#261807 - 07/12/13 03:53 PM
Why you don't use large vendors computer encryption
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
SAN FRANCISCO — Microsoft Corp. worked closely with U.S. intelligence services to help them intercept users' communications, including letting the National Security Agency circumvent e-mail encryption, the Guardian reported Thursday.
http://www.denverpost.com/nationworld/ci...uardian-reports

You can't "allow encryption to be circumvented". What that really means is that Microsoft either intentionally put back doors in their encryption scheme, or intentionally created default keys for decryption that they then kept for themselves (then shared them with the government), etc. This is Microsoft intentionally leaving themselves a way into your supposedly private data, no matter how they try to spin it. This is not someone discovering a flaw in an encryption algorithm and then exploiting it. This is intentional.

I'm sure Microsoft is not the only big-player doing this. And it illustrates why you should never trust any "black box" encryption and take the vendor's word for it that it is secure. You need to use open source encryption software. "Open source" allows anybody to read the source code and compile the code themselves to verify it truly is secure. While most here would not have the expertise to review encryption code, you can bet that other more advanced computer users are doing exactly that. So use what they use, and have reviewed. Which is open source encryption.

Basically, if you have to pay for what you're using for encryption, then it should be considered suspect and you should do your due diligence in researching it before using it. And if the encryption "came for free with the product", as this Microsoft offering no doubt did - red flag!
|
#261810 - 07/12/13 04:08 PM
Re: Why you don't use large vendors computer encryption
[Re: Bingley]
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
Another article, with more details:

How Microsoft handed the NSA access to encrypted messages
• Secret files show scale of Silicon Valley co-operation on Prism
• Outlook.com encryption unlocked even before official launch
• Skype worked to enable Prism collection of video calls
• Company says it is legally compelled to comply

http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
|
#261811 - 07/12/13 04:23 PM
Re: Why you don't use large vendors computer encryption
[Re: haertig]
|
Member
Registered: 04/19/12
Posts: 170
Loc: Iowa
|
This is why I like open-source encryption products. The source code is posted, it is peer reviewed, and you can compile it yourself from source if you have any doubts. I have a pretty good trust in TrueCrypt and PGP, but even with TrueCrypt, you will want to make sure the files you want to protect are NOT automatically mounted on boot, as there are forensic kits out there that can scan the computer's memory on boot through a FireWire exploit to glean the keys from memory.

In fact, one of the safest methods in my opinion is to TrueCrypt a drive, then create a second virtual drive inside of that one, hide the encrypted file way down in the operating system somewhere and give it a .DLL or similar system extension. By doing this, you are effectively obscuring the obscured. If you have a drive that is encrypted, then they know you are hiding something. If they want in bad enough, they will get in. However, if you have something you want to hide, and you hide IT inside of something that is hidden, you at least can give yourself plausible deniability.

One more comment on all of this, apparently the Android OS Pattern Lock security is very secure as well, per this story - http://news.yahoo.com/blogs/technology-b...-192617057.html

And finally.... it really all comes down to what I call the "The Principal Rule of all Thievery is covetry. something. You cannot steal what you do not know exists."
|
#261813 - 07/12/13 04:29 PM
Re: Why you don't use large vendors computer encryption
[Re: haertig]
|
Carpal Tunnel
Registered: 11/13/06
Posts: 2989
Loc: Nacogdoches, Texas
|
I use Mac and I followed Apple's security guidebook to make it more secure. Is there a reason for me to be concerned?
Jeanette Isabelle
_________________________
I'm not sure whose twisted idea it was to put hundreds of adolescents in underfunded schools run by people whose dreams were crushed years ago, but I admire the sadism. -- Wednesday Adams, Wednesday
|
#261817 - 07/12/13 04:56 PM
Re: Why you don't use large vendors computer encryption
[Re: haertig]
|
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
|
I'm sure Microsoft is not the only big-player doing this.

Unfortunately, as much as they want to do damage control, these companies are legally gagged from really talking about it.

Redacted

Although suspected for a long time, these recent revelations confirm that you should assume that all emails, chats, telephone calls, SMS text messages, Facebook posts, Tweets, even Skype videochats, are being logged and stored. Doesn't really matter if you're using services from Microsoft, Google, Yahoo, Facebook, Verizon, AT&T, Vonage, etc. The NSA claims that they have procedures in place to avoid collecting the information of Americans because NSA is prohibited by law from domestic operations and "spying" on Americans, but c'mon, who are they kidding? It's only been about a decade since this kind of information collection was considered totally unacceptable by these same agencies.

We're all familiar with the housing bubble and the tech bubble, etc., but we totally miss the intelligence gathering bubble that has grown since 9/11. Government agencies have swelled and hundreds of private companies have sprung up in the name of gathering "intelligence". Granted, much of it is directed towards overseas threats, but so much of it is putting friends and family under the microscope, too.

I'm particularly disappointed that the government has forced Microsoft to build some sort of "back door" into Skype. When it originally came out, its automatic use of strong encryption and the decentralized peer-to-peer nature of its routing made it an attractive alternative for communication.

Even good old postal mail is not immune. Largely due to the anthrax attacks, the information on the outside of every piece of mail is scanned and recorded now by the USPS and the information stored forever.

I think we'll have to go back to Cold War tactics to communicate with friends and family now. I'll have to start scouting out "dead drop" locations to pass secret messages.
Now where did I pack away that trench coat and Fedora hat...
Edited by chaosmagnet (07/16/13 09:53 PM) Edit Reason: Inappropriate political commentary
|
#261818 - 07/12/13 05:02 PM
Re: Why you don't use large vendors computer encryption
[Re: Bingley]
|
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
|
From now on I'll type out all my ETS posts on my antique typewriter and keep them in a drawer, under lock and key! Speaking of typewriters, although the purchase decision was made a year ago, it just recently was reported in the news that the Russian Federal Guard Service (protects high ranking officials, sort of like the US Secret Service, I think) has purchased a couple dozen specialized typewriters from Germany. Each has its own slightly different typeface, so leaked documents can be traced back to the originating typewriter.
|
#261819 - 07/12/13 05:08 PM
Re: Why you don't use large vendors computer encryption
[Re: Bingley]
|
Carpal Tunnel
Registered: 08/03/07
Posts: 3078
|
In the wake of the US surveillance scandal revealed by the US whistleblower Edward Snowden, Russia is planning to adopt a foolproof means of avoiding global electronic snooping: by reverting to paper.
The Federal Guard Service (FSO), a powerful body tasked with protecting Russia's highest-ranking officials, has recently put in an order for 20 Triumph Adler typewriters, the Izvestiya newspaper reported.
Each typewriter creates a unique "handwriting", allowing its source to be traced, the report said.

Looks like the NSA are going to have to get their hands dirty once more. They may have to begin rummaging through latrines in Eastern Europe to collect typewritten documents due to a shortage of lavatory paper back in the 1980s once more.

Sending secure encrypted email using burst radio transmissions might be handy in an emergency
http://www.youtube.com/watch?v=5nBqKGKSLe0

I already have PGP installed on Thunderbird.
https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages

The problem is that recipients have trouble reading the email messages if they haven't installed the Thunderbird PGP plugin.
Edited by Am_Fear_Liath_Mor (07/12/13 05:09 PM)
|
#261820 - 07/12/13 05:13 PM
Re: Why you don't use large vendors computer encryption
[Re: Jeanette_Isabelle]
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
I use Mac and I followed Apple's security guidebook to make it more secure. Is there a reason for me to be concerned?

Securing your computer from attacks and break-ins is one thing. And you need to do that, as you have already done. However, if someone DOES manage to get your data despite those security precautions, that is where encryption comes in. At that point they have your data, but they can't read it because it's encrypted.

Do most people have data that needs to be encrypted? That depends. I would personally recommend encrypting things like tax returns, financial data (e.g., your user data files from a program like "Quicken"), etc. If you have a list of username/passwords that you keep in a file on your computer then IMHO that should be encrypted too. I also feel the need for encryption is much higher for a laptop than a desktop computer. Laptops are stolen all the time. Desktops, not so much, unless they happen to be stolen alongside a bunch of other stuff in a house break-in.

If you store files on one of the online backup "cloud" services, I think that needs to be encrypted too. But not using the storage provider's encryption. This thread illustrates just how little you can trust the providers of that service. Do they have backdoors into their encryption schemes? Well, Microsoft certainly does. 'nuff said. That was my point in starting this thread. To make people aware. Encrypt your data separately yourself, using open source encryption, before it gets uploaded.

Personally, I like and trust TrueCrypt and PGP. Somebody else already mentioned these two. They are open source, free, and well vetted.
|
#261821 - 07/12/13 05:21 PM
Re: Why you don't use large vendors computer encryption
[Re: Arney]
|
Carpal Tunnel
Registered: 08/03/07
Posts: 3078
|
Each has its own slightly different typeface, so leaked documents can be traced back to the originating typewriter.

Are we allowed to mention

No, we're not
Edited by chaosmagnet (07/16/13 09:53 PM) Edit Reason: Inappropriate political commentary
|