Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Encryption Security Your Rights Online

The Crypto Project Revives Cypherpunk Ethic 77

Trailrunner7 writes "When a small group of activists announced the debut of The Crypto Project earlier this year, for many, ahem, mature, security and privacy advocates it brought to mind memories of the original cypherpunk movement that began in the 1990s and that group's seminal efforts to encourage the use of strong cryptography and anonymity online, as well as its successes and failures. The two groups are not allied by anything other than ideology, but The Crypto Project's leaders are aiming to follow in the footsteps of the cypherpunks, build on their accomplishments and make security and privacy tools freely available to the masses. The group is working on a number of projects right now, including setting up an anonymous remailer, putting up a Convergence notary and setting up a Tahoe-LAFS grid. Threatpost has an interview with Sir Valiance, one of the leaders of the project, who talks about the need for better privacy and anonymity online and why the cypherpunks are still important today."
This discussion has been archived. No new comments can be posted.

The Crypto Project Revives Cypherpunk Ethic

Comments Filter:
  • The day I could no longer log in to the NYT site with the credentials "cypherpunk:cypherpunk".

    Ah. Innocence so fragile. How soon it departs...

  • That will never be possible when you're on their wire. never never never... The entire concept is absurd.

    • by vadim_t ( 324782 ) on Wednesday August 31, 2011 @01:44AM (#37262126) Homepage

      The whole point of encryption is making it so that sending your stuff over somebody else's wire doesn't let them know what it is.

      As for anonymity, there are ways for that as well, like what Tor does.

      True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful. And then people will come up with some way around that, like adhoc wifi networks or something of that sort.

      • by Mr. Underbridge ( 666784 ) on Wednesday August 31, 2011 @02:07AM (#37262210)

        to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.

        Ah, but to defeat Tor or encryption, it doesn't have to be made impossible - it just has to be made so as to be not trustworthy. So let's say a friendly agency captured a few (or more) Tor nodes, and co-opted a few root certificates (ahem, Iran). These tools don't have to be defeated 100% of the time, they just have to be defeated in principle for them to crumble.

        It's sort of like privacy terrorism - the targets are largely symbolic rather than practical, and the goal is to instill fear rather than defeat in a straightforward manner.

        And then people will come up with some way around that, like adhoc wifi networks or something of that sort.

        Which, I fear, would allow even easier avenue of attack for certain organizations who like to do that. Anything ad-hoc has to be able to find a way to trust something it's never met before (by definition). That's prone to attack too. There are advantages and weaknesses to both centralization and decentralization.

      • by aaaaaaargh! ( 1150173 ) on Wednesday August 31, 2011 @03:57AM (#37262586)

        True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.

        Whishful thinking. How many people do you know personally that run a Tor exit node? How many of them would you consider 100% trustworthy? Compromised exit nodes offer a lot of possibilities: browser ID'ing, code injection, traffic analysis. How about the programs you run over Tor. Are you 100% sure they don't leak private information? Have you checked their source code and internet protocols? What about the endpoints? Are they secure? Do they use SSL? Which SSL encryption do they use, super-secure RC4 like Google search? Can you be identified from your browsing behavior?

        Agencies like the NSA have the expertise, the money, and the infrastructure to own the majority of exit nodes. Not only that, if they wanted to and got the funding, they could easily own the majority of all Tor nodes. I'm not saying that they do or that you should assume they do (they might not have an incentive, as they are probably already drowning more valuable data), but that you shouldn't rely on Tor's anonymity too much.

        Moreover, bear in mind what others have already pointed out. There are many dirty tricks to undermine the trustworthiness of projects, especially since it's highly likely that many private crypto implementors are on the secret payroll of some government. Take e.g. a look at Wikileaks for the results of such campaigns.

        However, if a government wants to get rid of Tor officially there is a much easier way. They just prohibit it and that's it. Use of Tor is easy to identify. The same for encryption in general. Or you just make it illegal not to give away the password to authorities when they want it like in the fascist UK.

        • by vadim_t ( 324782 ) on Wednesday August 31, 2011 @04:39AM (#37262700) Homepage

          Whishful thinking. How many people do you know personally that run a Tor exit node? How many of them would you consider 100% trustworthy? Compromised exit nodes offer a lot of possibilities: browser ID'ing, code injection, traffic analysis. How about the programs you run over Tor. Are you 100% sure they don't leak private information? Have you checked their source code and internet protocols? What about the endpoints? Are they secure? Do they use SSL? Which SSL encryption do they use, super-secure RC4 like Google search? Can you be identified from your browsing behavior?

          You're not supposed to trust a Tor exit node. Every Tor instruction I've seen mentions that you should use an anonymizing proxy to erase the things that allow browser IDing.

          For leaking private information, there exist programs that monitor traffic and tell you when for instance DNS requests are made without going through Tor.

          Yes, getting all this right is certainly tricky. But it's not a new idea, and countermeasures for untrustworthy exit nodes are already in place.

          However, if a government wants to get rid of Tor officially there is a much easier way. They just prohibit it and that's it. Use of Tor is easy to identify. The same for encryption in general. Or you just make it illegal not to give away the password to authorities when they want it like in the fascist UK.

          But that's where what I said about making the internet less useful comes in. Yes, the government can forbid encryption. But what about the countless VPNs used by foreign companies, internet banking and shopping, the myriad of old or embedded systems that automatically do encrypted transfers, the encryption built into operating systems?

          In some backward third world country that might be possible, but anywhere else such a thing would carry a very high cost attached.

          Then if it still happens, people will figure out how to transfer data in a hidden way.

          • by Anonymous Coward

            But that's where what I said about making the internet less useful comes in. Yes, the government can forbid encryption. But what about the countless VPNs used by foreign companies, internet banking and shopping, the myriad of old or embedded systems that automatically do encrypted transfers, the encryption built into operating systems?

            Key escrow where the government has a master key. This has been suggested, demanded, or even implemented by governments already in the past. (Regarding the "older embedded systems", I'd doubt any of them is secure btw...)

            That being said, there might be a political problem in many democratic countries with weakening encryption in this way nowadays. But that depends on the circumstances. Add another major economic crisis and a few terrorist attacks and you might have to say good-bye to encryption without gove

        • by Anonymous Coward

          > Agencies like the NSA have the expertise, the money, and the
          > infrastructure to own the majority of exit nodes.

          Or own Google...

        • If you want any sort of guarantee for the confidentiality and integrity of your data, you do the same thing over tor that you would have to do without it: Never initiate any non-SSL or non-certified connection, configure your browser not to transmit any identifying data (user agent, referer, cookies) and for heaven's sake do not run any scripts or plugins.

          Without these precautions, all that tor does is expose your information to unknown spies (the exit node) in addition to known spies (your ISP, the carrier

        • Agencies like the NSA have the expertise, the money, and the infrastructure to own the majority of exit nodes.

          I do not think anyone realistically believes that they can defeat the NSA. Yet there are numerous other government agencies in various countries around the world who do not have the capabilities that the NSA has, and who can do far greater harm than the NSA. Just because it would be difficult to defeat the world's most powerful and best funded signals intelligence agency does not mean that Tor or the anonymous remailer network are worthless.

          • You know, I used to play with the nym remailers, and the mixmaster stuff....I tried to set up a nym acct. awhile back and could never get it to work again.

            Are they still out there and still functioning?

            • Remailers are still functional, although as far as I know they are mostly used for posting to Usenet. I am not sure if pseudonymous remailers are widely used these days, but mixmaster and cypherpunks remailers get a lot of traffic.
    • by BlackSabbath ( 118110 ) on Wednesday August 31, 2011 @01:50AM (#37262156)

      I'm not so sure about that. There is no end to the layers of obfuscation and detection which leads to an arms-race where (for short periods) anonymity and privacy are theoretically (and for those committed enough, practically) possible.
      However as far as arms-races go, I believe this one is asymmetric. It eventually has only one solution (for the state): outlaw encryption.

      • by Skreems ( 598317 )
        At which point undetectable encryption methods like stenography become a lot more interesting...
        • by Anonymous Coward

          That word. I do not think it means what you think it means.

          • You only need to make it "prohibitively expensive" to detect? On the other hand, you still need to invent and distribute the steganography software. If the listener knows the stenographic channels then the game is up, yes?
            On the third hand, maybe you could make a stenographic system that would require analysing so much data that it'd be too expensive to try to detect even if the adversary knew about the stenographic channels? Like hiding it in a protocol that has grotesque traffic volumes (eg., bittorrent)?
            • you hide your steganographic messages in alt.binaries.boneless, the traffic is monumental and the retention on some servers is amazing...
            • by plover ( 150551 ) *

              Stenography is the way a court reporter types up a transcript of what was said.
              Steganography is secret writing hidden in something else.
              Two different words.

            • The game is not up. Properly encrypted data is statistically indistinguishable from random data. Just encrypt your data and hide it in the last 8 bits of noise in 24 bit 192 kHz audiophile grade FLAC torrents. And then you're only expanding your data by somewhat less than a factor of 3 (FLAC compresses the first 16 bits). That's actually not particularly worse than the existing anonymous nets (Tor, Freenet, i2p).
        • Undetectable? Anyone can goto school for stenography. [westvalley.edu]
          • And have you actually seen anybody doing stenography [wikimedia.org] the last decade or two? Those people have been pretty much invisible since the Cypherpunks movement started - they were part of one of our great successes, Silent Trystero's Typing Pool...

            Stenography is different from what court reporters do, though both of them are trying to capture speech in real time. It's a shorthand version of writing that a well-trained secretary could use to capture notes that she'd then type up, and Dictaphones were a technica

            • Since you missed it above, the word you're looking for is steganography [wikipedia.org].
              • No, I actually was talking about stenography, as was CryptoJones, more or less (though we were also making fun of the people who'd used that term instead of steganography.) It's becoming a lost art, but some of the older folks here will remember those Gregg Shorthand books, and typing pools.

                With Steganography, some of the interesting directions to look are how to hide stuff in various video formats, both from the standpoint of how much you can hide from programs and also how much you can hide from visual p

      • by Tom ( 822 )

        However as far as arms-races go, I believe this one is asymmetric. It eventually has only one solution (for the state): outlaw encryption.

        At which point we bring out the myriad crypto schemes that make encrypted content indistinguishable from plain text. It is really easy to "encrypt" a text not into bytes, but into english words. Yeah, it won't give you a meaningful sentence - label it as an avant-garde poem and you're good.

        There are more refined ways that work even better. I think there even was one that generated Shakespearean sonnets as output.

        Then there's the whole stego area. Google for "snow" and have fun.

        In the end, outlawing crypto i

  • Encryption isn't good enough to stop extraordinary rendition. The government essentially views anyone who uses encryption in an ubiquitous opportunistic way as a terrorist. Encryption didn't protect Bradley Manning from Adrian Lamo. Encryption will only force the governments to rely on informants, which means the government which can't break your code will focus instead on breaking you.

    So if you don't give up your key prepare to be tortured until you do. That's how code breaking actually works. Also prepare

    • Obligatory : xkcd tells it as it is [xkcd.com]. (and yet, even knowing this, I still encrypt data I think is worth it)
      • by maxume ( 22995 )

        I use encryption to mitigate the consequences of my computer being physically stolen (by an opportunistic thief, I can't imagine a scenario where someone would target my data...).

        XKCDs wrench-wielding gibbons do not speak to that use.

      • by Sloppy ( 14984 )

        Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.

        • by elucido ( 870205 )

          Of course it's worth it, because the cost of a wrench (and using it) is astronomical compared to passively intercepting plaintext. And wrench-use is much more easily detected, too.

          Only this isn't going to be the case 90% of the time.

        • by gknoy ( 899301 )

          I think that what he means is, most data that we encrypt are things that we'd be more than willing to surrender to a force-wielding attacker. Similar to how one gives one's wallet to muggers, it's pretty straightforward to say "Oh, that drive. That's my encrypted drive of family photos and baby videos."

          • by Sloppy ( 14984 )

            The mugger analogy is excellent, because even though most people will just hand their wallets over to a mugger, the mugger doesn't know which people actually have money in their wallets and which ones don't, until after he's mugged them. And every mugging carries some risk to the mugger, even though it's fairly low.

            If you work as a mugger on a fairly small scale (mug ten people per day), perhaps you can eventually make enough money to retire before you get killed or arrested. I don't know.

            But if you set o

    • by c0lo ( 1497653 )
      "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers."
    • by Anonymous Coward

      Rather than reading (possibly schizophrenic) ramblings on the Internet, go see Das Leben der Anderen [imdb.com] ("The Lives of Others"; I think it's out in English now), about a writer who becomes the target of surveillance by the East German Stasi. Very, very frightening stuff, even with the relatively low-tech equipment they had back then.

    • by Skreems ( 598317 )
      The article you linked includes claims that he caught on to FBI surveillance because he noticed that the name on a piece of spam email was the same as a character in a movie he'd watched. That man is obviously unbalanced, and needs proper medical attention.

      This is a great example of failure to apply the "you're just not that important" rule of paranoia.
    • by Sloppy ( 14984 )

      the government which can't break your code will focus instead on breaking you.

      Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current sit

      • by elucido ( 870205 )

        the government which can't break your code will focus instead on breaking you.

        Increasing the attacker's costs is a good thing. I don't know about your government, but my government can't afford (either economically or politically) to torture hundreds of thousands of their own citizens per day. And they can't do it without those citizens finding out that it's happening ("um.. what's this pain in my knee? Oh, hi there. What are you doing?" "Give me the key!!!"). That's a big step up from the current situation.

        Resisting abusive power doesn't make it more ruthless; it reveals and exposes its ruthlessness. Call their bluff, and if it's not a bluff, then they will be voted out.

        This is because you assume torture would cost a lot of money. When the government knows everything about you, it's only a matter of time before their trained psychologists learn which buttons to push. And if all else fails they can simply threaten your family and you'd give up the keys. So I don't think it really would cost very much for any government to do that to thousands of people or even millions, since the same torture tactics will probably work on thousands of people it's not like they'd have much

  • just a few messages earlier slashdot reports:

    "... Pakistan has now officially told all of the country's ISPs that they need to block all encrypted VPNs since content running over such services cannot be monitored by the government."

    It is not only Pakistans government who has interests like this but also the US and the EU ( and every other government ) They justify spying, eavesdropping, wiretapping and backdoor-peeping with fighting criminal activities, move over to terrorism and end up with the dilemma t

    • France went through this phase themselves. You could use only trivially broken crypto. They got over it. It will be interesting to see what happens in Pakistan.

    • by plover ( 150551 ) *

      Except Amazon erased my copy of 1984, so I have no idea what you're talking about.

  • by c0lo ( 1497653 ) on Wednesday August 31, 2011 @03:26AM (#37262490)
    DNS hijacking (DHS doing MAFIAA a favor)
    Unreliable CA (all over the world)
    Online censorship (in China and Australia)
    Spying on citizens to different degrees (from "surfing history only" - in EU and Australia - to "everything that goes online" in Iran)
    With hundreds of millions not caring enough to protect whatever identifies them on Faecebook, G+ and others.
  • I2P provides the anonymity layer for the filesystem.

One person's error is another person's data.

Working...