Privacy and Secure Communication Discussion
Hello All,
Recently at Noisebridge, cryptographer Jon Callas led a solid discussion on digital privacy.
The following are the BAHA notes from this discussion, taken by Travis, reviewed and linked to relevant articles by myself. Enjoy!
Traffic Analysis
Signals intelligence based on metadata
Ricardo Bettati - statistics on packet times = crypto, VPN, ssh
TOR can see if you are looking at site X - hypothesis confirmation
Email Headers and metadata
Broadwell/Petraeus - communication via gmail drafts
Common Misconceptions
McNealey Trap - you have no privacy, get over it... defeatist and false.
Brin Trap - nobody has privacy, even the powerful... systems get gamed and power corrupts.
Signals Stupidity
Crypto works far better than nothing!
Big Data = Can't collect more needles by collecting more hay
EFF browser fingerprinting
p0f - passive fingerprinting
Clock Drift - tellings bots from humans
Fourier analysis & sd - bell curve with comb pattern
Economic aid paper
Waterboarding was torture in WWII, laws change based on interest?
Why are advertisers sucking on Do-Not-Track?
After Clipper Chips, we never had secure calls
CALEA
implies that operator does not know that it is ongoing
concern was to limit the number of people knowing what was going on
sort of self-service
limits baked into interface
know that a warrant happens, can challenge in court
"implementation is crap"
Two books:
Privacy on the Line - Susan Landau, Whitfield Diffie
The Eavesdroppers (1958)
Crime Prevention is Humankind's Highest Virtue
= put everyone in solitary...
people obey parking laws, cars are dangerous, it's not a felony
Data Camouflage
a columnist who wrote of "civic duty to lie to pollsters"
Turnkey totalitarianism = using RICO on PETA
TORsploit was massive, warrantless hacking
Silent Circle originally focused on mobile
SC uses:
SIP, XMPP
SDES uses SDP to use cert to get key
Then negotiate ZRTP
Then throw away SDES key
For texting, jabber XMPP, TLS, SKIMP (kinda like OTR)
ZRTP has its own authentication based on DH and indexing into word table
SKIMP has something similar
On TLS, they pin the certificates
With voice, there's no stored data
With text, it's harder - stored logs
With email... very hard, basically stored communications
github - SilentCircle (code)
ZRTP is RFC ID
Lots of questions about GPG
liberation-tech mailing list
cryptography@randombit.net
gpg-developers mail lists
PGP Universal = auto-generate keys, gateway email encryption
Can never have true peer-to-peer with NAT
STUN and ICE used to do peer-to-peer routing
Bluecoat works well to catch APTs
OTR over XMPP
Recently at Noisebridge, cryptographer Jon Callas led a solid discussion on digital privacy.
The following are the BAHA notes from this discussion, taken by Travis, reviewed and linked to relevant articles by myself. Enjoy!
Traffic Analysis
Signals intelligence based on metadata
Ricardo Bettati - statistics on packet times = crypto, VPN, ssh
TOR can see if you are looking at site X - hypothesis confirmation
Email Headers and metadata
Broadwell/Petraeus - communication via gmail drafts
Common Misconceptions
McNealey Trap - you have no privacy, get over it... defeatist and false.
Brin Trap - nobody has privacy, even the powerful... systems get gamed and power corrupts.
Signals Stupidity
Crypto works far better than nothing!
Big Data = Can't collect more needles by collecting more hay
EFF browser fingerprinting
p0f - passive fingerprinting
Clock Drift - tellings bots from humans
Fourier analysis & sd - bell curve with comb pattern
Economic aid paper
Waterboarding was torture in WWII, laws change based on interest?
Why are advertisers sucking on Do-Not-Track?
After Clipper Chips, we never had secure calls
CALEA
implies that operator does not know that it is ongoing
concern was to limit the number of people knowing what was going on
sort of self-service
limits baked into interface
know that a warrant happens, can challenge in court
"implementation is crap"
Two books:
Privacy on the Line - Susan Landau, Whitfield Diffie
The Eavesdroppers (1958)
Crime Prevention is Humankind's Highest Virtue
= put everyone in solitary...
people obey parking laws, cars are dangerous, it's not a felony
Data Camouflage
a columnist who wrote of "civic duty to lie to pollsters"
Turnkey totalitarianism = using RICO on PETA
TORsploit was massive, warrantless hacking
Silent Circle originally focused on mobile
SC uses:
SIP, XMPP
SDES uses SDP to use cert to get key
Then negotiate ZRTP
Then throw away SDES key
For texting, jabber XMPP, TLS, SKIMP (kinda like OTR)
ZRTP has its own authentication based on DH and indexing into word table
SKIMP has something similar
On TLS, they pin the certificates
With voice, there's no stored data
With text, it's harder - stored logs
With email... very hard, basically stored communications
github - SilentCircle (code)
ZRTP is RFC ID
Lots of questions about GPG
liberation-tech mailing list
cryptography@randombit.net
gpg-developers mail lists
PGP Universal = auto-generate keys, gateway email encryption
Can never have true peer-to-peer with NAT
STUN and ICE used to do peer-to-peer routing
Bluecoat works well to catch APTs
OTR over XMPP