(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Crypto’ Category

2018 Krypt3ia Kryptos Crypto Challenge!

leave a comment »


Ok kids, here it is. You may start now.

Why now?

Well, because it’s hard and no one has time during DEFCON.

Solve the puzzle and you’ll know what to do.

Good luck.


Written by Krypt3ia

2018/06/27 at 13:24

2017 Krypt3ia Kryptos Crypto Challenge!

leave a comment »


Solve the cipher.

Follow the instructions.

Collect your prize.

You have until 7.30.17 to complete.








No one managed to crack the cipher it seems so here is the solution for it and how it was made. As you can see the image that I used as a logo for this contest was not the cipher itself. However, it did hold a clue, in fact one of the two keys to the initial cipher was embedded within the image.

The image itself is a rendering of the last part of the KRYPTOS art piece at CIA HQ. In the text in white within the image above had you Googled, you would have come up with “BERLIN” This was key one to the initial cipher. The rest is below.


Four Square Cipher

Cipher Text Decrypt:

Condor is an amateur Hes lost unpredictable perhaps even sentimental He could fool a professional Not deliberately but precisely because he is lost doesnt know what to do Unlike Wicks who has always been entirely predictable

go to <REDACTED DARKNET ADDRESS> slash condor dot html locate hidden instructions and follow them


Homophonic Cipher

MUL: 47

ROT 62


59 10 56 10 90 55 89 80 02 92 74 65 45 16 28 44 31 24 62 17 61 80 17 65 63 33 95 34 79 89 64 16 57 55 31 78 51 77 74 74 07 78 56 16 61 05 24 51 23 90 02 81 64 23 44 24 98 55 45 20 53 88 27 97 10 39 29 90 02 11 74 10 84 35 01 03 20 90 61 51 48 16 18 70 63 83 44 91 33 69 36 33 37 16 28 50 14 90 09 17 86 20 57 09 41 02 16 28 03 26 41 97 09 77 98 09 63 37 63 28 65 35 92 99 33 71 84 13 82 57 44 63 18 57 08 37 17 08 06 83



Written by Krypt3ia

2017/07/21 at 00:00

Darknet Numbers Pages Proof of Concept

leave a comment »



Numbers Station:

So with all the kerfuffle over crypto I decided to give everyone a big fuck you and do something low-tek just to mess with the narrative. Right, so you all know what numbers stations are right? Well, I decided that it was time that the internet have one all it’s own but not on the clearnet no sir-ee! I wanted a darknet spooky spooky impenetrable super scary numbers station! So I began to hatch a dastardly nation state level of fuckery that surely will have the gubment all  up in arms over my crypto darknet wizardry! I set up a site and I communicated with some people secretly and securely and no one was the wiser. Not one federal agency that I know of saw the site, no scripted scouring of the darknet cached my page that I am aware of (and I asked) and generally, I just pulled off the new age of tradecraft that the KGB should be jealous of!

Here’s how I did it.

Proof of Concept

The Plan

As I was thinking about a means of communication using the darknet to avoid prying eyes and to do so securely I came to the conclusion that I sure could use PGP and some email service out there but gee, lately those have been pwn3d too so fuck that. Instead I wanted to be more old skewl and opted for two way comms through OTP and a static page that could live on the darknet at periods of the day and night of my choosing with those I want to communicate with in the know as to timetables with, well, a timetable. Commonly on the air Numbers stations beacon at specific times of the day and week so this is kind of the same thing. So I set to making a highly portable TOR capable platform that I could take with me and connect to WIFI at hotels, bars, cafe’s, rando people’s houses etc. I could effectively have a transient site that would be hard to track and harder to narrow down where it lives because it is not in some rack somewhere stationary and waiting to be deanonymized and pwn3d.


I opted for a netbook that I had laying around after doing the math on a Raspberry Pi. It was far cheaper to use an old old netbook I had than go spend money on a pi and it was just as portable. Once I got the laptop up and running on backbox, I then installed the TOR system and configured it for having it’s own hidden site. I then installed lighthttpd and created a very small stripped down page of text and color which I then hid the encoded text in the black space. No need to be all fancy here and it was a flourish anyway. It doesn’t have to be pretty to work and yet this lightweight site and the server it was on allowed me to communicate well enough while the whole thing was secure from being hacked. I had testing run on it and the tester was unable to own the box nor the site.

Once the testing was over I let the site run. It was up and down per specific times and communication was made using a second site on the darknet where people could post to a pasteit where we could have coded signals (basically; understood and complying) so that the communications stream would be innocuous enough using code words. You could use images on chan’s or the old trope of putting up an ad for something and even having more code in the text of that if you wanna get fancy and all.

The Tools

  • Net top laptop
  • Backbox linux distro
  • TOR
  • Lighthttpd
  • One Time Pads (plenty of places on the net to create them)
  • Timetable for uptime and downtime for comms
  • Assets to communicate with

The Tradecraft

Using this method of secret communication one could plan out all kinds of badness if they wanted to. Having a stealth site that is transient too also allows for more security but as always the people are the weak point. If an asset is caught then the means of communication is blown. Just like the analog counterparts (AM/SW Numbers Stations) this type of communication could go on untouched and unbroken for a long time because of the frequency changes, the IP address changes, and mobility of the asset. Just imagine if the analog version of Numbers Stations were actually not just in some building but in a backpack eh?

The hardest part of all of this is that you have to train your assets to use OTP and to have proper OPSEC. It can be done though, so this is a viable means of secret communication that is low tek enough yet high tek enough for the average person to easily carry out if they are determined to. It would bypass all the email shenanigans as well as texts, calls, chats, that can be intercepted by warrants to companies like Apple and AT&T. After all, how hard is it today to get a distro of linux on a box, install TOR, set up a hidden site, and start using OTP?

Wait… Ok maybe it is a little hard.

Still doable though… I mean it worked for me and my “assets”

Enjoy kids!


Written by Krypt3ia

2016/10/25 at 20:41

Posted in 1984, Crypto, DARKNET


leave a comment »




Play starts August third 2016 and ends August sixth at midnight

The image above is your clue. Solve the puzzle(s) crypto and WIN a cleaned Roman coin from two thousand years ago!

Good luck.

Dr. Krypt3ia

Written by Krypt3ia

2016/08/03 at 00:01

Posted in Crypto

1984… 1993… 2016.

with 2 comments


I remember seeing the Apple commercial back in the day when it came out that depicted 1984 as the catchy advertising plot point for the Mac computer at the time. If only Woz and Jobs has known just how prophetic those images would be today. I remember too back in 1993 when the idea was floated and a governmental movement began to have a back door (aka a clipper chip) inserted into systems to allow access by the government *cough NSA cough* to be able to see the “evil doers” and stop them. I also remember the sane stopped that from happening. Well, that was then and this is now, well past 9/11 and nigh on 16 years later, we are faced with not only a government toying with the idea again but a federal body demanding through writ of law that a company break the system they have created for what is being touted as the greater good.

Friends while I agree terrorism is bad (I was there a day after 9/11 and worked with the red cross there) I have to stop short at believing that the GWOT needs for us all to give up ALL semblance of personal privacy to fight the terrorists. In fact, I would like to call bullshit on the FBI’s and Comey’s desires to break the systems of cryptography for an alleged boon to the fight on terror. It has become clear that the director of the FBI is not a tech guy and does not understand crypto very well but that is no excuse to continue to leverage the courts to try to induce a company to break it’s system for one phone let alone the notion that this one instance would not be re-used and re-packaged to do so again whenever they (the FBI) liked. This is precedent time, not just a one off issue with a terrorists phone that may or may not have any data on it concerning other actors who may have radicalised Sayed Farook and his wife.

Clearly we are at a precipice here in our digital democracy that has been building for some time. I have attended more than a few seminars by the ACLU and the Electronic Frontier Foundation on the 4rth Amendment and the digital domain and I have to tell you we are all behind the 8 ball on this one with the way the government lawyers tend to think. I have seen people compelled to give their passwords against the 5th Amendment as well and folks it’s time for you to be rather concerned about this. This is the time to really fund the EFF and to bone up on your own rights where these matters are concerned. It is also time for the cypherpunks out there to double and triple in numbers. I hate to say it but I will put it in the common derpy vernacular that is all the rage now…

We are all at cyber war.

When you are at cyber war with a nation state you will lose.

Now, the US and the FBI are becoming the definition of a Nation State Actor. Though, not on a foreign nation. They are targeting you too.

Over reach by the FBI has been a thing for a long time and if you just Google it you will be able to read quite a lot about it. Now consider all of the machinations of the TAO and all of the legal wrangling their lawyers have done to make what they are doing rationalize as legal. Remember John Yoo? Well you should and if you don’t Google him up. It’s easy for lawyers to fuzz the legalities and the moralities into an ethics-less pile of phrases that only allow them to get away with things. I am going to guarantee you now that if this order goes through and Apple is forced to back door the iPhone at a base level, it will be re-used and it will be abused just like the use of STINGRAYS have been lately and it won’t stop there. Once the precedent has been set in law, the legal bar has been set and then it is just a matter of how long until the rights we all have been granted in the US under the Constitution get even more eroded by slick ideas and arguments by those with an agenda of fear.

Honestly, if you look at the history of the terrorism that has occurred these people are known quantities already and that is without the use of back doors or breaking hacking and negating rights. This is not a crypto issue but more so a law enforcement issue of not being able to keep up with their own databases. Please people, don’t buy into crypto being a clear and present danger to you and yours. Crypto is no existential threat, instead the abuse of the laws we have on the books is. Ordering Apple is just the next worst step on the slippery slope to becoming that which we have seen in the 1984 commercial.

Dr. K.


Written by Krypt3ia

2016/02/18 at 20:39

Posted in Crypto

Shmoocon Crypto Roman Coin Challenge

with 2 comments




Crack this cipher.

Find me at Shmoocon 2015

Give me the decrypt and the meaning of the crypted text.

I will give you a two thousand year old Roman coin.


For those who tried to solve this here are the particulars to the cryptogram

  • The crypted text was a Vigenere Cipher
  • The text was obfuscated
  • This was a tough one to solve because of the nature of the decrypted text. It would have been tough to determine through frequency analysis if there were any patterns because the text is random.


gwaid clurp awtap jpjxt tfdmz zsydg inznw yboxo evibq svmts fjlry yyoyl
adxfs uuefj ajcsa cbjet bxqih rszvc iyoin fkawt oudjh mhdbz fnbac qwfjs
ypklf fiqzb rcifq iqssw tkcuq fkppb qdeql mnslw tcypw tpsaa forcw nkdxw
tvmcj ypbfm urixx gapoz fgpye fiuwl cqzik xlslc lpwsz lxjsq hoevb bdrrz
tdkba sptvp moolr mlkhm eodqn ophfx krrvm jvrjh dltkt mackh fsttn wukrl
spwmj mfbkd rtrux exwya hlikb htcuo yywgk otjup rcsxt ovkzi krzpu ogces
ajahg bqzld fkazh wpkgm maieb kjsau nvlan hydvc pbrid jzvzn whnbw vehuh
uzhov hxvlm oqzhj gvrsy ozcmf wlurj ozric pgmfb jtyxy innej rcjoc xhhag
ceskl yzywd xtqkq ugipd yngqp dbqpq hszmk tzrlk nfpok tuerf sqogk rwepb
ulobf pxmxq iuhru afira nosua khgso jxfwy zwdwp fjcmm gtfjy fxjkp fjbna

What is that? The decrypted text is the phonetic transcription of the E10 Numbers Station

What is a numbers station?

Maybe next year will be the lucky one for you…


Written by Krypt3ia

2014/12/24 at 01:30

Posted in Crypto

The DARKNET: Operation Legitimacy?

leave a comment »


gaiuaim ioi dui pln!


The “Darknets” You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web” and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as a legitimate whistle blower.

Still Mos Eisley but….

I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.

One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.


So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.

Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.

Time will tell though I guess…


L’affaire du Petraeus: Electronic Communications (ELINT) and Your Privacy

with 2 comments


Afsrtbnfmzndopeezygpmcmvgbcnlstmcgthozr rkmrkmjlskkmgecuvgi


Thoughts On The Politics, Media Frenzy, and Schadenfreude

As you all now know, general Petraeus (aka P4) was caught using a dead drop Gmail acct with his lover (Broadwell) because the lover got jealous over another woman who was perhaps flirting with her down low guy. Many out there have made this all into a Greek tragedy though because of the perceived rights to privacy we all are supposed to enjoy as US citizens and bemoan the whole affair because it was all leaked to the press. Personally I think that it was necessary for the general to step down from the DCI post as well as be outed because he was DCI to start however, generally this thing has become the new digital slow speed chase in a white bronco all over again for me.

Sure, the schadenfreude is fun, and there are many gawkers and rubber necks out there watching with glee but in the end there is much more to this debacle than just getting some on the side within the political sphere. The bigger picture issues are multiple and I will cover them below, but to start lets just sit back and watch the calamitous demolition of those who partook and their hubris.

*pours whiskey into glass and watches*

Petraeus and His Fourth Amendment Rights as Director Central Intelligence (DCI)

Some (namely Rob aka @erratarob) bemoaned the general’s 4rth amendment rights being contravened and thusly, expanding to everyone’s in general as being egregious. My answer to Rob yesterday still stands today for me. As DCI of the CIA the general had no right to privacy in this vein. Why? Because as the leader of the CIA he was the biggest HVT that there ever was for some kind of blackmail scheme so common to the world of spooks. Though the general tried to be cautious, his lover began the downfall with her threatening emails to someone else. Now, usually this type of case would not even be one at all for the FBI were it not for the sordid affair of the SA who Kelley knew and went to to “look into” this matter for her as a favor. This was inappropriate in and of itself and a case never should have been logged never mind any investigation carried out by the SA to start with.

That the FBI agent began looking into the emails and actually tasked the FBI’s lab boys to look into it, well, then it became a case. OPR is looking into it all now and sure, something may come of that investigation (i.e. the SA will be drummed out maybe) it all changed timbre once Petraeus’ name became part of the picture. As DCI P4 held the top most clearance possible as well as the data attendant to that designation. As such, any kind of activity like this would immediately call for an investigation into what was going on as well as what kind of damage may have occurred through compromise of his accounts or his credibility. So, anyone who asks why this is such a big deal and why the FBI did what they did, you need to just look at that one salient fact. The problem isn’t that they investigated, the problem instead is that P4 was doing this in the first place and may have actually given Broadwell more access than he should have to information he had within his possession.

This of course still has to be investigated and reported on and that’s why it all came to pass.

The Expanded Powers of The US Government (LEA’s) To Search Your Emails and the Fourth Amendment

Meanwhile, the civil libertarians are all over this from the perspective that “We the people” have little to no privacy online as the government and LEA’s can just subpoena our email in/outboxes without any oversight. This has been a problem for some time now (post 9/11 really PATRIOT Act) so it should not be new to anyone who’s been paying attention. It is true though, that those powers have been expanded upon since the Patriot Act was passed but overall, the technologies have outstripped the privacy possibilities for the most part in my book. For every countermeasure there’s always another that can be used against it to defeat your means of protection. Add to this that the general populace seems to be asleep at the digital wheel as well and the government has a free hand to do whatever they like and get away with it.

Frankly, if you are ignorant of the technology as well as the laws being passed surrounding it then it is your fault if you get caught by an over-reaching LEA. It’s really that simple. If the general populace is not out there lobbying against these Orwellian maneuvers by law enforcement as well as using any and all technology to communicate securely then it’s their God damned fault really when they get pinched or spied on. It’s all of your jobs out there to know the laws, know what’s going on, and most of all, to know how to protect your communications from easy reading by LEA’s and others. I firmly believe that the laws on the books and the slip-space between where LEA’s and governments are abusing them is egregious but I as one person can do nothing to stop it from happening at a legal level. At a technical level though, that is a completely different story.

Your “Papers and Effects” Digitally… 

Now we come to a real sticky bit in this whole debacle. The Founding Fathers listed “Papers and Effects” while today the law and the government seem to think that electronically, neither of these terms apply to your online communications. Last year I sat through a tutorial by the EFF on this very thing and was not completely shocked by what they were saying as much as wondering just how people let this slide. According to the EFF the LEA’s see no relevance to the words papers and effects when it comes to an email inbox or a Dropbox. What this means is that they can just sneak and peek in some cases without a warrant or a subpoena. If you have email or files being hosted anywhere online, not on a system within the confines of your home, then it’s really fair game to them. I also assume the same can be said for any files/emails on any intermediary servers that they may pass through and are cached as well. So really, once you log in and create the email outside of your machine at home (i.e. being logged onto Gmail for example) it’s already not a paper or effect within the confines of your domicile.

Once again, the law is outdated and should be amended to cover discreetly the nature of email, its ownership and the protections that you “think” you have already as it is a paper of yours and thus covered by the Fourth Amendment. Will this happen though? I am not overly optimistic that it will even make the table with or without the likes of the EFF trying to push the issue frankly. The government has it the way they want it as well as their machinations via Patriot Act allow for so much latitude just to make their lives easier to snoop against anyone for fear of terrorism. Face it folks, we are pretty much Borked here when it comes to our online privacy, and not only from the LEA/Gov perspective either. Just take a look at all of the corporate initiatives out there in EULA’s and lobbying such as RIAA or MPAA. Any way you look at it, your data, once out of your local network, is no longer legally yours.

The Only Privacy Today That YOU Have Is That Which YOU Make For Yourselves With Crypto

This brings me to what you can do about all of this today. The only way to really have that privacy you desire is to make it yourself and to insure that it can withstand attacks. By using strong cryptography you can in fact protect your fourth amendment rights online. You have to insure that the crypto is strong, tested, and not back door’d but there are more than a few products out there on the market that will do the job such as PGP/GPG. In fact, Phil Zimmerman got into trouble with the US Government in the first place because PGP, to them, was considered to be a munition! So really, what is stopping you all from using it en mass? Well, i am sure there’s a healthy dose of lazy in that mix but I would have to say for many its the lack of comprehension on how it works and how to manage it that stops the general populace. Of course I have to say that PGP on a Windows box is really really easy to use so, once again we are back to lazy.

Anyway, unless you assiduously apply crypto to your communications, whether it be a PGP encrypted email or a chat session using OTR (Off The Record Messaging) consider yourself open to LEA abuse. The other side of that coin unfortunately is that if you are encrypting all your communications, the LEA’s may get to wondering just what you are up to and force the issue. I guess it’s much better to have them wondering and FORCE them to get a warrant to search your home then to just roll over and allow them to see all your dirty laundry (looking at you P4) because it’s open for the taking on a Gmail server somewhere. I mean, yeesh people, you worry about your second amendment rights all the time, moaning and whining about your need to carry a gun but you don’t do shit about encrypting your traffic?


TRADECRAFT and OPSEC Are Important As Well

Another component that the general tried to use and failed so miserably at (which scares the living shit outta me as he was DCI after all) was the old “dead drop” method. The modern twist on this is the use of a Gmail account where you just log into it shared and leave draft emails for the other party. This has been something the AQ guys have been using for a long time and once again, it is futile to stop the LEA’s from seeing it all unless you encrypt it! This was the main failure in the case of P4 and his squeeze. No crypto allowed all the lascivious emails to be read in situ and that was just stupid. They through they were being so smart using a tactic that we have been monitoring AQ on for how long?


The second massive failure on the part of both P4 and Broadwell (other than P4’s bad judgement of crazy women) was that neither of them were anonymizing their logon’s to the email properly and consistently. It seems perhaps this may have been more Broadwell than P4 but meh. In the end it was the downfall as the FBI tracked the IP addresses from the Google logons across the country to hotels where she was staying. All they needed to do in the end was match names for each hotel and BING they had her. At the end of the day, OPSEC is king here and both military veterans failed miserably at understanding this which is really frightening frankly. If you want to play the game know the OPSEC and TRADECRAFT and APPLY them properly. The same goes for you all out there who are crying about your privacy. You too will succumb in the same way if you do not pay attention.

Welcome To The Digital Panopticon

Finally, a parting thought. I have said this before and I am saying it again here. “Welcome to the digital Panopticon”  No longer are you in a place where there are corners to hide easily. With the governments of the world trying to gain control over the way we communicate electronically we will see increasing measures of privacy stripped in the name of anti-terrorism as well as transparency. Have no doubts that the governments that apply this logic will of course have back doors for their own secrecy but surely not yours. It will remain your problem and your duty to protect yourselves if you are using the infrastructure to communicate to anyone. Know this, say it as a mantra. If you do nothing about it, then you have nothing to complain about.

So I exhort you, learn and use encryption properly. Go to a cryptoparty near you and learn from the cipherpunks! Deny the governments of the world the ability to easily just look in on your lives whenever they feel the need without due process. Until such time as the laws are amended and some fairness put into it, you are just cattle for them to herd and cull.

There’s no excuse…


Written by Krypt3ia

2012/11/14 at 18:27

Chimps With Guns and The Bloggers Who Give Them Ammo: The Mysteries of Crypto and Privacy Elude Many

leave a comment »

Out of the Mouth of the Ill Informed and Lacking Perspective….

Once again Quinn Norton takes on a subject not so much as a reporter, but as a pom pom cheerleader of notions that she has little claim to comprehending only to espouse them on as fact. Of course when questioned on the validity of her ideals being spewed onto the internet and the reporting thereof she has done, she once again looks hurt and demands a retraction of sorts to the author. Well, now it’s my turn to put my two cents in and jerk another jewel like tear from her eye. The story this time concerns “Cryptocat“, an ostensibly download free service for chatting online with people in an encrypted session.

Now, this would be all grand and wonderful if the chat program/session/technology were in fact bullet proof, however, as Quinn fails to understand, there are problems with the implementation that have been brought up by others and there are valid arguments that the system is indeed subvert-able with the right attacks against it. Of course another failure on the part of Quinn is to also understand that the end point (i.e. the end users machine) may also be pre-pwn’ed and thus, your idea of having a “sekret chat” are, well, null and void.. But, I digress here. Quinn just doesn’t have the technical background nor it seems the ability to think a bit laterally while making dangerous statements about “overthrowing governments” with such tools as Cryptocat.

“This Cute Chat Site Could Save Your Life and Help Overthrow Your Government”

Really? You want to make this statement and get people to actually use a system that is as yet untested against attacks for overthrow of governments or saving lives? Wow, you really have no idea what you are talking about. The hubris alone of the quote/title is enough to send me into apoplectic fits of Tourretts Syndrome. Then, today I see you in a tweetup about how you want the author of the paranoia article to apologize or something along those lines for calling you out in his piece? I really look forward to your reply to this then because I am going to tear this ideal down just like your slanted reporting on Anonymous and OWS. It seems you have a paradigm issue with reality and you need to sit back a bit and listen to the community at large who may know a bit more than you do.

It might save some lives in the end….

Crypto: A Munition Not Long Ago…

Crypto has been around since the dawn of time. As such over time it has been used in many ways and in many implementations. Many of these uses though have been around the idea of war or espionage. Up until rather recently even, the type of cryptographic schemes we are talking about in Cryptocat were in fact considered “munitions” depending on their strength here in the US and in other places. At the time of this writing though, it is no longer considered a munition per se, however, it is illegal to port out some high end types of crypto to nation states on the naughty list. This does not mean though that they don’t get their hands on the tech, but, there is an attempt by governments anywhere to keep the crypto genie in the bottle to protect their own data.

In the case of Cryptocat though, this is not a munition strength solution and due to its flaws, should not ever be considered a viable means to real privacy or security. In fact, if you really want to keep something secret the only good way is to have a one time pad, but, even that can be subverted if the pad is stolen or replicated (as the Russians found out during the cold war) So, suggesting that Cryptocat be used in any kind of serious situation other than maybe wanting a little privacy (i.e. nothing illegal or perceived thereof as being so by anyone) is just plain stupid as well as dangerous.

Crypto and it’s use by the masses is a convenience to secure their data from being stolen. Military strength crypto is a different matter, and neither systems usually come in an easily accessible and no install required fashion. We have seen lately all of the attacks on the online forms of crypto including CHAPP this last week at Defcon20. These systems will always be under attack and at some point they may all be subverted. Hell, look at Quantum Crypto being broken! NOTHING IS A SURE THING and we all need to understand the perils of what we do with such systems. So, once again I say that it takes a bit more forethought than just logging onto a site or even downloading a plug in for a browser and believing the stories about it’s safety by pundits on Wired.

Frankly, you’d be better served by just using TOR and going to the DARKNET and chatting on an IRC or chatroom.. It’d be safer.. Until you give up too much info about yourself….

Once Upon A Time, Spies Used Crypto and Tradecraft…

All of this though, all of the technology always has had a means of being carried to the intended recipient. In the spy business this was carried out by “Tradecraft” Tradecraft means the tricks to hide things as well as of techniques to meet in secret to pass information. In the case of today’s internet world, the idea of having a server or site that offers a “secret meeting space” is a bad one because you are advertising it, thus making it a target and you as well by proxy of using it. Instead I would put it to you that if you really care about privacy and you have something to convey to someone else secretly, you do so in a way that no one will know it ever happened in the first place.

Dead drops, chalk markers on fence posts, or even the ubiquitous X in tape on a window with a light shining on it (X-Files) is better than advertising you are going to a place like cryptocat to have a conversation with anyone. In fact, you have to tell the other person about the meeting to start with and provide intel to anyone looking to snoop on you anyway, and this is done by those unaware of tradecraft, in the open. Even the “Illegals” who were caught here in the US a couple years back, were using tradecraft as well as crypto programs on laptops etc to pass data and have conversations. In the end these were foiled as well (bad implementations of crypted chat and bad habits with passwords) which only helped bring the Russian program down. These people were meeting at underpasses as well as having drive by’s with vans hosting an adhoc network via wifi.

So, when I look at this drivel on Wired about being safe and secure, lacking any real understanding of how security works never mind cryptographic systems, I kinda get a little peeved. You wanna play in the grown up world? You need to learn how to play.

Geopolitics of The Internets and Civil War…

Today we are seeing great changes attempting to happen in the Middle East as well as all over the globe. We are also seeing the governments of the world attempt to keep their control over things by using technology as well. For every piece of technology someone like Moxie comes up with, someone else is going to come out with another piece that will subvert it. This is the nature of things today and unfortunately, there are some governments out there who lack any kind of empathy for their citizens. In many cases, as we have seen in the Arab Spring and all of the things post it’s blooming, people have been killed or disappeared for speaking their minds. Syria is the latest in this and we are seeing it live today. While the government tried to keep the people down and the nets dark, others tried to keep them open.

It’s war.

Anonymous and the movements against overzealous prosecution as well as those advocating civil and privacy rights are being watched and infiltrated as we speak. Technology is a means to an end, unfortunately that technology can be subverted and used against those using it to protect themselves. One must know the technology and the problems with it before using it cognizantly. This unfortunately is not the case in what is being advocated and advertised by Quinn Norton on Wired with regard to Cryptocat. This I say specifically where she makes declamations about overthrowing governments with things like untested crypto schemes.

Doing so does a disservice to anyone looking to make a change.

Know Your Technology and Your Methods Before You Plan A Revolution…

In the end, I just wanted to point all of this out. The people who are in the know (cipherpunks) should be listened to. In the case of Quinn, she seems to have a distorted view that they are elitist and bad. Maybe they are elitist, maybe they are eggheads who can’t park a bicycle right, either way, they should be listened to and their counsel taken into account. Without comprehension of the technology you will fail in the end. As Quinn liked to point out in her piece on wired, it was a “no install” program and seems to have a bent on getting the “common man” to use it, the only way it really being so is if the masses need not comprehend how to install something on a computer. This too is a real disservice to everyone and a dangerous precedent.

I mean.. To drive a car you have to have a license.. So you want to load crypto and plan a revolution with unlicensed drivers?


If you are going to use Cryptocat just be aware of the limitations. If you want to just have a private chat with a friend go right ahead.. If you think you are the next Sabu or Che Guevara.. I’d think twice.


Written by Krypt3ia

2012/08/02 at 16:43

Posted in .gov, .mil, 1984, Crypto

Paddy O’Neil can sleep at night. In fact he probably enjoys the irony. She’s not Irish; she’s English.

leave a comment »

Written by Krypt3ia

2012/03/20 at 15:41

Posted in Crypto, Games