End-to-end Encryption Denies Big Brother Access… Really?

A new campaign in the crypto wars is now afoot.  Today, if you have read the international news, you know that Great Britain, Russia, and China have all made some kind of announcement about the dangers of VPN’s and end-to-end encryption.  Your freedoms are now on notice.

The British Foreign minister says that no one needs encryption that works.  She insists that it only benefits bad people such as terrorists.  Bullocks.

Well, if Great Britain had the guts to expel Jihadists, and if it were not so namby-pamby, cotton candy as to actually finance people living in their country who hate Great Britain and its values, that would go a long way to make them safer.

Take the Manchester bomber for example:  the British government enabled and even facilitated a terror attack on their own soil.  Talk about stupid.  It challenges belief.  So you hate Great Britain, have dropped out of college, and you want to go to Libya for some Jihadist training?  Need some money?  Here you go!

As far as Great Britain goes, INGSOC is not yet running the show. Some buffoons are in charge, yes, and they should not be allowed to make slaves out of the whole population.

Free people deserve the right to use encryption and have privacy.  The British Government has failed miserably in allowing jihadists to live and thrive in their country, and they have ignored many hate-filled rants from people who later killed others on British soil.  What is therefore the reasonable conclusion to this appalling situation being allowed to exist and fester?  The only reasonable conclusion is that their government simply does not care. Equality at all costs.

The Brits need to first expel the nutcases who have openly spoken against their country and the West.  That would be a good start.

Encryption is valuable.  Many end-to-end encryption services are available right now.  Tutanota and Protonmail come to mind:  http://www.protonmail.com and http://www.tutanota.com

But there is an enormous fallacy about E2E systems.  Yes, Protonmail is very nice, but I would not bet my life on it.  First, of course, it does nothing for your anonymity.  You still leave a trail of metadata (metacontent).  But, for the average user, Protonmail or Tutanota will serve you well because it does give you a high expectation of privacy.  Just remember one thing:  these email systems do not supply absolute privacy because the end points (the iPhone, computer, smartphone, etc., are not securable).

The only way to get near-absolute security (NAS) is to encrypt offline on an air-gapped computer that is never compromised (no movement of USBs or discs, etc., from anything that has touched the internet).  Then use you Protonmai, Hushmail, Tutanota, etc., as a wrapper.

Anyone on the earth can take a pencil, a piece of paper, and two dice, and make a code that no one else on earth can break.  This is what should give human beings hope against any future INGSOC and its cronies.  Unweakened PGP probably still works with large key sizes and proper variables, etc. Wrapping different kinds of PGP inside other kinds, and using symmetric systems and asymmetric systems together, is highly recommended for someone who wants real privacy:  a lawyer, a business negotiator, a clergyman, someone in law enforcement, someone running for office, etc. The amazing truth is that national-level players and sophisticated criminals can be stopped with simple, cheap encryption and true air-gapping.  Real defense works, and it is cheap.

Those of us who still live in free societies must stand up for our rights as patriots and law-abiding citizens.  Just because governments fail appallingly on the issues of controlling classified information (the OPM disaster, Snowden, Shadow Brokers, etc.) and controlling immigration (Germany in particular, Belgistan, etc.), does not mean that we must accept the numbskulls of INGSOC and the enablers of the West’s decline who want to take away the God-given freedoms of decent people.

People like Amber Rudd need to be run out of town because they are doing nothing effective against the real problems of creating terrorists, facilitating terror, and not controlling immigration.

Advertisements

Punycode and Homograph Attacks

From Xudong Zheng, a Web application developer:

 

“Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.

Fortunately modern browsers have mechanisms in place to limit IDN homograph attacks. The page IDN in Google Chrome highlights the conditions under which an IDN is displayed in its native Unicode form. Generally speaking, the Unicode form will be hidden if a domain label contains characters from multiple different languages. The “аpple.com” domain as described above will appear in its Punycode form as “xn--pple-43d.com” to limit confusion with the real “apple.com”.

The homograph protection mechanism in Chrome, Firefox, and Opera unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters. You can check this out yourself in the proof-of-concept using Chrome, Firefox, or Opera.

Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate. This Go program nicely demonstrates the difference between the two sets of characters. Safari, along with several less mainstream browsers are fortunately not vulnerable.”

 

See:  https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/

Veracrypt is Your Friend: Cascading Ciphers

Veracrypt does good work, and they have excellent documentation.  Their discussion of their cascading ciphers shown below.

From:  https://veracrypt.codeplex.com/wikipage?title=Cascades

Cascades of ciphers

AES-Twofish

Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Twofish (256-bit key) in XTS mode and then with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

AES-Twofish-Serpent

Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode, then with Twofish (256-bit key) in XTS mode, and finally with AES (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

Serpent-AES

Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode and then with Serpent (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

Serpent-Twofish-AES

Three ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with AES (256-bit key) in XTS mode, then with Twofish (256- bit key) in XTS mode, and finally with Serpent (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

Twofish-Serpent

Two ciphers in a cascade [15, 16] operating in XTS mode (see the section Modes of Operation). Each 128-bit block is first encrypted with Serpent (256-bit key) in XTS mode and then with Twofish (256-bit key) in XTS mode. Each of the cascaded ciphers uses its own key. All encryption keys are mutually independent (note that header keys are independent too, even though they are derived from a single password – see the section Header Key Derivation, Salt, and Iteration Count). See above for information on the individual cascaded ciphers.

Signal Does Not Work

If the end points are not secure, it does not matter how pretty the code is or how strong the cryptographic primitives are.  So what is the use of pretending to offer people real privacy?

These people need to start over and get away from the iPhone and from Android as the places to encrypt and decrypt.

Yes, Signal has done impressive work, they have been repeatedly recommended by Snowden, and we even hear, from illegally-disclosed NSA documents, that the NSA regarded Signal as a major threat in 2012. From those same documents we learned that TAILS, TOR, and TrueCrypt were regarded as even more dangerous, as catastrophic. So why the difference in threat level? What is the difference between “major threat” and “catastrophic”? Isn’t it reasonable to guess that the difference is between subvertible and we-can’t-own-it? In other words, if it were an inaccessible system to the U.S. in its actual employment, I think we would be hearing the FBI scream.

An Ugly Situation: The Appalling Lack of Safety in Thailand

If you are going to take a vacation in Thailand, you need to think about safety. Thailand can be incredibly dangerous. It is good to be aware of the safety issues before you go.

Websites such as Tripadvisor are very happy to encourage you to travel to exotic locations, but the problem is that they may not be eager to tell you about certain problems, such as bombings and the number of people who get hurt or killed for one reason or another at an exotic tourist spot. Pattani is a particularly dicey place to visit because there have been several bombings there. Don’t expect Tripadvisor to discourage you from spending your money with them on a wonderful trip to Pattani.

On May 9th, two bombs went off in a Big-C in Pattani and 56 people were injured. These attacks occur often in the south, but they are less frequent around Bangkok.

The extreme south of Thailand is in the grip of a Muslim insurgency, and there are a lot of killings, even in broad daylight. Vacationing in the extreme south is out of the question.

As far as Thailand goes, I have never met anyone else who has traveled so much across that country. I have done that because I want to write a book about Thailand—its history, its art, its society, its regions. I started this task in 1997, and I made over thirty trips from overseas before I decided to live here.

Thailand can be very dangerous, and a lot of people make a one-way trip. My intention is not to scare people, but I want to be clear about the threats. The point is that a cascade of problems can overtake the unaware tourist, and that is usually how a one-way trip results.

Thailand has the second-most dangerous highways in the world. Poor road maintenance; poor police supervision; slow, non-professional emergency services; people driving with a fake license that cost them 200 Baht; widespread use of drugs and alcohol; bad, or completely fake, medical care; and a devil-may-care attitude about safety—these all add up to a scary situation. After seeing several foreigners get severely hurt and others pass away due to accidents, I decided that I must say something. The roads are out of control in Thailand, and excessive alcohol consumption is fueling an incredible problem.

It seems that a lot of tourists die from drowning, from being attacked while isolated, and from falling through roofs. Why in the world people want to walk on a roof while drunk is beyond me, but a lot of people seem to do this and pay the price.

There are a lot of suicides in Thailand, especially in Pattaya. Pattaya is a center of international crime, and if you go there you are taking a huge risk. Read the local news in Pattaya if you are thinking of going there. Every violent crime in the book, every scam, they are all there.

If you are from a developed country, you take certain things for granted, such as the safety of electrical devices, chairs, lights, etc. In Thailand, you need to be careful. Exposed wiring, unsafe fans, electrocution, and falling over from an unsafe chair, are just examples of what can go wrong. I know of a man who just passed away because his chair collapsed and he hit his head on the stone floor. The safety of everyday objects is not what it should be in Thailand. Exposed wiring and electrocution are real problems.

Rabies is a problem too. Thailand is the third-worst place in the world for rabies. If a dog bites you, clean the wound immediately and go to a hospital for the prophylaxis. Do not wait.

Information security is also an issue. Rootkits are common in Thailand, ones that allow for remote terminal access with root priviledges onto your device. Whatever else you do, don’t purchase pirated software because it often comes with crimeware buried inside. Patriot COMSEC has found crimeware inside pirated Windows 7 versions. Buying pirated software is just not worth it.

You can enjoy yourself in Thailand, but you have to keep control of yourself and be aware that the Thais are not good at safety. They are very good at having fun and taking it easy, but not so good at driving, giving real medical care, doing emergency services, repairing airplanes, or warning people of danger.

Before you buy that ticket for a Thai airline, get on the internet and check out the ICAO safety rating of your prospective airline. Some Thai air carriers are unsafe.

When a tourist gets killed in Thailand the locals look at the event and wonder what the toursit must have done wrong in his or her past lives. That is how insoluble the safety problem is in Thailand. Thais don’t like to talk about bad things; they do not like to speak about things that can kill you. In fact, they think that talking about something bad will make it happen. It is all smiles. And that tourst who just got attacked, hurt, or killed, in the same place that you are thinking of going—do you think the local Thais are going to tell you about it, warn you?

The party atmosphere that is common to tourist areas creates situations that can result in people not coming home, and this is the worst problem. Yes, enjoy yourself, but keep your head clear and do not think that you are visiting the safest place on the planet. You cannot expect Thais to care about safety as most societies do in fully-developed countries.

Moving Downstream Across an Air Gap

If a device emits electrons, or operates by electrons, it is dangerous.  So the point about air gapping, an important topic which few seem to focus on, is to break the trail of electrons, upstream and downstream.

Consider the internet-connected device to be compromised, even though we will take standard precautions as to its security.  The cipher text that arrives onto this device will be heavily encrypted, and it may even be hidden.  What we are going to do is print it to a piece of paper.  For example, it might be a PGP-encrypted email.  That PGP-encrypted email may be buried in a photo–to avoid traffic analysis.

Then we will carry that paper to our secure device, and at that device we will scan the document and turn it into readable text.  Then we can begin decryption.

Encrypting and decrypting off-line is the one of the salient features of secure internet communication.

The air-gapped device needs to be distant from the unsecure device, perhaps as much as possible.  It is also needs to be in a place with strong physical security.  A complete absence of Wifi in the area of the air-gapped device is recommended, even though the air-gapped device has no Wifi capability.

Ebury/Operation Windigo Rootkit in Southeast Asia and the Far East

If you live in Southeast Asia or the Far East, try running Ubuntu and then scan your computer with chkrootkit and rkhunter.  Rootkits have been unleashed with impunity in several Asian countries–rootkits that enable remote terminal with root privileges onto your device.

If you find Ebury/Operation Windigo on your device, you must wipe it completely.  This rootkit has been tweaked to manipulate chkrootkit, so be very attentive when you look at your results.

To be frank, there are countries in Southeast Asia and the Far East in which it would be unreasonable to assume that your computer is not dorked.

Moral Guidance

  1.  Admit Nothing
  2.  Deny Everything
  3.  Make Counter-accusations
  4.  Trust No One Unnecessarily
  5.  Destroy the Evidence
  6.  Become Indispensable
  7.  Become a Saint
  8.  Remain Above Reproach
  9.  If You Cannot Ride Two Horses, Don’t Join the Circus
  10.  Learn to Lighten the Mood by Engaging in Irony by Imperceptible Stages
  11. Money Tends to Corrupt, and Money from Certain Folks Corrupts Absolutely