Tag: Encryption

Decrypting the Encryption Battle

President Barack Obama became the first president to address the annual technology and music festival, South by Southwest (SXSW), in Austin, Texas. Without mentioning the FBI’s battle with Apple over access to an encrypted iPhone, his attempt at “healing the rift” between the tech industry and the government fell more than flat and he …


FBI’s Latest Ploy to Spy on Everyone: ISIS

Torture authorizer and current FBI director James Comey trotted out the latest “bogeyman” to justify unlocking encryption of private digital messages: ISIS. Apparently trying to scare people with kidnappers and child abusers failed.

(In) a preview of his appearance Wednesday before the Senate Intelligence Committee, Comey is playing the ISIS card, saying that it is becoming impossible for the FBI to stop their recruitment and planned attacks. (He uses an alternate acronym, ISIL, for the Islamic State.)

“The current ISIL threat… involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people, a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment,” Comey wrote on Monday in a blog post on the pro-surveillance website Lawfare.

While providing no specific, independently confirmable examples, Comey has claimed that FBI agents are currently encountering problems because of encrypted communications as they track potential ISIS sympathizers and radicals.

Comey has long argued that sophisticated encryption technology being implemented by tech giants, including Google and Apple, will make it harder and harder for the FBI to track its targets. Encryption scrambles the contents of digital communications, making it impossible for users without the “key” to read messages in plain language.

The major problem with Comey’s argument is that giving law enforcement a backdoor key to private encrypted communications would also be an open door for hackers and criminals.

On Tuesday, the group – 13 of the world’s pre-eminent cryptographers, computer scientists and security specialists – released the paper (pdf), which concludes there is no viable technical solution that would allow the American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. [..]

The authors of the report said such fears did not justify putting the world’s digital communications at risk. Given the inherent vulnerabilities of the Internet, they argued, reducing encryption is not an option. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm – most recently at the United States Office of Personnel Management, the State Department and the White House – the security specialists said authorities cannot be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, it would spur China and other governments in foreign markets to do the same.

Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

This was a bad idea in 1997 and still a bad idea today.

Edward Snowden Calls on Professionals to Protect Private Communications

On July 10, NSA whistleblower Edward Snowden sat down for an interview with Alan Rusbridger, editor-in-chief of the Guardian, and reporter Ewen MacAskill in Moscow.

Over the course of seven hours, he talked about the need for professionals to protect the confidentiality of their clients in the light of the surveillance by spy agencies. He also spoke about his life in Moscow and the specious accusations that he was spying for Russia or had given the information he took from the NSA to Russian authorities.

(Snowden):

• Said if he ended up in US detention in Guantánamo Bay he could live with it.

• Offered rare glimpses into his daily life in Russia, insisting that, contrary to reports that he is depressed, he is not sad and does not have any regrets. He rejected various conspiracy theories surrounding him, describing as “bullshit” suggestions he is a Russian spy.

• Said that, contrary to a claim he works for a Russian organisation, he was independently secure, living on savings, and money from awards and speeches he has delivered online round the world.

• Made a startling claim that a culture exists within the NSA in which, during surveillance, nude photographs picked up of people in “sexually compromising” situations are routinely passed around.

• Spoke at length about his future, which seems destined to be spent in Russia for the foreseeable future after expressing disappointment over the failure of western European governments to offer him a home.

• Said he was holding out for a jury trial in the US rather than a judge-only one, hopeful that it would be hard to find 12 jurors who would convict him if he was charged with an offence to which there was a public interest defence. Negotiations with the US government on a return to his country appear to be stalled.

NSA and GCHQ Make Internet Privacy

Cross posted from The Stars Hollow Gazette

In a joint report by The Guardian, the New York Times, and ProPublica, courtesy of the documents leaked by Edward Snowden, it was revealed how the NSA and British GCHQ broke the encryption used to protect emails, banking and medical records. The detailed article describes how the program, called “Bullrun,” foils the safeguards of our internet privacy:

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

A cryptographer and research professor at Johns Hopkins University, Michael Green, summarizes some of the “bad things” that the NSA and GCHQ have been doing at a joint cost of $250 million per year:

   (1.) Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.

   (2.) Influencing standards committees to weaken protocols.

   (3.) Working with hardware and software vendors to weaken encryption and random number generators.

   (4.) Attacking the encryption used by ‘the next generation of 4G phones’.

   (5.) Obtaining cleartext access to ‘a major internet peer-to-peer voice and text communications system’ (Skype?)

   (6.) Identifying and cracking vulnerable keys.

   (7.) Establishing a Human Intelligence division to infiltrate the global telecommunications industry.

   (8.) And worst of all (to me): somehow decrypting SSL connections.

Columnist on civil liberties and U.S. national security issues for The Guardian, Glenn Greenwald discussed this latest revelation with Amy Goodman and Juan González of DemocracyNow!.



Transcript can be read here

“It’s what lets you enter your credit card number, check your banking records, buy and sell things online, get your medical tests online, engage in private communications. It’s what protects the sanctity of the Internet.” [..]

“The entire system is now being compromised by the NSA and their British counterpart, the GCHQ,” Greenwald says. “Systematic efforts to ensure that there is no form of human commerce, human electronic communication, that is ever invulnerable to their prying eyes.”

Security technologist and a fellow at the Berkman Center for Internet and Society at Harvard Law School, Bruce Schneier said, in an article at The Guardian, that the public has been betrayed by the US government and that the NSA has undermined the social contract with the public. He proposes that since it was engineers who built the internet, it is time that they “fix it”.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers. [..]

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

Prof. Schneier also offers a guide to staying secure and gives five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

These are some of the programs he has been using: GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit and Password Safe. He also advises the use of a Linux operating system.

Encrypted E-Mail, FISA and Our Privacy Rights

Cross posted from The Stars Hollow Gazette

Last week, Lavabit, the privacy-conscious email service, had its operations suspended by its owner, Ladar Levison, while he fights the US government over Constitutional rights in the 4th Circuit Court of Appeals. In his letter to his customers, Mr. Levison wrote:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,

Ladar Levison

Owner and Operator, Lavabit LLC

(emphasis mine)

Lavabit allows its customers to send highly encrypted emails that, even if intercepted by a third party, could not be opened without a password. Based in the US, it is the e-mail service that was allegedly used by whistleblower Edward Snowden.

In an exclusive interview with Amy Goodman on Tuesday’s Democracy Now!, Lavabit owner Ladar Levison and his lawyer, Jesse Binnall, discuss why the decision was made to shut down rather than comply with a government order.



Transcript can be read here

“I think if the American public knew what our government was doing, they wouldn’t be allowed to do it anymore.

“I mean, there’s information that I can’t even share with my lawyer, let alone with the American public. So if we’re talking about secrecy, you know, it’s really been taken to the extreme.

“And I think it’s really being used by the current administration to cover up tactics that they may be ashamed of.”

~Ladar Levison~

Another encrypted service, Silent Circle, has also announced it has shut down. Although it had not yet received any government requests for data, Silent Circle told TechCrunch that it knew the government would come after them because of the high-profile nature of its users.