Cicada 3301 is a mysterious organization seeking "highly intelligent individuals"

Wikipedia: "Cicada 3301 is a name given to an enigmatic organization that on three occasions has posted a set of complex puzzles and ARGs to recruit capable cryptanalysts from the public.

Read the rest

NSA cracked CIA "Kryptos" sculpture before CIA

Kim Zetter: "It took more than eight years for a CIA analyst and a California computer scientist to crack three of the four coded messages on the CIA’s famed Kryptos sculpture in the late ’90s. Little did either of them know that a small group of cryptanalysts inside the NSA had beat them to it, and deciphered the same three sections of Kryptos years earlier — and they did it in less than a month, according to new documents obtained from the NSA." [Wired]

SkypeHide promises to hide secret messages in silent Skype packets, even when authorities are listening

Buzzing around the internet this week: Polish security researcher and professor Wojciech Mazurczyk (left) claims to be developing a way to hide secret, un-eavesdroppable messages in "silent" packets transmitted within Skype conversations. He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat has a writeup here. The ease with which Skype can be snooped by law enforcement is well-known. I'll be interested to hear what other security researchers make of Mazurczyk's project, when and if it is eventually released.

Google execs: our technology can be used to fight narcoviolence in Mexico

In a Washington Post op-ed, Google's executive chairman (and former CEO) Eric Schmidt and Google Ideas director Jared Cohen argue the case for technology as a tool to aid citizen activists in places like Juarez, Mexico. Schmidt and Cohen recently visited the drug-war-wracked border town, and describe the climate of violence there as "surreal."

In Juarez, we saw fearful human beings — sources — who need to get their information into the right hands. With our packet-switching mind-set, we realized that there may be a technological workaround to the fear: Sources don’t need to physically turn to corrupt authorities, distant journalists or diffuse nonprofits, and rely on their hope that the possible benefit is worth the risk of exposing themselves.

Technology can help intermediate this exchange, like servers passing packets on the Internet. Sources don’t need to pierce their anonymity. They don’t need to trust a single person or institution. Why can’t they simply throw encrypted packets into the network and let the tools move information to the right destinations?

In a sense, we are talking about dual crowdsourcing: Citizens crowdsource incident awareness up, and responders crowdsource justice down, nearly in real time. The trick is that anonymity is provided to everyone, although such a system would know a unique ID for every user to maintain records and provide rewards. This bare-bones model could take many forms: official and nonprofit first responders, investigative journalists, whistleblowers, neighborhood watches.

I'll be interested to hear what people in Juarez, and throughout Mexico, think of the editorial. The notion that crypto, Tor, or other anonymity-aiding online tools might help peaceful observers is not a new one, and not one that activists in Mexico need outsiders to teach them about. There are plenty of smart geeks in Mexico who are well aware of the need for, and usefulness of, such tools. But Google execs speaking directly to the conflict, and how widely-available free tools might help, is a new and notable thing. Red the rest here. (thanks, @martinxhodgson)

What it's like to be the subject of a conspiracy theory

Michael O'Hare is a public policy researcher. He teaches at UC Berkeley and specializes in the arts and the environment. He does not sound like a very threatening guy. But, since the early 1980s, Michael O'Hare has been the subject of another man's obsessive quest to find the true identity of the Zodiac Killer.

Let's be clear. Michael O'Hare is not the Zodiac Killer. He's got a pretty good alibi—namely the fact that he was nowhere near California when the murders happened. In fact, his name only entered the field because an enthusiast named Gareth Penn analyzed some of the famous Zodiac cryptograms and somehow came up with the name "Michael O". How that led Penn to O'Hare isn't exactly clear, but however it happened, Penn has spent the last 30 years telling anyone who will listen that Michael O'Hare is the Zodiac Killer.

And that has made O'Hare's life rather ... interesting. This weekend, I ran across a 2009 essay, written by O'Hare, describing his experience as the unwitting subject of somebody else's conspiracy theory. This is old, but I wanted to share it because it's such a rare perspective on this kind of thing. In the age of the Internet, it's easy to read up on conspiracy theories covering just about any topic. For most of them, you can also find extensive debunking sources. It's much less common for somebody at the center of the story to talk about what that experience has been like. Totally fascinating.

The decades since Penn fixed his sights on me have not been a living hell, much as that would spice up this story. They have been an ordinary life, punctuated by one or another flurry of fuss from Penn, sometimes involving pages of numbers (for example, the data pages from my PhD thesis) with this or that sequence picked out, circled, and "decoded" into words that fit somehow into Penn’s model of the crimes.

My favorite episode was the phone calls. Sometime in the 1980s, I started getting them at two and three in the morning. When my wife or I answered, a male voice would say something vaguely threatening like "I’m coming north, and I’m going to get you soon!" .... The calls were supposed to be transmitting coded messages via numbers—in particular, the time of the call! Apparently, Penn’s assumption was that when the average person is aroused by the phone in the middle of the night, the first thing he does, before woozily answering, is to note the time of the first ring on the digital clock he keeps by the bed—which is, of course, synchronized with the clock in the Naval Observatory. If your clock (or his) is off by just a couple of minutes, the call that was supposed to register as "2:14"—code for "Got you dead to rights this time"—will be misinterpreted as "2:16," which I think means "The Sox can’t make the playoffs without a closer." (Sadly, I’ve lost the magic decoder ring I got in exchange for cereal box tops as a child, so I can’t be sure.) The story got even better years later, when I discovered that a Penn skeptic had been calling him at home at times that figured into Penn’s theory, whereupon Penn assumed the calls came from me and "returned" them to my house, so he thought he was having a conversation with me, all in three-digit numbers.

Read the rest of O'Hare's essay at Washington Monthly

Wiretapping and crypto: those who snoop can still snoop

Matt Blaze analyzes the contents of The 2010 U.S. Wiretap Report: "Despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations." (crypto.com)

Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

A Merry Christmas to all Bankers

Letter to bankers (PDF)

(via /.)

Gift Idea: Wikileaks Jewlery

pico.jpg

Having trouble figuring out what to get this holiday season for the web/media/privacy/security nerd in your life? Might I suggest the Wikileaks "Insurance" file on a swanky micro USB drive like the Pico-C? My friend SFslim suggested this on twitter the other day and I promptly jumped on the idea and bought one for myself. I love it. These little drives are super sturdy and barely looks like a piece of technology. At around $30 for the 16GB version, they offer many additional practical uses. Smaller versions are available too, but you need at least 2GB for the Wikileaks "insurance" file. I got a silver one and stuck it on a $5 stainless steel ball chain, but you could probably class it up a bit more with an "actual" jewelry-class necklace. Cypherpunks will get a kick out of this, and their friends and family will have new fodder with which to mock them.

"Kryptos" sculptor teases clues to C.I.A. cryptosculpture

21code-span-articleLarge.jpg

(photo: Drew Angerer/The New York Times)

In today's New York Times, the artist and cryptographer behind an enigmatic sculpture on the grounds of the CIA reveals long-awaited clues to Times reporter John Schwartz.

Kryptos,” the sculpture nestled in a courtyard of the agency’s Virginia headquarters since 1990, is a work of art with a secret code embedded in the letters that are punched into its four panels of curving copper.

“Our work is about discovery — discovering secrets,” said Toni Hiley, director of the C.I.A. Museum. “And this sculpture is full of them, and it still hasn’t given up the last of its secrets.”

Not for lack of trying. For many thousands of would-be code crackers worldwide, “Kryptos” has become an object of obsession. Dan Brown has even referred to it in his novels.

The code breakers have had some success. Three of the puzzles, 768 characters long, were solved by 1999, revealing passages — one lyrical, one obscure and one taken from history. But the fourth message of “Kryptos” — the name, in Greek, means “hidden” — has resisted the best efforts of brains and computers.

And Jim Sanborn, the sculptor who created “Kryptos” and its puzzles, is getting a bit frustrated by the wait. “I assumed the code would be cracked in a fairly short time,” he said, adding that the intrusions on his life from people who think they have solved his fourth puzzle are more than he expected.

Sculptor Dangles Clues to Stubborn Secret in C.I.A.'s Backyard (NYT).

See also: Original Decoding Charts for 'Kryptos' (NYT).

Related coverage at Wired News, and an earlier Wired article here.

UPDATE: "Berlin."

Screen-shot-2010-11-20-at-12.00.jpg

Obama administration wants encryption backdoors for domestic surveillance

In a New York Times article today by Charlie Savage, news that the Obama administration is proposing new legislation that would provide the U.S. Government with direct access to all forms of digital communication, "including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct 'peer to peer' messaging like Skype."

Sound familiar? As Glenn Greenwald points out in his Salon analysis piece,

In other words, the U.S. Government is taking exactly the position of the UAE and the Saudis: no communications are permitted to be beyond the surveillance reach of U.S. authorities. The new law would not expand the Government's legal authority to eavesdrop -- that's unnecessary, since post-9/11 legislation has dramatically expanded those authorities -- but would require all communications, including ones over the Internet, to be built so as to enable the U.S. Government to intercept and monitor them at any time when the law permits. In other words, Internet services could legally exist only insofar as there would be no such thing as truly private communications; all must contain a "back door" to enable government officials to eavesdrop.
On Twitter last night, Ryan Singel pointed out this relevant snip from a National Research Council report rejecting the idea of mandated backdoors in encryption... in 1996.

It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages.
And the lack of backdoors doesn't seem to have put much of a damper on domestic surveillance, anyway:

Law enforcement officials have long warned that encryption technology allows criminals to hide their activities, but investigators encountered encrypted communications only one time during 2009's wiretaps. The state investigators told the court that the encryption did not prevent them from getting the plain text of the messages.

Read the rest

Allen Dale June, original Navajo Code Talker and code developer, dies at 91

Allen Dale June, one of the 29 original Navajo Code Talkers who encrypted American military communications during World War II using principles of indigenous language, died Wednesday night in Prescott, Arizona, at age 91.
The Code Talkers took part in every assault the Marines conducted in the Pacific from 1942 to 1945. They sent thousands of messages without error on Japanese troop movements, battlefield tactics and other communications critical to the war's ultimate outcome.

Several hundred Navajos served as Code Talkers during the war, but a group of 29 that included June developed the code based on their native language. Their role in the war wasn't declassified until 1968.

One of original Navajo Code Talkers dies in Arizona

(azcentral.com)