On Fri, Jul 5, 2013 at 11:10 AM, Reinier Zwitserloot <[email protected]>wrote:
> Even if this government has managed to convince a cert authority to give > up the goods (where, again, their 'upside' is tiny and the potential PR > nightmare is gigantinormous, so if I was a shareholder of a cert authority > and they pulled that stunt, I'd consider a legal battle for gross > mismanagement), it takes some serious tech skill to translate this into the > ability to read the email. What would be scary is tools, presumably built > by western companies, that automate the process. These may or may not > exist. Let's hope they don't. There are ways to protect yourself against > this though (such as verifying the signature of gmail's TLS certificate), > and there are ways in which you can't stop this in any way or form > whatsoever (if the government has compromised the very machine you're > working on, there is nothing you can do, at all, assuming they have enough > technical skill). I think the main concern is one of those getting hacked. The target space to man in the middle someone is not just the companies at the end points, but any of the companies in your cert list. (That make sense?) > > standard crypto is certainly a lot less tricky from a technical > perspective, but it is simply not a solution in the face of physical > violence. Steganography is specifically the study of how to hide the fact > that you're communicating at all, and that is _EXACTLY_ what you need to > truly solve this issue. Yes, it is tricky. You send each other innocuous > pictures of cats or something but if you take the lowest order bits of each > pixel's RGB info (which will hardly affect the image much), line them up, > and then use decryption on that, you get your message. One of the nice > aspects of almost all encryption algorithms is that you can't tell the > difference between encrypted data and random data. > > Just a small nit, you wouldn't even send the cat picture to your friend. You would just both visit and post pictures on reddit. :) > The main issue with steganography is that you need to be extremely > tech-savvy to use it properly. If you aren't extremely familiar with how it > all works it is very easy to leave something behind that indicates presence > of steganographic data. For starters, you need a self-destruct mechanism or > hide the software used to obtain and decrypt the data from the > steganographic carrier (the images of kittens). If the malicious authority > finds the software, the jig is up. One solution to this is multiple layers > (where the first layer is not all that compromising, just barely enough > that you can believably claim that you went through the effort of sending > this data securely, but that data itself has MORE steganography in it, > which the same tool could also unpack, provided you give the second > password. This loop is endless, so if you are being interrogated, the > interrogator doesn't know when you're 'done'. This is extremely difficult > to do right, and generally requires huge data overhead). > But, again, we are arguing for something that is widely feasible. If a "critical mass" of people are doing this, then it is just using an encoding and transport that the attacker doesn't know. Consider, to someone that doesn't know what radio and the internet are, it might as well be steganography. -- You received this message because you are subscribed to the Google Groups "Java Posse" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/javaposse. For more options, visit https://groups.google.com/groups/opt_out.
