Encryption as Agorism

Encryption as agorism is something I’ve been thinking about recently.

Agorism, at least in my not so humble opinion, involves both withholding resources from the state and making the state expend the resources it currently possesses. Bleed them dry and not allow a transfusion if you will.

Widespread surveillance is relatively cheap today because a lot of data is unencrypted. This is unfortunate because encryption greatly raises the resources necessary to implement a widespread surveillance system.

Let’s assume the conspiracy theorists are correct and the government is in possession of magical supercomputers derived from lizard people technology. Even with such a magical device the cost of breaking encryption is greater than the costs of viewing plaintext data. In order to even know whether or not encrypted data may be useful you must decrypt it. Until it’s decrypted you have no idea what you’ve collected. Is it a video? Is it a phone call? Is it an e-mail? Who knows!

Now let’s look at reality. Even if the state possesses powerful computers that can break encryption in a useful amount of time those systems aren’t cheap (if they were cheap we would all have them). Any system dedicated to breaking a piece of encrypted data is unable to be used for other tasks. That means the more encrypted data that needs to be broken the more supercomputers have to be operated. And supercomputers take a ton of power to operate. On top of that you also need cryptanalysts with the knowledge necessary to break encryption and they don’t work cheap (nor are they in abundance). Because encryption is constantly improving you need to keep those cryptanalysts on hand at all times. You also need coders capable of taking the cryptanalysts’ knowledge and turning it into software that can actually do the work. And I haven’t even gotten into the costs involved in maintaining, housing, and cooling the supercomputers.

The bottom line is using encryption can certainly be seen as a form of agorism if you’re operating under a surveillance state like we are in the United States. Spying on individuals using encrypted data requires far more resources than spying on individuals using plaintext communications. Therefore I would argue that agorists should work to ensure as much data as possible is encrypted.

At Least It’ll Be a Legal Surveillance State Now

A lot of people arguing against the National Security Agency’s (NSA) mass surveillance apparatus are doing so by pointing out its illegal nature. The Fourth Amendment and a bunch of other words on pieces of paper have been cited. It looks like our overlords in Washington DC have finally tired of hearing these arguments. They’re now using their monopoly on issuing decrees to make state spying totally legal in every regard:

Last night, the Senate passed an amended version of the intelligence reauthorization bill with a new Sec. 309—one the House never has considered. Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.

To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.

There you have it, all those arguments about NSA spying being illegal can finally be put to rest!

This is why I don’t hold out any hope for political solutions. So long as you rely on your rulers to define what is and isn’t legal you are forever at their mercy. And they are very interested in keeping you under their boots. But technical solutions exist that can render widespread spying, if not entirely impotent, prohibitively expensive. Many have pointed out to me that if you are targeted by the government you’re fucked no matter what. That is true. If the government wants you dead it’s well within its power to kill you. The task is not to save yourself if you are being targeted though. What cryptography tools do is keep you from being a target and raise the costs involved in pursuing you if you become a target.

It costs very little for agencies such as the NSA to slurp up and comb through unencrypted data. Encrypted data is another story. Even if the NSA has the ability to break the encryption it has no way of knowing what encrypted data is useful and what encrypted data is useless without breaking it first. And breaking encryption isn’t a zero cost game. Most people arguing that the NSA can break encryption use supercomputers as their plot device. Supercomputers aren’t cheap to operate. They take a lot of electricity. There are also the costs involved in hiring cryptanalysts capable of providing the knowledge necessary to break encryption. People with such a knowledge base aren’t cheap and you need them on hand at all times because encryption is constantly improving. The bottom line is that the more encrypted data there is the more resources the state has to invest into breaking it. Anonymity tools add another layer of difficulty because even if you decrypt anonymous data you can’t tie it to anybody.

Widespread use of cryptography makes widespread surveillance expensive because the only way to find anything is to crack everything. Political solutions are irrelevant because even if the rules of today make widespread surveillance illegal the rulers of tomorrow can reverse that decision.

POODLE Attack Capable of Bypassing Some TLS Installations

SSLv3 is dead and POODLE killed it. After news of the attack was made public web administrators were urged to finally disable SSLv3 and only use TLS for secure communications. But the security gods are cruel. It turns out that some installations of TLS are vulnerable to the POODLE attack as well:

On Monday, word emerged that there’s a variation on the POODLE attack that works against widely used implementations of TLS. At the time this post was being prepared, SSL Server Test, a free service provided by security firm Qualys, showed that some of the Internet’s top websites—again, a list including Bank of America, VMware, the US Department of Veteran’s Affairs, and Accenture—are susceptible. The vulnerability was serious enough to earn all sites found to be affected a failing grade by the Qualys service.

Qualys’s SSL Labs testing tool is a wonderful piece of software. It tests for various SSL vulnerabilities including this new POODLE exploit. Using it I was able to confirm, quite happily, that this site is not vulnerable (check out that sexy A rating). But I’m a dick so I also checked a few other sites to see what everybody else was doing. My favorite result was Paypal’s gigantic F rating:

[Image: SSL Labs report showing Paypal’s F rating]

Paypal is a major online transaction provider. You would think that their server administrators would be keeping everything as locked down as possible. But they’re apparently sleeping on the job. It should be embarrassing to a company like Paypal that a single individual running a few hobby sites has tighter security.

But if you administer any websites you should check your setup to make sure your secure connections are up to snuff (and unsecured connections are disabled entirely because it’s 2014 and nobody should be communicating across the Internet in the clear).

GPGTools on OS X Yosemite

I finally upgraded my main system to OS X Yosemite. Why didn’t I upgrade it earlier? Because GPGTools, which I use for secure e-mail communications, wasn’t compatible with the new version of Mail. However the great team working on GPGTools released a beta earlier this month of a compatible version of their tools.

I’m happy to report that the beta works quite well (at least as far as my testing is concerned). One thing to keep in mind is that the GPGTools team is going to charge for the final release of this updated tool. I have no problem with this because they do excellent work and have committed themselves to keeping the tool set open source. But Thunderbird and the Enigmail plugin are still free, which is something you may want to consider.

Encrypt Your Hard Drive

Modern versions of Windows, Linux, and Mac OS all have built-in utilities to completely encrypt the contents of your hard drives. Use these tools. Many people don’t encrypt their drives because they believe they have nothing to hide. But encrypting your drive also protects against individuals altering the contents on your drive. This can be very valuable.

While an operating system will attempt to prevent unauthorized users from altering files or installing software when it has been booted, it will be rendered powerless if another method is used to boot the system, such as a boot disk. An encrypted hard drive, on the other hand, cannot be written to (any alteration of the encrypted data will appear to be garbage when you attempt to decrypt the drive) unless it is decrypted with the appropriate key.

That means an encrypted disk will prevent an attacker with physical access from installing software keyloggers, rootkits, and other potentially troublesome forms of malicious software.

I spent a decent portion of last night helping somebody deal with this scenario. As a related side note if you suspect your jealous and/or abusive significant other of having installed surveillance software on your system feel free to contact me. I will provide what assistance I can and I won’t charge a dime.

Another Reason to Implement HTTPS Everywhere

There is no reason for a website to not at least have an HTTPS connection available to users. When websites like StartSSL provide free certificates the old excuse of costs is no longer even applicable. Computer hardware has improved to the point where offering secure connections isn’t really that big of a drain on a server. And HTTP is just plain dangerous. Not only can any traffic sent over HTTP be viewed by anybody between the two communicating points but it can be altered without either point knowing. That is what Verizon is now doing to its customers’ HTTP traffic:

Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.

X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.

[…]

In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments. If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.

This is a dirty trick only made possible over unsecured connections. Secure connections, in addition to preventing anybody in between two communicating points from snooping on the communications, also provide mechanisms to verify that the data wasn’t altered when traversing between its start and end points. This is done with a wonderful algorithm called hash-based message authentication codes (HMAC). If the contents of the message are altered in any way the HMAC will not match and the receiver can verify that the message received doesn’t match the message that was sent. HTTP, unfortunately, has no way of providing this functionality so there is no way to know whether or not the data has been altered in transit.
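The tamper detection described above, as an added example that is not part of the original post: a simplified model of a MAC-protected record (not TLS's actual record format) in which a constructed request gains the X-UIDH header in transit. The function names, the sample request, and the random key standing in for a session key are assumptions.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

# Constructed sample request; the X-UIDH value is the one quoted in the post.
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
UIDH = b"X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw"

def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # The MAC also covers a sequence number, so records cannot be replayed or reordered.
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: append an HMAC-SHA256 tag to the payload."""
    return payload + _tag(key, seq, payload)

def verify(key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver: return the payload, or raise ValueError if the record was altered."""
    if len(record) < TAG_LEN:
        raise ValueError("record too short to carry a tag")
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    # compare_digest is constant-time, so the comparison leaks nothing about the tag.
    if not hmac.compare_digest(tag, _tag(key, seq, payload)):
        raise ValueError("MAC mismatch: record altered in transit")
    return payload

def inject_header(request: bytes, header: bytes) -> bytes:
    """Stand-in for an on-path middlebox adding a header line to a request."""
    head, sep, body = request.partition(b"\r\n\r\n")
    return head + b"\r\n" + header + sep + body

def is_rejected(key: bytes, seq: int, record: bytes) -> bool:
    try:
        verify(key, seq, record)
        return False
    except ValueError:
        return True

def demo() -> dict:
    key = os.urandom(32)  # stands in for the session key only the two endpoints hold
    record = protect(key, 0, REQUEST)
    # The middlebox can rewrite the payload but cannot recompute the tag without the key.
    tampered = inject_header(record[:-TAG_LEN], UIDH) + record[-TAG_LEN:]
    return {
        "plain_http_sees": inject_header(REQUEST, UIDH),  # no check is possible here
        "intact_accepted": verify(key, 0, record) == REQUEST,
        "injection_rejected": is_rejected(key, 0, tampered),
        "replay_rejected": is_rejected(key, 1, record),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Over plain HTTP the receiver has nothing to check the modified request against, which is why the injected header arrives unnoticed.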

The bottom line is HTTP needs to die and HTTPS needs to replace it for every website.

Google Releases Chrome Extension for End-to-End E-Mail Encryption

As with most large corporations, I have a love/hate relationship with Google. The company’s practices as far as selling customer data disturb me but it releases a large number of really good products. Last week Google announced an alpha release of a Chrome extension that is meant to make e-mail encryption easier:

Developers at Google have released an experimental tool—for Gmail and other Web-based services—that’s designed to streamline the highly cumbersome task of sending and receiving strongly encrypted e-mail.

On Tuesday, the company unveiled highly unstable “alpha” code that in theory allows people to use the Google Chrome browser to generate encryption keys, encrypt e-mails sent to others, and decrypt received e-mails. Dubbed End-to-End, the Chrome extension also allows Chrome users to digitally sign and verify digital signatures of e-mails sent through Gmail and other services. The code implements a fully compliant version of the OpenPGP standard, which is widely regarded as providing virtually uncrackable encryption when carried out correctly.

OpenPGP is a great tool for communicating securely over e-mail. However using OpenPGP can be difficult for newcomers as it requires some technical knowledge. I haven’t had a chance to play with this extension yet but if it makes using OpenPGP with popular webmail providers easier it could be significant. Key management has traditionally been the biggest hurdle for newcomers to OpenPGP and if this extension can help make that easier it will really boost OpenPGP’s ease of use.

Google May Be Looking at Prioritizing Encrypted Sites in Search Results

One of the things that I believe to be unnecessary in this day and age is unencrypted sites. When certificate authorities offer free certificates for personal use there are no real barriers left preventing the adoption of HTTPS on every website. Google may agree as it appears that it is looking into prioritizing websites that use HTTPS in its search results:

In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.

The executive, Matt Cutts, is well known in the search world as the liaison between Google’s search team and website designers who track every tweak to its search algorithms.

Cutts also has spoken in private conversations of Google’s interest in making the change, according to a person familiar with the matter. The person says Google’s internal discussions about encryption are still at an early stage and any change wouldn’t happen soon.

I hope that the person familiar with the matter is correct. The information leaked by Edward Snowden demonstrated to all of us that an insecure Internet is no longer a viable option. We need to move to an Internet where all information is encrypted. Doing so wouldn’t just make it harder for organizations like the NSA to spy on our communications but it would also make it more difficult for malicious hackers to intercept user authentication information. By prioritizing encrypted sites Google could help convince more site administrators to use HTTPS for their sites.

Cryptocat for iOS

I’ve been experimenting with Cryptocat with a few friends for several months now. For those of you who haven’t heard of it, Cryptocat is an Off-the-Record (OTR) messaging client that runs as a browser plugin. I’m a fan. Cryptocat has undergone and passed at least one security audit, which makes the developers’ claims of security far more credible than those of many other clients. More importantly, as somebody who is trying to convince people to use secure communication systems, Cryptocat is easy to use. After spending some time trying to convince people to use secure methods of communication I’ve learned that the primary barrier is effort; the more effort a system requires the less apt people are to use it. Of course there are downsides to everything and the biggest downside to Cryptocat has been its lack of a mobile client.

Fortunately that issue has been partially resolved with the introduction of Cryptocat for iOS. I’ve been playing with it for roughly one week now and am impressed. The interface is straightforward, the client has no issue logging into Cryptocat conversations, and you receive iOS notifications when a new message appears in a conversation. Unfortunately, due to Apple’s restrictions, Cryptocat is only able to run in the background for a few minutes before it’s unceremoniously killed. Since Cryptocat rooms don’t maintain a history of posted messages (by design) you can’t catch up on any messages sent between the time your client is killed and you log back in. But when you’re working on Apple’s system you have to play by Apple’s rules.

I’m hoping an Android client will be released soon. Once that’s done a vast majority of smartphones will be able to access Cryptocat rooms, which will make the system more viable. Who knows, someday OTR may become commonly used for text communications.

Applied Crypto Hardening

I spend a lot of time urging people to utilize available cryptographic tools to secure their data. While I also admit that using cryptographic tools is less convenient than not and involves a learning curve, I believe that everybody has a duty to take their online self-defense into their own hands. To this end a group of people have gotten together and written a white paper that helps individuals utilize cryptographic features in popular software packages:

This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

Initiated by Aaron Kaplan (CERT.at) and Adi Kriegisch (VRVis), a group of specialists, cryptographers and sysadmins from CERTs, academia and the private sector joined forces to write such a concise, short guide.

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open sourced, every step in the creation of this guide is public, discussed on a public mailing list and any changes to the text are documented in a publicly readable version control system.

The document itself can be downloaded here [PDF]. I haven’t read through the entire guide but it is obviously still being written as there are quite a few omissions. But what is there is good information, albeit information devoid of theory, which is OK. You have to start somewhere and enabling these features without fully understanding them is still better than not enabling them at all.