Protecting IM From Big Brother

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://it.slashdot.org/article.pl?sid=07/11/23/1324201


- --
Jesus Cea Avion                         _/_/      _/_/_/    
   _/_/_/
jceaargo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jceajabber.org         _/_/    _/_/         
_/_/_/_/_/
                               _/_/  _/_/    _/_/         
_/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/ 
_/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/       
_/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de
otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iQCVAwUBR0tRv5lgi5GaxT1NAQKPdwQAg3CBogwNeMZphniU2yntyopdpg5w
yhPG
Dmy9e11HGyX67WLoUpGgI1a/ddM5iM0C4/0ObrAToKL8tTySrjZ72c1oTBom
i51I
UwoK8NeA4fVQfF0ncvMuKoWerH2xrduauwzifFLgfKxM5TxLmjS8UyWCLsB3
JXr9
MCfmnw7ABe8=
=FJFE
-----END PGP SIGNATURE-----

Jesus Cea wrote:
> http://it.slashdot.org/article.pl?sid=07/11/23/1324201


If only we had a way to protect ourselves from the idiot
commenters at
Slashdot...

Hi Jesus,

Interesting topic...  who are
they kidding ?

The long and short of it is that nothing you can short of
setting up  
your own bunkers is going to keep your conversations
private.

In my country, we have a non-spying agreement with our
allies, but  
guess what, whilst we follow it, the bigger guys don't. They
even brag  
about how they spy on people (my country).

All IMs end up going through the United States. Their
government reads  
all traffic with powerful filtering computers.

Their computers are bigger and better than anything you can
even dream up.

So no point in you even thinking you can hide anything.

It probably isn't that sinister, either. Unless you are
unfortunate  
enough to get your country invaded. But that is unlikely to
happen in  
your case.

Anyway, I just suggest you go back to work... and not worry
about it.  
Cos there is little you can do.

Further reading, you can check www.governmentsecurity.org

Some interesting reading there...

Take care

David


Quoting Jesus Cea <jceaargo.es>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://it.slashdot.org/article.pl?sid=07/11/23/1324201

>
> - --
> Jesus Cea Avion                         _/_/     
_/_/_/        _/_/_/
> jceaargo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
> jabber / xmpp:jceajabber.org         _/_/    _/_/         
_/_/_/_/_/
>                                _/_/  _/_/    _/_/      
   _/_/  _/_/
> "Things are not so easy"      _/_/  _/_/   
_/_/  _/_/    _/_/  _/_/
> "My name is Dump, Core Dump"   _/_/_/       
_/_/_/      _/_/  _/_/
> "El amor es poner tu felicidad en la felicidad de
otro" - Leibniz
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

>
>
iQCVAwUBR0tRv5lgi5GaxT1NAQKPdwQAg3CBogwNeMZphniU2yntyopdpg5w
yhPG
>
Dmy9e11HGyX67WLoUpGgI1a/ddM5iM0C4/0ObrAToKL8tTySrjZ72c1oTBom
i51I
>
UwoK8NeA4fVQfF0ncvMuKoWerH2xrduauwzifFLgfKxM5TxLmjS8UyWCLsB3
JXr9
> MCfmnw7ABe8=
> =FJFE
> -----END PGP SIGNATURE-----
>

On Nov 27, 2007, at 00:07, Jesus Cea wrote:

> http://it.slashdot.org/article.pl?sid=07/11/23/1324201


FYI, Adium and Pidgin implement OTR on top of XMPP.

andy

On Tuesday 27 November 2007 02:55:16 Andreas Monitzer
wrote:
> On Nov 27, 2007, at 00:07, Jesus Cea wrote:
> > http://it.slashdot.org/article.pl?sid=07/11/23/1324201

>
> FYI, Adium and Pidgin implement OTR on top of XMPP.
>
> andy
Not just these two. XMPP have specification for pgp usage on
top of xmpp, I 
use it sometimes with Psi client and I am sure that at least
some other 
clients support it as well.

I'll explain it for the others who are less familiar with
encryption: both 
methods (OTR and PGP) are the end-to-end encryptions. Big
brother will never 
waste his resources to crack these unless you are highly
wanted criminal (and 
even in this case it will be not too easy for him to crack
it).

-- 
Respectfully
Alexey Nezhdanov

On Tue Nov 27 16:19:38 2007, Alexey Nezhdanov wrote:
> Not just these two. XMPP have specification for pgp
usage on top of  
> xmpp, I use it sometimes with Psi client and I am sure
that at  
> least some other clients support it as well.
> 
> 
And there's ESessions, and S/MIME, and XTLS... The problem
isn't so  
much encrypting the traffic, which is simple enough, it's
all the  
other additional properties. ESessions and OTR are both
geared very  
heavily toward IM, whereas S/MIME and PGP both leverage
existing  
cryptography designed for email and deploy it on IM, and
finally XTLS  
treats chat sessions like connections, and does TLS over
them.  
(That's SSLv4, in effect).

> I'll explain it for the others who are less familiar
with  
> encryption: both methods (OTR and PGP) are the
end-to-end  
> encryptions. Big brother will never waste his resources
to crack  
> these unless you are highly wanted criminal (and even
in this case  
> it will be not too easy for him to crack it).

Well, you can - if you really want - calculate the computing
power  
required to decrypt all XMPP messages. Note that you have to
be able  
to decrypt them in near-real-time, at least, you need to
decrypt as  
fast as you intercept, which amounts to more or less the
same thing I  
think.

Now, I don't know how much computing resource NSA, or GCHQ,
actually,  
have, but we can do another calculation, too - we can
translate the  
MIPs into Watts of electrical power, based on the power
consumption  
of the individual CPUs required for this MIPpage.

Then divide by 2*10^8. This magical figure will then tell
you how  
many power stations will need to be fairly close by Fort
Meade. (Or  
Cheltenham, for the Brits).

(Of course, I'm assuming a 200MW reactor, here, as I can't
really be  
bothered to look up what wattage a nuclear power station can
generate  
these days).

Once all this is done, simply count the power stations in
the target  
area (Google Maps, or simply go and look - you can certainly
drive  
around the Doughnut in Cheltenham).

Now, if you see a vast array of power stations - big
complexes with  
vast cooling towers, you can't miss them - conveniently
located  
within a useful range of the big brother of your choice,
then hold  
onto your tinfoil hats and grab your one-time pads, because
it's the  
only chance you have. (And, please note, that's one-time
pads  
generated very carefully.)

Alternately, if you happen to notice that cooling towers
are, in  
fact, conspicuous only by their absence in leafy Cheltenham,
then you  
can simply reuse your tinfoil hat as a convenient bowl to
hold your  
crisps in while you watch the lotto on telly purely to see
if you've  
one. (The latter not being a hint to use it as the source
for your  
one-time pad, of course, since that would be foolish in the
extreme,  
of course).

Of course, if you're a fully paid up member of the black
helicopter  
spotting brigade, then you'll refute such arguments as being
the  
ravings of an evil spook. But then, you'll also note that
it's too  
late, because I've infiltrated you now.

Dave.
-- 
Dave Cridland - mailto:davecridland.net - xmpp:dwdjabber.org
  -
acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

On Nov 27, 2007 12:17 PM, Dave Cridland <davecridland.net> wrote:
> Once all this is done, simply count the power stations
in the target
> area (Google Maps, or simply go and look - you can
certainly drive
> around the Doughnut in Cheltenham).


Here's another take on this: As it turns out, most people
don't
encrypt their IM traffic.  If you're Evil Big Brother of
Choice
(EBBOC), picking out encrypted IM streams from the
unencrypted
haystack makes finding interesting needles much easier.

At that point, you use some other exploit (undisclosed,
unpatched vuln
in OS of choice, for example)  to install a keystroke
logger.  Much
simpler, and fewer greenhouse gases emitted.

"[I]t would be nice if everyone routinely used
encryption for all
their email [and IM activity], innocent or not, so that no
one drew
suspicion by asserting their email [and IM]  privacy with
encryption."
[1]  It would be nice, but unfortunately, that's not
currently the
case.

-David


[1] http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.ht
ml


-- 
David Eisner     http://cradle.brokengla
ss.com

Quoting Alexey Nezhdanov <snakerugmail.com>:

> On Tuesday 27 November 2007 02:55:16 Andreas Monitzer
wrote:
>> On Nov 27, 2007, at 00:07, Jesus Cea wrote:
>> > http://it.slashdot.org/article.pl?sid=07/11/23/1324201

>>
>> FYI, Adium and Pidgin implement OTR on top of
XMPP.
>>
>> andy
> Not just these two. XMPP have specification for pgp
usage on top of xmpp, I
> use it sometimes with Psi client and I am sure that at
least some other
> clients support it as well.
>
> I'll explain it for the others who are less familiar
with encryption: both
> methods (OTR and PGP) are the end-to-end encryptions.
Big brother will never
> waste his resources to crack these unless you are
highly wanted criminal (and
> even in this case it will be not too easy for him to
crack it).

Depends which country of course.. you are talking about.

They crack codes for a variety of reasons...

begs the question; if you are not a highly wanted criminal..
why encrypt ?



David

2007/11/27, david.lyonpreisshare.net <david.lyonpreisshare.net>:
> begs the question; if you are not a highly wanted
criminal.. why encrypt ?

For example, because you don't want the highly wanted
criminal to
capture the password of your bank account which you are
receiving in
real-time over a secured XMPP connection...

For example, because you are a reporter in a country like
Myanmar.

For example, because you don't want other people to capture
your
gossips using a tool like Wireshark.

For example, because you use untrusted wireless access
points.

-- 
Mvg, Sander Devrieze.

Quoting Sander Devrieze <s.devriezepandora.be>:

> 2007/11/27, david.lyonpreisshare.net
<david.lyonpreisshare.net>:
>> begs the question; if you are not a highly wanted
criminal.. why encrypt ?
>
> For example, because you don't want the highly wanted
criminal to
> capture the password of your bank account which you are
receiving in
> real-time over a secured XMPP connection...
>
> For example, because you are a reporter in a country
like Myanmar.
>
> For example, because you don't want other people to
capture your
> gossips using a tool like Wireshark.
>
> For example, because you use untrusted wireless access
points.

Yes... well I believe you are right in those examples 

Take care

David