Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

September 05 2013

N.S.A. Foils Much Internet Encryption - NYTimes.com

N.S.A. Foils Much Internet Encryption - NYTimes.com
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all

#NSA documents show that the agency maintains an internal database of #encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of #Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

August 10 2013

De-Anonymizing Alt.Anonymous.Messages - ritter.vg

De-Anonymizing Alt.Anonymous.Messages - ritter.vg

http://ritter.vg/blog-deanonymizing_amm.html

For the past four years I’ve been working on a project to analyze Alt.Anonymous.Messages, and it was finally getting to a point where I thought I should show my work. I just finished presenting it at Defcon, and because a lot of the people I know are interested in this were not able to make it, I’m making the slides, and more importantly the speaker notes, available for download. This kind of kills the chance anyone will actually watch the video, but that’s all right.

The slides cover the information-theoretic differences between SSL, Onion Routing, Mix Networks, and Shared Mailboxes. It talks about the size of the dataset I analyzed, and some broad percentages of the types of messages in it (PGP vs Non-PGP, Remailed vs Non-Remailed). Then I go into a large analysis of the types of PGP-encrypted messages there are. Messages encrypted to public keys, to passwords and passphrases, and PGP messages not encrypted at all!

http://defcon.org/html/defcon-21/dc-21-speakers.html#Ritter

In recent years, new encryption programs like Tor, RedPhone, TextSecure, Cryptocat, and others have taken the spotlight - but the old guard of remailers and shared inboxes are still around. Alt.Anonymous.Messages is a stream of thousands of anonymous, encrypted messages, seemingly opaque to investigators. For the truly paranoid, there is no communication system that has better anonymity - providing features and resisting traffic analysis in ways that Tor does not. Or so is believed. After collecting as many back messages as possible and archiving new postings daily for four years, several types of analysis on the contents of alt.anonymous.messages will be presented and several ways to break sender and receiver anonymity explained. Messages will be directly and statistically correlated, communication graphs drawn, and we’ll talk about what challenges the next generation of remailers and nymservs face, and how they should be designed.

http://ritter.vg/p/AAM-defcon13.pdf

But what I keep coming back to is the fact that we have no anonymity network that is high bandwidth, high latency. We have no anonymity network that would have let someone securely share the Collateral Murder video, without Wikileaks being their proxy. You can’t take a video of corruption or police brutality, and post it anonymously.
Now I hear you arguing with me in your heads: Use Tor and upload it to Youtube. No, youtube will take it down. Use Tor and upload it to MEGA, or some site that will fight fradulent takedown notices. Okay, but now you’re relying on the good graces of some third party. A third party that is known to host the video, and can be sued. Wikileaks was the last organization that was willing to take on that legal fight, and now they are no longer in the business of hosting content for normal people.
And you can say Hidden Service and I’ll point to size-based traffic analysis and confirmation attacks that come with a low-latency network, never mind Ralf-Phillip Weinmen’s amazing work the other month that really killed Hidden Services. We can go on and on like this, but I hope you’ll at least concede the point that what you are coming up with are work-arounds for a problem that we lack a good solution to.

#remailer #anonymity #encryption #defcon #tor #wikileaks #hiddenservice

July 17 2013

Four short links: 18 July 2013

  1. Ten Rules of the Internet (Anil Dash) — they’re all candidates for becoming “Dash’s Law”. I like this one the most: When a company or industry is facing changes to its business due to technology, it will argue against the need for change based on the moral importance of its work, rather than trying to understand the social underpinnings.
  2. Data Storage by Vertical (Quartz) — The US alone is home to 898 exabytes (1 EB = 1 billion gigabytes)—nearly a third of the global total. By contrast, Western Europe has 19% and China has 13%. Legally, much of that data itself is property of the consumers or companies who generate it, and licensed to companies that are responsible for it. And in the US—a digital universe of 898 exabytes (1 EB = 1 billion gigabytes)—companies have some kind of liability or responsibility for 77% of all that data.
  3. x-OSCa wireless I/O board that provides just about any software with access to 32 high-performance analogue/digital channels via OSC messages over WiFi. There is no user programmable firmware and no software or drivers to install making x-OSC immediately compatible with any WiFi-enabled platform. All internal settings can be adjusted using any web browser.
  4. Google Experimenting with Encrypting Google Drive (CNet) — If that’s the case, a government agency serving a search warrant or subpoena on Google would be unable to obtain the unencrypted plain text of customer files. But the government might be able to convince a judge to grant a wiretap order, forcing Google to intercept and divulge the user’s login information the next time the user types it in. Advertising depends on the service provider being able to read your data. Either your Drive’s contents aren’t valuable to Google advertising, or it won’t be a host-resistant encryption process.

October 26 2011

02mydafsoup-01

September 02 2011

02mydafsoup-01

January 17 2010

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!

Schweinderl