Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Media Government Privacy

The Register: 4 Ways the Guardian Could Have Protected Snowden 233

Frosty Piss writes with this excerpt from The Register: "The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online. And his reporters must fly around the world to hold face-to-face meetings with sources ('Not good for the environment, but increasingly the only way to operate') because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ. 'It would be highly unadvisable for any journalist to regard any electronic means of communication as safe,' he wrote. El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance."
This discussion has been archived. No new comments can be posted.

The Register: 4 Ways the Guardian Could Have Protected Snowden

Comments Filter:
  • by jasno ( 124830 ) on Friday August 23, 2013 @06:13PM (#44660565) Journal

    Johnny Mnemonic anyone?

    • spoiler alert (Score:5, Informative)

      by noh8rz10 ( 2716597 ) on Friday August 23, 2013 @06:16PM (#44660603)
      here are the four things, pulled from the article:

      1. Encryption: It's not hard
      * Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
      * Meet the Advanced Encryption Standard

      2. Use clean machines

      3. How to shift the data securely

      4. Using hidden services
      • by sjbe ( 173966 ) on Friday August 23, 2013 @06:52PM (#44660821)

        Encryption: It's not hard

        Yes it is. It fails the mom test badly. More properly it is key management that is too difficult. The actual key generation can be automated mostly. Distribution and use of keys is inherently difficult with no obviously easy solution.

        • by Immerman ( 2627577 ) on Friday August 23, 2013 @08:02PM (#44661225)

          But there's no reason it has to be. The newspaper could easily create/bundle a basic application that runs of a flash drive to handle all the encryption/decryption, tor tunneling, etc. The stripped down version:

          The informant-to-be downloads and launches the "Guardmail Program" for the first time
          - Personal public and private keys are generated silently and stored in a data file alongside the program
          - User writes an email and adds attachments as per normal
          - User provides destination address and public encryption key + CRC code available on The Guardian's contact page
          - CRC code is checked to ensure that there are no typos in the encryption key (is this normal? It should be if not)
          - email, attachments, and P.S.ed personal public encryption key are encrypted
          - Resulting data-file is then sent to the destination via whatever origin-obscuring pathways they decide to integrate.

          - Later the program is run again and told to "check mail" - it goes to whatever anonymized dropbox is being used, via whatever hidden pathway, and looks for messages directed to the User
          - Any messages are downloaded and decrypted. Attachments can be decrypted and saved just as you would from a webmail site

          From the users perspective all they did was fire up a special "magic" email program that lets them send things much more secretly, from an interface that looks essentially like any webmail frontend, but the data never sits anywhere unencrypted unless attachments are "saved" (exported) from Guardmail. Does such a program truly not already exist? If so, the why the $#@! not? Sure it's a bit limited and inflexible, but it would put reasonably secure communication in the hands of anyone who had a need for it, no technological knowledge required.

          • I recently came across an interesting app/middleware platform in the google play store for android called musubi group chat. It uses a type of encryption called "Identity based encryption" (first theorized by shamir of rsa fame). It is dead simple to use with all the key management being done without user intervention. In order to send someone an encrypted message you only need their email address (you generate the public key for them). You do need a trusted 3rd party involved but I think that drawback
            • I'm not a cryptography geek, but I doubt a trusted third party requirement can be conveniently overcome when "the opposition" has the sort of resources the NSA can bring to bear.

              Onion routing has a similar problem in that it only really provides security-through-obscurity. They come right out and warn you that if the entrance and exit nodes are monitored then it's trivial to trace your communication - and considering the pervasiveness of admitted NSA monitoring it seems naive to not asume that every known

        • Re: (Score:3, Insightful)

          It fails the mom test badly.

          Yes, but any moms who are editors of respected international journalistic institutions are probably smart enough to understand and use encryption.

      • The first thing I got from the article is that it was submitted by Frosty Piss.
      • If this is data that the American and British spooks presumably already have, why not just post it publicly? What's the point of keeping a copy of data they already have hidden from them?

        • 1)Snowden was way short on resources to hide from the NSA, and until he proved he had something of real value, who with resources would help him?
          2) It was a ton of data, the NSA certainly detects the leak before it gets fully transferred to anyone, and shutdown before full transfer.
          3)In Snowden's case many of the original archives themselves had digital fingerprints in them indicating who could have downloaded them to begin with. If you break it up enough to disrupt the fingerprints, then it loses credibil

      • Comment removed based on user account deletion
  • by Anonymous Coward on Friday August 23, 2013 @06:14PM (#44660575)

    "most of them based on the NSA's own guidance"

    Should you take guidance from people who have been proven to lie?

    • by Mr. Slippery ( 47854 ) <tms&infamous,net> on Friday August 23, 2013 @09:00PM (#44661515) Homepage

      Should you take guidance from people who have been proven to lie?

      The NSA is a deeply schizophrenic organization. On one side you have people seeking to defend and secure Americans' computer systems and networks against crackers, foreign spies, and the like. They'll propose BS like key escrow [wikipedia.org], but they're actually fairly honest: they know if there is a backdoor they can use, their adversaries can use it too.

      On the other hand you have people seeking to break into computer systems and networks, including those of Americans. They oughta be first against the wall when the revolution comes.

      • by thoth ( 7907 )

        The NSA is a deeply schizophrenic organization.

        Not schizophrenic - they just have 2 conflicting missions. That would be signals intelligence [nsa.gov] (gather and decrypt) and information assurance [nsa.gov] (protect and defend).

        It could be that a split and reorg would be good - say move the information assurance folks and merge them with DISA [disa.mil]. Then clamp down on any out of control signals intelligence programs.

  • What if... (Score:4, Interesting)

    by MRe_nl ( 306212 ) on Friday August 23, 2013 @06:17PM (#44660617)

    When secret police come with secret orders based on secret laws signed by a secret court we secretly dispose of their bodies?

    • by slick7 ( 1703596 )

      When secret police come with secret orders based on secret laws signed by a secret court we secretly dispose of their bodies?

      Don't forget double secret probation.

  • Wasn't so long ago all the British press were under scrutiny in the wake News Of The World Phone Hacking Scandal. I think it's still fresh on the minds of many editors in the British press and more scrutiny is not something they would welcome. In this light it was probably intentional not to go out of their way to protect him.

    • by globaljustin ( 574257 ) on Friday August 23, 2013 @08:23PM (#44661335) Journal

      it was probably intentional not to go out of their way to protect him

      I agree...and I think you are being overly fair to the Guardian and Greenwald. They could have done this completely differently and Snowden would still have his job and hot 'girlfriend'...

      Anonymous source.

      IMHO, Greenwald and the Guardian led Snowden around like a sheep, taking advantage of his internal motivations for releasing the info.

      The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...and seriously it's common knowledge that the Feds could spy on us via the Patriot Act.

      Read it for yourself [usatoday.com], from USA Today in 2006:

      The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

      He broke the law technically, revealing info that was Top Secret, but it's not exactly "news"....unless you muckrake and take advantage of the fact that most journalists never understood what the Patriot Act allows.

      It's all hype...we definitely could have had a "national conversation about privacy and surveillance" without all this flap!

      • by Obfuscant ( 592200 ) on Friday August 23, 2013 @08:32PM (#44661369)

        The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...

        Our local senator is one of the ones who has been hinting to us that this is going on since early this year. He couldn't tell us what it was, but ...

        He also didn't think it was enough of a problem to bother trying to stop it.

    • In spite of the headline, really the article isn't about protecting the source, it's about preventing the authorities from preventing you from publishing, or detaining your partner/data-mule under a vile security law that makes not incriminating yourself a serious criminal offence.

      (It doesn't say, but the paranoia exhibited in the article reinforces the recent claims that we're going to see less precaution from press in the future. They will just dump everything online at once, making no attempts to redact

  • Employ Mentats. [wikipedia.org] Problem solved.

  • If is meant to be eventually public, then just make it public. As Linus said "Only wimps use tape backup. REAL men just upload their important stuff on ftp and let the rest of the world mirror it [goodreads.com]" (ok, maybe not ftp right now, some more updated/social alternatives), The consequences of not releasing it (even in human lives) could eventually be worse than doing it unedited.
    • I think that's the idea behind insurance files and multiple secret deadman switches - if all else fails the data *will* get out.

      But it can be very irresponsible to simply dump it into the public eye without first thoroughly reviewing it, which the leaker themselves can't realistically be expected to do - they stumble across a treasure trove of incriminating data (probably all mixed in with lots of junk and legitimate secrets) and they just want to get it into the hands of a responsible journalist as fast as

  • by Adult film producer ( 866485 ) <van@i2pmail.org> on Friday August 23, 2013 @06:24PM (#44660655)
    The Freenet network is still alive and is very useful for this kind of thing.

    https://freenetproject.org/ [freenetproject.org]
  • by Anonymous Coward

    I might be part of the few people in the world who are able to implement attacks on cryptography or busting advanced malware in random hardware firmwares in a breeze.
    Still there might always be someone who knows some trick I'm not aware of, who is cleverer and more prepared, thus i don't feel safe.

    The Guardian's staff is in my opinion well aware of how to use Tor and such countermeasures. They just don't want to try their luck, because if they happen to fail this is ultimate failure.

    The Guardian is right a

    • by ackthpt ( 218170 )

      I might be part of the few people in the world who are able to implement attacks on cryptography or busting advanced malware in random hardware firmwares in a breeze.
      Still there might always be someone who knows some trick I'm not aware of, who is cleverer and more prepared, thus i don't feel safe.

      The Guardian's staff is in my opinion well aware of how to use Tor and such countermeasures. They just don't want to try their luck, because if they happen to fail this is ultimate failure.

      The Guardian is right and The Register is a usual a bundle of same sized wooden sticks.

      Also possible they fear relying upon any "safe" technology because they won't know when it is no longer "safe". Not like the NSA is going to send them a card saying "We are now watching you".

  • by VinylRecords ( 1292374 ) on Friday August 23, 2013 @06:28PM (#44660689)

    1.) Encryption: It's not hard

    Shouldn't really be a factor now that Snowden is known publicly. When Snowden was trying to escape the U.S. it was necessary for him to be paranoid and secretive. Now he's already given a full copy of all of his information to Greenwald in person. Snowden was protected well by his news contacts. They had him reveal himself to the world on his own time and not have his name leak before he wanted it to leak. He was safe when it mattered. The Guardian did an acceptable job getting Snowden to safety.

    2.) Use clean machines

    Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

    3.) How to shift the data securely

    The governments of the world can potentially intercept ANYTHING. Phone calls, emails, text messages, picture messages, faxes, voices through a hidden microphone, credit card transactions, smoke signals, bank statements, parabolic intercepts. Nothing is truly secure in this day and age. A reporter can use a courier by land or plane and that person can be held in a cell for nine hours while being interrogated. But an in-person intercept is known to both parties. A phone intercept is tough to fully know about unless you have an inside source telling you "your personal phones and prepaid phones are all tracked". Thanks to Snowden I now assume that EVERYTHING is tracked by the government.

    4.) Using hidden services

    The government is cracking down on those. Lavabit could not stop the government. Why would any other black site or anonymous exchange be able to stop the government? The government can stop billion dollar companies from operating overnight. Like a small email or messaging company can withstand the onslaught of a multi-national cyber-military operation?

    • by dgatwood ( 11270 ) on Friday August 23, 2013 @06:55PM (#44660855) Homepage Journal

      2.) Use clean machines

      Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

      Not difficult at all. It's called an air gap. You buy a laptop specifically for the purpose of decrypting the messages. You set it up without connecting it to the Internet. You generate your private-public key pair on this machine and use a flash drive to manually copy the public key to a different machine so that you can provide it to whoever needs it. When you receive a message, you copy that to a flash drive, then copy it to the other machine, then extract it.

      Ideally, the private key should also be stored on a (different) USB key that you carry with you, to reduce the risk of physical theft by (hopefully) ensuring that the key and the encrypted data are never in the same place except when you are decrypting that data. If you are really paranoid, you can split the key into pieces so that multiple key dongles held by separate people must be stolen or confiscated before encryption is compromised.

      This is how high-security data handling works everywhere. If intercepting it could mean the end of (the|your) world, you build an air gap, and you ensure that the computers on the inside of that gap are never connected to the public Internet in any way, shape or form. And when you're done with the machine, you destroy its hard drive in accordance with DoD manual 5200.01.

      Of course, this ignores TEMPEST/Van Eck phreaking; chances are, you aren't that important, but if you are, you should also take precautions to physically secure your air gap room against any EM emissions from the computer in question.

      And as always, Keep Calm and Carry a Towel.

      • by Dunbal ( 464142 ) * on Friday August 23, 2013 @07:24PM (#44661011)
        You are assuming that when you tell your computer to turn off the WiFi, the WiFi stays off. Now if cell phones that are "off" can record the conversations of mobsters without them knowing it, what makes you trust your computer all of a sudden? It would have to be an "air gap" somewhere in the countryside away from any wifi signal...
        • Open up the laptop and remove the wifi antenna (at least in mine you could remove it with a pair of scissors, but other models may require mucking with board).

          • Open up the laptop and remove the wifi antenna

            On most of the Dell systems I've dealt with over the last few years, the WiFi is on a small add-in board.

            Or you can just operate in a Faraday cage and avoid Tempest and WiFi and Bluetooth and all kinds of issues at the same time.

        • by AmiMoJo ( 196126 ) *

          It isn't hard to physically remove the wifi card from most laptops. Typically it is located just under a hatch or the entire base of the laptop can be removed.

          Also, even if the wifi were turned on with you knowing, unless there is an unsecured network or the government and a backdoor into a nearby AP what use would it be?

        • by Teun ( 17872 )
          Lots of people told me Linux sucks for WIFI support :)
      • Of course, this ignores TEMPEST/Van Eck phreaking; chances are, you aren't that important, but if you are, you should also take precautions to physically secure your air gap room against any EM emissions from the computer in question.

        The article isn't about being monitored. It's about delaying detection long enough to a) get the source out of the country, b) publish before they raid you. If you are known enough to be actively monitored (and you're not a foreign spook or tech-company), then you've already been raided, your hdds seized or smashed, and/or your partner jailed, without warrant, lawyer, or trial.

    • by Dan East ( 318230 ) on Friday August 23, 2013 @07:15PM (#44660957) Journal

      2.) Use clean machines

      Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.

      I call BS on this one. "You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored." No, you don't. It only takes ONE expert to find that Dell, HP, Microsoft, Apple, OSX, Windows, Linux, has all these supposed backdoors to blow the whistle. While we have cases where various cloud / online services have been forced to turn over information, none of what you're claiming has been reported with hardware and OS vendors.

      You're missing one important thing in your paranoia. Existing networks still have to be utilized to transfer this data. If every home PC had such a backdoor, then they still would have to use the internet connection to transmit that data. And yes, there are experts that do watch for this kind of thing, and keep an eye on what their machines are connecting to and why. Unless you're also positing the conspiracy theory that every machine has some totally secret wireless communication built in that talks to some government ghost network that no one has discovered either.

      Yes, the NSA is reaching way too far, but even so you've got your tin foil hat way too tight.

      • It only takes ONE expert to find that Dell, HP, Microsoft, Apple, OSX, Windows, Linux, has all these supposed backdoors to blow the whistle.

        What is your point? In all of these cases, you can count people with complete access to the source code with your fingers. Even in Linux there are binary blobs with no source. Each of these backdoors is known to 1-5 people in the world, so no one will blow any whistles.

    • It is amazingly unlikely that you buy a brand new machine at Best Buy and it is already set up to monitor all the communications you send from the moment it's turned on. Sure it might happen, but that would mean that everyone everywhere is being spied on every minute of the day, in which case the NSA will never be able to find the needle in the haystack. Instead a clean machine means that you use that brand new machine machine only for that task; you don't re-use an old machine, you don't install extra so

    • 3.) How to shift the data securely
      The governments of the world can potentially intercept ANYTHING. ... A reporter can use a courier by land or plane and that person can be held in a cell for nine hours while being interrogated. But an in-person intercept is known to both parties.

      Taking this concept further: after encrypting your data, xor the data with a onetime pad. Send only the pad by courier first; once the courier arrives at the destination with the onetime pad unmolested, send the other part of

  • by stanlyb ( 1839382 ) on Friday August 23, 2013 @06:29PM (#44660707)
    You wannt to use a compromised OS to generate secret keys!!! For.Real.?
    What about this:
    1.Use some old machine, very old machine, like CPU-486 Pentium, or even better, some chip on computer (Raspberry Pi) to install some minimal linux.
    2.Use some proven package to generate the private keys.
    3.Store them, write them down, on some piece of paper, and hide it somewhere secret. Even better, generate a set of PK, for every conceivable case.
    4.During all this steps, never, i repeat NEVER TURN ON THE ETHERNET ADAPTER.
    5.Once you have done with the PK generation, burn the damn computer, literally.
    6.Now you have a set of PK that are really secret.
    7.From now on, never forget, once you run Windows/Mac/Ubuntu, you are exposed. So try to use only some community build, with minimal set of features Linux, and also without any fancy GUI interface. And keep close track of all the services that you run n your computer. And log all the network traffic going to, or out of your little linux box.
    • by msobkow ( 48369 )

      Unless you're planning to build a distro from source and read all the source to make sure it has no back doors, you can't guarantee anything is "clean."

    • Rather than burning a 486 with lots of ram which can run linux, which I find evil, a dd if=/dev/zero of=/dev/sda will do.

      • zeroing a drive is no guarantee of security. In fact, it won't stand up to much more than a casual analysis. The DoD specification is a 3-pass method involving zeroing, populating with 1's and then populating with randoms. Now you're in electron microscopy territory to recover *anything*.

        The absolute *minimum* I would in fact recommend if you're intent on making life difficult for any would-be data snooper is dd if=/dev/urandom of=/dev/sda. I would also take the hard drive and zero it with a *different* ker

        • by donaldm ( 919619 )

          The absolute *minimum* I would in fact recommend if you're intent on making life difficult for any would-be data snooper is dd if=/dev/urandom of=/dev/sda.

          You are quite correct if you wish to reuse the disk drive although that is still no 100% guarantee, however if your data is so sensitive and you wish to completely erase it then destroying the drive by shredding and burning the platter(s) are the only option. Because disk drives are fairly cheap it would be better to just use a new disk and shred the old one. Of course then you have to seriously take into account what to do with all backups if any have been performed.

          I think the question that is worth ask

  • by Anonymous Coward on Friday August 23, 2013 @06:35PM (#44660733)

    Snowden and the reporters he communicated with did use encryption and other means to preserve secrecy while he was initially doing the leaks. But once it became front-page news, he wanted the publicity, and he told them to go public.

  • So how is that any safer . . . ? The government knows if you are a journalist. They can check fly lists to know where you are flying to. They can alert their own folks or their pals in the place where you are flying to. They can put a tail on you right after you step off the plane . . . or even as you board the plane.

    Oh, you could get a friend to go for you. But the government know who your friends are . . . etc., etc., etc. . . .

    Sound like a bunch of paranoid spy fiction . . . ? Not any more, reall

    • Are they doing this to every journalist everywhere? I don't think so. They will do it to higher profile journalists working in certain areas. Ie, the reporters who worked with Snowden had already been harrassed in airports quite a lot so they had reached this risky level already. But you're sort of stuck here, the other journalists were probably all off writing stories about kittens or repeating verbatim what happened in a press conference, and those may not be the ones you can trust.

      And yet they were a

  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Friday August 23, 2013 @06:58PM (#44660865)

    From TFA:

    "El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips â" most of them based on the NSA's own guidance".

    Since the NSA gets a lot more information from metadata than from the message itself, I imagine they'd be delighted to have journalists encrypting everything important (lazy buggers that they are, they probably wouldn't bother with anything that wasn't).

    By jumping through all the hoops in the NSA guidelines, you just sorted yourself into a tiny minority that has something to hide. You can guarantee you'll have spooks from every spy agency in the free world tracking where you go, who you talk to, who THEY talk to and what all of you do all day, where you keep your money, where you spend it, and who makes your morning coffee when the wife's out of town.

    And laughing. You just KNOW they'll be laughing.

  • by ikhider ( 2837593 ) on Friday August 23, 2013 @07:13PM (#44660937)
    As much as the NSA/CIA/FBI whatever like to make you think they are God, they are in fact not. There are MANY ways to make a secure chat between two parties. No organization can be on top of all computers and all software all the time. If the parties involved have a chance to avoid physical surveillance, they are set. How will the spooks going to know which channel to listen in on? All of them? Fine. Needle in a haystack. Good luck.
  • by Jane Q. Public ( 1010737 ) on Friday August 23, 2013 @07:44PM (#44661119)
    It is ridiculously easy to agree on continuously changing keys for one-time-pad encryption. All you need is a bit of imagination.

    If the media companies are really so afraid that they will spend millions to do face-to-face encounters, I would happily take half of those millions and give them a far easier, faster, at-least-as-secure alternative.

    Seriously. This is utter madness based on ignorance.
    • Addendum:

      TFA implies that public-key is a panacea. This is not true either. SOME of the vulnerabilities are mentioned. But while security through obscurity is not itself real security, the FACT is that public-key cryptography is simply not suitable for all situations.

      In fact, given THIS situation, public-key cryptography presents exactly the SAME vulnerabilities as other methods that might be more secure in these circumstances. Namely, key management.
    • It is ridiculously easy to agree on continuously changing keys for one-time-pad encryption. All you need is a bit of imagination.

      "The one-time-pad is the binary from the current 'This Week in the NSA' podcast."

      • "The one-time-pad is the binary from the current 'This Week in the NSA' podcast."

        Maybe I missed the morning news, but I'm not sure what you're saying there.

        One Time Pad is the only encryption that mathematics says is not even theoretically breakable. As long as, that is, you use proper key management. Which isn't trivial, but it also isn't hard.

        • Maybe I missed the morning news, but I'm not sure what you're saying there.

          I'm saying that finding a common set of suitably pseudo-random bits to use as a one-time-pad is rather trivial -- an MP3 (at least the bits that are the compressed data and not the text tags), a wav file from a commercial audio CD track, the jpeg image from an online newspaper, etc. And that you can display irony by using something the NSA itself produces (which of course there is no real podcast by that name or source, but irony needs not be factual to be irony) such as from here. [nsa.gov] You just have to agree a

          • "I'm saying that finding a common set of suitably pseudo-random bits ..."

            Hah! Yes, I'm feeling a bit dense today. I should have picked up on what you meant right away.

            Exactly. It doesn't have to be "random", it only has to be "random enough", which a podcast (starting at, say, 8 minutes 22.000 seconds) certainly is. As long as the key is unknown to others, and is halfway well-chosen, it might as well be "completely" random.

          • A lot of people (including many cryptographers today) seem to have forgotten that effective entropy and actual, objective entropy are two different things. It all has to do with available information. If you don't have the information necessary to put semi-random bits into perspective, they may as well be completely random.

            But again, it still depends on the bits being "random enough". What that is varies by circumstance.
  • When you're considering moving files around like that the transfers won't be random. They'll happen at specific prearranged times. As in "I am talking to you on the phone, send me the file now"... in such an environment, you could turn a home system into a file server for a couple minutes... pull the file down or push it or whatever... and then after the transfer was complete turn the file server software off. When things only blink into existence and are gone when called for it gives the black hats less ti

  • by Burz ( 138833 ) on Friday August 23, 2013 @08:36PM (#44661389) Homepage Journal

    5. Protect against remote exploits with an OS like Qubes. [qubes-os.org] Use its TorVM and DisposableVM features to isolate different communication domains from each other. (Certain late-model hardware configurations are best used with Qubes.)

    6. Go one better than Tor and use I2P. [geti2p.net] It uses routing that is more decentralized than Tor, and since everyone shares routing bandwith by default there is bandwidth to handle virtually all kinds of traffic... even bulk transfers and bittorrent. Security is also enhanced by having more users route traffic, and by communicating only with other I2P users by default. I2P have so far been successfully testing a distributed email system (I2P-Bote) which is far less vulnerable to attack than what you find on Tor (e.g. TorMail).

    • "Go one better than Tor and use I2P. "

      No. What you want is OneSwarm [oneswarm.org].

      Not only does it store data in an encrypted, distributed fashion, it makes sure that it is not even theoretically (today) possible to tell what nodes on the network are supplying any particular data. That puts it a step above most other solutions, because it protects the sources, not just the downloader.

    • Most importantly. (Score:5, Insightful)

      by FatLittleMonkey ( 1341387 ) on Friday August 23, 2013 @10:41PM (#44661981)

      7. Start doing steps 1-6 NOW. Routinely. Across your entire media organisation. When you don't need it.

      Don't wait until you're doing something you want to hide, then suddenly start using high-end crypto and data obfuscation and special networks to shout "LOOK AT ME, I HAVE SOMETHING TO HIDE".

  • What a BS title. Snowden and Greenwald -were- using GPG/PGP ... long-established fact.

  • The recent approach of releasing encrypted insurance files is a good way to go. You put the data on a torrent and create thousands of copies, then give the key to a few dozen trusted friends. If shit goes down, one of the friends posts the keys in a public forum. It is simple and reliable.

  • by DaveAtFraud ( 460127 ) on Friday August 23, 2013 @11:16PM (#44662093) Homepage Journal

    One interesting side effect of this article and others like it is the spook job just got much harder. Lots of people will be looking into using encryption and some actually will becuase they simply don't want someone else reading their e-mail. Previously, the very use of encryption flagged an e-mail as being suspicious since the spooks could assume that peope with nothing to hide (e.g., no plots or plans for nefarious deeds) wouldn't bother with encrypting their data. Now lots of people with nothing to hide will encrypt their messages just becuase they don't like the idea that someone could read it.

    Think about what happens if encrypted e-mail goes traffic from .1% to 1% of all e-mail (I have no idea how many people use something like GPG now).

    Cheers,
    Dave

  • I am an inveterate letter writer. I dislike sending e-mail to friends, preferring to commit my thoughts and comments to paper. It seems that this is the most secure form of communication available since I can take steps to ensure that the recipient knows that the envelope was not steamed open in transit. That leaves the photos the postal service has been taking of the front and back of every envelope going through the mail [washingtontimes.com], and I can even sabotage that a bit by using phone a phony name and return addres

  • how good The Guardian is at protecting sources.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...