How to remain secure against NSA surveillance -- Bruce Schneier

[GRACIE JIU-JITSU]

No, and I highly doubt it has. 100% of the TrueCrypt source code is open and available to everyone and has been examined by at least two well-known cryptographers who would happily publish papers exposing any backdoor that they discovered. Care to elaborate on this backdoor or at least provide a link that I can look at?

This isn't to say that TrueCrypt doesn't have shortcomings or can't be subverted. It does and it can. But then again, everything can be subverted, and all known attacks utilize vectors that the TrueCrypt security model isn't designed to protect you against.

As I said in my original post, once someone has physical access to your machines then all bets are off and if you are security-conscious you should consider that they own the machine and it can no longer be trusted.


"hacked" is a bit of a sensationalistic title. Like all media reporting on esotetic subjects, they tend to conflate many different issues and to use big words that don't accurately describe the situation.

The simple fact is that tor isn't designed or meant to provide security, and if you use it as a security provider then you shouldn't be surprised when it breaks.

 What would you call " using a malware to get the MAC address of everybody that had/has visit "lolita"?


 Isn't TC has some parts of the code that isn't open?

[avxo]

What would you call " using a malware to get the MAC address of everybody that had/has visit "lolita"?

I don't know what "lolita" is, or what possible use a MAC address could be, really, seeing how it never travels across the Internet (what with being a Layer 2 thing). Plus, much more useful "fingerprinting" information leaks out from browsers on a daily basis in the course of casual use; look at https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick for more details.

As for the use of malware by the government (or really, by anyone), I oppose malware on principle. But it's really nothing new. There are some steps you can take to reduce the risk of this, but unfortunately, you cannot guarantee that you won't fall victim to such software.

Isn't TC has some parts of the code that isn't open?

No. The entire source code is available. Don't take my word for it, visit http://www.truecrypt.org/downloads2 and download the source code yourself. You can even build it if you have the right tools. They are, also, freely available.

[avxo]

Really, who cares?

I do. And many others like me do. Just because you don't value your privacy and believe that it's OK for the government to have access to everything doesn't make it right.

[The Ugly]

I do. And many others like me do. Just because you don't value your privacy and believe that it's OK for the government to have access to everything doesn't make it right.

Yeah, it doesn't bother me at all.

[avxo]

Yeah, it doesn't bother me at all.

That's unfortunate, but not really unexpected.

[GRACIE JIU-JITSU]

I don't know what "lolita" is, or what possible use a MAC address could be, really, seeing how it never travels across the Internet (what with being a Layer 2 thing). Plus, much more useful "fingerprinting" information leaks out from browsers on a daily basis in the course of casual use; look at https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick for more details.

As for the use of malware by the government (or really, by anyone), I oppose malware on principle. But it's really nothing new. There are some steps you can take to reduce the risk of this, but unfortunately, you cannot guarantee that you won't fall victim to such software.


No. The entire source code is available. Don't take my word for it, visit http://www.truecrypt.org/downloads2 and download the source code yourself. You can even build it if you have the right tools. They are, also, freely available.

 They got way more stuff than just a simple MAC address... and by they i mean "feds".

 But you haven't answer my question... doing all the malware/mac address think isn't that hacking?

 Yeah i know the TC code.

 DDG lolita darknet.

[avxo]

 They got way more stuff than just a simple MAC address... and by they i mean "feds".

 But you haven't answer my question... doing all the malware/mac address think isn't that hacking?

 Yeah i know the TC code.

 DDG lolita darknet.

Ahh, yes. I remember reading a paper about that, in addition to quite extensive coverage on tech sites. The name "lolita" had escaped me.

Now, I'm sure they got quite a lot, but you specifically said MAC addresses, and that's what I responded to.

As for malware, I think I was pretty clear that I am opposed to malware on principle. If you want me to clarify my position even further, I believe that surreptitiously installing any software (and I use "software" here to include things like firmware and microcode) on a machine without the informed consent of the machine's owner, whether it is by exploiting zero-day attacks, publicized attack vectors or by physically manipulating the machine or whathaveyou, constitutes "hacking" in the sense that you use the word.

We can argue legal semantics if you want (i.e. whether getting a warrant makes this more palatable) but ultimately what it boils down to is that it is hacking, at least in my book.

[Griffith]

Avxo, what are your thoughts on TOR?

[Red Hook]

I don't do anything secretive enough to go that far, but it's good to know. I don't care if the NSA wants to see me text my wife or friends because it's usually a stupid message about a huge shit that I took in the morning or "meet you at 5pm" messages. But it's disconcerting to know that EVERYTHING is accessible to them.

When I get the time I'll cover my tracks a bit more to make them have to work harder. Kind of sucks to be treated like a terrorist by default. Even in another country, everyone's being spied on.

would you open your door and allow a stranger to search through your mail, computer and phone?

[avxo]

Avxo, what are your thoughts on TOR?

I find it to be an interesting concept and a neat project. Frankly, I think that, theoretically, the most interesting aspect of Tor is hidden services. I don't personally have much use for it, but I can see situations where it might have appeal.

But I think that in presenting it as an infallible "anonymity" tool, promoters are doing a great disservice. It's true that Tor can afford you some anonymity, but it doesn't anonymize you per se. But I guess it depends on what "anonymity" means to someone and who they seek to be anonymous from.

I find that the protocol has “weaknesses” but use the term somewhat loosely. The most important, in my opinion, being inter-node collusion and the overall poor performance of Tor-routed connections. Right now, someone wishing to subvert Tor who could afford to host four or five servers with decent bandwidth, with some acting as entry nodes and some as exit nodes, could collect a lot of information that could be analyzed to look through the onion so to speak.

My suggestion if you use Tor is to always encrypt data before routing it via Tor; the idea is that you only feed encrypted data into the Tor network; never unencrypted data. At that point collusion can, perhaps, reveal the true end points of a connection, but little else.

Of course, that's not new. My suggestion is to always encrypt data. To not encrypt it borders on criminal, in my opinion.

[Griffith]

I find it to be an interesting concept and a neat project. Frankly, I think that, theoretically, the most interesting aspect of Tor is hidden services. I don't personally have much use for it, but I can see situations where it might have appeal.

But I think that in presenting it as an infallible "anonymity" tool, promoters are doing a great disservice. It's true that Tor can afford you some anonymity, but it doesn't anonymize you per se. But I guess it depends on what "anonymity" means to someone and who they seek to be anonymous from.

I find that the protocol has “weaknesses” but use the term somewhat loosely. The most important, in my opinion, being inter-node collusion and the overall poor performance of Tor-routed connections. Right now, someone wishing to subvert Tor who could afford to host four or five servers with decent bandwidth, with some acting as entry nodes and some as exit nodes, could collect a lot of information that could be analyzed to look through the onion so to speak.

My suggestion if you use Tor is to always encrypt data before routing it via Tor; the idea is that you only feed encrypted data into the Tor network; never unencrypted data. At that point collusion can, perhaps, reveal the true end points of a connection, but little else.

Of course, that's not new. My suggestion is to always encrypt data. To not encrypt it borders on criminal, in my opinion.

Thanks for the detailed reply.

[Jack T. Cross]

Yeah, it doesn't bother me at all.

Does the thought of political subversion bother you?

[_aj_]

http://blog.cryptographyengineering.com/2013/09/on-nsa.html