N.S.A. Foils Much Internet Encryption
Posted on 09/05/2013 12:14:05 PM PDT by Alter Kaker
Have your brother at least, install DoNotTrackMe from the FF apps.
I use cash everywhere, regardless of business size.
there is a solution.
of course, I won’t put it out without being able to properly monetize it
which is the sticky wicket
The only way I see to ensure privacy is to encrypt and decrypt on a separate, standalone computer that is never connected to the network.
Microsoft is one of the companies that has installed a back door into their vaunted ‘Bitlocker’ encryption protocol:
One of my recent (and now unused) passwords was FUBO01202017
It’d be a shame if that went totally wasted on some Democrat at the NSA.
Commercial encryption is already non-useful with regards to national level eavesdropping.
It’s not the specific communications that are necessarily vulnerable, it’s the exploits sold by international corporations to anyone who is willing to pay. The exploits allow access for further information gathering (such as key logger software).
Do you have a new printer? Do you have a new mouse? Do you have the most recent update of Acrobat? Exploits of drivers and productivity software are major business these days.
Guess who pays megabucks for these exploits? Every major intelligence organization.
However, criminal enterprises worry me most; and now my perception is that many overseas criminal enterprises work hand in hand with state sponsored cyber eavesdropping organizations.
Sorry to wax long winded. Just my reason for keeping as minimal an internet presence as possible.
Problem though is to remember all those characters.
Revolt is coming.
Soon it will all fail.
That is incorrect advice. It is MUCH more important that passwords are long, than it is to use random characters.
For example the password “Cat1-Dog2” is ~100 times harder to crack than “dF*$j)J4” just because it has one more character.
Each character you add makes the password 10-100 times harder to crack depending on what characters you use.
See here: https://www.grc.com/haystack.htm
I thought SSL used Diffie-Hellman key exchange, which is susceptible to a man-in-the-middle attack unless at least one party to the communication can send the other a “signed” copy of a hash of its random key, but would not allow for retrospective analysis—even by someone who had access to all of the information that parties to the communication would typically retain afterward (the parameters necessary to generate the per-session key are typically generated randomly at the start of a conversation and, along with the key, discarded afterward)
The problem is a dictionary attack will find something like cat1-dog2-texas or whatever combination of those in seconds. They can search trillions of combinations instantly. A shorter random one will have more entropy and often be harder to guess.
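A worked comparison of the two strength estimates argued over in the comments above, added here as an example (not code from any commenter or from the linked haystack page): a character-by-character brute-force count versus a mask attack that assumes the word+digit+separator+word+digit shape of “Cat1-Dog2”. The dictionary size of 50,000 words and the 33-symbol count (32 punctuation marks plus space) are assumptions.

```python
"""Two ways of counting guesses for the passwords debated in the thread:
"Cat1-Dog2" (long, structured) and "dF*$j)J4" (shorter, random)."""
import math
import string

SYMBOLS = string.punctuation + " "  # 33 symbols, as the haystack argument counts them

# Character classes a naive brute-force attacker assumes once he sees them used.
CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in SYMBOLS, len(SYMBOLS)),
)


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must search: every class present in the password."""
    return sum(n for test, n in CLASSES if any(test(c) for c in password))


def brute_force_guesses(password: str) -> int:
    """Guesses needed to exhaust all strings of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def pattern_guesses(words: int = 50_000, digits: int = 10, separators: int = 33) -> int:
    """Guesses for a mask attack assuming Word+digit+separator+Word+digit.
    Each word slot: dictionary word, either capitalisation, one digit."""
    word_slot = words * 2 * digits
    return word_slot * separators * word_slot


def bits(guesses: int) -> float:
    """Guess count expressed as bits of search effort."""
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ("Cat1-Dog2", "dF*$j)J4"):
        print(f"{pw!r}: brute force {bits(brute_force_guesses(pw)):.1f} bits")
    print(f"mask attack on 'Cat1-Dog2': {bits(pattern_guesses()):.1f} bits")
```

Against a per-character brute force the extra character does multiply the work by 95, but an attacker who guesses the structure needs fewer guesses for “Cat1-Dog2” than for the 8-character random string.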
IMO for online stuff using keepass is the best and just have 1 file that they’d have to get and remember one password for it. Use a separate keyfile for it if you want as well. It still might not help much against the NSA, but at least if someone hacks into say your PSN account they won’t have any leads to go after your Yahoo ones.
Even one time codes?
A major problem with one-time pads is that it's necessary to share an amount of key data equal to the amount of real data that is going to be exchanged, and unless both parties destroy their key data as they use it, capture of the key data held by either party will allow retrospective decoding of previously-captured transmissions. That having been said, improved flash densities would seem to make such an encryption approach (including the destruction of used key data) more practical than in years past.
I suspect the biggest weakness with many encryption protocols stems from a desire to have them be usable for establishing initial contact between strangers who have not previously exchanged other secret information. That requires both parties have a third party whom they can trust, and who is worthy of that trust.
Is the Navajo language still available?
This is a key part of this document, Null. I know we had our discussions earlier, but having just read this article, I believe this is game, set, match for anyone trying to secure their privacy online.
Short of going completely "dark," folks, you cannot conduct any private business electronically anymore.
It's over. Pack it up and hit the trail.
In the comments to the article at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html, Bruce Schneier, the creator of Blowfish and codesigner of Twofish, said in response to a comment:
Commenter: “On the crypto bits in your guardian piece, I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that.”
Bruce: I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
In other words, ECC is probably compromised.
You could just use an ARM chip to make a secure crypto box...ez-pz
Raspberry Pi and an Altoids tin.....
it is pfwhhy ekdy to wfjre a mdsdwge tgwt a cuhkydwr hws a hewd tjee rwafikg bit pkjefe chn fujefe ogt.
Yup, the Pi might work.
You could write a small secure OS for the Pi and use it as the link to the web. It would be mighty hard to compromise a Pi with a secure OS :-)
Broadcom made the SOC for the Pi; it’s not an open SOC and you have to sign a non-disclosure to get the nitty-gritty on it.
Perhaps a small and cheap secure computer built with the guts all inside an FPGA would be better still.
No, just build a dedicated encryption/decryption box, not connected to the net. Sneakernet the messages between the 2 for encryption / decryption. The net never touches the encryption box so keys can’t be discovered, short of physical access to the box.
There is the point that it is better known not than previously.
The Japanese were of two minds about their intercepts of the Navajo: Some thought it was a language, others thought it wasn’t and was just random gibberish designed to mislead.
I agree. NSA and others will generally not know your dog’s name, cousin’s name, or reading habits in order to exploit those in an attack. Their computers will just keep grinding away, dumb but hard working.
Feynman told a story of how he cracked a co-worker’s safe because the co-worker used the first digits of “e” backwards as his combo. He had tried pi, pi backwards, e and e backwards while waiting in the guy’s office. Left him a note in his safe that those were not good combos to choose.
Feynman doesn’t work at the NSA breaking your codes.
Ever heard of Google®?
Steganography must still be a huge problem ...
So is blatant!
‘Twas brillig in the mimsywabe, and...
Not really. I store mine in PASSWORDS.txt
I leave all my secret messages just sitting on the desk.
I store mine in an encrypted Excel worksheet. Excel is AES protected, so even if someone copied it, they would have their work cut out for them reading it.
Back in the old days, we sent our secret stuff by teletype to Langley.
We had a one-time roll of random(?) stuff on one tape, and our data on another. We exclusive-ORed the two tapes together and sent the message.
Back at headquarters they had the same tape as we did.
When they received our encrypted data, they exclusive-ORed their tape against it, and the clear data then reappeared.
I know that we destroyed our encryption tape, and assume they did the same at their end.
In this S3ntAnc3 which word is my password?
Design a filter to capture passwords out of bit stream....
Require passwords to be a certain way.
Safes are easier to crack, since the numbers are a bit sloppy in execution. The mechanical precision allows one to merely get close to the number needed.
Are you aware of public key encryption? Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.
The Venona decrypts were the result of “sometime” (as opposed to one-time) pads used by the Soviet Embassy in Washington. Soviet “sometime” pads consisted of books containing pages and pages of keys. Ideally, every page was unique and random. Under wartime production pressure, some pages were simply copies of pages in other books. American cryptographers noticed unlikely “collisions” (coincidences) in the headings of certain messages, and were able to deduce that the same “one time” pad had been used to “encrypt” the two or more messages. With this realization, it was apparent that searching for further coincidences would bear fruit, which, indeed, it did.
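A worked illustration, added here and not taken from any comment above, of the XOR-tape scheme described in the teletype comments and of the pad-reuse failure behind Venona. The two messages and their fixed heading format are constructed for the example.

```python
"""One-time pad as XOR of a data tape with a key tape, and what leaks when
the same pad page is used twice. Sample messages are constructed."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the 'exclusive-OR of two tapes')."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(length: int) -> bytes:
    """A fresh pad: one cryptographically random byte per plaintext byte."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse


def pad_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """Same pad on both messages: c1 ^ c2 == p1 ^ p2, the key cancels out.
    Zero bytes mark positions where the two plaintexts coincide (the
    'collisions' in message headings that gave Venona its start)."""
    return xor_bytes(c1, c2)


def known_heading_leak(residue: bytes, known_heading: bytes) -> bytes:
    """If one message's heading follows a known format, XOR against the
    residue yields the other message's bytes at those positions."""
    n = len(known_heading)
    return xor_bytes(residue[:n], known_heading)


def demo():
    p1 = b"MSG 0412 TO CENTER: courier arrives tuesday"   # constructed
    p2 = b"MSG 0413 TO CENTER: funds received, thanks "   # constructed
    pad = make_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)  # pad page reused
    residue = pad_reuse_residue(c1, c2)
    leaked = known_heading_leak(residue, b"MSG 0412 TO CENTER: ")
    return otp_decrypt(c1, pad), residue, leaked
```

With a pad used exactly once and destroyed afterwards, the residue cannot be formed at all, which is the property the teletype procedure above relied on.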
'When I use a word,' Humpty Dumpty said, in a rather scornful tone,
' it means just what I choose it to mean, neither more nor less.'
'The question is,' said Alice, 'whether you can make words mean so many different things.'
'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
The Ministry of Truth, Winston's place of work, contained, it was said, three thousand rooms above ground level, and corresponding ramifications below.
It costs $85.
There are some silver linings, but honestly, for a bulk of “secure” Internet traffic, they know.
Buy a copy of Matt Bracken’s latest book Castigo Cay on Amazon? They know.
Buy a few crates of milsurp ammo on CTD? They know.
Buying survival supplies from Cabelas? They know.
It was revealed a month or so ago that they were very obviously collecting unsecured Internet traffic (i.e. FreeRepublic), but now the cat’s out of the bag and the revelation is that they’re collecting all traffic, regardless of security, and are able to decrypt it thanks to back doors peppered into the protocols.
We could all go the route of symmetric cryptography vs. PKI, but I don’t think it’ll make a lick of difference any more. They’re likely recruiting mathematical mensches straight out of college to put them to work on algorithmic decryption across the board.
Some idiot was saying, “Oh, well at least it’s the ‘good guys’ with the keys and not someone like China or Iran.”
Really? People have zero concept of liberty. There will come a time, very soon I believe, when we will be unable to live from when we wake to when we bed without our every breath being surveilled, watched, monitored, cataloged, and databased. “Going dark” will literally mean nothing.
Unless you completely eschew technology in all of its forms, they’ll have a way to watch you. No phones, no television, no computers. Hell, you can’t even read books without either buying them, which is tracked, or borrowing them from a library, which is tracked. There’s almost nothing in our day-to-day lives that can’t be monitored. I would challenge anyone to come up with an activity that can’t be directly monitored by some government agency.