[cryptome] Re: 3 Cryptographers at Dinner Mathematical Model
- From: Jason Iannone <jason.iannone@xxxxxxxxx>
- To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
- Date: Tue, 18 Nov 2014 09:50:39 -0700
It looks like the high performance exit node weakness has been exploited.
https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf&;
On Tue, Nov 11, 2014 at 2:10 PM, Jason Iannone <jason.iannone@xxxxxxxxx> wrote:
> Dougie,
>
> While I have no direct information, history and common sense suggest that
> a failure of operational security rather than a failure of tools is to
> blame. Your scenario talks to that as well. Investigative techniques can
> validate and deanonymize users of a tool before they make use of it.
> That¹s not to discredit the very interesting attack surface presented by
> the exit node selection criteria that Tor utilizes, but any exploits
> utilizing such a feature would likely be added to the pile rather than
> represent a key point of entry. Driving known targets to your sniffer box
> is more valuable when you know which flows are theirs.
>
> Jason
>
> -----Original Message-----
> From: doug <douglasrankine2001@xxxxxxxxxxx>
> Reply-To: <cryptome@xxxxxxxxxxxxx>
> Date: Tuesday, November 11, 2014 at 10:35 AM
> To: <cryptome@xxxxxxxxxxxxx>
> Subject: [cryptome] 3 Cryptographers at Dinner Mathematical Model
>
>
>
> Hi Jason,
>
> Not being a mathematician or a logician, I can't argue the
> point...wouldn't know how to.
> However, the problem I have with mathematical modelling is that it is
> limited by its nature...i.e. the limitation of numbers compared with
> words. It's like computer modelling of the environment. Global warming
> and Doomsday all rolled into one, depending on how one sets the
> parameters. it is no good having anonymity and unbreakable encryption
> if the anonymity is not secure. Over a period of time, as the scenario
> develops, along comes one system, only to be outdone by another system.
>
> I notice that the article is getting on a bit. Let me put a different
> scenario. 3 cryptographers decide to have a secret dinner at a secret
> hotel. They are going to discuss software like TOR and decide to prove
> that TOR works by using it anonymously and one of them, yet to be
> decided will be paying it via Bitcoin. They have used anonymising
> software and a variety of methods to communicate with one another. they
> are all experts in TOR...which means that each one of them must have
> used it. As they have all used it, then they all went to the website to
> download it, or find out more about it.
>
> Unbeknownst to them, the NSA, The CIA, The FBI and the Chinese
> Intelligence State Corporation, already knows that they are having a
> meeting, when it is, and what the topic is, and even have copies of the
> menu. Accordingly, they have arranged for the waiter to listen in, and
> for the Maitre D'Hotel to take the payment on his card machine, which
> has been compromised by all 4 intelligence services. The windows are
> bugged, the dinner table is bugged, their cars bugged with travel
> information Not only that, but one of the cryptographers works for GCHQ,
> the other for Mossad and the third one for the Chinese intelligence
> Agency. The French have got wind of it and a honey trap set up for
> after the meeting, for the one who has paid the bill....
>
> As happened at Bletchley, it wasn't just the cracking of the codes,
> using brute force, Collossus, or the bombes...it was the cribs and all
> the other methods which was used. Some encryption was easy to break, it
> wasn't all that important, other encryption was much more difficult,
> particularly that at the highest governmental decision making levels.
> See url:
> http://chris-intel-corner.blogspot.gr/2013/04/decoding-prime-minister-chamb
> erlains.html
> for some stuff on Hitler and his leading Chamberlain up the garden path
> pre Second world War, or the fact that Churchill and Roosevelt's secure
> communication system was broken by the Germans.
>
> I see on cryptome that the FBI and the CIA use and trust TOR to get them
> anonymity on social networks. The more people that use TOR, then the
> more credibility it gets and the more they can hide behind the nodes.
> They trust it. It allows them to work on the dark web. I can see why
> they trust it...because, unlike most of the rest of us they are the only
> ones who have the tools, the resources and the facilities to break it.
> It is a crypto-war between the world's intelligence and security
> services, and if any of them puts a back door into any of their secure
> software, then it isn't long before the others either get to hear about
> it, or find out for themselves.
>
> ATB
> Dougie.
>
> On 11/11/14 16:21, Jason Iannone wrote:
>> The author of the Pando article spends a great deal of time discussing
>> the motivation for developing tor and tying the developers to defense.
>> While those ties are interesting and notable, saddling the first
>> thirty paragraphs with this information leaves a bad taste in my
>> mouth. The discussion of exit node management and the protocol's
>> focus on performance are key. NSA's efforts to build in weakness are
>> well known and it's not much of a stretch to associate built-in
>> weakness to the decision to favor high performance nodes[1].
>>
>> The fact that tor has many use cases doesn't mean its broken. In
>> fact, the government use case may be one of its more valuable selling
>> points. If it's good enough for CIA, it's good enough for me. The
>> foundation is, so far as we know, solid[2].
>>
>> [1]
>>http://csrc.nist.gov/groups/ST/crypto-review/documents/dualec_in_X982_and_
>>sp800-90.pdf
>>
>>
>>[2]https://dl.dropboxusercontent.com/u/23931727/Dining%20Cryptographers%20
>>-%20Chaum.pdf
>>
>>
>> On Tue, Nov 11, 2014 at 7:49 AM, Shaun O'Connor
>><capricorn8159@xxxxxxxxx> wrote:
>>> that was a good one Douggie and I agree entirely with your sentiments on
>>> privacy, security etc.
>>> what bothers me is the way people are being misled into entrusting their
>>> privacy to third parties in the mistaken belief that so doing will give
>>>them
>>> more freedom to get on with whatever they are doing.
>>>
>>> Personally my view is if one wants to maximise operational security (
>>>i'll
>>> call it opsec in future) then it behoves them to get their hands dirtly
>>>and
>>> learn the craft rather then rely on someone else to do it for them.
>>>there is
>>> always a tradeoff between convenience and control.
>>>
>>> ATB
>>> Shaun
>>> ps
>>> Will look at the links later .
>>>
>>> On 11/11/2014 13:08, doug wrote:
>>>
>>> http://pando.com/2014/07/16/tor-spooks/
>>>
>>> I thought that this was an interesting article. I don't use TOR, I have
>>> never tried it because I know its origins...and I can't think of any
>>> knowledge or activities I pursue as being so valuable or secret as to
>>>be a
>>> threat to the state.
>>> Using technology for hiding the online activities of spooks is a
>>>different
>>> ball game from ordinary users using it thinking that their activities,
>>>legal
>>> or otherwise will be anonymous, is a product of too much cannabis oil.
>>>TOR
>>> has different functions for different people and organisations. It is
>>>used
>>> to hide the activities of spooks behind the activities of other users,
>>>the
>>> thinking is that the more of the public that use it, the easier it is
>>>for
>>> them to hide. rAnother advantage is that if enough of the security
>>> community is convince, then they will recommend its use to every one
>>>else.
>>> The US government gives such stuff away to liberation fighters and
>>> revolutionaries whilst its private enterprise sells the antidotes to the
>>> software to those very secret services to which it is opposed. And the
>>> politicians, in my view, know very little about it, believing that they
>>>are
>>> spreading human rights, American, British and Western style, all over
>>>the
>>> dictatorial world. However, the growth of the technology, the
>>>cheapness of
>>> software and storage and the increasing sophistication and wealth
>>>expended
>>> on intelligence and security in the world community has undermined any
>>> superficial safety in using such software as TOR, truecrypt and some
>>>secure
>>> operating systems, in my view. I am not an expert in such matters,
>>> particularly the technical side, but so often in history people have
>>>been
>>> misled into thinking that their communications are secure that they have
>>> been sorely decieved when "the weel laid plans o' mice and men, gang
>>>aft
>>> astray..." as Robert Burns said in "To A Mouse", and they finish up
>>>with
>>> their homes, their lives and their families, as well as their dreams
>>> destroyed.
>>>
>>> Apart from communications with my banks, I don't use encryption,
>>>though I
>>> have experimented with it a little bit. I know of old that if the
>>>security
>>> or intelligence agencies want to access such information then they can.
>>> All
>>> encrypted communications are recorded until they are deciphered...as
>>>policy.
>>> All TOR communications, from going to the website, downloading and
>>> installing, as well as using are monitored. Wouldn't you, if your
>>>mission
>>> put you in charge of the safety security and intelligence on behalf of
>>>the
>>> people and government? It's a bit naive to think otherwise, in my
>>>humble
>>> opinion.
>>>
>>> When using the internet, one has to access it at some point, and
>>>that is
>>> generally through an ISP and an i.p. address, the same thing occurs
>>>when one
>>> receives a communication. It doesn't matter whether it is a phone, or a
>>> laptop, even a wireless connection. As soon as one goes onto the
>>>internet
>>> then the activity is recorded, if not acknowledged. Those are the
>>>weakest
>>> points in my view. When one boils a kettle one knows where the energy
>>> comes from, one knows that the kettle is a container, and, though one
>>>may
>>> not know exactly where the bubbles arise when the container boils, one
>>>knows
>>> when it will boil, the length of time it takes to boil and one can
>>>record
>>> the degree of entropy and the physical emergence of the bubbles of gas
>>>into
>>> the liquid topography. Doesn't take a lot to find out the cause and
>>>effect.
>>>
>>> Studying the materials at Bletchley Park methods are still of much
>>>relevance
>>> in my view. see url:
>>> http://www.bletchleypark.org.uk/
>>> There is plenty of stuff on the website, well worth a visit and lots of
>>> links to all sorts of information, from books to memoirs and memories.
>>> Encryption wasn't the only system which got cracked there. It was the
>>>cribs
>>> which were really important, everything from user mistakes and habits,
>>>to
>>> user locality, from timing and types of coding, from frequency of
>>> transmission and patterns within the signals, to different kinds of
>>>coding
>>> and encyphering machinery. It wasn't all about betrayal by agents.
>>>All of
>>> those, and more, were collated, subjected to analysis and disparate
>>> findings put together, to provide a cohesive picture of the intentions,
>>> habits and wherewithalls of the enemy (or friendly and not so friendly
>>> alien). I dare say that there are even more sophisticated methods
>>>around
>>> today, particularly mathematically and statistically, the software and
>>> storage are so cheap, and many brilliant and educated minds are put
>>>together
>>> collectively in huge warehouses and think tanks to solve the problems.
>>> Poachers become gamekeepers and vikki verki.
>>>
>>> From recent utterings by various personalities, political leaders and
>>>senior
>>> officers of agencies involved in the collection of information and its
>>> analysis, they aren't about to stop any time soon, and I cannot see a
>>> situation in the near future where personal privacy and security are
>>>going
>>> to improve. The safety of the system compared with the privacy and
>>> security of the individual is deemed more important, though they would
>>>say
>>> that they are protecting both. The fear and the pressure is too great
>>>for
>>> all information, all data not to be collected so that governments aren't
>>> taken by surprise. We also know of course, that governments, more often
>>> than not, often do get taken by surprise, even when the information is
>>> presented to them on a plate...they don't believe it, much in the same
>>>way
>>> as analytical thinking can sometimes get in the way of truth and
>>>reality.
>>> Belief systems play a very important role, compared with evidence based,
>>> factual analysis, I have noticed.
>>>
>>> Also, the temptation to go that one step further and to continue
>>>interfering
>>> in the natural processes of historical development in the name of
>>> anti-communism, anti-Cuba, anti-Sovietism and now anti-Russia and
>>>anti-China
>>> and anti Islam and pro western democratic belief systems means, just
>>>like
>>> that "Inside the CIA" book of the 1970's about Latin America, the world
>>>of
>>> international politics will remain a morass and a jungle, with the rule
>>>of
>>> law, international, or national, playing little role, with plots and
>>>plants
>>> blowing up in the faces of the perpetrators as well as destroying the
>>>lives
>>> of the innocent. Did the US intervention in Latin America change the
>>>course
>>> of history? Did it save the world from Communism and bring about human
>>> rights and democracy to the peoples of the world? Did it leave the
>>>people
>>> of the United States in a better world economic, political and
>>>sociological
>>> and cultural position in the world of today...who knows. Hollywood has
>>>all
>>> the answers.
>>> Just a few thoughts on the current developments.
>>> ATB
>>> Dougie.
>>>
>>>
>>>
>>> --
>>> PRIVACY IS A BASIC RIGHT - NOT A CONCESSION
>>
>
>
>
Other related posts:
