Wednesday, November 12, 2014

NeoCash Radio and The First Crypto War

NeoCash Radio has put up the short talk we had concerning the "First Crypto War", being, in my opinion, the time period from when Phil Zimmerman wrote PGP, to when the International Trafficking In Arms Regulations on the export of strong encryption were repealed.

I recommend my earlier post, "When The Net Was Young", if you haven't read it.

Spoiler: Geeks vs. NSA, Geeks won the battle, the war continues.

But there are elements to the story that I was not able to get into on the air, so I will spend a little while creating this blog post with links and additional materials concerning my comments in the radio show.

Phil Zimmerman was a long-time activist prior to his writing PGP in 1991. He has said of his activism that he "felt like a flea on the back of a Tyrannosaurus Rex." And after writing PGP? "Now I feel like a small barking dog on the back of a Tyrannosaurus Rex."

He wrote it in order to sell it, and in 1991 the Free Software concept was still being thrashed out. However, the government claimed a patent on the RSA algorithm, and they got into a legal scrap about it. The Wikipedia page above will do a better job of the details than my 20 year old memory.

Because of the International Trafficking in Arms Regulations, the RSA algorithm, "Public Key" cryptography, IDEA, and basically all of what the government called "strong encryption", were illegal to export.

When they told Phil that he couldn't sell PGP, someone, somehow, put the PGP source code on a public FTP server (you can look up that acronym yourself, youngster) and it just "got out" to the rest of the world.

Needless to say, the NSA was not happy about this, and proceeded to persecute Mr. Zimmerman for years. Shakedowns at airports long before the TSA started doing that to everyone, missed flights, and on and on, all while he was highly in demand on the lecture circuit because of this infamy.

During this time, PGP was exported perfectly legally from the US. Some genius realized that a published book was impossible to restrict, because of that pesky First Amendment. So they printed the source code in a book, flew overseas perfectly legally, and scanned it back into computer code.

Byte magazine in/around 1983 published the RSA public key encryption algorithm in BASIC. I typed it in, made it work, and it worked quite well. It wasn't secure by any stretch of the imagination, because I was using very small prime numbers for the keys. When I heard about the RSA patent that was being enforced against Mr. Zimmerman, I was baffled. Wasn't Byte published worldwide? Wasn't this 10 years later, after it had been so widely known?

In 1992, the movie "Sneakers" had a throw-away line that gives real pause to the "conspiracy theory" types. "Sneakers" is all about a chip that some genius created that does mathematical factoring at impossible speeds.

Remember what I wrote above, about my using "small prime number" keys in 1983? Programs like PGP work because they use BIG prime numbers, numbers so large that it's effectively impossible to reverse the math used to create the "public key", and by doing so be able to get the "private key" and open the encrypted messages.

Well, what happens if the math isn't hard? All the keys become easy to crack, all the messages become easy to read. Or to paraphrase the movie, "No More Secrets".
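To make concrete why the small primes in that 1983 BASIC program gave no real security, and what a fast factoring machine would mean for keys like PGP's, here is an added Python example (not code from the post or from PGP): it builds a toy RSA key from two small primes, then recovers the private key from the public key alone by factoring the modulus with trial division. The primes, the message and the function names are assumptions chosen for illustration.

```python
# Added example (not from the original post): toy RSA built from small
# primes, then broken by factoring the modulus. Prime sizes, message and
# helper names are assumptions chosen for illustration only.
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Recover p and q from n by trial division. This finishes instantly
    for a 20-bit modulus and never finishes for a 2048-bit one; RSA's
    security is exactly that gap, which the "Sneakers" chip pretends away."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub):
    """Given only the public key, factor n and recompute d the same way
    the legitimate key generator did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair(1009, 1013)  # constructed small primes
    c = encrypt(pub, 42)
    print("ciphertext:", c, "decrypts to", decrypt(priv, c))
    print("recovered key matches:", recover_private_key(pub) == priv)
```

With 1009 and 1013 the modulus is about 20 bits and falls in a few hundred divisions; a real key is only safe because no one can run the same loop to completion.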

The Soviets didn't use that kind of encryption. The "Sneakers" plot device is useless against "One-Time Pad" encryption. So the only secrets that everyone was fighting over in that movie were yours. Ours. The "west". The so-called "Free World".

Now for some real conspiracy stuff. As I wrote in "When the Net was Young", the basic functions of the Internet were "privatized" in 1993, creating the vast boom that is the public Internet you know and are using to read this article.

There are really only a handful of basic functions that make up what is the Internet. Before 1993, the US government ran all of them. After 1993, it was supposedly all "privatized". Some are just more private than others.

Peering between different Internet Service Providers was "privatized" the way an Austrian economist would use the word, that is, made completely private and regulated through competition.

Addressing was "privatized" by being handed over to the "Internet Assigned Number Authority", and DNS, that wonderful function that lets you type in "" instead of some string of numbers, was handed directly to the NSA.

The company that got the "Domain Name Service" was "privatized" the way AFSCME defines it, that is, handed over to well connected political cronies. Verisign was handed the "authority" over all ".com", ".net", and other popular name categories. They're not just located in Mordor on the Potomac, their board of directors was (and is?) a who's-who of NSA spooks, such as Bobby Ray Inman. Funny how that connection has been left off his Wikipedia entry.

And while the NSA still tracks, saves, and analyzes pretty much every packet of data that crosses the Internet, and you should consider everything you type and every click you make online to be completely open to them, the world Panopticon isn't as transparent as they would like it to be.

The ITAR laws against exporting strong encryption were repealed. Phil Zimmerman was able to found his company, PGP Inc, and make a living giving people "Pretty Good" privacy.

For a while, Skype provided end-to-end voice encryption to the world. However, Skype was purchased by Microsoft, and then appeared on the NSA Prism list of directly compromised services.

GnuPG provides a Free Software alternative to PGP, practically feature-for-feature compatible with PGP, and easily integrated with many off-line mail programs such as Kmail and Sylpheed.

RedPhone and TextSecure are apps for Android that claim to provide end-to-end encryption for your phone calls and SMS messages, if the person you're connecting to is also using the app.

However, while these make the content of the call or mail private, all the "meta-data" is still wide open. They know who you contacted and when.

The NSA never gives up. They can't. They have the best cryptographers, all the money they can spend, and a mandate to save the US Federal Government from anyone and anything all over the world.

The NSA writes the encryption standards for the Feds, and through the NIST they try to set the standards for everyone in the United States, too. Do you really think they would publish encryption methods that anyone in the world can use, that they can't crack?

These people are not insane. They're not necessarily evil. As Ludwig von Mises wrote in his wonderful book "Bureaucracy", the problem lies in the nature of bureaucracy itself. From the standpoint of "regular" people, bureaucracies seem insane because of the perverse incentives which underlie the nature of bureaucracy itself.

The NSA, CIA, FBI, and others, are huge bureaucracies, and the perverse incentives are magnified by their inherent secrecy not just from each other, but even from themselves (called "compartmentalization").

Anyone interested in cryptography and computer security should read Bruce Schneier's Blog.

Here is Bruce Schneier talking with Democracy Now about how the NSA continues to make the world a less safe place.

Mr. Schneier, in one of his talks (which I might hunt down and link here) makes an exceptionally good distinction that needs to be understood:

The difference between Surveillance, and Wiretapping.

If you're being wiretapped, then the contents of your communications are being transcribed. Aunt Miltie's apple pie recipe, how much your knee hurts, and so on. All this is personal, and folks generally consider it impolite to listen in. This is also a huge problem for the NSA, and why they have to build that multi-billion-dollar datacenter in Utah: Everybody's phone calls, cat pictures, and spam email, add up to so much data that they simply cannot deal with it all.

Those famous questions to the Director of the NSA about "metadata", however, concern Surveillance. James Clapper lied to Congress, because he understood what surveillance really means. It was his job to know.

From his body language, it's obvious to me that Mr. Clapper isn't a naturally dishonest man. Since so many other people in his place have avoided lying by saying "I believe this should be discussed in executive session", that is, without the cameras and witnesses, his dishonesty in this case is rather baffling. Why lie about it when there is a well-known avenue to avoid answering the question entirely? Could it have been his way of letting the world know without his being the one to say it?

That "metadata" is where you are, who you're talking to, when, for how long, every minute of every day. The actual content of your phone calls and emails is secondary to that kind of information about you as a person, and the NSA has been collecting that data on everyone they possibly can, for as long as they have been able to do so.

That cell phone in your pocket is the most effective surveillance tool ever created, and you and I willingly carry them everywhere we go.

I know it, you know it, and James Clapper sure as hell knew it when he lied about it.

I highly recommend James Bamford's book, "The Puzzle Palace", if you want to better understand just how awful the NSA really is, and just how big a lie it was when Clapper denied gathering information on American citizens.

Additional note: Brazil builds its own fiber optic network, to avoid NSA tapping.
