Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday May 25 2014, @05:12AM   Printer-friendly [Skip to comment(s)]
from the or-fher-gb-fraq-pelcgb-cnegl-vaivgngvbaf-va-cynva-grkg dept.

Wired has a nice story on a crypto party organized by Edward Snowden shortly before he leaked the NSA documents. He used the same e-mail address to organize this crypto party that he used to contact Glenn Greenwald for the first time, which happened to be 11 days prior to the party. He had even been running Tor exit nodes at the time.

A crypto party is an open, free, and public tutorial on the use of cryptographic technologies, such as Tor, GPG, TrueCrypt, Tails, and others. It looks like a brilliant and practical way to overcome the learning curve of good security.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by black6host on Sunday May 25 2014, @07:58AM

    by black6host (3827) on Sunday May 25 2014, @07:58AM (#47262) Journal

    First, I've deliberately avoided researching Tor for the purpose of this discussion so as to represent the common man/woman who know little of Tor but know it exists. My impression is that it's pretty secure, unless they really want you in which case they need to crack the human behind a server (or gain the keys to the kingdom another way.) Is this correct?

    When I first heard of Tor it was regarded as slow and unless you had absolute need it was not worth the effort. This could have been because there were not a lot of people using it at the time. Is this correct? Is it still true?

    Another impression I have is that if you use Tor you're liable to attract attention to yourself as it's a common avenue for folks who like kiddie porn, etc. Even if you're not using it for illicit purposes it throws you into a school of fish that contains some that are targets for law enforcement. Is this true?

    I readily admit my ignorance and while I could look things up and piece them together I'm afraid I'd miss something key to the concept.

    So, pretend I'm your dad who knows enough to know that everything is under inspection these days and doesn't want to be subject to that, nor draw attention to himself. Is this a case where you don't mess with Tor unless the consequences of not using it outweigh the consequences of a compromise of part of the network? And, can anyone say: use Tor, your absolutely anonymous?

    (I don't believe that last question will be answered in the affirmative as I recall reading a recent story where an exit node was compromised and those looking were able to go upstream from there.)

    So there, questions from an undeniably ignorant user who could benefit from a crpto-party to say the least! :)

    • (Score: 2, Informative) by No.Limit on Sunday May 25 2014, @11:26AM

      by No.Limit (1965) on Sunday May 25 2014, @11:26AM (#47289)

      First of all, I'm quite a newbie on this topic too. I can just write here what I know:

      My impression is that it's pretty secure, unless they really want you in which case they need to crack the human behind a server (or gain the keys to the kingdom another way.) Is this correct?

      I believe it's pretty secure in the sense that the traffic going through TOR will keep you anonymous. It can't really guarantee anything else.
      Just like with all the strong mathematic concepts in cryptography. The crypto is strong and secure, but everything around it may be a potential weakness.

      Another impression I have is that if you use Tor you're liable to attract attention to yourself as it's a common avenue for folks who like kiddie porn, etc. Even if you're not using it for illicit purposes it throws you into a school of fish that contains some that are targets for law enforcement. Is this true?

      I guess it will attract attention. But there is barely any other way to get the anonymity that TOR guarantees. I don't think the additional attention you'll attract is a big problem, though I can't guarantee it.

      And, can anyone say: use Tor, your absolutely anonymous?

      No!
      Reasons why that's not true:
      - You might reveal your own identity in a forum by simply posting it. Thus losing your anonymity.
      - You might visit a website with scripts and allow those script to run. Such script can be used to weaken or 'break' your anonymity. (that's why the TOR browser bundle comes with noscript installed. You shouldn't be running javascript, java, flash, silverlight etc, they might weaken your anonymity.)
      - You might run applications that don't use TOR when available, such as torrent, skype , games etc.

      So just like with every crypto concept, the maths behind it are strong and won't be broken. It's mostly the users or sometimes the implementations that are the weak link.

    • (Score: 5, Informative) by Common Joe on Sunday May 25 2014, @12:58PM

      by Common Joe (33) Subscriber Badge <common.joe.0101NO@SPAMgmail.com> on Sunday May 25 2014, @12:58PM (#47300) Journal

      My impression is that it's pretty secure, unless they really want you in which case they need to crack the human behind a server (or gain the keys to the kingdom another way.) Is this correct?

      This goes for everything: if they want you, they will get you. Now, let me ask this question: if they really want to get you, do they need to decrypt your stuff? They'll just throw fake charges at you. Doesn't matter whether they are true or not. Simply accusing you of kiddie porn (even if you don't seek out kiddie porn and even if you don't use Tor) and your life is ruined. The only time they'll really want to decrypt your stuff is if you have something that is really important to them. For a commoner like you and me, they already have all the information they need: credit card transactions, money in the bank, etc.

      When I first heard of Tor it was regarded as slow and unless you had absolute need it was not worth the effort. This could have been because there were not a lot of people using it at the time. Is this correct? Is it still true?

      I don't use Tor often, but when I do, it doesn't seem to be too slow. It will be slower than regular surfing because your information is hopping through several nodes, but that is what keeps you anonymous.

      Another impression I have is that if you use Tor you're liable to attract attention to yourself as it's a common avenue for folks who like kiddie porn, etc. Even if you're not using it for illicit purposes it throws you into a school of fish that contains some that are targets for law enforcement. Is this true?

      It makes you look more suspicious to common law enforcement should you get caught up in something ugly. So does using TrueCrypt or Linux. They will ask you questions and you'll need to have answers.

      So, pretend I'm your dad who knows enough to know that everything is under inspection these days and doesn't want to be subject to that, nor draw attention to himself. Is this a case where you don't mess with Tor unless the consequences of not using it outweigh the consequences of a compromise of part of the network?

      That is a personal choice that no one here can answer. Only you (or your Dad) can. Who is to say how secure this is? Not even the maintainers can say with certainty. The NSA thought they were secure and then Snowden came along. So far, to my knowledge, no one has been prosecuted only because they were using Tor. (It would be a tough sell in court.) They will use Tor and everything else crypto related to hang you if "they" think you are guilty of something or don't like you. It will be used to turn popular opinion against you. (Popular opinion may mean a jury.)

      Also, I wouldn't really say Windows is secure against people like the NSA. They'll be able to crack your computer if they want bypassing Tor and the rest of it. No proof, only my opinion.

      And, can anyone say: use Tor, your absolutely anonymous?

      There's a reason why most of us laughed when DARPA [soylentnews.org] said they'd come out with a totally secure drone. It can't be done. Very tough to crack? Yes. Totally secure? Not a chance. There are currently rumors that the NSA has a bunch of exit nodes under their control. That is a weakness of Tor. Allow me to elaborate.

      Tor cannot make you totally anonymous. If you look at your email via an unencrypted means and you do so using Tor, your email is totally open between your computer and the entrance node plus the exit node and your email provider. Tor only masks part of the transfer between you and your email provider. In other words, it masks your meta data. In this example, because your data is leaking information about you, you are exposed despite using Tor. If you use encrypted means to access your email and do NOT use Tor, then no one can see your email, but people can know when you are accessing your email, (approximately) how much data is transferred, and how often you check it. If you use encrypted email and Tor to access your email, then you (in theory) are totally masked between your computer and your email provider. (If you use Gmail, Tor and encryption doesn't help you a lot against the government and any entities Gmail may decide to sell your information to. If I use an alias like f.the.nsa@gmail.com and keep out all other private information about myself, then Gmail won't really know who I am. Start leaking information about yourself, and they'll figure out who you are.) If you forget to use Tor just one time, then you are exposed because you can be linked to that particular email address.

      Now, if the NSA has a lot of Tor exits under control, they can trace you some of the time and that is enough to expose you "greatly". (Some information is given here [wikipedia.org] but Tor says this is a bit exaggerated). As soon as they figure out that f.the.nsa@gmail.com is run by Common Joe, they know that every access is probably made by Common Joe and they can watch you access gmail. (a.k.a, your meta data is exposed and it Tor is useless.)

      There is another potential weakness I've read about. If they have both entrance and exit nodes covered, they can see a blip on the entrance correspond to a blip on the exit. (Mathematically, they can figure this out.) That definitively links Common Joe to f.the.nsa@gmail.com for meta data purposes.

      Hope this is what you were looking for.

      (By the way, f.the.nsa@gmail.com is not my real email address. I have no idea if it is in use or not, but I wanted to use a different example address than the real one I give out here on Soylent News.)

    • (Score: 2) by black6host on Sunday May 25 2014, @08:13PM

      by black6host (3827) on Sunday May 25 2014, @08:13PM (#47356) Journal

      Thanks all! It's about what I figured it would be... But very informative to find out some of the reasons why. I wonder how many out there, using Tor, are giving away their identities in other ways but still think they're secure.

      Me, I've given up on anonymity. I don't do anything anyway that anyone would be interested in. However, I think there needs to be a way to accomplish anonymity for those that truly need it. Why they need it is a judgement call I can't make, depends on the circumstances. But I'm sure there are cases where it is called for and would be morally acceptable, to me, IMO.

  • (Score: 4, Insightful) by Anonymous Coward on Sunday May 25 2014, @05:26PM

    by Anonymous Coward on Sunday May 25 2014, @05:26PM (#47326)

    It is good to educate people. It is also good to have tools/weapons(?) to counter suppressive democracies that might derail.

    A well known maxim is "the internetz routes around it". this is all well and dandy and these tools do a good job.
    nevertheless if it comes to human rights (and stuff) the above maxim is a a bad one.
    the insanity must stop and the state surveillance powers have to be reigned in.

    if we keep "routing around the problem" it will escalate until usage of above tools are deemed
    illegal or even a terrorist act.

  • (Score: 0) by Anonymous Coward on Monday May 26 2014, @05:23PM

    by Anonymous Coward on Monday May 26 2014, @05:23PM (#47615)

    Truecrypt uses a vanity license which as not been accepted as an open source license.

    https://en.wikipedia.org/wiki/Truecrypt#License_an d_Open_Source_status [wikipedia.org]