The Register: 4 Ways the Guardian Could Have Protected Snowden
Frosty Piss writes with this excerpt from The Register: "The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online. And his reporters must fly around the world to hold face-to-face meetings with sources ('Not good for the environment, but increasingly the only way to operate') because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ. 'It would be highly unadvisable for any journalist to regard any electronic means of communication as safe,' he wrote. El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance."
Johnny Mnemonic anyone?
http://www.masturbateforpeace.com/
(from the article)
1. Encryption: It's not hard
Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
Meet the Advanced Encryption Standard
2. Use clean machines
3. How to shift the data securely
4. Using hidden services
... using BitMessage and Tahoe-LAFS as a general rule? Both make spying near impractical.
"most of them based on the NSA's own guidance"
Should you take guidance from people who have been proven to lie?
here are the four things, pulled from the article:
1. Encryption: It's not hard
* Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
* Meet the Advanced Encryption Standard
2. Use clean machines
3. How to shift the data securely
4. Using hidden services
When secret police come with secret orders based on secret laws signed by a secret court we secretly dispose of their bodies?
"Kill 'em all and let Root sort 'em out"
Wasn't so long ago all the British press were under scrutiny in the wake of the News Of The World Phone Hacking Scandal. I think it's still fresh on the minds of many editors in the British press and more scrutiny is not something they would welcome. In this light it was probably intentional not to go out of their way to protect him.
A feeling of having made the same mistake before: Deja Foobar
Employ Mentats. Problem solved.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
If it is meant to be eventually public, then just make it public. As Linus said "Only wimps use tape backup. REAL men just upload their important stuff on ftp and let the rest of the world mirror it" (ok, maybe not ftp right now, some more updated/social alternatives). The consequences of not releasing it (even in human lives) could eventually be worse than doing it unedited.
The Freenet network is still alive and is very useful for this kind of thing.
https://freenetproject.org/
I might be part of the few people in the world who are able to implement attacks on cryptography or busting advanced malware in random hardware firmwares in a breeze.
Still there might always be someone who knows some trick I'm not aware of, who is cleverer and more prepared, thus I don't feel safe.
The Guardian's staff is in my opinion well aware of how to use Tor and such countermeasures. They just don't want to try their luck, because if they happen to fail this is ultimate failure.
The Guardian is right and The Register is as usual a bundle of same sized wooden sticks.
1.) Encryption: It's not hard
Shouldn't really be a factor now that Snowden is known publicly. When Snowden was trying to escape the U.S. it was necessary for him to be paranoid and secretive. Now he's already given a full copy of all of his information to Greenwald in person. Snowden was protected well by his news contacts. They had him reveal himself to the world on his own time and not have his name leak before he wanted it to leak. He was safe when it mattered. The Guardian did an acceptable job getting Snowden to safety.
2.) Use clean machines
Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.
3.) How to shift the data securely
The governments of the world can potentially intercept ANYTHING. Phone calls, emails, text messages, picture messages, faxes, voices through a hidden microphone, credit card transactions, smoke signals, bank statements, parabolic intercepts. Nothing is truly secure in this day and age. A reporter can use a courier by land or plane and that person can be held in a cell for nine hours while being interrogated. But an in-person intercept is known to both parties. A phone intercept is tough to fully know about unless you have an inside source telling you "your personal phones and prepaid phones are all tracked". Thanks to Snowden I now assume that EVERYTHING is tracked by the government.
4.) Using hidden services
The government is cracking down on those. Lavabit could not stop the government. Why would any other black site or anonymous exchange be able to stop the government? The government can stop billion dollar companies from operating overnight. Like a small email or messaging company can withstand the onslaught of a multi-national cyber-military operation?
You want to use a compromised OS to generate secret keys!!! For.Real.?
What about this:
1. Use some old machine, very old machine, like CPU-486 Pentium, or even better, some chip on computer (Raspberry Pi) to install some minimal linux.
2. Use some proven package to generate the private keys.
3. Store them, write them down, on some piece of paper, and hide it somewhere secret. Even better, generate a set of PK, for every conceivable case.
4. During all these steps, never, I repeat NEVER TURN ON THE ETHERNET ADAPTER.
5. Once you are done with the PK generation, burn the damn computer, literally.
6. Now you have a set of PK that are really secret.
7. From now on, never forget, once you run Windows/Mac/Ubuntu, you are exposed. So try to use only some community build, with minimal set of features Linux, and also without any fancy GUI interface. And keep close track of all the services that you run on your computer. And log all the network traffic going to, or out of your little linux box.
Snowden and the reporters he communicated with did use encryption and other means to preserve secrecy while he was initially doing the leaks. But once it became front-page news, he wanted the publicity, and he told them to go public.
If you are going to leak some crazy stuff you might as well get paid for it.... (coinlock.com)
So how is that any safer . . . ? The government knows if you are a journalist. They can check fly lists to know where you are flying to. They can alert their own folks or their pals in the place where you are flying to. They can put a tail on you right after you step off the plane . . . or even as you board the plane.
Oh, you could get a friend to go for you. But the government know who your friends are . . . etc., etc., etc. . . .
Sound like a bunch of paranoid spy fiction . . . ? Not any more, really.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I second this. Using stenography within kitten pictures and pseudonymous identities would be safer.... not that it would be safe - just safer.
Encryption: It's not hard
Yes it is. It fails the mom test badly. More properly it is key management that is too difficult. The actual key generation can be automated mostly. Distribution and use of keys is inherently difficult with no obviously easy solution.
From TFA:
"El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance".
Since the NSA gets a lot more information from metadata than from the message itself, I imagine they'd be delighted to have journalists encrypting everything important (lazy buggers that they are, they probably wouldn't bother with anything that wasn't).
By jumping through all the hoops in the NSA guidelines, you just sorted yourself into a tiny minority that has something to hide. You can guarantee you'll have spooks from every spy agency in the free world tracking where you go, who you talk to, who THEY talk to and what all of you do all day, where you keep your money, where you spend it, and who makes your morning coffee when the wife's out of town.
And laughing. You just KNOW they'll be laughing.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
How about plain old mail? If you worry about it being intercepted encrypt your data on a micro flash drive and mail it. You could also use other carriers like FedEx or UPS. To increase the chance of it getting through use a PO Box for both the destination and the return address. If it "disappears" then nothing is lost and you can suspect that they are also reading your mail.
As much as the NSA/CIA/FBI whatever like to make you think they are God, they are in fact not. There are MANY ways to make a secure chat between two parties. No organization can be on top of all computers and all software all the time. If the parties involved have a chance to avoid physical surveillance, they are set. How are the spooks going to know which channel to listen in on? All of them? Fine. Needle in a haystack. Good luck.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
It is ridiculously easy to agree on continuously changing keys for one-time-pad encryption. All you need is a bit of imagination.
If the media companies are really so afraid that they will spend millions to do face-to-face encounters, I would happily take half of those millions and give them a far easier, faster, at-least-as-secure alternative.
Seriously. This is utter madness based on ignorance.
With all the assets governments have arrayed against citizens of all nations you've got to assume you're going to burn.
STFU, now they're going to start arresting six year old little girls with Hello Kitty motifs on their carry-on...
Operation Guillotine is in effect.
TFA (& everyone else it seems) misses a key option: release anonymously using US First Amendment protection.
The US has **the most journalistic freedom in the world**
Accept it...in fact, the Guardian is working with NY Times to release future Snowden info *precisely* because the US has the 1st Amendment. From The Guardian's editor:
Not only that, in the US, journalists may use **anonymous sources**...they risk their reputation and job, and it has to be cleared by their editors, but it is done routinely (ex: Deep Throat).
If journalists release secret info, they can be subpoenaed to reveal their source. IF THEY REFUSE...the journalist can be jailed ONLY a short period of time, never more than 6-9 months as a 'coercive tactic'...but the gov't HAS TO LET THEM GO if they still don't talk!!!
This process is something every college journalism major learns.
Glenn Greenwald is using Snowden to further his career...the way he's shopping Snowden interviews around proves it.
The Guardian could have done this **completely differently** and Snowden would still have his job, and Greenwald would have a book deal and a ton of street cred...
Thank you Dave Raggett
When you're considering moving files around like that the transfers won't be random. They'll happen at specific prearranged times. As in "I am talking to you on the phone, send me the file now"... in such an environment, you could turn a home system into a file server for a couple minutes... pull the file down or push it or whatever... and then after the transfer was complete turn the file server software off. When things only blink into existence and are gone when called for it gives the black hats less time to mess with it. Sure, they could compromise your machine in addition to that. However, tracking and hacking will be more complicated.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
I second this. Using stenography within kitten pictures and pseudonymous identities would be safer.... not that it would be safe - just safer.
300+ gig is a lot of kitten pictures.
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
It's not just the NSA and GCHQ you have to worry about, that's only 'Two Eyes' and there are 'Five Eyes':
USA – National Security Agency
United Kingdom – Government Communications Headquarters
Canada – Communications Security Establishment
Australia – Defence Signals Directorate
New Zealand – Government Communications Security Bureau
The 'Five Eyes' have ongoing multi-lateral agreements to share information. So, for example, the NSA claims that it does not spy on Americans, and that is 100% true, (cross the heart, pinky swear), *but* they share with others, this is also true, so the CSE (Communications Security Establishment) in Canada 'Intercepts' information on 'Foreign' targets (Americans) and then the CSE shares that information with the NSA. Likewise the NSA doesn't spy on Americans, but *does* spy on Canadians, then shares the information with the CSE. Rinse, repeat. It's not just the CSE gathering American 'Foreign' intelligence, Britain can gather a certain amount of information from the American East Coast via Bermuda and via remote offices in the Grand Cayman Islands and Jamaica. Remember that the NSA can spy on Canadians from Alaska too, and Canada's east coast can be intercepted from either New York or from Britain. Overlap means (We're Watching You)^5. (Australians spy on the Kiwis, the Kiwis spy on the Aussies). There are American bases in Britain with NSA intercepts. But the information is promiscuous, so all information is pooled and shared (Britain can spy on Americans via the CSE, likewise Britain can spy on Canadians via the NSA). Actually 'spy' is not quite the right word here... 'information gathering, sharing and threat assessment'... maybe that's a better term. Oh, they also spy on countries outside of the 5 eyes, pool and share all of that too.
I agree...and I think you are being overly fair to the Guardian and Greenwald. They could have done this completely differently and Snowden would still have his job and hot 'girlfriend'...
Anonymous source.
IMHO, Greenwald and the Guardian led Snowden around like a sheep, taking advantage of his internal motivations for releasing the info.
The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...and seriously it's common knowledge that the Feds could spy on us via the Patriot Act.
Read it for yourself, from USA Today in 2006:
He broke the law technically, revealing info that was Top Secret, but it's not exactly "news"....unless you muckrake and take advantage of the fact that most journalists never understood what the Patriot Act allows.
It's all hype...we definitely could have had a "national conversation about privacy and surveillance" without all this flap!
Thank you Dave Raggett
I can read it on your machine before you encrypt it
The "clean machine" never connects to the 'net. It handles the encryption and is the only machine that sees the decrypted data. The machine that touches the net (somewhere remote to your home/office connection) only sees the encrypted file.
When you realize that I have the power to quickly mobilize any police force almost anywhere in the world to get what I want, you will realize by how much you are screwed.
"If you just want to "stay anonymous from the NSA", or whomever good luck with that. My advice? Pick different adversaries."
Science is all about firing a drunk pig out of a cannon just to see what happens.
5. Protect against remote exploits with an OS like Qubes. Use its TorVM and DisposableVM features to isolate different communication domains from each other. (Certain late-model hardware configurations are best used with Qubes.)
6. Go one better than Tor and use I2P. It uses routing that is more decentralized than Tor, and since everyone shares routing bandwidth by default there is bandwidth to handle virtually all kinds of traffic... even bulk transfers and bittorrent. Security is also enhanced by having more users route traffic, and by communicating only with other I2P users by default. I2P have so far been successfully testing a distributed email system (I2P-Bote) which is far less vulnerable to attack than what you find on Tor (e.g. TorMail).
I'm reminded, in Neal Stephenson's Cryptonomicon, that the sultan of a fictional country declared that there, at least, there would be no monitoring, government interference, or strongarm tactics on the local Internet infrastructure. While I didn't learn of underwater-tapping submarines until the christening of the Jimmy Carter in 2004, I felt it was a bit of a stretch to assume that any transcontinental underwater cable wasn't tapped and monitored. Still, it seems it's better than the modern world, where I have yet to hear any country declare that here, at least, your communications, data, files, and so on are safe, even at an official level. I probably wouldn't believe it if one did declare itself a data haven, but still, it might help restore some belief in humanity if every single government wasn't essentially declaring war on its own citizens in the name of security. I don't see how this can end well.
The simplest answer: Encryption.
The huge edifice of intelligence gathering infrastructure, costing billions of dollars, that has been constructed by the NSA (and its foreign associates) can be toppled like a frail house of cards through the use of encryption.
If you don't understand encryption now, then learn. It's not difficult.
Using encryption will make the NSA, et al. totally powerless now and for all future times.
Open hardware machine, open source operating system, and good encryption.
The hardware is the only tricky part here but, in Snowden's shoes, I'd consider a ThinkPenguin running on battery good enough. For software I'd go with Trisquel or Debian (FOSS only). There are many good pieces of encryption software, just don't try to roll your own or use anything closed source or obscure.
If you're not prepared to go this far then you'll have great difficulty. Most important is to stay off the internet at all times! Maintain a 100% air-gap and transport data in person. This way you can use standard commercial hardware and more popular operating systems (and encryption is not required) but one must be prepared to destroy any hardware so utilised at a moment's notice (very difficult). A raid can come at any time, and any such hardware seized intact is a potential data breach.
I guess the Guardian has never really asked itself about trustless technical security before. However, just seeing that what they want to do can't be reliably done with Windows Dell machines is no justification for "It can't be done". There are plenty of people out there who have to take real security seriously and manage.
Why hackers do what they do.
Are they doing this to every journalist everywhere? I don't think so. They will do it to higher profile journalists working in certain areas. Ie, the reporters who worked with Snowden had already been harassed in airports quite a lot so they had reached this risky level already. But you're sort of stuck here, the other journalists were probably all off writing stories about kittens or repeating verbatim what happened in a press conference, and those may not be the ones you can trust.
And yet they were able to talk to Snowden securely, his cover wasn't blown prematurely but at a time of his choosing, and there is still secure data that has not been released. So things are not completely to the syfy level yet.
What a BS title. Snowden and Greenwald -were- using GPG/PGP ... long-established fact.
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
The recent approach of releasing encrypted insurance files is a good way to go. You put the data on a torrent and create thousands of copies, then give the key to a few dozen trusted friends. If shit goes down, one of the friends posts the keys in a public forum. It is simple and reliable.
http://michaelsmith.id.au
When the FBI took down Freedom Hosting, apparently most Tor hidden services for obscene material closed down. If all or some significant portion of those people move to Freenet, it'll have lots of traffic. Right?
7. Start doing steps 1-6 NOW. Routinely. Across your entire media organisation. When you don't need it.
Don't wait until you're doing something you want to hide, then suddenly start using high-end crypto and data obfuscation and special networks to shout "LOOK AT ME, I HAVE SOMETHING TO HIDE".
Science is all about firing a drunk pig out of a cannon just to see what happens.
One interesting side effect of this article and others like it is the spook job just got much harder. Lots of people will be looking into using encryption and some actually will because they simply don't want someone else reading their e-mail. Previously, the very use of encryption flagged an e-mail as being suspicious since the spooks could assume that people with nothing to hide (e.g., no plots or plans for nefarious deeds) wouldn't bother with encrypting their data. Now lots of people with nothing to hide will encrypt their messages just because they don't like the idea that someone could read it.
Think about what happens if encrypted e-mail traffic goes from .1% to 1% of all e-mail (I have no idea how many people use something like GPG now).
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
How exactly is using shorthand safer? And how do you use shorthand within a picture? What does that even mean?
Or were you perhaps referring to steganography?
300+ gig is a lot of kitten pictures.
Considering 2TB USB 3 external disk drives are fairly cheap you can put six times that and still carry it around in your shirt pocket. In fact you will soon be able to get 512 GB and 1TB USB thumb drives although initially they will not be cheap.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
Why is everyone trying to hide from so-called democratic governments? Entities who are supposed to work for the people and not against them? Why encrypt instead of telling these governments to take a hike?
300+ gig is a lot of kitten pictures.
Considering 2TB USB 3 external disk drives are fairly cheap you can put six times that and still carry it around in your shirt pocket. In fact you will soon be able to get 512 GB and 1TB USB thumb drives although initially they will not be cheap.
The point I was (rather poorly) trying to make is that steganography gives pretty rubbish data ratios. Even assuming you can get as good as something like 1:10, the 300 GB of Snowden files is going to become 3 TB of kitten pictures when you use steganography.
You can't use the same kitten picture for each image because then it is pretty obvious to someone searching your HD that you are using steganography and you are busted, so you have to find about 2.7 TB worth of different kitten pictures.
So, I stand by my statement: that's a lot of kitten pictures.
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
I am an inveterate letter writer. I dislike sending e-mail to friends, preferring to commit my thoughts and comments to paper. It seems that this is the most secure form of communication available since I can take steps to ensure that the recipient knows that the envelope was not steamed open in transit. That leaves the photos the postal service has been taking of the front and back of every envelope going through the mail, and I can even sabotage that a bit by using a phony name and return address and an alias for the recipient. Even the letters I write to and receive from my correspondents in jails and prisons are more secure than my electronic communication. While everything I send and receive has been read first by the jail or prison staff, they're not going to be particularly interested in my political and religious ramblings. They're far more interested in things that affect the security of the jail or prison and the inmates, gang activity, and things of an obvious criminal nature. So, bring on the snail mail!
It's really quite a simple choice: Life, Death, or Los Angeles.
But I can read it on your machine before you encrypt it, cos I'm the NSA and if Microsoft won't give me a back door (usually they do), I just lean on Nvidia, Hewlett Packard, or someone to write me a trojan into their drivers so I can get my back door. It's trivial.
This is one of the reasons that El Reg pointed us to the NSA's own recommendation to USE LINUX. Specifically, use a hardened Linux which is far more secure than any version of Windows, and rather less prone to insertion of back doors into drivers. Here's the relevant bit from El Reg:
"Buy new machines for cash from a shop and harden them against attack: why not (again) take the NSA's own advice and make sure you're using Security-Enhanced Linux, a series of patches for the open-source OS that are now part of Linus Torvalds' official mainline kernel."
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Five dollar wrench neuters the "protection" of #1 and #4.
El Reg are attacking a leftwing paper. Nuff said.
Well this is the paper that was trumpeting how it would sign up to the 'Leveson Report' Recommendations - which is essentially a reduction on press freedom in the UK. Now this Miranda 'hysteria' - man suspected of having classified British Secrets from Snowden passing through UK gets stopped and questioned (oh the horror!) they decide it is bad?
I'll take the Guardian seriously on this particular stance once they stick two fingers up to Leveson and all it implies. Yes their journalists uncovered a great story with Snowden (and Wikileaks saga too), but the editor - fuck him.
how good The Guardian is at protecting sources.
I followed your link, and it was to a Wikipedia article about a questionnaire...
I can see it...they probably used a 7-point Likert Scale.
Look, the proof of the pudding is in the tasting. The Guardian editor *himself* contradicts you and the questionnaire you linked to...he chose the *UNITED STATES* and his given reason was that its legal protection is the strongest.
End of story.
Their lawyers looked at all the countries on that list and chose the US.
You're arguing with a questionnaire, I'm saying what has happened.
Thank you Dave Raggett
First, your post is full of 'perhaps' and 'probably' and 'likely' and ....'conjecture'...
But I'll address this:
So, let's look at your argument:
Snowden went public because if he tried to release anonymously his identity might become public.
By that logic, I should run every red light b/c if I tried to stop I might cause an accident.
He could have released anonymously AND moved to Russia. Or France. Or West Virginia.
Or not moved at all and relied on the professionalism of The Guardian and Glenn Greenwald to protect him....
And about how he would have 'likely' gotten caught, literally *thousands* of techs at Booz Allen had his access, they would have had no clue...most of it was powerpoints anyway. Even with his name revealed the Feds still don't know all he took!!!
Thank you Dave Raggett
I followed your link as well...
It was to the 'criticism' section of parent's wiki link.
This is what it says:
Later, the words 'United States' are typed...they are in the paragraph, technically, but the criticism is mostly about France.
You're both trolling and I think I know why...it might have something to do with the fact that your rebuttals don't mention the main point of my original post.
Thank you Dave Raggett
I'm still amazed when I see this rubbish, would you rather that countries like Russia and China have these facilities? In those countries, it's quite easy, common even, for people to vanish without trace. At least the UK and USA are reasonably free countries with an open media that is permitted to talk about such things. Frankly, I don't give a sh*t whether people are sad enough to watch what I do online and I'm glad we have these powers, as opposed to say, North Korea or Iran.
Complete privacy on the internet seems unattainable. At the very least, people with power will always be able to access information stored electronically, because technology itself depends on hierarchical levels of control. A more just solution to the privacy problem might not be to try (and fail) to insulate systems, but to make everything available to everyone. It becomes less worrisome that the government can read your Facebook messages if everyone can. And once everyone can, privacy becomes intuitive. If you want to keep something private, write it down.
Five dollar wrench neuters the "protection" of #1 and #4.
http://xkcd.com/538/
The NSA is currently, reportedly, collecting the meta data of every phone call made through the US. It's all simple source/destination/time/duration information, and they collect it regardless of whether the originating phone is owned by Glenn Greenwald or your mother.
(I'm assuming your mother is not a major whistleblower or some other dangerous subversive the government feels the need to keep tabs on.)
So why wouldn't they collect similar metadata from every airline and other transportation concern in the country about every single trip anyone makes that has a termination or origination or both point within the US? There's going to be less data to store than the phone metadata thing, and it's going to be just as useful.
You are not alone. This is not normal. None of this is normal.
Yawn, yet another article on how to navigate a cesspool without hitting a turd.
While public/private keys work as specified, note that if you just run a Diffie-Hellman exchange (preferably using elliptic curve crypto), that protects against wiretap but not against MITM. To do that, one way (thanks Phil Zimmermann) is to get, say, a voice line and by voice compare a few digits of the key or of a hash of the key (prefer the latter) with someone whose voice you recognize. It is very hard for a MITM to just happen to guess keys in a D-H exchange that will match several digits of a hash. If you know that the hashes match (at least in part) you can be pretty sure that your exchange is direct with the person you mean to communicate with, not with some fake.
The problem with certificates is that they can be forged (hack the CA or if you are a government, force the CA to give out a signing key). Direct asymmetric crypto is good, though you want to be careful of various mathematical pitfalls. At least it does not depend on a CA.
Such methods could be used by the likes of the Guardian to get new copies of the material that was destroyed.
Quantum Entanglement as a means of key distribution.
BTW Stenography should be an important part of anyone's toolkit.
So what you're really saying is that icanhascheezburger is a secret data dump?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
First, the Guardian editor did indeed say that they were coming to the United States for its 1st Amendment protection...it's right there in my post.
It is because of the laws of the nation not any one publication. Re-read it. Go on. Maybe click the link too and read the whole thing.
Second....
Wrong AGAIN.
The questionnaire was of **attitudes** of survey respondents. That kind of data is VERY LIMITED in the conclusions you can draw. It's like asking 1000 people if they are hungry.
The Guardian editor...well HIS ASS IS ON THE LINE and he's in a better position to know the legal specifics.
You're comparing apples and oranges because you think it proves some kind of greater point about Snowden.
Face it, the Guardian editor...the Guardian's lawyers...they were looking at **LAW CODE**
That survey asks **opinions** of everyday writers about political moods.
This is pointless because you're obviously trolling...
Thank you Dave Raggett
You have an over-inflated idea of the technical chops of those in the media, the UK especially (C. P. Snow's two society is still relevant); most journalists don't have much knowledge of IT and security. I doubt that Duncan Campbell would have made such silly mistakes though.
At least the UK and USA are reasonably free countries with an open media that is permitted to talk about such things.
"Reasonably Free".
Two years ago you would have said, "Free".
Give it another two.
In my opinion, when you can have your house descended upon for making a Google search for pressure cookers, you don't live in a country which is even "reasonably" free. Nor when you can be randomly stopped and frisked on the streets of New York without any compelling reason. Nor when you can have your car and possessions seized for fun and profit by police forces.
But ain't it great that we can still talk about it?
These suggestions might be acceptable for someone under the radar, but for an organization like The Guardian which is no doubt being actively targeted by intelligence agencies, these suggestions are not very useful.
The NSA and its sister agencies are well equipped to monitor unintentional sources of EM emissions: keyboards, monitors, etc. all radiate EM that can allow an advanced attacker to see what you see and what you type in real time at a considerable distance, without any need to physically hack into systems or tap communications links. Faraday cages, physical security, and other surveillance countermeasures would be better suggestions than using GPG and Tor.
The key thought: you run something like a Diffie-Hellman exchange to get a shared key. This will work and not reveal the key even to an eavesdropper.
To keep a MITM from faking both ends, have each end hash the final shared key. Over voice, where you recognize one another's voices,
compare several digits of the hash. If they compare, there's no MITM with high probability. Go ahead and use the key for data transmission.
Repeat this procedure for every bunch of transmissions.
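The exchange-then-voice-check procedure described in the comment above (and in the earlier comment on the same idea), as an added Python sketch that is not part of the original thread. The group parameters, the `voice-check` label, the six-digit length and all function names are assumptions made for the illustration, and the intercepted case is simulated entirely in-process.

```python
import hashlib
import secrets

# Constructed demo group: 2**255 - 19 is prime, but a 255-bit finite-field
# group is far too small for real traffic. Real use: X25519 or a large MODP group.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive the session key from our private exponent and the peer's public value."""
    if not 1 < peer_pub < P - 1:                 # reject 0, 1 and p-1
        raise ValueError("degenerate public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def voice_digits(key, digits=6):
    """Digits of a hash of the key (not of the key itself) to read aloud."""
    h = hashlib.sha256(b"voice-check" + key).digest()
    n = int.from_bytes(h[:8], "big") % 10**digits
    return str(n).zfill(digits)

def run_exchange(mitm=False):
    """Simulate one exchange; return (alice_key, bob_key, alice_digits, bob_digits)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # An active interceptor substitutes its own public value in both directions,
        # so each end shares a key with the interceptor, not with the other end.
        _, m_pub = keypair()
        a_key, b_key = shared_key(a_priv, m_pub), shared_key(b_priv, m_pub)
    else:
        a_key, b_key = shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)
    return a_key, b_key, voice_digits(a_key), voice_digits(b_key)

if __name__ == "__main__":
    for label, mitm in (("direct", False), ("intercepted", True)):
        _, _, a, b = run_exchange(mitm)
        verdict = "OK to use key" if a == b else "MISMATCH, discard key"
        print(f"{label:12s} Alice reads {a}, Bob reads {b}: {verdict}")
```

ZRTP, Zimmermann's protocol built on this idea, additionally has one side commit to a hash of its public value before seeing the other's; this sketch leaves that step out.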
Well, there is a lot of pussy on the net.
Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
Don't wait until you're doing something you want to hide, then suddenly start using high-end crypto and data obfuscation and special networks to shout "LOOK AT ME, I HAVE SOMETHING TO HIDE".
I'm considering it but the friends that could technically do it may not care. They also use gmail for their mail, which even encrypted and pre-Snowden, I've not trusted much*.
Network effect is horrible for this, so I'll never be able to go full encryption. SO... Is there some forum frequented^W dominated by slashdotters (away from bugged FB, Google et al) where we could seriously test this, and maybe implement more lasting trust relationships? of course, the focus would be via communicating with email instead of the commenting system here or at that place. Barring that, is there some #irc channel?
* Stuff like Google Latitude sounded like a bad idea when it came out in pre-android, pre-google plus, pre-wifi-collection scandal days, let alone now.
Metadata means they know when and to whom the phone call was made, and it's saved to be reviewed later when needed. No one is sitting monitoring phone calls of everyone all the time. So you can make headway and sneak around the spying if you're not on the top of the list; it is NOT yet time for journalists to all give up as a hopeless cause and the advice given should be very useful in protecting the sources even after you're discovered.
It may not be news to a lot of veteran computer folks.....It is news to the general public though......Now it's a FACT instead of just a well accepted assumption.
It was **fact** the moment the Bush administration signed the Patriot Act!
Patriot Act. That's where this next level of surveillance started and progressed from there.
I won't argue with you about what 'the public wanted to know' and when...it's a troll-trap, look at the AC comments below...the fact is people have been **screaming their fool heads off about the Patriot Act** and surveillance since it was signed.
Bush's critics were consistent all the way through.
In 2006, the article I linked above, reported that "The NSA has massive database of Americans' phone calls"
You need to learn something about the news industry right now. I used to be a Republican believe it or not, and I had a promising career in broadcasting at a Fox affiliate in Iowa around 2001. I have worked in a newsroom, so I know what I'm about to tell you from experience:
The editorial function in news, essentially the 'brain' of the newsroom, has been systematically destroyed by bean counters and marketers (and some illuminati types re: News of the World scandal) in a desire to control human behavior through the media. Sure sales is persuasion, but it's like they're slipping us a date-rape drug with modern marketing and news.
THAT...that one factor more than all the others...the rise of mainstream national news networks that function as PR and Propaganda arms of a political interest while claiming to be 'news'...it ruined an industry.
The death of the news editor is why CNN is so awful. It's why, in 2006 when anonymous sources leaked that "The NSA has massive database of Americans' phone calls" no one had the balls to **challenge the Bush administration**
I hope this clears things up for you. I think you are coming from a genuine place but as a person who's worked in print and TV news it's obvious you don't know how it works.
We should have had a 'national conversation' about this shit in 2001...the mainstream media guides the 'national conversation'...not until after Bush did these stories get any traction...what does that say about the mainstream media and Obama?
Thank you Dave Raggett
Look, I'm copying some relevant parts from my original post:
it's about *codified legal protection*
The US has the strongest laws on the books, with a process that allows someone to **release top secret information** without being charged with a crime. The news entity that *reports* can be only temporarily detained and again it's not a crime to report it.
Also (I mentioned this before too with quotation from Guardian editor), the US forbids prior restraint...something England does not enjoy.
I read the links to those questionnaires...I understand that 150 journalists surveyed about their attitudes of press freedom ranked the US lower...that isn't evidence that helps your contention in any way.
I'm saying "Mexican Coke has cane sugar not high-fructose corn syrup" and your rebuttal is, "Wrong! Surveys show people choose Pepsi over Coke 2 to 1 in a head to head blind survey...BAM I win"
AC...look...you're dragging a Red Herring across the trail when you argue against my phrase "The US has **the most journalistic freedom in the world**"...the tactic you're using is to isolate one fuzzy area and create controversy to avoid the other evidence.
Beyond all I've said, the fact that when the Guardian editors were put in this situation, in the real world just recently, they obviously listened to a lot of legal advice from some very good lawyers. It is safe to assume they are aware of how journalistic protections compare globally.
They chose the USA. They stated **explicitly** why: our codified legal protections are the best in the world...I linked and quoted them above.
As far as Manning goes...after he was caught, tell me what could anyone have done? Are you suggesting Obama by fiat declare that Manning be released? Is that really your contention? If not, what then?
You must answer because you only presented half an argument.
Bradley/Chelsea Manning's fate was a legal certainty.
I agree with you, that 35 years is too much...I said s/he should have gotten time served (originally I was in favor of charging him with misdemeanors).
But these are **legal minutiae**....yes it matters, but there is no alternative. Obama could not have directly intervened once he was caught without alienating moderates and the military.
Obama could have freed Manning technically, but it would have cost him the election.
Seriously, can you imagine the Fox News headlines "Obama lets terrorist go free"
It would have alienated a sizable portion of his own cabinet as well.
Nope...
Thank you Dave Raggett
It is dead simple to use with all the key management being done without user intervention.
See that is THE problem because how do you know the key management software has not been compromised? How do you revoke and replace the keys without any user comprehension of the process? How do you ensure that a third party has not intercepted the keys during distribution? How do you make sure the keys are securely stored at the end points? That is why it is so hard to automate key management. I'm not going to say it is impossible, I'm just saying that establishing a truly secure communication path is genuinely hard to do and I have yet to see any way to make it truly easy for more than a portion of the process. You can have it easy or you can have it secure but so far easy and secure is a bridge too far. Don't get me wrong, I hope someone figures it out. I'm just not optimistic that anyone will.
You do need a trusted 3rd party involved but I think that drawback can be overcome.
It really cannot in most cases. The whole point of encryption is to ensure that third parties cannot read the document. If you trust a third party then you pretty much by definition have no way to know if your keys have been compromised. The concept of a trusted third party is close to being a non-sequitur. While not impossible (trusted third parties do sometimes exist) it's not a particularly safe state of affairs. Kind of like in physics, three body systems are inherently unstable.
Distribution and use of keys is inherently difficult with no obviously easy solution.
By using a Private/Public key pair, several of the difficulties are simplified.
(The journalist publishes her/his own public key out in the open, and keeps the private key completely hidden and offline).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]