#cryptographic


Did you know that #GNU/ #FSF has its own #darknet application and protocol stack?

What is #GNUnet?

GNUnet is an #alternative #network stack for building #secure, #decentralized and #privacy-preserving #distributed applications. Our goal is to replace the old insecure Internet protocol stack. Starting from an application for secure #publication of #files, it has grown to include all kinds of basic protocol components and applications towards the creation of a GNU internet.

Today, the actual use and thus the social requirements for a global network differ widely from those goals of 1970. While the Internet remains suitable for military use, where the network equipment is operated by a command hierarchy and when necessary isolated from the rest of the world, the situation is less tenable for civil society.

Due to fundamental Internet design choices, Internet traffic can be misdirected, intercepted, censored and manipulated by hostile routers on the network. And indeed, the modern Internet has evolved exactly to the point where, as Matthew Green put it, "the network is hostile".

We believe liberal societies need a #network #architecture that uses the #anti-authoritarian #decentralized #peer-to-peer paradigm and #privacy-preserving #cryptographic #protocols. The goal of the GNUnet project is to provide a Free Software realization of this ideal.
https://www.gnunet.org/en/index.html

But cryptography is hard. Until recently, institutions and individuals who need to run #cryptographic operations had to rely on specialists to review the code that their applications are running. Cryptography can protect our privacy and authenticate sources of important information. For #cryptography to work for the people, the people need to understand it.

The #chatmail #fosdem talk from @compl4xx is public. It goes into topics such as

- why chatmail servers?
- how to set up a server with your child
- (avoiding) spam filtering
- metadata and guaranteed end to end encryption in #deltachat
- #cryptographic #interoperability for email message routing

Thanks to attendees for the great energy even if it was the last talk of the day and also for questions and conversations afterwards!

ftp.fau.de/fosdem/2025/k4601/f

Scientists in #China use #quantum computers to crack military-grade #encryption — quantum attack poses a "real and substantial threat" to #RSA and #AES. According to a report published by the SCMP, the researchers utilized a #DWave #quantumcomputer to mount the first successful quantum attack on widely used #cryptographic algorithms.
tomshardware.com/tech-industry

The #cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas.
#security
arstechnica.com/security/2024/

Ars Technica · YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel · By Dan Goodin

#PuTTY #SSH client flaw allows recovery of #cryptographic #privatekeys
The vulnerability (CVE-2024-31497) was discovered by Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum and is caused by how PuTTY generates #ECDSA nonces (temporary unique cryptographic numbers) for the NIST P-521 curve used for SSH authentication. The main repercussion of recovering the private key is that it allows unauthorized access to SSH servers or signing commits as the developer.
bleepingcomputer.com/news/secu

The important role #OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.
The open source #cryptographic #software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, but it operates on a shoestring budget.
OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code.

Given that, perhaps we shouldn’t be surprised by the existence of #Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code.
Chief among them is probably the #Linux operating system #kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies.
Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that.
⭐️The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects⭐—with OpenSSL coming first.
Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit 💥at least $100,000 a year for at least three years💥 to the “#Core #Infrastructure #Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million.
The initiative will identify important open source projects that need help in addition to OpenSSL.

arstechnica.com/information-te

Ars Technica · Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL · IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source.

Does anyone have suggestions that can do #cryptographic signature verification of streaming data (as in a pipe)? The problem with #gpg in this case is that it will emit all the data out the pipe, only indicating with an exit code if the signature was good - at which point most of the data may have been processed. #SequoiaPGP is slightly better, withholding the last 25MB until things are fully verified.

I suspect I need something that signs blocks of the input. Does it exist? #askFedi

The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s #SigningKey

After leaving many questions unanswered, #Microsoft explains in a new postmortem the series of slipups that allowed attackers to steal and abuse a valuable #cryptographic key.
#privacy #security #encryption #china

wired.com/story/china-backed-h

WIRED · The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s Signing Key · By Lily Hay Newman

@skye We can gain some insights from benchmarks of other known systems. This answer, for instance, quantifies #security levels by measuring the effort needed to do a similar number of #hash operations as is denoted by the "security level" of a #cryptographic system.

So, let's say the "super computer" is all of the bitcoin miners on Earth today. They can do more than $2^{92}$ hashes a year. Let's make them 16 million times more powerful. 16 million is $2^{24}$. So, they'd be able to do more than $2^{92} \times 2^{24} = 2^{116}$ hashes a year. So, if these super miners were to try to guess the key for a single encrypted message that used a cipher with 128-bit security, then after a year of trying, they'd only have a $2^{-12}$ (or 1 / 4096) chance of finding the correct key.

(Passwords)[en.wikipedia.org/wiki/Argon2] are way easier to guess than (cryptographic)[en.wikipedia.org/wiki/Key_(cry] keys, so (memory-hard)[en.wikipedia.org/wiki/Memory-h] functions are often used to make it more difficult.

Cryptography Stack Exchange · How reassuring is 64-bit (in)security? · In Feb 2017, CWI and Google announced SHAttered hash collision attack on SHA1, which took $2^{63.1}$ work estimated 6500 CPU years, to achieve. Therefore, 64-bit should be considered now an insecur...