The Principles of NAS (Near-Absolute Security)

We must accept the fact that internet-connected devices are not securable.  If a professional wants your information, they are going to get it–if you started from a device that touches, has touched, or can itself touch, the internet.  The issue is that the end points–the devices sending and receiving, encrypting and decrypting– must be secure.  Without secure end points, encryption is easy to defeat and becomes a joke.

The internet is a gigantic collection platform whose complexity will always work in favor of criminal elements and other malicious types. We now live in an age of spying, and the spies have many advantages.  The interesting thing, on the other hand, is that it is actually easy to defeat them if one first disconnects and starts with an off-line system (genuinely air-gapped) and learns how to use encryption properly.

All guarantees of absolute security for internet users–for privacy and anonymity–are false.

But near-absolute security (NAS) can be realized if the following steps are observed:

1. Start from an air-gapped device that has never touched the internet and whose firmware is clean.  No Wifi, no network interface card, no Bluetooth, no audio/microphone jack, no hard drive, and no wireless antenna. Start from a live USB or Disc whose download was verified as to its source and its integrity.

2. Make sure the air-gapped device is physically secure

3. Encrypt off-line with unweakened encryption

4. Use a cascade of encryption and compression

-the cascade can involve different types of encryption, or different implementations of the same kind of encryption, or both.  Compression is important and should not be excluded. Good compression makes attacks much more difficult.

5. Move encrypted files one way so that the electronic trail is broken

-from safe device to unsafe internet-connected device, methods such as using a DVD-R to transport encrypted files once (and then destroy the disc) are acceptable.  Using a USB is not acceptable at all.

-moving from collection-platform-connected device to safe device is dangerous and requires attention to detail.  But it can be done. One must be careful not to transport malicious code from the collection-platform-connected device to the safe device.

6. Metacontent is erased (metadata)

-we need to stop using the word “metadata” and use the word “metacontent”

-metacontent should be erased every time a file is about to be moved

7. Use steganography or TOR for anonymity

8. Use passwords that are truly random that use at least 90 characters and are at least 36 characters long. (most keyboards have 94 characters:  26 + 26 + 10 +32)

-this is not easy to do, but it is necessary.  Patriot COMSEC has come up with a way to make it easy.

You are on the way to winning the game. Congratulations.

Now you are ready to get on a “secure” internet-connected computer and send your stuff.

Let’s Un-Schmendrick the Password Nightmare

At this moment, people all over the world are pecking a password into a computer.  It is often some weak password that can be broken in less than a second. A truly random password of eight characters drawn from a pool of sixty-eight characters can be broken by one good desktop computer in less than three days.  What people are doing today is not working.

If we have 93 possible symbols and our password is 36 symbols long, then we have this many possibilities if the symbols are in random order:

9336 = 7.334764054 E+70



How can we give that number some kind of meaning that we can relate to?

How many sandwiches is that?  If Franz Kafka were hungry and every atom in his body could eat 10 billion sandwiches in one second, and he could clone himself 10 billion times, to reach the number of sandwiches above, he and his clones would have to eat for about 230,000 times longer than the universe has been here.  At least, for a while, he would have to give up his obsession with what space burial is about.

The chances of this password breaking to a brute force attack are astronomically low.

Patriot COMSEC has the answer to the password problem.  How can we have people make and use effective passwords?  Please stay tuned.  When our patent comes through, you too might want to use our innovative solution.

Patriot COMSEC

Encryption offers valuable security for many important things in our daily lives.  This site hopes to make strong encryption easy:  it offers free professional advice on how to protect yourself and your information. We also talk about wider security issues, such as physical security and national security  vis-à-vis information technology.  But  our focus is on helping people keep their information private.  In today’s interconnected world, that is not an easy task.
We hope to get people jazzed about cryptography.  It has a fascinating and curious history, and its modern methods are central to our lives.  Everything on this site is already publicly available, and so it is free.  We will help you make informed decisions as to which security products and encryption methods to choose. We will also show you, step-by-step, clearly and from the beginning, how set up and use strong encryption so that it actually works.
Trust and privacy do not have to go out the window in our connected world.  The main ideas that you will find on this site are that all internet-connected devices are unsecure; that big companies such as Google and Microsoft want to deceive you, which could be very dangerous in the future; that you must have a secure device that never touches the internet– is air-gapped; and that simple means exist so that can enable you to enjoy a high expectation of privacy and anonymity on the big collection platform and gladiator’s battlefield that we all love, the internet.
We enable trust.

NSA Historical Materials: Insight Into the Vietnam War

Vietnam War (1954-1975)

Below is a list of NSA/CSS historical publications. PDF or text file versions are available for most of the monographs and brochures. Printed copies of publications marked with an asterisk (*) may be requested from the Center for Cryptologic History via our online form.  (Click on the link “Monograph” below)

Subject Title Author Date Available Format
Vietnam Essential Matters: History of the Cryptographic Branch of the People’s Army of Vietnam 1945-1975 * Translated and edited by David W. Gaddy 1994 Monograph

Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client

Why Johnnie Still, Still Cannot Encrypt


Here is an excerpt:

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. This demonstrates that encrypting email with PGP, as implemented in Mailvelope, is still unusable for the masses.

Using Code Words

Using code words in a normal-looking message is a cheap and effective way to communicate. 


Several American businessmen are in Kuala Lumpur, Malaysia, trying to get a contract signed for a lucrative mining deal Malaysian government. Mike, the head negotiator, communicates with his iPhone over a 4G GSM network, and he uses his corporate e-mail account via his laptop.

Before he left home he came up with a series of code words to use when he communicates with his boss. This simple and cheap method will defeat and mislead national-level eavesdropping, hackers, competitors who eavesdrop, and anyone else who wants to spy on him. He just needs to keep his special word list safe. Beware of thinking that old school is somehow wrong, or that it offers flimsy security. The opposite is true. Flying under the radar is a very good idea these days, and simple is good.  He printed his little code word table on a piece of paper and he hid that paper inside his wallet.

Here is the code word list for the above scenario:

SPECIAL WORD(s)                                           MEANING

NORTH                                          THE BUSINESS DEAL DID NOT GO THROUGH

SOUTH                                          THE BUSINESS DEAL DID GO THROUGH

EAST                                             THINGS LOOK PROMISING BUT NOT YET COMPLETE

WEST                                             HUGE SUCCESS

NORTHEAST                                 UTTER FAILURE

NORTHWEST                                 WE NEED MORE TIME

NICE PLACE                                   WE ARE BEING WATCHED


CHINESE                                        THEY SIGNED THE CONTRACT SECRETLY WITH US

JAPANESE                                      THEY REFUSED TO SIGN THE CONTRACT

INDIAN                                            THEY SIGNED THE CONTRACT WITH US OPENLY

THAI                                                THEY ARE NOT CORRUPT

KOREAN                                           THEY ARE CORRUPT



One can then write a misleading message containing special words with special meanings.   So here is the letter Mike writes:


I am very sorry to say that the deal did not go through. We are extremely disappointed by the behavior of their people. Tonight we are going to take a break after all these days of hard work. We are going to that Chinese restaurant west of here that you said is a nice place. Call you tomorrow.


The character in this story came up with traffic that sounded reasonable given the context. In the scenario above, one would expect that a Chinese, Thai, Japanese, or Indian restaurant really does exist somewhere west of the speaker’s location. He told everyone else involved in the business transaction to stay mum over the deal, and emphasized to them to be especially careful over the phone or on the internet. Best practice would be to assure that as few people know about it as possible. Only those who need to know should be told about it.

The message and code word table above is for a specific purpose.  A longer table can be the basis for extended conversations on varying subjects.  Keeping the code word table secret is a priority.  One can write it down, one can print it at home on a small piece of paper, or one could encrypt it with a strong PGP key and use it on a netbook that is never attached to the internet.

The point of all this is that simple human means can defeat elaborate technological threats.  It does not take high technology to defeat the masters of high technology.  It simply takes a little thoughtful effort. If Big Brother ever comes, old-school tools like this might be useful.

(Dietrich, 2014)

Punycode and Homograph Attacks

From Xudong Zheng, a Web application developer:


“Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. For example, the domain “” is equivalent to “短.co”.

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “”, which is equivalent to “а”. It may not be obvious at first glance, but “а” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.

Fortunately modern browsers have mechanisms in place to limit IDN homograph attacks. The page IDN in Google Chrome highlights the conditions under which an IDN is displayed in its native Unicode form. Generally speaking, the Unicode form will be hidden if a domain label contains characters from multiple different languages. The “а” domain as described above will appear in its Punycode form as “” to limit confusion with the real “”.

The homograph protection mechanism in Chrome, Firefox, and Opera unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “”, bypasses the filter by only using Cyrillic characters. You can check this out yourself in the proof-of-concept using Chrome, Firefox, or Opera.

Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate. This Go program nicely demonstrates the difference between the two sets of characters. Safari, along with several less mainstream browsers are fortunately not vulnerable.”



Veracrypt is Your Friend: Cascading Ciphers

Veracrypt does good work, and they have excellent documentation.  Their discussion of their cascading ciphers shown below.


Cascades of ciphers


Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Twofish (256-bit key) in XTS mode and then with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.


Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.


Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode and then with Serpent (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.


Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode, then with Twofish (256- bit key) in XTS mode, and finally with Serpent (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.


Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode and then with Twofish (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

Signal Does Not Work

If the end points are not secure, it does not matter how pretty the code is or how strong the cryptographic primitives are.  So what is the use of pretending to offer people real privacy?

These people need to start over and get away from the iPhone and from Android as the places to encrypt and decrypt.

Yes, Signal has done impressive work, they have been repeatedly recommended by Snowden, and we even hear, from illegally-disclosed NSA documents, that the NSA regarded Signal as a major threat in 2012. From those same documents we learned that TAILS, TOR, and TrueCrypt were regarded as even more dangerous, as catastrophic. So why the difference in threat level? What is the difference between “major threat” and “catastrophic”? Isn’t it reasonable to guess that the difference is between subvertible and we-can’t-own-it? In other words, if it were an inaccessible system to the U.S. in its actual employment, I think we would be hearing the FBI scream.

An Ugly Situation: The Appalling Lack of Safety in Thailand

If you are going to take a vacation in Thailand, you need to think about safety. Thailand can be incredibly dangerous. It is good to be aware of the safety issues before you go.

Websites such as Tripadvisor are very happy to encourage you to travel to exotic locations, but the problem is that they may not be eager to tell you about certain problems, such as bombings and the number of people who get hurt or killed for one reason or another at an exotic tourist spot. Pattani is a particularly dicey place to visit because there have been several bombings there. Don’t expect Tripadvisor to discourage you from spending your money with them on a wonderful trip to Pattani.

On May 9th, two bombs went off in a Big-C in Pattani and 56 people were injured. These attacks occur often in the south, but they are less frequent around Bangkok.

The extreme south of Thailand is in the grip of a Muslim insurgency, and there are a lot of killings, even in broad daylight. Vacationing in the extreme south is out of the question.

As far as Thailand goes, I have never met anyone else who has traveled so much across that country. I have done that because I want to write a book about Thailand—its history, its art, its society, its regions. I started this task in 1997, and I made over thirty trips from overseas before I decided to live here.

Thailand can be very dangerous, and a lot of people make a one-way trip. My intention is not to scare people, but I want to be clear about the threats. The point is that a cascade of problems can overtake the unaware tourist, and that is usually how a one-way trip results.

Thailand has the second-most dangerous highways in the world. Poor road maintenance; poor police supervision; slow, non-professional emergency services; people driving with a fake license that cost them 200 Baht; widespread use of drugs and alcohol; bad, or completely fake, medical care; and a devil-may-care attitude about safety—these all add up to a scary situation. After seeing several foreigners get severely hurt and others pass away due to accidents, I decided that I must say something. The roads are out of control in Thailand, and excessive alcohol consumption is fueling an incredible problem.

It seems that a lot of tourists die from drowning, from being attacked while isolated, and from falling through roofs. Why in the world people want to walk on a roof while drunk is beyond me, but a lot of people seem to do this and pay the price.

There are a lot of suicides in Thailand, especially in Pattaya. Pattaya is a center of international crime, and if you go there you are taking a huge risk. Read the local news in Pattaya if you are thinking of going there. Every violent crime in the book, every scam, they are all there.

If you are from a developed country, you take certain things for granted, such as the safety of electrical devices, chairs, lights, etc. In Thailand, you need to be careful. Exposed wiring, unsafe fans, electrocution, and falling over from an unsafe chair, are just examples of what can go wrong. I know of a man who just passed away because his chair collapsed and he hit his head on the stone floor. The safety of everyday objects is not what it should be in Thailand. Exposed wiring and electrocution are real problems.

Rabies is a problem too. Thailand is the third-worst place in the world for rabies. If a dog bites you, clean the wound immediately and go to a hospital for the prophylaxis. Do not wait.

Information security is also an issue. Rootkits are common in Thailand, ones that allow for remote terminal access with root priviledges onto your device. Whatever else you do, don’t purchase pirated software because it often comes with crimeware buried inside. Patriot COMSEC has found crimeware inside pirated Windows 7 versions. Buying pirated software is just not worth it.

You can enjoy yourself in Thailand, but you have to keep control of yourself and be aware that the Thais are not good at safety. They are very good at having fun and taking it easy, but not so good at driving, giving real medical care, doing emergency services, repairing airplanes, or warning people of danger.

Before you buy that ticket for a Thai airline, get on the internet and check out the ICAO safety rating of your prospective airline. Some Thai air carriers are unsafe.

When a tourist gets killed in Thailand the locals look at the event and wonder what the toursit must have done wrong in his or her past lives. That is how insoluble the safety problem is in Thailand. Thais don’t like to talk about bad things; they do not like to speak about things that can kill you. In fact, they think that talking about something bad will make it happen. It is all smiles. And that tourst who just got attacked, hurt, or killed, in the same place that you are thinking of going—do you think the local Thais are going to tell you about it, warn you?

The party atmosphere that is common to tourist areas creates situations that can result in people not coming home, and this is the worst problem. Yes, enjoy yourself, but keep your head clear and do not think that you are visiting the safest place on the planet. You cannot expect Thais to care about safety as most societies do in fully-developed countries.

Moving Downstream Across an Air Gap

If a device emits electrons, or operates by electrons, it is dangerous.  So the point about air gapping, an important topic which few seem to focus on, is to break the trail of electrons, upstream and downstream.

Consider the internet-connected device to be compromised, even though we will take standard precautions as to its security.  The cipher text that arrives onto this device will be heavily encrypted, and it may even be hidden.  What we are going to do is print it to a piece of paper.  For example, it might be a PGP-encrypted email.  That PGP-encrypted email may be buried in a photo–to avoid traffic analysis.

Then we will carry that paper to our secure device, and at that device we will scan the document and turn it into readable text.  Then we can begin decryption.

Encrypting and decrypting off-line is the one of the salient features of secure internet communication.

The air-gapped device needs to be distant from the unsecure device, perhaps as much as possible.  It is also needs to be in a place with strong physical security.  A complete absence of Wifi in the area of the air-gapped device is recommended, even though the air-gapped device has no Wifi capability.

Ebury/Operation Windigo Rootkit in Southeast Asia and the Far East

If you live in Southeast Asia or the Far East, try running Ubuntu and then scan your computer with chkrootkit and rkhunter.  Rootkits have been unleashed with impunity in several Asian countries–rootkits that enable remote terminal with root privileges onto your device.

If you find Ebury/Operation Windigo on your device, you must wipe it completely.  This rootkit has been tweaked to manipulate chkrootkit, so be very attentive when you look at your results.

To be frank, there are countries in Southeast Asia and the Far East in which it would be unreasonable to assume that your computer is not dorked.

Moral Guidance

  1.  Admit Nothing
  2.  Deny Everything
  3.  Make Counter-accusations
  4.  Trust No One Unnecessarily
  5.  Destroy the Evidence
  6.  Become Indispensable
  7.  Become a Saint
  8.  Remain Above Reproach
  9.  If you cannot ride two horses, don’t join the circus.

More Bad News: Your Wifi Can Become a Radar System to Map Its Area

In his blog, Bruce Schneier brings attention to the fact that a Wifi system can be used like radar: to map out the space it occupies.

This has an obvious military application, and it could easily be abused in a totalitarian state.

If the concerned general user is trying to decide between LAN or wireless for an internet connection, this fact of radar mapping is just one more factor that tells us to choose LAN.

It has long been known that the waves coming from a Wifi can be manipulated with other waves from an active attack–for various purposes.

Again, this is just one more reason to choose a hard-wired connection for a non-air-gapped system.