Cryptography as a speed-bump

I've talked to a lot of folks over the years about crypto, and while some of them (usually geeks) "get it," there are a few who still don't understand the significance of using good cryptographic protection to secure your files, and some conspiracy-theorist types who believe it's no good against corrupt governments or tyrants (trying really hard not to make a political statement here) because "the government can break it anyway" or "the government has more powerful computers than we do."

Yes, they can, and yes, they do.

But it's still not enough. What people fail to understand is that encrypting data is far less resource-intensive than brute-forcing decryption of data when you don't know the key. With a known key, encrypting and decrypting are roughly equivalent in how much CPU muscle (and time!) they require. However, a post on Slashdot really clarifies this imbalance that we see in the case of a brute-force attack.

[Begin /. Quote]
----------------------
Just the act of counting from 1 to 2^256 at a rate of 1 trillion keys per second would take approximately 2^191 years (3 x 10^57).

That's 3,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years.

This is WAY longer than the universe has been in existence and probably longer than it will continue to exist in the future. That's just counting the keys. Actually testing them would probably slow your key rate down significantly.

The math as I see it:

1 trillion keys per second = 2^40

2^40 * 86,400 * 365 = 3.4 x 10^19 keys per year

- or 2^65 keys per year

2^256 keys / 2^65 keys per year = 2^191 years (256 - 65 = 191)

- or 3 x 10^57 years
---------------------------------
[End /. Quote]

The fact of the matter is that any cryptographic protection can and will be broken. HOWEVER, proper use of the technology can make it sufficiently difficult or drawn-out that the data will be irrelevant by the time it is deciphered.

Yes, the government has "powerful computers." They're not so powerful that they can shave 3,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years down to something practical. No computer system is.

When, in most cases, a mere 3 years would be enough to render the encrypted data useless by way of irrelevance, and certainly long enough to run out the statute of limitations in many jurisdictions, a figure like the one above is obviously overkill in more ways than I care to count (many of which whose mere mention would insult your intelligence).

So, in conclusion, you have plenty to gain in the way of privacy, and nothing to lose (save for a few minutes of your time) by encrypting your data. If you're not comfortable with command-line/*nix/"advanced"/get-your-hands-dirty tools, try something like PGP Desktop that makes it easy.

Useful Utilities

I was recently introduced to a wondrous website full of useful, small, and free utilities for system analysis and security. The site can be found at http://www.sysinternals.com, and contains what is now one of my favourite freeware utilities, SDelete. It's a simple command-line tool for Win32 systems that lets a user specify a file to securely delete and the number of passes to make when overwriting it. The tool will then overwrite the sectors previously occupied by the file with random data, repeating as per the number of passes you specify, rendering the file unrecoverable.

This is another great asset to have in the battle for protecting individual privacy. I intend to use it quite extensively.

Child pornography and computer consultants

In a conversation over dinner yesterday, I got on the topic of computer forensics and the proper methods for inspecting a system for evidence or, as was the case yesterday, objectionable material.

The issue was that of a computer, owned by a minor, on which were found pictures of said minor engaging in activities of a sexual nature.

Now, in this particular case, the problem was handled by the family and there were no outside parties (e.g. authorities) involved.

However, consider the case of a simple troubleshooting or tech-support house call. If I or another consultant were to perform maintenance on a user's home system and discover material that could land the owner in serious legal hot water...what's the best course of action to take? As a professional, as a member of society, as someone who, quite frankly, wants nothing to do with it.

Consider also the case of deleting files on a client's system to improve performance. If cache files contained images or other binary files that could be used as evidence in a child-pornography investigation, and a consultant were to delete them as part of a system cleanup (unwittingly, of course), does that make him an accessory to the crime? Is he aiding and abetting a sex offender by removing evidence, even if he only aimed to clear out unnecessary data? How does intent play into a scenario such as this?

Also, what if he offered backup services in the form of binary system images (think PQDI or Ghost), and a customer's system contained information that was considered illegal or "suspect," such as a PDF copy of the Anarchist's Cookbook. He'd have those files, albeit not individually accessible, on backup media in his possession as a means of data protection for his client. Does this mean he's now in possession of child porn or terrorist handbooks?

Questions, comments, and other feedback are welcome. The law is a bizarre and tricky beast, to be sure.

Debut

Welcome, readers, to my humble InfoSec-meets-multimedia blog, Cipherpixel. Having cut my teeth on blogging in the foul quagmire of personal blogs, overpopulated by teenagers whining to the world on the internet, I opted (finally!) to publish a news-oriented blog light on personal details (they'll be there, but only when significant and relevant to a greater topic) and heavy on, well, geek news.

Yeah, this constitutes humble beginnings and will likely be one of those posts I'll want to mask or delete if this blog ever makes it big. Remember your humble beginnings. Remember them well.