[cryptography] ICIJ's project - comment on cryptography tools
In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work: ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files hattip to Lynn Wheeler's lynn'o'gram. iang. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 4/04/13 21:43 PM, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Apr 4, 2013, at 6:27 AM, ianG i...@iang.org wrote: In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work: ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files Thanks! This is great. It just drives home that usability is all. Just to underline Jon's message for y'all, they should have waited for iMessage: Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge. The DEA's warning, marked law enforcement sensitive, is the most detailed example to date of the technological obstacles -- FBI director Robert Mueller has called it the Going Dark problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication. When Apple's iMessage was announced in mid-2011, Cupertino said it would use secure end-to-end encryption. It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/ iang, who never even knew it was encrypted! ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Apr 4, 2013, at 4:51 PM, ianG i...@iang.org wrote: On 4/04/13 21:43 PM, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Apr 4, 2013, at 6:27 AM, ianG i...@iang.org wrote: In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work: ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files Thanks! This is great. It just drives home that usability is all. Just to underline Jon's message for y'all, they should have waited for iMessage: Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge. The DEA's warning, marked law enforcement sensitive, is the most detailed example to date of the technological obstacles -- FBI director Robert Mueller has called it the Going Dark problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication. When Apple's iMessage was announced in mid-2011, Cupertino said it would use secure end-to-end encryption. It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/ There's a long thread on Twitter (look for Julian Sanchez, @normative) on this, with comments from me, Matt Blaze, Nick Weaver, and others. Also see Julian's blog post at http://www.cato.org/blog/untappable-apple-or-dea-disinformation --Steve Bellovin, https://www.cs.columbia.edu/~smb ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Thu, Apr 4, 2013 at 3:51 PM, ianG i...@iang.org wrote: On 4/04/13 21:43 PM, Jon Callas wrote: This is great. It just drives home that usability is all. Just to underline Jon's message for y'all, they should have waited for iMessage: Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. [...] But note that this doesn't mean that iMessage can't be MITMed or otherwise be made susceptible (if it isn't already) to MITM attacks or plain traffic analysis. iMessage relies on Apple as a trusted third-party. Therefore Apple can MITM its users. The best case scenario is that the iMessage clients can add jey pinning to force the TTP to either never MITM or always MITM any pair of peers. But since the TTP also distributes the client software... Online we have lots of security problems that are difficult to resolve, from physical security of devices (there's not enough) to the lack and general difficulty/impossibility of reliably open-coding or reviewing everything that one has to trust (mostly software, and some firmware too). Basically, this is complaint by the DEA is disinformation or misinformation (or both!). If the former case we might even be staring at the start of a new crypto wars period. Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
ianG i...@iang.org writes: An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge. So Louis Freeh has joined the DEA? Or did they just strike the mid-90s dates on the reports and add today's date? Peter (still waiting for the sky to fall 20 years later). ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 2013-04-05 10:47 AM, James A. Donald wrote: How does it work? Is it really secure, and if it is, how did they manage a not one click for security user interface? Already answered by others on this list. Not secure, apple can MIM it. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 5/04/13 05:36 AM, James A. Donald wrote: On 2013-04-05 10:47 AM, James A. Donald wrote: How does it work? Is it really secure, and if it is, how did they manage a not one click for security user interface? Already answered by others on this list. Not secure, apple can MIM it. Seems like. However, the barrier for that seems somewhat higher than an intercept or pen register. (Entering into full speculation mode here) I suspect that one would need a direct court order akin to a full search seizure in order to give the feds access to the messages; it seems to involve handing over the entire device key to clone the full personality. The original CNN article doesn't pass muster, a far more skeptical and analytical one is here: http://securitywatch.pcmag.com/none/310015-the-real-reason-the-feds-can-t-read-your-imessages iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
