The Crypto Project Revives Cypherpunk Ethic 77
Trailrunner7 writes "When a small group of activists announced the debut of The Crypto Project earlier this year, for many, ahem, mature, security and privacy advocates it brought to mind memories of the original cypherpunk movement that began in the 1990s and that group's seminal efforts to encourage the use of strong cryptography and anonymity online, as well as its successes and failures. The two groups are not allied by anything other than ideology, but The Crypto Project's leaders are aiming to follow in the footsteps of the cypherpunks, build on their accomplishments and make security and privacy tools freely available to the masses. The group is working on a number of projects right now, including setting up an anonymous remailer, putting up a Convergence notary and setting up a Tahoe-LAFS grid. Threatpost has an interview with Sir Valiance, one of the leaders of the project, who talks about the need for better privacy and anonymity online and why the cypherpunks are still important today."
I CRIED (Score:1)
The day I could no longer log in to the NYT site with the credentials "cypherpunk:cypherpunk".
Ah. Innocence so fragile. How soon it departs...
Re: (Score:2)
cpunks:cpunks has been working fine... CP's not dead ;)
So it does, thank you!
Better keep this a secret.
Re: (Score:2)
Also cypherpunk2:cypherpunk
Re: (Score:1)
Thanks! Wish you were logged in so I could mod you up.
Privacy and anonymity online... (Score:1, Interesting)
That will never be possible when you're on their wire. never never never... The entire concept is absurd.
Re:Privacy and anonymity online... (Score:5, Interesting)
The whole point of encryption is making it so that sending your stuff over somebody else's wire doesn't let them know what it is.
As for anonymity, there are ways for that as well, like what Tor does.
True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful. And then people will come up with some way around that, like adhoc wifi networks or something of that sort.
But that's unnecessary (Score:5, Interesting)
to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.
Ah, but to defeat Tor or encryption, it doesn't have to be made impossible - it just has to be made so as to be not trustworthy. So let's say a friendly agency captured a few (or more) Tor nodes, and co-opted a few root certificates (ahem, Iran). These tools don't have to be defeated 100% of the time, they just have to be defeated in principle for them to crumble.
It's sort of like privacy terrorism - the targets are largely symbolic rather than practical, and the goal is to instill fear rather than defeat in a straightforward manner.
And then people will come up with some way around that, like adhoc wifi networks or something of that sort.
Which, I fear, would allow even easier avenue of attack for certain organizations who like to do that. Anything ad-hoc has to be able to find a way to trust something it's never met before (by definition). That's prone to attack too. There are advantages and weaknesses to both centralization and decentralization.
Re:Privacy and anonymity online... (Score:4, Interesting)
True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.
Whishful thinking. How many people do you know personally that run a Tor exit node? How many of them would you consider 100% trustworthy? Compromised exit nodes offer a lot of possibilities: browser ID'ing, code injection, traffic analysis. How about the programs you run over Tor. Are you 100% sure they don't leak private information? Have you checked their source code and internet protocols? What about the endpoints? Are they secure? Do they use SSL? Which SSL encryption do they use, super-secure RC4 like Google search? Can you be identified from your browsing behavior?
Agencies like the NSA have the expertise, the money, and the infrastructure to own the majority of exit nodes. Not only that, if they wanted to and got the funding, they could easily own the majority of all Tor nodes. I'm not saying that they do or that you should assume they do (they might not have an incentive, as they are probably already drowning more valuable data), but that you shouldn't rely on Tor's anonymity too much.
Moreover, bear in mind what others have already pointed out. There are many dirty tricks to undermine the trustworthiness of projects, especially since it's highly likely that many private crypto implementors are on the secret payroll of some government. Take e.g. a look at Wikileaks for the results of such campaigns.
However, if a government wants to get rid of Tor officially there is a much easier way. They just prohibit it and that's it. Use of Tor is easy to identify. The same for encryption in general. Or you just make it illegal not to give away the password to authorities when they want it like in the fascist UK.
Re:Privacy and anonymity online... (Score:4, Interesting)
You're not supposed to trust a Tor exit node. Every Tor instruction I've seen mentions that you should use an anonymizing proxy to erase the things that allow browser IDing.
For leaking private information, there exist programs that monitor traffic and tell you when for instance DNS requests are made without going through Tor.
Yes, getting all this right is certainly tricky. But it's not a new idea, and countermeasures for untrustworthy exit nodes are already in place.
But that's where what I said about making the internet less useful comes in. Yes, the government can forbid encryption. But what about the countless VPNs used by foreign companies, internet banking and shopping, the myriad of old or embedded systems that automatically do encrypted transfers, the encryption built into operating systems?
In some backward third world country that might be possible, but anywhere else such a thing would carry a very high cost attached.
Then if it still happens, people will figure out how to transfer data in a hidden way.
Re: (Score:1)
But that's where what I said about making the internet less useful comes in. Yes, the government can forbid encryption. But what about the countless VPNs used by foreign companies, internet banking and shopping, the myriad of old or embedded systems that automatically do encrypted transfers, the encryption built into operating systems?
Key escrow where the government has a master key. This has been suggested, demanded, or even implemented by governments already in the past. (Regarding the "older embedded systems", I'd doubt any of them is secure btw...)
That being said, there might be a political problem in many democratic countries with weakening encryption in this way nowadays. But that depends on the circumstances. Add another major economic crisis and a few terrorist attacks and you might have to say good-bye to encryption without gove
Re: (Score:1)
> Agencies like the NSA have the expertise, the money, and the
> infrastructure to own the majority of exit nodes.
Or own Google...
Re: (Score:2)
If you want any sort of guarantee for the confidentiality and integrity of your data, you do the same thing over tor that you would have to do without it: Never initiate any non-SSL or non-certified connection, configure your browser not to transmit any identifying data (user agent, referer, cookies) and for heaven's sake do not run any scripts or plugins.
Without these precautions, all that tor does is expose your information to unknown spies (the exit node) in addition to known spies (your ISP, the carrier
Re: (Score:2)
Agencies like the NSA have the expertise, the money, and the infrastructure to own the majority of exit nodes.
I do not think anyone realistically believes that they can defeat the NSA. Yet there are numerous other government agencies in various countries around the world who do not have the capabilities that the NSA has, and who can do far greater harm than the NSA. Just because it would be difficult to defeat the world's most powerful and best funded signals intelligence agency does not mean that Tor or the anonymous remailer network are worthless.
Re: (Score:2)
Are they still out there and still functioning?
Re: (Score:2)
Re:Privacy and anonymity online... (Score:4, Interesting)
I'm not so sure about that. There is no end to the layers of obfuscation and detection which leads to an arms-race where (for short periods) anonymity and privacy are theoretically (and for those committed enough, practically) possible.
However as far as arms-races go, I believe this one is asymmetric. It eventually has only one solution (for the state): outlaw encryption.
Re: (Score:2)
Re: (Score:1)
That word. I do not think it means what you think it means.
Re: (Score:3)
On the third hand, maybe you could make a stenographic system that would require analysing so much data that it'd be too expensive to try to detect even if the adversary knew about the stenographic channels? Like hiding it in a protocol that has grotesque traffic volumes (eg., bittorrent)?
Re: (Score:2)
Re: (Score:2)
Stenography is the way a court reporter types up a transcript of what was said.
Steganography is secret writing hidden in something else.
Two different words.
Re: (Score:2)
Re: (Score:1)
Re: Stenography (Score:2)
And have you actually seen anybody doing stenography [wikimedia.org] the last decade or two? Those people have been pretty much invisible since the Cypherpunks movement started - they were part of one of our great successes, Silent Trystero's Typing Pool...
Stenography is different from what court reporters do, though both of them are trying to capture speech in real time. It's a shorthand version of writing that a well-trained secretary could use to capture notes that she'd then type up, and Dictaphones were a technica
Re: (Score:2)
Re: Stenography vs. Steganography (Score:2)
No, I actually was talking about stenography, as was CryptoJones, more or less (though we were also making fun of the people who'd used that term instead of steganography.) It's becoming a lost art, but some of the older folks here will remember those Gregg Shorthand books, and typing pools.
With Steganography, some of the interesting directions to look are how to hide stuff in various video formats, both from the standpoint of how much you can hide from programs and also how much you can hide from visual p
Re: (Score:2)
However as far as arms-races go, I believe this one is asymmetric. It eventually has only one solution (for the state): outlaw encryption.
At which point we bring out the myriad crypto schemes that make encrypted content indistinguishable from plain text. It is really easy to "encrypt" a text not into bytes, but into english words. Yeah, it won't give you a meaningful sentence - label it as an avant-garde poem and you're good.
There are more refined ways that work even better. I think there even was one that generated Shakespearean sonnets as output.
Then there's the whole stego area. Google for "snow" and have fun.
In the end, outlawing crypto i
It will only make governments more ruthless (Score:2)
Encryption isn't good enough to stop extraordinary rendition. The government essentially views anyone who uses encryption in an ubiquitous opportunistic way as a terrorist. Encryption didn't protect Bradley Manning from Adrian Lamo. Encryption will only force the governments to rely on informants, which means the government which can't break your code will focus instead on breaking you.
So if you don't give up your key prepare to be tortured until you do. That's how code breaking actually works. Also prepare
Re: (Score:3)
Re: (Score:2)
I use encryption to mitigate the consequences of my computer being physically stolen (by an opportunistic thief, I can't imagine a scenario where someone would target my data...).
XKCDs wrench-wielding gibbons do not speak to that use.
Re: (Score:2)
Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.
Re: (Score:1)
Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.
Only this isn't going to be the case 90% of the time.
Re: (Score:2)
I think that what he means is, most data that we encrypt are things that we'd be more than willing to surrender to a force-wielding attacker. Similar to how one gives one's wallet to muggers, it's pretty straightforward to say "Oh, that drive. That's my encrypted drive of family photos and baby videos."
Re: (Score:2)
The mugger analogy is excellent, because even though most people will just hand their wallets over to a mugger, the mugger doesn't know which people actually have money in their wallets and which ones don't, until after he's mugged them. And every mugging carries some risk to the mugger, even though it's fairly low.
If you work as a mugger on a fairly small scale (mug ten people per day), perhaps you can eventually make enough money to retire before you get killed or arrested. I don't know.
But if you set o
Re: (Score:2)
Re: (Score:2)
What's interesting is, regardless of whether he actually experienced it (or if the experiences he has are correctly explained by his explanations), a lot of it seems like it WOULD work. Social pressure is pretty interesting, and one could certainly imagine a group of teens harassing someone in some of those ways.
But yes, just looking at the headings of the main page makes it easy for one to think he's a crackpot.
Re: (Score:1)
Rather than reading (possibly schizophrenic) ramblings on the Internet, go see Das Leben der Anderen [imdb.com] ("The Lives of Others"; I think it's out in English now), about a writer who becomes the target of surveillance by the East German Stasi. Very, very frightening stuff, even with the relatively low-tech equipment they had back then.
Re: (Score:2)
Re: (Score:2)
This is a great example of failure to apply the "you're just not that important" rule of paranoia.
Re: (Score:2)
Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current sit
Re: (Score:1)
Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current situation.
Resisting abusive power doesn't make it more ruthless; it reveals and exposes its ruthlessness. Call their bluff, and if it's not a bluff, then they will be voted out.
This is because you assume torture would cost a lot of money. When the government knows everything about you, it's only a matter of time before their trained psychologists learn which buttons to push. And if all else fails they can simply threaten your family and you'd give up the keys. So I don't think it really would cost very much for any government to do that to thousands of people or even millions, since the same torture tactics will probably work on thousands of people it's not like they'd have much
The global web of trust and TSA gate rape (Score:2)
PGP vs keyloggers (Score:1)
Usually results in PGP being cracked. So just telling everyone to use PGP will only make the government rely more on wiretaps, bugging, keyloggers, hacking into your computer and waiting for you to type your passwords, and only when all that fails, physically raiding you.
Re: (Score:1)
In a way that is a good thing. It means that a repressive government has to crack down and actively attack its citizens as opposed to just quietly watching traffic flow by and the few people that are firebrands, have them disappear.
A tyrannical government has a higher chance of falling if their citizens know that this is happening as opposed to just people vanishing off the edges.
No, encryption won't stop a rubber hose, but it means that a government has to have a thug system in place, with the corresponding blowback from that.
In a way that is a good thing. It means that a repressive government has to crack down and actively attack its citizens as opposed to just quietly watching traffic flow by and the few people that are firebrands, have them disappear.
A tyrannical government has a higher chance of falling if their citizens know that this is happening as opposed to just people vanishing off the edges.
No, encryption won't stop a rubber hose, but it means that a government has to have a thug system in place, with the corresponding blowback from that.
In a way that is a good thing. It means that a repressive government has to crack down and actively attack its citizens as opposed to just quietly watching traffic flow by and the few people that are firebrands, have them disappear.
A tyrannical government has a higher chance of falling if their citizens know that this is happening as opposed to just people vanishing off the edges.
No, encryption won't stop a rubber hose, but it means that a government has to have a thug system in place, with the corresponding blowback from that.
How is that good? There is no one to protect those citizens. Just knowing it is happening doesn't mean the government has a higher chance of failing. Citizens around the world know governments hate encryption and that includes citizens within the USA who know their government tortures and kills. It's not that people don't know, it's more that people can't do anything about it because governments work together to crack codes, torture and kill individuals.
On top of that, individual citizens cannot trust corpo
there is conflict of interest of state and citizen (Score:2)
"... Pakistan has now officially told all of the country's ISPs that they need to block all encrypted VPNs since content running over such services cannot be monitored by the government."
It is not only Pakistans government who has interests like this but also the US and the EU ( and every other government ) They justify spying, eavesdropping, wiretapping and backdoor-peeping with fighting criminal activities, move over to terrorism and end up with the dilemma t
Re: (Score:3)
France went through this phase themselves. You could use only trivially broken crypto. They got over it. It will be interesting to see what happens in Pakistan.
Re: (Score:2)
Except Amazon erased my copy of 1984, so I have no idea what you're talking about.
Just about time, if not a bit too late (Score:3)
Unreliable CA (all over the world)
Online censorship (in China and Australia)
Spying on citizens to different degrees (from "surfing history only" - in EU and Australia - to "everything that goes online" in Iran)
With hundreds of millions not caring enough to protect whatever identifies them on Faecebook, G+ and others.
Re: (Score:2)
1. censorship - ISP voluntary filtering [zdnet.com.au] is up an' kicking (and don't give the "change your ISP", some of us can't do it [itnews.com.au])
2. Web [zdnet.com.au] browsing [zdnet.com.au] history [zdnet.com.au] retention - quote: ZDNet Australia broke the news on Friday that the Federal Government Attorney-General's Department was considering how it could best implement a data retention regime in Australia..
Please note: not "If it could implement..." but "how it could best implement...".
Now, sleep tight and sweet drea
Tahoe-LAFS has been ported to I2P (Score:2)
I2P provides the anonymity layer for the filesystem.