James Clapper to Front Privacy Review Committee

What happens when you’re the Director of National Intelligence and lie to Congress during a review of your actions that clearly violated the privacy of the American people? You’re appointed to head a review committee that is tasked with determining whether or not you violated the privacy of the American people:

At the direction of the President, I am establishing the Director of National Intelligence Review Group on Intelligence and Communications Technologies to examine our global signals-intelligence collection and surveillance capability.

The Review Group will assess whether, in light of advancements in communications technologies, the United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust.

I know many people are outraged by this but if you look at it from a political standpoint it makes sense. Congress was briefed on and approved the National Security Agency’s (NSA) widespread spying operations. Clapper provided Congress with an out by lying to it, which gave it the opportunity to claim it was misinformed about the NSA’s operations. Since Clapper was a good sport and gave Congress a means of covering its ass, he is being rewarded by being placed in a position where he can further cover Congress’s, and the president’s, ass.

Politics is a dirty game that rewards the meritless.

NSA Planning to Lay Off 90 Percent of Its System Administrators

In a mad panic to ensure another whistleblower doesn’t follow in the footsteps of Edward Snowden, the National Security Agency (NSA) is planning to eliminate 90 percent of its system administrators:

(Reuters) – The National Security Agency, hit by disclosures of classified data by former contractor Edward Snowden, said Thursday it intends to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information.

Keith Alexander, the director of the NSA, the U.S. spy agency charged with monitoring foreign electronic communications, told a cybersecurity conference in New York City that automating much of the work would improve security.

“What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” he said.

Although Keith Alexander is selling this move as a security enhancement, it’s really nothing more than shuffling potential weaknesses around within the NSA’s networks. In order to replace so many system administrators, their jobs will have to be automated, which will require developers to create new administrative tools. Instead of worrying about a system administrator leaking information to the public, the NSA will now have to worry about a backdoor being created in its new automation tools. As the Underhanded C Contest has demonstrated numerous times, hiding malicious code in plain sight is surprisingly easy. Replacing human administrators with automated systems will also give attackers a new source of potential exploits.

Lavabit Shutdown and Silent Circle Shutters Its E-Mail Service

Lavabit, the e-mail host that gained recent popularity by being the go-to host for Edward Snowden, has been forced to shut down. By the looks of it the order to shut down came from the glorious defender of freedom known as the United States government:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

Since Mr. Levison wrote that he’s unable, for legal reasons, to discuss why he’s being forced to shut down, it’s likely that he either received a national security letter or the National Security Agency (NSA) demanded he create a backdoor in his service lest he be harassed with legal charges for causing harm to national security.

As a preemptive move to avoid suffering the same fate, Silent Circle, another organization that attempts to provide means of secure communications, has shuttered its e-mail service:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Yesterday, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that in this case the worst decision is no decision.

Shutting down their e-mail service before receiving a national security letter or being coerced into installing a backdoor for the NSA is a smart move. At least Silent Circle is able to publicly discuss their reason for doing so, unlike Lavabit.

These shutdowns go to show how far this police state of a country has gone. An organization can’t even provide secure e-mail hosting without becoming a target of the state’s aggression. I can only hope Mr. Levison and the people at Silent Circle move their operations to a country that respects a man’s privacy, such as Iceland, so they can continue offering the services their customers want.

American Freedom

I really do enjoy the people who continue to say that the United States isn’t a police state. You have to admire somebody who can perform such blatant acts of cognitive dissonance without instantly suffering a mental breakdown. After all, nothing says “not a police state” like having a quarter of your population arrested:

We’ve heard a lot of talk lately about mass incarceration, the stop-and-frisk policies in New York, reforming the drug laws, and mandatory minimum sentencing. There’s also been discussion about over-criminalization — that we have too many laws, too broadly enforced — from groups as ideologically diverse as the Heritage Foundation, the ACLU, the Cato Institute, and the National Association of Criminal Defense Lawyers.

But here’s a related statistic that’s pretty mind blowing in and of itself: According to the FBI, in 2011 there were 3991.1 arrests for every 100,000 people living in America. That means over the course of a single year, one in 25 Americans was arrested.

While that statistic doesn’t tell the whole story, as each arrest of the same person is counted separately in the raw numbers, it does tell a frightening one nonetheless. The fact that there have been, on average, 399.1 arrests for every 100,000 people is insane. If such a statistic doesn’t prove that this country has too many laws on the books I don’t know what can.

How the Tables Have Turned

I wasn’t alive for the height of the Cold War but I remember my teachers constantly pounding into my head that the Soviet Union was a land where the government spied on everybody and any dissenter was whisked away to a labor camp. America was the land people defected to in order to flee the Soviet Union. The tables have turned. Edward Snowden revealed that the National Security Agency (NSA) has been spying on every American for years and, as a result, was forced to flee to Russia to seek asylum from the United States government, which was hunting him down like a rabid dog. Now, as a form of punishment for housing Snowden, Obama is calling off his meeting with Putin:

US President Barack Obama has cancelled a meeting with Russian President Vladimir Putin after Russia’s decision to grant asylum to intelligence leaker Edward Snowden, the White House said.

But Mr Obama will still attend the G20 economic talks in St Petersburg.

A White House aide said Mr Snowden’s asylum had deepened the pre-existing tension between the two countries.

The former intelligence contractor has admitted leaking information about US surveillance programmes to the media.

The decision to cancel the talks, announced during a trip by the president to Los Angeles, comes the morning after Mr Obama said he was “disappointed” with Russia’s decision to offer Mr Snowden asylum for a year.

If you ask me it sounds like Obama is rewarding Putin. Seriously, who wants to be stuck in a boring political meeting? Nothing exciting happens during those meetings. Two politicians, who are overly concerned with how they appear to the general public, make continuous bland statements that lack any real content just so they can appear on camera.

But it’s interesting to see how different things are today. Americans, fearing the wrath of the United States government, are forced to flee to Russia. The Cold War may restart because of the United States and its determination to have an all pervasive surveillance state without any dissenters.

What We Know About the Attack on Freedom Hosting

If you’ve been following this blog for any length of time you know that I’m a huge fan of location hidden services. While a huge chunk of the security community was busy at Defcon, the feds made their move against the largest hidden service provider, Freedom Hosting. Most media outlets have simply indicated that the Federal Bureau of Investigation (FBI) made a major strike against the world’s “largest child pornography dealer”:

US authorities are seeking the extradition of a 28-year-old Irishman described in the High Court by an FBI special agent as “the largest facilitator of child porn on the planet.”

Eric Eoin Marques appeared before Mr Justice Paul Gilligan on foot of an extradition request by the FBI, which alleges he is involved in the distribution of online child pornography.

The High Court yesterday put Mr Marques back in custody until next Thursday.

Fortunately we no longer have to rely exclusively on major media outlets for our news. Over at Bitcoin Talk, infested999 posted a far better summary of what went down. Mr. Marques is the owner of Freedom Hosting, which is a hosting service for Tor location hidden services. Unsurprisingly, distributors of child pornography have moved their operations to location hidden services and, also unsurprisingly, the FBI moved against the only entity it could identify, the owner of the hosting service. Since the nature of location hidden services prevents client and server identification, it’s difficult to determine who owns and operates a hidden website and who visits it. This is where the more interesting part of the story comes into play. Not only did the FBI seize Freedom Hosting, it also loaded malicious JavaScript onto the sites in an attempt to locate visiting clients:

Attackers exploited a recently patched vulnerability in the Firefox browser to uncloak users of the Tor anonymity service, and the attack code is now publicly circulating online. While the exploit was most likely designed to identify people alleged to have frequented a child porn forum recently targeted by the FBI, anonymity advocates say the code could be used against almost any Tor user.

A piece of malicious JavaScript was found embedded in webpages delivered by Freedom Hosting, a provider of “hidden services” that are available only to people surfing anonymously through Tor. The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person’s ISP. The exploit contained several hallmarks of professional malware development, including “heap spraying” techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsrklevich.

According to the Tor mailing list, the vulnerability used was specific to older versions of Firefox (the Tor Browser Bundle is based on Firefox 17), and users of the latest version of the Tor Browser Bundle weren’t affected. Separately, at some point in the Tor Browser Bundle’s history the developers decided to enable JavaScript by default; previously it was disabled by default. This recent exploit demonstrates why it’s important to run the latest version of your browser software and why JavaScript is, in general, a dangerous thing.

The exploit has been confirmed to phone home to an Internet Protocol (IP) address owned by the National Security Agency (NSA), adding further credence to the belief that the malicious JavaScript was inserted by an agency of the United States government to unveil Tor users.

From a technical standpoint this is an intriguing case. The FBI is beginning to adapt to hidden services. It has found a weak point, known providers of location hidden service hosting, and is using exploits in an attempt to locate anonymous users. It will be interesting to see what comes of this case.

Considerations Regarding Encryption: Cost to Benefit Analysis

Since I began advocating crypto-anarchy I’ve met a surprising amount of resistance from an unexpected group. Many of my fellows in the liberty movement have taken a defeatist approach to technology. Now that they know that the National Security Agency (NSA) is scooping up every data packet it can get its grubby hands on, an almost Luddite-esque sect has developed in the liberty movement. They believe that the Internet, and all forms of electronic communications, should be avoided because they feel that no force on Earth can stand up to the power of the federal government (an ironic attitude from a movement that advocates standing up to the federal government). These people have become critical of advocating cryptographic and anonymizing tools to protect against unwanted spying.

One of the criticisms they often raise is that the NSA can simply decrypt whatever data it captures. This belief partially stems from the belief that the state is omnipotent and partially from misunderstanding the purpose of encryption. In this post I plan to briefly address the latter (I believe I’ve sufficiently addressed the former in my extensive posting history).

Encryption isn’t a magic bullet that will prevent unauthorized individuals from reading your data for all eternity. It is a tool that stands to greatly delay an unauthorized individual from reading your data. Anything that has been encrypted can be decrypted. If that weren’t the case then encryption would be useless, as it would prevent authorized as well as unauthorized individuals from reading the data. There are numerous ways to decrypt encrypted data.

The first, and most obvious, method is getting a copy of the decryption key. In order to allow authorized individuals to read encrypted data there has to be a way to legitimately decrypt it. This is done by giving authorized individuals decryption keys. Decryption keys can take many forms including a pre-shared key that is known to both you and other authorized individuals and asymmetric keypairs, one of which is secret and (ideally) known only to you and another which is public.

The second method is brute force. A brute force attack, with regard to cryptography, involves trying every possible decryption key. While this method will eventually decrypt encrypted data, it’s very time consuming if proper cryptographic algorithms and practices are used. Depending on the amount of computational power available, decrypting the data via brute force may take years, decades, or (possibly) centuries. In other words, brute force attacks are expensive.

The third method is to exploit the encryption algorithm itself. This method is cheaper than brute force but it depends on finding an exploitable vulnerability in the algorithm used to encrypt the data. Depending on the algorithm used, this method can decrypt encrypted data very quickly or it can be impossible (at least for the time being).

Humans always perform a cost to benefit analysis before taking an action. The state is no different. While the NSA, theoretically, has a tremendous amount of computing power available to it, using that computing power isn’t free. Computing power requires time and electricity. So long as you have computers dedicated to decrypting one set of data you can’t dedicate them to decrypting other sets of data. It’s unlikely that the NSA is using brute force to decrypt every encrypted set of data it has intercepted. Instead, it is likely using brute force only after it has decided to target an individual.
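To put numbers on the “time and electricity” argument above, here is a small cost model for exhaustive key search. It is an added example, not code from the post; every adversary rate, energy figure and electricity price in it is a constructed assumption used only to show how key length turns into years and kilowatt-hours.

```python
"""Cost model for exhaustive key search (added example; all rates are assumptions)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
JOULES_PER_KWH = 3.6e6


def expected_guesses(key_bits: int) -> int:
    """A brute-force search hits the right key after, on average, half the key space."""
    return 1 << (key_bits - 1)


def brute_force_cost(key_bits: int, guesses_per_second: float,
                     joules_per_guess: float, usd_per_kwh: float) -> dict:
    """Expected wall-clock time and electricity bill for one exhaustive search."""
    n = expected_guesses(key_bits)
    seconds = n / guesses_per_second
    kwh = n * joules_per_guess / JOULES_PER_KWH
    return {
        "guesses": n,
        "years": seconds / SECONDS_PER_YEAR,
        "kwh": kwh,
        "usd": kwh * usd_per_kwh,
    }


def cost_ratio(longer_key_bits: int, shorter_key_bits: int) -> int:
    """How many times more work a longer key costs than a shorter one (2^difference)."""
    return expected_guesses(longer_key_bits) // expected_guesses(shorter_key_bits)


# Assumed adversary (constructed, not from the post): 10^18 guesses per second,
# one nanojoule per guess, electricity at 10 US cents per kWh.
ASSUMED_RATE = 1e18
ASSUMED_JOULES_PER_GUESS = 1e-9
ASSUMED_USD_PER_KWH = 0.10


def comparison_table(key_sizes=(56, 128, 256)) -> dict:
    """Brute-force cost for DES-sized, AES-128 and AES-256 keys under the assumptions above."""
    return {
        bits: brute_force_cost(bits, ASSUMED_RATE, ASSUMED_JOULES_PER_GUESS, ASSUMED_USD_PER_KWH)
        for bits in key_sizes
    }


if __name__ == "__main__":
    for bits, c in comparison_table().items():
        print(f"{bits:>3}-bit key: {c['years']:.3g} years, {c['kwh']:.3g} kWh, ${c['usd']:.3g}")
```

Under these assumptions a 56-bit key falls in a fraction of a second for about ten kilowatt-hours, while a 128-bit key costs on the order of 10^12 years; AES-256 costs another 2^128 times that. The exact figures depend entirely on the assumed rate, but the shape of the result is why brute force only makes sense against a specific target, never as a dragnet.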

Algorithm exploits are another concern. Many people believe that the NSA has exploits that allow it to decrypt data encrypted by every known algorithm. Those people often believe that the NSA also has backdoor access to every electronic device (which would make the former mostly irrelevant). Such knowledge still requires a cost to benefit analysis. While the cost in time and electricity is very low, the cost of revealing that it has an exploit is very high. Let’s say you encrypted your hard drive with AES-256 and the NSA had an exploit that allowed it to decrypt the drive. Now that it has that information it can use it to target you but, in so doing, it would have to reveal how it obtained that information. In other words, it would have to explain to a court that it has an exploit that allows it to decrypt AES-256 (many people may point out that they don’t have to give you a trial if they whisk you off to Guantanamo Bay, to which I would point out that they wouldn’t need evidence of wrongdoing either). After that information was revealed everybody wanting to hide information from the NSA would encrypt their information with a different, hopefully more secure, algorithm. Unless the NSA knew what algorithm its intended targets decided to use and had an exploit for that algorithm too, it would have effectively tossed away its most effective tool to get one person. The same risk applies to revealing information about backdoors installed in systems. That’s a tremendous cost.

That leaves us with the method of obtaining the decryption key. This is, most likely, the cheapest option for the NSA to use if it wants to target a specific individual. Even if an individual is unwilling to voluntarily provide their decryption key the NSA can always resort to rubber-hose cryptanalysis. Rubber-hose cryptanalysis relies on the use of coercion to get a decryption key from a target. An example of this method being used was a woman in Colorado who was held in contempt of court for refusing to decrypt her hard drive. By holding her in contempt until she decrypted her hard drive the state gave her an ultimatum: either rot in prison indefinitely or face the chance of rotting in prison if incriminating evidence is found on the decrypted hard drive. Another way to use rubber-hose cryptanalysis is physical force. If you torture somebody long enough they will almost certainly surrender a decryption key. I will point out that an agency willing to torture an individual to retrieve a decryption key is unlikely to concern itself with retrieving evidence in the first place, so the point would be moot.

Looking at the costs associated with the above mentioned decryption methods we can develop a rudimentary cost to benefit analysis. In most cases, for the state, the cheapest option is to simply get the decryption key from the user. Holding somebody in contempt of court for refusing to surrender their decryption key has a positive (for the state) side effect: the person is detained until they provide the decryption key. Such a case is win-win for the NSA because keeping you in a cage also takes you out of the picture. Brute force would likely be resorted to if the NSA was interested enough in decrypting the data that it would be willing to take the time and front the electrical cost of throwing a good amount of computing power at the task. In other words, it is unlikely to brute force every encrypted piece of data. Instead, it would likely use brute force only after it has decided to specifically target an individual. The only time the NSA would resort to an algorithm exploit (if it has one), in my opinion, is if the data is needed immediately and the consequences of any delay would be very high.

There are no magic bullets in security. Encrypting your data won’t prevent unauthorized individuals from reading it for all time. But encrypting your data raises the cost of reading it, which will likely deter fishing expeditions (decrypting all data and selecting people to target based on the decrypted information). By encrypting your data you will likely remain under the radar unless the NSA has some other reason to target you. If that is the case it won’t matter whether you use modern technology or not. Once you’re a target the NSA can use old fashioned surveillance methods such as bugging your dwelling or dedicating an individual to follow you around. There is no sense in handicapping yourself in order to avoid Big Brother. Big Brother can watch you whether you use a cell phone or only communicate with individuals in person. If you use the best tools available you can enjoy almost the same level of security using modern communication technology as you enjoy when having face-to-face discussions.

Bradley Manning Facing Over a Century in a Cage for Doing the Right Thing

The whole trial of Bradley Manning finally concluded yesterday. Manning was acquitted of the most severe charge, aiding the enemy, but was found guilty of 19 other charges:

FORT MEADE, Md. — Bradley Manning, the Army intelligence analyst who laid bare America’s wars in Iraq and Afghanistan by covertly transmitting a massive trove of sensitive government documents to WikiLeaks, has been convicted on 19 of 21 charges, including 6 counts of espionage. He was found not guilty of aiding the enemy, the most serious and controversial charge laid against him.

[…]

Manning now faces up to 136 years in prison on his convictions.

Over a century in a cage for revealing war crimes? The message being sent by the state is quite clear. While the state can intercept and listen to our phone calls, collect and read our e-mails, keep records of our purchases, and otherwise collect intelligence on us without our knowledge, the agreement isn’t reciprocal. Or, to put it more succinctly:


Image courtesy of the Punk Rock Libertarians Facebook page.

The state wants to maintain tabs on every person but will throw anybody who attempts to maintain tabs on it into a cage for the rest of their miserable life. Charges of cowardice were aimed at Edward Snowden when he fled the country but Manning’s trial demonstrates that Snowden did the smart thing. Staying in the United States after revealing its misdeeds is a recipe for disaster.

The Price of a Pervasive Surveillance State

In an unsurprising turn of events it appears as though the National Security Agency’s (NSA) pervasive surveillance operation is having some negative consequences (besides making the serfs all uppity):

Two years ago, I was interviewing the CIO of a major Canadian healthcare organization for a story on cloud computing, and asked if he had considered using US cloud providers or software-as-a-service. He said that he couldn’t even begin to consider those because of concerns over Canadian patient privacy laws—not just because of differences between US and Canadian laws, but because of the assumption that NSA would gain access to patient records as they crossed the border.

At the time, the concern might have sounded a bit paranoid. But now that those concerns have been validated by the details revealed by Snowden, US cloud providers are losing existing customers from outside the US, according to the CSA study. The survey of members of the organization found that 10 percent of non-US member companies had cancelled contracts with US providers as a result of revelations about PRISM.

The PRISM revelations are also making it harder for US companies to get new business abroad. Of the non-US respondents to the survey, 56 percent are now less likely to consider doing business with a US service provider. And 36 percent of respondents from US companies said that the Snowden “incident” was making it harder for them to do business overseas.

The serfs aren’t the only people upset by the NSA’s antics. Online service providers, who need to please the serfs enough to convince them to sign up for online services, aren’t very happy either. I’m sure the potential economic impact was one of the key reasons that the NSA kept its program so quiet (if people start making a mass exodus away from the services the NSA is using to spy on people then they won’t be able to spy on those people as effectively).

The Feds Want Everything

The federal government sure is a grabby little bastard. First it taps all of our phones and Internet connections and now it’s demanding passwords and Secure Sockets Layer (SSL) certificates. Let’s start with their demands that online service providers hand over their customers’ passwords:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.'”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

The difficulty of handing over user passwords is that any system administrator worth his salt (pun intended, deal with it) only stores a hash of the password. For those of you who don’t know, a hash is the result of a one-way algorithm. You put some text in and the hashing algorithm gives you some output. Ideally, the input cannot be recovered from the output and the algorithm gives a different output for each unique input. Salts are added to the input of the hashing algorithm to trip up word list attacks: hashing the salt together with the password produces a different output than hashing the clear text password alone, so a table of hashes precomputed from a word list no longer matches anything in the database.

Assuming the system administrator or software developer properly implemented this system (which is difficult to do), receiving the password hashes would do the federal government very little good. It may be able to reverse individual passwords given enough time and computing power, but reversing every user’s password is almost certainly outside its capabilities. I would be less concerned about the federal government receiving and reversing my password than I would be about it resorting to rubber-hose cryptanalysis to obtain it.
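The two paragraphs above describe what “properly implemented” password storage looks like. The following is an added example, not code from the post or from any provider it names, showing the weak scheme (a bare hash, identical for every user) beside the proper one (a random per-user salt fed into a slow key derivation) and why a precomputed word-list table only helps against the former. The word list and the PBKDF2 iteration count are constructed for the demonstration.

```python
"""Password storage with per-user salts (added example; word list is constructed)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a word list of common passwords.
WORD_LIST = ["password", "123456", "letmein", "qwerty", "hunter2"]
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this demo


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password, the same for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The proper scheme: a slow, salted key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str):
    """What a well-run service keeps on disk: a random salt and the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def precomputed_table(words) -> dict:
    """A table built once from a word list; it can only match unsalted hashes."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hex: str, table: dict) -> Optional[str]:
    """Instant recovery if the stored value is a bare hash of a word-list entry."""
    return table.get(stored_hex)


def demo() -> dict:
    """Contrast the two schemes on the same weak password."""
    table = precomputed_table(WORD_LIST)
    weak = unsalted_hash("password")
    salt_a, strong_a = store_password("password")
    _salt_b, strong_b = store_password("password")
    return {
        "unsalted_recovered": lookup(weak, table),          # "password"
        "salted_recovered": lookup(strong_a.hex(), table),  # None
        "same_password_same_hash": strong_a == strong_b,    # False: salts differ
        "verifies": verify_password("password", salt_a, strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note what the salted record hands over: a salt and a derived value that has to be recomputed, at 100,000 iterations, for every guess against every user. That per-user cost is the whole point of the salt, and it is why a dump of properly stored hashes is of limited use to whoever receives it.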

The other thing the federal government has apparently been demanding from online service providers is their SSL private keys:

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

Having a service provider’s SSL private key would allow a malicious individual to intercept and decrypt any SSL secured traffic going to or coming from that provider’s network. This concern can be put to rest if service providers begin implementing forward secrecy (which I enabled on this site beginning last month). Forward secrecy negotiates temporary session keys for each SSL connection. The temporary keys are used to encrypt and decrypt data going between a service provider and a customer. After the session concludes the keys, at least ideally, are disposed of. Implementing forward secrecy means that an attacker is unable to decrypt recorded SSL secured traffic even if they later come into possession of the server’s private key. Unfortunately, as a recent study by Netcraft noted, very few service providers currently implement forward secrecy (leading one to wonder why a guy operating a free blog is able to implement security technologies before multi-billion dollar corporations). It would be wise, especially in light of recent developments, to put pressure on service providers to implement forward secrecy.
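The mechanism described above is easiest to see side by side. The following is an added example, not this site’s configuration or any provider’s code: one exchange where the client sends the session key wrapped under the server’s long-term key (the pre-forward-secrecy RSA style), one where both sides use one-time Diffie-Hellman exponents and the long-term key only authenticates, and then what a recorded handshake yields to someone who obtains the long-term key afterwards. The Diffie-Hellman group is a toy and HMAC stands in for RSA signing and encryption; both are constructed for illustration only.

```python
"""Forward secrecy demonstration (added example; toy group and toy 'RSA' stand-ins)."""
import hashlib
import hmac
import secrets

# Toy group: the Mersenne prime 2^61 - 1 with generator 2. Real deployments use
# 2048-bit+ MODP groups or elliptic curves (ECDHE); this is only for illustration.
P = (1 << 61) - 1
G = 2


def _wrap(key: bytes, nonce: bytes, long_term: bytes) -> bytes:
    """Toy stand-in for encrypting to the server's public key: XOR with a keystream
    derived from the long-term key. Unwrapping is the same operation."""
    keystream = hmac.new(long_term, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, keystream))


def static_key_transport(server_long_term: bytes):
    """No forward secrecy: the client chooses the session key and sends it wrapped."""
    nonce = secrets.token_bytes(16)
    session_key = secrets.token_bytes(32)
    transcript = {"mode": "static", "nonce": nonce,
                  "wrapped_key": _wrap(session_key, nonce, server_long_term)}
    return session_key, transcript


def ephemeral_dh(server_long_term: bytes):
    """Forward secrecy: one-time DH exponents; the long-term key only signs."""
    a = secrets.randbelow(P - 2) + 1  # client's ephemeral secret
    b = secrets.randbelow(P - 2) + 1  # server's ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)
    public_values = A.to_bytes(8, "big") + B.to_bytes(8, "big")
    signature = hmac.new(server_long_term, public_values, hashlib.sha256).digest()
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)  # both sides derive the same secret
    session_key = hashlib.sha256(b"session" + shared.to_bytes(8, "big") + public_values).digest()
    del a, b, shared  # ephemeral material is discarded once the session key exists
    transcript = {"mode": "ephemeral", "public_values": public_values, "signature": signature}
    return session_key, transcript


def verify_handshake(transcript: dict, server_long_term: bytes) -> bool:
    """What the long-term key is for in the ephemeral exchange: authenticity only."""
    expected = hmac.new(server_long_term, transcript["public_values"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, transcript["signature"])


def recover_with_long_term_key(transcript: dict, server_long_term: bytes):
    """What a later compromise of the long-term key yields from a recorded handshake."""
    if transcript["mode"] == "static":
        # The wrapped session key unwraps directly: every recorded session is readable.
        return _wrap(transcript["wrapped_key"], transcript["nonce"], server_long_term)
    # Ephemeral mode: the exponents never crossed the wire and were deleted,
    # so the recording contains nothing the long-term key can decrypt.
    return None


if __name__ == "__main__":
    lt = b"constructed-server-long-term-key"
    sk, tr = static_key_transport(lt)
    print("static:    recovered ==", recover_with_long_term_key(tr, lt) == sk)
    ek, et = ephemeral_dh(lt)
    print("ephemeral: recovered ==", recover_with_long_term_key(et, lt))
```

The caveat that matters operationally: forward secrecy protects sessions that were recorded before the key leaked. A party holding the server’s private key can still impersonate the server in new connections, which is why a leaked key must still be revoked and replaced.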

While it’s annoying that the federal government has become a surveillance state, there are technologies that allow us to mitigate many of their demands. We live in a world where the spying powers of the state are incredible but the power to avoid surveillance is also very powerful. The state is a collection of a handful of individuals fighting the rest of the world. With such high odds against it, the state will be unable to win in the long run.