Uncategorized

The CryptAByte software is free and open source. Anyone can install it on their server and use it without charge.
CryptAByte is also available as a supported service. If you are interested in using CryptAByte for your business, the following service is available:
Dedicated CryptAByte site for your business:
  • A custom site will be created just for your business in the Amazon Web Services Cloud.
  • The installation cost is a flat fee of $100.
  • Any additional customization or non-installation-related support is billed at $75/hour.
More details:
  • This service includes installation, but not ongoing support. (Your CryptAByte instance should run indefinitely without any maintenance and the server will auto-install security updates.)
  • You must provide your own Amazon Web Services account. This does not require any technical knowledge – just create a new account with Amazon, provide temporary access to it, and the rest is done for you.
  • You will be billed an ongoing fee by Amazon based on the instance type you prefer. This depends on how much usage you expect. You can increase or decrease the size anytime.
  • Amazon offers hosting locations in the USA, Singapore, Japan, Ireland, Germany, and more. You can choose your preferred country and can also restrict access by IP address.
  • Again, there is no charge for the CryptAByte software itself, only professional support and customization.

If you would like to discuss this or other options, contact us for a quote.

OneTimePad can be used to generate one-time pads, although it does actually handle Vernam encryption. (You can get the code for that here.) It uses a cryptographic Random Number Generator (RNG).

I suggest using OneTimePad to generate keys for another cipher, such as CryptoPad.

CryptoPad is a simple AES256 encryption/decryption app.
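An added example (not OneTimePad's or CryptoPad's own code) of the two operations the paragraphs above name: drawing a pad from the OS cryptographic RNG and applying the Vernam (XOR) cipher with it, plus the 32-byte key generation suggested for an AES-256 tool. The `PadKeyring` class and `reuse_leak` function are hypothetical helpers that show the one property that makes the scheme work: each pad is destroyed after a single use, because a reused pad cancels out and exposes the XOR of the two plaintexts.

```python
import secrets


def make_pad(length: int) -> bytes:
    # secrets.token_bytes() reads the OS CSPRNG (os.urandom); a pad from a
    # non-cryptographic generator such as random.random() would be predictable.
    return secrets.token_bytes(length)


def vernam(pad: bytes, data: bytes) -> bytes:
    # Vernam cipher: XOR every message byte with the matching pad byte.
    # XOR is its own inverse, so the same call both encrypts and decrypts.
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ d for p, d in zip(pad, data))


def aes256_key() -> bytes:
    # Same generator, 32 bytes: a 256-bit key for a block cipher such as
    # the AES-256 tool mentioned above.
    return make_pad(32)


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    # Why a pad must be used once: with one pad K, c1 ^ c2 equals
    # (m1 ^ K) ^ (m2 ^ K) == m1 ^ m2. The pad cancels, so anyone holding
    # both ciphertexts learns the XOR of the two plaintexts without the key.
    return bytes(a ^ b for a, b in zip(ct1, ct2))


class PadKeyring:
    """Hands out CSPRNG pads and destroys each one on first use (hypothetical helper)."""

    def __init__(self) -> None:
        self._pads: dict[int, bytes] = {}
        self._next_id = 0

    def new_pad(self, length: int) -> int:
        pad_id = self._next_id
        self._pads[pad_id] = make_pad(length)
        self._next_id += 1
        return pad_id

    def has(self, pad_id: int) -> bool:
        return pad_id in self._pads

    def take(self, pad_id: int) -> bytes:
        # pop() removes the pad, so a second take() of the same id raises
        # KeyError instead of silently producing a two-time pad.
        return self._pads.pop(pad_id)
```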

Download the apps from GitHub: OneTimePad, CryptoPad

The CryptAByte software does not store the passphrase to any messages and is not able to reveal it, even under court order or coercion.

However, we may be compelled by a court order to secretly add functionality to the website which records passphrases for some or all users.

We have three answers to this possibility:

1) In such a scenario, we promise to immediately shut down the operation of this website until and unless it can be moved to a jurisdiction where we are not forced to spy on users.

2) Furthermore, the latest source code of this website will be available at GitHub, and any changes which may compromise the security of the system will be marked accordingly.

3) While all server-to-browser communications are already encrypted, we are working on moving cryptographic operations to the user’s browser to minimize the possibility of spying or interception.

We encourage you to demand that cloud storage providers implement either our policy or an NSA-sabotage dead-man’s switch.

Phoenix police raided the home of a blogger who has been highly critical of the department.

Jeff Pataky, who runs Bad Phoenix Cops, said the officers confiscated three computers, routers, modems, hard drives, memory cards and everything necessary to continue blogging.

“They broke into my safe and took the backups of my backups,” he said in a phone interview with Photography is Not a Crime on Wednesday.

“I can’t even file my taxes because all my business plans are gone. They took everything.”

I’m posting this not to point out the U.S. government’s violation of its Constitution (what else is new?), but to make two points:

  • If someone took all your hardware, your backups, and the “backups of your backups,” how much trouble would you be in? Is your critical data encrypted and stored offsite? Is disaster one flood, fire, or police raid away?
  • Using some simple anonymity tools could prevent the raids in the first place. If you think you’re immune because you’re not criticizing the government, read this.


I have been evaluating different PGP applications trying to pick the best PGP desktop software. I use Gmail on both Windows and OS X, so I want something cross platform and free.

I’ve tried both the open source Gpg4win package for GnuPG and the commercial PGP Desktop. In my experience, the open-source applications I tried were too buggy, incomplete, and unfriendly to be worth it, especially to the non-technical user. By contrast, if you are willing to pay $99, PGP Desktop is much easier. For occasional use, the freeware mode (tutorial) of PGP Desktop works just fine. I did find a GnuPG tutorial for OS X, but my experience with the Windows front-ends has discouraged me from trying it.

I also tried FireGPG, a Firefox extension that integrates with Gmail. FireGPG still requires GnuPG (and must be reinstalled if you don’t install that first!), but it seems to be the simplest cross-platform PGP + Gmail solution. FireGPG works well enough, although the whole process may still be too difficult for the average user, and the bugginess of the GnuPG suite led me to stick with PGP Desktop.

Until something radically easier comes along, I’m going to continue recommending the free or paid version of PGP Desktop for the average user.

TrueCrypt is an essential drive encryption application for Windows, Mac OS X, and Linux users who want to encrypt real or virtual drive partitions. It’s free, easy to use, and it even runs on Windows Vista 32/64 bit. The 5.0 release allows you to encrypt the boot drive partition in Windows, so if your server or laptop falls into the wrong hands, no data whatsoever can be gleaned from it.

An interesting feature of TrueCrypt is the “plausible deniability” option, which allows you to encrypt any number of hidden partitions in the empty space of an outer partition, so even if you are forced to reveal the outer partition, you can plausibly deny the existence of inner partitions. Get it now!

How many of the 79 million personal records compromised in 2007 could have been avoided simply by installing this program? 

After  9/11, the U.S. government didn’t have much trouble blasting away any expectation of privacy when conducting financial transactions or traveling across the country.    It’s a little harder to justify destroying fundamental freedoms when it comes to spying on people’s email and instant messaging conversations.  What is the state to do?  If recent actions by the NSA and CIA are any indication, it is to invent ridiculous threats about the danger that “hackers” pose to us all.

First, Michael McConnell, Director of National Intelligence of the United States, claimed that “the U.S. government should have unfettered and warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers” in the January 21st edition of the New Yorker.

One of his claims is that cyber crime costs $100 billion per year. This number was made up by Valerie McNevin, who happened to have once served as an advisor to the U.S. Treasury department. Wired reports that “within two hops, CNN was reporting the $105 billion as an official Treasury Department estimate of global cyber crime profits.” Before long, the number was used by Information Week, Slashdot, Reuters, reputable security firms such as McAfee – and the Director of the NSA.

The second preposterous claim is that “a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11.” It takes a computer security specialist to appreciate the sheer ignorance of that claim. The head of the NSA is surely familiar with highly secure computing environments. Just like the government, banks employ data centers that are both physically and cryptographically isolated – you have to physically break into the bank’s data center before you can even think about causing havoc on a large scale. The website you use to access your bank account is far removed from the servers that actually hold your account information.

It’s easy to steal bank account information, and maybe even take away your online account access for a day. But that is hardly a “9/11” type of event. Without physical access to the data centers, hackers cannot erase traces of their work, so the transactions can be easily reversed. It’s hard to withdraw $100 billion of cash from a bank in a day.

Regardless, McConnell believes that a recent federal ruling which decided that “any telephone transmission or e-mail that incidentally flowed into U.S. computer systems was potentially subject to judicial oversight” has reduced the “capacity of the NSA to monitor foreign-based communications … by seventy per cent.” No worries, because the Protect America Act passed this summer, and allows “Gmail’s servers and AT&T’s switches [to be] de facto arms of the surveillance industrial complex without any court oversight.”

This latest attack on Americans’ privacy is just the latest act for McConnell – he was one of the main backers of the Clipper Chip, a plan to force an NSA backdoor into encryption products. More recently, the NSA has attempted to sneak a backdoor into encryption by creating flawed security standards.

In case you still think that this attack on Americans’ privacy has anything to do with terrorism, the testimony of Qwest CEO Joseph Nacchio makes clear that the NSA was out to spy on Americans at least seven months before September 11, 2001.

Michael Tanji, an ex-spook who spent 20 years in the intelligence community, observes that monitoring all traffic is basically an admission that the government has no effective means of detecting or stopping legitimate threats, cyber or otherwise:

It’s bad enough that the Director of National Intelligence is trotting out a bogus threat so the government can snoop on all Internet traffic. What’s worse is that this kind of mass surveillance is a pretty lame way to catch the honest-to-God bad guys.

Of more interest to observers of intelligence activities is the issue of quality vs. quantity and the slow creep towards doom that these efforts foretell. The fact that we are essentially attempting to gill-net bad guys is a fairly strong indicator that the intelligence community has yet to come up with an effective strategy against information-age threats.

The NSA is not alone in scaremongering Americans. The CIA claims that hackers “turned out the lights in multiple [foreign] cities after breaking into electrical utilities and demanding extortion payments before disrupting the power.” Of course, no details on where or when the outages occurred were provided, so it’s hard to evaluate this claim. I wonder whether some power utilities around the globe are really dumb enough to connect critical components to the public Internet, or whether the “hackers” simply broke into the facilities and flipped a switch.

The Dept of Homeland Security wants a piece of the horror-fest action too: it “produced a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke.” “Simulated” hackers?

Some people might look at the relentless attack by governments on privacy and personal liberty and ascribe it to some kind of enormous, sinister plot.  Yet reality is much more ordinary and mundane.  Countless nameless bureaucrats are just doing what they always do — fighting for power and influence using the only currency they have – the public’s money and liberty.

We all have information we want to keep private. If you look at the links on the left of this blog, you will notice a growing list of tools which can help. I would like to collect resources and write a number of tutorials on the technical and social steps you need to take to secure your data with minimal technological experience.

So, what would you like to know first? Secure instant messaging? Private email? Keeping the data on your hard drive from private eyes? Anonymous publishing on the web? Steganography? Anonymous web surfing? Anonymous digital currency?

Are you knowledgeable on any of these subjects? Please consider writing a tutorial or contributing links.