#cryptography

waynerad@diasp.org

Building a Zero Trust *ssh.Client.

So there's a new system for building secure applications called OpenZiti.

The system allows you to create "dark" applications, by which they mean, applications that do not expose ports on the internet that can be discovered by attackers with port scanning. Regular ssh (secure shell, which gives you a command line on a remote machine), for example, uses port 22, so anyone who tries to connect to TCP port 22 will be able to connect to the ssh daemon running on the machine. The port number can be changed, but 22 is the standard for ssh. Once the user is connected, they still can't actually get a command line and run any commands, because they have to get through ssh's authentication process. But they can connect in the first place. What if the application could be made "dark" so there isn't any port to connect to at all?

The way this is accomplished is, a different set of machines are designated as "nodes" and one of them acts as a "controller". The application connects to one of the nodes, and the end user connects to a different node. The system is called "zero trust" because unauthenticated users are not allowed to connect to the nodes. The nodes are not allowed to run applications, only shuffle messages from place to place. The application is reached through the connection the application made to a node, not by having an open port on the application machine. So by the time any data reaches an application, the user has already been authenticated. The communication is end-to-end encrypted. So the authentication and privacy functions are moved out of applications and into the OpenZiti system.

The controller is necessary to set up the system, which by the way is called a "mesh network". Often they simply use the word "network" but it's important to distinguish between this "mesh network", which is made of software, and the physical network that is the internet.

Inside this "mesh network" is a complete public key infrastructure system. So instead of having ssh and HTTPS and every other system that wants secure communication to have its own ad-hoc public key infrastructure, you just make one public key infrastructure system for your whole organization.

It's written in Go but uses a library called libsodium for cryptography. The Go standard library has extensive cryptography services, so I wonder what it is missing that made them resort to using libsodium, which is written in C. Anyway, what's here is an example implementation of an ssh client that uses this system in Go. The reason it says "*ssh.Client" in the title is that "ssh.Client" is an interface in Go

and the "*" indicates a pointer. (And I put in that line break to keep diaspora from making boldface.)

This is an interesting idea -- outsourcing key security services to a mesh network, instead of having it reside in each application. I wonder if this idea will catch on.

Zero Trust *ssh.Client

#solidstatelife #cybersecurity #cryptography

waynerad@diasp.org

The charges against Pavel Durov, CEO of Telegram. The French government has issued a press release detailing the specific charges against Pavel Durov, who was arrested Saturday, August 24 in Paris.

Besides the charges of not deleting salacious content, which I assume you have probably already heard about, the charges list things like: "Providing cryptology services aiming to ensure confidentiality without certified declaration," "Providing a cryptology tool not solely ensuring authentication or integrity monitoring without prior declaration," and "Importing a cryptology tool ensuring authentication or integrity monitoring without prior declaration."

Apparently in French law, there is a pre-declaration and pre-certification process software developers have to go through with the government. Pavel Durov has dual French and Russian citizenship. So I guess the French government figures their laws apply to him.

(Link goes to a PDF document. Pages 1 and 2 are in French and pages 3 and 4 have the same press release in English.)

Communiqué de presse

#solidstatelife #cryptography

prplcdclnw@diasp.eu

Cryptographers' Feedback on the EU Digital Identity’s ARF #200

This is the EU Digital Identity Wallet, eiDAS 2.0.

https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/200

Unfortunately, we believe that some of the currently suggested design aspects of the EUDI and its credential mechanism fall short of the privacy requirements that were explicitly defined after extensive debate in the Digital Identity regulation. The main reason for this shortcoming in the current proposal is that it relies on cryptographic methods that were never designed for such requirements. We do not see a way to fix the proposed solution to meet all the privacy features as required by the regulation; we believe that a larger redesign is in order.

#privacy #security #surveillance #identification #credential #eu-digital-identity #digital-identity #cryptographic #cryptography #digital-wallet #eu #digital-identity-wallet

waynerad@diasp.org

"For those who don't yet know from their other social media: a week ago the cryptographer Yilei Chen posted a preprint, eprint.iacr.org/2024/555, claiming to give a polynomial-time quantum algorithm to solve lattice problems. For example, it claims to solve the GapSVP problem, which asks to approximate the length of the shortest nonzero vector in a given n-dimensional lattice, to within an approximation ratio of ~n^4.5. The best approximation ratio previously known to be achievable in classical or quantum polynomial time was exponential in n."

"If it's correct, this is an extremely big deal. It doesn't quite break the main lattice-based cryptosystems, but it would put those cryptosystems into a precarious position, vulnerable to a mere further polynomial improvement in the approximation factor. And, as we learned from the recent NIST competition, if the lattice-based and LWE-based systems were to fall, then we really don't have many great candidates left for post-quantum public-key cryptography! On top of that, a full quantum break of LWE (which, again, Chen is not claiming) would lay waste (in a world with scalable QCs, of course) to a large fraction of the beautiful sandcastles that classical and quantum cryptographers have built up over the last couple decades--everything from Fully Homomorphic Encryption schemes, to Mahadev's protocol for proving the output of any quantum computation to a classical skeptic."

Wow, that's quite a lot. Let's see if we can figure out what's going on here.

First of all, I hadn't heard of these "lattice" problems, but doing some digging, I found they've been of great interest to people working on quantum computers, because they're thought to be resistant to attacks from quantum computers. Quantum computers have this magical ability to use the superposition of wavefunctions to test "all combinations at once" for a mathematical problem, which could be finding a key that decrypts an encrypted message. This magical ability is harder to tap into than it sounds because, first of all, you need enough qubits (quantum bits -- the superposition bits that quantum computers use instead of the regular 0 or 1 bits of regular computers), and that's really hard because all the qubits have to be entangled, and maintaining a boatload of entangled qubits usually involves freezing atoms to near absolute zero and other such difficult things. And second of all, you have to find an algorithm -- quantum computers are not straightforward to program, and can only "run" "programs" written specifically for quantum computers, with algorithms that have been invented to solve a particular mathematical problem using quantum physics.

What supposedly makes "lattice" problems harder to solve than RSA, Elliptic Curve Cryptography, and so on, is that with lattices, you can have any number of dimensions. This increase in dimensionality cranks up the number of qubits required much faster than traditional algorithms such as RSA, Elliptic Curve Cryptography, and so on. So they stand a much better chance of outpacing the advancement of quantum computers. Also, nobody has ever come up with an algorithm for cracking lattice problems...

...until now, maybe. That's what this post is about. Possibly this Yilei Chen cryptographer has found an algorithm. The specific encryption algorithm that he may have found a way to crack with a quantum computer algorithm is called GapSVP. SVP stands for "shortest vector problem" and clicking through on the link will take you to a Wikipedia page that explains the mathematics behind it. However if you scroll down in the original post you'll see there is discussion of a bug in cryptographer Yilei Chen's algorithm. It is not known whether the algorithm can be fixed or whether this means GapSVP and LWE remain unbroken.

Speaking of LWE, the post also mentions LWE without giving a clue what "LWE" means. LWE stands for "Learning With Errors". In fact if you clicked through on GapSVP to the Wikipedia page, you can find a handy link to the Learning With Errors page at the bottom in the "See also" section. With LWE, you have an n-dimensional "ring" of integers -- called a "ring" instead of a "vector" because they are all modulo some prime number (remember we make this hard by making the number of dimensions and the size of the prime number huge) -- which you run through some secret linear transformation function and then perturb with some error, perhaps drawn from a Gaussian distribution. To crack the system you have to recover the secret linear transformation function. Mathematicians have proven LWE is equivalent to lattice problems and therefore is a lattice problem.

The mention of Mahadev's protocol, which you can find out all about by clicking through on that link, refers to a method of verifying that a quantum algorithm works using a classical computer. The protocol works by forcing the qubits into states that are predetermined ahead of time, and then verifying those states are achieved. Of course a classical computer cannot verify the output of a quantum computer for any given input.

That IACR preprint

#solidstatelife #cryptography #quantumcomputing

57b731e9@nerdpol.ch

Version 4.58 of EasyGPG is Published

EasyGPG is an easy-to-use GUI for GPG that uses Zenity and XClip.

The following changes were made.

  • EasyGPG now, once again, works with Tails, if nemo or another graphical file manager that follows the FreeDesktop.org guidelines is installed. From now on, using nemo or one of the others, you can use EasyGPG with Tails pretty much the same way as with other distros.

The sha256sum of this new version of easygpg.sh is 4788bf28aeacb164af7cb0818977bd0ca59671c0307e2827c9993d418887f0ae.


Tails Users

This one time, because of the changes to Tails, you will have to update in a special way.

  1. Install nemo or another graphical file manager that follows the FreeDesktop.org guidelines. Make sure it is marked to be installed every time you start Tails.
  2. Download https://codeberg.org/giXzkGsc/EasyGPG/raw/branch/main/easygpg.asc
  3. Move easygpg.asc to the Persistent folder.
  4. Open a terminal window and cd to the Persistent folder. Then type gpg -d easygpg.asc | tar -x. This should create a file in your Persistent folder named easygpg.sh.
  5. Open a window to Persistent with nemo or whatever else you installed. Move easygpg.sh into your EasyGPG folder, replacing the copy already there.
  6. Double-click Rebuild EasyGPG to rebuild your EasyGPG folder.

Other Users

To update to this new version, just double-click Check for a new version of EasyGPG in the EasyGPG-Actions folder (or, if your version is earlier than 4.0, select Check for a new version of EasyGPG in the main menu).

If you update from a very old version, check to make sure you have the latest version. If not, update again.

To update a copy of EasyGPG older than 3.0, use the installer (below), but select your already-existing EasyGPG folder. If you do this correctly, you will be asked whether or not you want to replace the existing EasyGPG. Click “Replace” to replace your old version of EasyGPG with the latest version.

To install EasyGPG for the first time, click on one of the following links. This is a tar.gz file. Extract the contents of the file, which will be a folder called EasyGPG-Installer. Open the folder, and double-click Install EasyGPG. This will create your new EasyGPG folder, and build all the files and folders inside it. Refresh the GUI file manager window to ensure the icons are correctly displayed.

If the Desktop files (all the Actions and the main Desktop file) do not work, you will need to install a graphical file manager that complies with the XDG standards: nemo, caja, pcmanfm, thunar, or dolphin. None of these has to be made the default graphical file manager. You only need to install one or more of them.

https://codeberg.org/giXzkGsc/EasyGPG/raw/branch/main/EasyGPG-Installer.tar.gz
https://archive.org/download/easygpg/EasyGPG-Installer.tar.gz

[The installer is also available at
http://easygpg2.i2p/EasyGPG-Installer.tar.gz (I2P).]

EasyGPG Web Sites
https://codeberg.org/giXzkGsc/EasyGPG Codeberg (clearnet)
https://archive.org/details/easygpg Internet Archive (clearnet)
http://easygpg2.i2p/ I2P eepsite

EasyGPG Tor Onion Gopher Hole
gopher://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/

EasyGPG Minus Library
[minus://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/](minus://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/)

For news about EasyGPG, click on the #easygpg tag.


This project has never been on GitHub, though another project with the same name has. This project is not related in any way to the German government, though another project with the same name is.

When using software, the greatest threat to privacy and security is the Internet. EasyGPG will not attempt to communicate with the Internet unless you tell it to read a file from the Internet or check for a new version. I will make no attempt to discover who is using my software, where, when, how, or for what purpose.

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography

57b731e9@nerdpol.ch

New Version of EasyGPG Is Coming Soon

This is only important to users of Tails.

The most recent version of Tails removes all support for FreeDesktop.org Desktop files. This is a problem for EasyGPG because, beginning with version 4.0, EasyGPG has used Desktop files for almost everything.

**Until the new version is published**, here is what you should do. Install nemo. Nemo is the default graphical file manager for the Cinnamon DE. It supports FreeDesktop.org Desktop files. To install nemo, type this into a terminal window.

sudo apt update

This reads all of the Tails repos. Then type this.

sudo apt install nemo

This installs Nemo. Be sure to mark nemo to be installed every time you start Tails.

Nemo will be the second item in the Accessories sub-menu of the Applications menu labeled "Files." Using Nemo, no other workarounds for Tails will be necessary. I will publish a new version of EasyGPG in the near future that will work with Tails much more like the way it works with other distros.

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography

waynerad@diasp.org

Cryptid claims:

"We offer flexible APIs for building zero-knowledge proof based authentication and authorization, authenticated provenance, verifiable authenticity, and privacy preserving decentralized identity that scales to billions of people and devices."

The idea here is to reinvent the whole concept of "authentication" based on a concept in cryptography called "zero-knowledge proofs".

In fact they say, "Cryptid's Oberon authentication and authorization approach streamlines the process of acquiring, onboarding, and managing clients. It is designed using modern cryptography to replace OAuth 2.0 with simpler constructs and protocol flow. It uses zero-knowledge proofs (ZKPs) to move API security from centralized or federated architecture to zero-trust architecture. Born out of the lessons learned from 30 years of Internet security, Oberon is the simplest and most secure way to streamline your customer acquisition process. Oberon is available as a simple API or as an on-premises product."

I have a solid grasp of cryptographic fundamentals, which are symmetric key ciphers, public key ciphers, and hash functions. Zero-knowledge proofs lie outside of my understanding.

Nonetheless, I'm going to try to impart the basic idea, using hash functions as a springboard. Using hash functions you can create something called a challenge-response system. In fact I do this in a file synchronization program I wrote that I use every day. The program works by connecting to a server and getting a list of file names and hashes that represent the hash of the contents of each file. It compares these to its local directory to determine which files are different between the server and the local directory. If they are different it has to look at the file times to determine which is newer and either pull the newest version from the server or push the newest version to the server.

Before all this can happen, though, it has to authenticate the user. It does this with both a traditional password and a challenge-response. When the user sends the traditional password, it runs it through a hash function and compares it with the hash stored on the server. If a hacker were able to get a copy of all the data on the server, because a hash of the password rather than the actual password is stored, they still cannot impersonate the user. However, if an attacker could eavesdrop on the whole conversation, they could intercept the password as it crosses the network, and impersonate the user from that point onward. To prevent this, a challenge-response system is used as a second step. For this, there is an additional "shared secret" shared between the server and the user. The server generates a random 256-bit number and sends it to the user, which does a hash of it using the "shared secret" as the "salt" for the hash (the shared secret is incorporated into the hashing function). The result is sent back to the server, which performs the same hash calculation and allows the user to proceed if the results match. Because the eavesdropper does not have access to the shared secret, they cannot impersonate the responses to the challenge-response system. They could replay a past challenge-response episode, but because the server issues a new 256-bit random number as the challenge every time, they cannot generate the correct response. After this there are some additional details that I'll skip over regarding how the system changes the symmetric key for the whole communication channel, preventing the eavesdropper from getting copies of whatever files are transmitted over the network.

On the surface, this sounds like a "zero-knowledge" system, but it isn't. It seems like a "zero-knowledge" system because in the challenge-response process, the user never reveals the actual secret. They just prove that they know the secret.

The reason this doesn't qualify as "zero-knowledge", though, is because the eavesdropper, while they are not able to obtain the shared secret, does learn one piece of knowledge: that the user is in possession of the shared secret.

For the system to be truly "zero-knowledge", the eavesdropper must not even be able to tell that the user has possession of the shared secret. The mathematics of how this is done is beyond me, so I have to stop here.

Why Cryptid thinks they need to use zero-knowledge proofs for authentication is not clear to me.

Zero-knowledge proofs are the cryptographic mechanism behind the cryptocurrencies that provide true anonymity. Cryptocurrencies like Bitcoin, that don't, have "mixers" but someone with sufficient ability to eavesdrop on the mixers can figure out who is making all the transactions. Cryptocurrencies that use zero knowledge proofs to provide true anonymity include Zcash, Monero, PIVX, and Zerocoin. (Link to the zk-SNARK system used by Zcash below).

Cryptid: Authenticity Starts Here

#solidstatelife #cryptography #zeroknowledgeproofs
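
The challenge-response step described in the post above, as an added example that is not part of the original post or the author's file synchronization program. It assumes HMAC-SHA256 as the keyed hash (the post only says the shared secret is incorporated into the hash), and the `Server` class, the `respond` helper, the user name and the secrets are hypothetical, constructed values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

CHALLENGE_BYTES = 32  # 256-bit random challenge, as in the post


def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Client side: keyed hash of the challenge.

    HMAC-SHA256 is an assumption; it is the standard way to mix a
    secret into a hash without length-extension problems.
    """
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server holding one shared secret per user."""

    def __init__(self, shared_secrets: dict[str, bytes]):
        self._secrets = shared_secrets
        self._pending: dict[str, bytes] = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        # A fresh random value every time is what defeats replay.
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # pop() makes each challenge single-use: a response cannot be
        # submitted twice against the same challenge.
        challenge = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = respond(secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Run the exchange from the post, including the eavesdropper's replay."""
    secret = secrets.token_bytes(32)  # constructed shared secret
    server = Server({"alice": secret})

    # Legitimate login; the eavesdropper records challenge and response.
    c1 = server.issue_challenge("alice")
    r1 = respond(secret, c1)
    legitimate = server.verify("alice", r1)

    # Replay of the recorded response against a new challenge.
    server.issue_challenge("alice")
    replay_new_challenge = server.verify("alice", r1)

    # Replay with no outstanding challenge at all.
    replay_no_challenge = server.verify("alice", r1)

    # Response computed without the real shared secret.
    c3 = server.issue_challenge("alice")
    wrong_secret = server.verify("alice", respond(b"guess" * 8, c3))

    return {
        "legitimate": legitimate,
        "replay_new_challenge": replay_new_challenge,
        "replay_no_challenge": replay_no_challenge,
        "wrong_secret": wrong_secret,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The eavesdropper in this run sees both the challenge and the response in the clear and still cannot log in, but anyone holding a copy of the server's stored shared secret can, which is the difference from the hashed password check in the first step.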

kuchinster@hub.hubzilla.de

Lie about Pearl Harbor

Under Friedman’s direction, the SIS cryptanalysts, and primarily the people from the Rowlett team, by 1940 achieved, with the help of their mathematical “magic,” truly great success in deciphering Japan’s secret correspondence. The main success was the massive breaking of a system codenamed Purple, a new Japanese cipher machine for diplomatic correspondence. And although the correspondence of the Japanese armed forces was decoded much worse and slower, the volume and efficiency of decrypting the Japanese Foreign Ministry materials gave intelligence analysts every reason to believe that the U.S. authorities were fully aware of plans and intentions of a potential enemy.

In particular, shortly before the disaster at Pearl Harbor, such an episode took place. Here it is reconstructed according to the personal testimony of its participant, military linguist John Hurt (John Hurt. “The Japanese Problem in the Signal Intelligence Service”. NSA William F. Friedman Collection, Document A58132. https://www.nsa.gov/news-features/declassified-documents/friedman-documents), who translated those encrypted telegrams from the Japanese Foreign Ministry that were decoded by Friedman’s analysts.

In November 1941, 10 days before the attack, while Hurt and Friedman were visiting a mutual friend in a sanatorium, the cryptographer asked the interpreter how he assessed the current state of relations between the United States and Japan from decrypted dispatches. Hurt replied that the negotiations between Tokyo and Washington seemed to be over. In turn, he asked Friedman what, in his opinion, such an escalation of relations meant. Friedman answered very briefly: it meant war. Shocked by these words, Hurt emotionally asked the cryptographer, who was much closer to the high authorities, whether the United States was ready for such an escalation of hostility. “I hope so,” Friedman replied…

About what happened to Friedman on the day of the disaster, on Sunday, December 7, 1941, his wife Elizebeth told this (Ronald Clark. The Man Who Broke Purple: The Life of Colonel William F. Friedman, Who Deciphered the Japanese Code in World War II. Boston, MA: Little Brown, 1977):

Friedman himself, hearing the news of the Pearl Harbor attack on the radio, at first found it difficult to believe. For some while, his wife recalls, he could do no more than pace back and forth across the room, muttering to himself over and over again: “But they knew, they knew, they knew.”

But the most striking thing about this dramatic story is that a decade and a half later, William Friedman managed to change his views on what happened literally exactly the opposite. He wrote an analytical work where he very competently, authoritatively and argued began to prove that in fact “they did NOT know.” Because this matter, you see, is far from straightforward…

https://4in1.ws/

#USA #us #american #japan #history #war #WWII #WW2 #lie #cryptography #Friedman

57b731e9@nerdpol.ch

Version 4.57.6 of EasyGPG is Published

EasyGPG is an easy-to-use GUI for GPG that uses Zenity and XClip.

The following changes were made.

  • One of the windows that appears when EasyGPG is first installed was too wide with recent versions of zenity. This bug is now fixed.

The sha256sum of this new version of easygpg.sh is f5116f0ed08d6f43875de800a19a3e29e1274232536e90fa80c26583cf03b380.


To update to this new version, just double-click Check for a new version of EasyGPG in the EasyGPG-Actions folder (or, if your version is earlier than 4.0, select Check for a new version of EasyGPG in the main menu).

If you update from a very old version, check to make sure you have the latest version. If not, update again.

To update a copy of EasyGPG older than 3.0, use the installer (below), but select your already-existing EasyGPG folder. If you do this correctly, you will be asked whether or not you want to replace the existing EasyGPG. Click “Replace” to replace your old version of EasyGPG with the latest version.

To install EasyGPG for the first time, click on one of the following links. This is a tar.gz file. Extract the contents of the file, which will be a folder called EasyGPG-Installer. Open the folder, and double-click Install EasyGPG. This will create your new EasyGPG folder, and build all the files and folders inside it. Refresh the GUI file manager window to ensure the icons are correctly displayed.

If the Desktop files (all the Actions and the main Desktop file) do not work, you will need to install a graphical file manager that complies with the XDG standards: nemo, caja, pcmanfm, thunar, or dolphin. None of these has to be made the default graphical file manager. You only need to install one or more of them.

https://codeberg.org/giXzkGsc/EasyGPG/raw/branch/main/EasyGPG-Installer.tar.gz
https://archive.org/download/easygpg/EasyGPG-Installer.tar.gz

[The installer is also available at
http://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/EasyGPG-Installer.tar.gz (Onionland) and
http://easygpg2.i2p/EasyGPG-Installer.tar.gz (I2P).]

EasyGPG Web Sites
https://codeberg.org/giXzkGsc/EasyGPG Codeberg (clearnet)
https://archive.org/details/easygpg Internet Archive (clearnet)
http://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/ Tor Onion Service web site
http://easygpg2.i2p/ I2P eepsite

EasyGPG Tor Onion Gopher Hole
gopher://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/

EasyGPG Minus Library
[minus://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/](minus://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/)

For news about EasyGPG, click on the #easygpg tag.


This project has never been on GitHub, though another project with the same name has. This project is not related in any way to the German government, though another project with the same name is.

When using software, the greatest threat to privacy and security is the Internet. EasyGPG will not attempt to communicate with the Internet unless you tell it to read a file from the Internet or check for a new version. I will make no attempt to discover who is using my software, where, when, how, or for what purpose.

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography

waynerad@diasp.org

"There are reasons to think that Signal may not be around for very long. The nonprofit's blog, meant to convince us of the elite nature of its engineers, has the unintentional effect of conveying the incredible difficulty of building any new software feature under end-to-end encryption. Its team numbers roughly 40; Moxie Marlinspike has just left the organization. Achieving impossible feats may be fun for a stunt hacker with something to prove, but competing with major tech companies' engineering teams may not be sustainable for a small nonprofit with Marlinspike no longer at the helm."

"Fittingly for an organization formerly led by an anarchist, Signal lacks a sustainable business model, to the point where you might almost call it anti-capitalist."

How Signal walks the line between anarchism and pragmatism

#solidstatelife #cryptography #privacy #signal

waynerad@diasp.org

Google is developing something called Web Environment Integrity (WEI) and people are upset about it. Links on that below. Here, let's look at WEI and see what it is.

"With the web environment integrity API, websites will be able to request a token that attests key facts about the environment their client code is running in. For example, this API will show that a user is operating a web client on a secure Android device. Tampering with the attestation will be prevented by signing the tokens cryptographically."

Google wants this because it runs major sites that make money from advertising, but it can't guarantee its ads are being seen by actual humans rather than bots.

"It is expected that the attesters will typically come from the operating system (platform) as a matter of practicality, however this explainer does not prescribe that. For example, multiple operating systems may choose to use the same attester."

"Example use cases: Detect social media manipulation and fake engagement. Detect non-human traffic in advertising to improve user experience and access to web content. Detect phishing campaigns (e.g. webviews in malicious apps). Detect bulk hijacking attempts and bulk account creation. Detect large scale cheating in web based games with fake clients. Detect compromised devices where user data would be at risk. Detect account takeover attempts by identifying password guessing."

"How it works: The web page executing in a user's web browser. A third party that can 'attest' to the device a web browser is executing on, referred to as the attester. The web developer's server which can remotely verify attestation responses and act on this information."

Web Environment Integrity Explainer

#solidstatelife #cybersecurity #cryptography

waynerad@diasp.org

The Coalition for Content Provenance and Authenticity (C2PA) is a specification for both hardware and software for attaching metadata to every media file (images, video, audio, etc) and cryptographically signing it. The media can't be altered without voiding the cryptographic signature. You can alter the media, but the idea is the alterations will in turn also be logged and signed. The idea is, hardware like cameras and software like Photoshop will all do this. This will enable people to tell if something was generated by AI or altered by AI. The "provenance information" will tell the history of the media and indicate its authenticity. If it authentically came from InfoWars, you'll know that.

The future of "truth" on the Internet

#solidstatelife #aiart #deepfakes #cryptography #digitalsignatures

prplcdclnw@diasp.eu

Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack

With no easy way to revoke compromised keys, MSI, and its customers, are in a real pickle.

https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/

This is, basically, the premise of Cory Doctorow's new novel Red Team Blues. I finished it recently, and I recommend it.

#supply-chain-attack #uefi #uefi-signing-keys #signing-keys #cryptography #security #leak