On 07/09/13 17:38, David Bolton wrote:
Hi Anna (& list)
Unfortunately, I'm not sure that a cryptoparty quite cuts it any more, in this post-Snowden world. It all feels a little too "last year".
Besides, what would we teach people?
We could watch the X files, that would cover the "trust no one" concept
As the various articles have revealed, actually using PGP/GPG is simply a flag to the spooks to monitor you even more closely. Personally, I don't really trust any of the PGP versions released this century (I used DOS PGP in the 90s - as part of my job - but v3.6.3i is the last one I ever published a key for). Even Phil Zimmerman no longer uses PGP - as he stated in this interview last month: http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-proble... GPG might be more secure, but I've not messed with it since last year, when I found that the key generation module in GPG4Win wasn't working properly.
GPG offers strong algorithms but they are not used by default due to backwards compatibility with PGP users (that argument could well be something created by the NSA)
We've known for a while that SSL can't be trusted on mobile browsers - as the telecoms providers perform a man-in-the-middle decrypt/re-encrypt on the stream (ostensibly so they can squeeze graphics to speed up page loading - but we now know who else gets to see the "temporary" plaintext). And the latest revelations show that VPNs can be cracked, if the spooks really want to look inside.
Modern SSL clients (mobile browsers or even free operating systems like Debian and Fedora) come with a bucket load of CA certs. The SSL libraries trust them all equally but the (insert your favourite bad guy acronym here) only need to compromise one of those 100 CAs in order to trick you.
I could even see TOR being rendered useless soon - as fewer exit nodes can be trusted (many will already be run by government agencies - the others are going to be raided one-by-one using whatever bogey-man excuse works best under the laws of the resident's country). The recent botnet surge on TOR is probably a sign of the end-times: http://arstechnica.com/security/2013/09/sudden-spike-of-tor-users-likely-cau...
Not just that - I already predicted in an earlier blog that with the extent of coverage they have in internet exchange points and cross border networks, the bad guys may be able to gain enough insight or use statistical methods to trace the real source of ToR sessions.
Online privacy/security is a massively complex topic - and (IMO) quite a fascinating one. There are many more techniques left in the armoury - OTR could be a useful one (maybe) - but many are not developed enough yet for use by "the masses", and are more like curiosities for academic study than practical tools.
If you've not seen it, read this piece by Bruce Schneier: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-survei...
But you are right, Anna, in that this is now a very hot topic. The Mailpile project, on IndieGoGo, is currently at 147% of its $100K funding target, with 4 days to go - and the comments show that donors are mostly concerned about email privacy: http://www.indiegogo.com/projects/mailpile-taking-e-mail-back
A cryptoparty may still be a good idea - but it might just have to be Cryptoparty Ver2 (post Snowden).
There is some value in it, even in going back to basics and helping people do something like using a map and compass instead of a smartphone GPS.