Erik L. Arneson — Writer and Software Developer

Driftwood Public Library Follow-Up

2017-05-01T17:27:58+00:00

Driftwood Public Library is great! I had a wonderful time in Lincoln City speaking about secret societies and cryptography. Links to my slides are below.

Secret Societies in Fiction How Computers Changed Cryptography

For a bibliography for “How Computers Changed Cryptography”, check my notes for my OMSI Science on Screen talk.

Also, I would like to thank the ‘D’ Sands Condominium Motel for sponsoring the talks and providing me with a really lovely room.

[caption id=”attachment_708” align=”aligncenter” width=”1024”] This is the view from my motel room balcony at the ‘D’ Sands.[/caption]

Upcoming Lectures at Driftwood Public Library

2017-04-13T17:04:39+00:00

Driftwood Public Library in Lincoln City has selected Mr. Penumbra’s 24-hour Bookstore for their 2017 Everybody Reads event. They’ve invited me to give two lectures. This is going to be fun!

Secret Societies in Fiction

Tuesday, April 25, 6:30pm

This is going to be a lecture about secret societies. I’m going to talk about what a secret society is, and then we’ll look at how they’re portrayed in fiction. We will also talk about how fictional secret societies have sometimes become real secret societies, and the relationship between secrecy and fiction in the real world.

How Computers Changed Cryptography

Wednesday, April 26, 2:00pm

If you saw my OMSI talk, then you already know that this is a subject I’m passionate about! I will be discussing the history of computers and how it’s intertwined with the cryptography arms race. Maybe I will even introduce some hand ciphers to the crowd! I am going to have fun with this one.

I am sure that more information on both of these will be available soon, including Facebook events and other such things. In the meantime, visit the Driftwood Public Library website for more information.

OMSI Science on Screen Wrapup

2017-03-29T16:51:34+00:00

My talk at OMSI last night, “Computers and the Dawn of Modern Cryptography,” went really well. It was a great crowd and there was a good Q&A session afterwards. I’m going to keep this post really brief. First, there will be slides for my talk. Following that will be a brief bibliography if you’re interested in learning more about this fascinating topic.

Click here to download my slides.

Bibliography

Singh, Simon. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Reprint edition. New York: Anchor, 2000. This book is the best resource I've found for a logical breakdown of how cryptography and cryptanalysis worked for WWII cryptology.
Boone, J. V. A Brief History of Cryptology. Annapolis, Md: Naval Institute Press, 2005.
Copeland, B. Jack, ed. Colossus: The Secrets of Bletchley Park’s Codebreaking Computers. Oxford ; New York: Oxford University Press, 2006. I can't wait to explore this book more! It is a massive collection of articles and papers from a wide array of authors.
Drea, Edward J. MacArthur’s ULTRA: Codebreaking and the War against Japan, 1942-1945. Modern War Studies. Lawrence, Kan: University Press of Kansas, 1992.
Wilcox, Jennifer, United States, National Security Agency/Central Security Service, and Center for Cryptologic History. Sharing the Burden: Women in Cryptology during World War II. Fort George G. Meade, Md.: Center for Cryptologic History, National Security Agency, 1998.

In addition, almost all of the photos and information on individual cipher machines can be found at Crypto Museum. This is a rich and bountiful resource for those interested in the internal workings of modern encryption.

OMSI Science on Screen: The Imitation Game

2017-03-17T20:17:00+00:00

On March 28th, I will be giving a lecture called “Computers and the Dawn of Modern Cryptography” at OMSI as part of their Science on Screen program. I’ll be speaking and answering questions just before a screening of The Imitation Game, starring Benedict Cumberbatch and Keira Knightley. I am really excited about this opportunity! Please come down to OMSI for an informative lecture and an excellent film.

Buy Tickets Here

From StartCom to Let's Encrypt

2017-01-20T00:33:04+00:00

This past Fall, a bunch of big names removed StartCom from their trusted SSL Certificate Authority list. As a result, when I renewed my SSL certificates this year, I went with Let’s Encrypt. It was a pleasant experience, because Let’s Encrypt uses a command-line client called Certbot that does most of the heavy lifting for you.

After certificate renewal, everything is still looking pretty good. Please let me know if you have any SSL problems with my website through the contact form.

Still Doing Well with SSL

2016-01-29T20:10:47+00:00

I renewed my SSL certificate today and updated the configuration. Still doing pretty well!

OpenPGP for WordPress Now Supports Contact Form 7

2016-01-20T16:54:43+00:00

OpenPGP Form Encryption for WordPress now supports Contact Form 7. You can download version 1.4.0 at the WordPress plugin site and start using a safer contact form on your website today!

How to Increase Your Privacy on the Web

2015-06-12T15:01:30+00:00

This week, I’m going to share a few links about how to lock down your PC to increase your privacy on the Web. There are a number of things that can be done, even if it’s something as small as turning on tracking protection in Firefox. As I’ve written about many times, our privacy has been under attack since before the Internet existed. You are not powerless, regardless of what you may think.

https://twitter.com/runasand/status/606958744396828673

Why Firefox?

If you want to increase your privacy, Firefox is your best bet. The author of Security Spread wrote a thorough analysis, in which he said, “I’m looking at this review from just the security and privacy perspective and I must say that Mozilla’s Firefox is the best. Both when it comes to ‘out of the box’ features and available add-ons.” He’s not the only one. Many security experts, analysts, and amateurs seem to agree that Firefox provides the strongest privacy protection.

Firefox is also available for most mobile devices, as are the extensions I mention below.

Configuring For Privacy

Now that you’ve listened to me and a bunch of other strangers on the Internet, you’ve got Firefox installed. Let’s get started! The first and easiest step is the “Do not track” setting. Go into the Privacy panel of your Preferences and check Tell sites that I do not want to be tracked.

This setting sounds good, but it might not do much. Mozilla says on their website, “Companies are starting to support Do Not Track, but you may not notice any changes initially.” This means that it’s only the nice, polite companies who didn’t realize they were doing something unsavory who are going to stop tracking you.

You should also disable third-party cookies. These are cookies set by a website that can be read by another. For example, Facebook “Like” buttons do this. Sometimes they’re necessary, but you should experiment and see what works for you. You should still be on the Privacy panel, so select “Use custom settings for history” from the History > Firefox will: drop down. Then change Accept third-party cookies to “Never”.

These settings are a good start, but there’s more we can do. To go further, you’ll need some add-ons and plugins.

Privacy-Enhancing Plugins

Remember that you need to try to protect your privacy not only from parties trying to track you via cookies, ads, and websites, but also network providers, corporations, and governments who have access to your raw Internet traffic. The add-ons below attempt to address both of these situations.

HTTPS Everywhere

The Electronic Freedom Foundation provides HTTPS Everywhere. This is an extension that works for Firefox, Chrome, and Opera, so even if you ignored my advice to install Firefox, you should still be able to use this. It does everything it can to try to make an encrypted connection to a website. In Firefox, it provides you with a drop down menu that lets you know how many encrypted and unencrypted connections you’ve made to the current page.

Ghostery

Ghostery is an extension that blocks third-party tracking. It works with Firefox, Safari, Chrome, and Opera. Currently, it claims to block 2,019 different trackers, which seems like a lot. It has a nice interface that lets you pick and choose which trackers you will block on each site. For instance, you could allow WordPress analytics to work on this website, or you could universally allow Cedexis Radar for performance reasons.

Adblock Plus

On top of Ghostery, you’ll want to install Adblock Plus. This extension is available for Firefox, Safari, Chrome, Opera, and a number of other lesser-known browsers. Addblock Plus can be used to block additional content and trackers that Ghostery might not be catching. However, it takes more configuration. You will want to visit the Addblock filter list to decide what to block.

And Others

There are other add-ons and extensions out there. Here’s a pretty good list. Note that I didn’t cover some of the other staples, like NoScript. This is because I don’t want you to get frustrated by usability issues on the Web and give up on protecting your privacy all together.

Heavy-Duty Privacy: Tor

If you really want privacy, and you’re really serious about it, you’ll want to use Tor. Using it correctly takes some learning, though. I would advise you to read as much as you can, and then ask me questions about it. To get started as fast as possible, you should check out the Tor Browser, which is of course based on Firefox.

That's Just a Start

Unfortunately, you have to remember that most eCommerce websites, advertisers, and governments don’t want you to remain private. You will need to pay attention to what you’re doing online. Be mindful of your activities and remember that anything you release into the wilds of the Internet might be traceable back to you—forever.

"Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." ― Marlon Brando

The featured image is a screenshot of the SSL certificate for rya.nc. RyanC writes about how he created the certificate here.

Send Secure Email with Entrypt.to Service

2015-06-08T15:48:03+00:00

While my OpenPGP plugin for WordPress might be very helpful, the Encrypt.to service allows you to quickly send encrypted email with just one click. It looks powerful.

You can click here to send me encrypted email or visit the source code.

Security Link Rodeo: Silk Road, the Patriot Act, Alan Turing, and Your Passwords

2015-06-05T17:33:25+00:00

The man behind the Silk Road, Ross Ulbricht, received a life sentence after being convicted of money laundering and drug trafficking. It’s estimated that he made around $18 million on the website, which ran as a hidden service in the Tor network. Some of the operators for the Silk Road argue that it was a haven for libertarian philosophy, but does that really excuse the amount of damage they enabled? The Economist notes that since the Silk Road fell, illegal drug sales on the Internet have doubled.

Security Intelligence discusses the effectiveness of password security questions, pointing out that they are particularly weak points in a system. Two-factor authentication or some kind of physical key are definitely better. And when it comes to passwords, there’s a better way that produces easy-to-remember pass phrases!

Bitstamp, an online Bitcoin marketplace and wallet, now offers debit cards. I’ve used Bitstamp many times in the past and it’s always worked well for me.

Section 215 of the Patriot Act finally expired! Not willing to really stop bulk surveillance, Congress then pushed through the USA Freedom Act, which has nothing to do with freedom. Find out how long your mobile phone carrier will retain your call data in this handy chart. Demand Progress rightfully foamed at the mouth.

https://twitter.com/demandprogress/status/605849691675189248

Phil Zimmerman is still not happy with the state of privacy in the United States. He’s right to be concerned.

Two more papers are available from Alan Turing, the father of modern computing and an important cryptologist.

Finally, the UK Government has documented security guidance for Ubuntu. Read the document. It has a lot of really good suggestions for securing your Linux machines.

https://twitter.com/OUHOSCollection/status/603588936020131843

A Look Back on the History of Cryptography

2015-06-01T15:30:02+00:00

In May, I taught a class on the History of Cryptography at Portland Underground Grad School. I’m extremely grateful to PUGS for asking me to teach, because I’d never done it before. It was a great experience. My students were intelligent and the discussion was good. I learned quite a few things in the process.

Teaching Isn't the Same as Lecturing

I have a lot of experience with public speaking. I spent time in Toastmasters International and have given many lectures. In fact, here’s a video of me giving a lecture on the art of memory back in 2013. (( I embedded this video just to exploit a neat WordPress feature. ))

https://www.youtube.com/watch?v=-WpxbPHkq4A

I knew that teaching would be different, but I didn’t know what to expect. Luckily, Douglas Tsoi, the mastermind behind PUGS, helped me design my four-week curriculum and gave me a lot of advice. The two main differences that I noticed are that, first, teaching is a lot more like a conversation, and second, you continue following up week after week. Conversation and continuity!

Douglas’s help was invaluable. He’s the reason that PUGS is able to bring in experts without teaching experience while providing a rich educational environment.

It's Hard to Boil Down Experience

"There is so much to learn! I enjoyed being able to ask questions at will and go deeper into the subject with a knowledgeable instructor." -- An anonymous student

A PUGS class lasts four weeks, and there’s only one class per week. That’s not a lot of time to cover a complicated subject. Going into the class, I just didn’t realize how difficult it is to cram decades of experience into just a few weeks. In our third class, while discussing Phil Zimmerman and the creation of PGP, I realized that I’d been learning about cryptography for over 20 years.

The learning curve in cryptography is staggering. I didn’t realize that going into it, but it’s really difficult to introduce things like the Diffie-Hellman key exchange protocol to people who had just learned to do an alphabetic substitution cipher for the first time. All of my students were very intelligent people, but none of them were computer scientists or mathematicians. My curriculum is going to take some adjustment.

Teaching is Fun

Through this class I met many interesting people. While preparing for the class, I had to brush up on a lot of dusty knowledge. In the process I learned a lot. The entire thing was mentally engaging, socially stimulating, and a blast. I hope that PUGS will have me again, because this class is only going to get better.

If you enjoy learning, you owe it to yourself to take a class at the Portland Underground Grad School. Go check them out!

Security Link Rodeo: The Patriot Act, Logjam, and Hacked Websites

2015-05-29T17:51:59+00:00

Kind of good news: Senators Ron Wyden and Rand Paul teamed up to squash the Patriot Act extension. It’s going to expire on June 1st unless another vote is called on the 31st. The USA Freedom Act (which I think is good?) unfortunately didn’t make it through Senate, either.

https://twitter.com/RonWyden/status/601979044318547969

Regarding the Logjam vulnerability that I mentioned last week, if you’ve got a cloud server and you’re generating new Diffie-Hellman parameters, make sure you’ve got good random numbers! Digital Ocean has advice on generating sufficient random data on cloud servers. The short version is that you should be running haveged on all of your servers.

https://twitter.com/dholmesf5/status/601848616525942784 Here’s an informative and easy-to-understand description of the Logjam attack by Matthew Green. He just happens to be one of the cryptographers who helped discover the problem. And the EFF talks about the implications of Logjam and how the NSA is a bunch of jerks who really don’t care about our privacy at all. Seriously, NSA. It’s like you don’t even want to be our friend!

The creepy mobile spyware app mSpy was recently hacked, resulting in a leak of about 400,000 user accounts. They spent a long time denying it. You can check HaveIBeenPwned to see if you’re one of the users.

Last week it was also revealed that AdultFriendFinder was hacked, leaking about 3.9 million user records. Even worse, it is possible that “AdultFriendFinder may not get rid of data after customers leave.” This is just a reminder that you need to be mindful about what you share on the Internet. If you want to keep information secret and secure, make sure that you are the only one in control of it.

https://twitter.com/SwiftOnSecurity/status/601854610018414592

The featured image for this post is from Flickr user Jason Hollinger.

Good, solid SSL

2015-05-24T02:12:06+00:00

I’m in the middle of some major migrations and upgrades on the Arnesonium servers. So far, the results have been positive. For instance, the SSL/TLS configuration on my webserver is finally awesome. I’ve also got MaxCDN configured properly, so the entire website is now served via SSL/TLS only!

Here’s what the Qualys SSL Labs checker had to say:

Security Link Rodeo

2015-05-22T20:57:00+00:00

My four-week History of Cryptography class at Portland Underground Grad School is almost over. While I’ve had plenty of experience with speaking to audiences about difficult subjects, this has been my first time with an ongoing class. I think I’m learning as much as my students! Because this class has helped rekindle my passion for cryptography and computer security, this link rodeo is going to focus on those subjects.

Crypto superstar Bruce Schneier has written a good overview of the new Logjam attack against the Diffie-Hellman key exchange protocol. If you want to test your browser and various websites against the bug, check this website. The CloudFlare blog also has a good explanation of the Logjam attack.

https://twitter.com/NSA_PR/status/601163480499093505

GNU Privacy Guard (GnuPG) version 2.1.4 was released earlier this month. Read the announcement here. The exciting thing about the 2.1 releases is that they support elliptic curve cryptography (ECC), and allow you to create ECC public keys. I still find ECC difficult to understand, but here’s a pretty good introduction written by Nick Sullivan.

Finally, back in February, Moxie Marlinspike wrote about how he hopes OpenPGP will die someday. I, on the other hand, still use it regularly and enjoy it! In fact, I’m going to encourage you to check out the FSF Email Self Defense website so you can get started with encrypting your email today. When you’re ready, drop me a line using my OpenPGP key.

The featured image for this post is courtesy of Flickr user Jaymis Loveday.

New Release of OpenPGP for WordPress

2015-05-13T18:16:07+00:00

Version 1.3.0 of the OpenPGP Form Encryption for WordPress plugin is now available. It’s important to upgrade. It includes the following changes.

Updates OpenPGP.js to version 1.0.1
Tests the plugin against WordPress 4.2.2
Ensures that the browser can support OpenPGP.js

There are a few new features planned for this plugin. Expect a major version release in the next few months.

Check out the plugin page on the WordPress Plugin Repository.

The History of Cryptography at PUGS

2015-04-21T15:11:17+00:00

Portland Underground Graduate School (PUGS) has invited me to teach a class on the history of cryptography starting May 4th. The class will be four sessions and is very affordable: only $40!

We will cover the basics of cryptography, where it came from, and why it’s important. In addition, I will teach you how to use a number of manual cryptographic techniques. I’m really excited about this class, and I can’t wait to share my knowledge!

To learn more and to sign up, please visit the PUGS class listing here.

Should WordPress Encrypt All Email?

2015-04-13T15:13:43+00:00

WordPress sends out email sometimes, and it doesn’t encrypt any of them by default. Integration of WordPress and OpenPGP for a better security is a case study by Paweł Bulwan that examines the security implications of all of these emails. Are they leaking important information? Should WordPress site owners worry about them?

Only Limited Security Threats

Mr. Bulwan only found five potential security threats, which is pretty good news. None of them are show-stoppers. However, I believe he missed something important, which is that any information that is leaked about login credentials can cause issues. Leaked information can be used to limit an attacker’s problem space, reducing the complexity of an attack.

Mr. Bulwan’s idea of providing OpenPGP encryption for any emails that WordPress sends is a great one. In fact, if WordPress provided an OpenPGP API, it would spell the obsolescence of my OpenPGP Form Encryption for WordPress plugin.

That would be really cool.