(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Crypto’ Category

2017 Krypt3ia Kryptos Crypto Challenge!



Solve the cipher.

Follow the instructions.

Collect your prize.

You have until 7.30.17 to complete.








No one managed to crack the cipher, it seems, so here is the solution for it and how it was made. As you can see, the image that I used as a logo for this contest was not the cipher itself. However, it did hold a clue; in fact, one of the two keys to the initial cipher was embedded within the image.

The image itself is a rendering of the last part of the KRYPTOS art piece at CIA HQ. Had you Googled the text in white within the image above, you would have come up with “BERLIN”. This was key one to the initial cipher. The rest is below.


Four Square Cipher

Cipher Text Decrypt:

Condor is an amateur Hes lost unpredictable perhaps even sentimental He could fool a professional Not deliberately but precisely because he is lost doesnt know what to do Unlike Wicks who has always been entirely predictable

go to <REDACTED DARKNET ADDRESS> slash condor dot html locate hidden instructions and follow them


Homophonic Cipher

MUL: 47

ROT 62


59 10 56 10 90 55 89 80 02 92 74 65 45 16 28 44 31 24 62 17 61 80 17 65 63 33 95 34 79 89 64 16 57 55 31 78 51 77 74 74 07 78 56 16 61 05 24 51 23 90 02 81 64 23 44 24 98 55 45 20 53 88 27 97 10 39 29 90 02 11 74 10 84 35 01 03 20 90 61 51 48 16 18 70 63 83 44 91 33 69 36 33 37 16 28 50 14 90 09 17 86 20 57 09 41 02 16 28 03 26 41 97 09 77 98 09 63 37 63 28 65 35 92 99 33 71 84 13 82 57 44 63 18 57 08 37 17 08 06 83



Written by Krypt3ia

2017/07/21 at 00:00

Darknet Numbers Pages Proof of Concept




Numbers Station:

So with all the kerfuffle over crypto I decided to give everyone a big fuck you and do something low-tek just to mess with the narrative. Right, so you all know what numbers stations are right? Well, I decided that it was time that the internet have one all its own but not on the clearnet no sir-ee! I wanted a darknet spooky spooky impenetrable super scary numbers station! So I began to hatch a dastardly nation state level of fuckery that surely will have the gubment all up in arms over my crypto darknet wizardry! I set up a site and I communicated with some people secretly and securely and no one was the wiser. Not one federal agency that I know of saw the site, no scripted scouring of the darknet cached my page that I am aware of (and I asked) and generally, I just pulled off the new age of tradecraft that the KGB should be jealous of!

Here’s how I did it.

Proof of Concept

The Plan

As I was thinking about a means of communication using the darknet to avoid prying eyes and to do so securely I came to the conclusion that I sure could use PGP and some email service out there but gee, lately those have been pwn3d too so fuck that. Instead I wanted to be more old skewl and opted for two way comms through OTP and a static page that could live on the darknet at periods of the day and night of my choosing with those I want to communicate with in the know as to timetables with, well, a timetable. Commonly on the air Numbers stations beacon at specific times of the day and week so this is kind of the same thing. So I set to making a highly portable TOR capable platform that I could take with me and connect to WIFI at hotels, bars, cafes, rando people’s houses etc. I could effectively have a transient site that would be hard to track and harder to narrow down where it lives because it is not in some rack somewhere stationary and waiting to be deanonymized and pwn3d.


I opted for a netbook that I had laying around after doing the math on a Raspberry Pi. It was far cheaper to use an old old netbook I had than go spend money on a pi and it was just as portable. Once I got the laptop up and running on backbox, I then installed the TOR system and configured it for having its own hidden site. I then installed lighttpd and created a very small stripped down page of text and color in which I then hid the encoded text in the black space. No need to be all fancy here and it was a flourish anyway. It doesn’t have to be pretty to work and yet this lightweight site and the server it was on allowed me to communicate well enough while the whole thing was secure from being hacked. I had testing run on it and the tester was unable to own the box nor the site.

Once the testing was over I let the site run. It was up and down per specific times and communication was made using a second site on the darknet where people could post to a pasteit where we could have coded signals (basically; understood and complying) so that the communications stream would be innocuous enough using code words. You could use images on chans or the old trope of putting up an ad for something and even having more code in the text of that if you wanna get fancy and all.

The Tools

  • Net top laptop
  • Backbox linux distro
  • TOR
  • Lighttpd
  • One Time Pads (plenty of places on the net to create them)
  • Timetable for uptime and downtime for comms
  • Assets to communicate with
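The pad arithmetic behind the “One Time Pads” item in the list above, as an added example that is not the author's code: it draws the pad from the operating system's CSPRNG and shows that two messages enciphered with the same pad leak their difference with the pad cancelled out, which is why a pad is used once. The letter-to-digit table (A=01 … Z=26, space=00), the five-digit grouping and all function names are assumptions made here.

```python
import secrets


def text_to_digits(text):
    """Encode A-Z and space as two decimal digits each (assumed table)."""
    digits = []
    for ch in text.upper():
        if ch == " ":
            code = 0
        elif "A" <= ch <= "Z":
            code = ord(ch) - ord("A") + 1
        else:
            raise ValueError(f"unsupported character: {ch!r}")
        digits.extend(divmod(code, 10))
    return digits


def digits_to_text(digits):
    """Inverse of text_to_digits; codes outside the table become '?'."""
    if len(digits) % 2:
        raise ValueError("digit stream must have even length")
    out = []
    for hi, lo in zip(digits[0::2], digits[1::2]):
        code = hi * 10 + lo
        if code == 0:
            out.append(" ")
        elif 1 <= code <= 26:
            out.append(chr(ord("A") + code - 1))
        else:
            out.append("?")  # what a wrong or misaligned pad produces
    return "".join(out)


def new_pad(length):
    """Pad digits from the OS CSPRNG; a pad fetched from a web page is known to that site."""
    return [secrets.randbelow(10) for _ in range(length)]


def otp_encrypt(plain_digits, pad):
    """Digit-wise addition mod 10; refuses to run off the end of the pad."""
    if len(pad) < len(plain_digits):
        raise ValueError("pad is shorter than the message")
    return [(p + k) % 10 for p, k in zip(plain_digits, pad)]


def otp_decrypt(cipher_digits, pad):
    """Digit-wise subtraction mod 10 with the same pad."""
    if len(pad) < len(cipher_digits):
        raise ValueError("pad is shorter than the message")
    return [(c - k) % 10 for c, k in zip(cipher_digits, pad)]


def groups(digits, size=5):
    """Format digits in numbers-station style groups."""
    s = "".join(str(d) for d in digits)
    return " ".join(s[i:i + size] for i in range(0, len(s), size))


def reuse_leak(ct1, ct2):
    """Difference of two ciphertexts made with the SAME pad: the pad cancels."""
    return [(a - b) % 10 for a, b in zip(ct1, ct2)]


if __name__ == "__main__":
    # Constructed sample messages (the post's own code words).
    m1 = text_to_digits("UNDERSTOOD")
    m2 = text_to_digits("COMPLYING ")
    pad = new_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    print("broadcast :", groups(c1))
    print("decrypted :", digits_to_text(otp_decrypt(c1, pad)))
    # Reusing the pad for a second message hands an observer m1 - m2.
    c2 = otp_encrypt(m2, pad)
    leak = reuse_leak(c1, c2)
    print("pad reuse leaks plaintext difference:",
          leak == [(a - b) % 10 for a, b in zip(m1, m2)])
```
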

The Tradecraft

Using this method of secret communication one could plan out all kinds of badness if they wanted to. Having a stealth site that is transient too also allows for more security but as always the people are the weak point. If an asset is caught then the means of communication is blown. Just like the analog counterparts (AM/SW Numbers Stations) this type of communication could go on untouched and unbroken for a long time because of the frequency changes, the IP address changes, and mobility of the asset. Just imagine if the analog version of Numbers Stations were actually not just in some building but in a backpack eh?

The hardest part of all of this is that you have to train your assets to use OTP and to have proper OPSEC. It can be done though, so this is a viable means of secret communication that is low tek enough yet high tek enough for the average person to easily carry out if they are determined to. It would bypass all the email shenanigans as well as texts, calls, chats, that can be intercepted by warrants to companies like Apple and AT&T. After all, how hard is it today to get a distro of linux on a box, install TOR, set up a hidden site, and start using OTP?

Wait… Ok maybe it is a little hard.

Still doable though… I mean it worked for me and my “assets”

Enjoy kids!


Written by Krypt3ia

2016/10/25 at 20:41

Posted in 1984, Crypto, DARKNET






Play starts August third 2016 and ends August sixth at midnight

The image above is your clue. Solve the puzzle(s) crypto and WIN a cleaned Roman coin from two thousand years ago!

Good luck.

Dr. Krypt3ia

Written by Krypt3ia

2016/08/03 at 00:01

Posted in Crypto

1984… 1993… 2016.



I remember seeing the Apple commercial back in the day when it came out that depicted 1984 as the catchy advertising plot point for the Mac computer at the time. If only Woz and Jobs had known just how prophetic those images would be today. I remember too back in 1993 when the idea was floated and a governmental movement began to have a back door (aka a clipper chip) inserted into systems to allow access by the government *cough NSA cough* to be able to see the “evil doers” and stop them. I also remember the sane stopped that from happening. Well, that was then and this is now, well past 9/11 and nigh on 16 years later, we are faced with not only a government toying with the idea again but a federal body demanding through writ of law that a company break the system they have created for what is being touted as the greater good.

Friends, while I agree terrorism is bad (I was there a day after 9/11 and worked with the red cross there) I have to stop short at believing that the GWOT needs for us all to give up ALL semblance of personal privacy to fight the terrorists. In fact, I would like to call bullshit on the FBI’s and Comey’s desires to break the systems of cryptography for an alleged boon to the fight on terror. It has become clear that the director of the FBI is not a tech guy and does not understand crypto very well but that is no excuse to continue to leverage the courts to try to induce a company to break its system for one phone let alone the notion that this one instance would not be re-used and re-packaged to do so again whenever they (the FBI) liked. This is precedent time, not just a one off issue with a terrorist’s phone that may or may not have any data on it concerning other actors who may have radicalised Syed Farook and his wife.

Clearly we are at a precipice here in our digital democracy that has been building for some time. I have attended more than a few seminars by the ACLU and the Electronic Frontier Foundation on the 4th Amendment and the digital domain and I have to tell you we are all behind the 8 ball on this one with the way the government lawyers tend to think. I have seen people compelled to give their passwords against the 5th Amendment as well and folks it’s time for you to be rather concerned about this. This is the time to really fund the EFF and to bone up on your own rights where these matters are concerned. It is also time for the cypherpunks out there to double and triple in numbers. I hate to say it but I will put it in the common derpy vernacular that is all the rage now…

We are all at cyber war.

When you are at cyber war with a nation state you will lose.

Now, the US and the FBI are becoming the definition of a Nation State Actor. Though, not on a foreign nation. They are targeting you too.

Overreach by the FBI has been a thing for a long time and if you just Google it you will be able to read quite a lot about it. Now consider all of the machinations of the TAO and all of the legal wrangling their lawyers have done to rationalize what they are doing as legal. Remember John Yoo? Well you should and if you don’t Google him up. It’s easy for lawyers to fuzz the legalities and the moralities into an ethics-less pile of phrases that only allow them to get away with things. I am going to guarantee you now that if this order goes through and Apple is forced to back door the iPhone at a base level, it will be re-used and it will be abused just like the use of STINGRAYS has been lately and it won’t stop there. Once the precedent has been set in law, the legal bar has been set and then it is just a matter of how long until the rights we all have been granted in the US under the Constitution get even more eroded by slick ideas and arguments by those with an agenda of fear.

Honestly, if you look at the history of the terrorism that has occurred these people are known quantities already and that is without the use of back doors or breaking, hacking, and negating rights. This is not a crypto issue but more so a law enforcement issue of not being able to keep up with their own databases. Please people, don’t buy into crypto being a clear and present danger to you and yours. Crypto is no existential threat, instead the abuse of the laws we have on the books is. Ordering Apple is just the next worst step on the slippery slope to becoming that which we have seen in the 1984 commercial.

Dr. K.


Written by Krypt3ia

2016/02/18 at 20:39

Posted in Crypto

Shmoocon Crypto Roman Coin Challenge





Crack this cipher.

Find me at Shmoocon 2015

Give me the decrypt and the meaning of the crypted text.

I will give you a two thousand year old Roman coin.


For those who tried to solve this here are the particulars to the cryptogram

  • The crypted text was a Vigenere Cipher
  • The text was obfuscated
  • This was a tough one to solve because of the nature of the decrypted text. It would have been tough to determine through frequency analysis if there were any patterns because the text is random.


gwaid clurp awtap jpjxt tfdmz zsydg inznw yboxo evibq svmts fjlry yyoyl
adxfs uuefj ajcsa cbjet bxqih rszvc iyoin fkawt oudjh mhdbz fnbac qwfjs
ypklf fiqzb rcifq iqssw tkcuq fkppb qdeql mnslw tcypw tpsaa forcw nkdxw
tvmcj ypbfm urixx gapoz fgpye fiuwl cqzik xlslc lpwsz lxjsq hoevb bdrrz
tdkba sptvp moolr mlkhm eodqn ophfx krrvm jvrjh dltkt mackh fsttn wukrl
spwmj mfbkd rtrux exwya hlikb htcuo yywgk otjup rcsxt ovkzi krzpu ogces
ajahg bqzld fkazh wpkgm maieb kjsau nvlan hydvc pbrid jzvzn whnbw vehuh
uzhov hxvlm oqzhj gvrsy ozcmf wlurj ozric pgmfb jtyxy innej rcjoc xhhag
ceskl yzywd xtqkq ugipd yngqp dbqpq hszmk tzrlk nfpok tuerf sqogk rwepb
ulobf pxmxq iuhru afira nosua khgso jxfwy zwdwp fjcmm gtfjy fxjkp fjbna

What is that? The decrypted text is the phonetic transcription of the E10 Numbers Station
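Why frequency analysis stalls on a Vigenere ciphertext like this one, as an added example (not the challenge's own code): it enciphers a constructed English passage and a same-length string of uniformly random letters under a hypothetical seven-letter key, then compares the per-column index of coincidence that period-finding depends on. The key `kryptos`, the sample passage, the 0.055 threshold and the assumption that the challenge plaintext behaves like uniformly random letters are all choices made for this illustration.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Vigenere over a-z; text and key must already be lowercase letters."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * shift) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def column_ic(ciphertext, period):
    """Mean IC of the columns formed by taking every period-th letter."""
    columns = [ciphertext[i::period] for i in range(period)]
    return sum(index_of_coincidence(c) for c in columns) / period


def detect_period(ciphertext, max_period=10, threshold=0.055):
    """Smallest period whose columns look like one Caesar shift of English."""
    for period in range(1, max_period + 1):
        if column_ic(ciphertext, period) > threshold:
            return period
    return None  # no period stands out: nothing for frequency analysis to grip


def letters_only(text):
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


KEY = "kryptos"  # hypothetical key, not the challenge key

# Constructed English sample, written for this example.
ENGLISH_SAMPLE = letters_only("""
A numbers station is a shortwave radio broadcast that reads out long
strings of digits or letters in a flat synthetic voice. Listeners have
logged these transmissions for decades and most people assume that they
carry messages for agents in the field who copy the groups down by hand
and decrypt them later with a one time pad. Nobody outside the service
that runs the station can read the traffic because every pad is used
only once and then destroyed. The schedule is fixed in advance so the
receiver knows which frequency to tune and at what hour to listen. When
the broadcast ends there is nothing left on the air to trace and the
only evidence is a notebook full of numbers that mean nothing without
the matching pad. That is why the method has survived long after most
other cold war tradecraft was retired and why hobbyists still keep
careful logs of every voice and every schedule they can hear at night.
""")

# Constructed random plaintext of the same length (fixed seed for repeatability).
_rng = random.Random(2015)
RANDOM_SAMPLE = "".join(_rng.choice(ALPHABET) for _ in ENGLISH_SAMPLE)

ENGLISH_CT = vigenere(ENGLISH_SAMPLE, KEY)
RANDOM_CT = vigenere(RANDOM_SAMPLE, KEY)

if __name__ == "__main__":
    print("period  english-plaintext  random-plaintext")
    for p in range(1, 11):
        print(f"{p:6d}  {column_ic(ENGLISH_CT, p):17.4f}  {column_ic(RANDOM_CT, p):16.4f}")
    print("detected period, English plaintext:", detect_period(ENGLISH_CT))
    print("detected period, random plaintext :", detect_period(RANDOM_CT))
```

With English underneath, the column IC jumps toward 0.066 at the key length; with random letters underneath it stays near 1/26 at every period, so there is no key length to find and no way to recognize a correct decrypt by its letter statistics.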

What is a numbers station?

Maybe next year will be the lucky one for you…


Written by Krypt3ia

2014/12/24 at 01:30

Posted in Crypto

The DARKNET: Operation Legitimacy?



gaiuaim ioi dui pln!


The “Darknets” You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web” and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as a legitimate whistle blower.

Still Mos Eisley but….

I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.

One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.


So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.

Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.

Time will tell though I guess…


L’affaire du Petraeus: Electronic Communications (ELINT) and Your Privacy



Afsrtbnfmzndopeezygpmcmvgbcnlstmcgthozr rkmrkmjlskkmgecuvgi


Thoughts On The Politics, Media Frenzy, and Schadenfreude

As you all now know, General Petraeus (aka P4) was caught using a dead drop Gmail acct with his lover (Broadwell) because the lover got jealous over another woman who was perhaps flirting with her down low guy. Many out there have made this all into a Greek tragedy though because of the perceived rights to privacy we all are supposed to enjoy as US citizens and bemoan the whole affair because it was all leaked to the press. Personally I think that it was necessary for the general to step down from the DCI post as well as be outed because he was DCI to start; however, generally this thing has become the new digital slow speed chase in a white bronco all over again for me.

Sure, the schadenfreude is fun, and there are many gawkers and rubber necks out there watching with glee but in the end there is much more to this debacle than just getting some on the side within the political sphere. The bigger picture issues are multiple and I will cover them below, but to start let’s just sit back and watch the calamitous demolition of those who partook and their hubris.

*pours whiskey into glass and watches*

Petraeus and His Fourth Amendment Rights as Director Central Intelligence (DCI)

Some (namely Rob aka @erratarob) bemoaned the general’s 4th Amendment rights being contravened and thusly, expanding to everyone’s in general as being egregious. My answer to Rob yesterday still stands today for me. As DCI of the CIA the general had no right to privacy in this vein. Why? Because as the leader of the CIA he was the biggest HVT that there ever was for some kind of blackmail scheme so common to the world of spooks. Though the general tried to be cautious, his lover began the downfall with her threatening emails to someone else. Now, usually this type of case would not even be one at all for the FBI were it not for the sordid affair of the SA who Kelley knew and went to to “look into” this matter for her as a favor. This was inappropriate in and of itself and a case never should have been logged never mind any investigation carried out by the SA to start with.

That the FBI agent began looking into the emails and actually tasked the FBI’s lab boys to look into it, well, then it became a case. OPR is looking into it all now and sure, something may come of that investigation (i.e. the SA will be drummed out maybe) it all changed timbre once Petraeus’ name became part of the picture. As DCI P4 held the top most clearance possible as well as the data attendant to that designation. As such, any kind of activity like this would immediately call for an investigation into what was going on as well as what kind of damage may have occurred through compromise of his accounts or his credibility. So, anyone who asks why this is such a big deal and why the FBI did what they did, you need to just look at that one salient fact. The problem isn’t that they investigated, the problem instead is that P4 was doing this in the first place and may have actually given Broadwell more access than he should have to information he had within his possession.

This of course still has to be investigated and reported on and that’s why it all came to pass.

The Expanded Powers of The US Government (LEA’s) To Search Your Emails and the Fourth Amendment

Meanwhile, the civil libertarians are all over this from the perspective that “We the people” have little to no privacy online as the government and LEA’s can just subpoena our email in/outboxes without any oversight. This has been a problem for some time now (post 9/11 really PATRIOT Act) so it should not be new to anyone who’s been paying attention. It is true though, that those powers have been expanded upon since the Patriot Act was passed but overall, the technologies have outstripped the privacy possibilities for the most part in my book. For every countermeasure there’s always another that can be used against it to defeat your means of protection. Add to this that the general populace seems to be asleep at the digital wheel as well and the government has a free hand to do whatever they like and get away with it.

Frankly, if you are ignorant of the technology as well as the laws being passed surrounding it then it is your fault if you get caught by an over-reaching LEA. It’s really that simple. If the general populace is not out there lobbying against these Orwellian maneuvers by law enforcement as well as using any and all technology to communicate securely then it’s their God damned fault really when they get pinched or spied on. It’s all of your jobs out there to know the laws, know what’s going on, and most of all, to know how to protect your communications from easy reading by LEA’s and others. I firmly believe that the laws on the books and the slip-space between where LEA’s and governments are abusing them is egregious but I as one person can do nothing to stop it from happening at a legal level. At a technical level though, that is a completely different story.

Your “Papers and Effects” Digitally… 

Now we come to a real sticky bit in this whole debacle. The Founding Fathers listed “Papers and Effects” while today the law and the government seem to think that electronically, neither of these terms apply to your online communications. Last year I sat through a tutorial by the EFF on this very thing and was not completely shocked by what they were saying as much as wondering just how people let this slide. According to the EFF the LEA’s see no relevance to the words papers and effects when it comes to an email inbox or a Dropbox. What this means is that they can just sneak and peek in some cases without a warrant or a subpoena. If you have email or files being hosted anywhere online, not on a system within the confines of your home, then it’s really fair game to them. I also assume the same can be said for any files/emails on any intermediary servers that they may pass through and are cached as well. So really, once you log in and create the email outside of your machine at home (i.e. being logged onto Gmail for example) it’s already not a paper or effect within the confines of your domicile.

Once again, the law is outdated and should be amended to cover discreetly the nature of email, its ownership and the protections that you “think” you have already as it is a paper of yours and thus covered by the Fourth Amendment. Will this happen though? I am not overly optimistic that it will even make the table with or without the likes of the EFF trying to push the issue frankly. The government has it the way they want it as well as their machinations via Patriot Act allow for so much latitude just to make their lives easier to snoop against anyone for fear of terrorism. Face it folks, we are pretty much Borked here when it comes to our online privacy, and not only from the LEA/Gov perspective either. Just take a look at all of the corporate initiatives out there in EULA’s and lobbying such as RIAA or MPAA. Any way you look at it, your data, once out of your local network, is no longer legally yours.

The Only Privacy Today That YOU Have Is That Which YOU Make For Yourselves With Crypto

This brings me to what you can do about all of this today. The only way to really have that privacy you desire is to make it yourself and to ensure that it can withstand attacks. By using strong cryptography you can in fact protect your fourth amendment rights online. You have to ensure that the crypto is strong, tested, and not back door’d but there are more than a few products out there on the market that will do the job such as PGP/GPG. In fact, Phil Zimmermann got into trouble with the US Government in the first place because PGP, to them, was considered to be a munition! So really, what is stopping you all from using it en masse? Well, I am sure there’s a healthy dose of lazy in that mix but I would have to say for many it’s the lack of comprehension on how it works and how to manage it that stops the general populace. Of course I have to say that PGP on a Windows box is really really easy to use so, once again we are back to lazy.

Anyway, unless you assiduously apply crypto to your communications, whether it be a PGP encrypted email or a chat session using OTR (Off The Record Messaging) consider yourself open to LEA abuse. The other side of that coin unfortunately is that if you are encrypting all your communications, the LEA’s may get to wondering just what you are up to and force the issue. I guess it’s much better to have them wondering and FORCE them to get a warrant to search your home than to just roll over and allow them to see all your dirty laundry (looking at you P4) because it’s open for the taking on a Gmail server somewhere. I mean, yeesh people, you worry about your second amendment rights all the time, moaning and whining about your need to carry a gun but you don’t do shit about encrypting your traffic?


TRADECRAFT and OPSEC Are Important As Well

Another component that the general tried to use and failed so miserably at (which scares the living shit outta me as he was DCI after all) was the old “dead drop” method. The modern twist on this is the use of a Gmail account where you just log into it shared and leave draft emails for the other party. This has been something the AQ guys have been using for a long time and once again, it is futile to stop the LEA’s from seeing it all unless you encrypt it! This was the main failure in the case of P4 and his squeeze. No crypto allowed all the lascivious emails to be read in situ and that was just stupid. They thought they were being so smart using a tactic that we have been monitoring AQ on for how long?


The second massive failure on the part of both P4 and Broadwell (other than P4’s bad judgement of crazy women) was that neither of them were anonymizing their logons to the email properly and consistently. It seems perhaps this may have been more Broadwell than P4 but meh. In the end it was the downfall as the FBI tracked the IP addresses from the Google logons across the country to hotels where she was staying. All they needed to do in the end was match names for each hotel and BING they had her. At the end of the day, OPSEC is king here and both military veterans failed miserably at understanding this which is really frightening frankly. If you want to play the game know the OPSEC and TRADECRAFT and APPLY them properly. The same goes for you all out there who are crying about your privacy. You too will succumb in the same way if you do not pay attention.

Welcome To The Digital Panopticon

Finally, a parting thought. I have said this before and I am saying it again here. “Welcome to the digital Panopticon.” No longer are you in a place where there are corners to hide easily. With the governments of the world trying to gain control over the way we communicate electronically we will see increasing measures of privacy stripped in the name of anti-terrorism as well as transparency. Have no doubts that the governments that apply this logic will of course have back doors for their own secrecy but surely not yours. It will remain your problem and your duty to protect yourselves if you are using the infrastructure to communicate to anyone. Know this, say it as a mantra. If you do nothing about it, then you have nothing to complain about.

So I exhort you, learn and use encryption properly. Go to a cryptoparty near you and learn from the cipherpunks! Deny the governments of the world the ability to easily just look in on your lives whenever they feel the need without due process. Until such time as the laws are amended and some fairness put into it, you are just cattle for them to herd and cull.

There’s no excuse…


Written by Krypt3ia

2012/11/14 at 18:27