Schneier on Security
A blog covering security and security technology.
January 17, 2012
Good operational security guide to Tor.
Posted on January 17, 2012 at 12:29 PM
I'm finding the TEMPEST part the most interesting. The rest isn't really news to me.
From the "related reading:"
AX25 (is someone being sneaky and controlling your computer remotely through the air?) (the dirty hidden secret of AX25 and packet radio, or how your computer is capable of much more than you think, are we all rooted remotely?) (note: has nothing to do with Wifi)
Of course we all know that when a headline asks a question, the correct answer is usually "no." The answer here is probably "no," too, unless for some reason you've just failed to notice the extra interface card, radio, and antenna attached to your computer.
The problem, for me, is that if I can recognize the unwarranted conspiracy-theorist-grade paranoia in that tiny part of the document, what are the chances that there's more unwarranted paranoia elsewhere, where I'm not qualified to recognize it?
valuable take-away: while anonymous within Tor, do not access services that reveal your identity: email, facebook, etc.
When attempting to explain how to use services such as Tor and JonDonym, I'm lucky to get to the third sentence before starting to see glazed-over facial expressions. And that's even to coworkers with good technical skills.
Unless people start building in options to applications ( [x] Use Tor ) most people are not going to bother.
And you still don't know that the whole bloody thing isn't run by The Government.
Interesting use of trust here.
The basic gist of the post is don't trust anyone. Not Tails, not a live CD, not the tool to make a live CD.
But apparently trust GPG, trust Ubuntu, trust the Ubuntu repositories, trust Tor.
All trust has to start somewhere. It's up to you what you choose as the starting point.
If an adversary is willing to serve me (personally) for example a rogue version of a live CD, I am in greater trouble than Tor can protect me from...
The most important tip is to understand what Tor provides and use common sense.
@parkrrrr: What, the 2 Meter yagi mounted on top of the LCD panel isn't just ornamental?
T Orville Roberts: "And you still don't know that the whole bloody thing isn't run by The Government."
Actually, IMHO, there is no better thing than having your exit node operated by, say, Chinese intelligence and one of the middle nodes operated by the NSA -- unless you're doing things that would lead these two to cooperate...
Don't get too hung up on the TEMPEST aspects of the information, as the links are in the main quite old and some are effectively broken (see the Slashdot referencing New Sci).
The person talking about using a "frequency meter" is being at best a little fanciful as to that sort of test instrument's capabilities with regard to TEMPEST.
If you want to know more about TEMPEST / EmSec, first go have a look at a good book on EMC testing and design or hunt out the HP application notes on it. Then have a search on this blog between myself, Nick P and RobertT, or alternatively go and search the Cambridge labs blog (lightbluetouchpaper.org) for comments from myself with Markus Kuhn (try http://www.schneier.com/blog/archives/2008/10/... for starters; it also has a link to the Camb Labs chat).
You can also look in the second edition of Ross J. Anderson's book and one or two patents he has applied for in the US.
The basics of passive EmSec are not too difficult to grasp; however, getting your head around active EmSec, where you introduce RF carriers to be cross modulated etc. or to inject faults, can be much harder to understand.
To get a better grip on the "transport mechanisms" of EmSec, have a look at the ARRL book on antenna design, especially in areas such as gamma matching. Also have a look at a bit of transmission line theory and look up the G-Wire transmission line: it's basically a single wire where the RF energy is coupled in by a conical launcher about three wavelengths in radius. As long as no other conductor comes within the "near field", the RF energy stays on the wire and can be taken off with the same arrangement as the launcher reversed. It helps explain how a very local signal that should not radiate more than 50 meters can be carried on a conductor such as a fence or overhead cable for 30 km...
OT: WRT active EmSec, does anyone know of any specific laws forbidding this technique? Assuming you are licensed to operate in the relevant bands.
Seems to me that a sneak-n-peek team can leave behind a passive non-linear antenna, something like an RFID tag antenna, which cross-modulates near-field emanations, up-shifting them to the active irradiation frequency. This sort of thing could be put on the bottom of the boss's desk (it just looks like some sort of RFID inventory tag). Almost impossible to find in a typical EmSec sweep but could easily broadcast for miles.
I was wondering the same thing myself. My first thought was that it would count as espionage (10-15 year mandatory sentence) or illegal surveillance. I just can't figure the US government allowing that to slide if it's some non-govt entity doing it. They'd want to set precedents in place to keep control of active EMSEC attack technology. They might even seize it on national security grounds and turn any related patent application into a "black patent." (google it)
The only way to do it for sure would be to use a deniable approach. Whatever waves are being broadcast should be, if possible, similar to a legal technology that can be the scapegoat. Otherwise, using an unmonitored frequency is good. I remember one bug hunting group mentioning a cheap 10GHz bug that could be built which was out of the detection range of many low-to-midrange detection tools.
WRT active EmSec does anyone know of any specific laws forbidding this technique?
It's very jurisdiction dependent....
One of the links in the article goes to a page that discusses some of the law relating to EmSec, but it has not aged well.
And there is also other legislation that can bite quite hard unless you know how to work around it. In Europe, for instance, you have CE marking for equipment that is "sold into the market". However, it was only ever intended for the consumer market of finished goods, in that Business to Business and the sale of replacement parts and components was not designed to be covered. However, the likes of certain idiots at Ofcom (UK licensing authority), due to the political fallout of their ineptitude in dealing with their other responsibilities, decided to use the RTTE legislation for purposes for which it was not intended, which was to restrict the trade of goods.
The UK has always had a peculiar view of the way things work, so prior to joining the EU the Wireless Telegraphy Act applied (and still does). In order to stop people tuning in on various broadcasts, it actually became an offence to "knowingly" receive transmissions that were not specifically broadcast for the General Public or for which a licence was required. As some Police transmissions were broadcast around 100 MHz in the top part of the Broadcast FM band (88-108 MHz), you had this problem in "tuning through the band". The semantics of the law made sense to bureaucratic legislators but not to the hard and fast real world of physics and technical knowledge based on the hard science involved.
The UK legal viewpoint found its way to many WASP and other nations due to the old "British Commonwealth".
Similar problems have happened in the US, for instance to do with EMC and the FCC, because it's technically illegal to "shield equipment against TEMPEST attacks" but a requirement to meet FCC licensing requirements for the peaceful coexistence of equipment in the EM spectrum is a legal requirement...
So unless you fancy digging through all the respective legislation of a jurisdiction you intend to sell into, I'd sell the items you are thinking about as "component parts or subassemblies", not "cased and finished items", and ensure that any paperwork sent with it made very specific note that "the component / subassembly is sold for use only within a system that is approved for use within the jurisdiction of operation", and that "it is the purchaser's responsibility as the manufacturer or maintainer of such a final system to ensure that the system meets all legislation requirements prior to operation".
It won't of necessity stop your items being seized at the border, but it should sufficiently muddy the legal waters to prevent you being extradited and prosecuted, provided the equipment has a proper use other than just surveillance. This would usually be a use such as "instrumentation for test and maintenance". After all, the technical difference between a high spec spectrum analyser and a surveillance receiver is very small, to the point of vanishing in some cases.
"I'd sell the items you are thinking about as "component parts or subassemblies"..... it should sufficiently muddy the legal waters to prevent you being extradited and prosecuted"
Thanks, it's always handy to take steps, early on, that mitigate the worst case outcome... I'm way too old to do any serious time in the big house.... Mind you, fancy legal "other use" arguments have zero validity in non-western countries..
I guess "sneak-n-peek" is always considered by local law enforcement to be "Break-n-Enter", so it's definitely not legal. (What about if the cleaner leaves something behind?) It's also difficult to explain the presence of the tag once / if it is discovered. Maybe the best defense is to exactly copy the equivalent devices of some TLA....
Typical 900 MHz RFID tags have a number of nice built-in bugging features (such as they are addressable). You could easily change the antenna tuning for resonance at 2.5 GHz (activation by WiFi), but the efficiency of the self-powering RFID logic would limit deployable range to about 20 m (line of sight).
I wonder if a legal remote sensing application could be invented. such as remote temp measurement, where you simply place the tag on a wall and paint the tag with a narrow RF beam to have it power-up and intentionally back-scatter the Temp information (or other information). I'm not sure what laws cover intentional back-scattering, especially if you keep levels well below appropriate FCC part15b masks.
Though it's more than 10 and getting on for 15 years old in parts, so don't expect many of the links to work.
If people want to go for online info try the following Google search,
[Emsec RF emission TEMPEST teapot hijack nonstop]
Most of the things you will pull up will be relevant, including Cambridge Labs Ross J. Anderson's PDF on it.
Unfortunately you will also get some biblical, Shakespearian and "loony ranter" results as well, because "Tempest in a teapot" has other meanings.
"The problem, for me, is that if I can recognize the unwarranted conspiracy-theorist-grade paranoia in that tiny part of the document, what are the chances that there's more unwarranted paranoia elsewhere, where I'm not qualified to recognize it?"
"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man.'' -- Mel Gibson
Cointelpro tactics used on forums:
Everyone should read it.
@CliveR: do you know if Amtrak catenaries use G-wire trans lines?
Do you know if Amtrak catenaries use G wire trans lines?
No, I know very little about Amtrak's signaling and comms other than what occasionally pops up in specialist news or enthusiasts' blogs (see http://www.railway-technology.com/projects/... or http://www.kb9ukd.com/rr.htm ). I know that at least one reader of this blog has an enthusiast's interest in railway track and signaling (my vague interest comes from having contract designed some control systems for one of the UK companies involved with automated and remote control of rolling stock some years ago).
As a general rule of thumb, since 9/11 specific or detailed information about any communications system connected with transport or infrastructure in the US has become the equivalent of a "State Secret" because of its supposed "National Security" implications.
However, as the UK investigative journalist Duncan Campbell showed in the 1980's, a knowledgeable eye and sensible thought process will usually elicit sufficient information to turn "educated guesses" through "sensible hypotheses" into hard facts by the process of knowing where to look next. By this process he worked out a very significant amount about UK Government communications systems, not just for the military but for some of the intelligence services as well. Unfortunately, in his case this earned him a "five o'clock knock" as Special Branch, on the instigation of the Government, kicked down his front door, stole much of his private property and then tried to prosecute him under various acts more normally reserved for spies.
Sadly they also stole his design for a telephone tap detecting system, which they gave to a Government scientist to "re-invent". If you can get hold of a copy, you can read more in Peter Wright's "Spy Catcher".
So if you look at the two links I gave above, you might come up with a working hypothesis (rightly or wrongly) that Amtrak are starting to use "trough rail" signaling for its newer services and will possibly downgrade or "free up" some of its existing VHF systems, and possibly even some UHF systems, to be used for other services.
Currently I suspect that (as in a number of other places world wide) for these radio systems they will use either track side "leaky feeders" for the VHF, or medium or high gain yagi arrays bore sighted along lengths of track for UHF.
HUGE List of Security Blogs: Unix, Linux, Windows - Part 4
Is also on Cryptome's site, on the front page, listed under OFFSITE.
Oddly enough, the torproject website claims you should leave NoScript to allow everything because the Torbutton is a better, more reliable Java blocker.
Tails is developed in France and crypto keys are used to auth ISO images if you are worried; same with Liberté Linux. This author is spreading FUD.
However, Tails and other live CDs have a persistence fault where they grab guard nodes every time you reboot, but using a bridge fixes this.
"Tails is developed in France and crypto keys are used to auth ISO images if you are worried; same with Liberté Linux. This author is spreading FUD."
If a poisoned iso is put together, it doesn't matter how many times it is signed by the author(s). Tails is bloated, runs daemons which shouldn't be running on a security distro, contains applications non-relevant to Tor and security and may contain additional bugs to exploit.
The FUD is coming from you, and I'm guessing you're a developer of Tails looking to contain damage control, if not, I'd be surprised.
I would never trust a distro built for privacy and/or security; it's better, as outlined in the article, to use a known and regularly used/tested distro along with TBB or Tor and related packages.
Any more FUD? I'll clear it up for you just as I have now. If I signed this post, would you trust it more? Give me a *&^% break!
"Oddly enough, the torproject website claims you should leave NoScript to allow everything because the Torbutton is a better, more reliable Java blocker."
NoScript has the option of blocking plugins like Java. TorButton blocks plugins by default while using Tor. The Tor Browser Bundle, which the project says to use instead, blocks plugins completely.
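The guard-node complaint a few comments up (a live CD forgets its entry guards on every reboot, and a configured bridge pins the first hop instead) comes down to two torrc fragments. This is an added example, not configuration from the original post or from the Tails or Tor projects; the bridge address, port and fingerprint below are placeholders, not a real bridge, and the comments note where Tor keeps the state that a non-persistent live system discards.

```text
## torrc, default client behaviour (the "persistence fault" case)
## Tor picks a small set of entry guards and records them in the
## file named "state" under DataDirectory. On a live CD that
## directory is lost at shutdown, so every boot selects new guards,
## widening the set of relays that ever see this client's first hop.
DataDirectory /var/lib/tor
# (no UseBridges line: guards are chosen at random and stored in state)

## torrc, pinned first hop via a bridge (the "fix" the comment describes)
## With UseBridges set, the configured bridge is always the first hop,
## so the choice no longer depends on the discarded state file.
## 192.0.2.10:443 is a documentation-range placeholder; replace it and the
## fingerprint with a bridge obtained from the Tor project, never a guessed one.
DataDirectory /var/lib/tor
UseBridges 1
Bridge 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
```

The trade-off is that a pinned bridge is also a single point to watch: whoever runs it sees this client's first hop every session, so it should be a bridge you have a reason to trust, not one picked from a random web post.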
I took my old analogue radio for a tour around the house looking for RF radiation that might harm me ... and guess what? ... by far the biggest emitter in my home is the LCD panel! So efforts spent at mitigating TEMPEST are pretty much a waste unless you live in a cave with a steel door ... baby/bath water and all that ... and as noted, if you DON'T live in a steel-lined cave and your opponent is resourced to make TEMPEST- (and audio-) (assisted) attacks, most efforts at encryption of your data have minimal benefit against an active attacker. Such attacks are probably not very hard, although making them undetectable probably is... but do you know how to check, and is there any point checking when we already know NSA/KGB, etc. etc. have the globe encircled with satellites? These guys are also known to put most of their effort into propping up the various 'free market' commercial enterprises they rely on, btw, so don't imagine the data they garner is never used against civilian targets...
Encryption of idle (offline) data does have a benefit against unresourced, undetermined attackers (ie your own people, the ones you should be able to trust anyway); encrypting traffic has some degree of benefit on reducing your profile against marketers and other data aggregators ... but for any majorly resourced intruder, there's not much you can hide unless you are similarly resourced ... then again, perhaps you are not very interesting to them either, unless you are similarly resourced... or in a position to be of use by them against someone who is similarly resourced ... tor is a cloud of fog that obscures you, but to make an impregnable stronghold really requires an impregnable stronghold ... there is no virtual security solution for real-world threats to your communications confidence/integrity.
"but do you know how to check and is there any point checking when we already know NSA/KGB, etc etc have the globe encircled with satellites?"
try lining your windows with tinfoil and check it after a few months. You'll discover straight LINES and DOTS (tiny peep holes). This is with the tinfoil on the inside of the windows' surface, in-house/apartment. What causes this?
I believe most, if not all consumer computers and devices are, if not monitored, swept and mirrored by big bro using satellite technology.
One anonymous poster to pastebin, claiming to be representative of Mossad, fired a shot across the bow of Anonymous and other hackers by saying, paraphrased, "All of your hard drives are mirrored in (locations A, B, C, as I forget which countries were mentioned) certain places on Earth anyway."
I find this to be true, I've used Microsoft's SysInternals programs to monitor processes and discovered my drives being swept, a chat program running I never installed and could find no trace of, files where they had the most interest were mp3 and graphics files, but they scraped the whole drive, and an iso creator/mirroring utility was running.
You only make it easier for them if you willingly install video streaming programs (VLC) with command line counterparts, music programs with command line counterparts, Office programs, which I noticed PDF files were being made in the background, and all of this activity was happening when I was monitoring a computer isolated from any wired/wireless/LAN network(s).
Google: Subversion Hack archive for a glimpse into this mysterious activity
It's all about the waves.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.