Re: "I Write Mass Surveillance Software"
On Wed, Sep 16, 2009 at 5:01 PM, Rich Jones <rich@anomos.info> wrote:
http://www.reddit.com/r/IAmA/comments/9kwph/i_am_a_guy_who_writes_covert_sof...
Thoughts?
Also, I realized that two of the posts I've made to this list have now been reddit-related. Sorry about that. But I'd really like to know what you all make of this. He doesn't give very many specifics, unfortunately. What do you think his 'sidestepping' is?
R
Well, I'm not entirely convinced that this guy is legit, or if he is that his equipment is really as powerful as he implies. On the other hand, I've only been casually studying cryptology for a few years, and in that short time I've encountered more mind-blowing "you can do that!?" moments than I can count on one hand (in binary).

Everyone knows that there are side channels in any system if not properly and carefully implemented/operated. DNS lookups, search bar suggestions, software update checks, etc., all have the potential for subverting your privacy with Tor by not using the configured proxy settings. Based on a bunch of the comments, I'm going to guess this sort of thing (and probably many other equally simple but largely non-obvious channels) are a big part of what he does (assuming he does it).

I think he (or someone else) also implied that traffic analysis is a big part of it. This has been another one of those "holy crap!" fields for me; the idea that an intelligent and diligent person can uncover a significant amount of information from encrypted communications without even breaking any of the encryption, is surprising but apparently very realistic.

Lastly, I can't help but recall the early years of modern crypto, when the public/academic sector was impossibly far behind the more clandestine government/military sector. We like to think that this has changed, but we can't really be sure, can we? I feel fairly comfortable putting a good amount of stock in modern publicly available cryptography, but then again I'm not doing too much that could get me in trouble if I'm wrong, so it's not a high wager. My point is that I personally wouldn't put it completely outside the realm of possibility that a government agency has the capacity to just straight up break modern public cryptography. I think the poster pretty explicitly denied this, but then again, he would, wouldn't he?
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Participants (1): Brian Mearns