[cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
This was expected. As Skype definitely ruined its reputation as a free end-to-end application for secure communication, other products are taking their chances.

Agencies showing sudden interest in encrypted comm
http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx

From the article:

    ... The company has benefited from current events, particularly recent revelations about the National Security Agency's surveillance of Internet and telephone communications. Growth, already a strong 100 percent month-over-month, rocketed to 420 percent in the last two-and-a-half weeks. ...

Danilo!

On Wed, May 22, 2013 at 10:30 AM Danilo Gligoroski danilo.gligoro...@gmail.com wrote:
> ... 3. I see a chance for some other product like: Zfone (that never took significant popularity), maybe Pidgin, maybe Cryptocat, ...

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On 2013-06-30 5:13 PM, Danilo Gligoroski wrote:
> This was expected. As Skype definitely ruined its reputation as a free end-to-end application for secure communication, other products are taking their chances.
>
> Agencies showing sudden interest in encrypted comm
> http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx

Silent Circle expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure. Everything else is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, I am looking at you)

However, everyone has found it hard to enable end users to manage keys. User interface varies from hostile, to unbearably hostile.

Silent Circle publish end users' public keys, which would seem to create the potential for a man in the middle attack. I would like to see a review and evaluation of Silent Circle's key management.
Re: [cryptography] Potential funding for crypto-related projects
On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
> Natanael:
>> I'm not seeing that many options though. The Phantom project died pretty fast;
>> https://code.google.com/p/phantom/
>> https://groups.google.com/forum/#!forum/phantom-protocol
>> http://phantom-anon.blogspot.se/
>>
>> So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one? (I would like one with at least the same level of functionality as I2P, even if it would have to have a very different architecture.)
>
> I guess you might be interested in this project called Tor? A few of us have spent a decade working on it:
> https://www.torproject.org/

There should be a disclaimer somewhere that Tor is a competitor to I2P, is far from perfect itself (actually has a few glaring weaknesses, such as exit nodes), and the guy critiquing I2P works for Tor. I'm a Tor supporter personally, but those things should be clarified!

NK

> I'd suggest if you want to experiment with Tor and i2p, to try Tails:
> https://tails.boum.org
>
> All the best,
> Jacob
Re: [cryptography] Snowden: Fabricating Digital Keys?
> that if Snowden has access to them - other people who wish to have access may also have these documents - too bad none of them seem to care to educate the public or to expose the incredibly illegal interpretation

The incidence/depth of leakers/leaks over time seems to be increasing. Whether or not the outcome of this particular one will change that remains to be seen. There could be a bit of wait and see going on here.

> Snowden himself said that these controls are irrelevant - his leaks are ...
> 1) More detail on how direct NSA's accesses are is coming ...

He clearly doesn't think that privacy by policy is as effective as privacy by design - where by design, he clearly endorses the use of cryptography with the caveat that NSA breaks into computer systems:

    Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

A note: this was a quote in the context of users asking if their use of crypto would defeat the NSA, not as to internal NSA policy/application.

Even under what might be this new post 911 open sharing model, it would seem reasonable to assume that information regarding actual cryptanalysis capabilities would be compartmented [perhaps far and securely] away from the areas that have produced the current stream of news stories. There hasn't been much said of those capa's, no?

> After more than a decade of talking with people about these issues, it is incredible to see this shift happen and it was nearly overnight for some people!

Unfortunately, unlike those with their ear to the ground for these sort of things (which really doesn't require any hearing aid to begin with), some people just refuse to get it until it's on newsprint in front of them. Now they're begging for help to the very same people they laughed off earlier.

As much as we might want to say get lost, it still feels good to finally be recognized as having been right all along. And the advice is still the same in general: encrypt everything.
Re: [cryptography] Potential funding for crypto-related projects
> There should be a disclaimer somewhere that Tor is a competitor to I2P, is far from perfect itself (actually has a few glaring weaknesses, such as exit nodes), and the guy critiquing I2P works for Tor.

There should be a table somewhere that shows that all these different systems have different *features*. One such feature is exit to clearnet, which is not in itself a 'weakness' unless further supporting information as to how the feature is broken, not its mere presence, is supplied. Note also that I2P 'exits' as well, albeit from one of any particular list of known exits configured by the user.

Furthermore, such wikitable could very well include actual weaknesses, whether by design limitations/concessions or work in progress.
Re: [cryptography] Potential funding for crypto-related projects
> I'm not seeing that many options though. The Phantom project died pretty fast;
> https://code.google.com/p/phantom/
> https://groups.google.com/forum/#!forum/phantom-protocol
> http://phantom-anon.blogspot.se/

I would bet that Phantom both ran out of developer time and has discouraged further takeup by using the unfamiliar HESSLA instead of say the simply free 2-clause BSD. As opposed to having been proven to use an [unfixably] flawed protocol design, no? (this being more on topic).
[cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
On 29/06/13 13:23 PM, Jacob Appelbaum wrote:
> http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
>
> One of the most interesting things to fall out of this entire ordeal is that we now have a new threat model that regular users will not merely dismiss as paranoid. They may want to believe it *isn't* true or that policy has changed to stop these things - there is a lot of wishful thinking to be sure. Still such users will not however believe reasonably that everyone in the world follows those policies, even if their own government may follow those policies.

Yes, but I don't think the penny has yet dropped.

One of the things that disturbed me was the several references of how they deal with the material collected. I don't think this is getting enough exposure, so I'm laying my thoughts out here.

There is a lot of reference to analysts poking around and deciding if they want that material or not, as the sole apparent figleaf of a warrant. But there was also reference to *evidence of a crime*:

http://www.cnsnews.com/news/article/intelligence-chief-defends-internet-spying-program

    —The dissemination of information incidentally intercepted about a U.S. person is prohibited unless it is necessary to understand foreign intelligence or assess its importance, *is evidence of a crime*, or indicates a threat of death or serious bodily harm.

The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably.

This represents a much greater breach than anything else. We always knew that the NSA could accidentally harvest stuff, and we always knew that they could ask GCHQ to spy on Americans in exchange for another favour. As Snowden said somewhere, the American/foreigner thing is just a distracting tool used by the NSA to up-sell their goodness to congress.

What made massive harvesting relatively safe was that they never shared it, regardless of what it was about, unless it was a serious national security issue. Now the NSA is sharing *criminal* information -- civilian information.

To back this shift up, the information providers reveal:

http://www.counterpunch.org/2013/06/20/spying-by-the-numbers/

    Apple reported receiving 4,000 to 5,000 government requests for information on customers in just the last six months. From December 1, 2012 to May 31, 2013 Apple received law enforcement requests for customer data on 9-10,000 accounts or devices. Most of these requests are *from police for robberies, missing children*, etc.

Facebook said something similar about missing children, I think. Elsewhere, someone sued the NSA to reveal information on his whereabouts to assist his defence against a crime [0].

So we have moved almost full circle from national security to local crimes. And nobody blinked! The NSA, FISA, administration, FBI, DoJ, media, google, facebook, apple... everyone really, have not thought this strange [1]. Indeed, reading the media reports, it's almost as if they are preparing the American public for a fait accompli.

The only thing left is civil cases. But we've already seen a number of elements of that (e.g., l'affair Petraeus) and I suspect it is only a matter of time before (say) the SEC gets in on the game and uses civil discovery and civil cases against some scumbag boiler room operation [2]. To put this in context, the endgame in civil cases is divorce, which can already be dressed up as criminal if we add in some claims of assault, etc.

Do Americans believe the local police and the FBI can show restraint given the availability of NSA and friends' intel? Use of secret letters? Do Americans consider that allowing their criminal and civil courts access to this stuff is a reasonable thing?

Am I the only one to find the American psyche response to be rather weird? They seem to be focussing on the breaking of (constitutional) rules, and saying tut, tut, naughty NSA. Must phone my Congressman. But they -- Americans -- seem to be ignoring the real danger writ large to them, the very reason for those rules.

iang

ps; to drag this back to crypto, I think crypto can help, and it is encouraging to see that upswing. But the wider issue here is going to require a complete rethink of the threat model.

[0] If Apple and Facebook and the rest are accepting secret national security letters for local crimes, he should get that info. Perhaps EFF should file a friends of the court brief arguing that we are now in a society where civilians are now entitled to the NSA's support. But I digress...

[1] This is without even considering the twin corruptions of the policing forces, being (1) war on drugs,
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On 30-06-13 09:44, James A. Donald wrote:
> On 2013-06-30 5:13 PM, Danilo Gligoroski wrote:
>> This was expected. As Skype definitely ruined its reputation as a free end-to-end application for secure communication, other products are taking their chances.
>>
>> Agencies showing sudden interest in encrypted comm
>> http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-comm.aspx
>
> [...] expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure.

Agree

> However, everyone has found it hard to enable end users to manage keys. User interface varies from hostile, to unbearably hostile.

Disagree. Not everyone.

I believe this below to be a way out of the unencrypted web into a crypto-by-default web that is easy for the end user. It should be so easy that the users do not realize that they are using cryptography. It should be part of the account creation and log in process.

Imagine:
- forget passwords and password accounts; we use client certificates;
- place a certificate signer at each website signing only for that site;
- every CSR is signed without ado as long as the CN is unique at that site;
- the CN is really the account name;
- end user decides the CN;
- the user uses a local agent to manage
- the user agent logs in with the certificate at the site;

To protect the user against an external party performing a MitM we publish the servers' TLS certificate in DNSSEC with DANE. This makes the site's CA unique and the certificate world wide recognizable identities. (Anonymous identities as there is no need to hand any personal identifying information at certificate signup).

With the public and private key pair, the users can encrypt and sign messages between each other with message delivery either via the site or via any third party message delivery.

To protect the user against a site's signer creating shadow certificates of its own users we deploy a global registry of client certificates. The registry monitors if a site ever signs two certificates for the same CN. If so, the site loses all respect. Users' agents are expected to check that registry before signup at a site, and when starting to communicate with another user at the site. Once a few messages have been sent and received by any two end users, they have sufficient trust there is no MitM.

There can be even more advanced benefits with a small change in web browsers:
- phishing protection;
- XSS, CSRF protection, making javascript web applications secure.

It's here: http://eccentric-authentication.org/

Cheers, Guido.

PS. It needs Tor to protect against traffic analysis, it needs Capability operating systems for the end user to protect the users' keys.

PPS. I'd love to see some funding to keep me going with this.
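A toy model of the per-site signer and the global registry described in the post above, added here as an illustration; it is not code from eccentric-authentication.org, and the site name, key bytes and fingerprint construction are made up for the demo. It shows the one check the design relies on: the registry records the first certificate it sees for each (site, CN) and marks the site dishonest the moment a second, different certificate for the same CN appears, which is exactly what a signer issuing a shadow certificate would produce.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """A signed client certificate, reduced to the fields the registry cares about."""
    site: str      # the site whose per-site signer issued it
    cn: str        # the account name chosen by the user
    pubkey: bytes  # the user's public key (constructed placeholder bytes here)

    def fingerprint(self) -> str:
        # Stand-in for a hash over the DER-encoded certificate.
        data = b"|".join([self.site.encode(), self.cn.encode(), self.pubkey])
        return hashlib.sha256(data).hexdigest()


class SiteSigner:
    """Per-site CA: signs every CSR as long as the CN is unique at this site."""

    def __init__(self, site: str):
        self.site = site
        self.issued: dict[str, ClientCert] = {}

    def sign_csr(self, cn: str, pubkey: bytes) -> ClientCert:
        if cn in self.issued:
            raise ValueError(f"CN {cn!r} is already taken at {self.site}")
        cert = ClientCert(self.site, cn, pubkey)
        self.issued[cn] = cert
        return cert

    def sign_shadow(self, cn: str, pubkey: bytes) -> ClientCert:
        """What a dishonest or compromised signer would do: issue a second
        certificate for an existing CN, bypassing the uniqueness rule.
        Modelled only so the registry check below has something to catch."""
        return ClientCert(self.site, cn, pubkey)


class Registry:
    """Global registry: remembers the fingerprint first seen for each (site, CN)
    and marks a site as dishonest when a different fingerprint shows up."""

    def __init__(self):
        self.seen: dict[tuple[str, str], str] = {}
        self.dishonest: set[str] = set()

    def submit(self, cert: ClientCert) -> str:
        key = (cert.site, cert.cn)
        fp = cert.fingerprint()
        prev = self.seen.get(key)
        if prev is None:
            self.seen[key] = fp
            return "recorded"
        if prev == fp:
            return "duplicate"          # same cert resubmitted, harmless
        self.dishonest.add(cert.site)   # two certs for one CN: site loses all respect
        return "conflict"

    def site_trusted(self, site: str) -> bool:
        return site not in self.dishonest


def agent_may_talk_to(registry: Registry, peer: ClientCert) -> bool:
    """User-agent check before starting a conversation: the site must not be
    blacklisted, and the peer's cert must match what the registry recorded."""
    if not registry.site_trusted(peer.site):
        return False
    recorded = registry.seen.get((peer.site, peer.cn))
    return recorded is not None and recorded == peer.fingerprint()


def run_demo() -> dict:
    """Honest signup, a refused duplicate CSR, then a shadow cert being caught."""
    registry = Registry()
    signer = SiteSigner("chat.example")   # constructed site name
    alice = signer.sign_csr("alice", b"alice-public-key")
    results = {"first": registry.submit(alice), "again": registry.submit(alice)}
    try:
        signer.sign_csr("alice", b"someone-else")
        results["second_csr"] = "signed"
    except ValueError:
        results["second_csr"] = "refused"   # honest signer enforces CN uniqueness
    results["talk_before"] = agent_may_talk_to(registry, alice)
    shadow = signer.sign_shadow("alice", b"mitm-public-key")
    results["shadow"] = registry.submit(shadow)
    results["trusted_after"] = registry.site_trusted("chat.example")
    results["talk_shadow"] = agent_may_talk_to(registry, shadow)
    return results


if __name__ == "__main__":
    print(run_demo())
```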
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
Fully agree. I suspect the released figures showing a spike in FBI wire-taps may be cover/laundry and indicative of receiving domestic targeted crime tips from NSA.

Another vector: the UK GCHQ have reportedly on their list of authorized spying motivations "economic well being". That translates to economic espionage. It seems to be strongly suspected by informed political commentators that the US (and secondarily echelon partners) are conducting economic espionage against Europe.

It seems beyond the ken and political will of national security spies to restrict the information collected to narrow national security use. Once they slide it into law enforcement, it historically falls into increasingly more trivial or even arguable crimes. We also see hints such information is being abused for political reasons, e.g. the IRS audits.

The other aspect of this is that I don't think Americans can expect even the most positive constitutional or legal re-evaluation and adjustment to actually fix the problem. It seems to me to be already established that ISPs can be required to keep records for some period, e.g. GSM location and call information for years; email bodies for periods of time. Therefore it seems obvious to me that as soon as there is any legal threat to the NSA storing their own information, they'll just get some laws to require the ISPs to do it for them. Probably they can fix it with a few leases, and contracts and carry on as is. The people working on this stuff at the ISPs are going to already have the same security clearances as the NSA, and the NSA apparently already sub-contracted to the private sector 70% of its budget. So how hard is it going to be for them to ask the ISPs and telcos to form a privately owned telecommunications consortium, that harvests and stores information. Apparently private sector sub-contracting already forms part of the legal shenanigans in the abuse of the FISA.

Though I do think it is a politically useful exercise for people to press for legal changes, it seems that with the extent of lying and manipulation, information related power, and scale of economic lobbying; the mil-ind complex in the US has effectively become above the US law and constitution.

So I think the only answer is lots of crypto. Per the cypherpunks credo: write code not laws.

Adam

On Sun, Jun 30, 2013 at 01:30:34PM +0300, ianG wrote:
> On 29/06/13 13:23 PM, Jacob Appelbaum wrote:
>> http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
>>
>> One of the most interesting things to fall out of this entire ordeal is that we now have a new threat model that regular users will not merely dismiss as paranoid. They may want to believe it *isn't* true or that policy has changed to stop these things - there is a lot of wishful thinking to be sure. Still such users will not however believe reasonably that everyone in the world follows those policies, even if their own government may follow those policies.
>
> Yes, but I don't think the penny has yet dropped.
>
> One of the things that disturbed me was the several references of how they deal with the material collected. I don't think this is getting enough exposure, so I'm laying my thoughts out here.
>
> There is a lot of reference to analysts poking around and deciding if they want that material or not, as the sole apparent figleaf of a warrant. But there was also reference to *evidence of a crime*:
>
> http://www.cnsnews.com/news/article/intelligence-chief-defends-internet-spying-program
>
>     —The dissemination of information incidentally intercepted about a U.S. person is prohibited unless it is necessary to understand foreign intelligence or assess its importance, *is evidence of a crime*, or indicates a threat of death or serious bodily harm.
>
> The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably.
>
> This represents a much greater breach than anything else. We always knew that the NSA could accidentally harvest stuff, and we always knew that they could ask GCHQ to spy on Americans in exchange for another favour. As Snowden said somewhere, the American/foreigner thing is just a distracting tool used by the NSA to up-sell their goodness to congress.
>
> What made massive harvesting relatively safe was that they never shared it, regardless of what it was about, unless it was a serious national security issue. Now the NSA is sharing *criminal* information -- civilian information.
>
> To back this shift up, the information providers reveal:
>
> http://www.counterpunch.org/2013/06/20/spying-by-the-numbers/
>
>     Apple reported receiving 4,000 to 5,000 government requests for information on customers in just the last six
Re: [cryptography] Potential funding for crypto-related projects
Nadim Kobeissi:
> On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>> Natanael:
>>> I'm not seeing that many options though. The Phantom project died pretty fast;
>>> https://code.google.com/p/phantom/
>>> https://groups.google.com/forum/#!forum/phantom-protocol
>>> http://phantom-anon.blogspot.se/
>>>
>>> So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one? (I would like one with at least the same level of functionality as I2P, even if it would have to have a very different architecture.)
>>
>> I guess you might be interested in this project called Tor? A few of us have spent a decade working on it:
>> https://www.torproject.org/
>
> There should be a disclaimer somewhere that Tor is a competitor to I2P, is far from perfect itself (actually has a few glaring weaknesses, such as exit nodes), and the guy critiquing I2P works for Tor.

Ha. There isn't a competition. This isn't zero sum. We're all interested in similar goals and in some cases, the designs are totally different and for good reason. Also, the security properties and reviews of claims have different results.

I didn't just critique i2p offhand because I work on Tor - which I disclosed by saying a few of us have spent a decade working on it - I linked to a paper that broke it!

> I'm a Tor supporter personally, but those things should be clarified!

Read my email more carefully next time. I specifically encouraged experimentation in a way that seems reasonably safe:

>> I'd suggest if you want to experiment with Tor and i2p, to try Tails:
>> https://tails.boum.org

All the best,
Jacob
Re: [cryptography] Potential funding for crypto-related projects
On 2013-06-30, at 9:40 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
> Nadim Kobeissi:
>> On 2013-06-29, at 11:48 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>>> Natanael:
>>>> I'm not seeing that many options though. The Phantom project died pretty fast;
>>>> https://code.google.com/p/phantom/
>>>> https://groups.google.com/forum/#!forum/phantom-protocol
>>>> http://phantom-anon.blogspot.se/
>>>>
>>>> So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one? (I would like one with at least the same level of functionality as I2P, even if it would have to have a very different architecture.)
>>>
>>> I guess you might be interested in this project called Tor? A few of us have spent a decade working on it:
>>> https://www.torproject.org/
>>
>> There should be a disclaimer somewhere that Tor is a competitor to I2P, is far from perfect itself (actually has a few glaring weaknesses, such as exit nodes), and the guy critiquing I2P works for Tor.
>
> Ha. There isn't a competition. This isn't zero sum. We're all interested in similar goals and in some cases, the designs are totally different and for good reason. Also, the security properties and reviews of claims have different results.
>
> I didn't just critique i2p offhand because I work on Tor - which I disclosed by saying a few of us have spent a decade working on it - I linked to a paper that broke it!
>
>> I'm a Tor supporter personally, but those things should be clarified!
>
> Read my email more carefully next time. I specifically encouraged experimentation in a way that seems reasonably safe:

There's no need to be so patronizing — I'm aware that you recommended TAILS (which is also a Tor project).

NK

>>> I'd suggest if you want to experiment with Tor and i2p, to try Tails:
>>> https://tails.boum.org
>>>
>>> All the best,
>>> Jacob
Re: [cryptography] Potential funding for crypto-related projects
Nadim Kobeissi:
>> Read my email more carefully next time. I specifically encouraged experimentation in a way that seems reasonably safe:
>
> There's no need to be so patronizing — I'm aware that you recommended TAILS (which is also a Tor project).

I'm sorry to write with more bad news - it certainly isn't meant to be patronizing though writing to correct and update people is often viewed that way - sadly it seems important to correct the record, again:

Tails is an independent project from the Tor Project - Tor supports the development of Tails and we are not the only group to do so.

Just to clear it up more explicitly: They have their own development cycles, their own funding management, their own development teams and so on. Obviously our two communities are very related but not so obviously, we are two different projects. I wouldn't for example ship i2p - though part of me is glad that someone does...

All the best,
Jacob
Re: [cryptography] Potential funding for crypto-related projects
> I don't think they are doing this (as I said, they only bother with the low hanging fruit) but they could. Is there a tool that detects changes of CA?

Certificate Patrol does it for you on client-side: https://addons.mozilla.org/de/firefox/addon/certificate-patrol/

Our own Crossbear does it for you on server-side - and will aggressively start tracerouting to get an idea of where the MITM must be.

Note that we are currently revising Crossbear to be implemented as an OONI test - called OONIBear. The Firefox plug-in has been broken by Mozilla's lovingly frequent changes in API; we're fixing at the moment.

[1] https://addons.mozilla.org/de/firefox/addon/certificate-patrol/
[2] http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf
[3] http://www.youtube.com/watch?v=29h21n-tyfEt=46m26s

Ralph

--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
Re: [cryptography] Potential funding for crypto-related projects
> So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one?

I'd love to see a revitalisation of remailer research, focussing on unlinkability (which we know many people would benefit from) rather than sender anonymity (which fewer people need, and which is prone to abuse that discourages people from running mixes).

Cheers,
Michael
Re: [cryptography] Potential funding for crypto-related projects
Michael Rogers:
>> So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one?
>
> I'd love to see a revitalisation of remailer research, focussing on unlinkability (which we know many people would benefit from) rather than sender anonymity (which fewer people need, and which is prone to abuse that discourages people from running mixes).

I'd also like to see revitalisation of remailer research. Though anonymity as Tor is designed is specifically about unlinkability. To reduce it to sender anonymity is pretty ... ridiculous. What one does with an anonymous communications channel is up to them - many people do actually want that feature for chatting, web browsing, news, email, etc.

All the best,
Jacob
Re: [cryptography] 100 Gbps line rate encryption
The fastest hardware implementation of RC4 that I know is 2 bytes/clock. I personally programmed a 1 byte/clock RC4 in an FPGA, it's quite simple. At 2 bytes/clock you still need a clock of 10 gigahertz to encrypt 100 Gbps. That's unfeasible, the way it's done is using parallelism, then you can use any algorithm you want as long as you have silicon available. Consider there are 400 Gbps systems coming online. Using a PC for that kind of workload is a waste of money and power. FPGAs are not that expensive nowadays.

> Just as a data point, on x86 processors with AESNI you can encrypt AES in, say, XTS mode with about 0.75 cycles / byte on each core. On an Intel Xeon E5-2690 'openssl speed -multi 4 -evp aes-128-xts' tops out at 13.5 GB/s for 8k blocks, which is 108 Gbps. That's only using half the physical cores and no hyperthreading. However, that's unlikely a realistic benchmark for whatever context the original question was referring to.
>
> On Sat, Jun 22, 2013 at 5:25 PM, Peter Maxwell pe...@allicient.co.uk wrote:
>> On 22 June 2013 23:31, James A. Donald jam...@echeque.com wrote:
>>> On 2013-06-23 6:47 AM, Peter Maxwell wrote:
>>>> I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough).
>>>
>>> I would be surprised if it is faster.
>>
>> Given the 100Gbps spec, I can only presume it's hardware that's being talked about, which is well outwith my knowledge. We also don't know whether there is to be only one keystream allowed or not.
>>
>> However, just to give an idea of performance: from a cursory search on Google, one can seemingly find Salsa20/12 being implemented recently on GPU with performance around 43Gbps without memory transfer (2.7Gbps with) - http://link.springer.com/chapter/10.1007%2F978-3-642-38553-7_11 ) - unfortunately I don't have access to the paper.
>>
>> On a decent 64-bit processor, the full Salsa20/20 is coming in around 3-4cpb - http://bench.cr.yp.to/results-stream.html - and while cpb isn't a great measurement, it at least gives a feel for things.
>>
>> Going on a very naive approach, I would imagine the standard RC4 will suffer due to being byte-orientated and not particularly open to parallelism. Salsa20 operates on 32-bit words and from a cursory inspection of the spec seems to offer at least some options to do operations in parallel. If I were putting money on it, I suspect one could optimise at least Salsa20/12 to be faster than RC4 on modern platforms; whether this has been done is another story. Fairly sure Salsa20/8 was faster than RC4 out-of-the-box.
>>
>> As with anything though, I stand to be corrected.
Re: [cryptography] Potential funding for crypto-related projects
I believe Anonymity is a problem orders of magnitude bigger than privacy. Tor seems like the only serious project aiming at solving it but I think you should be wise by choosing your enemies and Tor in its current state is useless against government-type surveillance for the following reasongs (IMHO): 1) Endpoint security: Tor is a big C project, needs much more code review until it's considered safe. 2) Network analysis: Tor is vulnerable to network analysis. FBI has made arrests to people that were specifically using TOR to hide their activities, and their use of network analysis to unmask them is documented (Jeremy Hammond, Stratfor case). Given those shortcomings I think is not wise to recommend it unless your enemy doesn't have the resources of a country. That being said, it's the best tool at the moment, lights year ahead of other popular software like Cryptocat, whose end-point security should be considered not only sub-par but dangerous. (who in their right mind will consider browser crypto?) Some months ago I tried to fix some shortcomings of Tor by wrapping it in a higher layer and using it for simple network-analysis resistant chat. The result was a protocol so slow that's almost unusable, if someone want to take a look at it it's here: https://github.com/alfred-gw/torirc I would like to see a tor configuration flag that sacrifices speed for anonymity. Michael Rogers: So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one? I'd love to see a revitalisation of remailer research, focussing on unlinkability (which we know many people would benefit from) rather than sender anonymity (which fewer people need, and which is prone to abuse that discourages people from running mixes). I'd also like to see revitalisation of remailer research. Though anonymity as Tor is designed is specifically about unlinkability. To reduce it to sender anonymity is pretty ... ridiculous. 
What one does with an anonymous communications channel is up to them - many people do actually want that feature for chatting, web browsing, news, email, etc. All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] 100 Gbps line rate encryption
Oops, miscalculation. That should be a 6.5 GHz clock for 100 Gbps. ((100 Gbps/8)/2) . Anyway I don't think anybody has hardware that fast except maybe for IBM with the Power8. The fastest hardware implementation of RC4 that I know is 2 bytes/clock. I personally programmed a 1 byte/clock RC4 in an FPGA, it's quite simple. At 2 bytes/clock you still need a clock of 10 gigahertz to encrypt 100 Gbps. That's unfeasible, the way it's done is using parallelism, then you can use any algorithm you want as long as you have silicon available. Consider there are 400 Gbps systems coming online. Using a PC for that kind of workload is a waste of money and power. FPGAs are not that expensive nowadays. Just as a data point, on x86 processors with AESNI you can encrypt AES in, say, XTS mode with about 0.75 cycles / byte on each core. On an Intel Xeon E5-2690 'openssl speed -multi 4 -evp aes-128-xts' tops out at 13.5 GB/s for 8k blocks, which is 108 Gbps. That's only using half the physical cores and no hyperthreading. However, that's unlikely a realistic benchmark for whatever context the original question was referring to. On Sat, Jun 22, 2013 at 5:25 PM, Peter Maxwell pe...@allicient.co.uk wrote: On 22 June 2013 23:31, James A. Donald jam...@echeque.com wrote: On 2013-06-23 6:47 AM, Peter Maxwell wrote: I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough). I would be surprised if it is faster. Given the 100Gbps spec, I can only presume it's hardware that's being talked about, which is well outwith my knowledge. We also don't know whether there is to be only one keystream allowed or not. 
However, just to give an idea of performance: from a cursory search on Google, one can seemingly find Salsa20/12 being implemented recently on GPU with performance around 43Gbps without memory transfer (2.7Gbps with) - http://link.springer.com/chapter/10.1007%2F978-3-642-38553-7_11 ) - unfortunately I don't have access to the paper. On a decent 64-bit processor, the full Salsa20/20 is coming in around 3-4cpb - http://bench.cr.yp.to/results-stream.html - and while cpb isn't a great measurement, it at least gives a feel for things. Going on a very naive approach, I would imagine the standard RC4 will suffer due to being byte-orientated and not particularly open to parallelism. Salsa20 operates on 32-bit words and from a cursory inspection of the spec seems to offer at least some options to do operations in parallel. If I were putting money on it, I suspect one could optimise at least Salsa20/12 to be faster than RC4 on modern platforms; whether this has been done is another story. Fairly sure Salsa20/8 was faster than RC4 out-of-the-box. As with anything though, I stand to be corrected. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
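A small budgeting helper for the numbers being traded in this thread, added here as an example (it is not code from the thread or from any of the posters). It takes the thread's own figures, 2 bytes/clock for a hardware RC4 and 0.75 cycles/byte for AES-XTS with AES-NI, and answers the three questions that matter for line-rate encryption: what clock a single engine would need, how many parallel engines a fixed clock needs, and what a cycles-per-byte figure adds up to across cores. The 250 MHz FPGA clock and the 2.9 GHz core clock in the demo are assumptions, not measurements.

```python
"""Line-rate budgeting for a cipher engine: the arithmetic behind the
100 Gbps discussion. Added example, not code from the thread. Inputs are
the thread's figures (2 bytes/clock for hardware RC4, 0.75 cycles/byte
for AES-XTS with AES-NI); the clocks used in the demo are assumptions."""
import math


def clock_ghz_for_rate(gbps, bytes_per_clock):
    """Clock one engine needs to sustain `gbps` at `bytes_per_clock`."""
    bytes_per_sec = gbps * 1e9 / 8
    return bytes_per_sec / bytes_per_clock / 1e9


def engines_for_rate(gbps, bytes_per_clock, clock_ghz):
    """How many identical engines must run in parallel when one engine's
    clock is fixed: the 'use parallelism, then any algorithm works as long
    as there is silicon' option from the thread."""
    per_engine_gbps = bytes_per_clock * clock_ghz * 8   # B/clk * Gclk/s * 8 bit/B
    return math.ceil(gbps / per_engine_gbps)


def gbps_from_cpb(cycles_per_byte, clock_ghz, cores):
    """Aggregate rate of `cores` cores each running at `cycles_per_byte`."""
    return clock_ghz / cycles_per_byte * 8 * cores   # Gclk/s / (clk/B) * 8 bit/B


def budget(gbps):
    """The three views for one target rate (FPGA and core clocks assumed)."""
    return {
        "rc4_2B_per_clk_single_engine_GHz": clock_ghz_for_rate(gbps, 2),
        "rc4_1B_per_clk_engines_at_250MHz_fpga": engines_for_rate(gbps, 1, 0.25),
        "aes_xts_0.75cpb_8_cores_at_2.9GHz_Gbps": gbps_from_cpb(0.75, 2.9, 8),
    }


if __name__ == "__main__":
    for rate in (100, 400):
        print(rate, "Gbps ->", budget(rate))
```

The first function is the one the thread's arithmetic is about: 100 Gbps is 12.5 GB/s, so at 2 bytes per clock a single engine has to run at 6.25 GHz, which is why the poster concludes that parallel engines, not a faster clock, are the way such links are actually built.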
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On Jun 30, 2013, at 12:44 AM, James A. Donald jam...@echeque.com wrote: Silent Circle expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure. Everything else is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, I am looking at you) However, everyone has found it hard to enable end users to manage keys. User interface varies from hostile, to unbearably hostile. Silent Circle publish end users public keys, which would seem to create the potential for a man in the middle attack. I would like to see a review and evaluation of Silent Circle's key management. This isn't quite correct. You have the gist of it, though. Silent Phone uses ZRTP, which is ephemeral DH with hash commitments for continuity, in the style of SSH. The short authentication string is there for explicit MITM protection. There's no explicit public key. Silent Phone uses SCIMP, which is also an EDH+hash commitment protocol, and also has no explicit public keys. The problem there is that unlike a voice protocol where you can use a voice recitation of a short authentication string, there's no implicit second channel in a text protocol. We're working on improvements there. There's a SCIMP paper up on silentcircle.com. Please look at it. Jon ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
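As an added example of the construction Jon describes (ephemeral DH, a hash commitment, a short authentication string read over the voice channel, and a retained secret carried into the next session for continuity), here is a self-contained Python sketch. It is not Silent Circle's code and not the ZRTP wire format from RFC 6189: the message layout, the KDF labels and the four-character z-base-32 SAS rendering are simplifications chosen for the demo, and the DH group is the RFC 3526 1536-bit MODP group transcribed inline. The point it makes runnable is the one in the message: there is no long-term public key anywhere, a man in the middle who terminates both legs ends up with two different short authentication strings, and a peer who lacks the cached secret from the previous call cannot derive the same key.

```python
"""ZRTP-style key agreement sketch: ephemeral Diffie-Hellman, a hash
commitment on the initiator's DH value, a short authentication string
(SAS) for the humans to compare by voice, and a retained secret carried
into the next session for key continuity. Added example following the
description in the thread; not Silent Circle's code and not the RFC 6189
wire format. Message layout, KDF labels and SAS rendering are simplified."""
import hashlib
import secrets

# RFC 3526 group 5 (1536-bit MODP), generator 2, transcribed inline.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8
Z32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32 alphabet, as ZRTP uses


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


def sas_string(digest: bytes) -> str:
    """Top 20 bits of the digest as four base32 characters to read aloud."""
    bits = int.from_bytes(digest[:3], "big") >> 4
    return "".join(Z32[(bits >> s) & 31] for s in (15, 10, 5, 0))


class Party:
    def __init__(self, name: str, rs_prev: bytes = b""):
        self.name = name
        self.rs_prev = rs_prev               # retained secret from the last call, if any
        self.x = secrets.randbelow(P - 2) + 1
        self.pv = pow(G, self.x, P)          # fresh (ephemeral) public value; no long-term key

    def commitment(self) -> bytes:
        # The initiator is bound to pv_i before it sees pv_r, so neither side
        # can choose its value after seeing the other's. Without this, about
        # 2^20 tries would suffice to force a 20-bit SAS collision.
        return H(b"commit", i2b(self.pv))

    def finish(self, peer_pv: int, pv_i: int, pv_r: int) -> None:
        s0 = i2b(pow(peer_pv, self.x, P))
        total = H(b"total", s0, i2b(pv_i), i2b(pv_r), self.rs_prev)
        self.key = H(b"key", total)          # session key
        self.rs_next = H(b"rs", total)       # cached for continuity next time
        self.sas = sas_string(H(b"sas", total))


def run_session(initiator: Party, responder: Party) -> bool:
    """Commit (H(pv_i)) -> DHPart1 (pv_r) -> DHPart2 (pv_i, checked against the
    commitment). True when both ends derived the same key and SAS, which
    also requires that their retained secrets agree."""
    hvi = initiator.commitment()
    pv_r = responder.pv                      # responder reveals first
    pv_i = initiator.pv                      # initiator reveals second
    if H(b"commit", i2b(pv_i)) != hvi:
        raise ValueError("DH value does not match the commitment")
    initiator.finish(pv_r, pv_i, pv_r)
    responder.finish(pv_i, pv_i, pv_r)
    return initiator.key == responder.key and initiator.sas == responder.sas


def run_mitm(alice: Party, bob: Party):
    """Mallory terminates both legs with her own DH values. Both legs
    'succeed', but the SAS Alice reads aloud differs from Bob's (barring a
    2^-20 fluke), which is exactly what the spoken comparison exposes."""
    to_alice, to_bob = Party("mallory-as-bob"), Party("mallory-as-alice")
    run_session(alice, to_alice)
    run_session(to_bob, bob)
    return alice.sas, bob.sas, alice.key, bob.key
```

The text-messaging problem Jon raises is visible in the code: sas_string only helps if the two humans have a second channel on which to compare it, and run_mitm shows what that comparison catches; without such a channel the retained secret (rs_prev) is the only thing tying a session to earlier ones.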
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On 2013-06-30, at 3:44 AM, James A. Donald jam...@echeque.com wrote: On 2013-06-30 5:13 PM, Danilo Gligoroski wrote: This was expected. As Skype definitely ruined its reputation as free end-to-end application for secure communication, other products are taking their chances. Agencies showing sudden interest in encrypted comm --- http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-com m.aspx Silent Circle expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure. Everything else is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, I am looking at you) You seem to be implying that Cryptocat does not manage keys on the end-user side. This is false — Cryptocat users do manage their own keys on the client side, in fact. I would recommend reading our paper for more information: http://arxiv.org/abs/1306.5156 We also have quite a bit of documentation, threat modelling and so on on our development wiki: https://github.com/cryptocat/cryptocat/wiki/Threat-Model NK However, everyone has found it hard to enable end users to manage keys. User interface varies from hostile, to unbearably hostile. Silent Circle publish end users public keys, which would seem to create the potential for a man in the middle attack. I would like to see a review and evaluation of Silent Circle's key management. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On 2013-07-01 8:55 AM, Nadim Kobeissi wrote: On 2013-06-30, at 3:44 AM, James A. Donald jam...@echeque.com wrote: On 2013-06-30 5:13 PM, Danilo Gligoroski wrote: This was expected. As Skype definitely ruined its reputation as free end-to-end application for secure communication, other products are taking their chances. Agencies showing sudden interest in encrypted comm --- http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-com m.aspx Silent Circle expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure. Everything else is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, I am looking at you) You seem to be implying that Cryptocat does not manage keys on the end-user side. This is false — Cryptocat users do manage their own keys on the client side, in fact. According to the paper, there are no long term public and private keys. ID is therefore wholly username and password Cryptocat does not currently store long-term key pairs (see § 9.2), need to be generated, along with DSA parameters, each time the application is launched Which of course does not make cryptocat inherently insecure, or fatally flawed, but nonetheless, does not provide the security that would come from users managing their own keys, if ever we managed to provide an interface where users successfully managed their own keys without screwing up. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] post-PRISM boom in secure communications (WAS skype backdoor confirmation)
On 2013-06-30, at 7:36 PM, James A. Donald jam...@echeque.com wrote: On 2013-07-01 8:55 AM, Nadim Kobeissi wrote: On 2013-06-30, at 3:44 AM, James A. Donald jam...@echeque.com wrote: On 2013-06-30 5:13 PM, Danilo Gligoroski wrote: This was expected. As Skype definitely ruined its reputation as free end-to-end application for secure communication, other products are taking their chances. Agencies showing sudden interest in encrypted comm --- http://gcn.com/blogs/cybereye/2013/06/agencies-sudden-interest-encrypted-com m.aspx Silent Circle expects end users to manage their own keys, which is of course the only way for end users to be genuinely secure. Everything else is snake oil, or rapidly turns into snake oil in practice. (Yes, Cryptocat, I am looking at you) You seem to be implying that Cryptocat does not manage keys on the end-user side. This is false — Cryptocat users do manage their own keys on the client side, in fact. According to the paper, there are no long term public and private keys. ID is therefore wholly username and password Ah, but there are no usernames and passwords either. Sessions are completely ephemeral. Cryptocat does not currently store long-term key pairs (see § 9.2), need to be generated, along with DSA parameters, each time the application is launched Which of course does not make cryptocat inherently insecure, or fatally flawed, but nonetheless, does not provide the security that would come from users managing their own keys, But yes, long-term keys are worth investigating. NK if ever we managed to provide an interface where users successfully managed their own keys without screwing up. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
aort...@alu.itba.edu.ar: I believe Anonymity is a problem orders of magnitude bigger than privacy. I agree - though most people think the two terms mean the same thing. Lots of different terms are a similar set of things for different people. Tor seems like the only serious project aiming at solving it but I think you should be wise by choosing your enemies and Tor in its current state is useless against government-type surveillance for the following reasons (IMHO): Whenever I see the above statement, I think to myself gosh, I really wonder what this person suggests I should do? or I wonder what they would do in my shoes or the shoes of any of my friends who do not get to choose if they're playing? - usually, there isn't much of a response. The advice of don't do anything is not useful - rather - do something but understand the limits, and understand the limits of what we know is much more useful. So then - what do you suggest to someone who wants to leak a document to a press agency that has a GlobaLeaks interface? What do you suggest to someone who wants to use a web email account that properly supports HTTPS? What do you suggest to someone who wants location privacy from their chat service? What do you suggest to someone who wants to buy themselves time and not link their entire past to some event they think might matter, thus attracting retroactive searches in the future? 1) Endpoint security: Tor is a big C project, needs much more code review until it's considered safe. I agree - all C programming projects need help in this area. This is why we have multiple static analysis tools, regular code audits, multiple people doing code review for every commit, a design process for features, a design process for protocol changes, cryptographic review at an academic level and at an implementation level, and so on. It is also why we have multiple implementations as well. 
There is a Java version of Tor that is nearly ready for release and it will solve a number of the C implementation concerns and exchange them for Java related concerns. There are a few other Tor implementations in the wild, each serving an interesting subset of users. Diversity is important. Still - having a bug in Tor as a client is a lot less likely than in whatever application you'll use with Tor - web browsers come to mind here but other chat clients, like Pidgin or Thunderbird, they also come to mind. 2) Network analysis: Tor is vulnerable to network analysis. FBI has made arrests of people that were specifically using Tor to hide their activities, and their use of network analysis to unmask them is documented (Jeremy Hammond, Stratfor case). What is public about Jeremy Hammond is worth reading. It suggests the FBI has the lamest of all Network analysis techniques - a very simple traffic confirmation attack. They appear to disconnect a person's internet and then they ask their snitch if the person signs off from their chat service. There are solutions - one of them is to run a second machine reachable by (Stealth) Tor Hidden Service with your chat client in gnu screen - log in to that system, attach to the screen and chat away - sometimes, you'll get disconnected but no one will see it. There are social issues that are more concerning though - if you normally are quite chatty, only to stop chatting, they might suggest that not speaking is confirmation, etc. So this issue, like any solution, is partially a technical issue and partially a social issue. It is not fair to blame Tor for the times that you have no internet. Tor can't protect you from an internet blackout when you need to reach a service on the public internet. Given those shortcomings I think it is not wise to recommend it unless your enemy doesn't have the resources of a country. 
That being said, it's the best tool at the moment, light years ahead of other popular software like I think if you put all countries in the same category you're doing a disservice to well, everyone. There are different behaviors - chatting to a jabber service that is a Tor hidden service is probably fine - especially if you also use TLS anyway. I do that on a daily basis - I also consider that there are nation state attackers going after me - what would be a better option? Living in the forest and writing with a pen? Hardly. People who are working on important work can protect themselves with Tor and they do so. Without Tor and without a complex education, I think they have little to no chance. Barebacking with the internet is like barebacking with Big Brother. Don't do it. Cryptocat, whose end-point security should be considered not only sub-par but dangerous. (who in their right mind would consider browser crypto?) Oh man, you just opened up a can of worms that I won't even touch. If I even comment, an entire community of people will send me hate mail - which I suppose is enough said already. :( Some months ago I tried to fix some shortcomings of Tor by
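The attack Jacob describes above, a disconnect-and-watch traffic confirmation, together with his remote-screen mitigation, as an added simulation over constructed presence logs. This is example code written for this page, not anything from the Hammond case, from Tor, or from any of the posters; the nicks, timings, the churn model and the way the 'client in screen on a host reached over a hidden service' setup is modelled are all assumptions. It scores how often the target nick drops off chat right after the suspect's link is cut, and compares that to how often a drop would coincide by chance.

```python
"""Disconnect-and-watch traffic confirmation, as described in the thread:
cut the suspect's link at chosen moments and ask an insider whether the
target nick drops off the chat service at those moments. Added example
over constructed logs; the nicks, timings, churn model and the 'client in
screen on a hidden-service host' mitigation are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Presence:
    t: float       # seconds since start of observation
    nick: str
    state: str     # "online" or "offline"


def simulate_presence(cuts, nick, direct_client, rng, duration=36000.0, churn=6):
    """Constructed log for one nick. With direct_client=True the chat client
    sits on the machine behind the cut link and drops (ping timeout) a few
    seconds after each cut. With direct_client=False the client runs in screen
    on a separate host reached over a (stealth) hidden service: the chat
    session outlives the cut, so only ordinary join/part churn shows up."""
    ev = []
    for _ in range(churn):
        t = rng.uniform(0, duration)
        ev.append(Presence(t, nick, "offline"))
        ev.append(Presence(t + rng.uniform(30, 600), nick, "online"))
    if direct_client:
        for c in cuts:
            lag = rng.uniform(1, 20)
            ev.append(Presence(c + lag, nick, "offline"))
            ev.append(Presence(c + lag + rng.uniform(60, 300), nick, "online"))
    return sorted(ev, key=lambda e: e.t)


def confirmation_score(cuts, events, nick, window=60.0):
    """Fraction of cuts followed within `window` seconds by an offline
    event for `nick`: the watcher's evidence that nick == suspect."""
    offline = [e.t for e in events if e.nick == nick and e.state == "offline"]
    hits = sum(1 for c in cuts if any(c <= t <= c + window for t in offline))
    return hits / len(cuts) if cuts else 0.0


def chance_rate(events, nick, window=60.0, duration=36000.0):
    """How often a randomly timed cut would be 'confirmed' by coincidence:
    share of the observation period covered by a post-offline window."""
    n_off = sum(1 for e in events if e.nick == nick and e.state == "offline")
    return min(1.0, n_off * window / duration)


def run_demo(seed=2013, n_cuts=5):
    """Same cut schedule against both setups; returns (score, chance) pairs."""
    rng = random.Random(seed)
    cuts = sorted(rng.uniform(600, 35000) for _ in range(n_cuts))
    out = {}
    for label, direct in (("direct", True), ("remote-screen", False)):
        log = simulate_presence(cuts, "target", direct, rng)
        out[label] = (confirmation_score(cuts, log, "target"),
                      chance_rate(log, "target"))
    return out
```

A handful of cuts is enough: the direct client confirms on every cut while chance coincidence sits around one or two percent, which is why the attack is "the lamest" and still works. The remote-screen setup removes the link-level signal entirely; the social signal Jacob mentions (the target simply going quiet) is not modelled here, and no amount of screen helps with that.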
[cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
Speaking of which... If you had an extra $2-3K to give to a liberationtech or crypto project, who do you think would benefit the most? Thanks, Yosem ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
Yosem Companys: Speaking of which... If you had an extra $2-3K to give to a liberationtech or crypto project, who do you think would benefit the most? Tails. They could use support: https://tails.boum.org All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
Though it wouldn't necessarily advance anonymity or cryptography knowledge I think funding of a public repository that had reviewed, stable packages for the most popular distributions of nginx, apache and openssl that came with the most secure stuff enabled; for example today Redhat doesn't ship packages with ECDH enabled and for many server administrators building your own packages is too complicated. This could further the adoption of strong cryptography. -Original Message- From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of Jacob Appelbaum Sent: Sunday, June 30, 2013 7:11 PM To: cryptography@randombit.net Subject: Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects] Yosem Companys: Speaking of which... If you had an extra $2-3K to give to a liberationtech or crypto project, who do you think would benefit the most? Tails. They could use support: https://tails.boum.org All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
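A quick local check for the situation Ryan describes, added here as an example (not code from any of the posters): ask the OpenSSL library that Python is linked against which key-exchange mechanisms its cipher table actually contains. It inspects the library only and makes no network connection. On a build with ECDH compiled out, the "ECDH" entry simply never appears; on a normal build the same call also shows whether the default client configuration still enables those suites. The cipher-list string "ALL:COMPLEMENTOFALL" is OpenSSL's way of saying "everything this build knows", and the shell equivalent an administrator would type is `openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep Kx=ECDH`.

```python
"""Ask the local OpenSSL (via Python's ssl module) which TLS key-exchange
mechanisms are present in its cipher table. Added example: a local check
with no network access, for the case the thread describes, a distro build
that shipped without ECDH. Note that the interpreter may be linked against
a different OpenSSL than the system nginx or apache; check the one they use."""
import ssl
from collections import defaultdict

EVERYTHING = "ALL:COMPLEMENTOFALL"   # every suite the build knows, enabled or not


def key_exchange_table(cipher_list=EVERYTHING):
    """Map the 'Kx=...' token of OpenSSL's one-line cipher description
    (ECDH, DH, RSA, any for TLS 1.3) to the suite names that use it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    table = defaultdict(list)
    for c in ctx.get_ciphers():
        kx = next((tok[3:] for tok in c["description"].split()
                   if tok.startswith("Kx=")), "?")
        table[kx].append(c["name"])
    return {k: sorted(v) for k, v in table.items()}


def ecdhe_available(cipher_list=EVERYTHING):
    """True if the build contains any suite keyed with ephemeral ECDH."""
    return bool(key_exchange_table(cipher_list).get("ECDH"))


def forward_secrecy_report():
    """What the build can do versus what the default client context enables."""
    built_in = key_exchange_table()
    default_ctx = ssl.create_default_context()
    default_names = {c["name"] for c in default_ctx.get_ciphers()}
    ecdh_default = [n for n in built_in.get("ECDH", []) if n in default_names]
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "ecdh_compiled_in": ecdhe_available(),
        "ecdh_suites_in_build": len(built_in.get("ECDH", [])),
        "ecdh_suites_in_default_context": len(ecdh_default),
        "static_rsa_suites_in_build": len(built_in.get("RSA", [])),
        "tls13_suites": len(built_in.get("any", [])),
    }


if __name__ == "__main__":
    for k, v in forward_secrecy_report().items():
        print(f"{k}: {v}")
```

The distinction between "compiled in" and "enabled by default" is the one that matters for the repository Ryan proposes: a package can ship with the code present but a cipher string that never offers it, and only the second number above tells you what a client built on this library will actually negotiate.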
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
Ryan Hurst: Though it wouldn't necessarily advance anonymity or cryptography knowledge I think funding of a public repository that had reviewed, stable packages for the most popular distributions of nginx, apache and openssl that came with the most secure stuff enabled; for example today Redhat doesn't ship packages with ECDH enabled and for many server administrators building your own packages is too complicated. This could further the adoption of strong cryptography. I find it hilarious that Redhat cripples their cryptographic security software. In the sense that it makes me wonder about the rest of their security processes and software. What the... All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]
Humor or depression so hard to decide. -Original Message- From: Jacob Appelbaum [mailto:ja...@appelbaum.net] Sent: Sunday, June 30, 2013 7:23 PM To: Ryan Hurst Cc: cryptography@randombit.net Subject: Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects] Ryan Hurst: Though it wouldn't necessarily advance anonymity or cryptography knowledge I think funding of a public repository that had reviewed, stable packages for the most popular distributions of nginx, apache and openssl that came with the most secure stuff enabled; for example today Redhat doesn't ship packages with ECDH enabled and for many server administrators building your own packages is too complicated. This could further the adoption of strong cryptography. I find it hilarious that Redhat cripples their cryptographic security software. In the sense that it makes me wonder about the rest of their security processes and software. What the... All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably. The NSA became demilitarised, that is, involved in civilian law enforcement, when it stopped being the AFSA (Armed Forces Security Agency) and the NSA was created in 1952. But even prior to that in its earlier form as the AFSA, ASA, etc., the NSA did some civil law enforcement work with the FBI. For example Project Shamrock which started in 1945 (seven years before the AFSA became the NSA) involved: Intercepted messages were disseminated to the FBI, CIA, Secret Service, Bureau of Narcotics and Dangerous Drugs (BNDD), and the Department of Defense. Earlier forms of the NSA were also involved in cryptanalysis of pirate radio stations and prohibition era booze barons. The case of their abuses was Project MINARET 1967-1975 which spied on US citizens that were suspected of being dissidents or involved in drug smuggling. This information was passed on to the FBI and local law enforcement. Project MINARET that uses “watch lists” to electronically and physically spy on “subversive” activities by civil rights and antiwar leaders such as Dr. Martin Luther King, Jr, Jane Fonda, Malcolm X, Dr. Benjamin Spock, and Joan Baez—all members of Richard Nixon’s infamous “enemies list.” The NSA has been a civil law enforcement organisation in practice if not always in principle since before its inception (its charter broadened its role beyond its previous role as a military support organisation). 
On Sun, Jun 30, 2013 at 6:30 AM, ianG i...@iang.org wrote: On 29/06/13 13:23 PM, Jacob Appelbaum wrote: http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-nsa-files-whistleblower One of the most interesting things to fall out of this entire ordeal is that we now have a new threat model that regular users will not merely dismiss as paranoid. They may want to believe it *isn't* true or that policy has changed to stop these things - there is a lot of wishful thinking to be sure. Still such users will not however believe reasonably that everyone in the world follows those policies, even if their own government may follow those policies. Yes, but I don't think the penny has yet dropped. One of the things that disturbed me was the several references of how they deal with the material collected. I don't think this is getting enough exposure, so I'm laying my thoughts out here. There is a lot of reference to analysts poking around and deciding if they want that material or not, as the sole apparent figleaf of a warrant. But there was also reference to *evidence of a crime* : http://www.cnsnews.com/news/article/intelligence-chief-defends-internet-spying-program —The dissemination of information incidentally intercepted about a U.S. person is prohibited unless it is necessary to understand foreign intelligence or assess its importance, *is evidence of a crime* , or indicates a threat of death or serious bodily harm. The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably. 
This represents a much greater breach than anything else. We always knew that the NSA could accidentally harvest stuff, and we always knew that they could ask GCHQ to spy on Americans in exchange for another favour. As Snowden said somewhere, the American/foreigner thing is just a distracting tool used by the NSA to up-sell their goodness to congress. What made massive harvesting relatively safe was that they never shared it, regardless of what it was about, unless it was a serious national security issue. Now the NSA is sharing *criminal* information -- civilian information. To back this shift up, the information providers reveal: http://www.counterpunch.org/2013/06/20/spying-by-the-numbers/ Apple reported receiving 4,000 to 5,000 government requests for information on customers in just the last six months. From December 1, 2012 to May 31, 2013 Apple received law enforcement requests for customer data on 9-10,000 accounts or devices. Most of these requests are *from police for robberies, missing children* , etc. Facebook said something similar about missing children, I think. Elsewhere,
Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)
Ethan Heilman: The way I read that (and combined with the overall disclosures that they are basically collecting everything they can get their hands on) the NSA has now been de-militarised, or civilianised if you prefer that term. In the sense that, information regarding criminal activity is now being shared with the FBI friends. Routinely, albeit secretly and deniably. The NSA became demilitarised, that is, involved in civilian law enforcement, when it stopped being the AFSA (Armed Forces Security Agency) and the NSA was created in 1952. But even prior to that in its earlier form as the AFSA, ASA, etc., the NSA did some civil law enforcement work with the FBI. For example Project Shamrock which started in 1945 (seven years before the AFSA became the NSA) involved: Intercepted messages were disseminated to the FBI, CIA, Secret Service, Bureau of Narcotics and Dangerous Drugs (BNDD), and the Department of Defense. Earlier forms of the NSA were also involved in cryptanalysis of pirate radio stations and prohibition era booze barons. The case of their abuses was Project MINARET 1967-1975 which spied on US citizens that were suspected of being dissidents or involved in drug smuggling. This information was passed on to the FBI and local law enforcement. Project MINARET that uses “watch lists” to electronically and physically spy on “subversive” activities by civil rights and antiwar leaders such as Dr. Martin Luther King, Jr, Jane Fonda, Malcolm X, Dr. Benjamin Spock, and Joan Baez—all members of Richard Nixon’s infamous “enemies list.” The NSA has been a civil law enforcement organisation in practice if not always in principle since before its inception (its charter broadened its role beyond its previous role as a military support organisation). 
Call them what they are: a domestic political secret police with international capabilities. That they collaborate with the FBI and CIA is especially terrible - the others have little to no clue about cryptography, exploitation or well - traffic analysis of computer networks. All the best, Jacob ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Potential funding for crypto-related projects
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote: I would like to see a tor configuration flag that sacrifices speed for anonymity. You're the first person, perhaps ever, to make that feature request without it being in a mocking tone. At least, I think you're not mocking! :) I would second that, it would be a desirable feature. As it happens, I have been pondering this very problem for a while now, even before information came to light about GCHQ's pervasive tapping of fibre cables. While I doubt any government agency is at the moment running any decent traffic analysis on the Tor network - as was alluded to in previous posts, it's hardly worth their while at the moment - conceptually it wouldn't take a massive leap to do so. If you have visibility of a large proportion of the internet with very accurate time stamps, it will almost certainly be possible to break the anonymity protection that Tor currently provides. There are some naive models that can combat that type of traffic analysis but they all introduce new problems as well. For example, if one creates a new mode of operation so that nodes forward entire messages instead of packets and that those messages have a lower and upper bound delay field, it would seem on the face of it that one could thwart traffic analysis because the data forwarding times are almost completely disassociated from the sender. However, because it is a larger message instead of packets, a new statistical bias is introduced in terms of message size and reduction in frequency of forwarding events. So in this naive model, it may actually have made the situation worse. So, yes, being able to sacrifice speed for improved anonymity is a desirable feature but I doubt it's going to be particularly easy to design or implement. There's also the problem of having applications that can utilise a mode of operation that has potentially much higher latency. 
___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
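A toy model of the "forward whole messages with a bounded random delay" mode Peter sketches, added here as an example (constructed traffic, not a model of Tor or of any deployed mix, and not code from any of the posters) to make the two observables he names concrete. An adversary watching both sides of one node and assuming first-in-first-out loses the timing correlation once the delay spread is large compared with the inter-arrival gap; but as long as messages are forwarded with their sizes unchanged, size alone re-links every one of them, and padding to a fixed block is what removes that second observable. The sizes, delay bounds and adversary strategy are assumptions made for the demo; the reduced forwarding frequency Peter also mentions is not modelled.

```python
"""Toy simulation of the 'forward whole messages with a bounded random
delay' mode from the thread, for an adversary who sees both the input
and output side of one node. Added example with constructed traffic; the
sizes, delay bounds and the FIFO-guessing adversary are assumptions made
to illustrate the two observables discussed (timing and message size),
not a model of Tor or of any real mix."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    ident: int     # ground-truth label, never visible to the adversary
    t: float       # time seen on the wire (seconds)
    size: int      # bytes on the wire


def pad(size, block):
    """Pad up to a multiple of `block`; block=1 means no padding."""
    return -(-size // block) * block


def send_batch(n, rng, block=1, gap=1.0):
    """n messages, one every `gap` seconds, with distinct raw sizes."""
    sizes = rng.sample(range(200, 4000), n)
    return [Msg(i, i * gap, pad(s, block)) for i, s in enumerate(sizes)]


def mix_forward(inputs, lo, hi, rng):
    """Hold each message for a delay drawn uniformly from [lo, hi], then
    forward it with its size unchanged (the naive model from the thread)."""
    out = [Msg(m.ident, m.t + rng.uniform(lo, hi), m.size) for m in inputs]
    return sorted(out, key=lambda m: m.t)


def link_by_timing(inputs, outputs):
    """Adversary assumes first-in-first-out and pairs by arrival order."""
    ins = sorted(inputs, key=lambda m: m.t)
    return {o.ident: i.ident for i, o in zip(ins, outputs)}


def link_by_size(inputs, outputs):
    """Adversary pairs each output with the earliest unused input of the
    same wire size; with distinct sizes this is exact regardless of delay."""
    unused = {}
    for m in inputs:
        unused.setdefault(m.size, []).append(m.ident)
    guess = {}
    for o in outputs:
        cands = unused.get(o.size, [])
        guess[o.ident] = cands.pop(0) if cands else -1
    return guess


def accuracy(guess):
    """Share of outputs the adversary linked to the right input."""
    return sum(1 for o, i in guess.items() if o == i) / len(guess)


def experiment(n=50, lo=0.0, hi=0.0, block=1, seed=1):
    """Run one batch through the node and score both linking strategies."""
    rng = random.Random(seed)
    ins = send_batch(n, rng, block)
    outs = mix_forward(ins, lo, hi, rng)
    return {"timing": accuracy(link_by_timing(ins, outs)),
            "size": accuracy(link_by_size(ins, outs))}
```

Three runs tell the story: with no delay and no padding both strategies link everything; with delays of up to 30 seconds against one-second gaps the timing guess collapses while the size guess still links every message, which is the "may actually have made the situation worse" case (the delay bought nothing against this adversary); with padding to a 4096-byte block on top of the delay, the size guess falls to the same chance level as the timing guess.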