TrueCrypt

TrueCrypt is a free, open source tool for creating encrypted hard drive partitions as well as virtual encrypted disks.

The cool thing about TrueCrypt is it offers tons of options that let you choose your level of paranoia. For example, for the really paranoid, TrueCrypt can create a hidden volume inside an encrypted volume, so even if you’re forced to give up the password to the encrypted volume, the hidden volume is still password protected and undetectable.

You’ve also got your choice of encryption algorithms including, AES-256, Blowfish, CAST5, Serpent, Triple DES, and Twofish.

My kind of software.

Would Encryption Controls Have Prevented the 9/11 Attack?

After the terrorist attack on the United States, politicians and security experts are emerging from the woodwork to essentially revive the Clipper chip initiative. All cryptographic systems, these folks claim, should have built-in backdoors which government authorities could use to decrypt messages if need be. Aside from the civil liberties issues, the main problem is that this seems to be based on a false premise — that the terrorists were able to pull of their brazen attack because, at least in part, they encrypted their communications.

Piecing together what little has been publicly revealed, it seems that rather than rely on PGP or other encryption schemes, the terrorists used plain old unencrypted web mail, public access terminals, and the ages old practice of code words to talk about their plans. According to a story in The Guardian,

FBI investigators had been able to locate hundreds of email communications, sent 30 to 45 days before the attack. Records had been obtained from internet service providers and from public libraries. The messages, in both English and Arabic, were sent within the US and internationally. They had been sent from personal computers or from public sites such as libraries. They used a variety of ISPs, including accounts on Hotmail.

According to the FBI, the conspirators had not used encryption or concealment methods. Once found, the emails could be openly read.

In fact, as a security expert told The Guardian, if the terrorists had used PGP their plot would have had a higher chance of being uncovered since the steady stream of encrypted messages would have stood out.

Terrorists and criminals who are not already known to authorities can hide in this way because of the sheer volume of communication over the Internet. The NSA, for example, is reportedly building one of the largest electronic archival systems in the world, capable of holding up to 20 million gigabytes of information … an amazing amount of information, but according to The Guardian, only enough space to archive intercepted Internet communications for 90 days.

And just think how much larger that traffic is going to be 5 or 10 years from now, as the rest of the world starts to become as wired as the United States and Europe already are, and new applications and uses for the Internet take off within the already Internet-saturated countries.

Crack Down on Prime Numbers!

ZDNet reports that some members of Congress want a worldwide ban on “uncrackable” computer encryption in the wake of the terrorist attacks on the United States.

First, no existing system of computer encryption is uncrackable. Very difficult to crack if implemented correctly, but not uncrackable. Even systems using what should be an uncrackable scheme — one time pads — usually end up being cracked given enough time due to human factors that for a number of reason are almost impossible to eliminate.

Second, we need “uncrackable” computer encryption. As computers have gotten faster and advances in mathematical theory and programming have occurred, we’ve seen one after another encryption scheme brought down to the ground by some creative folks. Look at SSH, for example, which is a widely deployed and extremely secure system, except it is possible in theory to crack it because of idiosyncracies about how people tend to type (i.e. in theory, you might be able to guess my password by seeing how long it takes me to go from one letter to the next and then inferring from that which keys I must be typing). The more uncrackable, the better.

Third, even if it were a good idea, the possibility of a global ban on something like public-key encryption is ludicrous. There is no way such a ban could ever work. Would they really want to go around and arrest anyone who posts a PGP key? It’s just a silly proposal, especially when it comes to terrorists. Afghanistan let Osama bin Laden set up terrorist training camps in that country — does Congress really think they would have demanded that he relinquish his copy of PGP?

The Uproar over Dmitri Sklyarov’s Arrest

Last week, in an action instigated by Adobe, the Federal Bureau of Investigation arrested Russian programmer Dmitri Skylarov. Skylarov is accused of violating the Digital Millenium Copyright Act.

Basically, Adobe has a copyprotection scheme which encrypts PDF files. The system has a number of weaknesses, however, and Sklarov wrote a program that can quickly remove such copy protection measures.

A lot of the debate over the arrest online focuses on the DMCA and the elimination of “fair use.” For example, there are a number of programs which read aloud the text of documents for blind people (or anyone else for that matter). The encryption system used by Adobe typically renders such programs useless, even though such use clearly falls within the fair use provision of traditional copyright law — proving the main point of DMCA critics, that the end result of the legislation will be to eliminate any sort of fair use.

What really concerns me, however, is an issue that I haven’t really seen discussed. This program was created in and is sold by a company based in Russia where the DMCA does not apply. American companies, U.S. citizens and many politicians have been concerned that countries with restrictive speech laws would go after Internet communications that originate in the United States where laws are generally more expansive.

But here the shoe is on the other foot — the United States is attempting to legally enforce its copyright laws on a product that is completely legal to produce and sell within the country it was created.

This is definitely not the road the United States should be going down. In fact, you have to wonder if prosecutors in France and Germany aren’t licking their chops. After all both countries have brought cases against American Internet-based companies such as Yahoo! and Amazon on the grounds that the companies weren’t doing an effective job of not selling illegal contraband (such as books) that are legal in the U.S. but illegal in Germany. Prosecuting Skylarov simply buttresses the legal arguments made by those governments that they can prosecute a business for engaging in activities that are completely legal within a company’s home country.

It will be interesting to see how the United States would react if, say, Jeff Bezos went on vacation to Saudi Arabia and was arrested for violating Saudi Arabian law. Or if some police agency in India set a similar trap for Yahoo!’s Terry Semel for real or imagined slights against Hindus on Yahoo!’s discussion boards.

Sklyarov’s arrest really sets a dangerous precedent in this area.

Is Osama Bin Laden Using Encryption?

A few years ago I read an interview with a professor of journalism who argued that reporters needed to become advocates for particular views rather than simply reporters of facts. I have always thought this was a very bad idea, and USA Today demonstrated why today.

USA Today’s Jack Kelly filed a fluff piece basically repeating spook nonsense that strong encryption is helping out terrorists. After going through a long bit of nonsense claiming that Bin Laden has even moved into steganography, Kelly laments,

It’s no wonder the FBI wants all encryption programs to file what amounts to a “master key” with a federal authority that would allow them, with a judge’s permission, to decrypt a code in a case of national security. But civil liberties groups, which offer encryption programs on the Web to further privacy, have vowed to fight it.

Give me a break. This is just like gun control — the criminal elements aren’t going to use systems that require master keys. It comes across almost as if the spooks themselves don’t have any idea what they’re talking about.

The story, and others based on the same material, is surprisingly lacking in any sort of evidence other than the fact that terrorists use e-mail and in the pasth ave used relatively weak encryption schemes to hide some data. I’d like to see some proof that Bin Laden and his group are putting coded messages into pornography and placing it on the Internet (as folks on Slashdot noted, that might explain why porn takes so long to download!) or that they’re using Internet chat rooms to plan terrorist acts.

Remember this is the same group that claimed they had absolute incontrovertible proof that a Sudanese pharmaceutical plant was being used to manufacture chemical weapons. Bill Clinton bombed the plant based on that claim which turned out to be a complete lie.

This is just the last gasp of the intelligence agency to try to retain their monopoly on secrecy. Tune in next week when USA Today will discuss how child pornographers are using very big prime numbers to get away with their crimes.

When prime numbers are criminalized, only criminals will have prime numbers.

Source:

Terror groups hide behind Web encryption. Jack Kelley, USA Today, February 6, 2001.