Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like, "correct horse battery staple," it would be even more difficult to guess, "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.

While I'm no cryptologist, I did run a few of the passwords through HowSecureIsMyPassword.net and My1Login.net and they seemed to work out all right. According to those sites, it would take 11 quattuordecillion years or 1 trillion trillion trillion years for a computer to crack "DrefnasidRhyd-y-meirchSefydlogiad6*." Similarly, "GlaeruchdyrauGymreigeiddiaiBarcdir0**" would take 429 tredecillion years, or 94 billion trillion trillion years, respectively.

However, as Alice the programmer warns: "It's probably not a good idea to actually use this, since the wordlist is freely available along with the algorithm being used."

So it might not stop a really clever hacker from getting into your email. But it will almost certainly stop a mythic Welsh dragon from stealing your identity. Probably. I'm assuming their claws are pretty clumsy on the keyboard.

Welsh Password Generator [WheresAlice.info]

Image via Lewis Ogden/Flickr (altered)

*Google Translate tells me this means, "The ford of the horses was arranged." I don't know that I trust it—Google Translate is famously sloppy with the grammar of some Celtic languages—but it certainly sounds epic.

**Similarly, this became "Parkland was a Welsh occupation" which sounds like something you would hear on the Breton version of InfoWars. Read the rest

Ross Anderson (previously) is one of the world's top cryptographers; the British academic and practitioner was honored by having his classic, Security Engineering, inducted into The Cybersecurity Canon; however, he was not able to attend the awards gala himself because the US government sat on his visa application for months, and ultimately did not grant it in time. Read the rest

Banksy's anonymity makes it hard to authenticate his pieces and prints, so Banksy has created a nonprofit called "Pest Control" that issues certificates of authenticity: you send them an alleged Banksy print and £65 and if they agree that it's authentic, they'll return it with a certificate that has a torn-in-half "Di-faced" fake banknote with Lady Diana's face on it, with a handwritten ID number across the bill. Read the rest

Steganography is the art of hiding things in plain sight: for example, secretly encoding a message in an image by flipping the least-significant bit in each pixel to create a binary string that can be decoded as text. Read the rest

When lawmakers and cops propose banning working cryptography (as they often do in the USA), or ban it outright (as they just did in Australia), they are long on talk about "responsible encryption" and the ability of sufficiently motivated technologists to "figure it out" and very short on how that might work -- but after many years, thanks to the UK's spy agency MI5, we have a detailed plan of what this system would look like, and it's called "ghost users." Read the rest

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates. Read the rest

A rare, fully-operational Enigma cipher machine from World War II will go up for auction at Sothebys tomorrow as part of an amazing History of Science & Technology auction (also including Richard Feynman's Nobel Prize). The Enigma is expected to go for around $200,000.

From a 1999 article I wrote for Wired:

German soldiers issued an Enigma were to make no mistake about their orders if captured: Shoot it or throw it overboard. Based on electronic typewriters invented in the 1920s, the infamous Enigma encryption machines of World War II were controlled by wheels set with the code du jour. Each letter typed would illuminate the appropriate character to send in the coded message.

In 1940, building on work by Polish code breakers, Alan Turing and his colleagues at the famed UK cryptography center Bletchley Park devised the Bombe, a mechanical computer that deciphered Enigma-encoded messages. Even as the Nazis beefed up the Enigma architecture by adding more wheels, the codes could be cracked at the Naval Security Station in Washington, DC - giving the Allies the upper hand in the Battle of the Atlantic. The fact that the Allies had cracked the Enigma code was not officially confirmed until the 1970s.

"Something like ten percent of the web flows through Cloudflare's network," states Nick Sullivan, Head of Cryptography for internet "gatekeeping" service Cloudflare.

So, in order to keep their client's protected, they need to generate a lot of unpredictable, completely random numbers. That's where this wall of lava lamps comes in.

Cloudflare's "Wall of Entropy" sits in the lobby of their headquarters in San Francisco. It uses the unpredictability of its flowing "lava" to assist in randomly generating numbers.

On their blog, they explain how it works, for people both with technical and non-technical backgrounds. This is an excerpt from their non-technical explanation:

At Cloudflare, we have thousands of computers in data centers all around the world, and each one of these computers needs cryptographic randomness. Historically, they got that randomness using the default mechanism made available by the operating system that we run on them, Linux.

But being good cryptographers, we’re always trying to hedge our bets. We wanted a system to ensure that even if the default mechanism for acquiring randomness was flawed, we’d still be secure. That’s how we came up with LavaRand.

LavaRand is a system that uses lava lamps as a secondary source of randomness for our production servers. A wall of lava lamps in the lobby of our San Francisco office provides an unpredictable input to a camera aimed at the wall. A video feed from the camera is fed into a CSPRNG, and that CSPRNG provides a stream of random values that can be used as an extra source of randomness by our production servers.

Zero-knowledge proofs are one of the most important concepts in cryptography: they're a way to "validate a computation on private data by allowing a prover to generate a cryptographic proof that asserts to the correctness of the computed output" -- in other words, a way to prove that something is true without learning the details. Read the rest

Jenna McLaughlin at The Intercept writes that Apple CEO Tim Cook “lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week.”  Read the rest

A rare Enigma machine, the proto-computer used by the Nazis to send codes during World War II, just sold at auction for $233,000 to an unnamed buyer. Of course, the Enigma code was cracked by Alan Turing and the other cypherpunks at Bletchley Park. Read the rest

The Wall Street Journal just discovered what some of us have known for a long time: Moxie Marlinspike is really cool, and the work he does is important. Read the rest

Wikipedia: "Cicada 3301 is a name given to an enigmatic organization that on three occasions has posted a set of complex puzzles and ARGs to recruit capable cryptanalysts from the public. Read the rest

Kim Zetter: "It took more than eight years for a CIA analyst and a California computer scientist to crack three of the four coded messages on the CIA’s famed Kryptos sculpture in the late ’90s. Little did either of them know that a small group of cryptanalysts inside the NSA had beat them to it, and deciphered the same three sections of Kryptos years earlier — and they did it in less than a month, according to new documents obtained from the NSA." [Wired] Read the rest

Buzzing around the internet this week: Polish security researcher and professor Wojciech Mazurczyk (left) claims to be developing a way to hide secret, un-eavesdroppable messages in "silent" packets transmitted within Skype conversations. He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat has a writeup here. The ease with which Skype can be snooped by law enforcement is well-known. I'll be interested to hear what other security researchers make of Mazurczyk's project, when and if it is eventually released. Read the rest

In a Washington Post op-ed, Google's executive chairman (and former CEO) Eric Schmidt and Google Ideas director Jared Cohen argue the case for technology as a tool to aid citizen activists in places like Juarez, Mexico. Schmidt and Cohen recently visited the drug-war-wracked border town, and describe the climate of violence there as "surreal."

In Juarez, we saw fearful human beings — sources — who need to get their information into the right hands. With our packet-switching mind-set, we realized that there may be a technological workaround to the fear: Sources don’t need to physically turn to corrupt authorities, distant journalists or diffuse nonprofits, and rely on their hope that the possible benefit is worth the risk of exposing themselves.

Technology can help intermediate this exchange, like servers passing packets on the Internet. Sources don’t need to pierce their anonymity. They don’t need to trust a single person or institution. Why can’t they simply throw encrypted packets into the network and let the tools move information to the right destinations?

In a sense, we are talking about dual crowdsourcing: Citizens crowdsource incident awareness up, and responders crowdsource justice down, nearly in real time. The trick is that anonymity is provided to everyone, although such a system would know a unique ID for every user to maintain records and provide rewards. This bare-bones model could take many forms: official and nonprofit first responders, investigative journalists, whistleblowers, neighborhood watches.

I'll be interested to hear what people in Juarez, and throughout Mexico, think of the editorial. Read the rest

Michael O'Hare is a public policy researcher. He teaches at UC Berkeley and specializes in the arts and the environment. He does not sound like a very threatening guy. But, since the early 1980s, Michael O'Hare has been the subject of another man's obsessive quest to find the true identity of the Zodiac Killer.

Let's be clear. Michael O'Hare is not the Zodiac Killer. He's got a pretty good alibi—namely the fact that he was nowhere near California when the murders happened. In fact, his name only entered the field because an enthusiast named Gareth Penn analyzed some of the famous Zodiac cryptograms and somehow came up with the name "Michael O". How that led Penn to O'Hare isn't exactly clear, but however it happened, Penn has spent the last 30 years telling anyone who will listen that Michael O'Hare is the Zodiac Killer.

And that has made O'Hare's life rather ... interesting. This weekend, I ran across a 2009 essay, written by O'Hare, describing his experience as the unwitting subject of somebody else's conspiracy theory. This is old, but I wanted to share it because it's such a rare perspective on this kind of thing. In the age of the Internet, it's easy to read up on conspiracy theories covering just about any topic. For most of them, you can also find extensive debunking sources. It's much less common for somebody at the center of the story to talk about what that experience has been like. Totally fascinating.

The decades since Penn fixed his sights on me have not been a living hell, much as that would spice up this story.