Deep packet inspection in the USA?

Started by Cain, July 01, 2009, 11:50:30 PM


Requia ☣


Quote
ok snide cynicism aside, one concept in crypto security is that as long as everybody is writing on postcards, anyone sending a letter in an envelope will stand out of the crowd, regardless of how hard it is to open and read the envelope.

The last company I worked for encrypted literally everything meant for transmission over public infrastructure, sometimes with 3 or 4 layers of the stuff (huge pain in my ass really).  Most of the internal stuff was encrypted too.
Inflatable dolls are not recognized flotation devices.

Rumckle

Quote from: Triple Zero on July 08, 2009, 10:24:13 AM


Good points, I'd say you're right about getting people to encrypt the majority of what they do, unfortunately the public isn't educated about a) how to do it and b) why to do it, so it will probably take a while for the movement to get to the mass public, by which time technology would have changed anyway.

I actually thought stego was like random noise, but then again I don't know a whole lot about encryption.

Quote from: Triple Zero on July 08, 2009, 10:24:13 AM
they don't need to DPI communications in order to torture suspected dissidents either.

Doesn't mean they won't use it as "evidence" to justify their actions. But if more people encrypt then it wouldn't be that much of a problem.

Quote from: Triple Zero on July 08, 2009, 10:24:13 AM
it is something to be aware of, yes. but fortunately not impossible to get around.

Good to know.
It's not trolling, it's just satire.

Bebek Sincap Ratatosk

Stego is good if you have lots of stuff and the stego bit looks like an unsuspecting piece of useless stuff. So if I have some data hidden away in some jpgs on my disk, along with 1000 non-stego jpgs, it's a good way to hide stuff.... to use it as a regular communication tool though weakens the 'needle in haystack' layer of its security.

There are a couple things you can do to deal with deep packet inspection. However, which you choose depends greatly on what you're trying to protect yourself from. Let's say I live in a free country where corporations want to spy on my packets for marketing purposes. In that case, personally encrypted traffic is fine. I am stopping their ability to LOOK, but it's OBVIOUS. My ISP probably won't do much about it and will just ignore my packets.

If on the other hand I live in a country where I am not free and the government is doing DPI in order to find dissidents... encryption will make me stick out like a sore thumb. Even if everyone uses some encryption, it is trivial to statistically see who is sending way more encrypted traffic than normal. To get past this sort of snooping you need chaff. Cory Doctorow's book Little Brother hypothesizes about Paranoid Linux, which is designed specifically to create this kind of chaff. There was some movement on a real world project like that but it's currently dead on the vine :(
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson
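
Added example, not part of any post in this thread: a sketch of the statistical check described in the post above, where an observer scores each packet payload by byte entropy and flags hosts whose share of high-entropy traffic sits far above the population median. The host addresses, the 7.0 bits/byte threshold, the 0.3 margin and the sample payloads are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, about 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_share(flows, threshold=7.0):
    """Per-host fraction of payload bytes carried in high-entropy packets."""
    total, high = defaultdict(int), defaultdict(int)
    for host, payload in flows:
        total[host] += len(payload)
        if shannon_entropy(payload) > threshold:
            high[host] += len(payload)
    return {h: high[h] / total[h] for h in total if total[h]}

def outliers(shares, margin=0.3):
    """Hosts whose share exceeds the population median by more than margin."""
    median = sorted(shares.values())[len(shares) // 2]
    return sorted(h for h, s in shares.items() if s - median > margin)

# Constructed sample payloads (2048 bytes each), not captured traffic.
PLAIN = (b"Dear aunt Betty, the weather here is fine and the garden is doing well. " * 40)[:2048]
# A SHA-256 counter stream stands in for ciphertext: deterministic, statistically random.
CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

def sample_flows():
    """Four hosts send 10% high-entropy traffic, one sends 80% (constructed)."""
    flows = []
    for last_octet in range(1, 5):
        host = f"10.0.0.{last_octet}"
        flows += [(host, PLAIN)] * 9 + [(host, CIPHER)]
    flows += [("10.0.0.5", PLAIN)] * 2 + [("10.0.0.5", CIPHER)] * 8
    return flows

if __name__ == "__main__":
    shares = encrypted_share(sample_flows())
    for host, share in sorted(shares.items()):
        print(f"{host}  high-entropy share = {share:.2f}")
    print("flagged:", outliers(shares))
```

High entropy only means "looks random": compressed archives and media score the same as ciphertext, so a check like this measures volume of opaque data rather than encryption as such.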

Requia ☣

Torrents are a great way to create chaff, most torrent clients have a way to send encrypted traffic, and it's normal enough. The only real thing you'd need is a way to hide things inside something that looks like torrent info.
Inflatable dolls are not recognized flotation devices.

Bebek Sincap Ratatosk

I'm actually kinda surprised more groups aren't using Spam as a covert channel.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Triple Zero

Quote from: Ratatosk on July 09, 2009, 03:18:40 PM
Stego is good if you have lots of stuff and the stego bit looks like an unsuspecting piece of useless stuff. So if I have some data hidden away in some jpgs on my disk, along with 1000 non-stego jpgs, it's a good way to hide stuff.... to use it as a regular communication tool though weakens the 'needle in haystack' layer of its security.

unless encryption is somehow illegal, I'd opt for TrueCrypt first, stego second.

you can still stego your stuff in any layer of TrueCrypt, and on top of that, you can hide the entire TrueCrypt partition with stego, just insert a 30 meg TrueCrypt partition somewhere in the middle of an AVI file. if you do it properly (frame boundary, thing), the AVI will even still play without as much as a hiccup.

Quote
If on the other hand I live in a country where I am not free and the government is doing DPI in order to find dissidents... encryption will make me stick out like a sore thumb. Even if everyone uses some encryption, it is trivial to statistically see who is sending way more encrypted traffic than normal. To get past this sort of snooping you need chaff. Cory Doctorow's book Little Brother hypothesizes about Paranoid Linux, which is designed specifically to create this kind of chaff. There was some movement on a real world project like that but it's currently dead on the vine :(

this is why we need to get the MASSES to start using PGP as soon as possible.

let me repeat myself:

the proper way to get this right is to take a look at our postal system. the solution is already in the example I gave. most snail mail is encased in envelopes ("encrypted") and only a small part of the mail is on postcards ("plaintext"). it is regarded as "normal" to put your mail in an envelope, and not regarded as "he has something to hide".
if many more people would get into the habit of using PGP on their email, even, no especially if they have nothing to hide, it would just become the normal thing to do "yeah of course I PGP my email, who knows where the data might end up? this way only aunt Betty can open the message. that just makes sense, right"

the bolded bit should become common sense to (most) people. just like it's common sense to keep your CC info to yourself.

now, I'm gonna be honest, and tell you I have never really used PGP (or GPG) myself. I never generated a private/public key pair and am not encrypting my emails.

HOWEVER, I am going to make it a point of figuring out how to do this (I bet it's really easy). I think of myself as being pretty good in explaining computer stuff to people that normally struggle with computers (as long as I can explain my Machine Learning topics to my mum, and teach economy/business students to program Java) and then I'm gonna see how many people I can get "over" to at least install a kind of plugin that allows them to read my encrypted messages.

cause I think the time is right, and it's now or never. assume that DPI is already there, make encrypting communications be the norm instead of the exception, so that when the time comes DPI is used to weed out "dissidents", they first need to outlaw encryption, and if that's widespread enough, people might get a clue what's up and protest. ... ok it's a small chance, but enough recent events concerning privacy and freedom of information have convinced me that, it's on bitches.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

fomenter

i like what you are saying 000, i looked into it a bit and it was beyond me at the time to figure out tech talk for tech guys, but if you find a plug-in and run email encryption and can explain it i would like to learn
"So she says to me, do you wanna be a BAD boy? And I say YEAH baby YEAH! Surf's up space ponies! I'm makin' gravy... Without the lumps. HAAA-ha-ha-ha!"



Bebek Sincap Ratatosk

Quote from: Triple Zero on July 09, 2009, 06:22:45 PM
Quote from: Ratatosk on July 09, 2009, 03:18:40 PM
Stego is good if you have lots of stuff and the stego bit looks like an unsuspecting piece of useless stuff. So if I have some data hidden away in some jpgs on my disk, along with 1000 non-stego jpgs, it's a good way to hide stuff.... to use it as a regular communication tool though weakens the 'needle in haystack' layer of its security.

unless encryption is somehow illegal, I'd opt for TrueCrypt first, stego second.

you can still stego your stuff in any layer of TrueCrypt, and on top of that, you can hide the entire TrueCrypt partition with stego, just insert a 30 meg TrueCrypt partition somewhere in the middle of an AVI file. if you do it properly (frame boundary, thing), the AVI will even still play without as much as a hiccup.

Yep, I use TrueCrypt almost every day :) Though I haven't used it in combination with Stego, that's an interesting idea. The hidden encrypted disk option is nice and I use it on a thumb drive for transferring encryption keys from one environment to another.


Quote

Quote
If on the other hand I live in a country where I am not free and the government is doing DPI in order to find dissidents... encryption will make me stick out like a sore thumb. Even if everyone uses some encryption, it is trivial to statistically see who is sending way more encrypted traffic than normal. To get past this sort of snooping you need chaff. Cory Doctorow's book Little Brother hypothesizes about Paranoid Linux, which is designed specifically to create this kind of chaff. There was some movement on a real world project like that but it's currently dead on the vine :(

this is why we need to get the MASSES to start using PGP as soon as possible.

let me repeat myself:

the proper way to get this right is to take a look at our postal system. the solution is already in the example I gave. most snail mail is encased in envelopes ("encrypted") and only a small part of the mail is on postcards ("plaintext"). it is regarded as "normal" to put your mail in an envelope, and not regarded as "he has something to hide".
if many more people would get into the habit of using PGP on their email, even, no especially if they have nothing to hide, it would just become the normal thing to do "yeah of course I PGP my email, who knows where the data might end up? this way only aunt Betty can open the message. that just makes sense, right"

the bolded bit should become common sense to (most) people. just like it's common sense to keep your CC info to yourself.

now, I'm gonna be honest, and tell you I have never really used PGP (or GPG) myself. I never generated a private/public key pair and am not encrypting my emails.

HOWEVER, I am going to make it a point of figuring out how to do this (I bet it's really easy). I think of myself as being pretty good in explaining computer stuff to people that normally struggle with computers (as long as I can explain my Machine Learning topics to my mum, and teach economy/business students to program Java) and then I'm gonna see how many people I can get "over" to at least install a kind of plugin that allows them to read my encrypted messages.

cause I think the time is right, and it's now or never. assume that DPI is already there, make encrypting communications be the norm instead of the exception, so that when the time comes DPI is used to weed out "dissidents", they first need to outlaw encryption, and if that's widespread enough, people might get a clue what's up and protest. ... ok it's a small chance, but enough recent events concerning privacy and freedom of information have convinced me that, it's on bitches.

I've used PGP since 1994. I remember people then saying exactly the same thing... "We gotta get everyone to encrypt email" However, until Outlook Express and GMail do it automatically, I don't think it's gonna happen. People are just too ignorant of the security issues involved or fail to see what value they get out of the extra work. It's not like a Web of Trust is all that easy to explain to the world at large. And at the end of the day, unless we have huge signing parties on a very regular basis, among people we can trust implicitly, there are a lot of potential holes and abuses a malevolent government could implement.

The current GPG/PGP solutions are pretty good. I implemented PGP Universal here at the office and basically the users have no idea what's going on. They just know that if a message should be encrypted they put a key word in the Subject and it gets encrypted by policy.

- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Requia ☣

I use firegpg (firefox plugin), ridiculously simple, integrates flawlessly with gmail.
Inflatable dolls are not recognized flotation devices.

Bebek Sincap Ratatosk

Quote from: Requia on July 09, 2009, 07:03:10 PM
I use firegpg (firefox plugin), ridiculously simple, integrates flawlessly with gmail.

Ohh nice, haven't tried it yet. I'll have to give it a go!
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Rev. Stanley Baldwin

yea, i think i once had a problem with something they call "illegal numbers" or something.

apparently, if the US gov. cannot decrypt the cypher, then that string of numbers is illegal...

therefore, all US-available encryption protocols are breakable
(not to mention quantum computing, which I hear is doing well at solving Factors)

Not that it matters, i mean, transparency is all, still, it is an option that people
should truly believe they have?
G=T

Rev. Stanley Baldwin

PGP in the USA runs on breakable RSA...
G=T

Rev. Stanley Baldwin

the new versions are all RSA

I think you have to go down to 7.x?
G=T

Bebek Sincap Ratatosk

Rev Stan is false on every post in the last three.

1) Quantum Computing is not anywhere near factoring anything.
2) The US Government cannot decrypt a lot of stuff currently and a 'string of numbers' doesn't even make sense in the context.  :kingmeh:
3) RSA has had some issues, but none of them make cracking PGP trivial. In fact, with the corrected PKCS padding algorithm and no access to the hardware generating the key, any attack would be extremely difficult and it's likely that the attacker would revert to trying to crack the key via brute force.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Rev. Stanley Baldwin

uh, I think you implicitly agreed to all and then qualified by adding "hard to do"
G=T