TANSTAAFL

One of the most important things for anybody to know is that there ain’t no such thing as a free lunch. Everything comes at a cost, even “free” things. Consider public Wi-Fi networks. Companies seemingly provide free Wi-Fi to customers as a courtesy. But those free Wi-Fi networks are revenue generators:

According to an article, which mall officials say they co-wrote, “while being an attractive guest feature, the (Wi-Fi) service simultaneously provides the mall with enough data to fill digital warehouses with information about what people do both online and in the real world while on the property.”

“This type of tracking can happen at any business, any location, any place that there’s any Wi-Fi networks,” Schulte said.

He explained that when your phone connects to Wi-Fi, it’s actually exchanging information with the network.

“You’re telling the Mall of America when you go to the mall, what door you go in, what stores you visit, what level you’re on, as well as what you’re doing on your phone.”

Asked if that means that mall officials could potentially know about it if someone logs onto Facebook while using the mall’s Wi-Fi network, Schulte answered, “Absolutely they know that you’re going to Facebook.”

This is the same paradigm used by websites that rely on ad networks for revenue. Instead of charging the user directly, the provider simply snoops on the user and sells the information it collects to advertisers. In this way the advertiser becomes the customer and the user becomes the product.

I recommend against using public Wi-Fi networks. If you have to use one I recommend doing so through a Virtual Private Network (VPN). A VPN encrypts your traffic from your device to the VPN provider’s server. That means your data isn’t visible to the local Wi-Fi network and therefore cannot be snooped on by local network surveillance. Tor can work to a lesser extent in that you can conceal traffic that can be run through the Tor network but it’s not as effective in this case since most systems, with the exception of specially designed operating systems such as Tails, don’t route all traffic through Tor.

Whenever anybody offers you something for free you should try to figure out what the catch is because there is one.

John Brennan is an Idiot

You probably read the title of this post and wondered what Brennan did this time to piss me off. Truthfully he didn’t really piss me off this time. What he did was make a public statement that really requires being an idiot to make.

Everything old is new again. As before, the United States government is busy debating whether or not mandatory backdoors should be included in civilian encryption. Security experts have pointed out that this is a stupid idea. Crypto-anarchists have pointed out that such a law would be meaningless because the Internet has enabled global communications so finding foreign encryption algorithms that don’t include a United States backdoor would be trivial. Hoping to refute the crypto-anarchists, John Brennan made this statement:

Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

“US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them,” Brennan said.

“So although you are right that there’s the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues.”

Theoretical ability? Let’s have a short discussion about the Advanced Encryption Standard (AES). AES is one of the most prolific encryption standards in use today. Most full disk encryption tools, many Transport Layer Security (TLS) connections, and a load of other security tools rely on AES. Hell, many devices even include hardware acceleration for AES because it’s so heavily used. AES originated as a competition held by the National Institute of Standards and Technology (NIST) to find a modern encryption standard. In the end an algorithm called Rijndael won. Rijndael was created by Joan Daemen and Vincent Rijmen. If those two names sound foreign it’s because they are. Joan and Vincent are Belgians. So one of the most common encryption algorithms in use today, an algorithm chosen by an agency of the United States government no less, was created by two foreigners. I’d say foreign encryption tools are a bit beyond theoretical at this point.

Adding insult to injury, let’s discuss Theo de Raadt. Theo, for those who don’t know, is the creator and lead developer of both OpenBSD and OpenSSH. OpenBSD is an operating system known for its security and OpenSSH is probably the most common secure remote connection tool on the planet. Both of them are developed in Canada:

It’s perhaps easy to forget, but the cryptographic landscape was quite different in 1999. A lot has changed since then. Cryptographic software was available, but not always widespread, in part due to US export controls. International users either had to smuggle it out printed on dead trees, or reimplement everything, or settle for the 40 bit limited edition of their favorite software. Many operating systems originated in the US, so it was difficult to integrate cryptography top to bottom because there needed to be a way to build the export version without it. OpenBSD had the advantage of originating in Canada, without such concerns. The go-to public key algorithm of choice, RSA, was encumbered by a patent for commercial use. The primary symmetric algorithm was still DES. You could use blowfish, of course, but it wasn’t officially blessed as a standard.

Again, the availability of foreign encryption tools is more than theoretical. I would think the director of the Central Intelligence Agency (CIA), which is supposedly tasked with spying on foreign countries, would be very aware of that. But the CIA has a long history of failure so it being unaware of very real encryption tools originating in foreign countries isn’t really that surprising.

The Bill Of Rights Won’t Save You

You really need to use full disk encryption on all of your electronic devices. Modern versions of OS X and Linux make it easy. Windows is a bit hit or miss as BitLocker tries its damnedest to share your key with Microsoft’s servers. iOS has included full disk encryption by default — so long as you set a password — since version 8 and Android also includes support for full disk encryption. Use these tools because the Bill of Rights won’t protect your data from government snoops:

The government can prosecute and imprison people for crimes based on evidence obtained from their computers—even evidence retained for years that was outside the scope of an original probable-cause search warrant, a US federal appeals court has said in a 100-page opinion paired with a blistering dissent.

The 2nd US Circuit Court of Appeals ruled that there was no constitutional violation because the authorities acted in good faith when they initially obtained a search warrant, held on to the files for years, and built a case unrelated to the original search.

The case posed a vexing question—how long may the authorities keep somebody’s computer files that were obtained during a search but were not germane to that search? The convicted accountant said that only the computer files pertaining to his client—who was being investigated as part of an Army overbilling scandal—should have been retained by the government during a 2003 search. All of his personal files, which eventually led to his own tax-evasion conviction, should have been purged, he argued.

From my layman’s understanding of the Fourth Amendment, it’s supposed to protect against government shenanigans such as snooping through your data that was obtained under a valid warrant but was unrelated to the case the warrant was issued for to build another case against you. Although the quote is most likely false, Mr. Bush supposedly said, “It’s just a goddamned piece of paper!” in regards to the Constitution. While the quote is probably false the statement is not.

The Constitution cannot protect you. It is literally a piece of paper with words written on it. If you want some semblance of protection against the State you have to implement it yourself. Encrypting your devices’ storage would guard against this kind of nonsense assuming you weren’t foolish enough to decrypt the data for the State at any point. This is where features such as VeraCrypt’s (a fork of TrueCrypt that is being actively developed) hidden partition feature are nice because you can have a sanitized encrypted partition that you can decrypt and a hidden partition with your sensitive data. Since the hidden partition isn’t detectable the State’s agents cannot know whether or not it exists and therefore cannot compel you to decrypt it.

Utilize the tools available to you to protect yourself. Anybody who has been paying attention to recent American history knows that the supposed legal protections we all enjoy are little more than fiction at this point.

Fly, You Fools

In addition to creating fake terrorist attacks so it can claim glory by thwarting them, the Federal Bureau of Investigation (FBI) also spends its time chasing brilliant minds out of the country:

FBI agents are currently trying to subpoena one of Tor’s core software developers to testify in a criminal hacking investigation, CNNMoney has learned.

But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system — and expose Tor users around the world to potential spying.

That’s why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany.

Because of the State’s lust for power, the United Police States of America are becoming more hostile towards individuals knowledgeable in cryptography. The FBI went after Apple earlier this year because the company implemented strong cryptography so it’s not too surprising to see that the agency has been harassing a developer who works on an application that utilizes strong cryptography. Fortunately, she was smart enough to flee before the FBI got a hold of her so none of its goons were able to slap her with a secret order or any such nonsense.

What’s especially interesting about Isis’ case is that the FBI wouldn’t tell her or her lawyer the reason it wanted to talk to her. It even went so far as to tell her lawyer that if agents found her on the street they would interrogate her without his presence. That’s some shady shit. Isis apparently wasn’t entirely dense though and decided it was time to go while the going was good. As this country continues to expand its police state don’t be afraid to follow her example.

I’m Satoshi Nakamoto! No, I’m Satoshi Nakamoto!

The price of Bitcoin was getting a little wonky again, which meant that the media must be covering some story about it. This time around the media has learned the real identity of Satoshi Nakamoto!

Australian entrepreneur Craig Wright has publicly identified himself as Bitcoin creator Satoshi Nakamoto.

His admission follows years of speculation about who came up with the original ideas underlying the digital cash system.

Mr Wright has provided technical proof to back up his claim using coins known to be owned by Bitcoin’s creator.

Prominent members of the Bitcoin community and its core development team say they have confirmed his claims.

Mystery solved, everybody go home! What’s that? Wright provided a technical proof? It’s based on a cryptographic signature? In that case I’m sure the experts are looking into his claim:

SUMMARY:

  1. Yes, this is a scam. Not maybe. Not possibly.
  2. Wright is pretending he has Satoshi’s signature on Sartre’s writing. That would mean he has the private key, and is likely to be Satoshi. What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t need to be Satoshi. He just needs to make you think Satoshi signed something else besides the Blockchain — like Sartre. He doesn’t publish Sartre. He publishes 14% of one document. He then shows you a hash that’s supposed to summarize the entire document. This is a lie. It’s a hash extracted from the Blockchain itself. Ryan Castellucci (my engineer at White Ops and master of Bitcoin Fu) put an extractor here. Of course the Blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn’t surprising at all.
  3. He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.
  4. I think Gavin et al are victims of another scam, and Wright’s done classic misdirection by generating different scams for different audiences.

Some congratulations should go to Wright — who will almost certainly claim this was a clever attempt to troll people so he doesn’t feel like a schmuck for being too stupid to properly pull off a scam — for trolling so many people. Not only did the media get suckered but even members of the Bitcoin community fell for his scam hook, line, and sinker.

FBI Claims Its Method Of Accessing Farook’s Phone Doesn’t Work On Newer iPhones

So far the Federal Bureau of Investigation (FBI) hasn’t given any specific details on how it was able to access the data on Farook’s phone. But the agency’s director did divulge a bit of information regarding the scope of the method:

The FBI’s new method for unlocking iPhones won’t work on most models, FBI Director Comey said in a speech last night at Kenyon University. “It’s a bit of a technological corner case, because the world has moved on to sixes,” Comey said, describing the bug in response to a question. “This doesn’t work on sixes, doesn’t work on a 5s. So we have a tool that works on a narrow slice of phones.” He continued, “I can never be completely confident, but I’m pretty confident about that.” The exchange can be found at 52:30 in the video above.

Since he specifically mentioned the iPhone 5S, 6, and 6S it’s possible the Secure Enclave feature present in those phones thwarts the exploit. This does make sense assuming the FBI used a method to brute force the password. On the iPhone 5C the user password is combined with a hardware key to decrypt the phone’s storage. Farook used a four digit numerical password, which means there were only 10,000 possible passwords. With such a small pool of possible passwords it would have been trivial to brute force the correct one. What stood in the way were two iOS security features. The first is a delay between entering passwords that increases with each incorrect password. The second is a feature that erases the decryption keys — which effectively renders all data stored on the phone useless — after 10 incorrect passwords have been entered.

On the 5C these features are implemented entirely in software. If an attacker can bypass the software and combine passwords with the hardware key they can try as many passwords as they want without any artificial delay and prevent the decryption keys from being erased. On the iPhone 5S, 6, and 6S the Secure Enclave coprocessor handles all cryptographic operations, including enforcing a delay between incorrect passwords. Although this is entirely speculation, I’m guessing the FBI found a way to bypass the software security features on Farook’s phone and the method wouldn’t work on any device utilizing Secure Enclave.

Even though Secure Enclave makes four digit numerical passwords safer they’re still dependent on outside security measures to protect against brute force attacks. I encourage everybody to set a complex password on their phone. On iPhones equipped with Touch ID this is a simple matter to do since you only have to enter your password after rebooting the phone or after not unlocking your phone for 48 hours. Besides those cases you can use your fingerprint to unlock the phone (just make sure you reboot the phone, which you can do at any time by holding the power and home buttons down for a few seconds, if you interact with law enforcement so they can’t force you to unlock the phone with your fingerprint). With a strong password brute force attacks become infeasible even if the software or hardware security enhancements are bypassed.
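A small model of the two protections described above, escalating delays and key erasure after 10 failures, together with the arithmetic behind choosing a longer passcode (an added example, not Apple’s code). The delay schedule, the 80 ms cost per guess and the PBKDF2 stand-in for entangling the passcode with a hardware key are assumptions; the device key and passcode are constructed.

```python
import hashlib
import hmac

# Assumed delay (seconds) imposed after the Nth consecutive failure.
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
MAX_FAILURES = 10          # the post's figure: keys are erased after 10 misses
SECONDS_PER_GUESS = 0.08   # assumed cost of one key derivation on the device

class PasscodeGate:
    """Attempt limiter guarding a key derived from passcode + device key."""

    def __init__(self, device_key, passcode):
        self._device_key = device_key
        self._verifier = self._derive(passcode)
        self.failures = 0
        self.now = 0             # simulated clock, in seconds
        self.locked_until = 0

    def _derive(self, passcode):
        # Stand-in for entangling the passcode with the hardware key.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self._device_key, 1000)

    def try_unlock(self, passcode):
        if self._verifier is None:
            return "wiped"
        if self.now < self.locked_until:
            return "wait"
        if hmac.compare_digest(self._derive(passcode), self._verifier):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._verifier = None        # key material erased for good
            return "wiped"
        self.locked_until = self.now + DELAYS.get(self.failures, 0)
        return "wrong"

def guess_until_stopped(gate, guesses):
    """Submit guesses in order, waiting out every delay on the simulated clock."""
    attempts = 0
    for guess in guesses:
        gate.now = max(gate.now, gate.locked_until)
        attempts += 1
        result = gate.try_unlock(guess)
        if result in ("unlocked", "wiped"):
            return result, attempts, gate.now
    return "exhausted", attempts, gate.now

def worst_case_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode when only the derivation cost remains."""
    return alphabet_size ** length * per_guess

if __name__ == "__main__":
    gate = PasscodeGate(b"constructed-device-key", "7391")   # constructed values
    print(guess_until_stopped(gate, (f"{n:04d}" for n in range(10000))))
    print(gate.try_unlock("7391"))   # the right passcode no longer helps
    for label, size, length in [("4 digits", 10, 4), ("6 digits", 10, 6),
                                ("6 lowercase+digits", 36, 6),
                                ("10 lowercase+digits", 36, 10)]:
        print(f"{label:20s} {worst_case_seconds(size, length) / 86400:,.2f} days")
```

With the limiter enforced, sequential guessing ends in a wipe on the tenth miss; with only the derivation cost left, the passcode’s length and alphabet are the whole defence.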

An Encrypted Society Is A Polite Society

Playing off of my post from earlier today, I feel that it’s time to update Heinlein’s famous phrase. Not only is an armed society a polite society but an encrypted society is a polite society.

This article in Vice discusses the importance of encryption to the Lesbian, Gay, Bisexual, and Transgender (LGBT) communities but it’s equally applicable to any oppressed segment of a society:

Despite advances over the last few decades, LGBTQ people, particularly transgender folks and people of color, face alarming rates of targeted violence, housing and job discrimination, school and workplace bullying, and mistreatment by law enforcement. In the majority of US states, for example, you can still be legally fired just for being gay.

So while anyone would be terrified about the thought of their phone in the hands of an abusive authority figure or a jealous ex-lover, the potential consequences of a data breach for many LGBTQ people could be far more severe.

[…]

LGBTQ people around the world depend on encryption every day to stay alive and to protect themselves from violence and discrimination, relying on the basic security features of their phones to prevent online bullies, stalkers, and others from prying into their personal lives and using their sexuality or gender identity against them.

In areas where being openly queer is dangerous, queer and trans people would be forced into near complete isolation without the ability to connect safely through apps, online forums, and other venues that are only kept safe and private by encryption technology.

These situations are not just theoretical. Terrifying real life examples abound, like the teacher who was targeted for being gay, and later fired, after his Dropbox account was hacked and a sex video was posted on his school’s website. Or the time a Russian gay dating app was breached, likely by the government, and tens of thousands of users received a message threatening them with arrest under the country’s anti-gay “propaganda” laws.

Systematic oppression requires information. In order to oppress a segment of the population an oppressor must be able to identify members of that segment. A good, albeit terrifying, example of this fact is Nazi Germany. The Nazis actually made heavy use of IBM counting machines to identify and track individuals they declared undesirable.

Today pervasive surveillance is used by state and non-state oppressors to identify those they wish to oppress. Pervasive surveillance is made possible by the lack of effective encryption use. Encryption allows individuals to maintain the integrity and confidentiality of information and can be used to anonymize information as well.

For example, without encryption it’s trivial for the State to identify transgender individuals. A simple unencrypted text message, e-mail, or Facebook message containing information that identifies an individual as transgender can either be read by an automated surveillance system or acquired through a court order. Once identified an agent or agents can be tasked with keeping tabs on that individual and waiting for them to perform an act that justifies law enforcement involvement. Say, for example, violating North Carolina’s idiotic bathroom law. After the violation occurs the law enforcement agents can be sent in to kidnap the individual so they can be made an example of, which would serve to send a message of terror to other transgender individuals.

When data is properly encrypted the effectiveness of surveillance is greatly diminished. That prevents oppressors from identifying targets, which prevents the oppressors from initiating interactions entirely. Manners are good when one may have to back up his acts with his life. Manners are better when one doesn’t have to enter into conflict in the first place.

Apple Gives The Feds Another Middle Finger



A lot of people are claiming Apple’s decision to fight the Federal Bureau of Investigation (FBI) is nothing more than a marketing play. But I swear that I can hear Tim Cook yelling, “Fuck the police!” because his company keeps making announcements that it’s going to make its products more secure:

WASHINGTON — Apple engineers have begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.

[…]

The company first raised the prospect of a security update last week in a phone call with reporters, who asked why the company would allow firmware — the software at the heart of the iPhone — to be modified without requiring a user password.

One senior executive, speaking on the condition of anonymity, replied that it was safe to bet that security would continue to improve. Separately, a person close to the company, who also spoke on the condition of anonymity, confirmed this week that Apple engineers had begun work on a solution even before the San Bernardino attack. A company spokeswoman declined to comment on what she called rumors and speculation.

Independent experts say they have held informal conversations with Apple engineers over the last week about the vulnerability. Exactly how Apple will address the issue is unclear. Security experts who have been studying Apple’s phone security say it is technically possible to fix.

In addition to senior executives talking about upcoming security enhancements, Apple has also added an interesting figure to its payroll:

Frederic Jacobs, for those who don’t know, was one of the developers of the iOS version of Signal, the secure messaging application created by Open Whisper Systems that I highly recommend.

It seems to me that Apple is doing more than marketing here. The company seems dedicated to offering a secure product to its customers. My greatest hope is that this encourages other companies to follow suit.

You Can’t Stop The Signal

What would happen if the United States government passed a bill mandating the inclusion of backdoors in cryptographic algorithms? Not much. The politicians in Washington DC, like many denizens of this nation, forget that there is an entire world outside of this nation’s borders. A recent report put together by actual security experts shows that any domestic laws hindering encryption will be futile because a lot of cryptography software comes from abroad:

An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.

The report, prepared by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials. Although the Obama administration is no longer asking Congress for legislation requiring them, it continues to lobby private industry to include ways law enforcement agencies can decrypt encrypted data sent or stored by criminal or terrorism suspects.

We’re told that mandatory backdoors are necessary to make the lives of law enforcers easier. But passing a law mandating backdoors in systems that utilize cryptography would only affect domestic companies. Most devices are manufactured outside of the United States. Any law mandating ineffective cryptography would only apply to domestic devices, which means the mandated backdoors would likely only be included in devices meant for sale in the United States. That means avoiding a purposely weakened device would be as simple as ordering it from a foreign reseller.

Most of the boogeymen the politicians point to to justify mandating backdoors are primarily based in foreign countries. The terrorist and sex trafficking organizations are already buying their communication equipment outside of the United States so they will be entirely unaffected by any new domestic laws. Furthermore, being criminal organizations, nothing will change for them since they’re already breaking numerous laws.

At most a mandatory backdoor law will put the denizens here, at least those dumb enough to continue buying domestic devices, at risk of being exploited by domestic and foreign governments as well as malware producers.

Freely Accessing Scientific Publications Behind A Paywall

On the one hand we’re told that pure science can only be performed under the “neutrality” of government funding while on the other hand we’re told the research we were forced to fund isn’t ours to access. Having to pay to access research papers that I was forced to fund has been a pet peeve of mine since college. Even though I enjoyed free access to most scientific papers in college the simple fact that I would lose that access as soon as I graduated really rubbed me the wrong way. Fortunately I’m not alone. A group of people have developed a service aimed at pirating scientific research papers:

Sci-Hub uses university networks to access subscription-only academic papers, generally without the knowledge of the academic institutions. When a user asks Sci-Hub to access a paid article, the service will download it from a university that subscribes to the database that owns it. As it delivers the user a pdf of the requested article, it also saves a copy on its own server, so that next time someone requests the paper, they can download the cached version.

Unsurprisingly, Elbakyan’s project has drawn the ire of publishers. Last year, Elsevier sued Sci-Hub and an associated website called Library Genesis for violating its copyright. The two websites “operate an international network of piracy and copyright infringement by circumventing legal and authorized means of access to the ScienceDirect database,” Elsevier’s lawyers wrote in a court filing, referring to the company’s subscription database.

[…]

But even if the new domain gets shut down, too, Sci-Hub will still be accessible on the dark web, a part of the Internet often associated with drugs, weapons, and child porn. Like its seedy dark-web neighbors, the Sci-Hub site is accessible only through Tor, a network of computers that passes web requests through a randomized series of servers in order to preserve visitors’ anonymity.

Sci-Hub can be accessed via the normal Internet here and via Tor here. That second link is important to have since Sci-Hub was already shut down once. While it’s feasible for the State to censor the normal Internet it’s not feasible for it to censor Tor hidden services since there is no centralized name server to threaten.

I don’t hide my opposition to intellectual property in all forms but I especially detest copyright applying to criminally funded research. A thief should make reparations to right the wrong they have caused so the only way to right the wrong of the State stealing money to fund favored researchers is to make the findings of their research freely available to everybody.