The Conspiracy Theory that Annoys Me the Most

Conspiracy theories are fun even when you don’t buy into them hook, line, and sinker. I enjoy reading about all of the wonky theories people have come up with, especially if that theory involves lizard people. But among the conspiracy theories out there, the one that annoys me the most is that the government is omnipotent. This theory is very prevalent in libertarian circles, which is ironic considering that most libertarians view the government as being entirely incompetent. Whenever I try to discuss tools to secure oneself against the National Security Agency’s (NSA) surveillance apparatus there are usually a few people who start making up bullshit and claiming that using such tools will either make you a target, that the tools are backdoored by the NSA (even if the project is open source and the code has been thoroughly reviewed for such shenanigans), or that the NSA has magical supercomputers that can instantly break all encryption protocols.

Unlike most conspiracy theories, which usually contain some kernel of factual information that the wild theories are built on, the claim that the NSA can render all computer security tools impotent is entirely baseless. As Bruce Schneier pointed out in a recent blog entry, the NSA isn’t magic:

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.

The NSA is little more than the combination of well-known hacking tools, massive funding, and privileged positions on the main infrastructure. Edward Snowden has said numerous times that encryption works. Anybody who claims that the NSA can render all known encryption protocols impotent is literally making shit up. It’s no different than the conspiracy theory that lizard people secretly control all of the governments of the world. Zero evidence exists supporting the claim.

My theory is that people who claim nobody should bother using encryption because it’s futile are simply too lazy to learn how to use the tools and don’t want to admit it. To make themselves feel better they justify their actions by claiming doing otherwise is pointless.

[Digital] Papers Please

As the popular phrase “On the Internet nobody knows that you’re a dog” tries to convey, the Internet is a bastion of anonymity. You can be whoever you want to be when posting online, and if you properly utilize effective anonymity tools there is no practical way for anybody to connect your online identity to your real identity. This shield of anonymity enables truly free speech, which means the government wants to stop it. Meet the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, an attempt by the executive branch to force people to obtain a license to use the Internet. This license isn’t merely a method for the state to identify you as being qualified to use the Internet, it’s an attempt to remove the shield of anonymity that protects free speech online:

The draft NSTIC says that, instead of a national ID card, it “seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions,” which can be obtained “from either public or private sector identity providers.” (p. 6) In other words, the governments want a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.

Decentralized or federated ID management systems are possible, but like all ID systems, they definitely pose significant privacy issues. There’s little discussion of these issues, and in particular, there’s no attention to how multiple ID’s might be linked together under a single umbrella credential. A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy (pp. 125-132). Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).

Providing a uniform online ID system could pressure providers to require more ID than necessary. The video game company Blizzard, for example, recently indicated it would implement a verified ID requirement for its forums before walking back the proposal only after widespread, outspoken criticism from users.

Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond. Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad online obscenity law; it takes little imagination to believe states would require NSTIC implementation for individuals to be able to access content somehow deemed to be “objectionable.”

I will go so far as to argue that truly free speech isn’t possible without the availability of anonymity. We see this whenever a company sues a customer who wrote a bad review, the state kidnaps a businessman, or somebody is kidnapped for holding the wrong political belief. Imagine how much easier it would be for a business to sue anybody who left a negative review of their products if the NSTIC initiative were realized. Confirming the identity of the reviewer would be simple, and that would put anybody leaving a negative review at risk of a lawsuit.

The only reason I can perceive for the executive branch’s push for its NSTIC initiative is squashing political dissent and suppressing critics of its corporate partners. Problems of authentication, authorization, and accounting have already been solved in numerous ways that allow an individual to keep their online identity separate from their real life identity. There are even methods that allow a user’s real life identity to be verified (which is what my certificate provider does). Nothing in the NSTIC initiative solves a problem that hasn’t been solved already. It merely introduces another way to solve these problems in a manner that centralizes information for easy federal and corporate access.

Google May Be Looking at Prioritizing Encrypted Sites in Search Results

One of the things that I believe to be unnecessary in this day and age is unencrypted sites. When certificate authorities offer free certificates for personal use there are no real barriers left preventing the adoption of HTTPS on every website. Google may agree, as it appears to be looking into prioritizing websites that use HTTPS in its search results:

In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.

The executive, Matt Cutts, is well known in the search world as the liaison between Google’s search team and website designers who track every tweak to its search algorithms.

Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.

I hope that the person familiar with the matter is correct. The information leaked by Edward Snowden demonstrated to all of us that an insecure Internet is no longer a viable option. We need to move to an Internet where all information is encrypted. Doing so wouldn’t just make it harder for organizations like the NSA to spy on our communications but it would also make it more difficult for malicious hackers to intercept user authentication information. By prioritizing encrypted sites Google could help convince more site administrators to use HTTPS for their sites.

Applied Crypto Hardening

I spend a lot of time urging people to utilize available cryptographic tools to secure their data. While I admit that using cryptographic tools is less convenient than not using them and involves a learning curve, I believe that everybody has a duty to take their online self-defense into their own hands. To this end a group of people have gotten together and written a white paper that helps individuals utilize the cryptographic features in popular software packages:

This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

Initiated by Aaron Kaplan (CERT.at) and Adi Kriegisch (VRVis), a group of specialists, cryptographers and sysadmins from CERTs, academia and the private sector joined forces to write such a concise, short guide.

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open sourced, every step in the creation of this guide is public, discussed on a public mailing list and any changes to the text are documented in a publicly readable version control system.

The document itself can be downloaded here [PDF]. I haven’t read through the entire guide but it is obviously still being written as there are quite a few omissions. But what is there is good information albeit information devoid of theory, which is OK, you have to start somewhere and enabling these features without fully understanding them is still better than not enabling them at all.

A Promising Steganography Tool

Encryption is a wonderful tool that grants us information control. But there is one thing that encryption generally fails to do: conceal the fact that you’re using encryption. This is where steganography comes in. Steganography is the art of concealing hidden messages in plain sight. There are numerous tools that allow you to do this, most of which conceal data inside of image files. The creator of BitTorrent is developing a new steganography tool that can conceal data inside of any file type:

For the last year Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a new piece of software he calls DissidentX. The program, which he released over the summer in a barebones prototype and is now working to develop with the help of a group of researchers at Stanford, goes beyond encryption to offer users what cryptographers call “steganography,” the ability to conceal a message inside another message. Instead of merely enciphering users’ communications in a scramble of nonsensical characters, DissidentX can camouflage their secrets in an inconspicuous website, a corporate document, or any other, pre-existing file from a Rick Astley video to a digital copy of Crime and Punishment.

“What you really want is to be as unsuspicious as possible,” says Cohen, who spoke with me about DissidentX at the Real World Crypto conference in New York Tuesday. “We don’t want an interloper to be able to tell that this communication is happening at all.”

As world governments become more tyrannical I believe it will become critical to have means of communicating securely in a way that doesn’t reveal the use of secure communications. Embedding an encrypted message inside of a picture of a cat, for example, is likely to go undetected on the Internet. Communications could be set up in such a way that users embed a message in an image, upload it to a specific image sharing site, and the recipient decrypts it without anybody else knowing the image contains a message.
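To make the idea concrete, here is an added example (mine, not DissidentX or any tool from the article) of the most basic image technique the paragraph above refers to: writing a payload into the least-significant bit of each pixel of a grayscale image, reading it back, and measuring the one statistic that gives naive LSB embedding away. The cover image is a constructed synthetic gradient, so the script needs no library and runs offline.

```python
"""Least-significant-bit (LSB) steganography on a constructed grayscale cover.

Added illustration, not code from the original post or from DissidentX.
Assumptions: an 8-bit grayscale image held as a flat bytearray, one byte per
pixel, and a lossless container (recompression to JPEG would destroy the bits).
"""

HEADER_BITS = 32  # 4-byte big-endian payload length stored first


def make_cover(width=64, height=64):
    """Synthetic cover: a smooth gradient stored as even values, so its LSB
    plane is all zeros. Real photos are noisier, but still far from uniform."""
    return bytearray(((x + y) % 128) * 2 for y in range(height) for x in range(width))


def _bits(data):
    """Yield the bits of `data` most-significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover, payload):
    """Return a copy of `cover` whose first pixels carry len(payload) then payload
    in their LSBs. Raises if the image is too small to hold the framed payload."""
    needed = HEADER_BITS + 8 * len(payload)
    if needed > len(cover):
        raise ValueError(
            f"cover holds {len(cover) // 8 - 4} bytes, payload is {len(payload)}")
    stego = bytearray(cover)
    framed = len(payload).to_bytes(4, "big") + payload
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear LSB, then set it
    return stego


def extract(stego):
    """Read the length header, then that many bytes, from the LSB plane."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + 8 * b + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(HEADER_BITS, length)


def lsb_ones_ratio(img, n=None):
    """Fraction of 1-bits in the LSB plane of the first n pixels (all if n is
    None). A smooth cover sits far from 0.5; an embedded payload, especially an
    encrypted one, drags the used region toward 0.5. This is the crudest
    stego-detection statistic and the reason naive LSB hiding is not
    'unsuspicious' against anyone who looks."""
    region = img[:n] if n else img
    return sum(p & 1 for p in region) / len(region)


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at noon"  # constructed payload
    stego = embed(cover, secret)
    used = HEADER_BITS + 8 * len(secret)
    print("recovered:", extract(stego))
    print("LSB ones ratio, cover:", lsb_ones_ratio(cover, used))
    print("LSB ones ratio, stego:", lsb_ones_ratio(stego, used))
```

The ratio check is the point for a defender: the payload is invisible to the eye but not to a histogram of the bit plane. Tools that aim to be genuinely inconspicuous have to preserve the cover’s statistics, and an encrypted payload should be compressed or otherwise matched to the cover rather than dropped into the LSBs as-is.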

Just Because You’re Paranoid Doesn’t Mean They’re Not Out to Get You

Back in the day you could call a person paranoid when they claimed that the government was spying on everybody. Today, thanks to Edward Snowden, such paranoia has proven to be justified:

And while the NSA story alone undoubtedly gives the “paranoid” plenty of reasons to say “I told you so,” a slew of other reports from this year gave them even more reasons to retreat into the wilderness and start subsistence farming.

[…]

For instance, the ACLU released a cache of documents showing that police around the country are collecting license plate scanner information that could be used to track physical locations of many Americans without consistent retention policies.

[…]

Speaking of being tracked, an enterprising hacker discovered that the E-Z Pass he used to make paying tolls simpler was being read all around New York City. Turns out, the city had been tracking E-Z Passes for years as a way to measure traffic patterns.

[…]

Speaking of technology with obviously exploitable surveillance capabilities: Someone might be watching you through your laptop’s webcam – without even activating the warning light.

[…]

Oh, and to top it all off: There was suspicious aerial activity going on at Area 51. Although no admissions of alien activity have emerged, much to John Podesta’s dismay, recently released documents reveal that the CIA tested its first drones at the Nevada military base.

2013, above most other years, has demonstrated how widespread surveillance has become. The Orwellian present we find ourselves in has been made possible through advancing technology. This has led many people to blame technology and seek a Luddite existence that they believe will keep them safe from surveillance. While technology has made widespread surveillance possible, it is also the tool that allows us to fight widespread surveillance.

Cryptography allows us to conceal our communications from prying eyes and even to conceal the source and destination of communications. Tor allows you to access the Internet anonymously (so long as you use it correctly). Tails is a Linux distribution that can be booted from a CD or USB drive and that attempts to anonymize all of your online activity. GnuPG allows you to encrypt the contents of your e-mail so those bastards at the National Security Agency (NSA) can’t see what you and your correspondent are discussing. Off-the-Record Messaging does the same thing for instant messages. Many other tools exist that allow you to maintain anonymity and privacy.

The only way to stop the widespread surveillance apparatus of the state and corporations is to use technology to counter their technology. Hiding in a hole may sound effective but the surveillance state can watch you even if you don’t carry a cellular phone, use a computer, or drive a car. Cameras are everywhere in our society and you can’t avoid their soulless stare unless you board yourself up in your home and refuse to come out (and even then your home could be bugged). But we can make the cost of surveillance so high that it bankrupts the spies.

Test Firing of Liberator in Japan

I believe that 3D printable firearms will destroy gun control. Once individuals are able to easily manufacture firearms in their homes it will be impossible for any government to restrict ownership. But beliefs and demonstrations are two different things. Today I have a demonstration of 3D printable firearms apparently skirting gun control laws. Japan isn’t known for being a weapon-friendly island. Throughout Japanese history rulers have disarmed segments of the population. Disarming people took the form of sword hunts, which eventually concluded in the disarmament of the samurai in 1876. Today acquiring a firearm in Japan is extremely difficult [PDF]. Even possessing parts of a handgun can get you into legal trouble. So seeing a Liberator pistol being fired in Japan is pretty exciting:

My understanding of Japanese weapons laws leads me to believe that the video is showing an illegal act but I’m not entirely sure as the demonstrator was willing to show his face. Either way I think this thoroughly demonstrates the viability of producing 3D printable firearms in localities with strict gun control laws. Gun control advocates will be quick to point out that 3D printable firearms aren’t yet viable, which is true today. Tomorrow will be a different story. 3D printer technology is advancing rapidly and we will see affordable printers capable of manufacturing reliable firearms in the near future. After we reach that technological achievement gun control laws will be unenforceable and thus gun control will be dead.

Scott Adams: Possible Future Anarchist

I work in an office environment so it should go without saying that I’m a fan of the Dilbert comic. In a strange but positive turn of events, a recent post by Dilbert’s author, Scott Adams, leads me to believe he’s traveling down the road to anarchism:

I have a hundred-year plan to eliminate government.

The key to making this work is picking one element of government at a time and using technology to eliminate it. Remember, we have a hundred years to develop and test lots of little plans. So we won’t permanently eliminate any part of government until citizens have seen proof it can work on a state level, or for a brief test period nationally, or in another country.

He gives several examples of how technology could be used to replace government functions. If you’re a neophile anarchist, such as myself, what he’s saying is nothing new. I’ve been advocating the use of technology to eliminate the state by providing competition and alternatives to its programs. One of the state’s greatest weaknesses is its inability to adapt to long term changes. We see this whenever the state moves to regulate a new technology, often before the ramifications of that technology are understood.

Its regulations are seldom sensible and usually take the form of outright prohibitions or licensing. My favorite example of this is Wisconsin’s ban on using electromagnetic weapons for hunting. Electromagnetic weapons, as far as hunting goes, are still fantasy, but the Wisconsin government has already banned such usage even though we have no understanding of how such technology would affect hunting.

I theorize that the state’s hatred of new technologies stems from its fear of being supplanted by them.

Understand the Tools You’re Using

When people first become interested in computer security they have a habit of downloading and using tools before they understand how they work. This is a major mistake as a Harvard University student recently learned when he attempted to use Tor to make an anonymous bomb threat:

A Harvard student was charged Tuesday with making a hoax bomb threat just so he could get out of a final exam.

Eldo Kim, 20, of Cambridge, Mass., was scheduled for a hearing Wednesday in U.S. District Court. He could face as long as five years in prison, three years of supervised release and a $250,000 fine if convicted of communicating the bomb threat that cleared four large buildings Monday.

[…]

Kim took several steps to hide his identity, but in the end, it was the WiFi that got him, the FBI said.

Kim said he sent his messages using a temporary, anonymous email account routed through the worldwide anonymizing network Tor, according to the affidavit.

So far, so good. But to get to Tor, he had to go through Harvard’s wireless network — and university technicians were able to detect that it was Kim who was trying to get to Tor, according to the affidavit.

Had Mr. Kim invested 15 minutes of reading time on Tor he would have learned that Tor doesn’t attempt to conceal the fact that you’re using Tor. Anybody monitoring the network you’re using can detect that you have a connection to the Tor network. With that knowledge in hand Mr. Kim would have been able to understand that being one of the few, if not the only, Tor users on the campus Wi-Fi would be a red flag when the campus received a bomb threat sent over Tor. This is especially true when his Tor connection times closely correlate to the time the bomb threat was sent.
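The detection described above needs nothing exotic from the network operator’s side, and it is worth seeing how little. The following is an added example (mine, not from the article, the affidavit, or Harvard’s IT staff) of the correlation a campus network team could run over its own flow logs: flag every client that connected to a known Tor relay, then rank clients by how many of those connections fall within a window around the time of the incident. The relay addresses, flow records, and incident time are all constructed; a real deployment would take the relay list from the Tor project’s published consensus, which changes hourly.

```python
"""Correlate campus flow logs with known Tor relays around an incident time.

Added illustration, not part of the original post. Everything below is
constructed: the relay addresses are documentation-range IPs standing in for
the real Tor consensus, and the flow lines are made up.
"""
from datetime import datetime, timedelta

# Constructed stand-in for the Tor relay list (fictional addresses).
TOR_RELAYS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2013-12-16T08:29:10 10.20.5.17 198.51.100.7 443
2013-12-16T08:29:12 10.20.5.17 198.51.100.7 443
2013-12-16T08:30:01 10.20.7.90 93.184.216.34 80
2013-12-16T08:31:40 10.20.5.17 203.0.113.42 9001
2013-12-16T09:15:03 10.20.9.12 192.0.2.99 443
2013-12-16T11:02:55 10.20.7.90 198.51.100.7 443
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into (time, src, dst, port)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def tor_clients(flows, relays=TOR_RELAYS):
    """Map each client IP to the timestamps of its connections to a relay.
    Tor does not hide these connections from the local network, only the
    traffic inside them."""
    hits = {}
    for ts, src, dst, _port in flows:
        if dst in relays:
            hits.setdefault(src, []).append(ts)
    return hits


def correlate(hits, incident, window=timedelta(minutes=10)):
    """Rank clients by the number of relay connections inside +/- window of
    the incident; clients with no connection in the window are dropped."""
    scored = []
    for client, stamps in hits.items():
        n = sum(1 for t in stamps if abs(t - incident) <= window)
        if n:
            scored.append((n, client))
    return [client for _n, client in sorted(scored, reverse=True)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = tor_clients(flows)
    incident = datetime(2013, 12, 16, 8, 35)  # constructed incident time
    print("clients that reached Tor:", sorted(hits))
    print("ranked near incident:", correlate(hits, incident))
```

Two caveats for anyone running something like this for real. Absence from the result is not proof of innocence: bridges and pluggable transports are deliberately not in the public relay list. And presence is only a lead, not an identification: a dozen Tor users on a campus would leave the list ambiguous, which is exactly why being the only one in the window was so damaging in this case.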

So today’s lesson is this: make sure you fully understand the workings of any tools you use to enhance your security. Failing to do so will leave you vulnerable and often no better off, and sometimes even worse off, than you would have been if you hadn’t used the tool at all.

Bitcoin Versus Gold: Or How I Learned to Stop Caring About Economic Internet Arguments

I think it’s time we took a moment to chat. If you pay attention to economics, crypto-anarchism, libertarianism, or other similarly intersecting online forums you have probably picked up on the Bitcoin versus gold debate that has been raging recently. The latest exchange started with Peter Schiff posting this video touting gold over Bitcoin:

This kicked the Bitcoin community into holy crusade mode. The most well written counterargument to Schiff’s video, in my opinion, is this one from Reddit.

I have a problem with both sides of the argument. There is no reason one has to win. We, as a species, are actually capable of using more than one thing as a medium of exchange. For example, gold and silver have historically been found together as mediums of exchange in markets based on precious metals. Today we see the use of dollars, yuan, yen, pounds, euros, and many other currencies used to facilitate transactions. In fact I would submit that having a single medium of exchange is just as dangerous as any other monopoly.

Bitcoin is an exciting newcomer. It’s attractive to us neophiles, in part, because it’s an unknown quantity that could greatly shake the foundation of the current monetary systems. Neophobes tend to shy away from Bitcoin because it’s new and unproven. For them gold is a better option because it’s been around forever. I’m a fan of diversification. If Bitcoin takes a dump and gold excels then I’m happy to have gold. If the opposite happens I’m happy to have Bitcoin. If both excel as currencies I’ll be happy to have both. The only way this debate will be determined once and for all is when time leads us to a result. I just hope that whatever result we arrive at is unexpected by all involved interests. Nothing is worse than minds not being blown.