Cryptographer: «Blockchain Is PR» - finews

Cryptography news and discussions

Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited to encryption of messages such that only the key-holder can read it. Cryptography lives at an intersection of math and computer science. This subreddit covers the theory and practice of modern and *strong* cryptography, and it is a technical subreddit focused on the algorithms and implementations of cryptography.

New Attack Against Electrum Bitcoin Wallets - Schneier on Security

submitted by nothingberg to TruthLeaks

Reasons to believe Julian Assange is in CIA custody and WikiLeaks under duress.

UPDATE (11/01/2017 - UK Date Format): Julian Assange is alive and still in the Embassy. He confirms WikiLeaks has not been compromised. Julian took questions from the Reddit AmA but answered them via live, current and interactive video. He did this very intentionally, and by so doing, was true to his word. Watch a recording of the live event here:
https://www.youtube.com/watch?v=rC2EjKYMCeg
On the 26th of September 2016 Secretary of State John Kerry (self admitted Skull and Bones member) visited Colombia. WikiLeaks reported that inside sources had confirmed that John Kerry also met with Ecuadorean President Rafael Correa in Ecuador to personally ask Ecuador to stop Assange from publishing documents about Clinton. This was initially fervently denied in the press only later to be confirmed by the Ecuadorian embassy who admitted cutting off Julian’s internet due to pressure from the US. Ecuador wanted to appear impartial.
For over four years, the Ecuadorian embassy has been under surveillance and Julian's human rights have been violated, as he has been unlawfully detained in what a recent UN ruling termed "illegal arbitrary detention". During that time, it has been possible for intelligence agencies to gather critical information and build a detailed profile and plan to circumvent Julian's dead man's switch.
Both John Kerry and US intelligence agencies know perfectly well that cutting off Julian's internet would have no impact on the release of the leaked emails that are damaging to Hillary's campaign. It has been very clear for a long time that many US officials wanted Julian Assange dead; Hillary Clinton has even remarked, "can't we just drone the guy".
The cutting off of Julian's internet access was not for the purpose of preventing the leaks of the Podesta and Hillary emails. Unless intelligence agencies are truly inept, they know that media organisations already have the entire leaked email database and a schedule for release, they also know WikiLeaks staff would continue to leak regardless of Julian's ability to communicate.
Removing Assange would not be enough, they would need to circumvent his dead man's switch and then tarnish WikiLeaks reputation. Removing Assange's internet could have the effect of causing Assange to take steps that can be followed to prevent the automatic triggering of his DMS.
From the day Julian's internet was cut off, a series of peculiar and uncharacteristic events started to take place. The same day that Julian's internet was cut off, CBS reported that Pamela Anderson visited Assange and had "tortured" him with a vegan sandwich. A few days before, on the 14th, John Podesta tweeted "I bet the lobster risotto is better than the food at the Ecuadorian Embassy". Then on October the 16th the SHA-256 pre-release keys were issued on the WikiLeaks Twitter feed. Although these events are odd and seemingly inconsequential, combined with John Kerry being in the UK from the 16th to the 17th they sparked concern among the community for Julian's safety.
Assange supporters started to gather at the embassy to keep Assange safe and witness any foul play. Some of these witnesses have claimed that a very swift armed police raid took place that lasted only 5 minutes while the crowd was kept under control and prevented from approaching; there have also been reports that they were prevented from taking photographs and that their phones were confiscated. A live Periscope feed was also cut off. There have also been some reports of the presence of a mobile jamming van.
If Assange has been seized, any recognition by mainstream media would be detrimental to Hillary's campaign. A covert operation with a media blackout would be the only effective way of seizing him at this time. On October the 18th Fox News said that Julian Assange would be "arrested soon, maybe in a matter of hours". The video was then promptly removed and articles relating to it have disappeared. However, one Reddit user was able to find an alternative source and now the video can be found again on YouTube.
Although Julian's primary DMS (the release of insurance file encryption keys) did not activate, on October the 18th one of Julian's contingencies did activate, a script was activated that made https://file.wikileaks.org/file publicly visible and set all the file date and time stamps to 01/01/1984 (Orwell reference). This file repository contains many documents that had not been released prior.
Staffers Kristinn Hrafnsson and Sarah Harrison have gone silent, while the Ecuadorian embassy is refusing to provide any updates on Assange’s fate. There is a recorded call made to the embassy by a journalist where the receptionist refused to confirm that Julian was at the embassy; she also refused to confirm that Julian was even alive. Julian has not made an appearance at the window of the embassy since being cut off.
WikiLeaks suggested in a tweet that its supporters were responsible for the DDOS attacks on the 21st. Neither Assange nor WikiLeaks would ever insinuate such a thing. WikiLeaks deceptively tweeted a video of Michael Moore that was actually recorded in June. The video was posted on the 24th of October, giving the impression that Michael Moore had been speaking with Assange in the embassy. Why would WikiLeaks do this when they know they are already under suspicion?
WikiLeaks have been using their Twitter account to give the appearance of his safety while providing no concrete evidence of his safety. They issued a poll asking what proof would satisfy the public that Julian was safe. WikiLeaks have yet to follow up on the conclusive result of a video or window appearance.
Julian Assange is known for his attention to detail and his consistently good spelling and grammar. Currently the twitter feed has very poor spelling, there are numerous uncharacteristic spelling errors, for example, an accomplished cryptographer knows how to correctly spell algorithm and so do WikiLeaks staff.
On the 21st of October, there was a massive widespread DDOS attack that disrupted US and EU internet. Also on the 21st of October London City Airport was evacuated. The next day (the 22nd), Gavin MacFadyen is reported dead. WikiLeaks made a further blunder by stating his death as the 23rd.
There have been a number of high-level WikiLeaks deaths recently too. John Jones QC - WikiLeaks U.N. lawyer died on April 16th 2016. Michael Ratner - WikiLeaks chief counsel died on May 11th 2016. Seth Rich - Employee of the Democratic National Committee (DNC) was fatally shot on July 10th 2016 and Gavin MacFadyen - WikiLeaks director died October 22nd 2016.
If WikiLeaks has been compromised, it is already preparing the scene for future discrepancy to seriously tarnish WikiLeaks reputation. Nothing WikiLeaks has shared since the 15th of October 2016 should be trusted until Julian has been fully verified as alive.
My speculative fears are that Julian has been seized and removed from the Embassy. His internet being cut not being related to the release of the emails, but rather as a component of a plan of 4 years in the making to as secretly as possible remove Assange from the embassy, circumvent his DMS and hijack WikiLeaks with the key team members silenced or under duress.
My fears would be confirmed by no future public (mass witnessing and recorded/televised) appearance of Julian Assange discussing recent topics. His death by whatever means after the US presidential election would be extremely suspect. Until proof of life, assume the following compromised:
SHA-256 verification Keys posted after the 15th. WikiLeaks submission process and/or platform. WikiLeaks twitter feed. Any WikiLeaks leaks after the 15th October 2016.
EDIT: (01/11/2016 - 17:18GMT) URL and spelling corrections.
EDIT: Update 16/12/2016
Why demanding proof that WikiLeaks is not compromised is necessary:
https://www.facebook.com/events/309760466089922/ (PoL Event @ Ecuadorian Embassy London 17th December 2016) – If you live in the UK please come and let’s get REAL PoL. Please circulate.
1) Still no PGP (GPG) signed short message from WikiLeaks. 2) RiseUp’s warning canary may be dead (RiseUp is believed to host WL Twitter email account) 3) Julian’s internet hasn’t been restored as promised 4) The pre-commitment file hashes released in October do not match the released insurance files 5) Julian’s Swedish defense lawyer Per Samuelson was denied access during case questioning. No one actually saw Julian through the whole process.
Additional points:
-UK disregard for international law -Capabilities of combined intelligence agencies -WikiLeaks down on October 17th -Mass censorship -WikiLeaks reposting old stuff -See timelines below
Various timelines, some with minor errors: https://www.reddit.com/WikileaksTimeline/wiki/index https://www.reddit.com/WhereIsAssange/comments/5dmr57/timeline_of_events_regarding_julian_assange_and/ https://regated.com/2016/11/julian-assange-missing/
[Still no PGP (GPG) signed short message from WikiLeaks] Watch this https://youtu.be/GSIDS_lvRv4 video for a simple and good explanation of public/private key cryptography. Here https://riseup.net/en/canary is an example of how a legitimate cryptographically capable organisation uses PGP to sign a message and prove authenticity. WikiLeaks has this setup too. Why do they not use it and prove they are not compromised?
WikiLeaks could easily do this. They have their private key. The public has WikiLeaks' public key. Even if Julian isn’t in possession of the key, WL most certainly is; there is no excuse for WL not to prove themselves. This has been heavily requested of WikiLeaks. I’d like to hear from the individuals who claim that their requests were removed (please leave comments). Of all the red flags, not posting a PGP signed message is by far the most damning. If we are to believe that the person in the audio recording at the FCM 2016 is Julian Assange, then what he says about the keys is missing the point. If he himself is not in possession of the key, then WikiLeaks will be. If WikiLeaks use the key to prove themselves, then we know they are not compromised. By extension, we will also be assured that Julian is safe, as an uncompromised WikiLeaks would be in a position to confirm his safety and be believed. This audio file includes everything that he says regarding PGP keys: http://picosong.com/UyVw/ (I am not convinced this is Julian).
[RiseUp’s warning canary may be dead (RiseUp is believed to host WL Twitter email account)] RiseUp is an activist ISP providing secure services to activists. Its mission is to support liberatory social change via fighting social control and mass surveillance through distribution of secure tools (https://en.wikipedia.org/wiki/Riseup). RiseUp use a warrant canary as a means to protect their users in case RiseUp are ever issued with a NSL or gag order etc (https://riseup.net/en/canary). This is renewed quarterly, assuming no warrant has been issued. However, this is now considerably overdue so the assumption is that the canary is dead, and just like the canaries used in coal mines, everyone should get the hell out of there when it dies. https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/. I would be grateful if someone could provide a source for the WikiLeaks twitter email account being hosted by RiseUp.
[Julian’s internet hasn’t been restored as promised] https://twitter.com/wikileaks/status/787889195507417088 https://twitter.com/wikileaks/status/788099178832420865 On the 26th of September 2016 Secretary of State John Kerry visited Colombia. WikiLeaks reported that inside sources had confirmed that John Kerry also met with Ecuadorean President Rafael Correa in Ecuador to personally ask Ecuador to stop Assange from publishing documents about Clinton. This was initially fervently denied in the press only later to be confirmed by the Ecuadorian Embassy who admitted cutting off Julian’s internet due to pressure from the US. Ecuador wanted to appear impartial.
Both John Kerry and US intelligence agencies knew perfectly well that cutting off Julian's internet would have no impact on the release of the leaked emails that were damaging to Hillary's campaign. The cutting off of Julian's internet access was not for the purpose of preventing the leaks of the Podesta and Hillary emails. Unless intelligence agencies are truly inept, they knew that media organisations already have the entire leaked email database and a schedule for release, they also knew WikiLeaks staff would continue to leak regardless of Julian's ability to communicate.
Now it is long after the election and Ecuador have still not restored Julian’s internet. Ecuador have no grounds to continue to restrict Julian’s internet. It does nothing apart from increase tensions and raise suspicion. Ecuador have always been supportive of Julian. However, after John Kerry applied pressure on Ecuador, that whole dynamic changed. Ecuador cut Julian's internet. He then essentially threatened Ecuador, the UK and John Kerry by submitting those pre-commitment file hashes on Twitter. Since then we have only seen hostility towards Julian from all three parties. Ecuador didn't restore his internet and didn't let his lawyer interview him, and no one actually saw him. The UK denied him access to Gavin's funeral and denied him access to medical treatment. The UK also continually disregard the UN. The dynamic now is totally different. He has no political friends. It seems that both the UK and Ecuador are now working against Julian and WikiLeaks. An environment where a collaborated siege would be feasible.
Finally, many have speculated about mobile signals being blocked at the Embassy. I can confirm that there is 4G signal right outside the Embassy door. I was there, with my phone, and tested it. There is no reason to think Julian cannot use a MiFi device (or similar) connected to a cellular network.
[The pre-commitment file hashes released in October do not match the released insurance files] Here are the October tweets with the file hashes:
https://twitter.com/wikileaks/status/787777344740163584 https://twitter.com/wikileaks/status/787781046519693316 https://twitter.com/wikileaks/status/787781519951720449
These 3 pre-commitment Twitter posts are SHA-256 file hashes. SHA-256 file hashes are 64 characters long. They are not encryption keys for insurance files. They simply are a mathematical formula for verifying that later released files are genuine and have not been altered.
These hashes were released because Julian felt threatened and in increased danger. They specifically targeted the UK FCO, Ecuador and John Kerry. All of whom are key players in his current predicament. On November 7th, WikiLeaks released 3 new insurance files. These files names match the names given in the pre-commitment hash tweets:
2016-11-07_WL-Insurance_EC.aes256 2016-11-07_WL-Insurance_UK.aes256 2016-11-07_WL-Insurance_US.aes256
EC = Ecuador, UK = UK FCO, US = John Kerry. Soon after these files were released, the 3 files hashes were compared to the 3 hashes posted on the 16th of October. They did not match. When this was brought to WikiLeaks attention, WikiLeaks released the following statement in a tweet: https://twitter.com/wikileaks/status/798997378552299521
“NOTE: When we release pre-commitment hashes they are for decrypted files (obviously). Mr. Assange appreciates the concern.”
This firstly proved that the hashes and the insurance files were related (a fact that was already clear). Secondly, it was a lie, as it implied historical use of pre-commitment hashes in this manner. Thirdly, the (obviously) comment was also a deception and an insult to supporters. It was not obvious to anyone, not even to our crypto guys in /cryptography/, on the contrary, they thought it highly suspicious. Additionally, what they suggest would be absolutely pointless. Pointless as a threat, as the UK, Ecuador and John Kerry would have no practical way of identifying the documents to confirm the threat. There's absolutely no scenario where an uncompromised WikiLeaks would either post bad file hashes or altered insurance files.
[Julian’s Swedish defense lawyer Per Samuelson was denied access during case questioning] This is highly unusual and very suspicious. Also, Jennifer Robinson was not in the room with Assange. https://www.youtube.com/watch?v=MYR0Pw9LfUQ&feature=youtu.be&t=9m55s and neither was the chief prosecutor http://www.bbc.co.uk/news/world-europe-37972528 “Swedish chief prosecutor Ingrid Isgren will not speak to Mr Assange directly”.
[UK disregard for international law] The UK threat is very real. Back in August 2012 the UK was poised to break international law citing the Diplomatic and Consular Premises Act of 1987 as a basis for entering the Embassy and arresting Assange (http://www.bbc.co.uk/news/world-19259623). It all became very public, very quickly and fortunately never happened (http://www.telegraph.co.uk/news/worldnews/southamerica/ecuado9488996/Ecuadors-president-raiding-embassy-to-snatch-Julian-Assange-suicidal.html). I expressed my concern at the time that the UK shouldn’t have even been contemplating such action, let alone threatening it in writing to Ecuador. More recently, the UK disregarded the UN ruling that Julian Assange was being arbitrarily detained (https://www.theguardian.com/media/2016/feb/04/julian-assange-wikileaks-arrest-friday-un-investigation). The UK appealed, and then finally lost their appeal in November (https://www.rt.com/news/368746-un-ruling-free-assange/). Julian has also been refused to leave the Embassy with a police escort for medical treatment as well as denied to attend Gavin MacFadyen’s funeral. The UK’s behaviour is appalling and clearly has no respect for international law. The reported raid on the Embassy during the latter part of October seems more plausible when taken in the context of past behavior.
This is the Britain I now live in: http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-act-snoopers-charter-browsing-history-what-does-it-mean-a7436251.html. I never used to be ashamed to be British.
[Combined capabilities of intelligence agencies] We know much about the combined powers of the intelligence agencies. We know what they are capable of, thanks to the leaks of Edward Snowden. The combined powers of the NSA, CIA and the UK’s GCHQ are capable of pulling off such a massive takeover of Wikileaks. We know the NSA works with other US intelligence agencies, we know that the NSA works with GCHQ.
We know about Tempora, we know about JTRIG, we know about PRISM, we know about HAVOK. We know that websites can be altered on the fly, we know that real-time voice profiling is trivial for these agencies. We know that censorship is happening.
https://usnewsghost.wordpress.com/2014/07/15/new-july-14-edward-snowden-nsa-leaks-gchq-attacks-and-censors-internet-nsa-leaks-recent/ http://www.independent.co.uk/life-style/gadgets-and-tech/gchqs-favourite-memes-and-sexual-slang-reveals-a-shared-culture-with-trolls-and-hackers-9608065.html https://en.wikipedia.org/wiki/Tempora https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
The NSA has a remit to be 10 years ahead of the curve. We have commercial products that can be purchased off the shelf today that can easily manipulate audio and video. Just imagine what the NSA and the military are capable of.
Real time facial manipulation: https://www.youtube.com/watch?v=ohmajJTcpNk Signs of editing: https://www.youtube.com/watch?v=2O9t_TEE1aw. Both Julian Assange and John Pilger are not filmed together at any time during the interview. There is also no establishing shot. It is also claimed that Assange’s audio is spliced and edited. No recent events mentioned by Assange, only Pilger. Unfortunately, this interview is not sufficient proof of life.
What the NSA can’t do, is that they cannot break PGP encryption. This has been expressed by Glenn Greenwald who was one of the journalists that Edward Snowden leaked to. He commented that he knows how secure PGP is because the NSA keep moaning about not being able to crack it in their documents he is reading. This is another reason why a signed PGP message can be the only true proof that WL isn’t compromised. Mathematics cannot lie, people can and do. A compromised WL can’t sign a message without the private key. Edward Snowden revealed that in 2013 the NSA were capable of 3 trillion password attempts per second. As it is now almost 2017, that number will likely be multiple times higher (anywhere between 9 to 15 trillion attempts per second would be my guess based on Moore’s law).
https://en.wikipedia.org/wiki/Joint_Threat_Research_Intelligence_Group https://en.wikipedia.org/wiki/Tempora https://en.wikipedia.org/wiki/PRISM_(surveillance_program) https://www.schneier.com/gchq-catalog/ https://en.wikipedia.org/wiki/Government_Communications_Headquarters
[WikiLeaks down on October 17th] The alleged raid on the Embassy supposedly took place on the 17th just after 1am GMT. On Monday the 17th of October 2016 WikiLeaks website was reported down (http://www.isitdownrightnow.com/wikileaks.org.html expand the comments) https://postimg.org/image/6t68fe4kj/. The internet was alive with reports of mass censorship around this time. This all coincides with when the alleged WikiLeaks takeover occurred. It also coincides with John Kerry being in the UK.
[Christine Assange audio only radio interview] Julian's family had their identities changed quite a few years ago after receiving death threats. It is odd that his mother has now revealed herself to a news agency. If you do a YouTube search for Christine Assange (her original name), you'll find all the videos are older than 3 years. She's in hiding, not openly talking on radio shows (https://en.wikipedia.org/wiki/Julian_Assange scroll down to the personal life section).
[WikiLeaks bitcoin account was emptied on the 18th of November] Interestingly it was after the bitcoin account was emptied that the encoded message in the blockchain was left. Why would WikiLeaks go to all that trouble when they could just sign a message with their PGP key? Is it because bitcoin accounts can be cracked and the PGP keys can’t?
[Mass censorship] Facebook is censoring this event (https://www.facebook.com/events/309760466089922/). It has been advertised for weeks now and only a handful of people are attending. Recently WikiLeaks was live on FB. 50% of the viewers (roughly 2.5k) were commenting #PoL, #Whereisassange, RIP etc. The live event was only a prerecorded video being played in a loop. Once it concluded, the whole live event along with all the comments, including the comments asking for PoL and a PGP signed message, were deleted. It was as if it never took place. When Julian’s DMS had supposedly been activated, I saw posts in threads being deleted within minutes. Supposedly with encryption keys, but it all happened too fast for anyone to collate. I took PDF printouts of the pages and then later noticed that posts and entire links were taken down. I have PDFs of pages that now no longer exist. I've been following this since mid-October and seen the censorship first hand. I know many people here on Reddit witnessed the same (please comment with your experiences).
[WikiLeaks reposting old stuff] There are many examples of this already mentioned in the timelines. One for example is the Palantir Technologies report. Palantir Technologies prepared a report on how to destroy WikiLeaks that was leaked in 2011. The proposal was submitted to Bank of America through its outside law firm, Hunton & Williams. Palantir later apologised for their involvement. But WikiLeaks has recently regurgitated it as if it was new. There are many examples of this. I have watched as WikiLeaks have increasingly destroyed their credibility.
submitted by neonnexus to conspiracy
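As an added illustration of the pre-commitment mechanism the post above argues about (example code, not the post author's and not WikiLeaks' own tooling): a SHA-256 pre-commitment is a 64-hex-character digest of a file, not a key, and a commitment made over the decrypted file can only be checked by someone who already holds the decryption key. The stream cipher below is a toy built from SHA-256 in counter mode, standing in for AES-256 purely so the effect can be shown offline; the sample document is constructed.

```python
import hashlib
import hmac
import secrets

HEX_SHA256_LEN = 64  # a SHA-256 digest is 32 bytes, printed as 64 hex characters


def precommit(plaintext: bytes) -> str:
    """Publish this first: it binds the publisher to `plaintext` without revealing it."""
    return hashlib.sha256(plaintext).hexdigest()


def looks_like_sha256(commitment: str) -> bool:
    """Sanity check for a tweeted value: 64 hex characters, nothing more."""
    if len(commitment) != HEX_SHA256_LEN:
        return False
    try:
        int(commitment, 16)
        return True
    except ValueError:
        return False


def verify_precommitment(commitment: str, revealed: bytes) -> bool:
    """True only if `revealed` is byte-for-byte the data that was committed to."""
    if not looks_like_sha256(commitment):
        return False
    actual = hashlib.sha256(revealed).hexdigest()
    return hmac.compare_digest(commitment.lower(), actual)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. Toy stand-in for AES-256, NOT a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo():
    # Constructed sample standing in for the contents of an insurance file.
    document = b"constructed sample document; not a real leak\n" * 100
    key = secrets.token_bytes(32)

    commitment = precommit(document)          # step 1: publish the hash of the plaintext
    encrypted = toy_encrypt(key, document)    # step 2: distribute only the ciphertext

    # Hashing the ciphertext never reproduces a commitment made over the plaintext ...
    ciphertext_matches = verify_precommitment(commitment, encrypted)
    # ... so only a party holding the key can confirm the commitment ...
    plaintext_matches = verify_precommitment(commitment, toy_decrypt(key, encrypted))
    # ... and a single flipped byte in the revealed plaintext is detected.
    tampered = bytearray(document)
    tampered[0] ^= 0x01
    tampered_matches = verify_precommitment(commitment, bytes(tampered))
    return commitment, ciphertext_matches, plaintext_matches, tampered_matches
```

The `hmac.compare_digest` call is there out of habit rather than necessity: the commitment is public, so a timing leak reveals nothing, but comparing digests with a constant-time function costs nothing and avoids the question.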

Part 6. (Last part) I'm writing a series about blockchain tech and possible future security risks. Failing shortcuts in an attempt to accomplish Quantum Resistance

The previous parts will give you useful basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.
Part 1, what makes blockchain reliable?
Part 2, The mathematical concepts Hashing and Public key cryptography.
Part 3, Quantum resistant blockchain vs Quantum computing.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, B
Part 5, Why BTC is vulnerable for quantum attacks sooner than you would think.

Failing shortcuts in an attempt to accomplish Quantum Resistance
Content:
Hashing public keys
“Instant” transactions
FIFO
Standardized fees
Multicast
Timestamped transactions
Change my mind: If a project doesn't use a Quantum Resistant signature scheme, it is not 100% Quantum Resistant.
Here are some of the claims regarding Quantum Resistance without the use of a quantum resistant signature scheme that I have come across so far. For every claim, I give arguments to substantiate why these claims are incorrect.
“We only have public keys in hashed form published. Even quantum computers can't reverse the Hash, so no one can use those public keys to derive the private key. That's why we are quantum resistant.” This is incorrect.
This example has been explained in the previous article. To summarize: hashed public keys can be used as an address for deposits. Deposits do not need signature authentication. Withdrawals, however, do need signature authentication. To authenticate a signature, the public key will always need to be made public in full, original form. As a necessary requirement, the full public key would be needed to spend coins. Therefore the public key will be included in the transaction.
The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period between the moment a user sends a transaction from his or her device to the blockchain and the moment the transaction is confirmed. For example: during Bitcoin's 10-minute block time, the full public keys can be obtained to find private keys and forge transactions (page 8, point 3). Hashing public keys does have advantages: they are smaller than the original public keys, so it does save space on the blockchain. It doesn't give you Quantum Resistance, however. That is a misconception.
“Besides having only hashed public keys on the blockchain, we also have instant transactions. So there is no time to hijack a transaction and to obtain the public key fast enough to forge a transaction. That's why we are quantum resistant.” This is incorrect and impossible.
There is no such thing as instant transactions. A zero second blocktime, for example, is a claim that can’t be made. Period. Furthermore, transactions are collected in pools before they are added to a block that is going to be processed. The time it takes for miners to add them to a new block before processing that block depends on the number of transactions a blockchain needs to process at a certain moment. When a blockchain operates within its maximum capacity (the maximum number of transactions that a blockchain can process per second), the adding of transactions from the pool will go quite swiftly, but still not instantaneously.
However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers.
Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These are attacks where the attacker targets the network instead of the sender of the transaction. Performing a DDoS attack, a BGP routing attack or an NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way.
For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/
For BTC: https://eprint.iacr.org/2015/263.pdf
An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain.
That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do.
This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.
“Besides only using hashed public keys as addresses, we use the First In First Out (FIFO) mechanism. This solves the forged transaction issue, as they will not be confirmed before the original transactions. That's why we are quantum resistant.” This is incorrect.
There is another period where the public key is openly available: the moment where a transaction is sent from the user's device to the nodes on the blockchain network. The sent transaction can be delayed or totally blocked from arriving at the blockchain network. While this happens the attacker can obtain the public key. This is a man-in-the-middle (MITM) attack. A MITM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. No transaction is 100% safe from a MITM attack. This type of attack isn’t commonly known amongst average user groups due to the fact that communication is done either encrypted or by the use of public-private key cryptography. Therefore, at this point in time MITM attacks are not an issue, because the information in transactions is useless for hackers. To emphasize the point made: a MITM attack can be done at this point in time on your transactions. But the information obtained by a hacker is useless because he cannot break the cryptography. The encryption and public-private key cryptography are safe at this point in time. ECDSA and RSA cannot be broken yet. But in the era of quantum computers the problem is clear: an attacker can obtain the public key and create enough time to forge a transaction which will be sent to the blockchain and arrive there first, without the network having any way of knowing the transaction is forged. By doing this before the transaction reaches the blockchain, FIFO will be useless. The original transaction will be delayed or blocked from reaching the blockchain. The forged transaction will be admitted to the network first. And First In First Out will actually help the forged transaction to be confirmed before the original.
“Besides having only hashed public keys, we use small standardized fees. Forged transactions will not be able to use higher fees to get prioritized and confirmed before the original transactions, thus when the forged transaction will try to confirm the address is already empty. This is why we are quantum resistant.” This is incorrect.
The same arguments apply as with the FIFO system. The attack can be done before the original transaction reaches the network. Thus the forged transaction will still be handled first no matter the fee height.
“Besides the above, we use multicast so all nodes receive the transaction at the same time. That's why we are quantum resistant.” This is incorrect.
Multicast is useless against a MITM attack when the attacker is close enough to the source.
“Besides the above, we number all our transactions and authenticate nodes so the user always knows who he's talking to. That's why we are quantum resistant.” This is incorrect.
Besides the fact that you’re working towards a centralized system if only verified people can become nodes, and besides the fact that verified nodes can also go bad and work with hackers (which would be useless if quantum resistant signature schemes were implemented, because a node or a hacker would have no use for quantum resistant public keys and signatures), there are various ways of impersonating either side of a communication channel: IP-spoofing, ARP-spoofing, DNS-spoofing etc. All a hacker needs is time and position. Time can be created in several ways as explained above. All the information in the transaction an original user sends is valid. When a transaction is hijacked and the communication between the user and the rest of the network is blocked, a hacker can copy that information to his own transaction while using a forged signature. The only real effective defense against MITM attacks can be done on the router or server side by strong encryption between the client and the server (which in this case would be quantum resistant encryption, but then again you could just as well use a quantum resistant signature scheme), or you use server authentication, but then you would need that to be quantum resistant too. There is no serious protection against MITM attacks when the encryption of the data and the authentication of a server can be broken by quantum computers.
Only quantum resistant signature schemes will secure blockchain to quantum hacks. Every blockchain will need their users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while being communicated and to stretch the period where these keys can be used to forge transactions. Once you have them, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin.
Conclusion
There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible.
Addition
And then there is quite often this strategy of postponing quantum resistant signature schemes:
“Instead of ECDSA with 256 bit keys we will just use 384 bit keys. And after that 521 bit keys, and then RSA 4096 keys, so we will ride it out for a while. No worries we don’t need to think about quantum resistant signature schemes for a long time.” This is highly inefficient, and creates more problems than it solves.
Besides the fact that this doesn’t make a project quantum resistant, it is nothing but postponing the switch to quantum resistant signatures; it is not a solution. Going from 256 bit keys to 384 bit keys would mean a quantum computer with ~ 3484 qubits instead of ~ 2330 qubits could break the signature scheme. That is not even double and postpones the problem either half a year or one year, depending on which estimate you take (doubling of qubits every year, or every two years). It does however have the same problems as a real solution and is just as much work (changing the code, upgrading the blockchain, finding consensus amongst the nodes, upgrading all supporting systems, hoping the exchanges all go along with the new upgrade and migrate their coins, having all users migrate their coins). And then quite soon after that, they'll have to go at it again. What will they do next? Go for 512 bit curves? Same issues. It's just patchwork and just as much hassle, but then over and over again for every “upgrade” from 384 to 521 etc.
And with every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes, and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. Meanwhile the quantum resistant blockchains are just steadily going along and their users aren’t bothered with all the hassle. At the same time the users of the blockchain that is constantly upgrading to a bigger key size keep on needing to migrate their coins to the new and upgraded addresses to stay safe.
submitted by QRCollector to CryptoTechnology
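The post's conclusion is that only a signature scheme whose public key can be published without risk closes the gap that hashed addresses, FIFO ordering and fixed fees leave open. What follows is an added example, not code from the post or from any project it discusses: a minimal Lamport one-time signature in Python, the simplest hash-based scheme of the family usually meant by "quantum resistant signatures" (the post names no specific scheme; Lamport is chosen here purely for illustration). Its security rests on the preimage resistance of SHA-256 rather than on the discrete logarithm problem, so a public key captured in flight gives a forger nothing to work with. The `address()` and `demo()` helpers are constructed for this example.

```python
"""Lamport one-time signature over SHA-256.

Added example (not from the post). Private key: 256 pairs of random
32-byte preimages. Public key: the SHA-256 hash of each preimage.
Signing reveals one preimage per bit of H(message); verifying re-hashes
the revealed values and compares them with the public key.
"""
import hashlib
import secrets

N = 256  # bits in the SHA-256 message digest; one preimage pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Return (private_key, public_key). The private key must sign ONCE only."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message: bytes):
    """For each digest bit, reveal the preimage selected by that bit."""
    digest = _h(message)
    return [sk[i][_bit(digest, i)] for i in range(N)]


def verify(pk, message: bytes, sig) -> bool:
    """Accept only if every revealed value hashes to the published half."""
    if len(sig) != N:
        return False
    digest = _h(message)
    return all(_h(sig[i]) == pk[i][_bit(digest, i)] for i in range(N))


def address(pk) -> bytes:
    """Hashed public key, the address form the post describes (constructed)."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest().encode()


def demo():
    """Model the post's scenario: the attacker has the public key (we hand it
    over directly, as if it were observed in flight) and one signed transaction,
    and tries to redirect the payment while reusing that signature."""
    sk, pk = keygen()
    original = b"from=" + address(pk) + b" to=addr_merchant amount=1"
    sig = sign(sk, original)                       # the legitimate spend
    forged = b"from=" + address(pk) + b" to=addr_attacker amount=1"
    return {
        "original_valid": verify(pk, original, sig),
        "forged_valid": verify(pk, forged, sig),   # False: digest bits differ
        "signature_bytes": sum(len(s) for s in sig),  # 256 * 32 = 8192
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. A Lamport key is strictly one-time: signing two different messages with it reveals preimages for both halves of many pairs, which is exactly why address reuse matters even more with hash-based schemes; deployed schemes such as XMSS and SPHINCS+ descend from this construction and manage that limitation. And the signature is 8192 bytes against 64 bytes for an ECDSA signature, which is the size growth the post's Addition alludes to when it says larger curves move "closer to the quantum resistant signature sizes".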

A Look at DCG & Bitfury's Incestuous Ties With the U.S. Government

Peter Todd Tweet in 2014: https://archive.is/vKZ9C
[email protected] I gotta say, looks really bad legally how Austin Hill's been negotiating deals w/ pools/etc. to get control of hashing power.
Board of Digital Currency Group
Glenn Hutchins
Advisory Board
Larry Summers
DCG of course is an investor in both Blockstream and BTCC.
DCG's money comes from:
DCG also owns Coindesk.
BTCC and Bitfury are the only two large mining pools who are outspoken in their support of Bitcoin Core.
The Bitfury Group Leadership to Present at Clinton Global Initiative (https://archive.is/MWKee)
Full Video (Begins at 32:00)
“The Bitfury Group is proud to be the world’s leading full service Blockchain technology company, we are deeply honored to represent this innovation to an audience of extremely dedicated game-changers, and we look forward to highlighting our company’s groundbreaking ‘Blockchain for global good’ work at such an important event, said Smith. “From the White House to the Blockchain, I know this technology has the power to deliver inclusion and opportunity to millions, if not billions, of people around the world and I am so grateful to work for a company focused on such a principled vision.”
Bitfury Lightning Implementation
  • In partnership with a French firm called ACINQ (http://acinq.co)
  • ACINQ is a subsidiary of the larger ACINQ Financial Services
  • CoinTelegraph: Bitfury Lightning Network Successfully Tested With French Bitcoin Company
  • TEAM: https://archive.is/Q5CNU
  • ACINQ’s US Headquarters is in Vienna, Virginia, a small town of only 16,000. Why would a global financial firm choose to locate here?
    -- Feeder community into Washington, D.C. Has an orange line metro stop.
    -- Located in Fairfax County, VA.
    -- The US Federal Government is the #2 largest employer.
    -- Booz Allen Hamilton (NSA front company) is the #6 largest employer.
    -- In fact, most of the top employers in Fairfax County are either US Federal Gov’t or companies that provide services to the Federal Government.
    -- The county is home to the headquarters of intelligence agencies such as the Central Intelligence Agency, National Geospatial-Intelligence Agency, and National Reconnaissance Office, as well as the National Counterterrorism Center and Office of the Director of National Intelligence.
Chairman: Avinash Vashistha
CEO: Chaman Baid
CSO: Nandan Setlur
  • https://www.linkedin.com/in/nandansetlur https://archive.is/wp3L0
  • From 1986-1993 he worked for Information Management Consultants (imc) Ltd as a Technical Consultant with various federal government agencies. McLean, Virginia
  • 1993-2000 Technical Consultant for Freddie Mac, in McLean Virginia
  • From 2000-2007, President of InterPro Global in Maryland
  • From 2011-2012, Director of VibbleTV in Columbia, Maryland
  • From 2008-Present has been Executive Director at ACINQ and Managing Partner at Vine Management, both in Vienna, Virginia.
BitFury Enhances Its Advisory Board by Adding Former CFTC Chairman Dr. James Newsome and Renowned Global Thought Leader and President of the Institute for Liberty and Democracy Hernando de Soto (Businesswire)
Bitfury Board of Directors
Robert R Dykes
The other board members include two Bitfury founders, and an investor.
Bitfury Advisory Board
James Newsome
  • Ex-chairman of CFTC
  • Dr. Newsome was nominated by President Clinton and confirmed by the Senate to be at first a Commissioner and later a Chairman of CFTC. As Chairman, Newsome guided the regulation of the nation’s futures markets. Additionally, Newsome led the CFTC’s regulatory implementation of the Commodity Futures Modernization Act of 2000 (CFMA). He also served as one of four members of the President’s Working Group for Financial Markets, along with the Secretary of the Treasury and the Chairmen of the Federal Reserve and the SEC. In 2004, Newsome assumed the role of President and Chief Executive Officer of the New York Mercantile Exchange (NYMEX) where he managed daily operations of the largest physical derivatives exchange in the world. Dr. Newsome is presently a founding partner of Delta Strategy Group, a full-service government affairs firm based in Washington, DC.
Hernando de Soto
  • Hernando de Soto heads the Institute for Liberty and Democracy, named by The Economist one of the two most important think tanks in the world. In the last 30 years, he and his colleagues at the ILD have been involved in designing and implementing legal reform programs to empower the poor in Africa, Asia, Latin America, the Middle East, and former Soviet nations by granting them access to the same property and business rights that the majority of people in developed countries have through the institutions and tools needed to exercise those rights and freedoms. Mr. de Soto also co-chaired with former US Secretary of State Madeleine Albright the Commission on Legal Empowerment of the Poor, and currently serves as honorary co-chair on various boards and organizations, including the World Justice Project. He is the author of “The Other Path: the Economic Answer to Terrorism”, and his seminal work “The Mystery of Capital: Why Capitalism Triumphs in the West and Fails Everywhere Else.”
  • Frequent attendee at Davos World Economic Forum
  • Frequent Speaker @ Clinton Global Initiative http://www.dailymotion.com/video/x2ytfrs https://archive.is/MWKee
  • Criticisms:
    -- In his 'Planet of Slums' Mike Davis argues that de Soto, who Davis calls 'the global guru of neo-liberal populism', is essentially promoting what the statist left in South America and India has always promoted—individual land titling. Davis argues that titling is the incorporation into the formal economy of cities, which benefits more wealthy squatters but is disastrous for poorer squatters, and especially tenants who simply cannot afford incorporation into the fully commodified formal economy.
    -- An article by Madeleine Bunting for The Guardian (UK) claimed that de Soto's suggestions would in some circumstances cause more harm than benefit, and referred to The Mystery of Capital as "an elaborate smokescreen" used to obscure the issue of the power of the globalized elite. She cited de Soto's employment history as evidence of his bias in favor of the powerful. https://www.theguardian.com/business/2000/sep/11/imf.comment http://www.slate.com/articles/news_and_politics/hey_wait_a_minute/2005/01/the_de_soto_delusion.html
Tomicah Tillemann
  • https://en.wikipedia.org/wiki/Tomicah_Tillemann
  • Dr. Tomicah Tillemann is Director of the Bretton Woods II initiative. The initiative brings together a variety of long-term investors, with the goal of committing 1% of their assets to social impact investment and using investments as leverage to encourage global good governance. Tillemann served at the U.S. State Department in 2010 as the Senior Advisor on Civil Society and Emerging Democracies to Secretary Hillary Clinton and Secretary John Kerry. Tillemann came to the State Department as a speechwriter to Secretary Clinton in March 2009. Earlier, he worked for the Senate Foreign Relations Committee, where he was the principal policy advisor on Europe and Eurasia to Committee Chairmen, Senators Joe Biden and John Kerry. He also facilitated the work of the Senate's Subcommittee on European Affairs, then chaired by Senator Barack Obama. Tillemann received his B.A. magna cum laude from Yale University. He holds a Ph.D. with distinction from the School for Advanced International Studies at Johns Hopkins University (SAIS) where he also served as a graduate level instructor in American foreign policy. http://live.worldbank.org/node/8468 https://archive.is/raDHA
  • Secretary Clinton appointed Tomicah Tillemann, Ph.D. as the State Department’s Senior Advisor for Civil Society and Emerging Democracies in October 2010. He continues his service under Secretary Kerry.
  • Mr. Tillemann and his team operate like venture capitalists, identifying ideas that can strengthen new democracies and civil society, and then bring together the talent, technology and resources needed to translate promising concepts into successful diplomacy. He and his team have developed over 20 major initiatives on behalf of the President and Secretary of State.
  • Mr. Tillemann came to the State Department as a speechwriter to Secretary Clinton in March 2009 and collaborated with her on over 200 speeches. Earlier, he worked for the Senate Foreign Relations Committee, where he was the principal policy advisor on Europe and Eurasia to Committee Chairmen, Senators Joe Biden and John Kerry. He also facilitated the work of the Senate's Subcommittee on European Affairs, then chaired by Senator Barack Obama. Mr. Tillemann’s other professional experience includes work with the White House Office of Media Affairs and five U.S. Senate and Congressional campaigns. He was a reporter with Reuters New Media and hosted a commercial radio program in Denver, Colorado. http://m.state.gov/md160354.htm https://www.newamerica.org/our-people/tomicah-tillemann/ https://archive.is/u2yF0
  • Director of the “Bretton Woods II” initiative at the New America Foundation. Bretton Woods was an international summit that led to the creation of the IMF and the IBRD, one of five members of The World Bank.
Jamie Smith
Jason Weinstein
Paul Brody (no longer appears on site, and his LinkedIn has no mention of Bitfury, but he is mentioned in a Press Release)
  • https://www.linkedin.com/in/pbrody
  • Ernst & Young since 2015 as “Americas Strategy Leader”, “Global Innovation Leader”, and “Solution Leader”
  • Prior to E&Y, he was an executive at IBM since 2002
New America Foundation
Muskoka Group
[note: this is worthy of much more research]
  • https://www.bloomberg.com/news/articles/2016-08-29/blockchain-s-backers-embark-on-campaign-to-improve-its-image
  • Don Tapscott, co-author of the book “Blockchain Revolution,” hosted the meeting with his son and co-author Alex Tapscott at his family’s summer compound in Lake of Bays, Ontario. The group included some of blockchain’s biggest backers, including people with ties to IBM and JPMorgan. They considered ways to improve the governance and oversight of the technology behind the digital currency bitcoin as a way to fuel the industry’s growth. They included Jim Zemlin, executive director of the Linux Foundation; Brian Behlendorf, executive director of the Hyperledger Project, a blockchain supporter group that includes International Business Machines Corp., Airbus Group SE and JPMorgan Chase & Co.; and Ana Lopes, board member of the World Wide Web Foundation. Participants with blockchain industry ties include former deputy White House press secretary Jamie Smith, now chief global communications officer of BitFury Group Ltd., and Joseph Lubin, founder of startup Consensus Systems.
Blockchain Delegation Attends Democratic National Convention https://archive.is/k16Nu
Attendees:
  • Jamie Smith — The Bitfury Group & Blockchain Trust Accelerator
  • Tomicah Tillemann — New America Foundation & Blockchain Trust Accelerator
  • Alex Tapscott — co-author: Blockchain Revolution
  • Brian Forde — MIT, Digital Currency Initiative
Brian Forde
  • Was the founding director of the MIT Digital Currency Initiative
  • Left his 4 year post as White House Senior Advisor for Mobile and Data Innovation to go directly to the MIT DCI
  • Brian Forde has spent more than a decade at the nexus of technology, entrepreneurship, and public policy. He is currently the Director of Digital Currency at the MIT Media Lab where he leads efforts to mainstream digital currencies like Bitcoin through research, and incubation of high-impact applications of the emerging technology. Most recently he was the Senior Advisor for Mobile and Data Innovation at the White House where he spearheaded efforts to leverage emerging technologies to address the President’s most critical national priorities. Prior to his work at the White House, Brian founded one of the largest phone companies in Nicaragua after serving as a business and technology volunteer in the Peace Corps. In recognition of his work, Brian was named a Young Global Leader by the World Economic Forum and one of the ten most influential people in bitcoin and blockchain. https://www.linkedin.com/in/brianforde https://archive.is/WjEGU
Alex Tapscott
World Economic Forum
  • Strategic Partners: https://www.weforum.org/about/strategic-partners
  • Includes Accenture (See Avinash Vashistha), Allianz, Deloitte (Scaling Bitcoin platinum sponsor, Blockstream Partner), Citigroup, Bain & Company (parent of Bain Capital, DCG investor), Dalian Wanda Group (working on blockchain technology), Ernst & Young (see Paul Brody), HSBC (Li-Ka Shing, Blockstream investor, used to be Deputy Chairman of HSBC), IBM, KPMG International, Mastercard (DCG Investor), PwC (Blockstream partner, also sponsor of Scaling Bitcoin)
  • Future of Financial Services Report [PDF] The word “blockchain” is mentioned once in this document, on page 23 (http://i.imgur.com/1SxyneJ.png): We have identified three major challenge areas related to innovation in financial services that will require multi-stakeholder collaboration to be addressed effectively. We are launching a project stream related to each area, with the goal of enabling tangible impact.... Decentralised systems, such as the blockchain protocol, threaten to disintermediate almost every process in financial services
  • The Steering Group who authored the report is a who’s who of the global financial elite. (Pages 4 & 5) http://i.imgur.com/fmYc1bO.png http://i.imgur.com/331FaX6.png
Bitfury Washington DC Office
Washington DC Office 600 Pennsylvania Avenue Suite 300 Washington, D.C. 20003
http://bitfury.com/contacts https://archive.is/ugvII
Bitfury Chosen for Ernst & Young Blockchain Startup Challenge
Deloitte Unveils Plan to Build Blockchain-Based Digital Bank http://www.consultancy.uk/news/12237/deloitte-unveils-plan-to-build-blockchain-based-digital-bank https://archive.is/UJ8Q5
submitted by 5zh8FoCiZ to btc

Why demanding proof that WikiLeaks is not compromised is necessary

UPDATE (11/01/2017 - UK Date Format): Julian Assange is alive and still in the Embassy. He confirms WikiLeaks has not been compromised. Julian took questions from the Reddit AmA but answered them via live, current and interactive video. He did this very intentionally, and by so doing, was true to his word. Watch a recording of the live event here:
https://www.youtube.com/watch?v=rC2EjKYMCeg
Why demanding proof that WikiLeaks is not compromised is necessary: https://www.facebook.com/events/309760466089922/ (PoL Event @ Ecuadorian Embassy London 17th December 2016) – If you live in the UK please come and let’s get REAL PoL. Please circulate.
1) Still no PGP (GPG) signed short message from WikiLeaks.
2) RiseUp’s warning canary may be dead (RiseUp is believed to host WL Twitter email account)
3) Julian’s internet hasn’t been restored as promised
4) The pre-commitment file hashes released in October do not match the released insurance files
5) Julian’s Swedish defense lawyer Per Samuelson was denied access during case questioning. No one actually saw Julian through the whole process.
Additional points:
  • UK disregard for international law
Various timelines, some with minor errors:
https://www.reddit.com/WikileaksTimeline/wiki/index
https://www.reddit.com/WhereIsAssange/comments/5dmr57/timeline_of_events_regarding_julian_assange_and/
https://regated.com/2016/11/julian-assange-missing/
[Still no PGP (GPG) signed short message from WikiLeaks]
Watch this https://youtu.be/GSIDS_lvRv4 video for a simple and good explanation of public/private key cryptography. Here https://riseup.net/en/canary is an example of how a legitimate cryptographically capable organisation uses PGP to sign a message and prove authenticity. WikiLeaks has this setup too. Why do they not use it and prove they are not compromised?
WikiLeaks could easily do this. They have their private key. The public has WikiLeaks' public key. Even if Julian isn’t in possession of the key, WL most certainly is, so there is no excuse for WL not to prove themselves. This has been heavily requested of WikiLeaks. I’d like to hear from the individuals who claim that their requests were removed (please leave comments). Of all the red flags, not posting a PGP signed message is by far the most damning.
If we are to believe that the person in the audio recording at the FCM 2016 is Julian Assange, then what he says about the keys is missing the point. If he himself is not in possession of the key, then WikiLeaks will be. If WikiLeaks use the key to prove themselves, then we know they are not compromised. By extension, we will also be assured that Julian is safe as an uncompromised WikiLeaks would be in a position to confirm his safety and be believed. This audio file includes everything that he says regarding PGP keys: http://picosong.com/UyVw/ (I am not convinced this is Julian).
[RiseUp’s warning canary may be dead (RiseUp is believed to host WL Twitter email account)]
RiseUp is an activist ISP providing secure services to activists. Its mission is to support liberatory social change via fighting social control and mass surveillance through distribution of secure tools (https://en.wikipedia.org/wiki/Riseup).
RiseUp use a warrant canary as a means to protect their users in case RiseUp are ever issued with an NSL or gag order etc. (https://riseup.net/en/canary). This is renewed quarterly, assuming no warrant has been issued. However, this is now considerably overdue, so the assumption is that the canary is dead, and just like the canaries used in coal mines, everyone should get the hell out of there when it dies. https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/. I would be grateful if someone could provide a source for the WikiLeaks twitter email account being hosted by RiseUp.
[Julian’s internet hasn’t been restored as promised]
https://twitter.com/wikileaks/status/787889195507417088 https://twitter.com/wikileaks/status/788099178832420865
On the 26th of September 2016 Secretary of State John Kerry visited Colombia. WikiLeaks reported that inside sources had confirmed that John Kerry also met with Ecuadorean President Rafael Correa in Ecuador to personally ask Ecuador to stop Assange from publishing documents about Clinton. This was initially fervently denied in the press only later to be confirmed by the Ecuadorian Embassy who admitted cutting off Julian’s internet due to pressure from the US. Ecuador wanted to appear impartial.
Both John Kerry and US intelligence agencies knew perfectly well that cutting off Julian's internet would have no impact on the release of the leaked emails that were damaging to Hillary's campaign.
The cutting off of Julian's internet access was not for the purpose of preventing the leaks of the Podesta and Hillary emails. Unless intelligence agencies are truly inept, they knew that media organisations already have the entire leaked email database and a schedule for release, they also knew WikiLeaks staff would continue to leak regardless of Julian's ability to communicate.
Now it is long after the election and Ecuador have still not restored Julian’s internet. Ecuador have no grounds to continue to restrict Julian’s internet. It does nothing apart from increase tensions and raise suspicion.
Ecuador have always been supportive of Julian. However, after John Kerry applied pressure on Ecuador, that whole dynamic changed. Ecuador cut Julian's Internet. He then essentially threatened Ecuador, the UK and John Kerry by submitting those pre-commitment file hashes on Twitter. Since then we have only seen hostility towards Julian from all three parties. Ecuador didn't restore his internet and didn't let his lawyer interview him, and no one actually saw him. The U.K. denied him access to Gavin's funeral and denied him access to medical treatment. The UK also continually disregard the UN. The dynamic now is totally different. He has no political friends. It seems that both the UK and Ecuador are now working against Julian and Wikileaks. An environment where a collaborated siege would be feasible.
Finally, many have speculated about mobile signals being blocked at the Embassy. I can confirm that there is 4G signal right outside the Embassy door. I was there, with my phone, and tested it. There is no reason to think Julian cannot use a MiFi device (or similar) connected to a cellular network.
[The pre-commitment file hashes released in October do not match the released insurance files]
Here are the October tweets with the file hashes:
https://twitter.com/wikileaks/status/787777344740163584 https://twitter.com/wikileaks/status/787781046519693316 https://twitter.com/wikileaks/status/787781519951720449
These 3 pre-commitment Twitter posts are SHA-256 file hashes. SHA-256 file hashes are 64 characters long. They are not encryption keys for insurance files. They simply are a mathematical formula for verifying that later released files are genuine and have not been altered.
These hashes were released because Julian felt threatened and in increased danger. They specifically targeted the UK FCO, Ecuador and John Kerry. All of whom are key players in his current predicament.
On November 7th, WikiLeaks released 3 new insurance files. These file names match the names given in the pre-commitment hash tweets:
2016-11-07_WL-Insurance_EC.aes256
2016-11-07_WL-Insurance_UK.aes256
2016-11-07_WL-Insurance_US.aes256
EC = Ecuador, UK = UK FCO, US = John Kerry. Soon after these files were released, the 3 files' hashes were compared to the 3 hashes posted on the 16th of October. They did not match. When this was brought to WikiLeaks' attention, WikiLeaks released the following statement in a tweet:
https://twitter.com/wikileaks/status/798997378552299521
“NOTE: When we release pre-commitment hashes they are for decrypted files (obviously). Mr. Assange appreciates the concern.”
This firstly proved that the hashes and the insurance files were related (a fact that was already clear). Secondly, it was a lie, as it implied historical use of pre-commitment hashes in this manner. Thirdly, the (obviously) comment was also a deception and an insult to supporters. It was not obvious to anyone, not even to our crypto guys in /cryptography/, on the contrary, they thought it highly suspicious.
Additionally, what they suggest would be absolutely pointless. Pointless as a threat, as the UK, Ecuador and John Kerry would have no practical way of identifying the documents to confirm the threat.
There's absolutely no scenario where an uncompromised WikiLeaks would either post bad file hashes or altered insurance files.
[Julian’s Swedish defense lawyer Per Samuelson was denied access during case questioning]
This is highly unusual and very suspicious. Also, Jennifer Robinson was not in the room with Assange. https://www.youtube.com/watch?v=MYR0Pw9LfUQ&feature=youtu.be&t=9m55s and neither was the chief prosecutor http://www.bbc.co.uk/news/world-europe-37972528 “Swedish chief prosecutor Ingrid Isgren will not speak to Mr Assange directly”.
[UK disregard for international law]
The UK threat is very real. Back in August 2012 the UK was poised to break international law citing the Diplomatic and Consular Premises Act of 1987 as a basis for entering the Embassy and arresting Assange (http://www.bbc.co.uk/news/world-19259623). It all became very public, very quickly and fortunately never happened (http://www.telegraph.co.uk/news/worldnews/southamerica/ecuado9488996/Ecuadors-president-raiding-embassy-to-snatch-Julian-Assange-suicidal.html). I expressed my concern at the time that the UK shouldn’t have even been contemplating such action, let alone threatening it in writing to Ecuador.
More recently, the UK disregarded the UN ruling that Julian Assange was being arbitrarily detained (https://www.theguardian.com/media/2016/feb/04/julian-assange-wikileaks-arrest-friday-un-investigation). The UK appealed, and then finally lost their appeal in November (https://www.rt.com/news/368746-un-ruling-free-assange/). Julian has also been refused permission to leave the Embassy with a police escort for medical treatment, as well as denied permission to attend Gavin MacFadyen’s funeral. The UK’s behaviour is appalling and shows clearly that it has no respect for international law. The reported raid on the Embassy during the latter part of October seems more plausible when taken in the context of past behavior.
This is the Britain I now live in: http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-act-snoopers-charter-browsing-history-what-does-it-mean-a7436251.html. I never used to be ashamed to be British.
[Combined capabilities of intelligence agencies]
We know much about the combined powers of the intelligence agencies. We know what they are capable of, thanks to the leaks of Edward Snowden. The combined powers of the NSA, CIA and the UK’s GCHQ are capable of pulling off such a massive takeover of Wikileaks. We know the NSA works with other US intelligence agencies, we know that the NSA works with GCHQ.
We know about Tempora, we know about JTRIG, we know about PRISM, we know about HAVOK. We know that websites can be altered on the fly, we know that real-time voice profiling is trivial for these agencies. We know that censorship is happening.
https://usnewsghost.wordpress.com/2014/07/15/new-july-14-edward-snowden-nsa-leaks-gchq-attacks-and-censors-internet-nsa-leaks-recent/ http://www.independent.co.uk/life-style/gadgets-and-tech/gchqs-favourite-memes-and-sexual-slang-reveals-a-shared-culture-with-trolls-and-hackers-9608065.html https://en.wikipedia.org/wiki/Tempora https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
The NSA has a remit to be 10 years ahead of the curve. We have commercial products that can be purchased off the shelf today that can easily manipulate audio and video. Just imagine what the NSA and the military are capable of.
Real time facial manipulation: https://www.youtube.com/watch?v=ohmajJTcpNk Signs of editing: https://www.youtube.com/watch?v=2O9t_TEE1aw. Julian Assange and John Pilger are not filmed together at any time during the interview. There is also no establishing shot. It is also claimed that Assange’s audio is spliced and edited. No recent events are mentioned by Assange, only by Pilger. Unfortunately, this interview is not sufficient proof of life.
What the NSA can’t do is break PGP encryption. This has been expressed by Glenn Greenwald, who was one of the journalists that Edward Snowden leaked to. He commented that he knows how secure PGP is because the NSA keep moaning about not being able to crack it in the documents he is reading. This is another reason why a signed PGP message can be the only true proof that WL isn’t compromised. Mathematics cannot lie; people can and do. A compromised WL can’t sign a message without the private key.
Edward Snowden revealed that in 2013 the NSA were capable of 3 trillion password attempts per second. As it is now almost 2017, that number will likely be multiple times higher (anywhere between 9 to 15 trillion attempts per second would be my guess based on Moore’s law).
https://en.wikipedia.org/wiki/Joint_Threat_Research_Intelligence_Group https://en.wikipedia.org/wiki/Tempora https://en.wikipedia.org/wiki/PRISM_(surveillance_program) https://www.schneier.com/gchq-catalog/ https://en.wikipedia.org/wiki/Government_Communications_Headquarters
[WikiLeaks down on October 17th]
The alleged raid on the Embassy supposedly took place on the 17th just after 1am GMT. On Monday the 17th of October 2016 the WikiLeaks website was reported down (http://www.isitdownrightnow.com/wikileaks.org.html expand the comments) https://postimg.org/image/6t68fe4kj/. The internet was alive with reports of mass censorship around this time. This all coincides with when the alleged WikiLeaks takeover occurred. It also coincides with John Kerry being in the UK.
[Christine Assange audio only radio interview]
Julian's family had their identities changed quite a few years ago after receiving death threats. It is odd that his mother has now revealed herself to a news agency. If you do a YouTube search for Christine Assange (her original name), you'll find all the videos are older than 3 years. She's in hiding, not openly talking on radio shows (https://en.wikipedia.org/wiki/Julian_Assange scroll down to the personal life section).
[WikiLeaks bitcoin account was emptied on the 18th of November] Interestingly it was after the bitcoin account was emptied that the encoded message in the blockchain was left. Why would WikiLeaks go to all that trouble when they could just sign a message with their PGP key? Is it because bitcoin accounts can be cracked and the PGP keys can’t?
[Mass censorship]
Facebook is censoring this event (https://www.facebook.com/events/309760466089922/). It has been advertised for weeks now and only a handful of people are attending. Recently Wikileaks was live on FB. 50% of the viewers (roughly 2.5k) were commenting #PoL, #Whereisassange, RIP etc. The live event was only a prerecorded video being played in a loop. Once it concluded, the whole Live event along with all the comments including the comments asking for PoL and a PGP signed message were deleted. It was as if it never took place.
When Julian's DMS had supposedly been activated, I saw posts in threads being deleted within minutes. Supposedly with encryption keys, but it all happened too fast for anyone to collate. I took PDF printouts of the pages and then later noticed that posts and entire links were taken down. I have PDFs of pages that now no longer exist. I've been following this since mid-October and seen the censorship first hand. I know many people here on reddit witnessed the same (please comment with your experiences).
[WikiLeaks reposting old stuff]
There are many examples of this already mentioned in the timelines. One for example is the Palantir Technologies report. Palantir Technologies prepared a report on how to destroy WikiLeaks that was leaked in 2011. The proposal was submitted to Bank of America through its outside law firm, Hunton & Williams. Palantir later apologised for their involvement. But WikiLeaks has recently regurgitated it as if it was new. There are many examples of this. I have watched as WikiLeaks have increasingly destroyed their credibility.
submitted by neonnexus to WhereIsAssange [link] [comments]

Why the NSA revelations make me worried about the safety of Bitcoin

This has probably been discussed before, but I don't see how Bitcoin can be a safe method of storing wealth, given our current situation where the NSA observes EVERYTHING. Not just that, the NSA has installed backdoors in nearly all of our hardware. Both Intel and AMD processors likely have hardware backdoors for the NSA.
Back in 2010, the NSA broke a variety of cryptographic standards. In addition, we know that the NSA has lobbied organizations to implement weak cryptographic standards. Furthermore, we know that the NSA has pushed for flawed random number generators. Weak random number generators have previously led to the theft of large numbers of Bitcoin on mobile devices.
Bitcoin completely relies on the integrity of the SHA-256 algorithm, which was developed by the SAME NSA that intentionally pushes flawed cryptographic standards. Bruce Schneier no longer trusts the NSA's elliptic curve cryptography standard, as he believes they may have intentionally chosen a weak elliptic curve that the NSA can use. The numbers used are supposed to be random to make it unlikely that anyone could exploit a weak curve, but the NSA provided different numbers, that are non-random.
Vitalik Buterin argues that we can expect Bitcoin not to use a weak curve, as the numbers used in Bitcoin are fairly simple to calculate, whereas arbitrary numbers would create the possibility of Satoshi using an intentionally weak curve.
However, it seems to me that we can argue the exact opposite as well. For p, Bitcoin uses 115792089237316195423570985008687907853269984665640564039457584007908834671663, which is arrived at by calculating 2^256 - 2^32 - 977 and seems fairly arbitrary to me as well.
Perhaps the main cause of my worries is the fact that the NSA in 1996 created a document outlining how to make a digital currency based on cryptography. Thus we know that the NSA has been studying the possibility of cryptocurrencies for a long period. Considering how the NSA manages to keep control over cryptography by releasing weak standards itself, is it possible that the NSA attempts to do the same with cryptocurrency?
Finally, I'm very worried about who this anonymous hacker who calls himself Satoshi Nakamoto might be. The Bitcoin source code contained different incomplete ideas that were never implemented, such as a decentralized marketplace (this is from memory, can't find the link). It all seems very ambitious to be the product of a single individual.
What is most worrying about Satoshi Nakamoto however is what is found in the blockchain. There's a non-random distribution of nonces in the early blockchain. What this means is that Satoshi Nakamoto was mining Bitcoin with a mining rig that was completely different from what everyone else was using back then.
It seems that he used 58 different computers, all with a different ID and all programmed to use different nonces to avoid checking the same possible solution multiple times, and at some point some of the computers broke down and were not put back up. This is not a genius amateur, but rather, someone with access to a lot of equipment. What makes all of this worse, is the fact that most of these blocks appear never to have moved. In other words, whatever entity mined these blocks probably still has control over them and doesn't seem to be motivated by personal gain. Rather, their control over about 1 million Bitcoin seems to have created a kind of "deathswitch", that allows them to crash the market at will.
Finally, Nakamoto's behavior is strange. As noted by others, his timezone seems to indicate he lived on the West Coast, yet his language uses British spelling. Furthermore, he took up to two weeks to respond to comments, indicating that anything he said seemed to require approval from higher ups, or agreement among multiple persons.
In conclusion, there is nothing here that indicates to me that we are dealing with a project designed by a regular Joe. Instead, we seem to be sitting on a ticking time bomb, a ten billion dollar experiment that could be deflated at will and cause economic chaos in the process.
submitted by accountt1234 to Bitcoin [link] [comments]

Quantum Conspiracy

This is not reality changing quantum computing meta-science / Mandela Effect / parallel universes bull.
The following is at least trying to be factual
I have some information for you of which you may not be aware, as well as speculation related to such events.
Here is the gist...
TIMELINE
May 11th: WannaCry ransomware was released into the public.
May 15th: A small flurry of news articles on websites about quantum computation not affecting RSA encryption showed up.
June 13th: IOTA is added to the bitfinex exchange.
June 14th: Quantum market value passes 5 billion. Through D-Wave and IBM-Q
June 25th: The Petya ransomware released.
June 27th: A second test revision of the Petya ransomware released as NotPetya.
July 3rd or 4th: We will see. (This is only speculation.)
WHAT YOU NEED TO KNOW
The WannaCry ransomware is a private sector project disguised as a ransomware. The Petya ransomware is a revision of this project with some fixes re-released for testing. NotPetya was released shortly after, so that it was not as noticeable over the current threat.
IOTA is a cryptocurrency that you should probably put some money into, it will be important later. It is not generated via mining. It does not have a blockchain. It is quantum computationally proof by design. It is currently worth more than 1 billion USD, becoming the 8th largest traded cryptocurrency in 14 days.
The major project is a programming project with the following goals.
@ This might be an attempt by combined forces to create a viral remote administration tool.
@ The active function of this secret tool would be primarily benign malicious. With goal to install this on as many internet of things devices, cellphones, and computers as possible in order to steal an unnoticeable amount of CPU and GPU resources (1%), from computers that stay idle for more than 6 hours. Effectively a worldwide zombie botnet.
@ Here is the list of currently involved entities: TPTB, Google, D-Wave Systems, Microsoft, Intel, IBM, CERN, Cisco, CERT, a counter-collective group of approximately 2,200 people with backgrounds in information security, cryptography, mathematics, and quantum physics.
REVELATIONS
This is very important so listen.
@ I feel this is to use this computing power, piping it into the Google network in order to mask the internet traffic as legitimate.
@ These computing resources are being used to assist Google Deepmind in order to finish a computation project that when successful will result in artificially generated design for a cold operating quantum computer, possibly through carbon computation.
@ IOTA may have known about this project in advance. Developing a quantum proof cryptocurrency in order to capitalize from the downfall of other cryptomarkets. IOTA also is working in a very short timescale, implementing smart contracts to automate transactions over internet of things devices, presumably to prevent them from becoming idle.
@ After the project is complete, I assume TPTB will be able to effectively break nearly all encryption, and then all hell will break loose.
CAVEATS
@ I am not saying you should not drop all your bitcoin, because the timescale for this will be a few years. However, just keep in mind I feel this coming. If it is, there is nothing we can do.
submitted by SoaringMoon to conspiracy [link] [comments]

There's No Good Reason to Trust Blockchain Technology

This is the best tl;dr I could make, original reduced by 92%. (I'm a bot)
They're fond of catchphrases like "In code we trust," "In math we trust," and "In crypto we trust." This is trust as verification.
In his 2018 book, Blockchain and the New Architecture of Trust, Kevin Werbach outlines four different "Trust architectures." The first is peer-to-peer trust.
His second is leviathan trust, which corresponds to institutional trust.
What blockchain does is shift some of the trust in people and institutions to trust in technology.
In many ways, trusting technology is harder than trusting people.
To answer the question of whether the blockchain is needed, ask yourself: Does the blockchain change the system of trust in any meaningful way, or just shift it around? Does it just try to replace trust with verification? Does it strengthen existing trust relationships, or try to go against them? How can trust be abused in the new system, and is this better or worse than the potential abuses in the old system? And lastly: What would your system look like if you didn't use blockchain at all?
Summary Source | FAQ | Feedback | Top keywords: trust#1 blockchain#2 system#3 bitcoin#4 people#5
Post found in /technology, /Buttcoin, /hackernews, /techgeeks, /CryptoCurrency, /technology, /Wired_Top_Stories, /bprogramming, /Buttcoin and /Bitcoin.
NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.
submitted by autotldr to autotldr [link] [comments]

Bitcoin Core uses RAND_bytes from OpenSSL to generate keys, but RAND_bytes relies on /dev/urandom, which "isn't very random" according to the *maintainer of /dev/random on Linux*! Can someone explain why this is not a problem?!

This is what I'm grappling with:
  1. Bitcoin Core uses RAND_bytes from OpenSSL to generate new bitcoin addresses. Source: https://bitcoin.stackexchange.com/questions/24722/what-kind-of-random-numbers-source-does-getnewaddress-in-bitcoin-core-api-bitco/24751#24751
  2. On Linux, RAND_bytes relies first on /dev/urandom to create the random data (only if /dev/urandom is not found does it use /dev/random). Source: https://security.stackexchange.com/questions/47598/why-openssl-cant-use-dev-random-directly/47882#47882
  3. According to the maintainer for Linux's /dev/random, /dev/urandom doesn't produce very random results. Source: https://www.schneier.com/blog/archives/2013/10/insecurities_in.html (search for "they end up with keys that aren't very random").
Why is this not a problem?
Can we really trust Bitcoin Core's address generation mechanism?
submitted by 69520d0f929aeac8 to Bitcoin [link] [comments]

How DPR might spend his millions from inside of prison

I spent some time thinking about how DPR might spend his millions from behind bars. Here's what I came up with. Can you do better?
Imagine that DPR is in prison and he's got 80 million dollars worth of BTC in a brainwallet. For example, all stored with the passphrase "correct horse battery staple" (c.h.b.s for short). The Feds want that money and they're definitely not going to let him send it to anyone so they're not letting him use a computer, especially not one connected to the internet.
If he had access to a computer, he could write a transaction from behind bars and pass it on a piece of paper to someone on the outside. But he doesn't. And if he did, that computer would have a keylogger.
His next alternative is to write c.h.b.s on a piece of paper and pass that to someone. But he'd then be trusting all his 80 million to one person. That's not safe, either.
Assuming some planning, maybe he divided up his money into tens of thousands of bitcoin addresses, each one with, say, 20 BTC. Now he can give out private keys as needed, written down, and spend money in increments of 20 BTC.
The problem with that is that he has to memorize thousands of passphrases. One option, he could use:
but someone would catch on to the pattern and take all his money.
In prison he might have books. Instead of numbers, he could use the first letter of words in a line from a book, like Romeo and Juliet. Like this:
Harder to crack but it's just obfuscation. If someone figures out the book, he's screwed.
Ideally, he would have a hash function that could be computed with innocent things that you'd find in a prison: a deck of cards, a book, maybe a calculator. Bruce Schneier invented a cryptographic algorithm that uses a deck of cards. If you had a good hash function that you could do mechanically, you could use those outputs at http://brainwallet.org:
A deck of cards is surprisingly strong. The order of a random deck of cards is about 200 bits of entropy, even more than a 160-bit bitcoin hash, so a deck of cards could be useful.
That's as far as I got. Any better ideas? How do you store 10,000 brainwallets in your brain without using a computer? Or make transactions without a computer?
submitted by eyal0 to Bitcoin [link] [comments]
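For the deck-of-cards idea, the missing step is turning a physical shuffle into a number a wallet can use. This added example (not code from the post) computes log2(52!) exactly, ranks a deck order into an integer in [0, 52!) with a Lehmer code, recovers the order from that integer, and hashes the integer into a 32-byte key; the card labels and the SHA-256 step are assumed choices for illustration.

```python
"""Deriving key material from the order of a shuffled deck.

Added example, not code from the post. It ranks a deck order into an integer
in [0, 52!) (a Lehmer code) and hashes that integer; the card labels and the
SHA-256 step are assumed choices for illustration.
"""
import hashlib
import math
import random

SUITS = "CDHS"
RANKS = "A23456789TJQK"
DECK = [r + s for s in SUITS for r in RANKS]  # canonical order, 52 cards
MAX_RANK = math.factorial(52) - 1


def deck_entropy_bits(n_cards=52):
    """log2(n!) bits for a uniformly shuffled deck of n cards (~225.58 for 52)."""
    return math.log2(math.factorial(n_cards))


def rank_permutation(cards):
    """Index of this ordering among all 52! orderings (mixed-radix Lehmer code).
    Rejects anything that is not exactly one full deck, so a misdealt or
    duplicated card cannot silently produce a weak key."""
    if sorted(cards) != sorted(DECK):
        raise ValueError("not a complete deck of 52 distinct cards")
    remaining = list(DECK)
    rank = 0
    for card in cards:
        i = remaining.index(card)
        rank = rank * len(remaining) + i  # digit i in radix len(remaining)
        remaining.pop(i)
    return rank


def unrank_permutation(rank):
    """Inverse of rank_permutation: rebuild the deck order from its index."""
    if not 0 <= rank <= MAX_RANK:
        raise ValueError("rank out of range")
    digits = []
    for radix in range(1, 53):  # least significant digit first
        digits.append(rank % radix)
        rank //= radix
    remaining = list(DECK)
    return [remaining.pop(i) for i in reversed(digits)]


def key_from_deck(cards):
    """32-byte key: SHA-256 over the big-endian rank (52! < 2^226 fits in 29 bytes)."""
    return hashlib.sha256(rank_permutation(cards).to_bytes(29, "big")).digest()


def roundtrip_ok(seed):
    """Shuffle with a seeded RNG (constructed test input) and check rank/unrank agree."""
    cards = list(DECK)
    random.Random(seed).shuffle(cards)
    return unrank_permutation(rank_permutation(cards)) == cards
```

The entropy figure only holds for a genuinely uniform shuffle; a deck that was riffled a few times from a known order carries far fewer bits than 52! suggests.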

Large DDoS attacks cause outages at Twitter, Spotify, and other sites

This is an automatic summary, original reduced by 74%.
Dyn's general counsel Dave Allen added that, with the help of other infrastructure companies Akamai and Flashpoint, Dyn has determined that some of the traffic used in the attacks comes from the Mirai botnet, a network of infected Internet of Things devices used in other recent large-scale DDoS attacks.
Although DDoS attacks are sometimes accompanied by extortion letters that ask a company to hand over bitcoin in exchange for ceasing an attack, Dyn said it has not received any messages from its attackers.
The DDoS attack on Dyn follows on the heels of one of the largest DDoS attacks in history, which used the Mirai botnet to target the website of independent cybersecurity journalist Brian Krebs.
Although DDoS attacks have historically used large networks of compromised computers called botnets to send junk traffic to sites, overwhelming them and making them inaccessible to legitimate users, the Krebs attack expanded in scale by using compromised Internet of Things devices like security cameras to build a botnet.
After the attack on Krebs' website, the code used to build the botnet leaked online, making more massive DDoS attacks all but inevitable.
Security researcher Bruce Schneier reported in September that several internet infrastructure companies had been targeted with DDoS attacks, although they had not caused the kind of widespread outages experienced today.
Summary Source | FAQ | Theory | Feedback | Top five keywords: attack#1 Dyn#2 DDoS#3 used#4 around#5
Post found in /argentina, /The_Donald, /inthenews, /Comcast_Xfinity, /news, /realtech, /battlefield_one, /cCloud, /news, /TheWatchTowers, /DailyTechNewsShow, /ScienceUncensored, /gadgets, /2007scape, /worldnews, /technology, /NoFilterNews and /PoliticsAll.
NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.
submitted by autotldr to autotldr [link] [comments]

Someone is Learning How to Take Down the Internet

This is an automatic summary, original reduced by 78%.
These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.
If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack.
Like the name says, this is an attack designed to prevent legitimate users from getting to the site.
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them.
While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "In Q2 2016, attacks continued to become more frequent, persistent, and complex."
One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on.
Summary Source | FAQ | Theory | Feedback | Top five keywords: attack#1 company#2 Internet#3 see#4 more#5
Post found in /Futurology, /DarkFuturology, /todayilearned, /The_Donald, /programming, /BitcoinAll, /Bitcoin, /China, /MrRobot, /hacking, /cybersecurity, /ARGIRC, /collapse, /techsnap, /RIPworldnews, /abetterworldnews, /technology, /dns, /linux, /geopolitics, /thisisthewayitwillbe, /TorontoCrypto, /impega, /security, /sysadmin, /Cyberpunk, /The_Donald, /SchneierOnSecurity, /netsec, /inthenews, /news, /technology and /politics.
NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.
submitted by autotldr to autotldr [link] [comments]

An interesting problem social media is disappearing. DNS Server cannot be contacted. OMG Technical problem? I think not. Twitter down.

This is an automatic summary, original reduced by 74%.
Dyn's general counsel Dave Allen added that, with the help of other infrastructure companies Akamai and Flashpoint, Dyn has determined that some of the traffic used in the attacks comes from the Mirai botnet, a network of infected Internet of Things devices used in other recent large-scale DDoS attacks.
Although DDoS attacks are sometimes accompanied by extortion letters that ask a company to hand over bitcoin in exchange for ceasing an attack, Dyn said it has not received any messages from its attackers.
The DDoS attack on Dyn follows on the heels of one of the largest DDoS attacks in history, which used the Mirai botnet to target the website of independent cybersecurity journalist Brian Krebs.
Although DDoS attacks have historically used large networks of compromised computers called botnets to send junk traffic to sites, overwhelming them and making them inaccessible to legitimate users, the Krebs attack expanded in scale by using compromised Internet of Things devices like security cameras to build a botnet.
After the attack on Krebs' website, the code used to build the botnet leaked online, making more massive DDoS attacks all but inevitable.
Security researcher Bruce Schneier reported in September that several internet infrastructure companies had been targeted with DDoS attacks, although they had not caused the kind of widespread outages experienced today.
Summary Source | FAQ | Theory | Feedback | Top five keywords: attack#1 Dyn#2 DDoS#3 used#4 around#5
Post found in /The_Donald, /inthenews, /news, /Comcast_Xfinity, /realtech, /battlefield_one, /cCloud, /news, /TheWatchTowers, /DailyTechNewsShow, /ScienceUncensored, /gadgets, /2007scape, /worldnews, /technology, /NoFilterNews and /PoliticsAll.
NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.
submitted by autotldr to autotldr [link] [comments]

BTC-E.com safety checklist for noobs

DISABLE JAVA There are Java zero-day exploits being discovered all the time. One exploit still hasn't been fixed. You should do this permanently with your browser; Java is an exploit factory. IE: you can't completely disable Java, so don't use it.
INSTALL NOSCRIPT ADDON https://addons.mozilla.org/en-US/firefox/addon/noscript/ or whatever shit script blockers Chrome/Safari use, because Chrome is still lacking the required infrastructure for selective script disablement and object blocking so NoScript isn't available, but inferior clones are. Whitelist only sites you need, like btc-e.com, so it doesn't automatically load harmful scripts on untrusted sites.
GET AN ENCRYPTED PASSWORD SAFE http://www.schneier.com/passsafe.html Don't use any solution that 'encrypts in your browser' because it will need java and we disabled java remember?
MAKE NEW GMAIL ACCOUNT JUST FOR TRADING Make a random account name + password that can't be guessed. http://www.passwordgenerator.eu/
Store them in your password safe so you don't forget them. Never reuse that password on any site. ENABLE TWO FACTOR AUTHENTICATION.
Note that 2factor ID sometimes doesn't work if your phone time is off. You get 30 seconds to type in the code; if off by 10 seconds, derp, you run out of time. Set your time manually if the shitty telco time server is off: www.timeanddate.com
MAKE BTC-E ACCOUNT Use impossible to guess passwords from password generator + throw in your own random letters. Save in password safe. Do not pick a name anywhere close to being your email username.
ENABLE 2FACTOR ID Click Profile, then click 'Edit'
https://btc-e.com/profile#edit/home - confirm your email.
https://btc-e.com/profile#edit/security - enable "Withdraw only with request on E-Mail"
DO NOT CLICK ANY LINKS IN THE TROLLBOX!!!! No matter how innocent the link looks don't click anything in the chatbox. Hackers are dropping links full of java zeroday, redirectors that look just like btc-e login page and phish for passwords, all sorts of bad. Trollbox is also prone to misinformation being that it is a trollbox. Avoid.
If you chat on there, expect every PM sent to you will be from a hacker trying to mine information or get you to click a link. Assume every link is an exploit attempt. Notice how it displays your name, if you picked same name as your email, they can go to work on both by trying to break into your gmail account. This is another way how people get their coins stolen. Hacker takes chat name and tries it on gmail/hotmail/yahoo. If they get in because you didn't set up 2 factor expect to be robbed of coins.
DO NOT ENABLE API Unless you know what you're doing, do not enable this. Liberty Reserve disabled their API by default because of so many drained accounts.
DISCLAIMER Of course, be aware the exchange is in Russia or possibly Bulgaria and if anything happens the owner could just disappear, but this is highly unlikely. Why would you walk away from a money machine? Remember bitfloor (US) lost all its customers' bitcoins once, CryptoXchange (Australia) stole from users and disappeared, Bitcoinica (China?) stole or lost all the coins, and bitcoin-24 (German) has just lost their bank account and the owner is MIA. All exchanges carry risk no matter what country they are in.
You can fund btc-e through cash deposit in India, Singapore, Malaysia, Bangladesh, Nepal, Australia with http://www.ecurrencyzone.net/ which is an authorized exchange listed on the Okpay.com site. They sell btc-e vouchers and Okpay. So does http://liliontransfer.org/ for wires and other methods.
If you want a really secure platform (you fear your comp is probably already infected with a hidden Java zeroday botnet) then download any Linux live distro and make a bootable USB or burn to CD. I recommend Liberté Linux http://dee.su and just use the non-private browser (disable Java and JavaScript!), NOT the Tor browser: you don't want to trust SSL over Tor and risk a malicious exit node capturing traffic and running sslstrip on it or feeding you a MITM attack with spoofed certs.
If you want to know why watch this, nothing has changed since this talk was given: https://www.youtube.com/watch?v=Z7Wl2FW2TcA
submitted by Derpcoin to Bitcoin [link] [comments]

[Table] IAmA: I was a professional password cracker who taught government agents who's now working on a secure distributed communications & computation platform with bitcoin instead of upvotes. AMA!

Verified? (This bot cannot verify AMAs just yet)
Date: 2014-05-03
Link to submission (Has self-text)
Questions Answers
a more serious question, what is password cracking like? Bruteforcing hashes, looking through source code for vulnerabilities, doing advanced maths or something fourth? First I'd try to figure out if the software was merely using access denial or encryption. With access denial, the data isn't encrypted, but the software won't show you the data without the password. For purposes of criminal forensics, you're not allowed to change the data in any way for it to be admissible in court, but getting access to the file before you have a password can often be helpful. To figure that out, I'd just look at the file in a hex editor; if I could read it, it wasn't encrypted. The next easy step is to scan the program for cryptographic constants; these are things like s-boxes or tables of rotation constants or such that tell me what crypto functions, if any, are being used. For example, if I see 637c777b anywhere, I know it's probably using AES. If I see 77073096, that's a CRC32. If I see 67452301, it's using MD5. After that I'd use a debugger and a program like IDA Pro to start at the point where you type the password and figure out what the program does with it. This is what often took the most time and was the most tedious. Early versions of MS Access, for instance, just XORed the password with a fixed constant; anyone could break those passwords immediately. The toughest one that I was able to break was the encryption on WinZip; it was much better than most stuff I ran into, but still weak enough that I could break it. That was the one I enjoyed the most, like an extra-challenging Sudoku or something.
The hash function wasn't cryptographically strong, so I was able to run a lot of it backwards and get enough constraints on the input to skip most possibilities. What is this process called if I wanted to learn about it in an academic setting? Cryptanalysis.
WinZip; it was much better than most stuff I ran into Is it any better than 7Zip? My attack was on the old encryption method. WinZip has since upgraded to AES, like 7-Zip. The only way to attack an archive made by a recent version of either of these is with a dictionary attack, trying every password.
What was the biggest password you ever cracked? Nowadays, most software companies use strong crypto, so the difficulty of cracking the password increases exponentially with the length. Back in the late 90s, it was mostly "roll your own", so the strength depended a lot more on the software than the password chosen.
That said, the password I was most pleased with was a 60-character randomly chosen password on a WinZip file using the ciphertext-only attack that later got published.
Was the content worth the effort? What was the content? The content was irrelevant to me; the fact that I had broken the encryption so thoroughly on such an important file format was the exciting bit. When it was in beta, the FBI started sending us files with suspected child porn for us to open. Thankfully I never had to look at any of it---that was someone else's job---but it felt good to know that I was able to help with that. Once we integrated it into the toolkit, of course, the FBI would just use our software themselves.
Now, though, I think that it's more important that people be taught what is right and have freedom---even if such crimes still exist---than to have a society in which every activity is so policed that crime is impossible. I think we should make it hard for the government to do such enormous, sweeping surveillance as we've discovered they've been doing.
If there's sufficient evidence to suspect someone of a crime, the government has plenty of resources to target that individual, and no software will prevent them getting the information they want. Splicious, if it is funded, will help in preventing surveillance at national scales.
It's funny how no one seems to be responding to the thing you're actually talking about... it seems to me you're raising awareness about splicious. Can you say more about that? EDIT: I need to make clear that it doesn't fully exist yet! We need money to continue to make it real.
As I wrote above, it's a platform for encouraging the creation and curation of content. The idea is to reward both those who create content and those who share it. You may have seen that picture of handing out Facebook likes to 3rd world kids; merely "liking" something or upvoting it doesn't actually help somebody make a living. So all likes/upvotes have real money behind them in this system. The originator of content gets 90% of each upvote, while the remaining 10% is distributed down the chain of resharers to the donator.
We want artists and musicians to use it, but also scientists, authors, and journalists. We think the journalists will be particularly interested both because of the potential to get supported directly in the wake of digital media, but also because of the security features we intend to implement, like perfect forward secrecy.
We hope scientists will like it, because big academic publishers like Elsevier charge tens of millions of dollars for bundled access to their journals and have something like a 36% profit margin. The scientists write and review the articles and edit the journals for free; Elsevier turns around and charges them for the privilege. Splicious would allow people to set up electronic journals quickly, while contributions go directly to the authors and the editors.
Could you inbox me my password if you wanted or felt the need? That would require getting Reddit's collection of password hashes. It would take some effort, but probably a lot more than would be worth my while.
Well, it used to be easier. Wow! Yeah, hopefully they learned something after that. :P.
Could you be a very rich man if you used your powers for evil? I could have in the 90s. I think the FBI are a lot better at dealing with crime on the internet now than they were then.
Hi, I'm a math/CS undergraduate and find this stuff fascinating. However, I haven't a clue how to get started. Any recommendations on how to get into password cracking and hacking? As to your specific topics, the days of easy password cracking are largely over: any software worth spending money on will use strong crypto. The best one can usually do is a dictionary attack distributed over many computers.
Awesome! What is your ed background? When I got the job I was getting my undergrad degree in physics. I went on to get a MSc and have just finished my PhD.
How much were you taught on the job vs what you had learned through self study? All of the math I learned in school or from Schneier's Applied Cryptography. I taught myself the rudiments of programming as a kid and all my electives at university were computer science classes. I learned to read assembly code on the job.
What would you say is the most lucrative area of infosec (both for black and white hats)? If you want to make enormous amounts of money, you start a company and get bought out or have a successful IPO. That's very risky, though; if you want stable good money in infosec, go join Google's security team: I did and loved it!
Are you employed now by Google? No, I left last year to start working on splicious. I'd like to keep doing so, but we need funding!
Whats this splicious you keep referring to? It's a distributed secure communications and computation platform. It has features to encourage the creation and curation of new content, but is intended to be a general purpose secure distributed computation platform.
The computation framework is based on pi calculus; I've written a paper with Greg Meredith and Sophia Drossopoulou showing that we can use Caires' spatial/behavioral types as a security policy language and let the compiler check that the implementation fits the policy. (TL;DR: We can prove that we don't have security flaws of various kinds.)
Are you Hackers or War Games fan? I loved it when you nuked Las Vegas. Suitably biblical ending to the place, don't you think?
Have you ever hacked people? Not without their permission.
That sounds a bit weird. Hahahaha. It's not much weirder than tattooing: Link to io9.com
Of course they still had to get the hashes somewhere, but there are some pretty powerful tools in the public domain these days, who knows what is behind the curtains in the federal side of the house...(proposed quantum computing password cracking for instance) People simply don't have the ability to remember passwords that are strong enough to resist the password crackers. If your service has the option to use two-factor authentication, use it; when attackers steal gmail accounts, the first thing they do is turn it on, because it makes it virtually impossible for the owner to get it back. If your service doesn't have 2-factor auth, use a long passphrase. Here's some math: if you just use lowercase letters and have a 16-character password, there are around 10^22 passwords to try. If you start using numbers, too, there are around 10^24, so a hundred times harder. But if instead you double the length of the password, there are around 10^44, which is a sextillion times harder. Quantum computation is certainly interesting to the NSA, but the technology isn't up to code cracking yet; scientists are just at the edge of beating the error bound necessary for quantum computations with more than a handful of qubits. Link to www.news.ucsb.edu
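The keyspace arithmetic in that answer, worked through as an added example (this is not code from the AMA or from the splicious project). It computes the exact counts behind the rounded figures above, the entropy in bits, and the ratio between two password policies, so the "bigger alphabet vs. longer password" comparison can be checked for any combination; the character-set sizes and the guess rate used in the helper are assumptions chosen for the illustration.

```python
import math

# Alphabet sizes assumed for the illustration (constructed, not from the post).
LOWER = 26           # a-z
LOWER_DIGIT = 36     # a-z plus 0-9
PRINTABLE = 95       # printable ASCII


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over an
    alphabet of `charset_size` symbols (exact integer, no rounding)."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random.
    Doubling the length doubles the bits; enlarging the alphabet adds
    only log2(new/old) bits per symbol."""
    return length * math.log2(charset_size)


def compare(base_charset: int, base_length: int,
            alt_charset: int, alt_length: int) -> float:
    """How many times larger the alternative keyspace is than the base one."""
    return keyspace(alt_charset, alt_length) / keyspace(base_charset, base_length)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at an assumed guess rate
    (the rate is a parameter because it depends entirely on the hash and hardware)."""
    return keyspace(charset_size, length) / guesses_per_second


def summary() -> dict:
    """The three cases from the post: 16 lowercase, 16 lowercase+digits, 32 lowercase."""
    return {
        "lower16": keyspace(LOWER, 16),
        "lowerdigit16": keyspace(LOWER_DIGIT, 16),
        "lower32": keyspace(LOWER, 32),
        "digits_vs_base": compare(LOWER, 16, LOWER_DIGIT, 16),
        "double_vs_base": compare(LOWER, 16, LOWER, 32),
        "bits16": entropy_bits(LOWER, 16),
        "bits32": entropy_bits(LOWER, 32),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:>15}: {v:.3g}" if isinstance(v, float) else f"{k:>15}: {v:.3e}")
```

The exact figures agree with the rounded ones in the post to within an order of magnitude: adding digits to a 16-character password multiplies the keyspace by roughly 180, while doubling the length multiplies it by roughly 4 x 10^22. The entropy view makes the same point: 16 lowercase characters give about 75 bits, 32 give about 150.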
How could a regular person like me learn the basics of this? What did you mean by "this"? Reverse engineering, password cracking, or secure distributed communications?
All of it and where should one start? I've done custom rainbow salt tables and attempted wpa2 attacks for fun and cracking hashes using Cain and Abel. For reverse engineering, woodmann.com is the place to be. Get a copy of OllyDBG and IDA Pro; there is an older version available for free. Here's a reasonable intro to some of the techniques: Link to yurichev.com
Actual question how good is router security with passwords for example can you or have you hacked a router (guessing default passwords don't count)? I haven't ever tried breaking router passwords; I have my own router, so I don't need to use anyone else's.
Are you the guy that made this video: Link to www.youtube.com ? Yep. In addition to the content creation and curation stuff, there's also a notion of controlling who gets access to personal information. In the video, I drew how Alice can prevent Bob from knowing her name or address while still proving that she's 21.
But we need money to make it real.
Are you in fundraising mode? Are you doing crowd funding? Do you have a site? Yes, we're doing crowd funding. The site is linked in the description.
How is there such a huge disconnect between you and I? I spend hours on the computer and can't do shit with it other than reddit and excel spreadsheets. How do you get into it? Is it a lot of reading? How does it work? I think you become good at doing what you spend time on, and you tend to spend time on things that you like doing. I learned this stuff because it made me happy. I get a thrill out of this sort of thing, so I keep coming back.
That said, with enough hard work, you can become good enough at something that it's no longer a drag: playing piano for the first few years sucks. Who wants to sit there plunking out "Mary had a little lamb"? But once you have the skill to actually read music and play it, then you're free to explore all your musical tastes. After you've played a lot of the music you love, you get a feeling for chord changes and what sounds good to you, so you can improvise your own music.
It's the same way with math and programming: there's some hard stuff at the start, but once you become good enough at it, you can start behaving like an artist and do your own thing.
The equivalent of learning "Mary had a little lamb" is introductory programming sites like KhanAcademy or codeacademy or code.org or a bazillion others.
What do you think of the new NSA, using the Patriot Act? I think the Patriot Act traded an enormous amount of liberty for what turned out to be virtually no increase in security.
Is that the same platform that this ex-Googler was talking about in this video Link to www.youtube.com. Yes, that's Vlad Patryshev. He was one of the guys who made Orkut. He was actually really excited about splicious and said, "I've been waiting for this since FidoNet."
Thanks. I'll look into all that. Lol, well that's a different story, a lucky one too. So you had no knowledge or experience with programming and they just hired you? What degree were you going to go after if you went to college? Oh yeah, did you end up going to college after all or you just stuck with the job and learned from them? I had plenty of programming experience, but no crypto experience. I couldn't decide for a while between computer science and physics. Eventually I compromised and got a degree in applied physics; basically, all my electives were CS. I finished my bachelor's degree, then lost the job when the dot com bubble burst, went to New Zealand and got a MSc in CS, then started a PhD but ran out of money, went to work for Google's security team and started working on the PhD part time. I worked there for six years, then quit to work on splicious. I just finished the thesis and will defend later this year.
I might be late to the party, but what do you think of the XKCD password comic? This is the method I'm currently using with the help of Make Me A Passwords generator. It's spot on. When given the option, use long phrases rather than gibberish. LastPass can manage your online passwords by generating very long gibberish but only require you to use something memorable.
You actually suggest LastPass over KeePass(X)? I was using LastPass as an example of the genre, like how the southern US refers to any carbonated soft drink as "coke". I haven't made an extensive study of the offerings.
Are you Jesus? 'cause you look a lot like him. I was babysitting with another guy for a group of moms once, and when one of the moms dropped off her young kid---maybe four or five years old---he got really big-eyed and nervous. I thought he was afraid of the beard and hair: sometimes people would cross to the other side of the street when they saw me coming. So I invited him in, showed him the toys, and we all played and had a good time.
When his mom came to pick him up, he ran over and said, "Jesus is fun!"
Hey Mike, my understanding is that you've built a distributed platform and also adding on bitcoin support so that every post you make on splicious could potentially generate revenue. I would say that it's a new take on an alternate virtual economy and want to try as soon as they allow public use. Are you planning to add some kind of reputation system to it? Say, if I want to look for something à la Craigslist style rather than post my poetry? We've been thinking about reputation systems, but don't have any firm plans. Part of the problem with reputation systems online is that people do "pump & dump", using their reputation to steal something. If anyone has ideas or references about fighting this, please PM me.
Was most of your work just using parallelism brute forcing, or did you look for vulnerabilities in encryption standards? Also what is your opinion on the vulnerabilities of dual elliptic curve cryptography? Nearly all of my work was cryptanalysis of the relatively weak cryptography that was prevalent in the late '90s. We started turning to parallelism when MS Word improved its crypto to the 40-bit stuff that was the limit for software you could export.
The vulnerability in the PRNG for dual ECC was clearly inserted by the NSA and weakened everyone's crypto, even the US military and government's. I'm surprised that there's not more outcry from the other government organizations.
LastPass, gotta remember that one. The one thing I'm worried about though is my email is under Yahoo and I've heard they are famous for being hacked because of crappy protection programs or leaks even; is this true? Looks like Yahoo has 2-factor auth available. If you turn it on, then even if crackers do figure out your password, they won't be able to log in with it because they don't have your phone. That's the single best thing you can do.
Can you explain this like you would to someone who's never heard of hacking? There's no password you can remember that would stand up to modern cracking software. If you use a long passphrase, you might stand a chance. 2-factor auth is the only way to stay safe.
Can you tell me how to turn it on in a pm please. I'll just put it here, since everyone ought to know this: Link to www.zonealarm.com
What's your computer/laptop specs? I had a Macbook Pro, like most of Google security team, and got myself another when I left. It has all the benefits of unix with really nice hardware and good support.
What makes one password cracker different than another? Edit: Wonderful beard. Generally it's how well they take advantage of the parallelism in the GPU. And thanks!
Do you feel that bitcoin as a currency will make it, even with all of the theft and the ease at which people are being hacked and having coins stolen? I have no particular attachment to bitcoin as a currency. Ben Laurie, for example, has some excellent points about how to keep bitcoin secure: you either have to trust the software authors or spend half of all computing power for the rest of eternity. If you're going to trust people, there are much more efficient ways to mint money. Link to www.links.org
For our purposes, bitcoin provides a fairly simple micropayments service; any other distributed currency would probably work just as well.
We also don't store the wallets ourselves; we use blockchain.info.
I feel the success will be based on micropayments, i.e. reading a Wall Street Journal article for a .05 or .10 fee and not having to buy the whole newspaper or article. Just my 2 cents.. Exactly. A journalist would write an article and share it with WSJ. WSJ would reshare it, and readers could support the journalist by contributing a mBTC. WSJ would get a cut and the journalist would get the lion's share.
So how hard would it to be to break a password of, say, "iFuCkInGHate2001!!"? If crackers get hold of the file with the password hashes, nearly all passwords will be cracked, even quite long ones like yours. A similar password (18 printable chars) that has been hashed once with SHA with no salt would take less than an hour to crack on a single PC. Adding salt makes it harder to build tables where you can just look up the password instantly, but no slower to just brute force.
People REALLY need to use 2-factor auth to be secure.
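The salt point in the answer above, shown concretely as an added example (not code from the AMA or the splicious project). A table of precomputed SHA-1 digests for a candidate list is built once and answers any unsalted hash instantly; the same table is useless against a salted record, yet the per-record guessing loop still costs exactly one hash per candidate, which is why salting protects against precomputation but not against a fast hash being guessed through. The candidate list and the stored password are constructed sample values.

```python
import hashlib
import os

# Constructed candidate list standing in for a cracker's wordlist (not from the post).
CANDIDATES = ["password", "letmein", "correct horse battery staple", "iLoveSummer2001"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """The weak scheme the answer describes: one SHA pass, no salt."""
    return sha1_hex(password.encode())


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash, but with a per-record salt prepended. The salt is stored next
    to the digest; it is not secret, only unique, so no two records share a table."""
    return sha1_hex(salt + password.encode())


def build_lookup_table(candidates):
    """Precompute digest -> plaintext once. With no salt, this single table
    answers every record in every breached database that used the same scheme."""
    return {unsalted_hash(c): c for c in candidates}


def table_lookup(table, stored_hash):
    """Constant-time dictionary hit or miss, no hashing at query time."""
    return table.get(stored_hash)


def guess_per_record(stored_hash, salt, candidates):
    """Per-record guessing. Returns (plaintext or None, hashes computed).
    The salt does not change the cost of each guess; it only forces the
    work to be repeated for every record instead of shared via a table."""
    hashes = 0
    for c in candidates:
        hashes += 1
        h = salted_hash(c, salt) if salt is not None else unsalted_hash(c)
        if h == stored_hash:
            return c, hashes
    return None, hashes


def demo(password: str = "letmein"):
    """Returns (table hit on unsalted, table result on salted, guessing result on salted)."""
    table = build_lookup_table(CANDIDATES)
    hit = table_lookup(table, unsalted_hash(password))      # instant
    salt = os.urandom(16)
    salted = salted_hash(password, salt)
    miss = table_lookup(table, salted)                      # table is useless now
    recovered, cost = guess_per_record(salted, salt, CANDIDATES)
    return hit, miss, recovered, cost


if __name__ == "__main__":
    print(demo())
```

Because the per-record cost is unchanged, the practical defences on the server side are a deliberately slow, memory-hard password hash in place of a single SHA pass, and second factors so that a recovered password alone is not enough to log in.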
So what can a person like me, who doesn't know much about how to make a password more secure except making it super long and complex, do to "feel safer" about not getting hacked? First, choose reputable services like GMail, where they take security very seriously. A cracker who can't get to the database of password hashes is forced to attempt to log in repeatedly, which can be detected and throttled to a safe rate.
Second, use 2-factor auth if it's available.
Third, use something like LastPass that generates a long random password for each site and stores it encrypted under a single password that you remember. You never type that password into anything online.
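The throttling the first point relies on, as an added example written for this page (not the AMA's or any named service's code): a per-account sliding-window limiter that stops answering login attempts after a few failures in a short period, so that online guessing against a service that never leaks its hash database is held to a rate that cannot cover any realistic keyspace. The limits, the credential store and the attempt sequence are constructed sample values.

```python
from collections import deque


class LoginThrottle:
    """Per-account failed-attempt limiter: once `max_failures` failures fall
    inside the last `window_seconds`, further attempts for that account are
    rejected until old failures age out of the window."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}          # account -> deque of failure timestamps

    def _recent(self, account: str, now: float) -> deque:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:
            q.popleft()              # drop failures older than the window
        return q

    def allowed(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) < self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._recent(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, verify, account: str,
                  password: str, now: float) -> str:
    """Returns 'ok', 'denied' or 'throttled'. `verify` is the real credential
    check; the throttle is consulted *before* it so throttled attempts cost
    nothing and reveal nothing, even when the password happens to be right."""
    if not throttle.allowed(account, now):
        return "throttled"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


def simulate() -> list:
    """Three wrong guesses, then a fourth guess and a correct password while
    throttled, then the correct password after the window has drained."""
    creds = {"alice": "correct horse battery staple"}     # constructed sample
    verify = lambda account, pw: creds.get(account) == pw
    throttle = LoginThrottle(max_failures=3, window_seconds=60.0)
    results = []
    for i, guess in enumerate(["a", "b", "c", "d"]):
        results.append(attempt_login(throttle, verify, "alice", guess, now=float(i)))
    results.append(attempt_login(throttle, verify, "alice", creds["alice"], now=4.0))
    results.append(attempt_login(throttle, verify, "alice", creds["alice"], now=70.0))
    return results


if __name__ == "__main__":
    print(simulate())
```

A hard per-account lockout like this is simple to reason about but can be turned into a denial of service against the legitimate owner by anyone who knows the account name, so production systems usually combine a per-account window with per-source limits, growing delays or a challenge rather than a flat refusal; the detection signal (many failures per account per window) is the same in all of those variants.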
I bet your computer is awesome. It's a Macbook Pro.
Last updated: 2014-05-09 00:53 UTC
submitted by tabledresser to tabled