[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: "I Write Mass Surveillance Software"



On Wed, Sep 16, 2009 at 5:01 PM, Rich Jones <rich@xxxxxxxxxxx> wrote:
> http://www.reddit.com/r/IAmA/comments/9kwph/i_am_a_guy_who_writes_covert_software_that_runs/
>
> Thoughts?
>
> also, I realized that two of the posts I've made this this list have now
> been reddit-related. Sorry about that. But I'd really like to know what you
> all make of this. He doesn't give very many specifics, unfortunately. What
> do you think his 'sidestepping' is?
>
> R
>

Well, I'm not entirely convinced that this guy is legit, or if he is
that his equipment is really as powerful as he implies. On the other
hand, I've only been casually studying cryptology for a few years, and
in that short time I've encountered more mind-blowing "you can do
that!?" moments than I can count on one hand (in binary).

Everyone knows that there are side channels in any system if not
properly and carefully implemented/operated. DNS lookups, search bar
suggestions, software update checks, etc., all have the potential for
subverting your privacy with Tor by not using the configured proxy
settings. Based on a bunch of the comments, I'm going to guess this
sort of thing (and probably many other equally simple but largely
non-obvious channels) are a big part of what he does (assuming he does
it).

I think he (or someone else) also implied that traffic analysis is a
big part of it. This has been another one of those "holy crap!" fields
for me; the idea that an intelligent and diligent person can uncover a
significant amount of information from encrypted communications
without even breaking any of the encryption, is surprising but
apparently very realistic.

Lastly, I can't help but recall the early years of modern crypto, when
the public/academic sector was impossibly far behind the more
clandestine government/military sector. We like to think that this has
changed, but we can't really be sure, can we? I feel fairly
comfortable putting a good amount of stock in modern publicly
available cryptography, but then again I'm not doing too much that
could get me in trouble if I'm wrong, so it's not a high wager. My
point is that I personally wouldn't put it completely outside the
realm of possibility that a government agency has the capacity to just
straight up break modern public cryptography. I think the poster
pretty explicitly denied this, but then again, he would, wouldn't he?

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net