Slashdot Mirror

← Back to Stories (view on slashdot.org)

Protecting IM From Big Brother

Posted by Zonk on from the another-mark-in-my-file dept.

holden writes "Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today's world of warrant-less wire tapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An avi of the talk is available by http as well as by bittorrent and a bunch of other formats."

10 of 185 comments (clear)

  1. Encryption by nurb432 · · Score: 4, Insightful

    Its time to implement encryption of ALL traffic from ALL applications. Perhaps even IPC encryption incase you have some sort of 'tap' installed on your computer.

    Sure, it eats resources, but do you want others reading your information? I dont. Not even when its "we are out of milk, please pick some up on the way home", as its NONE OF THEIR BUSINESS.

    --
    ---- Booth was a patriot ----
    1. Re:Encryption by QuantumG · · Score: 4, Insightful

      Blah, that's a load of shit. It's an academic answer to how to fix the problem of people logging your conversation with them.

      When the log is presented in court the person who logged it will be asked "is this log an accurate representation of the conversation you had with the accused?" and they say "yes, it is" and the defense then has to show not that it is possible that the log was doctored but that person who has just sworn, under penalty of perjury, is lying. They typically do this by showing instances in the past where the person has submitted false evidence to a court, or they can try to show that the person has something to gain by changing the log and that they had the skills (if any special skills are required, which they wouldn't be). It would be a very tough sell and a jury is more likely to believe that the log is accurate because what kind of idiot would lie in court when the punishment is so severe.

      Consider that email is so trivial to fake and yet emails are considered official correspondence in many many many court cases. It's not about the technology, it's about the people making the claims.

      --
      How we know is more important than what we know.
    2. Re:Encryption by thegrassyknowl · · Score: 4, Interesting

      The beauty of OTR messaging is that it claims to guarantee perfect forward secrecy. In other words, if you lose control of your private keys no previous conversation is compromised. This is a big plus, because even if they force you to turn over the keys they can't see the previous conversations.

      It works (as I understand) by using your key pair to derive and exchange public session keys. The session keys then are used to do actual encryption and are changed frequently. The private key at each end is only ever stored in RAM and is discarded when the session ends or after a timeout.

      It's neat because even listening in to the whole session and obtaining the public session keys isn't enough to compromise the session. Of course, having the public keys and obtaining the master private key may go a long way to helping with a mathematical attack of the algorithm.

      --
      I drink to make other people interesting!
    3. Re:Encryption by Kadin2048 · · Score: 4, Informative

      Encrypting by default still doesn't prove the *log* is legit and only prevents a 3rd party from secretly watching along the way, so i don't see me encrypting everything effecting that. Huh? OTR is specifically designed not to prove that the log is legit. It goes to a lot of work, actually, to ensure that there's a trivial way to fake messages after the fact, just not when a conversation is occurring.

      That means that when you're having a chat with someone, you know that what they're saying to you is their actual words, but that the same cryptography that's giving you privacy can't (theoretically) be used to hang you later, by proving absolutely that you said certain things.

      OTR's logs are designed to be easily forgeable. This is a major difference in its design from many corporate IM clients (e.g. Sametime), which offer encryption but also create authoritative logs that can be referred back to later.

      The point of OTR Messaging is to allow you to have the equivalent of a face-to-face, "off the record" conversation, in the digital, computer-mediated world. Just like when you have an in-person conversation, there's nothing stopping the other person from walking back to their car and blabbing about the whole thing to anyone who'll listen, the encryption itself tries to not serve as authentication after the fact as to what was said.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. Encrypted RAM and HDD Storage by EmagGeek · · Score: 4, Interesting

    You can't have perfect secrecy unless your RAM contents are also encrypted. Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case? If your RAM is unencrypted, then your IM conversation is stored in plain text SOMEWHERE, even if it is encrypted on the network stack. Of course, having encrypted RAM would be a HUMONGOUS performance hit, but it could be done. Hmmm..

    Off to the patent office I go..

    1. Re:Encrypted RAM and HDD Storage by Cracked+Pottery · · Score: 4, Insightful

      Fine, let me get those chips out for you. Bring the back after you get the information off of them.

  3. Encryption is only part of the solution by compumike · · Score: 4, Insightful

    This is a good step, and I wish that more people would use encrypted messaging systems. This includes IM, e-mail, and voice.

    However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.

    --
    Educational microcontroller kits for the digital generation -- great gift!

  4. The real problem is U.S. government corruption. by Futurepower(R) · · Score: 5, Insightful

    Quote: "With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important."

    The real problem is U.S. government corruption. See this example from Cooperative Research, a complete 911 Timeline of 3962 events: U.S. Government corruption TimeLines.

    The government should serve the people, not spy on them.

  5. Re:Pfft. Don't talk to me, I log all my IM session by the_brobdingnagian · · Score: 4, Informative

    I log all my IM messages too. But you can not prove those messages are written by some specific person. They are plaintext and everyone can edit them. The "problem" with most encryption protocols is signing. If I write a message to you and I sign it, you can prove I wrote it. OTR provides encryption and authentication that can't be used to prove to anyone else you wrote it. I suggest you watch the video for more information.

  6. HR 1955 by CranberryKing · · Score: 5, Informative

    If this bill passes, you won't be able to use OTR without being carted off. Call your senator and tell them to vote NO.