Crypto-Autonomist

Police raid blogger, seize his hardware, data. Are you prepared?

Autonomist0 — Fri, 03 Apr 2009 22:51:00 GMT

Phoenix police raided the home of a blogger who has been highly critical of the department.

Jeff Pataky, who runs Bad Phoenix Cops, said the officers confiscated three computers, routers, modems, hard drives, memory cards and everything necessary to continue blogging.

They broke into my safe and took the backups of my backups,” he said in a phone interview with Photography is Not a Crime on Wednesday.

“I can’t even file my taxes because all my business plans are gone. They took everything.”

I'm posting this not to point out the U.S. government's violation of its Constitution (what else is new?), but two make two points:

If someone took all your hardware, your backups, and the "backups of your backups," how much trouble would you be in? Is your critical data encrypted and stored offsite? Is disaster one flood, fire, or police raid away?
Using some simple anonymity tools could prevent the raids in the first place. If you think you're immune because you're not criticizing the government, read this.

Any interest in crypto services on Mises.org?

HeroicLife — Fri, 09 Jan 2009 04:40:00 GMT

I would like to take advantage of the open platform and volunteer interest in Mises.org by offering some crypto services. For example, we could integrate secure messaging into the forum, offer a secure email service, host a Tor node, or some open-source projects. Recipes/source codes for everything we do will be provided on the site as well. What do you think?

Here is a basic sample service to get the conversation started: this secure messaging page allows you to send anonymous, encrypted messages that any recipient with a PGP/OpenPGP public key can read. If you want to try it out, my PGP key is here and can be send to webmaster@mises.org.

Best PGP/GPG software?

Autonomist0 — Sun, 04 Jan 2009 11:59:00 GMT

I have been evaluating different PGP applications trying to pick the best PGP desktop software. I use Gmail on both Windows and OS X, so I want something cross platform and free.

I've tried both the open source Gpg4win package for GnuPG and the commercial PGP Desktop. In my experience, the open-source applications I tried were too buggy, incomplete, and unfriendly to be worth it, especially to the non-technical user. By contrast, if you are willing to pay $99, PGP Desktop is much easier. For occasional use, the freeware mode (tutorial) of PGP Desktop works just fine. I did find a GnuPGP tutorial for OS X, but my experience with the Windows front-ends has discouraged me from trying it.

I also tried FireGPG, a Firefox extension that integrates with Gmail. FireGPG still requires GnuPG (and must be reinstalled if you don't install that first!) but it seems to be the simplest cross-platform PGP + Gmail solution. FireGPG works well enough, although the whole process may still be too difficult for the average user, and the buginess of the GnuPG suite let me to stick with PGP Desktop.

Until something radically easier comes along, I'm going to continue recommending the free or paid version of PGP Desktop for the average user.

Real privacy requires encryption

Autonomist0 — Fri, 08 Feb 2008 17:13:00 GMT

Are you using encryption software for all your data and communications yet? If not, are you aware that the government may inspect and/or seize any digital device (phones, media players, laptops) without a search warrant or cause when you travel internationally, and search any digital device during routine traffic stops?

The Association of Corporate Travel Executives, which represents 2,500 business executives in the United States and abroad, said it has tracked complaints from several members, including Udy, whose laptops have been seized and their contents copied before usually being returned days later, said Susan Gurley, executive director of ACTE.

I was assured that my laptop would be given back to me in 10 or 15 days," said Udy, who continues to fly into and out of the United States. She said the federal agent copied her log-on and password, and asked her to show him a recent document and how she gains access to Microsoft Word. She was asked to pull up her e-mail but could not because of lack of Internet access. With ACTE's help, she pressed for relief. More than a year later, Udy has received neither her laptop nor an explanation.

Think that virtual worlds like Second Life are a refuge? Think again:

U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage.
...
"Virtual environments provide many opportunities to exchange messages in the clear without drawing unnecessary attention," the IARPA paper said. "Additionally, there are many private channels that can be employed to exchange secret messages."
...
Officials from Linden Lab have initiated meetings with people in the intelligence community about virtual worlds. They try to stress that systems to monitor avatar activity and identify risky behavior are built into the technology, according to Ken Dreifach, Linden's deputy general counsel.

The government's message is clear: no thought or conversation in the digital realm is allowed to be private. Unless you believe that a private existance "lets the terrorists win," you'd better be using encryption software. (See the Links section to get started.)

TrueCrypt 5.0 is out!

Autonomist0 — Wed, 06 Feb 2008 07:46:00 GMT

TrueCrypt is an essential drive encryption application for Windows, Mac OS X, Linux users who want to encrypt real or virtual drive partitions. It's free, easy to use, and it even runs on Windows Vista 32/64 bit. The 5.0 release allows you to encrypt the boot drive partition in Windows, so if your server or laptop falls into the wrong hands, no data whatsoever can be gleamed from it.

An interesting feature of TrueCrypt is the “plausible deniability” option, which allows you to encrypt any number of hidden partitions in the empty space of an outer partition, so even if you are forced to reveal the outer partition, you can plausible deny the existence of inner partitions. Get it now!

How many of the 79 million personal records compromised in 2007 could have been avoided simply by installing this program?

The government's paranoia machine at work

Autonomist0 — Wed, 06 Feb 2008 03:00:00 GMT

After 9/11, the U.S. government didn't have much trouble blasting away any expectation of privacy when conducting financial transactions or traveling across the country. It's a little harder to justify destroying fundamental freedoms when it comes to spying on people's email and instant messaging conversations. What is the state to do? If recent actions by the NSA and CIA are any indication, it is to invent ridiculous threats about the danger that "hackers" pose to us all.

First, Michael McConnell, Director of National Intelligence of the United States claimed that "the U.S. government should have unfettered and warrantless access to U.S. citizens' Google search histories, private e-mails and file transfers" in the January 21^st edition of the New Yorker.

One of his claims is that cyber crime costs $100 billion per year. This number was made up by Valerie McNevin, who happened to have once served as an advisor to the U.S. Treasury department. Wired reports that "within two hops, CNN was reporting the $105 billion as an official Treasury Department estimate of global cyber crime profits." Before long, the number was used by Information Week, Slashdot, Reuters, reputable security firms such as McAfee - and the Director of the NSA.

The second preposterous claim is that "a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11." It takes a computer security specialist to appreciate the sheer ignorance of that claim. The head of the NSA is surely familiar with highly secure computing environments. Just like the government, banks employ data centers that are both physically and cryptographically isolated - you have to physically break into the bank's data center before you can even think about causing havoc in a large scale. The website you use to access your bank account is far removed from the servers that actually hold your account information. It's easy to steal bank account information, and maybe even take away your online account access for a day. But that is hardly a "911" type of event. Without physical access to the data centers, hackers cannot erase traces of their work, so the transactions can be easily reversed. It's hard to withdraw $100 billion of cash from a bank in a day.

Regardless, McConnel believes that a recent federal ruling which decided that "any telephone transmission or e-mail that incidentally flowed into U.S. computer systems was potentially subject to judicial oversight" has reduced the "capacity of the NSA to monitor foreign-based communications ... by seventy per cent." No worries, because the Protect America Act passed this summer, and allows "Gmail's servers and AT&T's switches [to be] de facto arms of the surveillance industrial complex without any court oversight."

This latest attack on American's privacy is just the latest act for McConnell - he was one of the main backers of the Clipper Chip, a plan to force an NSA backdoor into encryption product. More recently, the NSA has attempted to sneak in a backdoor into encryption by creating flawed security standards.

In case you still have any delusions that this attack on American's privacy has anything to do with terrorism, the testimony of Qest CEO Joseph Nacchio makes clear that the NSA was out to spy on Americans at least seven months before September 11, 2001.

Michael Tanji, an ex-spook who spent 20 years in the intelligence community observes that monitoring all traffic is basically an admission that the government has no effective means of detecting or stopping legitimate threats, cyber or otherwise:

It's bad enough that the Director of National Intelligence is trotting out a bogus threat so the government can snoop on all Internet traffic. What's worse is that this kind of mass surveillance is a pretty lame way to catch the honest-to-God bad guys.
Of more interest to observers of intelligence activities is the issue of quality vs. quantity and the slow creep towards doom that these efforts foretell. The fact that we are essentially attempting to gill-net bad guys is a fairly strong indicator that the intelligence community has yet to come up with an effective strategy against information-age threats.

The NSA is not alone in scaremongering Americans. The CIA claims that hackers "turned out the lights in multiple [foreign] cities after breaking into electrical utilities and demanding extortion payments before disrupting the power." Of course, no details on where or when the outages occurred were provided, so it's hard to evaluate this claim. I wonder whether some power utilities around the globe are really dumb enough to connect critical components to the public Internet, or whether the "hackers" simply broke into the facilities and flipped a switch.

The Dept of Homeland Security wants a piece of the horror-fest action too: it "produced a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke." "Simulated" hackers?

Some people might look at the relentless attack by governments on privacy and personal liberty and ascribe it to some kind of enormous, sinister plot. Yet reality is much more ordinary and mundane. Countless nameless bureaucrats are just doing what they always do -- fighting for power and influence using the only currency they have - the public's money and liberty.

Do you have something to hide?

Autonomist0 — Mon, 07 Jan 2008 23:29:00 GMT

We all have information we want to keep private. If you look at the links on the left of this blog, you will notice a growing list of tools which can help. I would like to collect resources and write a number of tutorials on the technical and social steps you need to take to secure your data with minimal technological experience.

So, what would you like to know first? Secure instant messaging? Private email? Keeping the data on your hard drive from private eyes? Anonymous publishing on the web? Steganography? Anonymous web surfing? Anonymous digital currency?

Are you knowledgeable on any of these subjects? Please consider writing a tutorial or contributing links.

NY Times: Don't trust the state to respect your privacy; use encryption

Autonomist0 — Mon, 07 Jan 2008 22:30:00 GMT

Adam Liptak reveals the digital privacy we can expect from the state:

While "one lonely voice" argued that

“Electronic storage devices function as an extension of our own memory...They are capable of storing our thoughts, ranging from the most whimsical to the most profound.”

The consensus seems to be that

"a computer is just a container and deserves no special protection from searches at the border."

The implications are quite ominous, according to the EFF:

“Under the government’s reasoning,” the brief said, “border authorities could systematically collect all of the information contained on every laptop computer, BlackBerry and other electronic device carried across our national borders by every traveler, American or foreign.”

The question of whether you can be punished for refusing to reveal a encryption key is far from being settled, yet several lessons are clear:

One is that the border [and your car/person/digital communications] seems be a privacy-free zone. A second is that encryption programs work.

Court ruling protects encryption keys as a Fifth Amendment right

Autonomist0 — Tue, 18 Dec 2007 01:09:00 GMT

Good news for Americans:

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

If this becomes a precedent, it will be distinctly different from European countries such as the U.K, where a new law provides for up to two years of jail time simply for refusing to reveal a key.

As people's digital storage increasingly becomes an integrated part of their identity, the right to keep certain data private will become increasingly important. The right to keep encryption keys private will increasingly mean the freedom to keep certain thoughts private, whether they are stored in wetware or digital form.

More: Crypto and Self-Incrimination FAQ

Microsoft to include NSA backdoor algorithm in Windows Vista SP1

Autonomist0 — Tue, 18 Dec 2007 00:50:00 GMT

Various tech bloggers are reporting that Microsoft will include the NSA-recommended random algorithm suspected of containing a backdoor vulnerability in the upcoming Windows Vista service pack. According to Microsoft, the "Dual Elliptical Curve (Dual EC) PRNG from SP 800-90 is also available for customers who prefer to use it," so this algorithm is an option, not the default. Why would Microsoft intentionally include an inefficient and unsecure algorithm? Very likely, because it will eventually be required in governments contracts.

It is hard to blame Microsoft for not wanting to lose government contracts, or to alienate customers who depend on them. The real danger is the (inevitable?) attempts by the state to force this algorithm on everyone else, including requirements that make it mandatory for government contracts, and thus attempt to influence the default configuration by virtue of the state's dominant market share.

Did the NSA put a backdoor in a new encryption standard?

Autonomist0 — Fri, 16 Nov 2007 00:04:00 GMT

Because the government is a major consumer of crypto products, government entities create or approve most of the encryption standards used in the industry. One of the key ingredients of crypto technology are random number generators. Getting random numbers from a computer is a very tricky problem, so the U.S. government actually publishes random number algorithms created by computer scientists and government agencies. This year, the government produced a new standard, which may soon be integrated into crypto software worldwide. Three of the four algorithms in the standard are based on industry standards, but one comes from the National Security Agency. The NSA's algorithm is more complex and slower than the others, so many people wondered why the NSA pushed to have it included.

In a recent CRYPTO 2007 conference, some computer scientists discovered that the algorithm has a possible backdoor key, which allows the numbers it generates to be predicted. While we don't know whether the NSA has the key, we can be sure that either it has the key or it released a dangerously broken standard. (Now that the vulnerability is known, vendors are unlikely to use it, so the NSA wouldn't have knowingly released a faulty standard unless it had the key.)

A paranoid person might wonder if having failed to force broken crypto on us at the hardware level, the government has some kind of nefarious plan to sneak one in. Simply requiring that the standard be used by government contractors might be sufficient to get it adopted by the industry due to its market share. People take much more care in selecting and testing encryption algorithms than random number generators.

Reassuring answers on this issue are not likely to be forthcoming, so here are some rules of thumb:

Real security requires evaluating the whole process, not just a good encryption algorithm.
Don't trust a security solution just because it is widely used or government approved.
Don't trust a security solution that is isn't open to peer review.

Crypto-autonomy: a call for freedom and privacy in the digital realm

Autonomist0 — Mon, 12 Nov 2007 20:59:00 GMT

Welcome to crypto-autonomy. The purpose of this blog is to discuss the movement commonly known as "crypto-anarchism," including both theoretical and practical considerations. I would like to make this a collaborative blog, so contributions and comments are welcome. With that out of the way, let's talk crypto:

The information age is a harbinger of a social paradigm shift

Human civilization is currently in the midst of a paradigm shift, a change in the basic assumptions of the way our society works. This change will be at least as important as the invention if the printing press and perhaps much more so. The enabling tool behind the transformation is information technology. More broadly, it is the automation of intelligence into non-biological automatons. The true meaning and possibility of the "information age" is only grasped by a few of the most far-reaching of technologists and futurists. The changes made possible by the electronic age will transform society in fundamental ways, and question the very basic premises of government, commerce, intellectual property, and individual autonomy and identity.

The threat and promise of the information age

Information technology is a tool, and like any tool, it may be used for good or evil. It brings the possibility of universal connectedness, privacy, and surveillance. This is both a promise and a threat: we may finally be free of the threat of an omnipotent State, or we may become victims of total surveillance and control. Once a staple of dystopian novels and films, the threat of ever-present electronic surveillance by the state is no longer just a staple of science fiction - not with the existence of Carnivore, Echelon, and millions of surveillance cameras. Current surveillance programs are very crude analogs of the intelligent content analysis that will be possible with further evolution of technology. Just as banking companies use artificial intelligence to discover fraudulent transactions in your credit card record, digital agents will soon be able to sift through audio and video recordings, purchases, bank records, and electronic communications to determine the meaning of conversations, build complete profiles on individuals, and uncover anomalous or suspicious behavior. Unchecked, such unprecedented control over our lives will turn individuals into cogs in the machinery of the State, and lead to social and economic disaster.

The power of the individual

Despite the risk, there are two substantial advantages enjoyed by individuals over states. First, free and open societies are inherently more prosperous than interventionist ones, and total control is likely to lead to total social collapse in short order. (Though that would not be very comforting knowledge to those in the midst of the collapse.) Second, the same technologies that make ubiquitous surveillance possible also allow ubiquitous secrecy. Individuals finally have the power to keep their communications private and virtually undecipherable by even the most powerful computers. As an increasing share of the values being traded by our civilization takes the form of digital information, the possibility of maintaining a private life will exist even when physical freedoms are restricted. With technologies such as 3D printers and virtual reality, even material values will become information goods. The potential will exist for large-scale organization and trade of information goods beyond the reach of the state. These developments will make it both more difficult and more tempting for states to restrict trade and interaction between individuals. As distant as such a scenario might seem today, present action is necessary to create and distribute the enabling crypto-technologies, so that when the state awakens to its full potential, crypto-technology will be too integrated into the social framework to eradicate.

Substantially legitimate usage is crucial

The key to the success of crypto technology is to make it ubiquitous. If people only use crypto when they have something to hide, the use of encryption and anonymity will automatically be suspicious. However, if everyone uses crypto because it is automatic and transparent, then not only will forbidden behavior be easier to hide, but there will be a public outcry at the (inevitable) attempts to ban crypto and end privacy. This is why it is essential to communicate the threat of the surveillance state and the promise of practical application of crypto. It is also important that programmers make easy-to-use crypto tools and make it the default (or at least an option) for all electronic communications and transaction. These considerations are my motivation for writing this.

Why crypto-autonomy?

I prefer the term "crypto-autonomy" to "crypto-anarchism" because it is more accurate. "Anarchy" refers to the absence of a government, or alternatively to a lack of any authority. Cipherspace does not require any particular political system, and it is not opposed to (naturally arising) rules and authority. Existing communities in cyberspace have organizational structures which are both democratic and dictatorial. They key is the freedom of individuals in cipherspace is, to quote Ludwig von Mises, "that the individual is in a position to choose the way in which he wants to integrate himself into the totality of society."

Further posts to this blog will elaborate on the following concepts and enabling technologies of crypto-autonomy:

Essential concepts of crypto-autonomy

Privacy: privacy is the ability of individuals to control information about them, or created by them.
Anonymity: is the ability to conceal information that connects our actions and statements to our material identities. Complete anonymity is impossible, so anonymity is always relative to the current monitoring technology.
Plausible deniability: the ability to conceal the use of crypto, or to connect crypto to a particular individual. In situations where even the use of cryptographic technology may be dangerous, steganography allows information to be encoded in commonplace media such as images. Also, encrypted messages may be hidden inside an encrypted envelope so that the existence of the information can be plausibly denied even if forced to reveal the outer message.
Trust: despite the lack of material identities, reputation and accountability are essential to any community.
Cipherspace: a domain in cyberspace where ubiquitous encryption ensures the anonymity of all participants. For example, Tor.
Public key infrastructure: an arrangement that allows users to security identify each other and send encrypted messages by means of a trusted authority.
Digital currency: a representation of value that may be tied to a commodity such as gold, or tradeable for a real-world currency.

Crypto-autonomy and Austrian Economics

The crypto-anarchist movement has been strongly influenced by free-market thinkers. That's not surprising - the ciphersphere is in a way, the ultimate market. It is neither the "perfect competition" model of the neo-classical economists, nor a non-material realm, but a place where all institutions evolve organically, and coercive monopolies are very difficult to maintain.