Saturday, May 2, 2015

Encryption

Hillary Clinton Just Keeps On Going

I knew I had to get this out given what Hillary Clinton has said in terms of both Edward Snowden and her promise to give the government agencies and most especially the FBI the tools to decipher enciphered material including PK (public key) enciphered data.

Before I get started I must say that the gushing articles on both the Washington Post and the Guardian about Hillary Clinton made me mighty suspicious.  I wouldn't be surprised that they and MSNBC or whatever TV news channel the Democrats watched didn't have all the news people at those organizations hypnotized by the Psychiatrists at these various organizations.  How do they do it?  Over the phone.  How can you tell they are doing it?  Well, if you have a dB meter on the phone and it registers volume that a non-listener can see but the listener doesn't hear anything then you are very likely to be hypnotized.  It is one of the most potent weapons the FBI has.

Have I heard Hillary Clinton backtracking on this issue? Chug, chug, chug, chug, Chug, chug, chug, chug, Chug, chug, chug, chug, ...  I tell you she is like the energizer bunny.  She just keeps going and going and she never stops.


Other Representatives Disagree

I read this surprise article in the Washington Post on a legislative hearing on encryption:

Encryption Back-Doors

I don't know whether I would use the term that the back doors are technologically stupid.  I would say it is more like the idea that the encryption back-doors are either technologically dubious or technologically impossible.  That is because I write from the viewpoint of an advanced encryption user who has vetted GnuPG's code several times and came to it from a mathematical background.  Right off hand I don't think you can do it.  I saw them going this way once before with the Clipper chip in the 1990s.  Here is a good central point on what it was:

Escrowed Encryption

What they don't say on that page is that somebody was able to hack the Clipper system.  That is why it is not with us today.  Ergo, maybe the statement that back doors are technologically stupid is more appropriate after all.  What they probably are saying is that what you keep telling us we are going to do is impossible so why do you keep saying it?  By the way, Representative Ted Lieu, have you considered a run to become President of the United States?  The Democratic party needs somebody besides Hillary Clinton.  Don't even consider being Vice President.  I realize that if Hillary wins she will die in office with each of her years being like everybody else's four years in aging her.  But we need somebody to hit the ground running with the right idea on this and other issues.  The Republican party leaders have already de-facto announced that all elements of the draconian Patriot Act will be renewed as is.  Thankfully some of the Republicans have broken ranks on this issue.  They finally realized just how important protecting the Fourth Amendment to the US Constitution is.  We need somebody to think about that and many other things.  I am not in favor of the Patriot Act at all.  Hillary Clinton is in favor of it.  She is back-tracking fast on other issues important to Democrats now that Bernie Sanders is stealing some of her thunder.  Disclaimer: I have donated to Bernie Sanders' campaign.  I think he is one of the few people that can turn this country around.  He cannot do it alone.  We need people in the United States to understand that the only rule that will work is to treat others the way you want to be treated (love your neighbor the same as yourself).

One of the commenters in the Washington Post article said something about what happens if you use OpenPGP security to send a message to multiple recipients.  I don't know what they were attempting to say but I know what happens.  First note that you are not prompted for your OpenPGP pass-phrase.  Why not?  Because you are enciphering it using the public side of everybody's key in the recipient list.  But you have a public key for each and every one of them!  So what happens?  The Enigmail plugin for Thunderbird and the equivalent thereof in Claws Mail and other clients makes a separate message for each and every one of the recipients.  Everybody gets their copy of the message and everybody else's copy as well, at least with Enigmail doing the sending.  Don't fret because that is following the standard.  So what if the intelligence community came along and specified that there should be only one message for all?  That is technologically impossible.  It is also technologically stupid.  So I agree with the Congressional Representatives after all.


A New Paradigm

But with the NSA hacking Gemalto by exploiting the people that work for them by using those people's Facebook and Twitter accounts it didn't take long before Symantec and others took notice of what was going on.  Symantec purchased PGP Corporation.  Why?  Their business is protecting companies and people from having their financial accounts and other things exposed.  They have provided me with a PDF file of a new way of doing things.  I have it here:

Perfect Forward Secrecy

What is the difference between that and what we have now?  They don't depend on permanent PK keys the way we are doing it now.  Instead they use randomly generated transient session keys.  It won't be something that is used with something like OpenPGP which will change to elliptic curve encryption in the future.  But these people are always thinking forward.  Now in this case I can agree with the Representatives.  Thinking you can put a third key way of doing things into a session key really is stupid.  And on this we have more than the NSA to fear.  The Chinese, Russians, and other political powers will want to hack enciphered messages.  So will black-hat hackers who will want to do it for monetary gain.
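The contrast between permanent keys and transient session keys, as an added example that is not from the Symantec PDF or from this post: one recorded session is replayed after the long-term key leaks, once for each design. The group, the toy cipher and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption): not a vetted Diffie-Hellman group.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def seal(key, msg):
    # Toy cipher for messages up to 32 bytes; the MAC makes a wrong key detectable.
    stream = hashlib.sha256(key + b"enc").digest()
    ct = bytes(a ^ b for a, b in zip(msg, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + b"enc").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def record_session(server_priv, msg):
    """Run one session and return what a passive eavesdropper can store."""
    client_priv, client_pub = keypair()  # the client side is always transient
    ct, tag = seal(session_key(client_priv, pow(G, server_priv, P)), msg)
    return {"client_pub": client_pub, "ct": ct, "tag": tag}

def replay_with_leaked_key(leaked_priv, recording):
    """What the holder of a leaked private key recovers from a stored recording."""
    key = session_key(leaked_priv, recording["client_pub"])
    return unseal(key, recording["ct"], recording["tag"])

def demo():
    msg = b"constructed sample message"
    long_term_priv, _ = keypair()
    # Permanent-key design: the long-term key takes part in every exchange.
    static_rec = record_session(long_term_priv, msg)
    # Forward-secret design: a fresh key per session, discarded afterwards
    # (a real protocol would use the long-term key only to sign the exchange).
    transient_priv, _ = keypair()
    pfs_rec = record_session(transient_priv, msg)
    del transient_priv
    return (replay_with_leaked_key(long_term_priv, static_rec),
            replay_with_leaked_key(long_term_priv, pfs_rec))

if __name__ == "__main__":
    print(demo())
```

The first result is the recovered plaintext and the second is `None`: the leaked long-term key opens the recording made under the permanent-key design but not the one made with a discarded transient key.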

Rest assured of at least two things.

First, much will change in the future.  Encryption has never been a static field.  It is constantly changing to meet new threats.

Second, I don't buy those arguments that the people that are putting encryption into everything including even smart phones are aiding and abetting the commission of crimes.  Daniel F Conley and others are just going to have to learn how to do better police work.  You cannot tell me that enciphering of encryption means they are careful about everything.  The Germans using the Enigma machine used outside / inside session keys for each message.  The outer session key was three characters long and was not enciphered using the Enigma machine.  It was sent in plain text.  The inner session key of three letters' length was enciphered using the outer session key plus message and daily settings and should have been pretty hard to attack.  So what did they use with outside three first, then a dash, then the inside three keys?  LON-DON, MAD-RID, BER-LIN, and on and on.  The most interesting one was TOM-???  The Bletchley Park cryptanalysts finally came upon TOM-MIX.  He was the American cowboy film actor during mostly the silent era.  Why did they do it this way?  "We will use these session keys because they are easy."  That is what the German enciphering teams thought would be good enough.  Why?  They were convinced that the Enigma made them completely invulnerable.  It didn't and neither will enciphering the message today unless you do things carefully.  My OpenPGP pass-phrase is so convoluted it depends on my muscle memory to type it.  If I am too tired I have to rest before I can use my OpenPGP keys.

We still have human rights workers whose very lives depend upon the encryption we provide today.  How far will the FBI go in their lies?  I have had I don't know how many people that supposedly live at my apartment.  I have even had the local police at my apartment claiming that an individual by a given name (why don't they ever show me the written name?) lived at my apartment.  When I asked who gave them the name one of the officers either lied through his teeth or the name given was given to them by the FBI because they said they had it on highest authority that person lived at my apartment.  I showed them around and they must have realized they had a red herring.  Yet again less than a month ago a private investigator came calling with yet another name.  Do these police officers or the FBI ever do anything but lie?  They are awfully sloppy in the data that they collect and they don't do a very good job analyzing it.  I suggest they do much better analysis of data and eliminate spurious garbage.  Adding more data with data harvested from the Internet will do nothing but make it ever harder to do the analysis.

On the weakness introduced by the intelligence community we have one more.  I believe I discovered the FREAK problem.  If I didn't, here is a good report on it from Symantec:

Symantec FREAK Vulnerability Report

To that you can add the new LogJam MITM (Man In The Middle) attack that exploits the Diffie-Hellman encryption.


Cookie-Safe Lite Block List 

On this one I went through a lot of gyrations with Ubuntu 10.04 (the last gasp of the Gnome 2 GUI).  Carefully preserving what I had I tried both Firefox 37 and Firefox 38.  Cookie-Safe no longer works.  I was able to import Cookie-Safe Lite and it worked with the cookie block list that I provide:

Microsoft Cookie-Safe Lite Package
Unix Cookie-Safe Lite Package
Cookie-Safe Lite block list (active)
Cookie-Safe Lite block list (visual)

If you have problems here is the downloads folder which isn't linked to in and of itself:

SecureMecca Downloads folder

You will need to install 7-Zip or have some zip program that can handle that zip format.  But it is tested and it works so it is good to go.  Unfortunately for me on Linux with the old version of Flash, it crashes every time I encounter Flash media that is too new.  That is because Adobe froze Flash for Linux at version 11.  I suppose Mozilla could have embedded it in the browser like Chrome did.  On that point I did download the new version of Chrome and tried to install it:

# dpkg --install  google-chrome-stable_current_i386.deb
# blah, blah, blah
dpkg-deb: file `google-chrome-stable_current_i386.deb' contains ununderstood data member data.tar.xz     , giving up

I didn't have xz-utils installed so I installed them:

# apt-get install xz-utils

They installed successfully.  I was able to tar my hosts file build folder (Hosts, and everything on 'nix is case sensitive).  Then I compressed the tar file with xz.  Here are some of the results of the various compression routines:

1078068   Hosts.tar.xz
1119844   Hosts.7z
2090641   Hosts.tbz
2343760   Hosts.tar.gz

So xz-utils is worth it when you have spongy files (lots of white space).  I can do this with the Hosts.tar.xz file so tar does understand it:

tar -xf  Hosts.tar.xz

I guess dpkg on my older system doesn't understand it so one of these days I will have to upgrade to kubuntu.  For now I just did the same thing with Firefox 38 that I did to Firefox 37 (being sure to close the browser first with the Exit):

cd ; umask 077 # this is my default but for others I shift to 022
mv .mozilla mozilla.ff37
pak mozilla.ff37

Then I just copied my backup of my Firefox 20 mozilla user folder in place, unzipped it, took the extra PATH to /usr/local/lib/firefox out of my profile (actually dot profile) which was added to the start of the path and logged out and then logged back in.  Oh, here is what I made to back up my Firefox and Opera user folders:

http://www.securemecca.com/public/LinuxBrowserBackup.txt

You will have to alter the variables for your particular setup and choose your zip routine.  Just be aware that for something that is not squishy like my Quarantine folder that contains the zips of the PDF and binary files there is almost NO difference between gzip, 7-Zip, bzip2, or xz.  This is where I keep the malware that I ship off to the malware companies.  It makes you wonder what Google is up to by shifting to xz, since at least the Linux executables, GIF and other image files, and binary files don't benefit from any particular zip routine.  In other words, if it isn't broke, don't fix it!

I am having the same problem with somebody who wants to make all kinds of changes to my PAC files.  He doesn't understand that all the people using it are on Linux.  They have that pull folder I provide that compares (diffs) what I had with what I have now and alter their files accordingly.  Ergo me making a huge amount of changes is unwarranted since it will leave them bamboozled.  He is of course free to modify it to his heart's content and distribute the changed file.  He is going to be in for a rude shock on the differences of REGEXP in JavaScript compared to say PERL.  Can he release the changed version?  Certainly!  He just needs to follow the requirements of the least restrictive GPL license that I could find.