
posted by martyb on Friday April 29 2016, @01:17AM
from the cat-pics-are-one-time-pads dept.

The hidden world in short-wave.

I was interviewed a few weeks back for my website, priyom.org [JavaScript recommended], which is a community that tracks and logs numbers stations and military radio stations from all over the world.

The article on The Daily Beast can be found here: http://www.thedailybeast.com/articles/2016/03/06/the-stupidly-simple-spy-messages-no-computer-could-decode.html

When I was 10 years old, I found a shortwave radio in a crumbling old leather trunk where we kept family photos and other memorabilia. As I spun the dial, tinny, modulating noises, like the song of an electronic slide whistle, emanated from the radio's small speaker. Staticky cracks and pops competed for airtime. The sounds swished and swirled, unintelligible and unremarkable. But then, emerging through the clamor, was a voice.

I might have run right over it with the dial, but the voice's rhythmic, steady pacing caught me up short. It wasn't a deejay. Nor a commercial. And he wasn't singing. He was just speaking. The same line, over and over again.

"7...6...7...4...3." Pause. "7...6...7...4...3."

I don't remember if those were the exact numbers. But they were numbers. A repeated sequence which had no obvious meaning, and was entirely devoid of context. To find him here, amidst the screeches and howls of the shortwave frequencies, was like coming upon a man standing in the middle of a forest, talking out loud to no one.

How long had he been here? Who was he talking to? He had that officious tone of the recorded telephone operators who chastised you for dialing a wrong number. "Please hang up, check the number, and dial again." And the same distracting static I'd heard in those messages filled the background. I wasn't sure if he was speaking live, or if he'd been recorded and set loose to play into the air.

It's well-written and a good introduction to the world of numbers stations and short-wave. I think the Soylent community will enjoy the article, and it may prompt some of you to dig a radio out of your attic and have a listen. Alternatively, you can listen to some stations online. Different stations broadcast at different times; check out the listings on the station schedule page (JavaScript required).

Some other resources to check out on the scene:

Enigma 2000 group http://www.brogers.dsl.pipex.com/enigma2000
Simon Mason's website http://www.simonmason.karoo.net/


[Ed. addition.] These stations apparently depend on previously-distributed one-time pads:

In cryptography, the one-time pad is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key. Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition.
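A worked example of the modular-addition scheme described above, added here and not taken from the article, priyom.org, or any station's actual procedure. It works on decimal digits, which is how the messages are read out, formats the result in five-digit groups, and also shows the failure mode behind "if used correctly": when the same pad covers two messages, subtracting the ciphertexts cancels the pad. The message, the fixed pad in the comments, and the function names are all constructed for the example.

```python
"""One-time pad on decimal digits with modular addition (added example).

Constructed values only: the message and fixed pad used in the tests are made
up for illustration and are not from any real transmission.
"""
import secrets


def generate_pad(n: int) -> str:
    """Return n pad digits from the OS CSPRNG.

    A genuine one-time pad needs truly random digits from a hardware source;
    `secrets` is the closest thing available in the standard library and is
    used here only so the example runs stand-alone.
    """
    return "".join(str(secrets.randbelow(10)) for _ in range(n))


def _check(plain: str, pad: str) -> None:
    """Refuse the two misuses that silently break the security argument."""
    if not (plain.isdigit() and pad.isdigit()):
        raise ValueError("message and pad must be strings of decimal digits")
    if len(pad) < len(plain):
        # Never wrap or truncate a pad: repeating key material is what makes
        # the ciphertext attackable.
        raise ValueError("pad is shorter than the message")


def encrypt(plain: str, pad: str) -> str:
    """cipher_i = (plain_i + pad_i) mod 10, one pad digit per message digit."""
    _check(plain, pad)
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(plain, pad))


def decrypt(cipher: str, pad: str) -> str:
    """plain_i = (cipher_i - pad_i) mod 10, the inverse of encrypt()."""
    _check(cipher, pad)
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, pad))


def groups(digits: str, size: int = 5) -> str:
    """Format digits as five-digit groups, the way numbers stations read them."""
    return " ".join(digits[i:i + size] for i in range(0, len(digits), size))


def pad_reuse_leak(cipher1: str, cipher2: str) -> str:
    """What an eavesdropper learns when one pad encrypts two messages.

    (c1 - c2) mod 10 == (p1 - p2) mod 10: the pad cancels out and the
    digit-wise difference of the two plaintexts is exposed without the key.
    This is why the pad is used exactly once.
    """
    return "".join(str((int(a) - int(b)) % 10) for a, b in zip(cipher1, cipher2))


if __name__ == "__main__":
    message = "1234567890"            # constructed plaintext digits
    pad = generate_pad(len(message))  # fresh pad, used once
    cipher = encrypt(message, pad)
    print("pad:    ", groups(pad))
    print("cipher: ", groups(cipher))
    print("decrypt:", groups(decrypt(cipher, pad)))
```

The `pad_reuse_leak` function is the check a reviewer would want: run it on two ciphertexts produced with the same pad and the output is the plaintext difference, which is exactly the information a one-time pad is supposed to withhold.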

  • (Score: 1) by ComaVN on Friday April 29 2016, @07:57AM

    by ComaVN (3722) on Friday April 29 2016, @07:57AM (#338799)

    No it's not. Mersenne Twister has good randomness properties for simulations and the like, but is NOT cryptographically secure: http://crypto.stackexchange.com/questions/12426/is-a-mersenne-twister-cryptographically-secure-if-i-truncate-the-output [stackexchange.com]

  • (Score: 2) by JoeMerchant on Friday April 29 2016, @04:40PM

    by JoeMerchant (3937) on Friday April 29 2016, @04:40PM (#339026)

    And there's a cryptographic variant of Mersenne which is more appropriate for crypto applications.

    Now, if you have a 19937 bit key, you can choose any of 2^19937 - 1 starting points in the Mersenne sequence, which would take quite some time to brute force, but has the vulnerability that once guessed, the attacker can be reasonably sure they have the correct key. Using the cryptographic variant removes that predictability.

    Either is ridiculously secure as compared to asymmetric prime factor schemes.

    --
    Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
    • (Score: 2) by stormwyrm on Saturday April 30 2016, @01:05AM

      by stormwyrm (717) on Saturday April 30 2016, @01:05AM (#339280) Journal

      I'd rather use a real cipher that was designed from the outset as a cipher by professional cryptographers and which has withstood analysis by other professional cryptographers, rather than a PRNG. I'd not trust a design made by mathematicians whose speciality is in statistical randomness, and who might not know all the ins and outs of cryptography. The long key is worthless if your hacked-together cipher has a weakness that permits a shortcut. There are tons of real, well-analysed ciphers out there available. And for another thing, comparing symmetric key algorithms to asymmetric schemes is comparing apples to oranges. An asymmetric scheme like RSA has two different keys, a public one which can be used only for encryption or signature verification, and another, private one that can be used for decryption or signature signing. This permits a reasonably secure solution to the key distribution problem, otherwise it would be necessary for everyone to at some point exchange keys in person, or to rely on an absolutely trusted third party to do key distribution (as is done in Kerberos, doable on an organisation scale maybe, but impractical on Internet scales).
      --
      Plurality should never be posited without necessity.
      • (Score: 2) by JoeMerchant on Saturday April 30 2016, @11:35AM

        by JoeMerchant (3937) on Saturday April 30 2016, @11:35AM (#339444)

        I lived/worked through the era where the officially promoted crypto protocols (endorsed by "professional" widely published cryptographers) were later exposed as vulnerable and even containing back doors for government agencies.

        The essential property of a OTP that makes it resistant to analysis is randomness. Certainly use your asymmetric scheme to exchange keys, if you must, or more secure methods, if you can. My assertion is that the symmetric (OTP) scheme is superior for bulk transfer of data, especially large streams of data that would be vulnerable to frequency analysis if the masking key were not random.

        --
        Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
        • (Score: 2) by stormwyrm on Saturday April 30 2016, @01:05PM

          by stormwyrm (717) on Saturday April 30 2016, @01:05PM (#339463) Journal

          But do make sure you use a REAL one-time pad, not one that is effectively a stream cipher designed by amateurs as you have tried to recommend. If you really do care so much about your security and are that paranoid, build the hardware for your own true random number generator yourself (since you really shouldn't trust any third party to do this properly, since they could give you a fake random number generator and you'd be none the wiser) and use its output as the key for your OTP. An avalanche diode or a radioactive isotope should do nicely. Using an algorithm to generate "random numbers" is essentially equivalent to using a cipher algorithm designed by someone who might or might not know what they are doing.

          A truly random sequence is one which cannot be expressed as the output of a program shorter than the size of the sequence itself. This is the only definition of randomness that will give you all of the very strong security guarantees of a one-time pad. The digits of Pi, for example, by this definition, are NOT random, because you can write a very short program that will produce them. The output of your favoured Mersenne Twister is equally not random by this definition, because there is a short program that can generate it. Look up the definition of Kolmogorov complexity and look into a field called algorithmic information theory if you really want to understand what randomness really means. Gregory Chaitin has several very accessible books on the subject.

          I'd wonder what cryptographic algorithms you are thinking about that have been shown to have weaknesses or back doors for government agencies. There's the Dual_EC_DRBG CPRNG algorithm endorsed by NIST which was suspected to contain an NSA back door ever since it was published, and no one was ever foolish enough to use. That's the only example I can think of that actually contains a back door, and no one who had a choice in the matter ever used it. Notably the NSA did not recommend its use by classified government systems despite its being a FIPS. AES/Rijndael has withstood fifteen years of cryptanalytic attempts and has received an NSA endorsement that allows it to be used to protect US government classified data. The NSA would not do such a thing if they found any major weaknesses in it or if it had a back door, as the chance that a foreign intelligence agency or a sufficiently clever academic cryptographer might someday figure it out independently are rather high. Even DES has remained solid enough that the best known attack against it is hardly better than brute force, and it's only because brute force is now feasible with today's hardware that nobody uses it.

          The TLS/SSL suite has its problems, mostly thanks to government meddling in the days of Crypto War I. But other cryptographic protocols out there have been shown to be even worse mainly because they were designed by amateurs who make amateur mistakes, and were shown insecure after a pro had a look at them.

          --
          Plurality should never be posited without necessity.
          • (Score: 2) by JoeMerchant on Saturday April 30 2016, @08:11PM

            by JoeMerchant (3937) on Saturday April 30 2016, @08:11PM (#339578)

            DES was highly suspect in the early 1990s, elliptic curve was pushed in every academic course as a "standard" around that time, too. I think DES proved somewhat legit, while elliptic curve was never thought to be any good by "people who cared." Then there was the whole NSA deal with this: https://en.wikipedia.org/wiki/Dual_EC_DRBG [wikipedia.org]

            I do live in a world where "good enough" randomness is, in fact, good enough. The secrets I protect are not to be shrouded for all time, and no one would likely bother to try to break ROT-13 on most of it. However, I also live in a world exposed to "common attacks" which are developed on commonly used algorithms, so, when someone breaks a standard tool - if we happen to be using said standard tool - our names will be dragged through the press as "insecure, negligent, etc." As such, a little creativity, even if it results in something less secure, is often preferable to following on the bandwagon of the latest idea of unbreakable. Assuming quantum computers continue to develop at a roughly Moore's Law rate, they'll likely be breaking most current asymmetric key schemes before I retire... but, as inadvisable as it is in many circles, a touch of security through obscurity will keep the standard hacks from forcing a recall on our products.

            --
            Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
            • (Score: 2) by stormwyrm on Sunday May 01 2016, @01:54AM

              by stormwyrm (717) on Sunday May 01 2016, @01:54AM (#339647) Journal

              DES was suspect until academic cryptographers (re)discovered differential cryptanalysis in the late 1980s, and found that when they applied it to DES, the S-boxes for it seemed to have been chosen in such a way as to make their new attack nearly useless, when it positively destroyed other contemporary ciphers. Later, some guy from IBM fessed up and told everyone that they knew all about differential cryptanalysis in the 1970s, that the NSA's mysterious change in the S-boxes was guided by it, and that the government then told them it was classified. I mentioned Dual_EC_DRBG, and also said that no one who had any choice in the matter tried to use it, as not only was it a couple of orders of magnitude slower than most other CPRNG algorithms, it also made use of magic numbers that no one could explain, which made everyone strongly believe that it had a back door put there by the NSA.

              The thing is, the only reason we know that ciphers are any good is that people study and analyse them for weaknesses. This is, like many fields, a difficult and specialised one that takes years to master, and we laypersons can only know that the specialists in the field are any good by looking at track records of what they have done. It's the same as in any field where expertise is difficult to obtain. To imagine that one is able to do better than folks like Schneier, Rijmen, or Rivest just by reading a few random articles from a Google search is an instance of something called the Dunning-Kruger Effect.

              While yes, doing the odd bit of security by obscurity may help keep you secure, if you're trying to communicate securely with anyone outside of yourself at some future time, you have to convince them to use your non-standard system. That is easier said than done, and if the circle of people with whom you wish to communicate becomes large enough, your enemies will also obtain your encryption tools and study them for weaknesses. If you don't really know what you're doing, and chances are you don't (see above), your enemies will eventually find one or more weaknesses and penetrate your security. So much for security by obscurity.

              There is plenty of research being done on post-quantum cryptography and hopefully before quantum computers become practical they will see wide use.

              --
              Plurality should never be posited without necessity.
              • (Score: 2) by JoeMerchant on Sunday May 01 2016, @02:40AM

                by JoeMerchant (3937) on Sunday May 01 2016, @02:40AM (#339654)

                Of course, we accept our vendor's word that their "certified security" is as good as they say, and we, along with dozens of our competitors, use them to tunnel packets under this wonderful blanket of VPN goodness.

                Judging from their technical depth in other areas, I'm assuming that a flaw will be found in their implementation sooner than later, and when it happens I want the people who start looking at our AMQ packets to see mostly white noise, instead of names, addresses, etc. in plaintext. The vendor will scramble and figure out a patch in a month or two, we'll all have a big rollout circus, and things will get back to normal. I just want our department to be able to answer the questions from on-high with "yes, we use them, but our additional layer of security will prevent any exposure." With all the other crap out there in plaintext during the breach, I doubt anybody will care enough to grab our internal communications and try to get into them, and even if they do - we should be clearly shown to be trying harder than the next guy... Yes - this is really only good in closed systems, but when you have the luxury of operating a closed system, why not take advantage of the low hanging fruit?

                --
                Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end