Re: [liberationtech] RNG in Raspberry Pi

2013-10-03 Thread Andy Isaacson
On Wed, Oct 02, 2013 at 11:57:24PM -0500, Paul Elliott wrote:
 What is the quality of the Hardware RNG in the Raspberry Pi?

Fairly unknown.  The current driver used in Raspbian and so on, which
exposes the RNG directly at /dev/hwrng is definitely *not* safe to use
raw -- it needs a mixing pool at the very least, and should ideally be
simply another input to the /dev/random entropy pool along with all of
the standard sources of entropy.

 I have heard about the controversy about the intel chip
 and wondered if there were any parallel questions about
 the Raspberry Pi.

The Intel chip at least has a published design -- the design is fairly
easy to poke holes in, but at least they did *that* much.

The Broadcom RNG has no public design documentation AFAIK.

This is not a good sign for security.

The best I've seen is the VIA independent evaluation:

http://www.cryptography.com/public/pdf/VIA_rng.pdf

 Near as I can figure out if a Hardware RNG does not
 come automatically with your desktop or laptop, the Raspberry Pi
 seems to be about the cheapest source of random numbers you
 can get.

Far cheaper (in currency if not in time) is to use the audio amplifier
on your computer.  Here's one document on how:

http://www.av8n.com/turbid/paper/turbid.htm 

There's also a RNG firmware for the FST-01 programmable USB peripheral:
http://www.seeedstudio.com/wiki/FST-01
http://www.gniibe.org/memo/development/gnuk/rng/neug

 Entropy key are only 36 pounds, but they seem to have a long
 backlog.

Apparently the small company that made them is having issues.  I haven't
seen any evidence of them coming back to life, unfortunately.

 What about using a Raspberry Pi for hard random number 
 generation?

Might work.  I'd be cautious.  The FST-01 hardware is perhaps better
documented and easier to reverse engineer than the Broadcom chip.

-andy
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
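
The point made in the reply above (raw /dev/hwrng output versus the same output fed through a mixing pool alongside other sources), as an added Python example that is not part of the original thread and is not the Linux kernel's pool design. `MixingPool`, `stuck_hwrng`, `raw_key` and `mixed_key` are hypothetical names, and the all-zero hardware output is a constructed failure case.

```python
import hashlib
import hmac
import os


class MixingPool:
    """Toy hash-based pool (illustrative only, not the kernel's algorithm)."""

    def __init__(self):
        self._state = bytes(32)
        self._counter = 0

    def add(self, source: str, data: bytes) -> None:
        # Fold the new input into the state. Fields are length-prefixed so
        # different (source, data) splits cannot produce the same hash input.
        h = hashlib.sha256(self._state)
        for field in (source.encode(), data):
            h.update(len(field).to_bytes(4, "big") + field)
        self._state = h.digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block = b"out" + self._counter.to_bytes(8, "big")
            out += hmac.new(self._state, block, hashlib.sha256).digest()
        # Ratchet the state so a later state capture does not reveal old output.
        self._state = hmac.new(self._state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def stuck_hwrng(n: int) -> bytes:
    """Constructed failure case: an undocumented hardware RNG emitting zeros."""
    return bytes(n)


def raw_key(hw=stuck_hwrng) -> bytes:
    # Using the hardware output directly: the key is whatever the chip says.
    return hw(32)


def mixed_key(hw=stuck_hwrng, other=os.urandom) -> bytes:
    # The hardware RNG is one input among several; the output stays
    # unpredictable as long as at least one input is.
    pool = MixingPool()
    pool.add("hwrng", hw(64))
    pool.add("other", other(64))
    return pool.read(32)
```

If every input is predictable the pool output is predictable too: mixing protects against one bad source, it does not create entropy.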


[liberationtech] USB Block Erupters as RNG sources?

2013-10-03 Thread d.nix
Curious; anyone know much about what these inexpensive (comparatively,
price seems steadily falling) ASIC Block Erupter USB Bitcoin miners
can be adapted to doing? Could they be repurposed as RNG sources?

I know they are designed / programmed for running the SHA256 hashing
employed in mining Bitcoin, but as the difficulty rate goes up, their
value in that arena becomes less and less...

Just wondering if they might find new life as inexpensive RNGs. Any
pointers to the circuit or the code they run?

Disclaimer: I have no idea if this is even remotely a valid or good
idea... But a cheap hardware thumb drive RNG might be useful, no?

DN



Re: [liberationtech] USB Block Erupters as RNG sources?

2013-10-03 Thread coderman
On Thu, Oct 3, 2013 at 2:43 AM, d.nix d@comcast.net wrote:
 ...
 Curious; anyone know much about what these inexpensive (comparatively,
 price seems steadily falling) ASIC Block Erupter USB Bitcoin miners
 can be adapted to doing? Could they be repurposed as RNG sources?

at best you *might* be able to twist it into a DRBG that would still need
to be seeded (and regularly reseeded) with robust entropy.

these ASICs really are single purpose; they're useless for anything else.


Re: [liberationtech] USB Block Erupters as RNG sources?

2013-10-03 Thread Peter Gutmann
d.nix d@comcast.net writes:

Curious; anyone know much about what these inexpensive (comparatively, price
seems steadily falling) ASIC Block Erupter USB Bitcoin miners can be adapted
to doing? Could they be repurposed as RNG sources?

Very little, and no.  They're basically custom Bitcoin-mining ASICs, I
looked at one a while back for use in password-cracking and they're really not
suited for it at all, you load a vector in and say go but since they're
quite I/O-limited you can't easily adapt them for hash-breaking.  As for RNG
use, they're entirely deterministic, how would you use them as an RNG source?

Peter.


[liberationtech] A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship

2013-10-03 Thread Ronald Deibert
Hi Lib Tech

The Citizen Lab published a new research paper on URL filtering and censorship, 
which presents an initial methodology for identifying and confirming the use of 
URL filtering products around the world. The authors leverage the fact that many 
of these products accept user-submitted sites for blocking to confirm that a 
specific URL filtering product is being used for censorship. Using this method, 
the paper confirms the use of McAfee SmartFilter in Saudi Arabia and the United 
Arab Emirates (UAE) and Netsweeper in Qatar, the UAE, and Yemen. The results 
show that these products are being used to block a range of content, including 
oppositional political speech, religious discussion and gay and lesbian 
material, and speech generally protected by international human rights norms. 
The paper is authored by Citizen Lab's Ronald J. Deibert, Masashi 
Crete-Nishihata, Jakub Dalek, Bennett Haselton, Helmi Noman, and Adam Senft, 
and Phillipa Gill of the Department of Computer Science, Stony Brook 
University. 

https://docs.google.com/viewer?url=http%3A%2F%2Fconferences.sigcomm.org%2Fimc%2F2013%2Fpapers%2Fimc112s-dalekA.pdf

Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deib...@utoronto.ca




[liberationtech] A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship

2013-10-03 Thread Ronald Deibert
Hi Lib Tech

The Citizen Lab published a new research paper on URL filtering and censorship, 
which presents an initial methodology for identifying and confirming the use of 
URL filtering products around the world. We leverage the fact that many of these 
products accept user-submitted sites for blocking to confirm that a specific URL 
filtering product is being used for censorship. Using this method, the paper 
confirms the use of McAfee SmartFilter in Saudi Arabia and the United Arab 
Emirates (UAE) and Netsweeper in Qatar, the UAE, and Yemen. The results show 
that these products are being used to block a range of content, including 
oppositional political speech, religious discussion and gay and lesbian 
material, and speech generally protected by international human rights norms. 
The paper is authored by Citizen Lab's Ronald J. Deibert, Masashi 
Crete-Nishihata, Jakub Dalek, Bennett Haselton, Helmi Noman, and Adam Senft, 
and Phillipa Gill of the Department of Computer Science, Stony Brook 
University. 

https://docs.google.com/viewer?url=http%3A%2F%2Fconferences.sigcomm.org%2Fimc%2F2013%2Fpapers%2Fimc112s-dalekA.pdf

Data available at 
http://www.cs.stonybrook.edu/~phillipa/papers/URLFiltering.html

Cheers
Ron

Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deib...@utoronto.ca




[liberationtech] Silent Phone source code available on GitHub

2013-10-03 Thread Petter Ericson
So, Silent Circle (well, Silent Phone) is finally open source!

At least, the previous version, with the next one coming in a couple of weeks.

This, to me, is absolutely wonderful news, as it is finally possible to get a
proper security audit of the whole shebang.

Github issue: https://github.com/SilentCircle/silent-phone-base/issues/5

The released repo: https://github.com/SilentCircle/silent-phone-android

/P

- Forwarded message from Jim Burrows notificati...@github.com -

From: Jim Burrows notificati...@github.com
To: SilentCircle/silent-phone-base silent-phone-b...@noreply.github.com
Cc: pettter pett...@acc.umu.se
Subject: Re: [silent-phone-base] Impact of ZRTP library critical security 
vulnerabilities (#5)

@pettter, Soon is today, well, actually last night.

We've just released the sources to Silent Phone for Android V1.6.5. And, yes, 
we released them one week after we released 1.6.6 to the Play Store, so they're 
a little bit stale, *BUT*... what delayed us was making sure that they were 
buildable from the GitHub repo outside our build environment. That means, 
assuming we got it right, that you can check out our repo here on GitHub, build 
your own APK, install it on your phone and run it instead of our Play Store 
version.

And to make lemonade out of the lemons of being one release behind, we plan on 
releasing 1.6.6 in a couple of weeks, so, if you try to build 1.6.5 and find 
that we blew it somehow, you can post an issue here and we've already got a 
release planned to fix it in.

I'm really sorry that "soon" took this long. It was absolutely NOT my plan, but 
this summer has been really really hectic (for obvious reasons) and we're a 
small company with limited resources. The slowness has really frustrated me, as 
has the fact that when I yell, "What idiot set those priorities?" each time 
something delayed posting here, the answer was always "me". I can try to blame 
all the Snowden, NSA, Prism brouhaha and the time and resource pressures it has 
put us under, but in the end, I'm the one who grits his teeth and says, "Yes, 
that's more important than the GitHub release. Make it so."

I'd be happy to have you sympathize with me for the decisions I've faced this 
summer, but I absolutely would not disagree with you if you blamed me for the 
delay. I own it.

Silent Phone for iOS sources, Silent Text for Android, and then Silent Phone 
for Android 1.6.6 source releases are all in the pipeline, and if you'll 
forgive me for using a word that I myself have sullied, they should all be here 
soon.

- End forwarded message -

-- 
Petter Ericson (pett...@acc.umu.se)


Re: [liberationtech] USB Block Erupters as RNG sources?

2013-10-03 Thread d.nix
 Very little, and no.  They're basically custom Bitcoin-mining
 ASICs, I looked at one a while back for use in password-cracking
 and they're really not suited for it at all, you load a vector in
 and say go but since they're quite I/O-limited you can't easily
 adapt them for hash-breaking.  As for RNG use, they're entirely
 deterministic, how would you use them as an RNG source?
 

 
 at best you *might* be able to twist it into a DRBG that would still
 need to be seeded (and regularly reseeded) with robust entropy.
 
 these ASICs really are single purpose; they're useless for anything
 else.

Thanks Peter, Coderman-

Kinda what I suspected seeing as they are *Application Specific* IC's
after all... Wishful thinking more than anything knowing that they are
now saturating their market and losing value rapidly.

Cheers!

DN



[liberationtech] As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm

2013-10-03 Thread Michael Allan
DALLAS — One day last May, Ladar Levison returned home to find an
F.B.I. agent’s business card on his Dallas doorstep. So began a
four-month tangle with law enforcement officials that would end with
Mr. Levison’s shutting the business he had spent a decade building and
becoming an unlikely hero of privacy advocates in their escalating
battle with the government over Internet security.

http://www.nytimes.com/2013/10/03/us/snowdens-e-mail-provider-discusses-pressure-from-fbi-to-disclose-data.html?pagewanted=all