#81
Old 4 July 2013, 12:16
Purple36
Swimming Upstream
 
Join Date: Nov 2002
Location: East Coast
Posts: 8,762
I knew about mail covers...but I didn't realize this had been put in place...wow.

http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?pagewanted=all&_r=0
__________________
- Faith involves believing in the veracity of the unprovable and unobservable, whether that consists of religion or theoretical physics, which at the very subatomic level start looking rather similar. -ET1/SS Nuke

#82
Old 5 July 2013, 06:32
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by Purple36 View Post
I knew about mail covers...but I didn't realize this had been put in place...wow.

http://www.nytimes.com/2013/07/04/us...anted=all&_r=0

How wonderful, I feel safe. What used to take a search warrant (and even that would only catch current or past mail in the residence), or a team of guys checking your *unlocked* mail box for months on end...is now general practice. Yay. Quote the slaves saying "Ricin!" or "Anthrax!". Typical abuse based on events so rare, they almost don't occur. And Ricin ain't killing anybody anyway, so we're down to 5 deaths in 238 years - SCAN IT ALL!

P

#83
Old 6 July 2013, 18:03
assertnull
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,024
Quote:
Originally Posted by Purple36 View Post
I knew about mail covers...but I didn't realize this had been put in place...wow.

http://www.nytimes.com/2013/07/04/us...anted=all&_r=0

not to worry, it's easily defeated like so:

http://i.imgur.com/c5hiDdu.jpg

(writing a lowercase 'g' sucks when you don't use the bottom line)

#84
Old 8 August 2013, 18:36
Armitage12
Confronting the Reckoning
 
Join Date: Jan 2013
Location: Old North West
Posts: 994
Well that just stinks. Lavabit (which has not been accepting new subscribers for about a month now) shut down rather than accept government snooping on the servers. The statement by Ladar Levison on why he is shutting while still pursuing a 4th Amendment challenge through the courts is just despair-inducing.

http://arstechnica.com/tech-policy/2...yptic-message/

Options?

#85
Old 8 August 2013, 22:26
mdavid
Been There Done That
 
Join Date: Jul 2003
Location: High Springs, FL
Posts: 638
Was discussing redPhone at work with friends. They are a U.S. company, located within the NSA/telco infrastructure, subject to our war on terror requests for data...we couldn't figure out why folks thought it would be a good choice for securing data against our government.
Heck that idiot snowden probably has gigs of redphone conversations that low level contractors browse just for fun...which is now being data mined by his new rusky buddies.
I think the only option is using a different paradigm altogether, like encrypted, bursts of information using HF radio, lots of power and a big antennae...course that will get you other types of attention.
It's really a choice, you want guys in suits from the fbi raiding you or airforce sensor planes and dudes in vans with directional antennae breaking down your door?

#86
Old 9 August 2013, 01:14
assertnull
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,024
Quote:
Originally Posted by mdavid View Post
Was discussing redPhone at work with friends. They are a U.S. company, located within the NSA/telco infrastructure, subject to our war on terror requests for data...we couldn't figure out why folks thought it would be a good choice for securing data against our government.
Heck that idiot snowden probably has gigs of redphone conversations that low level contractors browse just for fun...which is now being data mined by his new rusky buddies.
I think the only option is using a different paradigm altogether, like encrypted, bursts of information using HF radio, lots of power and a big antennae...course that will get you other types of attention.
It's really a choice, you want guys in suits from the fbi raiding you or airforce sensor planes and dudes in vans with directional antennae breaking down your door?

They can store all of the redphone data they like; it will be encrypted, and there's not a thing they can do to touch it.

There is no central arbiter of keys, that's somewhat the point, the Whisper folks couldn't give up your keys even if they wanted to.

ZRTP, OTR, and their ilk, work under the assumption that "folks" can and are capturing and reviewing any and everything we send over the wire.

If it were based on a CA-type system I'd share that concern. But I simply can't see what any curious intermediary could do, short of a flaw in the implementations themselves, except for sit there and stare with bewilderment at a bunch of encrypted data.

#87
Old 9 August 2013, 08:17
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
Yep. They can store all they want and spend the next several hundred years trying to break the encryption.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo



#88
Old 9 August 2013, 09:11
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by Armitage12 View Post
Well that just stinks. Lavabit (which has not been accepting new subscribers for about a month now) shut down rather than accept government snooping on the servers. The statement by Ladar Levison on why he is shutting while still pursuing a 4th Amendment challenge through the courts is just despair-inducing.

Options?

Isn't that just great. Strike another one for freedom and liberty. So Lavabit got an NSL, how quaint. So much for (again) "not sending jets after a 29yo hacker".

Silent Circle just shut down their email as well - pre-emptively.

Options? Not US based, that's for sure (actually nor British, Canadian, Australian, or New Zealand)...for a start.

Countermail if you have $60 a year, or run your own server.

P

#89
Old 9 August 2013, 09:24
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by mdavid View Post
Was discussing redPhone at work with friends. They are a U.S. company, located within the NSA/telco infrastructure, subject to our war on terror requests for data...we couldn't figure out why folks thought it would be a good choice for securing data against our government.

I'm the third one, but:

RedPhone has very little info to turn over - on purpose. It basically is just a registration and signaling server. Ie:

"Hello RP server, phone number xxx.xxx.xxx is now at this IP"

"RP server is getting a call to xxx.xxx.xxx, where do I send it...ok, there..."

That's it. ZRTP is client side encryption on each end, with man in the middle protection. They can capture and store the encrypted stream all they want (and they are, as we know now...encryption = terrorism), but they can't do anything until they either find an implementation flaw (and there was one in ZRTP recently, but it got fixed quickly), or have the computing power to brute force 256bit keys or break the algorithm... HIGHLY UNLIKELY for the foreseeable future.

You *can* beat them, but it takes knowledge/work...we're only East Germany Lite at the moment.

The trick is to have nothing to give them, so you have to set up your service that way from the beginning.

P
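
A simplified model of the man-in-the-middle protection mentioned in the post above, as an added example that is not part of the original thread or RedPhone's code: each endpoint hashes the key agreement as it saw it, and the callers compare a short authentication string (SAS) by voice. The toy Diffie-Hellman group, the function names and the 4-hex-digit SAS are assumptions for illustration; real ZRTP (RFC 6189) uses standard groups and adds a hash commitment.

```python
"""Simplified model of ZRTP-style MITM detection (not the real wire protocol)."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption): 2**127 - 1 is prime but far too
# small for real use; it only keeps the example short and offline.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for one endpoint."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def transcript_hash(my_priv, peer_pub, initiator_pub, responder_pub):
    """Hash the DH secret together with both public values as THIS endpoint
    saw them. Any substitution in transit changes the result."""
    secret = pow(peer_pub, my_priv, P)
    h = hashlib.sha256()
    for value in (secret, initiator_pub, responder_pub):
        h.update(value.to_bytes(16, "big"))
    return h.hexdigest()


def sas(digest):
    """Short authentication string the two callers read to each other."""
    return digest[:4]


def direct_call():
    """Both phones exchange public values without interference."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (transcript_hash(a_priv, b_pub, a_pub, b_pub),
            transcript_hash(b_priv, a_pub, a_pub, b_pub))


def intercepted_call():
    """A relay in the path substitutes its own public value in both directions,
    so each phone unknowingly agrees a key with the relay instead of the peer."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub = keypair()
    return (transcript_hash(a_priv, m_pub, a_pub, m_pub),
            transcript_hash(b_priv, m_pub, m_pub, b_pub))


if __name__ == "__main__":
    for name, call in (("direct", direct_call), ("intercepted", intercepted_call)):
        a, b = call()
        print(f"{name:12} A reads {sas(a)}  B reads {sas(b)}  match={sas(a) == sas(b)}")
```

A 4-digit string can collide by chance about once in 65,536 calls, which is why the real protocol commits the initiator to its key before the responder's value is revealed.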

#90
Old 9 August 2013, 09:29
BOFH
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,162
Quote:
Originally Posted by Polypro View Post
Countermail if you have $60 a year, or run your own server.

Or do what I do (when I converse with someone smart enough to do so, which is the only time I send anything sensitive in the least) and write your mail in a text file, encrypt with your choice of encryption, and send as an attachment.

It's unwieldy, but...it works...assuming you can get your correspondents to use encryption...
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue

#91
Old 9 August 2013, 13:56
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Yup. The absolutely easiest way is to use a self-decrypting archive and symmetric encryption. The only thing you need to do is get the pass-phrase to the person securely.

Second easiest is almost the same, but have them use the basic feature of opening a TC container...send that as an attachment.

P

#92
Old 9 August 2013, 16:49
Sharky
Administrator
 
Join Date: Dec 1999
Location: SOCNET
Posts: 17,748
Quote:
Originally Posted by mdavid View Post
Was discussing redPhone at work with friends. They are a U.S. company, located within the NSA/telco infrastructure, subject to our war on terror requests for data...we couldn't figure out why folks thought it would be a good choice for securing data against our government.
Heck that idiot snowden probably has gigs of redphone conversations that low level contractors browse just for fun...which is now being data mined by his new rusky buddies.
I think the only option is using a different paradigm altogether, like encrypted, bursts of information using HF radio, lots of power and a big antennae...course that will get you other types of attention.
It's really a choice, you want guys in suits from the fbi raiding you or airforce sensor planes and dudes in vans with directional antennae breaking down your door?


Pretty sure they can break it given enough time and resources. Thing is, why would they waste time and resources to break some random data call? If there is more reason other than an encrypted call to go on, such as multiple calls to someone known to be an AQ associate, then the odds go up that they might focus those resources on you. But, breaking every cell phone call just because it is encrypted? Not happening.
__________________
Out of the night that covers me,
Black as the Pit from pole to pole,
I thank whatever gods may be
For my unconquerable soul.
In the fell clutch of circumstance
I have not winced nor cried aloud.
Under the bludgeonings of chance
My head is bloody, but unbowed.
Beyond this place of wrath and tears
Looms but the Horror of the shade
And yet the menace of the years
Finds, and shall find, me unafraid.
It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate
I am the captain of my soul.
-Invictus

#93
Old 9 August 2013, 18:51
Armitage12
Confronting the Reckoning
 
Join Date: Jan 2013
Location: Old North West
Posts: 994
Quote:
Originally Posted by Polypro View Post
Isn't that just great. Strike another one for freedom and liberty. So Lavabit got an NSL, how quaint. So much for (again) "not sending jets after a 29yo hacker".

Silent Circle just shut down their email as well - pre-emptively.

Options? Not US based, that's for sure (actually nor British, Canadian, Australian, or New Zealand)...for a start.

Countermail if you have $60 a year, or run your own server.

P

Countermail it is. Switched to Thunderbird with PGP today. All the more motivated after the fun stories that came out still again today. It is reaching the point of being partly a game--will there be a leak several hours before or after a scheduled public statement by a senior official, who will then be caught lying or at least obfuscating? This historian is getting worn out trying to record the narrative.

#94
Old 10 August 2013, 05:55
assertnull
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,024
Quote:
Originally Posted by Polypro View Post
Options? Not US based, that's for sure (actually nor British, Canadian, Australian, or New Zealand)...for a start.

I'm still sifting through laws, what are your thoughts on Germany?

I have an absolutely brilliant, inexpensive host (Hetzner) in Germany that gives you all the access and control you'd ever want. I use them for work, but their prices are so damn cheap I'm contemplating buying a box on my own dime and giving access to a handful of folks (*cough* SOCNETers *cough*) for the sole purpose of anonymizing.

The primary danger I envision is that once an encrypted volume is unlocked, those with physical access can potentially access. But that requires a German NOC playing ball. With the VPN I host here at the house (via my Comcast Business connection) anyone trying to force their way in before I can shut down my encrypted containers is going to be greeted by a hail of bullets. I don't have that luxury with something hosted outside of my premises.

Quote:
Originally Posted by Sharky View Post
Pretty sure they can break it given enough time and resources. Thing is, why would they waste time and resources to break some random data call? If there is more reason other than an encrypted call to go on, such as multiple calls to someone known to be an AQ associate, then the odds go up that they might focus those resources on you. But, breaking every cell phone call just because it is encrypted? Not happening.

GSM encryption is already good and broken, but ZRTP? Mathematically impossible, short of an implementational flaw, for more than "a few" lifetimes.
That's the beauty of it; this is math, we know mathematically how many guesses it would take to brute-force something like ZRTP with a 256bit key. We know that even with the hottest in nanocomputing, supercomputing, what have you, they're still going to have to spend centuries breaking the crypto. Could they "indefinitely detain" someone until then? I suppose, and I suppose that's the real danger, shit like these EO's authorizing indefinite detainment short of PC mean you can rot in jail while they're trying to break your crypto, knowing fully well they can't do so until many lifetimes after your demise.

I only mention that because of the "given enough time and resources". Even that isn't going to happen, again, short of an implementational flaw. Assuming a flawless implementation, we're talking centuries, even with compensating for the advances made in parallel processing.

Last edited by assertnull; 10 August 2013 at 06:01.

#95
Old 10 August 2013, 11:52
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
Hosting at home is the best option, honestly.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo



#96
Old 26 August 2013, 15:55
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
I've been using Mullvad for enough time to report on it. The benefits can be summarized as the following. I don't know of many (if any) that are as good. As always, this is a good option to use with OTHER means of protecting your data. It's about layering.
  • DNS leak protection
  • 2048-bit RSA and 128-bit Blowfish OpenVPN encryption
  • Mullvad keeps no logs of any kind
  • Accepts BitCoin AND Cash
__________________
It's a hipster filter. Keeps your kind out. -Jimbo



#97
Old 3 September 2013, 14:48
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Mullvad is good. Air and Bohle have a good rep too.

P

#98
Old 5 November 2013, 13:09
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
New set up that I'm testing tonight.

Whonix OS (https://www.whonix.org) as a VirtualBox VM. Host machine will be configured with the VPN service. I should have NO leaks. Seems almost perfect :)
__________________
It's a hipster filter. Keeps your kind out. -Jimbo



#99
Old 6 November 2013, 10:21
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Welcome to Whonix

P

#100
Old 6 November 2013, 10:23
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
Quote:
Originally Posted by Polypro View Post
Welcome to Whonix

P

I'm loving it!
__________________
It's a hipster filter. Keeps your kind out. -Jimbo



All times are GMT -4.