curtwill
-
Posts
10 -
Joined
-
Last visited
Posts posted by curtwill
-
-
The entire one time pad thing is, of course, massive overkill. I like a program called FineCrypt. There used to be both free and paid versions out there. The reason I like it is availability of the Mars and RC6 algorithms. A lot of people don't use FineCrypt because of problems with the key generation part of the program. Not random; not secure. I figured out the format for FineCrypt generated keys and started generating my own, then infuse them into the program. Now I have key generation that is as random and secure as I can make it, combined with 2048 bit RC6 or 1248 bit Mars encryption.
Way overkill for anyones needs unless your name happens to be Osama.
-
Using GnuPG (or some variant there of) is currently the most trusted methodology.
By default GnuPG will use RSA which is an asymmetric (public key) cipher. However it also has options for encrypting files using various symmetric key algorithms. Symmetric keys are generally perceived to be less secure because of the difficulty of exchanging the key securely and keeping it a secret.
If you have a strong key and you can keep it a secret, even the XOR algorithm can be nearly impossible to crack. (Especially if you never reuse the same key.)
There are other asymmetric algorithms besides RSA, notably the ones based on elliptic-curves. The Snowden leaks have indicated that certain elliptic curve algorithms (or perhaps just their implementations) may be compromised. However there are others which are believed to still be secure. The reason elliptic curves are important is because it is believed that RSA will become obsolete within the next decade or two, however elliptic curves may remain secure for longer.
(These predictions are based on the specific math problems that each method relies on to make it mathematically difficult to break the crypto, and progress which is being made in academia toward solving those math problems with better speed. If you're interested in the specifics of the math I can link some introductory explanations to get you started.)
The take away is that RSA is secure enough for now. EC is currently the best candidate for the future. And if you can secure the key exchange, then XOR is all you need.
Yes indeed. XOR can make a fine one time pad if you can share the key securely. There are ways to do this. I'll give some hints and leave the rest to the student as an exercise.
First think about what a one time pad is. You start out with a source file, which can be anything (including a cyphertext). You then need a keyfile at least as large as the source file. It must be entirely random (or in our imperfect world, as random as possible). Each byte of the source file is XOR'd by a byte from the padfile. So, a six million byte source file requires a six million byte key. Attacks against this method include attacking the key generator or exploiting anomolies when same pad is repeatedly used.
I am told that some US security agencies generate keying material by shifting a gps stream in a particular way. This is rumoured to be the method used to encrypt the US/Moscow hotline. Both sides sync up and read the gps stream; then do something special to it. Ensuring that "something special" is unpredictable and produces a unique random stream every time is the trick.
So think about how you can do the same thing using something other than the gps data. There must be something that both sides have access to (the more random the better). Then you transform it (into a temporary keystream) in a way that isn't known to the bad guys, ensuring that it becomes "more random" than it was when it started. Then you XOR. Afterward you destroy the pad. Simple.
So put some creativity into developing ways to do this. You need a reference signal of some sort, the more random the better, and a way to sync it so both parties can access it identically. Then you have a preshared means to transform the reference signal. Then you XOR. Then you destroy all traces.
-
Say I want to send a text file to a friend over the internet. I want to encrypt the file so nobody can read it without the key. What type of program should I use to encrypt single files? What if I want to use multiple layers of encryption?
Anybody have some ideas?
Of course, encrypting it at all might attract unwanted attention. So use any file level encryption with 256 encryption with a cypher feedback mode. Set up a throw-away email account at both ends and run through a proxy server like tor for setting up the bogus accounts and sending/receiving the emails. Also, go to a busy starbucks when you set up the bogus accounts or access them, preferably not near home.
Or better yet, set up a single bogus email account and manually share account name and password with your friend. Instead of emailing them the message just save it to the drafts file. That way it never hits the grid except when you create and read it. Follow all other rules as above. I'm told some US black ops groups are communicating this way.This method makes the key distribution problem harder, but if you have a small number of friends it might not be a problem.
Once you're finished communication this way, you can erase your memory of the message by applying a 4000 volt shock......
-
I used to work for US Department of State. We spent more time securing computers and communications againt attack by CIA than by any foreign government. Stae doesn't trust CIA; CIA doesn't trust DIA; DIA doesn't trust CIA; NSA spies on everybody.....
Oh, nobody trusts State. After all, they're all ivy league faggots over there in the Truman Bldg.
-
I hadn't watched the movie Sneakers in a long time so pulled it out last night and was surprised how related it is to current events. For those unfamiliar with movie a team of hacker security testers black mailed by our government to seal a decryption device that can breaking into all other American agencies servers. The CIA is doing the blackmailing and use the hackers because CIA isn't allowed to operate domesticly. Well Snowden has shown that is BS. End of movie you have hackers get the box, but get blackmail by friendlier goverment agency to turn the decryption box to them. So CIA wants the box to spy on all other American agencies and FBI is trying to make sure no one get the box or knows such a thing even exists. So I wonder if in 1992 when movie came out they had any idea how on target they were about the CIA they were.
I used to work for US Department of State. We spent more time securing computers and communications againt attack by CIA than by any foreign government. Stae doesn't trust CIA; CIA doesn't trust DIA; DIA doesn't trust CIA; NSA spies on everybody.....
-
I'm a complete noob to wifi pineapple so I might be full of it here; but I do have about 30 years experience with various unix and unix-like systems.
In the old days before we had unix systems administrators to worry about running our machines, we used to type "sync" three times before powering down a unix box. My fingers just automatically do it without thinking. Interestingly, I just ssh'd into my pineapple and issued "shutdown -h now" and found that the pineapple doesn't understand shutdown. It does understand both reboot and sync. Reboot doesn't help when you want to power down the box, so I don't see an alternative to unplugging the power supply.
Wifi Pineapple is definitely the coolest toy I've had to play with in a while. I'm already thinking about building a clone on the ODROID X2. The lust for power never diminishes.
What if you saw someone using a pineapple in public, clearly using it illegally? Would you kung-fu them?
in Everything Else
Posted
I have other hardware that looks very similar to the pineapple MK4 anyway. It could be real embarassing for you if you grabbed me in public. So my advice would be to do nothing.