It’s (crypto)party time!

With our advanced free democracies resembling George Orwell’s “1984″ more and more (your TV is spying on you, NSA global mass-surveillance, pre-crime repression of free speech  etc), there surely couldn’t be a better time to throw a CryptoParty!

Where?

New Academic Building
Goldsmiths, University of London
New Cross
London SE14 6NW
(OpenStreetMap)

When?

Saturday 30th November, 11am onwards

Cost/audience

The event is free & open to the public. Anyone who worries about the privacy and ultimately freedom of expression of their loved ones should attend.

Great lineup of speakers/presenters – check out the event schedule!

I will be doing a few workshops on mobile device privacy, encrypted Internet phone calls and using a computer without leaving any traces behind.

If you’re around on the 30th, join us for a day of practical tinkering with privacy tools!

…and here are the slide decks of the workshops I ran:

Qubes OS – a secure operating system: https://apapadop.files.wordpress.com/2013/12/qubes1.pdf

TAILS – This session never happened: https://apapadop.files.wordpress.com/2013/12/tails1.pdf

VoIP- Private voice calls: https://apapadop.files.wordpress.com/2013/12/voip1.pdf

Mobile privacy – how to keep your smartphone communications private: https://apapadop.files.wordpress.com/2013/12/mobile5.pdf

OTR – a gentle introduction to chatting Off The Record: https://apapadop.files.wordpress.com/2013/12/otr1.pdf

NSA whistleblower Thomas Drake: “US using the Stasi playbook”

NSA whistleblower Thomas Drake testifying before the European Parliament Committee on Civil Liberties, Justice and Home Affairs on September 30, 2013. The Committee has called an inquiry into NSA Mass Surveillance of EU Citizens.

Hat tip to Government Accountability Project

Thank you to the European Parliament and the Civil Liberties, Justice and Home Affairs Committee for inviting me to speak before your critically important public hearings – and the challenge you collectively face regarding the National Security Agency’s surveillance programs and their impact on your respective member countries as well as the privacy of citizens in my country and yours.
The fundamental issue before your Committee is a foreign government (often in league with the intelligence apparatus of other countries as well as cooperating internet, phone and data service providers), spying on you under the guise of protecting its own interests in the name of national security – a convenient constraint of monitoring and control especially when conducted in secret – outside the purview of law and public debate – while subverting your sovereignty.

I used to fly as a crypto-linguist on RC-135 reconnaissance aircraft in the greater European theater during the latter years of the Cold War. My primary target of interest was East Germany. The Stasi became monstrously efficient using surveillance to enable their pathological need ‘to know everything’ – their very operating motto. However, I never imagined that the US would use the Stasi playbook as the template for its own state sponsored surveillance regime and turning not only its own citizens into virtual persons of interest, but also millions of citizens in the rest of the world. Do we really want to become subject to and subjects of a secret surveillance state?

In a surveillance state everybody is suspicious and laws protecting privacy and citizen sovereignty are regarded as inconvenient truths bypassed in the name of keeping the rest of us safe and secure as justification for the wanton and surreptitious bulk copy collection and unbridled access to vast amounts of data about our lives. Unfortunately, this surveillance regime has now grown into a globe girdling system that has gone far beyond prosecuting terrorism and other international crimes and wrongdoing.
Your Committee faces the challenge of dealing with a secret hidden shadow surveillance state dissolving the very heart of freedom and liberty and our respective citizen rights and using this power to expand sovereign-free zones – even when it undermines the very fabric of society, breaks trust between nations and endangers the very mechanisms we use for commerce and trade.
This exceptionalism gives rise to an ends justifying the means mentality in violating the sovereignty of other nations and citizens far beyond the real threats we do face from those who would cause us real harm, but often exaggerating those very threats in public for access to all of our data behind the scenes.

When national security services are more than willing to deliberately compromise the very information technology services and protocols that so many citizens as well as commercial and private enterprises rely upon and enjoy for legitimate confidentiality, data protection, and security in order to conduct their day to day business, it becomes very difficult to maintain trust in those systems.

Nothing less than the very sovereignty of our citizens and states are at stake in the face of an unfettered surveillance state apparatus.
From the recent disclosures of Edward Snowden, the US government has routinely violated on a vast industrial scale the Constitutional protections afforded its own citizens, while also disregarding the internal integrity of other states and the fundamental rights of non-US citizens.

I know. Because I was eyewitness to the very foundations of a persistent surveillance state expanded in the deepest of secrecy right after 9/11. I was there at the beginning.
While a senior official at the National Security Agency, I found out about the use of a top secret domestic electronic eavesdropping program that collected and accessed vast amounts of digital data (including phone numbers, e-mail addresses, financial transactions and more), turning the US into the equivalent of a foreign nation for the purposes of blanket dragnet surveillance and data mining – blatantly abandoning and unchaining itself from the Constitution and a 23 year legal regime enacted due to earlier violations of citizen rights by US government’s use and abuse of national instruments of power against Americans in the 60s and 70s.
These secret surveillance programs were born during the first few critical weeks and months following 9/11, as the result of willful decisions made by the highest levels of the US government. Such shortcuts and end-runs were not necessary, as lawful alternatives existed that would have vastly improved US intelligence capability with the best of American ingenuity and innovation, while fundamentally protecting the privacy of citizens at the same time.
I raised the gravest of concerns through internal channels, spoke directly with the NSA Office of the General Counsel, and then became a material witness and whistleblower for two 9/11 congressional investigations in 2002, and then exposing massive fraud, waste, abuse and mismanagement at NSA during a multi-year Department of Defense Office of Inspector General audit from 2003-2005 regarding a multi-billion dollar NSA flagship intelligence collection program under development that was far more costly and far less effective in supporting critical intelligence requirements than a readily available and privacy protecting alternative.
I followed all the rules as a whistleblower until it fundamentally conflicted with my oath to uphold and defend the Constitution, and made a fateful choice in 2006 to exercise my First Amendment rights and went to the press with critical information about which the public had a right to know regarding the fraud, waste and abuse as well as the secret and unconstitutional surveillance programs.
However, rather than address the illegality and wrongdoing, the government made me a target of a huge federal criminal “leak investigation” into the exposure of the secret surveillance programs and subjected me to severe retaliation, reprisal and retribution that started with forcing me out from my job as a career public servant. I was subsequently blacklisted, no longer had a stream of income, while simultaneously incurring substantial attorney fees and other huge costs, necessitating a second mortgage on my house, emptying of my bank accounts, including retirement and savings. And that was just the beginning.
What I experienced as a whistleblower sends the most chilling of messages about what the government can and will do when one speaks truth to and of power—a direct form of political repression and censorship.
And yet once exposed, these unconstitutional detours were (and still are) predictably justified by often vague and undefined claims of national security, while aided and abetted by shameless fear mongering on the part of the government.

And yet we are now in an era where sharing issues of significant concern in the public interest, which do not in any way compromise national security, are often now considered criminal acts of espionage aided and abetted by reporters and the press – yet anathema to a free, open and democratic society.
I did everything I could to defend the inalienable rights of all U.S. citizens and the sovereignty of the individual which were so egregiously violated and abused by my own government—when there was no reason to do so at all, except as an excuse to go to the proverbial ‘dark side’ by exercising unaccountable, irresponsible and “off the books” unilateral executive power in secret.
I blew the whistle because I saw grave injustice, illegality and wrongdoing occurring within the National Security Agency. I was subsequently placed under intense physical and electronic surveillance, raided by the FBI in 2007 and two and half years later under the Obama Administration criminally charged under a 10 felony count indictment including five under the Espionage Act, facing 35 years in prison. The extraordinary charges that were leveled against me by the US Department of Justice are symptomatic of the rising power of the national security state since 9/11 and a direct assault on freedom of speech, thought, innovation, and privacy.
The government found out everything they could about me and turned me into an Enemy of the State. I became the first whistleblower prosecuted in the decades since Daniel Ellsberg, under the draconian World War I-era Espionage Act, a law meant to go after spies, not whistleblowers.
Having the secret ability to collect and analyze data with few if any substantial constraints – especially on people, is seductively powerful – and when done without the person’s permission and in secret against their will – is the ultimate form of control over others.

When government surveillance of this magnitude hides behind the veil of secrecy, when it professes openness and transparency while practicing opaqueness and deceit, that’s when citizens need to become very aware and wary of what the future might hold – when their very liberties are eroded and even taken away in the name of national security — without their consent.
The fear engendered through the invocation of threats (real and imagined), creates a climate where rights are ignored as the unifying cause for obsessing over national security and the use of fear by the government to control the public and private agenda.
My criminal case is direct evidence of an out of control and ‘off the books’ government that is increasingly alien to the Constitution and democracy at home and abroad. The rise in this form of a contrary alien form of government assuming the shape of a national security state under surveillance evidences the all too distinct and historically familiar characteristics of an alarming ‘soft tyranny’ and is an anathema to all forms of democracy.
As Montesquieu wrote, “No tyranny is more cruel than that which is practiced in the shadow of the law and with the trappings of justice: that is, one would drown the unfortunate by the very plank by which he would hope to be saved.”
One could make the case that the government chose to make me (and others) targets as part of a much broader campaign against whistleblowers in order to send the strongest possible message about what the government can and will do to suppress dissent and speech it doesn’t like.
And yet the United States’ brutal and unrelenting crackdown on whistleblowers is outdone by the magnitude of what it is now trying to hide or continue as a result of the Snowden disclosures. NSA is not just eavesdropping on all Americans and building the architecture for a police state in the US, it has created the largest set of mass surveillance programs in the history of the world, while covertly weakening Internet security and privacy for everyone on the planet. Without privacy and robust data protections under the law, no real individual citizen sovereignty within a state and society is possible.

NSA is doing this deliberately, systematically, and in secret. Even if we take NSA at its word—its intention to only target persons suspected of terrorism as it relates to foreign intelligence— they’re clearly now collecting and storing as much of our communications as possible.
NSA has inverted and perverted the heart of the democratic paradigm in which the government acts in public and our personal lives are private. Now everyone’s personal and private lives and associated transaction and data history becomes the equivalent of secret government property, held for years as pre-crime data just in case it is needed in the future – secret dossiers of the State – while attempts to expose the government are met with the heavy hand of criminal prosecution.

The words of US Senator Frank Church during the hearings he conducted on the abuses of national security power in the 1970s are worthy of reminding us what can happen when a state sponsored surveillance regime is used as the excuse to keep us safe at the expense of liberty and freedom.
“If a dictator ever took charge in this country, the technological capacity that the intelligence community has given the government could enable it to impose total tyranny, and there would be no way to fight back because the most careful effort to combine together in resistance to the government, no matter how privately it was done, is within the reach of government to know. Such is the capacity of technology.”

People in America and around the world should not have to worry about protecting themselves from an unhinged United States government, unchained from its own Constitution, but worry they must. And the government should not, under the guise of protecting its own citizenry, conduct mass dragnet surveillance in secret, let alone the rest of the entire world while publicly crushing anyone who tries to expose it.
I respectfully suggest that your Committee duly examine the critical need for transparency and legal accountability to enforce fundamental and vitally precious citizen rights to speech and association while protecting those who expose government malfeasance and wrongdoing as well as providing for robust protections against unwarranted “search and seizure” by any foreign power, state surveillance agency or corporate entity.
I hope that your Committee will consider a European Union-wide law that all EU-to EU Internet links and nodes must be encrypted, with open source encryption technology made available for the widest possible use wherever practical, while also audited by the EU.

What we see now revealed on a global scale creates the power of mass- surveillance and eludes effective control by current data and privacy protection regulations.
How do your member states protect themselves from the predations of the surveillance regime?

There is a distinct need for policies that prohibit third party countries and commercial concerns from accessing and compromising personal data, while also covering vendors and suppliers of IT systems and products.
There is also the need to put in place the power to prosecute and hold accountable those transnational companies and entities from secretly compromising the very infrastructure that society depends on for business and trade – even considering the need for a comprehensive data protection treaty between member states and the US.
‘Prism-proofing’ your member state Internet hosting and service providers is now critical given how data is not so much broken into as it is taken and renditioned by the surveillance state.
It is the constant possibility of the unequal gaze and reality of surveillance and observation (real or imagined) that stultifies society, renders creativity mute, and erodes our freedom with the acid served up by the potent brew of secrecy and surveillance for the sake of security while forsaking our liberties as the price we must pay. I fundamentally reject this dystopian premise given what happened to me.

In conclusion, I was fortunate that I did not end up in an actual prison for coming out of the system and speaking truth to and of power – a dangerous act of civil disobedience and individuality for sure in these times.

The last thing a free and open society needs is a digital fence around us – with the barbed wire of surveillance not only keeping track of our comings and goings, yet now increasingly wanting to know what we think and feel – the very essence of who we are and share as human beings.

The Battle for Your Digital Soul

apapadop:

Silent Circle’s CEO takes a rather optimist view on the state of the cryptowars. If only we could reasonably assume that the all-star team of technologists he mentions are incorruptible by the full weight of the nexus of global government/corporate complex, we should see the sunny side of things too.
Yes, learning at least part of the truth due to Snowden is a reason to celebrate – we now know what is done in our name. But what we have learned is so sobering and matches our most dystopian projections so well, at the same time generating so little outrage around the world, that I still cannot be optimistic about a better future.

Originally posted on Silent Circle Blog:

There have been so many disclosures, revelations and speculations since Snowden fled and the media trickled out one tantalizing slide after the next- that it’s hard not to get overwhelmed. It’s hard not to get angry.

Now that the sheer scope and massive worldwide surveillance of the NSA has come to light over the last few months, it seems as if a veritable cloud of “Privacy Depression” has set in lately among citizens and the technology community at large. Adding to that hot mess is the willing complicity of the tech giants, backbone providers and hardware manufactures. Fuel to the fire.

Yes, there are some feigning outrage, some with true concern, and others calling for heads-on-a-platter while western intelligence agencies and big technology firms hunker down and hope it all goes away. It won’t. It’s only going to get worse for them and the government.

Through the great work of…

View original 1,022 more words

How to kill meaningful social change

Ok, so, say you’re a person the US government doesn’t like very much. Say you’re charismatic, and give great speeches, and you have ideas they don’t care for. I dunno, maybe that we shouldn’t be killing people without a trial. You know, one of those weird liberal ideas, that extrajudicial executions are bad. And you’ve got some real political momentum, to the point that you might actually cause dicomfort to the military-industrial complex.

 

So, in years prior, they’d have been kind of hampered in their ability to fight you. No more. Now, they can know every friend you have, and possibly every friend you’ve had since 2001. All your lovers, all your enemies, your social groups, your online groups, and so on.

 

If you’re male, did you ever stick your dick in crazy? Well, guess what, she’s now on CNN, talking about you. Did you ever get into an intemperate argument? Suddenly, that’s national news. If you haven’t been absolutely perfect in all respects, everyone is going to know all about it.

 

But, let’s say you have been perfect. That doesn’t matter. Somewhere in your friends network, and you will have a very large friends network if you have real political influence, there will be people that have been imperfect, maybe very badly imperfect.

 

Everyone that you’ve ever known that has, up until now, gotten away with stuff, is going to suddenly get a visit from the FBI, and they’re going to use their false-recording tactic, where the second agent writes that they said things they never said. Suddenly, they’re in deep shit. And the FBI has them by the balls. They can either go to jail, or they can say really horrible, awful things about you. Like you raped them, maybe. Rape is a really good one.

 

In a world with ubiquitous government surveillance, there cannot be meaningful social change, because the conservatives in the government will use their unlimited power to stifle and suppress all dissent. Leaders will not be able to develop, because they will be discredited as soon as they start to form. And major social change without central leadership is very rare.

 

If the US had had these powers in the 1960s, the Civil Rights movement would not have been successful, and everyone important in Martin Luther King’s terrorist network would be in prison, or perhaps in unmarked graves.

Shamelessly copied from malor’s comment on What the NSA can do with “big data”.

Using GnuPG with QubesOS

So Alice and Bob want to exchange private emails and files.

They realise that secure endpoint operating systems are an absolute requirement for any real privacy. What’s the point of protecting data in transit with PGP, when the spooks can remotely take over your machine and grab your stuff from the source? So they’ve taken the time to learn how to use Qubes OS – a security-by-separation operating system based on Xen and Fedora GNU/Linux.

Alice and Bob will use the non-networked “vault” AppVM to create and store their master cryptographic keys. They will then create a “daily use” keypair which will be available to their “personal” AppVM to send emails to each other.

Note: OpenPGP key management is complicated. To protect you from mistakes, this tutorial sets the expiry date of keys to one week after their creation. Once you are comfortable with this process you can always extend the life of your keys.

Create a new keypair

[user@vault ~]$ gpg --gen-key
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/alice/.gnupg' created
gpg: new configuration file `/home/alice/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/alice/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/alice/.gnupg/secring.gpg' created
gpg: keyring `/home/alice/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1w
Key expires at Thu Aug 22 18:38:49 2013 BST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Alice
Email address: alice@domain.com
Comment:
You selected this USER-ID:
"Alice <alice@domain.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: <Alice's long passphrase>
Repeat passphrase: <Alice's long passphrase>
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 246 more bytes)
..............+++++
gpg: /home/alice/.gnupg/trustdb.gpg: trustdb created
gpg: key 32D49659 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-08-22
pub   4096R/32D49659 2013-08-15 [expires: 2013-08-22]
Key fingerprint = 0346 5C7A 6412 A70B ED13  0196 9652 5380 32D4 9659
uid                  Alice <alice@domain.com>
sub   4096R/E19F81C0 2013-08-15 [expires: 2013-08-22]

[user@vault ~]$

Set strong cipher preferences

[user@vault ~]$ gpg --edit-key alice
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC
trust: ultimate      validity: ultimate
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E
[ultimate] (1). Alice <alice@domain.com>

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
Set preference list to:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15

Enter passphrase: <Alice's long passphrase>
pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC
trust: ultimate      validity: ultimate
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E
[ultimate] (1). Alice <alice@domain.com>

gpg> save
[user@vault ~]$

Add a signing subkey

[user@vault ~]$ gpg --edit-key alice
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC
trust: ultimate      validity: ultimate
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E
[ultimate] (1). Alice <alice@domain.com>

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15

Enter passphrase: <Alice's long passphrase>
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1w
Key expires at Thu Aug 22 18:53:32 2013 BST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 269 more bytes)
.+++++
...........................+++++

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC
trust: ultimate      validity: ultimate
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E
sub  4096R/29E78F35  created: 2013-08-15  expires: 2013-08-22  usage: S
[ultimate] (1). Alice <alice@domain.com>

gpg> save
[user@vault ~]$

Generate a revocation certificate

A general-purpose revocation certificate that specifies no reason why you are revoking your keys:

[user@vault ~]$ gpg --output revocation.cert --gen-revoke alice

sec  4096R/32D49659 2013-08-15 Alice <alice@domain.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15

Enter passphrase: <Alice's long passphrase>
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
[user@vault ~]$

Backup your precious master keys and revocation certificate

Create a backup of Alice’s private key:

[user@vault ~]$ gpg --export-secret-keys --armor alice > alice_gpg_private.key

Create a backup of Alice’s public key:

[user@vault ~]$ gpg --export --armor alice > alice_gpg_public.key

Keep these files safe!

[user@vault ~]$ tar -cf gpg_master_keys.tar alice_gpg*.key revocation.cert

The file gpg_master_keys.tar contains everything one needs to fully impersonate Alice or invalidate her keys, except for her passphrase.

Shred the files we backed up – now everything is in the tar file:

[user@vault ~]$ shred -u alice_gpg*.key revocation.cert

Create a daily-use keyring

This keyring will *not* include your master signing key. It will be a restricted, lesser keyring, which you can expose to untrusted environments (like your smartphone, or your networked AppVMs).

Export all subkeys to a temporary file:

[user@vault ~]$ gpg --export-secret-subkeys alice@domain.com > subkeys

Delete your master signing key from your keyring:

[user@vault ~]$ gpg --delete-secret-key alice@domain.com
 gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
sec 4096R/32D49659 2013-08-15 Alice <alice@domain.com>
Delete this key from the keyring? (y/N) y
 This is a secret key! - really delete? (y/N) y
 [user@vault ~]$

Re-import the subkeys we exported earlier.

[user@vault ~]$ gpg --import subkeys
 gpg: key 32D49659: secret key imported
 gpg: key 32D49659: "Alice <alice@domain.com>" 1 new signature
 gpg: Total number processed: 1
 gpg: new signatures: 1
 gpg: secret keys read: 1
 gpg: secret keys imported: 1
 [user@vault ~]$

Get rid of the temporary file:

[user@vault ~]$ shred -u subkeys

Verify that the master signing key is missing:

[user@vault ~]$ gpg -K
 /home/alice/.gnupg/secring.gpg
 -----------------------------
 sec# 4096R/32D49659 2013-08-15 [expires: 2013-08-22]
 uid Alice <alice@domain.com>
 ssb 4096R/E19F81C0 2013-08-15
 ssb 4096R/29E78F35 2013-08-15
[user@vault ~]$

See that “#”? That means that the master signing key is not there. Congratulations – this is your daily-use, lower-risk keyring! It only contains Alice’s encryption and signing subkeys, but no master (certification) signing key.

Move the daily-use keyring to Alice’s “personal” AppVM

Alice runs her email client and exchanges email with Bob using her “personal” AppVM. She therefore needs to have her daily-use keyring there.

Export Alice’s “lesser” private key:

[user@vault ~]$ gpg --export-secret-keys --armor alice > alice_gpg_private_lesser.key

Export Alice’s “lesser” public key:

[user@vault ~]$ gpg --export --armor alice > alice_gpg_public_lesser.key

Copy these out of the vault and into Alice’s networked “personal” AppVM:

[user@vault ~]$ qvm-copy-to-vm personal alice_gpg_p*_lesser.key
sent 14/15 KB
[user@vault ~]$

You will be prompted by Qubes if you want to allow this transfer. Click “Yes” to allow your “vault” AppVM to write to your “personal” AppVM.

Install Alice’s daily-use keyring in the “personal” AppVM

First, Alice needs to import the keys into her keyring:

[user@personal ~]$ cd QubesIncoming/vault/
[user@personal vault]$ gpg --import alice_gpg_p*_lesser.key
gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
gpg: key 46205B22: secret key imported
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 46205B22: public key "Alice <alice@domain.com>" imported
gpg: key 46205B22: "Alice <alice@domain.com>" 1 new signature
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
[user@personal vault]$

Verify that the keys are there, but not the master certification key:

[user@personal vault]$ gpg -K
/home/user/.gnupg/secring.gpg
-----------------------------
sec#  4096R/46205B22 2013-10-04 [expires: 2013-10-11]
uid                  Alice <alice@domain.com>
ssb   4096R/DB739DBC 2013-10-04
ssb   4096R/E58DA355 2013-10-04
[user@personal vault]$

Good. That “#” means the certification key is not there.

Alice can now get rid of the exported key files:

[user@personal vault]$ shred -u alice_gpg_p*_lesser.key

At this point, Alice’s setup is done.

Here is what Alice has achieved:

  1. Alice has generated new OpenPGP keys in a secure environment (the vault)
  2. Alice created a “lesser” version of her keyring that excludes the all-important certification key. This “lesser” version will be used for daily use to communicate with Bob and anyone else using OpenPGP. If this “lesser” version of her keys is stolen (e.g. because the attacker compromises Alice’s “personal” AppVM), the attacker will not be able to create more keys in Alice’s name, or assign Alice’s trust to other keys. Alice only has to revoke her key and the attacker is left with nothing.
  3. Alice created a backup of her full certification keyring in a secure environment, the vault.

Publishing your public key on a keyserver for others to find

She should publish her key on the keyservers so that her friend Bob can easily find it: (note that the key to be sent must be selected with its key ID:

[user@personal ~]$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
-----------------------------
pub   4096R/32D49659 2013-08-15 [expires: 2013-08-22]
uid                  Alice <alice@domain.com>
sub   4096R/E19F81C0 2013-08-15 [expires: 2013-08-22]
sub   4096R/29E78F35 2013-08-15 [expires: 2013-08-22]

[user@personal ~]$

So, let’s send key ID 32D49659 to the keyservers:

[user@personal ~]$ gpg --keyserver sks.keyservers.net --send-keys 32D49659
 gpg: sending key 32D49659 to hkp server sks.keyservers.net
 [user@personal ~]$

By knowing her public key’s fingerprint…

[user@personal ~]$ gpg --fingerprint alice@domain.com
 pub 4096R/32D49659 2013-08-15 [expires: 2013-08-22]
 Key fingerprint = 0346 5C7A 6412 A70B ED13 0196 9652 5380 32D4 9659
 uid Alice <alice@domain.com>
 sub 4096R/E19F81C0 2013-08-15 [expires: 2013-08-22]
 sub 4096R/29E78F35 2013-08-15 [expires: 2013-08-22]
[user@personal ~]$

…Alice can verify her key has been successfully published. All she needs to do is visit http://sks.keyservers.net/ and search for her email or name, then verify that the fingerprint shown matches the one of her local key.

In the meantime, Bob has been busy doing these exact same steps on his computer, for his name and email address. His key, tied to his email address bob@domain.com has also been published to the keyservers. He has also taken a proactive security precaution and only exposed a “lesser” version of his keyring to his networked AppVMs, with his certification key safely stored in the vault.

Communicating

Alice and Bob want to send private emails to each others. Emails about apple pie and silly gossip and deep meaningful conversations. It doesn’t matter. They just want to keep their conversations private. If they’ve both followed the steps above, this is what they need to do to email each other in private.

Importing Bob’s key

Alice needs to import Bob’s (public) key from the keyservers. She asks the keyserver to find Bob’s key:

[user@personal ~]$ gpg --keyserver sks.keyservers.net --search-keys bob@domain.com
gpg: searching for "bob@domain.com" from hkp server sks.keyservers.net
(1)	Robert <bob@domain.com>
	  4096 bit RSA key F19F159D, created: 2013-08-15, expires: 2013-08-22
(2)	Waldemar Retzlaff (Schlüssel zur domain.) <bob@eu-wedding.com>
	  1024 bit DSA key 96268EF6, created: 2003-12-16
Keys 1-2 of 2 for "bob@domain.com".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key F19F159D from hkp server sks.keyservers.net
gpg: key F19F159D: public key "Robert <bob@domain.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[user@personal ~]$

Whoops – found multiple keys – but once she selected Bob’s key, it was automatically imported into Alice’s keyring.

Verifying Bob’s key

Alice can already use this key to send Bob private email messages or files, but she wants to be really really certain that is Bob’s key, and not some impostor’s! Alice either meets or calls Bob on the phone and asks him to read out to her his key’s fingerprint. She verifies it matches the fingerprint of the key she imported from the keyservers:

[user@personal ~]$ gpg --fingerprint bob@domain.com
pub   4096R/F19F159D 2013-08-15 [expires: 2013-08-22]
      Key fingerprint = FF24 73AF 8658 5280 85A4  C2BD 4440 516C F19F 159D
uid                  Robert <bob@domain.com>
sub   4096R/E12896F5 2013-08-15 [expires: 2013-08-22]
sub   4096R/734A2C3B 2013-08-15 [expires: 2013-08-22]

[user@personal ~]$

While they’re on the phone, Bob quickly imports Alice’s key from the keyserver and asks her to confirm her key’s fingerprint as well. Alice reads out her key’s fingerprint:

[user@personal ~]$ gpg --fingerprint alice@domain.com
pub   4096R/32D49659 2013-08-15 [expires: 2013-08-22]
      Key fingerprint = 0346 5C7A 6412 A70B ED13  0196 9652 5380 32D4 9659
uid                  Alice <alice@domain.com>
sub   4096R/E19F81C0 2013-08-15 [expires: 2013-08-22]
sub   4096R/29E78F35 2013-08-15 [expires: 2013-08-22]

[user@personal ~]$

Fingerprints of public keys are public information. So Alice and Bob don’t need to worry about other people listening in. Their fingerprints are not secret.

Great! So far Alice and Bob have generated and successfully exchanged keys. Now all they need to do is use an application like Thunderbird with the Enigmail plugin (on Windows/Mac/Linux) or K9 with the APG app (on Android) to exchange encrypted and signed emails and files, being pretty certain that nobody can read or alter the contents of their messages.

When disaster strikes

Oh no! Alice’s smartphone has been stolen! Or one of her AppVMs might have opened an infected PDF, or ran some suspicious Java applet that might have installed a trojan on her personal AppVM. Nothing in that AppVM can be trusted any longer. This includes the GnuPG keys she was using on a daily basis.

Luckily Alice is prepared.

Revoking compromised keys

Alice needs to use her safe environment (the vault) to revoke the compromised subkeys (she only exposed subkeys to her networked AppVMs and devices, remember?) and optionally issue new ones.

The beauty of this is that she does not have to throw away the whole key. Alice can carry on using the same master key, which may, over the years, have accumulated a lot of trust from other Web Of Trust members. She just needs to revoke the compromised subkeys and issue new ones.

Working with our master key

Alice fires up her vault and imports the master keyring she had backed up when she created her keys:

[user@vault ~]$ tar xvf gpg_master_keys.tar
alice_gpg_private.key
alice_gpg_public.key
revocation.cert
[user@vault ~]$ 

Here are the files Alice backed up. Let’s import them to start using them – but first temporarily move .gnupg out of the way to ensure we’re not upsetting any preexisting configuration in the vault:

[user@vault ~]$ mv .gnupg .gnupg-ORIG
[user@vault ~]$ gpg --import alice_gpg_p*.key
gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
gpg: key 32D49659: secret key imported
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 32D49659: public key "Alice <alice@domain.com>" imported
gpg: key 32D49659: "Alice <alice@domain.com>" 1 new signature
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
[user@vault ~]$

Verify what we imported:

[user@vault ~]$ gpg --edit-key alice
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E   
sub  4096R/29E78F35  created: 2013-08-15  expires: 2013-08-22  usage: S   
[ unknown] (1). Alice <alice@domain.com>

gpg>

Yup, there they are.

  • The all-important master key with usage: SC (for “sign & certify”, which means to sign other keys)
  • One subkey with usage: E – for “encrypt”
  • One subkey with usage: S – for “sign”

Revoking compromised subkeys

gpg> list

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E   
sub  4096R/29E78F35  created: 2013-08-15  expires: 2013-08-22  usage: S   
[ unknown] (1). Alice <alice@domain.com>

gpg> key 1

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: unknown       validity: unknown
sub* 4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E   
sub  4096R/29E78F35  created: 2013-08-15  expires: 2013-08-22  usage: S   
[ unknown] (1). Alice <alice@domain.com>

gpg> key 2

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: unknown       validity: unknown
sub* 4096R/E19F81C0  created: 2013-08-15  expires: 2013-08-22  usage: E   
sub* 4096R/29E78F35  created: 2013-08-15  expires: 2013-08-22  usage: S   
[ unknown] (1). Alice <alice@domain.com>

gpg> revkey
Do you really want to revoke the selected subkeys? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
Your decision? 1
Enter an optional description; end it with an empty line:
> 
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15

You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: unknown       validity: unknown
This key was revoked on 2013-08-16 by RSA key 32D49659 Alice <alice@domain.com>
sub  4096R/E19F81C0  created: 2013-08-15  revoked: 2013-08-16  usage: E   
This key was revoked on 2013-08-16 by RSA key 32D49659 Alice <alice@domain.com>
sub  4096R/29E78F35  created: 2013-08-15  revoked: 2013-08-16  usage: S   
[ unknown] (1). Alice <alice@domain.com>

gpg> save
[user@vault ~]$

As you can see the all-important certification key has the power to revoke subkeys. Good thing Alice kept it safe in her offline vault all this time!

Export the revoked keys in a ASCII file

[user@vault ~]$ gpg --export -a > revoked_keys.asc

Move the revoked keys in your networked AppVM

[user@vault ~]$ qvm-copy-to-vm personal revoked_keys.asc 
sent 7/8 KB
[user@vault ~]$

From your networked AppVM now, tell the world you have revoked the subkeys

[user@personal ~]$ gpg --import QubesIncoming/vault/revoked_keys.asc 
gpg: key 32D49659: "Alice <alice@domain.com>" 2 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 2

[user@personal ~]$ gpg --edit-key alice
gpg (GnuPG) 1.4.14; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/32D49659  created: 2013-08-15  expires: 2013-08-22  usage: SC  
                     trust: ultimate      validity: ultimate
This key was revoked on 2013-08-16 by RSA key 32D49659 Alice <alice@domain.com>
sub  4096R/E19F81C0  created: 2013-08-15  revoked: 2013-08-16  usage: E   
This key was revoked on 2013-08-16 by RSA key 32D49659 Alice <alice@domain.com>
sub  4096R/29E78F35  created: 2013-08-15  revoked: 2013-08-16  usage: S   
[ultimate] (1). Alice <alice@domain.com>

gpg> quit

[user@personal ~]$ gpg --keyserver sks.keyservers.net --send-keys E19F81C0
gpg: sending key 32D49659 to hkp server sks.keyservers.net
[user@personal ~]$ gpg --keyserver sks.keyservers.net --send-keys 29E78F35
gpg: sending key 32D49659 to hkp server sks.keyservers.net
[user@personal ~]$ rm QubesIncoming/vault/revoked_keys.asc
[user@personal ~]

That’s it!

You have now revoked the two compromised subkeys and may create new subkeys with your untainted master key that was kept safe in your vault all along. Whoever managed to compromise your keys may be able to read everything encrypted with those keys (if they kept copies of the ciphertext).

Notes

Restricted keys (missing the master signing key, as we created above) can not currently be used by APG on Android. Use Mike Cardwell’s version of APG that works with such keys: download the apk from here.

Bill Binney on the NSA’s domestic surveillance “Stellar Wind” program

Preview of the documentary film “The Program” by Laura Poitras, as covered in the New York Times:

http://archive.org/details/TheNsaDomesticSpyingProgram

If you want a quick under-10-minute summary of what the big deal with the NSA, GCHQ etc hoovering up all of your data, this is a good one to watch. Remember, they are not only hoovering up Americans’ data – they are hoovering up any data they can get their hands on. This means that if you use any of the big American technology services (Google mail, Google search, Youtube, Microsoft Hotmail, Skype, Yahoo! Mail, Dropbox, Apple services, Amazon etc), your data is being collected.

A few good men

Here’s a few people who had both the guts and the skill to improve our world.

Stallman, Assange, Snowden

The guy on the left is Richard Stallman, founder of the Free Software Foundation, intellectual leader of the Free Software movement, who has tirelessly, often in the face of mockery, preached his gospel: Software is knowledge, and knowledge should be free for all.

Here he’s grinning alongside Julian Assange, Wikileaker extraordinaire, persecuted by the world’s most powerful governments, for months now unable to leave the Ecuadorian embassy in London. Assange had the balls to give us knowledge and to not stand down when the powers that be threatened him and came after him.

They are holding a picture of Edward Snowden, the latest NSA whistleblower who had the balls to throw away his comfortable, high-earning, high-status life to give us all some of the raw truth about how our governments operate. About how we have allowed our societies to resemble George Orwell’s 1984 to a worrying degree. He’s also prosecuted by the most powerful governments of this world.

Here’s a well-written biography of Edward Snowden, which captures the issues the world is facing after his brave disclosures succinctly. Highly recommended reading.

Edward Snowden (person) on Everything2

Secrets: A memoir of Vietnam and the Pentagon Papers – by Daniel Ellsberg

Some powerful excerpts from Daniel Ellberg’s book on Vietnam and the leaking of the McNamara study on US decision making in Vietnam that came to be known as The Pentagon Papers (freely available online by the US National Archive)
secrets_cover

Note: Page numbers are from the Penguin edition ISBN 978-0-14-200342-8

p.41: Proof that the US have been capable of global-range drone missions at least as early as the early 1960s:

One morning just before eight o’clock John (ed: McNaughton) came back from McNamara’s office minutes after he’d gotten a call and dashed out. He said to me, “A Blue Springs drone has gone down in China. Bob is seeing the press at eight-thirty. We have ten minutes to write six alternative lies for him.”

It was the only time I remember the actual word “lies” being used. Blue Springs was the code name for an espionage program for reconnaissance photographic flights by unmanned drone planes.

p.213: On the responsibility of people who do not actively oppose wrongdoing:

Nearly all evildoing, she pointed out, like nearly all coercive power, legitimate and illegitimate, depends on the cooperation, on the obedience and support, on the assent or at least passive tolerance of many people. It relies on many more collaborators than are conscious of their roles; these include even many victims, along with passive bystanders, as in effect accomplices.

p.237: Ellsberg’s advice to Henry Kissinger on the psychological and behavioural effects of secret clearances on people:

“Henry, there’s something I would like to tell you, for what it’s worth, something I wish I had been told years ago. You’ve been a consultant for a long time, and you’ve dealt a great deal with top secret information. But you’re about to receive a whole slew of special clearances, maybe fifteen or twenty of them, that are higher than top secret.

“I’ve had a number of these myself, and I’ve known other people who have just acquired them, and I have a pretty good sense of what the effects of receiving these clearances are on a person who didn’t previously know they even existed. (ed: emphasis in original) And the effects of reading the information that they will make available to you.

“First, you’ll be exhilarated by some of this new information, and by having it all – so much! incredible! – suddenly available to you. But second, almost as fast, you will feel like a fool for having studied, written, talked about these subjects, criticized and analyzed decisions made by presidents for years without having known of the existence of all this information, which presidents and others had and you didn’t, and which must have influenced their decisions in ways you couldn’t even guess. In particular, you’ll feel foolish for having literally rubbed shoulders for over a decade with some officials and consultants who did have access to all this information you didn’t know about and didn’t know they had, and you’ll be stunned that they kept that secret from you so well.

“You will feel like a fool, and that will last for about two weeks. Then, after you’ve started reading all this daily intelligence input and become used to using what amounts to whole libraries of hidden information, which is much more closely held than mere top secret data, you will forget there ever was a time when you didn’t have it, and you’ll be aware only of the fact that you have it now and most others don’t… and that all those other (ed: emphasis in original) people are fools.

“Over a longer period of time – not too long, but a matter of two or three years – you’ll eventually become aware of the limitations of this information. There is a great deal that it doesn’t tell you, it’s often inaccurate, and it can lead you astray just as much as the New York Times can. But that takes a while to learn.

“In the meantime it will have become very hard for you to learn (ed: emphasis in original) from anybody who doesn’t have these clearances. Because you’ll be thinking as you listen to them: ‘What could this man be telling me if he knew what I know? Would he be giving me the same advice, or would it totally change his predictions and recommendations?’ And that (ed: emphasis in original) mental exercise is so torturous that after a while you give it up and just stop listening. I’ve seen this with my superiors, my colleagues… and with myself.

“You will deal with a person who doesn’t have those clearances only from the point of view of what you want him to believe and what impression you want him to go away with, since you’ll have to lie carefully to him about what you know. In effect, you will have to manipulate him. You’ll give up trying to assess what he has to say. The danger is, you” become something like a moron. You’ll become incapable of learning from most people in the world, no matter how much experience they may have in their particular areas that may be much greater than yours.”

p.254: On the arrogance of power plaguing the US administration:

There was some realistic basis for the belief that many Vietnamese were naive and misled in their notions of what a Communist-led victory would do for them. But as I now realized, we American officials were no less ignorant or self-deceptive, in turn, about the nature of French rule or of the various Saigon regimes we supported or imposed later or the incentives that would lead people to take up and persist in armed struggle against greatly superior forces – and above all, about the burden of the war on the rural population. In any case, to presume to judge what was best for them, with life and death at stake, was the height of imperial arrogance, the “arrogance of power,” as Senator Fullbright later called it.

p.269 On the difficulty of stepping out of line and doing something you believe in for the first time:

Something very important had happened to me. I felt liberated. I doubt if I could have explained that at the time. But by now I have seen this exhilaration often enough in others, in particular people who have just gone through their first action of civil disobedience, whether or not they have been taken to jail. This simple vigil, my first public action, had freed me from a nearly universal fear whose inhibiting force, I think, is very widely underestimated. I had become free of the fear of appearing absurd, of looking foolish, for stepping out of line.

p.289 On how the Thai Khac Chuyen murder case blew the lid off Ellsberg’s passive tolerance of official lies and helped him decide to do something about it:

I lay in bed that Tuesday morning and thought: This is the system that I have been working for, the system I have been part of, for a dozen years – fifteen, including the Marine Corps. It’s a system that lies automatically, at every level from bottom to top – from sergeant to commander in chief – to conceal murder.

That described, as I had come to realize from my reading that month, what that system had been doing in Vietnam, on an infinitely larger scale, continuously for a third of a century. And it was still going on. I thought: I’m not going to be a part of it anymore. I’m not going to be part of this lying machine, this cover-up, this murder, anymore.

It occurred to me that what I had in my safe at Rand was seven thousand pages of documentary evidence of lying, by four presidents and their administrations over twenty-three years, to conceal plans and actions of mass murder. I decided I would stop concealing that myself. I would get it out somehow.

p. 394 On the surveillance capabilities of the FBI in the 1970s. We can only imagine how much this has changed, in the favour of the government, in our current era of pervasive wholesale surveillance:

The main secret to avoid being found by the FBI (in the 1970s) seemed to be: Don’t use your home or office phone.

[...]

On one occasion, “Mr Boston” went downstairs and across the street to a phone booth on the corner, about fifty yards from the apartment building where were staying that afternoon. He talked for about ten minutes to my friends Lloyd Shearer in Los Angeles, relaying some questions I had for Shearer, who was giving me advice on whom to deal with in the media. We happened to be looking out the front window when he left the booth and came back. Just as he entered the front door, perhaps twelve minutes from the time he placed the call, four police cars converged on the phone booth from two directions. Brakes screeched, and police jumped our with guns drawn, though the booth was now empty. Evidently Shearer’s line was tapped.

p.413 A glimpse into the administration’s psyche and why leaking hard evidence hurts their license to do whatever they want. It’s not so much the content of the leaks – but bringing to light the fact that the administration will sometimes be wrong. That’s why accountability, checks and balances at all levels are important:

H. R. Haldeman to President Nixon, Oval Office tapes, June 14, 1971, on the impact of the Pentagon Papers:
To the ordinary guy, all this is a bunch of gobbledygook. But out of the gobbledygook comes a very clear thing: you can’t trust the government; you can’t believe what they say; and you can’t rely on their judgement. And the implicit infallibility of presidents, which has been an accepted thing in America, is badly hurt by this, because it shows that people do things the president wants to do even though it’s wrong, and the president can be wrong.

p.418 People who have lost touch with reality casually discussing mass murder from their ivory tower – the Oval Office:

Two hours later, at noon, H. R. Haldeman and Ron Ziegler joined Kissinger and Nixon:
President: How many did we kill in Laos?
Ziegler: Maybe ten thousand – fifteen?
Kissinger: In the Laotian thing, we killed about ten, fifteen…
President: See, the attack in the North that we have in mind… power plants, whatever’s left – POL [petroleum], the docks… And, I still think we ought to take the dikes out now. Will that drown people?
Kissinger: About two hundred thousand people.
President: No, no, no… I’d rather use the nuclear bomb. Have you got that, Henry?
Kissinger: That, I think, would just be too much.
President: The nuclear bomb, does that bother you? … I just want you to think big, Henry, for Christsakes.

p.426 The (disgusting) light side of mass murder:

[...] the president was particularly concerned that the bombing of Cambodia in early 1969 and later (code-named Menu, for a series of raids initially code-named Breakfast, Lunch and Dinner) might be about to be revealed.

p.428 How the system of secrecy was used to mislead Congress and to hide entire bombing campaigns:

Moreover, Congress, which had to appropriate the money for these operations, had been given false top secret documentation on what country they were paying to bomb. Hundreds of military staffers in MACV and CINCPAC headquarters were kept busy faking classified flight plans and after-action reports of the bombing raids, falsifying the coordinates of the actual targets to indicate they were in South Vietnam rather than in Cambodia. When in 1970 Nixon ordered secret bombing of the Plain of Jars in Laos (which had no relation to infiltration routes), he used the same system of dual bookkeeping he had used to conceal the bombing of Cambodia.

[...]

A modern president’s practical ability to drop secretly several hundred thousand tons of bombs in a country with which we were not at war was a considerable tribute to the effectiveness of the postwar secrecy system. It gives our presidents a capability to initiate and escalate a war in secret that was scarcely possessed by monarchs of the past.

p. 431 James Madison‘s words on the importance of an informed public:

A popular government, without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy; or, perhaps, both. Knowledge will forever govern ignorance: And a people who mean to be their own governors, must arm themselves with the power knowledge gives.

p.457 Powerful closing remarks of an excellent book:

As Judge Byrne in Los Angeles was issuing his dismissal of our indictment, which had been anticipated all morning in the Oval Office discussions, the president addressed the situation in anguish and perplexity:

For example, on this national security thing, we have the rocky situation where the sonofabitching thief is made a national hero and is going to get off on a mistrial. And the New York Times gets a Pulitzer Prize for stealing documents… They’re trying to get at us with thieves. What in the name of God have we come to?

What we had come back to was a democratic republic – not an elected monarchy – a government under law, with Congress, the courts, and the press functioning to curtail executive abuses, as our Constitution envisioned.