"Something like ten percent of the web flows through Cloudflare's network," states Nick Sullivan, Head of Cryptography for internet "gatekeeping" service Cloudflare.
So, in order to keep their clients protected, they need to generate a lot of unpredictable, completely random numbers. That's where this wall of lava lamps comes in.
Cloudflare's "Wall of Entropy" sits in the lobby of their headquarters in San Francisco. It uses the unpredictability of its flowing "lava" to assist in randomly generating numbers.
On their blog, they explain how it works, for people with both technical and non-technical backgrounds. This is an excerpt from their non-technical explanation:
At Cloudflare, we have thousands of computers in data centers all around the world, and each one of these computers needs cryptographic randomness. Historically, they got that randomness using the default mechanism made available by the operating system that we run on them, Linux.
But being good cryptographers, we’re always trying to hedge our bets. We wanted a system to ensure that even if the default mechanism for acquiring randomness was flawed, we’d still be secure. That’s how we came up with LavaRand.
LavaRand is a system that uses lava lamps as a secondary source of randomness for our production servers. A wall of lava lamps in the lobby of our San Francisco office provides an unpredictable input to a camera aimed at the wall. A video feed from the camera is fed into a CSPRNG, and that CSPRNG provides a stream of random values that can be used as an extra source of randomness by our production servers.
Zero-knowledge proofs are one of the most important concepts in cryptography: they're a way to "validate a computation on private data by allowing a prover to generate a cryptographic proof that asserts to the correctness of the computed output" -- in other words, a way to prove that something is true without learning the details.
Jenna McLaughlin at The Intercept writes that Apple CEO Tim Cook “lashed out at the high-level delegation of Obama administration officials who came calling on tech leaders in San Jose last week.”
A rare Enigma machine, the proto-computer used by the Nazis to send codes during World War II, just sold at auction for $233,000 to an unnamed buyer. Of course, the Enigma code was cracked by Alan Turing and the other cypherpunks at Bletchley Park.
[Wall Street Journal]
The Wall Street Journal just discovered what some of us have known for a long time: Moxie Marlinspike is really cool, and the work he does is important.
Wikipedia: "Cicada 3301 is a name given to an enigmatic organization that on three occasions has posted a set of complex puzzles and ARGs to recruit capable cryptanalysts from the public."
Kim Zetter: "It took more than eight years for a CIA analyst and a California computer scientist to crack three of the four coded messages on the CIA’s famed Kryptos sculpture in the late ’90s. Little did either of them know that a small group of cryptanalysts inside the NSA had beat them to it, and deciphered the same three sections of Kryptos years earlier — and they did it in less than a month, according to new documents obtained from the NSA." [Wired]
Buzzing around the internet this week: Polish security researcher and professor Wojciech Mazurczyk claims to be developing a way to hide secret, un-eavesdroppable messages in "silent" packets transmitted within Skype conversations. He and his team plan to present SkypeHide at a steganography conference in Montpellier, France, this coming June. VentureBeat has a writeup here. The ease with which Skype can be snooped by law enforcement is well-known. I'll be interested to hear what other security researchers make of Mazurczyk's project, when and if it is eventually released.
In a Washington Post op-ed, Google's executive chairman (and former CEO) Eric Schmidt and Google Ideas director Jared Cohen argue the case for technology as a tool to aid citizen activists in places like Juarez, Mexico. Schmidt and Cohen recently visited the drug-war-wracked border town, and describe the climate of violence there as "surreal."
In Juarez, we saw fearful human beings — sources — who need to get their information into the right hands. With our packet-switching mind-set, we realized that there may be a technological workaround to the fear: Sources don’t need to physically turn to corrupt authorities, distant journalists or diffuse nonprofits, and rely on their hope that the possible benefit is worth the risk of exposing themselves.
Technology can help intermediate this exchange, like servers passing packets on the Internet. Sources don’t need to pierce their anonymity. They don’t need to trust a single person or institution. Why can’t they simply throw encrypted packets into the network and let the tools move information to the right destinations?
In a sense, we are talking about dual crowdsourcing: Citizens crowdsource incident awareness up, and responders crowdsource justice down, nearly in real time. The trick is that anonymity is provided to everyone, although such a system would know a unique ID for every user to maintain records and provide rewards. This bare-bones model could take many forms: official and nonprofit first responders, investigative journalists, whistleblowers, neighborhood watches.
I'll be interested to hear what people in Juarez, and throughout Mexico, think of the editorial.
Michael O'Hare is a public policy researcher. He teaches at UC Berkeley and specializes in the arts and the environment. He does not sound like a very threatening guy. But, since the early 1980s, Michael O'Hare has been the subject of another man's obsessive quest to find the true identity of the Zodiac Killer.
Let's be clear. Michael O'Hare is not the Zodiac Killer. He's got a pretty good alibi—namely the fact that he was nowhere near California when the murders happened. In fact, his name only entered the field because an enthusiast named Gareth Penn analyzed some of the famous Zodiac cryptograms and somehow came up with the name "Michael O". How that led Penn to O'Hare isn't exactly clear, but however it happened, Penn has spent the last 30 years telling anyone who will listen that Michael O'Hare is the Zodiac Killer.
And that has made O'Hare's life rather ... interesting. This weekend, I ran across a 2009 essay, written by O'Hare, describing his experience as the unwitting subject of somebody else's conspiracy theory. This is old, but I wanted to share it because it's such a rare perspective on this kind of thing. In the age of the Internet, it's easy to read up on conspiracy theories covering just about any topic. For most of them, you can also find extensive debunking sources. It's much less common for somebody at the center of the story to talk about what that experience has been like. Totally fascinating.
The decades since Penn fixed his sights on me have not been a living hell, much as that would spice up this story.
Matt Blaze analyzes the contents of The 2010 U.S. Wiretap Report: "Despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations." (crypto.com)
After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....
...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera.
Having trouble figuring out what to get this holiday season for the web/media/privacy/security nerd in your life? Might I suggest the Wikileaks "Insurance" file on a swanky micro USB drive like the Pico-C? My friend SFslim suggested this on Twitter the other day and I promptly jumped on the idea and bought one for myself. I love it. These little drives are super sturdy and barely look like a piece of technology. At around $30 for the 16GB version, they offer many additional practical uses. Smaller versions are available too, but you need at least 2GB for the Wikileaks "insurance" file. I got a silver one and stuck it on a $5 stainless steel ball chain, but you could probably class it up a bit more with an "actual" jewelry-class necklace. Cypherpunks will get a kick out of this, and their friends and family will have new fodder with which to mock them.
(photo: Drew Angerer/The New York Times)
In today's New York Times, the artist and cryptographer behind an enigmatic sculpture on the grounds of the CIA reveals long-awaited clues to Times reporter John Schwartz.
“Kryptos,” the sculpture nestled in a courtyard of the agency’s Virginia headquarters since 1990, is a work of art with a secret code embedded in the letters that are punched into its four panels of curving copper.
“Our work is about discovery — discovering secrets,” said Toni Hiley, director of the C.I.A. Museum. “And this sculpture is full of them, and it still hasn’t given up the last of its secrets.”
Not for lack of trying. For many thousands of would-be code crackers worldwide, “Kryptos” has become an object of obsession. Dan Brown has even referred to it in his novels.
The code breakers have had some success. Three of the puzzles, 768 characters long, were solved by 1999, revealing passages — one lyrical, one obscure and one taken from history. But the fourth message of “Kryptos” — the name, in Greek, means “hidden” — has resisted the best efforts of brains and computers.
And Jim Sanborn, the sculptor who created “Kryptos” and its puzzles, is getting a bit frustrated by the wait. “I assumed the code would be cracked in a fairly short time,” he said, adding that the intrusions on his life from people who think they have solved his fourth puzzle are more than he expected.
Sculptor Dangles Clues to Stubborn Secret in C.I.A.'s Backyard (NYT).
In a New York Times article today by Charlie Savage, news that the Obama administration is proposing new legislation that would provide the U.S. Government with direct access to all forms of digital communication, "including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct 'peer to peer' messaging like Skype."
Sound familiar? As Glenn Greenwald points out in his Salon analysis piece,
In other words, the U.S. Government is taking exactly the position of the UAE and the Saudis: no communications are permitted to be beyond the surveillance reach of U.S. authorities. The new law would not expand the Government's legal authority to eavesdrop -- that's unnecessary, since post-9/11 legislation has dramatically expanded those authorities -- but would require all communications, including ones over the Internet, to be built so as to enable the U.S. Government to intercept and monitor them at any time when the law permits. In other words, Internet services could legally exist only insofar as there would be no such thing as truly private communications; all must contain a "back door" to enable government officials to eavesdrop.
On Twitter last night, Ryan Singel pointed out this relevant snip from a National Research Council report rejecting the idea of mandated backdoors in encryption... in 1996.
It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages.
Allen Dale June, one of the 29 original Navajo Code Talkers who encrypted American military communications during World War II using principles of indigenous language, died Wednesday night in Prescott, Arizona, at age 91.
The Code Talkers took part in every assault the Marines conducted in the Pacific from 1942 to 1945. They sent thousands of messages without error on Japanese troop movements, battlefield tactics and other communications critical to the war's ultimate outcome.
Several hundred Navajos served as Code Talkers during the war, but a group of 29 that included June developed the code based on their native language. Their role in the war wasn't declassified until 1968.
One of original Navajo Code Talkers dies in Arizona (azcentral.com)