More Crypto...

Part Two: It probably ain't

But even if you're connecting to a site that can do the whole secure thang, and even if you do connect and see the "locked" looking thing in the corner, you probably aren't any more secure than you were before.  "Why" you ask? Cuz even then, the crypto connection that your browser is using is probably weak.

Part Three: Here's why it ain't

Here's the skinny.  Our U.S. government people consider crypto technology a weapon, because twenty years ago back in the cold war it was a dangerous thing for your enemy to have.  The United States "Export Law" says that since it's considered a weapon, it's illegal to export out of the country.

Why is it such a big freakin deal?  Well, America has interests spread out all over the place, and we have spies who pay real close attention to what goes on all over the world, especially in terrorist countries.  If terrorists start using strong crypto, we can't eavesdrop on them and maybe tell when they're gonna blow stuff up (Not that our spying on these people has kept them from blowing stuff up before now).

Now before you get all in a frenzy, people have been trying to reach an agreement with our intelligence people for a while now.  There are a lot of bills in the House and the Senate trying to fix this, but no luck yet.  I mean, heck, Congress has only been at it for about six years now, give 'em a little time ...

So when you download a browser off the net, most people get stuck downloading what's called an "export-grade" web browser.  That means one whose crypto stuff is weak enough for the government to feel okay about you exporting it.  Don't buy anything off the web with those wimpy little browsers, cuz any cyber-moron that knows how to use a packet sniffer and a cracking utility can read your credit info that you buy stuff with.

>Boooooo! Hissssss!<

Part Four: Here's why that sucks

Netscape can work with all the great crypto stuff out there through its Secure Sockets Layer but people are usually limited to 40-bit encryption stuff, which is really weak and super lame.  Crypto stuff that weak has been cracked left and right.  Heck, Bruce Schneier will even give you a SCREEN SAVER that can crack this type of encryption, and it even BRUTE FORCES IT!!!!  Can you imagine how weak that is?  Sheesh!!  You can get it at http://www.counterpane.com/smime.html

Part Five: Fix it!

Help is here!  >sound of trumpets<  This super high-class software guy named Farrell McKay and some of his friends put together a little set of files called "Fortify" that you download right into your browser's home directory, run them, and they just strengthen the SNOT outta your browser.  They pump it UP, my friends.

Here's what you should do.  First send me a million dollars.  Then, go to the "Fortify" website at http://www.fortify.net/index.html.   Then check what your connection security is for right now at the link that says "SSL checker" (Yes, that stands for "Secure Sockets Layer Checker").  It will tell whether or not your browser is set on "wimpy mode" or whether or not it can connect to a server in a safe way.  It will even list all the different secure connections you could have along with what you actually have.

If that page tells you that your connection is weak, go to the "download" page and get the version that's right for your computer (there isn't a version available for Macs yet).  Stick the stuff in the directory that your browser is in and follow whatever other instructions there are.  It's easy and really quick to do, and then you have to restart your browser.

Now to check if it worked.  Go back to the SSL checker at their site (you might have to hit reload).  See what it says?  Most versions should connect at a full 128-bit RC-4!

Note: Remember the cryptogenius Ron Rivest who helped create RSA?  RC-4 is one of his own special algorithms, and a sweet one at that.

So, you can send and receive super-secret encrypted email that nobody can read, and you can connect with whopping 128-bit RC-4 to participating websites.  This would be a good time to rub your hands together and cackle maniacally.  Now I know you're hooked ...
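Here's an added example (my own code, not part of this guide or the Fortify project) that shows the arithmetic behind Part Four: a small RC-4 implementation, the expected exhaustive-search time for 40-bit versus 128-bit keys, and a key search on a deliberately tiny two-byte key so you can see the mechanism that the screen saver above scales up to 40 bits.  The key, message and search rate are constructed values.

```python
import itertools

def rc4_keystream(key: bytes):
    """RC4 key-scheduling (KSA) followed by the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Expected time to hit the right key (half the keyspace, on average)."""
    return (2 ** key_bits / 2) / keys_per_second / (365 * 24 * 3600)

def recover_toy_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Exhaustive search over every key of key_len bytes, using a known
    plaintext header (like "GET /") to recognise the right one.  With
    key_len=2 that is 65,536 tries; a 40-bit key would be 2**40."""
    head = ciphertext[:len(known_prefix)]
    for cand in itertools.product(range(256), repeat=key_len):
        key = bytes(cand)
        if rc4(key, head) == known_prefix:
            return key
    return b""

def demo() -> dict:
    # Constructed values: a 16-bit toy key and a message with a predictable header.
    toy_key = b"\x07\x2a"
    message = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
    ciphertext = rc4(toy_key, message)
    return {
        "recovered_key": recover_toy_key(ciphertext, b"GET /", 2),
        "years_40bit_at_1M_per_s": brute_force_years(40, 1e6),
        "years_128bit_at_1T_per_s": brute_force_years(128, 1e12),
    }
```

The 40-bit figure comes out at a few days on a single mid-1990s-class machine; the 128-bit figure is many orders of magnitude beyond the age of the universe, which is the whole point of Fortify.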
 

V. WRAP UP STUFF

A. All that confuses is not crypto
 
 The biggest thing to keep in mind when you dig around for good crypto stuff to play with is this:  Just because it has a fancy-schmancy name like "cryptographic module" and seems to screw up text real good doesn't mean that it is real cryptography.  Even if it comes from a big name software company, it ain't necessarily worth your while.
 
 Real cryptography is incredibly difficult to make secure.  Most of these companies churning out software packages that protect passwords and encrypt little documents and stuff don't bother with any kind of real work in that area.  I won't even go into these wiseguys on the web and in hacker rags that write their own stuff and then try to sell you on it.  Sheesh!  Most of them have no idea what they're getting themselves into.  Cryptography is just too tough and experts are few and far between.  These warnings are covered a bit more in the web resources section later on.  So ...
 
 
B. Beware "kindergarten cryptography"
 
Don't just take someone else's word for it.  There are all kinds of interesting ideas floating around about new crypto stuff from people who only sound like they know what they're talking about.  From hacker magazines, to newsgroup postings from alleged elite experts, to rave reviews in big computer magazines, everybody seems to know what crypto should be and where to find the good stuff.
 
 Ugh.
 
 It ain't the wares that the journalists rave about.  It ain't the program that your favorite hacker writes.  It ain't the impressive looking plug-in that your favorite software company tries to sell you.
 
 The "good stuff" is what survives the tests by the experts.  Remember this: learn the names of the experts.  Learn the names of the algorithms and cryptosystems.  After a long, long, long time on the market and after a wayyyyy lot of tests, the algorithms and systems that live on are the good ones.  And that's only for today.  Breakthroughs in computing power have made more than one seemingly secure cryptosystem obsolete.
 
 Every algorithm that is untested or unreleased to the public, every algorithm that flies in the face of established mathematical law and number theory, every algorithm that claims to be great but isn't available to be proven is not cryptography, but kindergarten cryptography.
 
 Using kindergarten cryptography is even worse than using no cryptography at all.  You know why kindergarten cryptography is so dangerous?  Because it fools you into thinking it's cryptography, and you use it on private stuff that it isn't really going to protect.  If you didn't try to use any crypto at all, at least you would know enough to save the private stuff for later and it would never be at risk!
 



 © 2013 Happy Hacker All rights reserved.