Submit a link Features Reviews Podcasts Video Forums More ▾

Deriving cryptographic keys by listening to CPUs' "coil whine"

In RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis [PDF], a paper by Daniel Genkin and Eran Tromer of Tel Aviv University and Adi Shamir, the authors show that a sensitive microphone (such as the one in a compromised mobile phone) can be used to infer a secret cryptographic key being used by a nearby computer. The computer's processor emits different quiet sounds ("coil whine...caused by voltage regulation circuits") as it performs cryptographic operations, and these sounds, properly analyzed, can reveal the key.

It's a pretty stunning attack, the sort of thing that sounds like science fiction. But the researchers are unimpeachable (Shamir is the "S" in RSA), and their paper is very clear.

Read the rest

GNU Privacy Guard crowdfunding for new infrastructure

GNU Privacy Guard (GPG) is the free/open version of Pretty Good Privacy (PGP), the gold standard in secure email and other kinds of eavesdropping-proof, authenticated, private storage and communication. The GPG project relies on donations and voluntary subscriptions to keep up-to-date and support new platforms. They're running a crowdfunding campaign that's shooting for €24,000, which they'll spend on rolling out an all-new site (with Tor access!), as well as GPG 2.1, tutorials, subscription management, material for people throwing Cryptoparties (security-training events) and many other laudable goals. I rely on GPG every day, so I've put in €100. I hope you'll give, too.

Read the rest

FreeBSD won't use Intel & Via's hardware random number generators, believes NSA has compromised them

The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer rely on the random number generators in Intel and Via's chips, on the grounds that the NSA likely has weakened these opaque hardware systems in order to ease surveillance. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, wherein the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks.

Read the rest

Cyanogenmod adds encrypted SMS from WhisperSystems

The latest (unstable) build of Cyanogenmod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, which was created by Open WhisperSystems. Open WhisperSystems's chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the Cyanogenmod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to be integrated with whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over the normally insecure SMS. It requires that both parties be using TextSecure, of course -- if you send a TextSecure message to someone without secure messaging, the message will fall back to unencrypted text.

Read the rest

$147M Bitcoin transaction

A Bitcoin address with a history of large transactions just conducted a transfer worth $147M, more or less.

Bletchley Park's archives being digitised

The archives of Bletchley Park are being digitised for online use, bringing to life the records of the legendary codebreaking effort whereby Alan Turing and colleagues invented modern computing, modern crypto, and took years off the war, saving millions of lives. HP underwrote the effort, which aims "to put everything into the public domain."

Read the rest

NIST trying to win back crypto-cred after NSA sabotage

The National Institution for Standards and Technology is one of the key players in setting standards for cryptography. Following the Snowden-leaked revelation that its standards-setting efforts had been infiltrated and sabotaged by the NSA, it is embarking on a charm-offensive to lure cryptographers back into its processes. It's reassessing all of its standards, and then conducting a public consultation on its conclusions. And they're having independent auditors to look at their process.

Read the rest

HOWTO protect yourself from Internet surveillance, EFF edition

The Electronic Frontier Foundation's Danny O'Brien has ten important suggestions for things you can do right now to minimize the extent to which you are surveilled on the Internet. The most important one for me is number ten:

Read the rest

How NSA-proof is your VPN?

In an excellent Torrentfreak feature, representatives from several prominent privacy-oriented VPN provider explain whether, and to what extent, their services are safe from NSA spying. They cover the state of crypto, the structure of their companies, and the jurisdictional and legal questions they've resolved since the news broke that Lavabit shut down because it was ordered to redesign its service to make snooping possible.

Read the rest

Rebutting Apple's claim of Imessage security: Apple can too spy on users

Ios jailbreaker and security researcher Cyril Cattiaux presented his work on Apple's Imessage software at the Hack in the Box conference in Kuala Lumpur. Apple had previously stated that its messaging software was resistant to Prism-style surveillance because of its secure key-handling, through which the company itself could not see what its users were saying. Cattiaux called this "basically lies" and showed that there was scope for undetectably swapping out keys, allowing the company (or anyone it cooperates with) to spy on users. Cattiaux worked with other researchers, including Moxie Marlinspike, and showed that there were ways of designing Imessage such that users could detect key-substitutions and other attacks on the integrity of their messages, but that Apple had chosen to implement their system in a less secure way.

Read the rest

Silk Road prosecution: how does the US criminal justice system actually work?

Popehat's Ken White (a former federal prosecutor) uses the arrest of alleged Silk Road founder Ross "Dread Pirate Roberts" Ulbricht to explain how the criminal justice system works, including the difference between a grand jury indictment and a criminal charge, and how to understand sentencing guidelines and "maximum possible sentences." It's a great way to use current events to deepen your understanding of important, complicated systems.

If you enjoy that, you should also check out Ed Felten's post that contrasts the Silk Road story with the shut down of Lavabit to explore how crypto does -- and doesn't -- change the criminal justice system.

Read the rest

Bruce Schneier: how to make the world freer with the Internet

Bruce Schneier's TEDxCambridge talk "The Battle for Power on the Internet" is a fascinating analysis of how networks have magnified, in turn, the power of individuals, then companies, then governments. Importantly, it neither dismisses the Internet as insignificant in the service of fair and free societies, nor does it presume that the Internet automatically makes the world better. Rather, it offers a prescription for using the Internet to make the world better, and to resist the use of technology to confiscate liberty.

The Battle for Power on the Internet: Bruce Schneier at TEDxCambridge 2013 (Thanks, Bruce!)

EFF: the NSA has endangered us all by sabotaging security

The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.

Read the rest

Unsealed Lavabit docs show that Feds demanded SSL keys

Lavabit founder Ladar Levison speaking at the 2013 Liberty Political Action Conference (LPAC) in Chantilly, Virginia. Photo: Gage Skidmore.

Edward Snowden. Photo: The Guardian/Reuters.

Ever since Lavabit, the privacy-oriented email provider used by whistleblower Edward Snowden, shut down abruptly in August, we've been wondering what, exactly, the Feds had demanded of founder Ladar Levison. As he wrote in his cryptic note, he felt that he was facing an order that would make him "complicit in crimes against the American people" but he was legally unable to say more.

But now, thanks to unsealed records, we're able to get some insight into what the NSA and the Feds demanded of Lavabit (and, presumably, of other companies that have not shut down): first they asked him to decrypt the communications of one of their customers (almost certainly Edward Snowden). When they were told that this wasn't technically possible, they demanded that the system be modified to make it possible, and when Lavabit balked, they got a court order requiring that Lavabit turn over its SSL keys, compromising all of the company's users' communications. Funnily enough, Levison "complied" with this court-order by turning over the keys as 11 pages of 4-point type, but the court didn't go for that.

Read the rest

Celebrate Software Freedom Day by hacking on STEED, a way to make email crypto easier

Georg sez, "End to end cryptography is one of the few truly effective ways in which privacy and security can be protected. GnuPG is the central tool for this, recommended and used by security icons such as Bruce Schneier. While the software itself is easier to use than most people realize, key exchange is cumbersome. The authors of GnuPG have developed a concept that will solve this issue: STEED. So this is a call to action for tomorrow's Software Freedom Day. Help spread the word so one of the biggest obstacles to pervasive end to end cryptography will be solved for good. Let the STEED run!"

Read the rest