The Null Device
Posts matching tags 'cryptography'
Details of how the NSA hacked cryptography machines from Swiss company Crypto AG, inserting an undetectable security hole which allowed them to read the traffic of users (including Iranian government orders to assassins and terrorists including the Lockerbie bombers):
On the day of his assassination and one day before his body was found with his throat slit, the Teheran headquarters of the Iranian Intelligence Service, the VEVAK, transmitted a coded message to Iranian diplomatic missions in London, Paris, Bonn and Geneva. "Is Bakhtiar dead?" the message asked.
"Different countries need different levels of security. The United States and other leading Western countries required completely secure communications. Such security would not be appropriate for the Third World countries that were Crypto's customers," Boris Hagelin explained to the baffled engineer. "We have to do it."
Juerg Spoerndli left Crypto AG in 1994. He helped design the machines in the late '70s. "I was ordered to change algorithms under mysterious circumstances" to weaker machines, says Spoerndli, who concluded that NSA was ordering the design change through German intermediaries.
The ownership of Crypto AG has been to a company in Liechtenstein, and from there back to a trust company in Munich. Crypto AG has been described as the secret daughter of Siemens but many believe that the real owner is the German government.
Former Australian defense minister Kim Beazley has revealed that the Australian security services cracked a US defence code in the 1980s, to enable them to reprogram their US-built Hornet fighters to identify potentially hostile aircraft. The Hornets, you see, were shipped pre-programmed with the profiles of Warsaw Pact aircraft, of which there weren't many in the Asia/Pacific region, and thus would have been somewhat less than useful when faced with, say, Indonesian or New Zealand fighters. This setting was impossible to change without top secret codes, which the US promised to provide but somehow never came up with. Given that there's no consumer complaints commission that can order the return of jet fighters should they prove unfit for purpose, the Australians (which, presumably, means ASIO/ASIS/DSD) did the only thing they could: they spied on the Americans and stole the codes. What happened to whoever authorised the purchase of the aircraft without ensuring that they were fit for purpose is not known.
"In the end we spied on them and we extracted the codes ourselves and we got another radar that could identify (enemy planes)."
Mr Beazley said the Americans knew what the Australians were doing and were intrigued by the progress they made.
I wonder whether the Australian department of defense has learned enough from this to demand the source code to the Joint Strike Fighter, as the British are doing. Or whether, indeed, Australia has the clout to make such requests.
A look at the U.S. Secret Service's tools for breaking encryption on seized data. Not surprisingly, they use a network of distributed machines to help brute-force keys. Cleverly enough, before they do so, they assemble a custom dictionary of potential keys/starting points from all data on the seized machine (including files, web browsing histories, and presumably terminology associated with the subject areas of the web sites visited). (via /.)
"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.
Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.
This technique apparently works surprisingly well, because people (including organised criminals) tend to choose relatively predictable passwords.
The moral of this story is: if you're planning the perfect crime using computers and encryption, you may find it wise to develop an obscure interest and not mention it by electronic means. Or, for that matter, let it show up in credit card receipts, library records, personal effects, or any other information the authorities could get. Which could be trickier than it sounds.
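A defender's version of the technique described above, as an added example that is not from the post, the Secret Service or AccessData: a self-check that extracts a vocabulary from a user's own documents (a constructed sample here, standing in for files and browsing history) and flags candidate passwords that a topic-specific dictionary would cover once the trivial decorations dictionary tools undo anyway (capitalisation, trailing digits, digit-for-letter substitutions, two-word joins) are stripped. The corpus, the candidate passwords and the substitution table are all assumptions for illustration.

```python
import re

# Constructed sample standing in for text scraped from a user's own files and
# browsing history; nothing here comes from the post or any real case.
SAMPLE_CORPUS = """
Stirrup leathers, snaffle bits and a martingale for the new gelding.
Dressage schedule: canter transitions, then hacking out past the paddock.
Motorcycle forum: swingarm bearings, carburettor jets and a new sprocket.
"""

# Digit/symbol-for-letter substitutions a dictionary tool undoes as a matter of course.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def build_wordlist(corpus: str, min_len: int = 4) -> set[str]:
    """Distinct lowercase words of at least min_len letters found in the corpus."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", corpus) if len(w) >= min_len}


def normalize(candidate: str) -> str:
    """Reduce a password to the dictionary word it is built on: lowercase,
    drop trailing digits/punctuation ("Stirrup2023!"), then undo leet-speak
    ("M4rtingale").  Trailing characters are stripped before the leet step so
    that a year suffix is not mistaken for substituted letters."""
    core = re.sub(r"[^a-z]+$", "", candidate.lower())
    return core.translate(LEET_MAP)


def is_topic_derived(candidate: str, wordlist: set[str]) -> bool:
    """True if the password is one wordlist entry (possibly decorated) or a
    concatenation of two wordlist entries ("canterpaddock")."""
    core = normalize(candidate)
    if core in wordlist:
        return True
    return any(core[:i] in wordlist and core[i:] in wordlist
               for i in range(1, len(core)))


def audit(candidates: list[str], corpus: str = SAMPLE_CORPUS) -> dict[str, bool]:
    """Map each candidate to whether a dictionary built from the corpus covers it."""
    wordlist = build_wordlist(corpus)
    return {c: is_topic_derived(c, wordlist) for c in candidates}


if __name__ == "__main__":
    verdicts = audit(["Stirrup2023!", "M4rtingale", "canterpaddock", "Tq7#vLm2pQ"])
    for pw, weak in verdicts.items():
        print(f"{pw:16} {'covered by topic dictionary' if weak else 'not in topic dictionary'}")
```

The check deliberately mirrors what the post says investigators do: the dictionary is the user's own interests, and the normalisation steps are the cheap mutations any wordlist run applies, so a password that survives this audit is at least not the one-guess case the article describes. Real password-quality libraries do the same with a user-supplied list of personal terms.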
Also on the subject of people subconsciously giving away more than they think: this IHT article on "psychological illusionist" Derren Brown (via bOING bOING):
He produces a sheet of blank paper and issues an instruction: Draw a picture. "Try to catch me out; make it a bit obscure," he orders. "Don't draw a house; don't draw a stick man." Walking to another room and out of sight, he decrees that the picture should be concealed until the end of the interview - whereupon, he claims, he will reveal what it is.
Recently, he said, he used his talents to defuse a situation in which an aggressive youth approached him on the street, yelling, "What are you looking at?" (Brown responded with a rapid series of diversionary non sequiturs, he said; the man burst into tears.)
Instructing me to concentrate, he pulls out a blank sheet of paper and begins sketching, chatting all the while. He tells me he "sees" a conical shape with spots on it - some sort of decorated lamp with a blob on top. And knock me down if he does not produce a near-exact replica of my drawing, the only differences being that his has more dots than mine, and his stripes are horizontal, not vertical.
Channel 4 has a Derren Brown microsite here, with streaming video and explanations of some of the tricks (such as making people fall asleep in phone booths). Think of it as the human equivalent of the buffer overrun attack.
The SHA-1 hash function, touted for a few years as more secure than MD5, has apparently been broken. What this means is that (assuming that the details check out), for any file (such as a digital signature) with a SHA-1 checksum, an attacker can create an alternative file with the same checksum in a sufficiently short time to make it practical. Which means that, with a modern computer, script kiddies, online fraudsters and others will soon be able to create genuine-looking digital signatures on demand. (via Techdirt)
Two former WW2 codebreakers from Bletchley Park have turned their attention to a coded message on a garden monument in Staffordshire. The 18th-century inscription reads "D OUOSVAVV M". Oliver and Sheila Lawn have examined 48 hypotheses about the code, with the two leading categories being those connected to the Knights Templar/Freemasonry and the Holy Grail, pointing right into Holy Blood Holy Grail/Da Vinci Code territory. Other hypotheses involved UFOs, Nostradamus, Turkish maritime maps and occultism. Then again, it could have just been a dedication from the estate owner to his late wife. (via bOING bOING)
Ultramagnetic is a fork of gaim for paranoids. While gaim is designed to let you chat with your friends on several different instant-messaging systems at once, Ultramagnetic is designed to allow you and your anarchovegan agitator comrades, anti-NWO militia buddies and/or fellow UFO conspiracy researchers to communicate without Them watching you. It uses libcrypt and Hacktivismo's 6/4 anonymous routing protocol. No idea whether it looks like AIM/ICQ or whatever else under all that or whether it interfaces with the overt IM networks at all. (via bOING bOING)
Blogging has now become more paranoiac-friendly with Invisiblog, a new online blogging tool devised by cypherpunk cryptoanarchist types. Invisiblog uses anonymous remailers for posting, making it (theoretically) impossible to trace their authorship (except, of course, by the NSA's quantum supercomputers, but they can probably read your thoughts before you post anyway, and already know that you've been a very naughty boy/girl/android).
This looks interesting: DIBS, the Distributed Internet Backup System, a peer-to-peer system designed for data backup. Rather than sharing files, you share your surplus disk space for other users to store encrypted backups in; in return, they do the same for you. Which sounds promising, though I can see some potential problems with reliably getting things back. (How many redundant copies of data are backed up? What happens when peers disappear from the network?) Perhaps what this needs is some sort of "heartbeat contract" mechanism; where peers agree that if they don't communicate for a period (say, a week, or perhaps a month), the other peer has disappeared, and its disk space can be reclaimed for new backup partners. (via Slashdot)
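The "heartbeat contract" idea above, worked through as an added example that is not DIBS's own code: a ledger that records each peer's last heartbeat, treats a peer silent for longer than the agreed lease as gone, forgets the encrypted copies it held, and reports which backups have dropped below the agreed number of redundant copies so they can be handed to new partners. The lease length, replica target, peer names and chunk ids are all assumptions.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # assumed lease: a peer silent this long is presumed gone


@dataclass
class Peer:
    name: str
    last_heartbeat: float  # seconds on the same clock as `now` below


@dataclass
class BackupLedger:
    """Bookkeeping one node keeps about its backup partners and the chunks they hold."""
    lease: float = WEEK
    target_replicas: int = 3
    peers: dict[str, Peer] = field(default_factory=dict)
    # chunk id -> names of peers currently holding an encrypted copy
    holders: dict[str, set[str]] = field(default_factory=dict)

    def heartbeat(self, name: str, now: float) -> None:
        """Record that `name` was heard from at time `now` (renews its lease)."""
        self.peers[name] = Peer(name, now)

    def store(self, chunk: str, name: str) -> None:
        """Record that peer `name` has accepted a copy of `chunk`."""
        self.holders.setdefault(chunk, set()).add(name)

    def expired(self, now: float) -> list[str]:
        """Peers whose silence has exceeded the lease, in name order."""
        return sorted(p.name for p in self.peers.values()
                      if now - p.last_heartbeat > self.lease)

    def reclaim(self, now: float) -> list[str]:
        """Apply the contract: drop expired peers and stop counting the copies
        they held (their space is free to offer to new partners).  Returns the
        names removed."""
        gone = self.expired(now)
        for name in gone:
            del self.peers[name]
            for held in self.holders.values():
                held.discard(name)
        return gone

    def under_replicated(self) -> dict[str, int]:
        """Chunks with fewer live copies than target, mapped to how many more are needed."""
        return {chunk: self.target_replicas - len(held)
                for chunk, held in self.holders.items()
                if len(held) < self.target_replicas}


if __name__ == "__main__":
    day = 24 * 3600
    ledger = BackupLedger(target_replicas=2)
    for peer in ("alice", "bob", "carol"):
        ledger.heartbeat(peer, 0)
    ledger.store("chunk-1", "alice"); ledger.store("chunk-1", "bob")
    ledger.store("chunk-2", "carol"); ledger.store("chunk-2", "bob")
    ledger.heartbeat("alice", 3 * day)          # alice keeps checking in
    print("reclaimed:", ledger.reclaim(8 * day))  # bob and carol have gone quiet
    print("need re-replication:", ledger.under_replicated())
```

The contract is symmetric: the same expiry rule the node applies to its partners is the one they apply to it, so a node that wants its backups kept must keep sending heartbeats. The lease length is the trade-off the post points at: a week reclaims space from dead peers quickly but declares a peer dead after one holiday; a month wastes space longer but tolerates ordinary downtime. Either way, `under_replicated` is what drives recovery, since it tells the node which chunks need new partners before the last copy disappears.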
Cambridge academic debunks "crypto menace" myth. (NewScientist)
Think what England was like when the government didn't really exist: anyone with any wealth or property had to design their house to withstand infantry-strength assault. That's not efficient. National governments and policemen will survive the electronic revolution because of the efficiencies they create.
If I were to hold a three-hour encrypted conversation with someone in the Medellín drug cartel, it would be a dead giveaway. In routine monitoring, GCHQ (Britain's signals intelligence service) would pick up the fact that there was encrypted traffic and would instantly mark down my phone as being suspect. Quite possibly the police would then send in the burglars to put microphones in all over my house. In circumstances like this, encryption does not increase your security. It immediately and rapidly decreases it. You are mad to use encryption if you are a villain.