Welcome to European Tribune. It's gone a bit quiet around here these days, but it's still going.
Display:
Sure, but rubber hose cryptanalysis, while computationally inexpensive, is difficult to perform unnoticed. And it is frowned upon in most jurisdictions.

Besides, if someone is prepared to beat you over the head to read your mail, then you probably have bigger problems than people reading your mail.

- Jake

Friends come and go. Enemies accumulate.

by JakeS (JangoSierra 'at' gmail 'dot' com) on Wed Jul 6th, 2011 at 03:30:13 PM EST
[ Parent ]
Besides, most people aren't going to find it easy to remember a 256k key, unless it's stored as a passphrase.

The UK has legislation that allows the police to jail anyone who doesn't supply keys on demand. But if you're really serious about security you can use advanced crypto to hide the fact that you have things to hide.

While the NSA might not be fooled, the local plod may well be.

by ThatBritGuy (thatbritguy (at) googlemail.com) on Wed Jul 6th, 2011 at 03:51:14 PM EST
[ Parent ]
They don't have to remember it. Just build a public key encryption scheme into the phone, and assign it (or the SIM card) a random key from the factory. It shouldn't be possible to compromise that without hardware access (and if they have hardware access then you are, as a rule, pretty much fucked anyway). The secret police will probably insist that the keys are stored so they can be made available on demand, but that should still keep most governments and the lion's share of corporations out of your phone.

- Jake

Friends come and go. Enemies accumulate.

by JakeS (JangoSierra 'at' gmail 'dot' com) on Wed Jul 6th, 2011 at 04:06:17 PM EST
[ Parent ]
their conversations could still have been over-heard if enough time, energy, and money had been thrown at the problem.
by Colman (colman at eurotrib.com) on Wed Jul 6th, 2011 at 04:06:19 PM EST
[ Parent ]
A 256k key makes getting the data expensive. If someone wants to badly enough they can get it. The attacks on the phones were on known individuals. Encryption is most useful to prevent trawling attacks - it's too expensive to decrypt all traffic or work around its encryption (you're quite sure there's no keylogger on your machine, right? right?). If your opponent is well resourced and targeting you directly, you're screwed unless you're extremely disciplined.
by Colman (colman at eurotrib.com) on Wed Jul 6th, 2011 at 04:05:41 PM EST
[ Parent ]
Yes, I'm quite sure I don't have keyloggers on my box. And we're talking about defending yourself from some script kiddie private eye, not from the KGB.

- Jake

Friends come and go. Enemies accumulate.

by JakeS (JangoSierra 'at' gmail 'dot' com) on Wed Jul 6th, 2011 at 04:09:12 PM EST
[ Parent ]
Well, my wife's ATM card was hacked a few weeks ago after she used it exactly once. In Dulles airport, unfortunately--the same place my card got hacked about a year ago. I don't know if it was somebody watching her or one of those add-on things that intercept the card reader--I wasn't there--but she is reasonable aware of her surroundings and was completely flummoxed. Moral: Never use your credit or ATM card in an airport.

I think there is a fundamental law of information physics involved in all this. If you want a paper to be secure, you put it in a "secret" folder in a locked file cabinet in a locked room in a locked building. It's a hassle to get at it, but it's pretty secure. If you want to keep your file secure, you encrypt it, you use a good key distribution system, you require complex passwords, and you force people to change their access routine regularly. It's a hassle to get at it, but it's pretty secure. Fundamentally, I propose, the difficulty of access for approved users (you) is a proxy for the fundamental security of the overall system--regardless of the access method, physical or electronic.

by asdf on Wed Jul 6th, 2011 at 06:21:01 PM EST
[ Parent ]

Display:

Occasional Series