> You mean changing the number of "2048" to "4096"?

No, certainly not. I agree with you; the change from 2048 to 4096 isn't interesting.

The interesting part is that he 1) generated a new key (okay, not actually interesting in itself), 2) is using it in an isolated install, 3) this isolate install is on entirely separate hardware, not just a VM, 4) this separate hardware is new hardware that has never been networked.

Tinfoil Hat Linux was never really about using large PGP keys, you could use large PGP keys on a co-located RHEL box just as well as you could on an old crusty THL box covered with shoes and bluejeans in your closet. Rather, Tinfoil Hat Linux was about cautious (really, hyper-paranoid for the hell of it) treatment of private keys and plaintext. Extremely cautious treatment of plaintext and private keys is what he is currently going out of his way to do.

Is going to such an extreme (new hardware that has never been networked?) really necessary? I don't have the expertise to say. What I can say is that is nearing the sort of baseline paranoid treatment of private keys and plaintext that THL is known for. He's not blinking out leaked documents in morse code yet, he isn't worried about white vans down the street reconstructing the images on his monitor or RF leakage from his CPU giving them bits of his private key, but we are at the point where that is the next logical step.

(And no, aliens never landed at Roswell (or anywhere else), JFK was shot from the Book Depository (and only the Book Depository), and Stanley Kubrick did not film the moon landings (that was done with television cameras mounted on tripods, the LEM lander legs, and the astronauts' chests))

> Is going to such an extreme... really necessary?

Since Schneier's now doing analysis of unreleased Snowden documents for the Guardian, he now has reason to believe that the NSA has a strong motive to see what documents he's working on.

Seems to me that the level of tin-foil-hattery that's reasonable to protect against an organisation likely to be targeting you specifically needs to be an order of magnitude greater than that which is reasonable to protect against a general-population surveillance dragnet.

Well, tin-foil-hattery traditionally refers not only to the paranoia associated with the probability of being watched but also with the malicious or manipulative intent of those people or groups. Schneier needs to protect himself from the possibility of either his data being used in a manner to prosecute or punish or action taken to stifle work he has so far kept private. It's more than reasonable for him to give credence to the threat of a self-interested government agency acting maliciously toward him.

However, Schneier was a target well before this due to the nature of his work. It is exactly the scope of the recent revelations that throws the conventional thinking on where the fuzzy line between an appropriate risk assessment based on position of interest and the general population. When the potential dragnet is widespread and permanent I no longer have to only consider how important I am now (which I'm not), but I also have to consider if I will ever be take on a role that IS important not just now, but then.

I am using 8192 bits, just in case ;-) also applying one time pads when I can.

How do you get the one time pad to the recipient?

I really hope no one is using just one OTP.

Personally.

Just out of curiosity - assume you took a key of 8096 bits - and it is super long - could you then make a hash of the key which were shorter, and provide the hash, with instructions on how to reverse it, and then use the hash to produce the 8096 keylength with less digits between you and the recipient?

Are you asking whether you can compress an RSA key?

Anyways: don't use 8192 bit keys. Whatever kills the 4096 bit keys is going to kill RSA along with them. Honestly, I think 4096 bits is also kind of a you're-kidding-yourself key length; if attacks on 2048 bit keys became tractable, RSA is probably in serious trouble.

Dude, Get your ass to SF so I can buy you the many beers I owe you!

I get truly excited when I see your replies, I'd love to banter in [inebriated] public! With that said, may I please make the humble request;

Yoou have contributed a shitload of awesome comments on the state f "who-the-fuck-are-we-kidding" with respect to encryption and privacy in light of what we actually know now related to the NSA....

Would you please create a post, in an Explain-Like-I-Am-Five-Years-Old manner on both the state of the capabilities of the NSA, the state of current encryption tech/methods we rely on, AND what the heck I, as and individual, could/can/should do about protecting myself.

---

I can speculate all day long about all sorts of things, but I am asking - given the NSA-Fatigue I suffer from - fr your help.

I WILL PAY YOU FOR THIS SERVICE; Set the price at $20 for the best recommendation. Crowd-source your network of people who have enough info to contribute to the recommendation...

Aside from smashing my machines and cancelling my power utility, I have no clue how to regain privacy at this point.

Then we will drink, and e Merry, Pippin and Sam!

EDIT: Tawny Port May be responsible for this post.

No - one of the main points of a hash is that it is non-reversible.

Also, if you had a short string that could be expanded into the larger key, then what you really have is a short key to a slightly different crypto system, which is less secure than the original key in the original system.

Also, if you can significantly compress a string of truly random data, you can also probably compress digital video by a significant factor as well, and should therefore found a startup selling your groundbreaking compression technology.