Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Protecting IM From Big Brother

Zonk posted more than 6 years ago | from the another-mark-in-my-file dept.

Security 185

holden writes "Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today's world of warrant-less wire tapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An avi of the talk is available by http as well as by bittorrent and a bunch of other formats."

Sorry! There are no comments related to the filter you selected.

Encryption (4, Insightful)

nurb432 (527695) | more than 6 years ago | (#21458267)

Its time to implement encryption of ALL traffic from ALL applications. Perhaps even IPC encryption incase you have some sort of 'tap' installed on your computer.

Sure, it eats resources, but do you want others reading your information? I dont. Not even when its "we are out of milk, please pick some up on the way home", as its NONE OF THEIR BUSINESS.

Re:Encryption (3, Informative)

rainman_bc (735332) | more than 6 years ago | (#21458319)

Check out SiMP-Lite [secway.fr]

It's a fantastic product, I just wish it was multi-platform... Really nice for Windows though...

Re:Encryption (1)

AnyoneEB (574727) | more than 6 years ago | (#21458761)

Although OTR and gaim-encryption (now pidgin-encryption) were originally for AIM (as far as I can tell), if you are using pidgin, I see no reason other than possibly some quirks in the plug-in why you could not use them on MSN or any other protocol. I think I have used pidgin-encryption on Jabber.

Re:Encryption (2, Interesting)

jmcnaught (915264) | more than 6 years ago | (#21458881)

I regularly use OTR in Pidgin with MSN and Jabber (Gmail chat) and have never had a problem. Adium X on the Mac also includes OTR support out of the box.

I try to use OTR as much as possible, all of the time. I figure if I only protect the stuff that needs to be secret, it sticks out like a sore thumb. And the more encrypted traffic on the internet in general, the harder it is for them to break it all even if they do have magic quantum computers.

Trying to get more people to use PGP/GPG with me over email for the same reasons, but it's a little harder to understand and get started so I'm not making as much progress.

Software freedom gets you software you can trust. (2, Insightful)

jbn-o (555068) | more than 6 years ago | (#21459049)

Except that it's completely untrustworthy because it's non-free software. If a major feature of the software is that you can trust it to keep your secrets or protect your privacy, you should be able to trust that it's only going to do what you want it to do. Non-free software inherently doesn't work this way, so none of it is useful for encryption. This program disallows modification, so if you discover that it doesn't do what you want you have no permission to make it do what you want. Forget about helping your community by distributing improved versions of the program: distribution is only allowed gratis and if one distributes the software they distributed to you in its original (software) packaging.

The license for the program is so over-the-top in its restriction it's laughable. It claims to prohibit talking about the software (section 3.a.iv). Users are prohibited from any translation or localization of the software as well (section 3.a.i), so if the interface isn't in your language you're out of luck.

The solution is simple: use only free software, relish your software freedom, help your community by distributing free software, and encrypt your communications to your heart's content. This way only your limitations keep you from fully understanding what your computer is doing with your data and you can draw on the talents of other trustworthy people to help you whenever you need their assistance.

Re:Software freedom gets you software you can trus (1)

Brian Gordon (987471) | more than 6 years ago | (#21459215)

From the readme [cypherpunks.ca] :

This program is free software; you can redistribute it and/or modify it under the terms of version 2 of the GNU General Public License as published by the Free Software Foundation.
??

Re:Software freedom gets you software you can trus (1, Informative)

Anonymous Coward | more than 6 years ago | (#21459499)

Read the grandparent, he was replying to the availability of another encryption package.

Re:Encryption (2, Funny)

Anonymous Coward | more than 6 years ago | (#21458323)

Honey, is that you? We are out of milk, please pick some up on the way home.

Re:Encryption (1)

Mantaar (1139339) | more than 6 years ago | (#21458387)

A woman on slashdot that addresses her husband as 'honey' and not with his screen name??

You're a faker, Mister, and not a good one!

Re:Encryption (2, Interesting)

shikadi (1100921) | more than 6 years ago | (#21458393)

It's not just about encryption, it's about privacy too. Do you want instant messaging to be used as evidence against you in the future? The reason it is called OTR is because it really is off the record. Recording of conversations is not evidence that a conversation ever occurred, since it purposely lets anyone forge messages after the conversation is over. If the person you were talking to decides to record everything you say to them, it doesn't matter, since you can easily show that what you said could have been forged. In fact, tools are created specifically for this purpose.

Re:Encryption (1)

nurb432 (527695) | more than 6 years ago | (#21458431)

Encrypting by default still doesn't prove the *log* is legit and only prevents a 3rd party from secretly watching along the way, so i don't see me encrypting everything effecting that..

And I do agree i have to trust the person at the other end not to divulge/record/forge that i need to get milk.

Re:Encryption (4, Insightful)

QuantumG (50515) | more than 6 years ago | (#21459771)

Blah, that's a load of shit. It's an academic answer to how to fix the problem of people logging your conversation with them.

When the log is presented in court the person who logged it will be asked "is this log an accurate representation of the conversation you had with the accused?" and they say "yes, it is" and the defense then has to show not that it is possible that the log was doctored but that person who has just sworn, under penalty of perjury, is lying. They typically do this by showing instances in the past where the person has submitted false evidence to a court, or they can try to show that the person has something to gain by changing the log and that they had the skills (if any special skills are required, which they wouldn't be). It would be a very tough sell and a jury is more likely to believe that the log is accurate because what kind of idiot would lie in court when the punishment is so severe.

Consider that email is so trivial to fake and yet emails are considered official correspondence in many many many court cases. It's not about the technology, it's about the people making the claims.

Re:Encryption (1)

RaceCarDriver (856347) | more than 6 years ago | (#21458883)

IANAL, but Encryption(in the USA at least) seems pretty pointless once the government/law is after you. As far as I know; if requested(with a warrant), citizens must turn over any keys or pass phrases or be held in contempt/whatever(bad)...

Re:Encryption (1)

epee1221 (873140) | more than 6 years ago | (#21459361)

The government probably has the computing resources necessary to break any encryption people are likely to use. Even so, those resources can't be allocated/used lightly, so they simply can't afford to run huge fishing expeditions. They are forced to only try to read messages they already have reason to believe contain evidence of wrongdoing. As for subpoenaing keys themselves, it's fairly common to discard keys used for communication once the communication is done.

Re:Encryption (4, Interesting)

thegrassyknowl (762218) | more than 6 years ago | (#21459777)

The beauty of OTR messaging is that it claims to guarantee perfect forward secrecy. In other words, if you lose control of your private keys no previous conversation is compromised. This is a big plus, because even if they force you to turn over the keys they can't see the previous conversations.

It works (as I understand) by using your key pair to derive and exchange public session keys. The session keys then are used to do actual encryption and are changed frequently. The private key at each end is only ever stored in RAM and is discarded when the session ends or after a timeout.

It's neat because even listening in to the whole session and obtaining the public session keys isn't enough to compromise the session. Of course, having the public keys and obtaining the master private key may go a long way to helping with a mathematical attack of the algorithm.

You are still assuming (0)

Anonymous Coward | more than 6 years ago | (#21459209)

that encryption has not been cracked. Want to really hide the data? Use steganography. Why? Encrypted streams say that you want to hide. If the algo has been cracked, then you just pin-pointed what to examine. OTH, if you expand the search space by embedding in a stream, well, then you will make it difficult to know what and where.

Re:Encryption (1)

glitch23 (557124) | more than 6 years ago | (#21459275)

Its time to implement encryption of ALL traffic from ALL applications.

If I was actually doing something questionable where I thought someone would care enough to listen to what I am doing or what I have to say then I might consider that. As it is, I don't worry about it and even if I was type where I'd worry about it on the principle of the matter, the fact is I won't ever see the person doing the sniffing (b/c I'm not doing anything wrong) so they can listen to my boring chats all they want. Just my opinion. By the way, out of curiousity, you don't think someone hearing you say "we're out of milk" is their business. You aren't the type of person to use your cell phone in public with an "outside" voice when you are inside so everyone can hear you, are you? I just want to make sure you are consistent with what is other people's business.

Re:Encryption (1)

nurb432 (527695) | more than 6 years ago | (#21459469)

Actually, I dont use a cell phone in public anyway, so that isnt an issue. ( i think public use of cell phones is rude. And i try to not be a hypocrite )

As far as sniffing, It has nothing to do with my content, i just dont feel its anyone else's business what im talking about.

Re:Encryption (1)

VGPowerlord (621254) | more than 6 years ago | (#21459315)

I can think of two reasons not to encrypt everything:
  1. Encryption adds overhead.
  2. A certain popular protocol's encrypted version [ietf.org] 's clients pop up all sorts of warnings if the server certificate is not signed by a known entity.

    Of the three most popular browsers these days, a site with a self-signed certificate shows the following:
    1. IE6 [vgmusic.com]
    2. Firefox 2 [vgmusic.com]
    3. IE7 [vgmusic.com]

    While the average person may know that this is not necessarily bad, mom and pop are probably going to avoid sites that bring up these errors, particularly if they're using IE7.

So, yes, there are reasons to not encrypt everything.

Re:Encryption (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21459769)

WHAT???? You think mom and pop know WTF those messages mean???

IE6/firefox: Everyone just click's "okay" except for nerds like us that know what it means.

IE7: Everyone clicks the "recommended" link a few times, until they figure out it doesn't let them view the website. Then they get conditioned to click the "continue to site". Note that at least this message works for a while, as long as it's not displayed a lot.

Encrypted RAM and HDD Storage (4, Interesting)

EmagGeek (574360) | more than 6 years ago | (#21458281)

You can't have perfect secrecy unless your RAM contents are also encrypted. Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case? If your RAM is unencrypted, then your IM conversation is stored in plain text SOMEWHERE, even if it is encrypted on the network stack. Of course, having encrypted RAM would be a HUMONGOUS performance hit, but it could be done. Hmmm..

Off to the patent office I go..

Re:Encrypted RAM and HDD Storage (1)

idiotwithastick (1036612) | more than 6 years ago | (#21458359)

Encrypted RAM is pointless. If you want to read it, you have to unencrypt it anyways, so the key has to be stored somewhere that can be read by the computer. If your computer is subpoenaed, you would have to provide it's contents anyways. As if you could.

Re:Encrypted RAM and HDD Storage (2, Interesting)

uofitorn (804157) | more than 6 years ago | (#21458541)

Exactly. But you can take steps to limit the lifetime of sensitive data in memory.

See Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation http://www.stanford.edu/~blp/papers/shredding.pdf [stanford.edu]

Re:Encrypted RAM and HDD Storage (1)

Cheesey (70139) | more than 6 years ago | (#21458637)

Encrypted RAM would be very secure, but it would need hardware support. The key would be stored within a CPU register, having been generated from random noise on bootup. Hitting reset/power should be all the security you need. We effectively have this now in free software with encrypted swap space, and I think the TCPA spec says that bus encryption keys need to be negotiated using public key algorithms. The curious thing is that there doesn't need to be much access time overhead, because you do all the decryption to burst transfers on the RAM side of the instruction cache.

Re:Encrypted RAM and HDD Storage (4, Insightful)

Cracked Pottery (947450) | more than 6 years ago | (#21458389)

Fine, let me get those chips out for you. Bring the back after you get the information off of them.

Re:Encrypted RAM and HDD Storage (1)

MichaelSmith (789609) | more than 6 years ago | (#21458391)

Off to the patent office I go..

Have fun proving that you had the idea before Theo [wikipedia.org] .

Re:Encrypted RAM and HDD Storage (3, Funny)

EmagGeek (574360) | more than 6 years ago | (#21458557)

Well, the idea of encrypting RAM would be obvious to the person skilled in the state of the art, and therefore on its face not patentable. However, there are invariable many novel ways to solve obvious problems that would be patentable. Whether or not I could obtain a patent on the method and apparatus would depend upon the novelty of said method and apparatus.

Re:Encrypted RAM and HDD Storage (1)

Ash-Fox (726320) | more than 6 years ago | (#21458909)

Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case?
Yes, but it didn't help them at all.

Re:Encrypted RAM and HDD Storage (1)

M. Baranczak (726671) | more than 6 years ago | (#21459791)

Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case?
No, there wasn't. That was just a really misleading Slashdot summary. Assuming we're actually talking about the same thing.

Ok (-1, Redundant)

cachimaster (127194) | more than 6 years ago | (#21458293)

d008960fa6b395dca1c8362165bb31be!

Re:Ok (2, Funny)

sethawoolley (1005201) | more than 6 years ago | (#21458545)

d41d8cd98f00b204e9800998ecf8427e

Re:Ok (1)

Ash-Fox (726320) | more than 6 years ago | (#21458887)

d008960fa6b395dca1c8362165bb31be!
Your "!" was not hashed and you should start sentences off with a big letter. In your case, a large "F".

Encryption is only part of the solution (4, Insightful)

compumike (454538) | more than 6 years ago | (#21458297)

This is a good step, and I wish that more people would use encrypted messaging systems. This includes IM, e-mail, and voice.

However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.

--
Educational microcontroller kits for the digital generation -- great gift! [nerdkits.com]

Re:Encryption is only part of the solution (1)

Z80xxc! (1111479) | more than 6 years ago | (#21458325)

Although someone could do those things, if it were something truly private, chances are the other person isn't going to want to print it out any more than you are. As for rootkits, well, then you're screwed, but if you've got a root kit, you probably have better things to worry about than someone seeing your IM.

Re:Encryption is only part of the solution (1)

Mantaar (1139339) | more than 6 years ago | (#21458437)

What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.
Easy enough:

Don't speak with noobs.

Re:Encryption is only part of the solution (1)

caluml (551744) | more than 6 years ago | (#21458443)

Jabber + PSI + SSL + GPG = Safe in transit, at least. However, there's no way you can be sure someone isn't logging everything at their end. It's the whole DRM problem, but just with messages, instead of videos/music.

Direct Mail (1)

cheapestbloghost (1190703) | more than 6 years ago | (#21458501)

Dear All,

I know all about instant messaging! Simon, my technical wizard, explained about electronic post today. Do all of you know about it too? It's really great since I can just talk to a few people at a time instead of it going to everyone who has their computer switched on. Now I can ask my sons about my grandkids every hour without it filling up the internet!

The best thing is that I have an electronic post address for Simon, so now I can write my s.o.s. messages directly to him. He said that if my computer breaks I should write to him at once to let him know.

Yours,

Mildred

This Internet 2.1 blog for user Mildred [sys-eng.co.uk] is powered by The Cheapest Blog Host On The Internet! [sys-eng.co.uk] , the revolutionary web 2.0 metalayer. Get yours now!

blog navigation [sys-eng.co.uk] | previous post [slashdot.org] | first post [slashdot.org]

a link to the next post will be in a comment to this post

Re:Encryption is only part of the solution (0)

Anonymous Coward | more than 6 years ago | (#21458719)

Off-the-Record Messaging offers deniability. Your privacy may be lost, but at least nobody (not even your conversation partner) can prove messages you sent originated from you.

Thank you, Captain Obvious (1)

Logic and Reason (952833) | more than 6 years ago | (#21459061)

However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.
Uh, no shit? Obviously you're screwed if the other party is untrustworthy, since the whole point of the communication in question is to transmit your sensitive information to that party. Keep in mind, though, that a plaintext log or printout doesn't prove you said anything; one of the neat things about OTR is that it preserves this deniability while still allowing the other party to verify during the conversation that you are who you say you are.

Re:Thank you, Captain Obvious (1)

liquidpele (663430) | more than 6 years ago | (#21459807)

That doesn't make sense. If they could prove themselves during the conversation, and your side has total control of the computer, you can preserve whatever trust was there for that moment in time. Like a recording of an actual voice conversation. Sure, a rootkit probably wouldn't get that complicated and I would never expect that with any normal person talking to other normal peole, but if you're talking to an undercover FBI agent, well maybe they would like evidence that would hold up in court.

Deniability may sound fine (1)

EdZep (114198) | more than 6 years ago | (#21458307)

But, it WILL be hacked. Then, a user's smug denial could lead to obstruction of justice charges, or some such.

Re:Deniability may sound fine (0)

Anonymous Coward | more than 6 years ago | (#21458333)

But, it WILL be hacked. Then, a user's smug denial could lead to obstruction of justice charges, or some such.

"I do not recall." If it's good enough for the administration to use and get away with, it's good enough for me.

Re:Deniability may sound fine (3, Interesting)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21458397)

"I do not recall." If it's good enough for the administration to use and get away with, it's good enough for me.

Unless you're in the administration, that will get you tossed in jail. Normal citizens require plausible deniability. For hard drive encryption, this can be accomplished by saving dummy data accessible with a second password. For IM, perhaps we need something similar. If an IM client were to give a user the option of using a dummy password which would still initiate encrypted messages, but with a warning flag to the user on the other end, we might have parity.

Encryption technologies that provide plausible deniability are possible, but I doubt they will enter widespread use (or even encryption in general) until the big players champion them. Why one of the major IM providers has not jumped on this as a differentiating feature is beyond me. I guess I see why Google would not include it in GTalk, seeing as they want to use the data to target ads (ditto yahoo and MS), but why isn't it built into ichat yet?

Re:Deniability may sound fine (1)

pigscanfly.ca (664381) | more than 6 years ago | (#21458697)

OTR actually has deniability built in to it. Once the conversation is finished it impossible to prove what the conversation text was. Its really cool. It even has a built in tool to help you forge the logs :)

Re:Deniability may sound fine (1)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21458845)

OTR actually has deniability built in to it. Once the conversation is finished it impossible to prove what the conversation text was.

Which is pretty decent. The only item lacking is if the feds demand your password so they can impersonate you talking to someone else. A nice dummy password that will allow them to do that, but presage the first message with a warning that the channel is compromised.

Re:Deniability may sound fine (1)

Logic and Reason (952833) | more than 6 years ago | (#21458937)

Unless you're in the administration, that will get you tossed in jail. Normal citizens require plausible deniability.
I don't know about where you're from, but here in the U.S. we still (for now, at least) have something called the Fifth Amendment. You just have to change your answer from "I do not recall" to "on the advice of my counsel, I respectfully decline to answer the question based on the protection afforded to me under the Fifth Amendment of the United States Constitution."

Re:Deniability may sound fine (1)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21459219)

I don't know about where you're from, but here in the U.S. we still (for now, at least) have something called the Fifth Amendment.

The 5th amendment only applies if you in particular are charged with a crime. If you are subpoenaed or being sued and the court orders you to reveal the password, you will go to jail for contempt of court if you refuse to submit it. Even when charged with a criminal offense, not being testimony as to your actions, it may well hold up in court to charge you. Finally, in many parts of the world legislation requiring this has already been passed and at least three bills in congress have specifically required this, although to my knowledge none have yet passed.

Basically, unless you have a whole buttload of money to burn and are feeling lucky and are charged with a crime, don't count on the 5th amendment.

Re:Deniability may sound fine (1)

Logic and Reason (952833) | more than 6 years ago | (#21459369)

The 5th amendment only applies if you in particular are charged with a crime. If you are subpoenaed or being sued and the court orders you to reveal the password, you will go to jail for contempt of court if you refuse to submit it.
Source? IANAL, but my understanding is that you may invoke the Fifth whenever your testimony could be used to convict you of a crime, whether the testimony in question would occur in a civil or criminal case, and whether or not you actually stand accused of a crime.

Even when charged with a criminal offense, not being testimony as to your actions, it may well hold up in court to charge you.
Insofar as the act of producing the password to an encrypted document can be used to establish the authenticity of the document, I believe it can indeed constitute self-incriminating testimony. See United States v. Hubbell [wikipedia.org] .

Re:Deniability may sound fine (1)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21459467)

Source? IANAL, but my understanding is that you may invoke the Fifth whenever your testimony could be used to convict you of a crime, whether the testimony in question would occur in a civil or criminal case, and whether or not you actually stand accused of a crime.

All the prosecutor has to do in such a case is invoke "use immunity" which says they won't use that evidence itself in a future criminal trial. Here's a discussion [findlaw.com] of the general topic. If you're not under threat of prosecution for an actual crime and they agree not to pursue such, then your testimony can be compelled.

See United States v. Hubbell.

That's pretty interesting if it is a criminal proceeding against you, it does allow you to indirectly apply the 5th amendment. Cool.

Re:Deniability may sound fine (1)

CastrTroy (595695) | more than 6 years ago | (#21459575)

Didn't that OJ Simpson cop (Mark Ferman??) plead the 5th when he was put on the stand during the OJ Simpson trial? He wasn't the one being tried, but because he knew what he said would incriminate him, he chose to take the 5th? Seems to me that if you're not required to give evidence against yourself, you could just argue that the encrypted data could hold evidence against you, and therefore, you should not be required to give them the key.

Re:Deniability may sound fine (1)

JoelKatz (46478) | more than 6 years ago | (#21459571)

So what? They'll just grant you immunity. You'll be forced to divulge the key or spend the rest of your life in jail. They won't be able to use the fact that you knew the key or what the key is against you, but they can use the documents that the key decrypts -- even against you in a criminal prosecution.

It's the same with documents. If you have documents they want, they can compel you to produce them. If you plead the fifth, they'll grant you immunity from them using the fact that you had the documents against you. They can still use the contents of the documents against you.

The fifth amendment does not protect the contents of documents in any place other than your head.

Re:Deniability may sound fine (1)

Goaway (82658) | more than 6 years ago | (#21459087)

Deniability is based on the revelation of information, not hiding. How do you hack something so that it is becomes no longer known?

OTR is classy (1)

Anonymous Coward | more than 6 years ago | (#21458311)

OTR is a really cool program, I just wished more people used it.

Re:OTR is classy (1)

pigscanfly.ca (664381) | more than 6 years ago | (#21458673)

I don't know about you, but I find a lot of people use it. That could be because I'm at the University where Professor Goldberg is from :P.
Continuing your thought however, I think OTR, and other encryption programs like it, could receive a substantial boost in usage if we could get popular distributions like Ubuntu to include and enable them by default. You and I may think about the security of our conversations, but the majority of people probably do not bother. I can't see much of a good reason to not make this the default.

Terrorist collaborator? (1)

tommyhj (944468) | more than 6 years ago | (#21458341)

How long until this guy gets the attention of the government and is brought down as a terrorist collaborator? And if people actually start using this kind of software to make private conversations, how long until the presence of it on ones HD can be used against you? Wasn't there a case where the presence of an "Eraser" program on the defendants hard drive was used against him, because then he "Must have had something to hide"?

In the meantime... (1)

ceeam (39911) | more than 6 years ago | (#21458365)

... I hate to say it, but the most practical secure kind of IM right here right now is probably Skype. Well - you read that story about German police and Skype's chat traffic (like other kinds) is carried over the same encrypted p2p transport as its voice traffic.

Re:In the meantime... (1)

Cheesey (70139) | more than 6 years ago | (#21458941)

Skype isn't very trustworthy. My favourite link about Skype security [blackhat.com] . You can't necessarily trust a closed source app with confidential information.

If you need a "ghetto" works-almost-anywhere free secure instant messenger to talk to Alice or Bob, create an account for your friend on your Linux machine and let them SSH in using PuTTY. Then use "write" to talk to each other, or if you're really fancy, use "talk". SSH is great for this because it (a) uses strong crypto, (b) lets you check for man-in-the-middle attacks with it's "host key", and (c) destroys the session keys after use. Get Alice and Bob to reboot from a Knoppix CD and you're secure against Windows spyware as well.

Re:In the meantime... (1)

CastrTroy (595695) | more than 6 years ago | (#21459597)

You could probably also boot into a VM and run Linux from within there, possibly off a LIVE CD, which would mean that you could still maintain a secure channel without having to reboot your computer. A windows virus could still spy on the VM, but if would have to be pretty advanced, and not your standard run of the mill spyware to spy on the contents of a VM.

Join the Encryps (1)

Mitchell Bogues (1058890) | more than 6 years ago | (#21458469)

It's like a Cypherpunk, but more likely to get shot (perhaps by the NSA).

AIM encryption (1)

br00tus (528477) | more than 6 years ago | (#21458509)

We use AIM for communication at my company. One problem is half the people use GAIM, the other half use Trillian, and each have separate standard encryption plug-ins which are incompatible. Of course it is free software and I could jump in and work on this but I am too busy. The main reason we had encrypted conversations was to send passwords to one another.

What's the problem? (1)

Junta (36770) | more than 6 years ago | (#21458611)

I use Gaim OTR, and my buddy used Trillian OTR (without him even realizing it incidently). There was a Gaim encryption plugin before the OTR plugin, but I don't know anyone using that anymore.

Zonealarm's IM security (1)

danwat1234 (942579) | more than 6 years ago | (#21458539)

I have the Zone-Alarm Security Suite software (software firewall, anti-virus, anti-spyware, Ad blocking, Cookie control, Identity protection), and it comes with "IM Security". It encrypts all IM conversations when both sides of the conversation have the software installed. I don't know how strong the encryption is, but it is something.. Makes me feel secure when I am talking about government conspiracies...

Re:Zonealarm's IM security (1)

the_brobdingnagian (917699) | more than 6 years ago | (#21458905)

Most crypto will sign your messages. So now the government can take your friend's computer and mathematically prove you signed the messages talking about conspiracies. OTR provides encryption and authentication without the ability to prove to anyone else what you wrote. And talking about government conspiracies: I would not trust closed source crypto if I where you.

Just days before... (1)

mattdev121 (727783) | more than 6 years ago | (#21458549)

This slashdot story, just days before a talk [uwaterloo.ca] about how the csclub servers handled slashdot the last time [slashdot.org] .

The real problem is U.S. government corruption. (5, Insightful)

Futurepower(R) (558542) | more than 6 years ago | (#21458563)

Quote: "With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important."

The real problem is U.S. government corruption. See this example from Cooperative Research, a complete 911 Timeline of 3962 events: U.S. Government corruption TimeLines [cooperativeresearch.org] .

The government should serve the people, not spy on them.

1984 (3, Funny)

dotancohen (1015143) | more than 6 years ago | (#21458585)

I find it fitting that someone named Goldberg is warning us about Big Brother.

goldberg is a kike name (0, Funny)

Anonymous Coward | more than 6 years ago | (#21458765)

what a fucking zionist jew. Don't trust it and use it. Chances are he is working under the U.S. ZIonist occupied goverment.

Re:1984 (1)

mordejai (702496) | more than 6 years ago | (#21459013)

Wouldn't it be funnier if it was someone named GoldSTEIN?

Oh, I get it, all ashkenazim are the same to you... ;-)

Re:1984 (1)

garbletext (669861) | more than 6 years ago | (#21459189)

I find it ill-fitting that someone named Ian is not teaching us about Debian.

Pfft. Don't talk to me, I log all my IM sessions (2, Interesting)

NotQuiteReal (608241) | more than 6 years ago | (#21458609)

They are sitting in plain text on my HDD.

Anyone who is IM'ing with super-secret encoding and hoping that they are safe better not be IM'ing me, or someone like me who checks the "log" button...

Sorry, sometimes I like to refer back to them, and that is the way they are kept. I am too lazy to do anything about it.

I always assume I am just part of the noise in the s/n ratio that "they" are listening to.

What's the opposite of tin-foil hat?

Re:Pfft. Don't talk to me, I log all my IM session (0)

Anonymous Coward | more than 6 years ago | (#21458661)

What's the opposite of tin foil hat?

You, bent over, assuming the position.

Re:Pfft. Don't talk to me, I log all my IM session (0)

Anonymous Coward | more than 6 years ago | (#21458771)

They are sitting in plain text on my HDD.

Anyone who is IM'ing with super-secret encoding and hoping that they are safe better not be IM'ing me, or someone like me who checks the "log" button...

Sorry, sometimes I like to refer back to them, and that is the way they are kept. I am too lazy to do anything about it.

I always assume I am just part of the noise in the s/n ratio that "they" are listening to.

What's the opposite of tin-foil hat?
An asshat by the sound of it (sorry, couldn't resist :-)

Re:Pfft. Don't talk to me, I log all my IM session (4, Informative)

the_brobdingnagian (917699) | more than 6 years ago | (#21458855)

I log all my IM messages too. But you can not prove those messages are written by some specific person. They are plaintext and everyone can edit them. The "problem" with most encryption protocols is signing. If I write a message to you and I sign it, you can prove I wrote it. OTR provides encryption and authentication that can't be used to prove to anyone else you wrote it. I suggest you watch the video for more information.

Re:Pfft. Don't talk to me, I log all my IM session (0)

Anonymous Coward | more than 6 years ago | (#21458863)

"What's the opposite of tin-foil hat?"
- paper slippers?

Re:Pfft. Don't talk to me, I log all my IM session (0)

Anonymous Coward | more than 6 years ago | (#21458967)

Soap, pillowfill and lampshades.

Re:Pfft. Don't talk to me, I log all my IM session (1)

SonicRED (15265) | more than 6 years ago | (#21459233)

What's the opposite of tin-foil hat?
Dunce cap.

Re:Pfft. Don't talk to me, I log all my IM session (1)

Jeian (409916) | more than 6 years ago | (#21459375)

What's the opposite of tin-foil hat?

Sane?

Re:Pfft. Don't talk to me, I log all my IM session (0)

Anonymous Coward | more than 6 years ago | (#21459393)

What's the opposite of tin-foil hat?

Autotrepanation.

I downloaded the ogg (1)

gQuigs (913879) | more than 6 years ago | (#21458619)

The Presentation in the video appears completely blank to me. Anybody else see this?

Re:I downloaded the ogg (0)

Anonymous Coward | more than 6 years ago | (#21459243)

For me too.

Too bad, because I am really interested.

Semi-random (webcam of the CSC office) (1)

pigscanfly.ca (664381) | more than 6 years ago | (#21458717)

The organization that is serving the talk has a <a href="http://csclub.uwaterloo.ca/office/webcam.html">wecbcam ( http://csclub.uwaterloo.ca/office/webcam.html )</a> in there office. Despite serving an avi file linked directly from the slashdot page, there doesn't seem to be fire :P

Re:Semi-random (webcam of the CSC office) (1)

metaoink (1192657) | more than 6 years ago | (#21458823)

The organization that is serving the talk has a <a href="http://csclub.uwaterloo.ca/office/webcam.html">wecbcam ( http://csclub.uwaterloo.ca/office/webcam.html [uwaterloo.ca] )</a> in there office. Despite serving an avi file linked directly from the slashdot page, there doesn't seem to be fire :P
I think you meant to say: The organization that is serving the talk has a wecbcam ( [uwaterloo.ca] http://csclub.uwaterloo.ca/office/webcam.html [uwaterloo.ca] ) in there office. Despite serving an avi file linked directly from the slashdot page, there doesn't seem to be fire :P

This is easy with jabber! (0)

Anonymous Coward | more than 6 years ago | (#21458731)

Jabber is an open-source, cross-platform and well-documented instant messaging solution.

Jabber is easy to use with strong SSL certificates.

Problem solved.

Shared Secret FTW (no more finger print checking) (1)

metaoink (1192657) | more than 6 years ago | (#21458751)

One of the really cool things I think with the new versions of OTR is the shared secret. How many people actually bothered identifying the hash fingerprints? I'd bet almost none. However, with a simple shared secret it becomes very easy to protect against man in the middle attacks.

Re:Shared Secret FTW (no more finger print checkin (0)

Anonymous Coward | more than 6 years ago | (#21458923)

While it would certainly be better if everyone verified fingerprints, there is still a benefit even if you don't -- unless the MiM attack happens in your first conversation, the fingerprint won't match the cached version when they start attacking.

Shared secrets are a bad idea anyway. If you're willing to do the work to communicate securely out-of-band with your contacts then they buy you nothing extra. In fact, they are actually somewhat harder to use because each contact pair needs a different secret (otherwise it's not a secret), whereas the fingerprint is not secret and can be published shared between contacts. Moreover, most people would be unwilling or unable to securely communicate out-of-band for the initial key exchange, and would simply disable encryption entirely, or email/IM the unencrypted key before starting their first encrypted conversation, which puts us right back in to the "secure only if the first connection is not monitored" boat, except in the shared secret case only passive monitoring is needed, rather than an active attack, to compromise any future conversations.

Zonk you suck (-1, Troll)

lennyhell (869433) | more than 6 years ago | (#21458773)

Please 2 stop chocking on donkey's dongs, ok? And fuck off my internets.

how to boil a frog (2, Insightful)

CranberryKing (776846) | more than 6 years ago | (#21458939)

Isn't EVERYONE very upset that we need these types of applications these days? Why does it seem reasonable that EVERYONE needs to hide their communications from their own governments? Shouldn't we be more upset that things have gotten so out of hand?

Re:how to boil a frog (2, Insightful)

b1scuit (795301) | more than 6 years ago | (#21459365)

Dude, move, you're blocking the TV.

HR 1955 (5, Informative)

CranberryKing (776846) | more than 6 years ago | (#21458995)

If this bill [govtrack.us] passes, you won't be able to use OTR without being carted off. Call your senator and tell them to vote NO.

Re:HR 1955 (2, Informative)

iminplaya (723125) | more than 6 years ago | (#21459263)

`The Congress finds the following: ...

The Internet has aided in facilitating violent radicalization, ideologically based violence, and the homegrown terrorism process in the United States by providing access to broad and constant streams of terrorist-related propaganda to United States citizens.


Uuuh huh.

Ian Goldberg (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21459173)

..lectures to me Tuesdays and Thursdays. I'm in his undergraduate course "Computer Security and Privacy". Cool to log on Slashdot and see your prof on the front page.

-Ryan

Or, technology for terrorists (0)

Anonymous Coward | more than 6 years ago | (#21459181)

This technology is likely to be illegal (already) in Burma, China, Cuba, Venezuela and other regimes beloved of the Left. It won't help democracy and human rights activists who say, want Chinese citizens to have a voice in their own government or Cubans who don't want hereditary rule by the Castros.

Meanwhile, it's a bonanza for terrorists who need ways to communicate in secret on how to kill thousands or millions of people. IM and PGP encrypted emails as well as Moussoia's (spelling) laptop (containing encrypted files) allowed the 9/11 plotters to communicate and carry out the murder of 3,000 people. [Moussauie's laptop was not searched by the FBI due to privacy concerns.]

Now, you might be of the opinion politically that your civil liberties absolutism is worth 3,000 lives (or more, next time) but that's not likely to be practical. Most people expect in the real world their government to do what it takes to prevent the slaughtering of masses of their fellow citizens.

The real threat is not consensual, PC-fearful, queasy-liberal Western governments eavesdropping on your comments about getting together for a beer run. It's Google or Yahoo selling out your personal data to China or other bidders, or those companies selling out Chinese/Burmese democracy activists. Meanwhile you'll see these tools used to kill people.

INEVITABLY, this encryption will be used to kill people. Lots of them. Let's not delude ourselves.

Re:Or, technology for terrorists (1)

ChameleonDave (1041178) | more than 6 years ago | (#21459871)

In amongst all your right-wing smearing and ranting, I discern one valid point: that the most repressive governments are likely to declare encryption illegal and punish all encryptors as harshly as they punish people caught openly opposing them. This would render encryption useless.

However, few governments are quite that bad. Most will punish encryptors less harshly. Furthermore, most governments (such as the Western ones that we are able to put political pressure on) can be forced not to criminalise encryption. Encryption can then help to avoid government interference in certain protests.

Note that it is these very governments that kill thousands, and more. If you are worried about the almost negligible amount of private terrorism in the West, then you ought to be trying to stop the killing that fuels it.

Testing out IM spying (1)

LilGuy (150110) | more than 6 years ago | (#21459473)

A friend of mine recently questioned whether all our IM conversations were being watched by the NSA. I said most likely it all runs through a computer of theirs at some point thanks to AT&T. He decided the best way to find out was to say everything that we could think of that might throw some red flags and see what happened.

Needless to say neither one of us vanished in the night, and neither of us received any unwanted visitors.

Re:Testing out IM spying (1)

JoelKatz (46478) | more than 6 years ago | (#21459589)

You don't know any of the keywords they would be searching for.

Re:Testing out IM spying (1)

spikedvodka (188722) | more than 6 years ago | (#21459615)

that you know of...

They might have carted him off, and be impersonating him, waiting for you to incriminate yourself :-p

Pidgin w/encryption (1)

sdhoigt (1095451) | more than 6 years ago | (#21459623)

Maybe a bit off topic (I haven't watched the lecture yet either) but anyone using Pidgin with the Pidgin-encryption plugin?

I've used it for about a half a year (via Jabber's servers), and it has been a great experience.

However, I only use it w/one of my other nerd IM contacts. There's just no way I could get everyone else to get this set-up. That's the problem.

Same goes for encrypted email. Encryption just needs to be baked in from the get go.

https://mail.google.com/mail/ (1)

sdguero (1112795) | more than 6 years ago | (#21459673)

Encrypted chat. Case closed.

Hmm (2, Interesting)

ILongForDarkness (1134931) | more than 6 years ago | (#21459813)

Nice how a Canadian researcher is looking into solutions to a mostly US problem, at least it is always US media talking about wiretaps. Perhaps if ~21% of the US budget wasn't blown on the military and God knows how much more on espionage, everyone wouldn't have to be as paranoid. My solution: if big brother gets the brillant idea to tap innocent people for no reason, big brother should invest in a gun and blow his brains out.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?