
Laura Poitras on the Crypto Tools That Made Her Snowden Film Possible - antimora
http://www.wired.com/2014/10/laura-poitras-crypto-tools-made-snowden-film-possible/
======
s_q_b
Comforting to see my own privacy stack is almost exactly the same:

Tails running specially configured Tor (five hop circuit, permanent guard
nodes, and routes through countries unlikely to cooperate with one another),
GPG for email, OTR for IM, Signal for mobile, and True Crypt + Apple disk
encryption.

Funny thing is, I don't even have any particular use for it other than kicking
around vulnerability and security discussions with friends and colleagues that
I highly doubt anyone is even trying to intercept. But it is very comforting
to know that it's the same set of tools relied upon by those with something
highly significant at stake.

~~~
iwwr
>five hop circuit, permanent guard nodes, and routes through countries
unlikely to cooperate with one another

Won't that make your circuits more predictible as a consequence?

~~~
domenzain
Assuming not all the machines are compromised, the longer the path, the less
likely any agent is to follow it along in its entirety. Even if the whole path
were compromised (but by different antagonistic parties) this would still
hold.

------
diminoten
Oh hey look, TrueCrypt.

Despite the more vocal members of the security industry basically hating the
software, it turns out to be one of the few tools folks have successfully used
to maintain their privacy.

~~~
tedunangst
Did it? Seems like a claim that could use some elaboration. In what way would
her privacy have been compromised by not using truecrypt? How do we know her
privacy wasn't compromised despite using truecrypt?

~~~
diminoten
The same way we know unicorns aren't real -- we have no evidence to think so.

~~~
noinsight
Absence of evidence is not evidence of absence.

~~~
tptacek
Greenwald and Snowden also used Cryptocat in Q1 2013. Now, there's no
_evidence_ to think that NSA decrypted all those messages... but in Q1 2013,
Cryptocat was breakable; by NSA in June, and by _anyone with a laptop_ from
May all the way back to October 2011. These attacks are passive. If you've
been hoovering up all the raw Internet traffic, you can go back through your
archives and decrypt all the Cryptocat traffic from those time periods.

So my point being, when your adversaries are nations, there usually isn't
going to _be_ "evidence" that your comms were decrypted, at least not until
you're indicted. You're right: that doesn't mean it didn't happen.

I don't think anything interesting happened with Truecrypt, though.

~~~
diminoten
This is a great argument in favor of wild speculation and fear mongering, but
in no way does it follow from any rational line of thought.

Besides, "anyone with a laptop" hasn't been "hoovering up all the raw Internet
traffic", and frankly the NSA hasn't been either.

Again, there's wild speculation, but there's no evidence. Again though, here
you are preaching the fear and the wild speculation.

~~~
tptacek
I'm not sure I follow. Let me connect the dots:

1\. Stipulate that NSA is hoovering up all of Internet traffic, that being the
motivating reason why people want encrypted messaging tools.

2\. Cryptocat hosted egregious cryptographic errors for several years.

3\. Those errors made it trivial for NSA, given a pcap file containing
Cryptocat traffic such as would be generated by a Narus box, to decrypt and
read Cryptocat messages.

4\. Greenwald and Snowden used Cryptocat during this window of time.

5\. Even if NSA didn't care about Cryptocat, Snowden, or Greenwald in June
2013, the vulnerabilities we're talking about allow them to retroactively
decrypt those messages today, now that it's obvious that those messages were
worth reading. We aren't talking about flaws that would let NSA MITM
Cryptocat; we're talking about the worst possible vulnerability in a
cryptosystem: retroactive arbitrary message decryption.

Which of these assertions to you dispute? We can go into lots more detail. I'm
pretty familiar with Cryptocat's code[1], and I'd consider Steve Thomas a
friend, in that he's been to my house a couple times and I gave a Black Hat
presentation with him which in part involved Cryptocat.

[1]: _31580544b27c10736ebe1bdd05a56d96c486823d563d4493c317548976c3d8db_ \--- I
had to write my own CC client to get this, which is 2 hours of my life I'm
never getting back :)

~~~
diminoten
That's all very interesting, and the only thing I dispute is (1), where I'd
just say I don't think we have any direct evidence that the NSA is literally
logging _every_ packet sent anywhere within the US. Maybe some indirect
evidence, but nothing that points to all the packets.

I think your source of confusion is related to the association you may have in
your mind between me and Cryptocat, though in actuality there is literally
none. In my previous comment I was referring to TrueCrypt, not Cryptocat.

As for your citation, what's that for?

~~~
tptacek
What's the point of an encryption tool that only works if your adversary can't
see your raw packets? That's like a health insurance policy that only pays out
if you never get sick.

 _Later: sorry, I missed the other question you had; here 's an answer:

[https://hn.algolia.com/?query=author:diminoten%20cryptocat&s...](https://hn.algolia.com/?query=author:diminoten%20cryptocat&sort=byPopularity&prefix&page=0&dateRange=all&type=comment)
_

~~~
diminoten
I think you've mentioned CryptoCat more than I have in this conversation, and
someone I know (and you surely adore) once said, "Fun message board trick:
someone says something dumb about crypto? Search for their name and
“cryptocat”."

If I gave you/anyone a TrueCrypt volume, could you/anyone crack it? No? Then
stop trashing it. It's that simple.

Edit: I'd just like to say I'm glad you're developing a sense of humor
regarding our conversations. I was worried you were a robot.

