do you know a lot about internet security shit or is that different? do you know what makes i2p better than tor?

let’s just scratch out that second sentence, i’m not going to help you do whatever sick child porn shit or whatever you’re trying to do

computer security is a broad topic. it can refer to things like file permissions, which are pretty simple. your user on your machine shouldn’t be allowed to read, for example, /etc/master.passwd as it contains sensitive information (password hashes). it can refer to things like antivirus software if you’re using a terrible operating system susceptible to those sorts of things. these things are boring and stupid, respectively.

“internet security shit” is a lot more interesting. it involves a ton of parts and spans many disparate fields and disciplines. it is, sans exaggeration, one of if not the most complicated topics in computing. when you type https:// instead of http:// and get that little green lock icon in your browser bar, there are billions of enormously delicate & precarious things going on that hopefully guarantee a secure line of communication between you and whatever server you’re talking to & absolutely nobody else (even though that data is flowing through dozens of nodes between you & the server)

let’s explore some of these billions of things to try and give you a better idea *cracks knuckles*

cryptography is the foundation of computer security. cryptography (crypto) refers to the practice of taking some data and manipulating it in a way that is beneficial to you and most importantly disadvantageous to derelict parties trying to break your crypto. crypto is used for a lot of stuff you probably wouldn’t think it’d be used for, but first let’s cover the obvious case:

you use crypto algorithms to encrypt data such that it can be decrypted into its original form some time afterwards. when you encrypt your data, you turn it into a bunch of meaningless slop that does not resemble what it originally was. if you encrypt a text file and try and open it, you will be met with a bunch of goofy looking characters and weird line breaks et cetera. this is because your text file is no longer a text file, and no longer contains data representing letters and numbers and such

coming up with these algorithms is hard enough. you can very easily make a super-strong encryption algorithm, much stronger than AES, at the cost of needing many more resources (time, computing power, entropy, etc.) to encrypt/decrypt. you have to balance these factors to make an algo that’s secure enough to work for a number of years against the power of modern computers whose performance is rapidly increasing, but fast enough to be suitable for real-world uses

AES (advanced encryption standard) is an algorithm that encrypts data. it is extremely complicated. coming up with algorithms that encrypt data is not a job for me, not a job for an engineer. it is the job of mathematicians specializing in cryptography. the logic that goes behind developing algorithms like AES relies on the idea of non-computability. computers today are enormously fast and breaking crypto usually involves a computer making millions of guesses per second as to how to decode encrypted data. it makes a guess, checks to see if the output resembles readable data or properly formatted files or whatever, and then keeps going if it doesn’t. right now we rely on the fact that computations involving prime numbers are extremely resource-expensive to computers, which makes decrypting AES-encrypted data from scratch take as much time as the universe will exist, even with all the computing power in the world working constantly

generating huge prime numbers is a tough process. they need to be chosen “randomly” (as if the selection process was anything but random, an attacker could easily replicate it and skip the hard process of trying to guess them) but computers don’t really do “random” that well. this is where mathematicians’ job starts to end and my job as a computer engineer starts to begin. since computers are wholly deterministic machines, they can’t just “come up” with random numbers. we must provide them from an outside source in the form of entropy.

entropy is a fancy word for digital data that comes from a source that can’t readily be guessed. ideally, this comes from something like a hardware sensor detecting the radioactive decay of an isotope: a truly random process relying on the quantum nature of small energetic particles that cannot be observed, period. there is computer hardware in real life that does this, used mostly by national agencies and militaries and whatnot (they pay a real pretty penny for it too heheh). however in the case of your computer or my computer, we use a bunch of less-random sources like clock drift, which refers to the difference between your computer’s hardware clock and an authoritative clock (like a caesium atomic clock) that can be checked over a network via NTP. your piece of shit computer can’t keep time like an atomic clock can, and the slow desynchronization that inevitably results is a somewhat random phenomenon. another example is something like hardware interrupts coming from a hard drive which are the result of very small changes in temperature or air pressure inside the hard drive that throw off the read/write head. shit like that is not guessable but also not guaranteed to be constantly happening, hence the need to mix

your computer’s entropy is a great attack vector as it can’t be re-used (that wouldn’t be random, would it!). a malicious program can eat up all your entropy, leaving legitimate encryption programs with a bunch of crap that will be used to generate bad, non-random, deterministic crypto that can be broken

so once you have a good entropy source & a secure crypto algorithm/cipher, you’re all good right? no way. there are a ton of crafty, truly genius tricks people can pull to skirt the whole “non-computability” issue and break your encryption. examples of these tricks are timing attacks & side channel attacks. timing attacks are a side effect of how good networked computers are at synchronizing their time in the year 2015. on a wired, stable connection, you can get your computer clock within a couple hundred nanoseconds of whatever computers (NTP servers, usually) you’re synchronizing with. this is allowable as average network latency, or the time that transpires between you sending a packet over the internet and another computer receiving it at the other end, has fallen drastically in the last decade. since computer clocks are very closely synced, and because you can keep track of other computers on the network very very closely, it follows you can deduce approximately how long certain cryptographic operations are taking, which sheds light on what the juicy secrets (usually decryption keys) you’re after could be. you can’t know exactly what these secret keys are, and you certainly need to know exactly what they are for them to be of any use. however, with the information deduced from your timing attack, you have eliminated an enormous number of possible values the key you’re after could be. sometimes, you eliminate so many that straight-up guessing all the values left becomes a realistic endeavor. this is known as key space reduction

side channel attacks are a broad category of attacks that utilize the side effects of the computational cryptographic process to deduce the values of secret keys/etc. these are often totally unexpected and hilarious. for example, certain types of RAM make very absolute and specific noises you can easily attenuate to with a somewhat sensitive microphone. you can stick a microphone up real close to the DIMM sticks on a motherboard, and write a DSP program that translates the noises it picks up (at specific intervals) to real world values. since the key you’re after must exist in memory at some point in time, you can grab it this way. another example involves monitoring the electricity consumption of a target machine extremely closely. assuming you can feed a target machine some dummy data to encrypt or decrypt or whatever, you can profile its power usage and ascribe current draw increments/decrements to probability graphs which can be later used against the non-dummy data you’re trying to get

i touched on, literally, about 10% of what i wanted to in this post and i encourage you and anyone else to ask me questions about computer security

to answer your question, yes i do know just a tiny bit about “internet security shit”
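
An added example, not part of the original post, for the point above that a selection process which is anything but random can be replicated: a key drawn from a deterministic PRNG seeded with a timestamp, next to one drawn from the operating system's CSPRNG. The timestamp `T0`, the one-hour window and all function names are constructed for the illustration.

```python
import math
import random
import secrets

T0 = 1420070400          # constructed timestamp (2015-01-01 00:00:00 UTC)
WINDOW = 3600            # assumption: the creation time is known to within an hour

def weak_key(seed, nbytes=16):
    """Key from a deterministic PRNG: same seed in, same key out."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def strong_key(nbytes=16):
    """Key from the OS CSPRNG, which is fed by the kernel's entropy pool."""
    return secrets.token_bytes(nbytes)

def seeds_matching(key, start=T0, window=WINDOW):
    """Audit helper: which seeds in the window regenerate this exact key?"""
    return [s for s in range(start, start + window)
            if weak_key(s, len(key)) == key]

def effective_bits(window=WINDOW):
    """Real strength of a time-seeded key: log2 of the number of possible seeds."""
    return math.log2(window)

if __name__ == "__main__":
    k_weak = weak_key(T0 + 1234)      # "generated" 1234 s into the window
    k_strong = strong_key()
    print("weak key reproduced by seeds  :", seeds_matching(k_weak))
    print("strong key reproduced by seeds:", seeds_matching(k_strong))
    print("nominal bits: 128, effective bits: %.1f" % effective_bits())
```

The 128-bit key seeded from the clock is only as strong as the roughly 12 bits of uncertainty in its seed; the fix is to take key material from `secrets` or `os.urandom` and never from `random`.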
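
An added example, not part of the original post, for the timing-attack and key space reduction passage above: an early-exit byte comparison whose work grows with the length of the correct prefix, next to a comparison that does the same work for every input. Step counts stand in for elapsed time so the result is deterministic; `SECRET` and all function names are constructed for the illustration.

```python
import hmac

SECRET = bytes.fromhex("a1b2c3d4e5f60718")  # constructed 8-byte sample key

def leaky_equal(secret, guess):
    """Early-exit compare. Returns (equal, steps); steps stands in for elapsed time."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:              # bails out at the first wrong byte
            return False, steps
    return True, steps

def constant_equal(secret, guess):
    """Looks at every byte regardless of where the first mismatch is."""
    steps = 0
    diff = len(secret) ^ len(guess)
    for i in range(len(secret)):
        steps += 1
        diff |= secret[i] ^ (guess[i] if i < len(guess) else 0)
    return diff == 0, steps

def guess_with_prefix(n):
    """Constructed guess: first n bytes right, every later byte wrong."""
    return SECRET[:n] + bytes(b ^ 0xFF for b in SECRET[n:])

def profile(compare):
    """Work done by `compare` as the correct prefix grows from 0 to len(SECRET)."""
    return [compare(SECRET, guess_with_prefix(n))[1] for n in range(len(SECRET) + 1)]

def remaining_keyspace(key_len, known_prefix):
    """Candidates left once the leading `known_prefix` bytes are known."""
    return 256 ** (key_len - known_prefix)

if __name__ == "__main__":
    print("leaky   :", profile(leaky_equal))
    print("constant:", profile(constant_equal))
    print("keyspace:", remaining_keyspace(8, 0), "->", remaining_keyspace(8, 6))
    # in real code use the standard library's constant-time compare
    print("stdlib  :", hmac.compare_digest(SECRET, guess_with_prefix(8)))
```

The leaky profile climbs one step per correct byte while the constant one stays flat, which is why secret comparisons belong in `hmac.compare_digest` rather than `==` or a hand-written loop.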