> In other news... by putting a banana in the exhaust pipe of the car or van
> that's been watching you, they can't follow you.
Axel...is that you?
> Used condom wrapper: It fits in your wallet. It's easy to come by. Almost
> nobody will stop to pick up and investigate your used condom wrapper for
> secret passwords.
> Pros:
[snip]
> Cons:
> - If you keep it in your pocket and it gets washed, you might have some
> 'splaining to do to your committed girlfriend or wife
"Honey, it's not what you think it is, I swear!! In this condom wrapper were
vital secrets I needed to get in...I mean, to gain access to, uhhmmm...you
know....login? And I always had to have it with me cuz I didn't know when I
was gonna need it, especially when I'm away from you on business trips in some
cheesy hotel. Sometimes just like that you just gotta take it out and use
it...I mean, it's like an emergency then, you know dear? Like when I was with
Suzie from the Help Desk for the conference in Atlanta...she called me from
the other room and said "I'm havin' a hot situation here...please come over
right now and bring what you need to get on my system!"...you see, how handy
this was?? Couldn't have done it without my perfect preparation for just such
a situation, I mean, she later said, she was very pleased I was around and
that I am a true hero who saved her day and stuff!...You understand, right?"...
"OK, I'll sign the divorce papers." :-(
The SO happens to love YouTube for finding songs she can use with her music students. So she downloads them and then converts/burns the audio tracks to CD. So far only on Windows with some YouTube video downloader & converter program. Anyone have suggestions how she can do this process under Linux (Ubuntu)? Difficulty: It should preferably be a GUI-solution...she's willing to try, but not that technically inclined. I'll help her get set up though if needed.
In Soviet Russia government googles you!
> You pay money to certificate providers so that your customers won't be
> frightened away by scary browser warnings.
Which they get anyway....and next ignore. Yippie Skippy!
While the SSL crypto part is pretty neat, I always felt the commercial CA
thing is one of the biggest money-making rip-offs in the entire IT field.
Nor do I believe it to be secure or "trust" it. We always assume MITM's to be
someone without access to the CA's themselves. Frankly, the people I worry
more about are those, that DO have access to the CA's and are thus able to
create perfectly valid certificates at a whim for any application, incl. a
chained MITM attack. SSL is, IMHO, not in any shape safe from certain
government intrusions. Ironically, likely due to the so-called "trust" model
it employs.
No longer 'random' I meant to say ;-)
> why not reverse the distributions, so that lots of Q,W,X,Y are present, and
> only a handful of E,T,A,I,O,N, and use that to generate a random password ?
When some characters have more chance to appear than others then it's by
definition more longer 'random'. Random is, when they all have equal chances
of being drawn, so you want 26 tiles, one per letter of the alphabet.
> An irrelevant note I might add. All PGP/GPG encrypted data is symmetrically
> encrypted using a randomly generated key. It is only that resulting key that
> is then encrypted using the public key, for speed reasons.
Purely from method you're correct. But the distinction made prior between
public key and straight-symmetric is quite relevant to this discussion. If the
files were encrypted with public key encryption and the private key is lost,
you have no other choice but brute-force attacking the cipher with associated
cracking-time. Attacking the password is not even an option anymore, as
opposed to having the files symmetrically encrypted where you can still choose
between attacking the cipher or the passwords.
> If the encryption software works as advertised, they would need the private
> key file to exploit this.
You are confusing public key encryption (1 private key & 1 public key) with
conventional/symmetric encryption (gpg -c) where no separate key per se is
required. The encrypted file is all you have.
> (from wikipedia) English-language editions of Scrabble contain 100 letter
> tiles
I meant using scrabble tiles in principle. So obviously 26 a-z
characters/tiles, not 100 with uneven and therefore non-random distribution. :-)
> I was under the impression that crypto like PGP was based on stuff which
> would (in theory) take millions of years to crack even with every machine on
> earth dedicated to it?
That's true if everything's equal. Including your passphrase. If the cipher
for encryption is 128-bit strong, then your password/passphrase needs to match
that. If it doesn't it's the weakest link, easier to attack than the actual
crypto algorithm and will take accordingly less time to crack.
Example: For a password composed only of lower-case a-z English characters,
you'd need 28 characters chosen in a true random fashion (think scrabble tiles
pulled out of a hat) to actually achieve a strength of 128-bit, that matches a
128-bit crypto or hash algorithm.
The strength of TFA 'sweetspot' passwords was somewhere around 60-bits.
Since even RC5 has been broken at 64-bits (distributed.net - though it took
some time), such passwords are OK for low-priority stuff but not, if say, the
NSA is after you ;-)
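Added example, not part of the original comments: the tile arithmetic from the two posts above, comparing one tile per letter with the uneven Scrabble set and with the "reversed" set suggested in the quoted post. It assumes each tile goes back into the hat after a draw and uses the standard English tile counts without the two blanks; all function names are made up for this illustration.

```python
import math
import secrets
import string

# Standard English Scrabble letter counts, blank tiles left out (98 tiles).
SCRABBLE_COUNTS = {
    "E": 12, "A": 9, "I": 9, "O": 8, "N": 6, "R": 6, "T": 6,
    "L": 4, "S": 4, "U": 4, "D": 4, "G": 3,
    "B": 2, "C": 2, "M": 2, "P": 2, "F": 2, "H": 2, "V": 2, "W": 2, "Y": 2,
    "K": 1, "J": 1, "X": 1, "Q": 1, "Z": 1,
}
# One tile per letter, as the post recommends.
UNIFORM_COUNTS = {c: 1 for c in string.ascii_uppercase}


def reversed_counts(counts):
    """Swap frequencies so the rarest letters become the most common ones."""
    letters = sorted(counts, key=counts.get)          # rarest letter first
    values = sorted(counts.values(), reverse=True)    # largest count first
    return dict(zip(letters, values))


def shannon_bits(counts):
    """Average bits of entropy per draw (tile returned to the hat each time)."""
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def min_entropy_bits(counts):
    """Worst-case bits per draw: the guesser always tries the likeliest tile."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def draws_needed(target_bits, bits_per_draw):
    """Number of tiles to draw before the password reaches target_bits."""
    return math.ceil(target_bits / bits_per_draw)


def random_password(length, alphabet=string.ascii_lowercase):
    """Uniform draw with a CSPRNG: the software version of 26 tiles in a hat."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    hats = {
        "26 tiles, one per letter": UNIFORM_COUNTS,
        "Scrabble set (98 tiles)": SCRABBLE_COUNTS,
        "Scrabble set, reversed": reversed_counts(SCRABBLE_COUNTS),
    }
    for name, counts in hats.items():
        h, h_min = shannon_bits(counts), min_entropy_bits(counts)
        print(f"{name:26s} {h:.3f} bits/draw avg, {h_min:.3f} worst case, "
              f"{draws_needed(128, h_min)} draws for 128 bits (worst case)")
    print("sample 28-character password:", random_password(28))
```

Reversing the distribution only relabels the tiles, so it carries exactly the same entropy per draw as the normal Scrabble set; only equal tile counts reach the full log2(26) bits per character that the 28-character figure relies on.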
> I said *I* didn't care if people read MY emails. I didn't say *I* didn't
> care if PEOPLE read ALL emails, now did I? Learn to read and stop making
> assumptions. Context is important.
Learn to think. Unless you're talking to yourself via e-mail, there are two
parties in the exchange. So forget about that self-centered "MY" e-mails.
> Hey, cheaper turbines making cheap electricity. We're preserving the
> American Way of Life.
No, we don't. At least when you look beyond tomorrow morning. If all we can
afford is cheap and ever more cheaper, our standard of living will eventually
be just that: cheap crap. While in the meantime the Chinese raise theirs, have
better and more quality products and can afford it easily.
The Chinese are incredibly clever...they produce everything 'for cheap' just
as we idiots want them to in our penny-wise, pound-foolish attitude. We give
them our precious fruits of 'research and development' to produce the actual
products. So even if they produce at a loss, it's a huge
win-win-win-win-win-etc situation for them. They practically leapfrog over
what took our economy years and decades to develop.
For every factory producing goods according to our blueprints is one shadow
factory a few miles further, producing the same exact item minus the
brand-name. That will then be sold across all of Asia, including the 'Chinese
market' our western capitalists like to salivate over, for half the price than
the identical 'original' item. In the end they not only got the know-how for
free, but also manufacturing methods, perhaps even the machines to produce and
then make money at the end with their own copies while our business has to
fold as it can't compete by any margin at least on their Asian market.
That they sell turbines of all things to us should be shaking us to the core!
> the US Gov't that they are reading the to, from, and subject on ALL mail. Of
> course, that means all mail that they can snoop, but that's a lot of mail. I
> sincerely doubt they have the processing power to search all email for all
> keywords
I don't doubt they have the processing power. Remember...it doesn't have to be
real-time, although that'd be the ideal situation for them. All they need to
do is copy the stream and then, at their relative leisure, search through it.
The private black-rooms for just that seem to have existed for a long time now,
according to the ATT whistleblower. If Google can store every damn search
string ever entered, it can't be that hard to compress and store all e-mail
traffic, even if quite large in volume. Disk space is just as cheap for the
NSA as for anyone else...perhaps even cheaper due to massive bulk orders.
> only mail which fits or doesn't fit a particular pattern gets internal
> inspection
That's where the keywords come in, which may be actual words from the
conversation bodies, or one of the participants' name/address/number etc.
Then, as far as is known, the intercept gets tagged and forwarded to a human
analyst.
> If this doesn't get appealed away, say hello to widespread email encryption
> and encryption in general.
It won't matter to most people ("nothing to hide"). It's a psychological
issue: they don't see the people reading their e-mails, cuz if they would,
they WOULD have a problem with it.
It would help to actually capture and publish random plain-text e-mails for
all to see until it clicks in that it's not private. Then, maybe then
something would change.
> Other packages detected by dog were allowed to continue, and surveillance
> was set up based on that.
So you're telling me the decision of whether I get subjected to surveillance
gets made by a dog?? Sometimes I think, even the communist countries had more
stringent requirements to do their crap...
> I don't use PGP (I don't give a fuck if people read what I send in email,
> but that's just me)
Actually you may not give a fuck about your privacy, which is all good and
well as it's your decision. But you're also, and that's conveniently forgotten,
not 'giving a fuck' about the privacy of anyone you converse with, regardless
of *their* views on the subject.
> Oh certainly, if everyone you get email from uses PGP, you're already good.
I am still waiting for true opportunistic encryption between mail clients.
Think E-mail header "Opp_Crypto: Yes" and "Crypto_MUA_Public_key:
keygoeshere". It could encrypt completely in the background between two
parties, or rather, between their respective MUA's, without user intervention.
Imagine this as default in Thunderbird.
For true verifiable privacy the users could still actively engage in key
exchanges and planned/user-driven encryption and signing.
Another option would be the principle remailers use. The various mail servers
could have their own public keys, so you'd (super)encrypt to the receiving
mail server.
Example: you want to send to cooldude@yahoo.com. Cooldude, despite his handle,
does not use encryption actively and does also not have a cool MUA that does
opportunistic encryption. However, you can encrypt your mail to
mailserver@yahoo.com, who then decrypts the mail and puts it in cooldude's
e-mail box as usual. This would be the next-best-thing to end-to-end and,
perhaps more importantly, remove the chicken-and-egg issue of using encryption
programs.
> ECHELON already reads the To:, From: and Subject: lines of all email sent
> over any significant hops
Actually Echelon reads and hears just about everything, incl. the actual
conversations (e-mail bodies, phone conversations, IM's etc.pp). Hence the
keyword searches they then perform on the text of the given conversation.
The To:, From: and Subject reading is already done by the various national
wanna-be-Echelon databases for data retention (the actual conversation/e-mail
bodies will soon follow, read my lips).
> What's the signal for "Windows has crashed and I have to wait for it to
> reboot"?
Or rapping with 7 stretched-out fingers against the cockpit window while grimacing blue-faced.
> What's the signal for "Windows has crashed and I have to wait for it to
> reboot"?
You wave furiously with the blue card at the fighter pilot...
> Do you know what happens to a captain (or any pilot, for that matter) when
> they are terminated? They start at the bottom of any airline that hires
> them.
Perhaps as baggage handlers. I'd be very surprised if any airline would
willingly engage in the potential public relations disaster by hiring a pilot
"who already previously has put several hundred lives at risk".
> Likely the fighters would escort the passenger jet for awhile trying to
> gather as much information as possible.
Since civilian planes are pretty slow in comparison (remember that golfer's
Cessna incident a few years ago where they escorted him across half the
country)...just how slow can such an F-16 actually fly without dropping like a
rock?
> It's amusing and interesting to see what people have to say on forums when
> they are really able to be anonymous (trolling aside).
I CAN HAZ CHEEZBURGER?!
> Sneaker net people or meet and greet with an understanding of one-time pads :)
I am still hoping for some bright person to come up with public key encryption that does not involve a computer and its math power, but can be done with pencil and paper...