Bruce Schneier
Schneier on Security
A blog covering security and security technology.

February 8, 2008

Mujahideen Secrets 2

Mujahideen Secrets 2 is a new version of an encryption tool, ostensibly written to help Al Qaeda members encrypt secrets as they communicate on the Internet. A bunch of sites have covered this story, and a couple of security researchers are quoted in the various articles. But quotes like this make you wonder if they have any idea what they're talking about:

Mujahideen Secrets 2 is a very compelling piece of software, from an encryption perspective, according to Henry. He said the new tool is easy to use and provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version.

No one has explained why a terrorist would use this instead of PGP -- perhaps they simply don't trust anything coming from a U.S. company. But honestly, this isn't a big deal at all: strong encryption software has been around for over fifteen years now, either cheap or free. And the NSA probably breaks most of the stuff by guessing the password, anyway. Unless the whole program is an NSA plant, that is.

My question: the articles claim that the program uses several encryption algorithms, including RSA and AES. Does it use Blowfish or Twofish?

Posted on February 8, 2008 at 5:39 AM • 55 Comments

"provides 2,048-bit encryption, an improvement over the 256-bit AES encryption"

They could have switched to RC4.

Posted by: Paeniteo at February 8, 2008 6:26 AM

"But quotes like this make you wonder if they have any idea what they're talking about"

Of course it could be that the cryptologically illiterate media simply misinterpreted what the "security expert" said.
After all, in many respects supporting 2K-bit RSA, with private keys that don't need to be moved around, is more secure than raw 256-bit AES with shared secrets, which are likely to be hashed passwords that as you rightly point out might be guessed. That complex statement could easily be mis-quoted and/or poorly edited into "the new 2048 encryption is better than the only 256 bit encryption".

Posted by: Nicko at February 8, 2008 7:08 AM

@Bruce,

Bruce, you mention Blowfish and Twofish. Would you have an issue if they were being used?

Posted by: Paul Slade at February 8, 2008 7:26 AM

When people don't understand the principles behind a technology they push the numbers. 2048 is higher than 256, sure. And the lemmings go and eat that bait.

What I think of this? First there was never a problem in making 2048 bit keys for RSA or even bigger ones. The only sense this could make is:

1) making a name by pushing numbers

And I of course -I assume- this software is not opensource anymore but a compiled product. I surely don't know but "easy to use" sounds like this. Would be a quite nice job from the NSA to set such a trap - a cyphersoftware with a trapdoor in it and a signature that differs from everything that's on the mainstream.

If it's like I say, we will see a nice little media blowup about this and some revival of "encryption should be better controlled" and "only who has to hide something is using encryption" by certain political fractions.

Posted by: Hanno at February 8, 2008 7:28 AM

Darn, I nearly laughed myself to death. This quote is especially hilarious:

"Of note is the map in the background that provides locations of their global network."

http://blogs.csoonline.com/a_gift_from_the_islamic_faithful_network_mujahedeen_secrets_2_program

I guess the whole point of this exercise is to make as many ppl as possible die of laughter. If it is so, then teh Terrerists win

Posted by: a_lex at February 8, 2008 8:00 AM

"Does it use Blowfish or Twofish?"
@Bruce,

Posted by: aikimark at February 8, 2008 8:17 AM

There's some irony in the fact that two of the inventors of RSA are Jewish (and one of those is actually Israeli). I wonder if they realise this.

Posted by: Cairnarvon at February 8, 2008 8:18 AM

@Cairnavon: yes, but they used Arabic numerals to do it. The irony just never stops, does it?

Posted by: Trichinosis USA at February 8, 2008 8:25 AM

@Trichinosis USA & @Cairnavon: Among the big contributions of the Arabic numeral system is the zero, signifying "nothing" but doing a lot. Try doing heavy duty mathematics with, say, Roman numerals or the Hebrew letters as number systems. The zero -- صفر - Sifr -- was so mysterious to many people and, eventually, the Arabic word led to the term cypher or cipher.

Posted by: J.D. Abolins at February 8, 2008 8:36 AM

It is curious why this software instead of using PGP. Distrust of a US company might be a reason but there are international versions and the source code is open. Maybe it is a morale thing. "Look we've got our own Mujahideen security tools, properly branded!"

What next? Windows notepad for Mujahideen?

Posted by: Zelig at February 8, 2008 8:44 AM

It's obvious to me that the 2048 bits of encryption is quoted to subliminally impress the veracity of the report.

Posted by: jdbertron at February 8, 2008 9:00 AM

@Trichinosis
Posted by: sooth_sayer at February 8, 2008 9:00 AM

@J.D. Abolins

>>@Trichinosis USA & @Cairnavon: The zero -- صفر - Sifr -- was so mysterious to many people and, eventually, the Arabic word led to the term cypher or cipher.<<

What a load of crap, Decimal number system, Zero as well as Infinity are Hindu contributions to mathematics, not Arabic; Know thy history.. it's not that hard. Here is a link "http://en.wikipedia.org/wiki/0_%28number%29"

Posted by: sooth_sayer at February 8, 2008 9:09 AM

In the program you can choose between Twofish, Rijndael, Mars, RC6 and Serpent.

Posted by: kraven at February 8, 2008 9:30 AM

@sooth_sayer

Hahahaha!!!!one1 You just told someone that they should know their history like you were all enlightened, but then you accidentally let the cat out of the bag. You didn't know this bit of history previous to posting! Admit the truth. You just looked this stuff up on wikipedia to look smart didn't you?

Posted by: shadow at February 8, 2008 9:36 AM

@shadow

I looked up wikipedia to include the link for smarty pants like you .. who won't believe me unless I pointed out an accepted source. Given time I can find who your real father is .. so don't mess with me.

Posted by: sooth_sayer at February 8, 2008 9:43 AM

@soot_sayer

not wanting to start a flame war I'm going to limit myself to one simple response.

"Given time I can find who your real father is "

WTF? Not that I would even care, but seriously wtf? Take your medication in the morning please.

Posted by: shadow at February 8, 2008 10:02 AM

@J.D. Abolins:

Posted by: John Ridley at February 8, 2008 10:33 AM

Not only does this program not seem to provide anything more than PGP or equivalents, having it installed on your computer would be supremely stupid. These days, people will get suspicious if you have PGP installed, but what if you go through customs and the nice people there find "Mujahideen 2" on your laptop?
I tend to think that people as (self-)destructively fanatic as your next-door terrorists need to be relatively stupid. But that stupid? It somehow makes me feel more secure.

@Bruce: I think you should publicly distance yourself from the *fish ciphers before it's too late. I bet aiding and abetting can be quite bad in terrorism cases.

Posted by: dlg at February 8, 2008 10:36 AM

You are allowed to try this program for 30 days. If you continue to use it past the 30 day trial, please send $15 to Osama. Upon payment you will receive a registration code that will disable this pop-up.

Wouldn't the FIRST thing you'd do as the US government be to replace whatever binary is being downloaded with your own version that allows you to quickly crack any "encrypted" messages? Or wouldn't you fake the whole thing just to find the wannabes out there?

Posted by: Brandioch Conner at February 8, 2008 10:46 AM

The thing is Blowfish and Twofish were not created by Schneier alone either -- IF at all. Little do any of you know Schneier himself is an NSA plant!

Posted by: Savik at February 8, 2008 11:01 AM

Bruce, I've been guessing for the last year or so that Mujahideen Secrets is just a wrapper/GUI for GPG...

Posted by: Nemo at February 8, 2008 11:25 AM

Zero is actually alien technology that was brought to earth centuries ago to help the Egyptians to build the pyramids.

Posted by: smartalix at February 8, 2008 11:32 AM

Why would they put an M16 on the splash screen when the AK47 is AQ's preferred weapon? Unless of course, as Admiral Akbar so clearly said "It's a trap!"

Posted by: Peter at February 8, 2008 11:34 AM
*** "Now, you can send secret messages just like Osama bin Laden does! With Mujahideen Secrets 2, your secret plans to topple America will be safely hidden behind 2,048-bit encryption! But that's not all! If you call within the next five minutes, you'll also receive a vial of unidentified white powder! Don't delay! Call 1-888-672-8727! That's 1-888-NSA-TRAP! Call now!" ***

Posted by: Nick Lancaster at February 8, 2008 11:39 AM

If it doesn't use blowfish/twofish, it's because terrorists have been reading Schneierfacts and they're afraid Bruce can brute-force their crypto with his fists.

Posted by: Pat Cahalan at February 8, 2008 12:03 PM

I love the splash screens! It could only be better if they fired off a really loud sound sample on startup, of someone screaming "Terrororororist sittin over here! The guy with the panicky look in his eyes!"

Also "Activate Stealthy Cipher". Someone has watched the transformers movie.

Posted by: dragonfrog at February 8, 2008 12:09 PM

@sooth_sayer,JD: *cough* Mayan numerals *cough*

Posted by: Durable Alloy at February 8, 2008 12:14 PM

I would love to be a fly on the wall when terrorists were deciding what algorithm to use:

"So what's the deal Khalid, our brothers in Barcelona, New York, Istanbul, Madrid, and London have all been arrested by the infidels, and you want to use 3DES? Come on."

"Look Ahmed, it's better than AES, I don't trust AES."

"Why not? If it's good enough for NIST, it's good enough for Al Qaeda."

"Please, they chose it for speed and ignored security completely. Hell, it was ten-round Rijndael that was tested for speed, and this was just after the Counterpane team cracked nine-round variant."

"Yeah yeah yeah I get the point, Twofish got robbed. So you're saying we should use Twofish?"

"No, but definitely not AES."

"So what, then? Because I refuse to use 3DES."

"Well, RSA is still unbroken, that combined with a longer key length maybe ..."

"Oh give me a break Khalid, did you seriously not read Bernstein's number field sieve circuit paper?"

...

Posted by: Timmy303 at February 8, 2008 2:03 PM

I hope they do use Twofish, because that means the government can crack the terrorist's communications. I know it's true, because it was on 24.

Posted by: Sean O'Hara at February 8, 2008 2:08 PM

CTU doesn't need block cipher cryptanalysts, they just need Jack Bauer and some lamp cord.

Posted by: Timmy303 at February 8, 2008 2:18 PM

@Trichinosis

Also re: zero, it's true the Mayas came up with it first, but the Indians developed it independently, and it's through them the rest of the world got it.

Posted by: Cairnarvon at February 8, 2008 2:28 PM

Why would someone ask such an asinine question as to the use of PGP? I think Mr. Schneier is a self licking ice cream cone. The NSA wouldn't take him. His ego wouldn't fit through their doors.

Posted by: BTCrypie at February 8, 2008 5:13 PM

@Nick Lancaster

I'd guess that the average "terrorist" that would use this tool is some frustrated, alienated, unemployed 20-something who sits in his bedroom and pretends his life is important by sending secret messages to all his 20-something buddies. Since the splash screen shows an M-16 and American law enforcement specializes in just this kind of suspect, I'd guess it was put out by Homeland Security. What better proof that that lonely, disaffected 20 year old is a real terrorist than finding "Mujahideen Secrets 2" on his computer?

I can't wait for "Mujahideen Voice Secrets". (Then they declare Phil Zimmermann a terrorist sympathizer, ban cryptography and install Clipper chips in all our communications devices. Or maybe someone just writes that into "24".)

Posted by: Leo at February 8, 2008 5:29 PM

What's the stinger missile equivalent for Bruce to shoot at Mujahideen Secrets 2?

I've heard that Al Gore invented all the zeroes on the Internet.
:-)

Posted by: aikimark at February 8, 2008 5:32 PM

After taking a quick look at the program it looks like it's written in Borland Delphi 5.

Posted by: av at February 8, 2008 6:01 PM

@aikimark: re Al Gore

Only partially true. Al actually invented chat rooms and blog-comment forms, which then attracted all the zeros that were aimlessly floating around in the real world.

Posted by: Anonymous at February 8, 2008 6:06 PM

@Mr. Mostel

No, no, no. Al Gore made a law about using zero on the internet. He's a secret Hindu (although there are rumors he's also involved with the Mayans). You know how those Democrats are about pushing their alien religions on America.

Posted by: Leo at February 8, 2008 6:22 PM

"Bruce, you mention Blowfish and Twofish. Would you have an issue if they were being used?"

Not in the least. I would add it to my list of products that use those algorithms, though.

Posted by: Bruce Schneier at February 9, 2008 8:14 AM

The security "expert" who helped the journalist with the evaluation of the program was J.M. Berger, who considers himself an expert on a bunch of other issues as well including but not limited to national politics, fighting terrorism, and even science, where his major "contribution" is his unpublished book called "Quantum Chakras." Guess how much science you will find in a book with such a name...

Posted by: Dmitry at February 9, 2008 11:21 AM

"I would add it to my list of products that use those algorithms, though."

LULZ. Laden's endorsement of John Kerry's campaign in 2004 was a hell of a feather in Kerry's cap ...

Posted by: Timmy303 at February 9, 2008 12:32 PM

begin quote ---
Not in the least. I would add it to my list of products that use those algorithms, though.

I'll second the opinion that Bruce needs to distance himself from *fish'es ASAP, otherwise his next *fish might have to be written while he is enjoying his nice "vacation" in Guantanamo :-) "Aiding and abetting" can be quite a b!tch ...
Posted by: only_half_kidding at February 9, 2008 4:05 PM

All of the better encryption algorithms and anonymization tools get used by persons, enterprises, and organizations all along the good-bad moral/behavioral continuum. Alarmed persons who demand nonuse of or distancing from any encryption algorithm or anonymization tool used by terrorists and criminals would not be quite so judgmental, perhaps, if presented with the names of some of its “good-guy” users.

Posted by: Sedgequill at February 9, 2008 5:01 PM

A German blogger actually tried out the program thoroughly and made some fun about it (sorry, linking to German language blog entry).

Posted by: ths at February 10, 2008 8:48 AM

@ths: I'm far from shocked if the list of algos == the list of AES finalists. Those are the five most-studied unclassified block ciphers since DES.

Posted by: Randall at February 10, 2008 4:39 PM

J.D. Abolins: The Indians claim they invented zero and the Arabs brought it with them out of India to other parts of the world.

Posted by: Anonymous at February 11, 2008 2:10 PM

Mujahideen Clippy: It looks like you're planning jihaad. Would you like assistance?

Even better if it's Ad supported.

Posted by: -ac- at February 11, 2008 4:42 PM

I'm surprised that no one has mentioned the threat of another attack on the basic freedom of speech implicit in this comment:

"Berger added that there is a "robust discussion" taking place within the counterterrorism community over the issue of online forums such as al-Ekhlaas being hosted on U.S.-based servers. Some people believe it is easier to monitor what’s going on in the forums when they are hosted on U.S.-based servers, he said. Others, though, want the Web sites to be taken down immediately."

Posted by: guvn'r at February 12, 2008 11:48 PM

Several comments on the Mujahideen Secrets topic...

First, Bruce thank you for covering this topic.

For Bruce's question "Does it use Blowfish or Twofish?"
I've looked briefly at the first version of the Mujahideen Secrets software (asrar.exe) from GIMF and it offers these options for "Symmetric Cipher Algorithm" --

I am very thankful for Bruce taking a look at the reports on the Mujahideen Secrets software. The topic needed a look by somebody with cryptography expertise.

The general reporting on this software has been jumbled and sometimes off on various details. Much of this I attribute to problems tech press has in covering this type of software. Cryptography tools present the challenge of analyzing and explaining the crypto qualities.

The developers of programs such as Mujahideen Secrets and the e-jihad DDOS tool seek obscurity in the distribution of their wares. They don't put up the software and source code on, say, sourceforge and certainly don't send review copies to the tech media. So the tech press reporters are getting little glimpses of the software from various sources who will talk to the tech press. Many people who've examined the software and have expertise are not talking to the press. I'm not saying that all the sources talking to the press lack expertise, not at all, just saying that the reporters are working with second and third hand information, never getting a full picture of a category of software that is challenging to review.

The security by obscurity in the distribution presents a cost to the developers and users. No chance for examination and probing for vulnerabilities that can lead to fixes. Not likely to see Bugtraq reports on Mujahideen Secrets vulnerabilities.

But the Mujahideen Secrets software lacks obscurity in a different way. Its interface, keys, and other things clearly indicate a "Mojahedeen" connection. Maybe it was branding for morale and psyops boost. Plausible deniability is shot for a user if somebody spots the user interface or other artifacts of the software.
Maybe the branding is a creation of a pool of users who'll be a distraction to the watchers while others use tools like pgp or gpg that are better tested and hide better in a large crowd of diverse users. Gpg comes pretty as standard part of Linux distros and its presence doesn't hint of affiliations.

The psychological effects of the "branding" also seem to work on the reporting of the software. Like the e-jihad DDOS tool "cyberjihad attack on Nov 11th" reporting last

Posted by: Majhul (Anonymous) at February 15, 2008 8:47 AM

"LULZ. Laden's endorsement of John Kerry's campaign in 2004 was a hell of a feather in Kerry's cap ..."

Was it really him or another cyber phantom courtesy of Langley? :-)

Posted by: Vince at February 18, 2008 3:04 AM
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.