The Crypto Project Revives Cypherpunk Ethic
Trailrunner7 writes "When a small group of activists announced the debut of The Crypto Project earlier this year, for many, ahem, mature, security and privacy advocates it brought to mind memories of the original cypherpunk movement that began in the 1990s and that group's seminal efforts to encourage the use of strong cryptography and anonymity online, as well as its successes and failures. The two groups are not allied by anything other than ideology, but The Crypto Project's leaders are aiming to follow in the footsteps of the cypherpunks, build on their accomplishments and make security and privacy tools freely available to the masses. The group is working on a number of projects right now, including setting up an anonymous remailer, putting up a Convergence notary and setting up a Tahoe-LAFS grid. Threatpost has an interview with Sir Valiance, one of the leaders of the project, who talks about the need for better privacy and anonymity online and why the cypherpunks are still important today."
The day I could no longer log in to the NYT site with the credentials "cypherpunk:cypherpunk".
Ah. Innocence so fragile. How soon it departs...
"Flyin' in just a sweet place,
Never been known to fail..."
won't that just get used for spam?
That will never be possible when you're on their wire. never never never... The entire concept is absurd.
For justice, we must go to Don Corleone
to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.
Ah, but to defeat Tor or encryption, it doesn't have to be made impossible - it just has to be made so as to be not trustworthy. So let's say a friendly agency captured a few (or more) Tor nodes, and co-opted a few root certificates (ahem, Iran). These tools don't have to be defeated 100% of the time, they just have to be defeated in principle for them to crumble.
It's sort of like privacy terrorism - the targets are largely symbolic rather than practical, and the goal is to instill fear rather than defeat in a straightforward manner.
And then people will come up with some way around that, like adhoc wifi networks or something of that sort.
Which, I fear, would allow an even easier avenue of attack for certain organizations who like to do that. Anything ad-hoc has to be able to find a way to trust something it's never met before (by definition). That's prone to attack too. There are advantages and weaknesses to both centralization and decentralization.
Encryption isn't good enough to stop extraordinary rendition. The government essentially views anyone who uses encryption in an ubiquitous opportunistic way as a terrorist. Encryption didn't protect Bradley Manning from Adrian Lamo. Encryption will only force the governments to rely on informants, which means the government which can't break your code will focus instead on breaking you.
So if you don't give up your key, prepare to be tortured until you do. That's how code breaking actually works. Also prepare to be burglarized, keylogged, surveilled around the clock, dumpster dived, and generally treated as a member of a mafia or terrorist group.
If you want an idea of what it's like, here you go http://www.jbhfile.com/harm_gang.html
"... Pakistan has now officially told all of the country's ISPs that they need to block all encrypted VPNs since content running over such services cannot be monitored by the government."
It is not only Pakistan's government that has interests like this, but also the US and the EU (and every other government). They justify spying, eavesdropping, wiretapping and backdoor-peeping with fighting criminal activities, move over to terrorism and end up with the dilemma that it gives them the power to extend these activities unnoticed to every citizen for their own benefit.
Then we have arrived at a totalitarian state of the type the West & NATO (US and UK mostly) criticized and fought in the form of the Soviet Union and their allies, using the same oppressive methods improved by digital technology!
With the Kindle, the observation of the citizen in his very home, like in 1984, has become a reality!
What they should do is develop some email client that is absolutely better than any other that ever existed, one that supports encryption in a very, very easy, intuitive way, and make encryption a default configuration option in that new, super awesome client. Then lots of people would use encryption. And after well nigh every Tom, Dick and Harry is using encryption, no one will be deemed a suspect just for using encryption.
DNS hijacking (DHS doing MAFIAA a favor)
Unreliable CA (all over the world)
Online censorship (in China and Australia)
Spying on citizens to different degrees (from "surfing history only" - in EU and Australia - to "everything that goes online" in Iran)
With hundreds of millions not caring enough to protect whatever identifies them on Faecebook, G+ and others.
Questions raise, answers kill. Raise questions to stay alive.
poor fbiiiii
France went through this phase themselves. You could use only trivially broken crypto. They got over it. It will be interesting to see what happens in Pakistan.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Better Than Nothing Security. Its lack of implementation is helping deep packet inspection everywhere.
Except Amazon erased my copy of 1984, so I have no idea what you're talking about.
John
It would be interesting if a semi-rogue group like this implemented a virus that would propagate and install browser plugins like (defunct) firegpg (and similar for email clients, depending on what the user uses), generate keypairs, and submit them to a central key authority, and then just start encrypting people's emails for them. True, to do it transparently, the keys would have to be stored clear on the users' computer, but even still, it would be a huge boost in privacy.
Mr Kaspersky's empire is propaganda @ Threatpost
Such articles are pro internet ID and anti anonymous and pro establishment cyber-what-ever-the-fuck-emergency-de-jour is. I hate their site; it reminds me of fucking CBS.
I suggest h-online instead
http://www.h-online.com/security/
I was a subscriber on the cypherpunks list in its heyday until the signal to noise ratio put the list out of commission. At the time, the thing that scared people the most was the Clipper chip, and the second boot that would drop, forcing all encryption to use it. That, and ITAR regs.
At this time, people would actually take the time to write a reply, encrypt it manually using PGP, and send it. These days, PGP can be accessed via a couple right clicks. We also have the option of better security as well, especially with smart cards that private keys can reside on, where even if a computer is compromised, key material can't be obtained.
Maybe it is time to go back to some of the concepts that were discussed back before Eternal September. One of those sounds passe, but can be useful -- a PGP keysigning gathering. Done right, people do not have to bring any computers to the party, just a paper in hand with a printout of people's public key IDs and fingerprints, and as people mingle, check off keys that are printed, and are vetted to your comfort level. Afterwards, go home, sign their keys and distribute them to keyservers.
Over the years, we have lost a lot of PGP keyservers. Right now we have Symantec's keyserver for commercial use, MIT's, and a couple on pgp.net. Ideally, we should have more nodes that replicate with each other.
I mean the old-style keyserver (as opposed to the style where one can delete a key explicitly) -- the ones where there is no way to delete a key. A key can be revoked and the revocation cert propagated, but once uploaded, a key will propagate among replicating servers. This, plus some other anti-tamper mechanisms (such as validating keys and WoTs) would help ensure that a compromised keyserver won't affect people using keys for their WoT. Since the keyserver is not a CA, it doesn't need to be trusted as much, especially if there are some integrity checks used such as checking signatures and key fingerprints.
The ironic thing is that going back to having PGP signed/encrypted E-mails and other traffic would make life easier for all parties. If a company needed to be able to recover encrypted E-mails, that is what an ADK [1] is for (with MUAs putting up a warning that they will be encrypting to one.)
[1]: I've encountered people who confused an ADK with key escrow. Those are two completely different mechanisms. An ADK makes sense for a firm that is under Sarbanes-Oxley or other regs mandating retention of communications.
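The fingerprint check that the comment above relies on, shown as an added example that is not part of the original thread: the key downloaded from a keyserver is hashed and compared with the line checked off on the key-signing sheet before it is signed. It assumes version 4 RSA keys as defined in RFC 4880; the function names are illustrative and the key material is a constructed toy value, not a real key.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_packet_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the body (RFC 4880, 12.2)."""
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The long key ID is the low 64 bits of the v4 fingerprint."""
    return fingerprint[-16:]

def as_printed(fingerprint: str) -> str:
    """Group the hex digits in fours, as on a key-signing party sheet."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))

def matches_sheet(sheet_line: str, downloaded_body: bytes) -> bool:
    """True only if the downloaded key hashes to the fingerprint vetted in person."""
    vetted = "".join(sheet_line.split()).upper()
    return len(vetted) == 40 and vetted == v4_fingerprint(downloaded_body)

# Constructed sample values: a toy 1024-bit odd number stands in for an RSA modulus.
CREATED = 1317427200
TOY_N = (1 << 1023) | int.from_bytes(hashlib.sha256(b"constructed").digest(), "big") | 1
GENUINE = rsa_packet_body(CREATED, TOY_N, 65537)
SWAPPED = rsa_packet_body(CREATED, TOY_N + 2, 65537)  # key substituted by a bad keyserver
SHEET_LINE = as_printed(v4_fingerprint(GENUINE))       # what was checked off on paper

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("swapped", SWAPPED)):
        fpr = v4_fingerprint(body)
        verdict = "sign" if matches_sheet(SHEET_LINE, body) else "do NOT sign"
        print(f"{label}: key ID {key_id(fpr)} -> {verdict}")
```

Because the fingerprint is recomputed locally from the key bytes, a keyserver that returns a different key under the same name fails the comparison, so the server itself never has to be trusted.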
And have you actually seen anybody doing stenography the last decade or two? Those people have been pretty much invisible since the Cypherpunks movement started - they were part of one of our great successes, Silent Trystero's Typing Pool...
Stenography is different from what court reporters do, though both of them are trying to capture speech in real time. It's a shorthand version of writing that a well-trained secretary could use to capture notes that she'd then type up, and Dictaphones were a technical alternative. (I don't watch Mad Men, but they probably had somebody on there doing shorthand, as well as fetching coffee and smoking cigarettes in the office.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Since you missed it above, the word you're looking for is steganography.
The web of trust can also be attacked by terrorists. In order to expand beyond a single city, a dense web of trust requires air travel in order to get participants to and from key signing parties far from home. Over the past decade, terrorists have been successful in convincing national transportation regulators to adopt security-theater measures that end up reducing the likelihood that a given person will fly and thus reduce the appeal of extending your web of trust at foreign key signing parties. This creates bottlenecks in the trust flow at those people who regularly attend international conventions, such as leaders of prominent free software projects, and those bottlenecks can be attacked much like a CA can be attacked.
I2P provides the anonymity layer for the filesystem.
Usually results in PGP being cracked. So just telling everyone to use PGP will only make the government rely more on wiretaps, bugging, keyloggers, hacking into your computer and waiting for you to type your passwords, and only when all that fails, physically raiding you.
No, I actually was talking about stenography, as was CryptoJones, more or less (though we were also making fun of the people who'd used that term instead of steganography.) It's becoming a lost art, but some of the older folks here will remember those Gregg Shorthand books, and typing pools.
With Steganography, some of the interesting directions to look are how to hide stuff in various video formats, both from the standpoint of how much you can hide from programs and also how much you can hide from visual perception.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks