Export-level Encryption Proves Insufficient
rossjudson writes: "The Independent is running an article about the shoe bomber terrorist. The interesting bit for Slashdot readers is at the bottom -- apparently the 40-bit encryption in the export version of Windows 2000 was cracked by a set of computers using a brute force method. So let's confront the question: Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system." There's another article in New Scientist focusing on the encryption issue.
Yeah (Score:3, Insightful)
It doesn't matter because: (Score:5, Insightful)
Computer +
Low-level programming skills =
High Grade Encryption... Anywhere in the world.
40 bit crypto was _designed_ to be cracked (Score:5, Insightful)
That limit was
THL.
Why not? (Score:5, Insightful)
Sure, why not? It isn't as if there are any cryptographers [pgpi.org] in any other countries [www.ssh.fi] in the world, is it?
Legislation is pointless, and even damaging in this case. The cryptography playing field is fairly level. That's not inherently a good or a bad thing; just as al-Queda can encrypt their files, they are equally prevented from intercepting sensitive information by the same technology. If legislation restricts crypto, we will find ourselves in a situation in which the FBI can't crack terrorist comms, yet terrorists can intercept commercial data. Airline security information, oilrig blueprints, whatever.
Why YOU should care about crypto freedom. (Score:1, Insightful)
The Internet is an open, decentralized network that was not specifically designed with security in mind. Because communications flow through multiple networks, your communications are vulnerable to the prying eyes of hackers, foreign governments, and -- yes -- even rogue law enforcement agents.
Encryption technologies, which scramble communications so that they can only be read by their intended recipients are vitally important to protect privacy, secure commercial transactions, and prevent crime.
So why isn't encryption widely used? Well....
Current US policy prohibits US companies from selling strong encryption products on the world market. US companies find it prohibitively expensive to develop two different versions of the same product, and as a result very few strong, easy to use privacy and security products are available inside the United States.
After more than 4 years of debate, the privacy and security of Internet users remain hostage to cold-war era export control regulations and risky, and efforts to compel domestic "key-recovery" systems designed to FBI specifications. Even more, despite the loud objections of privacy advocates and the computer and communications industry, the Administration remains committed to its failed "Clipper" policies.
While the legitimate needs of law enforcement and concerns over National Security are important factors which must be considered, the Administration's continued efforts to push for the world-wide adoption of "key-recovery" or "key-escrow" systems, which would provide guaranteed law enforcement access to private communications, represent a grave threat to privacy and security on the Internet.
Congress has finally gotten the message and has begun to consider legislation to prevent the government from imposing "key-recovery" or "key-escrow" systems inside the US, affirm the rights of Americans to use whatever form of encryption they choose to protect their privacy, and relax the outdated export controls. Bills are moving through the House and Senate with strong bi-partisan support.
Write your Representatives!
What is a Good Law? (Score:2, Insightful)
No, no, no... (Score:2, Insightful)
Re:Yeah (Score:3, Insightful)
Of course.... (Score:2, Insightful)
That's the point.
Don't you think one of the reasons the government would want weak encryption in foreign (and therefore, possibly adversarial) computers, so it's easier to break into them?
Remember, for the most part, US laws protect US citizens, and are valid only within the confines of the United States. Since we don't really seem to care about how our government gathers information outside our country, it makes sense that the Government would want to make this easy, and one way is through export controls.
Don't like it? You have other options.
And note to Eurotrolls, who might take the chance to cry US-centric, or brute american, or whatever trash you usually spew, don't think for a second your government isn't engaged in every kind of spying it can.
Re:It doesn't matter because: (Score:5, Insightful)
For those who don't know, Blowfish is a very strong cipher that supports up to 448-bit keys.
Just for kicks, I changed 2 lines of the code and made an "exportable" version with 32-bit keys.
Crypto export laws are a complete joke. The US does not have a monopoly on strong encryption; it's not as if we are supplying some scarce resource to the rest of the world. If a 17 year old geek could implement strong encryption on a laptop in his bedroom, I am fairly certain a ring of terrorists could do the same.
On the other hand, these laws do cause a considerable hassle for law-abiding organizations that wish to add security to their products. Therefore I believe that these laws are detrimental and should be repealed immediately.
-John
Re:Yeah (Score:3, Insightful)
Lousy analogy.
Primary purpose of cryptography is to hide information. It's not destructive by nature. It has great benefits to corporations and individuals alike.
A gun's primary purpose is to inflict severe wounds. Most people will not reap the benefits of inflicting severe wounds.
The big issue is not what sane people, whether lawful or unlawful, will do with these items. The big question is what will the insane do.
Cryptography in the hands of the insane is highly unlikely to rob any more mothers of their children. Firearms, on the other hand, may well do so.
Gun control is much like control of any weapon. It's not about those who are sane, but those who go crazy. And last I checked, in the "Me first, I'm an individual" society, you weren't too good at spotting the real crazies.
conspiracy theory! (Score:3, Insightful)
Two journalists are in Afghanistan, one of their laptops is broken, so they decide to buy another one.
So far, so good, I would probably have tried to repair it and ask for replacement, but then, I am not in Afghanistan.
They buy two computers, another laptop and a desktop. What did they buy the desktop for again?
And they buy it from people who are looting buildings? I always thought journalists to have low ethics anyway...
Instead of re-installing the PC, they decide to look at what is on it. Ok, I can understand that, but they must have spent quite some time looking at those files to determine that they were willing to spend five days to crack some of the encrypted files they found.
In other words, two American journalists pick up a PC (they had no reason to buy), and they happen to find Terrorist secret files on it. Sounds too good to be true. I don't buy it, it's a setup.
And now they use that to attest of the validity of the export restriction on encryption.
If the BSA or RIAA is going after me because I have some illegal stuff on my hard disk, I can just claim that I got my PC second hand, and that all this stuff was left there by the terrorists who had the PC first...
Um, duh? (Score:2, Insightful)
And laws against theft don't stop determined shoplifters, and laws against copyright infringement don't stop determined Napster users, et cetera, et cetera. But that's not the point. The point is to make it (a) difficult and (b) punishable if someone does it, in order to keep it to a minimum.
A better argument would be to point out that there are ways to circumvent the law without breaking it -- by simply creating the software/hardware in another country using the same mathematical principles, for instance. But for the love of Pete, people, stop using "laws can always be broken" as an argument against making laws.
It wasn't the 40 bit encryption that was at fault (Score:4, Insightful)
If this guy was informed about cryptography (not necessarily knowledgeable, but informed - sort of like having the equivalent of a financial planner for cryptography) he would've used one of a number of bolt on products to really secure his computer. Some of these products are commercial, others are open source. He may have more difficulty getting (and if he's properly informed - less trust in) the higher grade commercial packages but it'd still be doable. Fly to California, go to Fry's and buy it. If he goes for the source code route it's just about impossible to police. You can get it anywhere in the world where there's an internet connection or a mail system (CD ROM or a package of floppies through the mail).
Saying that 40 bit encryption is an assistance to the CIA/FBI/NSA is only true if you rely on having stupid terrorists, in this case it was obviously true. Suppose they hired the equivalent of a director of IT though, who would come up with approved solutions. Life would become more difficult for the government. Whether the solutions that are proposed are legal or not doesn't matter. You're planning on blowing up aircraft, knocking down buildings and killing people. You won't even bat an eyelash at breaking encryption laws.
What low grade encryption really helps with is gathering data against ordinary citizens such as the guy who was a bit less than honest about his tax return.
Also, despite this low grade encryption the attack wasn't stopped. It's only after everybody's eyes were on this guy that his computer was examined and found to have low grade encryption.
Empirical evidence no match for clever theory? (Score:5, Insightful)
But everyone seems to conveniently ignore the fact that this group DID rely on the export strength encryption that they had available. They DIDN'T use PGP or any one of the myriad of other options for better encryption. Perhaps the premise that a slashdot reader is familiar with other encryption techniques isn't equivalent to the premise that an Al-Qaida member will be familiar with other encryption techniques.
Any reasonable and complete argument against limiting export strength encryption at least needs to address this fact. One could argue that it is an unusual case, that it won't be repeated, that you don't care if non-US folks have default access to better encryption, etc.
But arguing that it will never stop anyone from using better techniques seems silly when presented with this case of a group using exactly the default abilities that they were given in Win2k.
Encryption should be available to everyone (Score:3, Insightful)
If the US could somehow ensure that we were the only ones who provided encryption, this may be an argument on national security bounds. However, we cannot.
If anything, all of this talk about encryption has provided criminals with the knowledge that we can eventually break in. Even if that were not the case, better encryption is available in any of over a hundred countries, many with little concern for US regulations. I believe 128-bit encryption has been freely available for years, provided by companies outside the US.
We need freely available encryption of ever higher levels to stay ahead of our enemies (and some would argue our friends). Consider it only took five days to break the 40-bit encryption. How long would it take someone to brute force his or her way into a financial institution? Banks, trading firms, electronic merchants, etc. are and/or should be constantly upgrading their security and encryption levels.
Encryption should be viewed like a car. A car has very powerful, valuable, perhaps even essential uses. Unfortunately, people can use cars to rob, kidnap, and murder. Still, we allow and even encourage access to cars because the benefits far outweigh the problems that periodically occur.
40 bits is useless (Score:5, Insightful)
Correct. 40-bit keys have no protective value. Remember the article about IBM's crypto chip being broken? (Somebody please provide the link to /. article, I can't at the moment.) In practice, they broke single DES, 56 bits worth of security in a good block cipher. In brute force.
It took at most 2 days with ~1000 $US worth of gear to find the key. Let's assume that they needed the full 48 hours to get that key broken. Simple math follows:
48 hours is 48*3600 seconds. It takes this much time to brute-force a 56-bit key. 40 bits is 1/(2^16) times the size of that, hence the time to break a 40-bit key with similar equipment is 48*3600/(2^16) seconds. This is no more than about 2.6 seconds.
To underline this as clearly as I can: 40-bit keys provide NO security. They may have provided some, at a time - but definitely not for some time now.
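The scaling argument in the comment above, as an added example that is not part of the original thread: a toy cipher with a 16-bit key is searched exhaustively, and the same doubling-per-bit rule reproduces the comment's figure for 40 bits from its 48-hour, 56-bit reference and extends it to longer keys. The toy cipher, the key, the sample plaintext and all function names are assumptions constructed for the demonstration.

```python
import hashlib

# Constructed demo values (not from the thread).
DEMO_KEY_BITS = 16
DEMO_KEY = 0xBEEF
DEMO_PLAINTEXT = b"CONSTRUCTED SAMPLE: quarterly report draft"
KNOWN_PREFIX = DEMO_PLAINTEXT[:8]  # assumption: the file header is predictable


def keystream_xor(key: int, key_bits: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.

    Encryption and decryption are the same operation. The only secret is
    the key, so its length alone decides how long a search takes.
    """
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key in order; return (key, keys_tried) or (None, keys_tried)."""
    head = ciphertext[:len(known_prefix)]
    for candidate in range(1 << key_bits):
        if keystream_xor(candidate, key_bits, head) == known_prefix:
            return candidate, candidate + 1
    return None, 1 << key_bits


def scaled_worst_case_seconds(ref_bits: int, ref_seconds: float, target_bits: int) -> float:
    """Scale a measured full-keyspace search time: each extra bit doubles it."""
    return ref_seconds * 2.0 ** (target_bits - ref_bits)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def demo():
    """Encrypt the sample, recover the key by search, decrypt with it."""
    ciphertext = keystream_xor(DEMO_KEY, DEMO_KEY_BITS, DEMO_PLAINTEXT)
    key, tried = exhaustive_search(ciphertext, KNOWN_PREFIX, DEMO_KEY_BITS)
    if key is None:
        raise RuntimeError("key not found in keyspace")
    return key, tried, keystream_xor(key, DEMO_KEY_BITS, ciphertext)


if __name__ == "__main__":
    key, tried, recovered = demo()
    print(f"16-bit toy key {key:#06x} found after {tried} trials: {recovered!r}")
    # Reference point taken from the comment: 56 bits searched in 48 hours.
    for bits in (40, 56, 64, 80, 128):
        t = scaled_worst_case_seconds(56, 48 * 3600, bits)
        print(f"{bits:>3}-bit key, same equipment: {humanize(t)}")
```

The expected search time is half the worst case shown, since on average the key turns up after half the keyspace has been tried.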
Re:Why YOU should care about crypto freedom. (Score:3, Insightful)
You are absolutely right. I'm surprised that sheer profit motive alone hasn't pushed big software corporations and their pals in Congress to permit and even encourage the export of more sophisticated encryption. Using weak encryption makes about as much sense as guarding your premises with flimsy locks and corrugated fences. I'm just as interested in keeping the government out of my business as I am keeping out competitors.
So what if better code-making leads to better code-breaking? You build better bullet-proof glass, and someone comes up with better bullets. (Likewise missile shield: missiles; mousetrap: mouse, etc.) It's progress. It's full employment for developers, programmers and marketers. I think profit motive will trump "patriotism" on this issue.
Re:Why not? (Score:4, Insightful)
You might have a point if US citizens never traveled on non-US airlines. That simply isn't true. Terrorism is a global problem.
What I see here is an instance where, because of our export restrictions, we WERE able to crack terrorist comms. The old argument of "They won't use handicapped software" doesn't seem to hold as much water as it used to.
It's very easy to fall into the trap of assuming that al-Queda are stupid. I am not committing sedition by saying they are in all likelihood just as smart as the law enforcers hunting them. With no technology, and (relatively) little money, massively outnumbered and outgunned, Osama and his people are still free. No-one knows where he is, and he is able to communicate with his organization at will.
Let me give you an analogy. The minimum wage high-school dropout flipping hamburgers doesn't mean that the global fast-food corporation isn't run by Harvard MBAs. The Shoebomber was a pawn in this, nothing more.
I have some familiarity with cryptography, because of my work, but it's not a life-or-death thing for me. You can bet every terrorist with a computer is googling for "crypto" right now.
The news is the who, not the what. (Score:4, Insightful)
When the NSA can uncover my deepest secrets, that's one thing. When a potential employer can decrypt anything protected with twenty year old technology, I don't worry yet, but talk to me again in my mid-40s. I wonder when some of the early posts to alt.anonymous.* will become decipherable.
Re:Why not? (Score:3, Insightful)
When did he say the data intercepted would be domestic? Terrorists operate worldwide, you know.
What I see here is an instance where, because of our export restrictions, we WERE able to crack terrorist comms. The old argument of "They won't use handicapped software" doesn't seem to hold as much water as it used to.
How do you know it was because of our restrictions, as opposed to simple lack of knowledge of the topic? Because strong encryption is available to anyone who really wants to get it... Especially if you have agents inside the US anyway.
Re:When Strong Crypto Is Outlawed (Score:1, Insightful)
What we have here, is an example of a STOOPID outlaw. One who was too stupid to know that you don't attempt to light your shoes in the cabin (where your seat-neighbour might stop you), but you do go to the toilet for that. After all he doesn't shit in the cabin either, now does he?
Re:Shoe bomber = idiot (Score:5, Insightful)
I fear that that thought process is what got us into this mess in the first place. We have always assumed that these terrorists were unorganized nutcases running around with bombs attached to themselves.
And then on 9/11 we found out how organized and intelligent they could be and how ignorant we were. The truth is that there are some scarily intelligent people in these terrorist organizations who are using religious fervor to control otherwise sane individuals.
"If ignorant both of your enemy and yourself, you are certain to be in peril." - Sun Tzu. The Art of War
Re:It doesn't matter because: (Score:4, Insightful)
I implemented Blowfish back in high school, using readily-available information
The problem with that is that your implementation may be flawed - this accounts for the bulk of the cracked encryption. That's why it's best to use known good encryption.
Interesting question... (Score:3, Insightful)
Despite this public knowledge, Al Quaeda has been using weak (MS-supplied) crypto to protect sensitive information... that could be discovered within days. Therefore:
Just my US$0.02...
Re:Yeah (Score:1, Insightful)
from getting hold of it. Good thing, too. Next
time it could save lots of lives.
But that is not as important as being able to
encrypt your latest treatise on Klingon grammar
to protect it from the prying eyes of rival
Klingon scholars.
Re:Yeah (Score:2, Insightful)
Yeah because prohibiting the export of this will prevent anyone evil from getting hold of it...
I think you've got the problem backwards here... The article describes how the export version which was being used by al'Queda was able to be decrypted, revealing valuable information. This is important, because it gives the regulations that prevent strong encryption from being exported worked. Thus, the people backing those laws now have something concrete to point to and say "hey look, terrorists used encryption, but because it was U.S. export grade encryption, we got them anyways!" One more excuse for politicians to not withdraw the regulation.
Re:Yeah (Score:1, Insightful)
Why not export (Score:1, Insightful)
This is another example of protecting people vs. limiting your rights.
I believe everyone should (be able to) use encryption in day-to-day communication. Why not? Nobody else but the intended recipient has the right to see what we talk about.
It is just like the US government pulling some stuff, that was previously public, back from libraries. Where does my right to privacy end and where does Big brother start?
Everything, including encryption can be used and misused. And just because it can be misused does that mean you should also stop the legitimate use? If I can attack you with a butter knife does that mean butter knives should be illegal?
Didn't think so.
Re:Yeah (Score:3, Insightful)
Closer analogy than you think.
Cryptography's purpose is to hide information. The user who generates and uses that information determines if the hidden information is used for good or evil.
A gun's purpose is to fling a mass accurately in a particular direction with great speed. The user of the gun picks the target, be that target for good or evil.
Either device (crypto or firearm) in the hands of someone bent on evil can be used to further evil. Just as either device can be used by someone to do good.
Re:It doesn't matter because: (Score:2, Insightful)
I'll trust a peer reviewed algorithm long before I trust my own, regardless of any knowledge I have of advanced mathematics.
True (Score:5, Insightful)
What the crypto regulations really do is prevent most people in the USA from adopting it. None of the three-letter agencies want everyone encrypting their E-mail or network traffic by default. That simply wouldn't do -- if everyone did it, how would they know who actually has something to hide? So they make it a pain in the ass for software developers to incorporate it into their software and they make it a pain in the ass for most users (Who don't know to go to international sites where you don't have to fill out a form to download the software) to get it.
The irony is that now they're bitching because the network is so insecure and how a cyber-attack could bring down public utilities and banks and things. Well they're just reaping what they've sown. The network would have tended to cryptographic authentication and tighter security except for the artificial and fundamentally useless restrictions the federal government has put in place.
Re:Yeah (Score:2, Insightful)
As much as I'm against encryption controls, this argument is easily refuted by noting that, in this case, the export controls *did* cause this particular bad guy to use weaker encryption.
Maybe sophisticated terrorists could get around export controls trivially - but most of them probably aren't terribly sophisticated.
Too right! (Score:3, Insightful)
This is dead-on accurate. The line between "terrorist" and "freedom fighter" is pretty damn thin, probably even nonexistent. Mostly, the thing that determines what label applies is which side you are on.
By current standards, the actions of the French Resistance in WWII would be considered "terrorism". However, the partisans of the French Resistance will probably never be referred to as terrorists, because their opponents (the Nazis) are nearly universally recognized as being evil and (more importantly) they were on the winning side.
IMHO what separates the terrorist from a legitimate partisan is that the latter will not intentionally target civilians. The Pentagon was a valid military target by the accepted standards of warfare and international law; the WTC was not. If the 9/11 bombers had taken over the planes on the ground and evacuated the passengers first before making their kamikaze attacks, and if they had restricted themselves to military & government targets, the US would not have the near-universal international support we are currently enjoying for our military efforts in Afghanistan. If you want to be treated as a soldier and not a murderer, you need to play by the accepted rules of warfare. The fact that al-Queda and other terrorist groups fail to understand this basic premise just goes to show how ignorant and delusional they really are.
Why has no-one bashed Microsoft yet? (Score:2, Insightful)
Soon, Bill will claim that this is a reason why the government should strengthen the Windows monopoly (SSSCA anyone?) rather than break it up. After all, if al-Queda had used a non-Microsoft OS, the FBI might have less evidence against Reid.
Re:It doesn't matter because: (Score:2, Insightful)
If I'm not mistaken, quite a number of computers and related materials were found at sites supposedly connected to Al Qaeda. I don't remember any reports about any form of encryption being employed in any of these materials--in fact, it was pointed out in a couple of occasions that the terrorists did not use any encryption in their communications.
Why the prohibition of strong encryption should have been instrumental in their non-use of encryptions escapes me completely. Your comment is not insightful, it's stupid.
If the terrorist attacks tell us anything about the use of encryption by terrorists or mere criminals, it would be that they didn't rely on technology to perpetrate their atrocities, but on plain personal trust and dedication. And it has been noted that the reliance on SIGINT and related fields instead of classic espionage was partly responsible for the agencies being as clueless about this as they apparently were.
excerpts from a recent conversation... (Score:1, Insightful)
[...]
>
> Hey man can they decrypt cypher texts from a decent encryption algorithm
Depending on the algorithm, yes.
> (what does pgp use?)
PGP uses asymmetric encryption, which is also known as public key
encryption. RSA (Rivest, Shamir and Adleman) Labs held the patents,
which expired a year or two ago, for public key cryptography.
The algorithm is based upon the current "fact" that factoring the
product of two prime numbers is *difficult* (notice I didn't say
impossible). In general, you can substitute any one-way (and note
that "one-way" needs to be interpreted as computationally difficult
to go in the other direction) NP-hard or NP-incomplete task.
Primes just happen to be the current mathematically expedient
method.
There's a lot of other stuff wrapped around that algorithm that makes
it usable and there are numerous attacks, most of which center around
discovering or weakening the private keys which must be held in
absolute secrecy.
> that uses like a 4096 bit key yet? Theres some people
> where I work at that seem to think that it can be done. That encryption
> book I bought back in 95 says fat chance (before the sun goes super nova).
You probably were reading "Applied Cryptography", right? This book
is on its third update. You should probably browse the most recent
copy in a bookstore/library (or download it with MyNapster, my favorite
GNUtella client). Schneier has also written a good follow up to his
Applied Cryptography book called "Secrets & Lies: Digital Security
in a Networked World", in which he explains how some of the assertions
he made in "Applied Cryptography" about cryptography solving problems
were completely wrong. It's a completely non-technical book, but
good reading none-the-less.
There's a large gap between theory and practice and all encryption
algorithms fall given enough time. There are several events/trends
that I have noticed that give one reason to pause:
1 - Twinkle optical factoring:
http://www.lns.cornell.edu/spr/1999-05/msg0016243
(remember, this guy is the "S" in RSA)
2 - NA PGP Client Software key specification hack:
http://www.cert.org/advisories/CA-2000-09.html
3 - NSA/FBI trojan/hardware backdoor keystroke loggers
http://slashdot.org/article.pl?sid=01/11/28/17320
http://slashdot.org/articles/02/01/04/1735230.sht
http://www.keyghost.com/
4 - Quantum computing:
http://slashdot.org/article.pl?sid=01/12/20/00622
I have some minor quibbles with some of the mathematical methods
used in public key encryption... namely prime number derivation is
statistical process and you're not necessarily guaranteed to get a
large prime out of the function used to derive them. Also, some of
the hashes used in message signing processes don't necessarily
uniquely identify the data they hash... but hey, I'm a mental midget
compared to the folks that invented the process... I'm simply
not capable of quantifying what the impact would be on the
actual encryption process and how it might affect cryptanalysis.
Twinkle is probably real for a handful of countries and can be built
by even the most modest nation-state NSA equivalents. It's only good
to 512bit keys, but who's to say that some clever mathematician
couldn't extend/parallelize the apparatus a bit. The NSA has a *huge*
research budget; I'm positive that they've taken the concept as far as
it can go... how many bits? Who's to say how far... I'm sure there's
only a handful of people in the world who actually know.
PGP key specification tweaking is real and has been put into commercial
software (actually, if you look at lotus notes, you'll see that IBM
did something vaguely similar to the public key encryption system used
in that software as well). You're probably safe if you're using GPG
or some other open source product that undergoes constant peer review
and code maintenance. Of course, if you're communicating with a far
end that's using some lame unofficially NSA tweaked software, then you
run the risk of them re-transmitting text you encrypt with your strong
key using their weak key... in which case you can expect a certain
amount of leakage, but, in theory, you'll be able to repute that it's
yours (and it's not like that's a legal standard or anything).
The big gotcha' with all encryption is the compromising of keys
(symmetric keys or asymmetric private keys). I see some of the more
recent crypto software is starting to sport "virtual keyboards"
that you point and click at to input your keys... two problems with
that... Van Eck radiation:
http://www.infowar.com/class_2/99/class2_112099a_
and trojans... it's a bit of a cat and mouse game really; however,
all said and done, it's usually *far* easier to steal someone's
keys rather than try to break them using traffic cryptoanalysis.
Besides, if you get good at stealing keys, you never have to reveal
how good you've become at cracking them in the lab... I think
there are some legal issues, as well, involving the prohibition
of using the NSA to "spy" on US citizens (while they're in the US).
The most preterite reference that I've run across with regard to
this issue was the fact that Kevin Mitnick used encryption on
some of the evidence that the government was in possession of. To
my knowledge this encryption was *never* cracked:
http://www.kevinmitnick.com/52098.html
That's not to say that the US government wasn't capable of cracking
his keys... in fact, this points out the savvy of the prosecutors,
intent on doing as much damage as they could, who did not want to
present evidence that was obtained in violation of the NSA's charter,
thus providing a potential legal (potentially constitutional)
challenge to their case.
Anyway, the government has gotten a lot smarter since 199x and now
the material compromise of private keys is standard operating
procedure... personally, I think we've strayed very far from:
The Constitution of the United States of America - Amendment IV
The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures,
shall not be violated, and no warrants shall issue, but upon
probable cause, supported by oath or affirmation, and particularly
describing the place to be searched, and the persons or things to
be seized.
911 changes a lot of things, so we very well might see the NSA and
US government in general being a hell of a lot less coy about what
their capabilities and limitations actually are.
That little rant aside...
Quantum computing. This will change everything... entire sets of
NP-hard problems disappear with the availability of even a single
quantum computer with a significant number of "bits". I won't even
pretend to understand everything there is to know about what might be
possible; however, I know that there are people who are already
writing "code" and developing operating interfaces (even though they
do not have a quantum computer on which to test... very much like
Babbage building the mechanical computer that set the stage for the
introduction of electro-mechanical computers). Factoring products
of primes is one of the problems that quantum computers can
potentially solve in real-time. If the US has a working quantum
computer, then again only a handful of people probably know/get
time on it.
My advice in general?
Use open source, peer reviewed software
consider using a solid-state memory device to store encryption keys:
http://pendrive.com/intro.php
(the Feds can't subvert/seize what they don't have access to;
material subversion of private keys is their current modus
operandi)
change keys often... at least once a month; some exchange methods
change keys as often as once a message or even once a symbol (one
time pads).
use a layered strategy (encrypted file system housing public key
encrypted messages that cover a symmetric key encrypted plain text;
use PGPfone or an out of band method to exchange symmetric keys)
use stenography and nontraditional media (sound/pictures) that
doesn't lend itself to easy analysis.
use virtual systems to encapsulate sessions from a potentially
compromised base platform (things like vmware and connectix's
virtual PC)
use microsoft products selectively, for cypher text transport only
and/or/in general as little as possible.
don't use encryption for anything that would cause a government
(local, state or federal) to take an interest in knowing your
encryption keys. If they're going to black-bag your residence
to install a keystroke logger, what else are they going to find/do?
I think most people fail to understand that final point. One sure
way to attract attention is to act/look suspicious/conspicuous.
If your operation has a final terminus (an end point at which the
opposition can't touch you), there's absolutely zero reason to
stand out by using encryption. If you must operate under constant
scrutiny and fear of punishment... well good luck, you're going to
need it.
> Are they still NOT using a good key length/algorithm in NT?
Microsoft has a crypto API. How well it's implemented god (and the
NSA) only know. One thing to remember... you can have the world's
best crypto, but if the base platform is easily compromised and the
keys exposed, it doesn't make a bit of difference. I don't believe
that Microsoft uses strong encryption/good key lengths in any of
their products' default settings.
[...]
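The message above calls prime number derivation a statistical process. As an added example that is not part of the original message, this is the kind of probabilistic primality test key generators commonly use (Miller-Rabin), with its per-round error bound of at most 1/4; the function names and the constructed test numbers are chosen for illustration.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def fermat_passes(n: int, base: int) -> bool:
    """Fermat test: weak, because Carmichael numbers pass for every coprime base."""
    return pow(base, n - 1, n) == 1


def strong_probable_prime(n: int, base: int) -> bool:
    """One Miller-Rabin round for odd n > 2 with a fixed base.

    Write n - 1 = d * 2^s with d odd. n passes if base^d == 1 or some
    base^(d * 2^r) == -1 (mod n). A composite n passes for at most 1/4
    of all bases.
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(base, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Probabilistic primality test with independently chosen random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        base = 2 + secrets.randbelow(n - 3)   # uniform in [2, n - 2]
        if not strong_probable_prime(n, base):
            return False            # a witness proves n composite
    return True                     # prime, except with probability <= 4^-rounds


def error_bound(rounds: int) -> float:
    """Upper bound on the chance that a composite survives all rounds."""
    return 4.0 ** -rounds


def random_probable_prime(bits: int, rounds: int = 40) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(candidate, rounds):
            return candidate


if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is a Carmichael number: Fermat is fooled, Miller-Rabin is not.
    print("561 Fermat base 2:", fermat_passes(561, 2))
    print("561 strong base 2:", strong_probable_prime(561, 2))
    # 1373653 = 829 * 1657 fools the fixed bases 2 and 3, which is why
    # the bases are drawn at random rather than hard-coded.
    for b in (2, 3, 5):
        print(f"1373653 strong base {b}:", strong_probable_prime(1373653, b))
    print("error bound after 40 rounds:", error_bound(40))
    print("128-bit probable prime:", random_probable_prime(128))
```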
Re:Shoe bomber != idiot (Score:3, Insightful)