CryptoParty: like a Tupperware party for learning crypto


14 Responses to “CryptoParty: like a Tupperware party for learning crypto”

  1. sgtdoom says:

    Great blog posting, and for another great book (and believe me, I don’t normally recommend Forbes’ staff writers):

    Andy Greenberg’s This Machine Kills Secrets  —- truly stupendous!

  2. J'Marinde Shephard says:

    If I remember my history correctly, the US EXCELS at code-breaking.

  3. Octavio says:

    But then there  is this…

    • FoolishOwl says:

      Jacob Appelbaum’s response is worrisome. As one of the key people behind the TOR Project, he’s an expert on the subject. I hope he goes into more detail on his criticisms

      I had been thinking about whether I could help organize a key signing party or something of the sort for local people in Friends of Wikileaks. I’d been distressed to find that none of the people I’ve heard from through have PGP/GPG keys registered, which is disappointing, given that the site emphasizes security and privacy in connecting people to begin with, and suggests posting a PGP public key in your profile. I’m no expert on security, but I’m trying to learn

      So organizing a CryptoParty would have seemed like just the thing to do. Except that there’s that worrying note from Appelbaum.

  4. Gordon Stark says:

    You know, Cory, people always talk about crypto like it’s secure, which is deceptive to the young, and gives them a false sense of confidence.

    It is relatively secure, and decrypting is a matter of how badly someone wants to decrypt it.

    Encryption is a great way to keep things private from the average person, but to someone seeking secrets it is merely a sign of where some may be, and decrypting is usually just a matter of time and money and processor power, and far less than one might imagine, where not just a process of using a back door.

    I would like to see more discussion of how secure crypto is NOT, and how easy it is for anyone who is determined to crack even “strong” encryption algorithms.

    By leading the young to imagine that so-called “strong encryption” is hard for those with supercomputers and/or legislated back doors to crack, they are given a false sense of security which is counter- productive to their needs and intentions and comprehension of the limits of the relative security afforded by “strong encryption”.

    As a rule, I consider encryption to be a good way to protect data from other commonplace and “unauthorized” people, while bearing in mind that authorities have made themselves authorized people, and that cracking encryption, while comparable to rocket science, is still just science, and not hard for those with the resources to accomplish.

    • Cory Doctorow says:

       Sorry, this is just wrong. Assuming a modern cipher, a reasonable keylength, and a well-chosen key/passphrase, crypto is unbreakable in human (or geological) timescales, assuming no major breakthroughs in quantum computing or factoring the products of long primes.

      The weaknesses of crypto are:

      * Bad implementations

      * Bad keyphrases

      * “Rubber hose cryptanalysis” (beating people up for their keys)

      * Keyloggers/hidden cameras/rootkits

      But not brute-force attacks on ciphertexts. It’s trivial to use an off-the-shelf PC to encrypt data to the point where it would take all the compute power on the planet billions of years to decrypt it (again, assuming a good implementation and no unforeseen advances in quantum computing or prime-product factoring).

      • Luther Blissett says:

        Thanks for this clear and important comment, Cory.

        Could you get Jacob to elaborate on the above-quoted tweet? I’m even thinking about linking the handbook to colleagues, and trying to promote e-mail encryption.

        Just BTW: I came across a lot of weird things considering the acceptance of crypto in a private environment, but I was really surprised when was informed by a close friend working for aerospace institution that they are discouraged to use encryption. I mean, they are planning and launching satellites, developing stuff which gets patented and whatnot!

        • Thomas Shaddack says:

          It may be because of the balance between the benefits (added secrecy, which can be suboptimal if there’s a mistake in implementation or procedure), and costs (added work, added need to audit procedures so the work makes sense, possible trouble with data recovery – leaked data may be the less costly option than lost data).

          • Luther Blissett says:

            Hm, I somehow doubt it. I mean, they are responsible for constructing parts of the ISS and don’t even sign their mails. What could possibly go wrong if someone has a real interest in fucking things up, badly? SCADA is a joke compared to that.

Leave a Reply