New Crypto-OS

gormanly writes: "m-o-o-t is a new open-source cryptography project begun to defeat the R.I.P. Act here in the U.K. "and make it look silly". The project aims to ship a new BSD-based OS on a bootable CD, which will disable all local storage and store encrypted user files in remote "data havens," split and hidden in random data for deniability. The government can't even know a user's sending e-mail, much less store it for 7 years." It's a nice idea, but right now, that's all it is.

Re:What's the point - Illegal doesn't mean 'Wrong'

If you're not doing anything wrong, you shouldn't have anything to worry about?

Bullshit. B-U-L-L-S-H-I-T.

In the U.S. and in the U.K., I'm certain, overzealous law enforcement will do anything they can to a) raise the number of arrests, b) promote their own financial, moral, or religious interestes, and c)justify that they need more power to accomplish a and b

This is the way all law enforcement has worked since the dawn of society. This is the way that law enforcement always will work. This is the reason why U.S. prisons are full of non-violent drug users while murderers and rapists are frequently given shortened sentances due to overcrowding.

Case in point: Maybe you've heard of the McCarthy trials? Communism and being communist is *not* illegal in the United States, regardless of how much the wwii and boomer generation wishes it was. In fact, the right to assemble and belong to organizations such as the Communist Party is guaranteed under the U.S. constitution. That sure as hell didn't stop Hoover and the FBI from illegally tapping phone lines and extracting confessions of communist involvement under duress in the 50's and 60's.

Even if something *is* illegal, that doesn't make it wrong. Here's one for you DMCA ranters: If you use DeCSS to crack your DVD's to play under linux, you have commited a crime by circumventing the encryption on the disk. Is that wrong? Is it immoral? Will the FBI or RIAA come down on your ass if they find out?

Large-scale disk storage and access is easy and cheap. If you think that U.K. law enforcement can't easily run a grep or equivalent on the whole mess they've collected and look for people who have discussed DeCSS, then you are quite sadly mistaken, and probably deserve what they'll do to you when they bust your ass on airy charges.

A solution? Yes. To the wrong problem.

[rjh]

First, the RIP act requires that communications be archived for seven years, draconian penalties for refusal to hand over decryption keys, etc., etc. Let's ignore the fact that the RIP probably violates the EU's human-rights agreement, of which the UK recently signed acceptance--after all, the UK seems to be ignoring it.

So. Communications must be archived for several years, with decryption keys available on request. Supposing we had some ultrasecure OS which encrypted absolutely everything out there, as well as as much of the TCP/IP packet as is possible. That basically leaves only the address field and routing information unencrypted.

Now we have a person using this machine, A, to communicate over a fundamentally insecure network (the Internet) with machine B. The authorities think that either A or B want to be doing something un-American (err--un-British?) like, I don't know, sharing the recipe for Colonel Sanders' secret blend of herbs and spices. What do the authorities do?

They start listening on the machine, of course. So what if every packet is encrypted--they can still look at TCP/IP headers and discover where the packets are going. If, in fact, it turns out that packets are going out addressed for B, then that's a pretty clear sign the machines are communicating. Suddenly, B gets a knock on the door and a warrant served, and told to hand over those conversations "oh, and don't tell A a word of all this".

That only covers direct peer-to-peer connections, though. The naieve counter to this is that relayed connections, such as email, are immune to this because they don't get sent directly to the target machine. Well, maybe... but that just means there are more points of failure for the authorities to exploit.

Even something as dramatic as establishing an IPsec connection with a mail relay in Seahaven wouldn't be proof. The American government seems to think that using encryption is evidence of malfeasance (see the recent story about the FBI using a keysniffer to defeat PGP). The British government, which is even more behind-the-times than the American government when it comes to encryption, will probably take it as evidence of high treason, or something similarly melodramatic and groundless.

If they can tell a judge, "look, milord, this bloke 'ere's got hisself a highly encrypted network with a rogue nation-state that's know t' be a haven f'r data pirates", the judge will probably spend all of three seconds before deciding that yes, you're a threat, and you really ought to hand over your decryption keys just so the government can be sure.

In other words, this solves nothing.

To every social problem, there is a technological solution which is hip, cool, sexy and broken. This is it.