Schneier on Security
A blog covering security and security technology.
« Michael Froomkin on Identity Cards |
| All-or-Nothing Encryption Program »
March 4, 2009
Commentary on the UK Government National Security Strategy
This is scary:
Sir David Omand, the former Whitehall security and intelligence co-ordinator, sets out a blueprint for the way the state will mine data -- including travel information, phone records and emails -- held by public and private bodies and admits: "Finding out other people's secrets is going to involve breaking everyday moral rules."
In short: it's immoral, but we're going to do it anyway.
Posted on March 4, 2009 at 12:32 PM
• 46 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Post 9/11 mentality == pre-Magna Carta mentality. Nice.
Unfortunately, the British took 1984 as a guidebook rather than as a warning.
"In short: it's immoral, but we're going to do it anyway."
Actually, if it were acknowledging the immorality, this statement would at least have the virtue of honesty. What Sir David actually appears to be implying is that there is a _higher_ moral code, above "everyday moral rules", which must be applied here. I think the model they have in mind is that of exigent circumstances attending warfare.
The trouble with this model is that the "war" on terrorism will not end in our lifetimes. So accepting this implication is tantamount to agreeing to live under quasi-martial-law conditions, in perpetuity. The cure is far, far worse than the disease, but I guess people don't really account the cost of their liberty when they try to buy security.
@Carlo "War" indeed - The so called war on terror isn't a war. Labelling it as such is an easy war for governments to justify eroding the rights of their citizens.
"In short: it's immoral, but we're going to do it anyway."
Isn't this a description of most government action? As one author put it, "Wrong is wrong, putting on the funny hat of government doesn't make it right".
setup everything following the "smart endpoint, stupid network" mantra - very advisable anyways for hackers/arp/dns/mitm/spoofing etc
might work, unless they (MI5 etc) force you to give out your private key
besides, with DH the key never gets disclosed to the user, right?
would be nice to have email clients that setup encryption automatically for all users (like a 'wizard'), but then we would need a working PKI ...
actually, it is a war, by Miriam Webster's:
2 a: a state of hostility, conflict, or antagonism b: a struggle or competition between opposing forces or for a particular end c: variance , odds 3
I snipped the one definition I think fit. That being said, the gov't IS abusing the definition of war to get its connotations (not just its denotations). In particular, "a war against disease" is usually not foguht at the price of liberties or happiness.
@Carlo Graziani: "The trouble with this model is that the "war" on terrorism will not end in our lifetimes."
That was exactly the point in "1984". The war was endless, and even with shifting alliances. Just like Saddam Hussein was once our ally.....
In order to protect our way of life, we must destroy it...
The original article quotes Sir David, and I've removed some of the intervening verbiage while preserving the meaning:
"...this may have to be at the expense of some aspects of privacy rights... it is greatly preferable to... derogating from fundamental human rights."
Clearly he does not consider the right to privacy fundamental. Perhaps he could enumerate what exactly *are* fundamental rights?
@EdT the only way to preserve anything forever is in a nice big jar of formaldahyde.
Bramford's last book on the NSA reported that Poindexter's Total Information Awareness program hasn't stopped it's migrated to other development groups (probably in the 'exempt' world)
@Andre Thanks for the t-shirt!
"Is it moral?" in a place as diverse as the UK isn't a very useful question. "Is it Constitutional?" is the correct question - and judges will decide it.
"would be nice to have email clients that setup encryption automatically for all users (like a 'wizard'), but then we would need a working PKI ..."
I do wish people would stop talking about PKI or PK as being a way to solve problems.
I will leave Bruce to give his reasons again as to why PKI is not a good idea.
What I will say is that there is a significant problem with PK in that it can be easily backdoored.
There are a whole load of assumptions about the two primes pq used to make the public and private keys but usually little consideration is given as to what would happen if somebody decided to put in a fix...
The security of PK rests on the ability to factor the public key to get p or q.
So is it possible for the software that generates the keys to put a short cut in.
The answer is simply yes and it is quite simple to do...
A simple example would be that instead of using a real random guess at a prime each time untill a suitable one is found, is to make a random guess once then simply increment up by two untill you find a suitable prime.
Now suppose that the start point was not fully random for one of the primes. That is it's randomness is only equivalent to 16bits...
Then it is easy to see the search becomes quite trivial.
Or how about if sufficient of the most significant bits of the search point are encrypted and hidden in the top bits of the public key?
There are many ways that this could be done and examining either key is not going to help you. Even knowing p and q is not going to help you very much either.
You would need to actually study the software criticaly and carefully to be able to tell.
Let us suppose that as the software developer I decided to get "cute" and sabotage the process how could I go about it.
Well hear is one way,
Using a "true" random number generator seed an RC4 stream generator.
Using the same "true" random generator randomly select a large number N. Run the RC4 generator and take N bytes out of it and discard them. Use the next M bytes appended with the time and a seed derived from user input and hash it up to use as the starting point for your prime search.
Providing N and M are large enough then it would appear to be a good way to do it.
But as seen by an obsficated code contest there is a subtle way you can sabotage an RC4 generator by using a "bad swap" that will effectivly zero out the RC4 state array so it ends up not generating anything.
Which means that you are realy only hashing the time and a very small number of random user input bits...
The time will be available either in the certificate or in some other metadata...
However due to the hashing the fact that the majority of the input bits are zero will not be seen by examining the output.
@ Rupert H,
""Is it moral?" in a place as diverse as the UK isn't a very useful question. "Is it Constitutional?" is the correct question - and judges will decide it."
Last time I looked the UK did not have a "Constitution" in the American sense...
In all likleyhood it would be decided in the European Courts of Human Rights (ECHR). Unfortunatly the EU appears to be even worse than the UK at present when it comes to violating personal freedoms for the sake of security...
RE: "there is a _higher_ moral code, above "everyday moral rules", which must be applied here. I think the model they have in mind is that of exigent circumstances attending warfare."
Who says warfare demands exceptional moral codes? Even if we are under significant threat (which I don't accept) since when do the means justify the end?
This is particularly worrying in conjunction with the current progress of the reassuringly named "Motherhood and Apple Pie", sorry "Coroners and Justice Bill" (Who could possibly be against "Justice"?), This slides a tiny little mention into a larger bill which then has the effect of removing many of the existing protections against government data sharing.
One simple question,
If as a potential terrorist you know that this data is being collected is it going to stop you becoming a terrorist?
The answer is of course no.
The next question is,
As a terrorist if you know that this data is being collected is it going to stop you communicating with your superiors / equals / subordinates.
The answer is still no even if less obviously so.
You can keep asking these sorts of question and the answers will quickly tell you that the purpose of collecting the data is not to fight terrorism.
Which gives rise to what it's real purpose is.
If I said that most Governments realy could not care two figs about terrorism, only some of you would look surprised. But if you think about it, it is actually the case that terrorism is a public perception issue only that might effect votes.
What actually effects votes more is money by which squeaky wheels are greased by a nice dollop of fat pork.
The advantage of collecting this information in terms of reducing the "black economy" and "tax dodging" is quite large.
But... there has been a change in the way the UK Government raises money. They have gone about as far as they can with tax, they have however vastly increased their ability to impose fines on those with identifiable or imovable assets (cars and houses).
The joy of fines is the "you've done something wrong" asspect, tends to make them less unpopular than taxes with voters as a positive spin can be applied "for the environment" being the current excuse.
As a Government you can gain great advantage from the system. Firstly you let people with the ability to issue fines take a share of the money. As this counts as revenue as the government you can then cut back on grants to these people. So you get to keep more of the tax take to grease the voter.
You also make the whole process of fine gathering as hi-tech as possible. This invariably alows "party political funding" to be improved by those gratfull to be given the business...
Having access to this data makes the whole process of raising revenue either directly or indirectly so much easier...
Accepting that all security involves tradeoffs, we're still looking at a member of the peerage who will likely never be impacted by the policies he recommends.
Ultimately, though, it presume the 'enemy' can be tracked by their travel and purchasing data, and that tasking man- and processing power to the collection and analysis of such information is not only going to be worth savaging the individual's right to privacy, but be effective in stopping a foreign agent.
'true randomness' is difficult to achieve - IF it exists (but let's not go into philosophy here)
remember the RAND book with the random numbers? i think they generated sparks and counted them (or the time between), so that's a random looking event (unless you consider humidity, air pressure etc).
one could also take an antenna and amplify white noise and run the signal thru some filters, then XOR lots of A/D converter output
very random would be e.g. a user traceing a given outline on the screen with the mouse and using the inaccuracy to generate 'noise' (though it might depend on the blood-coffee-level of the user)
sounds like you don't like prime numbers cause of their 'limited' supply? guess it gets even easier to try them out since storage costs go down rapidly
@clive 2nd comment
of course it's politics - the one who looks 'tough on crime' gets more votes from the scared public, NOT the one who promises 'more crime prevention'
which leads to more $ addressing the problem (crime, terrorism, addiction etc) AFTER it occured rather than before
using high-tech-solutions looks good in public, too - only a few people really understand the tech (or math) but it seems you're 'on the cutting edge' and do whatever seems possible
Is it too late to suggest:
"All animals are equal, but some animals ar more equal than others."?
"sounds like you don't like prime numbers cause of their 'limited' supply? guess it gets even easier to try them out since storage costs go down rapidly"
No that is not the issue I was trying to make clear and the problem is due not to too few but too many prime numbers due to 0.5(n^2-n).
If you as an individual have no control over how the primes are selected then you have no way of knowing if they have been "deliberately" selected to put a back door in the resulting public key.
Simply knowing the two primes is not sufficient to say that there is not a back door.
Further due to the complexity and tedium of selecting primes for PK 99.99...% of people would use software.
And of those people more than 99.99% would use "black box" software supplied with the communications software.
Therefor as there is no way to prove there is not a back door in your PK from just the output of the software, you need to check the software it's self.
This gives rise to a problem what percentage of the worlds population are capable of spotting the issue?
The answer is way to small to do the job.
And if you think I'm blowing hot air, a simple programing mistake in an open source random number generator did infact give rise to just this problem of PK certificates that effectivly had a back door.
And Sun amongst others where caught out and some of these bad PK's are still in use on the Internet and can be found if you know how to look for them.
My point is, if it can happen by accident in Open Source and not get picked up untill after bad PKs were out there in use, what could a clever programer slide code through a review processes and not get picked up?
Further can they do it in a way with plausable deniability and the answer is most definatly yes...
> Therefor as there is no way to prove there is not a back door in your PK from
> just the output of the software, you need to check the software it's self.
So you are saying open source software is bad, right?
i thought you meant that since there are 16 bit numbers involved you end up with a certain range of prime # factors that are easy and fast to test one after another?
RE the random # - isn't that why one would use e.g. Pi for testing (and creating internal #s for keys and s-boxes etc)
AFAIK the debate is still going on IF even Pi is random or not, but we could use the first thousand digits to create more randomness from it
i'm also aware of the debian problem last summer where the random-function wasn't that random anymore after a programmer took a few lines of code out, but i'd trust open-source more than govt or MS supplied software (even though 'more review' doesn't mean 'smarter reviewers')
maybe we need to use code or schemes that come from e.g. china, india, russia and the U.S. and run our data thru all 4 programs one after another to be 'more' sure there's no backdoor (that one's agents know and could use)
The Bad Science column in the Guardian discusses why the "risk of false positives increases to unworkably high levels". This issue "will always make data mining unworkable when used to search for terrorist suspects in a general population"
"So you are saying open source software is bad, right?"
What I am saying is (as Bruce will probably agree),
1, Security is a very hard problem.
2, We do not currently know enough (and may never) to be able to test for all coding errors.
3, Humans are involved with the process and all humans have failings in one way or another.
4, Code review processess can only pick up faults known to the reviewers.
5, The best programers in an organisation are rarely the ones reviewing others code.
6, There will always be a percentage of the coding population for whatever reason will put back doors into code.
7, Security experts (if they exist ;) are very very few, therefore they are a scarce resource and not commonly available to review code.
Is that Clear?
It follows on from this that closed projects are less likley to be properly security reviewed than open projects.
However all projects open or closed, from big companies or private individuals, irespective of the budget and time spent are likley to have bugs. Most will be not particularly relevant some however will and it is almost impossible to say in advance what the consiquences are.
Likewise those who chose to backdoor security software will carry on doing it.
Importantly though with open code bases security experts are more likley to look at them simply because they can and some have a community spirit and give some of their scarce time freely at a point where it is most likley to do good.
As has once been observed security comes through eternal vigilance...
As the problems are an open issue (unknown knowns & unknown unknowns) then irespective of what we use we need to keep an eye on it.
I will always favour open source over closed source simply because when things do go wrong (as they always do) the time window left open is small, and if required I can get my hands dirty and put in a fix myself.
Also there is the "making a name" issue, those wishing to make a living in security as a "gun for hire" need to have a name.
The easiest way is to have a reputation of finding and fixing faults.
The easiest way to do this is by looking at open source code for a few reasons. The first and most obviously is it's publicaly available. The second is there is no "non disclosure agrement" etc in place to protect the guilty and cover your halo. Thirdly you don't "out" your potential customers. Fourthly it actually takes less resources unlike reading through disasembled close code or using fuzzing or other tools. Fifth, importantly you can make the fix your self and get it out their real quick. Sixth and perhaps most importantly the whole community (including closed code) can benifit from your efforts.
"Gentlemen do not read each others mail."
Stimson, Henry Lewis
Reason for closing the Black Chamber in 1926.
I guess postal mail and riding the bus will eventually become the de facto standards for people wanting to fly under the radar... In this era of high tech comms, this is just so ironic, isn't it? Strange days will find us.......
reducing the "black economy" and "tax dodging"
Craig's list is done for? Bummer
@miguel - re:mail. wasn't Nixon's FBI adept at flaps and seals? Just finished a new biography on Jackson and he authorized his Postmaster in SC to seize abolishenist literature at the post office. So mail survellience is old hat for them.
Re:buses DC buses will take money but mostly people use RFID passes. Also there's a placard "This vehicle subject to police observation". Never quite understood what they mean by that.
I agree with most of the general thrust of your comment, however:
2, I disagree; code is deterministic and therefore has a finite number of possible problems (however, programming is more about logical solutions to problems than it is about code, and so if the *project* is not addressing the problem in the excactly correct way - which will very likely change over time - then there are indeed an infinite number of possible bugs in the implementation - but not necessarily the code).
3, True, but not all human failings impair the ability to debug code correctly.
4, True, but a million monkeys…
5, True, of course, but since programming is inherently an exercise in logic, "best" is more usually used as a term for "more efficient" rather than "more correct" - the (dangerous and arguably invalid) assumption is that all code is equally correct if it does the same thing.
6, Hmm. You can't be certain about this. But I do agree that the whole power structure of the world as we know it does seem to encourage this behavior.
7, Perhaps true, but they do write books which a programmer can study; and that's very close to the same thing. To suppose that security knowledge cannot be learned is obviously not true, and security is as much about mindset as it is about knowledge/experience anyway.
@Skinner, well, in some parts of the world we just don't have enough resources to go into that kind of surveillance. So, in a way, these new technologies will open the possibility to effectively spy on other people’s communications and whereabouts. With a reasonable cost and efficiency, I mean. However, the low-end tech will still be possible because, as I wrote, there simply isn’t a practical way to do it. I do understand your point. But hey, we live in different realities, I guess ; )
"closed source are less likley to be properly security reviewed than open projects"
I disagree in principal not in point.
Do you recall the Sendmail compromise a couple of years back? The trojan versions of the distribution were online for a month before someone noticed and reported that the hash didn't compute. If people don't do the relatively simple task of a md5sum how much less likely are they to do complex and probably unprofitable source code review?
Has there been any attempt to audit open source repositories to get a measure of deliberate back doors?
Yes, open source is open for inspection but generally any sourceforge project is really a very small group of contributors.
My experience is that open source coders are writing because it's fun. How fun is it to your average programmer to secure review their source? This is the volunteer problem. Good labor as long as you only ask them to do what they like doing.
Closed source projects can, not saying that they do, but they can make stringent security requirements and source code review part of contract. It will cost more but if the customer is willing to pay then paid resources can be dedicated (i.e. "made") to identifing/correcting the flaw.
Painting all of this as a symptom of the war on terror is vastly misleading and unhelpful. In total the liberties states have taken with, well, liberty with anti-terrorism as the pretense do not represent the most serious threat to individual liberty, even in the UK and Europe where the state has taken even greater liberties than the US has with the Patriot act et al.
Rather, the most dangerous threats to our civil liberties have been in the works for much longer:
The war on drugs (which corrupts the criminal justice system, promotes social disunity by declaring literally millions of otherwise ordinary citizens as outlaws, puts money in the hands of violent organized crime, and has led to the militarization of police forces).
The corruption of politics (excessive influence of a clueless, careless, bumbling media and the consequent curtailing of legitimate public debate in favor of public spectacle has forced ordinary citizens out of politics, leaving only glory hounds, power seekers, and the corrupt to vie for office).
The infantilization of the individual (caused by and causing: growth of the welfare state, anti-corporatist sentiment, anti-self-defense sentiment, anti-entrepreneurial sentiment, the cult of victimology, and identity politics).
The paper is much less dramatic than you highlight. Yes, data mining is going to require gathering and analysing of people's activities, including the activities of innocent people. That's just how you get meaningful information.
For instance, identifying suspicious activity from people's behavior when correlating their motion from a set of CCTV feeds *requires* looking at the people that aren't doing anything wrong. It's the nature of the beast.
He's just highlighting the fact that a national debate is required to change people's perceptions about this stuff. Then morality follows.
@Robin Goodfellow: Exactly.
I would also add (at least for the US) that the things you list are bad not only per se, but also because in a free country (which the US claimed to be when I was in elementary school, although I haven't heard anyone in power say it recently) you should be, well; free - to do what you want to do, unless it has been overwhelmingly proven to be detrimental to the society. For example if you (as an adult) want to fry your brains on drugs and someone is willing to sell them to you and you have the money to pay for it (which if they weren't illegal would be a trivial amount since it takes about the same resources to make marijuana as it does tobacco or cocaine as ketchup), then it's none of the government's business. On the other hand if you consume those drugs and try to drive a car UI, THEN you are doing something "wrong" and that should be unlawful and government should step in.
Likewise people should be free to take financial risks, such as buying more house than they can afford under the assumption that it will increase radically in value, but then they should also be free to fail and suffer the consequences thereof if their judgement was incorrect. If there are no consequences to BAD judgement then GOOD judgement disappears.
Banks should be free to loan money (or not) based on FINANCIAL factors (ability to pay, history of payment, etc) but then if they choose poorly, they should suffer decreased profitability and be bought out by smarter banks.
Car manufacturers should be free to manufacture whatever type of car they choose (although government should be able to mandate things like pollution controls, ABS and air bags even though regulation makes those things noncompetitive) and make whatever collective bargaining arrangements they wish; same with the unions. Then if that company's choices are noncompetitive, people dont buy the car, the company disappears and the resources are taken over by smarter companies.
watching someone committing a crime will not stop him as long as he has reasons to commit it: poverty, addiction, rage, stupor etc
my thought is to put more money into avoiding hardships, offer rehab for users etc
go back a few decades when you (?) saw someone pointing a camera at you: didn't you feel uncomfortable?
how did we ever got so used to constant monitoring???
@bob: "in a free country... you should be, well; free - to do what you want to do, unless it has been overwhelmingly proven to be detrimental to the society."
And who is that society person? The good or bad of society is bullshit, a category error, antropomorphising an abstract and poorly defined concept. "Detrimental", similarly, is in the eye of the beholder.
Good or bad can be only in relation to specific people. Thus, in a free country one is free to do whatever he wants as long as it does not violate natural rights of other people. No need to rely on abstract nebulosities like "good of society".
The good and bad of society is judged by that society and needs to encompass the natural rights (whatever they may be). That can actually be deemed just as important as the natural rights of the individual.
I'll take a simple action of: It is a natural right for people to get to a destination for which they desire. That doesn't mean they have the right to drive through a red light. Society rights and wrongs determined there must be an order to provide for those individual rights.
The European Court of Human Rights approach seems not necessarily that useful, as the current government appears to treat its opinions as largely advisory.
"The good and bad of society is judged by that society"
Society cannot judge anything - it has no brain and no will. Only individual people can. So when you say "judged by society" what you really mean "judged by some people who claim to represent everybody else, in their own interests".
"...natural rights (whatever they may be)"
The notion of natural rights is very old and very well-defined - much so than of any legistlation. They are rights to property, inviolability of one's person, self-defense, and compensation for loss inflicted by others. Basically, it is the only logically consistent and universal (meaning applying equally to every member of society) system of law. To come up with that system one only needs some well-established empirical facts (i.e. that people are different, and can act in their own interests, etc), and some requirements (such as universality).
Here's the detailed discussion of the natural rights and their logical derviation: http://mises.org/rothbard/ethics/ethics.asp
"It is a natural right for people to get to a destination for which they desire."
No, it is not a _right_. It is a fact, but it is not something creating restrictions or obligations for other people on its own.
@Clive, I'm not sure why you imputed any "American sense...." The stated problem is specific to the UK, and the solution exists within the UK. Elected officials obviously and understandably generally do and say what their advisers advise in order to retain their seats. There are two groups of non-elected officials who might be able to correct the stated problem: public servants and Judges. I'll put a fiver on the Judges.
@ Rupert H.
'@Clive, I'm not sure why you imputed any "American sense...."'
My comment was about a Constitution, in the UK we do not have a constitution in the "sense of" / "or like" the American constitution or other documents that set out the basis for the relationship between the State and the People...
I was not indicating that the Americans had any more or less "sense" in the accademic / street wise / mental "sense".
No matter how much I look like one, I have no wish to be a troll or attract the disapprobation of the Moderator 8)
Life's a bitch. I will be forced to watch all the way through that captured "Nurse Girls Play Together" stream to check out if there are any hidden terrorist communications being mimed by the "actors".
It is scary.
After all, terrorism in the UK is a negligible threat. Far less dangerous than road traffic accidents.
Security is about balancing risk and response. The response in the UK is completely disproportionate.
As for a constitution, in the UK we are not treated as citizens, not even subjects, but a population of suspects.
But what is truly scary is when the private sector start assuming the right to do the same thing.
And more scary when their own security experts won't speak out against it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.