Almost OT: Encryption now illegal?

Well, yes - certainly bribery and blackmail could count as social engineering, and there are many other social engineering tricks that could be used. ("The Art of Deception" by Kevin Mitnick is an excellent introduction to some of them.) I don't know if burglary is social engineering or not - that might depend on your definitions. And rubber hose cryptoanalysis is downright anti-social.

I have heard that "the three B's" was a term used for somewhat less than legal information gathering techniques used by intelligence services. I've no idea if it is common term or just something I heard from one place, but the phrase stuck in my memory.

The principle, however, is that when "the bad guys" (or "the good guys", depending on which side you are on) want to pry into your secrets, they will use the cheapest, fastest and most convenient method available. If you use weak encryption, decrypting your messages could be that method. If you use strong encryption that puts that out of practical possibility, they will find other methods if they really want your secrets.

I suspect folks using PEM see a bit more scrutiny of their mail than folks who don't.

Many mail systems "snoop" content -- just like your HTTP (as well as other well-known protocols) traffic is snooped by your ISP (even the smaller ISPs are starting to get in on the act).

You'd have to have an /ad hoc/ scheme for the sender/recipient to decide how to interpret any "uncategorized" (mime) attachment. And, invent some code to process it.

Encryption isn't for the uneducated; there are too many silly flaws you're likely to make in your choice of algorithm that would be exploitable.

[As is generating "random" data]

And, the wrapper is not encrypted. So, even if there is no interest (effort) to examine content, it's easy for folks to see who you are interacting with -- along with everyone else you (and they!) are interacting, how often, the size of your messages/payloads, etc.!

All of these things leak information when you look at "large numbers".

isn't that what https is for?

Hell yes you can't publish a book if it contains regulated materials. You can do math research and find the paper you submitted for publication has been declared classified material, munitions. That has happened and the courts uphold it.

Prior restraint of publication is ok to most, yet people resent not being able to gather in large numbers to prevent the spread of a deadly contagion or not being able to get a hair cut.

Your cell phone calls are also encrypted. So why would anyone need extra encryption? Because the government has access to the keys.

The people behind this company may not be convicted. But the process of fighting the government has effectively shut them down. I see the feds have usurped the web site. Weird. I just wanted to see if they actually said what the accusation claims.

"As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised."

Isn't that how guns are sold in the US?

robert

Yeah, but guns are different. We have an amendment about them. There is no amendment to the Constitution about privacy or encryption.

This is Amurica! I have freedoms and you don't.

I knew I had some references on the subject (I use encrypted tunnels between all of my IoT devices, here, so am keenly interested in how those tunnels can be compromised). Here's one:

Remember, you use encryption when you are trying to hide some aspect of your activities. It's not as trivial as your spouse checking your browser history ("Why are you visiting that HotYoungEasyDatesForBoredSpouses.com website?").

Many sites serve pages in HTTP *and* HTTPS. So, your use of an https:// URL only hides the name of the page (and its content) for *that* reference. But, if I *profile* the entire web site (logging packet sizes and traffic patterns -- using the HTTP or HTTPS protocol), I can examine the patterns of your encrypted traffic and deduce what pages you are actually visiting.

If it is an illegal activity and the site has invested in keeping its content secret, an insider (informant) can provide "legitimate" access to folks who could profile the site just as above.

Anyone observing your traffic always sees the IP address and port to which your request is directed. Granted, they can't know, for sure, if you are trying to access cathaters.com or catlovers.com -- if both are served up by the same physical server. But, one can snoop your DNS traffic to see what your resolver has requested just prior to the WWW access ("Ah! I see we have another cat hater!")

Additionally, as I said (elsewhere), once you know of an "interesting" site, you can watch for other accesses to that site (perhaps by having some packet sniffing technology in a hidden room in a communications center -- oops!). This lets you identify other people with a similar interest.

Likewise, watching for other interactions -- phone conversations, SMS, physical presence at social gatherings, etc. All increase the likelihood that these other individuals are likely to share a similar interest or commitment.

Any *one* of them screwing up is an opening to gain access to content that you may not, otherwise have.

And, of course, you can seize the asset without having to notify the folks using that asset that all of their transactions are now visible to you, despite any encryption that they are using!

Once you have a population of likely "co-conspirators", all you have to do is get one to "crack" and give you an opening to the others.

Note that simply accessing a site/page can be indicting!

We used to have photo traffic enforcement, here (until voters prohibited it). If you "ran" a red light or exceeded the speed limit, a camera would photograph front and back of your vehicle (we don't require a front license plate, here so the back photo catches the plate, the front photo catches the driver -- front windows can not be heavily tinted, by law!)

Some time later, you receive a "notification" (I hesitate to call it a ticket or citation as both of those have formal legal definitions). The notification shows thumbnails of the photos that were captured -- along with an enumeration of your (alleged) violations. You are "invited" to promptly remit some amount of money to avoid an appearance in court.

[It's typically less than $500]

As part of your pleading, you agree to waive the right to service. (!!)

[Note that it is possible that your "invitation" got lost in the mail; or, you could argue that in court and the court would have to concede that it is entirely possible -- mail gets lost every day!]

Once the time (a few weeks) expires, those who have not accepted the "invitation" to fork over their fines are formally "served" (again, no idea what the proper term for the document that is presented to you by the process server).

This costs money as a "process server" has to find you (often appearing on your doorstep at supper time or in the wee hours of the morning; he wants to make contact you on the FIRST visit as a second visit just increases his cost/effort for no additional "gain"). There is an upper limit on how long after the "violation" you remain in jeopardy; e.g., you can't be served 5 years later (the limit is actually ~90 days)!

Unless you are served, you don't have an obligation to the Courts! (this is why they want you to waive that right when you accept the "invitation"!)

So, if you manage to avoid the process server for those ~2 months (remember, he won't be dispatched until after the initial "invitation period" has expired and can't be dispatched after the 90th day), you're home free.

This isn't always easy. ANYONE who answers your door is obligated to convey the "service" to you. So, you can't just let your wife handle all visitors, etc.

Additionally, if the process server can reasonably claim that you were inside and just not willing to open the door, he can "complete the service" and just leave the paperwork outside the door. At that point, your failure to appear (in court) can result in issuance of a bench warrant for your arrest. (the traffic violation now is even more consequential)

Now, the tie in to the thread's subject:

On the "invitation", each photo is annotated with a URL where you can view a "better" copy of the photo. I'd wager most people do exactly this -- if only to see themselves in greater detail.

But, the URLs are of the form:

<salt>/photo.jpg <salt> is a pseudo-random (unpredictable) identifier in a HUGE address space. It is unlikely that you would be able to find ANY photo in that space without mechanically generating URLs. And, the photo will only be there for that

2 month window so your attempts to access it have to be "timely".

If the web server administrator can prove that "someone" accessed your particular photos, an obliging judge will likely reject your claim that you weren't notified of the violation when you eventually try to argue out of it on that technicality (e.g., "We all know how unreliable the mail system is, your Honor!). If the reward for your conviction was higher, the web admin could chase down the IP address of the client that accessed those particular pages and further prove your knowledge of the fact.

Similarly, a prosecutor can argue (to a friendly jury or Grand Jury) that your repeated access to cathaters.com in the days leading up to KittyKat's untimely demise lends FURTHER credibility to the other evidence that is being presented against you.

Or, an obliging judge can be influenced to authorize a more invasive (search/surveillance) warrant when presented with evidence that you are LIKELY engaged in an illegal activity ("The party in question visits WeRobBanks.com on a daily basis")

There's a reason the law says "beyond a reasonable doubt" or "a preponderence of the evidence"; there's no requirement for *certainty*!

If you're thinking of using encryption, ask yourself if the activity you're trying to hide is something in which you REALLY want to be engaged! Would you want your neighbors/family to know of that activity?

I'm sure that someone who knowingly sells guns to someone who intends to use then for illegal purposes will face the same consequences as anybody else, amendment or not.

Pride in the nation one happens to be born in is great for those who have no achievements of their own. Good for you!

robert

You must be a riot at parties. Are you completely unable to appreciate sarcasm? I suppose you actually think people in the US talk like that?

Don Y snipped-for-privacy@foo.invalid wrote in news:s2u205$51c$ snipped-for-privacy@dont-email.me:

There was a time when coming up with a better, more robust encryption scheme was encouraged in the open realm.

I think folks should work on the logistic particulars of how to pass a key to an intended recipient, without interception. Then, when they come up with the perfect hardware level (IC Chip, MEMS, Etc.)Random Number Generator, we can incorporate it and use networks without (as many) fears and also do personal message interactions without (as many) fears of intimate oversight.

On a sunny day (Sat, 20 Mar 2021 12:44:56 +0000 (UTC)) it happened snipped-for-privacy@decadence.org wrote in <s34qo7$f25$ snipped-for-privacy@gioia.aioe.org>:

No way, just beam it up to qo100 :-) Who listens? Who is going to bear you out?

You do not need large numbers to say "Attack on capitol at 21:00 ET" encryped with OTP both sides have,

Indeed Probably half of stuff shipped from China holds keys.... ;-) (1) Say you ordered a cheap radio... but the one YOU got has the key in FLASH and you have been told how to JTAG it.

And microchips are so small, just stick one on Biden's plane in the next country someone will clean it ..

Usenet

My text was encrypted with OTP, it says: "attack ...." When I wrote this newsreader I added the encryption feature.

Usenet is one to many

Although these days many groups seem dead.

(1) Paranoia Biden and his club recording everything somebody recently stole expensive homing pigeons here from 2 places. microchip .... GB data transfer.. easy.

3QILQ32PRdcjxzlfnq32orjfwed

Supper computahs bah

That's the appeal of public-key systems; there's no need to "hide" what you are passing.

With multiple public key repositories, you can minimize (but mot eliminate) the chance of "someone" subverting ALL of them.

Note that, for two specific parties, there is no need to rely on a public repository -- if they can agree on a where-when of public-key exchange ("I'll leave a slip of paper in a certain obscure place at a certain time...")

Again, I think the motivation for that hiding has to be considered. If you're hiding "undesirable" things, there will be an incentive for someone (gummit) to WANT to see what you are hiding.

OTOH, if you are hiding primarily to prevent interference with some banal operation, then the desire to break the encryption is lessened.

E.g., if the connection to a surveillance camera is via encrypted tunnel (to prevent the video from being corrupted or subverted), the only real motivation to break that encryption is someone who wants to interfere with YOUR video feed; the imagery being passed over the link is already known: just look in the same direction that the camera is facing and you can see (and record!) it for yourself!

Sadly, I know too many (also on this newsgroup from which I've been abstinent several years) so I can't reliably tell apart sarcasm and honest opinion any more when it comes to politics. I recently learned that there are people who seriously blame the recent Texas power poutage on the green new deal.

robert

Don Y snipped-for-privacy@foo.invalid wrote in news:s356tm$kg0$ snipped-for-privacy@dont-email.me:

Remember the drone video capture that was intercepted by unintended parties? We no longer make that 'open channel' mistake on drone comm feeds.

Robert Latest snipped-for-privacy@yahoo.com wrote in news: snipped-for-privacy@mid.individual.net:

While intelligent folks across the nation and even the entire planet know it had nothing to do with it.

Now all Texans need to do is sue the pants off the power companies trying to filch billions of dollars from them for their usage during the crisis.

Perhaps you don't understand the meaning of "public" key encryption. The message is encoded with your own private key, then with the other parties public key. Then only the other party can decrypt it with your public key and their private key. The issue is making sure the implementation is strong enough.

The talk of one time pad as being the ultimate cryptography solution is a bit bogus. The idea that it is unbreakable is based on the algorithm generating the one time pad. That still has to be done in a way that is adequately secure.

The news reports have focused on the amounts of the bills and not explained why the bills were so high. Was it a scarcity raising prices thing? That would imply bidding where excess consumers were bidding for the same electricity. (I don't mean individual consumers) Seems like once the price was high enough for every producer to be generating there should not be further increases.

I have seen peak prices on a normal summer day increase by more than 10 fold. But that doesn't last long. Again, I'm not clear why the price would go up so much. I would think it would be more like restaurant menus rather than the stock market. Each generator publishes prices they have to stick to, more like a sealed bid. When the price reaches that level you are obligated to supply electricity. Bidding like the stock market would clearly produce very erratic prices.

In many states, that seems to be how it works.

Texas is different. Its electrical-supply market has much less state regulation than is true elsewhere.

Yup.

The problem seems to have hit hardest for consumers who had signed up with an electricity vendor which contracted to provide power at "market rate" - that is, they "passed through" the going wholesale price on any given day (or hour). The vendor marketed this along the lines of "You get better prices, 95% of the time, than you would get from pre-contacted-price suppliers." When things were going well, this worked out well for this vendor's customers. The risk is that the customers don't have any guarantee of what the maximum price will be.

From what I've read, it sounds as if most electricity vendors have longer-term contracts for a lot of their power (a guaranteed amount at a guaranteed rate, but perhaps "use it or lose it"), and buy a portion of it on the day-to-day spot market depending on actual demand (the spot price may well be lower than is available from guaranteed-contract suppliers).

As I understand it, things went to hell in a handbasket during the freeze, because a lot of the supply dropped off-line (some due to loss of solar and wind, more due to gas-line freeze-up and other problems with carbon-based generators).

This left most of the vendors with a shortage in supply, at the same time that there was a surge in demand. In order to avoid blackouts, they ended up competing for the small amount of excess capacity remaining available for spot-market sale on the Texas grid, and the wholesale prices soared.

Consumers who had contracted to pay "wholesale plus a small service charge" ended up having to pay prices far higher than usual.

Reportedly, the vendor in question did try to warn its customers to switch suppliers ASAP, in advance of the freeze, but a lot of the customers weren't able to do so or didn't get the message in time.