Submit a link Features Reviews Podcasts Video Forums More ▾

John Gilmore explains why spying for "the right reasons" is still wrong

After an NSA cryptographer took to ZDNet to defend his organization's lawless surveillance, EFF co-founder John Gilmore posted a long and thoughtful reply to the Cryptography mailing list (an absolute must-read, these days), in which he explains why the idea that spies should be able to spy on everyone, so long as they do so for the right reasons, is a bad idea. It's a high-level version of an argument a lot of us are having these days, so it's worth reading carefully. The tl;dr is "There will always be 'emergencies', always 'crises', always 'evildoers", always 'opportunities', that would be relieved 'if we could just do X that wasn't allowed until now'."

Read the rest

Kickstarting an electromechanical prime number calculator sculpture

Karl Lautman sez, "Since Boing Boing liked my domino piece, 'Ouroborus,' back in 2010, I thought you might be interested in another of my pieces: 'Primer,' a sculpture that generates prime numbers. I'll be making it in an edition of 60, assuming it funds on Kickstarter by October 9.

Read the rest

How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool


As the astonishing news that the NSA spent $250M/year on a sabotage program directed against commercial security systems spreads, more details keep emerging. A long and interesting story on Mashable includes an interview with Peter Biddle, an ex-Microsoft security engineer who worked extensively on BitLocker, a full-disk encryption tool with a good reputation that was called into question by the latest leaks. Biddle (disclosure: a friend of mine) describes how he was approached to add a backdoor to BitLocker, and how he rebuffed various government agencies.

Read the rest

This is the crypto standard that the NSA sabotaged

The New York Times has published further details of last week's leaked documents detailing the NSA's program of sabotage to crypto products and standards. The new report confirms that the standard that the NSA sabotaged was the widely-suspected NIST Dual EC DRBG standard. The Times reports that the NSA then pushed its backdoored standard through the International Organization for Standardization and the Canadian Communications Security Establishment.

NIST has re-opened the comments on its standard with the hope of rooting out the NSA sabotage to the random number generator and restoring trust in its work products.

Read the rest

NSA leaks as a demographic phenomena

Writing in the Financial Times, Bruce Schneier expands on Charlie Stross's demographic theory of US military/espionage leaks, which holds that the end of the "job-for-life" culture in the spookocracy and the corporate America from which it draws its foot soldiers means the end of the deep loyalty of spooks.

Read the rest

Firsthand account of NSA sabotage of Internet security standards


On the Cryptography mailing list, John Gilmore (co-founder of pioneering ISP The Little Garden and the Electronic Frontier Foundation; early Sun employee; cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero) describes his interactions with the NSA and several obvious NSA stooges on the IPSEC standardization working groups at the Internet Engineering Task Force. It's an anatomy of how the NSA worked to undermine and sabotage important security standards. For example, "NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating the export control laws unless they excluded all foreigners from the room (in an international standards committee!)."

Read the rest

90 percent of Tor keys can be broken by NSA: what does it mean?

Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).

This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.

However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.

Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.

Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on.

Read the rest

Stick-figure AES: crypto explanations for the rest of us


Jeff Moser's "A Stick Figure Guide to the Advanced Encryption Standard (AES)" beautifully presents the history, context, and workings of one of the most important pieces of math in the modern world. AES is at the core of virtually every privacy technology you use, and it holds the promise of building an NSA-proof, unsnoopable Internet.

Read the rest

NSA probably hasn't broken strong crypto


You may have heard speculation that the NSA has secretly broken the strong cryptographic systems used to keep data secret -- after all, why collect all that scrambled data if they can't unscramble it? But Bruce Schneier argues (convincingly) that this is so impossible as to be fanciful. So why have they done this? My guess is that they're counting on flaws being revealed in the cryptographic implementations in the field (or maybe they've discovered such flaws and are keeping them secret). Or they're hoping for a big breakthrough in the future (quantum computing, anyone?).

Read the rest

UK officials detain Glenn Greenwald's partner at Heathrow, question him about Snowden interviews, steal all his gadgets & data


Glenn Greenwald's partner David Miranda was detained at Heathrow Airport under an anti-terrorism law that allows the cops to hold terrorism suspects and question them for nine hours without a lawyer. He was held for exactly nine hours, and questioned -- but not about terrorism. Instead, they questioned him about Greenwald's interviews with NSA leaker Edward Snowden. In other words, they misused a terrorism law to attack a journalist through his loved ones in order to get information on sources in a story that embarrassed the government.

What's more, they stole his laptop, his phone, his memory sticks, his game devices -- basically, all his electronics and gadgets. I say "stole" because there's no indication that they'll ever be returned. And of course, all the data on those devices is forfeit to the UK spookocracy, without any charge, suspicion, or colourable claim of involvement with any crime.

Read the rest

Little Brother inspired Google to encrypt its users' traffic

On yesterday's "This Week in Google," a Google engineer called Matt Cutts revealed that the company started encrypting its queries in 2008 after reading my novel Little Brother, in which one of the plot-elements is a guerrilla movement that gets a friendly ISP to encrypt a lot of its traffic so that the movement's own encrypted connections won't stand out. I am incredibly honored and flattered to learn about this!

Read the rest

Lavabit founder has stopped using email: "If you knew what I know, you might not use it either"

Earlier this week, Xeni reported on the shutdown of Lavabit, the email provider used by NSA whistleblower Edward Snowden. Ladar Levison, Lavabit's founder, has given an interview to Forbes about his reasoning for the shutdown, which comes -- apparently -- as a result of a secret NSA search-warrant complete with a gag order.

After discussing the general absurdity and creepiness of not being allowed to freely criticize the government for the order they brought to his company, he concludes by saying that he's stopped using email altogether, and "If you knew what I know about email, you might not use it either."

Read the rest

Decrypting EFF's DEFCON crypto-challenge tee


For this year's DEFCON conference, the Electronic Frontier Foundation released an encryption-puzzle t-shirt (with glow-in-the-dark clues!) designed by EFF Senior Designer Hugh D'Andrade and Staff Technologist Micah Lee. The puzzle was fiendishly clever and made for a beautiful tee, and now it has been cracked by some of DEFCON's intrepid attendees, the first ten of whom stand to win a beautiful, limited edition, signed print.

Read the rest

Sterling's "The Ecuadorian Library" vs civil liberties groups

Earlier today, Xeni blogged Bruce Sterling's latest essay, "The Ecuadorian Library." I thought this piece had a lot of merit, but was brought up short by one passage that made me think that despite Bruce's keen observations, he hasn't been paying very close attention to what groups like the Electronic Frontier Foundation has been doing since 2005. Indeed, when it comes to the view he presents of Internet activists, Bruce is just plain, flat-out, factually wrong.

Read the rest

Mailpile: crowdfunding a secure, private email client/cloud service

Mailpile is an Iceland-based free/open source email service that's privacy oriented, integrating easy-to-use encryption and scalable searching. The idea is to produce something that'll run well as a cloud-based service or on your own desktop. They want to ship their first milestone in January 2014, and are looking to raise $100K on Indi-egogo to pay for the developer hours to see the project through. With the Mozilla foundation abandoning support for my beloved (but creaky) Thunderbird, I'm very interested in seeing what they come up with, and I've put my money where my mouth is, with a $128 donation. I'm especially impressed by their determination to integrate easy-to-use mail crypto -- the holy grail of email for decades now.

Read the rest