My copy of this finally arrived. Stand by for transcripts and useful concepts sometime in the near future.
The only problem I see with Netwar (which is, really, the only reason Hierarchies have worked this long) is that even a single spy in the group gets ALL the information. Where everyone is, what they're doing, and what colour underwear they all have on. Is there a way to address this?
Two-layered networks. An outer layer who are only informed on a "need to know" basis until they can be trusted, then another level, made up of all the nodes and hubs who are in on it all. It makes the network less flat, to a degree, but not entirely since once they are in on it, it flattens out again. A common reference and code system, adopted among the group can help too, though that's more interception than infiltration.
Al-Qaeda adopted a 4 ring model along similar lines, where only the top two rings really act as networks, then the organization is hierarchical in its dealings with the bottom two rings.
Interesting. I've got some skill in encryption and counter-espionage tactics so I could set up a Vigenère cipher if you want.
It could be useful.
The only problem I see is trying to get people outside this site to use it. It might be best to wait until we have a working network before introducing it.
But I for one would be very interested in anything cryptographical that could help us. I've been playing around with TrueCrypt and only finished The Cryptonomicon the other week...so my interest in that particular area is piqued, you could say.
I should really start transcribing notes on this book too. And find someone who knows how to play go.
LHX plays Go. I think Net also plays Go.
I play a little bit of Go, i've probably played 3 games in my life, on smaller boards. An interesting learning experience. It seems progress in the game comes automatically with Zen-type lessons, which is really cool.
why the interest in Go?
also, about encryption. i have some experience with it, too. the question you need to ask yourself first is "what do i want to achieve [with this encryption]?", in order to avoid the mistake peregrineBF made, "let's just slap https on top of it!".
questions like, who do you want to hide from?
- the cops coming in your house claiming your computer?
- someone sniffing/listening on your internet connection?
- to distribute documents on a need-to-know basis?
for the last option, you don't need encryption at all. just passwords. unless you're dealing with hackers.
another thing is, you can't just say "i wanna be 100% secure", there will at the very least always be this huge black swan looming in the shadows that you just didn't notice until it was too late.
you can however say "i wanna be 99.999999% secure from attacks X, Y and Q".
I just finished up a two year multi-million dollar encryption project here, so I have some experience there as well.
For communication purposes, sharing data 'one way', anonymous options etc... I think an Asymmetric Key solution would be best, like PGP. In this situation, you have two keys, a private key and a public key. The public key can be passed out to anyone. They can encrypt anything with it and it can only be decrypted by someone with the matching private key.
So
Cain posts his public key. I want to communicate with Cain, anonymously. I take his public key, encrypt some text and post it here (using proxies to hide my path). Everyone can see the encrypted text, everyone can have Cain's Public Key, but ONLY Cain can decrypt the message.
If we replace Cain with HIMEOBS or GASM-COMMAND, the same thing applies. Better yet, the private key for HIMEOBS or GASM-COMMAND can be held by multiple TRUSTED people. Anyone can encrypt but ONLY those with the private key can decrypt.
*PGP or GPG if you want the open source version
Quote from: triple zero on February 08, 2008, 07:34:33 PM
LHX plays Go. I think Net also plays Go.
I play a little bit of Go, i've probably played 3 games in my life, on smaller boards. An interesting learning experience. It seems progress in the game comes automatically with Zen-type lessons, which is really cool.
why the interest in Go?
also, about encryption. i have some experience with it, too. the question you need to ask yourself first is "what do i want to achieve [with this encryption]?", in order to avoid the mistake peregrineBF made, "let's just slap https on top of it!".
questions like, who do you want to hide from?
- the cops coming in your house claiming your computer?
- someone sniffing/listening on your internet connection?
- to distribute documents on a need-to-know basis?
for the last option, you don't need encryption at all. just passwords. unless you're dealing with hackers.
another thing is, you can't just say "i wanna be 100% secure", there will at the very least always be this huge black swan looming in the shadows that you just didn't notice until it was too late.
you can however say "i wanna be 99.999999% secure from attacks X, Y and Q".
I would say that passwords aren't secure... even from a casual attack. I think our current password cracking tools take out several hundred network passwords in about two hours. If the password contained letters, numbers and ASCII... then we'd have to attack the lock rather than the password, but we have successfully broken Word and Excel in the past. I agree entirely about your black swan comment though :)
Hey! I didn't know you played Go, 000. We should meet up on Kiseido sometime.
I play Go at about the 5 kyu level, which is mediocre amateur. It roughly corresponds to a blue belt in Tae Kwon Do, if black belt is 1st dan.
I also have a pretty good grasp on the nomenclature if you have questions, Cain.
I need to look into it more, before I can ask any sensible questions.
I also need to finish the damn book and start making notes. I'll do that after enrolling today.
XD My experience with encryption is along different lines than the ones you're discussing..... I'm more skilled in straight text-to-text translation like in the olde days. I can name and use several ciphers, and the one I was talking about - the Vigenère cipher - is nigh uncrackable. It took Ben Franklin to figure out how to break it, and the answer was a painful one: Logic. You have to feel around the code and work at it for weeks and weeks before you can even come close to having enough information to attempt to advance, so if the information is only relevant for a short period of time, by the time anyone's solved the damned thing it's no longer important - and you could've already changed the keyword, so they'd have to start all over again for the next message!
If you needed to encode something you were mailing, or wished to hide things on this site so that only a few people could read them, I'm your man.
says here it's breakable.
http://en.wikipedia.org/wiki/Vigenère_cipher#Cryptanalysis
and from its description, it doesn't seem that hard either, doing it by hand, yeah i believe that, but add a bit of computing power and you're set.
there's another cipher that you can encrypt and decrypt by hand, where the key is a shuffled deck of playing cards:
http://www.schneier.com/solitaire.html
it's mentioned in cryptonomicon (which i still need to read) and it is in fact strong security (because of the vastness of the key size).
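Added example, not part of the original thread: a Python illustration of the computer-assisted attack the linked Cryptanalysis section describes, estimating the key length with the index of coincidence and then solving each column as a Caesar shift by chi-squared fit to English letter frequencies. The sample plaintext, the key LEMON, the 0.055 threshold and all function names are constructed for this illustration.

```python
from collections import Counter
from string import ascii_uppercase as AZ
# Approximate frequency (percent) of A..Z in English text.
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def letters(text):
    return "".join(c for c in text.upper() if c in AZ)

def vigenere(text, key, sign=1):
    """Encrypt (sign=1) or decrypt (sign=-1) letters-only uppercase text."""
    return "".join(AZ[(AZ.index(c) + sign * AZ.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(text))

def ioc(s):
    """Index of coincidence: chance that two letters drawn from s are equal."""
    n = len(s)
    return sum(v * (v - 1) for v in Counter(s).values()) / (n * (n - 1)) if n > 1 else 0.0

def guess_key_length(ct, max_len=12, threshold=0.055):
    """Smallest period whose columns look monoalphabetic (English is ~0.066)."""
    for k in range(1, max_len + 1):
        if sum(ioc(ct[i::k]) for i in range(k)) / k > threshold:
            return k
    return None  # too short or not periodic: no estimate

def best_shift(column):
    """Caesar shift whose decryption fits English best (lowest chi-squared)."""
    n = len(column)
    def chi2(shift):
        seen = Counter((AZ.index(c) - shift) % 26 for c in column)
        return sum((seen[i] - n * f / 100) ** 2 / (n * f / 100)
                   for i, f in enumerate(ENGLISH))
    return min(range(26), key=chi2)

def break_vigenere(ct):
    k = guess_key_length(ct)
    if k is None:
        return None, None
    key = "".join(AZ[best_shift(ct[i::k])] for i in range(k))
    return key, vigenere(ct, key, -1)

# Constructed sample message (about 500 letters), enciphered with a constructed key.
PLAINTEXT = letters("""The members of the group agreed to meet at the old library on the north side of town
after the market closed. Each of them was to bring one page of notes and nothing else, and to leave by a
different street than the one they arrived on. The message was written out by hand and then enciphered with a
short keyword that had been shared the week before. They believed that changing the keyword for every letter
would keep the contents hidden for months, but a repeating keyword leaves a pattern in the ciphertext, and with
enough text that pattern gives away first the length of the keyword and then each of its letters in turn.""")
CIPHERTEXT = vigenere(PLAINTEXT, "LEMON")
```

Calling `break_vigenere(CIPHERTEXT)` returns the key and the plaintext from the ciphertext alone; very short messages give `guess_key_length` too little data and it returns `None`.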
000, you want an e-book copy of the Cryptonomicon?
I can direct you to a download, if you want...
Quote from: Cain on May 08, 2008, 08:41:42 PM
000, you want an e-book copy of the Cryptonomicon?
I can direct you to a download, if you want...
thanks, but i've seen it in the shops (unfortunately it was the dutch translation), it's rather big, no way i'm going to read that off the screen.
i'm barely halfway through AoM :)
Quote from: triple zero on May 08, 2008, 08:40:01 PM
says here it's breakable.
http://en.wikipedia.org/wiki/Vigenère_cipher#Cryptanalysis
and from its description, it doesn't seem that hard either, doing it by hand, yeah i believe that, but add a bit of computing power and you're set.
there's another cipher that you can encrypt and decrypt by hand, where the key is a shuffled deck of playing cards:
http://www.schneier.com/solitaire.html
it's mentioned in cryptonomicon (which i still need to read) and it is in fact strong security (because of the vastness of the key size).
This is the correct cryptocycle. Polyalphabetic substitution is not a secure way of encrypting anything anymore. Either one time pads (which includes the deck of cards method), symmetric encryption of at least 128 bits or asymmetric encryption of at least 1024 bits is necessary to defeat common cryptanalysis. For NSA level analysis, well, who knows...
I would have been looking at PGP or one time pads myself.
Aw... that's sad to hear. I knew the one-time pad was the best option, but I've read it's too inflexible when it comes to ways you can apply it. A simple Vigenère cipher at least keeps n00bs and people who don't know much about cracking codes out of your hair.
I'm just starting to learn C++ programming, but the site I'm taking notes from ( http://www.cprogramming.com/begin.html ) isn't very thorough. They leave a lot of stuff out that somebody who knows nothing about programming would need to know, and it's getting a bit irritating; a couple lessons in and I feel like I'm learning stuff I'm not ready to use yet. Anybody know if there's a better "C++: the n00b edition!" sorta guide out there?
Quote from: Cain on May 09, 2008, 05:33:07 PM
I would have been looking at PGP or one time pads myself.
OTP's are very very secure... in some sense, but they have some serious flaws, particularly in a decentralized situation. OTP's require very random data, a secure transport mechanism and physical security of whatever pads exist.
Asymmetric encryption, on the other hand, like PGP or GPG can use a public channel for distributing the public key and all the random (plus key sizes) are handled in software.
I would probably recommend a GPG or PGP solution for the sort of stuff discussed here.
Basically, every member of the group would need to install GPG or PGP and create their own Public/Private keypair. They could then cut/paste the public key into a thread here at PD.com and anyone could then send encrypted communication to anyone else with GPG/PGP. A single message can be encrypted with multiple keys so if I wanted to send an encrypted message to Hoopla, Cram and Cain, I could do so... and each of them would only need their own private key and the passphrase they use to protect that key.
Basically it could work like this:
Write text -> Use Public Key for pd.com users x, y and z -> post encrypted message at PD.com -> Users x, y and z can decrypt the data... no one else can.
If we use pseudonyms and proxies for those posts, it also tangles any lines connecting us rather well.
Quote from: Ratatosk on May 09, 2008, 03:12:35 PM
This is the correct cryptocycle. Polyalphabetic substitution is not a secure way of encrypting anything anymore. Either one time pads (which includes the deck of cards method), symmetric encryption of at least 128 bits or asymmetric encryption of at least 1024 bits is necessary to defeat common cryptanalysis. For NSA level analysis, well, who knows...
I worked at the NSA, so I know. While I can't give details, let's just say that if there's something the NSA wants to know they have the means to know it. Sounds conspiracy-nut-like for me to say that, but like I said, I worked there for six years.
-R
Quote from: Pataphoros on May 09, 2008, 06:00:34 PM
Quote from: Ratatosk on May 09, 2008, 03:12:35 PM
This is the correct cryptocycle. Polyalphabetic substitution is not a secure way of encrypting anything anymore. Either one time pads (which includes the deck of cards method), symmetric encryption of at least 128 bits or asymmetric encryption of at least 1024 bits is necessary to defeat common cryptanalysis. For NSA level analysis, well, who knows...
I worked at the NSA, so I know. While I can't give details, let's just say that if there's something the NSA wants to know they have the means to know it. Sounds conspiracy-nut-like for me to say that, but like I said, I worked there for six years.
-R
I have had a number of friends that have worked with various Three Letter Acronyms and I have gotten that same line from some of them... except for my friend from Navy Intel. He told me to shut up and not ask him questions about such things (even though we talked about all sorts of other Military stuff).
While I find the other responses to be in line with my thinking... I've often wondered if Simon was really the only one 'in the know'. He also spoke Farsi which is cool.
That's a point, if you want to keep something secret, learn Farsi and Arabic, since the in-thing seems to be firing people who can speak the language for being gay and letting the paperwork pile up.
Quote from: Cain on May 09, 2008, 06:14:07 PM
That's a point, if you want to keep something secret, learn Farsi and Arabic, since the in-thing seems to be firing people who can speak the language for being gay and letting the paperwork pile up.
HorrorMirth ITT
Rata, I never understood the PGP/GPG concept until now... The simplicity is mind-bogglingly amazing. Thanks for the explanation.
By the way, I just started working for an online banking company... Most of my work will at least involve security/validation procedures, so training has really got me thinking about security. Any recommended book to read as a first general introduction to information-age security? I'm thinking this job can be a great opportunity to experience real-life cases to get my head around security. I also have a distinct feeling that far too much of the company's security depends on hoping fraudsters don't figure out our procedures... Meaning I should eventually be able to figure out a foolproof way to scam the company, if my hunch is right. Would be a sweet way to wow my superiors and possibly get a more interesting position...
As someone who is not a programmer but has an abiding interest in security of all sorts, I highly recommend:
Bruce Schneier - Applied Cryptography
Dennis Gluth - A beginner's guide to hacking computing systems
The Institute for Security Technology Studies - Cyberwarfare
Kevin Mitnick - The Art of Deception
i looked up PGP on the Internet last week and the web sites promoting it/offering free downloads seem to be claiming near invulnerability. true or not??
Not sure; this is the first I've heard of it. If your company's interested in security, you might want to get BugTraq (sp?) mailing list. Don't get too many- it'll fill your box up real quick.
I found out how to hack a Mitsubishi from that list; they post all sorts of new exploits and ways to counter it. Good stuff.
According to Bruce Schneier, PGP's as good as it gets, and as close as a civilian will come to military grade encryption.
In US vs Boucher, federal investigators complained it was nearly impossible to access the defendant's computer and actually impossible to read drive Z (where they were looking for illegal photos), which was 2 years ago.
Furthermore, if you are in the USA, your encryption passwords are protected by the Fifth Amendment.
i take the 5th
sounds cryptocool, if i get PGP and figure it out all i will need is some one to send secret messages to and something worth keeping secret
Just send e-books (from Project Gutenberg) back and forth among your friends, encrypted.
It'll wind up the NSA no end.
if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-if you are reading this you work for the nsa-
encrypt and send
extra windup if sent to Islamic organisations
Thx for the tips, Cain.
Not a problem. If you want them uploaded, give me the word. I have all of them in PDF format, along with about 300 MB of other books on programming, hacking etc
Could you perhaps upload one or two of them really fast? I'm leaving for Berlin in half an hour, I can read them on my laptop on the way there... Otherwise not much point in uploading anything right now, I have too many books to read and I usually read AFK only.
Apologies, I was messing around
http://mihd.net/4ewxlc8 Here's one for you
My gratitude, dear sir. :)
thanks trying to download now..
Quote from: triple zero on February 08, 2008, 07:34:33 PM
LHX plays Go. I think Net also plays Go.
I play a little bit of Go, i've probably played 3 games in my life, on smaller boards. An interesting learning experience. It seems progress in the game comes automatically with Zen-type lessons, which is really cool.
Only if you were inclined that way in the first place. At the moment I think that it makes people more of themselves, if that makes sense.