Previously on "Lavabit"
-
Originally posted by SimonMac: I once had a Client who, when approached about sending sensitive information, said "It's ok, we use the password on the MS Word Document"
-
Originally posted by SimonMac: Everything that goes through BlackBerry goes through one of their NOCs; originally these were just in Canada, but they now have them in Europe too. GCHQ have approved BlackBerry for up to IL3 (Restricted). I know this as I overheard someone talking about it when I was detained by the Police.
-
Originally posted by amcdonald: That's ironic, as a company I know that is paranoid about security heavily uses BlackBerrys; supposedly they have some agreement with BlackBerry that nothing goes on, but I think they're kidding themselves.
It's about as useful as GCHQ getting Huawei to audit themselves over whether there are any rootkits in the telecoms hardware.
-
Encryption
The only form of encryption that I can guarantee the NSA can't crack by interception is a one time pad.
Generate a USB stick full of random noise.
For each byte in your message, XOR it with the next byte in the noise.
Only ever use one byte of randomness once, ever, so increment the pointer.
The data structure you send the client is thus a header saying where in the sequence you start, then data, then some extra crap to bulk up the message so that the interceptor can't say "aha, this message is longer!" Also, of course, you need to send messages at random intervals so they can't work out that "X happened after he sent this message".
The client has a copy of your USB stick.
Generating the random numbers is an interesting problem; give up all thoughts now of using the rand() function in whatever language you use.
The best thing to do is sample the sound card in your PC to produce a file of N billion randomish bytes.
When you have enough bytes, loop and XOR the file with new randomish numbers until you are satisfied it is random enough.
Then use an SHA or similar hash because you're paranoid, and finally, because you're really paranoid, run a loop that uses noise to choose pairs of values to swap within the large file.
That sounds a bit paranoid, but there are some patterns in the randomish noise you get from sampling a sound card that doesn't have a microphone attached.
Then visit the client, give them the USB, and entreat them to keep it really safe.
With the key, decryption is trivial and fast, though if you're a defence contractor you will need to make it look more complex to justify the bill.
This is because exclusive OR-ing undoes itself,
i.e. for all A and all B
(A XOR B) XOR B = A
Since there is no repetition or pattern in the key, and because the key is longer than the plaintext, it cannot be cracked at all. This is not a "life time of the universe" scale problem; it just can't be done, just like you can't count all the fractions.
The only way possible to hack this is if the bad/good guys intercept you without you knowing, or by some other means get access to the USB sticks or the machines it runs on.
Since you're serious about this, you don't just carry one USB stick with you, but N, which have to be combined to give the right key, this method existing only in your head: again XORing them, with some other process you can think up.
This also serves as authentication, since only key holders can encrypt in a way that can be decoded.
Ideally, you should send multiple keys by multiple routes as well.
Last edited by Dominic Connor; 9 August 2013, 09:14.
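The scheme in the post above, as an added worked example (not code from the poster or from anyone in this thread): a fixed-size frame carrying the true length, the plaintext and random filler is XORed with pad bytes starting at an offset that is sent in the clear, and both sides record which pad ranges have been consumed so that no pad byte is ever used twice. The pad is produced here with the operating system's CSPRNG (`secrets.token_bytes`) as a stand-in for the sound-card sampling the post describes; the 64-byte frame size, the 4-byte offset header, the 2-byte length field and the sample messages are all constructed assumptions for this example.

```python
import secrets
import struct

FRAME_LEN = 64                 # assumed fixed on-the-wire frame size; hides the true message length
HEADER = struct.Struct(">I")   # assumed 4-byte big-endian pad offset, sent in the clear
LENGTH = struct.Struct(">H")   # assumed 2-byte true length, stored inside the encrypted frame


def make_pad(n: int) -> bytes:
    """Stand-in for the post's sound-card noise: n bytes from the OS CSPRNG."""
    return secrets.token_bytes(n)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR equal-length byte strings. (A XOR B) XOR B == A, so the same call decrypts."""
    if len(data) != len(key):
        raise ValueError("key material must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, key))


class OneTimePad:
    """One party's copy of the shared pad plus the pad ranges it has already consumed.

    Sender and receiver each hold an identical pad (the post's USB stick). The
    sender advances a pointer; both sides refuse to touch a pad range twice, which
    is the property that makes the pad 'one time'. A two-way channel would need a
    disjoint region (or a separate pad) per direction.
    """

    def __init__(self, pad: bytes):
        self.pad = pad
        self.next_offset = 0   # sender's pointer into the pad
        self.used = []         # (start, end) ranges already consumed on this side

    def _claim(self, start: int, length: int) -> bytes:
        end = start + length
        if end > len(self.pad):
            raise ValueError("pad exhausted: generate and exchange a new one")
        for s, e in self.used:
            if start < e and s < end:
                raise ValueError("pad bytes %d-%d already used; refusing to reuse" % (start, end))
        self.used.append((start, end))
        return self.pad[start:end]

    def encrypt(self, plaintext: bytes) -> bytes:
        body_len = FRAME_LEN - LENGTH.size
        if len(plaintext) > body_len:
            raise ValueError("message longer than one frame")
        filler = secrets.token_bytes(body_len - len(plaintext))   # the post's 'extra crap'
        frame = LENGTH.pack(len(plaintext)) + plaintext + filler
        start = self.next_offset
        key = self._claim(start, FRAME_LEN)
        self.next_offset = start + FRAME_LEN
        return HEADER.pack(start) + xor_bytes(frame, key)

    def decrypt(self, wire: bytes) -> bytes:
        (start,) = HEADER.unpack_from(wire)
        ciphertext = wire[HEADER.size:]
        if len(ciphertext) != FRAME_LEN:
            raise ValueError("malformed frame")
        key = self._claim(start, FRAME_LEN)   # receiver also refuses a replayed/reused range
        frame = xor_bytes(ciphertext, key)
        (n,) = LENGTH.unpack_from(frame)
        return frame[LENGTH.size:LENGTH.size + n]


def demo() -> dict:
    """Constructed round trip: one pad on both sides, two messages, then a replay of the first."""
    pad = make_pad(4096)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    short_msg = b"Invoice paid"
    long_msg = b"Report attached, commercial in confidence"
    short_wire = sender.encrypt(short_msg)
    long_wire = sender.encrypt(long_msg)
    result = {
        "roundtrip": receiver.decrypt(short_wire) == short_msg
                     and receiver.decrypt(long_wire) == long_msg,
        "same_wire_length": len(short_wire) == len(long_wire),
    }
    try:
        receiver.decrypt(short_wire)   # same pad range offered a second time
        result["reuse_refused"] = False
    except ValueError:
        result["reuse_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The `used` bookkeeping is the part worth copying: the mathematics only holds while every pad byte is used once, so both the sender's pointer and the receiver's range check exist to turn an accidental reuse into an error rather than a silent weakness. The constant frame length is what stops an observer distinguishing a one-line message from a full report by size alone; timing, as the post notes, has to be handled separately.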
-
Originally posted by Ticktock: Is this news? A few years back BlackBerrys were not allowed at some companies due to the fact that all data would route via US servers, so they were considered insecure.
That depends on how secure you need to be, what the data contains, and who the data belongs to.
If it needs to be fully secure then it should not be passed anywhere online.
If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.
Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.
-
Originally posted by Ticktock View PostIs this news? A few years back Blackberry's were not allowed at some companies due to the fact that all data would route via US servers, so was considered unsecure.
That depends on how secure you need to be, what the data contains, and who the data belongs to.
If it needs to be fully secure then it should not be passed anywhere online.
If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.
Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.
It's about as useful as GCHQ getting Huewai to audit themselves over whether there's any root kits in the telecoms hardware
Leave a comment:
-
I once had a Client who, when approached about sending sensitive information, said "It's ok, we use the password on the MS Word Document"
-
Originally posted by scooterscot: So that's that, it's as good as national print; if you send any message that passes through the US, it is as good as read.
Originally posted by scooterscot: If you have a report you need sending to a client marked 'commercial in confidence', how would you send it?
If it needs to be fully secure then it should not be passed anywhere online.
If it's information about your Ltd, then do you really think the US are going to be interested? It's unlikely they'll want to use that info for a commercial advantage.
Security is all about scaling as appropriate. The more secure you need to be, generally the less convenience you'll have.
-
I used to have an anonymous email address through anon.penet.fi but that seems to have shut down some time back.
-
Still, at least they don't spy on their citizens as much as the UK; you can sleep soundly at night now.
-
Lavabit
So that's that, it's as good as national print; if you send any message that passes through the US, it is as good as read.
If you have a report you need sending to a client marked 'commercial in confidence', how would you send it?
BBC News - Snowden link to Lavabit encrypted email service closure
An encrypted email service thought to have been used by fugitive US intelligence leaker Edward Snowden has abruptly shut down.
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.