In the connected age, every day it appears privacy is becoming more and more of an idealistic fantasy as opposed to a basic human right. In our latest privacy debate per [TechCrunch], apparently the FBI is taking some shots at Apple.
You may recall the unfortunate events, leading the FBI to ask Apple to unlock an iPhone belonging to a person of interest. Apple did not capitulate to the FBI’s request on the basis of their fundamental commitment to privacy. The FBI wasn’t really thrilled with Apple’s stance given the circumstances leading to the request. Nevertheless, eventually, the FBI was able to unlock the phone without Apple’s help.
You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.
Maybe we should take solace in knowing that Apple stood their ground for the sake of honoring their privacy commitment. But as we saw, it didn’t really matter in the end as the FBI was able to hire a third party to help them unlock the phones and were later able to repeat the process in-house. The article also noted that there are other private companies capable of doing exactly what the FBI did. We understand that no encryption is 100% safe. So it begs the question, “Is anything really private anymore?” Share your thoughts in the comments below.
Wrote an AES265 plugin for social media so you could encrypt your posts in images.
Was basically an alternate private layer of the Facebook.. Twitter etc.
Only the ones that have your key could read it anc the html would take the decrypted data and display them like a normal post.
Others would see just the image.
Think 4x downloaded and never seen anything like it….
So no… Nobody cares. If you do your a freak almost today’s world.
Surely asymmetric is better? PGP? Otherwise anyone could pretend to be you by abusing your AES256 key.
You’d want both… encrypt the message with AES256, then encrypt the AES256 key with an asymmetric key.
This is, in fact, how PGP works.
AES265 is just 9 bits better than AES256 then?
9 bits better might not sound like much.
But that actually means its 512 times harder to brute force.
And analytical attacks is also going to be noticeably slower.
Though, considering how AES encryption works, just throwing in another 9 bits would mean that our code would need to do a lot more work… Adding in 8 more bits is easier. Since we then don’t need to read only a portion of a byte.
But symmetric encryption does usually have the advantage that one can use any combination of 1 and 0 as the key. Unlike asymmetric encryption that needs to follow certain rules. This is why a fairly “low end” RSA encryption key is 2048 bits these days. And a “secure” one is usually at least 8192 bits or more.
Though, the real kicker with asymmetric encryption is that the attacker already has half your key and can make very reasonable assumptions about your other key and therefor minimize the scope of what to check. (they can still need to check trillions or more possibilities, but that is a drop in the bucket compared to what a 2048 bit value is able to express.)
So in short, symmetric encryption can use any random value as its key, asymmetric encryption can’t really even use a percent of all bit combinations, since most of these combinations aren’t going to follow the rules that are needed for our asymmetric encryption.
A shared symmetric key encryption is actually safer, but key exchange is then the real problem. Most key exchanges are done with RSA encryption, or elliptic curve encryption these days. (though, transporting a thumb drive in person isn’t all that hard nor suspicious. But it’s inconvenient for the vast majority of people. Though, some organizations actually does this.)
“But it’s inconvenient for the vast majority of people. Though, some organizations actually does this.)”
https://www.newscientist.com/article/2229673-china-has-developed-the-worlds-first-mobile-quantum-satellite-station/
“ the real kicker with asymmetric encryption is that the attacker already has half your key and can make very reasonable assumptions about your other key”
Er, wot?!
In the vast majority where asymmetric encryption is used, one of the keys is send over the insecure channel. Ie, anyone listening in can see that key.
And from there, we can work out what the other key is.
Now, the whole idea with asymmetric encryption is that it isn’t easy to just reverse the process used to generating the key as to get to the other one.
But if the attacker wouldn’t have any of the keys, then its suddenly a lot harder, since one doesn’t have a known point to start from.
So first off, you have to decide who are you trying to prevent from reading your data? If its FB neural net “algorithms” or the kid down the street, base64 alone would probably be enough. A regular human at fb? DES would probably suffice, even with a null key. A government hahahaha, good luck. It certainly can be done, but even governments have trouble with encryption security! Let me just say that AES256, likely in ECB mode since the op didn’t specify, reusing keys (since the op didn’t specify a key management system) is not much better than the DES with the null key. I didn’t even mention about 100 (no exaggeration) other things that could go wrong with your scheme. It turns out, encryption is actually very very very hard to get right. So many traps.
That said, the trouble with a platform like fb is that everyone has to be managing keys, using encryption/decryption systems, and be fully bought into security. Including your parents, grandparents, hippy friends who mostly hate tech (but still use fb), everyone. Anyone who decides its too much effort, will just not communicate with you. (that will be most people, as you experienced). So if fb decided to implement it, yes there could be privacy. If people like me had more time, there could be better platforms with better privacy. (Still have to monetize the platform, so your posts would at the very least, need to be scanned…and certain criminal elements would need to be reported to authorities, so it wouldn’t be 100%, but would be 10,000,000,000,000x better than fb, though fb set the bar pretty low!)
“So it begs the question, ‘Is anything really private anymore?’ ”
My thoughts. Dare anyone to read them.
Well, there’s research into brain-computer interfaces now, though it’ll probably be a while before that goes anywhere.
Hmmm this man is having thoughts he has to keep private.
Someone report him!
We better glass Silicon Valley now, because they’re gonna be coming for that next. I mean they’re already pretty good at predicting people’s thoughts and behavior. Like seriously, if we don’t stop them it’ll be happening sooner or later. I find it astounding that the world suffers that place to live.
Actually others can get the thought out of your head quite easily, just hit your head with a hammer long enough until the thoughts come out verbally or in small chunks of grey matter.
No
It’s not like there aren’t secure services and strong crypto available, it’s just that few people seem to actually care enough to use it.
Lol just don’t think too much about who funds Tor or Signal. If you’re so sure those aren’t honeypots…
I mean I know they’re open source, but there could still be obfuscated and intentional zero-days in there that they are sitting on. The CIA sold flawed encryption machines all over the world for decades to spy on the exact communications that people were trying to hide. And that was mechanical encryption! Anybody could have taken in apart and investigated it. But people didn’t really discover the flaw for a very long time. FOSS is good, but it’s not magical. Also try not to think too hard about who makes the most contributions to FOSS projects and hires the most hackers :D
tldr we’re all boned, even the ones who think they’re clever. Especially them.
Boo FUDDy defeatist.
Signal is pretty solid.
Even if you take the premise that every tool you didn’t make yourself is flawed by design using a combination of techniques can make it nearly impossible to break – assuming you are not broadcastng to everyone exactly what ordering of methods you use so those deliberate flaws can be used correctly one at a time in the proper order.
That said no amount of privacy settings can really stop folks if they are determined to spy on you in particular. Any concealing you do just means nobody is going to casually hoover up everything, and those that want to spy on you will have to work a harder. Which for 99% of users 99% of the time more than needed. And as many many people are now using VPN’s TOR etc its no longer shouting out you might be worth watching…
If you really really need security and to communicate with others stick with the good ol’ one time pad system, make sure everyone involved keeps their pads hidden, secure and self-destructing under duress etc – while bruteforcing such a cypher is possible its as close to impossible as you can get – is this an image/text/video/audio and what encoding system does it use? If that is known with enough computing time it becomes plausible somebody dedicated enough could break a OTP within a timeframe that the data stolen still has some relevance.. without that narrowing of search parameters it really isn’t going to be, though of course any scrambling can be unscrambled when it starts taking longer than a few months it starts to become unimportant.
You can’t break a OTP. It’s mathematically impossible. You can steal it, or beat the secrets out of someone, but you can’t break a OTP used properly.
Not true at all, just theoretically true – OTP’s are made and never made perfectly and its the flaws in generation that can be used to potentially crack them. You will need very very large data set to use up lots of the pad to have any hope though, and you can’t expect to get everything back out of them even once you find a flaw – periodic features, or heavy bias for example.
If for example you generated a OTP using D20’s and rolled the same 10 in the same order you would get something that seemed random – but each die will have a bias so every 10th bit you can eventually figure out is most likley to be on a particular side of the die. Which cuts down the randomness enough to then use normal cracking methods and get some degree of confidence – if you figure out the bias of the surrounding dies then you have 3 bits out of 10 you can have some confidence in. So you get a series of guess the blanks puzzles to solve, you won’t know for sure which number it really was. But if those 3 bits spell out recognisable common parts of words using some combination of the most likely result its likely to be correct.
Obviously this is difficult and using a better generated OTP, keeping your generation methods secret so any flaws will have to be found the hard way does make it very very hard to get anything out. But even perfect use of a OTP that is imperfectly generated isn’t truly unbreakable, and if you go and use the same start point on the same pad all day it suddenly becomes very much easier (though from a practical point of view even that bad practice with a halfway decent OTP is going to be very very hard to break).
If your OTP was truly perfectly generated the only way to to get data out would be highly guess based – from length and timing of transmissions etc. And you are quite correct that can’t be broken to decode the content but if its the right length and time to be the weather report you can be reasonably sure its the weather report, if its out of the usual communication pattern you can guess something is happening etc..
You could have a very random source for generating OPT. e.g. radioactive decay, white noise generator. OTP are used only once and throw away, so a very large dataset won’t help you.
The bigger problem with OPT is how to get the data stream to the receiver securely. :P
Indeed tekkieneet the hardest part with OTP is distrubuting the pads in the first place. The large data set helps – because every pad made with the same hardware and ‘random’ sources can be considered the same pad. So it doesn’t matter if they throw a pad away after use the next one contains the same flaws – as the most commonly added flaws are from the generation methods, and those endure through every pad made that way.
But to be 100% clear I am not saying even with those flaws being present its easy to crack a OTP, just that it becomes possible as soon as you fail the perfect randomness and the cracker figures out how your pads are imperfect. You are still talking an expected time to make any real progress (with OTP’s made better than my earlier dice example) high enough to be considered ‘safe’.
It is far easier of course to intercept and/or duplicate the pads – like most security systems even the ‘perfect’ ones there are human and procedural elements outside of the theoretically perfect encryptions many of which will be trivial to exploit if there is a real want to spy on you.
Complexity of use. e.g. PGP.
Given what people put on Faeces Book people realy don’t care about privacy or they really are stupendously ignorant.
Found the New address of a runaway tenant just from Photos she posted on her FB page.
Privacy and attention seeking behavior have always been opposites.
Much like a lot of security, I would say that if it’s just a matter of time and effort, until either someone breaks what ever protection you’ve put in place or all the copies of that thing have been eradicated.
If it’s digital media and in the could then it’s probably not so easy to do compared to ye’olde physical media, which takes a lot more effort to get it (a hardcopy) from yourself.
So maybe nothing was ever truly private unless you could keep your thoughts to yourself, otherwise it’s just a matter of time, visibility and effort to get it.
I am responsible for my own privacy.
If I talk to someone face to face.
If I make a phonecall.
If I send a written letter.
If I use any phone/computer/internet app.
The information is all available if someone cares enough.
I can make it harder and more expensive for the snoopers; make them need to care more to acquire my data.
But there is a time and cost associated with that.
How much do you trust your neighbour, your friend, your family, your employer, your supplier, your bank, your govenment?
How much do you care?
I am responsible for my own privacy.
Yeah that’s a nice little individualist argument that makes sense if you don’t think very hard. What happens when increasingly digitized, non-local, and opaquely surveilled communication and data use becomes massively mandatory for normal life? We can’t all be Ted Kaczynski. We can’t all live in a shed in the woods and eschew all technology, although that sure would be nice. You’re not being smart or fair by just shoving the responsibility on the end users. There has to be a coordinated movement to seize and maintain our privacy or else it will absolutely disappear and poems won’t stop that.
Yeah, thats a nice little collectivist argument if you don’t think very hard. We dont even have to ask “what happens when..” because right now collectivists have created huge power bases that regularly, and as a default, invade privacy rights whenever they deem it desirable. If they cant, then they threaten other groups with violence to give them keys so they can further destroy privacy. This happens now and your idea is that this same behemoth will protect
You from itself? That you can vote your will into existence when it defies their ability to control?
No. You can try to shame people, call them Ted Kaczynski or other names. But the only path to privacy is through individual efforts because privacy destroys collective force. That in no way means hiding in the woods. It means working with other individuals to create privacy. Cryptocurrencies. Signal. Tor. And tools that glue these together.
None of these toolS required lobbying or subsidies or tax breaks or voting to create. They were a small group privacy centric individuals who brought these to life for other people concerned about privacy.
Poems?
Anyway.
Feel someone is eavesdropping, don’t talk.
Don’t trust Facebook, don’t use it, you really don’t need to.
Don’t trust Amazon or Google, other suppliers are available.
Don’t trust your current Government, use your vote.
Use whatever mitigating method/technologies you you have the resources/inclination for.
I’m not a technophobe, far from it – would I be here If I were.
Why would anyone want to be like a domestic American terrorist? Not that I understand why you would give his name publicity in this forum or anywhere.
I use the mail to send my Mother a letter.
I use email to converse with a distant friend.
I use as secure a computing platform as I can to perform financial transactions.
I have little use for social media. If I did I am aware the price is to give up some privacies.
I don’t knowingly use location aware apps or devices unless I need to.
Talk of movements that “seize” and “maintain” feels uncomfortable to me.
Dissing poetry as a means of advocacy is uncool and shows some ignorance.
Though where you see poetry in my post eludes me.
Form a privacy movement, don’t just call for one, and good fortune to you.
Its members, though, will all be individuals who are responsible for their own privacy.
Even in the most dystopian future of surveillance states you can be responsible for your own privacy – say and do nothing carelessly in the wrong places. At least as long as direct brain interfaces remain largely fictional.
That said I do agree with you I don’t want to live in a world that goes that far, so a deliberate effort to keep it from happening, or anybody being able to get away with doing it in their corner for long is well worth it!
When you, personally, value your own privacy at zero, then at best others will equally value it as zero, and at worse something below. No one is going to value your own thoughts at a higher amount than you do.
Not only is it unreasonable to expect others to do so, but we are offended at the very notion. It is selfishness and narcissistic of the highest order to place that burden on others while unwilling to shoulder even the tiniest amount of it yourself.
You can claim it isn’t possible all day long if that really is your belief, but at the end of the day it is your actions alone that cause result. When you throw your private thoughts out into the world, the only possibility that can happen is that your private thoughts are now out in the world, known to anyone that cares to know.
https://stuartl.longlandclan.id.au/blog/wp-content/uploads/2016/07/IMG_20160722_144332_972.jpg
I really need to finish those lyrics…
Want privacy? buy offgrid land in remote area or blue water yacht any electronics newer than 90ties tech keep in faraday cage bin that is also soundproof. Et voila you have privacy now only things you share is your land taxes or yacht registration and insurance. Question is how are you going to earn money to survive? To fix things when they break – on land its easier basic good quality tools are almost indestructable but on water you do not want broken water maker, engine, sails or leaking hull.
Your land record is available too. If you ever own a car or a driver’s license, congratulations it’s in the DMV database available to every scummy corporations for $$$. Hopefully your info is out of date.
I’m not buying these stories about US authorities being unable to crack open a freakin iPhone. Would be hilarious if after all the zero-days they’ve been hoarding, all the backdoors they have been sneaking into everything for years, their spying-on-everybody-all-the-time efforts were suddenly thwarted by a shiny toy for spoilt kids.
Remember it was a “civilian” agency, FBI, so whatever the spook level can do, even if they help the civs, they can’t admit to what they can do. So plausible that FBI already knew what was on the phone from the spooks, just couldn’t admit they knew, so they needed to do a parallel construction to play act that that was the way they got the info.
They also have their own capabilities that if brought into the spotlight would be regarded as less than legal or constitutional, so they also do a lot of run around play acting to make parallel construction cases for evidence that they unearth with those.
Which stories are those? The ones I read said the feds “only” wanted Apple to push an automatic update that would allow them to brute-force the PIN without the device erasing itself. In the end they just did some deep data recovery from the silicon- without the OS’s help- which they certainly could have, and I think they should have, simply done first. ISTR someone suggested that the whole silly show was about finding out whether they could pull strings, trying to (re)define the nature of their relationship with big tech.
Yeah, the FBI’s spat with Apple was little more than a publicity stunt. If they really wanted the information on the iPhone, they could have taken it to the NSA. Of course, if they really thought the iPhone held any useful information they wouldn’t have held a press conference about leads in an ongoing investigation.
What the FBI wanted was a PR event where they could accuse Apple of ‘defending terrorists’ and get public support for a government backdoor.
They tried to spin it as a one-time thing, but unfortunately (for the FBI) police departments around the country went full Keystone Kops with announcements that they’d subpoena Apple to use that same backdoor for anything south of jaywalking. Cops pretty much bragged about their “I want an unlimited fishing license” mindset, which is a lot harder to sell than “we need powerful but carefully controlled tools to defend ourselves from terrorism”.
After a few days, even the most gullible and hysteria-prone minds — the press — started to say, “hey, maybe this isn’t such a good idea.”
Nothing was ever private. Privacy is always a contest between the resources you were willing to invest in your desire to keep information hidden and the resources somebody else is willing to invest in getting that information. At the far end of that continuum is always a guy with patience, handcuffs, a length of pipe, and no compassion.
Worth of the information, and for how long. e.g. KFC secret recipe.
I hereby dock 1 point off your hackaday card for failing to cite xkcd as appropriate…
https://xkcd.com/538/
Ouch!
You are Merciless!
Correct. But why make it easy for them? It’s citizen’s duty to resist omnipotent state. They always wanted to chain us, and we always resisted.
Privacy is hard for the individual… and the big companies don’t actually care about you (you’re just a product – 1 out of billions in the inventory) Even when you know how to use encryption, do your parents? Can they securely manage the keys? Can *YOU* securely manage the keys??? Are you sure?????? No seriously, are you sure? (Hint: If you are sure, you are most likely ignorant of the problem, since key management is an incredibly hard issue even for people with nearly infinite resources)
Oh, and if smaller tech companies would actually try to solve their own problems rather than trying to emulate google/fb/(big “tech” company) maybe we could have privacy, but the worship of these companies by software engineers across the world, and the fact that those companies have a vested interest AGAINST privacy, means no one in development is actually interested in privacy. So yes, if you’re a software engineer you’re probably part of the problem. If not, you probably hate your own profession as well.
not so much worried about the corporations as much as anyone else who gets that data. not limited to the government, other governments, other companies, extremist organizations, my enemies, the aliens behind the moon, and especially my cats.
We are no longer questioning if something is private or not. From 80’s when you could use credit card there was a hope of privacy. Now with mobile phones, internet there is no hope. And at the moment that you have Siri, Alexa, Cortana, Google and whatever other assistant on Your devices or in home there is no privacy. Period. You have willingly (or not so willingly) sold it for a glimpse of future.
Question that should be asked how interesting you are to giants. Retail giants, tech giants, government giants….
nah. that ship sailed a long time ago. unless you want to manually verify ever circuit path, every chip and every one of millions of lines of code that make it work, disassemble all closed source blobs. search the whole thing for hidden input devices like microphones and cameras. its all third party stuff and you can not trust them either. open source helps but it is by no means a guarantee that every design document and code file has been thoroughly investigated.
you would have to go to pretty extreme measures to secure a device and there is a good chance that you have gimped it to the point where all you can no longer use it for its intended purpose.
I’m personally developing a multi dimensional temporal graphics based encryption algorithm. The mission was to make it unbreakable even using quantum computing. The issue currently is that when encrypted the files increase in size a little too much with respect to the original but I’m betting people will thankfully pay a few extra kilobytes per message, to send something only the designated recipients can open. Fast – Good – Cheap : Pick any two.
The entire premise of this post is flawed. It assumes ‘privacy’ is a binary thing, and invites equally flawed arguments over the binary options.
The useful discussion starts with the premise that ‘privacy’ can mean many things, and that there are options between ‘squatting in an unknown abandoned salt mine’ and ‘Sergei Brin installing a gas spectrometer in your toilet so he can get better data for targeted advertising’.
One such option is ‘making it illegal for private companies or the government to do things that are physically and technically possible’.. pretty much the same as we do for dumping hazardous materials and beating confessions out of suspects with a rubber hose. It doesn’t change the fact that those things are possible, but creates penalties for anyone caught doing them.
Right now, there are few limits on what private companies can do with information about individuals, and few liabilities associated with collecting all they can. If there was a law saying people could demand $50k each time a private company was caught distributing information that could be traced back to the individual, companies would have to weigh their options differently than they do now.
At the governmental level, giving suspects immunity to prosecution if the government is caught holding information obtained without proper authorization — not just excluding that information from the prosecution and letting anything obtained by ‘independent methods’ stay — would turn the NSA’s archives of phone records into toxic waste dumps.
The question isn’t, “is privacy possible?” but “how much power to enforce privacy do I have, and should I have?”
If you want privacy, use snail mail. Nobody in the chain gives a rats… If you are a person of interest to law enforcement, then all bets are off anyway.
The issue is you can’t escape this privacy creep, unless you become a recluse. This data collection is being baked into literally everything, which makes it yet more difficult for your average person who minds to avoid it. What benefit does all this data collection have for the user? I haven’t experienced any benefit personally, the opposite really. The world existed before the big data acquisition, did well enough, if the internet imploded tomorrow, the world would trudge on somehow. This is about big buisness making big money selling personal information based off lawyer speak terms and services most people don’t understand, that also happens to be pages and pages long, often with multiple links, where opting out where you can, which isn’t too many places, will conveniently make whatever software not work properly. Want to buy that same software outright? Guess what, still collects data, if you can even buy it outright. There is no denying this data collection is wrong, if there were choices, meaning you had to ‘click’ to allow data harvesting, instead of jumping to hoops of fire to opt out of whatever you can, I would say collect away if I allow it. Again, being baked I to everything, which whittles down choice.