
Protecting IM From Big Brother

holden writes "Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol, recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today's world of warrantless wiretapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An AVI of the talk is available by HTTP as well as by BitTorrent and a bunch of other formats."
  • Encryption (Score:5, Insightful)

    by nurb432 ( 527695 ) on Friday November 23, 2007 @07:35PM (#21458267) Homepage Journal
    It's time to implement encryption of ALL traffic from ALL applications. Perhaps even IPC encryption in case you have some sort of 'tap' installed on your computer.

    Sure, it eats resources, but do you want others reading your information? I don't. Not even when it's "we are out of milk, please pick some up on the way home", as it's NONE OF THEIR BUSINESS.
  • by compumike ( 454538 ) on Friday November 23, 2007 @07:38PM (#21458297) Homepage
    This is a good step, and I wish that more people would use encrypted messaging systems. This includes IM, e-mail, and voice.

    However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.

  • by Cracked Pottery ( 947450 ) on Friday November 23, 2007 @07:51PM (#21458389)
    Fine, let me get those chips out for you. Bring them back after you get the information off of them.
  • by Futurepower(R) ( 558542 ) on Friday November 23, 2007 @08:10PM (#21458563) Homepage
    Quote: "With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important."

    The real problem is U.S. government corruption. See this example from Cooperative Research, a complete 911 Timeline of 3962 events: U.S. Government corruption TimeLines [cooperativeresearch.org].

    The government should serve the people, not spy on them.
  • how to boil a frog (Score:2, Insightful)

    by CranberryKing ( 776846 ) on Friday November 23, 2007 @09:03PM (#21458939)
    Isn't EVERYONE very upset that we need these types of applications these days? Why does it seem reasonable that EVERYONE needs to hide their communications from their own governments? Shouldn't we be more upset that things have gotten so out of hand?
  • Except that it's completely untrustworthy because it's non-free software. If a major feature of the software is that you can trust it to keep your secrets or protect your privacy, you should be able to trust that it's only going to do what you want it to do. Non-free software inherently doesn't work this way, so none of it is useful for encryption. This program disallows modification, so if you discover that it doesn't do what you want you have no permission to make it do what you want. Forget about helping your community by distributing improved versions of the program: distribution is only allowed gratis and if one distributes the software they distributed to you in its original (software) packaging.

    The license for the program is so over-the-top in its restriction it's laughable. It claims to prohibit talking about the software (section 3.a.iv). Users are prohibited from any translation or localization of the software as well (section 3.a.i), so if the interface isn't in your language you're out of luck.

    The solution is simple: use only free software, relish your software freedom, help your community by distributing free software, and encrypt your communications to your heart's content. This way only your limitations keep you from fully understanding what your computer is doing with your data and you can draw on the talents of other trustworthy people to help you whenever you need their assistance.
  • by b1scuit ( 795301 ) on Friday November 23, 2007 @10:13PM (#21459365)
    Dude, move, you're blocking the TV.
  • Re:Encryption (Score:1, Insightful)

    by Anonymous Coward on Friday November 23, 2007 @11:24PM (#21459769)
    WHAT???? You think mom and pop know WTF those messages mean???

    IE6/Firefox: Everyone just clicks "okay" except for nerds like us that know what it means.

    IE7: Everyone clicks the "recommended" link a few times, until they figure out it doesn't let them view the website. Then they get conditioned to click the "continue to site". Note that at least this message works for a while, as long as it's not displayed a lot.
  • Re:Encryption (Score:5, Insightful)

    by QuantumG ( 50515 ) <qg@biodome.org> on Friday November 23, 2007 @11:24PM (#21459771) Homepage Journal
    Blah, that's a load of shit. It's an academic answer to how to fix the problem of people logging your conversation with them.

    When the log is presented in court the person who logged it will be asked "is this log an accurate representation of the conversation you had with the accused?" and they say "yes, it is" and the defense then has to show not that it is possible that the log was doctored but that the person who has just sworn, under penalty of perjury, is lying. They typically do this by showing instances in the past where the person has submitted false evidence to a court, or they can try to show that the person has something to gain by changing the log and that they had the skills (if any special skills are required, which they wouldn't be). It would be a very tough sell and a jury is more likely to believe that the log is accurate because what kind of idiot would lie in court when the punishment is so severe.

    Consider that email is so trivial to fake and yet emails are considered official correspondence in many many many court cases. It's not about the technology, it's about the people making the claims.

  • by Anonymous Coward on Saturday November 24, 2007 @12:02AM (#21459977)

    INEVITABLY, this encryption will be used to kill people. Lots of them. Let's not delude ourselves.

    Toss toss. Everyone keeps bringing up that piss-ant September 11 event. 3000 people is not a lot in the grand scheme of things. How many people has the Farce on Terror killed? How many died in Vietnam or Hiroshima? How many people die of cancer or AIDS related problems each year? Let's stop and look at how many people die on the roads or from gunshot wounds (non war) annually around the world.

    Encryption can certainly be used by the bad guys, but the bad guys are used as an excuse by the government for reining in civil liberties and spying on the citizens. The book should have been called 2014 because that's about how far I see we have left at the current rate before they listen and log everything you do in your shitty little life to use against you.

    If the government (particularly the US gumbiment) were serious about saving lives wouldn't they implement stricter gun control laws? Wouldn't they spend more money on cancer and HIV research instead of blowing it all on a farce against some unknown army of people who don't actually exist? Can't they build safer roads and find ways of solving problems that don't involve invading other countries, shooting up the place and taking what they want?

    There are so many things that kill more and regularly than a couple of planes crashed into a couple of buildings. This continual using it as an excuse for all the bullshit that governments are doing is just frustrating. We all know that pollies have small cocks. When the two American penises were leveled the pollies all got together and needed to find new ways of proving the enormity of their willies. It shits me!!

    We have a very US friendly government here. It's also election day and people have the shits with all of the things our current government has done to bring us more in line with the US. There's workplace reform, terrorism legislation that really means nothing, copyright reform, free trade agreements that actually impede more on our rights and give the US whatever they wanted, etc. At least the people here haven't bought into the "we'll keep you safe" arguments that I heard from the current government during the campaign. It'll be interesting to see who actually wins the election and what the new evil overlords of the country do in their first term toward reversing some of the anti-terror rules that have come about and don't really add anything to security.

    End rant!

    Now, don't get me wrong; I don't support extremists killing innocent people for whatever reason it is they dream up. There needs to be some law allowing control and prosecution of people like that. I just don't believe that the government needs far reaching and sweeping authoritarian power to do it.

    It's enough in many places to simply say "we think you're a terrorist" and get someone. If they can't catch you in the act of planning or committing some event (with actual written plans, explosives, weapons, etc in your possession) then they shouldn't catch you.

  • by Grendel Drago ( 41496 ) on Saturday November 24, 2007 @01:46AM (#21460537) Homepage
    I have four sets of keys on my machine--keys for SSH, for PGP, for WASTE and for OTR. Why does every app using encryption insist on using its own wrappers for public keys? What's wrong with the infrastructure already present in the OpenPGP standards?
