Donate for the Cryptome archive of files from June 1996 to the present

8 March 2013

Where We Are Right Now on Comsec


From: Tom Ritter <tom[at]ritter.vg>
Date: Fri, 8 Mar 2013 13:05:30 -0500
Subject: Re: Summary of where we are right now
To: <cypherpunks[at]al-qaeda.net>, <cypherpunks[at]lne.com>

> So they figured it was easier to just get suckers to use some form of
> encryption (including and specifically TOR) to send the red flag that
> someone wanted to hide something, so "look over here!".

I don't agree that the NRL [Naval Research Laboratory] funded Tor for this purpose, but I do agree that our tools today (Tor, mixmaster/mixminion, PGP mail, RedPhone, TextSecure, OTR, etc) are easily distinguishable in traffic streams, and that this is a problem. Just as Riseup collects a bunch of people who care a lot about privacy onto one mailserver - people using these tools are likely to be interesting.

Skype, Facebook, Gmail - for all their problems, they are ubiquitous, and don't draw attention.

> 3. But we are going to win. Yeah, we're gonna win. Why? Because we want to.
> It's not enough to encrypt: The type and context of encryption had to be
> hidden as well. Kind of the network version of Rubberhose. But these young
> kids who grew up not watching TV because it didn't interact with them, it's
> they who will create a stego virus to propagate fake stego everywhere on
> Facebook or whatever. It's them who are going to create TOR services that
> operate ubiquitously behind the scenes, so that most users dob't even know
> they are using it. Hiding the form of encryption will itself be the final
> frontier as crypto becomes ubiquitous.

A friend I talked with recently told me he thought it was easy to set up an anonymity system that worked great for you and your friends, and near impossible to build one that worked well for everyone else. Once it got popular or you became a target of investigation, people would put the effort into detecting it. Otherwise, it would continue along, looking like another TLS/SSH/Skype/whatever that just a little bit odd... Tor faces this problem immensely.

I don't see us as having won, I see us as now knowing how to fight.

We know the devices they will use to easily detect our traffic, and in most cases we can get access to them. We must make our protocols indistinguishable on the wire. We know the ubiquitous services and protocols that we must work within or disguise ourselves as.

We know (some of? most of?) the statistical attacks adversaries of the future can conduct - we must make them as difficult and expensive as possible for them to achieve.

We know how woefully inadequate the user interfaces and requirements of the first generation of tools were, and we know where we must go: to browsers, smartphones, tablets, and consumer operating systems.

We have a much better idea of how normal people will react to our tools, and thus how much effort we must make to make them usable, and push for ubiquity.

We know what requirements are unreasonable of us to make upon people, and that we must design systems where those requirements are worked around, dulled, or the single 'sharp edge' of the system.

-tom


[Beginning of thread:]

From: Tyler Durden <camera_lumina[at]hotmail.com>
To: <cypherpunks[at]al-qaeda.net>, <cypherpunks[at]lne.com>
Subject: Summary of where we are right now
Date: Thu, 7 Mar 2013 21:28:32 -0500

Since I haven't seen anything come off of the list for a while and since I've imbibed some nice single-malt, I will for the fuck of it summarize where things are. Any Cypherpunk with some kinda balls will tell me I'm completely and absolutely full of shit, but at least I tried, so do better.

1. We won. With Bitcoin and Silk Road along with encrypted peer-to-peer sharing networks (oh yeah and TOR), it's pretty clear we won. There's a lotta popular literature out there now discovering Cypherpunks anew. Some form of Crypto is out there, for those that want to use it, that can can make it real pain in the ass for TLAs to discover that your "Afghan" is really just a form of 80s retro-pot.

2. No, we didn't win yet: TOR is a honeypot. That's right, motherfucker: You do know who really gave TOR its initial impetus, right? And you know why they did that? They did it precisely because it was too obvious and too expensive to pull EVERYTHING back to Virginia or wherever. So they figured it was easier to just get suckers to use some form of encryption (including and specifically TOR) to send the red flag that someone wanted to hide something, so "look over here!". Anything TOR'd is certainly backhauled to the greater DC area and, if there are any additional meta-meta-data risk flags, they'll red light it to begin cracking. If they can't crack within reasonable time/cost budgets (given the risk), and if they for some reason feel a little nervous about you, well they'll just find out where you are and attack your shitty machine. Oh, you use Linux? Well that's totally different. It's not like they hired any brilliant math or crypto geek coming out of college or grad school.

3. But we are going to win. Yeah, we're gonna win. Why? Because we want to. It's not enough to encrypt: The type and context of encryption had to be hidden as well. Kind of the network version of Rubberhose. But these young kids who grew up not watching TV because it didn't interact with them, it's they who will create a stego virus to propagate fake stego everywhere on Facebook or whatever. It's them who are going to create TOR services that operate ubiquitously behind the scenes, so that most users dob't even know they are using it. Hiding the form of encryption will itself be the final frontier as crypto becomes ubiquitous.

4. Bitcoin, motherfucker. Crazy old cackling May was right. Or at least, he was right enough. Right enough for me to buy pot or 'cid or shrooms over the internet and have them sent to my Unabomber shack. Even less...tasteful...forms of porn will be tolerated precisely because THEY can't reveal what they can do, at least not unless their own salaries are in jeopardy. Adrian Lamo? No doubt THEY looked for someone who had contact Manning so that they could hide what they had intercepted and what they could do. But they will keep hiding what they can do while a real economy takes over and sorts out its own.

Yeah, that's it. It's downhill from here. Cypherpunks are dead because they are no longer needed, so long live the King of the Anarchy.