i'd rather pretend CIA doesn't know its business than write something like this to nsapao at nsa.gov. if i wuz trying to send you electronic info from zimbabwe (where much technical research goes on,) i'd still be looking to send you an attachment - i might not have the nerve to launch the blueprints for a new pipe threader off to that other address as a pdf attachment, or i might not think it was up their alley. what i WOULD do is go to sourceforge.net and download bcrypt and put the executable and attending dll file in windows backslash system32 folder. at that point bcrypt -r filename becomes an internal command, executable from a dos prompt. if i forget to put the -r, it wipes the source file off my system, leaving only the encrypted .bfe file. As a passphrase my favored choice would be the first 56 chars of the public key I cannot retrieve for nsapao at nsa.gov from http://keyserver.veridis.com:11371/search?q=cia%40cia.gov&searchformsubmit=Search
website. bcrypt only takes 56 chars, sooooo.... there really ought to be a way for black hat to contact you - a plurality of 'breakme.txt.bfe' might not be all you'd get. i realize that you already know how to encrypt anything you seriously need to, so the whole e-mail from me ought to be superfluous. i do not know why i am compulsive about this kind of thing.
CC nsapao at nsa.gov
CC dallas at fbi.gov
Mistake is this: If WE put OUR public key up there, THEY can put a FAKE key up there where ours should be. Then EITHER we get an important message we can't decrypt, OR they get the relevant message and catch the defector before we even hear about him. RSA is good enough for most things, but won't do to fight a war anymore.
I've thought about it and: A web form demands free submissions. An email address invites encrypted submissions to negotiate payment for passwords. If financial inducements are necessary, spies can send to NSA email. Otherwise, CIA has a web form that uses SSL - no password needed on either end, even though the browser takes the microscopic data-packs and duly encrypts before sending packets everywhere on the web in pieces, like postcards mailed all over town, all going to the same address in Podunk. You can TRUST that thing if you really think they need to know. The weak link is perennially people not the box.
things I've learned since then:
- If NSA thinks the public knows and can use bcrypt, they will take it away.
- A blue editor's markup pen, like a blueprint, will not photocopy. Hollywood may make better use of this than 'anybody.'
- a color laser printer can reproduce a letter completely in editor's mark-up powder blue.
- a color photocopier can defeat the editor's magic wand.
- You should be able to discern how far down the road to sell-out I go, by counting occurrences of the passive voice. I will make mistakes :-)
- a reliable hack to avoid automatons that by-pass Google and search "@" signs, is to use character-spelled-out-bracketed-by-spaces. Automatons can't recognize the similarity.
- Open OfficeGL from open source provides a (likely two-fish algorithm,) encryption for its PDF export facility - it's in the 'security' tab when you save/export. Call it 'padlocked,' and you can actually thwart online copying and adoption of credit for your shit. You can't stop theft of telepathic kaleidoscope pictures. I rely on pig-latin to encrypt my telepathic shit, and lose the password regularly. Other people call this forgetting; memory is an open invitation to the Russians to steal prototypes and competition grade sarcasm.
- I can't reliably read minds or download Bulgarian blueprints. Numbers and letters are hard too. As a pilot program, I expect this means the Russians are hard to read that way too. I CAN reliably channel 12th century judicial figures.
- Nomenclatures vary even within conventions. Just because a thing is derived from a pattern doesn't mean it can be reversed. IE: Take the Quran and select the 2nd letter from all words, and put these letters in a file. This is now a hash of the Quran. The problem for cryptanalysts is that somewhere out there, in time and space there exists at least one other book, written in English, such that the second letter of every word in THAT book makes the VERY SAME hash. Learn at least this much. To be useful, hashes must be put in able hands. Other than that, it ain't encrypted - it's disorganized.
- A tip of the hat to Bruce Schneier's diligent efforts: If a guy can't verify his own algorithm (like XORing stuff,) he can't WRITE encryption. He relies on you not being able - he takes your honest buck, and doesn't worry about the actual guy out there who CAN. The ones that work depend completely on the password for entropy. The rest should be available so you can take it to an assembler guy and have him tell you what it does, just like taking a random pill to a pharmacy and asking the pharmacist "What's this?" The answer isn't crafted to deceive. Learn this much at least - if the password isn't long enough, it doesn't have enough entropy IN it to make encryption worth it. If a table is password protected, it OUGHT to be saved in a manner that makes the password part of the mess; if it's an ASCII file that takes your password for permission to look, I just electronically won't ask permission. Open Office's PDFs actually encrypt.
That ought to be ample grist for the mill.
Felicitations.
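
Added example, not part of the original post: a sketch of the "second letter of every word" digest from the list above, showing that a different text yields the very same digest and that the digest alone cannot be reversed to one source. The function names, the sample sentence and the small vocabulary are constructed for illustration, and skipping one-letter words is an assumption.

```python
import re
from collections import defaultdict

def second_letter_digest(text):
    """Digest described in the post: the 2nd letter of every word.
    Assumption: one-letter words have no 2nd letter and are skipped."""
    words = re.findall(r"[A-Za-z]+", text)
    return "".join(w[1].lower() for w in words if len(w) > 1)

def index_by_second_letter(vocabulary):
    """Group candidate words by the letter they would contribute."""
    table = defaultdict(list)
    for word in vocabulary:
        if len(word) > 1:
            table[word[1].lower()].append(word)
    return table

def forge_text(digest, vocabulary, pick=0):
    """Build some other text that produces the given digest."""
    table = index_by_second_letter(vocabulary)
    out = []
    for ch in digest:
        choices = table.get(ch)
        if not choices:
            raise ValueError(f"no vocabulary word has second letter {ch!r}")
        out.append(choices[pick % len(choices)])
    return " ".join(out)

def preimage_count(digest, vocabulary):
    """How many distinct word sequences from the vocabulary share the digest."""
    table = index_by_second_letter(vocabulary)
    total = 1
    for ch in digest:
        total *= len(table.get(ch, []))
    return total

# Constructed sample input and vocabulary (not taken from any real text).
ORIGINAL = "Send the new blueprints before Friday"
VOCAB = ["never", "keep", "what", "shy", "old", "alarm", "try", "from"]

if __name__ == "__main__":
    digest = second_letter_digest(ORIGINAL)
    forged = forge_text(digest, VOCAB)
    print(digest, "<-", ORIGINAL)
    print(second_letter_digest(forged), "<-", forged)
    print("texts from this 8-word vocabulary with the same digest:",
          preimage_count(digest, VOCAB))
```

Even with an eight-word vocabulary the six-letter digest has dozens of candidate sources, so someone holding only the digest cannot tell which text produced it.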