
Lavabit


    Lavabit

    So that's that, it's as good as national print: if you send any message that passes through the US, it is as good as read.

    If you have a report you need sending to a client marked 'commercial in confidence' - how would you send it?

    BBC News - Snowden link to Lavabit encrypted email service closure

    An encrypted email service thought to have been used by fugitive US intelligence leaker Edward Snowden has abruptly shut down.

    My Fellow Users,

    I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

    What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
    "Never argue with stupid people, they will drag you down to their level and beat you with experience". Mark Twain

    #2
    Still, at least they don't spy on their citizens as much as the UK; you can sleep soundly at night now.
    Doing the needful since 1827



      #3
      I used to have an anonymous email address through anon.penet.fi but that seems to have shut down some time back.
      Best Forum Advisor 2014
      Work in the public sector? You can read my FAQ here
      Click here to get 15% off your first year's IPSE membership



        #4
        Originally posted by scooterscot View Post
        So that's that, it's as good as national print: if you send any message that passes through the US, it is as good as read.
        Is this news? A few years back BlackBerrys were not allowed at some companies due to the fact that all data would route via US servers, so was considered unsecure.

        Originally posted by scooterscot View Post
        If you have a report you need sending to a client marked 'commercial in confidence' - how would you send it?
        That depends on how secure you need to be, what the data contains, and who the data belongs to.
        If it needs to be fully secure then it should not be passed anywhere online.
        If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.

        Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.



          #5
          I once had a client who, when approached about sending sensitive information, said "It's OK, we use the password on the MS Word document".
          Originally posted by Stevie Wonder Boy
          I can't see any way to do it can you please advise?

          I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.



            #6
            Originally posted by Ticktock View Post
            Is this news? A few years back BlackBerrys were not allowed at some companies due to the fact that all data would route via US servers, so was considered unsecure.



            That depends on how secure you need to be, what the data contains, and who the data belongs to.
            If it needs to be fully secure then it should not be passed anywhere online.
            If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.

            Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.
            That's ironic as a company I know that are paranoid about security heavily use Blackberrys, supposedly they have some agreement with Blackberry that nothing goes on but I think they're kidding themselves

            It's about as useful as GCHQ getting Huawei to audit themselves over whether there are any rootkits in the telecoms hardware
            Doing the needful since 1827



              #7
              Originally posted by Ticktock View Post
              Is this news? A few years back BlackBerrys were not allowed at some companies due to the fact that all data would route via US servers, so was considered unsecure.



              That depends on how secure you need to be, what the data contains, and who the data belongs to.
              If it needs to be fully secure then it should not be passed anywhere online.
              If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.

              Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.
              The analysis regards an EU product built for a US client. It is 'commercial in confidence'; that analysis would most certainly benefit competitors.
              "Never argue with stupid people, they will drag you down to their level and beat you with experience". Mark Twain



                #8
                Encryption

                The only form of encryption that I can guarantee the NSA can't crack by interception is a one time pad.

                Generate a USB stick full of random noise.

                For each byte in your message XOR it with the next byte in the noise
                Only ever use one byte of randomness, ever, so increment the pointer.

                The data structure you send the client is thus a header saying where in the sequence you start, then data, then some extra crap to bulk up the message so that the interceptor can't say "aha, this message is longer !" Also of course you need to send messages at random intervals so they can't work out that "X happened after he sent this message"

                The client has a copy of your USB stick

                Generating the random numbers is an interesting problem, give up all thoughts now of using the rand() function in whatever language you use.

                The best thing to do is sample the sound card in your PC to produce a file of N billion randomish bytes
                When you have enough bytes, loop and XOR the file with new randomish numbers until you are satisfied it is random enough
                Then use an SHA or similar hash because you're paranoid, and finally, because you're really paranoid, run a loop that uses noise to choose pairs of values to swap within the large file.

                That sounds a bit paranoid, but there are some patterns in the randomish noise you get from sampling a sound card that doesn't have a microphone attached.

                Then visit client, give them the USB, and entreat them to keep it really safe.

                With the key, decryption is trivial and fast, though if you're a defence contractor you will need to make it look more complex to justify the bill.

                This is because exclusive OR-ing undoes itself

                ie for all A and all B

                (A XOR B) XOR B = A

                Since there is no repetition or pattern in the key and because the key is longer than the plaintext, it cannot be cracked, at all. This is not a "life time of the universe" scale problem; it just can't be done, just like you can't count all the fractions.



                The only way possible to hack this is if the bad/good guys intercept you without you knowing or by some other means get access to the USB sticks or the machines it runs on.

                Since you're serious about this, you don't just carry one USB stick with you, but N which have to be combined to give the right key, this method existing only in your head, again XORing them, with some other process you can think up.

                This also serves as authentication, since key holders can encrypt in a way that can be decoded.

                Ideally, you should send multiple keys by multiple routes as well.
                Last edited by Dominic Connor; 9 August 2013, 09:14.
                My 12 year old is walking 26 miles for Cardiac Risk in the Young, you can sponsor him here
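Added example, not part of the post above or any poster's code: a Python sketch of the framing post #8 describes (a header giving the pad offset, XOR against the next unused pad bytes, filler so every message has the same length), plus what reusing pad bytes exposes. The 256-byte frame, the 8-byte offset header, the 2-byte length prefix and the use of `os.urandom` in place of sound-card noise are assumptions made for this example.

```python
import os
import struct

FRAME = 256                      # assumed fixed frame size; hides message length
HEADER = struct.Struct(">Q")     # assumed header: 8-byte pad offset, sent in clear

class OneTimePad:
    """Pad shared in advance (the 'USB stick'); pos is the next unused byte."""

    def __init__(self, pad, pos=0):
        self.pad, self.pos = pad, pos

    def _take(self, n):
        if self.pos + n > len(self.pad):
            raise ValueError("pad exhausted: generate and exchange a new one")
        start = self.pos
        self.pos += n            # advance the pointer so no byte is used twice
        return start, self.pad[start:start + n]

    def encrypt(self, msg):
        if len(msg) > FRAME - 2:
            raise ValueError("message too long for one frame")
        # 2-byte length + message + random filler up to the frame size
        body = struct.pack(">H", len(msg)) + msg + os.urandom(FRAME - 2 - len(msg))
        start, key = self._take(FRAME)
        return HEADER.pack(start) + bytes(b ^ k for b, k in zip(body, key))

    def decrypt(self, wire):
        if len(wire) != HEADER.size + FRAME:
            raise ValueError("unexpected frame size")
        (start,) = HEADER.unpack_from(wire)
        if start < self.pos:
            raise ValueError("offset already consumed: replay or pad reuse")
        self.pos = start         # skip pad bytes of any frames that never arrived
        _, key = self._take(FRAME)
        plain = bytes(c ^ k for c, k in zip(wire[HEADER.size:], key))
        (n,) = struct.unpack_from(">H", plain)
        return plain[2:2 + n]

def reuse_leak(body1, body2):
    """Two bodies XORed with the SAME pad bytes: the key cancels out, leaving
    plaintext1 XOR plaintext2, which is why the pointer must never go back."""
    return bytes(a ^ b for a, b in zip(body1, body2))

if __name__ == "__main__":
    pad = os.urandom(4 * FRAME)  # constructed sample pad (OS CSPRNG, an assumption)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    wire = sender.encrypt(b"commercial in confidence")
    print(len(wire), receiver.decrypt(wire))
```

Both ends must persist `pos` between sessions; losing it on either side and restarting from zero is the pad reuse that `reuse_leak` illustrates.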



                  #9
                  Originally posted by amcdonald View Post
                  That's ironic as a company I know that are paranoid about security heavily use Blackberrys, supposedly they have some agreement with Blackberry that nothing goes on but I think they're kidding themselves

                  It's about as useful as GCHQ getting Huawei to audit themselves over whether there are any rootkits in the telecoms hardware
                  Everything that goes through BlackBerry goes through one of their NOCs; originally these were just in Canada but they now have them in Europe too. GCHQ have approved BlackBerry for up to IL3 (Restricted). I know this as I was on the project that got them accredited when I worked for the Police.
                  Originally posted by Stevie Wonder Boy
                  I can't see any way to do it can you please advise?

                  I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.



                    #10
                    Originally posted by SimonMac View Post
                    Everything that goes through BlackBerry goes through one of their NOCs; originally these were just in Canada but they now have them in Europe too. GCHQ have approved BlackBerry for up to IL3 (Restricted). I know this as I overheard someone talking about it when I was detained by the Police.
                    FTFY
                    Best Forum Advisor 2014
                    Work in the public sector? You can read my FAQ here
                    Click here to get 15% off your first year's IPSE membership
