Protecting E-Mail from Eavesdropping

In the wake of the Snowden NSA documents, reporters have been asking me whether encryption can solve the problem. Leaving aside the fact that much of what the NSA is collecting can’t be encrypted by the user—telephone metadata, e-mail headers, phone calling records, e-mail you’re reading from a phone or tablet or cloud provider, anything you post on Facebook—it’s hard to give good advice.

In theory, an e-mail program will protect you, but the reality is much more complicated.

The program has to be vulnerability-free. If there is some back door in the program that bypasses, or weakens, the encryption, it’s not secure. It’s very difficult, almost impossible, to verify that a program is vulnerability-free.
The user has to choose a secure password. Luckily, there’s advice on how to do this.
The password has to be managed securely. The user can’t store it in a file somewhere. If he’s worried about security for after the FBI has arrested him and searched his house, he shouldn’t write it on a piece of paper, either.
Actually, he should understand the threat model he’s operating under. Is it the NSA trying to eavesdrop on everything, or an FBI investigation that specifically targets him—or a targeted attack, like dropping a Trojan on his computer, that bypasses e-mail encryption entirely?

This is simply too much for the poor reporter, who wants an easy-to-transcribe answer.

We’ve known how to send cryptographically secure e-mail since the early 1990s. Twenty years later, we’re still working on the security engineering of e-mail programs. And if the NSA is eavesdropping on encrypted e-mail, and if the FBI is decrypting messages from suspects’ hard drives, they’re both breaking the engineering, not the underlying cryptographic algorithms.

On the other hand, the two adversaries can be very different. The NSA has to process a ginormous amount of traffic. It’s the “drinking from a fire hose” problem; they cannot afford to devote a lot of time to decrypting everything, because they simply don’t have the computing resources. There’s just too much data to collect. In these situations, even a modest level of encryption is enough—until you are specifically targeted. This is why the NSA saves all encrypted data it encounters; it might want to devote cryptanalysis resources to it at some later time.

Tags: cryptography, Edward Snowden, email, encryption, FBI, law enforcement, NSA, security engineering, surveillance

Posted on July 8, 2013 at 6:43 AM • 61 Comments

Comments

joe • July 8, 2013 6:50 AM

you’ve got a missing </ul> after your list there

Natanael L • July 8, 2013 6:59 AM

Yup, joe’s right – your front page on the site looks broken due to that post.

Bruce Schneier • July 8, 2013 7:03 AM

Fixed. Thank you.

Martijn Meijeringmartijn@mevs.nl • July 8, 2013 7:09 AM

Regarding metadata: Bitmessage attempts to solve this problem. They are looking for an expert security audit, maybe you could help there?

Nicholas Weaver • July 8, 2013 7:10 AM

The other problem: PGP (although FINALLY getting usable with gpgtools on the mac at least) may be secure if your system is secure, but does nothing to prevent traffic analysis/metadata analysis.

In many cases which a reporter has to worry (e.g. a leak investigation), the metadata only is sufficient to reveal to law enforcement what they want to know: that source X communicated with reporter Y.

(This is why I didn’t bother discussing encryption in my Wired OPSEC-for-sources guide: you need good OPSEC first).

A.Lizard • July 8, 2013 7:20 AM

While it’s a PITA, doesn’t using Tor + anon mixmaster-based web-based emailers deal with the metadata problem?

NickNolan • July 8, 2013 7:27 AM

Criminal organizations have been using gmail (gmail uses ssl by default) to communicate using the following trick:

They create single anonymous gmail account per communication channel. They write their messages in plain text but don’t send them. They just save it as a draft in gmail and the receiver logs in to read the messages. If they access that gmail account trough Tor browser bundle, cops don’t get any identifying information (ip adresses, or email account information) to use. Sending user data request becomes impossible when they don’t know the gmail account in question.

SWAK • July 8, 2013 7:36 AM

Bitmessage and an “expert security audit” — the NSA may have cryptographic resources beyond what we know, so even if an expert security analysis says that its secure, it might not be.

“You know nothing, Jon Snowden.”

CIA-Director?? • July 8, 2013 7:48 AM

@NickNolan Those “criminals” are really stupid, while thinking that they are smart 😀
Because in that case the mails, even not send, are hanging around on Gmail-servers, unencrypted. Believe me, Google cooperates entirely with law enforcement !
Also, remember, a married man, David Petraeus (age 60), at that moment the director of CIA, was “smart” enough to communicate in that way with his mistress, married woman Paula Broadwell (age 40), during their extramarital sex-affair.

Why i did write their age?? because they have together 100 years of life-exprience, so they should have known better !

PPaulsen • July 8, 2013 7:51 AM

True, but some of those concerns can be moderated with the use of smartcards. PINs replacing complex passwords, no possibility to extract the keys if this is not build in by design. Even a vulnerable programm need the card to be present for any spying.

And also true on the part that any encryption will make it almost impossible for the NSA to gather any information if you are specifically targeted.

At least for E-Mails, but i doubt those are the NSAs major source of information since there are many other places where we give away or information for free and for public use.

Me • July 8, 2013 8:00 AM

I brainstormed a while back with a coworker of mine as to what one could do if you were really paranoid about being targeted by NSA-style electronic data gathering, but still wanted to stay internet connected. Here’s what we came up with:

First, avoid smart phones. If you’re really committed, give up any wireless mobile devices, however for most they would need at least a basic cell in today’s society (perhaps a pre-paid basic phone). At the very least, you can make it less pervasive by turning it off when you don’t need it.
Second, your computer(s) should have whole-disk encryption, period, and be password protected. PGP Desktop and TrueCrypt work well for this. I don’t know if I trust BitLocker…
Third, consider running the OS off of a live-boot DVD with all the necessary programs to ensure viruses cannot infect it. Have it auto-mount the encrypted drive, perhaps with a different password than the login password. Never write those passwords down, and use a more secure process (as Bruce points out) when creating those passwords.
Fourth, have Tor auto-run at startup and configure it to have multiple Socks ports available. Force everything you possibly can through Tor. Here’s the key: each socks port configured uses a separate circuit, so you can have the email go through one, the web browser go through another, etc. You can even configure auto-proxy for certain sites through addons like ProxySwitchy Sharp, so that certain sites go through different circuits than the rest of the traffic.
Fifth, whichever browser you run, make sure features like adblock, ghostery, and HTTPS Everywhere are installed, and configure it to run in incognito mode by default.
Sixth, have a separately installed OS (or second OS live-boot disk) for any action, no matter how minor, you don’t want associated with the first activity. In other words, have a different boot for playing WoW and banking than for watching porn.

That’s the gist of it. I’d be interested to hear what modifications or additions people would make. All the steps were chosen with the idea that while they require a change of habits, none except the “no smart phones” one is that hard to maintain with just a little thought. It’s very computer-centric for obvious reasons, so I hope you’ll forgive…

Chris W • July 8, 2013 8:08 AM

@NickNolan

That’s what the CIA director David Petraeus did to keep his affair hidden. IIRC someone messed up causing the FBI to investigate the email account, they correlated the IP addresses used to access the accounts with hotel guest records.
Yes, they got caught by the correlation of metadata. The content was largely irrelevant.

Deaddrops are a lot safer than sending mails over SMTP, but it isn’t guaranteed safe, especially if you’re using something like gmail for it.

Tor may seem secure, but it’s just a layer of an onion to be peeled by the NSA.
Don’t you think the NSA and partners have a permanent tap on as much exit nodes and relay nodes as possible? Granted, they won’t use that for criminal investigations.
It’s one of reasons why running a Tor node in the Amazon cloud doesn’t improve tor security.

Ryan Leaf • July 8, 2013 8:10 AM

You said that any emails being read on a tablet or phone cannot be protected.

On Android, there’s actually numerous mail clients that support PGP. I’ve had good luck with R2Mail2 (because I wanted proper PGP/MIME support), but there are free alternatives such as K9Mail + APG.

As for iOS, I’m not aware of a native mail client that supports crypto. However, couldn’t you use a CLI mail client like Mutt through SSH on an iPad (not really feasible for an iPhone)?

Snarki, child of Loki • July 8, 2013 8:11 AM

For the “NSA collecting everything, analyzing only the ‘interesting stuff'” scenario, I have a suggestion:

Encrypt your message with PGP (or other strong encryption).

For each byte of the encrypted message, select a sentence randomly from a large collection of ‘normal’ text (hello, Gutenberg project!) that has an MD5 hash with the least significant byte that is equal to the encrypted byte.

Add occasional paragraph breaks, and send.

Yes, it’s steganography, but on top of hard crypto; the main goal is to make the message look like random chatter, so if it doesn’t trigger any keywords, it won’t be saved for detailed analysis.

Simon • July 8, 2013 8:32 AM

No one can answer what it is exactly that the NSA hopes to do at a later date. I mean if a message were protected by strong encryption.

Often this raises the topic Quantum Computing. Generally it’s agreed if/when QC emerges you say bye-bye to key exchange. But isn’t the commercial system in wide use already vulnerable to CA corruption?

Invariably someone points out that QC can/will have little impact on private key encryption usually block-based like the sacred AES. Proposing solutions to some types of problems can be accelerated because they can be operated similtaneously. But some can’t – the output from one step is needed as input to the subsequent step. So Grover’s Algorithm is pointed out as the best possible and no one is going to come with a better one. But that’s because the model used is searching an unsorted list. Also, someone will recommend just doubling the key length, as if key management isn’t already a fat headache. But this causes at least a third increase in processing (more rounds, etc) and there’s no proof doubling key length is stronger in EVERY way.

You already know this, but what no one mentions is that there is nothing to stop a QC from being built that is DESIGNED for breaking AES, and I don’t mean pounding on keys. It’s not simply daisy-chaining QCs either, after all, multiplying proposed solutions each less than 100% will deteriorate rapidly. My concern is that overdependence on AES is taking us someplace we will not want to be. They just keep repeating the same things over and over again, like doubling key lengths.

Does anyone else see what the real problem is? The cipher text they collect has permanently captured the information. It is carved in stone and you’re left hoping the message will never be extracted.

bitmsg • July 8, 2013 8:42 AM

Bitmessage is pretty solid. You can PGP encrypt your message anyways, then the protocol eliminates any metadata or traffic analysis. Its sort of like using alt.anonymous.msgs and a nym server

NickNolan • July 8, 2013 8:44 AM

@CIA-Director?? & @Chris W

Petraeus was caught because his girlfriend used her anonymous account to send threatening mail to third part. Rookie mistake.

If you use gmail trick together with tor browser bundle, there is no IP adresses to track.

Chris • July 8, 2013 8:58 AM

“This is why the NSA saves all encrypted data it encounters”

So for certain types of communication, if the NSA only saves encrypted data, you might be better off not encrypting at all in order to avoid attracting attention. Hiding in plain sight, if you will.

The fact that the NSA saves encrypted traffic because it might be interesting is an extension of the principle that says “if you’re trying to hide something, then you must be doing something illegal.”

The best defence I can think of against this is to start massively encrypting everything.

officerX • July 8, 2013 9:12 AM

Account of how the (encrypted) email contact with Snowdon came about:

http://www.salon.com/2013/06/10/qa_with_laura_poitras_the_woman_behind_the_nsa_scoops/

Michael. • July 8, 2013 10:14 AM

I communicate with my cell by posting encrypted and steganographic messages to message boards. Hidden in the spam of various sites that are known not to delete or edit posts (e.g. /.) are things that look like spam (see 123.com for your FREE penis enlargement!), but actually contain encrypted messages. It’s slightly troublesome because the bandwidth is quite small, but it works. (I won’t give away how we determine which messages are not actually spam, but it’s relatively simple if you know the formula.)

Similarly, using free webmail (like Gmail) and then saving the text of the encrypted message in the draft folder works. You can share the account with multiple people, and because they all have their own key pairs, they can’t read messages not intended for them. No ‘metadata’ is leaked, ’cause there are no headers. And using Tor means that the IP addresses are also misleading.

Paste bins and image boards are also a great resource.

So yeah, as mentioned already, dropboxes, and such. And with asymmetric encryption you can use the same system for multiple people, and no one can read other people’s messages.

For encrypting HDs, I would just suggest Ubuntu (or Debian, or another Debian derivative that was known to be safe) and the built in encryption. But certainly not MS Windows.

HJohn • July 8, 2013 10:21 AM

I think the bulk and clutter is scary. On one hand, each person may be a needle in a haystack so the individual risk of a random person may be small. There is, however, a flip side…

The Petraeus undoing was largely due to personal indiscretions, behaviors that are, unfortunately, very common. Even decent people tend to have secrets and wrongdoings that would embarrass them.

Then we also have laws and codes. The codes used by the IRS are massive. The Affordable Care Act (commonly called ObamaCare), when stacked, is several feet tall, and that doesn’t include the provisions yet to be written in accordance with. As the internet grows, laws and regulations governing internet usage grow.

The point of this is not to argue what kind of a person Petraeus is, the merits of our tax system, or the appropriateness of new health care laws. The point is that at least 99% of the population has secrets that can humiliate them even if not illegal, they or their business are probably in some violation of some laws or codes that they may not even know exist, or have engaged in otherwise innocent activity that is either prohibited somewhere or could be misconstrued to embarrass them.

The danger is not just that the government can compile stats on all of us, or even look for red flags…. it is that once they have singled anyone out, perhaps for personal or political reasons, they can then find enough to discredit or destroy them.

As the old saying goes “give me six lines written by an honest man, and I’ll find a reason to hang him.” Try that with 6 hundred thousand bits of information about anyone.

Simon • July 8, 2013 10:40 AM

@michael – wtf does “known to be safe” mean? Explain. And what’s the problem with MS? Please don’t say “oh those bad ms guys can’t be trusted” like a fan boy then add “but all open source is good”.

NobodySpecial • July 8, 2013 10:51 AM

@michael – perhaps all spam is actually secret steganography messages !

bitmsg • July 8, 2013 11:10 AM

The draft email trick is useless as drafts aren’t covered by warrants anybody (LE, lawyers, ppl pretending to be LE) can access them with a standard req

Steganography is security through obscurity and easy to find. Remember the fbi busting that anna chapman russian spy ring with their wifi uploaded pics with hidden msgs? Also open to traffic analysis and unless you use PGP totally useless.

The only tried and true method is pgp and a mixmaster that prevents traffic/timing analysis, and a nym server address which forwards to alt.binaries.msgs a decentralized service operating much like bitmsg.

Or just use bitmsg tunneled through Tor/vpn and pgp encrypt it. Bitmsg can also act as a private network mailing list you broadcast a msg and only give certain ppl the key to decrypt/find it or hand out a public key and use bitmsg as your activist info service, no way to determine who is posting what esp if behind Tor/I2p.

Lots of work being done with GnuNet right now too to further conceal bitmessages

ramriot • July 8, 2013 11:16 AM

A close look at the threat model is needed here to determine the correct course of action. Many commentators have the kernel’s of good ideas but often run off proposing things beyond normal user capabilities.

In my estimation from current released information the NSA etc have ‘taps’ at concentrator points close to the targeted organisations (google, facebook etc), say at the Level 2 /1 peering trunk.

That gives them the fire-hose of all data flowing to or from that organisation but does not give them access into encrypted channels (ssl, sftp, pgp etc), it does though give all unencrypted metadata to use for targeting a possible follow on warrant to the the organisation for a specific users data.

Also assuming no cryptographic back doors and perfect forward secrecy, then a single communication over say SSL could be cracked with a custom built ASIC device with an economy of say $1M Vs 1year, i.e. if you have $1M it will take 1year and if you have $365M it will take 1day.

Taking that into account it seems to me that for the bulk or users their best method of avoidance is to use a wrapper model with layers determined by the importance Vs time to break strength i.e.

Every public emails: Use a randomized proxy to connect to google over SSL.

Private email: As above and only communicate with other google email users.

Secret email: As above and use PGP etc to encrypt content.

Really Secret email: As above but use a temporal key Like the MIT Vanish system prior to using PGP, so even if you private key is rubber hose decrypted, so long as 8 hours have passed the content is useless as the Vanish keys have evaporated.

Also as a final protection, protect all keys in a secure encrypted key-chain and never record the password where it can be later found without excessive effort.

Finally if you really want to be paranoid, train yourself to forget your passwords if you are ever arrested or detained. For me that is not such a problem as Senior moments happen randomly and often leave me unable to recall vital information.

tzine3 • July 8, 2013 11:18 AM

As for email: one could simulate project Highfire from Cryptorights leveraging existing technologies.
Using tormail exclusively would obscure the metadata in the email headers. Using gpg create an key without having the email address and assign that key to the account with the client such as Thunderbird. The public key could be distributed freely without any metadata assigned to it.

Jim • July 8, 2013 11:20 AM

PGP or similar application where there is no MITM server.

OS should be usb load up, with an OS dedicated only to secure email exchanges. Kali Linux does this nicely. Less input touching the system the more secure it is. Less clients you are talking to on the OS, the better. The OS should not be persistent.

All encryption should be end to end. Users should not use any manner of nickname in their email accounts which is identifying.

With PGP, you should treat as a potential attack any “out of band” PGP messages. Any PGP messages coming from other parties should be treated as a potential attack.

If you are a high profile journalist believe that you are under surveillance 24/7 and operate accordingly. Do not let yourself pretend you are not.

The majority of the security relies on the source remaining anonymous. This is hard for them to do if the journalist is under surveillance by a nation state. If they send from their home city, this can be revealing. If they travel to send data, this, also can be revealing.

Best bet is to rely on a third party in such situations, but the wider the group of people involved, the more difficult it is to keep the secret.

A nation state will wire your home. They will get into your system. They are always uplink and they archive all of that data. They will get at your routers wired or wireless.

Internet cafe for sources is revealing. Piggybacking on random wifi can be more safe if it is in the same city and the city has a large pool of potential sources.

Dead drop online systems can be used, such as usenet or file sharing systems. Steganography is one of the better methods to do this, though the data still needs to be encrypted. The application should be well security tested. Opensource is better then closed source. There are source code scanners, using two is a good idea.

Steganography applications could have flaws which produce individualistic signatures that could be detected through systems like what the NSA has. This signature flaws could be different from file to file. This is unlikely but possible.

Be wary of attacks on the client application. Which is why any out of band message should be considered potentially an attack.

The dead drop location should be some place where the journalist would ordinarily browse to. If they are seen browsing to some obscure forum or site they do not ordinarily go to, that could lead to inspection. The attacker then could have every IP address accessing that location analyzed.

This could be a new site they have not in the past used. But it should be a site they start to use so most of their traffic there is not dealing with spy stuff and can be excused by surveillance as ordinary, non-suspicious behavior.

Good idea to make several backups of all data to disclose and leave in secure locations.

If the data is in one dump to a journalist, the source could visit the journalist’s home city, leave it in a location they believe is secure. Then, they can wait sometime so that their travel plans are unlikely able to be absolutely confirmed to them. Months, weeks. Then, direct the journalist to the location. The journalist likely will need proof of bonafides in the first place, however, before tramping off to some park to get such a thing.

Jim • July 8, 2013 11:28 AM

“Steganography is security through obscurity and easy to find. Remember the fbi busting that anna chapman russian spy ring with their wifi uploaded pics with hidden msgs? Also open to traffic analysis and unless you use PGP totally useless.”

She used several means of communication which were detected by the FBI because the FBI was watching her directly. All means of communication were caught.

She was not caught because she used steganography. Principles of obscurity were involved in most of her communications.

The first and main thing a nation state wants to know is “who are they talking to” so they can map out their networks and find bigger fish and all threats.

Obscurity of communication is necessary for an agent to talk with their handler.

Steganography or encrypt all communication are two ways of making more privileged conversation secretive. Where obscurity is a sin here is where one or more parties forgets to assume they are always under total surveillance.

To communicate is to take a known risk.

The source can remain anonymous. The conversations can not remain anonymous. Under those dictates. Risk is involved and should be calculated.

bitmsg • July 8, 2013 12:05 PM

As you can see real anonymity to prevent the kind of metadata the nsa/fbi/csis/mi6/fsb wants to collect to identify networks of people requires disciplined and careful comsec.

Bruce’s response to the press should be for regular people to vote for somebody who dismantles this Kafka/1984 system completely. Failing that spend a serious amount of time reviewing opsec starting with the grugqs video on youtube called opsec for hackers, research pgp, research tor,read up on mixmasters and check out bitmessages. Something no average user will do so just vote the paranoid fascists we have in government out 😉

noble_serf • July 8, 2013 1:11 PM

As a non-technical person, I look at this and think about the message itself.

I sort of understand the hoops you could go through to communicate routinely and reduce risk of leaving tracks.

However, the whistle-blower / leaker / traitor (depending on your viewpoint) could go to all the trouble of perfect “burner” device methodology and still get caught / identified through human factors.

The data he or she provided would have clues as to who leaked it, even in this era of fusion centers.
His or her friends or co-workers may have information or clues or speculation — “See something say something”
He or she may have ego to contend with. After all, they must think they are “doing good,” and would want to take credit. The era of “deepthroat” may be over, yes?

I just think the tech how-to is interesting, but the social side of it is just as important. I’m also amazed at how many of my associates are ready to hang the “leakers” as long as they are lower-level employees, but they seem to freely share the “news” leaked by high level officials as if it’s both legit and important.

Nick P • July 8, 2013 2:25 PM

The Old Solution [That Still Works]

So, people want to know how to communicate securely and anonymously by email. This is actually a problem solved long ago by the “cypherpunks.” A combination of a dedicated machine, popular FOSS software, confuring OS/software to reduce leaks, encrypted storage, PGP-type email, metadata cleansing and mixmaster type networks. There’s certain usage requirements (OPSEC) that goes with them, but they’re checklist-able.

(I find it’s also helpful to use randomly generated, written on paper TrueCrypt passwords for triple encrypted volumes. Store any emails in there. When you want to delete some, create a new volume w/ new password, move those you want to keep into it, get rid of old volume and burn paper with password. Now you can’t turn in the evidence even if you want to. Rubber-hose resistant. 😀 You can do this with HD’s as well if you have two and have the patience to clean install + massive move data on a regular basis. Another side effect is it keeps your system lean and protected from peristent OS-level malware. Total erasure of data is a simple as burning a key.)

Honestly, the amount of security you get depends on the effort you put into it. Let’s look into a few potential solutions for reducing your risk of subversion, the main risk imho. We gradually increase effort and risk avoidance.

Solve physical subversion problem by buying dedicated hardware with cash or prepaid card. Foreign and/or generic is ideal. BIOS, not UEFI. TPM optional. Lock BIOS after disabling unnecessary features. Optional tamper-evident techniques on inside and outside. (People into embedded design have so many possibilities for internal tamper evidence or resistance, yeah? wink) Maintain an updated LiveCD w/ necessary software for sensitive operations, use a NAT router, and wired Ethernet.

(Diversity of OS’s, tools, protocols and hardware platforms give defenders an advantage.)

A simple technique is using a regular mail client on a Live CD, messages temporarily stored in RAM, and a proxy application/device handles the technical security aspects. This is already done in certain Tor bundles and distros. Nexor also uses the security-enhancing gateway/proxy approach to secure email and directory services. Considering Nexor is a leader in protected messaging, I think this proves that the proxy method is probably the best in terms of various tradeoffs. Email security and FOSS lovers should just look at those products’ features/design strategies and copy the most important ones. (source: Picasso)
Putting more effort in. Keep the dedicated PC, LiveCD and proxy concept. Add an old school Mail Guard between the source PC and the Net. The mail guard runs on a very secure, minimal OS. It enforces mandatory controls and assured pipelines. Prohibited for most software activity are pointer operations, direct memory accesses, and risky API calls. Stuff is copied between processes via very controlled means, all input from internet is extensively validated, all outgoing traffic is cleansed/protected, and the overall process is simple enough to use high assurance development methods.

Matter of fact, Orange Book A1 class technology was originally used for MLS timesharing, VPNs, network guards and… mail guards. The Standard Mail Guard did most of what I just described. And that was a long time ago. Let’s call it the Old, Old, Old Secure Email Strategy. 😉 GEMSOS, Boeing SNS, and BAE STOP OS still exist today for use in guard technology consistently updated with new use cases or integrations with other tech.

Of course, we’ve over time learned that PC are inherently insecure due to how stacks, memory and DMA work. This could ruin 3 if attackers want to get extra targetted and clever. So next step is further breaking it into components: clientcomputer ->(non-DMA line w/ simple protocol)->mail guard->(non-DMA line w/ simple protocol)->PCforTransportStackandBasicInternetDefenses->InternetConnection. Deprivileged processes written in typesafe code handle each step of the pipeline. This means there are no longer attacks in the design that give an easy way in and injection-free (or nearly so) implementations of simpler protocols are possible. Formal methods at HLL design, policy and protocol level are also possible here.
The next step reduces guard’s TCB. I’d pull from the Nizza and MicroSINA architectures for simplicity. There would be at least logical partitions: client side; guard software; Internet side. User-mode drivers handle moving data to-from the non-DMA hardware. Communication between processes/partitions is done via IPC w/ capability security. A robust microkernel, such as seL4, is used. Most of the logic in the system uses type-safe, managed code with minimal runtime. (Safety-critical Ada or Java runtimes come to mind.) Each component has its own runtime. Activity happens in the system through a fixed, ARINC-style scheduler with an extra countermeasure or two I’m leaving out to prevent both timing channels, priority inversions and resource starvation issues. TCB is now extremely small, problems are isolated into components, least privilege is used throughout, all interactions are controlled and verification is much easier.
Final step would be to work bottom up. Start with verified hardware components, from trustworthy DMA devices to tagged processors supporting typesafe system code. Bare minimum would be a processor, two ROMs, RAM, a dedicated line to local storage (HD or separate PC to simplify), and two dedicated lines for internal and external communications. One ROM is highly assured, only verifies and loads the other. The other is the real BIOS/firmware/system/whatever. Gives us dual benefit of a fixed trust anchor and updates of low level software later.

The tags/types/capabilities at a minimum would distinguish between control flow, data, and trusted software (can bypass security). Protecting the integrity of a system is 90+% of security and architectures of the past that did the above had few security issues. (Some might have had none in practice.) Per my modern take on an old A1 requirement, any code to be executed in the secure system is created on a separate trusted system, bundled into a file/image, signed and sent to secure processor over dedicated (serial?) channel. The updates can only happen in a maintenance mode, the mode is turned on via physical switch, a Red LED is blinking during maintenance, and the system must be [trusted] booted into the mode before anything happens. (Nothing else runs.) This ensure the system gets from Power On to a Trusted and Secure Initial State.

In production mode, the system does the trusted boot, it loads/verifies the code, the processor marks it as such, and then the Main method (or equivalent) is called to begin the running phase. In production mode, executable code can’t be changed at all so as to prevent control flow attacks of all kinds. (In conjunction with type and memory safety, of course.) This tactic was used in Sandia Secure Processor. I add a requirement from my old bag of tricks that communications and storage devices aren’t even allowed to operate until the main system code is in immutable mode to aid in creating secure initial state.

Other projects with tech that might be usable in at least a type or memory safe foundation for secure email are JX, House/HASP, SPIN-derived projects and Mirage. They’ve all produced usable prototypes ranging from web servers to network file systems to GUI’s. An email proxy is… quite simple in comparison. 😉

Anonymity

Others covered it pretty well. A rehash of some ideas, maybe an extra thrown in here and there.

Tor, I2P and Freenet. They each have pretty good protection for anonymity right now. Tor has more users and expert scrutiny so that makes it a bit better. Best to use a distro that builds it in with all the metadata stripping and stuff.
Mixmaster networks. They bounce emails around. Enough people use them you get the “lost in the crowd” benefit that Tor has. It’s also easier to anonymized asynchronous communication than a nearly-real-time communication. Use this for the messaging and Tor + online storage site for the file drops.
Offshore hosting in non-cooperative countries. One old trick of mine was to pay for hosting services in these countries. You can get plenty of functionality even out of a PHP-supporting host as it can run arbitrary scripts and store files. Might be used in many ways. Combined with above two steps, it’s an extra layer.
Wifi + widely used service. Coordinating and contacting via public residential wifi over a widely used service like Gmail has the advantage that it doesn’t look like you’re hiding something. Unless they’re targeting you specifically, they probably won’t notice you. This method is best for initiating communication and setting up a better method. By the time eavesdroppers get the messages, they’re already almost useless to them.
Burner cellphone (pref chinese) + SMS. Buy two, set them up with right information, and mail one to the reporter. Get the reporter to mention a phrase or something in an online channel they control to acknowledge it’s really them in possession of the phone. The phone can be used for both communications and as an out of band channel for secrets. A secret can be negotiated by splitting a master key into pieces sent over email, net, Tor, phone, SMS or however many channels you like. They’re combined on a dedicated, LiveCD running device to create a master secret written on paper and highly protected. This secret can be used to derive others for various protected communications using publicly exchanged nonces.

So many methods, so many tradeoffs, and so little time. Hope some of this gets someone thinking. Or keeps them safe.

Michael. • July 8, 2013 2:25 PM

@Simon
I could have sworn I read about Microsoft handing over exploit and bug information to the NSA before patching it and distributing the patch.
Anyway, it doesn’t matter if it’s MS or anyone else, if I can’t see the source code, or pay someone else to vet it for me, I can’t trust it. And anyway, MS aren’t good guys. That should be obvious to anyone.

Debian is pretty likely to be safe. It’s developed in an open manner, with anyone free to look at how it is developed. Similarly, Ubuntu is pretty open, and I think Knoppix and Mint are both also developed openly. Known to be safe, in this context, is “we are pretty sure that there isn’t anything nasty going on behind the scenes”.

Basically, talking about security, well used, and developed by many people Free Software is invariably going to be safer than non-Free software. How hard would it be for the NSA to put a backdoor into MS Windows? Who knows, we can’t see the code or the development process. What about for Debian? Pretty hard I think.

@NobodySpecial
It’s been suggested before.

Nick P • July 8, 2013 2:36 PM

@ Michael and NobodySpecial

It’s been done before, too. And now you can do it. Sample message below. I’m curious if this post will get stuck in the spam filter.

Dear Friend ; We know you are interested in receiving
cutting-edge announcement . If you are not interested
in our publications and wish to be removed from our
lists, simply do NOT respond and ignore this mail !
This mail is being sent in compliance with Senate bill
1627 ; Title 3 , Section 305 . This is NOT unsolicited
bulk mail ! Why work for somebody else when you can
become rich as few as 85 days . Have you ever noticed
nobody is getting any younger & most everyone has a
cellphone . Well, now is your chance to capitalize
on this ! WE will help YOU SELL MORE plus use credit
cards on your website ! The best thing about our system
is that it is absolutely risk free for you . But don’t
believe us ! Mrs Simpson of Idaho tried us and says
“Now I’m rich, Rich, RICH” ! We are a BBB member in
good standing ! We beseech you – act now ! Sign up
a friend and you’ll get a discount of 20% . God Bless
. Dear Cybercitizen ; Especially for you – this hot
announcement . We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 1623 , Title 4 ; Section 301 ! THIS IS NOT A GET
RICH SCHEME ! Why work for somebody else when you can
become rich in 56 WEEKS ! Have you ever noticed more
people than ever are surfing the web and nobody is
getting any younger . Well, now is your chance to capitalize
on this ! WE will help YOU increase customer response
by 160% plus deliver goods right to the customer’s
doorstep . You can begin at absolutely no cost to you
. But don’t believe us . Ms Simpson who resides in
Ohio tried us and says “Now I’m rich, Rich, RICH” !
This offer is 100% legal ! We implore you – act now
. Sign up a friend and you’ll get a discount of 40%
. Thank-you for your serious consideration of our offer
! Dear Salaryman , Especially for you – this red-hot
news ! If you no longer wish to receive our publications
simply reply with a Subject: of “REMOVE” and you will
immediately be removed from our mailing list ! This
mail is being sent in compliance with Senate bill 2516
; Title 2 , Section 306 ! This is NOT unsolicited bulk
mail ! Why work for somebody else when you can become
rich as few as 44 weeks ! Have you ever noticed how
many people you know are on the Internet & most everyone
has a cellphone ! Well, now is your chance to capitalize
on this . We will help you decrease perceived waiting
time by 140% plus sell more ! You are guaranteed to
succeed because we take all the risk . But don’t believe
us ! Mr Ames who resides in Alaska tried us and says
“I was skeptical but it worked for me” ! We are licensed
to operate in all states ! We implore you – act now
. Sign up a friend and you get half off . God Bless
.

marc • July 8, 2013 2:46 PM

a great post. I hope the NSA likes spam, since thats the only email I seem to get!

Sylvain • July 8, 2013 3:01 PM

Like many have said, it really depends on the threat model.

I would give 2 methods that a reporter could use, and the second one a trusted friend could help with, if the reporter is tech clueless.

Pick a provider that has a proven track record of either fighting (US based) or ignoring (foreign based) US requests to fish through email accounts. These providers will also have a FAR less chance of having backdoor equipment installed. Riseup.net has gone to court and prevented their users email from being released. They are US based, and run by activists. Always access via Tor/VPN, and always use PGP. There is also Tormail. YES, who knows who runs it, but everything will be PGP’d anyway…as a hidden service it is protected by the Tor system as far as worrying about exit nodes and hiding the originating IP’s. Countermail is based in Sweden and has a lot of nice features. YES, can you trust them? (Sweden has some worrisome co-operation with US, but on the flipside has decent privacy law for email providers and VPN – but NOT ISP). You make that decision. Java applet via browser (yeah, but they give you the hash to the applet), BUT can be used with Thunderbird and Enigmail = no Java needed. There’s another provider called something like “Austici” that looked good. As long as you accessed always, from Tor or VPN, and always used PGP, I think pretty good safety.
The reporter could run his own email server. There are some really easy packages out there that don’t require a PhD to set up. A self signed cert would allay any CA compromise. It is on his own property, so barring a Watergate mission, he’ll know if someone wants his data. He can relay what times the server will be up and running (only when he is home, for example) and all other times, it can be in a TrueCrypt container…on a fully encrypted TC drive. Again, always access via VPN/Tor, and always use PGP. Turn all logging off. If it’s on a laptop, he can take it with him…or cameras and a phone app could watch his residence.

But yes, Bitmessage seems tailor made, or OTR messaging via some obscure XMPP server (Chaos Computer Club runs one, as does DuckDuckGo. Countermail has one too.

Slv

J.M. Porup • July 8, 2013 3:05 PM

As a journalist who has been targetted by the NSA, what I would really like to know is what (if anything) I can do to safeguard my privacy.

Like you just said: “In these situations, even a modest level of encryption is enough — until you are specifically targeted.”

OK, so now what do I do? What realistic countermeasures can a journalist or activist take?

Do I need to build a Faraday cage in my office, and carry my laptop with me wherever I go…?

Glyndwr Michael • July 8, 2013 3:05 PM

Many of these responses so far are great at coming up with potential technical solutions, but they miss the main problem: people don’t care enough.

Tell someone that if he wants to send email as securely as possible he will need to learn about public key cryptography, operating systems on live CDs, Tor, Freenet, metadata, etc., AND convince the people he communicates with to do the same thing, and it will be overwhelming. He will give up because it looks like an impossible task.

Look, we’re still trying to get the public to stop picking “password1” as their passwords. Why don’t they stop? Because it isn’t causing problems for them. It won’t be a problem until they are directly affected by a security breach, their password is exposed, and someone uses it to drain their bank account.

Nobody is going to bother doing any of this fancy cryptological wizardry when they don’t see how broad government surveillance affects them. The key is to show why it’s bad, and hopefully more people can be convinced to look for solutions seriously.

TS • July 8, 2013 4:12 PM

Edward Snowden pointed out, that endpoint security is the biggest problem, when sending encryted email. I think, messages should be written and encrypted in an allways-offline computer, transfered to Internet-enabled computer using physical media and sent there. The other end should have an identical configuration.

Sedia Locin • July 8, 2013 4:35 PM

@Glyndwr: The public at large can only be served by turnkey security solutions (if such are ever developed). They would have to be transparent to your average user. They would have to be an inherent part of web usage and implemented automatically by suppliers of web services. There may be no demand for this, or governments may legally force trapdoors and businesses may resist for commercial reasons.

This particular thread is about the vastly more important (to democracy) topic of providing secure interactions for journalists and their sources. These folks are hopefully considerably more intelligent than the average person and are highly motivated and capable of implementing properly explained techniques of self preservation.

Nick P • July 8, 2013 4:38 PM

@ Glyndwr Michael

“Tell someone that if he wants to send email as securely as possible he will need to learn about public key cryptography, operating systems on live CDs, Tor, Freenet, metadata, etc., AND convince the people he communicates with to do the same thing, and it will be overwhelming. He will give up because it looks like an impossible task.”

It’s good that this is unnecessary. Most of the designs I mentioned can be packaged into something with a near seemless usability. Plug in the cord, turn device on, maybe insert a CD, and it’s all on by default. Tails distro is a good example of integrating much of the anonymity and crypto stuff together. It could be done even better.

(I’ll also add that many big news organizations have IT staff. They might be of use in setting up an IT project for the laymen.)

“It won’t be a problem until they are directly affected by a security breach, their password is exposed, and someone uses it to drain their bank account. ”

“Nobody is going to bother doing any of this fancy cryptological wizardry when they don’t see how broad government surveillance affects them. The key is to show why it’s bad, and hopefully more people can be convinced to look for solutions seriously. ”

It’s true for many people. Irrelevant here, though, because the point of the article assumes the person cares and asks “what can they do?”

@ TS

I agree that there should be some separation between the two. I included it in my designs. Problem is that many internet protocols and devices that use them are inherently insecure. A gateway is a better solution than pure offline approach b/c we know what people will use to move the files otherwise: USB thumb drives. Malware hits the Internet connected PC, piggybacks on whatever USB/Firewire device they’re using, and bam the main PC is infected. (CD-R’s would be much better, but they take money and time.)

In your setup, an air gap attempt I think, a data diode will suffice. They can be made out of Ethernet cords using online instructions. Or bought commercially. And they’re so simple that they can be made very secure (EAL7).

Natanael L • July 8, 2013 5:23 PM

On Bitmessage security: https://bitmessage.org/forum/index.php?topic=1666.0

It’s not anonymous against ISP level snoopers.

My suggestion is I2P with Bote mail.

Simon • July 8, 2013 5:52 PM

@TS – for that matter, build an Email appliance all HW. Turn it on like a toaster and type in your message. Press “Send”. Still need to get private keys to other guy. If it’s that important, carry them physically. Use ’em once then destroy.

Dirk Praet • July 8, 2013 7:38 PM

I would recommend anyone who’s really serious about the issue to re-read Nick P.’s posts a couple of times and experiment with some of the solutions proposed.

Unfortunately, most are too complicated to handle for the average layman like a journalist or a whistleblower seeking to communicate securely with members of the press willing and able to publish sensitive information.

Although far from being perfect, The Amnesic Incognito Live System (or TAILS ; https://tails.boum.org/ ) distribution already mentioned by Nick provides a relatively easy and secure solution bypassing the headache of installing/configuring all kinds of specialised software on probably already compromised Windows and Mac boxes. It can be run off DVD or USB, and even be built as a virtual machine using Rake, Vagrant and VirtualBox (for those stuck on an UEFI-based machine). TAILS allows for persistent encrypted volumes to store data like email and files. All connections automatically go through Tor and it supports I2P, OTR chat/instant messaging and PGP mail out of the box.

TAILS is well maintained (latest version 0.19 is from June 23rd 2013) and adopted by the Tor Project. Although it has a basic installation and user documentation, it is far from complete and would definitely benefit from (highly sollicited) contributions in this area by kind souls as to make its adoption easier by laymen in need of communications privacy and anonimity. (see https://tails.boum.org/contribute/how/documentation/ )

I believe it is safe to assume that at least one NSA analyst is monitoring this blog and laughing his *ss off over our impotent whining about surveillance states, erosion of civil liberties and attacks on the US Constitution. Expert contribution to the TAILS documentation (or features) as to offer future journalists and whistleblowers a decent standard platform to securely communicate IMHO would be a particularly unappreciated but perfectly legal display of civil disobedience by anyone who is less than happy with the police state that Mr. Snowden has revealed.

Figureitout • July 9, 2013 1:49 AM

it is safe to assume…
Dirk Praet
–So, it will slowly end w/ an awkward laugh, then silence when the stupid f*ck realizes that all his own comms are compromised too.

They can get their mouths ripped off trying to drink from the firehose of data; some of which is in fact fecal matter, yummy!

RF comms too people, the gov’t is having spectrum issues.

JeffH • July 9, 2013 3:28 AM

This stuff is hard not just at the conceptual level, but because a number of people in the know appear to insist on throwing out vague terms of ‘connect this bunch of FOSS together in these devices’ as though that’s easy to do right. If the FOSS community want to really do something effective in the fight for privacy or anonymity, make a end-to-end turnkey solution as NickP suggests. Ideally two handheld devices that e.g. a journalist can give to a source by some means.

I’d consider myself to have a reasonable background in both software & electronics (though by no means an expert). On reading most of the solutions in this thread, there are just too many moving parts to be sure of. If someone approached me and said ‘can you build me something secure’ I think I’d drown in helpful suggestions that led me off into a year’s worth of reading, and probably a lot of time spent with an oscilloscope.

There’s too much to configure, check, secure, and then there’s the what-ifs? Is this the right distro? How many guides by different people do I need to read to make sure I’m actually operating securely, rather than merely secure according to one person? When should I update for bugfixes? When the command that someone references has been retired, what should I use instead to achieve the same security? How will I know that a fix added by some helpful FOSS developer hasn’t just compromised security by creating a side-channel?

There’s huge domain-specific knowledge required here. It is beyond practical to require every user & every developer to understand everything about all of this (unless NickP is volunteering for cloning ;). We’re talking about an order of magnitude above merely stopping a web server being hacked by Lulzsec; we’re talking about keeping a source safe from a nation-state intelligence service.

At the moment, we appear to still be operating at the fundamentals of ‘read the source, examine the packets’ to verify that something is operating in a vaguely secure manner. That simply does not scale, not even for technically oriented people. This is why Tor Browser is a great piece of software even if it has shortcomings on its own. Someone has attempted to democratise security knowledge, and people can throw rocks at one hardened point rather than everyone building their own versions with varying degrees of success.

We need more of that. If nothing else, competition is good and we do need more than one solution to pick from.

@Dirk Praet – Thanks for the TAILS reference; good to know someone is heading in that direction.

Danny Moules • July 9, 2013 4:52 AM

“Why i did write their age?? because they have together 100 years of life-exprience, so they should have known better !”

@CIA-Director So does that mean if you have twenty 5 year olds together they should know better than two 40 year olds?

“Do I need to build a Faraday cage in my office, and carry my laptop with me wherever I go…?”

@J.M. Porup One of these is fanciful, one is entirely feasible. Why conflate them? I do carry my laptop with me everywhere I go. I perceive that to be an appropriate response to the threats I’ve modeled. It also has fitness and convenience benefits. Win-win!

Nathanael • July 9, 2013 8:04 AM

Basic principle of security, which Schneier has mentioned before: know what threat you are responding to.

In my case, I’m really only worried about deranged NSA agents taking a dislike to me and deciding to harass me for no reason whatsoever, or because they don’t like my publicly stated opinions.

In the case of a journalist reporting on crimes committed by the government, they are facing an extremely difficult threat profile.

h4xx • July 9, 2013 8:41 AM

@TS

that’s why the NSA and other agencies want this metadata. if you can id who is talking to each other one of them will have terrible endpoint security you can bypass and listen in on.

as for Tails it is far too complex now, they are making a huge DVD live o/s with so much junk added they need to do dozens of security updates every 2 weeks. too bad liberte linux is a dead project it didnt cram itself full of codecs and other exploitable 3rd party programs

zoli • July 9, 2013 8:54 AM

considering the lifecycle of the e-mails there are many points for sniffing, not only the cable or the muscle movements of the typer…so, we need an implant crypto chip that catches the idea and transforms it into bits to be sent through the info channel, and then the target decrypts it with a crypto eyeglass or embedded brainchip.

towards from Google glass to Human Ambient Crypto Knowledge 😉

HotJam • July 10, 2013 3:08 PM

The NSA collect encrypted communications for this very important reason:

Much of the encrypted communication is engineered by amateurs (CryptoCat is the prime example) and is easily crackable.

The NSA simply waits for cracks to go public.

Their work is done for them.

Nick P • July 10, 2013 8:35 PM

@ HotJam

I seriously doubt that for a few reasons. It is a clever idea though. 😉

Neil Cavanagh • July 11, 2013 9:04 AM

I’ve seen numerous attempts by organizations over the years to help secure emails including secure routes over VPN and leased-line connections, dedicated separate (and supposedly secure mailboxes), PGP and all sorts of wonderful bolt-ons to enable users to send encrypted messages via HTTPS links from their email clients. Government connect is a good example of this over in the UK.

I often found some amusement in the fact that access to these “secure mail services” was permitted over the internet through webmail on single-factor authentication.

Nevertheless, nearly all email clients need to be able to send messages unencrypted via SMTP and here is the weakness; many users forget to use their additional secure mailboxes or secure email addresses and just send the stuff straight out over the internet on SMTP unencrypted.

Perhaps it’s time SMTP started to disappear? But I guess there isn’t much chance of that!

gwern • July 12, 2013 12:56 PM

This seems entirely too pessimistic and an example of how a fine-grained analysis can be overly despair-inducing: Snowden was asked specifically during the Guardian online interview if encrypting email worked. He said the NSA could not crack your ordinary consumer-grade PGP-encrypted email.

So the answer you should have given the reporter is: “yes! your email is perfectly safe if you PGP encrypt it! the only problem you have to worry about is keeping decrypted copies of it around.”

JohnP • July 12, 2013 4:52 PM

Seems to me the NSA should stop spying and start doing Geek-Squad work for all the other government entities so we don’t have millions and millions of $$$ in PCs, keyboards and mice destroyed by idiots trying to be “tough on terror.”

US citizens would be more secure that way.

Kirk • July 15, 2013 6:10 PM

Processing data is like lending money: it’s a time/return cost-benefit analysis.

Unless there’s some exigent circumstances, the vast, vast amount of processing can be held in abeyance, or await improved technical capacity, or similarly await capacity to better decouple, sift, and reconstitute data.

Most data is, of course, useless. Until it is. Determining that is getting better and better with every passing moment.

mm • July 15, 2013 7:09 PM

Can anyone please comment on safety in using tor and https for webmail as mentioned in opular Online Email Services
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail

Nick P • July 15, 2013 10:15 PM

@ mm

Following through links connected to your link I found that Tor project recommends torbirdy. Here’s their page.

https://trac.torproject.org/projects/tor/wiki/torbirdy

Advice from EFF

https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts

mm • July 16, 2013 5:26 PM

thanks but from mentioned link -Are they saying trafic from your email server to another wemail server goes unencrypted-even though you used https to dispatch your email(so your and email address of the person you are writting to can be intercepted) ?
(and some of webmail providers fall prey every now and then to diffrent exploits allowing for hacking the account password!_

‘Even when an user views (or receives or sends) emails via HTTPS secured but when email from one server goes to another different destination email server, it still remains non-encrypted. Employees of such email service provider…’

TERRAT • July 17, 2013 7:07 AM

With Tor ? :

http://ipduh.com/anonymity-check/

No reverse DNS ok ?

Validate :

https://www.grc.com/x/ne.dll?bh0bkyd2

mm • July 17, 2013 5:28 PM

tor should take care of that i guess
and webmail https session ought to encrypt email header(from,to etc),
but is there a way to configure your webmail account (gmail,hotmail ,other ) to make the server encrypt the email traffic to the recipients server ?

Kahuru Numi • March 2, 2014 7:33 AM

You wrote:

Leaving aside the fact that much of what the NSA is collecting can’t be encrypted by the user — telephone metadata, e-mail headers […]

But e-mail headers can be encrypted. Christian Danner’s remailer gateway OmniMix uses a method he calls WME (Whole Message Encryption). It encrypts the whole mail including all headers plus a variable amount of dummy load and adds to the resulting PGP block only those few header lines absolutely required to send that message to the destination.

Schneier on Security

Protecting E-Mail from Eavesdropping

Comments

Leave a comment Cancel reply