Category Archives: Cryptography

Encryption: The Sky *IS* Falliing

The latest revelations about the NSA’s ability to undermine most encryption used online dwarf anything we have learned previously. What is worse, the NSA has worked to insert weaknesses into products — backdoors.

the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

It’s everything, everything that Cypherpunks ever muttered about over their beer.

This is the secret that likely explains why the Obama and Cameron administrations were willing to do almost anything to try to get Snowden, the reporters he leaked to, and the anyone who touched their data.

This is the nuclear winter of data security.

What do we do?

I used to say, we don’t really care if the NSA is reading our traffic, because if they are, the secret is so valuable they won’t waste it on anything but the most important national security matters. The Snowden revelations suggest that wasn’t completely right — there was some information sharing with civilian domestic law enforcement, although it was obfuscated in ways that undermined the constitutional guarantee of the right to confront witnesses against you. More importantly, the fact of the Snowden revelations mean that the cat is out of the bag, so the disincentive to use the information will be greatly reduced.

Bruce Schneier has given this some thought — he had an advance look at the documents — and he says that the IETF and other engineers need to re-engineer the internet to make it safer from surveillance. Meanwhile, there are things we can do individually.

For now, however, it is not hyperbole to say, as Schneier does, that “[b]y subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract.” It’s going to be tough, hard work to rebuild the Internet, and even harder work afterwards to rebuild trust in systems not to mention both public and private institutions.

Are we up to either job?

Posted in Cryptography | 13 Comments

Thoughts on Snowden’s Dead Man’s Switch

It would have been more morally pure for Snowden to choose to stay home and face the consequences after his act of civil disobedience.

I don’t think it follows, however, that Snowden is acting irrationally or treasonously or (wrongly) “taking a hostage” by setting up (or claiming to set up) an information-disclosure insurance policy against reprisals by the US. For evidence for this proposition one need look no further than the very eloquent NYT op-ed by Nasser al-Awlaki, The Drone That Killed My Grandson. Remember that we now live in a country that has a track record of executing US citizens (so-called “targeted killing”) without trial, at least outside the US. The limiting principle, we are told, is that the US only does this when it considers them a grave threat, and cannot get hold of them any other way because they are beyond the reach of arrest — not principles likely to be of great comfort to a Snowden.

For a cryptographer’s analysis of this tactic, see Bruce Schneier’s, Snowden’s Dead Man’s Switch. Schneier suggests it may be counter-productive:

I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.

A commentator counters that in fact this creates a different incentive:

If the US does not want these secrets released then it is in their interests to keep him alive.

It’s also makes it more imperative to capture him in case anyone else kills him.

Posted in Cryptography, Law: Criminal Law, National Security, Padilla | 2 Comments

Paranoids Really Do Have Enemies

Use of Tor and e-mail crypto could increase chances that NSA keeps your data | Ars Technica

Update: For the point of view that all is well, except for the fact of the leaks, see Stewart Baker, But Enough About You …. Note that to read this post in its true context you need to understand what it means for the NSA to decide a post might be foreign in some way. A good place to start might be Ed Felton’s 51% foreign test doesn’t protect Americans.

Posted in Cryptography | 1 Comment

EFF Is Accepting Bitcoins Again

EFF Will Accept Bitcoins to Support Digital Liberty. This follows a 2-year moratorium.

One key difference from past practice: EFF will liquidate any Bitcoins it receives as soon as it gets them.

EFF’s announcement pointed me to this recent (March 18, 2013) Fincen guidance document, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies which I had missed. Key graph:

A user who obtains convertible virtual currency and uses it to purchase real or virtual goods or services is not an MSB [Money Services Businesses] under FinCEN’s regulations. Such activity, in and of itself, does not fit within the definition of “money transmission services” and therefore is not subject to FinCEN’s registration, reporting, and recordkeeping regulations for MSBs.

Posted in Cryptography, Econ & Money | Leave a comment

Big Brother is WWWatching You (feat. George Orwell)

Rap News 15:

Good stuff! Lots of cute in-jokes too.

Spotted via BoingBoing.

Posted in Civil Liberties, Cryptography, Internet, Law: Privacy | Leave a comment

Checking In With Bitcoin (2)

Hacker steals $250k in Bitcoins from online exchange Bitfloor | Ars Technica

The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question Tuesday when the company’s founder reported that someone had compromised his servers and made off with about 24,000 Bitcoins, worth almost a quarter-million dollars. The exchange no longer has enough cash to cover all of its deposits, and it has suspended its operations while it considers its options.

This comes on the heels of news of the collapse of what’s been called a giant Bitcoin Ponzi scheme. See Official: Bitcoin Loan Shark ‘pirateat40′ Defaults for details:

A mountain of problems have been growing the past several weeks surrounding the recent drama around massive Bitcoin lender, pirateat40, as reports of fund inaccessibility came out of the wood work.

Purported to have had somewhere around 500,000 BTC in Bitcoin Savings & Trust, his fund that was offering deposit account holders up to 7% weekly interest on their holdings. The lending service provider announced a default on borrowed assets just a short while ago; the estimated value for the defaulted assets is $5,000,000 USD.

Actually, the amazing part is that Bitcoin isn’t totally dead.

Previously: Bitcoin & Gresham’s Law & Botnets (2/22/12); Checking In With Bitcoin (10/25/11) and Why Bitcoin Isn’t As Exciting as it May Sound (6/11/11).

Posted in Cryptography, Econ & Money | Leave a comment

Key Cryptography Concept Explained

I thought this video explanation of Public Key Cryptography: Diffie-Hellman Key Exchange [or, if you prefer, Diffie-Hellman-Merkle key exchange] was unusually clear. Secure key exchange is really important, because exchanging keys securely with someone is an essential prerequisite to creating a secure communications channel with them.

This video is great for people who want an intro to one of the central ideas in modern cryptography:

OK, there was a little math in there, but not so much.

Posted in Cryptography | 1 Comment