Ask Slashdot: Echelon Protection?

An unidentified submittor had a worthy question and I want to submit it to you all for discussion: "How confidant should we be in private sector encrytion as a defense against ECHELON intercepts. The NSA probably has toys we will never hear about. Can we really trust PGP and FreeSWAN to defend personal and corporate data from the spooks? Should corporations begin hiring encryption experts to defend their data stream?" Slashdot has covered Echelon before, and in the midst of all the recent concern from Congress one can only sit and wonder how long it is before 'privacy' (or if you prefer, the illusion of privacy) becomes a thing of the past.

RE: NSA Tactics...

I used to be in the US Army... in USAEUR (Germany)... in the Intelligence field... I was aware of some of my former instructors who did some covert stuff for NSA and other intelligence agencies. Someone once told me that in cities like Cincinnati, in some rooms, there are computers that capture voice communications (most likely, the conversations span across international borders. Funny, when I was in, we were supposed to stop recording conversations when we either heard mention of a US citizen's name or one of us Americans speaking (on military channels). In fact, for my TS security clearance, no other than NSA agents interviewed me in Basic Training and then did background checks at my high school. Unless you take into account of the Democrats pursuance for encroaching into our private lives, I think that NSA (and CIA) are focusing upon industrial espionage. Nonetheless, I did hear of a US professor (specializing in Cryptography) that had a court injunction against his publishing the DES protocol. I believe that he later got permission (3+ years later). Other than that, I can't go into any operational details of my military duties, as I signed a statement that could find me liable for making certain statements. Take a gander at a book called, "Puzzle Palace". It has some interesting things inside (nothing too revealing, unless you're talking about secure document headings, etc.).

doubt ->Re:Strong Cyrpto would protect you.

I am not a crunch head, but it seems like *non-differential*
cryptoanalysis could be working for the 3-letter-agencies.
Wasn't there some fast card sort code floating around? I am imagining
a giant dictionary of cypher text made with all/most of the keys
and then just trying a match based on some clever known clear
text type attack. This method would be too expensive to use
in an echelon type system, but would crack PGP/GPG/RSA stuff if it
was found by echelon and from an interesting source.

With the above possible, the NSA could just be trying to slow
PGP use down because it is not possible to crack _everything_
all the time. In the past, the U.S.A. has been able to crack any
code. The Nazis were cracked early in WWII.

** On the flip side, can any /. folks enlighten us on elliptical crypto?
One of Steve's pals came up with it. It is supposed to be stronger than PGP.

Re:doubt ->Re:Strong Cyrpto would protect you.

[samiladanach]

IMHO, the most amusing "weakest link" that I have ever heard of was also during WWII, only in the Pacific. It seems that someone picked up a piece of carbon paper out of the water, and that carbon happened to have been used several times by the secretary of some Japanese admiral. Unfortunately, I can't quote sources, but the long and short of it was that this sheet of carbon paper had all sorts of goodies - and was obtained in a very providential way. So it is most likely that which you are not now able to see that will come back and bite you in the ass. As is mentioned before, NSA strengthened DES against a type of cryptanalysis that would not be "discovered" for years yet.

-Chris

Re:doubt ->Re:Strong Cyrpto would protect you.

[PureFiction]

The 'dictionay' you are talking about to store all keys would be prohibitively large. It is not possible for even a fraction of the 2^128 keys possible with 128 bit encryption.

As for elliptic curve cryptography, this is a relatively new type of public key crypto. These algorithms are thought to be more resitant to cryptanalysis than RSA, which is used in PGP.
Specificaly index calculus discrete logarithm attacks will not work. Also, they tend to be faster and require smaller key sizes than comparable public key cyphers like RSA.

Reference: Applied Cryptography Vol2

Re:doubt ->Re:Strong Cyrpto would protect you.

[mjg]

In the past, the U.S.A. has been able to crack any code. The Nazis were cracked early in WWII.

If you are referring to the Engima machine, you are completely wrong. The US wasn't involved with the deciphering project until 1942, for a start. And although the Polish had discovered how to crack Engima ciphered messages from 1932, it was not until very late in the war that the British were able to regularly decode a large number of intercepted messages. Alan Turing was the chief designer of the 'Bronze Goddesses', which helped calculate the keys used with the Enigma machine.

And do not forget that the Germans also had 'Secret Writer' (known to the Allies as 'Fish') which was far more difficult to decipher than Enigma, and led to the creation of the first electronic computer, 'Colossus', built by a Cambridge mathematics professor and a Post Office engineer. Colossus didn't start working on ciphered messages until 1943.

I would not consider this 'early in WWII', and the US contribution to the effort came quite late, compared to the Polish and British, who had been working in various forms since the early 1930s, and set up Bletchley Park as a central location for cryptography work.

And a big part of the reason why Enigma ciphers were broken was not the fault of the code itself, but the poor training and laziness of the operators who often used insecure keys and 'known' words.

As you will have heard people say before, security is as strong as it's weakest link. Often you will find than lazy or poorly trained humans will be a weaker link than anything else. Why have a fantastic cipher if the user is going to enter their passphrase via cleartext telnet?

Re:doubt ->Re:Strong Cyrpto would protect you.

[paul+r]

The amount of data that you would have to stored to have a useful dictionary is mind boggling. Suppose that the people you want to listen to use just 1024 bit encryption. According to the prime number theorem the frequency of primes among the numbers near m is about 1/log(m). For 2^1024 that's about a prime every 308 numbers. 2^1024 is 1.88*10^308. That's about 6*10^305 primes. Can you say the volume of the universe in cubic centimeters and still not be close?

That also assumes that you know exactly what they will send. Using any good system "Attack at dawn." will encrypt to something totally different from "Attack at dawn!" A dictionary attack is almost totally worthless with a well designed system.

The real attacks will not come against the math but against the implementation or the people using the system. Check out Why Cryptosystems Fail

Re:doubt ->Re:Strong Cyrpto would protect you.

[paul+r]

Sorry, I must have just taken a big toke off the old crack pipe when I wrote the first paragraph of the last message. According to Applied Cryptography a 1024bit public key is about as secure as a 90 bit symmetric key which is still a hell of a lot of messages to keep around.
You can't compare public keys like I did.
oops

Just bob ;-)Re:This should be a dilbert cartoon...

Naaa....that's just bob young and the
Red Hat Black Ops ;-)

The /. effect

Want to fuck with the Echelon project? Put the words "nuclear technology transfer funding" in the subject line of all of your email and encrypt it.

You're onto something. If everyone did this, then perhaps we could overload their abilities to snoop.

-Nuclear technology transfer funding.

Re:The /. effect

[shogun]

Everyone used to do this years ago, by putting a .sig with a whole lot of 'interesting' keywords in it on every usenet post.

Re:128-bit keys

Consider this:

The NSA has a nice budget and talented people. They probably have the budget to build an entire computer on a single plate of semiconductor -- ram and all --, cool it to superconduct and link it in parallel clusters. Also they dont design general purpose processors, they design code cracking machines.

I would imagine that they are on the level of "wow!" that surrounded the Manhatten project in the 40's. Optical processors anyone?

Re:Sigint to noise ratio

Better yet, put "nuclear technology transfer funding" in the subject line, and then a stream of random text.

Perhaps 'they' would make a key/cypher scheme up to make it say what 'they' want.

Re:nothing to fear, except fear itself

Local officals are a million times more likely to just raid your house and use "find" rather than try to tape your phone line. In fact I've never heard of a single case where local officals have tapped a modem-line and decrypted a message. It's much easier, cheaper, and faster to go straight to the source. This leads me onto something I been looking for for a while - an encrypted hard drive partition that when I save/read files to it they are automatically encrypted/decrypted. Of course the security of this relies upon what you use to unlock this partition on boot up - password/ Private Key on Floppy - Smart Card (Preferred) - 2 factor Token .... Perhaps even just a dedicated Encrypted File Server box that is either NFS mapped to your workstation (Or Samba). If the channel can be sniffed then use IPSEC between workstation and server. Any ideas ??? Any software that is close to this ??? Shaun

P != NP

P (problem can be solved in polynomial time, t^n, where n has to do with the size of the problem)
NP (non-deterministic polynomial, algorithm will succeed only sometimes)

There are examples of NP problems that are clearly not P. NP is harder than P.

Re:P != NP

Nice to see there are people who know about theoretical computer science :-).

The P ?= NP question doesnt have to be solved to break through popular public-key encription based on factorization of large numbers. While this problem is certainly in NP, it is unkown whether or not it is NP-complete. (NPC basically means that it is as difficult to solve as any other problem in NP). The fastest known deterministic algorithm for factorization of an n bit number runs in O(2^ n/n), which means that for 1024 bit codes and above, our sun will collapse before any conceivable computer would break the code using this algorithm. However, is has also been shown (dont know the referance on this one, sorry!) that factorization lies in QP, which is polynomial time on a Quantum Touring Machine. Specifically, factorization on a QTM is solvable in O(n^2).
In light of recent developments in the field of quantum computers, namely quantum registers and quantum logical gates, the most interesting question that all crypto-experts must ask themselvers these days is whether a quantum computer will become feasible in the forseeable future. If the answer is yes, then all crypto-algorithms based on factorization (and dicrete logarithms) will be worth less than a 40 bit DES cipher is worth today in terms of security.

Micha

Re:P != NP

[MatanZ]

Even if P=NP, it might not help to solve the actual problem of factroing small numbers (as in no more than a few millions of digits).
Suppose I prove P=NP by giving a Turing machine that factors a number of n digits in A(6)n^2 steps (where A(6) is Ackerman function of 6), how do you use it to factor a 2048 bit number in a reasonable time?
(Actually, I have a proof for the existence of such a machine, but the margin is too ... )

Re:P != NP

[hpa]

Uh, could you give such an example? It's probably worth a Turing Award at the very least.

In case you didn't know, P ?= NP is probably the biggest unproven assumption in theoretical computer science today. Although it is widely believed to be true, noone has succeeded in proving it.

Furthermore, your definition for class NP is wrong (your definition instead most closely applies to a different class often called RP); NP is most easily described in the following way: if you are given a solution, you can verify that it is indeed a true solution in polynomial time.

In addition, your definition for polynomial time is wrong! Polynomial is time n^k where n is the size of the problem, and k is a constant; not k^n which rather would be exponential time (class EXP). For exponential time, it has been proven that EXP = NEXP; i.e. that nondeterminism buys you nothing when you have exponential time to play with (because you can simply enumerate all the possibilities and try them all.)

Now, public-key cryptography (but not traditional cryptography) relies on the assumption that P != UP, where UP is the class of problems solvable in polynomial time on something called a unambiguous nondeterministic Turing machine; UP is a subset of NP and a superset of P. The assumption P != UP is actually stronger than P != NP.

It is widely believed that P != UP != NP, but neither has been proven.

Reference: Papadimitriou, Christos H.: Computational Complexity, Addison-Wesley, ISBN 0-201-53082-1. Excellent book.

Re:Another Question, or two...

Network Associates has such a thing. Nice GUI, plugins for Eudora and Outlook. Also has 4096-bit security in v 6.0.2, which is an awful lot.
Get it from http://www.pgpi.com (note the i)

Quantum Computer & DNA Computer

Anyone notice the recent breakthrough
in Quantum Computer at NEC. May be those NSA fucker have built their own Quantum toys. If it was the case, then no matter how many keys u use to encrypt, it can be decoded pratically.

What about using DNA to do the maths ...

We should check with Echelon to see they intercept any NSA secret on that!

Re:nothing to fear, except fear itself

CFS, Cryptographic File System. I use this on my laptop in case it be stolen.

Check out www.replay.com/redhat and then the cfsd RPM. It is kind of low performance, as you should expect, but should keep your data safe. ("LILO? What the hell is that?" "That's funny.. All these Linux files have names like 87a8fc89dadf0." )

Re:Sigint to noise ratio

Maybe use NSA as the input to a zeta function? Then send that?

Re:Talent at the NSA

Supposedly, the NSA knew about public-key encryption (the stuff that makes it work), *before* the academic world knew about it.

Re:A bit paranoid, aren't we?

No, The US Government is a threat. I have a sense/right of privacy. That is not illegal as yet.

I know people that do drugs and if I'm writing about a party I went to, I don't want that used against my friends. There are so many things people I know do, which are illegal. It's unreal. All of my cassette collection is illegal, mp3s are illegal. Copying software is illegal. I'm hard pressed to find any one under forty who strictly speaking hasn't commited two or three felonies.

This is not a reasonable country, in two days black over coats could be illegal. And when thats over turned, they could just keep you for everything else.

Your just assuming that they are not going to filter down to all the little people, but they will when they can. The US is not building schools as fast as they are building prisions. Crypto is important because what they can't do now, I don't want them to be able to do to my children.

Conspiracy Theory

Some believe NASA faked the moonlandings because they couldn't have to tech to get there. Some believe the NSA is so far ahead of the crypto game that they look over their shoulder all the time.

NSA is government so it's acronym should probably stand for 'Not So Advanced'. Okay, with that kind of money they can screw up an aweful lot and still be on the front side of the curve, but really, if you're concerned about them, you're just paranoid... even if they are out to get you.

Re:Conspiracy Theory

[nuts]

Some believe NASA faked the moonlandings because they couldn't have to tech to get there. Some believe the NSA is so far ahead of the crypto game that they look over their shoulder all the time.

Ok, that is plain paranoia, right.

NSA is government so it's acronym should probably stand for 'Not So Advanced'.

Huh? I hear you say "US Army is government so it's acronym [...] stands for 'Not so Advanced' ".

And that's plain wrong.

If you're concerned about them, thats not paranoid. Being concerned is, IMHO, our duty, and we should give the average users a slight idea about whats going on.

I am surprised that ppl, that are not so much into computers and stuff know almost NOTHING about NSA, crypto and so on. You almost never hear anything about that on TV, Newspapers...

I am concerned, not paranoid. There's a difference.

nuts


-----

Re:Sigint to noise ratio

It does apply if the amount of work suddenly increase by 3-4 orders of magnitude because a lot larger percentage of the messages are encrypted - even if it is with keys that are short enough to break.

That's the whole point. You'll need huge keys to be sure that they don't crack it. But if the only messages being encrypted are the ones that are of value for NSA, then they will throw enough resources at it. But what if everyone starts encrypting? Suddenly it will be a whole lot more difficult for them to determine which messages are interesting enough to warrant further inspection.

If you manage to up the volume of encrypted messages 1000 times or even more, and all of the extra volume is just uninteresting garbage, then you'll make them waste huge resources.

Also, if you ever really need encryption, think about it: Maybe it's time you start using encryption for even the most trivial messages - if you do, chances increase a lot that they'll decrypt a few messages, finding only garbage, and decide you're one of those privacy nuts, and ignore you.

Another issue is that it seems like it's time to start deploying mailservers that use SSL or similar internally. Combine a totally encrypted channel point to point (extensions to SMTP and POP3/IMAP) with encryption of the actual email, and we start getting some privacy.

It's not just about govt secrets

One thing that's important to remember is that we're in a post-Cold War world, where the military users of a system like Echelon take a back seat to commercial concerns.

While it's easy to imaging spying, nuclear arms trading and such fun as the target of it, it's much more likely that the data gathered is used for economic gain. Remember that the french and british have no compunction about using it for this, and the americans pay lip service to 'fair trade'.

All those spooks have to justify themselves somehow. Echelon is a very, very dangerous thing, if misused like some evidence suggests. That's what all the fuss is about.

Re:It's not just about govt secrets

[Zappa]

Well, AFAIK there are quite a few known cases of industrial espionage in the last years, none of them was brought in contact with gouvernmental acions. But on the other hand it has been stated by various highstanding people, that the advance in technology in fact *is* a matter of national security....
At least I would hope, that the Echelon project and that are not used together, this would mean that all commercial data transfer could be checked for buseness secrets which will be abused ba American comanies.
According to the german CT magazine, there are a few cases known, where transmission of engineering data was spied and tha plans have been patented in the US right after. Noone mattered that the original companies Logo was still on the drawings ....

At least the keep me thinking and we should stay aware ....

If its got a value: Encrypt ASAP (as strong as possible)

Best wishes !

Re:Privacy isn't about shame. It's about the balan

Heh.. I won't get into the debate on whether "communist" governments ever have existed (we'd probably never agree) - I'll just call the governments I expect you are referring to as stalinist instead...

This isn't a matter of stalinist governments ability to understand symbolism. It's about an inherent problem with censorship. If a stalinist government tried blocking everything that might have a symbolic meaning that ridiculed them, they would make biggert fools of themselves than the writings did.

The same holds true for any authoritarian government. When the nazis invaded Norway the spring of 1940, there was a fairly active opposition right away. Apart from the armed underground resistance, one of the things that kept things going, was people constantly making fool of the nazis.

The game was easy: Whenever the nazis issued a decree to stop people from wearing some type of symbol, we introduce a new one. Make them make big fools of themselves by seeing resistance symbols everywhere. Some of the examples included wearing a paperclip or a match visible on your jacket, and other small things. Can you take a government that pass a law against wearing a paperclip seriously?

Another way people made fun of it, was through plays where you instead of "hidden" symbolism were seemingly overly friendly to the Germans. People made a big issue of German culture in general, and nazi ideology particularly, in a way that to the nazis seemed like a tribute, since they agreed with what happened on stage, but that to everyone else was hilarous.

How can you take a short little man with a Chaplin type moustache that march around and raises his right arm all the time seriously?

The point is that you can a regime can't stop something that, for a "believer", is a blatant tribute to them, without seeming like complete idiots even to their own people. And it can't stop everything that might be interpreted as symbolising a struggle against them, since almost anything can be interpreted any way you want, and the more innocent things they stop, they'll also end up looking like idiots.

And looking like idiots isn't a got thing to an authoritarian regime. Looking like a big, mean, bully? Sure. That makes people scared, and keep them in place, even if they think your ideology is stupid. But if you look like a complete idiot, people will start thinking that maybe crossing you isn't as dangerous after all - since they'll think that you obviously have no grasp of reality.

Re:invalidate the results

You're making the (wrong) assumption that all governments would want to jail you for stopping NSA... There's lots and lots of governments that don't like the US at all out there, you know...

Re:I can successfully brute force any key...

It depends on the encryption algorithm. Specifically, it depends on whether the algorithm used defines something that mathematicians call a "group". If your crypto algorithm defines a group, then multiple encryption is non-productive, because there is always an equivalent single encryption.

However, if the algorithm does not define a group, then multiple encryption may increase the strength, as there may be no equivalent single encryption. This is why triple DES is more secure than regular DES. Evidently the DES algorithm does not define a group.

IANACryptologist
IANAMathematician
IANAAnonymousCoward, just too lazy to log in.

--
nathan wagner
nw@hydaspes.if.org

Re:nothing to fear, except fear itself

If only those with something to hide use strong (>2048 bit) encryption, it is massively easier to determine who has something to hide. And knowing who has something to hide can be almost as useful as knowing what they are hiding.

So, help people sell nuclear weapons (or whatever) and strongly encrypt your mail.
--
AFNI

Hi. Im the signature immune system. Why dont you copy me into your .sig?

Re:Sigint to noise ratio

Communications worldwide have been increasing so rapidly that NSA has *much* more stuff to listen to than they did ten, twenty, or thirty years ago. In those days most people would think twice before calling long-distance, and email was called "Telegrams" and arrived on flimsy paper.

Now just accessing the slashdot home page moves more data than the average town's telegraph office moved in a day. Millions regularly broadcast their conversations on walkie-talkies quaintly called "cellphones" and "portable phones". Each geosync satellite has several big antennas listening to every bit it transmits. Every undersea cable is tapped. There is even a network of microphones scattered underwater all over the world, which pick up ship and wildlife noises and send them to the spooks for analysis of Soviet submarine movements. (This was somewhat declassified a few years ago, and they now give filtered data to marine researchers listening for whalesongs and etc.)

As long as the volume of unencrypted communications continues to grow, there'll be plenty of hints for the spooks to pick up. Perhaps they can't listen to your super encrypting cellophone, but they know ever time you move it to another cell! They know who talks to who because your phone calls are surrounded by billing info that goes in the clear.

I believe that widespread deployment of FreeS/WAN will protect its users against Echelon style wiretapping. That's why we're working so hard to make it automatically encrypt traffic to any other FreeS/WAN site without needing anyone to sysadmin it. (We aren't there yet.) It won't protect against traffic analysis though -- you'll need anonymizers for that, such as the Navy's Onion Routing, Zero Knowledge's "Freedom", etc.

I agree with the poster who said that even 40-bit crypto would, if widely deployed, hurt NSA's ability to scan for keywords. (Wouldn't hurt their traffic analysis tho.) But if we're going to all the effort to widely deploy crypto, we might as well protect against active, targeted wiretaps as well as against Echelon-style passive "vacuum cleaner" wiretaps.

Re:Open Source...

Open source definately helps and overcomes *one* potential weak link. In practice most people use what is presented to them and the NSA relies on that (see Lotus Notes and Swedish government debacle). All major software today has an NSA backdoor, but people aren't going to give up the convenience of their favourite applications in exchange for the added security.

The way to get around Open Source is to flaw the algorithm. Even if it's perfect in theory, it's not difficult to flaw the implementation to introduce a weakness that can be exploited. No-one but an experienced cryptanalyst will be able to detect this.

When it comes down to it, you have to trust someone...

Re:This should be a dilbert cartoon...

Perhaps you haven't read the billions won/lost mentioned in the report?

Re:Sigint to noise ratio

Here's what I have in my current .signature:

--
http://nils.jeppe.de/ - --------------------------------------------- -
Echelon Bait: Bioweapons, China, Guns, Assasination, President, Militia


Do you think that's good enough? I don't encrypt, however, because most people would never be able to decrypt.. ;-(

Re:Strong Cyrpto would protect you.

Shamir just published a paper on a machine which can crack a 768 bit asymmetric key in reasonable time. This suggests that 1024 bit keys are perhaps just out of reach but aren't secure for the long-term.

Re:Sigint to noise ratio

You're right, most people can't decrypt. This is because it's not built in as standard, and until it becomes de facto the NSA are going to continue to do as they please!

Re:Another Question, or two...

Good question. There will always be a weakest link, no matter how much you tighten each one. The current solution is to use a large asymmetric key for transmission (2048 bit normally), and then store this key encrypted locally using a symmetric key (128-bit).

Thus your key is stored encrypted on your drive. When you want to send an email, you type in a password which then decrypts your key. This key is then used to encrypt the email.

Re:Sigint to noise ratio

If sending and/or composing mail in Emacs, use the spook command. Emacs people are thinking about NSA for a long time. I like it most when it says also "Hello to all my fans in domestic surveillance".

Re:Some Issues in This Regard

Some more details to follow up the previous follow-up. Lotus encrypt half the key with
the NSA public-key. Thus only the NSA can crack the messages in reasonable time. They claim this is more secure than simply crippling the security (phhst, yeah right). It also checks that you have used the NSA key in a challenge/response to stop you trying to patch the program.

Re:A bit paranoid, aren't we?

What planet are you on? How do you think the top executives keep in contact? Echelon has proved to have been used in winning billions of dollars in business. Electronic espionage is live and well. This is currently the greatest threat.

Oh, and enjoy the benign government whilst it's there. Then imagine what the power could do in other hands (eg China)...

Re:For the truly concerned (read: paranoid)...

It's a well known truism that security through obscurity is worse than none at all. The NSA have documents on every security type. If they detect a stray radio wave, they can instantly identify it (be it an encoded transmission or simply interference from a nearby central heating system)

Re:a few points to consider...

a) there is no reason to ever send an decryption key to the recipient since the advent of Public Key Cryptography. Verifying you have the genuine PK of the recipient is another problem...

b) you will never be safe if targetted individually by the government, but if everyone used encryption it would prevent them from mass trawling through all citizens emails to try and put them on hit-lists

c) don't bother inserting junk. Just compress the data first and encrypt using a well-tested algorithm with appropriate key-length (having checked against 'weak keys')

Re:Decoy packets! Scriptkiddies useful? Naaah.

Like the 'net isn't slow enough already? Better off making the NSA and Echelon publically accountable.

Re:NSA

There was a guy here at CMU who was working on data recovery from hard drives was shut down by the NSA as well.

Re:Sigint to noise ratio

Wouldn't it be funny if the guys at the NSA were sitting there in Ft Meade reading all these posts and laughing their asses off...?

Re:A bit paranoid, aren't we?

Look. This is the biggest argument I've seen tossed in the faces of people who worry about privacy. It is VITAL that we keep check on our government. We cannot simply say that "I don't have anything to hide, so I don't care".

What happens when the government finally gets TOO big for its britches? When it finally DOES become a totaliarian police state? Then you, who said you had nothing to hide, might find youself in direct opposition with the government. Then you'd be damn happy that you could communicate free of survelliance, wouldn't you?

This country's liberty was won by revolution -- conflict with the government -- and, if necessary, revolution is a last-ditch desperate measure to perpetuate that liberty. That's MUCH harder without secrecy on the part of the revolutionaries.

"The tree of liberty must periodically be watered with the blood of patriots."
-Thomas Jefferson

Re:Privacy isn't about shame. It's about the balan

"The game was easy: Whenever the nazis issued a
decree to stop people from wearing some type of
symbol, we introduce a new one. Make them make
big fools of themselves by seeing resistance
symbols everywhere. Some of the examples included
wearing a paperclip or a match visible on your
jacket, and other small things. Can you take a
government that pass a law against wearing a
paperclip seriously?"

Yes, if its soldiers are quite prepared to shoot me on the smallest of pretexts. Power *still* grows out of the barrel of a gun.

Re:Sigint to noise ratio

Hilarious. ;)

No doubt they are, or will be ...

So A BIG Howdy boyz!

Re:Sneakers...

Too many secrets -- ESO test Acronym.
*LOL*

Re:nothing to fear, except fear itself

Even if you use PGP to trade child pron

Don't be so sure of this. The feds may not take warez'ing or DoS attacks seriously, but you can be DAMN sure they take kiddie pr0n seriously. I awoke one morning to find some feds in my living room interrogating my roommate. A client of his little ISP had a kiddie pr0n website. The site was small and had not been running for very long, so I think they have an active program going to fight this.

emm... I wouldn't say that

Trust me; they tend to run about ten years ahead of the current technology curve. It's not been uncommon for them to make "recommendations" regarding, say, an encryption algorithm, that are subsequently (say, eleven or twelve years down the road) found to address analysis techniques that at the time of the recommendation wouldn't be "discovered" for another ten years.

Re:emm... I wouldn't say that

Yeah, Schneier pointed this out about DES - NSA changed the S-boxes IBM had suggested/made up, and when diffential cryptanalysis was publically discovered (years later), those changes were found to resist it.

Re:emm... I wouldn't say that

I have to agree that current publicly known cryptanalysis is crap compared to the NSA i remember hearing a similar story. something about when the nsa allowed others to use des, people had no clue what the hell a certain part of it was for. 15 (i think) years later, differential was publicly known, and the rest has been stated.

another concern i would like to voice involves the recent lifting of export restrictions on source code. is the nsa fighting this? if not, why the hell don't they care?!? what if they can already crack PGP etc. WITHOUT brute forcing. i haven't heard a thing about the nsa fighting the decision, and it scares the living shit out of me.

Re:a few points to consider...

Hmmmmm. If you want to have fun, could not one just write and distribute a daemon whose sole purpose was to send pseudo-random garbage, encrypted with large keys? e.g. using gpg, perhaps DSA or Blowfish, w/ large key sizes?

There'd be a rather poor chance of a known-plaintext attack, and one could probably simulate 'interesting' traffic.

So when will Slashdot be behind a S/WAN box?

...so that we can read Slashdot in a secure manner?

THERE'S a blow for strong crypto!

Oh, Rob, are you listening?

Re:NSA

Wow, that's an interesting little story.

Let's see:
The NSA gathers up young talent (see little story below). They try to crack codes. They gather information and watch (Echelon). They now also apparantly have the resources to not only track down suspected publishers, but also to deny publication.

{btw, I'm not a computer scientist and am definitely no crypto person, so forgive me if I mess up the proper "naming" or term use below.}

One of the two computer groups at the U of Chicago at the time once was just mentally toying with the idea of how to generate unique ids; part of the fun was just thinking about the concept, the other side was seeing if it was a feasible solution to something the group was sorta of working on (hell, there was a lot of stuff we "worked" on but never really did much with).

Anyways, one of the math grad students in the club, who the NSA "recruited" while he was an undergrad majoring in math at Harvard, once mentioned/hinted to our club that one of the md (I think it was md3, but I always mix up my mds) wasn't the best solution because it was "umm...known to have problems." [Yes, he wasn't suppose to say anything per the NDA he probably had to swear to to even work a summer or two with the NSA.]

About half a year later, I read someone had made some inroads against the main algorithm used. I think a year and a half total later, that md algorithm was considered too weak to use.

The thing that got my attention was that supposedly the last time he had spent time at the NSA was at some sort of summer camp 2 summers previous. That means he mentioned his little tidbit to us about 15 months after he had learned about it. 15 months extends out to a longer time if you consider that he was a low man on the totem pole, so the time that higherups in the NSA probably knew about it was far longer.

So you have at least 20 months (15 months plus 5-6 months of time from the public report of suspected weakness/evidence in that algorithm) of time before the public community really had an inkling of swaying evidence something was wrong.

Re: NSA Tactics...

The Dictionaries are merely lists of words or combinations of words which define which subjects in the intercepted communications the various agencies would like to "peek" at.

Re:Talent at the NSA

Due to a lot of external factors (i.e., KOSOVO) the NSA has had some of its funding apparently taken away for other uses (i.e., more bombs), so they aren't doing as many of the "free rides" to good schools this year. It's kind of sad-- they've been helping a lot of employees pay for their educations for a while now.
I've been talking to a lot of NSA employess recently (I'm considering applying there), and I've asked about the publishing restrictions.

Generally, most folks at the NSA don't publish. Unlike the academic world, there is no "publish-or-perish" situation. You do your job, you get paid. So that may explain a great deal of it.

There are a few employees that *do* publish, though. Whenever an NSA employee wishes to publish a paper, he or she has to submit it for approval. However, unlike many other government agencies/groups/contractors, the people who decide what is considered classified are the people working closest to the author. That way, a person who knows the subject is assessing the sensitivity of the information. While the NSA is still government, they are *not* clueless.

Also, the NSA makes use of a lot of the published literature. Contrary to what a lot of people think, the NSA isn't twenty years ahead of everybody in every subject. In some areas, they're just barely there with the academic world. Granted, they're still ahead of academic cryptology by a wide margin (which is, from all reports, narrowing), but the SIGINT and COMSEC groups don't revolve completely around cryptology. There's monitoring the encrypted data, there's a boatload of information theory work, and there are people who need to file, manage, and oversee subcontractors. It's a very diverse place, so they can't be ahead in EVERY aspect...

Re:Talent at the NSA

The NSA is a somewhat closed organization, but they get some interesting problems, I would think.

I'm a mathematician who doesn't work for them, but I know they have recruited colleagues of mine who were no slouches.

Private vs Public key size Re:doubt ->.

Yes, it was the private key size that I was thinking about. As others have shown in replies, I am not a crunch head :)

How can one get a bigger private key size?

You seem to know :) Re:doubt ->

Thanks for clearing this up. I had read cracking Enigma helped end the offensive in Africa early, and also the war in general. So was it the Brits who cracked Enigma?

I still suspect the NSA has tricks to use against PGP/GPG/RSA. Their budget is like 10x that of the CIA (granted, the CIA has been worthless in an intel gathering/reporting capacity of late! Maybe they are snorting too much of that coke they are smuggling)

Is eliptical crypto too 'young' to be trusted?

I also noted that many of the new cyphers proposed in the latest contest to replace DES (the fishes etc.) have small private key sizes (64 bit I think). Should this be of concern?

Thanks for the good info!

Re:You seem to know :) Re:doubt ->

[mjg]

The British were certainly involved, they set up the site at Bletchley Park for the purpose of deciphering intercepted messages. However the Polish were involved far before the British (as early as 1932 I think) and made alot of the early discoveries, especially reguarding Enigma. They actually started to be able to crack the Enigma cipher before the war even started...

The Americans became involved in Bletchley fairly late (around 1942 IIRC), and I dare say clever people from other Allied sides were involved as well at some stage.

Unbeatable encryption using current methods.

Unbeatable encryption using current methods.

1) Encrypt message with 3+ methods.
2) Splice the output with any method to make all (3) encrypted messages fit together into one (3) times larger than the original.
Note:(Try using a large key as a seed to a predictable number system which can have its output set to 1 - 3. Then use that to splice together the bytes (or if more paranoid, bits) of each method's output.
3) Now if you desire repeat 1-2 as many times as you like using the output as the new input. Make sure to record the process (methods, splice method). Note: Be sure to have both parties agree to how to process messages.
4) Splice the message into a large bmp, jpg, or gif (some programs to do so exist on win9x) Now just write a message to accompany the picture so that it will look as if it is in place.

If this is detected, then cracked, you should not be bothering with encryption in the first place as your entire life must be under 24/7 survilenece.

Variation: Use a algorithim and a chart to determine how to process messages based on date and time. Using this method, and (once again) patching your exe into a large game or such, you could still have the whole thing automated. But untracable.

Tip: Find or create a implementation of the above for (5 second) encryption of realtime voice. (IE--Your message is recorded and encrypted while the other parties message is decoded and played back) I would use this on all phone conversations too. If nothing else get some decent old algorithims, some micro-486 boards, and build portable boxes for all of your friends to use.

Any comments/suggestions?

Re:Big Brother

Yeah, so the have no more than 1000 registered taps, here in the Netherlands we have more registered taps than the USA, do you *REALLY* believe that a tiny country (15M people) needs more taps than a world leading nation? Or that the USA has less taps because they have less criminals?

Come on people these numbers are damn wrong.

Re:FreeS/wan and Linux 2.2

Yeah, its called OpenBSD.

--
This is OpenBSD land, one a quiet night
you can hear windows users scream...

Re:So what about crypto file systems, anyway?

Well, CFS is not the same as a filesystem mounted encrypted. That is out there, I have gotten copies of it and the source from one of the kindly maintainers, and I am setting up six (right now) high bandwidth sites around Texas that will do what needs to be done to distribute it legally (block non-US traffic, keep logs, and I will probably require 128 bit ssl to further hamper things -- it won't stop the gurus and it will keep non-US nationals from being able to easily download with the normal point 'n' click browsers, at least nominally)(yes, I know to whom I speak, that wasn't a criticism).

One of the key issues will be seeing if the hooks can be legally added to the setup in most Linux distributions (only .deb stuff right now, and I am not sure about how I would best handle a bare metal installation where everything is fully encrypted). This would allow the general distros to stay uniform with the actual crypto picked up from a US/Canada site or from a ROW site and added (on a floppy, for instance, mounted during the build). It could also allow this to be bundled with commercial distros. The documentation is actually where I was going to start, to give "cookbook style" instructions so that anyone who can read can set it up and set it up transparently.

What prompted my interest was actually a Linux Journal article and a spate of laptop thefts at work. I liked my laptop, and while I had nothing to exciting on it, I did have stuff like scripts for work, some of which had passwords and similar stuff in it. I have been living with PGP, but I would like something transparent. It is a Thinkpad with 10GB/288MB and a 266, dang it -- it should be able to handle the load, even with AccelX and CDE pulling the power. And so I have wound up with the source, .debs (2.0.36), and a number of friends with a lot of bandwidth.

What I am going to do and in what order:

1.build the damned web site and figure out how to roll the logs off and keep them, as well as staying on the good side of the Feds. I am half done -- I know what to do to make the Feds happy.

2.open the site and have friends do the same, allowing three sites with multiple T3s, two with cable modems, and one with ADSL (thank you, Southwestern Bell). Get listed (if we can) with Debian.

3.Get someone to do packages for Caldera, Red Hat, SuSE, and other things that I have never seen, in the US or Canada, by US or Canadian citizens know to us or trusted parties (trojans and so on ...). Put those up as well. At the same time, set up a user's guide with very clear instructions.

ETA is 60 days, possibly a lot less if I and/or others have time.

This is efs, not cfs, so this may not exactly be what you were talking about.

I will be getting to it as soon as I am getting home from work before midnight, regularly.

So on second thought, I am going to stay an AC for now, because badgering me would only prompt me to hunt you down like an animal, not post it faster (well, as long as I could hunt you down in the greater Houston area). Bad mood? This is the middle of a 20 hour day for me.

So, please keep an eye on Freshmeat (I think that this would be an appropriate place, even if this isn't a release and I didn't write any part of this).

And if you have an interest in helping with the documentation and testing, please keep me/us/efs in mind, because we would like to have people who can benchmark it to provide a SWAG table for the performance hit, people who can break it, people who can help integrate it into the distros, and so on.

I can successfully brute force any key...

if it's at the beginning of the key combinations I try. I don't care how many bits it is, if by chance it's the first key I try, i've got it. Solution: encrypt stuff twice or more.

P.S. You know all the NSA guys/gals are laughing their asses off as they read this.

Re:I can successfully brute force any key...

[bluGill]

double encryption should NEVER lower the strength of encryption. That would mean the encryption is insecure. OTOH, it doesn't have to increase the strenght.

In the case of DES, there is a known attack on double encryption that makes double encryption equal to single. Tripple DES (where you encrypt with DES three times) is more secure. Typical implimentations of tripple DES only use two keys, so you only have two keys to break. Not all tripple DES uses only two keys, some use three. There are also several different ways to apply this. (Typical is to encrypt with key A, decrypet with key B, and then encrypt with key A. Not the only possibal one)

Please, before you comment on issues of encryption you owe it to everyone to read Bruce Schinder's work Applied Cryptography

Re:I can successfully brute force any key...

[DragoonAK]

Beware. I've heard that double-encrypting messages can actually lower the strength. IANACryptologist, but check before doing this.

Re:I can successfully brute force any key...

[delmoi]

I would think that encripting somthing twice at the same bit lenth with with the same function wouldn't produce anything more secure, I don't really know much about "real" encription, but take the example of XOR encription:

((m xor b) xor b) = x, so b is your key.

if (((m xor b) xor c)) = y, then you might be tempted to think that you'd need to use (((y xor c) xor b) to find x. but you could also use (y xor (b xor c)) as well, and if you were searching the entire keyspace, you might find (b xor c) first... but I assume that the stuff there talking about is nothing like xor encription...

If you used two keys of diffrent lengh though, it would be more difficult, especaly ones that don't "resonate" for instance if you used a 64-bit key, and a 128 bit key, it would be the same as using one 128-bit key, just make sure they arn't both factors of any small number...
---------------
Chad Okere

How to decrypt any message instantly

Abduct the sender and start cutting fingers off until he gives up the pass phrase to his private key.

All that factoring and math stuff is just a red herring.

Re:How to decrypt any message instantly

[Neil]

An AC wrote:

Abduct the sender and start cutting fingers off until he gives up the pass phrase to his private key.

Which is, of course, why PGP users shouldn't use the "encrypt to self" option if they are operating in a hostile environment.

If the sender is using a public key crypto system and encrypts the session key with only the recipient's public key (and not their own) then you're going to have to find and torture the recipient.

Re:How to decrypt any message instantly

[DragoonAK]

Works fine until you run into the wacko libertarian fanatics that would rather die an unpleasant death than give in. Same with any other group this could happen to: a poison tooth's always effective.

Actual (well, paraphrased) conversation I overheard:

Parent: So, this PGP key you made for me, what's the chances of it being broken?

Child: Universe will die of heat-death first. Only real chance anyone would have is to get the passphrase.

Parent: So, if the NSA held my life for your passphrase?

Child: Oh, I'd give it to them... Parent sighs right now. I haven't done anything that would justify that... yet. Mutterings of 'paranoia'

Privacy is already a thing of the past!

Here, in MN our attorney general just filed suit against US Bank because they are selling our private information to marketing companies who then (w/out permission) access the bank account for payment (which appears on the statement as a "service fee"). The state sells information to these same companies from lisences and other "public documents" (like court records, deeds, and so on). Even our school transcripts are fair game!

What happens to your name when you enter a contest? That too goes into a big databank somewhere. When you write your grocer or super-store a check you give them your name, address, telephone number (and in most cases your work number). All this ends up in the same databank, it is information the retailer sells about you!

At a minimum, Big Corporate Brother knows more about you than you would wish him to. He knows your approxamate income, he knows where you live, who you live with and wether you own or rent. He knows where you work, what you drive and where you shop. He knows your interests and your hobbies.

He knows too damned much.

Re:Privacy is already a thing of the past!

[fishbowl]

"Here, in MN our attorney general just filed suit against US Bank because they are selling our private information"

Sounds like the system is working.
It's not like the AG is in on the conspiracy...

NSA

When I was studying math at UCLA, one of the number theorists there was blocked from publishing an article by the NSA. They 'classified' his work. They were nice enough to offer him a job, though!

Re:NSA

[jonathanclark]

I don't believe the RSA can stop someone from publishing. There are several court case that ruled crypto and other elements of national security are protected by the first amendment. The most famous case was the first publishing of how to make a nuclear bomb in scientific america.

The RSA can intervien if he trying to patent something (in which case RSA can claim they are knew how to do it) or he was being funded by government grants in which case sometimes the government can decide what he publishes.

Re:NSA

[Weezul]

This is why people should distribute (electronicqally) things that the NSA might have an interest in to as many people as possible. It would be nice if there were groups of non-math people who tried to follow the research specifically to keep the NSA from being able to fuck with people. Luckaly, most research dose not occure in a vacume and there are to many people working to try and understand it for the NSA to stop things. You have made me curious now, what was he working on? (I'm a math person)


This brings up an intersting and related point.. How do we best discurage/save smart people from working for the NSA? We need to explain to people with an interest in number theory and algorithms research that they really do not want to spend their lives keeping secrets. It's hard enough to not be able to talk to people because they can't understand you.. I can not imagine not being allowed to talk to them.. Communication is a part of being human.

Sigint to noise ratio

Ever wonder why the US government seems just as afraid of low level encrytion that they can crack fairly easily as of high level stuff that would take them weeks? Its because if PGP keys became common and the use of even light encryption became standard policy, it would bring the Echelon sniffers to a grinding halt.

Think about the traffic that any sort of large sigint operation like this needs to filter through. If it took even a couple of seconds to descramble each message just to check for any red-flag words the entire system would rapidly backlog.

Want to fuck with the Echelon project? Put the words "nuclear technology transfer funding" in the subject line of all of your email and encrypt it. It could be fun ...

Re:Sigint to noise ratio

[gavinhall]

Posted by Stephen "The Carp" Carpenter:

better yet...setup a server in china that
throws all emails away. Have a few differnt
people start emailing it with streams of random
data. have them call a phone there which
connects to a tape recorder with a looped
tape in it...have it send random tones made
to sound like an encrypted message yet
in actuality random.

scare the shit out of them that some new
encryption scheme exists thatthey don't know about
and looks like random data :)

Re:Sigint to noise ratio

[DrJolt]

I hope you're right, but I feel that all you'd achieve is tax hikes to pay for some hefty hardware upgrades - look at all the SGI supercomputers marked 'Classified' in the top 500 supercomputers list...

Re:Sigint to noise ratio

[kbonin]

I agree completely in principal. However, there are issues that change the magnitude of the work. The classic question - what if fundamental breakthrough exist that allow the NSA to decrypt ciphers in use with a trivial workload? Most ciphers in use today rely either on the difficulty of factoring large numbers or on the complexity of Feistel networks.

The number sieve is one of the best techniques known publicly to reduce the workload of factorization by orders of magnitude, and work progresses on methods beyond differential and linear cryptanalysis. Who knows what techniques are known to the NSA? Additionally, the figures that have been published in regards to the abilities of massively parallel custom hardware for brute force or more elegant attacks are grossly underestimating the capabilities of both chip designers and system integrators.

I do still agree that massive deployment of crypto would greatly help by significantly increasing the resources needed to decrypt all flagged traffic. IPSec without key escrow, or transparent systems like Swan would do nicely for this. Monitoring will still be done, albeit "dragnet" style monitoring would be severely curtailed.

Re:Sigint to noise ratio

[kbonin]

Current USGOV policies remain merely a holding action to deter the widespread deployment of a PKI (public key infrastructure) and its integration into commonly used electronic messaging products, such as email, until they can figure out how to make domestic use of encryption illegal or force key escrow.

When the letter instituting this policy was finally released under FOIA, I placed a copy up on the wall next to my desk.

The NSA is not concerned about message traffic volume, this remains a red herring despite the growth of the internet. Parallelism works fine in this application, and traditional budgetary issues simply do not apply. Think about it.

invalidate the results

[nlucent]

The way I understand this, basically a computer sits on the line between point a and point b, then searches for keywords on communications between the two. In theory couldnt the world just invalidate the results by making all (non business related obviously) personal communication have the keywords in it? Like have your .sig say "Im going to bomb building X on date Y"? I realize that it would probably be virtually impossible to do, but its an interesting idea. Another idea (for the conspiracy theorist) would be that the govt's could use distributed computing (seti, distrib.net) through some kind of front (like seti or distrib.net) so we would be "chaining ourselves unknowingly" (for lack of better term), by giving the govts the data they want to monitor. We would never know since the clients are binary only, sure we could decompile it, but being the govts of the world they would be able to jail you or whatever before you were able to tell many people since they are monitoring all personal communications.

Re:invalidate the results

[SirWinston]

This idea of placing keywords in lots of ho-hum com chatter is similar to an idea that Zimmerman espoused ever since he coded the first release of PGP: if a whole bunch of everyday folks, not anarchists or terrorists or _____ists, use PGP, then PGP messages won't be at all conspicuous or assumed to contain something worth hiding--and the SIGnals INTelligence community would be out of business. Freedom, peace-love-dope, etc. etc. would be fostered. I agree, that's why I started using a PGP signature recently--put the sig on all your posts and e-mail, and anyone who uses PGP can see you use it and look up your public key on the MIT server and crypt you a message. See:

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBN2CVVbJesMZKJNtrEQKtIQCgyQoREfAwDeHEOq2A qH9Fh2tcYQQAn3GZ
QE++G7XaNv8Gu68WkzZu5taZ
=TS5U
-----END PGP SIGNATURE-----

(Almost) Uninformed Tired CFS Rambling

[cduffy]

Hmm... If it's any hope, an AC up above said that this is what he does. Unfortunetely, as he IS an AC, not much can be done 'bout that.

It doesn't appear that CFS will quite do what you're looking for... Poking through the CFS documentation (what I can make out at the moment, being rather tired), I take it that you presently need to enter your password when starting each shell, before being able to access files under the CFS-mounted region.

The clearing of passwords on suspend is not presently supported as best I know (If apmd lets you have a script to run before a suspend, that would help... but you'd have to be careful about what happens to open files), and I'm not sure if you can just put in your password on boot (as opposed to each login). This is something you could figure out by playing around with it a bit, though.

Of somewhat more concern, it appears (from-what-I-can-make-out) that CFS may not work with the GNU linker (something about not supporting holes in files, though later it says that such holes are supported but filled with garbage... I'm tired, damnit!).

It sounds like you could quite safely start a small directory tree under /crypt or somesuch; Indeed, it seems that an unencrypted bootstrapping area (at the very least) is required to get the machine up and running before CFS comes in. In this kind of limited testing, a reformat-and-reinstall is very unlikely to happen (and you could move files in gradually, as you gain trust for/experience with the thing).

I hope this is at least slightly parsable and usable (though not necessarily in that order).

For the truly concerned (read: paranoid)...

[gavinhall]

Posted by Ydeologi:

Just for the sake of it, I created a 4DOS batch routine a while ago which automatically encrypts/encodes/compresses the file through a ridiculous number of steps. The companion batch routine, which unpacked the beast, was stored on a floppy...

I used more than fifteen archivers, several of which had their own crude internal encryption schemes, PGP plus two encryption programs, a uuencoder, and two steganography utilities, all variously arranged, with, of course, PGP, 2048+, at the beginning and end...

The loose theory was, so many different things were used-- and of them, so many obscure-- that even if someone actually found the file, they wouldn't know what the hell to do with it...

...or if they were like me, and they did, they'd be frustrated as hell going through all the steps to undo it all. :)

--YDeO
"It's not down on any map;
true places never are." --Melville

Re:For the truly concerned (read: paranoid)...

[delmoi]

well, the problem with that is, if you use encription a, b, c, and d, you only get a*b*c*d security, where as if you just add 32 to the number of bits in a message, you make it 4 billion times as hard to crack, so all that crap may not be worth the time in comperison to just using longer bit lengths,

besides, I'm sure the NSA knows about every encryption system, from RSA to delmoi's wacky ass 8-bit xor encryptor :)


---------------
Chad Okere

Fundamental mathematical mistake...

[gavinhall]

Posted by Kevin "The Hose" Ingersoll:

In the interests of averting a lecture that would prove to be a HUGE digression, let me just make 2 points here:

1) If you eliminate ANY key choices (say, based on the fact that you think they are uncomfortably close to the "beginning" of they key space), you have just shrunk the space of possible keys & weakened your cryptosystem!!!

2) Depending on the crypto scheme you are using, applying multiple "encryptions" could easilly weaken your security. There are SOME cryptosystems where doing so can be provably more secure (DES, for instance), but my point is that this is not something you should be doing unless you fully understand what you are messing with...

Re:NSA/classifying

[gavinhall]

Posted by Stephen "The Carp" Carpenter:

Well they can always do "The right thing"
and immediatly distribute as many copies as
they can as widely as they can and get copies
(electronic and otherwise) into as many hands
as they can before the NSA has a chance to stop
them.

Sure it will bring legal wrath down on them
and if they patent then they don't care about
doing the "right thing" anyway...hell they
half deserve it...their intention was to keep
it to themselves legally so they could make
money...and instead the NSA said no..we are just
going to keep it to ourselves and forbid you
to use it openly.

almost fitting but...the NSA shouldn't be allowed to keep secrets. They are the greater evil

So what about crypto file systems, anyway?

[Jamie+Zawinski]

I have a laptop. I have, periodically, searched around for information on how to use a cryptographic file system. I've found a few references to CFS:

• In the Security HOWTO;
• RPMs at replay.com;
• Matt Blaze's developer-oriented announcement message;
• And something called TCFS that claims to be an ``improved'' version of CFS.

There is something notable missing from all of these pages: simple, easy-to-follow instructions on how to install and effectively (and securely!) use a file system like this.

From the dearth of documentation, I get the feeling that this has only ever been attempted by file-system gurus, which means that I wouldn't even want to consider attempting it, because reformatting my disk and reinstalling the system is not something I look forward to.

Here is what I would like to end up with:

• I power on my machine;
• Early in the boot process, it prompts me for a pass-phrase;
• If I don't type the correct one, the machine is useless, and all non-trivial data on the disk is encrypted;
• If I do type the pass-phrase, the machine boots up normally;
• When I put the machine into suspend mode, it again prompts me for a pass-phrase when I try and un-suspend. If I don't type it, the machine remains effectively halted until I get it right.

Is this dream even remotely realizable?

Basically, the situation I want to protect against is simply that of the laptop being stolen while I'm away from the keyboard -- whether it is powered on at the time, or powered off.

The problem here is that the usual crypto-heads are the types who use ssh and pgp and are already used to having to perform nontrivial system-administration tasks to get things up and running, and who don't mind wading through a command-line alphabet soup to do simple tasks, all day long. What we need is someone who is both a crypto-head, and who understands that their agenda is best served by taking the time to make this software be drool-proof.

It doesn't matter how good the math is if no real users are actually using it. Crypto is only effective if widely deployed. If not, those few who use crypto stand out for targetting.

Re:So what about crypto file systems, anyway?

[Jamie+Zawinski]

as far as I remember, there is a step-by-step description how to configure.

Where? I haven't found it.

i would suggest not to do this during startup, as you would immediatly reveal that you have crypted data.

Then you believe in security through obscurity. Security through obscurity doesn't work. Repeat it until you believe it.

I think the power of such software relies on the fact, that it is NOT stuffed into a corset of GUI and foolproof(impossible) usage.

Then you believe that software is made more powerful by being obscure enough that only a vanishingly tiny minority of potential users are able to use it. You believe that software that is used by a thousand people is, for that reason, more powerful than software that is used by a million people.

You are wrong.

The more people who use crypto, the more effective cryptography will be for everybody. If one has to even understand what ``NFS'' is in order to install a package like this, then it's still too hard.

That's why PGP and S/MIME are still so marginal that they can be completely discounted: only gurus use them, because they aren't so completely transparent that you don't even know that they're there until they have something to warn you about.

Designing easy-to-use interfaces for crypto is one of the hardest UI tasks there is -- I know, I've tried. But, if you believe in cryptography at all, it's also one of the most important.

Re:So what about crypto file systems, anyway?

[Jim+McCoy]

While you statement that most current crypto needs better UI work is quite correct, you are quite wrong when it comes to security through obscurity. Obscurity works as a part of the overall strategy but must never be relied upon. Just because obscuring the details is a part of the security you should not assume that it is the only part. Unfortunately in this case you are correct that the attempt to hide the existence of the encrypted data will not work, the person who is trying to do this needs to think long and hard about what sorts of results I would get if I searched his hard disk for long, contiguous chunks of data which seemed to be very random...

Too much current crypto uses iron doors to secure houses with tissue-paper walls anyway. Crypto does not just need a better UI, it needs to be integrated into the system from the very beginning. Unfortunately it is already too late for Linux (and unix in general), security cannot be added as an afterthought or it will never work as well as it should. If security is not a part of the foundation then the structure built will never be as strong as you think it is...

Re:So what about crypto file systems, anyway?

[DragoonAK]

Che... I hate to say it, but something like this exists for Win9x. The new PGP 6.0i (always go for the International version!) has a PGPDisk which creates encrypted drives that unmount when a key combination is hit or a screensaver goes on.

Hopefully, a similar product will be come from them for Un*x type OSes soon.

Re:So what about crypto file systems, anyway?

[nuts]

Is this dream even remotely realizable?

no problem right now :)

I am using CFS for quite a while now.
Hm, I don't think it's too complicated, (ok, maybe it took me some time to make it work ;) as far as I remember, there is a step-by-step description how to configure.

after installing the daemon with an init.d script you can mount crypted filesystems. It's straight forward.

i would suggest not to do this during startup, as you would immediatly reveal that you have crypted data. ... but if you need that, you could add the corresponding command to the init.d script.


If you think about crypting your whole filesystems, that might be possible, but you would lose LOTS of performance. Just create a directory for your sensitive data.

Then, inside your favorite Windowmanager, you may have two icons, that let you attach and detach the crypted directory

hm...about reentering the passphrase after suspension...
I personally would add a line to my log-watcher (something like "SWATCH" or "WOTS") that looks after apmd's messages to syslog. if a "resumed after suspend" (dont know the exact text and my notebook is at home ;) ) appears -> detach the crypted fs.

I think the power of such software relies on the fact, that it is NOT stuffed into a corset of GUI and foolproof(impossible) usage.

if you need help, send mail.

nuts

p.s.
Has anybody here experience with sfs ?
Steganographic FS :)) fscking cool.


-----

Re:So what about crypto file systems, anyway?

[nuts]

Then you believe in security through obscurity.

No, that's not my point.
I just don't want anybody to see AT THE FIRST GLANCE, that there's something crypted.

Ok, you are right when someone takes a closer look, that doesnt help.
But if you have to enter the key all the time you
reboot your machine, you must always unlock the
crypted fs. Ain't i right?

The more people who use crypto, the more effective cryptography will be for everybody. If one has to even understand what ``NFS'' is in order to install a package like this, then it's still too hard.

You are right. Maybe RedHat or Suse will add it to
their distributions. Then it will come correctly set up. Oh, wait, it seems RedHat has included it already: http://www.replay.com/redhat/cfs.html

That's why PGP and S/MIME are still so marginal that they can be completely discounted: only gurus use them, because they aren't so completely transparent that you don't even know that they're there until they have something to warn you about.

Try KDE's kmail. Or read Pine's documentation on how to embed pgp.

But it will always be the users part to understand what he does, why there are public/secret keys and so on. I think it can never get fully transparent.

I've written a PGP-GUI too, 2 years ago. The problem is, a user always has to worry with his keyrings manually, there are some points that cannot be automated.

Re:So what about crypto file systems, anyway?

[nuts]

Excuse me, i forgot:

There is a short howto, for setting up cfs:
ftp://ftp.research.att.com/dist/mab/cfs.notes.ms



----

Re:So what about crypto file systems, anyway?

[SirWinston]

Several products have done what you mentioned PGP6.0i doing, and better, for Win/DOS for a long time. Problem is, Windows is so insecure, it hardly matters--look at my post below about user.dat files. If you use virgin DOS with it, that's secure, but Windows f*cks it up by strewing sensitive data all over the place...

Crypto references & bibliography

[coats]

In response to various musings on this page about key lengths, etc., a good reference is the paper "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" by M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Weiner. Note that the claim "Moore's Law will catch up with encryption" is decidedly false: Both Moore's Law and decryption effort are exponential growth problems (Moore having a smaller growth factor)), while encryption effort is polynomial or less (N log N, generally). So encryption can get 'way ahead of even decryption aided by Moore's Law.

Another interesting paper is "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption, by H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, P. Neumann, R. Rivest, J. Schiller, and B. Schneier.

An interesting bibliography is on Bruce Schneier's Counterpane site.

That wouldn't be the first electronic computer . .

[hawk]

The ABC was built *prior* to the war, and was an electronic digital computer. The colosus may have been the first to do something important, but it certainly wasn't the first.

Another Question, or two...

[BadlandZ]

I have never had an interest in crypto, or even used it. I never thought I had anything worth hiding... But that hasn't stoped me from occasionally pondering the theory of it.

Ok, I guess I understand a bit more that "it just takes the right password to decript a message." But basically, key management is the bigest risk I would see, isn't it? Because your "secret key" or whatever is kept somewhere on your computer, and it takes the right key to decript something. So, if your key is say 128 bit, it would take some serious horse power to crack it, BUT, wouldn't it be way easier for someone to crack into your system and steal your key, then just crack the password for the key? To me, stronger and stronger encription seems pointless if this is all it would take to break it.

Also, I guess since I am getting older (and lazier), I wouldn't mind trying some pgp or gpg thing just for the heck of it, but a nice GUI front end, and maybe a Netscape Mail Plugin for it would be nice. Is there such a thing, a full GUI front end for pgp or gpg that is gpl and generates keys, incripts mail for easy sending, key management, and everything? the only thing I found is gpgp and that seems to be only key management. So, is there anyone who has done such a thing, or am I just going to have to spend 15 minutes reading the docs, and not have a good mail plugin, and realize that my less technical friends will never be able to read anything I would send them encripted. I guess it's not a big consern, because like I said, I don't think I have anything to hide, but I guess if it was an easy thing to do, I might just consider playing around with it.

Re:Another Question, or two...

[algae]

How about your root password, is that worth hiding? Let's not forget that ssh is also crypto.

You say, "wouldn't it be way easier for someone to crack into your system and steal your key?" Well, then use crypto to prevent people from cracking your system. Shut down services that aren't needed, and only allow ssh logins.

--Alex

Re:Another Question, or two...

[NatePuri]

Postilion has a pgp autosiging option. That's a GPL app so you need linux or a *BSD.

Re:Open Source...

[steve_bryan]

Not really ("you have to trust someone..."), but you do have to not distrust everyone. If the source code is open then anyone can examine it including people with sufficient mathematical knowledge. If any such person finds something of "interest" it will quickly become a matter of intense discussion on relevent newsgroups, mailing lists, and hallway conversations.

There seems to be a repeated effort to convince people that an all powerful NSA will thwart any attempts to insure privacy. I guess the hope is that people won't bother to use what is easily and in many cases freely available thus making the prediction true by default. If people want to wallow in their cynicism, that is their privilege. I think the efforts to evesdrop promiscuously are doomed and the listeners know it. It is mainly a question of how long they can get away with their claims to "pay no attention to the man behind the curtain..." (quoting from the Wizard of Oz)

Re:A bit paranoid, aren't we?

[lorax]

You Said:
You don't need anything higher than 40-bit encryption to protect your computer, since you don't have anything worthy of stealing

Oh really? Whats the value of a credit card number? 2-5 thousand dollar credit limit, and the number is good for a couple of years. Someone could spend a few $$$ on computers and crack it in a few days with 40 bit encryption, then move on to someone else's card number. The initial money spend on computers would be got back in a matter of weeks. Plus, I would have to deal with the hassle of convincing the card company that it wasn't really me.

It really is no harder for me to use 128bit encryption instead of 40 bits. If it is worth encrypting, it is worth encrypting well.

Re:NSA/classifying

[PG13]

I knew the NSA reserved the right to classify thw work of its employees but this is particularly scary. The fact that it is being classfied implies the work either A) contained a method for breaking a used cryptosystem or B) contained information that could lead to the development of a secure crypto system

either option implies that they have methods of breaking most crypto software out their b/c otherwise they wouldn't care.

That is both very nifty from a mathematical point of view and interesting from a political point of view

Open Source...

[Snapple]

Can we trust the strength of the encryption? All I know about encryption is that some program, I enter a password, and it scrambles the text. BUT, when you have the source to an application, you can make sure there are no secret back doors that sends a copy of your e-mail to some government agency. I seem to remember something a while back about CC-Mail having a back door for some governments. It is kind of hard to hide a back door when you have the source exposed so that everyone can see, and compile their own "CLEAN" copy...

Re:Open Source...

[Kevinv]

Echelon doesn't need a secret backdoor in your source code. It's about intercepting the stream of data as it crosses the network.

The open source part comes from making sure your encryption is pretty darn strong (and not just trusting some one else) -- not in preventing interception.

NSA (and UK & AUS equivalents) has gobs more money and dedicated circuits to use in decrypting messages -- but they aren't light years ahead of everyone else. So I believe estimates as to how long it would take to decrypt an x-bit encrypted messages using xxx method under todays technology are probably good ball park estimates.

Re:Open Source...

[strat]

I suspect it's a little more complicated than that. Many of us have compiled our share of crypto source code, professionally and avocationally, can certainly disassemble things if we have to, but how many of us are mathematicians? Even if you can read the code, can you vet the math?

Much more importantly, how good is the key management? You can have the best algorithm in the world, but if you do sloppy key management, it's worse than useless, because you _think_ you're actually protected.

I've done security work, and I've watched people type PGP passphrases over unencrypted TELNET sessions. Bang. They're dead. Don't blame the crypto.

Until commercial key management options reach the levels of integrity that are necessary to avoid shooting ourselves in the foot, AND people learn how to use them properly, don't expect much.

Just wait. Even if the US lightens up on the algorithm export issues, watch how they handle advanced key management mechanisms. Should prove instructive.

Probably not assymetric

[The+Creator]

The almost so called 1024 bit encryption they are talking about is probably not one of the as. it's brobably one of these large-key symmetric algos that all kinds of laymen are writing. Thease normally have a variable key size and require so 1Mbit of true random to be stored somewhere to be reasonably safe.

To the gui above: PGP is not a assymmetric scipher. It's a program that uses one(You probably knew this(You just expressed yourself poorly)).

Just a phew notes.

[The+Creator]

You mean NSA not RSA? I don't think that an algo. is much interested in peoples data, i don't see one being interested in much anything.

It doesn't take any energy to move something. I guess that if one calculated the maximal number of times that elecron could be moved at the speed of light and divided this with the number of times this operation could be done in parallell. Then chose a reasonabe time. Then chose a risc factor like 10^-100 and said that only the risc factor times the key space could be seached in this time you get a key size to fit your req's.

A one-time pad can be cracked! Even though the method for this whould be a joke for longer messages. Here goes: Use traffic analysis to figure out possible topics for the message. Use a dictionary attack to get all possible messages that confirm to the message lenght. Then filter out anything that doesn't confirm to the possible topics. Of course this can't tell the difference between "I HATE You!" and "I LOVE You!", but this would unscramble with old fashion psychosocial-analysis. |=8)

Fundamental mathematical mistake...Again!

[The+Creator]

The chance that double encrypting a message weakens it is so small that there is no risk involved in doing so. Any system that whould commit suicide like this IS already weak since the attacker can doit too. I mean if you have a 128bit system then if it's more likely than 2^-128 that it gets weaker when repeated, then the attacker can benefit from either you or him doing it and it doesn't matter if you doit or not. That system IS weak anyway!
Point: Cryptosystems that are vorse than "groups" are already crap repeat or no repeat.

Here's how to choose a sufficent key size: Choose a risc-faktor(1k year). Ok now make sure that now one can search 1/10^100th of all the keys within that time. If someone can search 7e12keys a year and that doubles every 18monts you figure it out.

jes but their spe d en cr e a ses e x

[The+Creator]

yes but their peed encreases exponentially.
It whould only be 10^18 3 years from now...
6: 10^16
9: 10^14
12: 10^12
15: 10^10
...
??

a few points to consider...

[beh]

If you're trying to protect what you're saying, there are a few points to consider:

a) If you send your key over the Internet (or
phone lines), then it's completely
compromised (in case of symmetrical
encryption), because Echelon will get a copy
of the key as well... In case of PGP, if
you transmit one half of the key, this might
also give them something to work on to find
out the other half.
Remember: It's also no use to send a new
key encrypted with an old one (that was
transmitted electronically before).

b) You won't get around having your email
snooped by them, but we could all make
their lives a hell of a lot more difficult
if everyone were to encrypt everything they
send over the Internet. Even if they have
the keys, or if they can crack it easily -
they will have to decrypt your message to
be sure, that you don't do anything
forbidden. And if everyone would do that,
they would certainly spend a good deal of
CPU time just trying to decrypt rubbish.

c) If you want a good protection for your data,
use a good encryption program, and then do
something with the data, that isn't covered
by any program, e.g. put a certain amount
of random junk into your message (at places
and using blocksizes that the recipient
knows, like: add 1937 bytes of random junk
at the beginning of the file, and then
another 7 bytes of random junk after every
234 bytes of encrypted data plus 1234 bytes
of random junk at the end.
Using that info, the recipient can easily
restore the encrypted file and then decrypt
it.
Another way would be to swap blocks in the
received file, e.g. swap the first two bytes
then the next 2*2 bytes, then the next 2*4
bytes of encrypted data.
As long you tell the recipient in person,
what to do with the file, you should be
fairly safe (again, if you transmit the
information on how to descramble the files,
everything might very well be in vain, since
that mail/phone call/fax/... is as likely
intercepted, that your precious (or useless
but still encrypted) data is.




Let's put it this way, the worst part of the NSA is, that they either

- in spite of having an undoubtedly HUGE budget,
couldn't prevent China from getting the USs'
nuclear secrets, or (even worse)

- might even have China let them have
knowingly (willingly even?)...

Re:a few points to consider...

[Software+Cowboy]

NSA is responsible for COLLECTING intelligence. They are not counter espionage. The people who should have been looking for spies at the labs were 1) The FBI (they are counter espionage inside the US) and 2) The CIA (they are counter espionage outside the US).

Let's not try to blame everything on the NSA. Actually, they are the most harmless of the bunch. They don't have field operatives with guns and itchy trigger fingers.

I think way too many of you believe everything you see in the movies....

What the NSA can/can't do

[Kythe]

This is the fundamental problem of information protection outside the U.S. Government -- no one besides some ex-NSA'ers know exactly what the agency can and can't do. They employ more mathematicians than any other single employer, which is an impressive resource. And they do have tremendous computing power/research and development capabilities, with their own semiconductor fab facillities, etc.

On the other hand, some of the worlds best and brightest rigorously pursue very public encryption research, and provide some indication of how difficult cracking an encryption scheme can be.

Today's systems rely upon difficult mathematical functions and permutations for which, in over 2000 years of research (in some cases), shortcuts have yet to be found. Whether the NSA, in the space of 50 years or so, could break these riddles is, indeed, an open question. But I have my doubts. I think they tend to rely heavily upon people NOT using encryption.

Kythe
(Remove "x"'s from

Re:128-bit keys

[MenTaLguY]

--- snip ---

So let's assume that the government has a hypercluster of computers that are a billion billion times faster, en masse, than the ENTIRE
distributed.net.

It would still take them 1e20/1e18=100 years to break _ONE_ 128 bit key.

--- snip ---

That's only true if they don't know about any analysis techniques or weaknesses in the algorithm that we don't. I don't think that's a safe assumption.
---

Re:Strong Cyrpto would protect you.

[samiladanach]

Sorry, that is not correct. It is the specification of a machine which can not currently be built which will speed up one portion of a factoring process. It would make possible the factoring of 512 bit numbers in approximately 9-10 weeks, but 768 bit numbers will be factorable in 1038 years (Shamir's estimate), and 1024 bit keys in 10^6 years. This is not a very practical device, even if it could be built.

IPSEC & microsoft

[LinuxGeek]

Interesting error messages from w2kb3 system & application logs.

syslog: IPSec Policy agent started successfully.

applog: Failed to obtain Kerberos server credentials for ISAKMP/Oakley service. Kerberos authentication will not function. The most likely reason for this is lack of domain membership.

applog: The IP Security policy for ISAKMP/Oakley specified an encryption algorithm that is invalid due to export cryptography restrictions. All 3DES encryption used by ISAKMP/Oakley is weakened to standard DES encyption. Generally, this is benign. ISAKMP/Oakley will still be able to negotiate IP security parameters, and protect that negotiation with DES encryption. This should only be of concern if you demand that the ISAKMP/Oakley negotiation be protected with 3DES encryption. If this is the case, please contact your network administrator.

I sure am glad I'm moving to a job that involves a Linux based company. M$ is limiting local subnet negotiations because of export restrictions? Big Brother is alive and well. Little Brother lives just outside Redmond.

Re:128-bit keys

[h2odragon]

nono, it's the GREENs who LIVE underground what are doing the experiments on trailer park residents and politicians...

The GREYs are merely observing. It's a lot like a big undergrad anthropology project. Rabbits are actual remote controlled, self-replicating monitoring devices DIRECTLy under their control...

or maybe I just need to up my dosage...

Making grepping more difficult

[Jon+Luckey]

Y..d..n..n..t..e..t..m..i..s..G..l..m..d .o..o..o..e..o..n..o..a..n..t..R..i..o..i ..u.....t..e.....c.....k..f..r..E..v..r..f ............d.....r.....e..o..e..P..e..e..f ...................y........r..a..e..s.....i ....................p........m..m..r........c .....................t........a.....'........u ...............................t.....s........l ................................i..............t .................................o............... ..................................n............... Even....you......unassisted........to.read....fair ly....... .....if.....want............humans.........it..... ...simply

Re:Making grepping more difficult

[Jon+Luckey]

You know, that worked in preview before I submitted it

Re:Making grepping more difficult

[Jon+Luckey]

Y..d..n..n..t..e..t..m..i..s..G..l..m..d
.o..o..o..e..o..n..o..a..n..t..R..i..o..i
..u.....t..e.....c.....k..f..r..E..v..r..f
............d.....r.....e..o..e..P..e..e..f
...................y........r..a..e..s.....i
....................p........m..m..r........c
.....................t........a.....'........u
...............................t.....s........l
................................i..............t
.................................o...............
..................................n...............

Even....you......unassisted........to.read....fair ly.......
.....if.....want............humans.........it..... ...simply

Um, CmdrTaco, the preview screen strips the tags out of the comment field of the form, so if you submit from there you lose all your formatting. Sorry it made a junk post

Only a thought...

[Signal+11]

Why do they need to crack your message at all?

Traffic analysis, tempest, conventional espionage... I see no reason why they would even bother trying to decrypt anything. Unless your security methodology makes the encryption absolutely necessary to crack to obtain the information required... it's kinda pointless to bother with decryption.



--

A bit paranoid, aren't we?

[Grave]

I don't quite know why everybody is scared of the US government reading their e-mail or seeing what they send to other people. Honestly, the US government does not care that much either. People who are going to blow up a building do not announce it in advance over the internet.

The only form of electronic espionage being done over the internet from inside the US is that of smuggling high-level secrets out of the country (ie. nuclear warhead data). In those situations, the US government clearly was unable to intercept the data, despite it being taken without heavy encryption. In my honest opinion, Echelon is a lot of FUD.

The only practical uses of complex encryption areby corporations transmitting valuable or sensative information over the internet, and, of course, government research labs. You don't need anything higher than 40-bit encryption to protect your computer, since you don't have anything worthy of stealing (if you do, you're either a corporation or you're holding something illegal).

The US government is not the threat here, folks. Nor is it any other government trying to steal the data of the people. The only threat is from inter-governmental espionage resulting in the proliferation of advanced nuclear weapons systems (ie. Chinese/Russian spies dating from the late 1930's).

Re:A bit paranoid, aren't we?

[laban]

I guess most people don't have anything to hide from the government...but the point is that they *shouldn't* be reading our mail...that's why people get so upset, why should they even be scanning through my mail (or phonecalls or whatever...) when I haven't done anything wrong at all?

Re:128-bit keys

[Maserati]

that's not as unlikely as it seems on the face of it. there are some very clever people out there...

Re:128-bit keys

[PD]

> At this rate, it would take Distributed Net over 10e20 years to break a 128 bit RC5 key.

>Recent calculations by astronomers say that the universe is about 10e12 years old.

Don't you mean that the universe is 12x10^9 years old?

"M-x spook" and "X-NSA:" ain't gonna cut it

[mdecerbo]

I don't think the NSA not already being interested in you is going to keep you from popping up on their radar screens. I bet their topic ID can spot subjects of interest and distinguish it from "fribble drug deal bomb" gobbledygook.

The NSA was selling topic identification in 1994 that sounds better than today's state of the art. See Bruce Schneier's note inside this linked article.

And I'm not willing to bet my life they haven't maintained their light-years-ahead headstart in breaking crypto (don't forget, these guys' predecessor had COLOSSUS with 56k I/O during WWII), and can read all our PGP messages.

If I ever really have to hide something as I send it over the 'net, I'm gonna use steganography (layer 1) to hide the image of a handwritten note (layer 2, make 'em use OCR) that's in a dead non-Latin-alphabet language (layer 3) written in a mirror (layer 4) inside a PGP-encrypted (layer 5) Pamela Anderson pic.

Well, maybe not. But I at least feel very confident that would be safe. I trust and use PGP, but I'm always uncomfortably aware that NSA has some very very smart people.

Strong Cyrpto would protect you.

[PureFiction]

strong encryption (128 bit+ for block cyphers, 2048 bit+ for asymetric - like PGP) should be adequate to protect any data from evesdropping. Even our US goverment with all the crays and clusters in the world could not brute force keys this big with much success. Cyptanalysis attacks are different, but good cyphers are resistant to this type of breaking. FreeSWAN and PGP would be a good, quite secure solution. Learn about cyptography if you are truly interested in this subject (Applied Cyrptography - second edition by Bruce Schneier is a great book) And remember, cyphers are only a part of your security solution. Your security is only as strong as the weakest link, and if you have other security problems (key management, training, etc) it wont matter how good your cyphers are.

Re:Strong Cyrpto would protect you.

[Wayfarer]

An article in Business Week (May 31, 1999), of all places, has the following to say about Echelon:

"Encryption is no guarantee of privacy either. The NSA, which is bigger than the Central Intelligence Agency and runs Echelon from its headquarters at Ft. Mead, MD., has little trouble unscrambling messages encoded with most commercial encryption software. With a little more time, NSA can probably break 'crypto' schemes with so-called Keys almost 1,000 bits long, says Lisa S. Dean, vice-president for technology at the Free Congress Research and Education Foundation..."

I'm assuming they're talking about asymmetric ciphers here. However, if these numbers are to be believed, it does seem to imply that 1024-bit keys are on the verge of being vulnerable to attacks currently used in Echelon. So strong-er encryption (namely longer keys, as suggested above) would be advisable for anyone worried about Echelon. :) Do it before they get their hands on a Beowulf cluster. Of Crays.

Hmm, I wonder why the U.S. government has banned the export of strong encryption... 8)

Output of M-x spook (for the Echelon folks):

South Africa Clinton supercomputer kibo Legion of Doom PLO Serbian
cracking terrorist colonel [Hello to all my fans in domestic
surveillance] North Korea Ft. Meade fissionable ammunition

-W-

Re:If they could crack it...

[VValdo]

The thing I thought of recently is that given Moore's law, eventually even all the long keylength stuff we're using to encrypt stuff is going to be crackable... And that's assuming someone like the NSA doesn't already have a crack, or some other weakness isn't discovered sooner.

So...don't post anything securely on Usenet or any other archived public place that you don't want people reading in ten years (in case a security hole is revealed at a later date).

W

PS - It'll be fun to go back say in 2010 and crack all those PGP'd messages from 1995 and see what people were saying on Usenet and in other public places when they thought it was "safe"...

W
-------------------

Re:128-bit keys

[Ex+Machina]

Well its not just about brute Force attacks... Some encryption scheme may have backdoors, intentional or not, that make it easier to break them. With all the sepculationa bout quantum(sp? :) ) computers and DNA computers, who's to say the NSA doesn't already have one?
xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]

Corporate cryptographers

[Cally]

A friend who works at A.N. Major global financial institution tells me that they do indeed have their own internal crypto group. They really seem to know their stuff; they have a largish number (~50) of throbbing-brained academic mathematicians, programmers, cryptographers etc. Eg: I'm no expert, but apparently the generation of as-random-as-possible random numbers is a crucial part of the deal; well this organisation allegedly were or are planning to install dedicated cards in all their PCs that use (IIRC) radioactive decay to seed the RNG for the hard-core crypto they use on all sensitive internal stuff.

OTOH I have personally worked for [another large business services firm] with tons of extremely sensitive info on clients. We're talking billion-dollar deals on a daily basis, market-moving deals too. Naturally they take client security to paranoid lengths; yet they're completely clueless when it comes to IT security (eg: straight win95 as standard, no intrusion detection whatsoever, not even a formal written RFC-site security handbook - style security policy.) They just happened to be based in the US ... (I'm in Europe.) Of course it would be pure paranoia to suspect that they might be deliberately allowing all this sensitive commercial info to whizz around the net in plain text to make it easy for ECHELON to intercept ...

Echelon Bait -- Easy to Counter

[dschuetz]

Okay, everyone's talking about putting a mess of keywords in their .sig to overload Echelon systems. I suggest that such efforts are worthless:

Flag Message If
(~ [keywords])
Unless
(~ ([keyword]\s*[keyword]){3+})

(or something like that). The point is, it should be fairly easy to auto check a message to see if it contains a string of keywords in a row.

Better to randomly distribute keywords throughout your text, methinks.


Also, correct me if I'm wrong, but this whole discussion centers around traffic going out of the country, right? There's (to my knowledge) no real way for the NSA to monitor every single internet pipe in the country (and the backbones are far too busy to sniff--can we really build a terabit sniffer?)

david.

Re:128-bit keys

[floop]

Maybe Distributed Net is a dummy org for the NSA and they've duped the world into participating in monitoring itself.

Work Factor

[Detritus]

I suspect that any widespread use of encryption, even "weak" 40-bit encryption, would cause severe problems for Echelon. The amount of work required to decrypt and scan the traffic would be enormous.

If the NSA or other TLA is seriously interested in what you are doing, PGP is not going to help. Not because they have cracked PGP, but because there are many other easier ways to get the information.

FreeS/wan and Linux 2.2

[Doviende]

From what i've heard, the freeswan guys have to do a huge re-write before it will work with 2.2.x kernels, so this is definitely useless for those of us who have upgraded their kernel in the past year....i can hardly remember the last time i used a 2.0.x kernel.

Does anyone know of an alternate that doesn't force you to use ancient kernels?

-Doviende

"The value of a man resides in what he gives,
and not in what he is capable of receiving."

Re:FreeS/wan and Linux 2.2

[Checkered+Daemon]

The present up-to-date FreeSwan snapshots work quite well with 2.2.x kernels. Get a new snapshot, rather than the v1.0.

Sneakers...

[Deus+Ex+Machina]

*LOL* Right now I'm on Slashdot and taping the movie "Sneakers", one of my favourite movies - and one that deals with the NSA. Curious the coincedences that abound...

Know ye not that ye are Gods???

Re:Sneakers...

[endgame]

Yes! I'm glad someone else loves that movie. It pretty much put my childhood spy fantasies up on the big screen for me.

Re:nothing to fear, except fear itself

[Grey]

except for one-time pads, encryption methods today cannot be "proven" in a rigid scientific manner, which means that you can never trust them 100%. There have been a number of conspiracy theories over the years about NSA. For example DES, was initially developed by IBM. NSA suggested a change to S-box which supposedly made the algorithm more secure. I believe IBM never commented as to why they accepted this change, but many people feared it added a backdoor. Through the years many symmetrical algorithms have come and gone and DES was one of the few that held it's ground against newer crypto-analysis.

Depends on your definition provably. Since transfering a one time pab is as hard as the orginal message this is not a very interesting method. A more reaonable soultion is the time X money cost to break, eg. $ 6M and two years, if this is good enough for the given secret then this is a good system for that secrect. This is sort of an insureance policy way to look at cryptography. There is a new class of public key systems which are secure provided P!=NP. Meaning if you could break this system then P=NP. This is as hard as a public key system can get since you can aways guess someone key and try and decript it.

Check out

Generating Hard Instances of Lattice Problems M. Ajtai. ECCC on line Tech reports TR96-007 http://www.eccc.uni-trier.de/eccc/

of course I'm not say the system proposed is pratical at the moment.

Won't happen w/out better software

[Sloppy]

Funny thing. I use a mailer called Voodoo that makes transparent use of PGP very easy. It uses some standard (or at least I thought it was a real standard) called PGP/MIME. Once you get Voodoo set up, day to day use is effortless. I had great plans for switching over all of my email communications, at least among close friends, to PGP encrypted.

Know what I found out? Most emailers don't support PGP very well at all. You have to manually save the message to a file, run it through PGP, and read it. Not hard, but not nearly as easy as reading a "regular" email message.

My friends weren't using Amigas, so they couldn't run Voodoo. Stuck with elm, pine, etc. They eventually got sufficiently annoyed with all my PGP messages that I was asked to stop. They were happy with encryption, but didn't have the tools to make it easy. So now I just use PGP for "secret" stuff. Kinda defeats the whole purpose, no?

I don't think that widespread casual use of PGP is going to happen anytime soon, unless better email readers start to become more common.

FreeSWAN installfest Saturday 6/12/99, SFO

[Adam+J.+Richter]

A coalition of San Francisco bay area GNU/Linux user groups and Bay Area Cypherpunks are sponsoring a (the first?) Linux-IPSEC (FreeSWAN) installfest at the Oakland convention center at the "Austin Computer Show" 12-4pm this coming Saturday (6/12/99). The "Austin Compuer Show" is basically a computer flea market. There is a $5 admission charge to the show, but apparently you can get in free if you register at http://www.robertaustin.com in the "VIP passes" section. You can also get the travel directions there.

One time pads.

[AJWM]

While it's true that a one time pad may be as hard to transfer securely as an original message, you only have to do it once and then you can transfer as many other original messages, in complete security, as you want (until you use up the pad).

And you may not even have to transfer the whole pad if you can both (again, by secure channel) agree on some commonly available text to serve as the one time pad (which has the advantage to looking innocuous if you're subjected to physical search.)

Consider that pressings (from the same master) of, say, a music CD would make a great ~650 Mb worth of one-time pad.

Re:One time pads.

[es-mo]

True, but consider also the fact that that 650MB of data is not terribly random, given that I could easily bring it down to, say, ~60MB with some good compression. Ergo, it's a tad more breakable than a true random bitstream.

-- Es Mo

A somewhat paranoid view of things

[Macross]

I'm rather surprised nobody has mentioned this before. First off, when people say, "Oh, distributed.net is the fastest computer in the world, and look how long it's taking to crack only 64-bit keys...". We do not know the full extent of NSA's hardware. It is believed that a quantum computer would be able to crack a RSA-encrypted message rather quickly, generally regardless of length. Why? Because a quantum computer will attempt to solve all the possible keys *at once*. Bah, but there is no such thing as a quantum computer (yet), right? Recently (at least 3-6 months ago now) IBM completed testing on a very simple quantum computer capable of adding 2 'qbits' or quantum-bits together. While this might seem elementary, there exists a chance that the NSA already has a fully functioning quantum computer. Considering that they decided not to classify such technology, despite their paranoia in classifying other crypto-related technology, it makes one wonder. Granted, the immediate use for quantum computers is not crypto-cracking I would think.

Secondly, if one looks at the top 10 supercomputers in the world, they will notice that around 3 of them are of the "classified" category. Combined, these three supercomputers provide more power than the top computer which is at Sandia. Some of these have been in operation for at least 2-3 years. It has also been acknowledged that dedicated systems with custom-designed chips are able to crack DES, etc, at much higher rates than conventional technology - DeepCrack or whatever by EFF is a good example, and that only cost them $100k-200k. Imagine what an intelligence agency with a multi-billion dollar budget can do. So I wouldn't rely on distributed.net to be the benchmark in crypto cracking.

Finally, there is the matter of limited manpower. Yes, the NSA's weak point would probably have to be their inability to focus on *everybody* cause they just don't have the resources to do so, however, the nature of Echelon lends itself to more economic interests as well as national security ones. Thus, there has been concern that corporations which donate mucho $$ to the current administration might be slipped occasional interceptions of their competition. Given the willingness of our current administration to cater to the Chinese government, I'm not sure they wouldn't hold back against our own national companies. But unless you're some major multinational corp w/ some big competitors sitting around, I wouldn't be too worried.

So for the most part, I must agree with the rest of the posts that one need not be too concerned with NSA intercepting their transmissions - even if they did, the odds of it being used for malaligned purposes is very slim. While the NSA might possess the technology (and the money), there are many other factors which appear to work in our favor.

128-bit keys

[Checkered+Daemon]

Distributed Net is presently working on breaking a 64 bit RC5 key. They are presently testing about 70 GigaKeys per second. (70,000,000,000/sec).
Distributed Net is undoubtedly the fastest computer on the planet, even assuming that the NSA has some pretty state of the art stuff.

At this rate, it would take Distributed Net over 10e20 years to break a 128 bit RC5 key.

Recent calculations by astronomers say that the universe is about 10e12 years old.

Re:128-bit keys

[delmoi]

I doubt it, no one would ever say "12e9" they'd all say 1.2e10... :)
---------------
Chad Okere

Re:128-bit keys

[mistabobdobalina]

maybe nsa is a front for gray aliens who are conducting underground medical experiments on trailer park residents.

Re:128-bit keys

[Edison+Noside]

So let's assume that the government has a hypercluster of computers that are a billion billion times faster, en masse, than the ENTIRE
distributed.net.

It would still take them 1e20/1e18=100 years to break _ONE_ 128 bit key.

2099: "Well, Fred, it took a hundred years, but we finally decoded the message! And those pesky Slashdotters thought they were so smart."
"What does it say, Bill?"
"It's printing out now... M... A... K... E... space... M... O... N... E... Y... space... F... A... S... T... space..."

FreeSwan is just IPSEC for Linux

[Checkered+Daemon]

It should be noted that the FreeSwan project - which I've been following for quite a while now - is merely an implementation of the IPSEC standards from IPv6. As such, the FreeSwan team is highly concerned that it interoperate with any other program, commercial or free, that also uses IPSEC. Much of their present work is interoperability testing, and so far, FreeSwan works with almost all of the IPSEC products its been tested against. They're working on the others.

Those of us in the US owe a tremendous debt to the people in the free worls who are doing this. We can't help, but we can test and report. If you want to help, or just see what's going on, go to the FreeSwan site at http://www.xs4all.nl/~freeswan

Echelon and Freeswan

[Checkered+Daemon]

When properly used and configured, FreeSwan, using high quality encryption, should be proof against even the NSA. (And yes, it DOES work with 2.2.x kernels.) BTW John Gilmore refused (thanks, John!) to include standard DES in the FreeSwan implementation, even though some people wanted it for backwards compatibility.

High level encryption, 128 bit symmetrical keys and 1024 bit public-private keys, would take more computational power to crack than presently exists on the planet. Check out how long Distributed.net has been working on a 64 bit key.

The problem with all this is traffic analysis. Even though they can't read the messages, they can tell a LOT about things just by keeping track of who's talking to whom.

So just by keeping track of who is sending encoded messages to whom, they can find out a lot.

The real power of FreeSwan, and especially IPSEC, won't be seen until it operates as a standard, and everybody uses it. Then Echelon disappears into history, along with all the other police states that have plagued us recently.

Re:Some Issues in This Regard

[hli]

Look at
http://www.heise.de/tp/english/inhalt/te/2898/1. html (it is in english)
-----------
Giant US software manufacturer Lotus has been
lowering the profile of information about how
they have installed an NSA-only trapdoor into e-mail and conference systems used by many European governments,
including the German Ministry of Defence, the
French Ministry of Education and Research and the
Ministry of Education in Latvia.
----------------

Re:That wouldn't be the first electronic computer

[mjg]

Really? Sorry. I was getting my information from a WWII book, and I didn't cross-check everything. I don't remember any mention of the ABC in any computing history books I've read, I shall have to go and have another look...

For people who don't fear the government

[Kaa]

In Germany they came first for the Communists, and I didn't speak up because I wasn't Communist.
Then they came for the Jews and I didn't speak up because I wasn't a Jew.
Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist.
They they came for the Catholics and I didn't speak up because I was a Protestant.
Then they came for me, and by that time there was no one left to speak up.

Martin Niemoeller


For people who are having difficulty relating to this, here is a modernized version:

First they came for the fourth amendment, and I did not speak out, because I didn't deal drugs.
Then they came for the fifth amendment, and I was silent because I owned no property involved in crimes.
Then they came for the sixth amendment, and I did not protest because I was innocent.
Then they came for the second amendment, and I said nothing because I didn't like guns.
And then they at last came for the first amendment, and I could say nothing at all.

Unknown

Think about it, OK?




Kaa

Some Issues in This Regard

[The+Infamous+TommyD]

First: Closed source encryption products shouldn't be trusted. There are quite a few stories about leaking key bits in headers and the like. None are confirmed, but the NSA did manage to infiltrate Crypto AG. One of the "merits" of the Digital Signature Algorithm is that there is the possibility of a subliminal channel where key bits are leaked in a cryptographically secure way to an eavesdropper. This is possible by very careful choice of the random number used in the signing.

Second: Open source ones must be closely scrutinized. Consider that it took 10 years for anyone to find a problem in the key generator in Kerberos IV. (Lodin and Dole at COAST, 94?) Everyone assumed that it was safe because it was open and many people had surveyed the code. Lodin and Dole could break the session keys in ~1 second on a Sparc 5.

This should be a dilbert cartoon...

[Rombuu]

I can see it now... hard working guys (and gals) at Black Helicoper Central working hard over their super-duper-computers....

G-Man 1: I finally got into Foo, Inc.'s email...
G-Man 2: Ohhh, Ohhh, what does it say...
G-Man 1: Quick, wake the President this says they are going work on improving their customer satisfaction and ultilize syngeries between units of their company to beat their competitors...

Talent at the NSA

[noom]

Does anyone think it is likely that the NSA has mathematicians/computer scienties working for them who might have solved (or are close to solving) the problems upon which most cryptographic protocols are based (i.e. factoring or NP completeness)? An AC posted that a mathematics professor had his work censored by the NSA and I heard a rumor that someone at Berkeley had proven that P=NP (this was last fall some time), although I haven't heard anything about it since (although I'd guess it was because his 'solution' was WRONG).

Somehow, I doubt that the most talented people end up working for the NSA. How many intellectuals could bare to work in secrecy? It would be as if Shakespeare never showed anyone else his works, never had them performed, and burned them upon his death. It seems pretty unlikely that any creative person could work in such an environment...

... but I suppose there's always a chance...

Re:Talent at the NSA

[Morrigu]

Think of the bennies -- able to work on your project with little funding hassles (beyond simple office politics), no recognition but you get to work with some of the best mathematicians in the business.

The NSA recruits a LOT of EE's and mathematicians, mostly the really good ones. A hacker friend of mine from HS ended up working at Fort Meade thanks to a full ride to school from the NSA... they do a lot of that sort of stuff.

Re:Talent at the NSA

[Reziac]

Someone said
"Somehow, I doubt that the most talented people end up working for the NSA. How many intellectuals could bare to work in secrecy? It would be as if Shakespeare never showed anyone else his works, never had them performed, and burned them upon his death. It seems pretty unlikely that any creative person could work in such an environment... "

Actually, I know one programmer who would PREFER to work in such an environment, and has said it in so many words. This guy is not all =that= much different from many talented people (including some others of my acquaintance) who haven't got much confidence in how the public will receive their work, so prefer to keep it hidden. If the public never knows they created whatever, so much the better.

So don't discount the ability of any security agency to recruit *very* talented people. Some will see that closed environment as *IDEAL*.

Re:Talent at the NSA

[Weezul]

Every year somone proves P=NP.. and it's wrong.

Actually, I don't believe any encryption algorithms are based on P != NP .. if there were they would be more secure then RSA. The problem with using P != NP in an encryption algorithm is that there are normally LOTS of special case to a problem that are P, i.e. you don't know how to pick a good key frpm the set of possible keys (a good key being one that is not in any of the special cases). Note: a quantum computer can factor numbers in polynomial time, but can not solve NP compleate problems as far as we know.

Re:NSA teams up with M$!

[Finni]

"Government cryptanalysis may have been ahead in WW2, but this is a drastically different time. Now, crypto is in the hands of Universities and hackers. We've literally taken the field of cryptology from the hands of the NSA, and they're annoyed. That's why they come up with insane ploys like Echelon. " But SigInt was initiated in 1947-1948. http://www.theage.com.au/daily/990523/news/news3.h tml

Did you say frees/wan on 2.2?

[Cowards+Anonymous]

(And yes, it DOES work with 2.2.x kernels.)

From http://www.xs4all .nl/~freeswan/freeswan_trees/freeswan-1.00/INSTALL :

FreeS/WAN does NOT work with 2.2.xx kernels yet, and fixing that is not simple.

Has this changed? I've been interested in trying it out, but the fact that "2.0.36 only!" is plastered all over the site and documentation kept me from looking at it more than cursorily. I wound up using tunnelvision for now, which is probably equally as difficult to intercept (and a fsck-load easier to set up, from the look of the freeswan docs!) although not necessarily as strong in terms of authentication.

If so, what's the lowdown on getting it to work in a 2.2 kernel environment?

Echelon traditions on the net

[Argyle]

In the earlier days of the net, it was quite common to see .sig files that looked somethign like this:

------
Chet Blodack, Yoyodyne University |
argyle@mindspring.com |
"You are in a maze of twisty tunnnels" |
libya soviet nuclear encryption Reagan warhead money secret israel china |
oil submarine NSA CIA FBI KGB MI6 IRA Basque communist russia |

The idea was that if everyone put Echelon keywords in their email, the Echeleon system would flag way too many emails and make the system unworkable. Now that the vast majority of people on the net have no idea what a .sig file is, the tradition has fallen to the wayside.

Anyone else remember doing this? Any other good sig files?

Re:Echelon traditions on the net

[gerikson]

If you use Emacs as your editor, typing M-x spook
will give you something like this:

Saddam Hussein AK-47 Mossad Serbian genetic Marxist assassination ammunition Semtex BATF World Trade Center Nazi Delta Force kibo Legion of Doom

(Note how this targets Echelon *and* Kibo!)

This is easily inserted into mail messages. I've
hacked together a Swedish version too, for those
pesky internal monitors at work.

/g.

--

RSA, NSA diffrent things

[delmoi]

I believe you have the NSA and RSA confused the NSA, or National Security Agency is a part of the government that I believe is responsible for some sort of spying. They also ran the ECHELON
project that had, (and still has) the capability to tap any and all communications. RSA, who's name stands for the people who founded the company and figured out public key cryptography

the NSA would have no reason to try and keep any cryptography "off the shelves" so to speck, because they aren't a for profit company. While they couldn't forcibly get someone not to post there ideas, there's nothing stopping them from buying them off...

---------------
Chad Okere

Public Key's and who knew about them when...

[delmoi]

There was a big artical in a recent issue of wired about some guy in england who though up Public key stuff. he worked for the intelegence agency, and no one there beleved it could work, then when RSA figured it out as well, he got a lot of internal credit, I doubt they would have told the NSA though, (but maybe they were listening in??)
---------------
Chad Okere

GPL Frontend for

[webmaven]

Try Geheimnis (previously kPGPShell). It may suit your needs if you're on a Linux box.

I remember this system ...

[craven]

I vauguely recall a system where the transmitter would send clear text, and the legitimate reciever would create random interference. The legit reciever knew what kind of interference it was generating, so it could filter it out and retrieve the message. The result of this setup is a situation where there can be only one reciever; if someone tried to intercept the transmission they'd just get garbage.

Does anyone know if this is feasible?

nothing to fear, except fear itself

[jonathanclark]

Except for one-time pads, encryption methods today cannot be "proven" in a rigid scientific manner, which means that you can never trust them 100%. There have been a number of conspiracy theories over the years about NSA. For example DES, was initially developed by IBM. NSA suggested a change to S-box which supposedly made the algorithm more secure. I believe IBM never commented as to why they accepted this change, but many people feared it added a backdoor. Through the years many symmetrical algorithms have come and gone and DES was one of the few that held it's ground against newer crypto-analysis.

I think most conspiracies are just that. While symmetrical algorithms are breakable by brute force, there is very little else you can do. The field symmetric encryption has enough study that many cryptographers would be willing to risk their life on such methods. Choosing a long enough key will make brute force impossible (considering the amount of energy required to move a single electron that many times the distance of one nanometer).

Asymmetrical encryption is a different matter. RSA (used by PGP and SSL) has the largest amount of study, so it is often trusted more than Elliptical, or some of the newer matrix based asymmetrical algorithms. RSA's breakability depends on the ability to factor large numbers. Over the years new factoring methods such as quadratic sleeve factoring have been invented that make RSA weaker and weaker. In general you need N*N number of bits to be as secure as symmetrical algorithm. Improvements to factoring have been incremental and not ground breaking and many people they will never go beyond ~O(sqrt(N)).

But there are practical reasons why you shouldn't be afraid of the government snooping on you. First, you are most likely boring. Unless you work for a foreign government, or you are involved in the weapons industry the RSA probably doesn't care about you. Even if you use PGP to trade child pron, the RSA has bigger problems to worry about. If they RSA had some magically decryption algorithm, there is so much information out there, that they cannot dedicate hardware to decrypting messages unless they believe it is a matter of national security. Most, if not all, of the information they collect is in plain-text form. If everyone used PKZIP to encode their messages, this would be probably require more processing power than they could handle to scan the data.

Local officals are a million times more likely to just raid your house and use "find" rather than try to tape your phone line. In fact I've never heard of a single case where local officals have tapped a modem-line and decrypted a message. It's much easier, cheaper, and faster to go straight to the source.

Bottom line is using PGP with any length key is probably safe. Use keys >2048 bit keys if you are selling nuclear weapons.

Re:No responses?

[Lotek]

"They" were making sure that this article meshed with "their" plans...

Lotek---

Interesting idea, but not with distributed.net

[Rommel]

You can download the source code for the distributed.net client. Since this is the case, I very much doubt that distributed.net is being used to "chain ourselves unknowingly." It's an interesting idea though. I wonder when the other distributed computing projects will make their source code available for review.

Re:IPSEC & microsoft

[Paul+Johnson]

I was at a Microsoft briefing on Win2K where this came up. It seems that MS are probibited from:

1. Exporting strong cryptographic modules.
2. Exporting the SDK for developing cryptographic modules
3. Signing any modules that happen to be created in spite of these restrictions in order to make Win2K accept them as secure.

This stinks.

However, much as I dislike MS, bear in mind that if MS decided to break these rules then it is Bill Gates personally who gets up to 20 years in the slammer. I really don't think we can blame him for not doing this.

(Of course, if he was put in a privatised prison he could just buy the prison).

Paul.

Privacy isn't about shame. It's about the balance

[cynicthe]

of power. It doesn't take a whole lot to get a mob going once you tell a few rednecks some thing controversial someone else has been doing. Even if that hasn't been tabu for centuries.

That's the danger. On the other hand Communist authorities have such a lack of understanding of symbolism that it was relatively easy to sneak anti-Communist writings past them.

True communism never existed. I wholeheartedly ag

[cynicthe]

ree.

THAT is why we have a fourth amendment!

[Cpt_Kirks]

>If only those with something to hide use strong (>2048 bit) encryption, it is massively easier to determine who has something to hide. And
knowing who has something to hide can be almost as useful as knowing what they are hiding.

> So, help people sell nuclear weapons (or whatever) and strongly encrypt your mail.
--
That is the DUMBEST f**king thing I have heard in days! And I have heard a LOT of dumb shit of late.

That is the same as saying:

"If you have nothing to hide, you shouldn't mind us police comming into your house a few times a week and looking around, just to be sure"

The WHOLE government opposition to strong encryption is just total BULLSHIT! The suppossed reasons for weak encryption, terrorists and criminals (if they are smart enough to cover their tracks, most aren't) don't use ANY encryption other than one time pads, which are UNBREAKABLE. They want to read your mail, plain and simple.

/rant

But what about Everyone Else???

[ljavelin]

The scary part is that INDIVIDUALS can't reasonably build their own crypto expertise. These days, some large corporations are significantly more wealthy and powerful than many countries combined - they can buy the brightest and best crypto experts, and they probably should, considering how much power they control and how many other big companies are trying to further their own power.

These big companies also have the power to shape the laws to satisfy their own needs. I'm talking companies in the order of magnitude of Exxon and Aetna and Citigroup (or whatever the heck they're called these days)

But it's the individuals who are fairly powerless in this game. Only a semi-counter-culture organization can protect their rights with the knowledge and information (and software!) they need to protect themselves, without corporate (aka government) intervention.

Perhaps that's where we come in. Just watch out for pretenders.

If they could crack it...

[Hobbex]

As a rule of thumb, I would feel happy using any crypto that the NSA doesn't want me using...

Unless they are doing a whole reverse psychology thing to make us feel safe with strong crypto by making a big deal about it. But, no matter how many mathemticians they have indoctrinated, they are still government, and as such, by defenition, stupid.

Re: NSA Tactics...

[Muttley:]

Alledgedly Echelon uses powerful computers called Dictionaries (dig that crazy name) that grep all phone conversations for 'suspect' keywords.

If you're really being paranoid then you need to scramble all telephone calls and faxes and none of this bullshit stuff you get from places like SpyMaster (a business security firm in England playing on the paranoia and ignorance of yer average suit) which merely shift the signal 90 degrees out of phase.

Re:OPEN SOURCE, Vendors I Kinda Trust, & t

[Reziac]

Someone says of a file encryption scheme,
"...the program mounts the file as a "virtual drive" when the decryption passphrase is input: the data remains in encrypted form even when mounted, and is decrypted only to memory/swapfile."

Er... in that case, remember to thoroughly nuke your swapfile afterward. When I rooted thru my own Windows swapfile with a simple hex viewer, I found data more than 6 months old!! Also, compressed volume files (such as created by Stacker/Doublespace) can contain all sorts of supposedly-deleted data from months previous. (Yes, I've also rooted thru my 286's CVF :)

Second, remember that word processing documents are inherently insecure (most especially Word docs, which can even contain random chunks from your swapfile, from other applications entirely!)

Much better for security purposes to add memory sufficient that Windows (or whatever you use, other OSs and some DOS programs use swapfiles too) never needs to swap out, and set Windows to have NO swapfile.

I know someone whose dad worked for some U.S. gov't agency under high security, & who worked at home sometimes. The gov't provided him with a PC that had 1 gig of RAM and no hard disk, and a high-speed tape backup that he dumped all his data to and from after every work session. It did occur to me to wonder what happened if someone hijacked him and his backup tapes on his way to or from work.

Flood the system

[laetus]

I say flood the system: as in randomly [ bomb ] sprinkle comments [ big bomb ] throughout your communications [ VERY BIG BOMB ] so their automatic scanning software [ AN AUSTIN POWERS SIZED BOMB ] continually spits out false positives [ Hillary Rodham is SHAGALICIOUS ]. Maybe we could even invent an email add-on that randomly inserts these for us. Ain't technology fun????

Worry about directed surveillance

[anticypher]

So many of these posts are concerned about echelon picking up every little bit of data going around on the net. It is probably true the NSA can monitor all traffic at various international chokepoints, as well as a large percentage of phone conversations. They keep logs of suspicious activity, while dumping the content and most of the innocuous stuff immediately. Chances are most slashdotters and everyone else doesn't make it past the first level of filters, but I would bet a copy of this discussion makes it to someone's desk for analysis(buy me a pint, J) and a good laugh.

What worries the ones who are paid to worry about things like this is directed surveillance. If the echelon filters pick up something and it gets you onto a watch list, then any messages from/to you get collected and analyzed by a human. At that point they can determine whether you are just some snot-nosed college brat using PGP for fun or whether you should be monitored more closely.

The watch lists can probably number around 100,000 to 300,000 targets, with AI-like knowledge engines flagging only the most interesting changes to the watch list for humans to review. I understand there is a much fought over pecking order within the ranks of echelon/NSA analysts to get their filter to be on one of the higher tier alerts when they think their project is important. Each target gets a dossier opened on them and stored in a big case management database [remember INSLAW?], with various bits of info and analysis added as necessary.

Directed surveillance of embassies, terrorist communication channels, high ranking political types, and business leaders is the highest tier of alerts, producing reports of activity every day. Lesser tiers cover suspected drug activity, crackpot political fringe groups, key players in telecoms operators and military suppliers, and business and entertainment movers and shakers.

On the back end, post-event analysis of collected material can often reveal a bunch of information to analysts and law enforcement liasons, giving them all kinds of leads. [did anyone notice how the gay navyman on AOL just happened to have the exact same name as a convicted terrorist? coincidence, or the result of a very deep analysis of stored material?]

I'm too lazy to log out to AC, I figure someone [them!] grabs the /. logs on a regular basis and use the IP address to match AC postings to possible accounts. C-taco and Hemos have never stated they dump the logs on a regular basis or never back them up, so AC is a bit of a farce if it ever comes down to serious law enforcement action.

the AntiCypher

P.S. I especially like the people who go through tons of iterations just to hide something, is what you do so important that it needs hiding?

Re:NSA/classifying

[forii]

Actually, the NSA can classify any work that is submitted to the patent office. The way it works is that if the NSA sees something that is submitted for a patent and they think that it is interesting enough to them, they have the authority to classify that patent. So what happens is that a crypto researcher will attempt to patent their method for encryption/decryption, and it comes back that while they got the patent, it's been classifed, and there isn't a whole lot you can do about it!

Wrong...

[cameldrv]

If you use the same key for both, maybe. If you
use a different key for each, then no way. Think
about it -- if that were true then the first thing
the spooks would do to make it easier to decrypt
would be to encrypt it again. Does that make any
sense?

paradigm shifts...

[MythoBeast]

The real danger to encryption isn't the apparently inexhorable advance of computer speed, it is in a very sudden shift to a different form of technology. I heard about optical computers that will increase computing speed by a factor of 1000. Big deal - that's ten bits of encryption. I have plenty to spare.

It is always possible that some wise guy mathematician is going to suddenly figure out the trap door that makes encryption meaningless. Because of this, I only use encryption to hide thing that I don't want people to know right now. Who cares what my policial plans were for last year's campaign?

Another real danger is that someone will just completely forgo the current concept that it takes transisters to crack code. Does anybody here remember that we have the ability to sequence DNA? I wouldn't put it past the NSA to whip up 85 gallon barrels of DNA coded with a key, add a few buckets of solutions and have 6.022x10^23 computations done in an afternoon. I'm certain that there are plenty of eggheads who can tell me why this would be impossible - there always are - but this is just one possibility.

Of course, even THAT is only 77 more bits of encryption, right?

OPEN SOURCE, Vendors I Kinda Trust, & the USER

[SirWinston]

I've been interested in encryption & security ever since I went to a college where the college president was former deputy director of the CIA. I use Windows, which is so insecure I'd never trust it if I were doing anything "naughty." I mean, have you actually *read* the Windows user.dat file?? I almost think the FBI/NSA/CIA talked Microsoft into doing it, because it contains an in-depth list of the names and complete paths of just about every file you access. Even if you put that folder "AE-35 Warhead" and its companions in an encrypted drive, the user.dat and its user.da0 and user.bak backups, would still give away "E:\Chinese\Docs\AE-35\blueprint002.gif" or whatever. Kinda sucks if you're into espionage, tax evasion, Traci Lords pics, or terrorism. :-)

On the bright side, there are a few Windows products which will successfully hide the contents of files, though not their names & paths (unless you're brave enough to f*ck with the user.dats), from even the boys in Langley & Ft. Meade. I test drove many encryption & security progs for a webpage I did on Windows security utilities. BestCrypt, from Finland via http://www.jetico.sci.fi , is probably the best & most trustworthy commercial encryption product for Windows, not for e-mail but for anything you want to keep on your own HD or floppies--they even have released source code, for security verification and third-party development. You create a file of any size you want, and the program mounts the file as a "virtual drive" when the decryption passphrase is input: the data remains in encrypted form even when mounted, and is decrypted only to memory/swapfile. When mounted, it appears like any other drive, with whatever drive letter and file structure you give it; when unmounted, it looks like a big file in the root of C:\ and is encrypted with either 256-bit Blowfish, 256-bit Twofish, DES, GOST, or 128-bit IDEA. IDEA was added by a third-party developer. The only annoying thing about them is that they don't mention on their site that DES has been broken. They include a file overwriting utility which is slow and crappy, so I suggest Kremlin 2.21 from http://www.mach5.com because it is configurable, fast, and they even have a "sentry" which can wipe specified files on shutdown or whenever, with as many passes as you want. Kremlin also encrypts file-by-file, so any paranoids could double-encrypt their files if they were that...careful?... nuts?... who knows.

ScramDisk is supposed to be similar, but designed to encrypt a real partition, and is wholly DOS-based, and best of all is FREE and coded mostly by a regular at alt.privacy . I have never tried it though so can't personally recommend it.

The only thing I really use encryption for personally is keeping the nosy friends'n'family out of my private e-mail archives, pictures of the girlfriend, etc., and for the crypto hobby and my belief that we all should use crypto to foster it so that the gov't can't take away our privacy or single out individuals who do use it. We should all use crypto on principle, even those of us who don't really need it.

Re:Scramdisk/Linux ought offerto port BestCrypt

[SirWinston]

Huh, looks like I haven't been paying attention to Scramdisk enough. Is it possible that in an earlier incarnation, ScramDisk was DOS-based, or have I been completely out to lunch about this?

Of course, most of what I heard about ScramDisk came from third-party peaople with privacy pages and FAQs, so it's likely I picked up that error there. I'll check on which source said it. Then of course I came to alt.privacy and saw some first-person experiences with ScramDisk. Since I've been using BestCrypt since a few generations back, I never had much impetus to try ScramDisk--esp. since I'd heard it was DOS-based. BestCrypt is awesome, very clean and intuitive GUI, and the fact that its authors created a hardware "cryptoprocessor" for GOST several years back kind of inspires confidence in their crypto expertise. That they let you download a development kit with some source code also inspires some confidence, although it doesn't include source for the main engine it does include the keygen and encryption "modules". I've e-mailed them several times, and they are the nicest people you could imagine--cute imperfect English too, since they're Finnish.

I'M SURPRISED (hint hint, nudge nudge, wink wink) that no one in the Linux crypto community has contacted them with an offer to port it over, since it's the most awesome Windows crypto app and they could probably be persuaded, after all: their market would improve greatly, though they'd have to lower their price for the Linux version (which should be easy to talk them into doing, if others are willing to do the work).

Like I said, Windows *bites* about security--user.dat -.da0 -.bak is bordering on a conspiracy, it's so bad, and mm256.dats and mm2048.dats are almost as bad about logging Net usage. You can overwrite the mm*.dats from DOS, and sometimes Kremlin can even do it, but the user.dat files I don't know what to do about. Anyone hiding something with a telling name, like "F:\Freemen\TerrorismRules\Bombplans\LA.doc" is screwed. ;-) So, Linux with a BestCrypt or Scramdisk would be as airtight as it gets... Any hackers up for a porting job? :-)

P.S.--anyone who might be interested, free full-function 30-day demos, and development kits, are at http://www.jetico.sci.fi

Re:OPEN SOURCE, Vendors I Kinda Trust, &am

[SirWinston]

>Er... in that case, remember to thoroughly nuke
>your swapfile afterward. When I rooted thru my
>own Windows swapfile with a simple hex viewer, I
>found data more than 6 months old!!

Yeah, the swap file...the bittersweet voodoo that made it possible for me to run Paint Shop Pro on my old i486 with palty 8Megs RAM!! Thank God for my new 64Meg K6-2 400... Actually, the swap file is where Kremlin 2.21 comes in handy: it can be configured to overwrite not only the swap, but the system RAM as well, *and* those annoying mm*.dats which track your Net visits. Of course, I have it configured to only clear the Windows and browser, etc., histories because I'm not hiding much Big Brother would be interested in, except maybe that manifesto... ;-) I'm more concerned with Little Sister finding the pics of me boning an old friend of hers, hehe. I do the crypto/security thing as a hobby & political statement, but I do have Kremlin delete the mm*.dats once a week because they can get to be a few hundred KB. :-( If only I could figure out how to pare down the user.dats--which are 500-600KB each.

> Also,
>compressed volume files (such as created by
>Stacker/Doublespace) can contain all sorts of
>supposedly-deleted data from months previous.

You know, I never thought when I got my new box w/ 8.4 Gig HD, that I'd ever be wanting for space again, since my old 8Meg i486 laptop had only 650Meg HD--well, I went nuts with the expansion room, installed every game I've been wanting to disk and even put the whole Encarta on my HD, plus a 650Meg encrypted archive (sized for when I get a CD-R) and a backup, so I'm at 5.9Gigs and it's only been a month. A-hem...

Seriously, I can hardly wait for a stable, well-GUI'd Linux and good easy Linux volume encryption--I'd dump half the crap on my disk for that, surely. Windows is like an information sieve--anyone using it is not entirely safe, even with encryption. If anyone wants to know bad enough what files you access on that encrypted disk, or what sites you visit on the Net, they *will* know.

Big Brother

[Wubby]

Does anyone remember a few years back when a little bill passed at the tail end on the 103rd Congress here in the US? It required half a BILLION dollors be spent to put remote wire tapping equipment on all communication carries. It has a capability of 10000 taps at once. The us has NEVER required more then 1000 taps PER YEAR! That's state and federal combined... No newspaper ever printed that story! Yes we need STRONG encryption (preferably OSS)!

NSA teams up with M$!

[Enoch+Root]

People, there's healthy paranoia, and lunatic rambling. When cryptographers say, 'this algorithm is unbreakable by brute force', there's no point in answering, 'yeah, but what if the NSA has quantum computers/omniscience/an infinity of monkeys on typewriters'.

It's possible that the NSA has superior tech, but the orders of magnitude we're talking about in strong-encryption would require computers light-years ahead of our own.

As for NSA being more advanced in cryptology than the general public: I very much doubt it. Why do you think they created strong-encryption export policies? It's because they can't decrypt it all, and they're scared of a foreign power being able to use unbreakable ciphers.

For instance, I doubt they ever proved P=NP. If such a proof is made, it'll come from Universities, not a Government agency.

Government cryptanalysis may have been ahead in WW2, but this is a drastically different time. Now, crypto is in the hands of Universities and hackers. We've literally taken the field of cryptology from the hands of the NSA, and they're annoyed. That's why they come up with insane ploys like Echelon.

Hence my subject header: public cryptography is to the NSA what GNU is to M$. It's a revolution, and it's taking the adversary by surprise.

In both cases, the NSA or M$ has tried to impede the progress made by individuals with a desire for freedom around the world, but they're being overtaken by sheer freedom of communication and exchange of ideas.

I'm not saying the NSA is behind in crypto; I'm saying they're losing ground fast. And even if they hand-pick the finest scientists and cryptologists, there's still many, many more out there in Universities or in their basement, being paranoid, and creating stronger and stronger algorithms.

The NSA claims it invented public-key crypto ten years before PGP, but they never came up with proof. Even then, they were being beat.

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Scramdisk, etc. Someone want to write UMScramDOS?

[Myself]

I haven't tried BestCrypt yet, so I can't comment. Mmmm, Traci Lords. :)

Scramdisk is NOT DOS-based! It's 95 and 98 only, and it requires that sd.vxd be in windows\system\ at boot time. (Other than that, there's no installation, per se.) And we all know that VXDs don't load when you're plain-DOS-booted.

Scramdisk IS very cool. The user interface is a bit less than intuitive at first (the sequence of events in order to mount a drive, for example, needs work.) but it's overall very easy to use once you get used to it. You can unmount on delay, unmount on hotkey, or unmount on menu command.

I'd like to see a Dblspace replacement that lets me get at Scramdisk drives from DOS. (I'd also like to see compression built in, because mounting a scramdisk volume which is stored on a compressed volume is just plain ugly! But hey, disks are cheap now.)

Kremlin rules! Particularly the name. I don't like the file-by-file encryption, it's just as limited as old PGP was in that respect. But the Sentry is awesome, I set mine to wipe the slack space at the end of clusters, clear my browser cache, nuke c:\temp, and do some other system cleanup every morning. The clatter of the hard drive serves as my alarm clock. (Well actually no, it's a nearly-silent Caviar, and I work nights anyway.)

The problem is that none of this awesome stuff is written for Linux. I don't know Aman's feelings on the issue, but I'd like to see a Linux driver to read/write Scramdisk files, in the fashion of UMSDOS. I ought to post this to alt.privacy when I get home.

Decoy packets! Scriptkiddies useful? Naaah.

[Myself]

With all the distributed.net and seti@home packets flying around thet 'net, if we just encrypted them, Echelon would have a coronary just trying to figure out dbaker's next song lyrics quote in the "The keyserver says:" line.. Hehehe..

Seriosuly tho. What if we do a little social engineering of our own, and give all the scriptkiddies a little decoy program to put on all the systems they compromise? It just sends out 10-50 packets per second of "nuclear secret refinery dmsetup compromise echelon sigint sigterm sighup hehe China Russia comrade" junk, targeted at random hosts. Or if you want to make it REALLY useful, have it send to UDP port 139 on those random hosts. The kiddies will LOVE it, Echelon will HATE it, it'll be on a dozen new systems every day, and life will be good!

Who watches the watchmen? Who cares? What matters is who educate those who the watchmen want to watch.

Alan Turing is NOT the NSA predecessor!

[try67]

Alan Turing who was mainly responsible for the creation and operation of the COLOSSUS machine cant be reffered to as the NSA predecessor!
He was a scientist, a computer pioneer and a brilliant mathematician but by no means was he a spy or some kinda privacy-breaking, human-rights-violating, US-goverment-working guy!

All of us owe(?) him a hell of a lot...