Encrypt all the things!

  • I'd also like to add something else.

    If the only people who use encryption are those with something to hide, then you've consciously outed every political dissenter in the world.

    Encryption isn't just something terrorists or criminals use, it's a fundamental part of securing communication and information. It is extremely telling that Iran shut down SSL (port 443) on the anniversary of last year's uprising, thereby preventing any dissenters any private communication or ability to organise.

    One of the best things people can do to support the right to free speech is to help make free speech the very basis of all communication, which implies strongly that it can be both anonymous and private. It need not be both, but certainly it should be capable of both.

    If you feel in any way that the world needs more people able to take a stand, and like most in the West you feel that this isn't you... fine, but one thing you can do is help to popularise encryption such that those who do risk everything to enact change are able to do so because they aren't immediately identified.

    Anyone who added green to their icon on Twitter or Facebook last year should be doing the minimal step now of using encryption whenever possible.

  • Isn't there something we can sign? A protest movement? A demonstration to take part in? In addition to encrypting everything?

    Encrypt everything first, sign silly petitions later.

  • Yes but how widely known and understood is this threat outside geek-world?
    In order to publicise the need to do this and educate people in how to encrypt, some mass communication of this issue needs to happen.

  • They are going to be sifting through a lot of shit....

  • 1,745 comments on the BBC article in the first 24 hours would suggest that it's pretty well understood as a major threat to privacy by the UK populace:
    http://www.bbc.co.uk/news/uk-politics-17576745

    I'm not sure how many fundamentally understand that without privacy you cannot really have democracy.

  • They are going to be sifting through a lot of shit....

    You deeply and seriously under-estimate how much traffic can be analysed, how fast it can be done, and how much can be stored.

    Most ISPs already apply DPI (Deep Packet Inspection: meaning that they will read the contents of the traffic and not just the headers) for traffic shaping, copyright enforcement (if you ever received a letter from your ISP warning you not to download illegal files, this is how they knew), and some even suggested it would be a way to add advertising to the white space on the sites that you read (see: Phorm).

    This is not CSI style science fiction. It's trivial. And with a budget to pay for storage of traffic, that too is trivial.

  • Encrypt everything first, sign silly petitions later.

    My point was more, that the BBC comments are all of the like:

    How dare they? How very dare they!

    But there is something you can do about it. You can just encrypt all the things.

  • No democracy without privacy

    So encrypt everything!
    At least we have a campaign slogan

  • If I use Relakks am I going to have issues accessing sites?

    I tried using TOR to access this site before but wouldn't let me due to attacks or something (think you blocked certain countries), so I changed IP address still using TOR and it then enabled me which I thought was weird.

    I have deactivated my facebook, am I safe? Should I permanently delete it?

    I remember encrypting part of my hard drive with TrueCrypt and then forgot the password and lost everything, was not a fun experience.

  • So encrypt everything!
    At least we have a campaign slogan

    There's such a thing as democracy?

  • If I use Relakks am I going to have issues accessing sites?

    I tried using TOR to access this site before but wouldn't let me due to attacks or something (think you blocked certain countries), so I changed IP address still using TOR and it then enabled me which I thought was weird.

    I have deactivated my facebook, am I safe? Should I permanently delete it?

    I remember encrypting part of my hard drive with TrueCrypt and then forgot the password and lost everything, was not a fun experience.

    Relakks and VPNs do change some things... for example the BBC check your IP address to determine whether you can access iPlayer, and you now appear to be in Sweden.

    So at times you might wish to disable the VPN, re-enabling it afterwards.

    TOR was blocked on LFGSS because of some trolls, but I thought I'd lifted that block a while ago. I don't really use IP addresses for troll management nowadays. There are better ways which are more reliable.

    Facebook risk is about them storing your data. The only way you can have some confidence that they're not storing it and passing it on to third parties is for them not to have your account in any state. It means deleting your account.

    Twitter are much better, they're very hippy (I've been on quite a few calls with some of their top guys). Generally the knowledge that it's all public means you moderate your own behaviour in advance, which at least means that you protect yourself as you go along.

    There's such a thing as democracy?

    There's an idea of it, and the idea is strong enough to help protect what is left of privacy.

    There's also an idea of intimacy, which thankfully the erosion of privacy hasn't yet intruded upon. Give it time though.

  • But you don't encrypt your email V.. I am disappoint.

  • I encrypt all my rockets.

  • I wish I could.

    I wish email could be made secure, but in the current state of things it cannot.

    PGP doesn't even work as there is no JavaScript implementation (it's not really possible).

    And because of the prevalence of webmail systems (which I too use), such things are out of the control of individuals.

    I've been considering moving my email back to my own domain, but even then... I could only encrypt a few emails with people who I know would be able to decrypt them.

    Email sucks.

    We need a new, decentralised and open source, secure communications thing.

  • Le Hmmm

  • Cloud based encrypted version of Whatsapp. Key exchange could be tricky though.

  • Wouldn't it be feasible to create a new email protocol that uses one of the secure ports and can be point to point or spread around like with tor?

  • Wouldn't it be feasible to create a new email protocol that uses one of the secure ports and can be point to point or spread around like with tor?

    I'm no expert in cryptography but I suspect that would be a futile endeavor. I expect David or others will correct me.

    Most email server platforms already contain the ability to communicate encrypted data with other email servers, however certificates need to be exchanged and configured before this can work. This would allow you to send encrypted email between servers on a company WAN for example, perhaps using MS Exchange's TLS, but would not allow you to send encrypted email to an email server that had not been preconfigured to communicate with you using encryption.

    I haven't studied encryption in over ten years so this might well have changed but most applicable encryption technologies rely on being able to verify the identity of the sender and the recipient and also share something called a public key to allow one another to decrypt each other's messages. This issue is further clouded by the fact that certificate providers own something called a root cert that has to be kept secure in order to be able to securely authenticate certificates issued to people and domains/servers.

    This is the problem that Velocio alludes to earlier in the thread. He could enable encrypted email for himself but it would only work with friends who had the same mechanism preconfigured in their email clients or who used an email server that has been configured to communicate securely with Velocio's server.

    I could probably be talking bollocks. It has been a while.
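
An added illustration of the server-to-server encryption discussed in the post above (not code from anyone in this thread): transport TLS is applied hop by hop, and each server records the protocol it used in a `Received:` header, so a message's own headers show which hops were encrypted. The message, hostnames and dates below are constructed; the keyword list is the IANA "with" protocol types from RFC 3848 and RFC 6531.

```python
import re
from email import message_from_string

# IANA "with" protocol types that indicate TLS (RFC 3848, RFC 6531).
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
             "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)")

# Constructed sample message; hostnames and addresses are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
\tby store.recipient.example with LMTP id c3; Mon, 2 Apr 2012 10:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id b2; Mon, 2 Apr 2012 10:00:02 +0000
Received: from laptop.sender.example (unknown [198.51.100.7])
\tby out.sender.example with ESMTPSA id a1; Mon, 2 Apr 2012 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

Body text, readable by every server that handled it.
"""

def hop_report(raw):
    """Return (from, by, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own header, so reverse for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if m is None:
            hops.append(("?", "?", "?", False))  # unparseable: count as no TLS
            continue
        proto = m.group(3).upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_TYPES))
    return hops

def plaintext_hops(raw):
    """Hops that did not report TLS. Headers are self-reported by each
    server, so a hop can misstate its own entry or forge older ones."""
    return [hop for hop in hop_report(raw) if not hop[3]]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hop_report(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'no TLS'})")
```

Even when every hop reports TLS, each server in the chain still handled the message body in the clear, which is the gap end-to-end schemes such as PGP are meant to close.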

  • That's pretty much it.

    Well, on the server side. Then you get stuck on clients and how they present and cache the unencrypted email.

    You also get stuck on where to store the decryption private keys. Ideally the end consumer would hold them, and not the service provider. But given that most people can't even deal with 2-step authentication, and will no doubt lose the key... it's also pretty doomed.

    Email encryption isn't yet ready for consumption by the general public.

  • My wife works for the government. Will she know when I've been looking at pictures of girls with no tops on?

  • She already knows...
    ...wives know these things with or without encryption

  • That's pretty much it.

    Well, on the server side. Then you get stuck on clients and how they present and cache the unencrypted email.

    You also get stuck on where to store the decryption private keys. Ideally the end consumer would hold them, and not the service provider. But given that most people can't even deal with 2-step authentication, and will no doubt lose the key... it's also pretty doomed.

    Email encryption isn't yet ready for consumption by the general public.

    Hushmail is a good case study for an encrypted email service. If the sender and recipient are both on Hushmail then the message is encrypted, however:

    Hushmail does not put you above the law

    We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such order refer specifically to the account for which data is required. However, if we do receive such an order, we are required to do everything in our power to comply with the law. Hushmail will not accept an order from any authority or investigative agency that is not enforceable under the laws of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that the Canadian government obtain an order that is legally enforceable in British Columbia, Canada.

    But I thought the data was always encrypted

    When one Hushmail user sends an email to another Hushmail user, the body and attachments of that email are kept on our server in encrypted form, and under normal circumstances, we would have no access to that data. We can’t just pick an arbitrary encrypted email message off the server and read it. However, since Hushmail is a web-based service, the software that performs the encryption either resides on or is delivered by our servers. That means that there is no guarantee that we will not be compelled, under an order enforceable under the laws of British Columbia, Canada, to treat a user named in an order differently, and compromise that user’s privacy.

  • Yeah, that's my major concern... secure encrypted email systems currently only exist in the form of "all users must be on the service".

    But what makes email successful is precisely the opposite, users on any network can email any other.

  • Would still be a step forward to have a service such as Hushmail that was distributed and truly offshore and not subject to national and international law.

    Of course, the flip side is that it would immediately be used for serious criminality. Entire offshore services have been shut down on the basis of the US proving that a handful of users have been engaging in illegal activity that crosses US borders. In the same way that Howard Marks was jailed in the US despite never having sold drugs there.

    E-Gold is a good example. They were shut down in 2009 because the US were able to prove that a few transactions had been completed between some known US resident child pornographers.

  • “Privacy is the space bad people need to do bad things in.”

    Paul McMullan, former deputy features editor for the News of the World, to Leveson Inquiry, 29 November 2011

Posted by Velocio (@Velocio)