As if they need another.
-
Be sure to read this post! Beware of scammers. https://www.indianagunowners.com/threads/classifieds-new-online-payment-guidelines-rules-paypal-venmo-zelle-etc.511734/
Tech companies should be required...
- Thread starter poptab
- Start date
The #1 community for Gun Owners in Indiana
Member Benefits:
Fewer Ads! Discuss all aspects of firearm ownership Discuss anti-gun legislation Buy, sell, and trade in the classified section Chat with Local gun shops, ranges, trainers & other businesses Discover free outdoor shooting areas View up to date on firearm-related events Share photos & video with other members ...and so much more!
Member Benefits:
As if they need another.
One of the curious things of late is how political questions once answered seem to be coming up again. The government even went so far as to find that encryption is a “munition,” and thus banned for export. This whole silly idea was settled, in part, when PGP creator Phil Zimmermann published his encryption program, PGP (Pretty Good Privacy), and sent it abroad. The trick? He wrote the code in a book; a book that was easily disassembled and sold with software included that could scan the pages and compile the code. Thus, software became speech and the FBI for all its protestations cannot undo the first amendment. They can chip away, they can do things in the shadows, but speech is a far sturdier category than munitions.
So, unless this is going to be redone – a case in which I fully expect the FBI to fail the inevitable Supreme Court challenge that would result. (Left and Right alike are fond of the First Amendment; I mean, I really like my Second, but I /love/ the First.)
With that said, the specters of pedophilia, terrorism, and to a lesser extent drugs will always be the arguments used when trying to roll back rights. It is easy to divide people, after all, and who wants to give “bad guys” protection? It is real easy to look the other way, but a precedent gets set and its hard to undo. If we are equally protected and we find that pedophiliacs don’t have said rights and protections, than neither do you; the same goes for terrorists, and the same goes for drug pushers.
Now, if I were cynical, I could say that this is Apple and Google trying to regain trust, the trust lost here at home and abroad when it seemed they were playing nice with the NSA. US-based technology businesses were hurt by the Snowden revelations (and rightfully so, especially RSA – how can a security company intentionally weaken its product for all users?). This public fight could go a ways to easing fears, and, again, if you’re cynical, you could chalk it up to damage control; that these devices are still compromised and this is all an act.
Here’s what I know, though. If you want to use encryption, there is almost never anything stepping in the way. Avoid centralized access control systems; if Google has the key, then they may be compelled to produce said key. Thus, you have user-to-user encryption methods where Apple doesn’t have the keys; they have nothing to provide law enforcement even if they are served with a subpoena. If you want to secure your computer, there isn’t any shortage of encryption solutions ranging from the now defunct True Crypt (which I wager is still secure, but I’m a lot less sure than I was a year ago) and its hopeful successors, VeraCrypt and, eventually, Ciphershed. All of which are free to use and open source. (I’ve more trust for open source, personally, as it can potentially be reviewed; commercial companies often operate under the “security through obscurity” model, which means flaws are almost never mentioned and tend to go unnoticed by the company – and since no one else can find the flaws, they figure fixing them isn’t worthwhile. It’s bad practice, that stuff.) Nevertheless, you can go with Symantec’s encryption, which is based on PGP; BitLocker, which is built into higher versions of Windows; and others as well.
(Quick note: I am not capable of cryptanalysis, and even with open source software, I have to trust that it is good. Sooner or later, if you’re going to use technology, you’re going to have to figure out who you trust. Personally, I’ve more trust in a company that puts its work out there for all to see rather than those who run on a magic black box, whose inner workings are never acknowledged or published, and thus cannot be confirmed to be strong.)
In the end, though, encryption only does certain things. The strongest encryption won’t save you if you use the weakest passwords. (If your password is password, you’re doing it wrong; if your password is less than 12 characters, you should fix that; if it doesn’t include numbers [preferably not just at the beginning and/or end], you are more vulnerable; if it doesn’t mix upper and lower case characters, you should see about fixing that; and, most of all, if you can work in a special character or two [preferably not simply replacing a with @ or s with %], you can radically increase the difficulty in brute forcing access.
Example, using an eight character password (and only eight character!) that allows only alphanumerics and isn’t case sensitive (36 possible choices per character) versus a six character password that is case sensitive, allows numbers and special characters:
Case-Insensitive Alphanumeric: (26+10)^8; or, 36^8; which yields, 2,821,109,900,000 possible combinations.
Case Sensitive, Alphanumeric w/ Special Characters and Punctuation: (26+26+10+33)^8; or 95^8, which yields 6,634,204,300,000,000 possible combinations. (Both are radically higher if you extend possibilities such as allowing for less than 8 characters; also worth mentioning is the fact that big numbers like these offer a false sense of security as computers can try many, many code combinations every second.)
In short, it matters. Still, even if you use Whole Disk Encryption, all one needs is malware that captures keyboard input or a keyboard microphone to figure out the password, and that is assuming the password isn’t one of the easy to guess ones. Humans are the weak link here, unfortunately.
Either way, the FBI is wrong. Intentionally including backdoors into systems is like having a shiny red button that’ll exploded the world that is protected only by a modicum of technical sophistication and a stern warning that touching the button would be very, very bad. There is no reason to expect such a button wouldn’t get pressed, there are just too many lunatics, curious idiots, and criminals that would like to give it a try. Any backdoor will be used by the black hats. Look at what harm can be done just inadvertent software mistakes? Now imagine what could be done with a system that was intentionally weak, intentionally vulnerable, and that is open for anyone sly enough to figure out to take over fully.
It is a profoundly short sighted, dangerous idea.
But for all that, maybe it would be a good thing for society to sit down and contemplate priorities. What is more important: preserving rights for all or assuring that any criminal act will be noticed? It was my understanding that we, as a society, agreed to the following general rules: it is better for some guilty people to go free than for some innocent people to get wrongfully imprisoned; that the privacy of all is assured so long as the government does not have cause enough to be granted a warrant; and that being private doesn’t automatically translate into having something to hide, and thus isn’t reason enough to spur a search or provide cause for a warrant. If we’re going to a new “At all costs” crime and punishment mentality, I feel like that should come to a vote. It’s one of those important things that should really be discussed, right?
So, unless this is going to be redone – a case in which I fully expect the FBI to fail the inevitable Supreme Court challenge that would result. (Left and Right alike are fond of the First Amendment; I mean, I really like my Second, but I /love/ the First.)
With that said, the specters of pedophilia, terrorism, and to a lesser extent drugs will always be the arguments used when trying to roll back rights. It is easy to divide people, after all, and who wants to give “bad guys” protection? It is real easy to look the other way, but a precedent gets set and its hard to undo. If we are equally protected and we find that pedophiliacs don’t have said rights and protections, than neither do you; the same goes for terrorists, and the same goes for drug pushers.
Now, if I were cynical, I could say that this is Apple and Google trying to regain trust, the trust lost here at home and abroad when it seemed they were playing nice with the NSA. US-based technology businesses were hurt by the Snowden revelations (and rightfully so, especially RSA – how can a security company intentionally weaken its product for all users?). This public fight could go a ways to easing fears, and, again, if you’re cynical, you could chalk it up to damage control; that these devices are still compromised and this is all an act.
Here’s what I know, though. If you want to use encryption, there is almost never anything stepping in the way. Avoid centralized access control systems; if Google has the key, then they may be compelled to produce said key. Thus, you have user-to-user encryption methods where Apple doesn’t have the keys; they have nothing to provide law enforcement even if they are served with a subpoena. If you want to secure your computer, there isn’t any shortage of encryption solutions ranging from the now defunct True Crypt (which I wager is still secure, but I’m a lot less sure than I was a year ago) and its hopeful successors, VeraCrypt and, eventually, Ciphershed. All of which are free to use and open source. (I’ve more trust for open source, personally, as it can potentially be reviewed; commercial companies often operate under the “security through obscurity” model, which means flaws are almost never mentioned and tend to go unnoticed by the company – and since no one else can find the flaws, they figure fixing them isn’t worthwhile. It’s bad practice, that stuff.) Nevertheless, you can go with Symantec’s encryption, which is based on PGP; BitLocker, which is built into higher versions of Windows; and others as well.
(Quick note: I am not capable of cryptanalysis, and even with open source software, I have to trust that it is good. Sooner or later, if you’re going to use technology, you’re going to have to figure out who you trust. Personally, I’ve more trust in a company that puts its work out there for all to see rather than those who run on a magic black box, whose inner workings are never acknowledged or published, and thus cannot be confirmed to be strong.)
In the end, though, encryption only does certain things. The strongest encryption won’t save you if you use the weakest passwords. (If your password is password, you’re doing it wrong; if your password is less than 12 characters, you should fix that; if it doesn’t include numbers [preferably not just at the beginning and/or end], you are more vulnerable; if it doesn’t mix upper and lower case characters, you should see about fixing that; and, most of all, if you can work in a special character or two [preferably not simply replacing a with @ or s with %], you can radically increase the difficulty in brute forcing access.
Example, using an eight character password (and only eight character!) that allows only alphanumerics and isn’t case sensitive (36 possible choices per character) versus a six character password that is case sensitive, allows numbers and special characters:
Case-Insensitive Alphanumeric: (26+10)^8; or, 36^8; which yields, 2,821,109,900,000 possible combinations.
Case Sensitive, Alphanumeric w/ Special Characters and Punctuation: (26+26+10+33)^8; or 95^8, which yields 6,634,204,300,000,000 possible combinations. (Both are radically higher if you extend possibilities such as allowing for less than 8 characters; also worth mentioning is the fact that big numbers like these offer a false sense of security as computers can try many, many code combinations every second.)
In short, it matters. Still, even if you use Whole Disk Encryption, all one needs is malware that captures keyboard input or a keyboard microphone to figure out the password, and that is assuming the password isn’t one of the easy to guess ones. Humans are the weak link here, unfortunately.
Either way, the FBI is wrong. Intentionally including backdoors into systems is like having a shiny red button that’ll exploded the world that is protected only by a modicum of technical sophistication and a stern warning that touching the button would be very, very bad. There is no reason to expect such a button wouldn’t get pressed, there are just too many lunatics, curious idiots, and criminals that would like to give it a try. Any backdoor will be used by the black hats. Look at what harm can be done just inadvertent software mistakes? Now imagine what could be done with a system that was intentionally weak, intentionally vulnerable, and that is open for anyone sly enough to figure out to take over fully.
It is a profoundly short sighted, dangerous idea.
But for all that, maybe it would be a good thing for society to sit down and contemplate priorities. What is more important: preserving rights for all or assuring that any criminal act will be noticed? It was my understanding that we, as a society, agreed to the following general rules: it is better for some guilty people to go free than for some innocent people to get wrongfully imprisoned; that the privacy of all is assured so long as the government does not have cause enough to be granted a warrant; and that being private doesn’t automatically translate into having something to hide, and thus isn’t reason enough to spur a search or provide cause for a warrant. If we’re going to a new “At all costs” crime and punishment mentality, I feel like that should come to a vote. It’s one of those important things that should really be discussed, right?
I remember watching that first case, the Boucher case. In all honesty, I was hoping it would rise up to the Supreme Court level. Really, I would like it to be widely confirmed that the Fifth Amendment applies to passwords and being forced to incriminate oneself. Obviously lower judges don't mind testing this assertion every so often.
I am a bit wary of the eventual ruling in that case, given that I believe one can decide to apply the Fifth even after being amenable to searches initially. Nevertheless, he did decrypt the laptop in front of federal agents; however, he may not have known he had a right to refuse, so I could see arguments on both sides holding up to some degree. I’m also wary of wide net customs and the TSA has for inspecting computers and similar devices; I understand the rationale for the border searches, but have those terrorists stolen my freedom and tried smuggling it out on some cheap laptop?
Anyway, I hope this remains. Otherwise, I can foresee all sorts of situations where someone could land in all manners of troubles by forgetting a password (easy to do as they grow longer and more complex) or having a device that isn’t their own assumed to be their property. If Dan killed Jan and documented it on his laptop, a laptop they come to believe is mine, I’m going to be absolutely unable to provide a key. Even if Dan left it at my house, even if I was repairing that particular unit. Perhaps I sold this Dan my old laptop, so they could trace ownership, then what can I do but stutter, flail, and be found to be in contempt of court? And that’s all assuming they are right about evidence being on a device that they cannot know the contents of!
It is a whole can of worms that is better left sealed. At least, that’s how I see it.
Lets step back a few decades. Can I be compelled to divulge a combination to a vault? Or is this apples/oranges in the courts eyes? HM? Kirk?
Kirk Freeman
Grandmaster
Right here. I assume you are speaking in a criminal context instead of civil (lawsuit, divorce, etc.)?
Both actually. Trying to figure out (as a layman) if the "you must divulge your iphone unlock code/disk encrypytion key/etc or go to jail" per the courts is new, or just an extension of "Whats in that vault in your basement Mr. Monkey? Give us the code or rot in jail"
CathyInBlue
Grandmaster
Correction. Phil Zimmerman did not export his PGP source code in a book. Phil Zimmerman took PGP on a set of floppies and drove up the California coast, hitting as many BBSes as he could along the way, uploading it to those systems. He included header information in his posts for cross-posting to Usenet newsfeeds. Usenet newsfeeds include header information to restrict distribution of individual messages. Zimmerman was careful to include distribution information to restrict his PGP source code to distribute only within the United States of America. All was well for these BBS uploads until one of the postings made its way to a Usenet news server in St. Louis, MO, a news server run by the federal government. This government news server was misconfigured to ignore the distribution header. This misconfigured federal government news server bounced the PGP source code abroad, and from there, it went 100% global.
The federal government tried to try Zimmerman for violating the export in munitions statutes, but the evidence was overwhelming that it was the federal government itself, and nothing that Zimmerman did, that let that genie out of the CONUS bottle. They didn't have a legal leg to stand on and after putting him through Hell for over a year, they were forced to drop all charges.
The federal government tried to try Zimmerman for violating the export in munitions statutes, but the evidence was overwhelming that it was the federal government itself, and nothing that Zimmerman did, that let that genie out of the CONUS bottle. They didn't have a legal leg to stand on and after putting him through Hell for over a year, they were forced to drop all charges.
And for the record, I kinda like this new approach. Not that I worried before, but no more worry about "is the carrier in the gov'ts back pocket or will they be forced to hand over data in my trial?" No more. I like the fact that they have made it so they cant even peek at my stuff if they WANTED to.
THough I wont even begin to think it was in MY best interest. They just wanted a way out of the quagmire of being hassled by the law every time one of their millions of customers did something stupid (or was suspected as such). What better way to make lawyers go away than to absolutely distance yourself from the perp. "sorry boys, I cant possibly due to my lack of access... now go away" (as opposed to having to do the legwork on every discovery, subpoena, etc. whether it was beneficial or not.) Now they can honestly tell the law to pound sand and not waste their time/resources. "not my circuis, not my monkeys" is always easier than being involved.
THough I wont even begin to think it was in MY best interest. They just wanted a way out of the quagmire of being hassled by the law every time one of their millions of customers did something stupid (or was suspected as such). What better way to make lawyers go away than to absolutely distance yourself from the perp. "sorry boys, I cant possibly due to my lack of access... now go away" (as opposed to having to do the legwork on every discovery, subpoena, etc. whether it was beneficial or not.) Now they can honestly tell the law to pound sand and not waste their time/resources. "not my circuis, not my monkeys" is always easier than being involved.
The thing with open source is that you can examine the code. It's not just that it's open source; it's actually open source. If you're conversant in C#, python, or whatever, and that's what the code is written in, you can find any backdoor that's there, eliminate it, and recompile. No backdoor and "oh, I forgot the password", and your stuff requires hard decryption. How are they going to compel you to remember something you "can't remember"? Then the fun begins. Use secure encryption for everything. Inoffensive emails, pictures of cats, whatever. Make them work hard for it, and find out there's nothing there. If you do happen to have something they may be interested in, use steganography or somesuch to bury it among the chaff. They'll most likely give up before even trying to dig it out. There are ways to defeat them, if only by tiring them out.
No problem. Where is the warrant?
Credit should be given where credit is due; and this time around, it goes to CathyInBlue.
Seriously, I could have sworn I read about a book, but I haven't been able to track down a source (though, admittedly, I haven't spent much time on that endeavor). Perhaps it was my own little plot to work around such restrictions, but it seems more sly than my usual plottings.
I have to say I'm still a little suspicious of PGP ever since the .gov backed off of Zimmerman. The whole "oh, now we don't have a leg to stand on. You're free to go." thing just feels contrived. The expression I heard years ago is that it's "too pat".
Admittedly, my skepticism is rooted in a lack of knowledge; I don't know C++ or Python or whatever PGP was written in, so even if I saw the source code, I'd not be able to interpret it, and in the absence of personal verifiability, a healthy skepticism is not a bad thing. It just would not surprise me if there was, in fact, a vulnerability that only a Cray could make use of or some such.
And yes, I'm fully aware that my tinfoil is fitting tightly.
That's the best way to keep the alien mind control rays out.Blessings,
Bill
I have to say I'm still a little suspicious of PGP ever since the .gov backed off of Zimmerman. The whole "oh, now we don't have a leg to stand on. You're free to go." thing just feels contrived. The expression I heard years ago is that it's "too pat".
Admittedly, my skepticism is rooted in a lack of knowledge; I don't know C++ or Python or whatever PGP was written in, so even if I saw the source code, I'd not be able to interpret it, and in the absence of personal verifiability, a healthy skepticism is not a bad thing. It just would not surprise me if there was, in fact, a vulnerability that only a Cray could make use of or some such.
And yes, I'm fully aware that my tinfoil is fitting tightly.
Blessings,
Bill
It is pgp pretty good privacy
It's not the best privacy in the world.
Encryption like that is used for time sensitive data. As by the time someone cracks it its irrelevant.
It would be best if everyone was doing it for everything. Then they would really have to focus on what they want to break.
CathyInBlue
Grandmaster
The idea that software was 1st Amendment fodder came from a college professor of cryptology who wanted to teach a distance learning class in it and was getting flak from the ITAR folks who claimed that crypto software was munitions in all forms, whether source code or machine code. He sued saying the source code he wanted to send to his students, some of whom were outside of the U.S.A., was more akin to a published book/written work than they were to an operable mechanism/weapon. He sued and won, and ever since, source code has been free to send and receive in America, regardless of wherefrom or whereto.
HeadlessRoland
Shooter
I have to say I'm still a little suspicious of PGP ever since the .gov backed off of Zimmerman. The whole "oh, now we don't have a leg to stand on. You're free to go." thing just feels contrived. The expression I heard years ago is that it's "too pat".
Admittedly, my skepticism is rooted in a lack of knowledge; I don't know C++ or Python or whatever PGP was written in, so even if I saw the source code, I'd not be able to interpret it, and in the absence of personal verifiability, a healthy skepticism is not a bad thing. It just would not surprise me if there was, in fact, a vulnerability that only a Cray could make use of or some such.
And yes, I'm fully aware that my tinfoil is fitting tightly.
Blessings,
Bill
A properly-rendered and executed algorithm is resistant to brute-force and hash collision and all those fun theoretical problems that adversaries try to make experiential. The problem is that while there are a few suspect implementations of certain algorithms, such as the undermining of a formerly-perfectly good algorithm, RSA (Rivest, Shamir, Adelman) in various key lengths, the problem is that company's collusion with NSA, especially as it concerned the elliptical curves utilized to generate keys - if one knows the properties of the ellipses used in generating the key pair in question, it weakens RSA incredibly. So much so that one would be well-justified in accusing the NSA of undermining and blatantly trying to backdoor one of the most formerly-popular algorithms in the world. As a whole, the internet really was not designed or implemented with security as a main feature.
When Dan Kaminsky accidentally broke the entire Domain Name System, it wasn't malice, but poor design that brought the whole thing down and which lead researchers to rapidly scramble to try to improve the abysmal security of DNS via DNSSEC. The problem thus isn't even necessarily malice (although there's plenty of actors looking for ways to game the system), but design. In the early days of the internet, there was little need - or ability - to encrypt communications sent from one server to another, nor was there any particular problem except perhaps delays or messages being blackholed if messages weren't properly routed. But now, in an age of international banking and social media and porn and business usage? It becomes exponentially more critical to have proper and well-implemented systems in place, so humanity has basically had to go in reverse, making things more secure as time has gone on, rather than building what we didn't know we would later need into a system not able to withstand it. There were a few pioneers like Phil Zimmerman and Timothy May and Richard Stallman, but very few people at the time could see the necessity or even envision the development of the networks of then into the tangled sprawling webs we have today.
All of which to say, if an encryption algorithm is properly designed and implemented - the theory being sound and the implementation leaving no room for exploitation by an adversary - it's virtually impossible to break that encryption. Unless one colludes with the powers that be and deliberately undermines those implementations or designs, which may or may not have happened with RSA. We do know for a fact that the NSA gave RSA something like $10 million USD to alter their implementation to modify their elliptical curve to suit the NSA. So the question then becomes how much do you trust any company willing to accept double-digit millions from government not to collude with government - and how much do you trust government to respect your privacy? I think you and I both have exact same answer to that question.
Exclusive: NSA infiltrated RSA security more deeply than thought - study | Reuters
Assuming a proper implementation of the Diffie-Hellman-Merkle key exchange, PGP/GPG is immutably sound. Coupled with things like properly-designed and properly-implemented disk encryption to keep the private key safe, I'd trust any private information to be sent via PGP/GPG. The only problem with it is that it has limitations like not being able to encrypt sender/recipient nor subject line. However, for ultra-top-secret information in the body of the message, it's a perfectly sound design and implementation. Questions do arise, but PGP is not implicated in them, such as 'Can I trust the person to whom I am sending this, as well as the physical and electronic security of their machine?' 'Can I be certain of the identity of the intended recipient of this information?' 'Is my own system physically and electronically secure, or could I be susceptible to intrusion (keylogging, trojans, viruses, etc.)?' 'Is it legal to send this message to this recipient, who has been deemed unsavory by government, since I cannot encrypt sender/receive headers?' PGP/GPG has been audited by the public ever since its inception, and is very resistant to adversarial attack by virtue of being open-source and auditable by anyone with enough interest and capability to do so.
Phil Zimmerman NEVER distributed PGP outside the United States. He did send it to a few domestics which did not respect his US-only header, but Zimmerman himself didn't do a single thing to export PGP, even though he did publish PGP domestically. The government thus had to eventually concede that it really didn't have a case against Zimmerman, who never exported PGP as defined by law. Cody Wilson is now fighting much the same battle, and doing so fairly successfully so far, by deliberately wrapping the Second Amendment up in the First Amendment and utilizing that to challenge the overreach of the State Department and ITAR. Here's to the wailing and gnashing of teeth of government.
As for all code being legal to send/receive regardless of origin/destination - no, there are still some restrictions:
Export of cryptography from the United States - Wikipedia, the free encyclopedia
As though Iran or the DPRK not having access to encryption will prevent them from getting the bomb or something. Pointless, overwrought, and technologically unfeasible ideas - from our government? Surely not.
Site Supporter
Members online
- BD63
- fireball168
- slims2002
- mmpsteve
- hhi7410
- 04FXSTS
- gpasp101
- JR50
- Winamac
- bullet
- Greg1
- deo62
- krvincen
- mcoppers
- Tradesylver
- 257robertsimp
- DoggyDaddy
- 223 Gunner
- jwamplerusa
- Cavman
- joe138
- mcapo
- indyartisan
- jhopson
- Mounty09
- magic man
- Fallschirmjaeger
- snapping turtle
- Magyars
- 22LRFan
- Drewfus
- rkweber
- 63PGP
- HoosierLife
- efd1295
- maxipum
- rkwhyte2
- Dog1
- Gunguy317
- Hoosier Carry
- jsharmon7
- Oppman24
- Bhart89
- SnoopLoggyDog
- jwalt01
- Glocktard
- Trapper Jim
- TJ Kackowski
- 812 rimfire
- led4thehed2
