Snowden's Dead Man's Switch

Edward Snowden has set up a dead man’s switch. He’s distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him.

Dead man’s switches have a long history, both for safety (the machinery automatically stops if the operator’s hand goes slack) and security reasons. WikiLeaks did the same thing with the State Department cables.

“It’s not just a matter of, if he dies, things get released, it’s more nuanced than that,” he said. “It’s really just a way to protect himself against extremely rogue behavior on the part of the United States, by which I mean violent actions toward him, designed to end his life, and it’s just a way to ensure that nobody feels incentivized to do that.”

I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.

Tags: , , , , , ,

Posted on July 18, 2013 at 8:37 AM64 Comments

Comments

vladimir July 18, 2013 8:57 AM

If he has a switch like this. That is not only protect him from being killed by US authorities but motivate the same authorities to protect him from all other threats.

qzomn July 18, 2013 9:05 AM

I’m with @vladimir on this one – it’s quite an interesting “insurance policy”. The US authorities can’t afford to let somebody else kill him.

Alan July 18, 2013 9:26 AM

So the USA authorities could offer Snowden protection, and it would be up to him to decide if he trusts them enough to accept? It will be interesting to see how that ends. Will Snowden be able to endure the waterboarding before the documents are released? What happens to Snowden after the documents are automatically released and the USA no longer has an incentive to protect him?

paul July 18, 2013 9:29 AM

Any actors who would want to kill Snowden to get the material released must also have a fairly good idea of what’s in the unreleased material to be sure that it’s not also damaging to their interests.

jgor July 18, 2013 9:29 AM

That’s a most unfortunate url shorten.. I get a link to this article with “snowdens_dead_m.html” and have a small heart attack.

QnJ1Y2U July 18, 2013 9:32 AM

Also, even if these are encrypted docs, it’s naive to think foreign govts won’t decrypt them. They have nation-state resources, after all…

Quote on twitter by this guy, who also wrote a book on counter-terrorism.

Tim Hoddy July 18, 2013 9:34 AM

If the US does not want these secrets released then it is in their interests to keep him alive.

It’s also makes it more imperative to capture him in case anyone else kills him.

If captured, faced with the option, “You’ll get 30 years to life if you don’t tell use the way to operate your kill switch, otherwise you”l get 10 years”… what would you do ?

If captured it could be used to bargain for a lower sentence.

sudo July 18, 2013 9:36 AM

At the same time this makes him a target for people who would want all this data made public.

Rob July 18, 2013 9:43 AM

It would behoove those who have the resources and interest to keep Snowden alive… Therefore, the current plan causes the US to expend resources protecting Snowden from those who would have those documents released.

buntklicker.de July 18, 2013 9:53 AM

Whoever wants the documents released and has the means to kill Snowden can probably get him to release what he has without having to kill him.

haiku July 18, 2013 9:59 AM

A dead man’s switch must be reset on a regular basis, e.g. once every day or two.

It could make for an interesting situation if one were trying to prevent the release of the data.

Adam July 18, 2013 10:16 AM

China/Russia have probably already imaged the drive and have obtained the passwords with a bootkit.

NobodySpecial July 18, 2013 10:17 AM

Allegedly if Steve Balmer is ever forced out of Microsoft – a dead man switch will release clippy in windows 9

GB July 18, 2013 10:17 AM

He’s also got a price on his head now: anyone who wants this data released, just needs to move him out of the way…

wumpus July 18, 2013 10:30 AM

@QnJ1Y2U
Presumably Snowden’s (and Manning’s) data was strewn wildly without any “need to know” restrictions (he couldn’t possibly need to know anything about most of it). In other words, pretty much any nationstate could trivially get their hands on the encrypted data and relatively easily get their hands on the plaintext. Decrypting Snowden’s data is unlikely more difficult than grabbing all data available on these networks (unless they happen to know a few things about weak AES keys).

Also, considering the fact that the NSA appears to broadcast such critical data to just about anyone with a clearance, it can be assured that they don’t care at all about foreign governments learning about them. They are primarily concerned about their real enemy, US citizens, and tangentially concerned about the non-US public (Manning’s revelation that the US would no longer be able to support its oppressive allies lead to the Arab spring).

Captain Obvious July 18, 2013 10:38 AM

@Tim

Do you really think you can negotiate with the US Govt as a labeled accomplice to terrorists?

Thanks for the key Ed! Enjoy your early release!

What? Killed in car accident on the way home? So sad…

Nick P July 18, 2013 10:46 AM

@ Bruce Schneier

I’ve used the same scheme against capable adversaries. I learned it studying KGB tradecraft where it was called the ‘mailbox’ tactic. They’d give important documents/plans to a trusted partner and mail him a coded message at regular intervals. If an interval was missed, partner would open the package and take action. The scheme works so long as it’s carefully set up and the partners aren’t reachable by opponents. Short-term arrangement beats long term, as well. Commenter Vladimir hit the nail on the head about the solution to your criticism:

“If he has a switch like this. That is not only protect him from being killed by US authorities but motivate the same authorities to protect him from all other threats. ”

That’s exactly what’s going on. He’s setting it up so the information, if it’s really valuable to them, is worth them protecting despite what they think of him.

This scheme was also used recently in Nolan’s The Dark Knight Rises. They plant a nuke in the city. The city’s only ingress points by ground are several bridges. The villains warn the surrounding military that if anyone enters or leaves, they blow the nuke. The military spokesman incredulously asks him how his small force expects to hold back a whole city. The terrorist replies that they will do that instead or they’re responsible for the death of the whole city. And they certainly work hard at their “job.” 😉

Of course, a nuke in a US city is more motivating to our gov.’t than whatever Snowden’s carrying. Snowden’s success in this scheme will depend on the results of a risk assessment: the potential damage, operational & image-wise, of what he may release vs. the importance/likelihood of grabbing him in a foreign country vs. negative consequences of being caught grabbing him in that country. You can bet they’re weighing all of that as I type this.

dbh July 18, 2013 11:07 AM

To be realistic, by far the entity with the greatest capacity, interest, and history of violence is the US.

These worldwide terrorists, collectively, have killed far fewer people than has the US government. Not in their wildest dreams have they even come close. State actors, at least Russia for the moment, have something even better than the key, they have Snowden. They can make him give them the key. But while they would like to read the files (and may have already done so if he is cooperating) that does not mean they want them public. It would seem crazy for them to kill him to get the files released.

Terrorists, not state actors, ae unlikely to have the resources to review massive amounts of data anyway.

The only actor, absent a random crazy person, that would seek to kill him would be the US government.

xx July 18, 2013 11:34 AM

I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released.

The negative publicity he is bringing out on the US means US enemies probably are enjoying this considerably. The longer he remains out of jail, the longer and bigger this whole stage gets played.

I strongly doubt Russia or China did not know anything he is releasing. He was not some incredibly high level guy. It would be extremely strange if they did not have access much higher then Snowden.

(Not that Russia nor China are true US adversaries, nor that this information is truly damaging to America. It helps the freedom aspect of America and hurts the aspect that would curtail that important component of America.)

Also, no one knows what information he might release or if they could not get that better by setting him free in a relaxed environment where they could gain his trust.

NobodySpecial July 18, 2013 11:39 AM

However in this case the US knows that the data is going to be released eventually – so it has the perfect opportunity to control the release.

All the NSA’s black clad ninja assassins have to do is wait until the day that the royal baby is born or a kardasian gets married and kill him while the media is distracted.

tumblr July 18, 2013 11:45 AM

More amateur hour b.s., and yet more distraction from the policy issues.

Snowden and Greenwald’s story is that Snowden’s data is highly sensitive and has been vetted and released “responsibly.”

Now they’ve exposed it all to whomever can penetrate an increasingly expansive attack surface.

Who here has any confidence whatsoever that all of Snowden’s documents haven’t been already compromised by at least two state powers and whoever goes after Snowden’s “dead man” switch network.

It’s painfully obvious that Greenwald has no idea what he’s talking about. Harpers: “I almost lost one of the biggest leaks in national-security history because I didn’t bother to install encryption.”

Greenwald’s admission in Harpers is the essence of the Snowden leak — it’s all about irresponsible data security, rather than data policy or the 4th amendment because of silly distractions like dead man’s switches and other imbecilities.

Peter Maxwell July 18, 2013 11:46 AM

The first comment by vladimir hit the nail on the head: if the US doesn’t want the documents released, they not only cannot kill him but must protect him as well.

Depending on how adept at this Snowden is – and from evidence so far, he’s been doing not too bad at all – then he could also have protected himself against torture by using a duress signal or indeed having pre-instructed his friends to release a small number of documents if they feel Snowden is being tortured or otherwise pressured.

The one thing that isn’t on his side is time: as time goes on the probability of the US breaching the security of his “deadman’s switch” increases greatly while at the same time the value of the information he holds diminishes. He needs to find a safe-haven quickly and I suspect that is the only part of his plan so far that has not gone well… unfortunate really.

AC2 July 18, 2013 11:50 AM

Bruce, the people capable of killing him wouldn’t want a public distribution of his trove. They will just find the good people Snowden trusts and bribe/ pressure them to release the trove exclusively to them…

assangelol July 18, 2013 12:03 PM

Assange’s people probably got him to do this with shamirs secret sharing algo. Remember the Wikileaks giant encrypted torrent called insurance? (whos key was later leaked). Snowden is leaking top secret material though not just classified dip cables so there probably is shady US agents after him with orders to kill or kidnap for rendition to Somalia for unpleasant interrogation

robmandu July 18, 2013 12:14 PM

Bruce, I think you just ginned up yet another Movie-Style Terrorist Plot. Well played, sir.

Mike Gray July 18, 2013 12:17 PM

If Snowden has been honest, then he wants the information to get out to the public. What is the purpose of holding it back, other than slowing its release to a trickle in order to ensure the “story” stays in the media for a longer period of time. A dead man’s switch with multiple phases of timed release would appear to be a decent strategy.

Snowden has stated in previous comments he is not interested in the fame, but by holding on to the information, having a dead man switch, seeking asylum, etc. he is continuing to BE the story as covered by mainstream US media. He needs to go away in order stop being the story. That either means death, which triggers the dead man’s switch and releases the information – his stated goal; or it means asylum and disappearance. I would guess though that if he accomplished his supposed goal of getting asylum in Russia, Cuba, Nicaragua, Bolivia, etc. then he will be having several media days and talking to the press more and more, not less. (Not believing his stated intention not to be part of the story.)

He has stated before he knew or expected what would happen to him, his girlfriend, and family but decided to go forth on releasing this material anyway. If he has truly embraced his expected personal outcome, and if he doesn’t want to continue to cause the story to be about HIM, then he should surrender to US authorities. Normally that would cause a long drawn out court case with tons of media, but I am guessing he would be treated as a terrorist and therefore not given a public trial, not charged with anything, possibly taken to Gitmo, and then never heard/seen from in the mainstream media again. US government wouldn’t make him available for press interviews.

Another way to stop the story being about him is to commit suicide. Of course conspiracy theorists would go nuts, which would allow him to “live” forever – which appears more inline with his want/need for fame anyway.

Not sure if the Hollywood writers are involved, but this is more interesting than most of the “summer blockbusters”. No wonder we are seeing so many flops!

name.withheld.for.obvious.reasons July 18, 2013 1:07 PM

A version of a dead-man switch…

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)

hQQOA64oTlwybeNcEBAAh6vaE1wbAhpIoQGkMCG/HBQ8AEOVfK9mwXB3Qg9l+/UE
pGgGvawmSOPKzzntGM2cR6FtbGSY4f3TUBRvKOPCqqW58Y/GJK01VcUGcBR+FKpq
8MQQsWM4NrbhpfOgW8nAdiurzd0YxKyVJk9O2onHv38LOUCgh4MoOi9sPqmMLzBh
eT/Ijy9ynRsU8Fq/WNsuU1t8K13sN7MvVuIKo3fCeKhiDfaFuLo5uu91J+8xoJKn
s5QVwm+/SYsjCBLWQ93MPmCuaVzeJOQuRRSigDLvIbDVCFaiLRBhSAL0w6uH3roK
z1otkHF8+pAd+BPLn7+Mhw4fE+Ga6lOsul0EM6wI1NT1kPqyLcyMn/lR9Ursq4Cg
v31yMGDYq9aRIphyn+arz6hyykdfOoUSiA51QPOaOI97G1xud31JOn54Csyae7oM
lYmiIum6lOn5CTxOeTuguBxoqcVlJHc/w/uLALQ9baOkme7B2GPeV1QI1vyNBpvC
/03bHRobmW9m3H9itji+W119IV2xqxvPTEAIJ6RqVuRtbI1OeGaBML1pGCKEwQcf
705S0mXWDrM+XL4R/60Ilo7+lZ9nwwbJCj1rxX8oxp2aLOhu6Gb+gM/JT7A3vul7
t2tB7so401Ht229Zo8cPXE3ufxfmH5GcEepW0qp75ZHt+hClCVBgHAkHJCmYpXMP
/21eUcfRecnJe+d1xXy7BcEZd86T8/EH8uSEtgZj0tPunG4CRAngZD1Menr5NUta
BV1hs7PPYSRPr/iG3i0KvSRewTJso6LnOPd+g2i+/bI7FLQGldiOhDjudfh+n0P0
EqFoXXwx9+Ve3ggkJrojpgZmFs+hU96uDoFtGW0th1MEOSj7gNYIKp8RGE9sqeW2
UXnbRE+r84aofmgPGiRNsj/x9paujqydx2SKke1T2qU9k5rwizd6eCkJ/WKiyAeT
BvCdMLc4CpaiNRJNkXnbroay6bBjLf23zLd1rQddWVCm0cbYxIyzSRAOZO1jB0Z3
fE1GqCttUIxOyXOCzHRTw9rIKxzTxT6Dz1zVYanu7zE5ptcOZbOf0isymE16Kx9m
gyby7ceUCDSSOQ6hKpAzD4oxMw1dfkf6h7IchI98yl8UfAeThkltY21ervMNy21B
K+ubcZNaXQan+/j5Jd592g4/pYNP1C3/8mEPnBMt0D/rxOsrKNx6qW3SMXYUOZ5N
tIrDKMukVqMxFApm9SXhljLXk/Q8jg9LA6yeb5Zo2vhQEq9nzFhkLA4WQ+7GoiAy
rESlsw9Kt3Yiuz4kuSRnAyeRGav/hxOwbSXcAvppjCEtDH71/UHX8C1v4npnIfqo
PJ9HrbjF2FWYKLBY6m41ODNKdFAEdaHMTqDv++3tYxpJ0ukBbOqATlOT2tRmHGfy
dJW1Y7/pkZPxlEcDXoJ/CPeuN2Wq1PO+xusADoKBT7Rye3hszS0LuztY09C5QC4X
YWCnmwM4WlUNi2IVik959Vg1fMIwhJ414OvRgst2IKiMA1H9yuMDJShSk96hvEtN
6DSw79VJdDn4IQySLzMjCSey5o1M5aMCcrSEuZD0SN8io+cHwHT7iGyjecyXyxdx
XBd03Kn86FzjmhBENsi8AFRa51Jz2qbwyuJsxgIadTipdOerlQ0Gobl9fTVP42o5
WwNsLUrMvojQ6mToH85mvIOI+gv3DaQ15qEGMtV9Ho0egEAH1jxZ+Xx14ejHVF5a
AeHTqsOLACxhtkW/i5z8ZhkcQBZz1NjkaVVMLw7pZXJ8TjOU+YIPhHLy8KgkH6fN
JHeWkLEoFLr9cASwAAvNck8O8NoHWw+7e1IJfG3+wKrKkvu27PUJdSyx2y2vMIx7
54vCQ/pBlCfDt4cvYF/euDD87dbsfZWfd4gZtirssngHRLdAa2Tgif3oy5Ys+V7R
bfGoQoQoCJ05PG1Wr+XHO3gX1FNV1+HZsJuw035GJUL9+6vmBvAXPPKSYnxWShsI
vjwvFbg0TwZY59A6g4YTPdrUWvuIggNdeW3QiXveSdRqx0lOAprMuITpLWlWjrSB
MZXu9aqI94b1AdhPmnPIU/YtQsCzUUBY4LDq6GZIY0GPyZwRexp9m/V1wNa/nlng
M3kRiUosEDyiY+WSoAGooec9QKhlFrgUG07Cbom8DYWWWv5rzbdhqSSLT4GFi6HD
zZ98D5gy3nWirBOZalj2wm+AzHA9/5gAoRP2uPYhOrjLCvPhMNpqTZ8W9XAZpiry
6VdG/sT0A2tYM/n5uRS4+V//jRnryaAThLx1Xd99KAmujmaBti1sZAWlSO4lH3QR
Zjqik+ttr1+m1VqJEqu49ZKZd0H0WJmd4qA2VsTAT3EgDASr04siTyNn7BWhcnjJ
MnZELeRVLwluL3MEpvCM9nTFWYBD9uIUzrUu9rAywTQ6vWEgn8t2IH5AcnMF/mAg
zYp5BwzUAz6T8aD9tnjI9Tk81epZqghng3G1zmnBRj6ufwfe+o+zkj6huz/f7Af6
7Oh2+YMos1b1l1ycSW+WH4rVbH+f6qhgl2Y9iN0YpBE0Y1bhXVr9iF3mKDM4xbkr
lDNbZ2Jtfk8=
=gFl/
-----END PGP MESSAGE-----

Sam July 18, 2013 2:13 PM

This can work one way to his advantage if has already shared it secretly with top enemies such as China and Russia. Now, the US needs him to stay alive, and China and Russia don’t care if he stays alive.

Dale Allyn July 18, 2013 2:38 PM

Bruce said:

I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released.

That was exactly my reaction when I first read of the Dead Man’s Switch “proclamation”. The announcement seems to lack sophistication and foresight.

JS July 18, 2013 3:27 PM

Dictators or other fanatics (those who would kill him, presumably) are not interested in making U.S. more democratic. Why would they want to kill him? It’s not in their interest that U.S. would succeed in having democracy. Democracies are pain in the a** for dictators.

“I want a dead mans switch that deletes all my porn.”

Easy, just distribute it to all your friends and ask them to delete it* if you die..

  • Or ask them to distribute it to their friends, etc.

wes July 18, 2013 3:48 PM

Bruce, I value your insights a lot, but sometimes I think you’ve been doing so much good work among the security trees that you lose sight of the social forest.

I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.

That would all assume that he understands his own physical security as being the most important factor. It seems clear to me that he doesn’t, and instead views the informing of the public to be of a greater importance. Now, obviously he’s not suicidal, so he’s not totally disregarding his safety–he clearly prefers to remain alive to usefully elaborate upon the leaked documents. But he’s already essentially given up his life for the sake of leaking, all but declared Homo sacer by a powerful fraction of the world’s governments. In that sort of context, worrying about “multiple adversaries” is spy [movie?] stuff, not whistleblower stuff.

xx July 18, 2013 3:53 PM

If Snowden has been honest, then he wants the information to get out to the public.

🙂 Maybe Snowden really is working for someone else.

If you notice his ARS (technica) comments from years past, he showed a face of being very gung-ho at keeping secrets. Maybe he was consistently showing that face so he could gain increasingly strong access.

One of these intel guys suggested he may have been working as a “penetration agent” for a media outlet. I do believe this thought was just your typical security guy’s mindset. By making this kind of argument, he would be able to justify watching journalists much stronger.

Which, I am sure they are very hard at work doing. “Maybe these media outlets are encouraging people in government as moles for them”.

But there may have been some other group, maybe even a corporate group involved. People love to talk up government conspiracies and the supremacy of government workers getting things done, but this can underestimate mercenary corporations.

Russia and China are likely suspects. 🙂

But probably too likely.

Maybe it is just Snowden has some ego problem, as your post seems to suggest. Maybe he just wants attention. Though, this does seem to be a very difficult route for that sort of personality to take. And he was not exactly a lifeless nobody, which the attention route person tends to go.

(Unless they are in music or the arts. 🙂 )

Alan July 18, 2013 4:22 PM

If I were him, I’d setup a dead man’s switch.

I’d also setup a mechanism to disable the dead man’s switch.

I’d convene (secretly) a committee of folks to evaluate if the dead man’s switch should be disabled.

I’d use Shamir’s Secret Sharing algorithm to cause a thresholded majority of those folks to agree and unlock the mechanism to disable the dead man switch.

e.g. – if (not something) within (timeperiod) then [deadman switch] unless (failsafe)

Of course, this expands the risk of improper disabling to the trusted group, but it allows the decision making to be distributed.

Tangurena July 18, 2013 5:45 PM

I disagree with the premise that the US wants to prevent the data from escaping. Based on previous situations, the goal is to punish leakers – at all costs.

Snowden will set up a “dead man’s switch”, and the feds will kill him. The message to future leakers will be “nothing you do will protect you from our revenge.”

Figureitout July 18, 2013 6:06 PM

By a “Dead man’s Switch” he may want a quick way to kill himself like a pill in case he gets picked up and tortured to death.

Clark and Son July 18, 2013 6:15 PM

So to deal with the moral hazard folks who may find quite the right incentive to undo his life and pop the treasure trove — could we expect an announcement that he will begin to release the information slowly over the next “your time period here” because it is important for civilization to know this and speed up the US “theoretical” protect Snowden scheme?

Can he get out of Russia? Does he want this? Have all the fancy jets been rented for the next 10 years?

Me .. I have no idea.

I believe there are probably only a very small number of groups who would want to have the data released. Who might they be? Now there’s a game!

Dirk Praet July 18, 2013 7:48 PM

@ Alan, @ Assangelol

Thanks for mentioning Shamir’s Secret Sharing Scheme (ssss). I was wondering how Snowden would have devised his dead man’s switch and this method makes perfect sense to me.

For those interested:
– Windows GUI at http://sourceforge.net/projects/secretsharp/ (last updated 2013-04-23 ) .
– Java implementation at http://sourceforge.net/projects/secretsharejava/ (last updated 2013-05-02 )
– *nix version at http://point-at-infinity.org/ssss/ (2006)

Darryl Daugherty July 18, 2013 8:44 PM

It seems to be a common assumption that the US wants Snowden back primarily to prevent the release of more information. This is unlikely to be the case; they simply want to make an example of him to deter others. It’s a virtual certainty that the first question asked internally after he bolted was “How badly can he hurt us?” and sufficient remediation has already been put in place. The changes that can be made, have been made. The cover stories are ready. False trail has been laid. And what little Snowden might have that can’t be fixed is in all likelihood growing less valuable by the day. Intelligence agencies may be run by people whose values one finds repugnant, but they aren’t run by fools.

wkwillis July 18, 2013 10:28 PM

Traffic analysis can do three things that Republican voters (as distinct from Republican donors) want most in the world.

  1. You can find out where the illegal aliens live and work by analysis of who they call and where they call and where they call from. This means they can all be expelled overnight, and at the government’s discretion their employers can be fined.
  2. You can find out who is not paying their taxes by analysis of when credit cards or cash are used at what locations when your phone is there. This credit card is registered to a Cayman Islands bank account that is now known to be theirs.
  3. You can find out who is illegally voting at a location that is not where they reside by analysing when your phone is where and for how long. That is, the tens of thousands of voters in Florida that are actually living in New York.

No wonder he’s so embarassing to the government.

rogerh July 19, 2013 1:23 AM

So what kind of secrets does he have anyway? The Wikicables showed a huge raft of mostly ho-hum stuff. So likely a few rather dull but embarrassing revelations of double-dealing in foreign govts – the names of a few blabbermouths. Then there may be details of how tank commanders in xyzistan communicate – who cares. Perhaps the US nuke launch codes – unlikely but already changed and no practical use. Only a complete idiot will be Googling ‘how to make a bang’ – sure, arrest them – but irrelevant. Decrypting Skype calls to xyzistan? all about sending money home to the kids.
The next problem will still come as a surprise.

So maybe the really embarrassing secret is that the US taxpayer has paid out a lot of money for something not worth a great deal.

Archibald Bomwitz July 19, 2013 9:54 AM

Hate to dissappoint you guys, but Snowden’s info is less useful than the newspaper used for a birdcage floor two years ago! Snowden has shot his arrow and been famous for his fifteen minutes! Glenn Greenwald is going to live a good life writing articles and books about Snowden. Why was Putin not impressed by Snowden? Because Russia had no use for the the info that Snowden could deliver. Intelligence and spying is about knowing things about your opponent that your opponent doesn’t know you know! It is about secrets! Snowden may in fact have harmed Russia if Russia had some specific knowledge on NSA’s systems that now are going to be changed! Russia may also have their own spies inside NSA and now they are at risk.

Victorag July 19, 2013 10:02 AM

Naive in the extreme to think the info would be protected by some sort of encryption scheme. NSA and about a hundred other spy organizations work night and day to decode such information. Aside from quantum methods, which have not yet been perfected, no encryption system is foolproof. I.e.: Sorry Mr. Snowden, but your secrets are already out there. Along with everyone else’s. 🙂

Clive Robinson July 19, 2013 10:28 AM

With regards,

    Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system

To do that requires you to know both the drivers and motivations of all potential attackers, which is probably not practical to do.

Thus you need to consider how to make yourself safer than a $10,000 Rolex at a pick pockets convention.

The easiest way to do that is to make your major adversary want to keep you safe and sound.

The question is how?

The answer is along the lines of ask J. Edger Hoover.

History has shown that in the UK for instance –and most other first world nations– having sufficient “blackmail material” on key members of society including members of the Lords and Royal Family has worked like a charm in the past.

I’m sure there are sufficient “great and the good” in the two US houses and amongst the 400 or so US citizens that control well over half the US –and a significant proportion of the world– net worth.

The information would probably not be of ordinary crimes because they are of short lived value. Probably more to do with sex/drugs –or worse– that the politicos keep going on about (ie has high hypocracy as well as immoral value). Such information is usually considered to have a life time of a minimum of 100years past the persons death depending on how promenent the persons are in society.

Now we can assume that either Mr Snowdens employers or those he worked for know fairly accuratly what he has accessed or could have accessed during his employment. So we can be fairly certain they know what is behind his “deadman’s switch”.

As for how to implement the “still alive” system, some blog readers will know that I’ve described a way to do this as a way to control a botnet without having an identifiable control head using search engines and blogs that allow anonymous comments or those that only require what looks like a valid email address –of which there are tens of thousands– and some kind of One Time Code identifier system.

As others have noted shared secret systems can provide a high degree of autonomy as can more old fashioned systems such as Tontiens that only require solicitors at any point in the world to make work.

Eric J. July 19, 2013 4:23 PM

Clearly this is all just a cover story to hide the NSA’s preparations for CASE NIGHTMARE GREEN.

Ben July 20, 2013 3:28 AM

It is not designed to secure his ass. It seems, after all he left behind, that the only cause is to ensure that the information get out, slower by the press or faster and available for all by his dead. somehow I think he has read Suarez and that a small part of the daemon is now out there listening to what happens.

mt July 20, 2013 6:37 AM

Would anyone offer a congruent guess on how such insurance files could actually technically work? Snowden claims that he can not be broken to reveal anything… but how?

One possibility, I suppose, is to encrypt the secret with a public key while the private key is with someone else. Or even better, split the private key with e.g. Shamir’s or similar scheme, and give it to several people, subset of which could recombine their keys and open the secret, if needed. But how do you stop them from betraying your intentions, and reconstructing the key for their own ends?

Would anyone have an ideal as to how could that be done safely in practice, given the power of adversaries? If Snowden is coerced to reveal the scheme (e.g. which people or computers have parts of keys), what prevents the governments from going after the escrows and reconstructing the key, if the secret is so valuable?

Is there any other sensible construct that could be used in such case?

Nick P July 20, 2013 7:54 AM

@ mt

There’s quite a few sensible constructs. Snowden’s case is a bit different than an operator in the field. Snowden already has a trusted link to the Guardian reporter. He can build on that as follows:

  1. Nation’s enemies get encrypted copies of secrets already.
  2. Keys go to the people that would release them upon something happening to Snowden.
  3. The people with keys and Snowden (or someone he’s with) have access to an online drop (eg. twitter, forum) that they post messages on. Snowden might post coded messages, messages about a specific topic, whatever. This forum must be reachable via relays, Tor, etc.
  4. If Snowden doesn’t post anything, these people should have an anonymous way of contacting a trusted source like Guardian reporter to verify Snowden’s situation.

  5. Otherwise, release the data.

(Automating steps using computers in non-cooperative jurisdictions was one of my old strategies I’ve mentioned here a few times. It would definitely help in this case, esp. for a release mechanism.)

Scott "SFITCS" Ferguson July 20, 2013 7:59 AM

@Bruce

I want to speculate on the “deadman switch” too! But the whole thing smells, um, wrong. Where is the original statement where Greenwald*1 said there was one?

Wired quotes La Nacion – as does Reuters, but La Nacion says nothing of “dead man” switches – or anything of the kind:-

Armendariz – Are you afraid that someone will try to kill him?

Greenwald – It’s a possibility, although I do not bring many benefits to anyone at this point. Already distributed thousands of documents and made sure that several people around the world have their entire file. If something were to happen, those documents would be made public. This is your insurance policy. The U.S. government should be on your knees every day praying that nothing happens to Snowden, because if something happens, all information will be revealed and that would be their worst nightmare.

NOTE: the interesting bit from Armendariz interview with Greenwald has been overlooked:-

Three men wait in the lobby of the hotel Royal Tulip with credentials of a congress of osteoporosis which the custodian has no idea. Are they really doctors or are following Greenwald? Appearances are deceptive.

*1 as opposed to the, um, vivid imaginings of a self-promoting author whose relevance to the story is extremely peripheral at best.

Clive Robinson July 20, 2013 8:51 AM

@ mt,

    Would anyone offer a congruent guess on how such insurance files could actually technically work? Snowden claims that he can not be broken to reveal anything… but how?

The quick answer is the files are simply encrypted files placed at various points and with various people around the world.

But having identical files around of the same size is not wise as it makes them easier to find. So at the very least I would expect the files within the encrypted file to be in different orders with some kind of unique file to each encrypted file inserted in the first position and one or more files of random data making the total size bigger by +10% to +50% put prior to compression and then encryption. Also I would double chain encrypt using two different effectivly orthagonal encryption systems say a good stream cipher first and a good block cipher second using appropriate modes for each.

Now this can all be done without ever seeing the keys used so they can not be beaten or druged out of Mr Snowden. The keys should then be split into a number of shared secrets (N) that require a minimum of (M) secrets be brought together to recover the keys. Idealy M should be two thirds or more of N with N being 20 or more to limit the possibility of “others” –not the NSA/FBI who already know the file contents– “rubber hosing” the secret holders.

That’s the easy bit done.

The first hard bit is actually distributing the encrypted files and shared secrets without anyone (including Mr Snowden) being able to find out where they are or get access to them.

The second hard bit is working out a method of sending out an unforgable and unspoofable “Still Alive” message without previous ones being used to track down the secret holders. It is this part that is the most dangerous part of the whole scheam, and thus the part that needs carefull consideration and planning.

The third hard part is working out how to arange for the secrets to be brrought together safely but unstoppably to ensure that the hidden encrypted files get found and decrypted and diseminated as widely as possible.

Get any one of these three hard bits done and potentialy it’s “game over” in a very short period.

I must admit I’m still in two minds over the release of the WikiLeaks file key. That is was the journalist who wrote the book that disclosed it being very stupid or very clever…

Pete July 20, 2013 10:28 AM

As Putin said, Snowden doesn’t tell us anything we don’t already know. At this point, with his still being blathered about in the news, we must assume that he is now a tactical tool against Russia. Putin must be amused at this point, but when that turns to aggravation, his comments will be more interesting.

Anon July 20, 2013 1:31 PM

One of the problems with Snowden’s plan is how to find a trusted associate:

1) If it’s a close, personal associate, I would guess the government could get a search warrant easily, unless the holder of the secret keys also left the country.

2) If it’s a journalist like Greenwald, then at some point Greenwald could decide using the information to win his next Pulitzer trumps any potential harm to Snowden.

  1. If it’s some civil libertarian, they could decide that the “public good” of disclosing the information outweighs the personal harm to Snowden, especially if the information is as half as significant as he claims.
  2. If he gives the information to a stranger, how does he know they won’t sell it to the highest bidder?

Given all that, how do you convince the USG that the information won’t be released eventually anyway.

Simavi Soysal July 20, 2013 7:14 PM

A dead man’s switch, but foolishly forgetting that there are countries and groups that would love to see his stolen information. Residing currently in Russia, hoping to depart to South America, Snowden is evading the one country that has reason to protect his life.

If this happened to Israel they would have recognized the ‘sunk costs’ of losing/revealing the data (which might or might not have been effectively encrypted) and would be actively targeting the man to send a signal to anyone thinking of doing something similar in future. It is a sign of weakness for the United States to not act similarly, and to not strongly push the line that this is a traitor.

Martijn Meijering (@mmeijeri) July 21, 2013 10:09 AM

“Given all that, how do you convince the USG that the information won’t be released eventually anyway.”

I don’t think he’s trying to convince the USG of that, he’s trying to convince the people of the world of that. He needs to convince the US that the dead man’s switch is effective, and to convince the public that it can’t go off by accident.

But an automated component would likely be part of his scheme if it exists and isn’t a bluff, as it easily could be. On another site there was a lot of discussion about the possible technical details of such a system. I don’t think we’ve come up with a fool-proof system, and I suspect Snowden’s system has only a relatively simple automated component, if at all.

These are some of the components that seem possible:

  • redundant network (botnet?) of Tor / I2P hidden services running the dead man’s switch
  • network controller node has a random password & URI Snowden no longer possesses himself
  • communication with that system through a broadcast system (Usenet, Bitmessage)
  • (But how to make sure he no longer knows and therefore cannot reveal the IP of all nodes? If he doesn’t remember the IPs, he’ll likely still remember how he found them.)
  • storage of encrypted data on Freenet
  • Shamir secret splitting system
  • secrets have been predistributed, but Snowden has kept one piece for himself
  • Snowden’s piece is released through the dead man’s switch if not contacted for X amount of time
  • Optionally (and least likely) an analysis script checking news headlines, Wikipedia etc that releases the missing piece if some hopefully sufficiently robust statistic that estimates whether Snowden is dead exceeds some pre-chosen threshold. Note that this wouldn’t automatically trigger a release, it would still rely on the judgement of the keepers of the others parts of the secret.

But, as I said above, it’s also quite possible that the dead man’s switch is only a bluff.

William Sailer July 21, 2013 2:59 PM

When I was selected by the Army for Counterintelligence, they did a complete background check. family, friends, foes,classmates, coworkers. Any association with untrustworthy people, or not passing two interviews with officers trained to weasel out any screwups and you were gone.

The United States Government gave Booz Allen the OK to select people and decide if they could be trusted with vital data. Guess what, he wasn’t. every country spies on every other country, we just do not like to admit it. What he has released is less important than finding out how many more idiots we have entrusted with our secrets by outsourcing to assholes.

Martijn Meijering (@mmeijeri) July 21, 2013 4:08 PM

“every country spies on every other country, we just do not like to admit it.”

That’s not the point, governments can spy on each other as much as they want. The problem is that governments are spying on all their citizens, and some governments on other nations’ citizens as well.

“What he has released is less important than finding out how many more idiots we have entrusted with our secrets by outsourcing to assholes.”

No, it’s much more important than that, although bad security is certainly an important problem too. That by itself is reason enough to fire Clapper and Alexander.

@mikk0j July 23, 2013 2:40 AM

Looks like U.S have only few options, depending how much they believe Mr. Snowden have information on possession.

  1. Explode / dismantle the bomb prior it explodes by releasing information and prosecuting half of the world. Sounds bad, but covers the initials.

  2. Wait what comes up and let it faint by ‘doing nothing’ – as tendency is anyway to do what they want, thus sacrificing citizens opinions should not matter.

  3. Find the key elements, render them unusable and say Mr. Snowden to come home.

  4. Paralyze the switch. Well, that requires understanding how he’s done it and if it is viable at all.

Thiago August 7, 2016 12:05 PM

— Edward Snowden (@Snowden) August 3, 2016:
Did you work with me? Have we talked since 2013? Please recontact me securely, or talk to @bartongellman. It’s time. https://t.co/AKmgF5AIDJ

— Edward Snowden (@Snowden) August 5, 2016:
ffdae96f8dd292374a966ec8b57d9cc680ce1d23cb7072c522efe32a1a7e34b0

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.