The Sorry State of E-Mail

As I briefly mentioned last week, I’ve been spending time setting up a new e-mail server. For years I’ve been using OS X Server to run my e-mail server because it was easy to set up. But there are a lot of things I dislike about OS X Server. The biggest problem was the change from 10.6 to 10.7. With that update OS X Server went from being a fairly serious piece of server software that a small business could use to being almost completely broken. Apple slowly improved things in later releases of OS X but its server software remains amateur hour. Another thing I dislike about OS X Server is how unstable it becomes the moment you open a config file and make some manual changes. The graphical tool really doesn’t like that, but it also doesn’t give you the options necessary to fine-tune your security settings.

My e-mail server has grown up and now runs on CentOS. I’ve tried to tighten up security as much as possible but I’ve quickly learned what a sorry state e-mail is in. One of my goals was to disable broken Transport Layer Security (TLS) settings. However, this presents a sizable problem because there are a lot of improperly configured e-mail servers out there. Unlike web servers, where you can usually safely assume clients will be able to establish a connection with a server using properly configured TLS, no such assumption can be made with e-mail servers. Some e-mail servers don’t support any version of TLS or Secure Sockets Layer (SSL), and those that do often have invalid (expired, self-signed, etc.) certificates. In other words, you can’t disable unsecured connections without losing the ability to communicate with a large number of e-mail servers out there. Let me just say that, as much as I hate how everybody uses Google because it makes the government’s surveillance apparatus cheaper to implement, I appreciate that the company actually has properly configured e-mail servers.

Another problem with securing e-mail servers is that they rely on the STARTTLS protocol. I say this is a problem because the first step in establishing a secure connection via STARTTLS is the client asking the server, over an unsecured connection, whether it supports STARTTLS. This has allowed certain unscrupulous Internet service providers (ISPs) to intercept the server’s reply and edit out the mention of STARTTLS support, which causes the client to fall back to an unsecured connection for the entire communication. This wouldn’t be a problem if we could safely assume all e-mail servers support TLS, because then you could configure servers to only use TLS.
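The downgrade described above happens entirely in the EHLO exchange, so it is worth seeing exactly what a sending server reads and what it should do about it. The following Go program is an added example, not code from the original post or from any mail server; it parses two constructed EHLO replies (one intact, one with the STARTTLS keyword overwritten by something in the path) and shows how an opportunistic policy silently continues in plaintext while an enforcing policy defers the message instead. The hostname and reply contents are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is how a sending server treats a peer that does not advertise STARTTLS.
type Policy int

const (
	Opportunistic Policy = iota // use TLS when offered, otherwise deliver in the clear
	Enforce                     // never deliver in the clear; keep the message queued
)

// Constructed EHLO replies. The first is what a correctly configured server
// sends; the second is what the client sees after an in-path device has
// overwritten the STARTTLS keyword so the client never asks for TLS.
const (
	ReplyIntact   = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
	ReplyStripped = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"
)

// ParseEHLO returns the extension keywords in a multi-line 250 reply.
// Continuation lines look like "250-KEYWORD"; the final line is "250 KEYWORD".
// The first line carries the server's hostname rather than an extension.
func ParseEHLO(reply string) ([]string, error) {
	var exts []string
	for i, line := range strings.Split(strings.TrimRight(reply, "\r\n"), "\r\n") {
		if len(line) < 4 || !strings.HasPrefix(line, "250") || (line[3] != '-' && line[3] != ' ') {
			return nil, fmt.Errorf("malformed EHLO reply line %q", line)
		}
		if i == 0 {
			continue
		}
		fields := strings.Fields(line[4:])
		if len(fields) == 0 {
			return nil, fmt.Errorf("empty extension line %q", line)
		}
		exts = append(exts, strings.ToUpper(fields[0]))
	}
	return exts, nil
}

// Decide is the client-side decision after reading the EHLO reply:
// "starttls" to upgrade the connection, "plaintext" to continue unencrypted,
// or "defer" to leave the message in the queue rather than send it in the clear.
func Decide(reply string, p Policy) (string, error) {
	exts, err := ParseEHLO(reply)
	if err != nil {
		return "", err
	}
	for _, e := range exts {
		if e == "STARTTLS" {
			return "starttls", nil
		}
	}
	if p == Enforce {
		return "defer", nil
	}
	return "plaintext", nil
}

func main() {
	for _, r := range []struct{ name, reply string }{{"intact", ReplyIntact}, {"stripped", ReplyStripped}} {
		for _, p := range []Policy{Opportunistic, Enforce} {
			d, err := Decide(r.reply, p)
			fmt.Printf("%-8s policy=%d -> %s %v\n", r.name, p, d, err)
		}
	}
}
```

The two policies map onto what a real MTA offers: in Postfix, `smtp_tls_security_level = may` is the opportunistic behaviour and `encrypt` is the enforcing one. The deferred message is the cost the post describes; until you can assume every peer supports TLS, enforcing it for all destinations means some mail never leaves the queue, which is why enforcement is usually applied per destination rather than globally.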

What’s the answer? Ultimately I would say it is to move away from e-mail as we currently know it. But that’s easier said than done, so I will continue to strongly urge people to use Pretty Good Privacy (PGP) to encrypt and sign their e-mails. Even if a PGP-encrypted e-mail is transmitted over an unsecured connection, the amount of data a snoop can collect on you is far less (but since PGP can only really encrypt the contents of the e-mail, a great deal of metadata is still available to anybody observing the communication between e-mail servers).

I also urge people to learn how to set up their own e-mail servers, and to do it. Ars Technica and Sealed Abstract have good guides on how to set up a pretty secure e-mail server. However, many ISPs block the ports used by e-mail servers on their residential packages, so running an e-mail server out of your home could require getting a business account (as well as a static Internet Protocol (IP) address). Setting up your e-mail server on a third-party host is a slightly less optimal option (because your e-mail won’t be stored on a system you physically control) but it is a way to bypass this problem. Unless people stop relying on improperly configured e-mail servers there isn’t a lot of hope for salvaging e-mail as a form of secure communication (this should give people in professions that require confidentiality, such as lawyers, a great deal of concern).

Many people will probably become discouraged after reading this post and tell themselves that securing themselves is impossible. That’s not what you should take away from this post. What you should take away is that the problem requires us to roll up our sleeves, further our knowledge, and fix it ourselves. Securing e-mail isn’t hopeless; it just requires us to actually do something about it. For my part I am willing to answer questions you have regarding setting up an e-mail server. Admittedly I won’t know the answer to every question but I will do my best to provide you with the knowledge you need to secure yourself.

Is Your App a Benedict Arnold

Most smartphone users rely on apps to access much of their online data. This can be problematic, though, since many app developers have little or no knowledge about security. A research project has unveiled a number of Android apps, many of them developed by companies with deep enough pockets to hire dedicated security personnel, that send user credentials in plaintext:

Researchers have unearthed dozens of Android apps in the official Google Play store that expose user passwords because the apps fail to properly implement HTTPS encryption during logins or don’t use it at all.

The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects. The apps include the official titles from the National Basketball Association, the Match.com dating service, the Safeway supermarket chain, and the PizzaHut restaurant chain. They were uncovered by AppBugs, a developer of a free Android app that spots dangerous apps installed on users’ handsets.

By sending your credentials in plaintext, these apps betray your account security to anybody listening on the network. What makes this particular problem especially worrisome is that it’s difficult for the average user to detect. How many users are going to connect their phone to their wireless network, open up Wireshark, and ensure all of their apps are communicating over HTTPS?

Developers should be expected to understand HTTPS if they’re sending user credentials back to a server. But the real source of this problem is the fact that plaintext is still allowed at all. We’re well past the point where HTTP should be deprecated in favor of HTTPS; in fact Mozilla is planning to do exactly that. If HTTP is no longer allowed then we don’t have to worry about apps sending data over it (we still have to worry about improperly configured HTTPS, but that is a problem we already have today).
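The Wireshark check the post mentions can be automated: once a capture is split into streams, anything that was not wrapped in TLS can be parsed as HTTP and searched for credential fields. The Go program below is an added example and not code from the original post or from AppBugs; it runs over two constructed captures (a login form POST and a request carrying HTTP Basic authentication) and reports which credentials crossed the wire readable by anyone on the path, while a TLS-wrapped stream yields nothing because its contents cannot be inspected. The hostname, paths and credentials are constructed; the `sensitive` field-name list is an assumption you would tune for your own apps.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Capture is one client-to-server stream reassembled from a packet capture:
// the raw application bytes and whether the stream was wrapped in TLS.
type Capture struct {
	TLS  bool
	Data string
}

// Constructed captures: a login form POST and a request using HTTP Basic auth,
// both as they appear on the wire when an app talks plain HTTP.
const (
	LoginPOST = "POST /api/login HTTP/1.1\r\nHost: app.example.test\r\n" +
		"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n" +
		"username=alice&password=hunter2"
	BasicGET = "GET /account HTTP/1.1\r\nHost: app.example.test\r\n" +
		"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
)

// sensitive lists substrings that mark a form or query field as a credential (assumed list).
var sensitive = []string{"password", "passwd", "pwd", "token", "secret"}

// FindPlaintextCredentials parses an unencrypted stream as an HTTP request and
// returns the credential-bearing fields that were readable in transit. A TLS
// stream yields nothing because its contents cannot be inspected, which is the
// property the faulty apps lacked.
func FindPlaintextCredentials(c Capture) ([]string, error) {
	if c.TLS {
		return nil, nil
	}
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(c.Data)))
	if err != nil {
		return nil, err
	}
	var found []string
	// Basic auth is only base64-encoded, so the password is effectively in the clear.
	if strings.HasPrefix(req.Header.Get("Authorization"), "Basic ") {
		found = append(found, "Authorization: Basic")
	}
	// ParseForm merges query parameters and a urlencoded POST body into req.Form.
	if err := req.ParseForm(); err != nil {
		return nil, err
	}
	for name := range req.Form {
		lower := strings.ToLower(name)
		for _, s := range sensitive {
			if strings.Contains(lower, s) {
				found = append(found, name)
				break
			}
		}
	}
	sort.Strings(found)
	return found, nil
}

func main() {
	for _, c := range []Capture{{Data: LoginPOST}, {Data: BasicGET}, {TLS: true, Data: LoginPOST}} {
		found, err := FindPlaintextCredentials(c)
		fmt.Printf("tls=%-5v exposed=%v err=%v\n", c.TLS, found, err)
	}
}
```

In practice the `Capture` values would come from a tool that reassembles TCP streams from a pcap; the parsing and classification shown here is the part that turns "open Wireshark and look" into a check that can be run against every app on a device.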

OpenBazaar Will Kill Us All

Mainstream economists are obsessed with control. Unlike the Austrian tradition, which correctly states that there is no way to control economies, mainstream economists believe that an ideal economy, whatever that is, can be had if a strong enough centralized power forces people to obey the correct plan. This obsession leads them to see doom and gloom in the strangest of places. Consider OpenBazaar. OpenBazaar is a decentralized commerce platform that allows anybody to buy and sell goods online without going through a middleman such as Amazon or eBay. Sounds empowering, doesn’t it? Not according to mainstream economists. To them the idea of OpenBazaar undermines the control they worship and is therefore a threat to humanity:

While Hoffman could be right that OpenBazaar will revolutionize online commerce, its business model could also potentially threaten America’s tech industry. The wild and uncontrollable nature of OpenBazaar’s technology, especially if it winds up being used to facilitate terrorism, could push authorities to launch a broad crackdown on other technologies as well that law enforcement considers an impediment to its work.

And if the potential harm from a marketplace seems limited to you, consider what could happen from the combination of this type of technology with Artificial Intelligence. As AI evolves, even tech visionaries like Microsoft founder Bill Gates and Tesla chief Elon Musk have expressed concern over the ability of humans to control the outcome, especially if machines are eventually able to ‘think’ autonomously. Now apply OpenBazaar’s decentralized and police-resistant model to this and you have a recipe for disaster: machines with free will and the ability to communicate with each other under the human radar. Maybe an Isaac Asimov-inspired fantasy at one time, this is hardly an impossible scenario anymore given the rapid pace of technological development.

You have to admire how he states OpenBazaar could hurt the technology industry and then immediately turns around and explains how it could greatly enhance the technology industry by helping artificial intelligence (AI) advance (although, again due to an obsession with power, he sees the advancement of AI as extremely dangerous).

This article shows just how insane of an obsession with power mainstream economists possess. Anything that could be potentially disruptive, which all technology can be, is seen as a threat. Computers were originally feared by many mainstream economists because they stood to replace a lot of human labor. In fact this attitude is still alive. Light bulbs probably had numerous mainstream economists shitting their pants because they would replace the candle.

Here we have a platform that enables individuals to buy and sell goods without having to go through a middleman or front the expense of running their own commerce front end. It could allow some little old lady in the backwoods of Alabama to sell the excellent arts and crafts she’s known for locally. A manufacturer of parts for old automobiles who only sold locally could set up an online presence and sell to anybody in the world. There is so much potential for this kind of platform but mainstream economists don’t see it because the potential derives from an ability to bypass controls.

Let us also not forget the cost of control. Silk Road was revolutionary not because it allowed people to buy and sell illicit drugs but because it protected people participating in voluntary trade from violent law enforcers. It made the illicit drug trade much safer for everybody involved, because the biggest threat to somebody buying or selling illicit drugs is a group of heavily armed, trigger-happy cops kicking down their door at oh-dark-thirty in the hopes of finding a little baggy of pot and a dog to shoot (not necessarily in that order). The control mainstream economists worship requires violence, and tools that protect people from that violence stand to make the world a safer place. That’s why I don’t believe tools like OpenBazaar are a danger to society. If anything they stand to save a lot of peaceful people from the truncheon of the state.

Lazy Libertarians

This weekend several of my friends and I had the privilege of running the CryptoParty for B-Sides MSP. It wasn’t the first CryptoParty I’ve either hosted or helped host but all of the previous ones were for various libertarian groups. I cannot properly express the difference between being a part of a CryptoParty with security professionals versus libertarians. Unlike the libertarian CryptoParties I’ve been involved with, none of the people at B-Sides MSP went on a tirade about how the otherwise entirely incompetent government can magically crack all crypto instantly.

Libertarians like to consider themselves the paragons of personal responsibility. However, time and again, I see a lot of libertarians putting more effort into making excuses for their laziness than into doing anything productive. Using secure communication tools is one of the areas where supposedly responsible libertarians like to be entirely irresponsible. This is kind of ironic because libertarians tend to be the ones bitching about government surveillance the loudest.

It was during the CryptoParty at B-Sides MSP that I made a decision. From now on I’m going to call out lazy libertarians. Whenever I host or otherwise participate in a CryptoParty for libertarians and one of them goes off about the incompetent government suddenly being incredibly competent, I’m just going to tell them to shut the fuck up so the adults can continue talking. If you are a libertarian and you sincerely oppose government surveillance then prove your sincerity by using the really awesome and very effective tools we have available to secure our communications. Use Pretty Good Privacy (PGP) to encrypt your e-mails, call people with RedPhone or Signal, send text messages with TextSecure or Signal, and encrypt your computer’s and mobile device’s storage. Unless you’re doing these things I can’t take any claims you make about hating government surveillance seriously. If you want to be lazy and make up conspiracy theories that’s your thing, but I am going to call your ass out for it.

Actual security professionals, some of whom knew a hell of a lot more about cryptography than me (not that that’s very hard), took these tools seriously, and so should you. The only people claiming that the government can break all cryptography instantly are conspiracy theorists who know absolutely dick about cryptography and people wanting to justify their laziness. Don’t be either of those. Instead embrace the personal responsibility libertarians like to tout and take measures to make government surveillance more expensive.

When is Discussing Cryptography a Jailable Offense

A 17 year-old is facing 15 years in a cage because he discussed cryptography. Specifically he discussed how members of the Islamic State could utilize cryptography to further their goals:

A 17-year-old Virginia teen faces up to 15 years in prison for blog and Twitter posts about encryption and Bitcoin that were geared at assisting ISIL, which the US has designated as a terror organization.

The teen, Ali Shukri Amin, who contributed to the Coin Brief news site, pleaded guilty (PDF) Thursday to a federal charge of providing material support to the Islamic State in Iraq and the Levant.

Dana Boente, the US Attorney for the Eastern District of Virginia, said the youth’s guilty plea “demonstrates that those who use social media as a tool to provide support and resources to ISIL will be identified and prosecuted with no less vigilance than those who travel to take up arms with ISIL.”

According to the defendant’s signed “Admission of Facts” filed Thursday, Amin started the @amreekiwitness Twitter handle last June and acquired some 4,000 followers and tweeted about 7,000 times. (The Twitter handle has been suspended.) Last July, the teen tweeted a link on how jihadists could use Bitcoin “to fund their efforts.”

According to Amin’s court admission (PDF):

The article explained what Bitcoins were, how the Bitcoin system worked and suggested using Dark Wallet, a new Bitcoin wallet, which keeps the user of Bitcoins anonymous. The article included statements on how to set up an anonymous donations system to send money, using Bitcoin, to the mujahedeen.

Some may point out that this is obviously bad because it supports the “enemies of America.” But it brings up a very important question. Where is the line drawn between aiding an enemy and simply discussing cryptography? I write a lot of posts about how encryption can be used to defend against the state. That information could very well be read by members of the Islamic State and used to secure their communications against American surveillance. Have I aided the enemy? Has every cryptographer who has written about defending against government surveillance aided the enemy?

Lines get blurry when governments perform widespread surveillance like that being done by the National Security Agency (NSA). Regular people who simply want to protect their privacy, which is supposedly protected by the Constitution in this country, and military enemies of the government suddenly find themselves using the same tools and following the same privacy guides. What works, at least with regard to secure communications and anonymization, is the same for people wanting privacy and for military enemies. Therefore a guide aimed at telling people how to encrypt their e-mail so it can’t be read by the NSA also tells an agent of the Islamic State how to do the same.

Where is the line drawn? Is it the language used? If you specifically mention members of the Islamic State as the intended audience are you then guilty? If that’s the case wouldn’t the obvious solution be writing generic guides that explain the same things? Wouldn’t that mean the information written by Ali Shukri Amin would have been perfectly fine if he simply didn’t tailor it for members of the Islamic State?

As the state uses widespread surveillance to enforce more laws, the desire of regular people to secure their communications will increase (because, after all, we’re all breaking the law even if we don’t intend to or know we are doing it). They will use the same tools and guides as members of the Islamic State could use. Will every cryptographer face the same fate as Ali Shukri Amin?

Thou Shalt Not Discuss Manufacturing Firearms

The United States government has been trying fruitlessly to stifle the spread of any information it deems inappropriate for centuries (at least since the passage of the Alien and Sedition Acts). Back in the 1990s the government was trying to restrict the sharing of information about strong cryptography, claiming such algorithms were munitions (I’m not making this up). Now the government is doubling down on its stupidity and trying to prevent the sharing of information related to manufacturing 3D printed firearms:

As readers of Reason know well, Cody Wilson is living proof the government has already been acting on the belief they have this power to prevent certain technical details about gun making from spreading to the Internet without their approval—in Wilson’s case, CAD files for a 3D printed plastic handgun. And they’ve already been sued for it by Wilson.

Wilson this morning tells me that in making this regulatory move public, it’s almost like the people he’s suing are begging for an injunction to stop them. The proposed regulation is even signed by one of the same people Wilson is suing, C. Edward Peartree, director of the Office of Defense Trade Controls Policy. (One might argue that this is a person being sued in some sense backtracking to cover his own legal ass by stating that the seemingly objectionable actions he’s being sued over are settled lawful regulations, though I don’t know if a court would agree with that argument one way or the other.)

The State Department, Wilson says, could have gone to the next hearing on his case on July 6 “and say we are changing the rule, we will address [Wilson’s complaints about the 1st, 2nd, and 5th amendment issues with their censorious practice], moot the case.” Instead they are “completely explicit” with these new announced regs, “doubling down” on their supposed power to require government license for certain kinds of speech related to weapons usable for self-defense.

Wilson says his suit had to try to demonstrate that the government had such a policy for prior approval of speech. Now the government is “saying our policy is literally that there is such a requirement and always has been.” Wilson seems to think it might make it easier to get an injunction against the government’s threats to him to take down from his servers information related to the home-making of plastic guns via 3D printers. We’ll see.

Attempts to restrict the proliferation of information don’t worry me. The state can write as many laws as it wants but in the end people will always ignore restrictions on sharing information. Thanks to strong cryptographic tools, which the state tried but failed to control in the 1990s, it’s trivial for people to post and read information anonymously. And the task will only become more futile as the state tightens its grip. Arrests, charges, prosecutions, and imprisonments will encourage more and more people to use tools such as Tor to protect their anonymity. As more people use these tools, the state’s task of identifying and attacking sharers of information becomes less and less feasible.

This battle has been waged since at least the invention of the printing press and will continue to be waged until humanity rids itself of the yoke of statism. But it is a battle that the state can never win because it is only a handful of individuals going against the collected creativity of the masses.

Reminder of Tonight’s Panel Discussion with William Binney, Todd Pierce, and Myself

Tonight I have the honor of being a part of a panel discussion on mass surveillance with William Binney and Todd Pierce. The event will be held at the Bent Creek Golf Club located at 14490 Valley View Rd, Eden Prairie, Minnesota 55344. Doors, and the bar, open at 18:30 and the discussion is scheduled to start at 19:00. There will also be free pizza served at 20:30.

All the information you need can be found on the event’s Facebook page.

Thwarting Cellular Interceptors

The United States government has been using planes equipped with cell phone interceptors to surveil large areas. Recently planes have been spotted around the Twin Cities circling areas of interest for hours and it appears that they’re equipped with surveillance equipment:

The plane’s flight path, recorded by the website flightradar24.com, would eventually show that it circled downtown Minneapolis, the Mall of America and Southdale Center at low altitude for hours starting at 10:30 p.m., slipping off radar just after 3 a.m.

“I thought, ‘Holy crap,’ ” said Zimmerman.

Bearing the call sign N361DB, the plane is one of three Cessna 182T Skylanes registered to LCB Leasing of Bristow, Va., according to FAA records. The Virginia secretary of state has no record of an LCB Leasing. Virtually no other information could be learned about the company.

Zimmerman’s curiosity might have ended there if it weren’t for something he heard from his aviation network recently: A plane registered to NG Research — also located in Bristow — that circled Baltimore for hours after recent violent protests there was in fact an FBI plane that’s part of a widespread but little known surveillance program, according to a report by the Washington Post.

[…]

Zimmerman, who spotted the plane over Bloomington, said he pored through FAA records to find the call letters for each plane and then searched for images of them. He found photographs that show the planes outfitted with “external pods” that could house imagery equipment. He also found some of the planes modified with noise-muffling capability. That’s not common for a small plane, he said.

[…]

Other devices known as “dirtboxes,” “Stingrays” or “IMSI catchers” can capture cellphone data. Stanley said it’s still unclear what technologies have been used in the surveillance flights.

It’s unknown whether these planes are surveillance craft or equipped with cell phone interceptors, but the evidence for the former is strong and the government’s program of using such craft for cell phone interception indicates the latter is likely. That being the case I feel it’s a good time to discuss a few tools you can use to communicate more securely with your cell phone.

Modern cellular protocols utilize cryptography. What many people don’t realize is that, at least in the case of Global System for Mobile (GSM), the cryptography being used is broken, which is why cell phone interceptors work. Furthermore, cryptography is only used between cell phones and towers. This means your cellular provider, and therefore law enforcement agents, can listen to and read your calls and text messages.

What you really want is end-to-end encryption for your calls. Fortunately tools that do that already exist. Three tools I highly recommend are Signal, RedPhone, and TextSecure from Open Whisper Systems. Signal is an iOS application that encrypts both voice calls and text communications. RedPhone is an Android app for encrypting calls and TextSecure is an Android app for encrypting text communications. Signal, RedPhone, and TextSecure are all compatible with one another, so iOS users can securely communicate with Android users. All three applications are also easy to use. When you install the applications you register your number with Open Whisper Systems’ servers. Anybody using the applications will be able to see you have the applications installed and can therefore communicate with you securely. Since the encryption is end-to-end your cellular provider cannot listen to or read your calls and text messages. It also means cell phone interceptors, which rely on the weak algorithms used between cell phones and towers, will be unable to surveil your communications.
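The difference between the two paragraphs above is where the keys live, and that is easiest to see by modelling it. The Go program below is an added example, not code from the original post or from Open Whisper Systems, and it does not reproduce GSM's actual ciphers: it uses AES-GCM with random keys to model the two architectures. In the hop-by-hop model each phone shares a key only with the network, so the carrier decrypts at the tower, holds the plaintext, and re-encrypts toward the other phone; in the end-to-end model the two apps add an inner layer keyed by a secret the carrier never receives, so after peeling its link layer the carrier holds only ciphertext its keys cannot open. The message, key names and party roles are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Result records what each party could recover while a message was in transit.
type Result struct {
	CarrierReads bool   // could the carrier (and anyone it answers to) read it?
	Delivered    []byte // what the receiving phone recovered
}

// NewKey returns a random 128-bit AES key standing in for a negotiated session key.
func NewKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key fails authentication instead of yielding garbage.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// must panics on errors that cannot happen with well-formed keys and ciphertexts.
func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

// HopByHop models link-layer protection as in GSM: each phone shares a key only
// with the network, so the carrier decrypts at the tower, sees the plaintext,
// and re-encrypts toward the other phone.
func HopByHop(msg, callerLink, calleeLink []byte) Result {
	overAir := must(seal(callerLink, msg))
	atCarrier := must(unseal(callerLink, overAir)) // the carrier holds the link key
	delivered := must(unseal(calleeLink, must(seal(calleeLink, atCarrier))))
	return Result{CarrierReads: bytes.Equal(atCarrier, msg), Delivered: delivered}
}

// EndToEnd adds an inner layer keyed by the two apps alone. The carrier still
// peels its link layer but is then left with ciphertext it has no key for.
func EndToEnd(msg, e2eKey, callerLink, calleeLink []byte) Result {
	inner := must(seal(e2eKey, msg))
	atCarrier := must(unseal(callerLink, must(seal(callerLink, inner))))
	_, errA := unseal(callerLink, atCarrier) // the carrier tries every key it holds
	_, errB := unseal(calleeLink, atCarrier)
	innerAgain := must(unseal(calleeLink, must(seal(calleeLink, atCarrier))))
	delivered := must(unseal(e2eKey, innerAgain))
	return Result{CarrierReads: errA == nil || errB == nil, Delivered: delivered}
}

func main() {
	msg := []byte("constructed text message")
	caller, callee, shared := NewKey(), NewKey(), NewKey()
	r1 := HopByHop(msg, caller, callee)
	r2 := EndToEnd(msg, shared, caller, callee)
	fmt.Printf("hop-by-hop: carrier reads=%v delivered=%q\n", r1.CarrierReads, r1.Delivered)
	fmt.Printf("end-to-end: carrier reads=%v delivered=%q\n", r2.CarrierReads, r2.Delivered)
}
```

An interceptor sits in the carrier's position (it impersonates a tower), so it gains nothing more than the carrier does in either model; the end-to-end layer is what leaves both with nothing readable. The model deliberately ignores how `e2eKey` is agreed, which is the hard part the real apps solve, and it says nothing about a compromised handset, which the post also places outside this threat model.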

As the world becomes more hostile towards unencrypted communications we must make greater use of cryptographic tools. It’s the only defense we have against the surveillance state. Fortunately secure communication tools are becoming easier to use. Communicating securely with friends using iOS and Android devices is as simple as installing an app (granted, these apps won’t protect your communications if the devices themselves are compromised but that’s outside of the threat model of planes with cell phone interceptors).

Market Solutions Versus State Solutions: Google Edition

Xcel Energy demonstrated the difference between how markets and the state utilize drones. Now Google has unwittingly provided another demonstration. When Google created the Play Store it saw it as a service that would improve the lives of its customers by providing a method to easily download Android applications. When the National Security Agency (NSA) saw the Play Store it saw it as a method to infect Android phones so they could be surveilled:

The information about Irritant Horn comes from documents provided by Edward Snowden to The Intercept and CBC. The program, which appears to have been in its early stages in 2011-2012, had NSA analysts use a type of man-in-the-middle attack to implant spyware on Android devices connecting to the Android Market or Samsung’s apps store. Basically, besides the requested app, the targets were served malicious software that allowed spooks to eavesdrop on everything that happened on the device. The NSA even explored using the capability to modify the target device, for propaganda or disinformation purposes.

Google wants to provide Android users with Firefox so they can browse the web. The NSA wants to provide Android users with a modified version of Firefox that reports on their browsing habits and potentially feeds them disinformation.

Whether the NSA was successful in hijacking Google’s service is up in the air. I think the answer to that heavily depends on the security used by the Play Store. If the Play Store uses effective tools to encrypt communications between an Android device and the Play Store, as well as to digitally sign the software it provides, the likelihood of the NSA being successful is low. This is because a properly secured connection cannot be hijacked and digitally signing the software will alert you if it has been altered. Even if Google cooperated with the NSA the user would be able to tell if the software was modified so long as the developer signed it (that still leaves the possibility of the NSA enlisting the developer, but then the problem isn’t the Play Store).
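The signing argument above rests on one property: the device checks the download against a developer key it already holds, so anyone who alters the bytes in transit without that key produces something the device refuses to install. The Go program below is an added example, not code from the original post, from Google, or from Android's actual package signing scheme; it uses Ed25519 from the standard library to sign a constructed package at release time and verify it on the device, then shows that an altered copy of the same download fails verification. The package name, bytes and the pinned-key arrangement are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is what the store hands to the device: the app bytes plus the
// developer's signature over them. The developer's public key is pinned on
// the device (kept from the first install), not fetched over the same channel
// that a man in the middle might control.
type Package struct {
	Name string
	Blob []byte
	Sig  []byte
}

// signedMessage binds the package name to its bytes so a valid signature
// cannot be lifted from one app and attached to another.
func signedMessage(name string, blob []byte) []byte {
	return append(append([]byte(name), 0), blob...)
}

// Sign is the developer's step, done once at release time with the private key.
func Sign(priv ed25519.PrivateKey, name string, blob []byte) Package {
	return Package{Name: name, Blob: blob, Sig: ed25519.Sign(priv, signedMessage(name, blob))}
}

// Verify is the device's step before installation. Any change to the bytes in
// transit, however small, makes the signature fail against the pinned key.
func Verify(pinned ed25519.PublicKey, p Package) error {
	if len(p.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, signedMessage(p.Name, p.Blob), p.Sig) {
		return fmt.Errorf("%s: signature does not match pinned developer key; refusing to install", p.Name)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Sign(priv, "org.example.browser", []byte("constructed app bytes"))
	fmt.Println("genuine:", Verify(pub, genuine))

	// What the device sees if something on the path altered the download but
	// could not re-sign it: the original signature no longer matches.
	altered := genuine
	altered.Blob = append(append([]byte{}, genuine.Blob...), []byte(" plus extra bytes")...)
	fmt.Println("altered:", Verify(pub, altered))
}
```

The check is only as good as the pinning: if the device accepted whatever public key arrived alongside the download, the same party that altered the bytes could simply supply a matching key, which is why the post's caveat about the developer being enlisted is the remaining gap rather than the transport.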

Two lessons should be taken away from this story. First, the market sees services as a means to fulfill consumer wants whereas the state sees services as a means to exploit them. Second, proper security is important and market actors should focus on it to protect consumers from the state (and other malicious entities).

Come See Me On a Panel Discussion with William Binney and Todd Pierce

Wednesday June 3rd I will be participating in a panel discussion with National Security Agency (NSA) whistleblower William Binney and retired Judge Advocate General (JAG) Todd Pierce. The event will be focused on ending mass surveillance in our lifetime. Binney will likely be addressing the issue from a political activism viewpoint, Pierce will likely focus on legal matters, and I’ll be addressing the issue from a technical viewpoint.

The event will be held at the Bent Creek Golf Club in Eden Prairie. It’s scheduled to start at 19:00 and end at 20:30. There is no admission fee but drinks are going to cost you.