Encrypted Message Passing In The Clear

This posting is unlikely to be very interesting to most folks. It will, if it works correctly, have “nothing happen”.

It is a test of passing an encrypted message “in the clear” using a public file store visible to all. Even the recipient does not know the password I used to encrypt the file. I’m going to use a descriptive phrase that he ought to understand and be able to make the password from it (while others can not due to a ‘shared secret’ – something we know but anyone not at the dinner would not know. Though in this case I’m using one that other folks who know the folks involved could likely guess. In an actually important use, I’d choose a harder to guess shared secret).

So the first test will just be “Can the file be uploaded and downloaded” without corruption?

The second test is “Can the intended recipient decode it?”

The final step is “Are others blocked?”

Also, in a real test, the encryption method would not be public, so that would be an added hurdle.

With this case, I’ve encrypted the container as a very small file system (FAT) using TrueCrypt. It can be downloaded here:

http://www.truecrypt.org/downloads

The file is a .pdf file qualifier, but not actually a pdf file.

TestCase

So in FireFox, it tries to open as a PDF and complains that it doesn’t start with %PDF, but then let me save it anyway. At that point, I mounted it with TrueCrypt and opened the container to find my text file inside. It ought to be 300 kB (the minimum size for a FAT file system).

Now the fun bit. In theory, only P.G., me, and our spouses can figure out the password from this clear text “Coded Message”:

P.G., the password is the name of the dish we ordered twice at dinner. No spaces, just the letters. Each word capitalized.

(In a real case, such things as how spaces and capitals are handled would be a previously shared secret or left for the recipient to get by trial and error. As P.G. has no idea I’m doing this, I’m giving excessive clues ;-)

Why P.G.? Well, we have recently had dinner together so there is something we share. If I picked, say, Simon, we don’t have a shared experience base from which to pick a shared secret. Kind of limits my options on who to pick. In real circumstances, one would presumably have more shared life experience with folks important to you and could pick more private means of key sharing. Hopefully P.G. will take the challenge and see if the process works ;-)

If anyone wants to try “cracking the container” feel free (but I think it is likely to be hard, even with a dictionary attack it would take a while as I think you would need to write code to do the TrueCrypt key entry – typing them all by hand would be way slow…)

In Conclusion

So here is an example of a semi-secure communication “in the clear”. It ought to allow a bit of communications to happen with folks watching, but unable to read it, at least not without some good crypto-breaking tools. I also used a relatively weak password and gave enough clues that it could be cracked by a brute force attack. Again, in a real case one could use things like a public / private key set ala PGP or other encryptions.

The other major exposures to this method are that I created it on a PC connected to the internet. A key logger or screen scraper on the machine would make the rest pointless. In a real use, the content creation and file encryption would be done on a dedicated isolated machine and moved via something like a burned CD ( so no USB based dongle malware could crawl into the generating machine. NO read/write media goes into it…)

Finally, as I’ve stated who is to do the download / test, and as “TLAs” could simply monitor WordPress or ask for access records, “contact tracing” can be done on this transfer. Folks would know who talked to whom. In a real case, I could make a “disposable identity” for the upload and the recipient would be left anonymous. They would then do the download at a public place (like a Starbucks parking lot) with a dedicated / disposable machine and remain relatively unknown.

Using systems like Tor and Freenet make even that circumlocution optional as they hide the contact trace information anyway. For actual paranoia needs, one would use Tor from the Starbucks parking lot on a disposable machine with a disposable dongle (or writable MAC address). Realize that the anonymizing networks include tools to do private communications and file passing so this circumlocution of file transfer via a public site is theoretically not needed. I’m doing it partly just to demonstrate how you can choose to not completely trust that downloaded software. Sometimes you want belt, and suspenders, and hold the pants up too ;-)

So, in theory at least, this is an example of how to do a private encrypted message passing, including “key exchange” via a “shared secret” in a visible and public system. It is the lowest level of security. All added layers go up from here. It isn’t really any more secure (due to the contact trace being open) than sending the file as an email attachment. I’m doing it here as it IS possible to hide some of the contact trace information using things like the Tor Browser; so can generalize a bit more than email.

https://www.torproject.org/download/download.html.en

At that point the “putting up” of the file is visible, but who downloads it is hidden. Using a bogus ID to create the upload and using Tor to do it would also hide the origination. Oh, and WordPress lets you make private pages that take a password to open, so you could even password protect the download. While that would not stop TLAs, it would prevent random Looky Lous..

FWIW, TrueCrypt looks to be pretty solid and very hard to crack. At least one Agency brought suit to get someone to divulge their key (and they lost the case in this jurisdiction). IMHO that indicates they couldn’t get it cracked. It is possible that the US National TLAs could crack it if they cared to devote enough hardware and time, but if you are worried about that level, then you need to be putting encrypted files inside the encrypted disk and not showing up on folks radar anyway. ( Some “Security by Obscurity” can help…)

So why am I doing this? Partly because as an old Unix Systems Admin I’ve spent decades doing “protect the data” and need to keep some skills up and have the historical interest. Partly it is just cussedness at the way the Police of all nations are starting to “confiscate computers first” and ask questions later. So my stuff is living in encrypted containers now just to keep them busy if they DO decide I ought to have a “Tallbloke and the Constable” moment. Since those constables whacked someone just for being contacted by a random on his blog, I have to assume I could be at the same risk. Better prepared and not needing it than watching my laptop go out the door and wondering what happened. As to where MY encrypted containers might live in The Cloud: “That would be telling.” ;-)

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits and tagged , , . Bookmark the permalink.

32 Responses to Encrypted Message Passing In The Clear

  1. p.g.sharrow says:

    @EMSmith; I have truecrypt installed but I am having trouble getting the file and container to work. Password is no problem. As I have been up too many hours I need a nap and will return to the task in the morning. pg

  2. Chuckles says:

    You just can’t get the staff these days, can you?

    E.M., following on from you last sentence, legalistically, one might argue at some length whether virtual data that exists in virtual files in a virtual file system in a virtual cloud on virtual computers, exists at all?

    And what would they stipulate as the ‘location’ or the ‘premises to be searched’ or ‘goods to be seized’?

    Authorities might also claim that it is real and incriminating data, I might claim that it is a subsection of the infinite length digits of pi. Who is correct?

    :)

  3. Tony Hansen says:

    I was wondering just what the defition of ‘dish’ might be?
    I know some who still fondly cling to the notion that a meat pie and a six-pack is a seven course meal (and might argue that a ‘ColdBeer’ must therefore be, by definition, a”dish”).

  4. Pingback: Daily Linkage – July 15, 2012 | The Second Estate

  5. E.M.Smith says:

    @P.G.:

    If you got a saved file of 300 kB or so it is likely correct. Then in TrueCrypt, you have to pick a dive letter to mount on (like, oh, P: for “PO’ed” ;-) Then you “select” the file (from whereever you saved it, such as “downloads” or “desktop”). At that point click the “mount” button and answer the prompt for the password.

    At that point the P: drive ought to be mounted and with MS File Explorer (or whatever they call their Finder or file window) you ought to see a Text document and preview with the text visible if previews are set on for you.

    @All: In a day or two I’ll post the password so all of you can join in the fun…

    @Chuckles:

    In fact, in TrueCrypt, they have the neat feature of one level of steganographic hiding. So your file (or bit bucket or container) can have one password that shows things in the outer encrypted area (like “My Secret Cookie Recipe”) and a different password that gets into the really hidden part (like “My Magic Cookie Ingredient Location”). It is not possible to know if there is, or is not, the second level; so you can simply say “I gave them the password and they found my cookie recipe” and it isn’t possible to prove anything else existed…

    Some systems have up to 8 or 9 levels of stego… so you can even be forced to give your “secret key” and not have the real good stuff show up (but the amount of storage it takes grows quite large). I’m comfortable with the TrueCrypt limit of 2 levels. (Heck, don’t think I could keep 7 passwords straight for one file anyway…)

    BTW, one of the “mind games” of security is to name things such that they become problematic to even talk about. So a hidden archive can be named “deleted files”… “Your honor, we demanded that he give the key to the ‘deleted files’ files.” response: “There are no keys for deleted files, they are gone.”… Or “His files were stored in ’empty space'” or “His files were stored in ‘lost in virtual space’ and he refused to provide the key”.

    Puckish sorts can name things like “police brutality” as in “We demanded the key to ‘police brutality’ but he refused”. Response: “Why would I agree to Police Brutality?” Or even just “What did you do with the files?” Response: “I put them in ‘The Recycle Bin’ “….

    The other fun thing to do is put a variety of non-printing characters into a name or password. “So the files were in “Oh-[blank]-you” were they not?”…. “I BEG your pardon!”… and ever try to write out a copy of “Tab-blank-blank-backspace-cr”? Like using iIlL in various combinations wtih oO0 and the odd 7 L 2 Z 5 3 together… When typing a password I’ll sometimes put in a few random shift keys while not actually typing letters. Folks counting key hits then get more “clicks” than letters observed and start to doubt themselves. The odd backspace can be fun to use too…

    So wrap all that around an encrypted stego canister sitting in cyberspace and it gets kind of hard to say what’s what. The Freenet folks https://freenetproject.org/ even go so far as to have the “payment” for their product be use of some of your disk space. Everyone has their “stuff” scattered in encrypted bits on the “collective space”. (with redundancy if I read it right). So even having machines come and go doesn’t erase ‘your stuff’ and capturing any given machines doesn’t let them see the stuff either…) Oddly, I had separately thought of that ‘feature’ of a distributed redundant store with heavy CRC… A giant ‘RAID’ in distribution.

    At some point I’ll try adding a node to Freenet, but for now I’m just reading about it. In that case, I’d put my encrypted canister inside their encrypted pipes and encrypted redundant diffused storage. Now just try to show that something is “there”…. where ever “there” is… and whatever “something” might be…

    At any rate, that’s the kind of thing I’m building. One step at a time.

    Oh, and one other fun thing to do: Make bits of storage that are filled with “crap”. Then encrypt them. Someone who gets inside of it gets “crap”…

    I’d regularly take disks I was leaving and delete my files. Then make a new file into which I would put many copies of M.S. software… (usually repeating a few times). Then that ‘fill’ is deleted. This ends up with all of the ‘free list’ of blocks full of fragments of M.S. Software. Now attempts to recover data from the free list gets results that look like someone did it wrong ;-) I’ve also been known to put up large files, encrypted, that have as their only content the decryption key… “Dohh!”… “Congratulations! After thousands of hours cracking, you have found the encryption key! It is ‘Foo-Bar’. Don’t you just feel proud of that?!”

    So then someone gets to show that any real ‘bag of bits’ isn’t also just a garbage collection dredge that you encrypted…

    Sometimes I miss the security business…

    @Tony Hansen:

    Well, if you have a date, then the six pack and entree can become an 8 course dish… or 7 course meal and a dish… or something…

  6. jim says:

    I’m thinking that if you used Freenet that you could be charged with obstruction of “justice.” But IANAL.

  7. Pascvaks says:

    Not up to the game but this occured to me, and some others of my ‘limited’ to ‘non-existant’ decryption ability might care to take this track as well, say for the sake of chit-chat while the spooks of programming do their thing–
    Locks are for Average Everyday People (and their kids;-): Your front door (or car door, etc.) lock will probably only keep out a drunken neighbor or ding-bat stranger at Wal-Mart, not a Pro (or Semi-Pro, or someone that want’s your laptop et al in the backseat). In a nutshell: Locks are for Honest Average Everyday People.
    BIG LOCKS are for Bad People and for safeguarding valuables like $$$$, diamonds, gold, photographs, trade-industrial-state-national-other secrets. Who people think you are is not a secret, at least to them. If you’re a computer wiz, or say a genius with his own blog who talks about everything and anything, it’s very likely you don’t have much in your ‘secure’ lock boxes to worry about. If you’re also a rather big mouth anti-government blogger you just might get on someone’s radar at “Big Sis and DHS, Inc.” since they’re rather paranoid of Americans; and, if etc. etc. you potentially have something, or know something, that you’ve put in a computer, or may have, the real spooks will probably think it’s cheaper to waste, delete, zap you and take your computer. War is hell!
    OK! Let’s boil down the issue to the basic questions of “Why do we put locks on our doors?” and “Are we really any safer when the door is locked?”

    PS: Not to take this to the next level, but it did occure to me just now: “Why do people buy pistols and rifles for security?” and “Are these people any safer?”

  8. EM – you happened to have mentioned the password earlier. Look at https://chiefio.wordpress.com/2012/06/26/wip-on-first-differences/#comment-37308 for the detail. You didn’t say you’d ordered it twice, though, so it was a lucky guess.

    Oh well, I’ve now got TrueCrypt installed, and might even use it. It may be useful to send files to Bob if we can find a password that I don’t have to spell out.

  9. Paul Hanlon says:

    Great find, Simon!!. I was thinking I’m sure he mentioned something about eating with PG in another thread. Now, are the first letters capitalised or not? That might have a bearing on the decryption.

  10. j ferguson says:

    hard pressed to come up with the password? Duck Soup.

  11. p.g.sharrow says:

    @EMSmih;After 2 more hours I have to give up for now. Not sure what I am doing wrong. I seem to be creating and mounting the “drive” and putting the file inside. But notepad just sees a machine code file. There is the possibility that our rendition of the password is not the same. I tried several, Paul is correct. But, that is not the correct name. Too much fun for me at this time, as I have other chores to do. That Almond Pressed Duck was good. :-) pg

  12. pg – if you can see the file you’re there. I opened it in Gedit, and it was fine. You may have to open it in a hex editor rather than Notepad, which is a bit unforgiving of file formats.

  13. pg – volume name truecrypt1, file name Test Message.txt. I’ve just checked and it seems to be in Windoze format so should be OK with Notepad.

  14. adolfogiurfa says:

    @E.M.: You are dealing with a very interesting issue. It is a known fact, for example, that a very educated, cool and refined by consensus science individual, won´t even understand anything which coud be described as “common sense” (such and encryption we, commoners, understandt from the moment of birth)..LOL.
    This phenomenon not only happens this way but it has been used since ancient times by cultures of the past which have succesfully “encrypted” knowledge not only not be seen but usually rejected or totally misinterpreted by such “intelligent” minds. Examples of these are all traditional symbols and documents.

  15. tckev says:

    E.M.
    I’ve always toyed with the idea of the password being hidden in plain sight.
    An image, or part of it, is the key. For instance the image at the top of the page.
    Pixel dimensions: 940 x 198
    Resolution: 72 x 72 ppi
    File size: 60,696 bytes
    Number of pixels: 186120
    Hashes –
    md5sum:282b9e255548286a5cb517c73752f549
    SHA1:43916d5173eeff812ffdbf8ead64578db031a554
    SHA256:db29bf454212678e5897fe67120c95ac33365478cd252becfdd3699b0617e178
    From this basic information software uses a formula of these parameters and that generates the password.

    Just a thought.

  16. p.g.sharrow says:

    Sorry guys I keep getting a pdf in the volume and it “reads” as a code file. If Simon can make it work from the information given, it must be must be my bad. ?????????????? Not sure what I am doing wrong. But I am dyslexic, must have something backwards or upside down. ;-( pg

  17. pg – open TrueCrypt. Select the first disk slot available – in my case was 1. Select the file testcase.pdf as the file to open into that volume – click on “select file” then navigate to where you put the file. Click on Mount. Key in the password with capitals starting both words and no space between them. Since I’m using Linux it also asks me for the system password. In slot 1 (maybe E in Windoze) you now have …../testcase.pdf, so double-click on it to open this encrypted volume. The file is the only thing in that volume, so double-click on that as well. Notice EM got the password wrong in the text file – he left a space in it. I hope this helps.

  18. p.g.sharrow says:

    Ah! finally success.
    “This is a test message.

    It is inside an encrypted container.

    The password to the container is “XXXXXXXXXXX”; but you must know that by now as you have opened the box ;-)”

    After Many hours of mistakenly using the wrong password, Poor communication, Simon pointed to my mistake.
    Thank you Simon! pg

  19. pg – you sort of implied you were using three words not two, so a hint seemed in order. I’m glad you got there. If EM hadn’t talked so much earlier I would have been totally stumped on opening it too – capitalise it wrong and it doesn’t work. The system may well be of use to me in putting files up in plain sight yet keeping them private – if only I can get the password to people who need to know yet stop others. tckev’s idea of using the parameters from a picture seems a pretty nice sneaky idea, too, but needs the receiving person to be at least a bit geeky.

  20. BobN says:

    Hi all – this is a most interesting subject and worthy of a lot of discussion. It seems like everything is getting hacked these days, especially out of China and Russia. Before everyone starts Encrypting and sending messages into or out of the US be aware there are some serious penalties and restrictions on encryption. I’m not sure of the rules, but be careful about any transactions, big sis may be upset!

    If anyone knows the law it would be great to post.

  21. adolfogiurfa says:

    Just use a wise conversation which it would be impossible to understand by those who consider themselves more “intelligent” than you. They do not know their circuitry, is able only to receive VLF transmmisions while ours are UHF.

  22. p.g.sharrow says:

    @Simon;”but needs the receiving person to be at least a bit geeky.”
    The exact problem.
    While I use computers as tools, and have for over 30 years I am not a “geek”. It took several mount and dismounts to get the program to work and then I “knew” too much and got the password wrong. At times instruction is in order first before testing.
    More important this exercise/post was for concept testing so we all learned from it as to the needed parts to make the idea work. A beginning, not the end. pg

  23. Pascvaks says:

    I’m surprised, I actually thought it was going to take a little longer; indeed, I’m actually surprised anyone other than PG got it at all;-)

    PS: The next knock on your door may be two guys dressed in black suits and wearing dark sunglasses and holding what looks like a little flashlight that they shine in your eyes. I hope you remember, but you probably won’t;-)

  24. Pascvaks says:

    PPS: After I hit “Enter” I thought… wait a minute! EM hasn’t officially said anything yet, the clock is still running.. please consider what I said above as premature, I’ll call NSA and tell them to hold off on the Men in Black a little while longer;-)

  25. Don’t you point that flashy thing at me!

  26. adolfogiurfa says:

    @Simon: That´s all what they have: TOYS to play their silly “hide and find” game. When the time comes kids end crying for mommy and daddy….

  27. Incidentally, I feel it is somewhat dangerous storing your information in the cloud, even in encrypted containers/files. In the same way as the anonymiser networks, it’s reliant upon everyone doing their job correctly and being honest, when it’s precisely because you don’t trust them to be honest and reliable that you want to do such things in the first place.

    For me, having my own data under my watchful eye is better. I know when it’s backed up, and can store backup disks elsewhere in case of fire etc.. Disseminatiing the important stuff to friends is also a good tactic – my important stuff is now in 3 countries (some in a 4th), and what I have here is the data I downloaded in order to think it up.

    Losing everything here would be a pain in the butt but not a calamity. Losing access to the cloud, if that’s where your data is, would be a problem (let’s say you stop renting Windoze8, so all access to the net is stopped). If the cloud loses your data, who do you go to in order to get it back?

  28. adolfogiurfa says:

    BTW: Is it true that your GOVERNMENT invented the INTERNET, as I heard today somebody saying it….was it not “Al Baby”?

  29. Adolfo – It was Tim Berners-Lee, but I don’t think he had anything to do with any government. Try http://www.ibiblio.org/pioneers/lee.html for something that looks about right. Can’t trust anything anyone writes, really…. I remember installing Mosaic and going on the net somewhere in ’93 or so and finding the amazing libraries online, but that really must have been a bit later on – I can’t even trust what I remember, especially dates.

  30. E.M.Smith says:

    @Pascvaks:

    Tyranny ought to be resisted, especially by those with nothing to hide.

    As Tallbloke was denied access to his property (computer) and information on it for an indeterminate period of time and only because he was contacted by a “random” who was doing something “power” did not like; I have to find a way to assure ongoing possession of my “data” even if there isn’t much of interest in it to anyone but me AND in a form that can rapidly be moved to any other platform. At the same time, I don’t want the container of it to be visible to everyone wandering past some public drop box… They may not care that I wrote crappy poetry, but I might care about their comments ;-)

    Yes, folks who own guns are safer. Large body of statistics…

    @All:

    The comments show much more fun happening than I’d expected. Some comments:

    I knew that the password version INSIDE the box was not the same as the actual password. “This behaviour is by design” ( to quote a Microsoft Support page about a bug I was looking up once…) Just a little ‘tail tweak’ in case someone posted the text but didn’t explain it or notice…

    I also knew I’d posted a comment with the key phrase in it (part of why I hinted so much). Wasn’t sure if it was “enough” for folks to work it out, but kind of hoped… The point to illustrate is that a “code” is not crackable, but a “code book” can be stolen or leaked. So when passing a password as a code, it is very important to assure the ‘code book’ is a secret. FWIW, in the real world I’d have used a much different method.

    One very common method is to have a pre-agreed book. Often the Bible. Then you can just sent a set of numbers that is the “key lookup”. For example: 3:1:12:7 Third Book, First Chapter, 12th Sentence, 7th word. You can also have a prior agreement that, for example, only the first 4 letters of any given word will be used, or that the same NUMBER of words will be used as match the number of the book (or dozens of other variations). As long as the particular book is a secret, the method is damn near unbreakable. (So have a common dictionary, a couple of popular books, a Bible or Koran or…, and a travel guide or cookbook. You could even have a different number for each of them.) This can even generalize to, for example, “I will use the newspaper of your home town on the day sent”…

    There are a whole bunch of password passing schemes. Sadly, most of them have been rendered obsolete by Public Key Encryption. (Guess what the next article in this series will be about ;-) In public key encryption I publish 1/2 of a ‘key pair’. You can encrypt anything with my “public key” and I’m the only person who can decrypt it. No private key passing needed… (but where is the fun in that? ;-)

    At any rate, I was hoping to get a couple of more folks to try installing Truecrypt and play with it, and it looks like that did happen.

    @BobN:

    I had to deal with this in the ’90s as our Cray was considered a “munition” as it could do massive decryption. ( They even built in a particular low level instruction just to do population counts for code breaking…)

    Generally (though it does vary by country) the US didn’t care if you exported an encrypted data block; but if you exported embargoed encryption or decryption technology or code you got to visit Club Fed. I had some folks employed by Apple in foreign countries where I could not let them have a login on the Cray as use of it from their country would amount to Export Of A Munition and I’d go to the pokey.

    Much of that has changed now as so many bits of encryption are in the public domain. So I can say “use this code” and you can fetch it from a site legal for you, and I’m pretty much not doing any “export”.

    The legal theory on keys has been that you can be ‘compelled to divulge the key’, so if the government didn’t like you sending an encrypted message, they would lean on you for the key and you were legally compelled to cough it up. In at least one jurisdiction (IIRC it was California) that has been overturned as self incrimination. In foreign countries YMMV and at the National Defense level it will not apply (due to various evil laws per “terrorism”). But, frankly, I’d find it a bit fun to be “compelled” to cough up my key and then watch them get frosted at discovering my “secret file” had my canonical collection of chocolate cookie recipes ;-)

    “But I told you you had the wrong guy… can I have my cookie recipes back now?”

    (And I’d LOVE to hear the transcript of the ‘interrogation’ read in court ;-)

    The innocent can be much more brave than the guilty…

    @P.G. Sharrow:

    That you got it all correct OTHER than the password says that you were plenty geeky enough!

    That the “open code” was too obscure mostly just means we don’t know each other all that well. You knew the full name of The Dish and I only knew it by the final two words. PressedDuck. In a real case, you would have said some code words for ‘failed to get it’ (and we’d have already shown familiarity with the tools so that would not be part of the problem set.) so you might have said “I don’t understand you.” as code for ‘try again’ and I’d have done a new encryption with a new password (perhaps something like “The Latin for the plant we collected together” or “the common name for it that I can’t pronounce well”)

    That kind of problem isn’t “geeky” issues but “shared code book” issues.

    @Tckev:

    All sorts of things can be password generators. The “key” is to have something that isn’t too obviously ‘guessable’ and to keep the “code book” secret. Guessing “method” is one of the standards for an attack on such things, so keeping the actual method used a secret is rather important.

    Code Books can be custom made (and in fact you could make one out of all sorts of things, put it on two “chips” on two USB drives, and each person takes one) and shared. Then as long as the book is not captured, you have pretty good shared secrets. All it takes is an agreement to the exchange and a brief exchange process (which can be silent). Heck, you can even put it in a box (say the check in locker at Disneyland – IIRC it uses a combination) then call the other person and give them the combination to the box. They pick it up and go. Now you have left a ‘contact trace’ but as long as ‘not much time’ passes between the call and the pickup, you know that nobody else had time to copy the code book.

    “Many such things are possible”…

    @Pascvaks:

    Remember what? Do I know you?

    ;-)

    @Simon:

    Kudo’s for remembering the prior link AND for figuring out how to find it. (And for ignoring my distractor comments about there being ONLY 4 folks who could know – in reality it could also be our waiter, the chef, the clerk at checkout, and any TLA guy who was sitting at a table next to us or willing to look up the purchase records… and anyone who had Chinese dinner with the Sharrow clan and knew folks favorite foods)

    I was hoping someone could work it out, but expected it was unlikely…

    But at least now you, too, have TrueCrypt working ;-)

    Well, there is the cloud, and then there is The Cloud ;-)

    BTW, encryption is always a race condition between present hardware / software and the future. Things that were uncrackable when I started in computing now can be cracked in minutes. The first “uncrackable” RSA keys can now be cracked in about 20 minutes on dedicated hardware for about $20,000 (or some such). So any encrypted container put in ‘the cloud’ today will likely be readable by anyone with a small budget in 30 years. So I always use ‘way overkill’ in encryption for anything I care about. The latest public opensource encryption is Way Way Overkill… (the officially approved encryptions were more or less approved at the level where TLAs could crack them if they cared but ‘poor nations’ could not. But with ARM chips being as cheap as they are now, I could build a decryption cluster for about $10,000 that would be way more performance than my old Cray… so even the US Govt has realized that it is probably better for US security to have commercial traffic on tighter encryption…)

    My own stuff is in fact mostly protected by “depot” in encrypted form in unknown places. Not publicly visible at all and with “security by obscurity” keeping it ‘uninteresting’. So you name the encrypted container something like “Pig Feeding Manure Analysis Data” and put it in a place “owned” by Bob Farmer…. Nobody would even waste the time on it without a reason…

    @Adolfo:

    DARPA invented the basic technologies of Internet Routing and things like DNS. Private enterprise invented all the software, web browsing etc. built on top of that communications layer (everything folks care about). AlGore voted to fund DARPA…

    @All:

    BTW, I was not here for a while as I was writing the rather long posting I just put up as an amusing “intro” to Economics…

  31. E.M.Smith says:

    Found a summary update of the present crypto law and pointers to more detail here:

    http://www.cryptography.org/getpgp.htm#IS_PGP_LEGAL_

    (Yes, I’m working on “step two” a posting on getting and using PGP or similar… but need to be sure I’m not headed into trouble in the process ;-) Looks like as long as I post “pointers to places” but not the actual code for crypto, I’m OK and don’t need to send notices to any TLAs… maybe ;-)

    Using and distributing Pretty Good Privacy is legal if you are careful to obey the intellectual property and export rules, as well as any local rules that may apply in the nation you are in.

    U. S. export regulations are not as bad as they were, but you may be required to give a notice to the U. S. Government to export or publicly post source code (and the executable compiled from it) under license exception TSU. You can’t intentionally export PGP or GPG from the USA to certain forbidden destination (state sponsors of terrorism, etc.) Check the Department of Commerce web site at http://www.bxa.doc.gov/Encryption/Default.htm for current rules.

    The RSA patent caused considerable expense in the USA for PGP users, until the Diffie-Hellman patent expired and DSA was offered by the U. S. Government as not infringing. Some people still like to use older versions of PGP that use RSA, especially outside of the USA. Fortunately, the RSA patent is dead and anyone in the USA may use RSA for either business or personal use without restrictions, just like people in the rest of the world have been able to do for many years.

    If you want to use PGP for commercial use, the most legal approach is to use Gnu Privacy Guard ( http://www.gnupg.org ) for free, but you may also be able to buy a license for the commercial version of PGP, still.

    If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially, or avoid it by using Gnu Privacy Guard or a version of PGP that allows the use of alternate algorithms like CAST, instead. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

    Erhard Widmer, Ascom Systec AG, Dep’t. CMVV
    Phone +41 64 56 59 83
    Peter Hartmann, Ascom Systec AG, Dep’t. CMN
    Phone +41 64 56 59 45
    Fax: +41 64 56 59 90
    e-mail: IDEA@ascom.ch
    Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

    Network Associates, Inc., has an exclusive marketing agreement for commercial distribution of Philip Zimmermann’s copyrighted code. (Selling shareware/freeware disks or connect time is OK, as is building on older GPL versions of PGP or the new GPG.)

    If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don’t call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann’s permission.

    Within the U.S. there is no legal obstacle for use of strong encryption. Export regulations used to be quite draconian in the USA, and are still partially irrational, but they have greatly improved to the point where U. S. Citizens no longer need to hesitate to publish (even on the Internet) and use strong cryptography, as long as they send the required notices of export and/or posting on the Internet described by http://www.bxa.doc.gov/Encryption/Default.htm .

    In an ideal world every honest person would have the right to use encryption. Unfortunately, this isn’t an ideal world.

    France used to be quite restrictive, but now that nation allows its citizens to use strong cryptography, recognizing its value in preventing some crimes and strengthening electronic commerce.

    Germany once considered banning the use and distribution of strong cryptographic software in the name of “national security,” but now the German government has actually endorsed and helped fund the development of Gnu Privacy Guard.

    In Russia, you can be arrested for using cryptography and even be put in jail for using a GPS receiver.

    U. S. Citizens may want to view travel advisories at http://travel.state.gov before visiting another country.

    For a recent update on the legal situation see The Crypto Law
    Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

    I just need to not go to Russia or use a GPS there ;-)

  32. p.g.sharrow says:

    @EMSmith; This link is to an interesting article on using modern technique to decipher a 250 year old code.
    http://www.wired.com/dangerroom/2012/11/ff-the-manuscript/all/

    Even the article is a who done it! pg

Comments are closed.