Tor weaknesses
Dec 28th, 2010 by Ken Hagler

Flaws in Tor anonymity network spotlighted. At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.

The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a régime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing. [Ars Technica]

There are things users can do to protect themselves. From the article:

Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.

And from one of the comments:

This attack should be significantly less effective as well if the target in question is a fully functional and quality relaying node. In that case other people accessing through the node would randomize things significantly, and their access would be impossible to differentiate from a local user without the kind of physical access that makes the entire thing moot.

TrueCrypt Endorsement
Jul 1st, 2010 by Ken Hagler

Cryptography Success Story. From Brazil: the moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files. [Schneier on Security]

The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.

The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil’s Globo newspaper reports.

I use TrueCrypt to protect the Windows laptop I use for work. Unfortunately, the Mac version doesn’t support whole disk encryption.

Encryption and Gmail
Oct 29th, 2008 by Ken Hagler

How To Talk So The Government Can’t Listen. Part 1: how to encrypt your e-mail in Gmail with GPG (for use with Gmail or other web mail interfaces on Firefox in Windows) [Rad Geek People’s Daily]

A good detailed tutorial on how to use GPG to protect your email within Gmail. The parts dealing with key management are Windows-specific–the state of Mac support for GPG is considerably inferior and Linux support (at least in the Ubuntu distribution) is better, but the details are different.

© Ken Hagler. All rights reserved.