Rosio Pavoris

Goal reached

I said I was going to read fifty books in 2007, and I thought I was at 48, but when I was actually making the list earlier (because bored) it turned out I’d miscounted, and I had, in fact, read fifty.
Since it’s unlikely I’ll be finishing any of the books I’m reading right now before New Year (I tend to only read when skipping class), I’m just going to post it now and declare victory. As such, in alphabetical order by author:

So yes

Christmas and all that.
I got an iPod Nano (though I didn’t ask for one; I just mentioned I needed a new MP3 player, since my old one is a Sony one, and Sony is getting on my nerves; Apple obviously isn’t any better in terms of principles, but at least I can install Linux on it), The Art of Computer Programming, Volume 1, Fascicle 1 (bought because my mom was under the impression it was volume 1, which was a fair guess since it doesn’t even say anywhere on the cover that this is just an update to a single chapter of volume 1, not the actual volume; I don’t know whose idea it was to not label it explicitly, but that person shouldn’t be in marketing), and something purporting to be a chemistry set. Its main feature seems to be “supersnot”, so I question its usability in the manufacturing of high explosives.

Anyway.
I wrote a Facebook application, both because I was bored and because I wanted to see what the Facebook API looks like. Somewhat odd but not terribly complicated, turns out.
Basically all this app does is display your Muffins name and ID and level and avatar in your profile (and optionally your title, equipment, and/or companion as well), and show you a list of friends who added the application and their Muffins names and IDs and levels and avatars.

It’s not terribly useful for Muffins, perhaps, since we only have forty or so active players, and to the best of my knowledge fewer than ten of those use Facebook, but I made it anyway. It would have been handy to have this for something like KoL, but I’m not going to write it, in large part because, to make things simpler, I wrote a script that just queries the game database directly and outputs neatly-formatted code, which the Facebook app interacts with, which I wouldn’t have been able to do without admin access.
For KoL, you’d need an active player session to view player profiles and something to log back in when the session dies because of time-outs or rollover and a parser to extract the needed information and another bit to format that information again and then the whole thing catches on fire and you cry yourself to sleep. So no, not going to do it.

DES

Now that we’ve seen an asymmetric cipher (sort of) and a symmetric stream cipher, maybe it’s time to look at a symmetric block cipher. Specifically, DES.
DES is perhaps the canonical block cipher, but it’s also atypical in some ways. The main reason I picked it, though, is that it has some history beyond “X thought it would be fun”, for people who aren’t interested in the messy details of the algorithm.

History

In the early ’70s, the American National Bureau of Standards (which is now NIST) decided the US government needed an encryption standard suitable for general use, and after consulting with the NSA, it decided to solicit proposals from the general public.
The first request, issued in 1973, turned up no acceptable candidates. After the second request in 1974, though, IBM submitted a cipher that was deemed acceptable: a descendant of Horst Feistel’s Lucifer algorithm.
After the NSA had reviewed it (and, controversially, had a hand in the design of the S-boxes and in shortening the key to 56 bits), the proposed DES cipher was published in the Federal Register in 1975 and the public’s comments were requested.

Semester over

About time.

Exams start January 9th.

The Solitaire cipher

A lot of textbooks make a distinction between classical cryptography and modern cryptography that is, in my mind, completely artificial. To demonstrate, allow me to explain one particular algorithm that many would put in the category of “classical” cryptography (because it doesn’t involve computers), but which is a stream cipher driven by a pseudo-random number generator, a design one would normally consider entirely modern.

The Solitaire cipher was developed in 1999 by Bruce Schneier for Neal Stephenson’s novel Cryptonomicon (which I still haven’t read). It generates a reproducible pseudo-random number stream from a keyed deck and adds those numbers to the plaintext letters, modulo 26, like an ordinary additive cipher (or a one-time pad, except that the pad is generated rather than random).
And it’s done with playing cards.
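
The algorithm itself, as an added example (my code, not Schneier’s and not from the original post): the deck is a list of the numbers 1 to 54, with 53 and 54 standing for the A and B jokers; each keystream value comes from moving the jokers, a triple cut, a count cut, and reading off a card, with jokers skipped on output. Key letters are mixed in with an extra count cut per letter. Padding the plaintext to a multiple of five with X is Schneier’s convention, and the unkeyed-deck output below is his published test vector.

```python
"""Solitaire keystream generator and letter cipher (Schneier, 1999).

Added example, not from the original post. Card values: 1-52 for the
ordinary cards (clubs, diamonds, hearts, spades; ace through king),
53 for joker A and 54 for joker B. Both jokers count as 53 when used
as a number.
"""
import string

JOKER_A, JOKER_B = 53, 54


def letter_value(ch):
    """A=1 ... Z=26."""
    return ord(ch) - ord("A") + 1


def value_letter(n):
    """Inverse of letter_value, reducing modulo 26 first (26 -> Z)."""
    return chr((n - 1) % 26 + ord("A"))


class Solitaire:
    def __init__(self, key=None):
        # Unkeyed deck: 1..52 in order, then joker A, then joker B.
        self.deck = list(range(1, 55))
        if key:
            for ch in key.upper():
                if ch in string.ascii_uppercase:
                    self._mix()
                    # Keying step: one extra count cut by the letter's value.
                    self.deck = self._count_cut(letter_value(ch))

    def _move_down(self, card, steps):
        """Move a joker down `steps` positions; past the bottom it wraps to position 1."""
        for _ in range(steps):
            i = self.deck.index(card)
            if i == len(self.deck) - 1:
                self.deck.insert(1, self.deck.pop())
            else:
                self.deck[i], self.deck[i + 1] = self.deck[i + 1], self.deck[i]

    def _triple_cut(self):
        """Swap the cards above the first joker with the cards below the second."""
        i, j = sorted((self.deck.index(JOKER_A), self.deck.index(JOKER_B)))
        return self.deck[j + 1:] + self.deck[i:j + 1] + self.deck[:i]

    def _count_cut(self, n):
        """Move the top n cards to just above the bottom card (the bottom card stays)."""
        return self.deck[n:-1] + self.deck[:n] + self.deck[-1:]

    def _mix(self):
        """Steps 1-4: joker A down one, joker B down two, triple cut, count cut."""
        self._move_down(JOKER_A, 1)
        self._move_down(JOKER_B, 2)
        self.deck = self._triple_cut()
        self.deck = self._count_cut(min(self.deck[-1], JOKER_A))

    def next_keystream_value(self):
        """Step 5: count down from the top by the top card's value; skip jokers."""
        while True:
            self._mix()
            card = self.deck[min(self.deck[0], JOKER_A)]
            if card < JOKER_A:
                return card

    def keystream(self, n):
        return [self.next_keystream_value() for _ in range(n)]

    def encrypt(self, plaintext):
        text = "".join(c for c in plaintext.upper() if c in string.ascii_uppercase)
        text += "X" * (-len(text) % 5)  # pad to a multiple of five, as Schneier does
        ks = self.keystream(len(text))
        return "".join(value_letter(letter_value(p) + k) for p, k in zip(text, ks))

    def decrypt(self, ciphertext):
        text = "".join(c for c in ciphertext.upper() if c in string.ascii_uppercase)
        ks = self.keystream(len(text))
        return "".join(value_letter(letter_value(c) - k) for c, k in zip(text, ks))


if __name__ == "__main__":
    print(Solitaire().keystream(10))                  # unkeyed deck: 4 49 10 24 8 ...
    print(Solitaire().encrypt("AAAAAAAAAA"))          # EXKYIZSGEH
    ct = Solitaire("FOO").encrypt("attack at dawn")
    print(ct, Solitaire("FOO").decrypt(ct))
```

Note that encrypting and decrypting each need a fresh Solitaire object keyed the same way: the deck is the cipher state, and reusing one object continues the keystream rather than restarting it.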

A useful Facebook app?

Well, for a given value of useful. My Public Key is an application that displays your PGP public key in your Facebook profile, and lets you view which of your friends have public keys listed.
It’s a very simple application, but it’s quite useful for people who don’t want to deal with keyservers and the like.

PGP is, of course, a program for encrypting and decrypting things using asymmetric cryptography (strictly speaking, the public key encrypts a random session key and a symmetric cipher with that key encrypts the actual message, but that’s an implementation detail). It also signs things, but encryption is the short of it. There are implementations available for every major OS.
(Actually, PGP is the original, non-free program. OpenPGP is the standard, which came later (the current version is RFC 4880), and there are free implementations of that available, of course. The most popular one is probably GnuPG, which is installed by default on many Linux systems.)

Using it is quite straightforward, once you’ve done it once.
The first thing you do is generate your own keypair. Using GnuPG (on the Lunix; may be different for other OSes), you type:

gpg --gen-key

And just follow instructions. If you aren’t sure about a question, just leave it on the default. It’s entirely possible your random number generator will run out of entropy while generating your key, especially for large keys. If this happens, just leave the window open and play a game for a bit.
Don’t forget to pick a solid passphrase, too. And if you pick a phrase from a famous book, at least substitute some of the words. I’m assuming it’ll let you use a single-word password as well, but why would you?

When that’s done, your keypair will automatically be added to your keyring. To see your public key, just type:

gpg --export -a "Your Name"

(Without a name, --export dumps every public key in your keyring, including the ones you’ve imported from other people, so you’d be pasting those along with your own.)

The -a is short for the --armor option, which outputs ASCII instead of binary (which is particularly useful, since binary output can fuck up your command prompt; if that happens, just type reset (though you’ll be typing blindly) to fix it).
The output from this command is what you paste into the My Public Key app.

To import a friend’s key, just save his key to a file and do the following:

cat FILENAME | gpg --import

Replacing “FILENAME” with the filename, of course.
You can also skip the file: run gpg --import on its own, paste the key, and press Ctrl-D to end the input. The important bit is that the key is read from standard input.
If this is successful, you’ll get a message saying whose key you just imported.

To encrypt a message, you would do the following:

echo "Message" | gpg --encrypt -a -r "Recipient"

Where “Message” is your message (you can save your message to a file and use cat if you like; again, standard input), and “Recipient” is the message’s recipient. You can use just the name, or the name + e-mail, or whatever. It’s pretty lenient about that.
If you leave out a recipient (that is, use gpg --encrypt -a), you’ll be prompted for it.
Note the use of -a again. This isn’t necessary if you’re encrypting files (which you can also do), but most of time you’ll be encrypting messages to paste into e-mails and the like, so it’s useful to have a readable output.
An example:

xarn@xarn:~$ echo "Lol penis." | gpg --encrypt -a -r "Koen Crolla"
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.6 (GNU/Linux)
…
=EY8h
-----END PGP MESSAGE-----
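
The block above is OpenPGP ASCII armor (RFC 4880, section 6): a BEGIN line, optional headers, a blank line, base64 data, a checksum line starting with “=”, and an END line. As an added example (not from the original post, and not GnuPG’s code), here is a parser and producer for that format that verifies the checksum. The checksum is a CRC-24 over the binary data, so it only catches damage in transit (a mangled paste, a line-wrapping mail client); it is not a security check, and an attacker who alters the body can simply recompute it. The sample bytes are constructed for the demonstration and are not a real OpenPGP packet.

```python
"""Parse and verify OpenPGP ASCII armor (RFC 4880 section 6). Added example."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 as defined in RFC 4880 section 6.1 (the armor checksum)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


class ArmorError(ValueError):
    """Raised when the armor is malformed or the checksum does not match."""


def armor(data, kind="PGP MESSAGE", headers=None):
    """Produce an armored block with the same layout gpg -a prints."""
    lines = ["-----BEGIN %s-----" % kind]
    lines.extend("%s: %s" % (k, v) for k, v in (headers or {}).items())
    lines.append("")  # blank line separates headers from the body
    b64 = base64.b64encode(data).decode("ascii")
    lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc)
    lines.append("-----END %s-----" % kind)
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Return (kind, headers, data) after checking the CRC-24, or raise ArmorError."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    begin = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0].strip())
    if not begin:
        raise ArmorError("missing BEGIN line")
    kind = begin.group(1)
    if lines[-1].strip() != "-----END %s-----" % kind:
        raise ArmorError("missing or mismatched END line")
    body = lines[1:-1]
    headers = {}
    i = 0
    while i < len(body) and ":" in body[i]:  # base64 never contains ':'
        key, _, value = body[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    if i < len(body) and not body[i].strip():  # the blank line ending the headers
        i += 1
    b64_lines, checksum = [], None
    for line in body[i:]:
        line = line.strip()
        if line.startswith("="):  # the CRC line; base64 lines never start with '='
            checksum = line[1:]
        elif line:
            b64_lines.append(line)
    try:
        data = base64.b64decode("".join(b64_lines), validate=True)
    except ValueError as exc:
        raise ArmorError("bad base64 body: %s" % exc)
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum), "big")
        if crc24(data) != expected:
            raise ArmorError("CRC-24 mismatch: the armor was corrupted in transit")
    return kind, headers, data


def armor_is_valid(text):
    """True if the block parses and its checksum matches."""
    try:
        dearmor(text)
        return True
    except ArmorError:
        return False


if __name__ == "__main__":
    # Constructed sample bytes; a real block would carry an OpenPGP packet.
    sample = b"constructed sample bytes, standing in for a real OpenPGP packet"
    text = armor(sample, headers={"Version": "GnuPG v1.4.6 (GNU/Linux)"})
    print(text)
    print(dearmor(text))
```

The format is lenient on purpose (stray whitespace, CRLF line endings and a missing checksum line are all accepted), which matches what gpg itself tolerates when you paste a message that went through a mail client.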

If you’re using a friend’s key which you imported, gpg will warn you that it can’t verify the key really belongs to the person you think it belongs to, and ask whether to use it anyway. That warning is the one part of all this that actually matters: anyone can create a key with your friend’s name and e-mail address on it, and a key copied off a web page is only as trustworthy as the page. Compare the key’s fingerprint (gpg --fingerprint "Friend’s Name") with your friend over a channel you trust (in person, or by phone), and once it matches, sign it locally with gpg --lsign-key "Friend’s Name" so the warning goes away. If you’ve done that, answering yes is fine; if you can’t be bothered, at least know what you’re skipping.

This output is what you send along to your friend, who can decrypt it doing:

cat FILENAME | gpg --decrypt

Where FILENAME is the name of the file with the message in it. Or, again, you could paste it in. The program will automatically select the correct key from your private keyring (the message records which key it was encrypted to), and you’ll be prompted for your passphrase to unlock it.

Obviously you’ll need the private key to decrypt the message, so you can’t check that a message you’re sending to a friend was encrypted correctly by decrypting it yourself. If you want to test things, use your own keypair as the recipient; the easy way is to pipe the encryption command straight into the decryption command. One more thing: --encrypt on its own says nothing about who wrote the message, since anyone with your friend’s public key can encrypt to him. If it matters that the message came from you, add the --sign option to the encrypt command, and gpg will ask for your passphrase to sign it as well.

Anyway, all of this is rather involved, of course. There are graphical front-ends which make it a bit easier, and most major e-mail clients have at least one plug-in available to deal with the messy parts of PGP on its own (Thunderbird has Enigmail, for instance), so if you want to use it a lot and dislike the command line, look into those.
Since e-mail is slightly less private than writing your message on a postcard and giving it to a random stranger to mail (as I, and several other people, have mentioned before), I do encourage you to use it, though. Even Gmail’s totalitarian disregard for privacy becomes less pressing if you take control yourself.

At least until someone builds a quantum computer.

Ravens

It’s been months since the last contribution, but that’s no reason to think the Raven Project is dead. Emily just recorded verse 11 (“Startled at the stillness broken…”).

Four to go. If you have a mic and haven’t recorded a verse yet, please do so.

Good news

A federal judge in Vermont has ruled defendants cannot be forced to reveal their PGP passphrase:

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

In this regard, the US is more sane than the UK.
This is good news, but not primarily from a constitutional angle.

The main problem with forcing people to turn over their encryption keys (any encryption keys, not just PGP passphrases) is that good encryption produces data indistinguishable from random noise, and a typical hard disk holds plenty of noise-like data that isn’t ciphertext at all. The “empty” space, for example, still contains whatever was stored there before (deleting a file doesn’t zero out the bits, barring tools like shred and the secure-delete option on Macs; it just flags the area as free), and any of that which was compressed, already encrypted, or wiped with random data looks exactly like an encrypted file. So if withholding a key were against the law, all a prosecutor would have to do is claim that (part of) the empty space is actually an encrypted volume, cleverly hidden (which a lot of software is capable of doing). There would be no way of disproving it, because there is no key to produce.
I use the empty space example, but of course this applies to steganography of any kind. If you look hard enough, you can find random data “hidden” anywhere, and that’s all you need to claim someone is hiding encrypted data, withholding the key to it, and thus breaking the law. The UK’s RIPA can make criminals out of anyone.

Of course, what with the presumption of innocence it might take a mildly corrupt (or ignorant) judiciary to allow it, but let’s face it, those aren’t in short supply.

If this decision holds up on appeal, it could be a very important precedent.

(Of course, since this involves an alleged pedophile, many people are getting entirely the wrong message out of this decision, and a lot of the knee-jerk retards are actually rooting for it to be overturned. Let’s hope the judge isn’t swayed by the public opinion, because the public is comprised of ignorant morons.)

Diffie-Hellman Key Exchange

I mentioned Diffie-Hellman key exchange in the context of asymmetric cryptography. I think it’s time to look at the algorithm a bit more closely.

As usual, Alice and Bob are trying to securely exchange some information, and they want to agree on a key they can use for a symmetric algorithm. Perhaps they don’t know about asymmetric encryption, or they have too much data to exchange for it to be feasible (asymmetric ciphers are slow), or they need a stream cipher. Either way, they want to use symmetric encryption.
They have no secure way to exchange keys, because Eve is listening. After all, Eve listening is the whole reason they want to encrypt in the first place. This is a very common situation on the internets.
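
The exchange, carried through as an added example (my code, not from the original post): Alice and Bob agree on a prime p and a generator g in the open, each picks a secret exponent, they swap g^a and g^b, and both end up with g^(ab) while Eve only ever sees p, g, g^a and g^b. The parameters are generated on the fly for illustration; a real deployment uses a standardized group (the RFC 3526 MODP groups, 2048 bits and up) or elliptic-curve Diffie-Hellman. The last function is Eve’s brute-force attack, which works for the 20-bit toy group in the test and shows why the size of p is the whole point.

```python
"""Diffie-Hellman key agreement, with Eve's view of the exchange.

Added example, not from the original post. Group parameters are generated
here for illustration only; use a standardized group in practice.
"""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return a prime p = 2q + 1 with q also prime, so the generator has large order."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def find_generator(p):
    """A generator of the order-q subgroup (the quadratic residues mod p)."""
    while True:
        h = secrets.randbelow(p - 2) + 2
        g = pow(h, 2, p)
        if g != 1:
            return g


def dh_exchange(p, g):
    """Run one exchange. Only p, g, A and B ever go over the wire."""
    q = (p - 1) // 2
    a = secrets.randbelow(q - 1) + 1  # Alice's secret exponent, never sent
    b = secrets.randbelow(q - 1) + 1  # Bob's secret exponent, never sent
    A = pow(g, a, p)                  # Alice -> Bob
    B = pow(g, b, p)                  # Bob -> Alice
    return {
        "on_the_wire": (p, g, A, B),   # everything Eve gets to see
        "alice_secret": pow(B, a, p),  # Alice computes B^a = g^(ab)
        "bob_secret": pow(A, b, p),    # Bob computes A^b = g^(ab)
    }


def eve_recover_secret(p, g, A, B):
    """Eve's only generic option: solve g^x = A by brute force, then compute B^x.
    Feasible for a 20-bit p, hopeless for 2048 bits."""
    x = 1
    for exponent in range(1, p):
        x = x * g % p
        if x == A:
            return pow(B, exponent, p)
    return None


if __name__ == "__main__":
    p = generate_safe_prime(64)
    g = find_generator(p)
    result = dh_exchange(p, g)
    print("p =", p, "g =", g)
    print("Alice and Bob agree:", result["alice_secret"] == result["bob_secret"])
    tiny = dh_exchange(*(lambda tp: (tp, find_generator(tp)))(generate_safe_prime(20)))
    print("Eve recovers the 20-bit secret:",
          eve_recover_secret(*tiny["on_the_wire"]) == tiny["alice_secret"])
```

Eve listening is the threat the protocol handles; Eve actively sitting in the middle and running one exchange with Alice and another with Bob is not, since nothing here tells Alice that B really came from Bob. That is why the public values are signed (or otherwise authenticated) whenever this is used for real.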

Sinterklaas

I didn’t get anything. ;____;
I did, however, skip class to help my mom set up the Christmas tree. It’s made of blinky lights and tastelessness.

And then it turned out classes were cancelled anyway because of some student demonstration (well, not officially cancelled, but the “we won’t punish you if you don’t show up” type of cancelled, which is the same thing in a hogeschool) against some proposed law that would fund higher education based on the number of credits students acquire each year.
It doesn’t take a genius to figure out this is a fucking retarded idea, but apparently only 1,500 (originally: 800) students (from all over Flanders) showed up to protest. I’m guessing the weather had something to do with that. And maybe the fact that although it was announced well in advance and there were posters all over our building, nobody actually knew what they were supposed to be protesting.

And of course, since the twit proposing it (Frank Vandenbroucke) is a member of the SP.a (the Flemish socialist party, which I voted for), the socialist education union didn’t support the manifestation, because obviously party loyalty comes before common sense, and even fucking party principles.
Neither did the KUL student council, by the way, though the KHL student council, which is technically subservient to said council, did. Of course, the problem with the KHL is that very few people there care about politics, what with the brain damage and everything.

Anyway, it’s just a proposal at this point. With luck it’ll get shot down in January.

(Side note: annual government funding for the entire Flemish higher education system is about a thirtieth of the endowment of Harvard University alone, even with the 10% increase in funding over the past decade or so.)

Edit: Okay, the Standaard said 800 students, VRT Nieuws said 1,500. I’m more inclined to trust the VRT.
1,500 still isn’t an enormous number, given the fact that there are nearly a hundred thousand students in just the five Flemish universities, and presumably considerably more than that in the hogescholen, but it’s better, at least.

Also

TrueCrypt is shinywin. Try it.
It even comes with plausible deniability (a hidden volume inside the free space of another encrypted volume, whose existence can’t be demonstrated without its password), in case you live in one of the more totalitarian countries.

I’d very much like to use PGP’s Whole Disk Encryption, like Schneier the Bruce, but I don’t have 141 € to drop on it, handy though it would be.
And I’m leery of crypto software that is both closed source (despite Schneier’s endorsement) and has an enterprise edition.

Speaking of Schneier, I’m getting Applied Cryptography for Christmas. :3

Block and Stream Ciphers

Last time, I talked about the difference between symmetric and asymmetric ciphers, and said the symmetric ones were further divided into block and stream ciphers. I’ll say a little about what that means, without getting too deeply into it, since it’s not really that important.

Well, I say symmetric, but I can’t think of a conceptual reason asymmetric ciphers also couldn’t be divided into those two classes. In practice, though, I don’t know of a single asymmetric cipher that isn’t basically a block cipher.

Symmetric and Asymmetric Encryption

Another post in my series on cryptography for beginners. This time: the difference between symmetric and asymmetric encryption!

Basically, there are two main types of encryption: symmetric and asymmetric.
The most important difference between them is that symmetric encryption uses the same key for encrypting and decrypting, while asymmetric encryption uses different keys. Let’s see what this means.