<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Boing Boing &#187; crypto</title>
	<atom:link href="http://boingboing.net/tag/crypto/feed" rel="self" type="application/rss+xml" />
	<link>http://boingboing.net</link>
	<description>Brain candy for Happy Mutants</description>
	<lastBuildDate>Sat, 18 May 2013 21:36:08 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.1</generator>
		<item>
		<title>3D printed guns and the law: will judges be able to think clearly about digital files when guns are&#160;involved?</title>
		<link>http://boingboing.net/2013/05/13/3d-printed-guns-and-the-law-w.html</link>
		<comments>http://boingboing.net/2013/05/13/3d-printed-guns-and-the-law-w.html#comments</comments>
		<pubDate>Mon, 13 May 2013 12:09:36 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[3d printing]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[guns]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229837</guid>
		<description><![CDATA[My latest Guardian column is "3D printed guns are going to create big legal precedents," and it looks at an underappreciated risk from 3D printed guns: that courts will be so freaked out by the idea of 3D printed guns that they'll issue reactionary decisions that are bad for the health of the Internet and [...]]]></description>
			<content:encoded><![CDATA[
<p>
My latest Guardian column is "3D printed guns are going to create big legal precedents," and it looks at an underappreciated risk from 3D printed guns: that courts will be so freaked out by the idea of 3D printed guns that they'll issue reactionary decisions that are bad for the health of the Internet and its users:

<blockquote>
<p>
More interesting is the destiny of the files describing 3D printed guns. These model-files have been temporarily removed from the internet at the behest of the US State Department, which is investigating the possibility that they violate the International Traffic in Arms Regulations. Wilson says that he's on safe ground here, because the regulations do not cover material in a library, and he says the internet is like a library. As this is taking place in the US, there's also the First Amendment to be considered, which limits government regulation of speech.
<p>
Here's where things get scary for me. Defense Distributed is headed for some important, possibly precedent-setting legal battles with the US government, and I'm worried that the fact that we're talking about guns here will cloud judges' minds. Bad cases made bad law, and it's hard to think of a more emotionally overheated subject area. So while I'd love to see a court evaluate whether the internet should be treated as a library in law, I'm worried that when it comes to guns, the judge may find himself framing the question in terms of whether a gun foundry should be treated as a library.
</blockquote>


<p>
<a href="http://www.guardian.co.uk/technology/2013/may/13/3d-printed-guns">3D printed guns are going to create big legal precedents</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/13/3d-printed-guns-and-the-law-w.html/feed</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>Apple can decrypt iPhones for cops; Google can remotely &quot;reset password&quot; for Android&#160;devices</title>
		<link>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html</link>
		<comments>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html#comments</comments>
		<pubDate>Sun, 12 May 2013 15:49:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[lawful interception]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229751</guid>
		<description><![CDATA[Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too: Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with [...]]]></description>
			<content:encoded><![CDATA[
<p>

Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too:

<blockquote>
<p>


Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
<p>
Ginger Colbrun, ATF's public affairs chief, told CNET that "ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices."
<p>
...The ATF's Maynard said in an affidavit for the Kentucky case that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device." Chang, the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive" and delivered to the ATF.
<p>
It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET. 
</blockquote>

<p>
It's not clear to me from the above whether Google "resetting the password" for Android devices merely bypasses the lock-screen or actually decrypts the mass storage on the phone if it has been encrypted.
<p>
I also wonder if the "decryption" Apple undertakes relies on people habitually using short passwords for their phones -- the alternative being a lot of screen-typing in order to place a call.

<P>
<a href="http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/">Apple deluged by police demands to decrypt iPhones</a> [Declan McCullagh/CNet]
<p>
(<i>via <a href="http://slashdot.org">/.</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html/feed</wfw:commentRss>
		<slash:comments>68</slash:comments>
		</item>
		<item>
		<title>Ben Laurie on&#160;BitCoin</title>
		<link>http://boingboing.net/2013/05/05/ben-laurie-on-bitcoin.html</link>
		<comments>http://boingboing.net/2013/05/05/ben-laurie-on-bitcoin.html#comments</comments>
		<pubDate>Sun, 05 May 2013 21:40:19 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[short]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=228478</guid>
		<description><![CDATA[I wrote yesterday about Dan Kaminsky's excellent thoughts on BitCoin, and wished aloud for comparable work from Ben Laurie. It turns out such work exists: here's Ben's critique of BitCoin, and here's his proposal for an alternative. Both are short, clear, excellent reads.]]></description>
			<content:encoded><![CDATA[

I <a href="http://boingboing.net/2013/05/04/dan-kaminski-on-bitcoin.html">wrote yesterday</a> about Dan Kaminsky's excellent thoughts on BitCoin, and wished aloud for comparable work from Ben Laurie. It turns out such work exists: <a href="http://www.links.org/files/decentralised-currencies.pdf">here's Ben's critique of BitCoin</a>, and <a href="http://www.links.org/files/distributed-currency.pdf">here's his proposal</a> for an alternative. Both are short, clear, excellent reads.

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/05/ben-laurie-on-bitcoin.html/feed</wfw:commentRss>
		<slash:comments>39</slash:comments>
		</item>
		<item>
		<title>How cognitive blind-spots compromise security&#160;systems</title>
		<link>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html</link>
		<comments>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html#comments</comments>
		<pubDate>Wed, 10 Apr 2013 17:25:14 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=223796</guid>
		<description><![CDATA[Tanya Khovanova has a fascinating and illuminating story about the blind-spots that can leave security systems vulnerable. She describes a clever one-way function using real-world tools: Silvio Micali taught me cryptography. To explain one-way functions, he gave the following example of encryption. Alice and Bob procure the same edition of the white pages book for [...]]]></description>
			<content:encoded><![CDATA[
<p>
Tanya Khovanova has a fascinating and illuminating story about the blind-spots that can leave security systems vulnerable. She describes a clever one-way function using real-world tools:

<blockquote>
<p>
 Silvio Micali taught me cryptography. To explain one-way functions, he gave the following example of encryption. Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter.
<p>
To decrypt the message Bob has to read through the whole book to find all the numbers. The decryption will take a lot more time than the encryption. If the book increases in size the time it takes Alice to do the encryption almost doesn’t increase, but the decryption process becomes more and more draining.
<p>
This example is very good for teaching one-way functions to non-mathematicians. Unfortunately, the technology changes and the example that Micali taught me fifteen years ago isn’t so cute anymore. Indeed you can do a reverse look-up online of every phone number in the white pages.
</blockquote>

<p>
Then she explains how a student pointed out her own blind-spot that made the system trivial to defeat:

<blockquote>
<p>
I still use this example, with an assumption that there is no reverse look-up. I recently taught it to my AMSA students. And one of my 8th graders said, “If I were Bob, I would just call all the phone numbers and ask their last names.”
<p>
In the fifteen years since I’ve been using this example, this idea never occurred to me. I am very shy so it would never enter my mind to call a stranger and ask for their last name. My student made me realize that my own personality affected my mathematical inventiveness.
</blockquote>

As Bruce Schneier points out, the young student is demonstrating "security mindset," imagining an attack on a security system that works on the weakest flank.

<p>
<a href="http://blog.tanyakhovanova.com/?p=277">One-Way Functions</a>

(<i>via <a href="https://www.schneier.com/">Schneier</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html/feed</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Numbers stations on Twitter and other spook-y&#160;tweets</title>
		<link>http://boingboing.net/2013/03/11/numbers-stations-on-twitter-an.html</link>
		<comments>http://boingboing.net/2013/03/11/numbers-stations-on-twitter-an.html#comments</comments>
		<pubDate>Mon, 11 Mar 2013 23:38:39 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[spooks]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=217938</guid>
		<description><![CDATA[Ken Layne takes us on a tour of weird, possibly espionage-related Twitter accounts, from a "numbers station" that has tweeted 318,000 hexadecimal numbers since 2009 (possibly from Khabarovsk), to a "joke" CIA account that seems to have a lot of inside dope, to a massive cluster of accounts that tweet nothing but "Iowa City schools [...]]]></description>
			<content:encoded><![CDATA[
<p>
Ken Layne takes us on a tour of weird, possibly espionage-related Twitter accounts, from a "numbers station" that has tweeted 318,000 hexadecimal numbers since 2009 (possibly from Khabarovsk), to a "joke" CIA account that seems to have a lot of inside dope, to a massive cluster of accounts that tweet nothing but "Iowa City schools ask state for an audit," over and over again. 

<blockquote>
<p>

Here are some of the 38 followers of an inscrutable account called @googuns_staging—many of these are obvious fraudulent accounts with randomly generated profiles such as, "I like Jonathan Richman/The Modern Lovers to listen and Lord of the Rings: The Return of the King, The to watch. I'm brave and chivalrous." Well, of course you are!
<p>
GooGuns posts nothing but strings of letters and numbers, like b39e65fa00000000 in intervals of about five minutes on average. The string of characters always ends with zeroes, occasionally with the location service turned on, so you can see that 554705fa00000000 was allegedly tweeted from the "Region of Khabarovsk." This has been going on all day and all night, for years, with more than 318,000 tweets posted since 2009. But why?
<p>
There is an iOS game called GooGun with its own website and a dubious iTunes graphic with the words "No Longer Available" over it. "Space robots are attacking," says the promotional video showing game play on this game that is not available to play.
</blockquote>



<p>
<a href="http://www.theawl.com/2013/03/spy-twitter-is-weird-twitte">The Real Weird Twitter Is Espionage Twitter</a> [Ken Layne/The Awl]

(<i>via <a href="http://wilwheaton.tumblr.com/">Wil Wheaton</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/11/numbers-stations-on-twitter-an.html/feed</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>Access files on locked, encrypted Android phones by putting them in a freezer for an&#160;hour</title>
		<link>http://boingboing.net/2013/03/06/access-files-on-locked-encryp.html</link>
		<comments>http://boingboing.net/2013/03/06/access-files-on-locked-encryp.html#comments</comments>
		<pubDate>Wed, 06 Mar 2013 17:42:50 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[telephony]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=216894</guid>
		<description><![CDATA[This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot [...]]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/frost_pincrack2.jpg" class="bordered"><br />
This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot up into a custom OS that can recover the keys and boot the phone up with all the files available in the clear. The attack is called FROST: "Forensic Recovery Of Scrambled Telephones," and it requires a phone with an unlocked bootloader to work.

<blockquote>
<p>


At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.
<p>
We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow to retrieve sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.
</blockquote> 

<p>
<a href="https://www1.informatik.uni-erlangen.de/frost">
FROST: Forensic Recovery Of Scrambled Telephones
</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/06/access-files-on-locked-encryp.html/feed</wfw:commentRss>
		<slash:comments>37</slash:comments>
		</item>
		<item>
		<title>Cypherpunks: articulates and challenges Internet&#160;freedom</title>
		<link>http://boingboing.net/2013/02/14/cypherpunks-a-conversation-th.html</link>
		<comments>http://boingboing.net/2013/02/14/cypherpunks-a-conversation-th.html#comments</comments>
		<pubDate>Thu, 14 Feb 2013 16:58:51 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Review]]></category>
		<category><![CDATA[books]]></category>
		<category><![CDATA[Civlib]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[gift guide]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[web theory]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=212929</guid>
		<description><![CDATA[Cypherpunks -- a quick, stirring, scary read -- transcribes a wide-ranging conversation between Wikileaks co-founder Julian Assange, Jacob Appelbaum (Wikileaks/Tor Project), Andy Müller-Maguhn (Chaos Computer Club) and Jérémie Zimmermann (La Quadrature Du Net). Edited together in thematic chapters (The Militarization of Cyberspace, Fighting Total Surveillance With the Laws of Physics, Private Sector Spying), Cypherpunks exceeded [...]]]></description>
			<content:encoded><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/02/tumblr_mellxazv4m1qzzr6wo1_500.png1.jpg" class="bordered"><br />
<a href="http://www.amazon.com/exec/obidos/ASIN/B00AF23WEO/downandoutint-20">Cypherpunks</a> -- a quick, stirring, scary read -- transcribes a wide-ranging conversation between Wikileaks co-founder Julian Assange, Jacob Appelbaum (Wikileaks/Tor Project), Andy Müller-Maguhn (Chaos Computer Club) and Jérémie Zimmermann (La Quadrature Du Net). 
<p>
Edited together in thematic chapters (The Militarization of Cyberspace, Fighting Total Surveillance With the Laws of Physics, Private Sector Spying), <em>Cypherpunks</em> exceeded my expectations. I know some of the book's protagonists personally and know how smart and principled they are. But I was afraid, going into this, that what would emerge would be a kind of preaching-to-the-choir consensus, because all four of the participants are on the same side.
<p>
Instead, I found <em>Cypherpunks</em> to be a genuine debate, where each speaker's best arguments -- well-polished, well-spoken, and convincing -- were mercilessly tested by the others, who subjected them to hard questions and rigorous inspection. Most of our discussions about Wikileaks lack nuance, and they're often hijacked by personal questions about Assange. Whatever you feel about Assange, he is not Wikileaks -- Wikileaks is an activity, not an organization, and its participants, including Bradley Manning, are engaged in something important and difficult and fraught, and there is a place for a debate about whether the tactics of Wikileaks best serve the strategic end of a free and open Internet in a just and humane society.
<p>
The debate recorded in <em>Cypherpunks</em> -- though leavened with humor and easy to follow -- covers a lot of nuance of the sort that has been missing from the discussion. The wider points -- that the universe's in-built mathematics favor the keeping of secrets because it is easier to encrypt a message than decrypt it, say -- may dazzle, but the getting down to cases afterward, the chewing the point over and challenging it, that's where the book shines.
<p>
There aren't many titles that pack as much argument, ambiguity and theory into as small a package as <em>Cypherpunks</em>. It's a book you can read in an hour or two, but you'll be thinking about it for years.
<p>
<a href="http://www.amazon.com/exec/obidos/ASIN/B00AF23WEO/downandoutint-20">Cypherpunks</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/02/14/cypherpunks-a-conversation-th.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Letter from a young Homeland&#160;reader</title>
		<link>http://boingboing.net/2013/02/10/letter-from-a-young-homela.html</link>
		<comments>http://boingboing.net/2013/02/10/letter-from-a-young-homela.html#comments</comments>
		<pubDate>Sun, 10 Feb 2013 20:50:46 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[aaronsw]]></category>
		<category><![CDATA[books]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[Kids]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[science fiction]]></category>
		<category><![CDATA[ya]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=212162</guid>
		<description><![CDATA[As you've no doubt gleaned, I'm on tour with my new novel, Homeland. A lot of people commiserate with me about the grueling pace -- and it is! a new city practically every day and nowhere near enough sleep and continuous interviews and presentations from o-dark hundred to late at night -- but for all [...]]]></description>
			<content:encoded><![CDATA[

<p>
As you've no doubt gleaned, I'm <a href="http://us.macmillan.com/Tour.aspx?id=1238">on tour</a> with my new novel, <a href="http://www.tor.com/stories/2012/07/homeland-excerpt?start=1">Homeland</a>. A lot of people commiserate with me about the grueling pace -- and it is! a new city practically every day and nowhere near enough sleep and continuous interviews and presentations from o-dark hundred to late at night -- but for all that, it's actually something I love. That's because I get to meet readers, especially young readers (I do a lot of school presentations) and readers tell me about how my books have affected them, and it's generally both humbling and delightful.
<p>
But every now and again, I hear from a reader whose description of her or his experience with my work leaves me, well, speechless. This is one such letter, from a young man named Brian, who emailed me this morning, and graciously gave me permission to post his letter. I'm posting it to let you know -- and to remind me -- that for all that touring is sometimes a lot of work, the end result is that my books end up in the hands of people for whom they can be revelatory. It's such an awesome responsibility, and such a wonderful one. Thank you, Brian.

<span id="more-212162"></span>

<blockquote>
<p>
I started reading Homeland the day it came out, and finished it the day after. I had it on pre-order on my kindle, which I proceeded to bring with me everywhere for the following two days. I have read Little Brother, For The Win, Pirate Cinema, and Chicken Little. Each one amazed me (though Chicken Little is slightly less related to my point). By the time I got to the last page of Homeland, I was incensed. I didn’t have time to read the afterword, I was going to get started right away!
<p>
I looked up TrueCrypt, and was shocked to find it actually existed. Immediately downloaded. I had known about TOR before, but hadn’t thought much about it. My next move was to install it into my TC drive and begin using it. I found out about the CryptoParty movement, and I’m trying to figure out a Party in my hometown.
<p>
My point is, your book introduced me to practical cryptography and to a side of the movement for “freedom of people,” as you called it, that I had never before seen.
<p>
And then I read <a href="https://torforge.wordpress.com/2013/02/04/cory-doctorow-on-aaron-swartz/">the afterword</a>.
<p>
Related to my cryptography search, I had recently re-read some of the news articles and documents pertaining to Aaron’s suicide. The moment I saw his name on the afterword, I put the book down and started crying. I’m not normally a person to cry, but I couldn’t take it right then. Slowly, I picked my kindle back up and started reading again. As I read, tears welled in my eyes. I was very moved by your book, but (with all respect), these words from beyond the grave – from a real person beyond the grave – affected me more than any book ever could.
<p>
I didn’t know Aaron personally, but even so that passage made me cry. I can’t say I know how you felt, but I can say that I think it would have been hard for me to include his afterword. I’m damn grateful you chose to keep it. It is even more important now. When I read it, I was touched, but I was also pissed. My immediate, gut reaction was that no one has the right to do that to someone. The attacks and case against him were ridiculous, and I hope those who targeted him feel ashamed. My ensuing reaction was to do something, to really get out and do something. What, I’m not quite sure: I don’t know many internet activists, and my hometown isn’t exactly the center of internet activism, but that’s what the internet’s for, isn’t it? The internet lets anyone anywhere join in global movements that impassion them, and now I’m ready to join in a global initiative toward freedom on the internet across the world.
<p>
So, to summarize: your book worked. I read <a href="http://www.huffingtonpost.com/2013/01/29/aaron-swartz-cory-doctorow-homeland_n_2568774.html">the Huffington Post article</a> of an excerpt of their interview with you. Well, I am your ideal kid: I’m 14, here in 2013, and my reaction was to “rush to a search engine and figure out proxies, free/open operating systems, freedom of information requests, local makerspaces, campaigns for political accountability…the whole package.” (Well, really I’m still working on some of those.)

 <p>

Anonymous
</blockquote>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/02/10/letter-from-a-young-homela.html/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>SkypeHide promises to hide secret messages in silent Skype packets, even when authorities are&#160;listening</title>
		<link>http://boingboing.net/2013/01/09/skypehide-promises-to-hide-sec.html</link>
		<comments>http://boingboing.net/2013/01/09/skypehide-promises-to-hide-sec.html#comments</comments>
		<pubDate>Wed, 09 Jan 2013 21:25:36 +0000</pubDate>
		<dc:creator>Xeni Jardin</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[steganography]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=204879</guid>
		<description><![CDATA[Buzzing around the internet this week: Polish security researcher and professor Wojciech Mazurczyk (left) claims to be developing a way to hide secret, un-eavesdroppable messages in "silent" packets transmitted within Skype conversations. He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat has a writeup here. [...]]]></description>
			<content:encoded><![CDATA[<img src="http://boingboing.net/wp-content/uploads/2013/01/wm1.jpg" alt="" title="wm1" width="300" height="402" class="bordered alignleft size-full wp-image-204883" />Buzzing around the internet this week: Polish security researcher and professor <a href="http://mazurczyk.com/">Wojciech Mazurczyk</a> (left) claims to be developing a way to hide secret, un-eavesdroppable messages in <a href='http://www.newscientist.com/article/dn23044-silent-skype-calls-can-hide-secret-messages.html?cmpid=RSS|NSNS|2012-GLOBAL|news'>"silent" packets transmitted within Skype conversations</a>.  He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat <a href="http://venturebeat.com/2013/01/06/polish-prof-discovers-way-to-encrypt-secret-messages-into-silence-on-skype-even-if-the-fbi-is-listening/">has a writeup here</a>. The ease with which Skype can be snooped by law enforcement <a href="http://www.washingtonpost.com/business/economy/skype-makes-chats-and-user-data-more-available-to-police/2012/07/25/gJQAobI39W_story.html">is well-known</a>. I'll be interested to hear what other security researchers make of Mazurczyk's project, when and if it is eventually released.]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/01/09/skypehide-promises-to-hide-sec.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Inception: a tool for compromising the slumber of computers with full-disk&#160;encryption</title>
		<link>http://boingboing.net/2013/01/03/inception-a-tool-for-compromi.html</link>
		<comments>http://boingboing.net/2013/01/03/inception-a-tool-for-compromi.html#comments</comments>
		<pubDate>Fri, 04 Jan 2013 01:45:01 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[computer science]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=203785</guid>
		<description><![CDATA[Inception is a tool for breaking into computers with full-disk encryption. It assumes that you have access to a suspended/screen-locked computer whose disk is encrypted. You access the machine over its FireWire interface (or, if it doesn't have FireWire, you plug a FireWire card into one of its slots, and the machine will automatically fetch, [...]]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/01/inception_m11.jpg" class="bordered"><Br>
Inception is a tool for breaking into computers with full-disk encryption. It assumes that you have access to a suspended/screen-locked computer whose disk is encrypted. You access the machine over its FireWire interface (or, if it doesn't have FireWire, you plug a FireWire card into one of its slots, and the machine will automatically fetch, install and configure the drivers, even if it's asleep), and then use the FireWire drivers to directly access system memory, and from there, patch the password-checking routine and walk straight into the computer.
<p>
This (and its predecessors, like winlockpwn) is a substantial advance on previous attacks against sleeping full-disk encrypted systems, which involved things like plunging the RAM into a bath of liquid nitrogen. As the author, Carsten Maartmann-Moe, points out, this can't be easily remedied with a FireWire driver update, since FireWire requires direct memory access to effect high-speed transfers. 
<p>
So, two things: First, shut down your computer when it's not in your possession; second, "Inception" is an inspired name for an attack that breaks into the dreams of a sleeping computer, directly accesses its memory, and causes it to spill its secrets.

<blockquote>
<p>


Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.
<p>
An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.
<p>
After running the tool you should be able to log into the victim machine using any password.
</blockquote>

<P>
<a href="http://www.breaknenter.org/projects/inception/">Inception</a>

(<i>via <a href="http://www.jwz.org/blog/">JWZ</a></i>)


]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/01/03/inception-a-tool-for-compromi.html/feed</wfw:commentRss>
		<slash:comments>42</slash:comments>
		</item>
		<item>
		<title>Great Firewall of China nukes VPNs on&#160;sight</title>
		<link>http://boingboing.net/2012/12/17/great-firewall-of-china-nukes.html</link>
		<comments>http://boingboing.net/2012/12/17/great-firewall-of-china-nukes.html#comments</comments>
		<pubDate>Mon, 17 Dec 2012 15:07:11 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[steganography]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=200887</guid>
		<description><![CDATA[A new rev of the Great Firewall of China seeks out VPN connections (including, I assume, connections over The Onion Router) and terminates them. Only companies who register official VPNs with the Chinese government will be able to run them without interference. Registration is only available to Chinese companies, and I'll bet it involves escrowing [...]]]></description>
			<content:encoded><![CDATA[<p>
A new rev of the Great Firewall of China seeks out VPN connections (including, I assume, connections over The Onion Router) and terminates them. Only companies who register official VPNs with the Chinese government will be able to run them without interference. Registration is only available to Chinese companies, and I'll bet it involves escrowing your keys with the Chinese net-cops so they can spy on it.

<blockquote>
<p>
Users in China suspected in May 2011 that the government there was trying to disrupt VPN use, and now VPN providers have begun to notice the effects.
<p>
Astrill, a VPN provider for users inside and outside China, has emailed its users to warn them that the "Great Firewall" system is blocking at least four of the common protocols used by VPNs, which means that they don't function. "This GFW update makes a lot of harm to business in China," the email says. "We believe [the] China censorship minister is a smart man … and this blockage will be removed and things will go back to normal."
<p>
But the company added that trying to stay ahead of the censors is a "cat-and-mouse game" – although it is working on a new system that it hopes will let it stay ahead of the detection system.
</blockquote>

<p>
<a href="http://www.guardian.co.uk/technology/2012/dec/14/china-tightens-great-firewall-internet-control">China tightens 'Great Firewall' internet control with new technology [Charles Arthur/The Guardian]</a>


]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/12/17/great-firewall-of-china-nukes.html/feed</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Crypto and Bletchley Park podcast from BBC&#039;s Infinite Monkey&#160;Cage</title>
		<link>http://boingboing.net/2012/12/07/crypto-and-bletchley-park-podc.html</link>
		<comments>http://boingboing.net/2012/12/07/crypto-and-bletchley-park-podc.html#comments</comments>
		<pubDate>Fri, 07 Dec 2012 20:01:24 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Audio]]></category>
		<category><![CDATA[bbc]]></category>
		<category><![CDATA[computer science]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[math]]></category>
		<category><![CDATA[podcast]]></category>
		<category><![CDATA[uk]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=199036</guid>
		<description><![CDATA[BBC Radio 4's great math and science show "The Infinite Monkey Cage" did a great (and very funny) episode on crypto and Bletchley Park, with Robin Ince, Brian Cox, Dave Gorman, Simon Singh and Dr Sue Black. Secret Science MP3 (via Schneier)]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://craphound.com/images/2686200751_24f1b665f0_z.jpg" class="bordered"><br />
BBC Radio 4's great math and science show "The Infinite Monkey Cage" did a great (and very funny) episode on crypto and Bletchley Park, with Robin Ince, Brian Cox, Dave Gorman, Simon Singh and Dr Sue Black. 

<P>
<a href="http://www.bbc.co.uk/programmes/b01p40h7">Secret Science</a>
<p>
<a href="http://downloads.bbc.co.uk/podcasts/radio4/timc/timc_20121203-1700a.mp3">MP3</a>
<p>
(<i>via <a href="https://www.schneier.com/">Schneier</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/12/07/crypto-and-bletchley-park-podc.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
<enclosure url="http://downloads.bbc.co.uk/podcasts/radio4/timc/timc_20121203-1700a.mp3" length="13703390" type="audio/mpeg" />
		</item>
		<item>
		<title>Amazing, invisible work that goes on when you click an HTTPS&#160;link</title>
		<link>http://boingboing.net/2012/12/05/amazing-invisible-work-that-g.html</link>
		<comments>http://boingboing.net/2012/12/05/amazing-invisible-work-that-g.html#comments</comments>
		<pubDate>Wed, 05 Dec 2012 20:00:48 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[computer science]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[math]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=198405</guid>
		<description><![CDATA[Jeff Moser has a clear, fascinating enumeration of all the incredible math stuff that happens between a server and your browser when you click on an HTTPS link and open a secure connection to a remote end. It's one of the most important (and least understood) parts of the technical functioning of the Internet. People [...]]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://craphound.com/images/AmazonBasicCertInfo.png" ><br />
Jeff Moser has a clear, fascinating enumeration of all the incredible math stuff that happens between a server and your browser when you click on an HTTPS link and open a secure connection to a remote end. It's one of the most important (and least understood) parts of the technical functioning of the Internet.

<blockquote>
<p>
People sometimes wonder if math has any relevance to programming. Certificates give a very practical example of applied math. Amazon's certificate tells us that we should use the RSA algorithm to check the signature. RSA was created in the 1970's by MIT professors Ron *R*ivest, Adi *S*hamir, and Len *A*dleman who found a clever way to combine ideas spanning 2000 years of math development to come up with a beautifully simple algorithm:
<p>
You pick two huge prime numbers "p" and "q." Multiply them to get "n = p*q." Next, you pick a small public exponent "e" which is the "encryption exponent" and a specially crafted inverse of "e" called "d" as the "decryption exponent." You then make "n" and "e" public and keep "d" as secret as you possibly can and then throw away "p" and "q" (or keep them as secret as "d"). It's really important to remember that "e" and "d" are inverses of each other.
<p>
Now, if you have some message, you just need to interpret its bytes as a number "M." If you want to "encrypt" a message to create a "ciphertext", you'd calculate:
<p>
C ≡ M<sup>e</sup> (mod n)
<p>
This means that you multiply "M" by itself "e" times. The "mod n" means that we only take the remainder (e.g. "modulus") when dividing by "n." For example, 11 AM + 3 hours ≡ 2 (PM) (mod 12 hours). The recipient knows "d" which allows them to invert the message to recover the original message:
<p>
C<sup>d</sup> ≡ (M<sup>e</sup>)<sup>d</sup> ≡ M<sup>e*d</sup> ≡ M<sup>1</sup> ≡ M (mod n)
</blockquote>

<p>
<a href="http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html"> The First Few Milliseconds of an HTTPS Connection </a>

(<i>via <a href="http://radar.oreilly.com/">O'Reilly Radar</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/12/05/amazing-invisible-work-that-g.html/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Internet of the Dead: the net&#039;s collision course with&#160;death</title>
		<link>http://boingboing.net/2012/11/26/internet-of-the-dead-the-net.html</link>
		<comments>http://boingboing.net/2012/11/26/internet-of-the-dead-the-net.html#comments</comments>
		<pubDate>Mon, 26 Nov 2012 15:41:56 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[death]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=196120</guid>
		<description><![CDATA[My latest Locus magazine column is "The Internet of the Dead," which discusses the collision course the Internet is on with death. It was inspired by my work to preserve the personal data of my old friend Erik "Possum Man" Stewart, who died unexpectedly and tragically in June: It was while I sat in Possum’s [...]]]></description>
			<content:encoded><![CDATA[

<p>
My latest <em>Locus magazine</em> column is "The Internet of the Dead," which discusses the collision course the Internet is on with death. It was inspired by my work to preserve the personal data of my old friend Erik "Possum Man" Stewart, who died unexpectedly and tragically in June:

<blockquote>
<p>



It was while I sat in Possum’s room that I began to think about his computer. It was a homemade Franken-PC that sat under his desk, its wheezy fan making a racket like an ancient refrigerator. After I’d left Possum’s house and headed back to the airport, I got to thinking about that computer. I strongly suspected that Possum would have copied over all the data of his life – all the e-mails and lists and photos and movies and programs and essays and stories and, well, *everything* – onto each new machine, keeping it all live and handy. After all, hard-drives are cheap – especially if you’re building your own tower PC with lots of full-height drive bays – and their capacity increases exponentially, year on year. It’s been a long time since it made sense to keep your archives in a shoebox full of Zip cartridges or floppy drives. If you buy a PC every couple of years, your new machine will almost certainly have more than twice the hard-drive space of your old one. Keeping your data on your live, spinning platter means that it will get saved every time you do your regular backup (assuming you perform this essential ritual!), and if the drive starts to fail, you’ll know about it right away. It’s not like dragging an old floppy out of a dusty box and praying that it hasn’t succumbed to bitrot since it was put away.

<p>
Possum never uploaded his consciousness to a computer, but he approximated such a transfer, one keystroke at a time, year after year, filling those noisy, full-height drives with all his secrets, all his creative outpourings, all his minutiae and mundane trivialities and extraordinary profundities. It’s a transfer we’re all effecting, but Possum got a head start on most of us, kicking off the project in the 1980s. That homely, rackety tower under Possum’s desk was him, in some important sense – in the same sense that my laptop holds a good deal of what it means to be me.
</blockquote>


<p>
<a href="http://www.locusmag.com/Perspectives/2012/11/cory-doctorow-the-internet-of-the-dead/">Cory Doctorow: The Internet of the Dead</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/11/26/internet-of-the-dead-the-net.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Breaking a 18th C cipher reveals hidden history of Freemasonry and&#160;freethought</title>
		<link>http://boingboing.net/2012/11/23/breaking-a-18th-c-cipher-revea.html</link>
		<comments>http://boingboing.net/2012/11/23/breaking-a-18th-c-cipher-revea.html#comments</comments>
		<pubDate>Fri, 23 Nov 2012 18:11:46 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[Science]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=195800</guid>
		<description><![CDATA[Noah Shachtman's long Wired feature "They Cracked This 250-Year-Old Code, and Found a Secret Society Inside," tells the intriguing story of the cracking of the "Copiale" cipher, a strange text left behind by a mid-18th-century secret society called the Oculists. The Oculists had formerly been remembered as being concerned with performing and perfecting eye surgeries, [...]]]></description>
			<content:encoded><![CDATA[<p>
<img src="http://craphound.com/images/manuscript-sidebar_txtc.jpg"><br />
Noah Shachtman's long Wired feature "They Cracked This 250-Year-Old Code, and Found a Secret Society Inside," tells the intriguing story of the cracking of the "Copiale" cipher, a strange text left behind by a mid-18th-century secret society called the Oculists. The Oculists had formerly been remembered as being concerned with performing and perfecting eye surgeries, but the Copiale cipher revealed them to have been either spies within Freemasonry, or Freemasons who'd formed another secret society to record and safeguard Mason rituals in the face of persecution from the Catholic church. I was particularly intrigued by the parallels Shachtman draws between members of secret societies and contemporary online secret groups, both using cryptography to guard their freethought from intolerant state snooping.

<blockquote>
<p>
Hundreds of thousands of Europeans belonged to secret societies in the 18th century, Önnerfors explained to Megyesi; in Sweden alone, there were more than a hundred orders. Though they were clandestine, they were often remarkably inclusive. Many welcomed noblemen and merchants alike—a rare egalitarian practice in an era of strict social hierarchies. That made the orders dangerous to the state. They also frequently didn’t care about their adherents’ Christian denomination, making these orders—especially the biggest of them, Freemasonry—an implicit threat to the authority of the Catholic Church. In 1738 Pope Clement XII forbade all Catholics from joining a Masonic lodge. Others implied that the male-only groups might be hotbeds of sodomy. Not long after, rumors started that members of these orders actually worshipped the devil.
<p>
These societies were the incubators of democracy, modern science, and ecumenical religion. They elected their own leaders and drew up constitutions to govern their operations. It wasn’t an accident that Voltaire, George Washington, and Ben Franklin were all active members. And just like today’s networked radicals, much of their power was wrapped up in their ability to stay anonymous and keep their communications secret.
<p>
After reading the Oculists’ cipher, Önnerfors suggested that it described one of the more extreme groups. Forget the implicit threats to the state or church. In part of the Copiale, there’s explicit talk about slaying the tyrannical “three-headed monster” who “deprive[s] man of his natural freedom.” There’s even a call for a “general revolt.” Remember, Önnerfors told the code-breakers, this book was written in the 1740s—30 years before the Declaration of Independence. “To someone at the time,” he added, “this would be like reading a manifesto from a terrorist organization.”
</blockquote>

<P>
<a href="http://www.wired.com/dangerroom/2012/11/ff-the-manuscript/all/">They Cracked This 250-Year-Old Code, and Found a Secret Society Inside</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/11/23/breaking-a-18th-c-cipher-revea.html/feed</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>What do we do about untrustworthy Certificate&#160;Authorities?</title>
		<link>http://boingboing.net/2012/11/17/what-do-we-do-about-untrustwor.html</link>
		<comments>http://boingboing.net/2012/11/17/what-do-we-do-about-untrustwor.html#comments</comments>
		<pubDate>Sat, 17 Nov 2012 23:40:27 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[corruption]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=194795</guid>
		<description><![CDATA[OpenSSL maintainer and Google cryptographer Ben Laurie and I collaborated on an article for Nature magazine on technical systems for finding untrustworthy Certificate Authorities. We focused on Certificate Transparency, the solution that will shortly be integrated into Chrome, and also discuss Sovereign Keys, a related proposal from the Electronic Frontier Foundation. Both make clever use [...]]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://craphound.com/images/ctpaper.jpg" class="bordered"><br />
OpenSSL maintainer and Google cryptographer Ben Laurie and I collaborated on an article for <em>Nature</em> magazine on technical systems for finding untrustworthy Certificate Authorities. We focused on <a href="http://www.certificate-transparency.org/">Certificate Transparency</a>, the solution that will shortly be integrated into Chrome, and also discuss <a href="https://www.eff.org/sovereign-keys">Sovereign Keys</a>, a related proposal from the Electronic Frontier Foundation. Both make clever use of cryptographic hashes, arranged in <a href="http://en.wikipedia.org/wiki/Merkle_tree">Merkle trees</a>, to produce "untrusted, provable logs."

<blockquote>
<p>
In 2011, a fake Adobe Flash updater was discovered on the Internet. To any user it looked authentic. The software’s cryptographic certificates, which securely verify the authenticity and integrity of Internet connections, bore an authorized signature. Internet users who thought they were applying a legitimate patch unwittingly turned their computers into spies. An unknown master had access to all of their data. The keys used to sign the certificates had been stolen from a ‘certificate authority’ (CA), a trusted body (in this case, the Malaysian Agricultural Research and Development Institute) whose encrypted signature on a website or piece of software tells a browser program that the destination is bona fide. Until the breach was found and the certificate revoked, the keys could be used to impersonate virtually any site on the Internet.

</blockquote>

<p>
<a href="http://www.nature.com/nature/journal/v491/n7424/pdf/491325a.pdf">Secure the Internet (PDF)</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/11/17/what-do-we-do-about-untrustwor.html/feed</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>EFF delivers easy full-disk encryption for&#160;Ubuntu</title>
		<link>http://boingboing.net/2012/11/09/eff-delivers-easy-full-disk-en.html</link>
		<comments>http://boingboing.net/2012/11/09/eff-delivers-easy-full-disk-en.html#comments</comments>
		<pubDate>Fri, 09 Nov 2012 13:57:00 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[eff]]></category>
		<category><![CDATA[floss]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ubuntu]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=193042</guid>
		<description><![CDATA[Douglas sez, 18 months ago Boing Boing posted about EFF's effort to get Ubuntu to make full disk encryption (FDE) easy upon install. EFF has delivered. I'm sure many of us have had and continue to have the experience of trying to nudge someone (or ourselves) over from OS X or Windows to GNU/Linux and [...]]]></description>
			<content:encoded><![CDATA[
<p>
Douglas sez,

<blockquote>
<p>
18 months ago <a href="http://boingboing.net/2011/05/06/eff-vote-for-easy-fu.html">Boing Boing posted</a> about EFF's effort to get Ubuntu to make full disk encryption (FDE) easy upon install. <a href="https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption ">EFF has delivered.</a>
<p>
I'm sure many of us have had and continue to have the experience of trying to nudge someone (or ourselves) over from OS X or Windows to GNU/Linux and LUKS full disk encryption, but the process got roadblocked at some point because using the alternate installer to config the partitions and all for FDE was just too much of a hassle for parties involved. Now in Ubuntu 12.10, FDE is just a tickbox in the default installer. How cool is that?
<p>
This means it's <a href="https://supporters.eff.org/donate">a good time to donate to EFF</a>. And if you're using Ubuntu 12.10, don't forget to <a href="https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks">fix the privacy problems</a> for which EFF provides a tutorial (thanks again!).
</blockquote>
<p>
(<i>Thanks, <a href="http://www.douglaslucas.com/">Doug</a>!</i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/11/09/eff-delivers-easy-full-disk-en.html/feed</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Crypto 101: free Stanford course&#160;online</title>
		<link>http://boingboing.net/2012/11/06/crypto-101-free-stanford-cour.html</link>
		<comments>http://boingboing.net/2012/11/06/crypto-101-free-stanford-cour.html#comments</comments>
		<pubDate>Wed, 07 Nov 2012 00:00:58 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Video]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[maths]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[videos]]></category>
		<category><![CDATA[youtube]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=192394</guid>
		<description><![CDATA[Stanford's Dan Boneh is offering a free Cryptography course through Coursera.]]></description>
			<content:encoded><![CDATA[
<!--www.youtube.com--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/QVL1gjS20XU?fs=1&#038;showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>
Stanford's Dan Boneh is offering a free Cryptography course through Coursera. It has a 5-7 hour/week workload, and runs for six weeks. It's just started.

<blockquote>
<p>
Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.
</blockquote>

<P>
<a href="https://www.coursera.org/course/crypto">Cryptography I</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/11/06/crypto-101-free-stanford-cour.html/feed</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>CryptoParty: like a Tupperware party for learning&#160;crypto</title>
		<link>http://boingboing.net/2012/10/12/cryptoparty-like-a-tupperware.html</link>
		<comments>http://boingboing.net/2012/10/12/cryptoparty-like-a-tupperware.html#comments</comments>
		<pubDate>Fri, 12 Oct 2012 17:00:54 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[lawful interception]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[snoopers charter]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=187014</guid>
		<description><![CDATA[CryptoParty is a global movement for people who want to teach their neighbors how to use cryptography to protect themselves from snoopers, especially broad government surveillance. It was kicked off by @Asher_Wolf in response to the broad, sweeping Australian Internet surveillance bill, and involves throwing parties where folks who know how to use disk encryption, [...]]]></description>
			<content:encoded><![CDATA[<p>
CryptoParty is a global movement for people who want to teach their neighbors how to use cryptography to protect themselves from snoopers, especially broad government surveillance. It was kicked off by <a href="http://twitter.com/Asher_Wolf">@Asher_Wolf</a> in response to the broad, sweeping Australian Internet surveillance bill, and involves throwing parties where folks who know how to use disk encryption, email encryption, and similar projects teach their neighbors to use it too. 
<p>
There's <a href="https://cryptoparty.org/wiki/CryptoPartyHandbook">a crowdsourced book</a> -- "The CryptoParty Handbook," 400+ pages written in less than 24 hours by activists all over the world -- and other instructional materials to help you get started.

<blockquote>
<p>
<img src="http://craphound.com/images/crypto2.png" align="right">
What is CryptoParty? Interested parties with computers, devices, and the desire to learn to use the most basic crypto programs and the fundamental concepts of their operation! CryptoParties are free to attend, public, and are commercially non-aligned.
</blockquote>


<p>
<a href="https://cryptoparty.org/wiki/CryptoParty">CryptoParty</a>

(<i>via <a href="http://www.techdirt.com/">Techdirt</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/10/12/cryptoparty-like-a-tupperware.html/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere&#160;$20</title>
		<link>http://boingboing.net/2012/09/24/exhaust-all-of-des-and-crack-a.html</link>
		<comments>http://boingboing.net/2012/09/24/exhaust-all-of-des-and-crack-a.html#comments</comments>
		<pubDate>Mon, 24 Sep 2012 23:31:03 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[moore's law]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=182994</guid>
		<description><![CDATA[Moxie Marlinspike and David Hulton's Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate presentation from Defcon is now a reality. If you want to crack a MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for [...]]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://craphound.com/images/logotype-blog.png.jpg"><br />
Moxie Marlinspike and David Hulton's <a href="https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/"> Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate </a> presentation from Defcon is now a reality. If you want to crack a  MS-CHAPv2 PPTP authentication handshake (like the one I use when I connect to IPREDator, the secure proxy I favor), they'll exhaust all of the DES keyspace for you for a mere $20, usually in less than a day. 
<p>
Basically, MS-CHAPv2-based VPNs should now be considered insecure and not fit for purpose. Plus Moxie and David can brute force all of DES for $20. Yowza.

<blockquote>
<p>
 A Week Of Discounted Cracking
<p>
For this week (9/23/2012), we will be offering deeply discounted MS-CHAPv2 cracking jobs by reducing the price from $200 to $20. This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.
<p>
The one major caveat is that an influx of additional jobs might increase the pending queue depth and cause MS-CHAPv2 jobs to take slightly longer than usual, but we'll see how it goes.
</blockquote>


<p>
<a href="https://www.cloudcracker.com/blog/2012/09/24/chap-v2-discounted/"> Cheaper MS-CHAPv2 Cracking </a>

(<i>via <a href="http://news.ycombinator.org/">Hacker News</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/09/24/exhaust-all-of-des-and-crack-a.html/feed</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Wikipedia will encrypt to fight UK&#160;spying</title>
		<link>http://boingboing.net/2012/09/06/wikipedia-will-encrypt-to-figh.html</link>
		<comments>http://boingboing.net/2012/09/06/wikipedia-will-encrypt-to-figh.html#comments</comments>
		<pubDate>Fri, 07 Sep 2012 01:21:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[surveillance]]></category>
		<category><![CDATA[uk]]></category>
		<category><![CDATA[wikipedia]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=179677</guid>
		<description><![CDATA[Jimmy Wales says that he'll configure Wikipedia to encrypt all user traffic to undermine the UK government's "Snooper's Charter," which will institute bulk, warrantless Internet spying on the whole nation. (via /.)]]></description>
			<content:encoded><![CDATA[

Jimmy Wales <a href="http://www.techweekeurope.co.uk/news/jimmy-wales-snoopers-charter-communications-bill-91653">says that he'll configure Wikipedia to encrypt all user traffic</a> to undermine the UK government's "Snooper's Charter," which will institute bulk, warrantless Internet spying on the whole nation. (<i>via <a href="http://slashdot.org">/.</a></i>)]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/09/06/wikipedia-will-encrypt-to-figh.html/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Password cracking goes into&#160;hyperdrive</title>
		<link>http://boingboing.net/2012/08/21/password-cracking-goes-into-hy.html</link>
		<comments>http://boingboing.net/2012/08/21/password-cracking-goes-into-hy.html#comments</comments>
		<pubDate>Tue, 21 Aug 2012 13:11:34 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=177348</guid>
		<description><![CDATA[Dan Goodin's Ars piece on the state of password security is a must-read overview of the way that the password cracking landscape has changed in surprising ways. It's not just that computers have gotten faster -- it's the confluence of several factors, including: more sites that require passwords, which encourages password re-use; sites that use [...]]]></description>
			<content:encoded><![CDATA[
<p>
Dan Goodin's <em>Ars</em> piece on the state of password security is a must-read overview of the way that the password cracking landscape has changed in surprising ways. It's not just that computers have gotten faster -- it's the confluence of several factors, including: more sites that require passwords, which encourages password re-use; sites that use weak password hashing, unsalted hashing, or no hashing at all; and titanic dumps of real-world passwords that provide insight into how users choose their passwords. Put them all together and you get a situation like the LinkedIn dump, where 90 percent of the encrypted passwords were extracted in short order -- and where many of those passwords could be used to take over other user accounts, thanks to password re-use.

<blockquote>
<p>


The RockYou dump was a watershed moment, but it turned out to be only the start of what's become a much larger cracking phenomenon. By putting 14 million of the most common passwords into the public domain, it allowed people attacking cryptographically protected password leaks to almost instantaneously crack the weakest passwords. That made it possible to devote more resources to cracking the stronger ones.
<p>
Within days of the Gawker breach, for instance, a large percentage of the password hashes had been converted to plaintext, a feat that gave crackers an even larger corpus of real-world passwords to inform future attacks. That collective body of passwords has only snowballed since then, and it grows ever larger with each passing breach. Just six days after the leak of 6.5 million LinkedIn password hashes in June, more than 90 percent of them were cracked. In the past year alone, Redman said, more than 100 million passwords have been published online, either in plaintext or in ciphertext that can be readily cracked.
<p>
"Now, it's like once a quarter you get another RockYou," Redman said.
<p>


In the RockYou aftermath, everything changed. Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols—including everything from pet names to cartoon characters—that would seed future password attacks.
<p>
"So it's no longer this theoretical word list of Klingon planets and stuff like that," Redman said of the RockYou list. "It's literally 'dragon' and 'princess' and stuff like that, and [the list] may crack 60 percent of a newly compromised website. Now you have 60 percent of the work done and you haven't done any thinking at all. You've just used your previous knowledge."
</blockquote>
<p>
I wrote a novella about where all this stuff ends up, called <a href="http://uk.tomorrow-projects.com/2012/02/novella-knights-of-the-rainbow-table/">Knights of the Rainbow Table</a>, for Intel's <em>Tomorrow Project</em>. I don't believe sf writers predict the future, but I sure feel like that one predicted the present.

<p>
<a href="http://arstechnica.com/security/2012/08/passwords-under-assault/">Why passwords have never been weaker—and crackers have never been stronger</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/08/21/password-cracking-goes-into-hy.html/feed</wfw:commentRss>
		<slash:comments>22</slash:comments>
		</item>
		<item>
		<title>How do we make web stuff that&#039;s secure enough for human rights&#160;workers?</title>
		<link>http://boingboing.net/2012/08/10/how-do-we-make-web-stuff-that.html</link>
		<comments>http://boingboing.net/2012/08/10/how-do-we-make-web-stuff-that.html#comments</comments>
		<pubDate>Fri, 10 Aug 2012 16:06:13 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=175860</guid>
		<description><![CDATA[Patrick Ball sez, "Lots of people in the world depend on electronic security. That means it has to be seriously strong, and I have been worrying that lots of folks -- esp media folks -- are eager for easy-to-use shortcuts, even if those shortcuts aren't actually secure. CryptoCat is one such shortcut, as was Hushmail, [...]]]></description>
			<content:encoded><![CDATA[
<p>
Patrick Ball sez, "Lots of people in the world depend on electronic security. That means it has to be seriously strong, and I have been worrying that lots of folks -- esp media folks -- are eager for easy-to-use shortcuts, even if those shortcuts aren't actually secure. CryptoCat is one such shortcut, as was Hushmail, and I believe neither are adequate for the hard case of protecting human rights information. There are solid security solutions, though we have a long way to go to improve user interfaces and overall user experience."


<blockquote>
<p>


Any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host (there’s new research on this called “host-proof hosting,” but it’s a long way from being ready to use in real applications). That means that if the host attacks you, or they fail to protect themselves, your encrypted data will be available to them. Remember that the host might attack you because someone evil has taken control of the host. If you are the hypothetical dissident in the Middle East, your government might contract a hacker to break into the CryptoCat server, Hushmail, or other host-based server, and thereby get access to all your data. Or they could bribe an employee at a host-based service. Again: in host-based security, all your security rests on your personal trust for the people at the host, and their ability to protect the server. There’s no real security in a technical sense.
<p>
This means that Hushmail is no more secure than any other email service, like Gmail. In fact, Gmail might be more secure than Hushmail, if we think that Gmail has better personnel screening and more skillful engineers protecting their servers against malicious attacks than Hushmail does (many experts do believe this). By the same logic, CryptoCat is no more secure than Yahoo chat.
<p>
At Benetech, we’ve been working with human rights data for over twenty years, and providing secure software for ten. Martus has been downloaded by users in more than 100 countries. We’ve learned that, unfortunately, security is hard, and people who tell you that it’s easy or that there are shortcuts are probably fooling you — and maybe themselves. Our best efforts have all come from building security into the applications we already want to use, like Martus, which has security built into a database. For both email and chat, there are real security solutions (GPG and Pidgin/OTR). They’re a little harder to use, but their security is real.
</blockquote>


<p>
<a href="http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/">When It Comes to Human Rights, There Are No Online Security Shortcuts</a>

(<i>Thanks, Patrick!</i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/08/10/how-do-we-make-web-stuff-that.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Crack the crypto in Agrippa, win every William Gibson book ever&#160;published</title>
		<link>http://boingboing.net/2012/07/10/crack-the-crypto-in-agripp.html</link>
		<comments>http://boingboing.net/2012/07/10/crack-the-crypto-in-agripp.html#comments</comments>
		<pubDate>Wed, 11 Jul 2012 04:23:46 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[art]]></category>
		<category><![CDATA[contest]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[science fiction]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=170560</guid>
		<description><![CDATA[Quinn DuPont writes in with "A cracking challenge to cryptanalyse a William Gibson poem ('Agrippa', written in 1992). The winner will receive a copy of every William Gibson book published. Project is academic (non-commercial)." Gibson's poem is a beautiful work, and it came on a floppy disk that erased itself after displaying the poem's text [...]]]></description>
			<content:encoded><![CDATA[
<p>
Quinn DuPont writes in with "A cracking challenge to cryptanalyse a William Gibson poem ('Agrippa', written in 1992). The winner will receive a copy of every William Gibson book published. Project is academic (non-commercial)."
<p>
Gibson's poem is a beautiful work, and it came on a floppy disk that erased itself after displaying the poem's text a single time. Of course, it was cracked almost immediately (c.f. all DRM, ever) but that wasn't really the point. The challenge site includes a System 7 emulator, an image of the floppy, some of the source code for the app (which was apparently written in Lisp?!), and more.

<p>
<blockquote>
<p>
<img src="http://craphound.com/images/tumblr_krkuj4pAQY1qznt2yo1_500.jpg" class="bordered" align="right">
Based on the pioneering work of Alan Liu and his team at The Agrippa Files, working in collaboration with Matthew Kirschenbaum at the Maryland Institute for Technology in the Humanities and the Digital Forensics Lab, a bit-for-bit copy of this application has been recovered, along with numerous archival documents.
<p>
The first person to successfully crack the code will win a copy of every William Gibson book ever published (except Agrippa). Every runner-up will have their name (if provided) posted on this website. To win you must submit a technical description of your cryptanalysis below, under Creative Commons usage rights (the results of which will be used to further research on Agrippa). The technical description should explain what kind of encryption is used (if any), how it functions, and how it was reversed or cracked (and what the key is, if there is one). Should there be no encryption at all (a possibility), or should the application merely “scramble” or “destroy” the data, this must be technically demonstrated or proved. Since the plain text is known, the cryptanalysis is purely for fun and academic curiosity, and thus the description should provide technical details.

</blockquote>

<p>
<a href="http://www.crackingagrippa.net/">Cracking the Agrippa Code</a>

(<i>Thanks, <a href="http://www.iqdupont.com/">Quinn</a>!</i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/07/10/crack-the-crypto-in-agripp.html/feed</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>HOWTO think like Alan&#160;Turing</title>
		<link>http://boingboing.net/2012/06/18/howto-think-like-alan-turing.html</link>
		<comments>http://boingboing.net/2012/06/18/howto-think-like-alan-turing.html#comments</comments>
		<pubDate>Mon, 18 Jun 2012 15:01:23 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[lgbt]]></category>
		<category><![CDATA[math]]></category>
		<category><![CDATA[uk]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=166688</guid>
		<description><![CDATA[In early celebration of the Turing centenary this week, Ars Technica's Matthew Lasar has a lovely list of seven of Alan Turing's habits of thought, including this one: Be Playful. There was something about Turing that made his friends and family want to compose rhymes. His proud father openly admitted that he hadn't the vaguest [...]]]></description>
			<content:encoded><![CDATA[
<p>
In early celebration of the Turing centenary this week, <em>Ars Technica</em>'s Matthew Lasar has a lovely list of seven of Alan Turing's habits of thought, including this one: Be Playful.

<blockquote>
<p>
<img src="http://craphound.com/images/youngturing.png.jpg" class="bordered" align="right">

There was something about Turing that made his friends and family want to compose rhymes. His proud father openly admitted that he hadn't the vaguest idea what his son's mathematical inquiries were about, but it was all good anyway. "I don't know what the 'ell 'e meant / But that is what 'e said 'e meant," John wrote to Alan, who took delight in reading the couplet to friends.
<p>
His fellow students sang songs about him at the dinner table: "The maths brain lies often awake in his bed / Doing logs to ten places and trig in his head."
<p>
His gym class colleagues even sang his praises as a linesman: "Turing's fond of the football field / For geometric problems the touch-lines yield."
<p>
Turing's favorite physical activity, however, was running, especially the long-distance variety. "He would amaze his colleagues by running to scientific meetings," Hodges writes, "beating the travelers by public transport." He even came close to a shot at the 1948 Olympic Games, a bid cut short by an injury.
</blockquote>

<p>
<a href="http://arstechnica.com/tech-policy/2012/06/the-seven-highly-productive-habits-of-alan-turing/">The highly productive habits of Alan Turing</a>

<p>
(<i>Image: <a href="http://www.sherborne.org/Turing">Alan Turing in 1927</a>, Sherborne school archives</i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/06/18/howto-think-like-alan-turing.html/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>HOWTO securely hash&#160;passwords</title>
		<link>http://boingboing.net/2012/06/11/howto-securely-hash-passwords.html</link>
		<comments>http://boingboing.net/2012/06/11/howto-securely-hash-passwords.html#comments</comments>
		<pubDate>Mon, 11 Jun 2012 22:00:25 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[computer science]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=165762</guid>
		<description><![CDATA[In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow [...]]]></description>
			<content:encoded><![CDATA[

<p>
In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt -- you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.

<blockquote>
<p>
Ptacek:  The difference between a cryptographic hash and a password storage hash is that a cryptographic hash is designed to be very, very fast. And it has to be because it’s designed to be used in things like IP-sec.  On a packet-by-packet basis, every time a packet hits an Ethernet card, these are things that have to run fast enough to add no discernible latencies to traffic going through Internet routers and things like that. And so the core design goal for cryptographic hashes is to make them lightning fast.
<p>
Well, that’s the opposite of what you want with a password hash. You want a password hash to be very slow. The reason for that is a normal user logs in once or twice a day if that — maybe they mistype their password, and have to log in twice or whatever. But in most cases, there are very few interactions the normal user has with a web site with a password hash. Very little of the overhead in running a Web application comes from your password hashing. But if you think about what an attacker has to do, they have a file full of hashes, and they have to try zillions of password combinations against every one of those hashes. For them, if you make a password hash take longer, that’s murder on them.
<p>
So, if you use a modern password hash — even if you are hardware accelerated, even if you designed your own circuits to do password hashing, there are modern, secure password hashes that would take hundreds or thousands of years to test passwords on.
</blockquote>
<p>

The problem is that you really need to make this design decision from the start -- it's hard to retrofit once you've got millions of users.
<p>
<a href="https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">How Companies Can Beef Up Password Security</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/06/11/howto-securely-hash-passwords.html/feed</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>HOWTO make a papercraft Enigma&#160;machine</title>
		<link>http://boingboing.net/2012/06/01/howto-make-a-papercraft-enigma.html</link>
		<comments>http://boingboing.net/2012/06/01/howto-make-a-papercraft-enigma.html#comments</comments>
		<pubDate>Sat, 02 Jun 2012 03:00:35 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Gadgets]]></category>
		<category><![CDATA[makers]]></category>
		<category><![CDATA[papercraft]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=164328</guid>
		<description><![CDATA[Franklin Heath, a UK security consultancy, offers plans for printing and assembling your own papercraft Enigma machine, approximately like the ones that Alan Turing and the Polish cryptographers and co broke at Bletchley Park. Now all we need are papercraft bombes, and a papercraft Colossus, and several thousand papercraft young women to work on code [...]]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://craphound.com/images/PaperEnigmaAssembled.jpg" class="bordered"><br />
Franklin Heath, a UK security consultancy, offers plans for printing and assembling your own papercraft Enigma machine, approximately like the ones that Alan Turing and the Polish cryptographers and co broke at Bletchley Park. Now all we need are papercraft bombes, and a papercraft Colossus, and several thousand papercraft young women to work on code intercepts through the night...


<p>
The instructions note: "Using low-tack 'removable' sticky tape can make it easier to swap round and reuse the rotors if you want to do that, but it's not essential."
<p>
If you seriously want to explore paper computing, a good followup project is the legendary <a href="https://en.wikipedia.org/wiki/CARDboard_Illustrative_Aid_to_Computation">CARDiac</a> computer.
<p>
<a href="http://wiki.franklinheath.co.uk/index.php/Enigma/Paper_Enigma">Enigma/Paper Enigma</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/06/01/howto-make-a-papercraft-enigma.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Security researcher: I found secret reprogramming backdoors in Chinese&#160;microprocessors</title>
		<link>http://boingboing.net/2012/05/28/security-researcher-i-found-s.html</link>
		<comments>http://boingboing.net/2012/05/28/security-researcher-i-found-s.html#comments</comments>
		<pubDate>Mon, 28 May 2012 12:58:37 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[fpga]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tcp]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=163366</guid>
		<description><![CDATA[Sergei Skorobogatov, a postdoc in the Security Group at the Computer Laboratory of the University of Cambridge has written up claims that reprogrammable microchips from China contained secret back-doors that can be used to covertly insert code: Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips [...]]]></description>
			<content:encoded><![CDATA[
<p>
Sergei Skorobogatov, a postdoc in the Security Group at the Computer Laboratory of the University of Cambridge, has written up claims that reprogrammable microchips from China contained secret back-doors that can be used to covertly insert code:

<blockquote>
<p>
Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
<p>
Key features of our technology:
<p>
* scans silicon/hardware for backdoors, Trojans and unexpected behaviour<br />
* low cost<br />
* very fast result turnaround time<br />
* high portability<br />
* adaptable - scale up to include many types of chip
<p>
Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.
<p>
Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat. 
</blockquote>

<p>
This block of text is undated, though it appears on a page whose last-modified date is reported as 14-05-2012. I couldn't find any further information on which chips were affected or the methodology used to discover the backdoors. 


<p>
<a href="https://www.cl.cam.ac.uk/~sps32/sec_news.html#Assurance">Hardware Assurance and its importance to National Security</a>

(<i>via <a href="http://metafilter.com">MeFi</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/05/28/security-researcher-i-found-s.html/feed</wfw:commentRss>
		<slash:comments>99</slash:comments>
		</item>
		<item>
		<title>Alan Turing&#039;s&#160;obituaries</title>
		<link>http://boingboing.net/2012/04/25/alan-turings-obituaries.html</link>
		<comments>http://boingboing.net/2012/04/25/alan-turings-obituaries.html#comments</comments>
		<pubDate>Thu, 26 Apr 2012 04:13:44 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[computer science]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[gblt]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[obits]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=156732</guid>
		<description><![CDATA[David Stutz has posted a small collection of obituaries for Alan Turing after he was hounded to suicide as a punishment for being gay. Here's my favorite: “For those who knew him here [at Sherborne] the memory is of an even-tempered, lovable character with an impish sense of humour and a modesty proof against all [...]]]></description>
			<content:encoded><![CDATA[
<p>
David Stutz has posted a small collection of obituaries for Alan Turing after he was hounded to suicide as a punishment for being gay. Here's my favorite:

<blockquote>
<p>
“For those who knew him here [at Sherborne] the memory is of an even-tempered, lovable character with an impish sense of humour and a modesty proof against all achievement. You would not take him for a Wrangler, the youngest Fellow of King’s and the youngest F.R.S. [Fellow of the Royal Society], or as a Marathon runner, or that behind a negligé appearance he was intensely practical. Rather you recollected him as one who buttered his porridge, brewed scientific concoctions in his study, suspended a weighted string from the staircase wall and set it swinging before Chapel to demonstrate the rotation of the Earth by its change of direction by noon, produced proofs of the postulates of Euclid, or brought bottles of imprisoned flies to study their “decadence” by inbreeding. On holidays in Cornwall or Sark he was a lively companion even to the extent of mixed bathing at midnight. During the war he was engaged in breaking down enemy codes, and had under him a regiment of girls, supervised to his amusement by a dragon of a female. His work was hush-hush, not to be divulged even to his mother. For it he was awarded the O.B.E. He also adopted a young Jewish refugee and saw him through his education. Besides long distance running, his hobbies were gardening and chess; and occasionally realistic water-colour painting.
<p>
In all his preoccupation with logic, mathematics, and science he never lost the common touch; in a short life he accomplished much, and to the roll of great names in the history of his particular studies added his own.” — The Sherbornian, Summer Term 1954
</blockquote>

<p>
<a href="http://synthesist.net/music/2012/04/obituary-quotations/">obituary quotations</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/04/25/alan-turings-obituaries.html/feed</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>AnonPaste: anything-goes, zero-knowledge version of PasteBin, hosted by some&#160;Anons</title>
		<link>http://boingboing.net/2012/04/20/anonpaste-anything-goes-zero.html</link>
		<comments>http://boingboing.net/2012/04/20/anonpaste-anything-goes-zero.html#comments</comments>
		<pubDate>Fri, 20 Apr 2012 21:00:33 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[anon]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[free speech]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=155738</guid>
		<description><![CDATA[Jeroen Vader, the owner of PasteBin (a service that provides a simple way to share blobs of text, originally popular for sharing code-fragments and error messages, now also very popular as an anonymous repository for leaked documents and manifestos, especially those affiliated with Anonymous) has revealed that he sometimes shares his server logs with law [...]]]></description>
			<content:encoded><![CDATA[
<p>
Jeroen Vader, the owner of PasteBin (a service that provides a simple way to share blobs of text, originally popular for sharing code-fragments and error messages, now also very popular as an anonymous repository for leaked documents and manifestos, especially those affiliated with Anonymous) has revealed that he sometimes shares his server logs with law enforcement agencies, and sometimes censors the material posted by Pastebin's users. People acting under the Anonymous banner and the <a href="http://www.peoplesliberationfront.net/">People's Liberation Front</a> have responded by creating a PasteBin clone called <a href="http://www.anonpaste.tk/">AnonPaste</a>, running a free/open zero-knowledge PasteBin implementation called <a href="http://sebsauvage.net/wiki/doku.php?id=php:zerobin">ZeroBin</a>. AnonPaste's administrators claim that they will not censor or cooperate with law-enforcement, though as far as I can tell, there is no facility in ZeroBin for auditing the admins' adherence to these promises (that is, they could be censor-happy snitches and it wouldn't be easy to learn this fact or prove it to third parties). ZeroBin does have a facility for encrypting the data between the browser and ZeroBin, which means that to the extent that ZeroBin is free from defects, and the hosts of a ZeroBin instance have not added malicious (or incompetent) modifications, ZeroBin's administrators can't know what content is being hosted there. 
<p>
AnonPaste's admins expressed their intentions <a href="http://www.peoplesliberationfront.net/anonpaste/index.php?0bb850fa017e85f1#SRccDhThvKyQ5+o4Sm3xineTXfDReG76Q01x2yaWik0=">in a press-release</a> posted to their own service (of course!):

<blockquote>
<p>
<img src="http://craphound.com/images/anonpaste.png" class="bordered" align="right">
And so the PLF and Anonymous have teamed up to offer a paste service truly free of all such nonsense. Here is a brief list of some of the features of AnonPaste:
<br>
1) No connection logs, period.
<br>
2) All pastes are encrypted BY THE BROWSER using 256 bit AES encryption. This means there is no usable paste data stored on the server for the authorities or anyone else to seize.
<br>
3) No moderation or censorship. Because the data on our servers is unreadable by us (or anyone), the responsibility for the legality or appropriateness of any paste is the sole responsibility of the person posting. So there will be no need for us to police this service, and in fact we don't even have the ability of deleting any particular paste.
<br>
4) No advertisements. This service will be totally user supported through donations. Links for this are available on the web site.
<p>
Paste services have become very popular, and many people want to post controversial material. This is especially so for those involved in Information Activism. We feel that it is essential that everyone, and especially those in the movement - have a safe and secure paste service that they can trust with their valuable and often politically sensitive material. As always, we believe in the radical notion that information should be free.
<p>
SIGNED -- Anonymous and the Staff of the Peoples Liberation Front
<br clear="all">
</blockquote>
<p>
Megan Geuss of Ars Technica has more detail:

<blockquote>
<p>
Indeed, without the possibility of deleting information, authorities might argue the site poses a threat to personal privacy and institutional operations. Vader told Ars, "Here at Pastebin.com we think freedom of speech is very important, but we do think there should be some form of content moderation, because people do abuse paste websites, and if there is really no delete option, this could cause major harm." He added that yesterday his site released a "My Alerts" feature, which allows people to track names or keywords on Pastebin, so if illegal information shows up they can submit a takedown request to Pastebin in a timely manner.
<p>
And InfoWeek notes that ZeroBin has not been stress-tested against the kinds of DDOS and other attacks that might threaten AnonPaste's operation and philosophy of anonymity. As of this afternoon, access to AnonPaste has been on-and-off, suggesting there are still many hurdles for the endeavor to function at all. 
</blockquote>

<p>
<a href="http://arstechnica.com/open-source/news/2012/04/anonymous-builds-its-own-pastebin-like-site.ars?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rss">Anonymous builds its own Pastebin-like site</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2012/04/20/anonpaste-anything-goes-zero.html/feed</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
	</channel>
</rss>
