General Paranoia

You obviously missed the point that everyone else seemed to grasp - that statement was a general one, not about details. No matter what method you use, once it has left your hands, you can not guarantee its security. Some methods are more secure than others; most are 10x more than you'll ever need for securing transmissions about your Aunt Judy's nail fungus. The point, though, was that nothing is secure enough to become complacent over.

anonymizer rules in almost every way.. the F-secure software they offer with their subscription is pretty decent. (though it isn't required to use)

JAP is decent and free : http://anon.inf.tu-dresden.de/index_en.html

[c]... another neat tool to use in conjunction with surfing for windows is Proxomitron: http://www.proxomitron.org/

The nice thing about proxomitron is you can put it on a spare windoze box that you never use, and let it be a crap-filter for your *NIX boxen that you surf with also. Too bad there is not a linux version of it..

Well, great. Since we've both admitted that we've got a fairly rudimentary understanding of the topic at hand, let's drop that part of the equation. Let's focus instead on the lack of tact on your behalf that got us to this point. I don't parrticularly appreciate having someone making what seem like snide replies to a comment I post in reply to someone else.

Well, if there's nothing to fear, I'm sure you won't mind posting your full name, home address, any telephone numbers you may have, your social security number (or equivalent), and the numbers of any major credit cards you may hold along with their expiry dates. Personally, my evidently-overwhelming sense of paranoia unreasonably keeps me from doing things like this, but seeing as how I'm just unreasonably cautious, you'll be just dandy with showing me how wrong I am.

[Allow me to spell it out: MODERATION.]


As I said before in a rather more roundabout manner: the question wasn't the problem, the tone was. Further, it seems odd that *none* of the other people participating in this thread - regardless of the technical merit of their answers or otherwise - received the reaction I did from you. Odd, that. Made me wonder somewhat how serious you really were.

Fair enough. Hard to tell that until you mention it, though.

Hey, you drop it as well and use more tact in the future and I'll do you the same courtesy.

no, I didn't miss the point. I agree, there is no assurance once it leaves you and there is no tool that allows you to be complacent enough to not worry. my point is that I don't agree that a generalized statement can sum up reasons why a tool is useless, just because the statement says so. and that is why I asked for more data from the person who made the statement.

I have no beef with skroo and this is not a pissing contest. maybe the question I should have asked to him should have been: why do you believe that 'it's already broken'.

I agree that my original statement had no tact and might have come off snide. I have tried to correct that by being thorough and direct in my response. I have a lot of respect for you (thought the talk you and grifter gave at dc10 was cool) and did not mean to get into it with you. but I suspect your response to the other comment was alot like mine: quick, off the cuff and not complete thought out.


again, I am not disagreeing with you. But healthy paranoia is something that you deal with in MODERATION, tempered with some common sense and experience.


as I said before, the original tone of my response was not as it was meant. I will admit that it frustrates me when people put off the cuff answers that generalize issues that aren't that clear. hence my curiousity.

ok, I'm cool with that, on 2 conditions: first, can you explain why you believe crypto in general is broken and second, you let me buy you a couple beers at dc11 to make it all good. either that, or a warp core breach at Quarks.

Glad you liked the talk. And no, I was not being considered in my reply, simply reacting to what I saw. Either way, let's just dump it and move on.


I'll answer this in reverse: yes, thanks, either one works :)

As for the first part: by 'broken' I didn't mean non-functional, but rather already cracked. My personal theory, based on what I've read and heard, is that pretty much all crypto we currently use is fine for keeping the casual shithead out of your business, but under a government/military level of scrutiny, it's pretty well useless.

My reasoning for this is based on a couple of things. And again, I'm not a cryptographer by any means, so if I'm off-base on any of this I'd like to know.

Most hardcore cryptographic algorithms rely on factoring large primes and processing the results of those factors. This is all well and good, but if the algorithm itself is flawed, the encryption scheme is as well. Granted, it'll take time to find where the breakage is, but there's a number of ways to do that: code review, pattern analysis, and, as always, brute force.

Of course, that assumes that it's necessary to undertake any of these steps to begin with in order to derive the unencrypted data. Heavy encryption (at least in this country) is classified as a munition for good reason: it can be brought under government and military control *before* its release into the wild. In fact, there is a legal requirement for software companies to submit code dealing with heavy crypto for examination prior to an export licence being granted. And given the nature of software transfer, not having that licence is not worth the potential penalties if testing is skipped.

In addition, we have an historical precendent for consumer-grade crypto products being backdoored. Remember the fuss over the Clipper chip? Privacy until, say, Law Enforcement wants to listen in on your calls. Same thing with the 'secure' fax machines that had to be so severely hobbled as to be useless in terms of truly protecting information.

One other recent thing that's bothered me: for a few days last year, I heard reports on the radio of an Indian mathematics professor who may have found a shortcut to deriving large primes - meaning that all current crypto would be instantly rendered useless. It was all over the news, and then... Nothing. Yeah, it could've been that that was all there was to it and that the hype was unjustified, or it could be that the guy is now living a very comfortable life figuring out better ways of obviating private communications.

So, while I don't consider crypto pointless, I feel that much of the sense of security it gives is just that - a feeling of well-being that it's being used, but not as much in the way of actual protection as one might think. Useful for keeping the neighbours from snooping your cordless traffic, but otherwise not so great if they *really* wanna know what you're up to.

Very well articulated skroo.

Not being a part of the government(s) myself, I can only imagine that a lot of things become "not important and worthless" with the right persuation and cash flow... or maybe we really do spend $500 a pop on toilet seats

While crypto is cool and all to keep fuckwads from viewing information certain information I care a little about... I personally don't put a lot of faith in it, nor any of the leading crypto freaks... for all I know, Zimmerman's role is a total charade

From a purely commercial perspective, I *CAN* say that encrypted disk technology is a must for anyone doing security assessments for organizations. I'm simply not comfortable leaving confidential or hazardous information about network vulnerabilities on a drive that isn't encrypted. I've heard too many stories about people losing their laptop or having it stolen. That doesn't generate loads of customer trust.