Slashdot Mirror


Is Hushmail Still Safe?

Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication: "For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"

264 comments

  1. Is Hushmail still safe? by Naughty+Bob · · Score: 5, Funny

    The answer depends on how naughty you are.

    For the kind of low-level crimes I like to commit, Hushmail is safe as milk.

    If you like to blow up American stuff, it's not so safe anymore.

    --
    "Be light, stinging, insolent and melancholy"
    1. Re:Is Hushmail still safe? by Ryukotsusei · · Score: 5, Funny

      What if you're lactose-intolerant?

    2. Re:Is Hushmail still safe? by Naughty+Bob · · Score: 4, Funny

      What's the worst that can happen?....

      exactly

      --
      "Be light, stinging, insolent and melancholy"
    3. Re:Is Hushmail still safe? by danceswithtrees · · Score: 1

      Then you can still blow stuff up.

      Stay away from matches.

    4. Re:Is Hushmail still safe? by Anonymous Coward · · Score: 0

      Well no more buying 2c-i, 5-MeO-DMT, MDMA, GBL, GHB, 2c-t-7, DOC, Pakistani heroin (which sucks anyway), and hundreds of benzos through Hushmail's email servers!

    5. Re:Is Hushmail still safe? by Anonymous Coward · · Score: 0

      Even for low level crime, I would go offshore, far away from the US, Canada and the EU. If they get a court order, they have to follow it. There are plenty of other secure email providers out there.

    6. Re:Is Hushmail still safe? by Anonymous Coward · · Score: 0

      RIP, JLF Fine Poisonous Non-consumables...

  2. this has been the case all along by spune · · Score: 5, Insightful

    you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

    1. Re:this has been the case all along by jjohnson · · Score: 4, Informative

      Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally. What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    2. Re:this has been the case all along by Naughty+Bob · · Score: 4, Informative

      you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

      RTFAs much? Hushmail provide you with an optional, open app to encrypt things before they leave your computer. But now it seems that (based on differing hashes) the code used 'in the field' is not the same as the reference source code they show on their site.

      I'd be inclined, given Hushmail's excellent track record on openness, to believe that this is more an oversight, i.e. something not updated, than a turn to the dark side.

      --
      "Be light, stinging, insolent and melancholy"
    3. Re:this has been the case all along by Anonymous Coward · · Score: 0, Interesting

      you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

      Errr, with what exactly? PGP/GPG? Some other freeware encryption that still uses a published algorithm? Think our Government doesn't have the capability of decrypting them all, or more to the point the capability of demanding unencrypted data be handed over?

      I congratulate you on your zenlike elevation of being. Ignorance must be very blissful.

    4. Re:this has been the case all along by Troed · · Score: 3, Interesting

      No, they don't have that capability. Please read any beginner's book on crypto.

    5. Re:this has been the case all along by arcade · · Score: 5, Insightful

      Think our Government doesn't have the capability of decrypting them all,

      No.

      or more to the point the capability of demanding unencrypted data be handed over?

      Well, if you mean by actually torturing you? Well, depends on whether you believe your government does that to Americans or not.

      If you refuse, you refuse. They then can't get to your data.

      Unless you use debian, of course. :-P

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
    6. Re:this has been the case all along by AmiMoJo · · Score: 2, Insightful

      If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

      Once everyone had the ability to check signatures and decrypt encrypted mail, and the client defaulted to encrypted if a key was available we would be half way there. Unfortunately there is no good system at the moment for hiding the address of who the mail is being sent to, and at least in the UK ISPs are required to log that data.

      I'm somewhat surprised that Thunderbird hasn't done it. GPG is free, plugins already exist and it would finally be something that can separate it from the crowd of other email clients with similar or better features. Even better would be if MS integrated it into Outlook or Mail. Maybe Apple could market it as a feature?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:this has been the case all along by TubeSteak · · Score: 3, Interesting

      What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

      IIRC, Hushmail started passing out 'bad' java applets so that they could grab encryption keys.

      --
      [Fuck Beta]
      o0t!
    8. Re:this has been the case all along by SignOfZeta · · Score: 2, Informative

      Apple has PGP keys that you can use for submitting encrypted email to them; they tell you to use it for sending in proof of security issues. While they don't include the functionality in Mail, there's always MacGPG (command-line tools, plus a nice Aqua-fied port) and the GPGMail plugin.

      Why Apple and Mozilla make no official inclusion, I have no idea. Probably due to licensing, no doubt. (It goes without saying that Microsoft doesn't include it because they're Microsoft.)

    9. Re:this has been the case all along by AmiMoJo · · Score: 2, Informative

      GPG is open source, GPL licenced and patent free, so really there is no excuse for not including it.

      Even GPG doesn't solve the recipient-in-plain-text problem. It's the same with SSL - the encryption is encrypted by your ISP can still see the address of the site you are visiting.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:this has been the case all along by FilterMapReduce · · Score: 3, Informative

      Some other freeware encryption that still uses a published algorithm?

      If this made any difference, the algorithm would suck anyway.

    11. Re:this has been the case all along by yabos · · Score: 1

      They have built in S/MIME

    12. Re:this has been the case all along by legirons · · Score: 5, Informative

      If you're encrypting email yourself then hushmail is just unnecessary. Use fireGPG with gmail and you've already got better privacy than hushmail (i.e. no need to trust their java applications)

      plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email

    13. Re:this has been the case all along by SignOfZeta · · Score: 2, Interesting

      Assuming that Apple has no problem with the GPL, then I suppose the Mac users of the world should submit feedback. Thunderbird users can leave feedback here. Hell, leave feedback for both. Widespread adoption of GPG can't hurt anyone.

      And you're right, GPG doesn't encrypt headers. If we did encrypt headers, we'd have to find a replacement for SMTP… SMTPSEC? Given the popularity of DNSSEC compared to DNS, I don't see that happening.

    14. Re:this has been the case all along by legirons · · Score: 2, Interesting

      If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

      But how do you swap keys?

      At this point, it would be nice for some organisation to just start signing PGP keys when you fax them a driving license or something, the equivalent to a CA but for PGP keys, which traditionally needed huge effort to figure out if the key matches the person.

    15. Re:this has been the case all along by roystgnr · · Score: 4, Insightful

      Well, if you mean by actually torturing you? Well, depends on whether you believe your government does that to americans or not.

      Torture isn't the only way of getting data out of people, which is fortunate because as Bush said, "We don't torture." What we do is called using "Enhanced Interrogation Techniques", which aren't torture because they don't cause organ failure, except when they do and the organ was in a guy who wasn't going to live forever anyway.

    16. Re:this has been the case all along by legirons · · Score: 2, Informative

      with SSL - the encryption is encrypted by your ISP can still see the address of the site you are visiting.

      Well, they can see the server/domain name, although not the URL surely (the URL being sent inside HTTP, which is encrypted...)

    17. Re:this has been the case all along by legirons · · Score: 2, Insightful

      If you refuse, you refuse. They then can't get to your data.

      This really cuts to the core of why encrypting yourself is better than trusting someone to do it for you (or worse, trusting someone to store plaintext data for you) -- someone may be able to get the data (by using fascist tools like the UK's RIP act, or the US' torture methods) but they will never be able to do so without your knowledge and once it's broken you will no longer trust that key.

      well, unless your PC is insecure...

    18. Re:this has been the case all along by SanityInAnarchy · · Score: 2, Insightful

      Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally.

      The problem is that the applet can't be verified. And, honestly, this should never have been the first indication of that.

      Or rather, the applet could be verified -- you'd just have to verify it every time. The only way I know of to make this easy would be with a Firefox extension -- but at that point, to borrow the other poster's idea, why use Hushmail in the first place?

      Hushmail is really a way of making GPG easy for people who don't understand how it works. The flaw in this is that to use GPG at all securely, you need to have a fair understanding of how it works.

      --
      Don't thank God, thank a doctor!
    19. Re:this has been the case all along by Mistshadow2k4 · · Score: 4, Interesting

      Hushmail is really a way of making GPG easy for people who don't understand how it works.

      From my own admittedly anecdotal experience, I'd say Hushmail is just a way to make money. Not only do they constantly bombard you with pleas to upgrade to their paid service, but they are supposed to delete your account if you don't check it every 3 weeks. But my account was deleted under this claim when it had been only 1 week since I checked it. Yes, I'm sure. Not only that, but when I tried to create an account with the same name, whenever I pressed okay I got an error message that I couldn't use that name without upgrading. After that I'd started using GPG with Gmail. Both are free.

      I guess I'm old-fashioned, or just learned better because I was raised in a poor rural area, but it's better to learn how to do something yourself if it's easy anyway than to pay someone too much to do it for you.

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    20. Re:this has been the case all along by mlts · · Score: 2, Interesting

      For email that was decrypted on their servers using the Outlook plugin, they were pretty much forced to hand it over or be shut down by the Powers that Be in their country.

      Hushmail offers one service that no other E-mail company provides -- decryption of E-mails on the local client. I can sit at any machine that has a JVM and that is trusted to not have a keylogger, log onto Hushmail, and decrypt any new mail locally. The mail remains encrypted on Hushmail's servers.

      Another advantage of Hushmail is their nym service. Not nyms with the same prefix like Yahoo's that someone can figure out are owned by a single person, but pretty much any name. This comes in handy when dealing with suspect people who you want to interact with via E-mail, but whom you do not want to risk having them know who you really are or have your real E-mail to spam (Craigslist transactions for example.)

    21. Re:this has been the case all along by Anonymous Coward · · Score: 0

      They do? Nice, S/MIME offers something really superior to PGP. The national ID cards that have been rolled out by many countries. Those offer full blown PKI, without need for key signing and distributing anything. I can very conveniently converse securely with people if I choose to. Although I have to admit that you might not want to use such as your government is probably not as trustworthy as mine... ;)

    22. Re:this has been the case all along by AmiMoJo · · Score: 1

      Encrypted SMTP would not help, if you are using the SMTP servers of someone who is required to log the addresses since obviously the server needs to read them. The only real solution is to set up your own SMTP server which does not log anything. I don't know how that stands with current UK law, i.e. if only ISPs are required to log or if anyone running a server is. You could always get one in a safe country I suppose.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:this has been the case all along by thetoadwarrior · · Score: 1

      i.e. no need to trust their java applications)

      You still have to trust a bit of software which isn't a problem. The problem always arises when another human is involved.

    24. Re:this has been the case all along by SignOfZeta · · Score: 1

      True, but you'd have the sender's and recipient's data in the headers. For example, I've culled these headers from one of Slashdot's email notifications. Every SMTP server between the sender and the receiver would have to be encrypted and/or removing some of these headers:

      Received: by 10.141.26.16 with SMTP id d16cs144104rvj;
              Sun, 3 Aug 2008 12:05:06 -0700 (PDT)
      Received: by 10.65.242.7 with SMTP id u7mr980867qbr.41.1217790306248;
              Sun, 03 Aug 2008 12:05:06 -0700 (PDT)
      Return-Path: <slashdot@slashdot.org>
      Received: from ck4jzd1.ch3.sourceforge.com (slashdot.org [216.34.181.45])
              by mx.google.com with ESMTP id p31si10509010qbp.18.2008.08.03.12.05.05;
              Sun, 03 Aug 2008 12:05:06 -0700 (PDT)
      Received-SPF: pass (google.com: best guess record for domain of slashdot@slashdot.org designates 216.34.181.45 as permitted sender) client-ip=216.34.181.45;
      Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of slashdot@slashdot.org designates 216.34.181.45 as permitted sender) smtp.mail=slashdot@slashdot.org
      Received: from localhost ([127.0.0.1] helo=ck4jzd1.ch3.sourceforge.com)
              by ck4jzd1.ch3.sourceforge.com with smtp (Exim 4.63)
              (envelope-from <slashdot@slashdot.org>)
              id 1KPit7-0008FV-Hu
              for [lol, my email address]; Sun, 03 Aug 2008 19:05:05 +0000
      Subject: [Slashdot] Reply to "Re:this has been the case all along" by AmiMoJo
      Date: Sun, 3 Aug 2008 19:05:05 +0000
      Message-Id: <1217790305.540059-31690-slash-ck4jzd1.ch3.sourceforge.com@slashdot.org>
      From: slashdot@slashdot.org

      In doing so, you would lose a vital piece of anti-spam and anti-phishing technology. Although privacy is nice, some of these headers more than likely aren't going anywhere soon.
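      An added example, not from any post in this thread, that parses headers like the ones quoted above and reports what every relay (and any ISP required to log) can still read when only the body has been encrypted with GPG. The message, hosts, addresses and ids in it are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample, modelled on the notification headers quoted in the post
# above: every host, address and id here is a placeholder, not a real value.
# The body is a PGP message, as it would be after encrypting with GPG.
RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
  by mx.example.org with ESMTP id abc123;
  Sun, 03 Aug 2008 12:05:06 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=relay.example.net)
  by relay.example.net with smtp (Exim 4.63)
  (envelope-from <alice@example.net>)
  id xyz789
  for bob@example.org; Sun, 03 Aug 2008 19:05:05 +0000
Return-Path: <alice@example.net>
From: alice@example.net
To: bob@example.org
Subject: Re: meeting notes
Date: Sun, 3 Aug 2008 19:05:05 +0000
Message-Id: <20080803190505.placeholder@example.net>

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertextBlockNotRealData
-----END PGP MESSAGE-----
"""

# Pulls the relaying hosts and, when present, the envelope sender/recipient
# out of one Received header. Relays record these whether or not the body is
# encrypted, because SMTP needs them to route the message.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)"
    r"(?:.*?envelope-from\s+<(?P<env_from>[^>]+)>)?"
    r"(?:.*?\bfor\s+<?(?P<env_to>[^\s;>]+)>?)?",
    re.DOTALL,
)

PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def exposed_metadata(raw: str) -> dict:
    """Return what a relay or a logging ISP can read from a message even when
    the body is PGP-encrypted: routing hops, envelope and header addresses,
    and the subject, which GPG leaves in the clear."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Each relay prepends its own Received header, so the topmost one is the
    # last hop; reverse to list the path in the order the message travelled.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if not m:
            continue
        hops.append({name: m.group(name)
                     for name in ("from", "by", "env_from", "env_to")
                     if m.group(name)})

    body = "" if msg.is_multipart() else msg.get_content()
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-Id"]),
        "hops": hops,
        "body_encrypted": body.lstrip().startswith(PGP_ARMOR_HEADER),
    }


def leak_report(raw: str) -> list:
    """One line per fact that stays visible on the wire; handy for showing a
    user what encrypting only the body does and does not protect."""
    meta = exposed_metadata(raw)
    lines = [f"body encrypted: {meta['body_encrypted']}",
             f"visible sender: {meta['sender']}",
             f"visible recipient: {meta['recipient']}",
             f"visible subject: {meta['subject']}"]
    for i, hop in enumerate(meta["hops"], 1):
        lines.append(f"hop {i}: {hop.get('from', '?')} -> {hop.get('by', '?')}"
                     + (f" (envelope for {hop['env_to']})" if "env_to" in hop else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(leak_report(RAW_MESSAGE)))
```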

    25. Re:this has been the case all along by Deanalator · · Score: 3, Informative

      Except for the fact that every character you type into the gmail compose field gets sent over the network in clear text, as does your session key. Google does it so they can provide on the fly features like spellcheck and suggestions etc, but it is a huge risk.

      http://news.cnet.com/8301-10784_3-9755575-7.html

    26. Re:this has been the case all along by Leading+Stoker · · Score: 1

      Not only do they constantly bombard you with pleas to upgrade to their paid service, but they are supposed to delete your account if you don't check it every 3 weeks.

      Thanks for reminding why I gave up on Hushmail years ago. Was using it back in '99, and had to wait more than 3 weeks to repair a computer (motherboard died). If the email can't sit in the inbox for 6 weeks, folks really don't have to worry about encryption, they need to worry about even having any email to read!

      But again, this all shows services that claim to provide security, often have backdoors that can circumvent exactly what they claim is locked down. For the paranoid and near paranoid, it's not a comforting thought. Glad the computer saved me from all this hassle...good, computer, good!

    27. Re:this has been the case all along by Tony+Hoyle · · Score: 1

      gmail uses https - nothing is sent clear text.

    28. Re:this has been the case all along by morethanapapercert · · Score: 1

      Except that not every Gmail user goes to the website and logs in to compose and send email. Some (like myself) use an offline email client to compose messages and then connect via an SSL-encrypted SMTP connection. (That way I am not exposed to even Google's well chosen ads.)

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    29. Re:this has been the case all along by Anonymous Coward · · Score: 0

      Think our Government doesn't have the capability of decrypting them all,

      No.

      Really? Seriously? Really think you're all that l33t using published crypto? Zenlike ignorance. Must be a fucking rush.

      As another poster skillfully pointed out, unless you write your own encryption and know your OWN code, open/published standards should be considered compromised, especially when talking about our Government (or any other one for that matter).

      Good old fashioned pen and paper secured by cold steel and lead seemed to secure many a secret for far longer than we've been clicking "encrypt and send"

    30. Re:this has been the case all along by v1 · · Score: 2, Interesting

      I can send a signed or encrypted email anytime I want from Mail, with no extensions. I just have to have my public and private key loaded into it (which I do) and have to have a copy of your public key. Then I just click the padlock. Oh, thank you for the reminder, my key expired last week, heh.. got another one just now for free. Anyway, now I can click the "sign" badge and sign my email to you even if you don't have any keys. If I have your public key and I receive an email from you, it will show it has been signed by you so I can verify you sent it. If you encrypted it using my public key, only I can decrypt it, and vice versa. You need to have sent me a signed email after getting yourself a key before I can send you anything encrypted.

      Whenever someone sends me a signed email, their public key is automatically added to my keychain too. So it's all built-in, and mostly automatic. No plugins or anything else to hassle with. Just download your key (which installs into your keychain automatically) and relaunch Mail and you're done.

      The biggest hassle is dealing with Thawte to get a key if I want to sign or encrypt anything. But it's free and has come a long way since I started using it.

      --
      I work for the Department of Redundancy Department.
    31. Re:this has been the case all along by Anonymous Coward · · Score: 1, Informative

      And since when did MTAs start using HTTP?

    32. Re:this has been the case all along by Deanalator · · Score: 2, Informative

      You would think so, but check again.

      It will post your password to an HTTPS action, but then it reverts back to clear text. Also try firing up wireshark sometime and notice that every single keypress (last time I checked) in the compose mail field sends out an xmlhttprequest. Web 2.0 is awesome.

      There is a firefox plugin http://www.customizegoogle.com/ that will force https if you want, but even if you type https into the bar, gmail will attempt to downgrade your session back to http.

    33. Re:this has been the case all along by lord_sarpedon · · Score: 2, Insightful

      You're trusting FireGPG at that point. As well as Firefox, GPG, and (the majority of the time) Windows XP or Vista. Those last two worry me the most.

      The main FireGPG download page (http://getfiregpg.org/install.html) as well as the xpi are both served over plain http, not https, and the package is not signed. Author not verified, huh. Here's my unencrypted text and password for my key anyway.

      I'll give the benefit of the doubt to Firefox and GPG due to being a bit more high-profile, and last I checked the Firefox installer is always signed.

      Weakest link and all. Scary stuff with recent laws to combat terr'ists like us.

      --
      "Strangers have the best candy" -Me
    34. Re:this has been the case all along by lord_sarpedon · · Score: 5, Informative

      Not if you use https://mail.google.com/ as your login page. Handy trick, but it should be the default.

      --
      "Strangers have the best candy" -Me
    35. Re:this has been the case all along by AcerbusNoir · · Score: 3, Insightful

      The problem always arises when another human is involved.

      Don't humans write the software?

    36. Re:this has been the case all along by Anonymous Coward · · Score: 0

      But how do you swap keys?

      The same way as you swap email addresses? Maybe "mailto:" needs a "?pgp=[your public key]" on it.

    37. Re:this has been the case all along by Coniptor · · Score: 1, Informative

      This only applies to the web based client.
      If you use Thunderbird or any other mail client then the account+domain.tld are in the mail headers as the From: instead of the pseudonym address because you can't log in to the servers with a client unless you use account+hushdomain.tld in which case it IS your From address regardless of whether that's what you want or not. They use postfix and cyrus just like I do but I believe because they are using virtual domains you HAVE to specify your full login account information. So your last point ONLY applies if using the web front end and not a client. THIS REALLY SUCKS!

      So what do you do if you're NOT interested in paying for business class internet connectivity to allow inbound and outbound mail ports for HOME use because you're NOT running a home business!? Without exceeding the cost you're currently paying for Hush's service?

    38. Re:this has been the case all along by profplump · · Score: 3, Interesting

      Really, seriously? You must be uber-leet to spout off 20-year-old propaganda about how the NSA can break anything ever -- the easiest way for them to break your crypto is to convince you it's not worthwhile to do in the first place.

      Now, it's possible that there is some algorithmic flaw in AES or RSA that the NSA has discovered and no one else has noticed. But neither algorithm is something that some no-name math student slapped together and got published, nor was the NSA even vaguely involved in their development, which is where many of the concerns (and FUD) about DES originated.

      And I actually have studied the GPG implementations of both AES and RSA, and verified by hand that their binaries produce the same output as my calculations. I've also studied the primes and nonce selection and padding algorithms and have likewise convinced myself that they are valid. There may be other bugs in the program, but I have satisfied myself that they are not broken in any way that produces known exploits.

      Do you have any specific reason to doubt the algorithmic soundness of RSA or AES, to believe that GPG doesn't have valid implementations, or to believe that the NSA or anyone else has the ability to crack either algorithm in a reasonable amount of time without a flaw in the algorithm or implementation?

    39. Re:this has been the case all along by rawtatoor · · Score: 1

      And don't forget gmail HTML only mode to prevent sending the unencrypted message. Web 1.0 ftw!

    40. Re:this has been the case all along by Free+the+Cowards · · Score: 2, Insightful

      People's perceptions of the NSA tend to be somewhat behind the times.

      Used to be that this idea that they could crack all of your crypto was based somewhat in fact. Back when DES was being developed, the NSA had design input on it but people didn't really understand what their changes did. Decades later, a whole new field of cryptanalysis was discovered (differential cryptanalysis) and, lo and behold, turns out the changes that the NSA made to DES made it resistant to this technique, decades before anybody in academia knew it even existed.

      Much later, SHA-0 was published by the NSA and then quickly withdrawn. SHA-1 was then published a bit later, with one minor change. No real explanation was given. Years later, an attack on SHA-0 was discovered which SHA-1 is resistant to.

      Notice it went from decades to years. Although it's very tough to tell, indications are that the NSA is now just a few years ahead of the state of the art in academia. Back in the 70s they had a radical cryptanalysis technique that nobody else even knew existed, and which no doubt allowed them to crack all kinds of stuff. Today, it's extremely unlikely that they know about any fancy techniques that would work against modern ciphers well enough to actually come up with a practical break.

      Those acres of supercomputers at the NSA aren't doing codebreaking against modern ciphers. They're breaking old ciphers, ones which largely have breaks known to the public, weak implementations of modern ciphers (Debian, I'm talking to you) and they're doing non-codebreaking tasks like traffic analysis, data mining, keyword scanning, etc.

      If you use a good AES implementation to encrypt your communications to Mohammed in Afghanistan, it's a very safe bet that the NSA has no idea what you're saying. But it's also a good bet that they know you're talking to him, unless you've taken extreme care. But "they know" really means that it exists in their big database somewhere, to be called up if anyone ever ends up caring about you, not that your name goes in a personalized report to the director.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    41. Re:this has been the case all along by Toonol · · Score: 1

      'Published Crypto' is going to be far, far safer than any super-secret unpublished crypto you might ever happen across. It's been vetted. Properly encrypted text, using even simple algorithms, is effectively unbreakable with a large enough key. The only way to break it is to find the key by social engineering, or by brute forcing it. There are no secret backdoors the NSA has... that's like claiming the NSA can square a circle with a compass and straightedge. It's a mathematical problem, and it is known that there is no shortcut. The NSA has code breaking computers, true... but the only real advantage they have is speed. Instead of a thousand years, maybe they'll only take months or weeks. Do you think the NSA is going to spend that computer power trying to see what warez you've stolen, or spy on the 'free Tibet' mailing list you're on?

      If you respond, please don't use the phrase 'Zenlike ignorance' again. Use words with meanings.

    42. Re:this has been the case all along by arcade · · Score: 2, Informative

      Really?

      Yes.

      Seriously?

      Yes.

      Really think you're all that l33t using published crypto?

      No, I consider it to be just a regular part of my day.

      Zenlike ignorance. Must be a fucking rush.

      No.

      As another poster skillfully pointed out, unless you write your own encryption and know your OWN code, open/published standards should be considered compromised, especially when talking about our Government (or any other one for that matter).

      Heh. If you write your own encryption, there is a huge possibility that you're pretty *dumb*. Unless you open it so that others, not just your friends, can verify what you've just done. You don't necessarily need to open it to the general public, but you need to open it for review by a bunch of equally good or better cryptanalysts.

      Open/published standards should by no means be considered compromised. Encryption methods NOT opened, which are UNPUBLISHED should be considered compromised. It's a pretty old adage these days that the encryption methods should be open - and the key information should be secret.

      And why on earth do you think that your government is so much smarter than non-government types? It's not like they're superhumans.

      Good old fashioned pen and paper secured by cold steel and lead seemed to secure many a secret for far longer than we've been clicking "encrypt and send"

      Encrypting the data you store away in your cold steel and lead cabinet (or on your own harddrive) would obviously be even more secure.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
    43. Re:this has been the case all along by julesh · · Score: 3, Informative

      IIRC, Hushmail started passing out 'bad' java applets so that they could grab encryption keys.

      No, this is not what they did. If they had changed their applet in order to achieve this, myself and lots of other regular hushmail users would have noticed when we were prompted to approve a new version to execute in our browsers.

      What they did do was introduce a javascript-only version which sends the keys to their servers, and make it an insecure-by-default choice. Anyone not paying attention could have easily uploaded their keys.

    44. Re:this has been the case all along by julesh · · Score: 1

      At this point, it would be nice for some organisation to just start signing PGP keys when you fax them a driving license or something, the equivalent to a CA but for PGP keys, which traditionally needed huge effort to figure out if the key matches the person.

      See, e.g., http://www.verisign.com/authentication/individual-authentication/digital-id/index.html or look for similar services from a CA you trust.

    45. Re:this has been the case all along by hesaigo999ca · · Score: 1

      I think what he meant is on your pc with a PGP type encryption, then upload it into that email repository

    46. Re:this has been the case all along by Anonymous Coward · · Score: 0

      Those acres of supercomputers at the NSA aren't doing codebreaking against modern ciphers. They're breaking old ciphers, ones which largely have breaks known to the public, weak implementations of modern ciphers (Debian, I'm talking to you) and they're doing non-codebreaking tasks like traffic analysis, data mining, keyword scanning, etc.

      ... and multiplying prime numbers, saving the products into huge lookup tables to make factorization easier.

    47. Re:this has been the case all along by everdred · · Score: 1

      It recently became possible to ask Gmail to default to https, albeit on a per-account basis.

    48. Re:this has been the case all along by thetoadwarrior · · Score: 1

      Yes, but a human writes the java app and the other app, so each is just as likely to have problems in the future.

    49. Re:this has been the case all along by Walter+Carver · · Score: 1

      Yes, no man in the middle attacks with SSL, but Google itself still receives your message in plain text.

  3. Simple Answer by fluch · · Score: 4, Insightful

    ...one can't trust encryption if it is done off site. Point.

    If you want your communication secure, encrypt it on your computer which you trust. This is the only way to keep it secure...

    1. Re:Simple Answer by icydog · · Score: 4, Informative

      The whole point of Hushmail's program is that you do it on a computer which you trust. They also offer a version where you send stuff to their servers in plaintext and then they encrypt it for you, which is harder to trust.

      The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.

    2. Re:Simple Answer by Just+Some+Guy · · Score: 4, Insightful

      The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.

      The other problem is that it's not GPG. Honestly, there is no way I'd trust any other file crypto software today. Why should I? GPG is there and works and people use it. Anything else is just rolling dice.

      This is maybe the one area where I don't think there's a lot of room for options. Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim. Putting all of your eggs in one basket is risky, but I'd rather trust one titanium roll cage of a basket than 100 made out of tin foil and rusty nails.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Simple Answer by doublebackslash · · Score: 2, Insightful

      Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim.

      Cryptographic algorithms are difficult to design, but they are documented, implemented, and made publicly available. GPG is not the only secure encryption program out there, it is simply a common and well designed one. RSA and AES encryption libraries are widely available. They are even embedded in the Linux kernel for use by programs that call the openssl library so that the kernel can use its built-in algorithms or offload to a piece of hardware, if it is available. This is, in fact, what GPG does. It calls the openssl library where available and embeds (links) openssl's algorithms where it is not.

      I will, however, grant you the point that in designing a system to properly use the algorithms there are places where developers can go wrong. That is where peer review and open source shine. Anyone can review the program, and in popular projects they often do.

      For a good primer on encryption pick up Bruce Schneier's Applied Cryptography. You can also find a lot of resources online, like Wikipedia, though those articles can get a bit technical. I hope that you can learn that encryption can be utilized by almost any competent programmer, and that it is not the program you should distrust, but rather third parties. That is, after all, the heart of encryption, knowing who and what to trust and giving everyone else hell.

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    4. Re:Simple Answer by Anonymous Coward · · Score: 0

      Beh. All crypto can be broken, with enough time and cycles.

      Better to use a code. Build the codebook, physically bring it to your friend, and do all decoding in pencil on onionskin in the middle of the night with night-vision goggles.

      Because Glops may mean "Attack now!" or "I had a good day!" depending on what the codebook says it does... you want crazy? Add time for coded meaning, encrypt it all anyways, and then code the encrypted bits.

      THAT'S security... and absurdity.

    5. Re:Simple Answer by Just+Some+Guy · · Score: 2, Interesting

      For a good primer on encryption pick up Bruce Schneier's Applied Cryptography. You can also find a lot of resources online, like Wikipedia, though those articles can get a bit technical. I hope that you can learn that encryption can be utilized by almost any competent programmer, and that it is not the program you should distrust, but rather third parties. That is, after all, the heart of encryption, knowing who and what to trust and giving everyone else hell.

      I think you need to re-read it. What I took away from the book is that even if the crypto library is perfect, even good programmers are likely to screw up its usage. For example, see the recent Debian SSH mixup. That guy wasn't an idiot, but made a subtle yet completely fatal mistake.

      No, I don't trust the program. Unless it's been heavily vetted like GPG (or OpenSSL as you mentioned), I assume that it has a subtle vulnerability that makes it worthless. If you don't feel the same, then I doubt whether you actually read "Applied Cryptography".

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:Simple Answer by skeeto · · Score: 1

      Unless you write it yourself using an algorithm so simple that, once tested for correctness, is hard to get wrong. :-)

    7. Re:Simple Answer by Phroggy · · Score: 1

      If you want your communication secure, encrypt it on your computer which you trust. This is the only way to keep it secure...

      Yes, but a "computer which you trust" could include Hushmail's servers. Perhaps that trust is misplaced, but isn't that what we're talking about?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    8. Re:Simple Answer by Anonymous Coward · · Score: 0

      On the other hand, the titanium roll cage sure stands out due to the number of eggs in it. Assuming it's true that encryption is difficult to get right, how do you judge whether the egg owners or the egg seekers drawn to a particular basket have done the better job? Once that basket is compromised, it's compromised for everyone. Maybe it's better to keep low-interest eggs in tin foil after all.

      The former chief scientist of the NSA, Robert Morris, has remarked on the benefits of obfuscation, so it's not just the technically illiterate who see its value. Then again Mr. Morris is known for letting cats lick pudding out of his beard, which, like the rest of his hair, is a rat's nest of impressive disarray. But maybe he's always kept it this way as part of his overall obfuscation strategy, in order to be able to disappear behind a veil of hair and homeless people/mathematicians.

    9. Re:Simple Answer by julesh · · Score: 1

      The other problem is that it's not GPG. Honestly, there is no way I'd trust any other file crypto software today. Why should I? GPG is there and works and people use it.

      There are a lot of reasons to use hushmail over GPG. They may not apply to you. If they don't, then go ahead and use GPG. The reason I use hushmail is that I need to access my email from sites where I don't have permission to install software. Since GPG is therefore impossible for me to use, I use hushmail as a next-best option.

      Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim.

      Bullshit. The requirements of a good cryptography implementation are well known and can be implemented as well as they are in GPG by anybody with a reasonable understanding of the processes involved. Sure, there are pitfalls waiting for the unwary, but they're all well documented if you know where to look.

    10. Re:Simple Answer by Just+Some+Guy · · Score: 1

      Sure, there are pitfalls waiting for the unwary, but they're all well documented if you know where to look.

      That's typically in the source and changelogs of a known-working crypto app, where you get stuff like "this blocks on Sun hardware" or "this fixes a data-exposing race condition on Linux prior to 2.6.14p23". Like another poster suggested, read "Practical Cryptography". It's clearly, obviously, utterly possible to write solid crypto code. In theory. In practice, there are a million and one gotchas that make it extremely difficult to get right.

      --
      Dewey, what part of this looks like authorities should be involved?
  4. faggot by Anonymous Coward · · Score: 0, Insightful

    of course it is.

  5. no encryption that YOU didn't write is safe by TheGratefulNet · · Score: 4, Insightful

    its just that simple.

    unless you can review (and understand) what's going on, line by line, you can't REALLY trust it.

    what is at stake, here? the gov's are at an all-time power-grabbing frenzy for violating your personal privacy. corporate, too, for that matter.

    it was once said that no one would be allowed to sell or market encryption tech that 'the big guys' would not be able to break; meaning our government. I once worked at a picture phone company (mid 80's) that was starting to go down the 'encrypt your video phone call' path (using old switched56 tech) and we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

    believe what you want, but no commercial (or even freeware) encryption that is available to YOU AND I will be worth anything other than 'for show'.

    I fully believe that. you would do well to mistrust your government, too, given how greedy they have become on the rights-grab thing.

    locks only keep honest people out. there is NO WAY to keep the gov out, anymore. and that means that others, too, have backdoors (you think the gov is the only entity that can 'get to' this kind of stuff?)

    anyone who trusts encryption for their life, in this day and age, is deluded.

    --
    "It is now safe to switch off your computer."
    1. Re:no encryption that YOU didn't write is safe by icydog · · Score: 5, Insightful

      And unless you're Bruce Schneier, encryption that you do write probably isn't safe either.

    2. Re:no encryption that YOU didn't write is safe by Iamthecheese · · Score: 4, Interesting

      Several kinds of encryption have been inspected for years by some of the brightest minds in the field. Are you claiming that they are somehow vulnerable as well? RSA, Diffie-Hellman key exchange, 3DES, AES...

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    3. Re:no encryption that YOU didn't write is safe by LighterShadeOfBlack · · Score: 5, Insightful

      Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded.

      I'm sure any major government's capabilities to obtain information are beyond what they are commonly perceived to be, but that does not mean that every encryption scheme is instantly rendered null and void. No one government has control over everyone, so if you think the US government is stifling innovation in America do you also think they're doing the same in Japan, Europe, China, and anywhere else? Or do you think that those governments are all collaborating on this - now that really would be deluded.

      If all available encryption mechanisms were crackable then why would governments have gone to such lengths to try and hinder their development in years gone by - and why would many governments now be trying to attack encryption methods via other means, e.g. the recent British law that makes refusal to give up keys to encrypted material punishable by up to 5 years in prison. Why be the bad guy and make those laws if they're unnecessary anyway? I suppose you could claim it's to try and mask their true abilities, or to play up to the anti-terror idiots, but I don't see that as likely.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    4. Re:no encryption that YOU didn't write is safe by Naughty+Bob · · Score: 2, Insightful

      And unless you're Bruce Schneier, encryption that you do write probably isn't safe either.

      Necessary but not sufficient- You'd also need to be a black-belt in Silicon whittling.

      --
      "Be light, stinging, insolent and melancholy"
    5. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 2, Interesting

      You mean like that incident with Debian recently where some genius commented some lines that were spouting a warning in GnuPG, and it turns out that the keys generated for SSH were MUCH weaker to brute force crack than the usual ones? Yeah, most brilliant minds tend to miss things. Expert worship is a way to get one's self killed or maimed while waiting for the experts to verify that said incident actually COULD cause the maiming or killing to occur.

      Be real... nothing is 100% safe. Your only real safety is to be A) a hardass who takes no shit from anyone.. and B) not play the government's game. Don't ask anything of them, do not answer their questions. Play your game... let the serfs get what they got coming. Not your problem. Not mine either. Fuck'em, they wanted nanny state to exist, now let them live with their beloved papa guv'.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    6. Re:no encryption that YOU didn't write is safe by Cheesey · · Score: 4, Insightful

      We got past this in the 90s; initially they said that all encryption would have to be weak (e.g. 40 bit) or go through their chips (Clipper, etc.). But they found that this didn't stand up to the reality of the WWW era. What worked in the 80s for the few users of encryption at that time simply couldn't scale up for web commerce. Strong encryption was a commercial necessity, so the attempts to control the industry had to be dropped. The export restrictions disappeared, and because DES was now too weak to be useful, the new AES standard was introduced.

      Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Chinese version of the NSA.

      Is quantum computing already being used to crack AES? No. Quantum computing is the cold fusion of our industry.

      --
      >north
      You're an immobile computer, remember?
    7. Re:no encryption that YOU didn't write is safe by AmiMoJo · · Score: 4, Insightful

      believe what you want, but no commercial (or even freeware) encryption that is available to YOU AND I will be worth anything other than 'for show'.

      Truecrypt is freeware (open source) and is secure. In fact, it's more secure than any commercial offering I know of, due to its plausible deniability features. The source is there, it has been examined by experts and you can take a look yourself. Encryption options include both AES and Twofish, both known to be secure.

      Encryption is well understood and researched by academics working in public. Sure, governments have their own secret research, but a lot of very clever people all around the world have been testing AES and Twofish for weaknesses for years and so far have found none. Governments don't have any magical ability to find flaws in encryption that ordinary academics don't.

      Having said that, perhaps if you are Osama Bin Laden you might want to be a little bit paranoid. In theory, with a few billion dollars you could build a machine capable of cracking AES in months. So far there is no evidence such a machine exists, but... Most people don't have to worry about that though, even if they are doing something that could get them in serious trouble - certainly the national police, Interpol or even secret services (MI6/CIA) don't have any chance of breaking AES by brute force. Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:no encryption that YOU didn't write is safe by thomasw_lrd · · Score: 5, Insightful

      The only problem with being a hardass, is that there is always a bigger hardass out there, willing to prove it to you.

    9. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 1, Informative

      While I do believe that many commercial RSA-based encryption algorithms have back doors or are easily breakable, the sheer simplicity of Blowfish leads me to believe otherwise. Sixteen rounds through S-boxes of your own choosing is nigh unto impossible to crack even with a dedicated supercomputer for top-secret 'research' (like Roadrunner).

      While I did not write the source code that I use, I have inspected every last character with full understanding of what it's supposed to do, and I didn't need a PhD from MIT to understand the algorithm.

      Oh, and for the trolls out there, Twofish is supposedly better. It changes keys faster, but I see this as a weakness being that the only known cryptanalysis of *fish is brute force with a few minor optimizations if they know your S-boxes or part of your plaintext.

    10. Re:no encryption that YOU didn't write is safe by djcapelis · · Score: 3, Informative

      >3des is not vulnerable but computer power has
      >passed the point on which an individual could
      >mount an actual attack.

      I believe that would likely be DES you're referring to, not 3DES.

      Whether the NSA can attack 3DES or not is an entirely different matter. But an individual? Not yet. 3DES is about 112 bits of key if you account for meet in the middle.

      DES is ~56 bits and can be cracked in hours with special purpose hardware.

      n Hours * 2^(112-56) = 72057594037927936n hours.

      So... I think it's out of reach for an individual at the moment. Even if we could break DES in minutes...

      --
      I touch computers in naughty places
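      The "112 bits if you account for meet in the middle" figure in the post above is worth seeing in action. The following is an added example, not code from any poster: it builds a constructed toy 16-bit block cipher with a 12-bit key, double-encrypts with two independent keys (24 key bits), and recovers both keys with about 2 x 2^12 cipher operations instead of 2^24, which is the same effect that reduces three-key 3DES from 168 to roughly 112 bits. All names (toy_encrypt, meet_in_the_middle, and so on) are this example's own, and the closing helper just carries djcapelis's n hours x 2^(112-56) arithmetic.

```python
# Added example (not from the thread): the meet-in-the-middle effect on a
# cascade of independent keys, run against a deliberately tiny cipher.
# Toy 4-round Feistel network: 16-bit block, 12-bit key. NOT a real cipher.
from typing import Dict, List, Tuple

KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS
ROUNDS = 4


def _subkeys(key: int) -> List[int]:
    """Derive one 8-bit subkey per round from the 12-bit master key (toy schedule)."""
    return [((key >> (3 * i)) ^ (key * 0x9E)) & 0xFF for i in range(ROUNDS)]


def _f(half: int, sk: int) -> int:
    """Toy round function: add the subkey, rotate left by 3, xor the subkey."""
    x = (half + sk) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return x ^ sk


def toy_encrypt(block: int, key: int) -> int:
    """Encrypt one 16-bit block under a 12-bit key (Feistel, so always a bijection)."""
    left, right = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (left << 8) | right


def toy_decrypt(block: int, key: int) -> int:
    """Invert toy_encrypt by undoing the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _f(left, sk), left
    return (left << 8) | right


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """C = E_k2(E_k1(P)): two independent keys, 24 bits of key material in total."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> Tuple[List[Tuple[int, int]], int]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs of double_encrypt.

    Returns the surviving key pairs and the number of single-cipher operations
    spent in the search phase, to compare with the 2^(2*KEY_BITS) trial
    encryptions a brute-force search of both keys would need. Extra pairs only
    filter chance collisions; the search is done once on the first pair.
    """
    p0, c0 = pairs[0]
    ops = 0
    # Forward half: E_k1(P) for every k1, indexed by the middle value.
    middle: Dict[int, List[int]] = {}
    for k1 in range(KEY_SPACE):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
        ops += 1
    # Backward half: D_k2(C) for every k2; a table hit "meets in the middle".
    candidates: List[Tuple[int, int]] = []
    for k2 in range(KEY_SPACE):
        m = toy_decrypt(c0, k2)
        ops += 1
        for k1 in middle.get(m, []):
            # Check the remaining pairs to discard false positives.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


def mitm_effective_bits(single_key_bits: int, stages: int) -> int:
    """Effective strength of a cascade of `stages` independent keys against
    meet-in-the-middle: the table cancels one stage's worth of key bits.
    Constant factors ignored, as in the post: 3 x 56-bit keys -> 112 bits."""
    if stages < 2:
        raise ValueError("a cascade needs at least two stages")
    return single_key_bits * (stages - 1)


def hours_to_break_3des(des_hours: float) -> float:
    """djcapelis's arithmetic: n hours per DES key times 2^(112-56)."""
    return des_hours * 2 ** (mitm_effective_bits(56, 3) - 56)


if __name__ == "__main__":
    # Constructed sample keys and known plaintexts (any 12-bit / 16-bit values work).
    k1, k2 = 0x5A3, 0xC17
    known = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(known)
    print(f"recovered {[(hex(a), hex(b)) for a, b in found]} with {ops} cipher ops "
          f"(brute force: {1 << (2 * KEY_BITS)})")
    print(f"3DES effective bits: {mitm_effective_bits(56, 3)}; "
          f"1 DES-hour -> {hours_to_break_3des(1)} hours for 3DES")
```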
    11. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 5, Insightful

      Rules for dealing with government are simple. Do not get involved in their business, do not play their games, do not volunteer anything, do not agree to anything, do not play with them, or for them. Once you do, your ass is theirs. They own you, with your consent at that.

      By the same principle, don't fuck around, don't trespass, don't steal, and don't be a crook. Learn the law VERY carefully, keep a copy of Black's Law Dictionary (I think 6th edition is out now) in several different versions. Look up innocent looking terms and verbs in forms. DO NOT consent to anything period. Sign nothing. Be sure you know what is "your name" and what is what someone may call you. Practice your rights. Yes... all of them. A right practiced doesn't need to be infringed, because you already don't have it.

      Be very suspicious not of your neighbors but of men in "special" uniforms or funny hats that supposedly give them power over you. Don't let strangers into the house. Homeschool your kids and do a good job; history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important. Those with kids who choose to be politically active are extra vulnerable, since kids are the ultimate Achilles Heel.

      Never ever trust strangers. Trust people in uniforms even less. Never ever get into a stranger's car, despite what you see in the movies. If they want to talk to you, they can get into yours. If you are confronted by a "friend from high school" and like most average people you can't remember who you met yesterday, nevermind back then, look behind you, you're probably about to get cattle prodded in the back and shoved into a van.

      These were simple coping strategies for those who were not average plebeians and who survived the cullings of communism. I lost relatives who were educated, men I could've learned much from. I never met them because they were taught that self defense was for cops and soldiers. And when the king's men were gone, and the cops were coopted to communism... there was nobody to protect the smart, educated, "civilized" (i.e. willingly helpless) men from the cleansings. The ones who weren't "lifted" and sent off to Siberia, were enrolled into a front line regiment and given crap gear and no real training. Very few returned, most scarred for life. All I saw of them while growing up were pictures over mantelpieces. Grandmothers mourning long lost brothers or maimed cousins. That is the fate of the helpless of those who depend on others for their protection...

      And what governments are preparing today, the police states being built now, they are so much more insidious, in that they're so much better concealed behind "feel good" intentions and bullshit propaganda about "the good of man". Oh well, fools get what they deserve. There's no stopping it at this point, fools gave up that chance a long time ago. All one can do now is get out of the way and let the Leviathan leap off the cliff with all the fools aboard. Watch the splatter and feel not sorry... they laid their own beds. Trying to save the stupid from their stupidity is what got the world into its sorry state in the first place. The stupid should have been permitted to perish, and Darwin should've been allowed to have his laugh. Instead the stupid were forced to live against their best attempts, so they outbred those who merited survival and to thrive.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    12. Re:no encryption that YOU didn't write is safe by Breakfast+Pants · · Score: 2, Insightful

      It doesn't have to be anywhere near that elaborate: just assume lawmakers have about the same level of information as us, so they think (rightfully I believe) that encryption is sound, and therefore they need that law.

      --
      WHO ATE MY BREAKFAST PANTS?
    13. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 0, Offtopic

      And what does a total weakling prove? That even those who aren't hardasses can walk all over him? I've known a few when I was in high school. Their girlfriends slept with everyone but them. They were the "nice guys". I even tried being one for awhile. Very depressing existence. I think those who enjoy it, deserve it... and all that comes with it.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    14. Re:no encryption that YOU didn't write is safe by hacker · · Score: 3, Insightful

      "Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded."

      ...and those who think they're the top in their field, are regularly and quickly shown up by those who are smarter than themselves. Just remember that for every person you're beating in any field (math, basketball, chess, whatever), there are people out there MUCH smarter, faster, better than you are.

      Just because one brilliant researcher publicly puts his stamp of approval on an algorithm, does not mean that any government doesn't have a team of similarly-brilliant researchers poking holes in that algorithm that are never made public.

    15. Re:no encryption that YOU didn't write is safe by quitte · · Score: 4, Funny

      Sarah Connor? Is that you?

    16. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 2, Interesting

      ...Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

      But people who don't hand over their laptops and their encryption keys to DHS are terrorists! Right?

    17. Re:no encryption that YOU didn't write is safe by Nikker · · Score: 2, Insightful

      If minds alone are the root that provides the fruit then isn't it curious that governments harvest and continually employ a majority of these?

      If this is the fruit we see and share what type of fruit do they eat?

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    18. Re:no encryption that YOU didn't write is safe by roguetrick · · Score: 0, Flamebait

      You're one sad, scared little dude, chest puffing on slashdot.

      --
      -The world would be a better place if everyone had a hoverboard
    19. Re:no encryption that YOU didn't write is safe by LighterShadeOfBlack · · Score: 2, Insightful

      Yes, but that goes both ways. For every brilliant person who chooses to work for the government there is another that chooses to work commercially or academically. Which is why I believe it's highly unlikely that the government could be so far ahead of the curve as the GP suggests. That is unless they were actively hindering those who work outside of the government, in which case I'd find it very difficult to believe that such efforts would be unknown.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    20. Re:no encryption that YOU didn't write is safe by ScrewMaster · · Score: 1

      Homeschool your kids and do a good job; history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important.

      Mr. Heinlein, is that you?

      Not that I can find much to dispute about your post.

      --
      The higher the technology, the sharper that two-edged sword.
    21. Re:no encryption that YOU didn't write is safe by shaitand · · Score: 4, Funny

      If the brilliant minds missed it, how is it you know about it?

    22. Re:no encryption that YOU didn't write is safe by djdavetrouble · · Score: 3, Funny

      Obviously you've never seen 24 and that room full of awesome computer at CTU HQ,
      and Jack Bauer's cell phone that works EVERYWHERE.

      I mean all that stuff is real, its basically a documentary.

      All it takes is one determined tow headed ex special forces DUDE with a license to ill,
      and your whole encryption thingy comes tumbling down.

      --
      music lover since 1969
    23. Re:no encryption that YOU didn't write is safe by Lincolnshire+Poacher · · Score: 4, Informative

      > where some genius commented some lines that were spouting a warning in GnuPG

      Point 1:

      No-one changed anything in GnuPG. Valgrind issued warnings regarding OpenSSL which resulted in some unfortunate changes in one distro of one OS.

      GnuPG and OpenSSL are entirely discrete projects, please don't confuse people with supposition and half-truths.

      Point 2:

      Neither you nor I can write a robust encryption algorithm. On the contrary, Rijndael and Twofish have been published in the wild now for eight years and no-one has demonstrated a weakness. If the former is acceptable as AES for US Government crypto then it is secure enough for the rest of us. Even if we assume that the NSA is 20 years ahead of the field in mathematics, if you're not dealing with the NSA then you've got 20 years lead time before Company-X can crack your files.

    24. Re:no encryption that YOU didn't write is safe by trewornan · · Score: 2, Interesting

      Governments don't have any magical ability to find flaws in encryption that ordinary academics don't

      But they do have lots of academics, and often some of the very best. Case in point: the NSA discovered differential cryptanalysis years before anyone else (that we know of) and was aware that several commercially important algorithms were susceptible.

    25. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Sarah Connor? Is that you?

      T-1000-in-cop-uniform: "Are you John Galt?"

    26. Re:no encryption that YOU didn't write is safe by Lincolnshire+Poacher · · Score: 1

      > Sixteen rounds through S-boxes of your own choosing is nigh unto impossible to crack even with a dedicated supercomputer

      Err, actually that's a particularly BAD thing. Random selection of S-box values can lead to differential cryptanalysis vulnerabilities. For example, IBM's original arbitrary values for Lucifer's S-boxes were corrected by the NSA prior to adoption as DES.

      Nothing in cryptography comes down to chance.

    27. Re:no encryption that YOU didn't write is safe by turbidostato · · Score: 1

      "You mean like that incident with Debian recently where some genius commented some lines"

      You seem to forget that:
      a) It was an implementation problem, not one with the algorithm.
      b) The problem was discovered *and* already corrected.

      Both things quite far from "government conspiranoids".

    28. Re:no encryption that YOU didn't write is safe by mccabem · · Score: 2, Interesting

      if I may:

      "Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Boogey Man."

    29. Re:no encryption that YOU didn't write is safe by jd · · Score: 3, Interesting

      Upgrade the EFF's DES cracker to modern processors or GPU cores (whichever would be better at cracking DES), and decryption times of a few minutes would be realistically achievable. Depending on how efficient their code was (e.g. could it fit entirely into L2, with data?), there may be room for improvement there. Add in superior cooling and overclocking techniques, you can probably get another 10-20% speedup. So if you really wanted, you could probably crack DES in under a minute, using off-the-shelf components. Triple DES is many orders of magnitude harder; I know of no machines currently out there that could make a serious dent in it. You'd need to find a weakness caused by how the DES algorithms interacted to mount a serious challenge using today's technology.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    30. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 1

      Because as we all know, the answer everyone should give is "Yes, I am John Galt."

      LOL

      Nice one.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    31. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 2, Insightful

      Brilliant minds hear so much praise that they forget they fuck up just like anyone else.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    32. Re:no encryption that YOU didn't write is safe by Jerry+Coffin · · Score: 2, Insightful

      Truecrypt is freeware (open source) and is secure. In fact, it's more secure than any commercial offering I know of, due to its plausible deniability features. The source is there, it has been examined by experts and you can take a look yourself. Encryption options include both AES and Twofish, both known to be secure.

They're not "known to be secure". They're simply not known to be insecure.

      One of the basic problems in cryptography is that security is essentially impossible to prove -- about the best you can hope for is to prove that if X is true, then Y is also true, and Y implies that this algorithm is difficult to attack in some specific way.

      To give a concrete example, RSA encryption is based (as most people already know) on publishing a key that's (basically) the product of a couple of large prime numbers (which are not published separately). It's pretty easy to say that RSA is secure against an attack based on factoring if and only if factoring is sufficiently difficult. It's possible, however, that a much easier/faster algorithm for factoring could exist -- nobody knows for sure.

      There's also the possibility of attacking RSA encryption in other ways. Even though factoring the public key is an obvious route, there may be entirely unrelated attacks. For example, Seifert invented an attack on RSA-based digital signatures that does not involve factoring the public key at all (though the attack does have some requirements that aren't necessarily easy to meet).

      The same general idea is true with most symmetric encryption algorithms, but the proofs involved are much more difficult to reduce to something easy to explain in a short post -- they mostly involve group theory that even people who major in things like math or CS never study (at least in any detail).

      In the case of AES, there is a type of algebraic attack (XSL) that's never been proved to work, but shows reasonable promise. In particular, it has been shown to work against what are basically reduced versions of AES, which is usually a strong clue that an attack against the full cipher may work as well (though making it work isn't necessarily easy, of course).

      In theory, with a few billion dollars you could build a machine capable of cracking AES in months.

      I'm not at all sure that's true. For it to be true, there would have to be an attack that was substantially faster than simply exhausting the key space. If somebody can make something like XSL work, breakage might even be a lot easier than that. An attack based on trying every possible key, however, is completely out of the question. There's not enough silicon in the solar system to build enough cipher engines to do the job before the sun has become a red dwarf. In fact, it's open to question whether there's enough matter/energy in the universe to do the job before the universe is in heat death.

      --
      The universe is a figment of its own imagination.
    33. Re:no encryption that YOU didn't write is safe by djcapelis · · Score: 1

      Err.. no L2 cache in this type of specially built hardware. All done directly in hardware. COPACOBANA replicated it all in FPGAs for a few thousand dollars. You don't use generic cores of any sort for this type of thing GPU or not.

      You have to remember that Deepcrack was a custom built ASIC specifically designed just for cracking DES as fast as possible. They clocked it as far as they could. These things aren't like normal processors.

      Anyways, yes, even if we could brute-force DES in under a second, brute forcing 3DES would still take centuries.

      --
      I touch computers in naughty places
    34. Re:no encryption that YOU didn't write is safe by MostAwesomeDude · · Score: 1

      Having said that, perhaps if you are Osama Bin Laden you might want to be a little bit paranoid. In theory, with a few billion dollars you could build a machine capable of cracking AES in months. So far there is no evidence such a machine exists, but...

      In theory, not practice. 256-bit AES simply isn't crackable at full strength; we'll need to find some weaknesses first.

Serpent and Blowfish offer the same kind of protection, too, although ostensibly the government doesn't consider them as secure despite supporting longer key lengths.

      --
      ~ C.
    35. Re:no encryption that YOU didn't write is safe by Beryllium+Sphere(tm) · · Score: 1

      >In theory, with a few billion dollars you could build a machine capable of cracking AES in months

      2**256 is a bigger number than that. Run some order-of-magnitude calculations assuming you can turn the entire universe into a computer and see how long it would take to get through half an AES keyspace even assuming some mathematical breakthroughs that give you a work factor reduction.

    36. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 1, Insightful

      Bingo. So long as you make sure never to invent something the NSA might have interest in, like you know, solving the world hunger or fuel problems. Should you be unfortunate to do so, you will be silenced... otherwise you would shift the paradigm and it would cause a lot of thugs and intelligence people to go unemployed, without purpose in life. Professional voyeurs and killers don't like that, you know.

      So if you come up with nothing inventive, you don't have to worry. If you do, tough shit for you. The scarcity paradigm is wonderful, so I personally hope that nobody stumbles onto a new idea in my lifetime. The stupid don't deserve free goodies.

      People deserve the government they vote for, and they deserve to get it good and hard. (Ye gods I love that quote.) I seem to recall that international espionage was used mostly to acquire business secrets, and steal pending patent work... it was done by Americans, Brits, Russians and Chinese. From Echelon to whatever the hell they're using now. The excuse is "terrorism" the truth is theft... pure outright idea theft. The only reason Piracy concerns them is because some clever geek might steal from them what they've already stolen from others.

      Why am I not worried? Because I gave up on any dreams of changing the world. See once you get out of school, you can go directly into the workforce, or go into a family business or start your own... That gives you some time to observe people, and society, and learn what you don't learn in the 9 to 5 life. I've no reason to risk my ass even if I COULD change the world... the people of the world don't deserve the sacrifice of even a single sane man.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    37. Re:no encryption that YOU didn't write is safe by DancesWithBlowTorch · · Score: 3, Insightful

      Quantum computing is the cold fusion of our industry.

      I assume you are implying that Quantum Computing does not have any sound physical validity, will never work, and is only backed by scientists with questionable track records.

      I disagree. Quantum Computing is the hot Fusion Energy of your industry: It is much more complex than most people understand, it takes much longer to pull off than most people think, and it will take much longer to arrive than most people expect. But it has a sound theoretical foundation and is, at this point, purely a (very hard) engineering challenge, rather than pure conjecture, mixed with a few highly questionable experimental results.

    38. Re:no encryption that YOU didn't write is safe by Jerry+Coffin · · Score: 1

      I believe that would likely be DES you're referring to, not 3DES.

      You're probably right, but technically it's still wrong. To clarify: DES stands for the "Data Encryption Standard". It was originally published in FIPS 161. That was later replaced by FIPS 161-1 and FIPS 161-2, both of which were essentially unchanged.

      That, however, was then replaced by FIPS 161-3 -- which has a major change. In particular, as of FIPS 161-3, the standard requires three applications of the algorithm (EDE, in case you care) -- i.e. what most of us think of as triple-DES or 3DES.

      --
      The universe is a figment of its own imagination.
    39. Re:no encryption that YOU didn't write is safe by djcapelis · · Score: 1

      >You're probably right, but technically it's
      >still wrong.

Actually, if you refer to DES as DES in a scientific paper, no one will complain even a little bit. I don't know what technical definition you're using, but it doesn't exist in any of the main cryptographic research or scientific communities I've been exposed to.

I'm all for being pedantic, but let's be pedantic in a manner which also reflects the idea that sometimes meanings change; you should use the proper meaning for the present date, not an archaic one.

      DES is DES, 3DES is 3DES and Rijndael is AES.

      This is all very well understood by anyone actually in the field. By "correcting" people who say DES and implying that 3DES is technically now known as DES because of a succession of FIPS from NIST, you're probably causing more harm than good.

      --
      I touch computers in naughty places
    40. Re:no encryption that YOU didn't write is safe by schon · · Score: 2, Insightful

      that incident with Debian recently [...] most brilliant minds tend to miss things.

      Sorry, but the person who did that was *not* brilliant, by any stretch of the imagination.

      Unless you're trying to tell us that Whitfield Diffie, Adi Shamir, or Leonard Adelman personally signed-off on the Debian packages, in which case I'd challenge you to provide a link.

Attempting to draw parallels between actual cryptographers who have created state-of-the-art cryptography, and some numbnuts who doesn't actually understand what he's doing is really, really poor logic.

      If the Debian fiasco is the best example you have to prove your point, I'd say that you've pretty much admitted you're wrong.

    41. Re:no encryption that YOU didn't write is safe by Jerry+Coffin · · Score: 3, Informative
The NSA (among others) does actively hinder research on cryptography outside the government, and those efforts are fairly well known. For example, although the limits on things like key size have been raised, there are still controls on the export of some types of cryptography. They have attempted (at times) to apply these to publications that should clearly have been immune to it, such as a researcher publishing information about an algorithm, rather than attempting to export a working system.

      It's also NOT necessarily true that for every brilliant person in the government, there's another who works elsewhere, at least specifically on cryptography. In particular, the NSA is one the largest employers of mathematicians on earth. Most other employers who hire mathematicians have other jobs for them to do, so most of their time is occupied with other problems. By contrast, the NSA can (apparently) afford to hire quite a few who are allowed to concentrate entirely on cryptology.

      Given the secrecy of the NSA in general, it's essentially impossible to come up with numbers that are either exact or concrete, but it certainly seems possible and reasonable that government agencies (in general) could have considerably more time and effort to devote to this subject than the entire rest of the world.

My feeling, however, is that the gap has been narrowing for quite a while now. From the design of DES, it appears that the NSA was aware of differential cryptanalysis (but not linear cryptanalysis) at that time; it became publicly known quite a bit later. As for AES, however, the rest of the world has caught up to the point that AES can be used on DOD Secret data, and the variants with 192- and 256-bit keys are certified for DOD Top Secret data.

      --
      The universe is a figment of its own imagination.
    42. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 1

      I never said government conspiracy, someone else corrected me, yes it was SSH, not GPG... pardon me for that. Yes it was implementation. We're talking about "brilliant people" making utterly reliable software. obviously even a perfect algorithm can be FUBAR'ed by someone commenting out a line in the encrypting program that uses the algorithm. Obviously brilliant people (since IMHO the CVS maintainers are quite brilliant people) do fuck up, and their fuckups, can REALLY cost you, just like Microsoft fuckups really cost lots of paying customers each time. Difference is the mistakes in the OSS side are to be found. Easier... before the victims line up. For that and for accepting that they make mistakes and fixing them, I commend them. I recall the fixed code/executable were available less than a week later.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    43. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

Holy freaking tinfoil hat! Or maybe the poster above me has an entire tinfoil radome surrounding the immediate 10 feet around him?

    44. Re:no encryption that YOU didn't write is safe by not_hylas(+) · · Score: 1

      its just that simple.

      unless you can review (and understand) what's going on, line by line, you can't REALLY trust it.

      what is at stake, here? the gov's are at an all-time power-grabbing frenzy for violating your personal privacy. corporate, too, for that matter.

      it was once said that no one would be allowed to sell or market encryption tech that 'the big guys' would not be able to break; meaning our government. I once worked at a picture phone company (mid 80's) that was starting to go down the 'encrypt your video phone call' path (using old switched56 tech) and we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

believe what you want, but no commercial (or even freeware) encryption that is available to YOU AND I will be worth anything other than 'for show'.

      I fully believe that. you would do well to mistrust your government, too, given how greedy they have become on the rights-grab thing.

      locks only keep honest people out. there is NO WAY to keep the gov out, anymore. and that means that others, too, have backdoors (you think the gov is the only entity that can 'get to' this kind of stuff?)

      anyone who trusts encryption for their life, in this day and age, is deluded.

      1st question: Is Hushmail even safe to use anymore?"

      Short answer: no

      Comment from "TheGratefulNet ":

      Amen Brother.

      Does this look like a .sig answer file to you?

      [WON'T DISPLAY]

      (I hit preview and everything below it disappears except the first letter - typical)

      From: PGPDesktop983.dmg.sig, for PGPDesktop983.dmg.

      Feeling it yet?

      Ex Machina- Subversion Hack of 2005:
I've been alluding to this ^ ^ problem for awhile, someone else has surfaced with remarkably similar complaints.

      https://tagmeme.com/exmachina/a/002450.html

      https://tagmeme.com/index.html

      Hidden text: really, it's there, honest.

      --
      ~hylas
    45. Re:no encryption that YOU didn't write is safe by HiThere · · Score: 3, Insightful

      Well, a rising ocean drowns all seacoasts.

      You may not care what happens to the world, but what happens to the world WILL affect YOU.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    46. Re:no encryption that YOU didn't write is safe by Literaphile · · Score: 1

      Are you kidding me?

    47. Re:no encryption that YOU didn't write is safe by HiThere · · Score: 1

      Quantum computing is NOT the cold fusion of our industry. The fusion, perhaps. It may be just too technically difficult to implement except in an extremely trivial manner. But that kind of barrier does tend to fall in time. And unexpectedly.

      I expect us to go from "20 years to fusion" to "fusion whenever we decide to build it" in one day.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    48. Re:no encryption that YOU didn't write is safe by AmiMoJo · · Score: 1

It's true that on occasion a government will discover some cryptographic attack before the rest of the world, but there are a few important things to remember. Firstly, it is unlikely that AES will be "broken" in any significant way - i.e. to the point where it can be cracked by the resources available to most law enforcement, secret service or government organisations. As I said, given enough money even AES can be broken in months or years, that the rapid progress of computers seems to be much more of a threat than potential cryptanalysis. Many governments and militaries, including the US, trust it enough to use it for their most secret information, so presumably they agree with this conclusion.

Secondly, even if they do know how to do it, if they use that knowledge there is always a danger of it becoming public. We have secret evidence in trials here now, unfortunately, but if they broke a strong password in what seems like an unfeasible amount of time, it would send signals to the world that they know something we don't. This actually happened recently when the US cracked encryption on weapons plans being sold on the black market. A few years since finding and decrypting the plans passed, so either they spent a few billion on a supercomputer to do it or someone used a poor password. The former seems more likely.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    49. Re:no encryption that YOU didn't write is safe by tacarat · · Score: 1

      Anyways, yes, even if we could brute-force DES in under a second, brute forcing 3DES would still take centuries.

One of the major weaknesses for any security system is the overestimation of its abilities by the user or seller. It might take a couple of centuries to brute force every possible key for a message, but you'll stop once you find it.

      Weak passphrases greatly contribute to this, but in the end one should consider all methods of encryption and security to be nothing more than a stalling tactic. The question you need to ask yourself is what the minimum amount of time you need an attacker to be held off and what level of resources they have to dedicate to you. For folks that aren't being directly targeted most of this conversation is academic. For folks with something real to hide, perhaps protection from corporate espionage and the like, then consider something that should last at least until product launch if attacked by a company that would allocate slightly less resources than it would take to do the project themselves.

      --
      "Common sense will be the death of us all"
    50. Re:no encryption that YOU didn't write is safe by AmiMoJo · · Score: 1

      I'm not at all sure that's true. For it to be true, there would have to be an attack that was substantially faster than simply exhausting the key space. If somebody can make something like XSL work, breakage might even be a lot easier than that. An attack based on trying every possible key, however, is completely out of the question. There's not enough silicon in the solar system to build enough cipher engines to do the job before the sun has become a red dwarf. In fact, it's open to question whether there's enough matter/energy in the universe to do the job before the universe is in heat death.

      You are assuming that you are going to try every possible key, but there is no need. All you need to do is try every possible password that can be typed on a computer keyboard. Okay, Truecrypt allows you to use keyfiles to prevent this, but a lot of software does not and by default neither does Truecrypt. Long passwords help a lot of course, but even so...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    51. Re:no encryption that YOU didn't write is safe by djcapelis · · Score: 1

      Well yes. Anyone who wasn't aware that the discussion we were having in this thread was an academic one that doesn't take into account a real threat model needs their brain checked.

You'll notice I very clearly said "brute forcing" everywhere, not "breaking." Naturally cryptosystems are much easier to break than it is to brute force the underlying algorithms.

      --
      I touch computers in naughty places
    52. Re:no encryption that YOU didn't write is safe by jimicus · · Score: 2, Insightful

Holy freaking tinfoil hat! Or maybe the poster above me has an entire tinfoil radome surrounding the immediate 10 feet around him?

      There are plenty of countries in Eastern Europe and Western Asia full of people who haven't forgotten a repressive government and what it can do when it's sufficiently organised.

      For all we know, DaedalusHKX may come from one such country - and history tends to repeat itself partly because humans as a race are very bad at learning from it.

    53. Re:no encryption that YOU didn't write is safe by Jerry+Coffin · · Score: 1

      You are assuming that you are going to try every possible key, but there is no need. All you need to do is try every possible password that can be typed on a computer keyboard.

      There's little essential difference between the two -- most systems allow you to enter nearly any random character from the keyboard. For example, under Windows, you can use [alt]0xxx to enter arbitrary characters (e.g: ÃÃ), or you can (for most programs) choose and paste them from the "character map" utility. In the end, you simply need to ensure you've entered enough entropy -- and, of course, the more predictable that data is, the more you have to enter to achieve enough entropy.

I tend to agree with what I think you're saying though: most people, most of the time, probably use passwords that are small and predictable enough that they're a lot easier to break than the algorithm with which they're typically used. Poor passwords, however, are a lot simpler for most people to fix than poor algorithms. The problem is that "simple" does not imply "easy" -- it's trivial to tell people that each important password should be unique and unpredictable. Without something like a smart-card to store passwords, however, it's a lot harder to get people to really do it in practice though...

      --
      The universe is a figment of its own imagination.
    54. Re:no encryption that YOU didn't write is safe by tacarat · · Score: 1

      Well, yes and no. The real threat model is still needed academically to spin it off into other areas such as "how big of a botnet do I need to rent to break my cheating spouse's encrypted email" sort of thing.

      --
      "Common sense will be the death of us all"
    55. Re:no encryption that YOU didn't write is safe by djcapelis · · Score: 2, Informative

      Not really. If you even glanced at the size of the integer involved you'd quickly see the answer is "too large." This isn't even in the range of "throw more hardware at it."

      Which I think, was my point. :)

      Brute forcing 3DES is not effective at this point in time.

      Unless you're talking about DES, in which case you can get your own little box to do it for under 10,000 and it's entirely trivial.

Neither DES nor 3DES is at a point where the problem of brute forcing them is interesting at the present time. DES because it's too easy and 3DES because it's too hard.

      Anyways... :)

      --
      I touch computers in naughty places
    56. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 3, Interesting

      *chuckle*

      Yep, check some of my past posts. I actually do. I got to spend a dozen or so of my formative years in such a lovely "democracy" as it was. Very easy to spot this stuff growing here. Most Americans I talk to say "it'd never happen here, we'd vote them out of office long before that."

      Hah... kinda how they voted Lincoln out of office for violating his oath (regardless his views on slavery or the independence of the southern states, he violated an oath he took that had his life as remedy for violation, execution was the price of treason to that oath)... or how they voted Wilson out for taking them into the war despite having gotten elected solely on his promise to "keep us out of the war" ?

      My folks came here with me and built a business from scratch, amidst "go back where you came from" idiocies and "they came to take jobs away from Americans" stupidity. Hell we all built businesses as time went on and GAVE jobs to Americans. Many of whom were proven to not deserve them. Some of whom even cost us in the price of citations for their own negligence or laziness. Finding good people was very hard. Eventually we all retired... and I can tell you it wasn't soon enough, IMHO.

      Some of the stupidest people I've ever met were here. Provide them with a good job and high pay, and they make fun of your origins or slack off when you're not around. None of them think... "hey, if this foreigner goes out of business, my 17 bucks an hour are out and I go back to the regular payscale of 15 tops! and no chance at a raise!"

      So yes, I reserve the right to be quite pissed looking at Americans, as some of the most materially blessed people in history, and some of the stupidest fools to ever have lived. I view the immigrants the same way. All of them were given a nation like no other, codified protection for quite a few important rights. And what do they do? They bring that nanny state shit with them from abroad, and as if they couldn't get it, raise it on a pedestal as if it was not the same damn thing they had fled from just a few years before. Mine were different, but only because they built businesses and learned that government was nobody's friend. Not even the handout seekers. It won't be too long now... one good economical crash, and one loud cry for help from the stupid ones... and down the drain it all goes... clampdown and all. Man it'll be worth watching the stupid finally get theirs, just like I'm sure the Titanic was worth watching sink.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    57. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 1

      You don't know how to sail or fish, do you?

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    58. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Wow, your e-penis must be huge. Be careful, you might poke your eye out with that thing.

    59. Re:no encryption that YOU didn't write is safe by unger · · Score: 1

      On Sunday August 03, @08:48AM, AmiMoJo wrote:

      Truecrypt['s] . . . source . . . has been examined by experts

      from where are you getting this information?

      no independent cryptographer has ever publicly stated that they have performed an audit of truecrypt's source, iirc.

    60. Re:no encryption that YOU didn't write is safe by thomasw_lrd · · Score: 1

      Being a weakling doesn't help anything either. Just no matter how great you are, somebody is always going to be better.

    61. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 2, Insightful

I keep enjoying the fact that some quote the bible to me on this issue... you didn't, and that's good... but they often quote "and the weak shall inherit the earth"... anyone notice it says "the meek" and not "the weak" in the actual texts (English ones)? There is a difference. Meek means more to the tune of, you can be strong as hell, you just don't go and kick the neighbor's door in for no reason at all except that you can. The weak inheriting the earth makes sense... because that's where the weak majority always get buried in mass graves when the strong minority and their willing enforcers get done with them. However the meek inheriting the earth is a simple logic. The not so meek will fight each other and kill each other off while they also massacre the weak as they always do. The strong and wise who are meek will step back and let the fools kill each other and only retaliate against those who draw close and start a fight... otherwise they stay clear. In the end, after all the idiots have slaughtered each other, the meek are left to enjoy the remains... if a smouldering ruin is "enjoyable" of course.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    62. Re:no encryption that YOU didn't write is safe by jimicus · · Score: 1

      Man it'll be worth watching the stupid finally get theirs, just like I'm sure the Titanic was worth watching sink.

      Apart from the knowledge that there were still hundreds of innocent people on board going to their deaths, maybe.

      In any case, you wouldn't want to have been on it when it did.

    63. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0
      a hardass who takes no shit from anyone.

      Reminds me, were you able to convince your Mom that Cherry Pop-Tarts aren't something dirty, or are you still stuck with Cinnamon flavor?

    64. Re:no encryption that YOU didn't write is safe by dk.r*nger · · Score: 1

Several kinds of encryption have been inspected for years by some of the brightest minds in the field. Are you claiming that they are somehow vulnerable as well?

      From the Bruce Schneier article, The Legacy of DES:

      So, how good is the NSA at cryptography? They're certainly better than the academic world. They have more mathematicians working on the problems, they've been working on them longer, and they have access to everything published in the academic world, while they don't have to make their own results public. But are they a year ahead of the state of the art? Five years? A decade? No one knows.

      It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art.

      The article also states that the mentioned tweaks to the DES (NSA basically called up and said, "Your algorithm is wrong. Do this, I'm not saying why, and you can't say I called. Cheers.") pioneered the entire field of cryptanalysis, so the gap may very well have narrowed, but for the sake of being paranoid, I'd rather stick with believing that the US government can read what I write.

      Want to be safe? Burn up a stack of DVDs with atmospheric static, and use those as one-time pads. They may be able to break RSA, but they are not above the laws of mathematics.

    65. Re:no encryption that YOU didn't write is safe by AmiMoJo · · Score: 1
      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    66. Re:no encryption that YOU didn't write is safe by gnud · · Score: 1

Well, I made this genius encryption scheme. It's so efficient, and totally hard to guess!

      Think I'm gonna call it wheel-13 or 13rotate. Not sure which yet.

    67. Re:no encryption that YOU didn't write is safe by unger · · Score: 1
      On Sunday August 03, @03:10PM, AmiMoJo wrote:

      http://yro.slashdot.org/article.pl?sid=08/07/17/2043248

      this research was specifically directed at analyzing truecrypt's deniable file system technology--which did *not* include an analysis of the truecrypt's crypto algorithms.

      the researchers went out of their way to point this out. from their research paper:
      "We do not describe the details of the TrueCrypt encryption and decryption algorithms since we (largely) treat TrueCrypt as a black box."

      i'm frankly surprised at the degree to which truecrypt has been accepted given the lack of an independent review.

    68. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Even with all the money in the world it is impossible to brute force an AES key. It's been said that it will take more than the total yearly solar output (much more) in energy, to just count to 2^256 using an IDEAL computer (ideal meaning, it is the thermodynamically best computer possible).
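
The energy bound behind that claim, as an added worked calculation that is not part of the post (assumptions: Landauer's limit at T = 300 K, the present solar luminosity, and counting only the state changes of a 256-bit counter, not the work of actually testing each key):

\[ E_{\min} = k T \ln 2 \approx 1.38\times10^{-23}\,\mathrm{J/K}\times 300\,\mathrm{K}\times 0.693 \approx 2.9\times10^{-21}\,\mathrm{J} \quad\text{(per irreversible bit change)} \]

\[ E_{\text{count}} \ge 2^{256}\, E_{\min} \approx 1.16\times10^{77}\times 2.9\times10^{-21}\,\mathrm{J} \approx 3.3\times10^{56}\,\mathrm{J} \]

\[ E_{\odot,\text{yr}} = L_\odot \times 1\,\mathrm{yr} \approx 3.8\times10^{26}\,\mathrm{W}\times 3.16\times10^{7}\,\mathrm{s} \approx 1.2\times10^{34}\,\mathrm{J} \]

\[ \frac{E_{\text{count}}}{E_{\odot,\text{yr}}} \approx \frac{3.3\times10^{56}}{1.2\times10^{34}} \approx 2.8\times10^{22}\ \text{years of the Sun's entire output} \]

Running the counter at the 2.7 K of the cosmic background instead of room temperature only lowers the figure by a factor of about 100, so the conclusion does not depend on the temperature assumption.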

    69. Re:no encryption that YOU didn't write is safe by p3on · · Score: 0

      This was written by someone much more eloquent than myself, and I think you should take care to read it: "Have fun in your little made-up universe where the government comes to round you up and you manage to fight it off. In the real world, fascism is when the corporations and governments work as a single entity, and you can wander around with your fucking gun all you want. In fact, you'll have to wander around, because the government/corporations took your house and your car, and no one will hire you. At which point you'll be arrested, not as some big anti-government hero by jackboot thugs, but for stealing bread to live on, by a perfectly normal cop who's just doing his job, a job that absolutely no one except you disagrees with, so when you shoot and kill him you're getting the electric chair and no one thinks you're a hero at all. There are different types of totalitarian governments, and assuming a fascist one operates like a communist one is faulty. Fascist governments don't put troops in the streets...they work with corporations to make sure 'the wrong sort of people' do not have any economic power, and do not have anywhere to peddle their ideas. Modern fascist states don't even bother to kill those people, and pretending they're going to show up in some stormtrooper outfit and start a gun battle with you is insane. They'll show up with a court order to evict you from your home because you failed to pay your mortgage, because pressure came from the top at your company to let you go. Or they'll just sue you and ruin your finances. America is not a bunch of tiny castles where, as long as you can hold off the invading armies, you will be fine. The idea that that is how the world works is astonishingly naive. 
      Almost all the population of America lives in housing they do not fully own, they get food from places they do not control like the supermarket, they require operating in society for money to obtain said food and shelter, a society where economics are controlled by some very large players that can crush them like bugs. And a fascist state isn't going to 'assume control', you asshat. There's not going to be some insane coup, there's going to be a slow change, which has, in fact, already happened, or have you not looked at the telecom immunity stuff? That's classic fascism. The government breaks the law, the government gets private companies to break the law, the government gives said companies huge amounts of cash, the government attempts to make such behavior legal retroactively. We've got government officials and AT&T officers leaping back and forth between each other in an incestuous loop. Your government spying on you, sponsored by AT&T. It's not 'totalitarian' yet, as evidenced by the fact Democrats managed to stop the immunity, but it is fascism, at least the start of it. (And the same thing's happened with Blackwater.) Oh, and before you start ranting about gun control some more, be forewarned I'm against it. I'm just not stupid enough to think that the US government being slowly corrupted by business is something that can be fought off with gunpowder. Guns are useful to deter crime and to deter invasion. They aren't useful against a corrupt government in any meaningful way." (source) http://science.slashdot.org/comments.pl?sid=346351&cid=21193115

    70. Re:no encryption that YOU didn't write is safe by Cheesey · · Score: 1

      Yeah, that's fair. I should have said "fusion". I was trying to reference the old joke about fusion, "the energy source of the future and always will be", but recent news about a company called D-Wave made me think about Pons and Fleischmann.

      --
      >north
      You're an immobile computer, remember?
    71. Re:no encryption that YOU didn't write is safe by thomasw_lrd · · Score: 1

      I had actually thought of quoting the bible in this instance, but didn't figure it would matter. I prefer Heinlein: "I prefer being a live lion." Or, as you put it, "The Meek shall inherit the earth in plots 6 x 9."

    72. Re:no encryption that YOU didn't write is safe by DMUTPeregrine · · Score: 2, Informative

      I introduce people to KeePass Password Safe and teach them how to use it to store and generate passwords. It can auto-fill in passwords, stores them in an AES encrypted database, can store attachments (say, your GPG private key,) and supports keyfiles. It's small enough to fit on a USB key, and open source. It has autotype, and that checks the URL. This reduces the risk of typing your password into a phishing site. Because of this program, almost all my passwords are >20 characters of random junk, and I don't know any of them.

      --
      Not a sentence!
    73. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Bruce Schneier is his name.

      I'd say that, given you don't run the servers, you cannot be sure they aren't tampered with. Heck, even if you run your own servers you cannot be sure on this.

      In this sense "no hardware that YOU didn't develop is safe" may just as well apply.

      Bottom line: as with all these safe harbours, Hakim Bey's TAZ principles count.

    74. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      I once worked at a picture phone company (mid 80's) that was starting to go down the 'encrypt your video phone call' path (using old switched56 tech) and we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

      That was 20 years ago when they tried to enforce such prohibitions. They have since realized that anybody can download rijndael or blowfish from the internet and there isn't any use in trying to restrict them because it's a lost cause.

    75. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      While I believe that Rijndael probably is safe for the near future, the fact that it's acceptable as AES is hardly a proper endorsement, considering that its predecessor was known even at the time of adoption to have an entirely insufficient key length...

    76. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Is quantum computing already being used to crack AES? No. Quantum computing is the cold fusion of our industry.

      Quantum computing can't crack AES anyway. Well, it can, sort of. What it does (for symmetric ciphers AKA search problems) is reduce the keyspace from 2^n to 2^(n/2). That is to say, a 256-bit key becomes as difficult to break with a quantum computer as a 128-bit key with a classical computer. Which is to say, still not breakable. On the other hand, 128-bit keys may be of some concern -- 64-bits is not enough keyspace.

      What quantum computers, once anybody has one with sufficiently many qubits, are really lethal to is RSA and public key algorithms. In that case the speedup is exponential -- right now factoring is 2^n, quantum computers bring it down to n.

    77. Re:no encryption that YOU didn't write is safe by OverflowingBitBucket · · Score: 1

      Your posting on experiences with fascism is interesting, educational, and good reading.

      It's a terrible shame that you tarnish your own words shortly afterward with bigotry and hypocrisy.

      I would like to hope that you are intelligent enough to be able to examine your own words and question your own assumptions. Consider rethinking the assumption you appear to have made that because some people of a particular class are stupid, all are stupid - except a few you've selectively chosen.

      Stupidity and genius transcend any class or arbitrary grouping.

      What you do with these words is up to you.

    78. Re:no encryption that YOU didn't write is safe by philljcool · · Score: 1

      Implementing an encryption algorithm is one thing; a whole secure system is another. Any competent programmer can use an RSA or 3DES library, but implementing an entire system securely is another thing. One of the scary things is that people hear an algorithm is being used but forget about things like remote buffer overrun vulnerabilities caused by poor programming.

      No fancy algorithm, even one written by Bruce, can make up for insecure code.

    79. Re:no encryption that YOU didn't write is safe by John+Marter · · Score: 1

      If you are referring the DES cracker in the book Cracking DES - Secrets of Encryption Research, Wiretap Politics & Chip Design - How federal agencies subvert privacy, one of the points made was that "an ordinary computer is ill-suited for use as a DES Cracker." Their cracker was a hardware device that ran at 40 MHz which parallelized the decryption process in hardware. 36864 search units according to one chart.

    80. Re:no encryption that YOU didn't write is safe by rprycem · · Score: 1

      Agreed!

      The only passwords I know are my Windows local user, my truecrypt partitions and my Keepass DB password. Am I paranoid if I keep my keepassDB inside a truecrypt partition?

    81. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      > In theory, with a few billion dollars you could build a machine capable of cracking AES in months

      The government has a few billion dollars to spend. Who says they haven't spent it already?

    82. Re:no encryption that YOU didn't write is safe by jd · · Score: 1

      That does depend on the nature of the encryption. A one-time pad is unbreakable, completely and utterly, provided the key is not directly available to the attacker. This is not theoretical, it is absolute. This is because a OTP will decrypt equally to EVERY possible message of the known length or shorter, with no possibility of knowing which of the apparent solutions is valid. Technically, they all are.

      OTPs are a bugbear because you have to physically supply the decryption key by some method, but if that method was truly secure, then it would be equally possible to send the message that way. Workarounds include sending excessively large keys, then at message time, use a synchronization method to provide a random offset into the key. This is the method used by the British military's "C-Corp" (communications group). Makes random intercepts much much harder, as the key alone wouldn't be sufficient. More recent attempts have included using random radio sources from space as part of the key, as a short message using conventional encryption giving the coordinates is much much harder to crack. This is much harder than it sounds - radio telescopes need careful designing and placement to avoid terrestrial interference. That's not something you can implement just anywhere.

      What of conventional encryption? Well, you obviously want to get as close to the characteristics of a one-time pad as possible - that is to say, it's less important as to whether an attacker finds the right key as it is that the attacker should not realize they have done so.

      One popular method (though mathematically difficult to prove) is to use extremely heavy lossless compression first. The result will appear random. If you have chosen the compression algorithm well, tests for whether it is random or not should fall below whatever the accepted threshold is, so that it is rejected as a valid decrypt.

      THEN you want to apply a strong encryption algorithm. If it is a block algorithm, the blocking mode should be non-trivial, so as to make it harder to attack potential vulnerabilities in the algorithm. There are many extremely good modes out there now. EAX, CCM and GCM are NIST-approved. OCB is also very reasonable. Use of AES as an encryption mode was not examined by NIST, but the proposal is on their site and it does sound interesting. A good mode without a good cipher is not terribly useful, and there are several ciphers listed on the block cipher lounge that do not have known weaknesses.

      Yes, all of this is no better than the encryption key (or the seed + algorithm used to generate a key). A weak key is useless, as is a strong key if generated by a seed that can be deduced easily (a very common social engineering attack). However, there is really nothing to stop a competent user from ensuring that no decryption system will extract the original file in any meaningful timeframe, even if one of the methods listed above is broken. The more competent the user, the more of those methods have to have vulnerabilities.

      The ideal is to make the total cost per message broken exceed the total value of the messages that have been broken. Then, you have added social engineering as an additional level of protection. If the probable cost is too high, nobody will bother, even though there is a random chance they'd hit the right solution immediately. It's similar to Douglas Adams' "Somebody Else's Problem Field".

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
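
Two of the points above, that a one-time-pad ciphertext is consistent with every message of its length and that a large pre-shared pad can be consumed by offset as long as no byte is reused, as an added example that is not part of the post. The pad, messages and the `PadLedger` helper are constructed here; they are not from any real system.

```python
"""One-time pad demonstration (added example, not from the Slashdot thread).

Shows two things the post above describes:
  1. a ciphertext is consistent with EVERY plaintext of the same length, so
     someone holding only the ciphertext cannot tell candidate decrypts apart;
  2. a large pre-shared pad can be consumed by (offset, length) slices, with
     the offset sent as the synchronization value, provided no pad byte is
     ever reused.  PadLedger is a hypothetical helper that enforces that.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad: pad and data lengths must match exactly")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the unique pad under which `ciphertext` decrypts to `candidate`.

    One such pad exists for every candidate of the right length, which is why
    the ciphertext alone says nothing about which plaintext is the real one.
    """
    return xor_bytes(ciphertext, candidate)


class PadLedger:
    """A large shared pad consumed by slices; refuses any overlap with bytes
    already used, because reusing pad bytes destroys the OTP guarantee."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.used = []  # (start, end) half-open ranges already consumed

    def take(self, offset: int, length: int) -> bytes:
        start, end = offset, offset + length
        if start < 0 or end > len(self.pad):
            raise ValueError("slice runs off the end of the pad")
        for s, e in self.used:
            if start < e and s < end:
                raise ValueError("pad bytes %d..%d already used" % (start, end))
        self.used.append((start, end))
        return self.pad[start:end]

    def encrypt_at(self, offset: int, plaintext: bytes) -> bytes:
        return otp_encrypt(plaintext, self.take(offset, len(plaintext)))

    def decrypt_at(self, offset: int, ciphertext: bytes) -> bytes:
        return otp_decrypt(ciphertext, self.take(offset, len(ciphertext)))


def demo() -> dict:
    """Sender and receiver each hold a copy of the same constructed pad."""
    pad = secrets.token_bytes(4096)
    alice, bob = PadLedger(pad), PadLedger(pad)

    msg = b"ATTACK AT DAWN"
    offset = secrets.randbelow(len(pad) - len(msg))   # sent in the clear
    ct = alice.encrypt_at(offset, msg)
    roundtrip = bob.decrypt_at(offset, ct) == msg

    # Same ciphertext, a different 14-byte "decrypt": equally valid to an observer.
    decoy = b"RETREAT NOW!!!"
    decoy_consistent = otp_decrypt(ct, pad_consistent_with(ct, decoy)) == decoy

    # Trying to spend the same pad bytes again is refused.
    try:
        alice.encrypt_at(offset, b"SECOND MESSAGE")
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True

    return {"roundtrip": roundtrip, "decoy_consistent": decoy_consistent,
            "reuse_blocked": reuse_blocked}


if __name__ == "__main__":
    print(demo())
```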
    83. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      I say, it's in really poor taste to rant about the Soviets and gulags and antigovernmental paranoia like this without at least nodding toward today's news of the death of Aleksandr Solzhenitsyn. Hell, you sound like him. Give the departed the credit they're due.

      And what exactly is accomplished by nonanonymous rants against the system? That's hardly a way to not call attention to yourself, eh?

      Oh, and that bit about knowing one's name? Call me what you want, as long as it isn't late for supper.

    84. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      I think it's Bruce Schneier you want ;-)

    85. Re:no encryption that YOU didn't write is safe by DaedalusHKX · · Score: 1

      I wouldn't have been on it... See that's the whole point of due diligence. I didn't buy a house at the top of the bubble either, thinking I was going to flip it. I helped my friends sell theirs though.

      Why? Called due diligence. Some people like to justify why being a victim is okay, and why the government should rob those who had the foresight to protect themselves... and pay for those who were stupid and jumped on the back of a trend. In evolution, if those people really did stand by their beliefs, the willing victims would've been allowed to get theirs, and the human race would've been better off for it.

      But hey, why let things take their course when we can fight hard to correct the markets, and people's consequences for their behaviors? It's not like it will be much more painful later, is it? Remains to be seen of course.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    86. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Get some sleep, hon.

    87. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      ...but trust me on the sunscreen.

    88. Re:no encryption that YOU didn't write is safe by randyest · · Score: 1

      we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

      No, you weren't. Now go take your meds and try to relax.

      --
      everything in moderation
    89. Re:no encryption that YOU didn't write is safe by randyest · · Score: 1

      Someone has said it to you once already in this thread, but I think it bears repeating: You're one sad, scared little dude, chest puffing on slashdot.

      --
      everything in moderation
    90. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Keep telling yourself that...

      *sent from my fusion-powered quantum computer

    91. Re:no encryption that YOU didn't write is safe by Antique+Geekmeister · · Score: 1

      Nonsense. Almost no one _uses_ the keys that you describe, partly because many password programs will reject them inconsistently, especially as they go through various internationalized "language" settings.

      Unfortunately, people are also extremely careless about their passwords, and it's often quite simple to get their passwords from a poorly secured environment, such as a system that uses DES by default (typical htpasswd command in Apache and passwd command in many old UNIX systems), and then use that broken password in more secure environments. This is why many security standards suggest using multiple passwords for multiple uses.

      Unfortunately, then people tend to write them down to remember them.

    92. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      You're one sad, scared little dude, chest puffing on slashdot.

      The pot(head) calling the kettle black

    93. Re:no encryption that YOU didn't write is safe by hazxperience · · Score: 1

      Who are you man?

      Whoever you are, you got my attention.

    94. Re:no encryption that YOU didn't write is safe by Anonymous Coward · · Score: 0

      Whether they merit it or not, it doesn't change the fact that you can't get ahead without being extremely aware.

      By that I mean, it's necessary to make sure you milk every second of your life for all it's worth, because riding the same roller coaster everyone else is on is just ... plain ... stupid.

      I hate it when people say, I'm not going to cook for myself because I make so much in that amount of time so I might as well buy my food.

      No, dumbass. When you are home you are no longer at work. You make zip nada zilch nothing at that time.

      People find a billion excuses not to do things they can do.

  6. Never was and never will be... by Arimus · · Score: 4, Insightful

    Depending on how you define secure then no, Hushmail is not.

    Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shut down the PC and leave it shut down for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted.

    As for Hushmail - it's secure if you trust them to use a suitable encryption algorithm, key material, pseudo-random number generator, secure processes (not the program kind, the how to do the job kind), secure network, no shady or otherwise agreements with third parties (inc. governments) to provide decrypted data, not to store your original plain-text mail for any longer than the time it takes to encrypt it, securely erase the plain-text version etc etc etc. Probably enough holes to drive a bus through...

    --
    --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    1. Re:Never was and never will be... by hacker · · Score: 1

      "Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shut down the PC and leave it shut down for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted."

      Of course you also bring your own bootable ISO cd/dvd to run the OS from which you compose and encrypt that email, and your own keyboard to ensure there are no hardware key loggers installed, right?

    2. Re:Never was and never will be... by Arimus · · Score: 1

      If it's my own terminal under my own control I know what I've installed on it... that's the whole point - a PC I have direct control over also applies to the terminal without a network connection :)

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    3. Re:Never was and never will be... by ColdWetDog · · Score: 3, Funny

      ... bring your own bootable ISO cd/dvd to run the OS from which you compose and encrypt that email, and your own keyboard to ensure there are no hardware key loggers installed, right?

      OK, I'll bite (and I know you are being a bit sarcastic) but:

      What are you all doing on your computers? If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?

      --
      Faster! Faster! Faster would be better!
    4. Re:Never was and never will be... by hacker · · Score: 3, Insightful

      "If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?"

      Isn't that the point? Shouldn't we be portraying that EXACT image to the respective governments who are trying to overthrow us? Seriously, isn't that EXACTLY what they're trying to do with the false security theater that is being thrust upon us with each new day of news reports from the Middle East and domestic?

      You might find the article "Fascist America, in 10 easy steps" interesting in this context.

      In short, the government SHOULD be afraid of the power of the people, because it is exactly those people who give the government its power, not the reverse. We all COULD be harboring plans to overthrow the government, and we should anyway, if they cease to support our rights and needs as a populace. In other words, do what we're expecting of you, or expect to get overthrown. Period.

    5. Re:Never was and never will be... by turbidostato · · Score: 2, Insightful

      " What are you all doing on your computers?"

      What's this? Another turn of the old argument "but if you have nothing to hide...?" or what?

      I don't need to give *any* explanation to protect my intimacy.

    6. Re:Never was and never will be... by TheRaven64 · · Score: 1

      If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis

      Well, what else does one do on rainy Sunday afternoons?

      --
      I am TheRaven on Soylent News
    7. Re:Never was and never will be... by Anonymous Coward · · Score: 0

      That's nice and all, and I certainly do not disagree in principle, but the government has already shown it is willing to make American citizens disappear. It (famously) sent out a questionnaire asking service men if they would have any moral reservations killing American citizens (the answer was "no"). And they have one of the most highly trained armies in the world.

      You can want to overthrow your government all you want, but it isn't happening without the support of the US military. Talk about frying pans and fires.

    8. Re:Never was and never will be... by Ghubi · · Score: 1

      What are you all doing on your computers? If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis.

      You would think the average slashdotter was in favor of open source production. It works great for software and encyclopedias; why not laws?

      Maybe that's what they're so keen on encrypting. I for one welcome our new big brother surveillance overlords.

    9. Re:Never was and never will be... by jimicus · · Score: 1

      Depending on how you define secure then no, Hushmail is not.

      Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shut down the PC and leave it shut down for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted.

      You still need to guarantee that the person on the other end will take similar precautions.

      Furthermore, the government doesn't necessarily need to read your email to know that you're of interest to them - being in regular communication with someone else who is of interest is often quite enough.

      Why do you think most successful terror organisations are formed of loosely-organised cells with little communication between them?

    10. Re:Never was and never will be... by Arimus · · Score: 1

      Still more secure than relying on a third party to do the encrypt/decrypt for me...

      I'd probably not bother though ;)

      Just stick the really meaty bits in the middle of a load of mail text culled from all the spam I've received... watch it get earthspiked by the listening systems as just more spam ;)

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    11. Re:Never was and never will be... by turbidostato · · Score: 1, Informative

      "Read: "I'm a pedophile.""

      It's up to you to provide enough indications so a judge will sign an order to go after my PC. Till then, please remember you are very near a criminal offense calling someone "pedophile" without proof.

    12. Re:Never was and never will be... by Keybounce · · Score: 1

      If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis.

      I've been trying to overthrow the federal government of the U.S. every 4 years since Raygun came in.

      You?

    13. Re:Never was and never will be... by Anonymous Coward · · Score: 0

      hint: intimacy!=privacy

    14. Re:Never was and never will be... by julesh · · Score: 1

      As for Hushmail - it's secure if you trust them to use a suitable encryption algorithm,

      Their encryption algorithm is available for public inspection as part of the source code of their applet. You can decompile their applet using any of several commonly available java decompilers to check it corresponds to the source code they publish, if you wish.

      key material, pseudo-random number generator,

      Similarly, you can see the source code of their key generator and PRNG which use mouse motion as a source of random data.

      secure processes (not the program kind, the how to do the job kind), secure network, no shady or otherwise agreements with third parties (inc. governments) to provide decrypted data

      Because of how their software works, none of this seems particularly relevant. They don't have enough information to provide decrypted data (as long as you don't use their javascript-based service).

      not to store your original plain-text mail for any longer than the time it takes to encrypt it,

      The encryption occurs on your machine. There's no storage of plaintext other than in your browser's memory.

      securely erase the plain-text version etc etc etc.

      This is the only place the security of hushmail actually falls down. Because it runs using java in a web browser, there is no way to securely lock the plaintext in RAM, so you would need to securely wipe your swap area after using it if you wanted to be sure no trace of plaintext remained. As the entire point of hushmail is that you can use it on just about any random PC you encounter without needing admin privileges, there's no possible solution to this problem.

      Probably enough holes to drive a bus through...

      Only if it's a particularly small bus, with a particularly skilled and somewhat lucky driver.

    15. Re:Never was and never will be... by Just+Some+Guy · · Score: 1

      What are you all doing on your computers? If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis.

      If there is one universal quality among geeks, it's an irresistible attraction to problem solving. It doesn't matter if the problem is even one that we want someone to solve; we still try to figure it out.

      "How would you overthrow the government?"

      "How would you assassinate someone?"

      "How would you rob a bank?"

      "How would you send untraceable messages to the NSA?"

      It's not that we'd actually do those things, but that we can't help trying to figure how we'd go about it. That's just the way geeks are constructed. Tell us something is difficult or impossible and something drives us to prove you wrong.

      For what it's worth, there are military people who sit around and try to figure out how to attack American cities. The idea is that if we can figure it out, then maybe an enemy could as well. I mention this as an example of where this mindset is considered valuable and useful, and not creepy like most non-geeks would think if they read this post. ("That 'Just Some Guy' fella? He wants to make bombs!")

      --
      Dewey, what part of this looks like authorities should be involved?
  7. Old News? by zifn4b · · Score: 4, Informative

    It appears that this was reported back in 2007 on The Register.

    There is indeed a clause in the clarified terms of service mentioned by the above article that states that your data is not safe from law enforcement authorities with a court order from Supreme Court of British Columbia, Canada:

    We are committed to the privacy of our users, and will absolutely not release user data without a court order from the Supreme Court of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such court order refer specifically by email address to any account for which data is required. However, if we do receive such a court order, we are required to do everything in our power to comply with the law. Hushmail will not accept a court order issued by any authority or investigative agency other than the Supreme Court of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that a court order be issued by the Supreme Court of British Columbia, Canada.

    --
    We'll make great pets
  8. do not use the internet by jacquesm · · Score: 0

    if your communications are such that you think they require encryption. It's really that simple. As soon as those packets leave your premises you can simply assume that whatever is in them even if it is encrypted to the hilt is public knowledge.

    rely on face to face contact if you want your communications to be secure.

    1. Re:do not use the internet by Anonymous Coward · · Score: 2, Insightful

      rely on face to face contact if you want your communications to be secure.

      Are you smoking?

      Meeting face to face is the worst possible way for secure communications. It allows for easy snooping by anyone on you and the person you're meeting, and even the fact that you are meeting with a person can taint you if they are on the terrorist list or "watch list".

      Public email such as thepiratebay's slopsbox is way better. Be sure to post and read from a public library or similar, with no cameras.

  9. Huh?? by Anonymous Coward · · Score: 0

    What the hell is Hushmail??

    1. Re:Huh?? by Vectronic · · Score: 4, Funny

      Shhhh!... keep your voice down.

  10. Decentralize Aggregated Services by Bob9113 · · Score: 1

    One way to help mitigate this risk is to decentralize aggregated services. If there were five hundred different equivalents to Hushmail, one of them going down would be less of a threat, and many of them going down would be impossible to keep quiet.

    The main problem I can come up with is market differentiation; Mom & Pops work in meatspace because physical proximity matters. With the Internet, when a product (like encrypted email) is difficult to differentiate, it is hard for more than a handful of competitors to gain traction.

    A solution to that is to make end-user tools easier to use and more common. For example, everyone could use a GPG plugin for their email client without the risk associated with one of the handful of major providers being breached.

    Which leads, I think, to the conclusion that one very good thing one could do to support free speech would be to promote GPG and personal asymmetric keys. You might do this by helping develop the tools, or even just by using GPG to sign your own emails, and adding a .sig that explains what you're doing.

    Just thinking out loud...

  11. Jars embed date of creation - More Info Needed by KrisWithAK · · Score: 5, Insightful

    Any developer that has worked closely with jar (zip) files should have immediately noticed a possible issue with this announcement. If you use the jar tool to create a jar archive with its default options, it embeds a new MANIFEST.MF file which has a new creation time; therefore, you will get a different jar checksum even if you are archiving the same exact contents. It would have been simply possible that the Hushmail build process created a new jar file (with identical files) for each type of software distribution that they use. The only way we can be sure is to compare the file list and checksum for each file inside of the jar archives.

    1. Re:Jars embed date of creation - More Info Needed by omega_dk · · Score: 1

      Bah, accidental moderation post.

      --
      Just because you don't like the truth, does not make it false.
  12. The file is obfuscated by tkinnun0 · · Score: 5, Informative
    The jar-file is obfuscated, bringing its size down to 270KB from 485KB. The source code archive contains a file verification.txt with this text:

    For those who wish to verify that the class files downloaded when accessing
    Hushmail are genuine, they can be compared against class files compiled from
    source using the following tools.

    Sun JDK 1.5.0_05 for Windows
    Microsoft Java SDK 4.0
    Proguard 3.5 (http://proguard.sourceforge.net)

    Usage of these tools can be determined from the included Makefile and
    proguard.conf. Note that the signing steps in the Makefile cannot be
    accomplished, and so the class files must be compared individually. You cannot
    compare the entire archive.

    The Bouncy Castle Lightweight API Version 1.31
    can be downloaded here:

    http://www.bouncycastle.org/download/lcrypto-jdk11-131.tar.gz

    The archives used by Hushmail are located here:

    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

    Please ensure that you are comparing the same versions. Sometimes the release
    of source code may lag a few days behind the update of Hushmail.

    Questions can be directed here: https://www.hushmail.com/contact

    I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.

    1. Re:The file is obfuscated by datajack · · Score: 4, Interesting

      Agreed, it is very clear from opening the jar files that the published one has undergone obfuscation.

    2. Re:The file is obfuscated by xded · · Score: 1

      Definitely non-story. And parent is the first post in the flaming-bitching-i'm-a-crypto-conspiracist-geek row that leads, that actually makes sense.

      Just take a look at the updated Cryptome FA:

      Date: Sun, 03 Aug 2008 09:04:38 -0700
      Subject: CRYPTOME: Response to hushmail-pry.htm
      From: "S Brian Smith"

      Hello,

      This post is in error:

      http://cryptome.org/hushmail-pry.htm

      The post refers to the wrong file for the comparison. The check
      should have been done against this file:

      applets/HushEncryptionEngine.jar

      That is the file actually used on the website. It is processed
      with Proguard to reduce the download size, and has no debug
      information. If you checksum that file, the checksum will match
      the file on the website.

      The file mentioned in the post, HushEncryptionEngine_3-0-0-30.jar,
      contains debugging information and is not processed by Proguard.
      Therefore it does not match the file for download on the website.

      Regards,
      Brian Smith
      Hush Communications

      It's sad that all of Hushmail's openness efforts go completely unnoticed in the rush to scoop or to find conspiracy evidence.

      And, just for the record, I tried to carry on the verification process and (even if I didn't have the right combination of jdk/proguard/libs versions on my system) I got a jre with all the classes just off some bytes in size from the actual jar run by Hushmail.

      -ded
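The per-entry comparison that comments 11 and 12 describe, as an added example for this thread (it is not Hushmail's build tooling or anything from the Cryptome post). Two archives are constructed in memory with identical class bytes but different entry timestamps, which is what a fresh run of the jar tool produces, so the whole-archive checksums differ while the entries match. The class-file bytes and build times are constructed placeholders; the check does not reproduce Proguard, so against a real obfuscated jar you would compare the entries against your own Proguard output, as verification.txt says.

```python
"""Compare two jars (zip archives) entry by entry instead of by whole-file hash.

Added example for the thread above; it is not Hushmail's build tooling. The
two archives are constructed in memory with identical class bytes but
different entry timestamps, which is what a fresh run of the jar tool
produces: the archive checksums differ, the entries do not.
"""
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def build_jar(build_time, entries):
    """Build an in-memory jar.

    build_time is a (year, month, day, hour, minute, second) tuple standing in
    for the clock value the jar tool stamps on the generated manifest entry
    (and on freshly compiled classes). entries is a list of (name, bytes).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = b"Manifest-Version: 1.0\r\nCreated-By: constructed example\r\n"
        for name, data in [(MANIFEST, manifest)] + list(entries):
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def archive_digest(jar_bytes):
    """SHA-256 of the whole archive: what a naive checksum comparison uses."""
    return hashlib.sha256(jar_bytes).hexdigest()


def entry_digests(jar_bytes, skip_manifest=True):
    """Map each file entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or (skip_manifest and info.filename == MANIFEST):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(a, b):
    """Return (only_in_a, only_in_b, differing_content), all sorted lists."""
    da, db = entry_digests(a), entry_digests(b)
    only_a = sorted(set(da) - set(db))
    only_b = sorted(set(db) - set(da))
    differing = sorted(n for n in set(da) & set(db) if da[n] != db[n])
    return only_a, only_b, differing


if __name__ == "__main__":
    # Constructed stand-in for a class file: same bytes, two build times.
    classes = [("com/example/Engine.class", b"\xca\xfe\xba\xbe" + bytes(20))]
    first = build_jar((2008, 8, 1, 10, 0, 0), classes)
    second = build_jar((2008, 8, 3, 9, 30, 0), classes)
    print("archive hashes equal:", archive_digest(first) == archive_digest(second))
    print("entry differences:", compare_jars(first, second))
```

Run against two real jars, `compare_jars(open(a, "rb").read(), open(b, "rb").read())` returns three empty lists when every non-manifest entry is byte-identical; a non-empty third list names the entries that actually differ, which is the only result worth arguing about.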

  13. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  14. They've always stated openly that it's not secure by Joce640k · · Score: 1

    ...when you encrypt via the web interface.

    The only secure way is to download the encryptor (source code available) and encrypt before it leaves your machine.

    Or you could do what the terrorists do and encrypt a file with one of the bazillion encryption utilities and openly send it as an attachment via hotmail. Duh!

    --
    No sig today...
  15. Mixmaster by trewornan · · Score: 4, Informative

    If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

    In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Enigma they might have done much better militarily.

    Any provider like this can ultimately be compelled to cooperate with security services and you've therefore got to assume they are working with major governments to compromise your communications. Common sense really.

    That said, something like Mixmaster is a good place to start. Makes it very difficult to be located by any legal process although (of course) it won't help if the NSA takes an interest.

    Hushmail? Compromised almost as soon as it was set up I'd wager.

    1. Re:Mixmaster by DNS-and-BIND · · Score: 1

      Yeah, that's pretty much why the NSA is so fanatic about being able to break encryption. Being able to read the Japanese and German codes was a decisive advantage in winning WWII. Just imagine how different the world would be if the free nations had lost. Even accepting a peace treaty that ended the war but left Germany or Japan still standing would be an entirely different world today.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Mixmaster by quitte · · Score: 0, Troll

      one time pads don't help against brute forcing encryption. They just prevent brute forcing authentication.

    3. Re:Mixmaster by trewornan · · Score: 1

      Learn something about elementary encryption before shooting your mouth off.

    4. Re:Mixmaster by ivantheshifty · · Score: 2, Funny

      If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

      In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Enigma they might have done much better militarily.

      Wait wait wait...Somebody on slashdot's read Cryptonomicon? I'm shocked.

    5. Re:Mixmaster by Lincolnshire+Poacher · · Score: 1

      > If you want encryption guaranteed against major governments you have to go with a one time pad.

      Well yes, but what proportion of encrypted communications are intended to be elided from government view?

      When Insurance_Company_A uses 3DES to encrypt rate files sent to Field_Agent_A, they're doing so because they don't want Insurance_Company_B reading their trade secrets.

      When I connect to Amazon via SSL using 256-bit AES, I do so because I don't want HaXX0R_C grabbing my debit card details.

      When I GPG-encrypt e-mails to friends it is to prevent Bored_Sysop_D from reading my e-mails as they spool on the recipient's MX.

      I contend that the fear of Government snooping accounts for a very small proportion of encrypted data.

    6. Re:Mixmaster by Just+Some+Guy · · Score: 1

      Skipped that chapter, huh?

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Mixmaster by trewornan · · Score: 1

      Well . . . yes, but I recommend Simon Singh's Codebook as a much better intro. Cryptonomicon was a bit of a tedious read actually.

    8. Re:Mixmaster by bcrowell · · Score: 3, Insightful

      If you want encryption guaranteed against major governments you have to go with a one time pad.

      Oh, please. You've done a good job of using impressive terms to sound like you know what you're talking about. If you want to talk about the real-world risks of having your crypto broken, then you need to consider all the real-world methods by which your crypto could be broken. It doesn't matter that a one-time pad can be theoretically proved to be invulnerable to certain kinds of attacks, to which various symmetric and asymmetric ciphers are theoretically vulnerable. What matters is the actual types of attacks that are practical and likely, and the actual problems you'll have in the practical implementation of a particular method. If you're using a one-time pad, then there are several obvious, well-known things that can go wrong: (1) you have to physically exchange the one-time pads, which may be difficult to do (and do securely) if the NSA is really following you everywhere, opening your mail, etc.; (2) both parties have to maintain the security of their own copies of the one-time pads, which may be difficult to do if the NSA is really determined to get them; (3) there is a tendency for users to get lazy and reuse a one-time pad, which then makes you vulnerable to certain kinds of attacks. Standard symmetric and asymmetric ciphers are more or less immune to these problems (#1: swapping passwords securely is a lot easier than swapping large amounts of binary data securely; #2: you can keep the password in your head instead of stuffing a keychain drive under your mattress; #3: no such issue). Yes, there are also certain kinds of attacks to which standard ciphers are vulnerable and one-time pads invulnerable (e.g., dictionary attacks on your password, shoulder-surfing,...) One-time pads are not magic pixie dust for cryptography. There is no magic pixie dust for cryptography.

      The good news is that we're living in a golden age of privacy, in the sense that you can legally, publicly get software to do encryption so good that essentially your main worry is no longer the encryption, it's the social/personal/legal issues surrounding its implementation.

    9. Re:Mixmaster by rcastro0 · · Score: 1

      >Being able to read the Japanese and German codes was a decisive advantage in winning WWII

      Decisive? In the sense that without it the war would be lost? Hardly. Imperial Japan and Nazi Germany are made more formidable than they actually were, in the wave of pride that came after the allies defeated them. They were heroic, as were the allies. But it was never an equal match of forces once both the US and the USSR were on the side of the allies.

      I recommend reading "The Prize", by Pulitzer Prize-winning author Daniel Yergin, in order to have an economic perspective on WWII. You will see how once the oil embargo was placed on Japan, and once Germany decided to break its alliance with the Soviets (thereby cutting its supply of oil) the outcome of the war was pretty much decided. Essentially once that happened both Japan and Germany had a ticking clock to run against: their diminishing stock of oil. That made it necessary for both to be very audacious, taking great risks and placing all their hopes in a few bold moves. Pearl Harbour for the Japanese, the drive towards the heart of Russia for the Germans.

      These two bets didn't pay off, and from then on they were essentially on the defensive, trying to make do with very limited amounts of oil.

      --
      Quem a paca cara compra, paca cara pagará.
    10. Re:Mixmaster by Jerry+Coffin · · Score: 1

      If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

      Actually, the one-time pad is almost never a good choice. In particular, to be completely effective you must ensure that your pad is entirely random. The recent problem in Debian, like a much older one in Netscape 4 (or thereabouts) were both with generating random numbers, not with the encryption algorithms themselves.

      The bottom line is that the one-time pad cures a difficult problem, but substitutes one that's generally even more difficult in its place. For the average person, the chances of security from something like AES or RSA are much better than from a one time pad.

      --
      The universe is a figment of its own imagination.
    11. Re:Mixmaster by DNS-and-BIND · · Score: 1

      It's tempting to assume that WWII was a foregone conclusion, but it's classic 20/20 hindsight.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  16. is Hushmail still safe? - NO !!! by rs232 · · Score: 1

    "Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication"

    No, it's most probably controlled by one of the branches of the security services .. :)

    --
    davecb5620@gmail.com
  17. Comment Summary by Anonymous Coward · · Score: 0

    "Is Hushmail even safe to use anymore?"

    Depends on the laws you intend to break.

  18. God knows by Mishotaki · · Score: 1

    God knows everything, he is everywhere and sees everything... so he knows what kind of data you encrypted, he knows what program you used and what the key to unlock is.... so the next time you go see a priest, you better not mention it, he might have had a little talk with God about it.

    1. Re:God knows by theblondebrunette · · Score: 1

      God may know, but what the f**k does a priest know and have to do with God?

    2. Re:God knows by causality · · Score: 1

      I don't really subscribe to a major religion, but I have studied most of them and I can probably clear that up for you (the GP's joke, that is). The whole point of a priest is to act as an intermediary between yourself and God, usually with the implication that you could not speak to God yourself. That's what makes a priest different from a preacher, who is merely a teacher of what he believes to be true while the actual interaction with God is up to you. The basis of rejecting the concept is the idea that God is equally available to everyone and therefore, priests are not special and do not deserve any extra status.

      I won't comment on whether either or both ideas are valid. That's something each person needs to make up their own mind about and you seem to have taken your stance on it. I was just explaining the GP's reasoning when he made a joke about not letting a priest learn about your encryption.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  19. "Still safe" by betterunixthanunix · · Score: 1

    Hushmail was never safe, not from a cryptographic perspective. Hushmail kept a copy of your private key, AND the passphrase for that key would be sent to their servers. The drug investigation demonstrates why that is unsafe, but anyone with a basic understanding of cryptography knew that it was a possibility long ahead of time.

    It is a matter of convenience trumping security.

    --
    Palm trees and 8
    1. Re:"Still safe" by julesh · · Score: 1

      Hushmail was never safe, not from a cryptographic perspective. Hushmail kept a copy of your private key, AND the passphrase for that key would be sent to their servers.

      Hushmail is available in two versions. In one of them, the passphrase is sent to their servers. In the other one it isn't. The article is talking about the latter version (implemented via java applet) not the former (implemented via javascript).

  20. Probably not ... by ScrewMaster · · Score: 1

    Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?

    I think the submitter answered his own question.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:Probably not ... by julesh · · Score: 1

      Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?

      I think the submitter answered his own question.

      Except the submitter just revealed that they didn't understand what was going on. The original author of TFA only did a hashcode comparison between the compiled sources and the copy served up by hushmail. They didn't bother reading the instructions for verification which state that you need to run the compiled code through a particular configuration of compiled code compressor.

  21. My encryption is fool proof by Puffy+Director+Pants · · Score: 1

    I just write nonsense anyway.

    1. Re:My encryption is fool proof by ScrewMaster · · Score: 1

      So we've noticed.

      Sorry, couldn't resist.

      --
      The higher the technology, the sharper that two-edged sword.
  22. Newsletter Time by Anonymous Coward · · Score: 5, Funny

    1 Your high-school girlfriend cheated on you
    2 The Government can't be trusted
    3 Peer review of published encryption standards is worthless

    Fascinating. Are you asserting "1 AND 2 ERGO 3" or "1 ERGO 2 ERGO 3"?

  23. First rule of Hushmail... by MsGeek · · Score: 4, Funny

    ...is that nobody talks about Hushmail.

    --
    Knowledge is power. Knowledge shared is power multiplied.
  24. Oh please, safe? by mlwmohawk · · Score: 1

    No person or entity can remain true to two or more masters. As long as there is an "agent" involved who must answer to some other authority, the punishment for not cooperating with the "other" master will be weighed against protecting you.

    The best bet is to encrypt locally with your own self-certified keys, only give the public keys on a need-to-know basis.

    If you can add an obscure encryption scheme on top of that, so much the better. If underneath all that you can use an obscure document encoding and character format, or even an unused language like Navaho, you're good to go.

  25. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  26. All Encryption Can be Cracked by tobiah · · Score: 2, Insightful

    It's just a matter of time. This almost always happens faster than the designer imagined it would take.

    --
    "The ability to delude yourself may be an important survival tool" - Jane Wagner -
  27. Crap by Anonymous Coward · · Score: 0

    Is every story posted on Slashdot now inaccurate or completely false?

  28. Read & Learn, And Legalize Marijuana by Anonymous Coward · · Score: 0

    Since the article is often pulled from websites, the first article you should read and burn into your mind is this, Google for the title and archive a copy for yourself:

    "A break-in to end all break-ins"
    "In 1971, stolen FBI files exposed the government's domestic spying program"

    It's an amazing story, and in 2008, how much has this expanded into every corner of our lives? The majority of Americans are brainwashed sheep consumers with a limp wet noodle for a brain, thrashing around with their Wii and Paris Hilton media like a fat dinosaur in a tar pit. Stay informed, we have no privacy, encryption is good but useless with acoustic monitoring, reflections in the eye and objects in your environment, etc.! If it's electronic, there's always a loophole. You shine brighter with each electronic device you use, in many ways. Don't trust Hushmail or any web based mail service to keep anything of yours secure or to provide any reasonable degree of security. Secure your computer room and rig your computer to shut down if you use encryption like Truecrypt or other when your environment is entered by someone other than you or those you permit and trust (you shouldn't trust anyone, everyone has a price).

    Compromising Reflections or How to Read LCD Monitors Around the Corner
    http://www.infsec.cs.uni-sb.de/~unruh/publications/reflections.pdf

    And more:

    http://www.eff.org/wp/detecting-packet-injection
    http://en.wikipedia.org/wiki/Anonymous_remailer
    http://cryptome.org/tempest-law.htm
    http://seclab.uiuc.edu/pubs/LeMayT06.pdf
    http://www-users.cs.umn.edu/~dfrankow/files/lam-etrics2006-security.pdf
    http://cryptome.org/nsa-vaneck.htm
    http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php
    http://www.nononsenseselfdefense.com/five_stages.html
    http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
    http://csrc.nist.gov/itsec/guidance_WinXP_Home.html
    http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
    http://all.net/books/document/harvard.html
    http://www-128.ibm.com/developerworks/library/l-keyc.html
    http://www-128.ibm.com/developerworks/library/l-keyc2/
    http://www-128.ibm.com/developerworks/library/l-keyc3/
    http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html
    http://www.cs.washington.edu/education/courses/csep590/06wi/
    http://www.wiley.com/legacy/compbooks/mcnamara/links.html
    http://lifehacker.com/software/home-server/geek-to-live--set-up-a-personal-home-ssh-server-205090.php

    1. Re:Read & Learn, And Legalize Marijuana by Datamonstar · · Score: 1

      This is one of the best posts in /. history and quite possibly the best AC post ever.

      --
      The eternal struggle of good vs. evil begins within one's self.
  29. Note from Hushmail by Anonymous Coward · · Score: 0

    The guy who posted on Cryptome checksummed the wrong file. He should have compared the website file (HushEncryptionEngine.jar) against applets/HushEncryptionEngine.jar not HushEncryptionEngine_3-0-0-30.jar.

  30. Rubber-hose cryptanalysis by AmishElvis · · Score: 5, Funny
    Ha, I found this on Wikipedia, attributed to Marcus J. Ranum -

    ...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive)

    1. Re:Rubber-hose cryptanalysis by mrogers · · Score: 5, Insightful

      That used to be funny before we discovered our governments were actually torturing people. Nowadays I don't find it funny.

    2. Re:Rubber-hose cryptanalysis by Antique+Geekmeister · · Score: 1

      The US has a fine history of torture going right back to before the Declaration of Independence. It's much smaller than many countries, and it was declared to be illegal surprisingly quickly, but there is nothing new about the USA governments torturing prisoners, at local, state, and federal levels.

    3. Re:Rubber-hose cryptanalysis by mrogers · · Score: 1

      I didn't realise that - not sure whether it makes me feel better or worse. :-)

  31. Snail mail FTW. by ohxten · · Score: 0

    I use snail mail. It's safer because it's sealed. Snail mail FTW.

    --
    Need an automatic screenshot taker? Try here.
    1. Re:Snail mail FTW. by Jerry+Coffin · · Score: 3, Interesting

      I use snail mail. It's safer because it's sealed. Snail mail FTW.

      Nice try, but generally trivial to break. For starters, there's the always popular method of steaming envelopes open.

      Of course, that's pretty easy to prevent -- for example, people who cared have used wax seals for centuries.

      That's still a long ways from secure though. For example, one trick (also known for a long time) uses a thin metal rod, split along its length. You insert the rod under the end of the envelope flap, where there's no seal. You catch the letter where it's folded, with one side of the fold on each side of the split, then twist the rod to roll the letter up, and remove it back out the end. When you're finished reading it, you reverse the process to re-insert the letter into the envelope.

      It's no accident that, historically, most countries' code-breaking agencies have been attached to their postal services...

      --
      The universe is a figment of its own imagination.
  32. Keys by Anonymous Coward · · Score: 1, Informative

    Every bit of information that travels across the internet is recorded and logged somewhere, whether it be with the ISP, in a data-warehouse like those that AT&T maintains, or even administrations like the NSA themselves.

    So long as the means of encryption (including the public keys) have been transferred over the internet, you are susceptible to a man-in-the-middle attack.

    The only way to have truly secure and encrypted communications is if all keys involved, including public keys, were swapped privately (without the internet, such as with a disk).

    Encryption does well to protect you from identity theft, some hacking, and minor illegalities such as piracy, but if you really need it to protect yourself from the State, it is worse than worthless against an ISP or government (because not only can they decrypt it, but they know that something is up) unless all keys were traded privately, person to person.

  33. Security against governments by Beryllium+Sphere(tm) · · Score: 1

    >If you want encryption guaranteed against major governments you have to go with a one time pad.

    The NSA permits AES for the government's own data.

    Google "Venona": a one time pad only protects you if you do everything else right. That's a general lesson: assuming you stick with something semi-respectable, operational doctrine and procedures matter more than your algorithm.
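The one-time-pad points raised in this thread (trewornan's claim, bcrowell's item (3) on pad reuse, Jerry Coffin's note on pad randomness, and the Venona reference above) in runnable form. This is an added example, not code from any poster: the pad object enforces "use once", and two constructed messages show why encrypting both with the same key bytes makes the pad cancel out, which is exactly the discipline failure Venona exploited. Message contents and the fixed key in the demonstration are constructed.

```python
"""One-time pad: what it guarantees and how reuse of key material breaks it.

Added example for the one-time-pad discussion above (not taken from the
thread). It enforces the "use once" rule and then shows, with constructed
messages, why reusing the same key bytes for two messages lets the pad cancel
out, which is the failure mode the Venona reference is about.
"""
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Key material that hands out each byte at most once."""

    def __init__(self, material):
        self._material = material
        self._offset = 0

    @classmethod
    def generate(cls, length):
        # Must come from a true or cryptographic random source; a predictable
        # generator (the Debian and Netscape incidents above) voids the guarantee.
        return cls(os.urandom(length))

    def take(self, n):
        if self._offset + n > len(self._material):
            raise RuntimeError("pad exhausted: never reuse key material")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk

    def remaining(self):
        return len(self._material) - self._offset


def encrypt(pad, plaintext):
    """Consume len(plaintext) fresh pad bytes; returns (key_bytes, ciphertext).

    key_bytes is what the receiver's own copy of the pad must supply; it is
    returned here only so the example can decrypt without a second pad object.
    """
    key_bytes = pad.take(len(plaintext))
    return key_bytes, xor_bytes(plaintext, key_bytes)


def decrypt(key_bytes, ciphertext):
    """Perfect secrecy holds only when key_bytes were fresh and random."""
    return xor_bytes(ciphertext, key_bytes)


def pad_cancels_on_reuse(p1, p2, shared_key):
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the key dropped out entirely."""
    c1 = xor_bytes(p1, shared_key)
    c2 = xor_bytes(p2, shared_key)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def counterpart_from_known_plaintext(c1, c2, known_p1):
    """With reuse, knowing one message exposes the other: p2 = c1 XOR c2 XOR p1."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def reuse_is_refused(pad_length, message_length):
    """True if the pad object refuses a second message it cannot cover."""
    pad = OneTimePad(bytes(pad_length))
    pad.take(message_length)
    try:
        pad.take(message_length)
    except RuntimeError:
        return True
    return False
```

The `OneTimePad` class is the operational-doctrine half of the lesson: the maths is trivial, and everything that goes wrong with pads in practice is about key management (generation, distribution, never reusing an offset), which is the same point Beryllium Sphere makes about procedures mattering more than the algorithm.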

  34. My guess by symbolset · · Score: 2, Insightful

    Was either Thomas Jefferson or Lazarus Long. Both of them were well worth listening to.

    --
    Help stamp out iliturcy.
  35. You've seen the list, then? by mccabem · · Score: 2, Interesting

    You make it sound like not just anyone can be (of those who haven't already been) declared a terrah-ist. It doesn't take much - and as with so many things these days, they don't even need a warrant to get you into "the club". All they need is for you to have a laptop and you're fair game. If you have a laptop and they haven't picked you at the airport, don't get high and mighty - remember there's literally nothing to stop them from doing it when you're 100% legal or not. Habeas corpus and all that jazz we learned in High School is more or less out the window at this stage.

    Have you seen the watch list or heard of some rules surrounding this or something?

    -Matt

  36. Article is misleading by Beryllium+Sphere(tm) · · Score: 2, Interesting

    Hushmail only stores your private key in encrypted form, encrypted with your passphrase. It gets decrypted only on your machine, by the Java applet. Yes, this does mean your security depends entirely on the strength of your passphrase. Use http://www.diceware.com/.

    As for hashes being easy to crack, please. A dictionary attack isn't a crack of a hash, and reversing a hash algorithm is still beyond the state of the published art. Making collisions, yes, but recovering original text, no.

    1. Re:Article is misleading by julesh · · Score: 1

      Hushmail only stores your private key in encrypted form, encrypted with your passphrase. It gets decrypted only on your machine, by the Java applet.

      1. Note that hushmail now has a "no-java" option. Don't use it. It sends your passphrase to them so they can do server-side decryption.

      2. The article doesn't seem to be misleading in the slightest. All it does is attempt to call into question whether or not the applet hushmail serves up is the same one they've provided source code for, but instead just shows up the ignorance of its author.

      Nothing to see here. Move along.

  37. begging the question by Eil · · Score: 1, Interesting

    Why are we posting so many rhetorical questions to Slashdot lately?

  38. Encryption + web-based don't mix well by mcrbids · · Score: 4, Insightful

    Anytime your private encryption key is "over there" you are at risk. If your private key is stored on *their* servers in such a manner that *they* can get to it, your privacy is at risk.

    As a software developer, I'm in a pilot program to use encryption for digital signatures. Despite the relative simplicity of using OpenSSL functionality, it's been surprisingly painstaking and laborious to put everything together.

    See, real security requires outright paranoia. How do you prevent your CA key from being compromised, in such a way that you can all-but guarantee that it hasn't been? To do this, you have to make it not only unlikely, but impossible to be compromised in every conceivable way. How do you prevent your client's private key from being compromised, in such a way that you can all but guarantee it? How do you prevent a malicious client from obtaining a signed certificate? How do you prevent 3rd parties from MITM attacks? How do you provide high-level security for all the above, while still providing redundancy for disaster recovery? How do you prevent compromises stemming from a social engineering attack?

    Not including implementation and ongoing maintenance of these procedures, the cost of just proving that you have all these measures in place runs to many thousands of dollars!

    A solution that answers all these and every conceivable related question is surprisingly difficult, and many, if not most, of the problems are not technical, but social.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Encryption + web-based don't mix well by julesh · · Score: 1

      Anytime your private encryption key is "over there" you are at risk. If your private key is stored on *their* servers in such a manner that *they* can get to it, your privacy is at risk.

      The originally-advertised benefit of hushmail over other web-based services was that your private key is not stored on their servers in such a manner that they can get to it. It was stored AES256 encrypted on their servers, sent encrypted to a java applet running on your machine and decrypted via passphrase locally.

      The problems came when they introduced a javascript based version of the service that uploaded the passphrase. Using this was optional, but a lot of people did it because (a) it's more convenient and (b) hushmail rather stupidly made it the default.
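The key-handling model that betterunixthanunix, Beryllium Sphere, mcrbids and julesh are arguing about (comments 19, 36 and 38), as an added example that is not Hushmail's code. The server stores only a passphrase-wrapped private key; in "applet mode" the client fetches the blob and unwraps it locally, in "no-java mode" it hands the passphrase over and the server unwraps. Assumptions: PBKDF2-HMAC-SHA256 from the standard library for key derivation, and an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for the AES256 the thread mentions (chosen only to stay stdlib-only; the cipher is not the point, the passphrase's path is). User name, passphrase and key bytes are constructed.

```python
"""Passphrase-wrapped private key: client-side vs server-side unwrapping.

Added example for the Hushmail key-handling discussion; not Hushmail's code.
Wrapping uses PBKDF2-HMAC-SHA256 from the standard library and, as a stand-in
for AES256, an HMAC-SHA256 counter-mode keystream plus an HMAC tag (assumption:
stdlib only). The point is where the passphrase travels, not the cipher.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a toy stream cipher standing in for AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive(passphrase, salt):
    """Stretch the passphrase into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 64)
    return master[:32], master[32:]


def wrap_private_key(passphrase, private_key):
    """Return the blob a server may store: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_private_key(passphrase, blob):
    """Recover the private key; raises ValueError on wrong passphrase or tampering."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted blob")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KeyServer:
    """Holds only wrapped blobs; records every passphrase it is handed so the
    two modes can be compared."""

    def __init__(self):
        self.blobs = {}
        self.passphrases_seen = []

    def enroll(self, user, wrapped_blob):
        self.blobs[user] = wrapped_blob

    def fetch_blob(self, user):
        return self.blobs[user]

    def decrypt_for_user(self, user, passphrase):
        # "no-java" mode: the passphrase reaches the server, which can now unwrap
        # (and could be compelled to log it, which is the thread's concern).
        self.passphrases_seen.append(passphrase)
        return unwrap_private_key(passphrase, self.blobs[user])


def applet_mode(server, user, passphrase):
    """Client fetches the blob and unwraps locally; the passphrase never leaves."""
    return unwrap_private_key(passphrase, server.fetch_blob(user))


def no_java_mode(server, user, passphrase):
    """Client hands the passphrase to the server and receives the key back."""
    return server.decrypt_for_user(user, passphrase)
```

Both modes return the same private key, which is why the difference is invisible to the user; only `passphrases_seen` on the server tells them apart. Even in applet mode the server still holds the wrapped blob, so the passphrase's strength and the KDF cost are the only things standing between a compelled copy of that blob and the key, which is the point of Beryllium Sphere's diceware advice.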

  39. I did some investigating by Anonymous Coward · · Score: 0

    I wrote a little article on it here http://handbookrevolutionary.com/2008/08/03/is-hushmail-still-safe

    Also, the Cryptome post has been updated. Apparently the Java checksums do match (or at least do now, who knows if they changed it when caught).

  40. Safe?? by Sonnekki · · Score: 1

    "Is Hushmail even safe to use anymore?"

    When was Hushmail ever safe?
    When was ANY kind of encryption "safe"?
    All you need is a high level of persistence given a level of encryption.

    I guess you could call something safe if the time required to "crack" an encryption scheme is greater than a human lifetime.

  41. PDF by Anonymous Coward · · Score: 2, Interesting

    Have you seen what's under the black boxes in this pdf: http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

    My acrobat reader version (for linux) displays the letter, and then it applies black box overlays, so for a short moment I can see what's behind them. E.g.

    page 9 (of pdf doc - not the letter itself). ... is subscribed to Tyler S, STUMBO, DOB: ** 09-14-19xx **....

    the same applies to other black boxes (SSNs and so on).

    1. Re:PDF by Anonymous Coward · · Score: 0

      Have you seen what's under the black boxes in this pdf: http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

      My acrobat reader version (for linux) displays the letter, and then it applies black box overlays, so for a short moment I can see what's behind them. E.g.

      page 9 (of pdf doc - not the letter itself). ... is subscribed to Tyler S, STUMBO, DOB: ** 09-14-19xx **....

      the same applies to other black boxes (SSNs and so on).

      wow!, nice.

    2. Re:PDF by J111 · · Score: 1

      I can see it too!

    3. Re:PDF by Tatsh · · Score: 1

      what version? I have version 8.1.2. Shows black boxes correctly for me.

    4. Re:PDF by Anonymous Coward · · Score: 0

      > what version?

      8.1.2

      > Shows black boxes correctly for me.

      http://rapidshare.com/files/134638801/test.avi.html

      Seems like additional CPU utilization (the app dumping my desktop animation) intensifies the process.

    5. Re:PDF by X0563511 · · Score: 1

      Convert the PDF to postscript, then you should be able to either edit the postscript by hand, or use an editor to remove the boxes. The actual document is probably a jpg or other image format.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  42. Iz Ur Head in the sand? by Anonymous Coward · · Score: 0

    it NEVER WAS. What were you thinking?

  43. -----BEGIN PGP MESSAGE----- by Chris+Acheson · · Score: 1

    I bet they show you advertisements for Hushmail.

  44. Privacy is more than Encryption by Nom+du+Keyboard · · Score: 1

    Privacy is more than encryption. Who is more likely to store and hand over your IP information to anybody trying to track down the owner of an e-mail address? If they find you then they can force you to decrypt it for them - unless you want to spend the rest of your life in a cell, that is.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Privacy is more than Encryption by X0563511 · · Score: 1

      Good, they can pay for my living quarters and food for me. If they want to go around arresting people for not forfeiting their privacy, they can pay for it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  45. Encryption Question by Nom+du+Keyboard · · Score: 1

    What about encrypting the message twice with two different algorithms for better security? The question here is that brute-force decrypting a message with a computer requires some way of knowing when it's decrypted. Normally one would assume that means that you actually get reasonable message text out of it. But if the correct decryption still only gives you random appearing garbage how can you even know when stage 1 is complete and you know which cipher text to start working on as stage 2? This approach would appear to multiply the problem by the number of possible keys in stage 1, yet isn't known to be widely used.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Encryption Question by DavidRawling · · Score: 1

      This does not always increase the security of the content - or at least, not in the ways you would expect. For example, 3DES is 3 lots of 56-bit encryption (in the form Encrypt with key A, Decrypt with key B, Encrypt with key C) yet provides only 112 bits of security, not the 168 bits that might be expected.
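      The reason stacking two ciphers does not double the effective key length is the meet-in-the-middle attack, and it answers the parent's question directly: the attacker never needs to recognise the intermediate ciphertext as "meaningful", only to match it. Here is a worked example, added here and not from either poster, on a constructed toy cipher (16-bit block, 12-bit key, 4-round Feistel with the PRESENT 4-bit S-box as its nonlinear layer; all of that is invented for the demonstration). Brute force over both keys would be 2^24 trials; the attack does about 2 × 2^12 cipher operations plus a 2^12-entry table. The same bookkeeping is what caps three-key 3DES at roughly 2^112.

```python
"""Meet-in-the-middle against double encryption, on a toy 16-bit cipher.

Added example, not from the original post.  The cipher is a constructed
4-round Feistel with a 12-bit key and the PRESENT 4-bit S-box; the attack
is the generic one that caps 3DES at ~2^112 rather than 2^168.
"""
from collections import defaultdict

KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS
# PRESENT block cipher S-box (bijective on nibbles), used only as a nonlinear layer.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def _round_fn(r: int, key: int, rnd: int) -> int:
    x = (r ^ (key & 0xFF) ^ (rnd * 0x5D)) & 0xFF     # key low byte and a round constant
    x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]          # nonlinear layer
    x = ((x << 3) | (x >> 5)) & 0xFF                  # rotate to spread bits
    return x ^ ((key >> 8) * 0x11)                    # fold in the top nibble of the key


def toy_encrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _round_fn(r, key, rnd)
    return (l << 8) | r


def toy_decrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _round_fn(l, key, rnd), l
    return (l << 8) | r


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def mitm_attack(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Cost: about 2 * 2^KEY_BITS cipher operations plus a table of 2^KEY_BITS
    entries, instead of 2^(2*KEY_BITS) for brute force over both keys.
    Returns (candidate key pairs, number of single-cipher operations used).
    """
    p0, c0 = pairs[0]
    ops = 0
    # Forward half: encrypt p0 under every k1 and index by the middle value.
    # Nobody needs to "recognise" this value; it only has to collide.
    middle = defaultdict(list)
    for k1 in range(KEY_SPACE):
        middle[toy_encrypt(k1, p0)].append(k1)
        ops += 1
    # Backward half: decrypt c0 under every k2 and look the middle value up.
    found = []
    for k2 in range(KEY_SPACE):
        mid = toy_decrypt(k2, c0)
        ops += 1
        for k1 in middle.get(mid, ()):
            # One 16-bit block leaves ~2^(2*12-16) = 256 false matches;
            # the remaining known pairs weed them out.
            ok = True
            for p, c in pairs[1:]:
                ops += 2
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, ops


if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                       # constructed secret keys
    plaintexts = (0x1234, 0xBEEF, 0x0042)       # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    found, ops = mitm_attack(pairs)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("cipher ops:", ops, "vs brute force:", KEY_SPACE * KEY_SPACE)
```

      Against the 2^24 = 16,777,216 trials of exhaustive search, the attack finishes in a little over 8,000 cipher operations here, at the price of a table the size of one key space. That memory cost is the only thing the second cipher buys you, which is why EDE 3DES is rated at 112 rather than 168 bits and why "encrypt twice" is not a substitute for a longer key.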

  46. Trust no one. Nothing is safe. by Anonymous Coward · · Score: 0

    Only the Paranoid Survive. They've been working on this for fifty years- while the rest of the world was fighting gooks and commies, these men have been secretly negotiating a planned Armageddon.

  47. Is anything still safe? by Anonymous Coward · · Score: 0

    This will unmask the black boxes.

    pdf2ps steroids.source.prod_affiliate.25.pdf

    perl -pe 's/^\d+ \d+ \d{3,10} \d+ rf$//' < steroids.source.prod_affiliate.25.ps > original.ps

    Just feeding the file into the perl and outputting the result.

  48. Actually, Gmail has it built-in by Jeremy+Visser · · Score: 2, Informative

    As of just over a week ago, Gmail has a built-in option for forcing HTTPS. See the official blog entry regarding it.

    To enable this, you can do this:

    • Log into Gmail.
    • Click Settings.
    • At the bottom, tick "Always use https".
  49. If it's a company based in the US, forget it by Casandro · · Score: 3, Insightful

    Seriously if it's a commercial company based in the US, forget about security. They can easily be pressured to do everything the government wants.

    If you want security you have to do it yourself. Install Gnu Privacy Guard and encrypt all your e-mails. Then use Tor hidden services to set up your own e-mail servers to be sure your traffic information will stay private.

  50. FireGPG writes plaintext passphrases to disk by DamnStupidElf · · Score: 1

    Since Mozilla plugins have a braindead interface for calling other programs (no way to directly work with file descriptors) it's impossible to securely pass the passphrase into the gpg executable without either sticking the passphrase on the command line (which shows up in process lists, etc.) or writing it to disk and redirecting the file to standard input when running gpg. FireGPG opts for the temporary file method. Look at ./content/cgpgaccess.js for details.

    The upshot is that it's stupid to use FireGPG on any untrusted computer, or any computer where you might at some point lose control of the disk, since it probably has both the encrypted private key and the passphrase on it somewhere. The temporary passphrase files aren't even wiped before they're deleted, at least as of revision 454.
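    The alternative the parent alludes to, handing the passphrase to gpg over a file descriptor, is what gpg's own --passphrase-fd option is for, and it is easy to do from any language that can spawn a process with an inherited pipe. The following is an added example in Python, not FireGPG's code: the secret is written into a pipe before the child starts, and only the descriptor number appears on the command line. The stand-in child is plain sh (so the example runs without gpg installed); the gpg argv builder shows the real-world shape and its file name is an assumption.

```python
"""Hand a passphrase to a child process on a dedicated file descriptor.

Added example, not FireGPG's code.  This is the mechanism gpg's
--passphrase-fd expects: the secret travels through an inherited pipe,
so it is neither in argv (readable via ps or /proc/<pid>/cmdline) nor on disk.
"""
import os
import subprocess
from typing import Callable, List, Tuple


def run_with_secret_fd(build_argv: Callable[[int], List[str]], secret: str) -> Tuple[str, List[str]]:
    """Spawn the command returned by build_argv(fd) with `secret` readable on fd."""
    if len(secret) > 4096:
        # The secret is written before the child exists, so it must fit in the
        # pipe buffer (64 KiB on Linux) or this write would block forever.
        raise ValueError("secret too long for a pre-filled pipe")
    read_end, write_end = os.pipe()
    try:
        os.write(write_end, secret.encode() + b"\n")
    finally:
        os.close(write_end)          # child reads the secret, then sees EOF
    try:
        argv = build_argv(read_end)  # only the fd *number* goes on the command line
        proc = subprocess.run(argv, pass_fds=(read_end,), capture_output=True,
                              text=True, check=True)
    finally:
        os.close(read_end)           # parent drops its copy once the child has it
    return proc.stdout.strip(), argv


def gpg_decrypt_argv(fd: int, path: str = "message.asc") -> List[str]:
    """Real-world argv shape (the path is an assumption).  GnuPG >= 2.1 also
    needs --pinentry-mode loopback for --passphrase-fd to be honoured."""
    return ["gpg", "--batch", "--pinentry-mode", "loopback",
            "--passphrase-fd", str(fd), "--decrypt", path]


def echo_length_argv(fd: int) -> List[str]:
    """Stand-in child (plain sh, no gpg needed): read the secret from the fd
    and report only its length, proving it arrived without touching argv."""
    return ["sh", "-c", f'IFS= read -r pw <&{fd}; printf "%s" "${{#pw}}"']


if __name__ == "__main__":
    out, argv = run_with_secret_fd(echo_length_argv, "correct horse battery staple")
    print("child saw", out, "bytes; argv was", argv)
```

    The same pattern works for any tool that accepts a descriptor number (ssh-askpass-style helpers, openssl's -pass fd:N). What it does not fix is the point the parent raises about untrusted machines: the passphrase still lives in the memory of both processes, so this closes the process-list and on-disk exposures, not a compromised host.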