cyph3rPunk


The people in this community hope for a world where an individual's informational footprints—everything from an opinion on abortion to the medical record of an actual abortion—can be traced only if the individual involved chooses to reveal them; a world where coherent messages shoot around the globe by network and microwave, but intruders and feds trying to pluck them out of the vapor find only gibberish; a world where the tools of prying are transformed into the instruments of privacy. There is only one way this vision will materialize, and that is by widespread use of cryptography. Is this technologically possible? Definitely. The obstacles are political—some of the most powerful forces in government are devoted to the control of these tools. In short, there is a war going on between those who would liberate crypto and those who would suppress it. The seemingly innocuous bunch strewn around this community represents the vanguard of the pro-crypto forces. Though the battleground seems remote, the stakes are not: The outcome of this struggle may determine the amount of freedom our society will grant us in the 21st century. To the Cypherpunks, freedom is an issue worth some risk.


"Security is mostly a superstition. It does not exist in nature, nor do the children of man as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing." Helen Keller


TETRA vendors caught breaking a basic rule: don't roll your own bespoke cryptographic primitives.

cross-posted from: https://monero.town/post/554820

The two discuss the prominent blockchain privacy paper co-authored by Vitalik Buterin and the future of blockchain privacy vs. surveillance coins. Alan explains why there’s a need to stop putting the state on a pedestal in the privacy debate in order to defend privacy in the future, and the reason the US government doesn’t care as much about money laundering as long as it happens in US banks.

In this talk we will discuss the radio jailbreaking journey that enabled us to perform the first public disclosure and security analysis of the proprietary cryptography used in TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, prisons, emergency services and military operators. Besides governmental applications, TETRA is also widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. For over two decades, the underlying algorithms have remained secret and bound with restrictive NDAs prohibiting public scrutiny of this highly critical technology. As such, TETRA was one of the last bastions of widely deployed secret proprietary cryptography. We will discuss in detail how we managed to obtain the primitives and remain legally at liberty to publish our findings.

Spies used to meet in the park to exchange code words, now things have moved on - Robert Miles explains the principle of Public/Private Key Cryptography

Note 1: Yes, it should have been 'Obi Wan' not 'Obi One' :)

Note 2: The string of 'garbage' text in the two examples should have been different to illustrate more clearly that there are two different systems in use.

Slides - https://authress.io/l/codemotion

Conference: Codemotion Madrid 2023 https://talks.codemotion.com/why-you-...

Can someone recommend a more secure method? I've been told many times that using git for secret management would present a potential vulnerability.

DEF CON Infosec super-band the Cult of the Dead Cow has released Veilid (pronounced vay-lid), an open source project applications can use to connect up clients and transfer information in a peer-to-peer decentralized manner.

The idea here is that apps – mobile, desktop, web, and headless – can find and talk to each other across the internet privately and securely without having to go through centralized and often corporate-owned systems. Veilid provides code for app developers to drop into their software so that their clients can join and communicate in a peer-to-peer community.

In a DEF CON presentation today, Katelyn "medus4" Bowden and Christien "DilDog" Rioux ran through the technical details of the project, which has apparently taken three years to develop.

The system, written primarily in Rust with some Dart and Python, takes aspects of the Tor anonymizing service and the peer-to-peer InterPlanetary File System (IPFS). If an app on one device connects to an app on another via Veilid, it shouldn't be possible for either client to know the other's IP address or location from that connectivity, which is good for privacy, for instance. The app makers can't get that info, either.

Veilid's design is documented here, and its source code is here, available under the Mozilla Public License Version 2.0.

"IPFS was not designed with privacy in mind," Rioux told the DEF CON crowd. "Tor was, but it wasn't built with performance in mind. And when the NSA runs 100 [Tor] exit nodes, it can fail."

Unlike Tor, Veilid doesn't run exit nodes. Each node in the Veilid network is equal, and if the NSA wanted to snoop on Veilid users like it does on Tor users, the Feds would have to monitor the entire network, which hopefully won't be feasible, even for the No Such Agency. Rioux described it as "like Tor and IPFS had sex and produced this thing."

"The possibilities here are endless," added Bowden. "All apps are equal, we're only as strong as the weakest node and every node is equal. We hope everyone will build on it."

Big launch ... medus4, left, and DilDog at DEF CON

Each copy of an app using the core Veilid library acts as a network node; it can communicate with other nodes, and uses a 256-bit public key as an ID number. There are no special nodes, and there's no single point of failure. The project supports Linux, macOS, Windows, Android, iOS, and web apps.

Veilid can talk over UDP and TCP, and connections are authenticated, timestamped, strongly end-to-end encrypted, and digitally signed to prevent eavesdropping, tampering, and impersonation. The cryptography involved has been dubbed VLD0, and uses established algorithms since the project didn't want to risk introducing weaknesses from "rolling its own," Rioux said.

This means XChaCha20-Poly1305 for encryption, Elliptic curve25519 for public-private-key authentication and signing, x25519 for DH key exchange, BLAKE3 for cryptographic hashing, and Argon2 for password hash generation. These could be switched out for stronger mechanisms if necessary in future.

Files written to local storage by Veilid are fully encrypted, and encrypted table store APIs are available for developers. Keys for encrypting device data can be password protected.

"The system means there's no IP address, no tracking, no data collection, and no tracking – that's the biggest way that people are monetizing your internet use," Bowden said.

"Billionaires are trying to monetize those connections, and a lot of people are falling for that. We have to make sure this is available," Bowden continued. The hope is that applications will include Veilid and use it to communicate, so that users can benefit from the network without knowing all the above technical stuff: it should just work for them.

To demonstrate the capabilities of the system, the team built a Veilid-based secure instant-messaging app along the lines of Signal called VeilidChat, using the Flutter framework. Many more apps are needed.

If it takes off in a big way, Veilid could put a big hole in the surveillance capitalism economy. It's been tried before with mixed or poor results, though the Cult has a reputation for getting stuff done right.

Veilid Source

The first matter to address is the question "What is Veilid?" The highest-level description is that Veilid is a peer-to-peer network for easily sharing various kinds of data.

Veilid is designed with a social dimension in mind, so that each user can have their personal content stored on the network, but also can share that content with other people of their choosing, or with the entire world if they want.

The primary purpose of the Veilid network is to provide the infrastructure for a specific kind of shared data: social media in various forms. That includes light-weight content such as Twitter's tweets or Mastodon's toots, medium-weight content like images and songs, and heavy-weight content like videos. Meta-content such as personal feeds, replies, private messages, and so forth are also intended to run atop Veilid.

Kevin Mitnick (RIP) visits Google's NYC office to discuss his book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" with Eran Feigenbaum, Google's Director of Security for Google Apps. This event took place on August 17, 2011, as part of the Authors@Google series.

Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world's biggest companies, and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn't just about technological feats; it was an old-fashioned confidence game that required guile and deception to trick the unwitting out of valuable information.

Driven by a powerful urge to accomplish the impossible, Mitnick bypassed security systems and blazed into major organizations including Motorola, Sun Microsystems, and Pacific Bell. But as the FBI's net began to tighten, Kevin went on the run, engaging in an increasingly sophisticated cat and mouse game that led through false identities, a host of cities, plenty of close shaves, and an ultimate showdown with the Feds, who would stop at nothing to bring him down.

Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape, and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.

Secret texts buried in a picture of your dog? Image Analyst Dr. Mike Pound explains the art of steganography in digital images.

submitted 2 years ago* (last edited 2 years ago) by cyph3rPunk@infosec.pub to c/cypherpunk@infosec.pub
In the early 1990s, a group of mathematicians, misfits, hackers, and hobbyists calling themselves "the cypherpunks" came together around a shared belief that the internet would either demolish society's artificial walls or lay the groundwork for an Orwellian state. They saw cryptography as a weapon against central planning and surveillance in this new virtual world.

The philosophical and technical ideas explored on the cypherpunks' widely read email list, which launched in 1992, influenced the creation of bitcoin, WikiLeaks, Tor, BitTorrent, and the Silk Road. The cypherpunks anticipated the promise and the peril that lay ahead when the internet went mainstream, including new threats to privacy and the possibility of building virtual platforms for communication and trade that would be impervious to government regulators.

In this video I explore an elaborate cryptographic internet puzzle orchestrated by a mysterious individual or group known as Cicada 3301.

Puzzle: The puzzle I hid in this video has been solved.

L0pht Heavy Industries testifying before the United States Senate Committee on Governmental Affairs, Live feed from CSPAN, May 19, 1998. Starring Brian Oblivion, Kingpin (Joe Grand), Tan, Space Rogue, Weld Pond, Mudge, and Stefan von Neumann.

This is the infamous testimony where Mudge stated we could take down the Internet in 30 minutes. Although that's all the media took from it, much more was discussed. See for yourself.

Soft White Underbelly interview and portrait of Gummo, a computer hacker from Jacksonville, Florida.

Here’s a link to a follow-up interview with Gummo: Black Hat Hacker-Gummo (follow up)

Here's a good laugh. A stupid man interviews the "#1 ethical hacker in the world".

Cool projects are rare. Here I found one I want to show to you. An off-grid personal communicator. It includes a lot of new technologies: ESP32, Smartphones, LoRa, BLE, GPS, Mesh, and as you see, 3D printing. And it solves a problem that could be seen as a human right: Personal SMS style communication everywhere in the world, without the need for any infrastructure, and without mass surveillance. In addition, it shows the location of all your friends in your group on a map on your Smartphone. Everything open source, of course. How cool is that? Even "Sexycyborg" Naomi Wu likes it. I am a proud Patreon of GreatScott!, Electroboom, Electronoobs, EEVblog, and others.

Quantum computing will bring tumultuous change to the world of information security in the coming decade. As multi-qubit systems use quantum algorithms to slice through even 4096-bit PK encryption in seconds, new Quantum Encryption will be required to ensure data security. Join Konstantinos for a look at real world experiments in Quantum Key Distribution that BT and partners have recently performed that show what the future of encryption will look like. Remember the panic after Heartbleed when SOME passwords needed to be changed? Imagine a day when ALL communications are at risk of eavesdropping via Quantum Computers - a day when only new systems that exploit the weirdness of quantum mechanics can ensure privacy.

The Ace has returned with yet another Cyber Tech Tool review! Today we look at the Flipper Zero, a portable multi-tool for pentesters and hardware geeks that comes in the form of a tamagotchi. This hardware opens up the world of radio protocols, access control systems, hardware, and more to what was previously a niche security industry. Flipper Zero, on the other hand, is not some magical Watch Dogs-inspired hacking device that will allow you to control traffic lights, security cameras, or ATMs to give you money. It has very limited capabilities and is primarily intended for light pentesting and a gentle introduction to the world of sub-frequencies.

My first impressions of Qubes OS, the reasonably secure operating system

John Perkins describes the methods he used to bribe and threaten the heads of state of countries on four continents in order to create a global empire and he reveals how the leaders who did not “play the game” were assassinated or overthrown. He brings us up to date about the way the economic hit man system has spread from developing countries to the US, Europe, and the rest of the world and offers a strategy for turning this around. “Each of us,” he says, “can participate in this exciting revolution. We can transform a system that is consuming itself into extinction into one that is sustainable and regenerative.”

John's books, including The New Confessions of an Economic Hit Man, have sold over a million copies, spent more than 70 weeks on the New York Times bestseller lists, and are published in more than 30 languages. As Chief Economist at a major consulting firm, his experiences advising the World Bank, UN, IMF, U.S. government, Fortune 500 corporations, and heads of state convinced him to devote his life to facilitating changes in social, political, and economic systems, as well as in general consciousness. He was founder and CEO of a highly successful alternative energy company and is a founder and board member of Dream Change and The Pachamama Alliance, nonprofits dedicated to creating a sustainable, just, peaceful, and thriving world. John's courage in writing his books and speaking out against his former bosses exemplifies the courage shown by our Founding Fathers and Mothers when they stood up to the British Empire. Like them, John defied threats and bribes and took action.

it gets interesting here

The real-world Jason Bourne is Pete Buttigieg.

perhaps we can come up with a way to pipe this to make it more fed friendly.
