-
• #277
There's a counter argument that we shouldn't be using so much encryption we should instead be telling our governments to back the fuck away from the internet and let normal people go about their normal business without spying on them.
-
• #278
No they're not. Some might be. Not everything. The NSA just buys and bullies its way into big companies, they don't have some magic key to unlock everything that's encrypted.
The only thing the police have ever compromised is innocent people.
Never said they had a magic key... however, I would not trust most standard encryptions for example. And definitely not Tor given the raids that happened.
-
• #279
There's a counter argument that we shouldn't be using so much encryption we should instead be telling our governments to back the fuck away from the internet and let normal people go about their normal business without spying on them.
Do you trust them not to continue spying after telling you they've stopped? It's what they do.
-
• #280
They haven't actually broken encryption, they realised that computationally it would cost billions and take hundreds of years... why bother doing that when you could effectively hire spies to work inside Verisign, Microsoft, Oracle, Google, etc. Once your spies are embedded, you just steal the private keys used in the encryption frameworks.
It's far far cheaper than actually breaking encryption, and with the private keys you can decrypt virtually everything.
There are strong encryption tools that can prevent this. They use what is known as perfect forward secrecy: http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Those things encrypt with a fresh privately generated key after the initial handshake, and so the NSA can't work around that by stealing keys.
But still... what difference does that make? As the NSA has these spies, and if we encrypt communication they will just ignore that and use the spies to access the storage layer at those companies.
Basically, it is possible to encrypt communication in a way that cannot be decrypted cheaply or efficiently. But very few people are doing this (Google is pretty much the only one).
Once you know that, the real question becomes: Do you trust the company holding your data?
If the company is substantial, it will likely have spies within it. If it's too small, they will likely have security holes. There's a sweet-spot of a medium sized company that could be trusted, but by that virtue it will become popular enough to be a large company and get their spies embedded.
It's a really shitty situation, but the simplest thing to do is carry on encrypting (it does work), and avoid storing data with US companies (most likely to have spies).
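An added illustration of the forward-secrecy point in post #280 (editor's example, not part of the post or of any real TLS stack): a long-term key used directly for key exchange lets anyone who later obtains it recompute recorded session keys, while a per-session ephemeral key does not. The group parameters are a deliberately small toy and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, an assumption for illustration only: 2**127 - 1 is prime but far
# too small for real use (real deployments use 2048-bit+ groups or ECDHE).
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(shared):
    """Derive a symmetric session key from the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def static_session(server_priv):
    """No forward secrecy: the server's long-term key performs the exchange."""
    c_priv, c_pub = keypair()
    key = session_key(pow(c_pub, server_priv, P))            # server side
    # Client side reaches the same key from the server's long-term public key.
    assert key == session_key(pow(pow(G, server_priv, P), c_priv, P))
    return {"client_pub": c_pub}, key                        # (wire data, key)

def ephemeral_session(server_priv):
    """Forward secrecy: a fresh server key per session, discarded afterwards.
    The long-term key would only sign server_eph_pub (signature omitted)."""
    c_priv, c_pub = keypair()
    e_priv, e_pub = keypair()
    key = session_key(pow(c_pub, e_priv, P))
    del e_priv                                               # never stored
    return {"client_pub": c_pub, "server_eph_pub": e_pub}, key

def recover_with_stolen_key(transcript, stolen_priv):
    """Key derivable from recorded wire data plus the long-term private key."""
    return session_key(pow(transcript["client_pub"], stolen_priv, P))

if __name__ == "__main__":
    long_term_priv, _ = keypair()
    for name, mode in (("static", static_session), ("ephemeral", ephemeral_session)):
        transcript, real_key = mode(long_term_priv)
        exposed = recover_with_stolen_key(transcript, long_term_priv) == real_key
        print(f"{name:9s} exchange: recorded session exposed by key theft = {exposed}")
```

As the post goes on to say, this protects recorded traffic only; data held in storage at the provider is outside what the key exchange covers.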
-
• #281
Where does the LFGSS server sleep at night?
-
• #282
London.
-
• #283
I'm a bit tinfoil about not wanting to put things on US soil.
Hell, has no-one noticed Microcosm is on an Italian domain name? It wasn't accidental.
-
• #284
Which certificate authority would be immune to a request from the NSA/GCHQ/etc to hand over their private keys?
If there isn't one, would that be a niche that (say) someone in Iceland will eventually fill?
-
• #285
Never said they had a magic key... however, I would not trust most standard encryptions for example. And definitely not Tor given the raids that happened.
What 'raids' are you talking about?
-
• #286
Do you trust them not to continue spying after telling you they've stopped? It's what they do.
Of course I don't but at least some of it is out in the open and has 'normal' people thinking a bit more about their online privacy and the misuse of powers by spy groups.
-
• #287
Do you trust them not to continue spying after telling you they've stopped? It's what they do.
Even some of the 'merican pollies are looking to have the laws changed to restrict agencies' efforts.
http://www.reddit.com/r/technology/comments/1iycdi/fbi_and_nsa_put_heat_on_web_firms_for_ssl_master/
-
• #288
Which certificate authority would be immune to a request from the NSA/GCHQ/etc to hand over their private keys?
If there isn't one, would that be a niche that (say) someone in Iceland will eventually fill?
It's very hard to establish a new source of trust.
Ultimately every browser and web device in the world needs to have that identified in their root certificate store.
Which means, technically it's easy to set up a new certificate authority, but in reality you'd never get Apple, Microsoft and Google to go back and issue updates for every browser to install the new certificate root.
You could get Firefox and Opera to do it, but you'd still be dead in the water.
Best replacement is to decentralise trust, much like DNS is decentralised. And you'd point to your trusted cert provider as a system setting (much like DNS servers in network configs that can be overridden by systems).
What that decentralised trust network looks like has been a matter of academic debate for the last 15 years. We're no nearer it being mainstream.
-
• #289
And then you'd run into attacks similar to the DNS redirection/name-server compromises which the SEA are managing to make look very easy indeed at the moment.
-
• #290
Not really, nothing in a decentralised system of trust says that you must use UDP. Which is basically the root cause of the DNS attacks that spoof the source of a UDP request and ask for large records, knowing that the data will be sent to the source and DDoS it.
-
• #291
I'm talking about social engineering/spear phishing, then simply updating the details with the correct username and password - cf. the majority of the SEA attacks.
-
• #292
There's nothing in the concept of a decentralised network of trust that says that it would, or would not, be susceptible to such things.
The mathematical model is sound, whether or not people introduce human elements to create a flawed system is entirely separate from whether it's possible to create a decentralised peer-to-peer network to act as certificate authorities.
-
• #293
True. The human element is the weak spot.
-
• #294
Why is this thread not encrypted?
-
• #295
}€# {! 4>}.} }!}^#]¥. Rbu3£€#$ ?
Wh?
-
• #296
^ Shutting the stable door after the horse has bolted? ;)
-
• #297
Skype alternatives?
-
• #299
The internet was set up by DARPA, the primary reason being to spy and predict movements of the world's population more easily. They gave you the porn, the chance of being a Facebook star and the funny pictures of cats so you would use it as 'entertainment'.
There is no such thing as encryption, only the perception of it.
-
• #300
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance