Report: RSA endowed crypto product with second NSA-influenced code Extended Random – like “dousing yourself with gasoline,” professor warns.

Allstaractivist’s note:

As you read the below editorial, think back to what I said in my previous post; “Thank God For Puppy Linux! – (and Barry Kauler too)” about random number generators (RNG) and their importance in cryptography. Remember also that I said to stay away from Google and MSN search engines too. It goes without saying of course to avoid Microsoft’s Internet Explorer browser, ditto for Google’s Chrome (I don’t care if it is partially open source now) and Firefox.

Truecrypt uses you as it’s RNG, is totally open source and the programmers who wrote it have never been identified. They gave the program to the world for free and, for two very good reasons. First, had they identified themselves they would have been attacked or coerced by the NSA to adulterate their program and compromise their principles (or worse). Second, the patent laws are such that only big corporations or fascist collaborators are able to avail themselves of their protections. (the patent laws). It takes huge sums of money to legally defend your patent, corporations are the only ones able to do it, most times. Best to open source and derive your income from consulting.

The reason that I stick with an old version of Opera and stay away from Firefox is because in the early stages of Opera’s development, security and innovation were still an ethic of it’s developers. They hadn’t sold out yet. Funny, I do remember that for a time in the beginning, Opera was being touted as the browser of choice for communists, I started seeing communist based themes offered as skins. Don’t know where that was comming from, Opera was the anti-establishment tool of the time.

Firefox has sullied itself by using talent that works with the NSA, as the editorial below details. Even though it is open source and not proprietary like Opera, it is so popular that it attracts large numbers of hackers. Opera on the other hand, is used by less than %0.05 of all users of desktop browser applications. With such a small user base, Opera is not worth the time for a hacker to try to attack. No payoff. This same principle is the reason that I stay away from other popular browsers too, don’t care if they are open source.

As for using an email program that is totally secure, the government will not allow that. There used to be only two, for pay security focused email service providers however, our government pressured them so bad that it was impossible for them to stay in that business. One of them was Silent Circle. If you are going to do email, don’t say or send anything sensitive. Better yet, have every one of your contacts use software that allows for strong encryption. I don’t know what those programs are (I don’t do email) but I know they are out there.

***************************************************************

excerpted from:   Ars Technica

by Dan Goodin – Mar 31 2014, 8:49am -0700

Security provider RSA endowed its BSAFE cryptography toolkit with a second NSA-influenced random number generator (RNG) that’s so weak it makes it easier for eavesdroppers to decrypt protected communications, Reuters reported Monday.

Citing soon-to-be-published research from several universities, Reuters said the Extended Random extension for secure websites allows attackers to work tens of thousands of times faster when breaking cryptography that uses the Dual EC_DRBG algorithm to generate the random numbers that populate a specific cryptographic key. Dual EC_DRBG is a pseudo-random number generator that was developed by cryptographers from the National Security Agency and was the default RNG in BSAFE even after researchers demonstrated weaknesses so severe that many suspected they were introduced intentionally so the US spy agency could exploit them to crack encrypted communications of people it wanted to monitor. In December, Reuters reported that the NSA paid RSA $10 million to give Dual EC_DRBG its favored position in BSAFE.

Extended Random was a second RNG that would presumably make cryptographic keys more robust by adding a second source of randomness. In theory, the additional RNG should increase the entropy used when constructing a new key. In reality, the algorithm made protected communications even easier for attackers to decrypt by reducing the time it takes to predict the random numbers generated by Dual EC_DRBG, which is short for Dual Elliptic Curve, Reuters reported Monday.

“If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline,” Matt Green, a professor specializing in cryptography at Johns Hopkins University and one of the authors of the upcoming academic report, told Reuters. Monday’s report continued:

The NSA played a significant role in the origins of Extended Random. The authors of the 2008 paper on the protocol were Margaret Salter, technical director of the NSA’s defensive Information Assurance Directorate, and an outside expert named Eric Rescorla.

Rescorla, who has advocated greater encryption of all Web traffic, works for Mozilla, maker of the Firefox Web browser. He and Mozilla declined to comment. Salter did not respond to requests for comment.

Though few companies appear to have embraced Extended Random, RSA did. The company built in support for the protocol in BSafe toolkit versions for the Java programming language about five years ago, when a preeminent Internet standards group—the Internet Engineering Task Force—was considering whether to adopt Extended Random as an industry standard. The IETF decided in the end not to adopt the protocol.

The researchers said it took them about an hour to crack a free version of BSAFE for Java using about $40,000 worth of computer gear, Reuters reported. Cracking was 65,000 times faster when BSAFE used Extended Random, an improvement that reduced attacks to seconds.

Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.

Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.

 

Homeland Security Exercise Targets “Free Americans Against Socialist Tyranny”

allstaractivist note: Unfortunately, I have discovered the infowars site to be a disinformation site. As with all disinformation, much of it is true however, motives are duplicitous. Let the reader continue with caution.

Blogs, websites and personalities that I’ve discovered to be disinformation shills

– Infowars – http://www.infowars.com –

Homeland Security Exercise Targets “Free Americans Against Socialist Tyranny”

Posted By yihan On March 24, 2014 @ 9:28 am

Leaked documents reveal plan to counter online dissent during martial law

Paul Joseph Watson
Infowars.com
March 24, 2014

Leaked Homeland Security documents obtained by Infowars reveal details of a joint DHS/FEMA national exercise set to take place this week, one of the components of which revolves around an effort to counter online dissent by a group called “Free Americans Against Socialist Tyranny,” which is disgruntled at the imposition of martial law after an earthquake in Alaska.

Image: DHS (Wiki Commons). 

The document again underscores the federal government’s obsession with characterizing libertarians and conservatives as some kind of extremist radical threat.

The document (PDF) was leaked by an individual affiliated with Stewart Rhodes’ Oathkeepers organization and passed on to Infowars. It is entitled National Exercise Program – Capstone Exercise 2014 – Scenario Ground Truth.

The document is intended for “U.S. Department of Homeland Security Trusted Agents Only” and is “disseminated only on a
need-to-know basis.” Even the role players involved in the exercise itself are prohibited from seeing the files.

The exercise is designed to evaluate readiness in preparation for a catastrophic incident, natural disaster or major act of terrorism. Some of the scenarios which will be in play during the exercise include a series of earthquakes, tsunamis and a nuclear weapons accident.

On page 125 of the document, a scenario is outlined whereby a group calling itself “Free Americans against Socialist Tyranny” responds to “The U.S. Northern Command mission of Defense Support to Civil Authorities” (or the imposition of martial law) by launching a protest campaign on social media and potentially engaging in cyber attacks.

According to the scenario, the campaign is driven by suspicion that “the government is responsible for the Alaska earthquake and a “hacktivist” manifesto.”

“The U.S. Northern Command mission of Defense Support to Civil Authorities has led to increased activity by some anti-government organizations,” states the document. “Currently, the most vocal organization is Free Americans against Socialist Tyranny; using social media, they advertise anti-U.S. rhetoric focusing on the Department of Defense as well as to recruit like-minded individuals to join their “cause”.

“While some Free Americans against Socialist Tyranny members are capable of conducting adverse cyber operations, the greatest threat is current government employees sympathetic to their cause,” the document adds. “It is believed that there are employees within US Northern Command, U.S. Air Force, U.S. Army, National Guard, and Defense Information Systems Agency that may support Free Americans against Socialist Tyranny doctrine based on individual comments on social media sites. Free Americans against Socialist Tyranny sympathizers may include both former and current members of the military with training on satellite communications, computer network defense, network operations, as well as military command and control.”

The scenario also suggests that Northern Command members sympathetic to Free Americans Against Socialist Tyranny may attempt to hack the North American Aerospace Defense Command as a form of retaliation.

This is by no means the first time that the Department of Homeland Security has characterized anti-big government Americans as domestic extremists.

A study funded by the Department of Homeland Security, details of which emerged in 2012, characterized Americans who are “suspicious of centralized federal authority,” and “reverent of individual liberty” as “extreme right-wing” terrorists.

As we have exhaustively documented on numerous occasions, federal authorities and particularly the Department of Homeland Security have been involved in producing a deluge of literature which portrays liberty lovers and small government advocates as extremist radicals.

The document also mentions the threat posed by “disgruntled military and Department of Defense civilians,” which ties into the talking point, repeatedly promoted by the DHS and other federal agencies, that returning veterans pose a major domestic terror threat.

The Capstone Exercise 2014 document makes it clear that a key part of the Department of Homeland Security and FEMA’s preparation for the aftermath of major catastrophic incidents in the United States is centered around combating online dissent which will be sparked as a result of federal authorities and military assets instituting martial law, or what the document refers to as “Defense Support to Civil Authorities”.

This is particularly chilling given reports that emerged in 2006 concerning a nationwide FEMA program under which Pastors and other religious representatives were trained to become secret police enforcers who teach their congregations to “obey the government” in preparation for a declaration of martial law, property and firearm seizures, and forced relocation.

The fact that the DHS is focusing its cyber security efforts during a major national exercise not on targeting foreign state actors or terrorists but on combating online dissent by conservatives is sure to increase concerns that the federal agency once again has libertarians, patriots and small government activists in the crosshairs.

Facebook @ https://www.facebook.com/paul.j.watson.71
FOLLOW Paul Joseph Watson @ https://twitter.com/PrisonPlanet

*********************

Paul Joseph Watson is the editor and writer for Infowars.com and Prison Planet.com. He is the author of Order Out Of Chaos. Watson is also a host for Infowars Nightly News.

Article printed from Infowars: http://www.infowars.com

URL to article: http://www.infowars.com/homeland-security-exercise-targets-free-americans-against-socialist-tyranny/

Click here to print.

Copyright © 2013 Infowars. All rights reserved.

Thank God For Puppy Linux! – (and Barry Kauler too)

I’m about to break a cardinal rule regarding security, I’m about to reveal my whole security scheme for anyone who cares to take a look.

I do this in holding to my philosophy that information which is beneficial to the advancement of humanity should be shared, perhaps bartered or sold, but definitely not kept to one’s self (the smallest minority). I wrote about this personal belief in an earlier post entitled, “We Are All RETARDED.” I believe that humanity advances or fails based upon how much we are willing to help each other, mutual cooperation for mutual benefit. Our most perfect state as fallible beings. With this thought in mind, I impart what I have learned in hopes that it will be of use to someone in need.

Computer security, somewhat of an oxymoron, since such a thing will intrinsically be forever elusive. It’s just when you feel totally secure that you are most at risk, we are never secure, never safe. To think so is to become a fool. We can however, do as best as one can and a great place to start on the road to that goal is with the operating system, the foundation that all other tech activity is built upon. I’m talking about old fashioned desktop boxes and laptops of course, I don’t even own a Smart-phone nor any other mobile device. To me, these things by design are impossible to secure in any meaningful way, their dependence on networks and all.

Bored yet? Good. Then let’s begin.

The most perfect, well thought out, bug free and just plain works operating system for the common man or woman ever designed in the whole wide world is… PUPPY LINUX! YEAAAA! Here’s why;

1. It’s Linux, duh. Need I really say more?
2. Is totally free under the GNU license.
3. Has a strong community of knowledgeable users willing to pitch in and help when you get stuck.
4. Is incredibly useful in repairing broken boxes and breathing new life into old ones. The operating system is one of the few that loads totally into RAM memory and can be fully functional in a computer that has no hard drive at all. A HUGE plus for security as well as performance. For example, once the power is cut, EVERYTHING VANISHES WITHOUT A TRACE.
5. Depending upon the distribution that you choose, Puppy has many repositories available to it full of all sorts of useful and free software.
6. Has an excellent GUI with many different window managers and themes to choose from. Puppy is a fully functional operating system either with or without a GUI. As with any UNIX variant, it is native to the command line. Did I mention that many UNIX utilities and apps (both command line and GUI based) are ported and portable to Puppy too?
7. Is a single user operating system which means that only one person can be logged on at a time. This virtually eliminates privilege escalation attacks.
8. Is extremely portable, just pop CD or DVD into optical drive and boot. Can also be installed on a bootable USB flash drive with or without encryption. Can be stored in a “pupsave” file either encrypted or not, which contains all personal files (needing only the original CD to boot). Can network boot using PXELinux and finally, can run live off a CD/DVD (the last method being absolutely hack proof).
9. You can custom tailor Puppy to your liking with it’s native package manager and then save the build in a pupsave file, ISO image, bootable USB drive or live CD/DVD.
10. Can dynamically load and unload programs on the fly using the .sfs package system. These packages are self contained with all necessary dependencies, no installation necessary. Big, resource intensive programs can be loaded or unloaded so as not to hog resources. Trouble free.
11. Can run Windoze .exes and programs of many other Os’s with emulators such as Wine, Virtualbox (for total guest OS emulation) and many others. Run one at a time or all at once if your machine is strong enough. All network resources can be shared too.
12. Can mount or unmount both local and network drives, an extra measure of security and safety.
13. Understands and can read and write to many other OS’s filesystems such as fat, vfat, ntfs, ext, etc.,
14. Boots very fast and eliminates constant writing to drives, thereby extending their service life.
15. Is in continual development and testing the world over. Bugs are fixed quickly and the OS just keeps getting more and more robust with contributions from the Puppy Linux community.
16. Finally, is the perfect, unbreakable, fully customizable and safe operating system for kids. Just pop in the CD and if the little angels break something, simply reboot. All brand new again. (Just make sure they don’t have the mount command available, any connected hard drive might not survive their playful keystrokes).

By no means is this list all that Puppy can do, these are just some of the things that I like best. I’m no Geek nor Guru, just a “power user” who values his privacy and appreciates things that work and don’t break all the time. There are many people out there much smarter than me that can make Puppy Linux do some amazing things that I can’t even imagine. So is the wonderful world of Linux (as well as other UNIX variants). for a better explanation, check out the official HOWTO at http://puppylinux.com/development/howpuppyworks.html

Thank you so, so much Mr. Barry Kauler, for giving us this fantastic gift. Barry is a master programmer and computer scientist who invented Puppy Linux and named it after his now departed Chihuahua. He lives in Australia.

Now for the security stuff.

Truecrypt

Truecrypt is also a free, open-source (meaning the source code is available to anyone) program that encrypts whole drives, partitions, individual files, creates encrypted archives and can also make hidden encrypted partitions.

Truecrypt enables the user to choose between three different types of encryption (AES, Serpent and Twofish) and has the ability to use all at the same time to encrypt (this is called cascading). Cascading doesn’t increase hardness very much however, but does increase overhead. This means you’ll make your machine work harder to decrypt while reaping minimal gain. Just stick with either AES or Serpent, these two seem to be the best.

The program encrypts and decrypts in duplex mode on the fly, in other words in both read and write mode in real time, instantly. The overhead is very low and not noticeable to the end user. Extremely strong encryption can be achieved without slowing down your machine. An entire hard drive can be dynamically encrypted and decrypted in both read and write modes utilizing strong encryption without ever seeming to bog down. Only on bandwidth demanding tasks such as transcoding (converting one file format to another) can one notice the difference. As for my personal experience me any lag time is unnoticeable. The damn thing just works beautifully, all the time.

Another nice thing about truecrypt is that if you have a sudden power failure before you have a chance to unmount your encrypted media, no harm, no foul. None of your data gets corrupted. Just mount it up again when the power comes back and pick up where you left off. It doesn’t save the previous state but it doesn’t corrupt whatever files you were working with either. If you were in the middle of a project, you will just have to start all over again, thats all.

Something that is kind of weird but totally in keeping with encryption best practices is what Truecrypt uses as it’s random number generator, the heart of any encryption scheme. The random number generator that Truecrypt uses is YOU. That’s right, you are the RNG. After all, what could be more random than nature at it’s finest. Whenever you encrypt something with Truecrypt, whether it be an individual file, partition or an entire hard drive, there is a point in the process where your active input is encouraged. Truecrypt instructs you to take the mouse and jiggle the cursor around on the screen in as random of a manner for as long as possible, at least for thirty (30) seconds. What this does is randomly generate encryption keys that the program them stores and uses to accomplish the encryption. Kind of genius, don’t you think? If I am encrypting an entire hard drive, I sit there for at least an hour and move the cursor around as frantically as I can until my arm burns off. The reason that I do this is because I am being Gangstalked by government sanctioned creeps who probably have access to quantum computers for cracking. I’m going to make their Satanic job as much of a pain in the arse as I can. 🙂

What I like best about Truecrypt though, is that Truecrypt allows the use of Keyfiles.

Keyfiles

A Keyfile is pretty much what it sounds like, a file that has been turned into a key of sorts. The file itself isn’t changed however, it is just used as part of (more accurately in addition to) the password.

A Keyfile can be any kind of file. It can be an audio file, a graphic file, a text document, an archive of many different files etc., etc., etc.,… Any file extension known to man can be used, of any length, of any size and quantity. A Keyfile can be on the local drive, a network drive, several different local or network drives if using more than one file or, reside on the Internet itself in a web-page or something. Whatever you can access with your machine can be incorporated into your password in the form of a keyfile and only you know what that is (or are). One word of warning though, lose access to the keyfile and your data is unrecoverable. That is, unless you have your own quantum computer handy. My suggestion is to store several copies of your chosen keyfile or keyfiles in the cloud, locally hidden on the hard drive and finally on some form of non-volatile ram like CD or DVD. Only you have to know what file is what.

I would never store nor upload to the cloud any sensitive data that I wanted to keep private without first encrypting it with Truecrypt, using all of the tricks enumerated in the aforementioned.

Search engines

Not really much to say here, except you should stay as far away from Google, Bing and MSN as possible. ixquick and Startpage are the only ones I use, exclusively.

Browsers

I’m partial to Opera although I will use Firefox every now and then. I used to use a stripped down version of Chrome called Iron however, it just doesn’t take care of all of my needs. There are other ones out there too, some exclusive to Linux only. When feeling extra paranoid I switch to one of the more arcane ones. Sometimes I even fire up Virtualbox and run Windoze IE right along with Opera, Firefox or Iron, just to foul up the noses of any packet sniffers smelling my traffic. When I feel even more paranoid I tap into a select set of proxy servers that make it appear as though I’m living in Germany, Columbia or Brazil. This is kind of troublesome though, and kind of slow so I don’t do this much anymore. You also never know when a proxy might go off-line for whatever reason. When I need real privacy (or as close as a mere power user like me can get) I bust out Tor. Seems like overkill as I’m not involved in anything illicit anyway, but with the revelations of Snowden I somehow feel it is my duty to be as in the dark as possible. The only thing that I can think of even more secure than Tor would be a Virtual Private Network or VPN however, the problem with all of these technologies is that they are all vulnerable to end point capture, as in your ISP selling you out. Since I am being Gangstalked by government sanctioned creeps, I assume this near undefinable attack is my very situation. Thanks AT&T and Comcast, for feeding me to your real customer, the guberment.

SYNCHRONICITY UPDATE 06/13/14

***********************************************************************************************************************************************

Dan Nois of Channel 7 news (I Team) did an investigative report on the TOR browser less than two months (1 month 24 days) after I first wrote about it in the above paragraph…

Too many coincidences to be coincidences. Media control to this degree? 1 month 24 days after writing about TOR in this post.

Then this guy on May 31, 2014 (2 months 11 days after my post)…”FBI Says San Francisco Bomb Suspect Ryan Chamberlain Sought Toxins Via ‘Deep Web’”. click to goto story at CBS.

Then, 2 months and 8 days after saying that I like and use Truecrypt, this warning is posted on May 28, 2014! WTF!! Coincidence or something far more ominous?

************************************************************************************************************************************

Smoke signals and Carrier Pidgeons (just kidding)

At long last, physical access to your machine. Don’t ever let anyone have physical access to any machine or device that you want to keep clean and secure. Do all maintenance and repairs yourself, keep the thing in a locked and secure cabinet when not in use (or in the case of a desktop or server, always in a locked cabinet) and never trust anyone. Use software that will render it no better than a brick should it ever get out of your possession.

As for my very last words remember this, human beings make excellent random output generators.