions on data obtained from them, John Key's assertions are basically meaningless. What's interesting is that, like tax law, purely national laws are becoming increasingly irrelevant as technology advances, and the law is clearly incapable of keeping up with the new surveillance techniques.

    It's a frightening time.

    Auckland • Since Aug 2013 • 3 posts
