Notacon 5

Notacon5

Back in Cleveland for another great time. This was more of a social time for me, and as I found from the people who run it, that was exactly their intentions. I met a lot of new people, got in touch with a few that I haven’t seen in a year. Got drunk and had a blast. I also got to see more of Cleveland this year, including the soapbox racetrack and the science center.

I only went to two talks this time, which was twice as many talks as last year. Mainly because I had to heckle Aestetix on his talk about art and programming. It was an interesting experiment really on what talks would get accepted, that turned into a halfway serious discussion on perception and code. I will definitely be interested in helping him expand this talk for the future.

Hypatia gave a more academic but completely enjoyable talk on how Internet has been treated by the social sciences, which has been quite poorly. As someone who’s evangelical about technology and cryptography, the presentation gave me some insights on who I need to target. It also reaffirmed my belief that the hype curve isn’t guided by those promoting their wares but by misinformed people with good intentions.

The social aspect is very important. Most of the year, at least for myself, we’re in our little isolated areas wondering half the time if other people share our love for art and technology. Notacon is where we can come together and share the fruits of our labor, bounce ideas of each other, and even combine them into a new beast. Or get drunk and take over Hard Rock Café.

Easy to make Strong Crypto

If someone asked you to code a strong crypto tool from memory, it wouldn't be surprising to feel a bit overwhelmed, but that's exactly Arnold Reinhold has been able to do. With CipherSaber, he has been showing people that strong crypto is accessible by anyone and not some divine blessing that can be given or withdrawn by the government.

CipherSaber is a protocol, implementing the Arcfour algorithm, that is simple enough for entry level programmers to understand. Once someone understands how simple it is to code their own tools, they can do so anywhere in the world, quickly. With one small step, CipherSaber has been able to easily negate present and future cryptographic export and control laws. We're not even talking about free speech here, but free thought.

Another important component of CipherSaber is that it requires you to hand make your own tools, teaching you that you never have to be unarmed. However, there are some weaknesses that the developer should keep in mind and CipherSaber-2 was developed to address some of these issues.

Once a person has begun this training, they can augment further with TEA and the D-H key exchange for understanding Feistel and asymmetrical ciphers, respectively. Thanks to CipherSaber, a budding programmer can be on the road to a well rounded Cypherpunk.

Critique on Port Knocking

When it comes to security through obscurity, everyone has their favorite quote. There's Kerckoff's principle, Shannon's maxim, and Raymond's "Security through transparency." I prefer Schneier's summary, "every secret creates a potential failure point."

Port knocking depends obscurity, a secret series of false connections. Using port knocking with multiple people requires a means of communicating and updating the secret. The more users involved means the more people who know the secret and the greater likelihood that the secret will be shared or observed.

Port knocking doesn't protect from sniffing, man-in-the-middle attacks, or spoofing from an established source. Proponents of port knocking claim that it's useful in protecting your sensitive ports from exploitation, but port knocking itself is software (in one form or another) which leaves itself susceptible to vulnerabilities.

In contrast, VPN technology offers the same protection as port knocking, but also has measures to protect the confidentiality and integrity of the communications. The secret is reduced to user authentication, which (aside from being more manageable) can be implemented in a pin protected smartcard.

Hidden Tor Node on a USB Stick

Recently I launched https://jn52gdac73recgxu.onion/

A Hidden Tor Server using 375mb on a USB stick. A full featured web server, hiding behind a firewall, somewhere in North America.

It was all pretty simple to setup, it took more time finding the suitable software than it did to install and configure them.

Step 1: Download Portable Tor
Step 2: Download xAMPP for Windows
Step 3: Configure TOR for hidden service, Sample Torrc file

Notes: If you run XeroBank, OperaTor or TorPark, be sure to launch Portable Tor first.
xAMPP is not as portable as I'd like, due to its config files including the drive letter that XAMPP was installed on. Best way around this is to use the DOS command SUBST to convert whatever drive you're on to the same letter as when it was installed.

Public Keys and IDs

My OpenPGP key ID is 0x2E5FE831

your key id :

If you trust that...
-----BEGIN---
My current OpenSSH Authorized_keys is:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAsw1eoATPLJ6UCLzvFg1zb+4mmbN3zjBqEVODpn1KGCePFTm+P1hw4vXJjlivbEl2WlT/bqQac/mWK/KdH/a7qHUoHAgFedQnRqbHiB0ATHpJFvSoyY85AlWdHUU3ks3qZHat6+3Q0ipxL9H5REpC2LcRHMuGkpaW3rBfidYECCM= rsa-key-20070928

My OTR Fingerprints are:
Chris.Gragsone@Bonjour: 58BFD428 C0160FDC B2D38E25 0ECE9222 834C80C4
Maetrics@AIM: 7740E49E FD643730 072DD305 85CE0B55 49B9E287
Sinchume@gmail: 8D737C1C AC4D1BC5 DC0A3729 C1D18C4B 474BCC5B
Sinchume@yahoo: 4347B3DD 3E508ECA 1701F75F 9C57A7AE 54892C31
Maetrics@irc.2600.net: C65D4DD5 84CD2831 CBFFDEF2 8355BE4C 51DD890C
-----END-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQBHAYBqMFUeNy5f6DERAp2FAJ4h+u1Bx6HKp8VzG0N1YvUmybjzOgCgu0NR
FJTme6u083nA4NwKz15Lutc=
=l14X
-----END PGP SIGNATURE-----

If you'd want my x.509 Cert, just request via email.

Crypto by Default

For a while, I've used Aim's encryption feature to securely chat with a few friends. This week I decided to try Pidgin (formally Gaim) with Off-The-Record (OTR). My first worry with encryption is always the user base. No sense in having crypto around if no one uses it, eventually you end up with dead keys and forgotten passwords (not that OTR needs passwords). To my shock, not only did my crypto using friends also use OTR, but so did people I considered crypto-novices.

Turns out they all happened to be Apple Mac users running an IM client called Adium. While OTR has an optional plugin's for Pidgin and and a proxy for AIM, Adium has it built-in and running by default. Seamless crypto, the kind that thousands of users experience when give their credit card information to a stranger over the Internet. Why other IM clients aren't Crypto by Default is beyond me.

To the programmers out there, design "Crypto by Default," and include TLS and OTR libraries. To the users, expect nothing less.

Project Idea

This is more of a note to myself of various crypto projects

• a putty app that extracts the host keys from the registry and stores them in .ppk or openssh format. This will make it easier to transfer trusted keys to another client machine. (thanks to Elonka for this idea)
• crypto key swiss army knife. Convert sshkeys, x.509 keys, openpgp keys into each other's formats.
• bartpe image to support ironkey and various portable apps
• TOR Hidden Server, USB key (Completed, read about it here)
  
• .Onion DNS server, (Using Wide Area DNS-SD didn't pan out, read why. Continuing on a different approach suggested by a friend.)
• OTR for finch and Second Life