Misdirecting The Enemy

Lots of encrypted files full of rubbish can mislead searchers, especially if you do not have the keys and never did. See Stealth on the point.

In article <coSdnfPef5QuNc_UnZ2dnUVZ_vSdnZ2d@posted.docknet>,
   David E. Ross <nobody@nowhere.not> wrote:
> In the UK, the law mandates that those accused of a crime (and perhaps
> others) comply with a demand from the police for their passphrases and
> private keys.  Failure to comply is itself a crime punishable by
> imprisonment.  Thus, the news report in the Guardian does not mean that
> PGP has been broken.

Of course, you can also download utilities (such as my own FakeFiles - see
www.vigay.com/software/fakefiles.html) which use PGP to generate 100s of
genuinely encrypted but fake messages for which you *CANNOT* produce a key,
because the computer has randomly generated the key, encrypted junk data
and then deleted the key.

This provides a valid level of "plausible deniability", as you can prove
that you have genuinely PGP encrypted messages for which you do not know
(and have never known) the passphrase. These files/messages are
indistinguishable from genuine encrypted files.

--
Paul Vigay                         __\\|//__                 Life,
                                   (` o-o ')             the Universe
--- http://www.vigay.com/ --------ooO-(_)-Ooo----------- & Everything ------

Quality Internet Services, Broadband & Hosting - www.orpheusinternet.co.uk
 

 

In message <5012ea4a2cinvalid-email@invalid-domain.co.uk>
          Paul Vigay <invalid-email@invalid-domain.co.uk> wrote:

> In article <coSdnfPef5QuNc_UnZ2dnUVZ_vSdnZ2d@posted.docknet>,
>    David E. Ross <nobody@nowhere.not> wrote:
>> In the UK, the law mandates that those accused of a crime (and perhaps
>> others) comply with a demand from the police for their passphrases and
>> private keys.  Failure to comply is itself a crime punishable by
>> imprisonment.  Thus, the news report in the Guardian does not mean that
>> PGP has been broken.

> Of course, you can also download utilities (such as my own FakeFiles - see
> www.vigay.com/software/fakefiles.html) which use PGP to generate 100s of
> genuinely encrypted but fake messages for which you *CANNOT* produce a key,
> because the computer has randomly generated the key, encrypted junk data
> and then deleted the key.

> This provides a valid level of "plausible deniability", as you can prove
> that you have genuinely PGP encrypted messages for which you do not know
> (and have never known) the passphrase. These files/messages are
> indistinguishable from genuine encrypted files.

Or you can use software such as my utility Stealth (see
http://www.queen.clara.net/pgp/acorn.html), which provides plausible
deniability by hiding multiple directories inside a container file,
each encrypted with its own passphrase, in such a way that no one
without a knowledge of the passphrases can determine how many actually
exist.  With the right software, Big Brother snooping can be defeated!

Nat

--
Dr. N.M. Queen         | Phone: +44 121 414 6590 Fax: +44 121 414 3389
School of Mathematics  | PGP-encrypted e-mail preferred. Public key at
Univ. of Birmingham    | http://www.queen.clara.net and on keyservers.
Birmingham B15 2TT, UK | Info: http://www.queen.clara.net/pgp/pgp.html
 

 

 

 

 

<5012ea4a2cinvalid-email@invalid-domain.co.uk> <7f58f61250.queen@clara.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Paul Vigay wrote in alt.security.pgp on December 25, 2008 03:12 in
Message-ID: <50131e930cinvalid-email@invalid-domain.co.uk>:

> In article <7f58f61250.queen@clara.co.uk>,
>    Nat Queen <n.m.queen@bham.ac.uk.invalid> wrote:
>
> [Snip]
>
>> exist.  With the right software, Big Brother snooping can be
>> defeated!
>
> Actually, you make a very valid point. It's all well and good having
> useful software to hand, but the biggest problem I find is that of
> *educating* people. Too many people seem to be apathetic to what's
> going on around them in the world. Too many people have the "I've got
> nothing to hide so why should I bother" type mentality.

Paul, you've hit the nail right on the head, here. One of the dreams of the
Cypherpunks for was for universal adoption of crypto to render massive
surveillance of the type we've seen in recent years essentially impossible.

I well remember how law-enforcement officials, such as the FBI's then-
Director Louis Freeh, were publicly proclaiming how the sky was falling due
to the adoption (by criminals) of non-key-escrowed cryptographic software.
They were literally /terrified/ of this prospect.

What they (and the Cypherpunks) didn't count on was the exceeding sloth and
disinterest of the general public.

Even amongst those who /did/ have some desire to make use of encryption,
they didn't want to *learn* anything--they wanted instant gratification,
complete with a point-and-drool interface. As a result, they flocked en-
masse to services like Hushmail that violated the basic principle of public-
key cryptography--i.e. the separation of public and private key pairs. By
keeping both halves of the keypair, and using a modified Java applet to
snag the passphrase, Hushmail made it simple for law-enforcement to pierce
the veil of secrecy afforded by the encryption; additionally, since all the
alleged perpetrators were using Hushmail, they provided the authorities, in
essence, with one-stop-shopping or a single point of failure. [*]

> Big Brother snooping will only be defeated when everyone routinely
> uses secure encryption for all electronic communications, irrespective
> of how trivial it may be.

Precisely. This was the philosophy espoused by the Cypherpunks; they assumed
that: "If you build the tools, they will come" and unfortunately for all of
us, it didn't turn out that way.

> Generations of people have fought and died for freedom and liberty,
> yet a worryingly high percentage of the current generation seem to be
> squandering (or trading) it away.

The sad fact of the matter is that they don't know any better. I've spoken
with young people, and they've described the world wars as "ancient history."
Even in the former East Bloc nations, there is now a generation born and
raised after the fall of Communism, who know little of what their parents
and grandparents went through.

Here in the West, there are fewer and fewer people with direct experience
of fascism. I've read comments made by ostensible former East Bloc citizens
who spoke of wanting to return to their countries of origin. They stated
that the signs they were seeing in Bush's America post-9/11 reminded them
of what they had fled the East Bloc to get away from. Some further commented
that they felt more free back in their home countries now than they do in
the so-called 'free' United States. I've seen others comment that the
surveillance they'd experienced in Britain by far exceeded anything that
they had endured under the Communist regimes.

I've also seen travelers comment that travelling to the United States today
and dealing with U.S. Customs is more reminiscent of entering the Soviet
Union in the mid-1970s than anything else.

> One of my favourite sayings is Benjamin Franklin's "Those who would
> give up Essential Liberty to purchase a little Temporary Safety,
> deserve neither Liberty nor Safety." which seems even more relevant
> today.

Excellent advice, then, and now--but then Franklin and his contemporaries
had direct experience of governmental abuses by the British Crown.

> You owe it to yourself as well as future generations, to protect your
> privacy and freedom. Make a New Year resolution to start using strong
> encryption (such as GnuPG) NOW!!

Agreed. I fear that you are preaching to the converted, however. The great
unwashed masses have their creature comforts, convenient enemies to hate,
e.g. Dateline NBC's "To Catch A Predator," (TCAP), etc. (I've described TCAP
as 1984's two-minute hate expanded to a full hour, including commercials.)

It's the old Roman maxim, as described by Juvenal:  Panem Et Circenses or
Bread and Circuses. 

> Paul

[*] Excellent summary of Hushmail debacle:

   Posted by JimC to http://forum.no2id.net/viewtopic.php?t=20244

   Posted: Sat, 12 Jan 2008 10:19:53 +0000   
   Post subject: Reasons to avoid Hushmail

   Until September 2007, Hushmail received generally favorable reviews
   in the press.[1] [2] It was believed that possible threats, such as
   demands from the legal system to reveal the content of traffic through
   the system, were not as imminent in Canada as they are in the United
   States and if data were to be handed over encrypted messages would
   only be available in encrypted form. However, recent developments
   have led to doubts among security-conscious users about Hushmail's
   security and concern over a backdoor in an OpenPGP service. Hushmail
   has turned over cleartext copies of private e-mail messages associated
   with several addresses at the request of law enforcement agencies under
   a Mutual Legal Assistance Treaty with the United States.[3] One example
   of this behavior is in the case of U.S. v. Tyler Stumbo. [4],[5], [6].
   In addition, the contents of emails between Hushmail addresses were
   analyzed, and a total of 12 CDs were turned over to US authorities.

   The issue originally revolved around the use of the non-java version of
   the Hush system. It performed the encrypt and decrypt steps on Hush's
   servers and then used SSL to transmit the data to the user. The data
   is available as cleartext during this small window; additionally the
   passphrase can be captured at this point. This facilitates the
   decryption of all stored messages and future messages using this
   passphrase. Hushmail has stated that the java version is also
   vulnerable in that they may be compelled to deliver a compromised
   java applet to a user. [7] [8] Hushmail recommends using non web-
   based services such as GnuPG and PGP Desktop for those who need
   stronger security. [9]

   References:

   1 http://www.pcmag.com/article2/0,1895,1136652,00.asp
   2 http://www.npr.org/templates/story/story.php?storyId=5227744
   3 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
   4 http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
   5 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html]
   6 http://blog.wired.com/27bstroke6/hushmail-privacy.html
   7 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
   8 http://blog.wired.com/27bstroke6/hushmail-privacy.html
   9 http://www.hushmail.com/about-security

   SOURCE: http://en.wikipedia.org/wiki/Hushmail


Baal <Baal@Usenet.org>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1E92C0E8
PGP Key Fingerprint: 40E4 E9BB D084 22D5 3DE9  66B8 08E3 638C 1E92 C0E8
Retired Lecturer, Encryption and Data Security, Pedo U, Usenet Campus
- --

"Sed quis custodiet ipsos Custodes?"  --  "Who will watch the Watchmen?"
                              -- Juvenal, Satires, VI, 347. circa 128 AD

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJJZqzsAAoJEAjjY4weksDo3igH+gOoxwVFtti7zj1mPYDn1s4S
8L+U7uKilQAjtGUXZOrChuSmh1YDpEfBpHf7axgsUL0FTTv3+8A8mblYXs8dmrML
Y+Nompu5EkKUq2OmmJZ5uNtBcnFbMKzaOQu0fiMXi1aZD0TGsSeLkMhYT/i9M+2X
2N5gKVbQFOdPUYcQCeZk0EjoiRmykA6/7fd1R5vvvNsvqzhdzCwuSe0kyCin4hxt
/Fx9aHE9uruaX+qpV6H9RQo7VE+/AaT8kPjSCyLR7xbzbYPFoeTp4NlMkwqbUqMt
86h4VRB0B1Ojtr58DEUOMdlZtK5msve7CWDNdXZSPuQpfWr/1MPcTiszTu6jECQ=
=5dBS
-----END PGP SIGNATURE-----

 

 

 

 


> That makes the answer to my question quite clear... but that also makes
> the whole electronic signature scheme in jeopardy if you ask me.
>
> As JTF wrote, once the key is in the hand of the authorities (or anyone
> else but the owner for that matter) we can only consider the key as
> compromised. I am not a privacy rights activists, but I see many things
> wrong with this. UK is a democracy right?
>
> Marc Moisan, C.D.

Actually, this is where having a revocation certificate in the hands
of a third party would help...Once the "phone call" is made, the
revocation can be made immediately from the outside.