Steganography is the art of hiding things in plain sight: for example, secretly encoding a message in an image by flipping the least-significant bit in each pixel to create a binary string that can be decoded as text. Read the rest

When lawmakers and cops propose banning working cryptography (as they often do in the USA), or ban it outright (as they just did in Australia), they are long on talk about "responsible encryption" and the ability of sufficiently motivated technologists to "figure it out" and very short on how that might work -- but after many years, thanks to the UK's spy agency MI5, we have a detailed plan of what this system would look like, and it's called "ghost users." Read the rest

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates. Read the rest

A rare, fully-operational Enigma cipher machine from World War II will go up for auction at Sothebys tomorrow as part of an amazing History of Science & Technology auction (also including Richard Feynman's Nobel Prize). The Enigma is expected to go for around $200,000.

From a 1999 article I wrote for Wired:

German soldiers issued an Enigma were to make no mistake about their orders if captured: Shoot it or throw it overboard. Based on electronic typewriters invented in the 1920s, the infamous Enigma encryption machines of World War II were controlled by wheels set with the code du jour. Each letter typed would illuminate the appropriate character to send in the coded message.

In 1940, building on work by Polish code breakers, Alan Turing and his colleagues at the famed UK cryptography center Bletchley Park devised the Bombe, a mechanical computer that deciphered Enigma-encoded messages. Even as the Nazis beefed up the Enigma architecture by adding more wheels, the codes could be cracked at the Naval Security Station in Washington, DC - giving the Allies the upper hand in the Battle of the Atlantic. The fact that the Allies had cracked the Enigma code was not officially confirmed until the 1970s.

"Something like ten percent of the web flows through Cloudflare's network," states Nick Sullivan, Head of Cryptography for internet "gatekeeping" service Cloudflare.

So, in order to keep their client's protected, they need to generate a lot of unpredictable, completely random numbers. That's where this wall of lava lamps comes in.

Cloudflare's "Wall of Entropy" sits in the lobby of their headquarters in San Francisco. It uses the unpredictability of its flowing "lava" to assist in randomly generating numbers.

On their blog, they explain how it works, for people both with technical and non-technical backgrounds. This is an excerpt from their non-technical explanation:

At Cloudflare, we have thousands of computers in data centers all around the world, and each one of these computers needs cryptographic randomness. Historically, they got that randomness using the default mechanism made available by the operating system that we run on them, Linux.

But being good cryptographers, we’re always trying to hedge our bets. We wanted a system to ensure that even if the default mechanism for acquiring randomness was flawed, we’d still be secure. That’s how we came up with LavaRand.

LavaRand is a system that uses lava lamps as a secondary source of randomness for our production servers. A wall of lava lamps in the lobby of our San Francisco office provides an unpredictable input to a camera aimed at the wall. A video feed from the camera is fed into a CSPRNG, and that CSPRNG provides a stream of random values that can be used as an extra source of randomness by our production servers.

Zero-knowledge proofs are one of the most important concepts in cryptography: they're a way to "validate a computation on private data by allowing a prover to generate a cryptographic proof that asserts to the correctness of the computed output" -- in other words, a way to prove that something is true without learning the details. Read the rest

Jenna McLaughlin at The Intercept writes that Apple CEO Tim Cook “lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week.”  Read the rest

A rare Enigma machine, the proto-computer used by the Nazis to send codes during World War II, just sold at auction for $233,000 to an unnamed buyer. Of course, the Enigma code was cracked by Alan Turing and the other cypherpunks at Bletchley Park. Read the rest

The Wall Street Journal just discovered what some of us have known for a long time: Moxie Marlinspike is really cool, and the work he does is important. Read the rest

Wikipedia: "Cicada 3301 is a name given to an enigmatic organization that on three occasions has posted a set of complex puzzles and ARGs to recruit capable cryptanalysts from the public. Read the rest

Kim Zetter: "It took more than eight years for a CIA analyst and a California computer scientist to crack three of the four coded messages on the CIA’s famed Kryptos sculpture in the late ’90s. Little did either of them know that a small group of cryptanalysts inside the NSA had beat them to it, and deciphered the same three sections of Kryptos years earlier — and they did it in less than a month, according to new documents obtained from the NSA." [Wired] Read the rest

Buzzing around the internet this week: Polish security researcher and professor Wojciech Mazurczyk (left) claims to be developing a way to hide secret, un-eavesdroppable messages in "silent" packets transmitted within Skype conversations. He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat has a writeup here. The ease with which Skype can be snooped by law enforcement is well-known. I'll be interested to hear what other security researchers make of Mazurczyk's project, when and if it is eventually released. Read the rest

In a Washington Post op-ed, Google's executive chairman (and former CEO) Eric Schmidt and Google Ideas director Jared Cohen argue the case for technology as a tool to aid citizen activists in places like Juarez, Mexico. Schmidt and Cohen recently visited the drug-war-wracked border town, and describe the climate of violence there as "surreal."

In Juarez, we saw fearful human beings — sources — who need to get their information into the right hands. With our packet-switching mind-set, we realized that there may be a technological workaround to the fear: Sources don’t need to physically turn to corrupt authorities, distant journalists or diffuse nonprofits, and rely on their hope that the possible benefit is worth the risk of exposing themselves.

Technology can help intermediate this exchange, like servers passing packets on the Internet. Sources don’t need to pierce their anonymity. They don’t need to trust a single person or institution. Why can’t they simply throw encrypted packets into the network and let the tools move information to the right destinations?

In a sense, we are talking about dual crowdsourcing: Citizens crowdsource incident awareness up, and responders crowdsource justice down, nearly in real time. The trick is that anonymity is provided to everyone, although such a system would know a unique ID for every user to maintain records and provide rewards. This bare-bones model could take many forms: official and nonprofit first responders, investigative journalists, whistleblowers, neighborhood watches.

I'll be interested to hear what people in Juarez, and throughout Mexico, think of the editorial. Read the rest

Michael O'Hare is a public policy researcher. He teaches at UC Berkeley and specializes in the arts and the environment. He does not sound like a very threatening guy. But, since the early 1980s, Michael O'Hare has been the subject of another man's obsessive quest to find the true identity of the Zodiac Killer.

Let's be clear. Michael O'Hare is not the Zodiac Killer. He's got a pretty good alibi—namely the fact that he was nowhere near California when the murders happened. In fact, his name only entered the field because an enthusiast named Gareth Penn analyzed some of the famous Zodiac cryptograms and somehow came up with the name "Michael O". How that led Penn to O'Hare isn't exactly clear, but however it happened, Penn has spent the last 30 years telling anyone who will listen that Michael O'Hare is the Zodiac Killer.

And that has made O'Hare's life rather ... interesting. This weekend, I ran across a 2009 essay, written by O'Hare, describing his experience as the unwitting subject of somebody else's conspiracy theory. This is old, but I wanted to share it because it's such a rare perspective on this kind of thing. In the age of the Internet, it's easy to read up on conspiracy theories covering just about any topic. For most of them, you can also find extensive debunking sources. It's much less common for somebody at the center of the story to talk about what that experience has been like. Totally fascinating.

The decades since Penn fixed his sights on me have not been a living hell, much as that would spice up this story.

Matt Blaze analyzes the contents of The 2010 U.S. Wiretap Report: "Despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations." (crypto.com) Read the rest

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera.

Having trouble figuring out what to get this holiday season for the web/media/privacy/security nerd in your life? Might I suggest the Wikileaks "Insurance" file on a swanky micro USB drive like the Pico-C? My friend SFslim suggested this on twitter the other day and I promptly jumped on the idea and bought one for myself. I love it. These little drives are super sturdy and barely looks like a piece of technology. At around $30 for the 16GB version, they offer many additional practical uses. Smaller versions are available too, but you need at least 2GB for the Wikileaks "insurance" file. I got a silver one and stuck it on a $5 stainless steel ball chain, but you could probably class it up a bit more with an "actual" jewelry-class necklace. Cypherpunks will get a kick out of this, and their friends and family will have new fodder with which to mock them. Read the rest