This would definitely be the level of security that falls under this statement from Snowden:
Q: Is it possible to put security in place to protect against state surveillance?
A: "You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place."
Further thinking along this line: most people in the world today are dependent on their phones and internet for information and communication. A lot of people suspected total listening capabilities and now we mostly know that's the case. But what if the NSA had total interference capabilities, as Snowden's quote implies? I suspect it does.
I've been finding HN to be a hub for all the facets, ideas, and fallout from this news. And the snowball of issues (privacy, gov't, business, foreign relations, international trade, future of the internet) is worrying to me. But what if it were suddenly gone?
And just as I had that thought, I started getting errors reloading this thread and the main page. Maybe HN is straining at the traffic, but what if some of that traffic came from somewhere else or some server was remotely hobbled? What if your ISP had "disruptions" of traffic to _your_ IP address, or your 3G/4G became spotty?
Imagine if someone with total knowledge could track the spread of keywords through networks (physical and social) and then enable "slow-downs" to keep the level of spreading below a critical threshold? If I didn't see all the articles submitted to HN or didn't have time to read them all because the servers crashed, then I might not be so alarmed at the situation.
We in the US and other European nations go on happily enjoying freedom to access all this information, unlike many countries, but would we know if or when we couldn't anymore?
Coincidence or not: when I tried to submit this, I got a message saying "Oops, our bad. If you see this a lot, shoot us an email at info@ycombinator.com. Be sure to tell us your IP. Sorry, news.ycombinator.com is currently unavailable. Please try again soon." Maybe I need to take some keywords out of the text...
When I told my grandparents (who now live in Russia/former Eastern Bloc) about what's happening in the US, they brought up this exact issue (with a less tech-oriented example).
My grandmother said that this was the most terrifying part of living in the Soviet Union. Since most of my grandparents were high up military (doctors, not soldiers), aerospace research, and medicine in the Soviet Union, they saw the reality of the USSR with a lot less propaganda. When they went back home or visited family in other parts of the country, they would immediately enter into a surreal world where the reality described by propaganda was starkly different from the reality they had experienced.
What's even more terrifying is that by nature of their isolation from international news sources and dependence on TV, most of America already lives in roughly this reality. The world as they see it is shaped by television.
Today was the first day of WWDC 2013 which announced iOS 7, Mac Pro, OS X Mavericks, and iTunes Radio. Strenuous traffic load is expected this time of year.
Yeah, not sure what I should think about HN when NSA surveillance threads had more points, but Apple announcement thread (MacPro) had more comments (and typical fanboy and haters comments).
"Unlike processors from Intel, Advanced Micro Devices or VIA Technologies, Loongson does not support the x86 instruction set. The processor's main operating system is Linux, while in theory any OS with MIPS support should also work."
Weird phrasing for starters. I mean that isn't how one would describe malware or a rootkit. I can't imagine hardware would be worth the effort if you can just as easily compromise the OS with physical access.
I just don't know what to make of this guy's story. He has no high school diploma, started out as a security guard and was then given a diplomat cover as a system administrator?
He further claims that his job as a systems administrator gave him access to NSA analyst intercept software which I find difficult to believe. I can't imagine use of the software isn't physically locked to a machine in a secure environment. You wouldn't expect a systems administrator to have access to everything, which he claims he had, everything is compartmentalized.
But unlike a rootkit, some HW listening device is resistant to OS reinstalls which I can imagine are pretty common with people that the NSA would target. And I can also imagine that it might be more 'cross-platform'.
Any experts firmware / low level OS hackers can chime in? I imagine this would be Windows focused, then I guess all bets are off. MS would surely cooperate.
Now what about an Open Source OS. NSA and DoD loves them some RHEL (Redhat Enterprise Linux). Would they pay RHEL enough to produce binaries that have backdoors in them? Yeah, CentOS compiles the sources and that's cool. But most organizations buy RHEL for support.
Well I would say they would be very stupid to do that as if it ever comes out it will immediately destroy their product.
Now, just like PRISM will most likely damage US companies using or offering cloud services, any revelation of an exploit that _could_ have been developed with cooperation from the manufacturer would destroy that company's business.
The hardware would have the backdoor, independent of the software. Think magicpacket http://en.wikipedia.org/wiki/Wake-on-LAN but with a hypervisor rootkit. At least that is what I would do.
Why did he not give even a small technical overview on what they are capable of? He should've been able to given he has a lot of technical expertise and it would've helped his evidence a lot.
Did they figure out how to tap complicated SSL? Is it hardware based? He gave no hints but could have easily.
Instead it's this blanket statement that's supposed to imply that all encryption is pointless.
This is not my area, so excuse the ignorance, but this statement:
A: "The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards."
Specifically the part about 'all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards'. Does that not imply they have found a weakness in TLS/SSL? Once the information is transmitted (say my Facebook password) to an https endpoint it is already encrypted, no? So them 'sniffing'/intercepting the packets would do no good, unless they could decrypt them.
He was a sysadmin and he didn't finish high school, let alone receive an actual technical education -- he's said a lot of very difficult to believe technical things. I don't mean to imply that only educated people know anything important, but unless he just had an amazing aptitude for learning this stuff on his own, I find it plausible that he had only a slight idea of how consumer encryption works and he actually didn't know what he was looking at when he saw whatever made him leak. Who knows without his documents -- I could be all wrong.
At some point I think he claimed that he could've copied the list of all US intelligence assets, even those undercover. Well, given that the NSA developed selinux to compartmentalize filesystem access in such a way as to make such a breach difficult, I am not sure how to reconcile his statements. I also find it beyond belief that a contractor could actually access what he claims he could've.
Which would be trivial if they had agreements with the various mostly US providers to quickly get man-in-the-middle signed keys from their CA's.
Although this seems like it would be quick to spot since if you were watching certificate fingerprints change then you'd see the switchover and switchback.
I use the Cert Patrol plugin ( http://patrol.psyced.org/ ) and I've noticed periods of a few days to a week where SSL certs on major sites like google have changed rapidly. Usually they were all from the same authority so I didn't think much of it. But now I am even more paranoid. Thanks man.
Me too, I stopped using that plugin because Facebook and Google would constantly change their certificates, so I'd end up just clicking OKOKOKOK, never looking at the certificate, defeating the whole point.
At the time, I assumed it was just a snag with the umpteen layers of caching and content-distribution networks that they must be using. Now it looks quite a bit more sinister.
Yeah, I know nothing about this area (so this is just speculation, ignore it as such if you wish), but it seems getting a firehose feed of all traffic would be easier and less exposure prone, than getting every ISP to allow a MITM and having absolutely no one in the computer security industry notice. Don't get me wrong, I would prefer a MITM, at least then you know they haven't broken crypto that is widely believed secure, the alternative is a bit scarier :)
In what way is he a partisan? He has condemned as equally bad both the Bush and Obama administrations. When Bush was President, Democrats loved him because he regularly wrote scathing criticisms of Bush's overreaching actions, and now that Obama has carried on Bush's programs (and made them worse, apparently) and Greenwald's criticized him with the same level of intensity, Obama's supporters now seem to loathe him. Reading the things people send him on Twitter, it's disturbing how many people have an absolute hatred of him. It's such a coordinated attack against him, all repeating the same talking points, it brings this to mind:
When I read that I see Sam Harris attributing things like "honor killings" to the doctrine of Islam as if Islam is a monolithic entity. He's equating the extremists with the mainstream and that is exactly what the Islamophobes do - insist that the crazies are the ones who have the true interpretation of Islam and that the vast majority of regular Muslims don't count because they aren't crazy. It is kind of like saying that all Christians should be judged by the actions of the Westboro Baptists. The crazies get the headlines but they only define the fringe, not the mainstream.
FWIW, the one thing I can agree with Sam Harris on is that European integration of Muslims (and other minorities) is slow compared to the US because they have less of a commitment to freedom of speech. For all of our racial problems, the US does a better job of integrating immigrant communities because we have a culture of airing our dirty laundry, of hashing out our feelings - bigotry and all - and thus working through the differences rather than sheltering people from possibly being offended. It's ugly and frequently unpleasant but in the long run I think we reach a level of accommodation a lot sooner.
FWIW, I'm an atheist who married a woman from an immigrant muslim family although I've probably been in more mosques than she has.
That survey is flawed because it's based on culturally influenced beliefs of Muslims in tribal-based societies where the concept of honor has a higher precedence than religion itself. I believe you would find similar results among Christian and Jewish populations in the Middle-east. For instance, in Egypt, where I've lived for a considerable time, Christians and Muslims share practically the same family values with varying degrees. If a Christian woman and Muslim man, or vice-versa, decide to elope then either of them risk being honor-killed or at the very least disowned.
And similar concepts in certain parts of the US, e.g. the South. "Honor cultures"; correlates with nomadic heritage. Why you can call someone an asshole in NYC and they shrug it off, but south of Mason-Dixon they have to make something of it.
I think it's fair to say "religion X causes honor killings" if and only if X's teachings encourage them (by explicitly saying there's no spiritual punishment for them, for example). It's also fair to say that "religion X doesn't cause honor killings" if there's no correlation between religion X and honor killings. I agree that correlation on its own is never enough.
So: do the teachings of those with a mantle of religion-X authority, on average, encourage or discourage honor killings? This is not a question we should avoid asking just because we want to be nice.
I don't see any evidence that Sam Harris has got this wrong.
Good point about being nice vs. reaching a permanent accommodation.
Greenwald has written many things, most extremely valuable. I also am critical of his exchange with Sam Harris but that's one discussion in hundreds or thousands.
Thanks for bringing that up. I'd have to agree that Glenn Greenwald is an intellectual rotten apple. You don't accuse intelligent atheists of "racist islamophobia" if you're a good actor.
That said, he might just have an irrational us vs. them "liberals vs. racists" complex and be able to speak sensibly on other matters.
I took that to mean that they have exploits they can run once they which will let them take over your machine and install keyloggers etc. to report back any further activity. It wouldn't take much for them to purchase or develop a suite of vulnerabilities for all the major operating systems/browsers which they keep current, and once they have that any encryption is pointless as they can see what you see/type/hear. He mentioned it right after talking about seeing your machine on the network and mentioned hardware bugs separately.
Some major military contractors (Raytheon I think is one, BAH another maybe) were looking to hire security experts to find vulnerabilities. There is a robust black market for 0days and I can't imagine the govt. isn't interested in playing. Especially after the cyber-terror war drum has been beating for a while and Chinese hackers scaring everyone's grandmas (most likely articles seeded by PR agencies in preparation for a major contract award to a military industrial contractor).
I thought it was common knowledge that governments actively buy and use 0days? They certainly do, just look at Stuxnet's astounding and ham-handed usage of 4 0days (in the first version) for an easy example all the way back in 2010.
Interesting that he used the word "machines." I wonder if we're talking firmware hacks or even code in firmware that very few people are aware of. Could Intel say no to a NSL without breaking the law?
This doesn't make sense to me. There are two main stages to having your data analysed by such an organisation.
In the first stage everybody's data is run through, let's call it, pattern matching, to narrow down a very specific number of cases that have the highest likelihood of doing, having done or planning "something".
In the second stage, you might apply more resources to gather more data from your suspects, for example, by planting bugs.
But if you avoid triggering suspicion in the first stage, you don't have to worry about their capabilities, you're just not on their radar.
You might then argue that anyone encrypting their chats would then raise suspicion. Ultimately, such organisations have a finite limit of human resources to apply, certainly not enough to deal with any wide-spread usage.
If this were to happen, think from those organisations' point of view. They need to stop it and can't scale to deal with every single case. You'll then find that encrypting your chat becomes against Google's T&C, because someone leaned on them. And round it all goes.
I was wondering the opposite: How do you get as many people as possible to trigger the match so that it becomes a losing proposition to do this sort of traffic monitoring.
I don't know, I mean that is a concern: If not enough people fake the attributes you'll get shit-listed. My answer is really that it would depend on the terms of the activity.
I've thought of a couple of ways of doing it.
One is that:
You need to be part of something, I think, that's in general use and automatically sends junk data that can't be read (i.e. encrypted nonsense) between its nodes such that being part of a network isn't distinguishable from the junk connections that the program makes on its own.
The other way I can think of is that:
you have all communications public but encrypted and posted in one (or several depending on the throughput of the service) online bins. Since many people access the same bin and download the same data but can only read their own the meaning of the message becomes dramatically more worthwhile than the traffic-a stuff.
....
The second one might actually - kinda - be being done already in some form or another now I think of it. Encrypt your message, steg it into a meme-pic, stick it on a popular forum. Since the forum is accessed by thousands of people the knowledge of who it's downloaded by doesn't get you very much :/
I've long thought that NSA and CIA would be buyers of access to botnets with backdoor access to people's machines in the US and abroad. You can buy surreptitious installs of your own malware from other malware providers very cheaply - usually under $1. $300 million and you have the whole US covered. It wouldn't surprise me a bit if there is a budget for this, with agents actively interacting on forums, buying (and supporting) certain areas of the cybercrime economy.
Or you know, he's referring to actually physically bugging the machine with a hardware keylogger. Which, for someone you're interested in, is way more reliable than simply hoping they're still using unpatched Windows.
That seems like a lot of work and far more targeted than would be consistent with their recently revealed MO (although I am certain they do this in limited instances where "necessary"). These programs seem to have a primary aim of maximum efficiency and mass surveillance. Deploying hardware doesn't seem to fit that description.
I think he's referring to how the CIA was able to get the Stuxnet/Flame worm to disrupt the Iran nuclear centrifuges.[1] If the CIA or NSA want to put a virus on your machine, they can. Easily.
They can literally plant a worm or virus anywhere they want, because humans make mistakes. Heck, imagine they have hacked into the Windows auto-updater somehow and your own computer downloads and installs software on the first Tuesday every month without you even doing anything.
It seems they would have to specially target you though, basic encryption can evade the passive dragnets. Which is most of the problem - we don't want our free speech of 2013 coming back to haunt us in 2023.
This talk about "bugs" in machines makes one wonder if that is related to why Intel was one of the companies mentioned in a recent article. Intel stands apart from the rest of the companies. Google, Apple, Facebook don't specialize in hardware.
How would you implement a decent backdoor in your hardware? Would it be supported by software? How do you force the TCP/IP stack of someone's FOSS operating system to send unwanted data?
IMHO he was referring to some backdoor in software. How about a nice ubiquitous piece of software? Windows? JVM?
While it's a bit tinfoil hat, it's not impossible that there could be hardware backdoors in processors or other hardware triggered by very specific sequences of packets.
What would be hard is also making sure that packet sniffers in the middle wouldn't be able to detect it. Especially with all the varieties of router hardware. Are we going to have a backdoor in all of them that prevents passing on that data?
And you know, given the tens of thousands of people involved in chip design, are we to think that absolutely no one, anywhere, would've leaked that there was some anomalous circuitry in the chip designs which they were told not to worry about?
It could also be added in the firmware, either during manufacture, or via zero-day exploits in the firmware. The largest entries in /lib/firmware are all for network cards. Since the NIC has DMA access and can interrupt the CPU, the NIC firmware could be used to attack the OS.
There's still the question of packet sniffing by an intermediate device. The attacker would need to control (the network interfaces of) every device in the chain, use the ability very rarely to avoid detection, or hide data in packet metadata that is later decoded by interception equipment. This third option is probably fairly straightforward on any NIC with TCP checksum offloading.
"We can plant bugs in machines" doesn't mean that they can do it remotely. That would actually be a serious serious backdoor and would put all kinds of businesses in mortal danger - banking, credit card, online shopping, etc.
Imagine what one rogue NSA employee can do with that kind of backdoor access.
So ENCRYPT EVERYTHING, and don't believe this propaganda. If your hardware has a backdoor, you're fucked no matter what, but businesses are fucked much much more.
> So ENCRYPT EVERYTHING, and don't believe this propaganda.
One of the best things you can do to improve your OPSEC is to stop believing in meaningless panaceas like "ENCRYPT EVERYTHING". There are many weak points in cryptosystems beyond the algorithms (key generation, management, and distribution famously come to mind), and many weak points in data security systems beyond cryptography.
Spouting meaningless catchphrases doesn't help anyone.
I see no reason that this couldn't be true. There are probably many checkpoints to access the backdoors. The reason they don't use it is because once they admit it, there would be a huge backlash
Assuming all hardware has backdoors (an unlikely scenario) and giving up basic encryption that can protect you in case when there are no hardware backdoors (a likely scenario) is counterproductive.
I see no reason that Zeus shouldn't exist. Should I be worried that he would strike me with lightning? Not until I see evidence of Zeus existing.
It's worse than that. It uses a questionable javascript crypt library (written by a former twitter dev, not a cryptographer) and a fixed IV derived from the password which is re-used for each message. This is "oh I read the wikipedia article on AES" level cryptography deployed against people who would have written the Wikipedia entry if not for the fact that what they know is probably not public.
Better idea: Just make a plugin that uses OTR[0]. Don't try to roll your own crypto, especially when you are up against people who know what they are doing.
[0] http://www.cypherpunks.ca/otr/
There are 64 bits of randomness (however, they come from Math.random which is not so good...).
The encrypted text produced by this has a distinct signature - all messages will contain "U2FsdG". Here's how we break this if you're Google/can force Google to do stuff:
1) Detect messages containing that OpenSSL 'magic number'
2) If detected, push something like this:
// Should check to see if GibberishAES exists to avoid errors if it doesn't...
// Grab target function as a string
var keycode = '' + GibberishAES.openSSLKey;
// Inject something evil
keycode = keycode.replace('key = result.slice(0, 4 * Nk);','key = result.slice(0, 4 * Nk); for (var pos = 1; pos < 4 * Nk; pos++) { result[pos] = 0; };');
keycode = 'EvilGibberish = {}; EvilGibberish.openSSLKey = ' + keycode;
// Execute the modified code to generate the new object
eval(keycode);
// Replace the 'good' keygen routine with the 'evil' one
GibberishAES.openSSLKey = EvilGibberish.openSSLKey;
This will zero all but the first 32 bits of the AES key, allowing easy brute forcing.
Note that this is based on something I wrote for a CTF, and I haven't tested it specifically against GibberishAES, but the technique works.
It's definitely a questionable javascript library, I wrote it back in 2008 after reading the wikipedia article :)
It was designed to interop with OpenSSL's default command line AES crypto, which has some weak points, mostly around the IV selection.
That being said, the biggest weakness will always be that it's running in the browser and open to injection attacks.
But while I think there's definitely better crypto chat solutions out there, it's nice to see people taking an interest in the subject. And let's not kid ourselves, the vast majority of NSA data collection is probably less about sophisticated encryption attacks, and more about the clever application of political/police powers.
If you're asking that question, and really aim to write crypto safe from the NSA, then I think you have a lot more learning to do. Just naming off a different mode isn't going to cut it.
The Matasano crypto challenges seem to be popular lately. That would be a decent place to start.
I'm happy with AES and I don't want to write my own crypto.
I was asking for a better AES javascript library, because I found a couple of different js AES libraries, but, as you said, I don't know anything about cryptography, and I wanted to know if some are better than others.
You don't need a better AES implementation (well, you probably do, but that's just the start). You need higher level primitives. There are a thousand ways to use AES, and most of them are insecure, including your implementation.
Your implementation is vulnerable to MITM attacks. That will be the case no matter which AES mode you choose.
You are on the tip of the greatest problem with modern cryptography, which is that there is no real way for widespread confidentiality to be created without trusting a third party such as a CA. But once you trust a CA, then you become vulnerable to the backdoors available through the CA community (not just one CA.)
Personally, I'm hoping for a bitcoin-like protocol (such as namecoin) to create a peer-to-peer trust network for distributing public keys.
PKI is only useful when the roots are truly trusted and tightly controlled (or even supervised with highly transparent audit programs). The current generation of Internet CAs don't even come close - they are not trusted by anyone except themselves, and they sure are willing to take your money if it'll make you feel better!
Wait, you're trying to beat NSA by writing your own crypto? This is worse than useless :), all you'll do is flag that communication for further research (which the NSA will then break within a couple of hours if need be), at least with plain text you'll stay in the noise of the masses.
I don't want to beat the NSA, I was just asking for a better javascript AES script.
I have nothing to hide, that's why I would be very happy to get out of the noise of the masses and make the NSA waste a couple of hours :)
While this is a nice effort, why use Google Talk at all for chatting if you're going to do all this effort (per user configuration etc) if you could just use an XMPP client with OTR[1] support, or use an XMPP server you can trust?
Yeah I remember using OTR on kopete when I was in college. I had one instance opened on my laptop and the other on my PC. It was pretty cool and easy to set up. What wasn't easy was finding anyone I knew to talk to with besides the few other linux nerds at school.
Nobody is using this solution either, and setting it up is harder than setting up OTR (provided your conversation partner is already using an app for XMPP).
I can explain to my girlfriend and brother how to enable and configure OTR. I would have a hard time getting them to execute the instructions for this addon.
I like this, but the easiest way to do this without pretty much any configuration is to log in to Google Talk with a Jabber client that has OTR support, such as Adium or Pidgin.
Why use Google Chat at all when there're a lot of 3rd party community-run jabber servers available? Then you can use any client you want and get a level of protection you desire (including OTR).
Probably not gonna happen, but it would solve so many problems with public key crypto. Key distribution? No problem, tie your public key to your gmail account. Need to communicate with someone? Just send them your public key. Google would verify that key X belongs to mail Y, another problem solved. Mix it together with some javascript library (source code available by design) and you have almost perfect and simple to use public key crypto for the masses. Oh well, time to wake up….
Except for the minor issue that, in the context of PRISM, the NSA mostly collects metadata - who corresponded with who, when and how much.
Public key cryptography is great for this, because it means if you match one person to a key, you've then reliably matched every message they sent and have fairly strong proof it's the same person.
Both Google and Facebook are in an excellent position to actually bring public key crypto to the masses in a usable, it-just-works kind of way. But of course both have every incentive not to do it.
I thought Google were being fingered as complicit? I wouldn't trust them, even if they totally super-secret pinky promise they're not handing everything over, honest!
Why doesn't Google up the security in its own apps? The government may "force" them to provide access, but can it "force" them to remove safeguards like encrypting email/chats/etc? Even if they just gave us the option to check a box, and it wasn't on by default. The problem I'm seeing with all these solutions is that they're very specific to two users, they both need to have everything set up. Well, great, the NSA will see one less conversation when they peek through your stuff. I'd like to have ALL my messages encrypted.
Google, Yahoo, and Microsoft could all make the vast majority of email vastly more secure by implementing PGP-by-default. Send: You enter an email address, a little key appears beside it if it's recognized as having an associated public key, and a warning appears that the email can't be encrypted if an additional email address is entered that doesn't have an associated key. Receive: email encrypted with your public key is colored "green" (for "secure") and the from address is colored "green" if it's been appropriately signed. With (and, I'd argue, only with) a webmail client can PGP be rapidly deployed and almost completely transparent.
But, this would make "intercepts" far more difficult, now, wouldn't it ...
Yup, Google is doubtless completely in cahoots with the NSA.
... Really? Is that what you are thinking? Apply some rational thinking here. It's simpler than that. Google advertises to you based on the contents of your email. It is not in Google's interests to prevent themselves from being able to read your email, and if they can read it so can the NSA.
I don't understand why everyone seems to think this is an issue. It's as though the only alternative to the status quo is local host browser-level crypto.
The implementation I'm referring to doesn't preclude Gmail from reading emails it has of yours. It just means that only Gmail can read them, because only Gmail has your private key, a private key that's associated with two-factor authentication, and a private key you could optionally use elsewhere, too.
The idea that the biggest reason to have PGP is to protect ourselves from some nefarious gov't entity is silly, though in the longer-run it can definitely help make this happen. PGP/PKI affords incredible technological advantages. If webmail providers offered it, OpenID (etc., etc.) would become quickly redundant (e.g.).
This will only work for average email users if you can pull it off without ever using any of the industry language, or requiring anybody to ever actually do anything with a key. Find other descriptive language to use, and make it require zero extra effort, and you've got a winner.
We learn all the time how to do complicated things on the internet. Facebook isn't instantly trivial to use (though it seems that way now that we know how to use it). Neither is Google+.
The whole problem with PGP is that it's not worth learning to use because it depends necessarily on network effects. If Gmail deployed it, the network effects problem would immediately disappear. At first it would only work within the online webclient, obviously, and enabling it would have big consequences for how/whether client-based access (IMAP and POP) worked.
Most people aren't going to get themselves into webs of trust - and certificate authorities and webmail servers and the like can be compromised. The only thing you can vest any significant trust in, with NSLs and so on flying around, is what's on your computer.
And, if you want to be really sure, what's on a computer with no radio protected by an airgap into which you never insert removable media....
I'm not talking about deploying/using PGP to be secure from gov't (or Gmail) monitoring. I'm talking about its use in the context of 99% of normal interactions online. Yes, we wouldn't have tinfoil-hat-level security if it was managed by Gmail, Yahoo, etc. But we'd be lightyears further ahead in our ability to interact securely with others online.
I don't think having to sign into other websites is that much of a bother, nor that people are that motivated to talk to their bank or physician on a regular basis that would drive adoption of this sort of thing.
And in return you have to stick all your eggs in one basket, get what would probably end up being a single persistent online identity that goes under your real name (if it's tied to an email address you use for business stuff), and that's owned by a company and may not even be willing to give them back to you (would you even own the private keys if it was being implemented on the server?)
There's really an amazing lack of imagination here, both from a threat avoidance perspective and a potential awesomeness one.
The deployment model is this: one large webmail provider starts doing PGP by default via its webclient. Maybe it provides you with private keys, maybe it doesn't. Fact is that it doesn't much matter, because as soon as a large webmail provider starts doing PGP/PKI, the two biggest problems with adoption (namely, that there's no one to use it with, and it's kind of a pain to use anyhow) are basically solved. And as soon as this happens, there starts being a competitive market where providers can begin improving on each other's implementations. Any provider that doesn't give users their private keys won't have much of an ethical argument for doing so, and so it probably would, anyway. There will, as always happens, be a feature war, except with PGP involved some of that war will involve privacy/encryption/reliability concerns.
So, in practical terms, how would this be more secure than what we have now? The main crux of PRISM is that they have highly automated mechanisms of accessing user data from many major internet companies. If you store your private keys alongside that, what are you trying to protect against?
The point isn't to hide data from the NSA. The point is that widely-used PGP would be really useful for all kinds of reasons, but that we don't have it because it would be inconvenient for the NSA if we did (they wouldn't be able to read the world's email, e.g.).
In practical terms, it would mean we could talk with physicians, brokers, banks. We could sign documents. We could get rid of nearly all spam. I mean, the advantages of widely deployed PKI are MASSIVE. And the quickest way to get there is to have webmail providers deploy it.
I've been using encryption with Adium for a long time, but the problem I have is switching between clients (laptop and mobile) results in me seeing gibberish on the mobile side. I have yet to find a mobile client that supports encryption.
If you want to use the same key on both clients (which carries some additional risks if, say, your phone gets stolen, given that key is stored in plaintext) you may find the Guardian Project's documentation of different OTR key file formats useful: https://github.com/guardianproject/otrfileconverter
I might be missing something here, but where is the passphrase negotiated? Apart from calling or talking to the other person, the only way to define this common key that I can see would be electronically. Isn't this a bit of a problem?
I think a better solution to say hello to the NSA would be by sending a letter to your local senator (and other representatives) saying that you are not going to vote for them in future unless they raise their voice in the concerned house.
I'm sure they are more interested in who you talk to than what about most of the time. I would assume they want to track people close to persons of interest they know about.
Q: Is it possible to put security in place to protect against state surveillance?
A: "You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place."
(from http://www.guardian.co.uk/world/2013/jun/09/nsa-whistleblowe...)