OnPoint by Keith Ng

Read Post

OnPoint: The Gift that Keeps on Making Me Barf

42 Responses

First ←Older Page 1 2 Newer→ Last

  • BenWilson,

    The short answer is that you can't be sure, and the long answer is that it only matters if you're really intending to hide your data from some seriously powerful institutions. If you're not, then public key encryption is secure enough. If you are, then consider that the security of the algorithm is the least of your worries, and the security of your skin might be of more concern.

    Auckland • Since Nov 2006 • 10488 posts Report Reply

  • Kumara Republic,

    Nicky Hager's latest column: Wikileaks details how NZ spies will work

    The southernmost capital … • Since Nov 2006 • 5312 posts Report Reply

  • Keith Ng, in reply to BenWilson,

    There's really not that much point worrying about what access to your data intelligence services have (unless, of course, you are a spook yourself), because they have the power to coerce from you anything you care to hide.

    Though I keep talking about PRISM and other NSA systems, this is not the same as "avoiding the NSA". Avoiding active surveillance by the NSA is, obviously, some next level shit. However, avoiding passive surveillance by the NSA is not.

    The main threat for journalists in NZ is the use of NSA systems by the GCSB, probably at the behest of the Police. That means they have access to some NSA systems, but it doesn't mean they can bring the full force of the NSA to bear.

    PRISM data can be acquired by lawful search/interception, which is why allowing NZ to use it isn't a big deal. Giving NZ access to a system which cracks encryption would reveal their capability to crack encryption, which would be a big deal. This limits what we have to worry about.

    Nor, presumably, would TAO be part of what NZ can access. So in that sense, we can speculate about all the amazeball capabilities of the NSA, but it doesn't all automatically transfer to the GCSB.

    And yeah, we've seen instances where they've gone to the boundaries of the law, and then took a few more steps. But that doesn't mean they're completely rogue and would go around renditioning and waterboarding New Zealanders.

    Auckland • Since Nov 2006 • 543 posts Report Reply

  • BenWilson, in reply to Keith Ng,

    we can speculate about all the amazeball capabilities of the NSA, but it doesn’t all automatically transfer to the GCSB.

    Yup, you might as well keep using as good encryption as you can. There’s no law against it, no particular reason they’d think you’re a terrorist, and as for the GCSB, you might as well make them go to all the trouble of getting a warrant and demanding your keys.

    Mind you, I remember I once got system admin rights to the whole domain at one large workplace, just by nagging the admin with minor legitimate requests. I can well imagine a level of trust would build up between the USA and NZ. So whilst it’s not automatic, it might not be a very high bar before they’re routinely getting some decent crackpower. Depends on whether it’s cheaper than just getting a warrant. I do not know the answer to that.

    Auckland • Since Nov 2006 • 10488 posts Report Reply

  • Paul Campbell,

    Well there's the problem isn't it - do you trust them to keep within the law? And how can you tell if they don't?

    The recent example of the DEA is instructive they've been tapping away to their heart's content but then building cases backwards until they can find something that will meet legal scrutiny how could we discover something similar happening here?

    To my mind we've already seen them go a bit rogue, assuming they won't do the same in the future is IMHO a bit naive

    Dunedin • Since Nov 2006 • 2550 posts Report Reply

  • Rich of Observationz,

    I imagine that there is pressure to escalate the use of the GCSB/NSAs very expensive toys - the Dotcom case is an example - time was when a cop (or even FBI agent) with that sort of case would have been shown the door in short order.

    We'll one day get to a world where e.g:
    - everyone present (based on cellphone/bank tracking) in a suburb where a serious crime happens will get an email from the cops requesting an account of their movements.

    - knowing a suspect drug sealer on Facebook will get you pulled over at customs

    - criticizing the US government online will get you pulled aside at LAX

    - spending too much money on liquor will get you pulled over every time a cop sees your car and has a spare moment

    Whether people will lose tolerance at any point in this process remains to be seen.

    Back in Wellington • Since Nov 2006 • 5528 posts Report Reply

  • Matthew Poole,

    Oh, the other thing which makes me think that "they" haven't managed to defeat public-key encryption completely: Snowden used GPG or similar to establish his initial contact and then send proof of bona fides. He explicitly said that the risk was uber-powerful brute force, and we already knew that that was possible (though I hadn't really thought of it in terms of "a trillion guesses per second"). If there was wholesale pwnage of public-key going on - and we've seen pretty good evidence that Snowden was able to see into any compartment - Snowden wouldn't have dared put anything more than a request for a face-to-face meeting into an email.

    Auckland • Since Mar 2007 • 4090 posts Report Reply

  • Andrew E,

    Readers interested in this subject might also be interested in Bruce Schneier's guide to staying secure in The Guardian.

    174.77 x 41.28 • Since Sep 2008 • 200 posts Report Reply

  • Paul Campbell,

    well of course we're not really worried about people getting our public keys - if they're breaking in to our computers to get our private keys, or cracking them by brute force means that's another thing.

    On the other hand because we now know they own all the routers "man-in-the-middle" attacks are a real problem - I'd always sort of thought of them as a cute academic exercise (apart from people trying to break cable/satellite TV systems) now they're part of our every day reality

    Dunedin • Since Nov 2006 • 2550 posts Report Reply

  • Rich of Observationz, in reply to Paul Campbell,

    As I've said before, MIM attacks are likely to be a last resort for governments because of their extreme detectability - if you determine that a site is presenting a different certificate for one connection than another, or that your site is not presenting the certificate you are serving, then there's an MIM attack going on.

    Back in Wellington • Since Nov 2006 • 5528 posts Report Reply

  • Andrew E,

    I'm not so sure about that. Quite a few workplaces use web filtering software such as Web Marshal. My (possibly incorrect) understanding of that tool is that it does intercept employees https connections to web mail or online banking sites using man-in-the-middle type certificate fraud. Given what we've learnt about the NSA weakening security standards and software, I would not be at all surprised to find such software enabling agencies to monitor workplace Internet usage.

    174.77 x 41.28 • Since Sep 2008 • 200 posts Report Reply

  • Matthew Poole,

    Today’s latest news: The NSA can pwn your smart-phone (yes, even your Crackberry).

    Auckland • Since Mar 2007 • 4090 posts Report Reply

  • Rich of Observationz, in reply to Andrew E,

    WebMarshal doesn't (at least at v6.5 https://www.trustwave.com/support/kb/article.aspx?id=12936) try and MITM https traffic. I believe there are tools that do (and one could do this with squid) and a corporate could distribute a root certificate to stop messages appearing (at least in IE). But they'd be very unwise to do so, since the moment a rogue sysop absconded to Bolivia having drained the entire workforce's bank accounts, they'd very likely be liable.

    Back in Wellington • Since Nov 2006 • 5528 posts Report Reply

  • Stephen R,

    From der Spiegel:

    The documents state that it is possible for the NSA to tap most sensitive data held on these smart phones, including contact lists, SMS traffic, notes and location information about where a user has been.

    Do you remember that thing in the news about how Apple was storing all the cell-sites you went near while you were travelling?

    http://online.wsj.com/article/SB10001424052748704123204576283580249161342.html

    The location data appear to be collected using cellphone towers and Wi-Fi access points near a user's phone and don't appear to be transmitted back to Apple.

    The combination of that stuff seems to mean that if the NSA want to know where you've been, they can ask the portable tracking device you're carrying with you without having to ask the various cell providers you might have connected to on your travels...

    Am I being paranoid to wonder if the reason the iphone keeps that list at all is for that very purpose?

    Wellington • Since Jul 2009 • 253 posts Report Reply

  • BenWilson, in reply to Stephen R,

    Am I being paranoid to wonder if the reason the iphone keeps that list at all is for that very purpose?

    I'd say that's paranoid. I expect their reason is to monetize it somehow. Also, there are actually quite a lot of people who just aren't worried about being tracked, they'd find the information actually useful.

    Auckland • Since Nov 2006 • 10488 posts Report Reply

  • David Hood,

    Forbes on the lack of anonymity in Bitcoin (the clustering analysis techniques used are actually pretty straightforward).

    http://www.forbes.com/sites/andygreenberg/2013/09/05/follow-the-bitcoins-how-we-got-busted-buying-drugs-on-silk-roads-black-market/

    Dunedin • Since May 2007 • 1441 posts Report Reply

  • Jarno van der Linden, in reply to Rich of Observationz,

    As I’ve said before, MIM attacks are likely to be a last resort for governments because of their extreme detectability

    Seems the NSA has been running out of ideas then.
    http://www.motherjones.com/politics/2013/09/flying-pig-nsa-impersonates-google

    Nelson • Since Oct 2007 • 81 posts Report Reply

First ←Older Page 1 2 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.