Message-ID: <CAJVRA1TYgV-na+hwZikm49F_ks-K+jj2Z0vnf53bH-UL4tTMkg@mail.gmail.com>
Date: Thu, 17 Oct 2013 22:03:00 -0700
From: coderman <coderman@...il.com>
To: catsandd0gz.dinosaursandwh0res@...hmail.com, 
 Full Disclosure <full-disclosure@...ts.grok.org.uk>,
 cpunks <cypherpunks@...nks.org>
Subject: Secure whistleblowing feedback / reporting
 systems in the content of compartmented information,
 endpoint security [was: [NSA bitching] [formerly Re: PRISM][]]

regarding the inability for NSA employees to report ethical violations
in a manner that did not assure retribution:

this is actually a somewhat difficult anonymity / privacy question in
the context of highly compartmented information and operations, where
knowledge of a subset of specific details is sufficient to imply
strong suspicion and scrutiny to a very small number of individuals...

... assuming you don't circumvent the apparently mediocre constraints
to this information in the information systems that contain it. ;)


---


while academically interesting, in all practical terms we should
render this question moot and provide absolute communication
origin[0], destination[1], and content[2] privacy to all network users
in all locations under all circumstances guaranteed by constitutional
law, prosecutorial discretion, and practical realities (read:
implementations resistant to Tailored Access Operations-like efforts
(NSA TAO / CNE related programs)).

this latter guarantee will require a bit more design, coding and deployment,
fun problems to solve![3]



0., 1.  "peer communication endpoint privacy" - this is a hard problem.
the existing implementations are not usable and insufficiently large
in anonymity set (too few users): zero knowledge high latency mail
like messaging mixes, even if the twitter mixes are pretty cool.

a proper solution would be datagram based, NAT busting, low latency
(read: sufficiently real-time for video and voice), the majority
protocol across the Internet and local intranets and ad-hoc mesh nets
and other networks,

in an implementation that resists all known general purpose (wide
scale) and specialized (highly targeted and/or weaponized bleeding
edge and/or privileged positioned) attacks.



2. strong encryption like: alligator wrapped forward secrecy intended
streams, and equivalent techniques, solve this problem.
clearly there is much work to do in the implementation and protocol
side of crypto integrity.  very, very much work...



3. "NSA TAO / CNE related programs" resistance is a very tall bar.
they rolled this out at DEF CON, of course. the soon departing .gov
Alexander rolled into town with some world class shit, no doubt...  is
it really going to be 33 years before we can talk about it?  for
better or for worse we won't have Snowden to disclose this
(http://cryptome.org/2013/10/26-years-snowden.htm) as he's too classy
to drop dox on specific field operations and highly technical method
and tools information. hmmm...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
