Schneier on Security

Nick P • December 17, 2014 8:40 PM

@ HomerJ

That’s actually what I proposed. I had two different models. The centralized model meant you weren’t anonymous to the service provider (eg Anonymizer). They just used strong mechanisms to make you anonymous to everyone else. If a warrant is provided, they give over the data. Their own activities and systems are independently audited by mutually suspicious parties. Any accesses also generate audit logs that can be checked later on.

I also proposed a decentralized model with features akin to a discussion board or stackoverflow. The content is hosted on something akin to hidden services with an identifier. The police can suggest they be deanonymized. The users, a number of appointed people, or some other such social structure can all vote on whether to deanonymize the link. If they vote, the protocol will do so. Otherwise, it won’t. This is still pretty close to Tor, might even use most of its protocol, allows some lawful intercept, and reduces risk of censorship. It also discourages use of network for such content.

Honestly, I think the best thing would be for academics interested in anonymity schemes to put some effort into stuff like this. There’s going to be a constant battle between authorities and privacy lovers over anonymity technology. It will be much easier to swing courts toward privacy by default if we have a believable way to ID and/or eject crooks. It’s worth putting research into.

Nick P • December 17, 2014 10:05 PM

@ Kevin Kershaw

And that proves what? That cops can be jerks? So, all police powers from search to arrest are henceforth suspended? Nope. Both the American people and courts disagree with you on that. They think cops should be allowed to do their jobs, conduct warranted searches, etc with us able to criminally charge or sue dirty cops. Fully anonymity doesn’t allow that on either side. Absolute privacy is also illegal per US Constitution so even Founding Fathers didn’t push such ideological nonsense.

The only solutions in anonymity and security that have a chance of surviving the political onslaught make the right tradeoffs for key players. The result in many democracies isn’t so scary. In U.S., it’s scarier. And the bad part is that most claiming to do end-to-end are either unimportant or compelled by NSA/FBI to backdoor + lie about it. I’d rather have strongly assured protocols with a de-anonymize capability than black boxes in a surveillance state promising they don’t cooperate with the state. Snowden leaks indicate the latter approach failed across the board for major products and companies.

Nick P • December 18, 2014 10:31 AM

@ Daniel

” You view the matter as a difference between truth and lies but I see it as a choice between two sets of lies.”

I totally agree with that statement. I’d have to fight with them for my customers’ rights either way. If it gets vicious, the debate might swing in my favor given I at least allow warranted search. I might not win but I bet existing backdoors are far more permissible. I have a very real concern for their use to plant evidence, for instance. The GCHQ toolset has things that require that ability including manipulating votes online. Building a limited L.I. to avoid prison and protecting customers from other threats is the next principled option.

@ Justin

“You seem to have a very strange agenda here…”
” And you sound like one of those people not only willing, but actively trying to trade off MY rights to line YOUR pocket.”

You have an agenda. I’m just trying to get high assurance systems to market in a country with police state apparatus demanding backdoors and imprisoning/destroying the uncooperative. I come up with a compromise, people show up to accuse me of selling out. Those same people used deliberately weakened systems and backdoored Internet to do it. (rolls eyes) They then provide no alternative solution: only reiterate why mine are unacceptable. They demand their own selves are protected online by others risking imprisonment and financial ruin, then accuse those others of selfishness if they don’t go for that. (Lol)

Had I wanted to line my pocket, I’d have just made secure tech with the most obscure backdoor imaginable. My amplifying shielded cable concept ended up in TAO catalog so I’m clearly at the NSA level of stealthy backdoors. I know others that are better who I could’ve paid. Instead, I live in near poverty, work outside INFOSEC on purpose, no longer have references for INFOSEC work, and give trade secrets + patentable inventions away for free online for public good. Exactly what a capitalist in INFOSEC would do! Good call, Justin!

Meanwhile, those of us living in reality have to think of something that improves the situation without getting shutdown or fully subverted. I mean, it would be great if my traffic and machine weren’t wide open. Market hasn’t produced crap and NSA/FBI is forcing the few good ones to backdoor. So, my options in this surveillance state for a non-sell-out type company are simple:

1. Provide a L.I. capability (preferably limited) for U.S. HSA’s while blocking all foreign and domestic criminal ones. Make money on market. Deliver more solutions to customers. Things gradually get safer.
2. Don’t provide L.I. capability. Make no money. Customers use existing COTS or GOTS products. Prison.

You push very hard for me to do No 2. Many of you do. I just don’t see how our country’s situation improves as I sit in prison and my company’s products collect digital dust at archive.org. You might have just thought it out so far ahead of me. Did you want me to GPL it over BitTorrent just before I get convicted of their parallel construction? Did you solve the hardware subversion problem that I’d have to fight at enormous cost ($2-30mil) to prevent sneaky crap there? Do you have a stunning legal argument that someone trying No. 2 could give a federal judge in a closed hearing to stay free and on market? Did you come up with a way for me to leave America and push this business without extradition, CIA rendition, or bounty hunters picking me up?

You have no solutions to the very serious problems your proposal contains. I recommend all of you pushing No 2 come up with some instead of promoting suicide commitments from businesses. Right now, no sane person is going to prison so a tiny minority of customers can have a good system or software for one interation [before seizure/prison]. Closest thing was Levison and his ass proved my point: Lavabit doesn’t exist anymore. Customers with critical data in their inbox were reminded of another security property that only my solution would’ve ensured: Availability. If it ain’t available, it does nothing for anyone.

On top of that, it will help if you all get past this fiction that you have privacy rights for online data in the United States. I’ve seen no evidence for that from any branch of government. I’ve closely watched the American people’s response to the leaks and saw little to no evidence they cared. This is legally the same situation in the rest of the Five Eye’s countries far as I can tell. Any solution must start with reality and the reality here is that they’re getting the data if the product is to succeed. Otherwise, most IT systems stay maximally insecure to ALL attackers/snoops because your current providers are way less trustworthy or principled than me.

EDIT TO ADD:

@ BoppingAround
(saw your post just before Submit haha)

You’re right on the money. There’s either no security from many immediate threats or strong security with a few, mandated threats. A bullshit choice but I didn’t define them: that was Congress, President, courts, voters, etc. I tried to convince them otherwise and of middle grounds. I swear I talked to thousands of people and less than 20 would’ve taken action. Out of thousands I’ve evangelized at since 2002. And here we are in this legal situation. Just f***ing great…

I will add one thing to your post. I don’t want backdoors in products, although I see their arguments about L.I. needs. I previously argued it’s too great a risk to democracy. Then, democracy gave up their rights without a fight and now backdoors are mandatory plus done/enforced secretly. My designs would include one or more strong backdoors with a warrant-based escrow. I’ll probably also delay activating or putting in a backdoor until they show up with FISA order. But, if the law changes, I pull the backdoor(s) out immediately and destroy the escrow system in a way that it’s non-recoverable. The precondition is that American lawmakers or citizens get their heads out of their asses long enough to abolish the surveillance and police state powers.

Meanwhile, a backdoor goes in if mandated and stays in until mandate is removed. Any other approach is illegal. Status quo is everything backdoored in practice by bad design and/or subversion. My offering would be safer in measurable ways and more private.

Nick P • December 18, 2014 1:32 PM

@ Piggypiggy

You’re building a nice strawman there. I’m so pro-Consitutionalist I left the market to avoid backdooring things and warned as many as I could. I give away security designs, not sell them. And resisting FBI + court orders while intending to stay in business is indeed futile: plenty of shutdowns, seizures, and arrests to show it.

If you think otherwise, go start a business and build bulletproof stufc using what Ive shown you here. Then ignore FBI and NSA. I’ll just watch them tear you apart while you shout in vain.

Nick P • December 18, 2014 7:01 PM

@ Anura

Good analysis. I’ve always dreamed of a rarely discussed option where the elites fight government in a way that benefits us as a side effect. Elites concerned about their privacy and power could short-circuit at least the military-industrial complex part of things by using their wealth and power against the key politicians. The right kind of pressure could force them to stop doing mass domestic collection. The elites have a lot to risk if those tools are turned on them. I wasn’t surprised that the American people weren’t worried about it. I am surprised that the elites are letting the power get that centralized, although some are dissenting.

One explanation for this is that the elites are supporting it thinking of it as another tool of economic stability and control of the masses. Their vision, often labeled new world order, is an elite dominated globe with limited democracy. They might think they’re benefiting from it and be too cocky to see it being used on them. For some reason, they’re not acting and I’d really like to know why. Come to think of it, one lives nearby. Maybe I should pay him a visit to get his viewpoint.

@ Justin

The ECI leaks show they have three methods of forcing SIGINT enabling: FBI “compels” it somehow; INSCOM’s clandestine black bag teams; CIA’s clandestine and covert black bag teams. Two of those can legally do quite criminal things in support of their mission, with one (CIA) able to go extremely far while putting up smokescreens. These programs have high secrecy and the organizations criminal immunity. One can only wonder about the specifics. One document mentioned HUMINT: infiltration, sabotage, blackmail, extortion, etc. They could also throw costly investigations with asset freezes/seizures by FBI/IRS at them. They’ve done this before. Finally, blocking government contracts or exports would be a large blow to many firms.

Outside that, the Lavabit situation showed the federal judge would order a private key be delivered as part of a search and possibly jail someone for not doing it. I was following the case as it was a good test of whatever they’re actually doing. Then he shutdown so no way to know. Not being a lawyer, I can’t say too much on the subject except to say whatever they’re doing is working and I’m assuming that have something stronger than CALEA. And I bet it would work very well against a startup I do or someone like me that’s not going to win in the media.

We also don’t know if Google and Apple are tricking us. Those backdooring systems are supposed to lie about it. Lavabit was told they could lie to their users. Apple, for instance, was vulnerable for years to NSA and FBI. FBI and other agencies publicly talked about how difficult eg crypto was to break. Snowden leaks show NSA could break it, shared data with FBI/DEA, and they used parallel construction. So, I’m still not trusting any major U.S. firm (esp with govt sales) to not backdoor their products while U.S. govt has secret methods to force it and their victims have to (and often do) lie.

At least there’s some good news. Trend against bulk collection is getting more Congressional activity than I thought. Hope it goes somewhere as it might eliminate the need for conversations like this.

Nick P • December 18, 2014 10:00 PM

@ Soo-eeee

Thought someone might like that. Yeah, I put about a few hours into the backdoor concept. I’ve been thinking on the jurisdiction schemes for a lot longer. There are tricks to it, some people don’t think about.

1. The overt legal system must be able to protect the data, either mandatory or by contract.
2. The intelligence agencies must not be a threat or be less of a threat than Five Eyes.
3. The country must be independent enough to not cave to U.S. govt on these issues.
4. The country must not participate in secret U.S. govt programs such as extraordinary rendition.

5. The country must not extradite former U.S. citizens or their own citizens when U.S. feds make claims. They will certainly pull charges out of their ass.

6. The country ideally will have a culture where people are less likely to subvert their employers systems or processes.

7. Obviously, the country needs low crime, financial stability, low environmental risks, favorable international trade agreements, and so on. Good to do business in.

8. The country might need to be willing to leverage diplomatic or military transport for extra legal & physical protection of hardware shipments from foreign factories. The personnel should be ideological and well-paid.

9. Optionally the country should have both solid copyright and trade secret law. Software is protected by copyright. Hardware by trade secret. I’d prefer no patents except for self-defense.

10. The country’s patent system will ideally have as low risk of costly infringement judgments as possible. This is how NSA + private sector partnership will try to block sales. A few of my designs leverages only 20+ year old tech for that reason.

11. The country’s economy should be able to significantly benefit from more robust or secure INFOSEC technology.

Could be others I can’t recall at the moment. This is a start for the criteria, though. Source can be open or closed so long as it’s reviewed by qualified teams in mutually suspicious jurisdictions and comes with a sysgen utility. The System Generation requirement in Orange Book A1 systems created the site instance right from the vetted source, which was then installed and configured with vetted instructions. If closed source, the user gets binaries with a variety of signatures, a sysgen tool included in that, and instructions to turn that into a usable system. Either way, there’s strong reviews of a system developed in a subversion-resistant way in a country not involved in NSA-like activities.

So, that’s what I was thinking about. What could happen and what people will buy might be different entirely. Often was in the past. Post-Snowden, who knows. I think they’ll call it too expensive if it’s per product. So, I’m working on getting an alternative business model financed regardless of product or location specifics. It focuses on licensing or subscription with the products sold at cost. Keeps a steady income to fund all the expenses of SAP-style security (often 30% of organizational cost)

Nick P • December 20, 2014 5:11 PM

@ 01

“First, Nick P, your position is reasonable and laudable, so there’s that.”

I appreciate it.

“Yes, this particular scenario would not be a risk for your proposed system (since an angry cop only has enough to hire a measly script kiddie) but as we know, attacks only get better and this one does have some “good” potential (for definitions of “good” that are actually evil 🙂 ) even against very well-engineered systems.”

I understand your risk and worry about the same thing. It’s why I wanted to use high assurance development as much as possible to reduce that risk. Most attacks in my scheme would be detectable. The main risks against the system are: authorized, overreaching warrants; fake warrants by third parties; subversion of its gear; malicious insiders (intentional or coerced); the various in person attacks. There’s mitigating strategies for each.

The TLA’s might produce a remote attack on it. The trick is to design the device, whether hardware or software, where it can only do what it’s intended to do. There have been systems designed that way that NSA and private pentesters couldn’t beat. Unsurprisingly, they’re mostly sold to defense sector. 😉 Even those systems didn’t use the strongest assurance methods due to complexity. A basic backdoor with authentication system and limited internal state could use even better methods. So, seeing what those prior creations accomplished in the field I think my backdoor can do that or better if done with similar methods.

Note: Tor isn’t comparable because it’s a medium assurance implementation of a constantly changing protocol based on constantly changing anonymity theories and with dangerous low latency requirements. The constant failures naturally followed from this. There will be more for it or any anonymity scheme. A backdoor, by comparison, performs just a few functions using very well understood methods and theory. It’s more comparable to SSL/TLS, which have worked out much of the do’s and dont’s for me already.

I agree on the IP issue. I doubt it would come to that with my services as my users are known to me. They’d likely target an account. I’d keep accounts isolated and as much of their traffic out of my network as possible to reduce odds of warrant looking across users. I’m sure there are FISA warrants for that sort of thing. If not, there will be soon so it should be difficult by design. My stuff would only be for the search. They still have to find something a prosecutor would buy into from there.