PDA

View Full Version : A somewhat more secure method for text chatting on the Web than Skype or iChat



Paul
6th January 2015, 05:29
I've been looking for sometime for a way for ordinary, non-geek, Web users to text chat, that was more secure than Skype or iChat or anything that the Avalon forum can provide.

Skype and iChat are proprietary systems owned by the "big boys", so presumably the "big boys" can capture whatever they want to capture.

All posts and PM's on the Avalon forum are sent over the Web as plain text, so presumably the "big boys" can easily capture whatever of that they want as well. Using https rather than http would make such capture more difficult, but due to technical limitations of the vBulletin software we use, we are unlikely to be able to provide https. Ilie has spent considerable effort on this, with the conclusion that it is not likely to happen.

For a while, some of us on the Avalon moderators team worked with unseen.is, and some mods still have active accounts there. That's probably more secure than Skype, but due to the proprietary nature of unseen.is, it is quite difficult for me to know just how much confidence we should place in their security.

I have now just starting trying another alternative, that offers an improved likelihood of being reasonably secure from all but the most determined black ops efforts. Of course, if they really want your data, they can sneak into your house and plant secret bugs on your hardware, or even kidnap you for a few hours, drug you, extract what they want, wipe your mind, and return you to a confused awakening in the morning.

The key piece of technology is called ChatCrypt. It is a simple (perhaps I should say primitive) text chat facility that works in any reasonably current browser, and encrypts all messages in the browser before sending them out. Nothing is saved or stored along the way, and only those in the same chat room, online at the same time, will ever be able to decode the message and read it.

Anyone can use the facility - go to https://www.chatcrypt.com/ and create a 'chat room' (any unique name), give yourself a name to use in that room, and create some really random looking and long (I'd recommend at least 20 or more characters) password. Send that password to those you want to chat with, and the name of the chat room you made up. They login to the same chat room, using the same password, and whatever login name they want, and all are able to text chat with each other. The interface uses a separate window/tab in your web browser.

The key remaining problem is how to share that password, without it being logged by the NSA's massive computers while it passed over the Web as plain text. One way to solve that problem would be for everyone in your group to get $10/year accounts on fastmail.com, which allows moderate use of sending email back and forth (using a most excellent web interface via https). If both sender and receiver of the message are on fastmail.com, then the email message will never have to go over the Internet as plain, unencrypted text that the NSA can easily capture and store. I am a long time user of Fastmail.com and I recommend it highly -- the best email provider on the planet in my view.

But if you have other ways to share the chatcrypt.com password secrectly, or if you decide its not worth the worry and send the password one time over the Web in some way that probably can be easily read by the NSA (Skype, iChat, email, Avalon PM, ...) then that's probably still more secure than using Skype or iChat directly, as at least your actual chats are encrypted, and only if "they" bother going through all their captured data for you to find that message you sent your friend with the password will they be able to decode your encrypted chat messages.

Paul
6th January 2015, 05:36
Generating a good and actually random password is important for the level of security of the above. There are several online websites that will do this, using calculations locally on your computer (Javascript within your own browser). See for example https://lastpass.com/generatepassword.php. Here's a 30 character long password I just generated there: UaljySsXnLG3xC4inlSzkTHT9Vb06H

A Voice from the Mountains
6th January 2015, 06:41
The NSA can crack anything. TOR, any kind of encryption, anything. If it's too much work to do remotely then they just go to the companies hosting the servers and threaten lawsuits if they're not allowed to install logging software directly onto the servers themselves. Trying to hide your messages really well only makes them that much more interested in reading them.

The best thing to do is hide in the open. If you have something bad to say about the government, for example, then I suggest you just say it anywhere and everywhere and forget who may be reading it. I'm sure we're both already on some kind of list. If Snowden's leaks are accurate (as they apparently are by implicit NSA admission) then the NSA alone wiretapped or otherwise illegally gathered data on 100,000,000 Americans. That's about 1 out of every 3 people in this country.

I feel like if we have to try to go into hiding to communicate then we've already lost. With endless budgets and the way they recruit the best hackers to work for them, you'd be hard pressed to beat them that way. But they can't come after everyone they'd like to, because there's way too many people they are apparently suspicious of. Might as well be proud and open about it and see how many of us they can get that way.


But if you have something to say that you really don't want anybody else reading, my recommendation is to do what the crooks themselves do: put it in a handwritten note and deliver it personally. :P

Tangri
6th January 2015, 07:43
There are 2 kind of BBW methods. First you are individually targeted and particularly observed for your all info( voice, data), second way is filtering, word fishing(by AI)

Avoiding first one is little hard but not impossible(time consuming but viable) if I write here they will have a fiesta.

In second way, AI is not as smart as you think, it rely on given data with mathematical logic(multiple dictionaries with character recognition, it decides which language is on use for wording Latin, Russian, Greek, Arabic, Persian, Japanese, Chinese. First it checks with dictionary , secondly checks if it is encrypted(you can self encrypt the text with different alphabet with your language or your chosen one) Then it try to determine if there is any pattern to solve encryption.(trick point is changing pattern randomly which you must be agreed it earlier with your party(also, you can inject items in food recipe or bed time stories), it(ai) can not handle such thing No Pattern No Logic)or using metaphorical conversation( AI is really stupid to understand metaphorical terms.(most time observers are in that category) If you are definitely in need of privacy you must accept to do some, time consuming work.

lucidity
6th January 2015, 07:45
my understanding is that the US Govt can crack messages sent with 1024 and 2048 bit keys.
If you're using a 4096 bit key... or larger.. you're safe....
.. that is, until the day when they invent quantum computers, then all bets are off.

be happy

lucidity :-)

Daozen
6th January 2015, 07:45
1) I'm not paranoid, but I wouldn't be surprised if the NSA are running most proxies and encrypted servers.

2) I don't like having my privacy invaded, but we have nothing to fear from them...

phillipbbg
6th January 2015, 08:07
I use Vsee as a back up to skippy as I call it because it keeps kicking me in the .....

I was quietly informed that Vsee is a platform they TPTB train with by trying to crack the system... best time so far is 50min by the US Navy boys so to my thinking its a 40 min window of anonymity but one never knows.

http://vsee.com/

The other that I know a few diplomats use for their family connections is Unseen but I have not used it as yet...
https://unseen.is/

For email alternative to gaggle or coldsnail is

Tutanota. With the free email service from Germany we are able to easily send end-to-end encrypted emails. communicate confidentially and fight against mass surveillance of the internet!

Simply sign up here:
https://app.tutanota.de/#register

PS: Tutanota encrypts all our data automatically, in addition it is open source: https://github.com/tutao/tutanota

Daozen
6th January 2015, 08:11
Unseen is developed by the Before it's News cowboys, they admit it on their site.

https://unseen.is/about.html


Unseen brings consumers and businesses very strong secure and private communications. Our skilled and experienced team have been building popular web sites and services since 1995. Before starting Unseen, we developed Before Its News, a leading source of alternative news and information. Because of this, weve had numerous people share with us their concerns about internet communications security. Weve been aware of most of the recent revelations for years.

Aragorn
6th January 2015, 08:22
I've been looking for sometime for a way for ordinary, non-geek, Web users to text chat, that was more secure than Skype or iChat or anything that the Avalon forum can provide. [...]

Just out of curiosity, Paul, what would be wrong then with the good old, tried and tested IRC protocol (http://en.wikipedia.org/wiki/Internet_Relay_Chat)?


Most IRC server software is FOSS (http://en.wikipedia.org/wiki/Free_and_open-source_software) ("Free & Open Source Software").



Many FOSS IRC clients exist and are offered freely for download. My personal favorite is KVIrc (http://en.wikipedia.org/wiki/KVIrc), which I've been using ever since the beta versions. As a former IRC network founder and NetAdmin, I've also had very good experiences with its developers.



IRC clients can use encryption, both on account of the connection itself (via SSL ("Secure Sockets Layer")) and for transmission of the message itself inside the chat windows.



IRC channels can be set up with a range of different options, some of which depend upon the IRC network's IRC daemon and services package, but most are standardized, e.g.:
- moderated channels -- one has to have at least VoiceOp status in order to be able to talk
- a limit on the number of users who can enter a channel
- limiting channel access to users with a registered nickname
- setting an optional key which must be supplied by the user before they can enter the channel
- invite-only channels



Private conversations between two individuals are possible as well...
- via normal "queries" (i.e. chat windows)
- via DCC (i.e. the IRC clients bypass the server after having used the server only for finding out the client IP addresses)
- via notices: they generally appear in the channel window, but are only seen by the sender and the receiver


There are several other advantages to IRC as well. For instance, one can easily exchange files with one another. Communication is also real-time -- it depends of course on whether that is what you want, or whether you need off-line messaging, but if the network runs a services package, then that too is possible (via MemoServ). You can keep logs, but this is done on a personal and individual basis, because a trustworthy IRC network does not intercept or log the communications in the channels -- DCC would either way render that impossible, because it completely bypasses the server. One can also set up a notify list so that you get to see when a particular user is on-line, or conversely, one can also maintain an ignore list for people one does not wish to communicate with -- it completely hides them from one's view.

The main downside of IRC is that one can get temporarily disconnected from the network, depending on what server one is logged into and how far that server is geographically located from your own residence. Netsplits do happen.

Freenode (http://en.wikipedia.org/wiki/Freenode) is one of the oldest, largest and most secure IRC networks. FLOSS developers use it all the time, and Freenode has very strong ideals on account of freedom and fairness. However, you could also always set up your own IRC network, if you so desire. I ran an IRC network together with a couple of other people for about seven years. It wasn't big and it wasn't very well known, but it worked rather well and it was fun to do -- well, not counting the DDoS attempts and flood joins by scr1pt k1dd13s, of course. Eventually it went down due to some ego issues among the team, but that's another matter.

IRC used to be very popular -- even among non-geeks -- during the 1990s and the early 2000s, but then instant messaging protocols became more popular, not in the least because every version of Microsoft Windows shipped with MSN Messenger installed by default. Nowadays, it's mostly the geeks who still use IRC, but it's still very much alive. Freenode currently has over 100'000 users on-line globally, of which 15'000 on the particular server I'm connected to right now.

A Voice from the Mountains
6th January 2015, 08:24
Speaking of using metaphors, this is what drug dealers do to avoid incriminating themselves when investigators are intercepting and reading their text messages (which of course is also done -- not just for drug dealers but for everyone possible). Something like "bag of marijuana" becomes "some potato salad." So texts or a phone call is made: "Hey man you still have any that good potato salad left that your wife made?" Sounds innocent enough, huh?

The problem with this kind of code is that both parties have to understand beforehand what it means, and obviously you can't decide on that online or you'd basically be saving the cipher for your code in another NSA database, lol. So you'd have to talk about it in person or else use metaphor to communicate about the other metaphors, which could be difficult. But once it's established, I agree that AI wouldn't be able to crack it, and neither would a human being without being in on the metaphors (as long as the context of the conversation is not so obvious as to give you away -- ie, no one smokes potato salad :P ).

Tangri
6th January 2015, 08:37
Speaking of using metaphors, this is what drug dealers do to avoid incriminating themselves when investigators are intercepting and reading their text messages (which of course is also done -- not just for drug dealers but for everyone possible). Something like "bag of marijuana" becomes "some potato salad." So texts or a phone call is made: "Hey man you still have any that good potato salad left that your wife made?" Sounds innocent enough, huh?

The problem with this kind of code is that both parties have to understand beforehand what it means, and obviously you can't decide on that online or you'd basically be saving the cipher for your code in another NSA database, lol. So you'd have to talk about it in person or else use metaphor to communicate about the other metaphors, which could be difficult. But once it's established, I agree that AI wouldn't be able to crack it, and neither would a human being without being in on the metaphors (as long as the context of the conversation is not so obvious as to give you away -- ie, no one smokes potato salad :P ).

No Pattern and no continuum is key to avoid tracking, Drug dealers are smart but not wise.;)

Snoweagle
6th January 2015, 09:49
Super thread.
However, protecting your privacy online does assume that each of us are running secure computers in the first place. Should your computer's own security be compromised without your knowing, any protection instantiated, regardless of claims, simply brings the hack with you into your own domain of secure congress with remote contacts.

I have endured hacking throughout 2014, so around October/November I installed Linux Debian Wheezy and dutifully installed the recommended updates. All the while focussing on staying safe online. Within weeks I was hacked.

All the initial attempts to hack me were failing. At Boot up my system displayed reams and reams of assembly langauge error messages, often pausing, so were readable by me and my camera, a full five minute video which I might put onto you tube. Eventually the hack succeeded, as I allowed it to, as it was important to understand the methods and tricks used against us. Finally whenever I booted and logged into the (KDE) system, I was logging into a virtual drive inside somebodiy elses root system ON MY COMPUTER.

If you use Microsoft, Apple or Linux there is every chance, virtually 100%, you have all the tools and components available on your system for a hacker to exploit.

To overcome this, I took another drive (IDE) and installed the same system, KDE, but this time I encrypted the drive with a loooong passphrase which I input manually everytime I log in. The passphrase does not exist digitally. It will have to be stolen. (Secretly hoping to be honey potted).

Furthermore, I do not do automatic updates either as this is how the tools to hack are placed on your system if not already present. Below, shown here, is a screenshot immediately after installing the encrypted drive. This list contains ALL the tools required by a third party to interrogate my computer and take control.

I draw your attention to my computers need to update all the programming libraries especially LGPL Crypto lirary - runtime library, which IT doesn't, nor do I want it installed either. Afterall, we use computers for OUR purposes not for those sat in spunky pants trying to be clever for a pay check.

I no longer do automatic updates. I do updates for the things I need and I do them manually. This was my first drive and immediately required I install eighteen updates all related to hacking. A second drive prepared in the same way a short while later, produced an update list with fifty eight updates all related to hacking my system.
It appears now that my computer is subject to "coaching" these up and coming wannabe programmers as I do not believe I am seen in any way a threat though useful as being an advocate of free thinking.

28508

The point of my story here in respect to Paul's advice to us, we cannot leave our house safely if the bandits are already here with us anyway.

My advice to you the reader, whomever you are, consider the tools you are using at home (your computer) before you venture into the darkness.

Anchor
6th January 2015, 11:44
my understanding is that the US Govt can crack messages sent with 1024 and 2048 bit keys.
If you're using a 4096 bit key... or larger.. you're safe....
.. that is, until the day when they invent quantum computers, then all bets are off.

Properly implemented security is secure against NSA and others Cryptanalysis - but this is quite hard to do by untrained/inexperienced people who don't know the basics.

Quantum computers have not yet been able to do anything much that is of use in the context of cryptography and I doubt they ever will be the magical decryption machines that people assume they will become. They might help substantially with cryptanalysis - and may be very effective against weakly implemented systems.

The NSA would like you to be scared into thinking that they have these powers. Be afraid be very afraid!

Your post about "key lengths" is an example. It is incomplete and lacks the necessary context, in this case, the ones you are quoting (and I am guessing based on the fact that these are common key lengths for key exchange) are most likely of the kind use for asymmetric algorithms used for key exchange rather than the smaller keys used for symmetric algorithms that are used once all the shared secrets are shared so data can be transmitted in secret.

By your "numbers" AES (a strong symmetric cypher in common use) with a 256 bit key is totally broken - wheras that is not true at all. It isn't broken at all - but this is with the proviso that your systems are "properly" implemented from end to end and all the parts are operated with strict disciplines.

That is where it gets tricky there is no "formula" which says use this algorithm with this key length and you are "ok", you have to know why and what to select based on the circumstances you are dealing with at the time.


-- Update --

I have not seen http://en.wikipedia.org/wiki/Off-the-Record_Messaging mentioned yet in this thread - should be here for completeness.

I read the FAQ on unseen.is, it does not mention forward secrecy and the source code is not available for review. Personally, I wont be wasting my time with it.

Aragorn
6th January 2015, 12:25
[...]
I have endured hacking throughout 2014, so around October/November I installed Linux Debian Wheezy and dutifully installed the recommended updates. All the while focussing on staying safe online. Within weeks I was hacked.[...]

Although no operating system is ever going to be 100% secure, the above seems very unlikely to me, and it is not uncommon for people new to GNU/Linux to assume that they've been hacked when something occurs that they didn't expect.

Either way, if you disallow root access over SSH, and you keep your system behind a router with network address translation, then the chances of your system being broken into are very slim. I've been exclusively using GNU/Linux for over 15 years now -- half of which time I wasn't even behind a router -- and I've never had a single one of my machines broken into. I do maintain stricter security rules than those which come applied "out of the box" at any new install of the operating system, but generally speaking, GNU/Linux is already pretty secure by default.

In addition to that, most malware is specifically targeted at Microsoft Windows -- which, I have to mention, ships from Microsoft with two deliberate backdoors already coded in: one for Microsoft itself and one for the NSA (and then I'm not even getting into the fact that Microsoft actively sells zero-day exploits to the NSA before they push out a patch to their paying customers).

We did have some of our servers broken into a few times when we were running the IRC network I spoke of higher up, but that was not a system-level break-in. They were merely compromises of our website due to a security hole in the PHP framework. The intruders had set up our website as part of a phishing operation. We took it down again as soon as we were alerted to the problem. We also did a traceback on some of the IP addresses, and it turned out that our website was being accessed via the website of a US American company, and that the perpetrators were from somewhere in Eastern Europe.

Here are some of the things I do for securing my systems:


Disallow direct root logins, whether over SSH or at the console. You do this by commenting out all entries in the file /etc/securetty and by setting "AllowRootLogin" to "no" in /etc/ssh/sshd_config. Do make sure that you've created at least one unprivileged user account which is part of the wheel group (so that you have access to /bin/su) before you disallow direct root logins.



If you are going to use /usr/bin/sudo, then set your user account up in /etc/sudoers and set up the sudo access to require the target user's password, rather than your own user account's password (as the Ubuntu and Mint distributions do).



I always install my distribution across multiple hard disk partitions, which are then mounted into the tree with specialized mount options:
- /boot (mounted read-only)
- / (i.e. the root filesystem; mounted writable during boot-up but remounted read-only afterwards)
- /usr (mounted read-only)
- /usr/local (mounted read-only)
- /opt (mounted read-only)
- /var
- /tmp (on tmpfs, which is a virtual memory-based filesystem, and I mount it with the noexec option)
- /home (mounted with the nosuid option)
- /srv



Limit the amount of services which are started at boot time to the bare essentials. By all means, do not enable anything relating to UPnP -- so no avahi-daemon, for instance.



Limit the amount of processes which run with root privileges. I myself don't even run a display manager on my machines. I start the graphical user interface manually with startx after logging into a character mode console.



Only install packages from the trusted repositories of your distribution, or compile the software from source code (if you know what you're doing). If you encounter a problem or a security leak on your system, report this with your distribution package handlers via their Bugzilla system. That way, you are not only contributing back to the community, but you are also kept in the loop via e-mail on any progress the package wranglers make at hunting down the problem and fixing it.



Don't use passwords which are easy to guess, such as "123456", "password", "letmein", or the name of your spouse, or of one of your children or your pet. Preferably, your password should be at least 7 characters long -- longer is better -- and should not be a dictionary word. Passwords with camelcase -- i.e. mixed upper- and lowercase -- and special characters will be harder to guess. There would still be a chance that a brute force attack might accidentally come up with the correct password string, but that chance is so small that it's negligible.



If you're going to allow SSH access into your machine, make sure that you're using a non-standard port on the router -- the standard port is 22, so pick something else -- and restrict the range of IP addresses that you will allow this access from. You can do this via /etc/ssh/sshd_config directly -- do read the man page first. Also make sure in that case that you run something like fail2ban or bfd ("brute force defender"). It will allow only a limited number -- commonly three -- of failed logins, with a delay between each allowed login attempt, and if after the specified number of allowed attempts the login still has not succeeded, the IP address will automatically be added to a block list in the firewalling rules.


Lastly, never forget that the weakest link in any operating system is always going to be the biological unit between the keyboard and the chair. And with that in mind, do not take the root account in vain. Only use it for system administration tasks, not for anything else. You don't need root access to do any daily work on a GNU/Linux (or other UNIX) system.

Paul
6th January 2015, 13:39
I've been looking for sometime for a way for ordinary, non-geek, Web users to text chat, that was more secure than Skype or iChat or anything that the Avalon forum can provide. [...]

Just out of curiosity, Paul, what would be wrong then with the good old, tried and tested IRC protocol (http://en.wikipedia.org/wiki/Internet_Relay_Chat)?
Yes, IRC is more feature rich, and has been in wide spread usage by many more users, in many more situations, for far longer. I've used it myself, in times past.

Sometimes I (or others) want to communicate with someone who can much more easily figure out a (really) simple browser based tool (just enter Room name, User name and Password, and start typing away in the chat box that pops up) than can work in with a downloaded program, the details, for both installing and using, of which vary between Windows, Linux, Mac, or tablet, and in any case will usually be less familiar to those whose main Internet experience is via modern web browsers.

SSL (https) encryption is rather weak - sufficient to keep out common thieves and nosey relatives, but likely easily cracked by anyone with serious compute power available. The 256 bit AES encryption used in the chatcrypt I recommended above is actually hard to crack with current technology ... very hard ... perhaps years to centuries if one has chosen a really random 30 or 40 byte password, using the world's fastest supercomputers publicly known to be running (http://en.wikipedia.org/wiki/TOP500).

The key however is, as I just mentioned, being Javascript web browser based. That substantially widens the easily accessed potential user base. That, plus stronger encryption, a simple auditable open source code base, and an architecture that is very resistant to legal or technical attacks anywhere except on the client machines of the actual participants in a particular chat, were the key features that I was looking for at present.

By "very resistant" I mean that I could physically own and control every inch of the entire web and all servers, from your Internet modem through to your colleagues Internet modem, with a multi-billion dollar budget, a large staff of engineers, and a room full of super computers, and if I couldn't catch that initial password sharing between you and your colleague, and I couldn't get a snooping program actually inside your PC or browser, or your colleague's PC or browser, or a hidden camera watching the screen of one of you, then so far as I am aware, I could not crack your communication. And if I didn't store every byte transmitted between the two of you, I could never hope to crack that communication in the future, since nothing is stored on any intermediate server longer than the few seconds needed to retransmit to the other chat room participants.

Paul
6th January 2015, 13:50
The NSA can crack anything. TOR, any kind of encryption, anything. If it's too much work to do remotely then they just go to the companies hosting the servers and threaten lawsuits if they're not allowed to install logging software directly onto the servers themselves. Trying to hide your messages really well only makes them that much more interested in reading them.
The chatcrypt only sees your encrypted data stream.

If it turned out that the Chatcrypt server -was- NSA written code, running on the NSA data center in Utah, USA (https://nsa.gov1.info/utah-data-center/), it would still be secure, to the best of my knowledge. Admittedly, verifying this would require a careful audit of the actual javascript code that your client runs, when using chatcrypt, which would take some effort.

The actual, quite small, chatcrypt server doesn't store anything longer than the few seconds it takes to retransmit to the other participants in the same chatroom, but even if it did store everything, forever, cracking 256 bit AES encrypted data is very compute intensive ... years or centuries with a sufficiently good password.

The weak spots, as usual in such systems include the humans at either end, their personal compute equipment, and the means used to exchange that initial password.

joeecho
6th January 2015, 14:01
..........But once it's established, I agree that AI wouldn't be able to crack it, and neither would a human being without being in on the metaphors (as long as the context of the conversation is not so obvious as to give you away -- ie, no one smokes potato salad :P ).

Metaphors are essentially code when you break them down to their basic elements like zeros and ones.

Btw, that potato salad sounds great! ;)

Paul
6th January 2015, 14:09
my understanding is that the US Govt can crack messages sent with 1024 and 2048 bit keys.
If you're using a 4096 bit key... or larger.. you're safe....
.. that is, until the day when they invent quantum computers, then all bets are off.
Those necessary key lengths are for asymmetric (public-private key) encryption methods.

For symmetric encryption methods, such as the AES encryption used by chatcrypt, 128 bit AES is thought to be "practically impossible" to crack using publicly known super computers, and 256 bit AES thought to be "practically impossible" for conjectured, large scale, quantum computers.

Paul
6th January 2015, 14:20
The NSA can crack anything. TOR, any kind of encryption, anything. If it's too much work to do remotely then they just go to the companies hosting the servers and threaten lawsuits if they're not allowed to install logging software directly onto the servers themselves. Trying to hide your messages really well only makes them that much more interested in reading them.
...
But if you have something to say that you really don't want anybody else reading, my recommendation is to do what the crooks themselves do: put it in a handwritten note and deliver it personally. :P
That viewpoint, though popular, is a bit defeatist in my personal view. We actually can make their snooping much more difficult, using available tools.

The NSA cannot issue the same level of personalized, multi-million dollar, efforts they might attempt to crack Vladimir Putin's or Angela Merkel's communications against -all- of us. Most attacks have to be bulk data collection of plain text or easily cracked text of data flowing through major communication networks.

So rather than throwing up our hands and making no effort to use more secure communication tools, instead we should be making their job more difficult. Even if we have nothing to hide, we raise the costs of their tracking someone who does have something to hide. Reducing the surveillance coverage and increasing the surveillance costs of the bastards in power is worth doing, in my view.

... delivering a handwritten note from Texas, where I live, to Romania, where Ilie lives ... is outside my normal operating budget.

Aragorn
6th January 2015, 16:06
... delivering a handwritten note from Texas, where I live, to Romania, where Ilie lives ... is outside my normal operating budget.

There was a time when they used pigeons for that. But okay, granted, considering the distance from Texas to Romania, it would have to be a bionic pigeon. :p

TrumanCash
6th January 2015, 18:38
If a communication requires that much secrecy/confidentiality, why not send an old-fashioned, handwritten letter with a stamp on the envelope? For extra security wrap it in aluminum foil. One can also register the letter if it's really that important.

Paul
6th January 2015, 18:45
If a communication requires that much secrecy/confidentiality, why not send an old-fashioned, handwritten letter with a stamp on the envelope? For extra security wrap it in aluminum foil. One can also register the letter if it's really that important.
That depends on the time constraints ... if one requires to engage in a back and forth discussion over the period of a day or two, involving dozens of iterations, the postal service is too slow.

A Voice from the Mountains
6th January 2015, 21:55
I get where you're coming from Paul and this makes me more interested to learn the actual encryption techniques being used.

Coincidentally, if anyone is interested, there are 100% free college and university courses online (video lectures, quizes, homework, everything) at the website coursera.org: https://www.coursera.org/

They have multiple courses on cryptography there, going on right now (even if you join late you'll have access to all the videos and other materials forever). I know they have one from Stanford University and another from the University of Maryland, College Park. I'm skeptical of anything being uncrackable, even in a relatively short period of time, for the simple fact that covert aspects of our government often have technology many years in advance of what the public does, and are pioneering the research and techniques to be able to best use this advanced technology. But nonetheless I realize this is a field that people can get PhD's in and still have to always be reading up on new developments. I'm trying to decide whether or not this for me woud be a good investment of my time. As much as I have going on already, probably not. But for any others who are, I can at least post these classes.

EYES WIDE OPEN
6th January 2015, 23:22
I've been looking for sometime for a way for ordinary, non-geek, Web users to text chat, that was more secure than Skype or iChat or anything that the Avalon forum can provide.

...

Fibre and various other Crypto wallets do this sort of thing already. http://www.fibrecoin.com/

Or darkwallet or shadowcash.

Paul
6th January 2015, 23:30
Fibre and various other Crypto wallets do this sort of thing already. http://www.fibrecoin.com/
It seems that Fibre does "this sort of thing" ... as part of a more substantial framework involving a particular form of crypto currency.

That's not the same thing :).

The ChatCrypt.com facility that I describe and link to is a simple, single purpose, in browser, secure chat facility that I would expect many Avalon users could have up and running in minutes. Just agree with those you want to chat with on a name for the "Chat Room", and on the long and random password, and everyone logs in, using that same room name and password, and away you go.

Tangri
7th January 2015, 00:50
Fibre and various other Crypto wallets do this sort of thing already. http://www.fibrecoin.com/
It seems that Fibre does "this sort of thing" ... as part of a more substantial framework involving a particular form of crypto currency.

That's not the same thing :).

The ChatCrypt.com facility that I describe and link to is a simple, single purpose, in browser, secure chat facility that I would expect many Avalon users could have up and running in minutes. Just agree with those you want to chat with on a name for the "Chat Room", and on the long and random password, and everyone logs in, using that same room name and password, and away you go.

Since 5 years ago white hat philosophers were using mail account's draft option to leave message to each other (since message is not delivered, no proof or item was provided)
3 letters group of Big Bro found out it somehow and they forced mail providers with terrorist are using this method for a "terror planning" reasoning to act to stop them using same mail account in different geographical location.(Now there is an Amber alert of their version, for that act)
It is almost impossible to send any data without seen by third parties now days since their compute devices are 20 years ahead of our currently available (in Market) tech and our base OS are monopolistic. Unless you have unknown compute device (by them)or transportation root, you are using their yard to pass or they are living in your yard.

Doesn't matter which software you are using, they can hold and handle the data. You can only make them frustrated and or their effort become expensive. (or you can try my first post, combine with your already be formed opinion.(don't make me write here:rolleyes:)

If they lost first part of your communication, it is very hard to understand the rest of it.

The Alley Cat
7th January 2015, 00:51
The NSA can crack anything. TOR, any kind of encryption, anything. If it's too much work to do remotely then they just go to the companies hosting the servers and threaten lawsuits if they're not allowed to install logging software directly onto the servers themselves. Trying to hide your messages really well only makes them that much more interested in reading them.
...
But if you have something to say that you really don't want anybody else reading, my recommendation is to do what the crooks themselves do: put it in a handwritten note and deliver it personally. :P
That viewpoint, though popular, is a bit defeatist in my personal view. We actually can make their snooping much more difficult, using available tools.

The NSA cannot issue the same level of personalized, multi-million dollar, efforts they might attempt to crack Vladimir Putin's or Angela Merkel's communications against -all- of us. Most attacks have to be bulk data collection of plain text or easily cracked text of data flowing through major communication networks.

So rather than throwing up our hands and making no effort to use more secure communication tools, instead we should be making their job more difficult. Even if we have nothing to hide, we raise the costs of their tracking someone who does have something to hide. Reducing the surveillance coverage and increasing the surveillance costs of the bastards in power is worth doing, in my view.

... delivering a handwritten note from Texas, where I live, to Romania, where Ilie lives ... is outside my normal operating budget.

This is a super thread, think I just had a big shift in my accepting defeat outlook :) also, and strangely, even though I have no real knowledge about computing data code-language or syntax, it really goes down well in me. I'm surprised to find myself exited.. thought I was more of a philosophical cat.

:)

Tangri
7th January 2015, 01:08
This is a super thread, think I just had a big shift in my accepting defeat outlook :) also, and strangely, even though I have no real knowledge about computing data code-language or syntax, it really goes down well in me. I'm surprised to find myself exited.. thought I was more of a philosophical cat.
.
:)

Philosophical cats prone to be a warrior(not as practice as a common idea) when time comes

Carmody
7th January 2015, 01:57
Speaking of using metaphors, this is what drug dealers do to avoid incriminating themselves when investigators are intercepting and reading their text messages (which of course is also done -- not just for drug dealers but for everyone possible). Something like "bag of marijuana" becomes "some potato salad." So texts or a phone call is made: "Hey man you still have any that good potato salad left that your wife made?" Sounds innocent enough, huh?

The problem with this kind of code is that both parties have to understand beforehand what it means, and obviously you can't decide on that online or you'd basically be saving the cipher for your code in another NSA database, lol. So you'd have to talk about it in person or else use metaphor to communicate about the other metaphors, which could be difficult. But once it's established, I agree that AI wouldn't be able to crack it, and neither would a human being without being in on the metaphors (as long as the context of the conversation is not so obvious as to give you away -- ie, no one smokes potato salad :P ).

Marley Records!

I knew guys that even in the early 80's had a big sticker on their phone that said:

"ASSUME THIS LINE IS TAPPED".

The Alley Cat
7th January 2015, 02:50
Philosophical cats prone to be a warrior(not as practice as a common idea) when time comes

I guess there's the fascination for problem solving or chasing the end of the tail at both sides. But it is like you say it's a programmed good agents bad agents and daft when it comes to reading anima. ?.. haha and that thought gave me peace for a mille second. I dream lucid and just remembered a dream I had about 15 years ago. I was pulled-transported to what seems to be the abode of whales on an etheric plane. I have a detail recollection of every nuance.. and presence there but not the code that they downloaded.. and as the code was entering I was aware of its significance and kept thinking I must remember it when I wake up.. and struggled to but was told it was not for me but for humanity, my memory was wiped clean of all but the code.. so I'm not sure how advanced or 'organic' a code can be-have. It has no life itself but it can carry or hold its imprint.. no? isn't all breakable into algorithms? I will think about it.. this cat is off to the basket :)

A Voice from the Mountains
7th January 2015, 03:29
What if you hand-write a code, using normal English (so it doesn't look like a code, and isn't per se), that consists of nothing but metaphorical language regarding something you know you'll want to talk about in the future. Use pretty sloppy handwriting while you're at it.

Then you take a picture of it or scan it, and send that image to the party to which you intend on having future conversations with. Send it far enough in advance and through a completely different service than your later talks, so that hopefully it will be forgotten or lost or simply not connected (whether through IP address or email address or anything, ideally) to what follows.

Then make communications later, maybe also in handwritten notes that are scanned and sent as images, in this metaphorical language that was explained some time ago through a totally digitally-unrelated channel and they'll now have to go hunt for.


Is that enough to give someone a headache?

Tangri
8th January 2015, 00:04
What if you hand-write a code, using normal English (so it doesn't look like a code, and isn't per se), that consists of nothing but metaphorical language regarding something you know you'll want to talk about in the future. Use pretty sloppy handwriting while you're at it.

Then you take a picture of it or scan it, and send that image to the party to which you intend on having future conversations with. Send it far enough in advance and through a completely different service than your later talks, so that hopefully it will be forgotten or lost or simply not connected (whether through IP address or email address or anything, ideally) to what follows.

Then make communications later, maybe also in handwritten notes that are scanned and sent as images, in this metaphorical language that was explained some time ago through a totally digitally-unrelated channel and they'll now have to go hunt for.


Is that enough to give someone a headache?

It is enough, as much as mine, to cause a headache.

You made me laugh.

It is very difficult to give an advice at public forum on how you can veil your self from public screening, even idea is funny. I only hoped on my writing ;undeserved, uninvited eyes can not not read or understand what I wrote. Of course it gives a headache to the unwanted s brain,( even to me when I read it again)

The challenges are; you have to write and make sure subject is clean to the target but not that much as clean as to everyone, like child safe bottle cap. We can only hope that uninvited ones are stupid enough to grasp the idea what we try to reveal here.(in definition of "somewhat more secure method")
Sorry Paul, for headache if we caused you.:rolleyes:

Aragorn
8th January 2015, 07:38
What if you hand-write a code, using normal English (so it doesn't look like a code, and isn't per se), that consists of nothing but metaphorical language regarding something you know you'll want to talk about in the future. Use pretty sloppy handwriting while you're at it.

Then you take a picture of it or scan it, and send that image to the party to which you intend on having future conversations with. Send it far enough in advance and through a completely different service than your later talks, so that hopefully it will be forgotten or lost or simply not connected (whether through IP address or email address or anything, ideally) to what follows.

Then make communications later, maybe also in handwritten notes that are scanned and sent as images, in this metaphorical language that was explained some time ago through a totally digitally-unrelated channel and they'll now have to go hunt for.


Is that enough to give someone a headache?

We could of course all start communicating by way of CAPTCHAs (http://en.wikipedia.org/wiki/CAPTCHA) to circumvent the heuristics algorithms used by the spook agencies. :p

Better keep a box of painkillers handy when you start with that. :p

EYES WIDE OPEN
8th January 2015, 08:39
Captchas has screwed so many times when trying to get tickets online.

Aragorn
8th January 2015, 08:51
Captchas has screwed so many times when trying to get tickets online.

I usually have to refresh the page and request a few new CAPTCHAs before I can actually read them. :p

Anchor
15th January 2015, 07:13
The Electronic Freedom Foundation recently released the "Secure Messaging Scorecard"

This is a good reference on information about different systems and their effectiveness in different contexts.

Read here:

https://www.eff.org/secure-messaging-scorecard

Please pay careful attention to the usage notes that page.

-- edit -- changed from disclaimer to usage notes --

Paul
15th January 2015, 23:24
The Electronic Freedom Foundation recently released the "Secure Messaging Scorecard"

This is a good reference on information about different systems and their effectiveness in different contexts.

Read here:

https://www.eff.org/secure-messaging-scorecard

Please pay careful attention to the disclaimer on that page.

Thanks - good stuff.

I don't however see the word "disclaimer" on that page ... I see "About", "Methodology", and "Change Log" ... perhaps you were referring to one of them?

Anchor
16th January 2015, 07:15
Paul

You are correct, it isn't really a disclaimer. I was referring to the top text box, in particular this part:


As such, the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track.

Paul
23rd January 2015, 09:11
The key remaining problem is how to share that password, without it being logged by the NSA's massive computers while it passed over the Web as plain text.
A more secure alternative now exists for sending such a password - a new email service that I describe in the thread Secure, encrypted, easy to use, free email: ProtonMail (http://projectavalon.net/forum4/showthread.php?79250-Secure-encrypted-easy-to-use-free-email-ProtonMail).