Secure Communication, App for that, and Comments on ISIL

There is a lot of “chatter” from various “Agencies” and in the news about the need for “Silicon Valley” to roll over and play dead on your personal security, putting back doors into encryption and encrypted communications apps so that the Police States (globally… what? You think only the NSA will demand / get the data?…) can have easy and quick access to facilitate “every word you speak, every text you sneak, every breath you take” they’ll be watching you…

Frankly, I think the whole effort is a bit daft.

Most folks are already wide open and vulnerable, doing 1001 stupid things each day to leave them exposed to hacking. This would just add a few more holes for hackers to exploit. Don’t think so? Originally DES was the Government Choice. It was hacked. Then 3DES (triple DES). It was hacked. Then, reluctantly, The Government allowed that Public Key Encryption using hash methods like MD5 were acceptable, though folks thought them uncrackable. MD5 has been hacked. (Though only a weak hack that took a long time). SHA is now the “preferred” hash method to use… Set your timers now… Ooops! Too Late:

https://duckduckgo.com/?q=MD5+hash+cracked&ia=answer

CrackStation – Online Password Hash Cracking – MD5, SHA1 …

Crackstation is the most effective hash cracking service. We crack: MD5, SHA1, SHA2, WPA, and much more…
crackstation.net

md5cracker.org | The Cracking Engine for MD5-Hashes

Crack your md5 hash! md5cracker.org is a multi md5 crack engine, which searchs in various databases and rainbow tables to decrypt your md5 hash.
md5cracker.org

MD5 Cracker – MD5.net

How do we crack MD5? MD5 hashes are a result of running the message-digest 5 algorithm on a piece of data. This can be simple strings, passwords, or entire files.

md5.net/md5-cracker/

MD5 Decrypter – MD5 Decryption , Free MD5 Decryptor,
The MD5 decryption results will be displayed in this box. Please use the textbox to the left to specify the MD5 hashes you wish to decrypt / crack.

hashkiller.co.uk/md5-decrypter.aspx

MD5 Crack | A free online MD5 hash and password cracker and …

A free online MD5 hash and password cracker and decrypter using Google and Rainbow Tables.
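What the lookup services in those search results do ("databases and rainbow tables"), and the storage scheme that defeats a precomputed table, shown as an added example that is not part of the original post. The wordlist, account names, passwords and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real lookup service holds billions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage format the lookup services target."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(words):
    """Precompute digest -> plaintext once; every later lookup is a dict hit."""
    return {md5_hex(w): w for w in words}


def hash_salted(password: str, salt: bytes = None):
    """Per-user random salt plus a slow KDF: no shared table can be prebuilt."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, derived


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)


def demo():
    table = build_table(WORDLIST)
    # Constructed accounts: two share a weak password, one uses a long passphrase.
    users = {
        "alice": "letmein",
        "bob": "letmein",
        "carol": "vK9-marble-otter-2291-quay",
    }
    unsalted = {user: md5_hex(pw) for user, pw in users.items()}
    # The table only "reverses" digests of inputs it already contains.
    recovered = {user: table.get(digest) for user, digest in unsalted.items()}
    salted = {user: hash_salted(pw) for user, pw in users.items()}
    return {
        "recovered": recovered,
        # Same password, same unsalted digest: one hit exposes both accounts.
        "same_md5": unsalted["alice"] == unsalted["bob"],
        # Same password, different salts: the stored records differ.
        "same_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify_salted("letmein", *salted["alice"]),
        "login_bad": verify_salted("password", *salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The weak passwords fall to the table while the long passphrase does not, even under unsalted MD5: the lookup recovers guessable inputs rather than inverting the digest.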

The simple fact is that all cyphers (mechanical / mathematical mutation based encryption) are a race condition between the method and current hardware v.s. future decryption attack methods and Moore’s Law faster hardware. It is about a 5 year offset. (+/- a year or three at times). Government decision cycles run just about that long, and then there is a ‘build and ship it’ lag. As demonstrated by DES, the total ends up just about the same as the cracking cycle. ANY “approved” method from Government will be shipped just about the same time the crack for it is posted to the internet.

The reason the Government has been hacked so often (and many they don’t even know about or admit) is simply that they are perpetually behind the curve and always will be. I won’t go into the myriad reasons why, but just one: To apply for a job in I.T. near Dallas for a city, I had to fill out my resume on their job application. Phone number, address, work history, contacts. It is a “public record” so stated at the bottom that it would be made public… Now do you think anyone REALLY interested in security will want their name, address, phone number, occupation, etc. etc. a matter of “public record”? And if they do, you have just published your “Bribe or Extort Here!” list. That kind of thing is all over Government at all levels. This means that those folks most prone to being ‘security aware’ and with skilz (i.e. slightly Professionally Paranoid as that is what works best) are least likely to finish filling out that application and turning it in…

The decision cycle for computer and network security is measured in days, on a slow cycle, and minutes when it’s “hot”. Not months to years and after The Committee comes back from vacation research in Paris…

Oh, and just one sidebar on this. H1b Visas. There are a HUGE number of I.T. folks in the USA on H1b visas. Most of them from India. India that is on track to surpass Indonesia has THE largest Muslim population in the world. I’ll wait while that sinks in, in case any Democrat politicians are reading… it takes them a while to see things right in front of them. Especially security issues.

So in I.T. shops globally we have a boat load of folks from India, many Muslims, well skilled in I.T. and tinkering with the guts of the systems. Think maybe, just maybe, the Jihadis have noticed this and “planted a few”? Think maybe, just Maybe, the H1B Visa Muslim who writes your encryption application in Silicon Valley will remember how to do it when he “goes home” and gets recruited? The days when US Citizens controlled our data infrastructure and technology are long gone, killed by the H1B visa.

(Obligatory Discrimination Disclaimer: I’ve hired folks on H1B visas. They generally know their stuff, though ‘new ones’ are a bit long on theory and often with little real hardware contact. Most are very nice folks, easy to work with, and can point you to THE best Indian food locally ;-) It can take a little while to get them to warm up to you and accept that you are not a British Colonial but an American equal; but after that, they are less clannish / reserved. That’s a good time to ask about the best local restaurant… I have no ill will toward them, just toward the rampant flood of H1b visas from my own government being used to run Americans out of the job market. Yes, it DOES do that. I’ve been on both sides of it, as employer and as unemployed. I’ve written the job listing tailored to only attract the H1b Visa applicant, so don’t tell me it doesn’t happen. My POV comes only out of the Professional Paranoia of a Security Guy handing the ‘keys to the city’ to a new hire from a foreign country who I don’t know, and as a Dad who told his son “don’t go into computing, there’s a flood of cheap Indian H1b visa guys making it a poor choice of career”. He is now happy and in Marketing.)

There’s Already An App For That

There’s a dozen or two Apps already out there with decent end-to-end encryption. IF you start to bugger them, folks can just not upgrade.

IFF you block that and force / push an upgrade, folks can “jail break” their device and install their own app (or one they download from JihadAzon I.T. Services…) Right now it is mostly the ‘hacker class’ that does jail-breaking and installing their own apps. But it isn’t hard and as one of that sort of person, I can tell you we all have a long list of ‘family and friends’ who consider us ‘local tech support’…

But it isn’t just me and folks like me. The Jihadis already have their own in-house tech support and in-house crypto apps.

http://thehackernews.com/2014/05/al-qaeda-encryption-tool.html

Terrorist Group Al-Qaeda Uses New Encryption Softwares After NSA Revelations
Wednesday, May 14, 2014 Mohit Kumar

Note that the dateline is 2014. It has been this way for a while.

In response to the NSA revelations, the terrorists at Al-Qaeda have started using strongest encryption techniques in order to bypass the standard cryptographic protections in its various communications, according to the recent report released by the Threat Intelligence company, Recorded Future.

The analysis carried out by the intelligence firm revealed that the Infamous Terrorist Organizations, Al-Qaeda that attacked civilian and military targets in various countries, has switched to new encryption software for the first time in seven years, following the revelations of the US National Security Agency (NSA) by former contractor Edward Snowden.

Al-Qaeda is a global militant Islamist and takfiri organization which operates as a network comprising both a multinational, stateless army and a radical Sunni Muslim movement calling for global jihad.

This makes an attribution to the NSA leaks, but then turns right around and says, basically, it was a maintenance release based on their earlier platform…


Since 2007, Al-Qaeda was using their own built encryption software, Mujahideen Secrets for the online and cellular communications, but the intelligence firm has noticed that now they are using number of new encryption tools and adopting new services like mobile, instant messaging, and Mac as well, to mask its communications with overseas’ operatives.

“The nature of these new crypto products indicates strategy to overlay stronger and broader encryption on Western (mainly US) consumer communication services,” states the report. “We do not find evidence of abandonment of US-based consumer communication services. Likely risks are still greater to hide outside the consumer crowd, and non-US-based services may be exposed to even stronger lawful intercept.”

The three different terrorist organisations associated with Al-Qaeda – GIMF, Al-Fajr Technical Committee and ISIS – released three new major encryption tools within a three-to-five month period of the Snowden leaks, according to the report.

These three tools bolster the original ‘Mujahideen Secrets’ tool that have primarily been used for email by Al-Qaeda since 2007.

So these folks have their own I.T. shop. BTW, everybody does updates and upgrades and a whole slew of folks tightened up exposures after the NSA leaks happened. It is now too late to “un-know” that EVERYTHING is being buggered and you need to ‘roll your own’ to be sure of security. Smart folks were pretty sure of it even before then. (But it was nice to have confirmation and be able to tell family and friends “See! I wasn’t paranoid!”… even if they did answer “That just says you were right, you could still be paranoid and right. ;-)” Yeah, “friends” 8-{

But back at the main plot line…

NEW Al-Qaeda ENCRYPTION TOOLS

Tashfeer al-Jawwal, a mobile encryption platform developed by the Global Islamic Media Front (GIMF) and released in September 2013.

Asrar al-Ghurabaa, another alternative encryption program developed by the Islamic State of Iraq and Al-Sham and released in November 2013, around the same time the group broke away from the main Al-Qaeda following a power struggle.

Amn al-Mujahid, an encryption software program developed by Al-Fajr Technical Committee which is a mainstream al Qaeda organization and released in December 2013.

Things to note: Al-Fajr Technical Committee. They have an I.T. department with a focus on encryption and security. They already have the software and tools for that.

“Mobile Encryption Platform” from “Global Islamic Media Front”. They have a telco department and know how to make mobile apps.

Do you REALLY think these folks are going to just say “OH well, Twitter is now buggered by the NSA, let’s just use it anyway…”?

They use the commercial products for one reason only, to diffuse the “fingerprint” of their application and make it harder to “contact trace” everyone. Note that the cell phone found in Paris sent the ~”Let’s go now” text in the clear with NO encryption. It isn’t needed for an idiot code like that. You can’t tell if it is “let’s go to the library” or “let’s go bomb the football game”.

So as just ONE example of The Stupid That Burns in this rush to take everyone’s pants off in public:

A hypothetical App. It just is a translation application. You set up your own dictionaries. (It will be darned hard to say it is evil and prevent it from being put up as a public app). Now you make a dictionary that maps common phrases to code phrases. That gets distributed to folks via one secret channel (encrypted, or ‘hand to hand’ in the Mosque, or..) As long as both parties have THAT app, (and you-the-Agency don’t have the dictionary), they type in their phrase, and it translates and sends the other over the buggered open comms app.

NSA gets a load of “Time for lunch” and “Hey! Pizza anyone?” and “Johnny is sooo cute!” and other crap. Not much can be done with it. With proper choice of dictionary it will be very hard to even distinguish it from ordinary 13 year old drivel.

Now consider that I’m not even all that good at making apps…

That article also makes a couple of good points about “why blame Snowden”:

WHY BLAME SNOWDEN?

But, should Edward Snowden be blamed for this situation? No, because some analysts also point out that Al-Qaeda and like-minded militant groups were already aware of the enormous capabilities of the NSA to snoop on their communications, and had already taken measures to try to evade detection.

In 2011, German Intelligence officials revealed that militants in Germany had developed some effective encryption tools for secure communication over the Internet with terrorist operatives in Pakistan, CNN reported.

In 2009, An American-Yemeni cleric personally instructed European militants in Yemen how to use the encryption software so they could communicate without their e-mails being intercepted.

Now we have a load more apps out there for the rest of us. We don’t need to go to Jihadi Tech Support to get secure communications.

This site has a very nice ‘feature map’ showing just how secure each app is. It looks like they update it regularly, so “hit the link” and pick your favorite:

https://www.eff.org/secure-messaging-scorecard

European Privacy and Safe Haven Law

For decades, there was a ‘safe haven’ exit from European Privacy Laws. Folks running data centers in the USA were assumed to be secure and private. That changed with the PRISM program. Now even companies like Microsoft are building European data centers to house their ‘cloud’ (and contracting out operations to 3rd parties so THEY are not subject to USA warrants).

http://www.fiercecio.com/story/microsofts-new-german-data-center-adds-new-twist-safe-harbor-wranglings/2015-11-11

Microsoft’s new German data center adds new twist to Safe Harbor wranglings
November 11, 2015 | By Robert Bartley

In response to a recent change in the data protection regulations in Europe, Microsoft announced plans today to open a data center in Germany that will be controlled by a German company.

The idea is to allow Microsoft to comply with strict European customer data privacy regulations by handing over control of that data to German telecommunications company Deutsche Telecom. Any requests for access to the customer data, including from the U.S. government, will have to go through Deutsche Telecom and German government authorities, according to the Financial Times. The data center will open late next year, Microsoft said.

“These new data center regions will enable customers to use the full power of Microsoft’s cloud in Germany … and ensure that a German company retains control of the data,” said Microsoft CEO Satya Nadella at a press conference in Berlin, according to the Financial Times.

They aren’t the only ones.
http://www.techrepublic.com/article/cloud-vendors-seek-refuge-in-germany-to-comply-with-eu-data-laws/

Therein lies the problem—the extent to which it is possible to secure data stored in the cloud against government inspection remains an open question. This situation has been further complicated in the “Microsoft Ireland” case, in which the US Government is attempting to compel Microsoft to produce private emails stored in an Irish data center.

Last month, the European Court of Justice ruled that the EU-US “Safe Harbor” decision for the protection of personal data was invalid—in part, on the basis of the activities of US government intelligence agencies—making businesses that use US servers to process or store the information of customers in the European Union in violation of EU privacy protection laws.
[…]
JotForm provides German servers for EU users

JotForm, a provider of embeddable remotely-hosted web forms, announced in late October that the company now supports restricting the data of EU customers to new servers located in Germany. The newly-deployed servers are operated by Hetzner in Nuremberg, and by Amazon at the AWS Frankfurt center. Data for all new accounts for EU customers will be automatically hosted in Germany, with existing account holders able to request immediate migration. Gradually, all preexisting accounts for EU customers will be moved to the European facilities. This change brings it into compliance with EU law, following the ruling which invalidated the previous Safe Harbor decision.

JotForm is no stranger to interference from the US government—in 2012, the US Secret Service seized the company’s domain name seemingly without a court order, interrupting service for 700,000 users. Despite cooperation from the CEO, and a willingness to disable any user-generated form and provide account information for offending users, the Secret Service agent provided as the primary point of contact indicated it would take a few days to merely review the case.

So “bugger the USA apps” and you will see a flood of new data centers and apps stores in Europe, India, Dubai, Japan, China, and maybe even Somalia… I’ve already signed up with an offshore email provider with encryption. (Though I haven’t actually used it for encrypted messages yet. The problem of a boring life… nothing really worth encrypting. Maybe I’ll do it for Christmas Cards ;-)

In short, the tech genie is out of the bottle and the legal walls are going up already.

Now add a layer of frosting from folks who already have source code archives for all the present encryption, are scattered all over the world, and can make new encryption methods and apps as desired… well, it’s just not going to be ended any time soon. BTW, some of the existing apps are already “Open Source”… and China has built their own secure computing platform based on BSD Unix (Kylin), so don’t expect them to be on your pre-buggered platforms.

In short: The rest of the world is NOT going to just sit back and accept that your buggery is “ok with them”.

At best, hobbling US communications applications will open ALL of the US communications to cracking by the rest of the world. That’s it.

You can be secure, or you can be backdoor buggered and wide open to hacking. There is no stable third choice.

(In a short term you can have a hidden backdoor, but it will be found and exploited eventually).

In Conclusion

So that’s why this whole push to bugger the USA source OS and applications is just so daft. It can pull our own pants down in public. It can drive companies to other countries. It can’t get into Jihadi Tech Support applications. So just what is the point of it?

BTW, there’s a sweet new telephone being offered with what at first blush looks like decent security on it. Doesn’t come from a US Company, though… Just saying…

http://www.dailytech.com/BlackBerry+Priv+is+an+Amazing+Android+So+Secure+You+May+Never+Hear+of+It/article37522.htm

BlackBerry Priv is an Amazing Android So Secure You May Never Hear of It
Jason Mick (Blog) – November 2, 2015 2:46 PM

Shockingly BlackBerry has produced one of the best available Android devices, but so far AT&T is the only U.S. carrier to commit to it

For years Canadian phonemaker Research in Motion — later renamed as BlackBerry, Ltd. (TSE:BB) fought the good fight in the smartphone space. – […]
Unlocked, the device retails for $699 USD — a price which sounds high given BlackBerry’s history, but which actually isn’t bad when you fully consider the value of what you’re getting. Trust me — even I was skeptical. But the more you dig in, the more you realize that this device against all odds and expectations is a winner — BlackBerry’s first winner in a long, long time, arguably.

The bigger storyline, though, is the salient shift in BlackBerry’s strategy with the new device. The Priv is the first BlackBerry smartphone to swap out the QNX derived BB10 OS for Google’s Android. The phonemaker pitches it as a “BlackBerry Secure Smartphone, Powered by Android”.
[…]
II. No More SELinux Backdoor Fears — Why Priv Wins on Security

And BlackBerry strengthens the pitch with what’s lurking deep in the device’s software. While it’s technically running the latest version of Android — Lollipop 5.1.1 (presumably to be upgraded in upcoming months to Android 6.0 Marshmallow) — the distribution is heavily modified with a grsecurity kernel. For those unfamiliar this is sort of a big deal as grsecurity is a long-standing Linux effort with its fair share of cred:

Grsecurity is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for grsecurity is available through Open Source Security, Inc.

What perhaps sets BlackBerry’s device a notch above most existing offerings of similar premise — e.g. Samsung’s Knox — is that it’s not based on the SELinux version of Android. While grsecurity Linux and SELinux share similar algorithms and methodology there’s a key difference that will quickly cause many to favor the BlackBerry backed variant over Samsung’s chosen one — SELinux is developed and maintained by the U.S. National Security Agency (NSA).

Which point, BTW, is why I’m not keen on most Android systems…

There’s a bunch of links scattered all through this quote, so ‘hit the link’ to get a lot more, including some way cool pictures of the phone.

While it would be nice to think that the NSA works on SELinux out of the goodness of its heart, revelations from former contractor turned whistleblower Edward Joseph Snowden suggest otherwise. To my knowledge there weren’t any direct reports of subversion of the project in particular and it is worth noting that the project is open source which means that its been publicly scrutinized. Thus it’s fair to say if there are backdoors in SELinux — and Samsung’s Knox — they’re likely of the deep and devious variety. Google itself supports SELinux but has been wary and critical of NSA efforts. So ostensibly it would object to any known backdoors to persist in the distribution.

But what about unknown backdoors? That’s the real dark side of SELinux. Given the NSA’s broad agenda of subversion of global encryption standards and leading smartphone platforms chances are high that the project’s creator the NSA indeed has built in some highly obfuscated entryway. After all, the NSA has been implicated in zero-day exploitation of the Heartbleed flaw in the https protocol, in addition to having been more conclusively outed in a number of tricky and platform-specific or hardware-specific backdoors. Blackberry appears to even subtly allude to this risk in its ads for the Priv.
[…]
Ultimately this might not be a big deal for businesses in the U.S., but particular for overseas enterprise users in regions like France and Germany which the U.S. government spies upon for troubling indeterminate reasons, BlackBerry may be the only commercial option. And suffice it to say that as cooking your own alternative secured Android kernel is a tall task even for firmware experts, that means the market for this device are potentially huge. Add in BlackBerry’s growing portfolio of exclusive Android apps and services such as Picture Password, Password Keeper, BlackBerry Protect.

In the U.S., too, it may find buyers for a number of reasons including fears of domestic NSA surveillance, its devotion to the underappreciated slider form factor, and its solid overall spec.

That is a phone from Canada. From a company with a cheap stock price. http://money.cnn.com/quote/quote.html?symb=BBRY puts it at $3.9 Billion at the moment.

Think just for a minute. Could, say, Turkish Telecom, or a nice rich Arab Sheik, buy the technical rights? Or even the whole company and move the official tech HQ to, say, Kuwait?

We are basically one relatively small ‘deal’ away from a major competitor to US companies selling like hotcakes in the entire Muslim World and all located beyond the reach of US Law. Just how does strong-arming Apple to bugger their OS change that?

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...

13 Responses to Secure Communication, App for that, and Comments on ISIL

  1. Larry Ledwick says:

    How do you rank GnuPGP encryption for email?

    I was recently looking at this and it seems to be a good option for an encryption tool you can use with common email clients to use PGP on email, that has good enough support and documentation that a person new to encryption can get it up and running without too much brain damage.

    My understanding is that if GnuPGP is setup with a good (strong) passphrase it is very good encryption especially if you force it to use AES256.

    Enigmail
    https://www.enigmail.net/home/index.php

    Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard. Enigmail can also be used with Eudora OSE and Postbox (using a Postbox extension).

    Enigmail is an email plugin. It cannot be run by itself. You need to use one of the supported email clients, the GNU Privacy Guard (GnuPG), and a little patience. You may also need to install the proper Enigmail language pack.

    https://securityinabox.org/en/guide/thunderbird/windows

  2. E.M.Smith says:

    OpenPGP has one major issue. We’ll get to that in a moment.

    First, in general, it’s really Darned Good Privacy. I’ve not heard of anyone cracking the product.

    Where it falls down is in key management and key exchange (and having a trusted key authority…).

    This article pretty much lays out the issues with it:

    http://thehackernews.com/2014/08/cryptography-expert-pgp-encryption-is_19.html

    So basically if you can handle the key management and get a key authority outside the NSA sphere and that you trust, it’s pretty good…

    Note that the article is basically a critique of the key management and then a plea for integrated up front encryption, but doesn’t offer any better alternative.

    Some useful ways to use PGP (called ‘hacks’ in the article, not to be confused with ‘hacking in’ through the security…):
    http://www.linuxjournal.com/article/8732

    The last copyright on this page is 2010, so it might be a bit out of date, or maybe nothing new has come up in the last few years. Not a comprehensive list, but a nice sample. Basically the kind of ‘issue’ looked at, and the reality of exposure, make it pretty slim pickings for a cracker:

    http://www.rossde.com/PGP/pgp_weak.html

    http://www.cert.org/searchresults.cfm?q=OpenPGP+expsosure&x=0&y=0

    There were no documents found that met your search criteria.
    

    Searching only for OpenPGP at CERT gives 3 entries, all of which look to be “go use OpenPGP” in some form or another:

    Sending Sensitive Information | The CERT Division

    … We prefer OpenPGP standard cryptography, which usually means Pretty Good Privacy (PGP) or the GNU Privacy Guard (GnuPG or GPG). …
    https://www.cert.org/contact/sensitive-information.cfm – 38k – 2015-09-30

    IN-2001-06 … http://www.pgp.com/ Information about GNU Privacy Guard, a freely available OpenPGP-compliant implementation, can be found at. …
    http://www.cert.org/historical/incident_notes/in-2001-06.cfm – 40k – 2013-09-03

    [PDF] Handbook for Computer Security Incident Response Teams …
    Page 1. Handbook for Computer Security Incident Response Teams (CSIRTs) Moira J. West-Brown Don Stikvoort Klaus …
    resources.sei.cmu.edu/asset_files/handbook/2003_002_001_14102.pdf – 2003-05-02

    I think that pretty much shows it’s “Pretty Good Privacy”… as long as you don’t mind the PITA of key management and trust your key authority to not screw you over.

    GPG has the “web of trust” model and so you can just have “key signing parties” and limit your exposure to folks you have validated personally. In that case there is less dependence on a central key authority.

    https://www.gnupg.org/gph/en/manual.html#AEN533

    Personally, I’d have a 2 level system. Personally known / signed keys on one system. Public signed keys from “randoms” on another. That way email from “some guy” with a PGP key and you must depend on the signing authority can never bugger your machine with ‘real secrets’ on it. As that requires all of a $5 “chip” on the Raspberry Pi Model 2, it isn’t exactly a burden…

    In short, the only real problems are key management PITA and web of trust management.

  3. Terry Jay says:

    These posts add to my pathetic tiny tech knowledge base, but in my real world, I am not sure it matters. I get daily incoming from mass providers and send out a few docile and innocuous posts of personal drivel. My role is to plug up the system with dreck. Anything connected to the internet is insecure, which is why the heat pump installer and refrigerator guy of recent years were told not only no but….NO! The internet of things is stupid..

    Were I to engage in nefarious activity, the use of USPS to a general delivery dropped in a USPS box, or the services of UPS or FedEx at a cost would suffice. The Postal Statutes are potentially a wonderful encryption substitute. This clearly would become less feasible the wider and more dispersed the network, but for a discrete cell would be workable.

    Carry on.
    Terry

  4. Larry Ledwick says:

    Based on your responses above (have just scanned them quickly).
    The cryptographic security of messages encrypted with GnuPGP is for all practical purposes absolutely secure IFF good security principles were used in generating the encrypted message (i.e. a long completely random passphrase or the diceware method). So in that aspect the cryptographic security of the message itself is really not of concern if those involved are diligent users who understand how to make strong pass phrases.

    Cryptographic what if’s get very interesting as you play the “what if” game on possible outcomes and problems.
    I think I need to play with GnuPGP a bit and try some ideas out, just to understand how it works and get comfortable with the process as an educational exercise and decide how much brain damage I am willing to incur to use a secure email system vs how much real risk there is to having your email compromised.

    Your risk goes way down if you are disciplined enough to not communicate really sensitive information by email in the first place. The question becomes, how much security does the average user really need? If all your emails are things like your favorite recipe or what the dog did last night, it is really a useless exercise. If you are a Secretary of State with an off the books email server then just maybe it might be a good idea to think about who might want your emails and how much info might bleed out of the system if those emails are compromised.

    Short of a 1984 or Logan’s Run sort of scenario where you are trying to dodge the attention of “Big Brother”, really high security communication is probably not something most folks should spend a lot of effort on provided they use a little common sense and discretion on what they put in their emails. Besides there is the issue that if you use really secure encryption, it might make people wonder just what you are up to. If nothing else it would guarantee that those communications would be put into the keep forever files maintained by certain agencies who capture and retain all encrypted communications on the off chance they need to peek under the covers and see what is in them.

  5. E.M.Smith says:

    @Larry:

    Basically “yes”, but the key length need not be excessive. A common phrase is good enough. The bigger issue, IMHO, is the key authority ‘trust’. IF, for example, AOL provides the ‘key authority’, then someone can register their key with (i.e. get it from) AOL. Now you have a potential ‘man in the middle’ attack. JoeJihadi sends you an email. You reply using your key, but AOL in fact substitutes the text from NSA and uses THEIR key in the reply. JoeJihadi now replies, but it goes to the NSA and they decrypt with their key. (Or invert it. You send an email to J.Joe, but NSA subs their message and key, that goes to him, who replies with an encrypted message, so the reply goes to them. They look it over and forward to you, encrypted with their key… All the keys ‘validated’ by the “AOL Authority”)

    That doesn’t work if you and JoeJ have had a ‘key signing party’ and already know to only trust the key you got directly from each other…

    So essentially for “random contacts” you have an exposure to a ‘man in the middle’ attack from an agency in bed with the key signing authority that you choose to trust.

    Yeah, pretty arcane for anyone not a Jihadi…

  6. E.M.Smith says:

    @Terry Jay:

    In fact, that “dreck” traffic is of value. TOR, for example, encourages folks to use it for trivial and ordinary things specifically to mask what traffic is of value and what wastes agency time.

    It is also why I now use https: whenever possible on ordinary web contacts. Just more volume of encrypted dreck… and why many browsers now default your connection to https … along with making ‘man in the middle’ attacks harder on things like banking.

    BTW, ALL US postal mail is now ‘outside recorded’ for doing the contact tracing. I’d suggest not putting return addresses on things when it isn’t critical.

    There are also rumors of some scanners looking through the envelopes. Not that hard, really… So it may not be as ‘secure’ as you think. Rights and laws don’t seem to matter much these days. The theory seems to be “IF we can get the information, then you really didn’t have a ‘reasonable expectation of privacy’, so it must be OK for us to get the information.” Kind of a catch-22 IMHO.

  7. Larry Ledwick says:

    Here is an interesting play on your book code comments and the use of diceware to generate secure random passphrases. It uses dice to pick the page, column and word from a pre-selected book, (or if you are using it for your own use only any random book you have handy)

    http://www.instructables.com/id/Diceware-Anywhere/

  8. Larry Ledwick says:

    I just found an interesting paper on password security using the diceware method and some suggestions on how to improve it. It is an interesting read and reveals some shortcomings of the traditional diceware system that I had not thought of and some very simple ways to strengthen the final choice by intentional tampering with the original words selected to increase the universe of possible solutions to be larger than the theoretical limits.

    http://www.postcogito.org/PublicationsInEnglish/improving-diceware-v100-final.pdf

  9. Terry Jay says:

    @E.M.Smith
    Glad to know my dreck has a use, chuckle. And yep, should have been more specific that USPS in the drop box has no return address.

    One issue with USPS is that it seems anything in a 100 mile range has a postmark “Tacoma, WA”. Likely is not entirely true, but for mail dropped in a USPS drop box, it would make sourcing the origin a bit harder.

    My silly side is active, suggesting the perfect cover is as an Amway rep, multi-level marketing contacts and motivational prodding. Think what you could bury in the onslaught of simple email.

  10. Larry Ledwick says:

    If anyone wants to play with it, a simple ksh script to simulate the diceware method of generating passwords from a list of small words. I copied one of the diceware lists on line as my source list, and added line numbers so it has 3 columns, first column is the decimal line number, second column is the traditional diceware number (i.e. the rolls of 5 cubical dice) and the third column is the words associated with those diceware numbers.

    #!/bin/ksh
    # written by Larry Ledwick 11/19/15 last updated 11/20/15
    # simple script tool to generate random numbers between 1 and 7776
    # for a computer analog of diceware using the RANDOM command.
    # uses a diceware table with 3 columns called dice_list_decimal
    # column 1 = decimal line count
    # column 2 = diceware number generated with 5 dice
    #     (ie composed of strings of 5 numbers each digit between 1 and 6)
    # column 3 = word/letter group associated with the diceware number
    ######################################################################
    #                       Variables used
    #
    # $1 = value used for number of rounds to run
    # COUNT = counter for the rounds
    # RNUM = value of random number generated for this round
    # MAXLINES = maximum allowed number of data lines in diceware table used
    #
    #######################################################################
    #######################################################################
    #                       USAGE
    # script requires a single parameter for the number of rounds you want to run
    #
    ######################################################################
    # set MAXLINES value
    MAXLINES=7776
    
    # setup counter of how many rounds you are running and provide usage message
    
        if [[ $1 -lt 1 ]]
        then
        echo
        echo "You forgot to tell me how many rounds you want to execute"
        echo "please enter a decimal number parameter after the script name."
        echo
        # stop here: without a round count there is nothing to run
        exit 1
        fi
    COUNT=0
    
        while [[ $COUNT -lt $1 ]]
        do
        COUNT=$((COUNT+1))
    # Make sure that the random value used maps evenly onto the table size MAXLINES
    # $MAXLINES = maximum size of diceware 3 column table used for lookup
    # $RANDOM returns 0..32767 and is not a cryptographic generator.
    # LIMIT = largest multiple of MAXLINES that fits in that range (4 * 7776 = 31104)
    # redraw until RNUM is below LIMIT, then reduce it to 1..MAXLINES,
    # so that every line of the table is equally likely
    LIMIT=$(( 32768 / MAXLINES * MAXLINES ))
    RNUM=$RANDOM
    
         while [[ $RNUM -ge $LIMIT ]]
         do
         RNUM=$RANDOM
         done
    RNUM=$(( RNUM % MAXLINES + 1 ))
    # now that RNUM is between 1 and 7776, pick the line whose first column equals it exactly and format for output
    awk -v n="$RNUM" '$1 == n { printf "%6s\t %-10s\n", $1,  $3; exit }' ./dice_list_decimal
    done
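
An added example, not part of the original comment or Larry Ledwick's script: the same three-column table lookup in bash, drawing from /dev/urandom instead of $RANDOM, rejecting out-of-range draws so every line is equally likely, and matching column 1 exactly. The function names and the placeholder table built by make_sample_table are assumptions for illustration; lookup_substring is included only to show which line an unanchored grep would select.

```shell
#!/bin/bash
# Added example: diceware word selection with OS randomness (constructed table).
MAXLINES=7776

# rand_index: uniform integer in 1..MAXLINES from two /dev/urandom bytes.
# 65536 is not a multiple of 7776, so draws >= 8*7776 = 62208 are rejected
# rather than folded back, which would favour the low-numbered words.
rand_index() {
    local r
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
        if [ "$r" -lt 62208 ]; then
            echo $(( r % MAXLINES + 1 ))
            return 0
        fi
    done
}

# lookup_line TABLE N: word on the line whose column 1 equals N exactly.
lookup_line() { awk -v n="$2" '$1 == n { print $3; exit }' "$1"; }

# lookup_substring TABLE N: what `grep N | head -1` selects, for comparison.
lookup_substring() { grep "$2" "$1" | head -1 | awk '{ print $3 }'; }

# make_sample_table FILE: constructed stand-in for dice_list_decimal with the
# same three columns; the "words" are placeholders of the form w<dice number>.
make_sample_table() {
    awk 'BEGIN { for (a = 1; a <= 6; a++) for (b = 1; b <= 6; b++)
                 for (c = 1; c <= 6; c++) for (d = 1; d <= 6; d++)
                 for (e = 1; e <= 6; e++) {
                     k = a b c d e; printf "%d %s w%s\n", ++n, k, k } }' > "$1"
}

# passphrase TABLE COUNT: COUNT independently drawn words, space separated.
passphrase() {
    local out="" i=0
    while [ "$i" -lt "$2" ]; do
        out="$out${out:+ }$(lookup_line "$1" "$(rand_index)")"
        i=$(( i + 1 ))
    done
    echo "$out"
}

# entropy_bits COUNT: COUNT * log2(7776), the strength of a COUNT-word phrase.
entropy_bits() { awk -v w="$1" -v n="$MAXLINES" 'BEGIN { printf "%.1f\n", w * log(n) / log(2) }'; }
```

To try it, run `make_sample_table /tmp/table` and then `passphrase /tmp/table 6`; with a real word list in the same three-column layout, pass that file instead.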
    
  11. Larry Ledwick says:

    Here is a link that points to a new improved Tor like anonymizer system called Hornet which can move data much faster.

    http://www.ibtimes.co.uk/hornet-tor-style-dark-web-network-allows-high-speed-anonymous-web-browsing-1512359

  12. Lars Silén: Reflex och spegling says:

    Generating “dreck” can be made slightly more interesting for NSA or whatever listener. Set up a script that sends good sequences of random number formatted as email messages. Good random sequences are essentially identical to well encrypted messages as seen by an outside observer.

    If 99% of the messages look like encrypted messages but they can’t be decrypted simply because they don’t contain any information then that’s something for NSA to put their teeth into. They can never know if it is a masterpiece of encryption or an empty message but it will for sure cost time and effort :) !

  13. E.M.Smith says:

    @Lars:

    I used to make “file blobs” that contained things like repeated copies of Microsoft Word, then encrypt them with fairly strong encryption. These were left with file names like “New Killer Design” and “Macintosh of the future” on our “honeypot” system… In one case, it was a very large file full of mostly zeros with the text “The password to this file is ‘I am but an idiot!’, but you know that now”.

    As they were not particularly instrumented to measure downloads, I don’t have statistics on how often they were ‘taken’. We were mostly interested in observing the “tools” and “warz” in use so as to assure they would not make it into our real and hardened systems…

    But sometimes I wonder just how many “system cracker” cycles they consumed… all up… ;-)

    So that’s also why I do things like browse various benign web sites using https and sometimes use TOR just to read the news…
