Archive for the ‘Crypto-Anarchism’ tag
There has been a lot of bad stories and comments about Vault 7, the trove of Central Intelligence Agency (CIA) documents WikiLeaks recently posted. Claims that the CIA has broken Signal, can use any Samsung smart television to spy on people, and a whole bunch of other unsubstantiated or outright false claims have been circulating. Basically, idiots who speak before they think have been claiming that Vault 7 is proof that privacy is dead. But that’s not the case. The tools described in the Vault 7 leak appear to be aimed at targeted surveillance:
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
The threats of mass surveillance and targeted government surveillance are very different. Let’s consider Signal. If the CIA had broken Signal it would be able to covertly collect Signal packets as they traveled from source to destination, decrypt the packets, and read the messages. This would enable mass surveillance like the National Security Agency (NSA) has been doing. But the CIA didn’t break Signal, it found a way to attack Android (most likely a specific version of Android). This type of attack doesn’t lend itself well to mass surveillance because it requires targeting specific devices. However, if the CIA wants to surveil a specific target then this attack works well.
Avoiding mass surveillance is much easier to deal with than defending yourself against an organization with effectively limitless funds and a massive military to back it up that specifically wants your head on a platter. But unlike mass surveillance, very few people have to actually deal with the latter. And so far the data released as part of Vault 7 indicates the surveillance tools the CIA has developed are aimed at targeted surveillance so you most likely won’t have to deal with them.
Privacy isn’t dead, at least so long as you’re not being specifically targeted by a three letter agency.
WikiLeaks dropped a large archive of Central Intelligence Agency (CIA) leaks. Amongst the archive are internal communications and documents related to various exploits the CIA had or has on hand for compromising devices ranging from smartphones to smart televisions.
I haven’t had a chance to dig through the entire archive yet but there’s one thing that everybody should keep in mind.
The government that claims to protect you, that many people mistakenly believe protects them, has been hoarding vulnerabilities and that has put you directly in harm’s way. Instead of reporting discovered vulnerabilities so they could be patched, the CIA, like the NSA, kept them secret so it could exploit them. Since discovery of a vulnerability doesn’t grant a monopoly on its use, the vulnerabilities discovered by the CIA may very well have been discovered by other malicious hackers. Those malicious hackers could, for example, be exploiting those vulnerabilities to spread a botnet that can be used perform distributed denial of service attacks against websites to extort money from their operators.
Remember this the next time some clueless fuckstick tells you that the government is there to keep you safe.
While I haven’t had a chance to read through the archive, I have had a chance to read various comments and reports regarding the information in the archive. By doing this I’ve learned two things. First, the security advice posted by most random Internet denizens is reminiscent of the legal advice posted by most sovereign citizens. Second, the media remains almost entirely clueless about information security.
Case in point, a lot of comments and stories have said that the archive contains proof that the CIA has broken Signal and WhatsApp. But that’s not true:
It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able see what users are typing and reading before it becomes encrypted.
There is a significant difference between breaking the encryption protocol used by a secure messaging app and breaking into the underlying operating system. The first would allow the CIA to sit in the middle of Signal or WhatsApp connections, collect packets being sent to and from Signal and WhatsApp clients, and decrypting the packets and reading the contents. This would allow the CIA to potentially surveil every WhatsApp and Signal user. The second would allow the CIA to target individual devices, compromise the operating system, and surveil everything the user is doing on that device. Not only would this compromise the security of Signal and WhatsApp, it would also compromise the security of virtual private networks, Tor, PGP, and every other application running on the device. But the attack would only allow the CIA to surveil specific targeted users, not every single user of an app.
The devil is in the details and a lot of random Internet denizens and journalists are getting the details wrong. It’s going to take time for people with actual technical knowhow to dig through the archive and report on the information they find. Until then, don’t panic.
I don’t have a lot of material for you today since I was busy prepping for tonight’s CryptoPartyMN meeting.
Tonight we’ll be discussing how cryptography can be used to defend against phishing scams. Everybody is welcome. We’re meeting at Rudolphs Bar-B-Que at 6:30 pm.
After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has change in eight years so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.
The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:
These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.
Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.
If you’re planning to partake in activism you should do a few trail runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s best to screw up when it doesn’t matter than to screw up when you could face real world consequences.
What happens when a government attempts to censor people who are using a secure mode of communication? The censorship is bypassed:
Over the weekend, we heard reports that Signal was not functioning reliably in Egypt or the United Arab Emirates. We investigated with the help of Signal users in those areas, and found that several ISPs were blocking communication with the Signal service and our website. It turns out that when some states can’t snoop, they censor.
Today’s Signal release uses a technique known as domain fronting. Many popular services and CDNs, such as Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly, and Akamai can be used to access Signal in ways that look indistinguishable from other uncensored traffic. The idea is that to block the target traffic, the censor would also have to block those entire services. With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet.
Censorship is an arms race between the censors and the people trying to communicate freely. When one side finds a way to bypass the other then the other side responds. Fortunately, each individual government is up against the entire world. Egypt and the United Arab Emirates only have control over their own territories but the people in those territories can access knowledge from anywhere in the world. With odds like that, the State is bound to fail every time.
This is also why any plans to compromise secure means of communication are doomed to fail. Let’s say the United States passes a law that requires all encryption software used within its borders to include a government backdoor. That isn’t the end of secure communications in the United States. It merely means that people wanting to communicate securely need to obtain tools developed in nations where such rules don’t exist. Since the Internet is global access to the goods and services of other nations is at your fingertips.
State socialism is quickly reaching its inevitable conclusion in Venezuela. The economy is in shambles. The nation’s currency, the bolivar, is in a state of hyperinflation, which makes buying even a loaf a bread with it difficult. While the Venezuelan government scrambles to maintain its control over the people the people are adapting. One of the adaptions they’re making is using an alternative currency, one that is effectively impossible for the Venezuelan government to control. That currency is, of course, Bitcoin:
Amid growing economic chaos, and the highest inflation rate in the world, some Venezuelans are swapping bolivars for bitcoins in order to buy basic necessities or pay their employees
The digital currency is free from central bank or government controls, and users in Venezuela see it as a safe alternative in an economy where the government has enforced strict foreign exchange controls, and inflation is running at an estimated 500%.
This week, Venezuelans rushed to unload 100-bolivar bills – the largest denomination – after the government announced that it would be withdrawn from circulation on Wednesday in what it described as a move against profiteering.
Mainstream economists have been decrying Bitcoin since it started becoming popular. Since the currency isn’t issued by a central bank the mainstream economists have declared it worthless. But the value of Bitcoin continues to rise. When I last checked it was around $800 per Bitcoin. Why does Bitcoin continue to succeed in spite of mainstream economists? Because mainstream economists are fools.
All of the things mainstream economists criticize Bitcoin for are actually important features. Not being controlled by a central bank means that a government can control it. Venezuela can’t just decide to withdraw Bitcoin or print more of it. The fact that there is a cap on the total amount of Bitcoin that will ever exist is also an important feature. Without the ability to print an infinite amount of Bitcoin no government can inflate it. The lack of inflation means that Bitcoin can be a safe method of preserving one’s purchasing power over time (a fancy way of saying savings). Bitcoin’s pseudoanonymity can protect users from the prying eyes of the State, which means it can be used in countries where the State would rather see people starve to death than utilize a currency it isn’t issuing.
Bitcoin’s popularity will likely continue to increase as more national currencies collapse. As its popularity continues to increase the technical limitations, the only valid criticisms against Bitcoin, will continue to be addressed and addressed more rapidly.
When a service describes itself as anonymous how anonymous is it? Users of Yik Yak may soon have a chance to find out:
Yik Yak has laid 70 percent of employees amid a downturn in the app’s growth prospects, The Verge has learned. The three-year-old anonymous social network has raised $73.5 million from top-tier investors on the promise that its young, college-age network of users could one day build a company to rival Facebook. But the challenge of growing its community while moving gradually away from anonymity has so far proven to be more than the company could muster.
But growth stalled almost immediately after Sequoia’s investment. As with Secret before it, the app’s anonymous nature created a series of increasingly difficult problems for the business. Almost from the start, Yik Yak users reported incidents of bullying and harassment. Multiple schools were placed on lockdown after the app was used to make threats. Some schools even banned it. Yik Yak put tools in place designed to reduce harassment, but growth began to slow soon afterward.
Yik Yak claimed it was an anonymous social network and on the front end the data did appear anonymous. However, the backend may be an entirely different matter. How much information did Yik Yak regularly keep about its users? Internet Protocol (IP) addresses, Global Positioning System (GPS) coordinates, unique device identifiers, phone numbers, and much more can be easily collected and transmitted by an application running on your phone.
Bankruptcy is looking like a very real possibility for Yik Yak. If the company ends up filing then its assets will be liquidated. In this day and age user data is considered a valuable asset. Somebody will almost certainly end up buying Yik Yak’s user data and when they do they may discover that it wasn’t as anonymous as users may have thought.
Not all forms of anonymity are created equal. If you access a web service without using some kind of anonymity service, such as Tor or I2P, then the service has some identifiable information already such as your IP address and a browser fingerprint. If you’re access the service through a phone application then that application may have collected and transmitted your phone number, contacts list, and other identifiable information (assuming, of course, the application has permission to access all of that data, which it may not depending on your platform and privacy settings). While on the front end of the service you may appear to be anonymous the same may not hold true for the back end.
This issue becomes much larger when you consider that even if your data is currently being held by a benevolent company that does care about your privacy that may not always be the case. Your data is just a bankruptcy filing away from falling into the hands of somebody else.
A while back I wrote a handful of introductory guides on using Pretty Good Privacy (PGP) to encrypt the content of your e-mails. They were well intentioned guides. After all, everybody uses e-mail so we might as well try to secure it as much as possible, right? What I didn’t stop to consider was the fact that PGP is a dead end technology for securing e-mails not because the initial learning curve is steep but because the very implementation itself is flawed.
I recently came across a blog post by Filippo Valsorda that sums up the biggest issue with PGP:
But the real issues I realized are more subtle. I never felt confident in the security of my long term keys. The more time passed, the more I would feel uneasy about any specific key. Yubikeys would get exposed to hotel rooms. Offline keys would sit in a far away drawer or safe. Vulnerabilities would be announced. USB devices would get plugged in.
A long term key is as secure as the minimum common denominator of your security practices over its lifetime. It’s the weak link.
Worse, long term keys patterns like collecting signatures and printing fingerprints on business cards discourage practices that would otherwise be obvious hygiene: rotating keys often, having different keys for different devices, compartmentalization. It actually encourages expanding the attack surface by making backups of the key.
PGP, in fact the entire web of trust model, assumes that your private key will be more or less permanent. This assumption leads to a lot of implementation issues. What happens if you lose your private key? If you have an effective backup system you may laugh at this concern but lost private keys are the most common issue I’ve seen PGP users run into. When you lose your key you have to generate a new one and distribute it to everybody you communicate with. In addition to that, you also have to resign people’s existing keys. But worst of all, without your private key you can’t even revoke the corresponding published public key.
Another issue is that you cannot control the security practices of other PGP users. What happens when somebody who signed your key has their private key compromised? Their signature, which is used by others to decide whether or not to trust you, becomes meaningless because their private key is no longer confidential. Do you trust the security practices of your friends enough to make your own security practices reliant on them? I sure don’t.
PGP was a jury rigged solution to provide some security for e-mail. Because of that it has many limitations. For starters, while PGP can be used to encrypt the contents of a message it cannot encrypt the e-mail headers or the subject line. That means anybody snooping on the e-mail knows who the parties communicating are, what the subject is, and any other information stored in the headers. As we’ve learned from Edward Snowden’s leaks, metadata is very valuable. E-mail was never designed to be a secure means of communicating and can never be made secure. The only viable solution for secure communications is to find an alternative to e-mail.
With that said, PGP itself isn’t a bad technology. It’s still useful for signing binary packages, encrypting files for transferring between parties, and other similar tasks. But for e-mail it’s at best a bandage to a bigger problem and at worst a false sense of security.
I’m always on the lookout for good guides on privacy and security for beginner’s. Ars Technica posted an excellent beginner’s guide yesterday. It covers the basics; such as installing operating system and browser updates, enabling two-factor authentication, and using a password manager to enable you to use strong and unique passwords for your accounts; that even less computer savvy users can follow to improve their security.
If you’re not sure where to begin when it comes to security and privacy take a look at Ars’ guide.
Everybody should have been suspicious of the giant unadorned building in New York City that looks like something ripped right out of the 1984 movie. As it turns out the building’s appearance betrays its purpose as it is part of the Orwellian surveillance state:
THEY CALLED IT Project X. It was an unusually audacious, highly sensitive assignment: to build a massive skyscraper, capable of withstanding an atomic blast, in the middle of New York City. It would have no windows, 29 floors with three basement levels, and enough food to last 1,500 people two weeks in the event of a catastrophe.
But the building’s primary purpose would not be to protect humans from toxic radiation amid nuclear war. Rather, the fortified skyscraper would safeguard powerful computers, cables, and switchboards. It would house one of the most important telecommunications hubs in the United States — the world’s largest center for processing long-distance phone calls, operated by the New York Telephone Company, a subsidiary of AT&T.
Documents obtained by The Intercept from the NSA whistleblower Edward Snowden do not explicitly name 33 Thomas Street as a surveillance facility. However — taken together with architectural plans, public records, and interviews with former AT&T employees conducted for this article — they provide compelling evidence that 33 Thomas Street has served as an NSA surveillance site, code-named TITANPOINTE.
Inside 33 Thomas Street there is a major international “gateway switch,” according to a former AT&T engineer, which routes phone calls between the United States and countries across the world. A series of top-secret NSA memos suggest that the agency has tapped into these calls from a secure facility within the AT&T building. The Manhattan skyscraper appears to be a core location used for a controversial NSA surveillance program that has targeted the communications of the United Nations, the International Monetary Fund, the World Bank, and at least 38 countries, including close U.S. allies such as Germany, Japan, and France.
TITANPOINTE? Again, we have a National Security Agency (NSA) codename that sounds really stupid. Considering how obvious they were trying to be with the building design and such were I the NSA I’d have just called the project BIGBROTHER.
TITANPOINTE appears to be another example of the public-private surveillance partnership I periodically bring up. While all of the cellular providers are in bed with the State to some extent, AT&T appears to have a very special relationship with the NSA. From Room 641A to 33 Thomas Street we have seen AT&T grant the NSA complete access to its services. This means that any surveillance performed by AT&T, which is often considering “safe” surveillance by many libertarians because it’s done by a private entity, becomes NSA surveillance without so much as a court order. Since your phone calls and text messages are available to AT&T they’re also available to the NSA.
Fortunately, you can take some measures to reduce the information available to AT&T and the NSA. While standard phone calls and text messages are insecure, there are several secure communication tools available to you. Apple’s iMessage is end-to-end encrypted (but if you backup to iCloud your messages are backed up in plaintext and therefore available to Apple) as are WhatsApp and Signal. I generally recommend Signal for secure messaging because it’s easy to use, the developers are focused on providing a secure service, and it has a desktop application so you can use it from your computer. None of these applications are magic bullets that will fix all of your privacy woes but they will reduce the amount of information AT&T and the NSA can harvest from their position in the communication routing system.