david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Bullrun

posted November 2013

Bullrun or BULLRUN is a clandestine, highly classified decryption program run by the United States National Security Agency (NSA). The British signals intelligence agency Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the NSA's BULLRUN Classification Guide, which was published by The Guardian, BULLRUN is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Information about the program's existence was leaked in 2013 by Edward Snowden.

from https://en.wikipedia.org/wiki/Bullrun_%28decryption_program%29" target="_blank">wikipedia.

comment on this story

SecureDrop

posted October 2013

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
from Schneier's blog

You can find http://deaddrop.github.io/" target="_blank">the website here and if you have something important to submit and do not want to go through Wikileaks, I think this is the best alternative.

The security audit was done by Schneier himself, who is pretty popular in the cryptography community, the work was started by Aaron Swartz who is also extremly popular, especially since his suicide last year.

comment on this story

New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks

posted October 2013

I just learned that TrueCrypt, the multi-OS solution to encrypt your personal data in a "very easy way" is coded and maintained by ... no one knows. Like bitcoin, the main creators are anonymous. http://www.truecrypt.org/downloads2" target="_blank">The source code is available here but no info about the coders can be found.

It seems like folks are getting a bit worried as TrueCrypt is wildly used, and money is being raised to conduct a security audit on them. http://arstechnica.com/security/2013/10/new-effort-to-fully-audit-truecrypt-raises-over-16000-in-a-few-short-weeks/" target="_blank">More info here.

Now I'm wondering, why is it that those huge cryptographic applications, that are polished and well maintained, are created by anonymous persons? Do they fear they would get pressure from governments? Mafia? Who knows...

comment on this story

Baidu now accepts bitcoins!

posted October 2013

It's official, http://www.baidu.com" target="_blank">Baidu, the chinese google, now accepts bitcoins.

"As a cutting-edge IT guy and a professional webmaster, what else can showcase our difference? The answer is that we have Bitcoin! Bitcoin, as a new electronic and digital currency, is being accepted internationally. It's also used in daily lives. You can use Bitcoin buy a cup of coffee, or easily convert it to cash. But in China, Bitcoin is still a fairly new thing. Today, we have a good news: from today, we are starting to officially accept Bitcoin as a payment method. You can use Bitcoin to buy all Baidu Jiasule services. Baidu Jiasule as an innovator in the Internet industry, is now the first cloud service provider to accept Bitcoin and give everyone a better payment method and experience."

Read more on https://bitcointalk.org/index.php?topic=310962.0" target="_blank">the bitcointalk about it.

The bitcoin who has been remarkably stable these past weeks, even after the silk road shutdown, has increased a bit more since the announcement.

comment on this story

Silk Road caught, Tor compromised?

posted October 2013

Silk Road and its owner have just http://www.reuters.com/article/2013/10/02/crime-silkroad-raid-idUSL1N0HS12C20131002" target="_blank">got caught by the FBI. If you didn't know, silk road (an illegal drug market) was hosted on the Tor network as an onion website, which was suppose to grant him total anonymity. Apparently the catch was made from a stupid human mistake :

1) Located the first reference to "silk road" on the internet. You can find this yourself on Google: "silk road" site:shroomery.org Date range: Jan 1,2011 - Jan 31,2011 * 2) The same username, "altoid", showed up on a bitcointalk days later. 3) Later in 2011 "altoid" made a post on bitcointalk with his email address, containing his real name, in it: https://bitcointalk.org/index.php?topic=47811.msg568744#msg5... If you search the name on Google it doesn't show up, but if you look at the user's page you can see it in his posts.

But some are skeptical, and many seems to think it could have been http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity" target="_blank">the NSA getting into the Tor Network. What do you think?

comment on this story

RSA-210 has been factored!

posted October 2013

The https://en.wikipedia.org/wiki/RSA_Factoring_Challenge" target="_blank">RSA Factoring Challenge has had one of its entry factored : RSA-210. More info here.

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories on March 18, 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes (numbers with exactly two prime factors) known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100 decimal digit number called RSA-100 was factored by April 1, 1991, but many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time.

The challenge is no longer active, this means no money for this brave Ryan P. And this doesn't mean RSA is less secure so no worries :)

comment on this story

Dread Pirate Roberts response to Atlantis' shutdown

posted September 2013

For someone like me who has some money invested in bitcoins and other cryptocoins (especially litecoin), seeing Atlantis rising (a drug market using litecoin as the main currency) was a very good news. Sadly they had to shutdown months after not doing so much for the https://btc-e.com/exchange/ltc_usd" target="_blank">LTC value.

Here's Silk Road's head statement on the news :

Atlantis was good for Silk Road and the community at large and I am sad to see it go. Yes they were a bit cocky and aggressive, but they never crossed the line and did anything unethical, and they served their customers well. They reminded us in the Silk Road administration that to stay #1, we have to be constantly thinking of our users and how to serve them best and can not take for granted your loyalty. There has been more than one occasion where I have wanted to quit as well. Without going into details, the stress of being DPR is sometimes overwhelming. What keeps me going is the understanding that what we are doing here is more important than my insignificant little life. I believe what we are doing will have rippling effects for generations to come and could be part of a monumental shift in how human beings organize and relate to one another. I have gone through the mental exercise of spending a lifetime in prison and of dying for this cause. I have let the fear pass through me and with clarity commit myself fully to the mission and values outlined in the Silk Road charter. If you haven’t read it yet, please do. Here is the link: “(link omitted)” The bottom line is… Silk Road is here to stay so long as there is breath in my lungs, a spark in my mind, and fire in my heart. I know many of you in this community feel the same way and is an honor to stand beside you here. Lastly, to anyone considering opening another market, you WILL face unexpected challenges one way or another, and if you don’t have the conviction to overcome them then your efforts will likely be in vain. And please open up a dialogue with me if you do open another site. Even competitors can talk from time to time on friendly terms :) Atlantis admins, if you are reading this, I hope you stick around and contribute as you are able.
comment on this story

Encryption is less secure than we thought

posted August 2013

A group of researchers at MIT just http://www.mit.edu/newsoffice/2013/encryption-is-less-secure-than-we-thought-0814.html" target="_blank">released a paper reconsidering a common mathematical assumption in Cryptography. This means, as the title implies, than most encryption systems are less secure than we thought, but not to worry, nowhere is it written the word "insecure" and it might really be negligible.

The problem here seems to be the definition of Entropy used.

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. The Famous Wikipedia
In information theory, entropy is a measure of the uncertainty in a random variable.[1] In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message.[2] Entropy is typically measured in bits, nats, or bans.[3] Shannon entropy is the average unpredictability in a random variable, which is equivalent to its information content. Shannon entropy provides an absolute limit on the best possible lossless encoding or compression of any communication, assuming that[4] the communication may be represented as a sequence of independent and identically distributed random variables. The Famous Wikipedia
comment on this story