Opsec Details of Snowden Meeting with Greenwald and Poitras

I don't like stories about the personalities in the Snowden affair, because it detracts from the NSA and the policy issues. But I'm a sucker for operational security, and just have to post this detail from their first meeting in Hong Kong:

Snowden had instructed them that once they were in Hong Kong, they were to go at an appointed time to the Kowloon district and stand outside a restaurant that was in a mall connected to the Mira Hotel. There, they were to wait until they saw a man carrying a Rubik's Cube, then ask him when the restaurant would open. The man would answer their question, but then warn that the food was bad.

Actually, the whole article is interesting. The author is writing a book about surveillance and privacy, one of probably a half dozen about the Snowden affair that will come out this year.

EDITED TO ADD (8/31): While we're on the topic, here's some really stupid opsec on the part of Greenwald and Poitras:

  • Statement from senior Cabinet Office civil servant to #miranda case says material was 58000 ‘highly classified UK intelligence documents
  • Police who seized documents from #miranda found among them a piece of paper with the decryption password, the statement says
  • This password allowed them to decrypt one file on his seized hard drive, adds Oliver Robbins, Cabinet Office security adviser #miranda

You can't do this kind of stuff when you're playing with the big boys.

Posted on August 30, 2013 at 1:54 PM • 114 Comments

Comments

QnJ1Y2UAugust 30, 2013 2:31 PM

And as always, it takes just one person who doesn't understand opsec details for things to go wrong. In today's example, carrying a written password along with the encrypted file:

http://www.telegraph.co.uk/news/uknews/crime/...

Lots of caveats apply to this report: among other things, the folks at the Telegraph apparently don't like the Guardian; the linked article is all based on a single source in the UK government, and it's rather poorly organized; and there's no indication about how much that single password exposes.

Alan KaminskyAugust 30, 2013 2:50 PM

This is exactly what James Bond would do to make contact with the other government's agent at the beginning of the movie. Now we know where Snowden got his opsec expertise . . .

BuckAugust 30, 2013 3:20 PM

Ha! I just caught the beginning of "Duplicity" (2009) on television last week. In the movie, corporate spies were using Rubik's Cube key-chains as identifying tokens. Now I really want to watch the rest of it...

LeftyAceAugust 30, 2013 3:31 PM

Why didn't he just email them an encrypted photo of himself? Anyone who'd compromised their communication channel would have just arrested the guy carrying the Rubik's cube...

SquarkAugust 30, 2013 3:47 PM

The part of this article that first caught my attention: Assume an adversary that can guess a trillion passwords a second. That and not trusting existing PKI.

ChristianOAugust 30, 2013 3:49 PM

... after you find the man with the rubics cube get to a table and take out the cards I sent you.
He will give you my message during a round of crypto Solitair. Leave immediately! Burn the cards asap.

AlexTAugust 30, 2013 4:00 PM

Snowden seems to have quite good grasp of what he is doing and Greenwald might have learned a trick or two. Which makes it even more suspect (for lack of better words such a "stupid" or "provocative") that Miranda transited Heathrow via supposedly 50000 "secret documents" (http://uk.news.yahoo.com/classified-material-seized-miranda-uk-court-told-190845949.html)

Clive RobinsonAugust 30, 2013 4:03 PM

@ QnJ1Y2U,

In the UK the "Grauniad" is also called the "pink one" because of it's left of center liberal leanings. The "Torygraph" is also known to some as "blue rinse" and is known for it's right of center authoritarian leanings. The UK satirical magazine "Private Eye" dishes the dirt on newspapers in their "Street of Shame" column, they also rib the Torygraph for it's "Fruity Girls" policy which is increasingly making the Torygraph look like a "Red Top".

Needless to say no love is lost between the editors and certain managment and executives of both papers.

But as far as poor OpSec goes the biscuit has to go to the author of a book that had the password to the Manning Wiki leaks assurance file in it, which Bruce posted about some time ago.

@ Alan Kaminsky,

You should remember that the Ian Flemming, the author of Chitty Chitty Bang Bang and James Bond books was a notable intelegence officer during WWII and much of what appears in the Bond books is reasonably accurate. For instance in "From Russia With Love" is a quite accurate description of the internals of a mechanical cipher machine.

aaaaAugust 30, 2013 5:45 PM

Snowden [...] followed that up with a step-by-step guide on how to encrypt communications, which Greenwald ignored. Snowden then sent a link to an encryption video, also to no avail. "It’s really annoying and complicated, the encryption software"

Hard to argue with that one.

Jenny JunoAugust 30, 2013 7:20 PM

Trying to read between the lines of the telegraph article about Miranda's opsec it sounds like they used TrueCrypt, the password on the paper was for the main volume which contained 75 files but that there is probably a hidden volume that they can't decrypt.

The government claiming 58,000 files that have yet to be decrypted is suspicious because you can't know how many files are in a TrueCrypt hidden volume unless you've decrypted the volume. I suppose it is possible that each of individual files were also encrypted. It is hard to know exactly what procedures they would have used given that Poitras/Greenwald/Miranda are relatively knew to encryption.

Nick PAugust 30, 2013 8:11 PM

Interesting article. Glad Bruce posted it. The OPSEC can use some improvements. Three things jumped out at me:

1. The Rubiks cube stuff made me think Snowden was going on books and movies. Snowden would have been better off telling them to show up at a crowded place and stand in one specific spot (he could send a pic). He'd observe from a distance to make sure it was them, look for anyone else that might be with them, and then [if he felt safe] pay a kid to go deliver a message to them with where to go next.

Note: It can help to make people move through several locations with known crowd patterns to try to identify surveillance teams. Unless they have a large, experienced team, one or more team members will likely move with the people they're supporting.

2. The article said that when they came in Snowden's house they took the batteries out of their phone. That means their entire path was traceable until the rare moment when the signal disappeared. That makes it easier to figure out where an important location is if a TLA adversary is monitoring cell location. The better way is to always keep the batteries out until you need them to make a call. And never do that from a secret spot.

3. The air-gapping of communication system Poitras did was one of the smartest moves. For interested readers, these additions can greatly enhance security: a netbook can be purchased with cash, a basic RAM-based Linux LiveCD used, "cantenna" to public wifi from long distance, all temporary data stored in RAM disk, and TrueCrypt volumes for persistent storage with whole (or partial) key on easily hidden/burned paper. Also, run a strong password through a hashing utility like SHA-2 to generate the TrueCrypt key if you want to make it harder for them to crack volumes they read at the border.

More: Public wifi instead of Tor at the home to provide deniability. It's also better to use SSL proxies (rather than Tor) in neutral foreign countries for doing research because it can be made to look like vanilla SSL traffic, esp with two relays. Cigarette paper is good for the keys b/c it's easily burned. You can also leverage face-to-face meetings to share master secrets, code words, synchronize future events or other very critical stuff. Think of it as a trust anchor for the remote methods. Finally, if you want to delete something, do this: create a new volume with new strong key, copy files you want to keep to it, delete old volume, and burn it's key on paper. And only use plain text messages for protected comms.

There you go, privacy lovers. Remember, the methods must be strong, everyone must use them all of the time, and it's better if methods are used that look normal to the untrained eye (or default traffic analysis systems).

DanielAugust 30, 2013 9:18 PM

I think the Rubic's cube angle is overplayed. Snowden undoubtedly already knew what both of them looked like because both were semi-public figure whose images would have been available via Goole image search. If I were in his shoes I would have been upset about them being early etc from a viewpoint of operational discipline rather than worries about identity authentication. I would not have even pulled out the cube unless I was 90% certain it was them.

I do agree with Nick P about the battery issue. But again I think they were less concerned about their location being found out than their communications being intercepted. Remember, the US Government had an interest in at least her prior to and irrespective of any involvement with Snowden.

If Snowden is as good as everyone says he is then I'd imagine that at this point in time he's confident that NSA isn't on to him yet. He's more worried about inadvertent compromises than he is about a targeted intervention; the element of surprise is still in his corner.

AshleyAugust 30, 2013 11:18 PM

Nick those are some good tips but just a few questions. When you say encrypt everything important and use a ram based Linux distro, most of those distros don't have truecrypt installed. Which ram based Linux do you recommend?

I guess the part that's confusing is if I boot up a ram based distro, it only comes with what's installed by default for that distro. Of course I can always install truecrypt / macchanger etc.. But after a reboot those changes and programs are not saved. I feel like there is an important step I am missing here.

mcjtomAugust 31, 2013 5:11 AM

Not quite on opsec, but on the Rubic Cube - someone mentioned it being used in a movie as a token.

It looks to me that there are some 65 bit of possible Rubic Cube permutations. That's a semi-decent random passphrase, especially if strengthened by e.g. PBKDF2 or bcrypt to produce a key, isn't it?. Two cubes should be able to hold a 128bit key. Could a shuffled rubic cube be used as a key, that a courier would move between parties?

But how to easily and unambiguously code the cube arrangement into a alphanumeric key?

While such key can be captured in transit, just like the one on paper (Miranda?) the key can be destroyed by merely re-shuffling the cube: there are 18 possible single turns (9 leyers * 2 spin directions each), so some 16 random turns would make the new cube arrangement some 65 bit away from the actual key that it held before, I think.

That's probably more difficult to call 'destroying evidence' and practically easier to do, than burning paper.

Holding a random key in a Rubic Cube arrangement is in a way similar to the famous AACS 'Freedom of Speach' flag, where the 09 F9 key was represented as 24bit colours.

watch_more_spy_moviesAugust 31, 2013 8:19 AM

@aaaa:
It makes them potentially more suspicious if they linger in the meeting spot for an extra ten minutes, and it gives adversaries more time to react, and to organize a response. E.g. suppose an adversary knew their general location but hadn't yet spotted them visually. (Suppose they were following around a cell phone signal, or a toll-booth transponder on the car, something like that). By arriving early and standing around, the adversary has a chance to "catch up" and wrap a net of surveillance around them. Of course a paranoid person must assume they might be under surveillance anyway even with perfect opsec, but you don't want to give potential adversaries any extra opportunities if you can avoid it.

In this case, they were probably worried about being late to the meeting and missing the scoop and didn't realize that arriving early might be a bad idea.

CallMeLateForSupperAugust 31, 2013 8:43 AM

"...material was 58000 ‘highly classified UK intelligence documents'"

From everything I've read, they admit that they are unable to decrypt those files. So how could they possibly **know** :
1) the number of documents
2) the classification of each document
3) that documents are "UK intelligence"
???

It don't add up.

StephenAugust 31, 2013 8:52 AM

Anyone thought that it was all just a test? I know that Greenwald is not stupid and after all these leaks he had to know the brits will pull this trick? there is no reason to believe otherwise.

Did Greenwald not claim he already had everything?

just a thought....but it seems the story was getting boring to most and why not run his partner through Heathrow or where ever it was and see what happens....

mcjtomAugust 31, 2013 9:20 AM

One of the previous posters speculated that the thumbs may have been encrypted with TrueCrypt or the likes, and may have had a hidden volume. So perhaps it was a good idea to write a outer volume password down and give it away - that may protect what's on the hidden part and still satisfy the interrogators?

Clive RobinsonAugust 31, 2013 12:34 PM

For those making comment on the 58000 file statment by Mr Oliver Robbins, there is a copy of his witness statment in PDF format at,

http://s3.documentcloud.org/documents/781973/...

I would read very carefully paragraph 4 because he is basicaly saying his witness statment is full of "hearsay" evidence.

The problem with the court alowing what is "hearsay" is it could easily be lies that Mr Robbins "choses to believe" for the sake of his pay packet etc.

You will see in Par 13 when talking about the 58000 files he attributes the information to having been briefed, importantly without any kind of attribution.

All in all his statment is unverifiable except where he seaks to quote publicaly available material which is in some paragraphs clearly "journalistic hyperbole" that Mr Robbins has selected because it alows him to make totaly unwaranted and unsupportable claims.

If this is the quality of evidence the UK Home Secretary is relying on then all I can say is it's not evidence but hearsay and as it is not given by an acknowledged expert the witnesses statment should in no way be treated as "Expert Opinion" and thus the Judge should reject it.

However since Tony Blair PM and Lord Falconer eviserated the UK Judicial service a few years ago it appears that any nonsense from a person whos is questionably not sound in mind can be taken as evidence if dressed up right.

However no matter how much lipstick you stick on a pig it's certainly not going to sing or dance like a diva, nor is it going to fly unless you stick a rocket up it's 455

Avid ReaderAugust 31, 2013 1:22 PM

>>Stephen
I completely agree with you. There was a news report a few weeks back with a similar situation. Greenwald and his partner had a Skype conversation. Greenwald tells his partner about some encrypted documents on their home computer (i.e. the trap), and the next day the computer, and only the computer is stolen. I think the airport stunt is a way of showing the public what happens when you become the target of an investigation.

>>Nick P
I liked your comments. I would request a HowTo guide on setting these methods up for less computer savvy people. SSL tunneling can be difficult to figure out on your own.

I would disagree with you on the cigarette written partial/password. It will make the volume much harder to crack, but if it gets intercepted or stolen, it makes it that much easier. You'd be left with a memorized password, or no password at all. If you're in the middle of being arrested, you don't have the second or two to destroy it.

I disagree with using SHA2 or any other hashing algorithm to generate the password as well. All it is is obfuscate the method of encryption. Password->SHA2->Truecrypt. If they know you added SHA2 as a preamble, then they will do the same and try to crack the original password. This is a different story if you hashed the password 1000's of times, but that is essentially what PBKDF2 and the like does.

I would recommend this as an alternative. Truecrypt has an excellent option of using keyfiles with a password. Generate 1000 files, each made of 64 bytes of random data. Save them to your non-writable media with identical C/M/A time stamps. Use 10-15 of them along with your password for the input to Truecrypt. It is still a guessing game as too which numbered files you use.

My only other input to this rather intelligent OPSEC conversation is this. When you are using your ram only computer at the coffee shop, bring your laptop power converter and take out the laptop's battery, and set a bios password. If you should be raided as you are working, yank the cord out of the computer. The computer will loose power, and the only two options they will have of data recovery is to try to freeze the ram and do a quick read on it for encryption keys, and crack your passwords. The bios password and quick decay rate of ram should work well to thwart them. A lulzsec member was taken down with his computer running. On site forensics is standard procedure these days.

Nick PAugust 31, 2013 1:32 PM

@ Ashley and other's curious about RAM/truecrypt distros

Re: Linux Live distro

You're mainly just picking one you think you can use. That you can use and accept a given distro is more important than any other factor because people tend to stop using things that piss them off. ;) Usability, interface styles, supported apps, hardware support and more vary among distros. My basic security goals are that

(a) they're not windows,
(b) they run in RAM,
(c) you can install TrueCrypt on them, and
(d) they work with your hardware.

So, I list a few under this paragraph. Download them and burn them onto CD's. Try each on your machine. Many have simple interfaces such as busybox which are good for security due to less features, yet not so good for usability. I'd say start with Ubuntu Live as you'll figure it out quickly. Then, if can get a hardened one to work, then start using it instead.

Ubuntu Live CD: The default. You get several options at startup. Choose to "try it" instead of installing it. Then, everything loads from CD (or USB). It's heavyweight because it's designed for features and usability. Your security will probably be OK if you're not targetted specifically: the obscurity of Linux alone makes most malware miss it.

Damn Small Linux: This is a tiny Linux made to run totally in RAM and comes with a minium of applications. Only runs on x86 processors. Uses Fluxbox window manager and optionally can add on popular software. Designed for old machines more than security.

Puppy Linux: Security engineering veteran Terry Ritter sold me on using this one for security purposes. Brian Krebs likes it too. Similar to Damn Small Linux but: much easier to use across the board; better interfaces available; you can save changes to the file system incrementally on the DVD itself. Ritter argued the latter feature was a nice compromise for data persistence on a mostly no persistence distro. Krebs and Ritter on using Puppy.

Lightweight Portable Security: LPS is an interesting option because it's made by Dept of Defense for protecting their systems. It's goal is making sure the system starts clean, doesn't change the disk, and can act as a secure thin client. And it's free for us too. :) They also include an encryption tool they use. Does that tool have backdoors or something? Who knows. However, most tools they make to protect their systems are pretty good and quite a few people outside DOD use this distro. So, I'll include it for those reasons.

Tin Hat Linux: Last, but certainly not least, is a distro with this goal: "The central design consideration in Tin Hat is to construct an operating system that can hide data from an attacker even if he has physical access to the computer." I haven't used it yet so I'm not sure of its quality. It has interesting security features, though, and meets the basic requirements I stated early on. It also uses the Hardened Gentoo project's technology which provides resistance to certain attacks.

Note: One additional motivation for my choosing these different platforms is diversity. Schneier blog readers know I'm a fan of different codebases to reduce odds of success in one-size-fits-all attacks. These systems use Gentoo, Slackware, Ubuntu, Knoppix, etc.

Note for Windows or Mac lovers: the solution for you people is "Write Protect." Seems to be a forgotten, but effective, technology. You install Windows, install needed apps, do ALL updates, clean temp files out, run hardening procedures in online guides, and then turn on write protect. Any changes to the running system, by you or by malware, will not be saved. That basic mechanism gives you the same protection as a LiveCD if it's hardware based (usually a switch). There's also security software, from OS hooks to virtualization schemes, that claim to do this. They might work, might not. You can also set up VM's with very restrictive configurations to do this. However, the simpler the better and that would be switches at the storage hardware level.

Re TrueCrypt

"I guess the part that's confusing is if I boot up a ram based distro, it only comes with what's installed by default for that distro. Of course I can always install truecrypt / macchanger etc.. But after a reboot those changes and programs are not saved. I feel like there is an important step I am missing here."

Good catch. There are two main solutions:

1. Install it upon every bootup.

2. "Remaster" the LiveCD to include it.

Install Each Time

I used this method early on. It was inconvenient, but required little technical knowledge. I booted up a Live CD for which truecrypt has a graphical, few-clicks installer. I kept the truecrypt installer on my main HD partition in main folder. So, upon LiveCD boot, I performed these steps:

1. Made sure there was no internet connectivity to reduce risk. My laptops have hardware switches for wireless.

2. Run a mount command to active my HD.

3. Open the HD folder with the installer and run it.

4. Unmount my HD just in case.

This whole process took a minute or two. I had to google the mount commands and figure out which Linux device represented my actual hard disk. I just went through sda, sdb until i saw my disk's folders in the mounted folder. I'll add that Ubuntu and some distros might automatically see it in "Places" menu at the top. In them, you basically just click on it and the system mounts + opens it.

Remaster Onto LiveCD

This the better (and harder) route. Remastering means you customize whats on the disc. You might change the interface, add TrueCrypt/OpenOffice/VLCmediaplayer, etc. Each distro does this differently and whether you can figure it out might be a factor in which you pick. There's googleable step by step guides on "remastering" or "changing apps on a LiveCD" for many I listed. If you get one to work on your PC and like it, then Google changing it to try those steps. If the steps work, then add in TrueCrypt and whatever necessary apps you need. And TAKE OUT any you don't need cuz they're wasted space and extra attack surface.

Conclusion

Sorry if I couldn't give a simple recommendation. These operating systems are all made by different people with different preferences, goals and levels of maturity. Choosing a Live distro is a very personal thing that only you can do. Ubuntu is great as a start. Puppy is endorsed by pro's like Ritter, so that's even better if it works on your machine. So, get one, figure out how to get it on Internet/wifi, get firefox + noscript, get truecrypt, and start using it for basic workflow. If nothing else, you're "I've been infected!" days are over. ;)

AshleyAugust 31, 2013 3:33 PM

Nick I really appreciate your help. I will definitely take a look at the links you posted.

A perfect linux distro for me would have the following features:

- installed by default: truecrypt / tor / bleachbit / gpg / macchanger / openvpn

- linux distro that runs off ram

- random mac address on every startup

- random hostname on every startup

- system locked down (no unnecessary services runnings & ports open)

Since there is no distro like this I think the next best thing to do would be to find a distro (probably one of the ones Nick mentioned) install it on a usb 3.0 memory stick and install the programs I need and remove the ones I do not. Optimize and clean it up and final step would be to write protect the usb. Once all of this is complete I will have a clean linux distro that meets most of my requirements. I can now simply go to a random coffee shop with my laptop (one with no hard drives), put in the usb drive and boot from it. Whatever I do is stored temporarily in ram, and nothing writes to the usb drive. This will be a good weekend project.

Hopefully some other people can chime in with tips and comments about this setup.


ChuckAugust 31, 2013 3:34 PM

I wonder, why a messenger has to schelp a fullworking system with him/her (except for deception)? An encrypted 64gb mircoSD should be enough for many thousands of crappy handcrafted PowerPoints and should fit into a toothpaste tube made of aluminum or so...

Nick PAugust 31, 2013 3:52 PM

@ Avid Reader

"I liked your comments. I would request a HowTo guide on setting these methods up for less computer savvy people. SSL tunneling can be difficult to figure out on your own. "

I might write one up in the future along with recommended tools and configuration steps. Meanwhile, there's excellent resources on using proxies that are one Google (or DuckDuckGo) away. And many have screenshots of each step. :)

re secrets on paper beats $5 wrench cryptanalysis

"I would disagree with you on the cigarette written partial/password. It will make the volume much harder to crack, but if it gets intercepted or stolen, it makes it that much easier. You'd be left with a memorized password, or no password at all. If you're in the middle of being arrested, you don't have the second or two to destroy it."

I certainly need to revise how I presented that idea. There's two categories of usage here:

1. A trusted place that nobody will be looking at or with visibility to give you the 2-3 seconds it takes to burn a note.

2. On the move in unknown places where you can get grabbed or searched without notice.

The key on cigarette paper idea is definitely for situation 1. It can also be disabled for when you're doing no 2 so it's not really a weakness: just not available there. The advantage of it is that it allows a totally random, long password. And you can change the password often because it's as simple as writing the new one down and burning the old one. Even if tortured, you cannot reveal the secret because you don't know it. The reasoning here is that most people can't remember nearly uncrackable passwords or change them often. Yet, most people can hide a tiny piece of paper in their house or bury it in a box in the woods.

Another common variety of this trick is a strong password + key file on tiny flash card or thumb drive. Another is to enter a strong password plus a bunch of random characters from a piece of paper. Brings extra benefits I'll identify in next reply.

re my using hashes to preprocess secrets

"I disagree with using SHA2 or any other hashing algorithm to generate the password as well. All it is is obfuscate the method of encryption."

That's the classic argument people give me on all kinds of my obfuscation methods. Yet, the argument is weak because experience shows sound techniques + extra guesswork for the attacker is A Good Thing.

1. They can't work around what they don't know.
2. The obfuscation methods can vary on an individual basis, requiring custom attacks for each target.
3. Certain obfuscation methods are very simple to implement.
4. Some obfuscation methods can cover weaknesses in usage of other tools.

In this example, the truecrypt volume is protected by a password. The TrueCrypt tool runs that password through some steps to generate needed keys. Attackers familier with TrueCrypt and knowing nothing else will run vanilla anti-TrueCrypt tools on your volume that essentially try to crack the password. This means the password should be very random and long to resist their attacks. Interesting enough, the output of good hash functions has that property even if you input the crappiest password (see 4 above). So, I included these options into my enhanced truecrypt scheme:

1. Pick at random a one way crypto function to use that generates long, random output. Make sure it's an option in a popular, easy to use hashing/crypto tool so the tool's existence doesn't give away the precise methods.

2. Generate a 128-bit (minimum) salt. This was what I put on the cigarette paper. Use either hex or BASE64 encoding.

3. Chose a number of times to run the hash function. (optional)

4. Input your STRONG password and salt into the hash. Optionally, do the iterations. Use the result as the TrueCrypt passphrase.

Now, what we've done is that we've made it impossible for them to crack the TrueCrypt volume without knowing (a) your password, (b) salt and (c) the specific steps you taken. Those steps use proven primitives in a safe way to accomplish the obfuscation. The steps become both extra entropy and computational complexity for the attacker. And the 128bit salt can be easily destroyed at any time. Extra obfuscations to consider and not exhaustive list by far:

- Instead of password, use a passphrase that combines a variety of characters (my default for all user secrets)

- Use a combination of hashes and iterations in this process. Assign each one a number (in order of appearance in tool's help file). Then, the obfuscation is essentially a pin: 4917 might mean 4th hash 9 times, then 1st hash 7 times. Limited by your memory and max number of available algorithms/iterations.

- Build extra obfuscation into the tool itself. They have to checksum/hash it to see it's modified. Reduce deniability, though.

- Tie the activation of crypto to a certain location (advanced method). Will reduce deniability if custom software is used to accomplish it, but there are 3 party methods that don't require that.

- Any time a file must be deleted, create a new volume, write the salt for it down, move any files you keep to it, and burn the salt to the old one. Again, you sure aren't going to remember a 128-bit secret and they aren't going to crack it. So, call it "perfect forward secrecy" for data at rest. :)

(Note: this is also the best way to move critical informations between documents such as Word or PDF that can contain much metadata. New document, copy what you keep, and delete the old one.)

So, what we have is...

1. Strong password. Required anyway. Proven value. Is baseline.

2. Hidden extra steps. Increases attackers' work, observation and sophistication requirements.

3. Perfect forward secrecy or entropy boosting via keyfiles or paper secrets.

Obfuscation has saved many of my designs and systems from attack over the years. This has worked with software, protocols, system configurations, firewalls, physical security and so on. In some cases I got to watch the attacker try all kinds of really clever stuff, fail, and move on. The combination of strong security engineering with secrecy and tight usage controls is also key component of NSA's Type 1 crypto systems. They'd probably fail more quickly if NSA open sourced them.

So, obfuscation has proven value used properly. It's even protected my life at times. The examples people give that supposedly "prove" it doesn't work involve security designs built *only* on obfuscation, often poor obfuscation at that. Such foolish approaches led to fool's (false) security. Good security engineering practices + obfuscation techniques that don't undermine their assurances equals better overall security posture against majority of attacks.

Note: none of this stuff by itself will save you from conviction due to not turning over a key to law enforcement. It seems like a rare situation, though. Online dead drops are one solution. Brings me to another advantage of paper: unlike files and flash drives, it's extremely easy to hide going through a border crossing even with PC inspection, metal detectors and strip searching. Parts of the secret can even be specific scratches or imperfections on your clothing. They gonna take everyone's clothes? I think not!

"I would recommend this as an alternative. Truecrypt has an excellent option of using keyfiles with a password. Generate 1000 files, each made of 64 bytes of random data. Save them to your non-writable media with identical C/M/A time stamps. Use 10-15 of them along with your password for the input to Truecrypt. It is still a guessing game as too which numbered files you use. "

It's an interesting idea. It meets the requirement of extra step the enemy has to figure out and boosts entropy to final key. The key weakness is it might take extra manual steps or an unusual executable on your system. It's also more complex. The simplest version of my truecrypt scheme is a strong password and salt (on paper or hidden device) entered directly into the TrueCrypt password box. That's two factor, entropy boosting, requires no extra software, takes one step and allows the salt to be destroyed. The next version uses a generic tool to combine the password and salt with a cryptographic function for more of the same benefits. Simple, easy and deniable. ;)

I'll also add that people the salt can even be the stuff on your state ID, a page of a magazine you carry, and so on. That tradeoff means you carry nothing unusual at all (compared to the average user of privacy tools). Their attack requires (1) knowing you're using extra steps; (2) knowing what the input source is; (3) knowing any transforming trick you use such as starting point or typing words backwards. Near total deniability: you're just another truecrypt user and can pass a full physical inspection.

Privacy/security maxims to remember: As simple as necessary to meet requirements. Used proven primitives, principles and procedures to achieve critical security properties. Optimize obfuscations to minimize users' activity and maximizing opponent's. Use nothing that stands out to auditors.

So, if you do design your own solution, just remember these maxims to improve your safety and success.

Re removing the battery

"My only other input to this rather intelligent OPSEC conversation is this. When you are using your ram only computer at the coffee shop, bring your laptop power converter and take out the laptop's battery, and set a bios password. If you should be raided as you are working, yank the cord out of the computer. The computer will loose power, and the only two options they will have of data recovery is to try to freeze the ram and do a quick read on it for encryption keys, and crack your passwords. The bios password and quick decay rate of ram should work well to thwart them. A lulzsec member was taken down with his computer running. On site forensics is standard procedure these days."

That is a *great* tip and made me feel foolish for forgetting to mention the issue (facepalm). I'll add, though, that it *may* be a risk. A lay judge or jury might consider it suspicious if you're wifi, have LEO defeating tools, and pulled the plug when cops walk in to question you. "Destruction of evidence," "obstruction," etc. Anyone worried about that can use this improvement that I came up with after my battery died.

Use a totally dead battery. Tada! Craigslist one if needed. Also, use Puppy Linux as your basic setup. Your defence will be that you were just following Brian Kreb's security advice and your laptop is "an old piece of s***... the battery doesn't even work anymore I always have to find an outlet to use at these places. So lame..." Makes for a more believable excuse. ;)

(There's other tricks that can be built on top of that idea. I leave them to readers imagination.)

Nick PAugust 31, 2013 4:07 PM

@ Ashley and GH

Yeah, TAILS is another good idea. Thanks for mentioning it. Dirk Praet and I have endorsed it before. It's purpose built for privacy, anonymity, etc. I was focusing on the other's because they have more deniability: they're just distros with better malware resistance and light on resources/maintenance. Many people use them for this. Tools like truecrypt are popular for privacy. And so on.

Let me put it this way:

1. TAILS will have excellent anonymity/privacy out of the box while sending a clear signal you're main goal is hiding stuff.

2. The others, by installing a few apps, can have "good enough" privacy or anonymity while giving you the "following malware prevention advice" or "tired of Windows bloat/price/headaches" cover stories. Which are also real benefits. :)

And I'm sure there will be jurors who can relate to your gripes about both.

@ Ashley

That's a pretty good list. Most of those can be covered by adding a few apps or scripts to a distro above. Do try TAILS, Ubuntu, Puppy and Tin Hat. They're your best options for security/privacy in that scenario. And two can be customized in a weekend for sure.

Good luck! :)

(Note: if anyone is trying to hand-roll anonymous browsing through Tor go to their website for instructions on combining a browser proxy with Tor. Stops the browser from leaking information. TAILS might be a better option if anonymous browsing is your main consideration as it's hard to do right.)

JeffAugust 31, 2013 4:40 PM

@Clive

The FT is the paper known as the pink 'un, because it'sprinted on pink paper. It's never been used to describe the guardian.

MarkHAugust 31, 2013 4:49 PM

@Clive:

Eloquently stated.

We all know that you're a knowledgable cuss ... but now I learn that you also have the soul of a poet.

Clive RobinsonAugust 31, 2013 6:54 PM

@ Nick P et al,

With regards versions of linux / BSD / Windows that run from CD/DVD in memory.

When it comes to tools to include or check for, one I've found to be very valuable over the years is an arbitary precision command line calculator that is either programable or usable from simple shell scripts.

Whilst MS OSs don't come with one you can download MS OS versions of the unix classic "bc" (short for Bench Calculator and was originaly a front end for "dc" the Desktop Calculator).

http://en.m.wikipedia.org/wiki/...

By a carefull use of "bc" and the BASH inbuilt shell programing language you can actually implement various crypto algorithms and link them together in interesting ways of your own devising (think Nick P's obsfication ideas).

As an alternative think about Perl which is fairly standard "admin" program found on most *nix platforms and quite a few MS OS platforms from Win2000 onwards.

As for obsfication or "Security by Obscurity" it works well in the physical world, but less so in the information world. Often this is because people think novel is equivalent to obscurity and it's not, further they tend to vastly under estimate what is required in terms of effort to make obscurity work in the information world.

Whilst it is true that using a hash function in a known way does not add entropy to a "secret" (just complexity or efffort), using a hash multiple times can add entropy by way of the number of times and ways it's used providing it to is a nondetermanistic "secret".

One such way is to hash a known start seed a number of different times, and add the results together in a suitable moduls (in effect you are making a tapped shift register, where the tap points are a "secret" and the shift is not a simple value copy but the one way function of the hash).

Clive RobinsonAugust 31, 2013 7:15 PM

@ MarkH,

As Shakespear observed "all the world's a stage" in "As You Like It".

But he probably stole it from Petronius's "quod fere totus mundus exerceat histrionem" (which does not mean what school boys think it does on hearing it the first time ;-)

Thus it's perhaps not the originality of the content, but the performance and context that pleases the audiance the most.

Peter B.August 31, 2013 8:41 PM

Is AES256 broken????
The story claims Miranda carried the TrueCrypt password on a piece of paper. Only if Snowden, Greenwald and Poitras are idiots, and that's not the case.
If the Brits got the password, why would it take days to decrypt those files? Maybe, as some commentators have suggested, Miranda carried a decoy password to satisfy the cops. Maybe, too, the assertion that the material contained highly classified BRITISH documents is just smoke.
Or maybe AES is broken, and it just takes some time to crack an individual file.
Wikileaks recently posted some hundreds of gigs of files assertedly encrypted with AES 256 (at least that was the file type). Snowden commented that "no digital communication is secure." Why not
just e-mail (strongly encrypted, of course) the key to Greenwald?
Why does AES use only a 128 bit block size, when Rijndael offers 256 bit blocks? The NSA passed on AES before it was adopted - did they know then they could break it?
Just asking.

name.withheld.for.obvious.reasonsAugust 31, 2013 9:11 PM

My suggestion for running a system that is immune to most known and many unknown vulnerabilities is to use Amiga DOS, open VMS, straight DOS 6.2 and use a network translation layer (LUA/SNA, Token ring, IPX, or other transports). This is also convenient for use as a straight router. I'd tell you what I use but then I'd have to take my equipment offline. Give you a hint, it rhythms with CPM.

As often mentioned here the use of an air gapped system with sanitized media (controlling both up and down stream chains) is the only way to go for secured use. Of course that begs the question about supply chain verification, board and component level inspection, traceability of materials, binaries, firmware, and the like. Not something easily accomplished from commercial sources. Building your own, including the SMT bonding of inspected components and source code builds with "qualified" compilers is going to beb a trick. So, unless you can fab, assembly, test, inspect, and verify with a strong change and configuration management control regime--the exercise is mostly academic.

Currently I am having issues the FPGA vendors that are too tightly coupled to their IP cloud model. I only use them for design and testing purposes but the tendency for the FAB sources to change tool chain, source, and modeling functionality with an ever greater exposure to network components is concerning.

Prinz Wilhelm Gotha-Saxe-CobergSeptember 1, 2013 12:15 AM

One thought I had on the issue of passwords scribbled down on paper is the ease of access to the paper and the difficulty of getting rid of it in a hurry:

paper's not easy to swallow. Rice paper is much, much easier. And you can code the position of the letters (in the Western alphabet) by the number of strokes in the Chinese glyph. Good luck for the border guards waiting for you to excrete it. Some people have all the luck!

For a salt, if it's known you're into electronics, there's nothing to stop you carting around some resistors and capacitors. I'll bet most border guards won't have a clue how to read them for electronics purposes, let alone for their presumed purpose as a salt.

And an audio CD? Who'd sneeze at that? While audio steganography's not a lost art, having hardly begun to exist, it's not what I'm suggesting. As a portable salt, though, it's ideal. Best to carry a small collection around, though, and a CD walkman. No point in taking the enjoyment of the hunt away from the feralists.

AutolykosSeptember 1, 2013 2:06 AM

Can anyone here make heads or tails of this:

In her witness statement submitted to the British court on Friday, Detective Superintendent Caroline Goode, who said she was in charge of Scotland Yard's Snowden-related investigation, said that among materials officials had seized from Miranda while detaining him was an "external hard drive" containing data encrypted by a system called "True Crypt," which Goode said "renders the material extremely difficult to access."
Goode said the hard drive contained around 60 gigabytes of data, "of which only 20 have been accessed to date." She said that she had been advised that the hard drive contains "approximately 58,000 UK documents which are highly classified in nature, to the highest level."
Goode said the process to decode the material was complex and that "so far only 75 documents have been reconstructed since the property was initially received."
Source: http://www.reuters.com/article/2013/08/30/...
Highlight by me.

What's going on here? Are there critical implementation flaws in TrueCrypt? Is AES (or Twofish, or Serpent) broken? Was Miranda using bad passwords (and if so, why didn't they decode the volume key and all the data)? Or is Scotland Yard just treating us like mushrooms (keeping us in the dark, feeding us bullshit and removing anyone who sticks his head out)?

lost in the thicketSeptember 1, 2013 2:35 AM

@ Nick P

How important is it for the distro to be on a CD and not on say a USB stick? How exposed is a USB-based live boot?

Lost in the thicket

AutolykosSeptember 1, 2013 3:53 AM

@lost in the thicket:
Once someone gets physical access to your stuff, a USB stick can be manipulated (AFAIK, you can't set them to read-only permanently). And since the read-only is based on software, it's not 100% trustworthy anyway.
Sure, they could also switch a CD, but chances are you'd notice. Especially with a hand-written label.

lost in the thicketSeptember 1, 2013 5:52 AM

@Autolykos, Nick P et al

Yes, the evil maid can manipulate the USB stick. How exposed is the stick, given it is a non-Windows live boot, to malware from the Internet? It seems that it would have to be specifically targetted, but maybe I'm being naive.

rpoSeptember 1, 2013 6:34 AM

Two tweets from Glenn Greenwald on Aug 30:

https://twitter.com/ggreenwald/status/373412918156472320

UK Govt: their op-sec was sloppy, but we can't get access to their docs because they're all "heavy encrypted" #GlaringContradictions

https://twitter.com/ggreenwald/status/373451644794449922

Anyone claiming that David Miranda was carrying a password that allowed access to documents is lying. UK itself says they can't access them.

A comment by Guardian US editor Janine Gibson from a recent Q&A doesn't inspire great confidence on the quality of the Guardian's opsec:

Tricky to talk about what specific [security] measures we have taken and are taking, but suffice it to say we use extraordinary care. This story is being reported from Brazil, the UK, the US and for a while from Hong Kong as well as being edited from New York and London. Secure communications and the movement of material have been by some measure the hardest challenges - we’ve had to do a great deal of flying people around the world.

http://discussion.theguardian.com/...

Nick PSeptember 1, 2013 8:34 AM

@ Clive Robinson

"When it comes to tools to include or check for, one I've found to be very valuable over the years is an arbitary precision command line calculator that is either programable or usable from simple shell scripts."

That's an interesting thought. It reminded me of another one though: TI graphing calculators. I remember putting all kinds of programs on them in the past. I even thought of using them as a trusted path due to the screen size, keyboard, and programmability. Settled on electronic organizers type designs b/c their letters are easy to work with. But, yeah, a traveling student with a graphing calculator and the program section locked might be deniable.

"My suggestion for running a system that is immune to most known and many unknown vulnerabilities is to use Amiga DOS, open VMS, straight DOS 6.2 and use a network translation layer (LUA/SNA, Token ring, IPX, or other transports). This is also convenient for use as a straight router. I'd tell you what I use but then I'd have to take my equipment offline. Give you a hint, it rhythms with CPM."

It works well enough so long as they don't know what you're using. Plus you get to be different. (!!!) Since it's obfuscation, though, you might as well use a desktop Linux. There's almost no malware for it. And the others you listed (except VMS) will be even easier to hit when they target you due to little security focus. So, you might as well use a BSD, Linux or a "trusted" UNIX.

Btw, although I long recommended it, VMS was recently EOL'd by HP. They acquire a rock solid system, invest almost nothing in it, don't try to market it at all, and then kill it. It was one of their most profitable divisions. Imagine what VMS would have been if received about 5% of the money and development Linux got. They wasted such a good opportunity.

@ Prinz Wilhelm

Rice paper: yes! That's the one I was trying to name! I forgot so I said cigarette paper instead b/c at least it burns well. But, yes, I think old spooks used rice paper for some of their communications. Your other ideas are nice too. :)

@ lost in the thicket

"How important is it for the distro to be on a CD and not on say a USB stick? How exposed is a USB-based live boot?"

I'm actually not sure in a practical sense. The assumption is that the enemy never gets their hands on it regardless b/c physical possession = compromise. Also, you're booting up into a clean machine. So, you're main remote threat profile here is:

1. People hacking your machine while it's running to steal your data or somehow rootkiting it.

2. People subverting the update process.

The 2nd one is a separate issue. Wrt the first, a CD/DVD-R have the benefit of being write once. The USB might get written to while you're using the system. So, that's the main risk. If you want USB performance, then you can mitigate the risk by using a write protected USB drive, preferrably with a physical switch (floppies had that). This USB's sticks design is a perfect example of how simple system integrity can be. ;)

"Yes, the evil maid can manipulate the USB stick. How exposed is the stick, given it is a non-Windows live boot, to malware from the Internet? It seems that it would have to be specifically targetted, but maybe I'm being naive."

Another advantage of paper is that it isn't executable. Using any executable media means you *definitely* have to hide it. If they grab it, you must assume it's untrustworthy. At that point you have to ditch your data or put the USB in *another* machine (Walmarts? wink) to pull the key files off it. Then, you transfer that keyfile to the private machine in a way that doesn't allow compromise. You can use hashes as part of a tamper detection strategy if you want but it's easier to just protect the USB device.

Dirk PraetSeptember 1, 2013 9:14 AM

I'm a bit surprised that we all seem to be missing the giant elephant in the room here. I refer to paragraph 13 of the witness statement by Deputy National Security Advisor Robbins, when he says

... They have been able to determine that the external hard drive contains approximately 58,000 highly classified UK intelligence documents.

It seems obvious that a huge stash of documents one way or another is accompanied by one or more index files describing their contents. If I were Snowden, that's what I would have done too. If Mr. Robbins' statement is truthful, then as per paragraph 13 it would appear that the digital forensics team has been able to recover one or more index files using the password found on a piece of paper David Miranda alledgedly was carrying.

Trying to make sense of Detective Superintendent Caroline Goode's statement that only 20 out of 60Gb. of data on an external hard drive had been accessed so far can easily be explained by these 20 Gb. being unencrypted data, whereas the 75 documents "reconstructed" so far may just be Greenwald/Poitras working documents encrypted in a less secure way and/or with an easy password.

My point however is that unless the UK and its IC are fully owned subsidiaries of the US, how come the NSA is sitting on 58k highly classified UK documents, disclosure of which is said to represent a serious risk to public safety and national security ? Are these just documents on joint programs, or would they also contain other information as in the US spying on their closest ally or their IC's collaborating in ways less known to the public of even HMG ? If I were a British MP, peer or working at GCHQ/MI5/MI6, that's the question that would be on my mind now.

Clive RobinsonSeptember 1, 2013 10:29 AM

@ Autolykos,

    What's going on here? Are there critical implementation flaws in TrueCrypt? Is AES (or Twofish, or Serpent) broken? Was Miranda using bad passwords(and if so, why didn't they decode the volume key and all the data)? Or is Scotland Yard just treating us like mushrooms (keeping us in the dark feeding us bullshit and removing anyone who sticks his head out)?

If it's only 75 out of many thousand thats been "reconstructed" my guess is it's not TrueCrypt.

First off ask yourself if this witness is actually in any way an expert in the field --most probably not-- or if she is giving first hand knowledge? (both of which are extreamly unlikely due to the "informed" comment).

Now consider the use of the word "reconstructed" instead of the more normal "recovered" it might have significant implications as to "the creating of evidence" for instance.

But it may be possible it is the correct usage. Consider that the drive concerned is refered to as an external hard drive not memory stick, if that is correct then there is a distinct possibility that the drive has been used repeatedly and not as a single use throw away item.

It may have been used at one time to store the documents in plaintext form and then been improperly reformated befor the TrueCrypt container was added.

Further the reformating may possibly have marked blocks as bad or ignored blocks that were already marked as bad and thus there are plaintext reminents that have been found containing one or two fragments that could be used to identify individual documents from a suspected list of documents.

Either way the stupidity of the current UK Home Secretary is very likely to leak lots of information that effects "methods and sources" rather more than the Snowden Documents themselves. Which makes comments I've heard about her (see my post on another page of this blog which contains the words "psychotic baboon") all the more belivable.

The last time we saw this sort of behaviour from a woman Conservative politician was from Maggie Thatcher over the likes of "spy catcher" a third of a centuary ago, so there realy is no excuse that the Home Sec does not know just how much harm she is likely to cause. I'd be realy suprised that "the powers that be" in the Home Office / MI5 or over in the Forign Office / MI6 or even GCHQ have not advised quite strongly against it.

On another historical note, Mr Miranda is now at home in Brazil, and has a recognisable "family life" with Mr Greenwald. The UK has a very poor record when it comes to "extradition" with South America esspecialy Brazil (look up Ronnie Biggs and "The Great Train Robbery" especialy where a "family life" with a Brazilian national is concerned) thus it is extreamly unlikely that the UK will be able to extradite either of them to face criminal proceadings. Likewise Ms Poitras although a US national is currently residing in Berlin in Germany, which is a country where the politicos are currently talking rather seriously about sanctions against the US.

Further as far as we know Mr Snowden did not steal any --alleged-- UK Documents from the UK but only from the NSA which "might" have been given them by the UK. And so far nobody has suggested that these alledged 58,000 documents or the supposed 75 "reconstructed" documents have come from any another source, or where copied by Mr Snowden anywhere other than on US soil.

Also there is a reasonable probability that they are in fact not UK documents but actually US documents, because under copyright law if you use with permission part or all of a document within another document, which is a new document and thus a "new work" or at best a derived work and copyright would be held by the author or the employers of the author of the derived new document.

The reason for thinking this may be the case is usually an intel assessment document is very much a derived document for security considerations to hide "methods and sources". Such assessments consist of the "sanitised" assessment it's self that in turn consists of sanitised "managment summeries" and quotations from the original documents. This alows those of lower security clearance to see the assesment. The full assesment ment for a very restricted few may also have attached as supliments or apendicies the original documents the assessment used. Thus a fragment of an assesment or it's apendix could point to both the compendium assessment as well as the original document...

Outside of UK juresdiction the UK classification of a document has no legal meaning unless there is prior agreament that it should be placed in the new juresdictions classification system. Thus in the case of Brazil and probably Germany as well no crime has been committed by Mr Miranda, Mr Greenwald or Ms Poitras, only potential copyright infringment, that may well be covered by the respective nations journalists "shield laws" and as such "protected communications" from Mr Snowden.

So all in all it's difficult to see what "criminal" or for that mater "terrorist" activity the UK Police are investigating.

Oh and "airside" of airports might be considered as either "international waters" or "territorial waters" as such there are international treaties under which persons in them do have legal rights, and thus as treaties generaly are considered to have greater legal priority over juresdictional legislation the UK could be found guilty of amongst other things "Piracy", "restriction of trade" and breaches of "Human Rights" all of which England has been accused of and in quite a few cases found to be guilty of, or more diplomaticaly "have been found to act unlawfully".

X9821001September 1, 2013 11:07 AM

Question regarding the linux distros discussed above:

LPS does not contain any drivers to mount any existing HDD. My understanding is that Puppy Linux, and others, do contain these drivers.

Suppose your primary security concern is that, while using LPS or Puppy on a machine with a HDD and connected to the internet, the HDD be protected even if one encounters a malicious website or file. That is, the malicious website or the malware "downloaded" may compromise that particular session of LPS, but it will be unable to access the hard drive.

Is LPS superior to Puppy, or other alternatives, for this purpose?

PeterSeptember 1, 2013 11:54 AM

All those strong or less strong encryption techniques are worthless if you don't protect your passwords. And even the strongest password is worthless if a well equipped hostile intelligence agency is logging all your keystrokes.

That's why top secret information always have to be handled in highly secured facilities. Bringing them out into the open and working with them there is almost the same as handing them over to say the Russians or the Chinese.

JonSeptember 1, 2013 12:31 PM

It's also quite possible that these 'authorities' are lying their asses off in order to scare other potential leakers.

Keep that in mind when stories start to get internally contradictory.

Jon

FigureitoutSeptember 1, 2013 12:36 PM

The hardest part of opsec is finding individuals paranoid to take the process as seriously as you do; otherwise you're working by yourself which while you can track leaks you can't do nearly as much in a timely manner. The next is the leap of faith that all your background investigation failed you and you trust an agent.

Also if your device is already compromised you're wasting your time installing an OS (from the internet lol; download sites are never spoofed or files corrupted...) on a keylogged bluetooth machine unless you just want to check it out.

I prefer no memory barest to the bone devices in these scenarios, you miss the message, connection lost; try again later. Nothing to analyze except your location/time/etc and the airwaves which last I checked is so chock full of waves it would make your head explode.

It's not fun, takes a lot of time (usually wasted doing something that should take no more than an hour in a non-police state) and I avoid it like the plague; b/c even if you're doing it right you may still be showing your methods to be stolen and copied if you're really under surveillance.

Sorry for being "Mr. Obvious", but you might as well just stop right now if you don't address these fundamentals; stressing yourself out for no reason and looking like Austin Powers. Patience is needed.

Daniel September 1, 2013 1:27 PM

Regarding the documents being reconstructed vs recovered.

I wonder if the slipped up and were using SSDs rather than disc hard drives.

Never ever use TrueCrypt or any other encryption program with an SSD. This is especially true with the newer SSDs with TLC NAND. If you do not understand why read here:

http://www.anandtech.com/show/5067/...

In essence, TLC NAND does not ever truly wipe data from the hard drive once disk wear sets in. Even if the drive looks encrypted at the software level it can still leak data at the physical layer. It very difficult to recover but if national security interests were at stake it would not surprise me that they could successfully reconstruct data.

Disc-based hard drives also have data leakage such as the block removal issues Clive talks about but generally are preferred over SSDs.

name.withheld.for.obvious.reasonsSeptember 1, 2013 2:40 PM

@figureitout

Sorry for being "Mr. Obvious",


You should try being "Caption Obvious", or, "Admiral Obvious". It can be a lot of fun.

name.withheld.for.obvious.reasonsSeptember 1, 2013 2:54 PM

@Nick P

Yeah, I remember when HP acquired DEC, it meant the end. It really was the last of the "old school" shops. Today few remember classic engineering practices and are far removed from what it takes to effectively exercise engineering that represents a roubust approach to design, development, and production.

Today it is all about the "App", whatever that means. So much is overburdened by high-level abstraction code that requires ever faster processors and platforms. Amazing, I would have thought by now I could have a cellular telephone that ran off batteries without a charge for a month. I still have a Nokia that will remain powered for over five days. The iPhone I have requires being cycled with power at least once every 30 hours--or less.

Recently I had to deal with a 4G problem (carrier, NAP, and provider would not solve the problem--radio issue of convergence and radio protocol negotiation). I eventually dropped the service but that was after doing a radio survey, convergence analysis, and service acquisition negiotiation. I even tore down the Qualcomm device (uses Ajax for the backend/presentation layer). There is even a device timing management component used within the Ajax application layer. It is a modern day piece of junk. I was so surprised, I would never put my name on something like that damn thing. I'd be more specific but I don't want to run the issue into the ground. I suggest anyone look at any data card/USB devices and the design--sad. Qualcomm owns the consumer data modem card/USBmarket--I think there are three or four different OEM labels that these devices run under.

With the amount of outsourcing of these designs it is obvious that quality is being sacraficed for profit.

A Different ViewSeptember 1, 2013 3:26 PM


Snowden's distribution system for his documents may explain it.

Suppose his system were as follows:

Encrypted documents are distributed to various journalists. Each delivery contains a group of documents divided into differently encrypted subsets. Snowden wants to stagger releases, and control access, and so the keys to those subsets are sent by Snowden individually, over periods of time.

Perhaps he prefers to send a delivery of documents by trusted courier. Perhaps the trusted courier in this case received the key for the first subset of the documents delivered, which he wrote down. The first subset contains the index for all the documents (to show the journalist what he'll be getting if things go well), a number of actual documents to get things started, and an encrypted container (in which all the rest, in a series of encapsulated encrypted containers, exist).

So - the trusted courier is intercepted, his package is taken, and the key to first slice of documents in the package is obtained.

This would explain how the British know the number of documents, and how they have been able to view 75 of them.

But, let's say instead that first container holds just the index and another encrypted container.

Now, here's a question for the real cryptography experts:

Suppose the British have this index, and so know what is contained in the encrypted container. Would they be able to use that knowledge to then decrypt the container and prove that the documents listed on the index are actually in the container?

If they could, would this process proceed in a way that would allow recovery of some documents before others, or would success happen all-at-once or not-at-all?

Alain from SwitzerlandSeptember 1, 2013 4:21 PM

This story makes it sound like a lot of secret data got out of the NSA into the hands of people who are not able to protect it strongly. So, maybe there are really lives of spies in various countries at stake at the moment or similar things, which would make some recent "government" actions a bit more understandable even from the point of view of a free and democratic society.

But let me step back a bit and look at the fundamental problem with the NSA: No matter how sophisticated and good minded the NSA might be, this affair shows that you cannot get security right if you are sitting alone in your box.

Just like today's common cipher algorithms are public and only the keys secret, the structure of an organisation like the NSA should maybe also essentially be public, only the actual data should be secret.

A future NSA that would be structured such that it can efficently detect the bad guys, but not such that it can broadly spy on regular citizens nor such that its data can be easily stolen, is something that probably lots of people inside and outside of the USA would support, and those knowledgable enough would be glad to help structure it within a publicly open process, similar to how AES came to be.

Too blue eyed, too naive? Maybe. I am just a physicist from Switzerland, a country that like the USA once had to fight for its freedom and democracy - that actually never stops, staying free is a constant effort by everybody...

AutolykosSeptember 1, 2013 4:26 PM

Suppose the British have this index, and so know what is contained in the encrypted container. Would they be able to use that knowledge to then decrypt the container and prove that the documents listed on the index are actually in the container?
I'm not an expert on cryptography (more of an interested amateur, really), but that would amount to a successful known-plaintext attack, and by today's standards that means the cypher is broken. I'd be very surprised if they could pull something like that off, because it would mean they're far ahead of anything public research could even dream of. The best I expect them to be able to is compare file size (unless the containers are padded/oversized, and I expect Snowden to be smart enough to do that). Similar file sizes might convince a kangaroo court, but they are worlds away from actually proving anything.

MarkHSeptember 1, 2013 4:54 PM

@Daniel:

I didn't follow the logic of your warning about using TrueCrypt (for example) with SSDs (solid state mass storage devices).

I think what you meant to say, is never store plaintext (unencrypted files) on an SSD whose physical security is not adequately protected. Did I get that right?

Surely, if TrueCrypt (or other hopefully sound encryption software) is used to encrypt plaintexts from a physically secured source (such as an adequately guarded/disposed mass storage device), and the resulting encrypted file(s) created on, or copied to, an SSD ... then the data remanence properties of the SSD don't matter.

martinrSeptember 1, 2013 6:28 PM

There are a number of things at play.

The agencies currently don't know everyone (and/or for sure) who is holding copies of data from Snowden. By forcing the "known" ones to destroy their copies, whenever governments find a possibility to abuse the law, they might be able to discover yet unknown folks holding copies by doing traffic analysis on the known reporters that are trying to obtain another copy. Vague similarity to Harry Potter chasing and destroying Horcruxes.


The problem with leaks the (assumed) size of Edward Snowden is that it may impair the agencies abilities to detect new leaks and to distinguish a traditional "small leak" that adversely and significantly affects specific operations from side-effects of a "huge leak".

The agencies are probably monitoring the performance of their own operations very closely, and would notice leaks about specific operations fairly quickly through their statistics (comparing how the numbers evolve individually and in comparison between different countries).

Maybe it was so easy for the NSA and GCHQ to subvert and secretly monitor their respective national news/press reporter activities, that they have to assume foreign intelligence to have similar capabilities, and therefore obtain all data that reporters are decrypting and reading.

How did GCHQ know exactly which Guardian Hardware needed to be destroyed, and there really was no other copies left on other equiment -- other than by closely monitoring what the folks at Guardian (and their equipment) is doing?


Clive RobinsonSeptember 1, 2013 6:31 PM

@ Daniel,

    Never ever use TrueCrypt or any other encryption program with an SSD. This is especially true with the newer SSDs with TLC NAND.

Actually it should be "Never uses Solid State or Flash memory twice"

Which is what my (understated) comment about single use thumb drives above is about.

But as with all rules there are exceptions but... leave them to real "experts" who have the standard "side arm" toting minnions to ensure not just the rules but exceptions and auditing are strictly adheared to by all regardless of rank...

From a practicle view point for many people transporting CryptoMat, QIC or DAT tapes have many advantages besides being cheap and easily bulk erased (they burn fairly easily and some have quite low temp demagnitizing properties). Also some recordable CD/DVD stock require quite low temps for the data "pits" to be rendered unusable in ordinary equipment (not sure if there is specialised optical equipment that might do it).

Obviously DON'T re-use CD/DVD media twice even if it is re-writable due to data retention issues. However even Write Once recordable CD/DVD has a "gotchher" in that a "closed session" can be re-opened and data added. Providing you know this it's fairly simple to add "tamper detection" safe guards to make it obvious that the data has been tampered with.

To play safe you should use "tamper detection" on all transfers and preferably at all levels (ie as a minimum do it to the plaintext, encrypt it and then do it to the cipher text, and watch out for protocol gotchers of which there are several).

As for KeyMat, it's generation and correct handeling and auditing are more difficult than getting basic two party encryption working (hence the love of PubKey and PKI, both of which realy should be treated with a lot of care and caution these days).

Shiping of KeyMat can be problematic, in times passed it was carried by "diplomatic couriers" in some cases as photographic film negatives that had been neither fixed or developed. Later it was carried in electronic "fill-guns" and these days specialised "Crypto Ignition Keys". With the exception of photographic film none of the other methods are available these days for ordinary individuals.

Another method of old was to use a "genuine lead" pencil to mark a book, the lead after gentle erasing was not visable to the human eye or optical techniques of the time but would show up on low level X-Ray images. Technology has moved on and chemical sprays and flouroscopes etc reveal such techniques.

However it has been noted that old fashioned "book codes" can with a little extra effort work today. Put simply the more sentances you add together the closer it becomes to a flat distrubution, you also need to add some further tricks but it's possible to memorise a method without needing to carry the book across borders or send by surface mail etc.

WaelSeptember 1, 2013 6:37 PM

@ name.withheld.for.obvious.reasons,

Yeah, I remember when HP acquired DEC, it meant the end.

To be precise, Compaq acquired DEC. Then Compaq and HP merged. The product I liked from DEC was the Alpha processor, which was subsequently sold with some of the engineers to Intel. If my memory is correct, a lot of the Windows NT architecture came from DEC, especially the device driver model with it's "Object oriented" nomenclature. Adapter Objects, Device Objects, Driver Extensions,... Lookup Dave Cutler.

The end started long time ago, when stakeholders chose to outsource / offshore engineering for a near-term profit. Good tactic, horrible strategy. Yes! I agree that means the end by way of self destruction. If the MO continues on the same path, then it's just a matter of time before the inevitable. I read at one point, maybe in the late eighties or early nineties, that the mighty English empire could not produce a single engineer to build a bridge and had to import that skill set...

name.withheld.for.obvious.reasonsSeptember 1, 2013 6:46 PM

@Wael

I didn't see the acquisition of DEC by Compaq as problematic. Compaq had only limited data center exposure and no real mid level server platform. In fact you could barely tell anything had changed at DEC.

When HP came into the picture it was obvious that there would not be an Alpha/Apollo platform. And, HP at the time of the purchase was preparing to spin Agilent, the T&M group seemed to have its stuff together. Sad days.

The PhantomSeptember 1, 2013 6:49 PM

@Autolykos • September 1, 2013 2:06 AM


...containing data encrypted by a system called "True Crypt," which Goode said "renders the material extremely difficult to access."
Goode said the hard drive contained around 60 gigabytes of data, "of which only 20 have been accessed to date." She said that she had been advised that the hard drive contains "approximately 58,000 UK documents which are highly classified in nature, to the highest level."
Goode said the process to decode the material was complex and that "so far only 75 documents have been reconstructed since the property was initially received."

So based on above, one alternative could be (anyone feel free to correct me if this sounds wrong) that:


  • Data encrypted by TrueCrypt may be difficult ,but not impossible, to access. This difficulty would conceivably result in a slow process.

  • UK had so far been able to "access" (I guess this means "make readable") the MBR and 20GB of the available data.

  • This 20GB consisted of the 75 documents.

WaelSeptember 1, 2013 6:54 PM

@ name.withheld.for.obvious.reasons

I see. Compaq also acquired Tandem which gave it a lot of exposure to ATM. I believe the DEC acquisition was part of a bigger strategy that included Tandem with it's non-stop operating system, Himalaya? HP Spinning off Agilent was a mistake in my view.

Dirk PraetSeptember 1, 2013 7:02 PM

@ Clive

If it's only 75 out of many thousand thats been "reconstructed" my guess is it's not TrueCrypt.

Occam's razor probably applies. I believe these 75 "reconstructed" documents are one or more index files recovered with the password on paper, the recycled contents of Miranda's OSX trashcan as well as a number of password protected Office documents. If they were naieve enough to think Miranda could get through Heathrow without problems, they probably wouldn't have taken the precaution to use proper encryption on anything they were working on either.

As for the legal angle, the witness statement by Deputy National Security Advisor Robbins in paragraph 5 says Miranda's stuff was being detained pursuant to paragraph 11 of Schedule 7 to the Terorrism Act 2000 (TA) for fear that the contents represented a risk to national security. Having consulted with several lawyers over the weekend, they are unanimous that although this paragraph is applicable for the seizure of properties indeed, the Met/HMG had no legal grounds whatsoever to detain Mr. Miranda, neither under international law or TA 2000. This would have required probable cause that he was in some way affiliated with terrorists or had plans to disclose sensitive documents to terrorists. This was obviously not the case. The argumentation used here is that of (unintentional) "aiding the enemy", a charge Pfc. Manning was also recently acquitted of, thus setting an interesting precedent for other such cases.

One person argued that under this reasoning, and without proper amendments to Schedule 7, in its current form the government can use and abuse it at will to detain anyone suspected of having even something as silly as a dishwasher manual on his laptop/smartphone.

@ Figureitout

The hardest part of opsec is finding individuals paranoid to take the process as seriously as you do

Hear, hear !

I think this was exactly the frame of mind Snowden was trying to get them in when setting up the Rubik's Cube meeting. Unfortunately, the analogy of getting people to do backups comes to mind. You can point out the dangers of not doing so a million times, you can cite countless examples of folks who lost all of their data/pictures/contacts, but they still won't do it until it happens to them (twice).

Perhaps we should use the combined brainpower of this blog to write a decent opsec manual for investigative journalists and send in some cool presentation for next year's Black Hat or Def Con.

Nick PSeptember 1, 2013 7:49 PM

@ Wael

"Compaq also acquired Tandem which gave it a lot of exposure to ATM. I believe the DEC acquisition was part of a bigger strategy that included Tandem with it's non-stop operating system, Himalaya? HP Spinning off Agilent was a mistake in my view."

It's funny you mentioned that. I was trying not to get too far off topic but my pre-revision post included NonStop. My hypothesis was that both NonStop and VMS target the same market segment (mostly), so they competed against themselves. And they might have felt for one reason or another they should ditch VMS to focus on NonStop for that segment. Unfortunate for diversity and options for consumers.

@ X9821001

"LPS does not contain any drivers to mount any existing HDD. My understanding is that Puppy Linux, and others, do contain these drivers."

If any of them don't (excluding LPS), you can probably find online help to fix that. An LPS review said you use a RAM disk or flash drive so flash drive would be where you store your truecrypt volume for it.

"Is LPS superior to Puppy, or other alternatives, for this purpose?"

Can't tell. LPS is designed specifically for that kind of thing. Puppy is often used for that kind of thing b/c you're not messing with the HD by default. Then there's using Write Protect, your BIOS settings, or disconnecting the cable to protect your hard disk. All in all, though, I don't see these distro's being hit by malware because (1) not being targetted really and (2) limited window of opportunity.

Anything more being said would require a strong review and evidence to back it up. It would be guesswork otherwise.

Re Truecrypt risk

I don't think there is a risk for SSD. Data's encrypted with strong algorithms and an effective mode before it hits the SSD. Probably not an issue.

gonzoSeptember 1, 2013 11:07 PM

There are only two things that can make heads or tails of the information available in the press regarding Truecrypt:

Scenario A: The mule really did have a password written down, but (let us suppose) it was only for a single encrypted volume among many. Here, the explanation would be that from its format, the security apparatus set about to perform brute force searching of related passwords. Since Truecrypt performs thousands of hashes of the pass phrase and salt to yield the volume encryption keys, that would explain the statements of it taking some time to find files.

Scenario B: This is the considerably more troubling conclusion that, alas, all the bellyaching about Truecrypt potentially being a product of the intelligence apparatus is TRUE. Consider the long griped about difference between the header files in the Windows and Linus versions.

In a nutshell: The Windows source code provides for filling unused encryption header space filled random data, which is then encrypted; the linux source code fills the unused header space with zeros, which are then encrypted. There is no explanation for this difference, and its consequence is that on a Linux system, one can verify the lack of any "unintended" inclusions in the unused header space by decrypting the header and finding zeros in that space. Decrypting a Windows header yields "random" data.

The concern, of course, being that the pre-compiled Windows executable could be created so as to place more than just random data in that space.

I'll add that there's also enough room in the unencrypted 64 bytes of salt for a master and xts key for a single cipher.

Extraction of individual files using backdoor keys would require specialized software, and perhaps some extra work. An intelligence apparatus that knows it would be able to get at the content of these drives due to the back door -- but finding itself disinclined to reveal the backdoor directly -- might, it seems to me, decide to "leak" a false indication that the subject was found with a password written down, thus supplying a ready explanation for their being able to access those files.

Of course, one would think that if the intelligence world had the ability to decrypt Truecrypt files, Snowden would be aware of that and would not have permitted his press contacts to use that system. Or perhaps he DID know that, and this little adventure was intended to provide the focal point for a soon to occur "reveal" of this capability.

DanielSeptember 2, 2013 12:16 AM

@ Nick P

"I don't think there is a risk for SSD. Data's encrypted with strong algorithms and an effective mode before it hits the SSD. Probably not an issue."

This is a common misunderstanding. The problem with solid state drives has to do with the physics of silicon. A typical hard drive operates using a series of binary 0/1 bits where a state is magnetically flipped from one polarity to the other. On the other hand, silicon uses "fuzzy" voltages to achieve the same effect. A logic gate in silicon is never in a true 0/1 position but only is so approximately. Further, silicon also has a "memory effect" that the magnetic coating of hard drives does not have. On top of this most large SSDs also use wear leveling logarithms implemented via firmware .

The article I linked to above explains the physics in more detail. The upshot is that even though the firmware on the SSD controller views a cell of silicon as "erased" it is not actually erased. It is only "fuzzily" erased. Silicon does not wear uniformly; it tends to wear more to one side of the logic gate than the other. The more voltage cycles that are applied the worse this problem becomes. The net result is that when data is read off the disk, encrypted, and written to the disk again there is a physical legacy on the SSD that with careful analysis can be ascertained. It doesn't take much detritus spread across gigabytes of data for some unencrypted data to be reconstructed.

Unlike Clive, I wouldn't go so far as to say that solid state drives should never be used twice. But they do have additional attack surfaces that a magnetic hard drives do not. I would never advise using one for a system OS with whole disk encryption, for example. That's asking for trouble. But even a USB drive could be suspect if it was used heavily or if it was cheap triple cell.

name.withheld.for.obvious.reasonsSeptember 2, 2013 1:52 AM

@ Wael, Nick P

Wow--I haven't heard Himalaya in quite some time--makes me feel old.

Seems you both are "old-school" and I mean that in the positive sense of the word. It also seems you are in good company with Dirk and Clive. If you guys say something I tend to pay attention. There are others here that are quite astute, seasoned and informed pros that have a deep history, and I appreciate your comments. Which allows me to regain the ground I'd lost by going so far-a-field.

1.) Was the original, or First, Snowden PSYOP the flight out of Bolivia that was intercepted in Europe--could this be a part of his determination as to his exposure (he's effectively grounded in Russia)? I believe the Russians were performing the OP to determine the veracity of what Snowden had revealed. Using the opportunity that was his presence in Russia to test some communications.

2.) Does Snowden's OPSec look genuine? There seem to be bits and pieces that don't make sense--can't put my head around it. The issue about his deliberate appearance within the NSA seems to out of the norm unless he was associated with some nation state. Individual motivations to out an organization seems to have some socio-political component to it...

3.) Could he be under the management of a handler? It seemed at first the most effective way to get releases of this data would be to recruit from within. Find a lower level person that is sympathetic to your cause. Not hard to determine who the "Patriots" are. Use that person as the conduit to effect some outcome? Seems something at a senior level would do to shield themselves (probably knows that their is an immediate cost--assassination for example).

All of this is supposition on my part, don't really like making guesses at what is going on but in situations such as this conjecture is about as good as it gets.

4ammerSeptember 2, 2013 2:37 AM

With everyone running around on their "fancie" quest to use classical ncryptn skeem applied to theater, I can't help but wonder 1 theeng. This is modern tweny-furst sintury. D-Wave dcryptshon is quick. I thought cutting-edge cryptoh "is" in quanta.

And please don't underestimate the power of stupid people or the way they move, inflect, or act. They may spew stupidity on 3/5 "passive" senses, but they would have any annalyst guessing for years if what they did or said had any basis for intelligent life/ movement (you may need NASA. Whoops, added an 'A'). Meh-sheens are good phorse multypliers, but you have to be looking in the korrect direction to apply them f-ectivly.

4giv the typose.

WaelSeptember 2, 2013 2:46 AM

@ name.withheld.for.obvious.reasons,

Age is just a number. I pay close attention to what you say as well, along with Sir Clive Robinson, Nick P, Dirk Praet, RobertT, and a few others who gained my respect...

As for Mr. Snowden, and News in general, I tend to be more of a listener than an active participant. You guys analyze things in ways I can not imagine -- in the good sense of the word as well.

Good, possible suppositions you mention there.

Me? I can't tell news truth from falsehood these days. Information and disinformation is so mixed up it's mind boggling. Security Agencies, you know, are not stupid. They hire the best minds in both technical and psychological fields. It takes an immense amount of effort to extract truth and intent -- if these even exist. I learned a long time ago that politicians are taught to be liars -- so I believe none of them.

Clive RobinsonSeptember 2, 2013 8:08 AM

@ Nick P,

    I don't think there is a risk for SSD. Data's encrypted with strong algorithms and an effective mode before it hits the SSD. Probably not an issue.

You are taking a way to narrow view, think "human failings", not "technical failings"...

Humans are very good at being inventive due to being lazy, having accidents on an almost daily basis and importantly very bad memories. Almost by definition humans are "A walking disaster area" and should have died out due to evolutionary pressure, it's why we joke about "Sod's Law" in general and "Murphy's law" with technology... All of which is disasterously bad for OpSec as history shows with the repeatability of a run on a hammster wheel.

Rule Number 1 with humans is KISS, and number 2 is nothing is "Fool Proof" (as fools are never available due to everybody knowing they are smarter than that ;-)

Hence making the "Never use twice Rule" it reduces the "human element" if they follow it absolutly (if they don't just shoot them, it's probably kinder in the long run as potentialy you are saving them a life time of hurt).

From the technical point of view both magnetic media and flash chips are hidden behind controlers, and as a general rule delete only means "change the meta data" not "over write the data", further neither are reliable hence "bad block marking" and "wear leveling".

In the case of flash it's so unreliable that the real size of memory is upto 50% bigger than that the user sees, and wear leveling walks slowly across it all untill it's forced to perform a very expensive "erase cycle". Which means you cann't use "secure erase" products because you don't overwrite memory just perform a write to the next block on the hidden "free list".

Which means that a well technicaly resourced opponet "leap frogs over" the controler and talks directly to the flash memory with the certainty of reading data that a user considered erased but was only "hidden" from them by the controler...

So on --non battery backed memory such as-- typical solid state drives (flash chips) nearly everything writen to it in normal use is still there, it's only in the exceptional case where a user has written one and a half times the advertised drive capacity that data finaly gets erased/over written, and then only if it erased reliably which quite often it won't...

So getting back to humans, the chances are if you allow re-use then they will copy some plaintext on it and then forget about it because they will assume incorrectly it's been erased...

But there are other "re-use" issues which users don't understand and quite a few security consultants don't either and that's "crypto modes" that you mentioned.

Whilst it's not generaly much of an issue with "communicating data" it is a very serious issue with "ordinary use storage", and it's an example of "Efficiency-V-Security". The fastest and easiest way to encrypt a hard drive is with a stream cipher, where the stream is generated by a HD LBA sector number related cipher, because it alows easy random access and pre-computation. It's also very insecure due to the "Never use an OTP twice" problems.

Now consider this on a flash drive with leveling and a standard office application with "auto save" on. The app writes out to the drive and "overwrites" the same position in the file, the OS sends this to the same LBA sector, and thus encrypts with the same segment of stream cipher. However on the flash chip on the other side of the wear leveling controler the old LBA is not over written it's just written anew. Now in the flash chip you have two blocks of differing plain text stream ciphered under the same segment of stream which is the major "No No of OTP use".

There are similar issues with block cipher modes as well, however the "open community" knowledge in the use of modes for HD encryption is not as well researched as it could be so there may well be "gotchers" we are currently unaware of which are known to the likes of the closed communities of the NSA, GCHQ et al.

Thus "Efficiency-V-Security" in cipher modes is why HD encryption is a very hard problem especialy where "reuse" can happen, especialy if the HD encryption is assuming "LBA sector overwrite" is valid (ie for magnetic media not flash).

So the "Never use media twice" rule eliminates known and unknown mode issues that arise from media/mode assumptions, for what is in effect a very low cost when it comes to the likes of "thumb drives" and low end SSDs.

As has been frequently observed "You pays your money and you make your choice" and hope your risk analysis is valid...

WinterSeptember 2, 2013 8:31 AM

A question. Consider the following use case:

I copy a TrueCrypt container onto a virgin USB flash (thumb-)drive and then open the TrueCrypt container directly from the flash drive.

1) Is there any information about the read and write operations on the opened TrueCrypt container stored on the electronics or memory area of the flash drive? Say, some kind of cache memory of transferred bytes?

2) Will the OS (which OS?) store files or directory information in cache files?

Nick PSeptember 2, 2013 11:07 AM

@ Daniel, Clive

I appreciate the reply. I haven't heard of any compromise that's happened in practice. Yet, the possibilities you both present mean that using the SSD's is a bad idea. I previously avoided them because of their wear levelling algorithms. Now a new reason.

While analysing this, I also looked into SSHD's. These are the hybrid devices that combine a HD for storage and SSD-style flash for performance boost. I was trying to determine the risk the SSD element poses. Ideally, there would be no direct access to the SSD portion except in its hardware. My quick research showed that this is not the case: vendors might use firmware, drivers, client software, etc. There's not really a standardized method that I see. So, we should probably consider the SSHD's bad for crypto too.

@ name.withheld

"Seems you both are "old-school" and I mean that in the positive sense of the word. It also seems you are in good company with Dirk and Clive. If you guys say something I tend to pay attention. There are others here that are quite astute, seasoned and informed pros that have a deep history, and I appreciate your comments. Which allows me to regain the ground I'd lost by going so far-a-field."

Why thank ya! Re your three bullet points, I have no comment because there are many variables and a lack of concrete data to go on. More speculation than anything else.

FigureitoutSeptember 2, 2013 12:11 PM

name.withheld.for.obvious.reasons
--Check this out (lol, this is the best one.

Dirk Praet
--Yeah, I probably would've made a little longer of an easter egg hunt but maybe there's some details being left out.

I love calls for collaboration and action, but I don't really like true opsec, makes me too anxious. I want to be an engineer not a spy. I would be willing to post some simple 2-way radio comms solutions though; and we need a shielded briefcase; and we need a device that burns its entire contents (extremely reliably) at the push of a button of course so that instant before the Stasi gets you your secret is secure.

Z.LozinskiSeptember 2, 2013 12:51 PM

Figureitout: " and we need a device that burns its entire contents (extremely reliably) at the push of a button of course so that instant before the Stasi gets you your secret is secure."

Good luck with that. I have a distant memory of a device designed to do that for the US military (1960s?) whose failure mode was that the thermite charge burnt straight through the case and came out the bottom, but didn't actually incinerate all the contents. Tracing the origin of the legend might be interesting, but it wasn't in the first two places I checked: Ross Anderson's Security Engineering and Risks Digest.

FigureitoutSeptember 2, 2013 1:50 PM

Z.Lozinski
--Thanks I'll need it. I was thinking more along the lines of simple butane and piezo-ignition for thin paper destruction. Maybe add a fan/battery to blow the ashes into oblivion. Small handheld and finger on the trigger when transporting.

Nick PSeptember 2, 2013 2:12 PM

@ figureitout, Z.Lozinsky

Many of the NSA designed devices in the past came with a "zeroize" function that wiped key material with a button press. My own similar designs copied that albeit with random overwrite instead. Another trick I use is keeping the critical data in a specific section of physical memory (e.g. first so many bytes) so it's easier to guarantee its destruction.

Old discussion about these things:
https://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

I'll add that, since then, several new possibilities have appeared:

1. Using a SOC like Aegis, SecureCore, or SecureME processor that encrypts pretty much everything going out of it. Makes everything else untrusted.

2. The Air Force's HAVEN virtualization system uses an FPGA system to encrypt the RAM of running machines. Run your sensitive data that way and now you're mainly worried about destroying a key. That's one zeroize button away. ;)

3. Although Clive and I worked out nice thermite solutions, Skunkworks improved on them nicely with a recipe that could be used in a server room w/out harming other equipment. Or in your house without harming... your house.

Just make sure, for thermite solutions, you use at least triple redundancy, very simple components, and shielding from environmental stuff. It's also best to keep them in a concrete enclosure both to contain the mess and to keep an incoming attacker from simply knocking it over to interrupt the progress.

Clive RobinsonSeptember 2, 2013 2:53 PM

@ Figureitout,

    ... we need a device that burns its entire contents (extremely reliably) at the push of a button

Such devices exist but they don't use fuels but oxidating solutions (conc acid).

The problem with trying to burn things in a closed container is invariably not a lack of fuel (which paper plastic etc are) but very quickly a compleate lack of oxygen.

The problem with intense heat sources like thermite is that unless they start secondary fuel burning there is insuficient energy to cause destruction of what are in fact rather good insulators that don't melt untill much higher tempratures (heat resistant tiles on some structures are made of modified paper, and "sprayed paper" is used as a heat retardant around steel structures in buildings etc to meet A ratings, because the surface scorches but cann't burn without a lot of free oxygen).

Acid and other chemicals on the other hand tend to soak in where they can.

To see this all in action use granulated sugar. If you use a blow/cutting torch on it you "caramalise" the surface but 10cc of conc sulfuric on the same size pile and you end up with a large chared pile of carbon by products.

All that said if you want to test just how difficult the problem is get a few old telephone directories, they don't burn, they don't melt, they are very difficult to soak through by pooring liquid on them, they are fairly impervious to bullets and likewise they survive quite powerfull explosions rather well.

All in all it's a difficult problem with paper, even the paper used with tabbaco products is chemicaly impregnated to make it burn reliably...

And this chemical preperation of the paper with nitrates or permanganates to cause release of oxygen is the way such things have been done in the past, however the process is in effect the "nitration of celulose" which is the first step on making explosives. During the late 1800's nitrated celulose (celuloid) was the second man made plastic (casin from milk was the first) to be used in industrial scale manufacturing. One product made was billiard balls and there were reports of these balls sometimes exploding in use.

Another use was and still is for coatings on playing cards, however as they age with use they leave traces on players hands that show positive in most tests for explosives...

So all in all destroying paper with information on it is quite problematical and risky. Which is why I prefer QIC and DAT cassets they melt quickly and fairly consistantly (better than floppies in this respect) with quite small quantities of thermite.

Z.LozinskiSeptember 2, 2013 5:26 PM

Figureitout, Nick P, Clive, Buck. I found one reference, to a Perkin-Elmer device from the 1990s which is designed to incinerate a canned electronic package: "For example, these devices could be used to destroy sensitive components to prevent their capture by adversaries."

There is an interesting discussion of the failure mode of the original device, where 2 of 19 devices failed to function. The "electric match" (a bridgewire detonator) that was supposed to initiate the thermite, only melted the thermite due to a change in tolerances from design to manufacturing, and as a result particles blocked what should have been the exit hole for the hot gas. Fizzle.

Lessons Learned Developing a Pyrotechnic/Thermite Torch,
A.C. Munger, B.T. Neyer, E&G OptoElectronics / Star City , Perkin-Elmer Optoelectronics.
Presented at the Munitions Technology Symposium IV Conference, Reno, NV, February 1997.

http://neyersoftware.com/Papers/NDIAFuze/...

WaelSeptember 2, 2013 6:50 PM

Self criticism...

@Wael (yes, talking to myself)

If the MO continues on the same path, then it's just a matter of time before the inevitable.

No kidding! Isn't that redundant? "The inevitable" implies it will surely come after a period of time -- long or short.

You probably should have said something along the lines:
If the MO continues on the same path, then the inevitable will come much sooner than later...

Geez!

Dirk PraetSeptember 2, 2013 7:49 PM

@ Nick P, Clive

On secure drive erase/overwrite:

A while ago, I came across the Blancco product line, referred to their site by the DBAN home page.

- Different products for different devices, flash media being one of those.
- They guarantee 100% data sanitisation on all IT assets with an entire list of certifications such as DoD5220.2M, NIST 800-88, Common Criteria, NATO approval, 6+ other, HIPAA, SOX, PCI and GLB.
-As references, they list NATO (included in NIAPC), the Defence INFOSEC Product Co-Operation Group (DIPCOG) of the UK’s Ministry of Defence and US DoD (meeting and exceeding NISPOM requirements). Caveat: no mentioning of NSA.
- On the technical side, they claim to not only erase user addressable areas but also remapped sectors and hidden areas.

It is however hard to determine from their rather simple Flash videos and product sheets to which extent their Blancco Flash solution tackles the specific problems you guys brought up. I've dropped them a note asking if one of their engineers would care to comment. Interesting fact is that they are a Finnish company, so not subject to US "insecure by law"-issues. Downside: Windows only.

@ Figureitout

... we need a device that burns its entire contents (extremely reliably) at the push of a button

If Mr. Miranda would have carried one passing through Heathrow, he'd now be keeping Captain Underpants and the Shoe Bomber company, having done the Met/HMG a huge favour making their terrorist suspicions/legal argumentation stick.

I want to be an engineer not a spy

I'm afraid for us to be better engineers we will all have to learn their tricks in order to defeat them as it would seem that they nowadays are upon us everywhere and all of the time.

@ name.withheld.for.obvious.reasons

Re. your three bullet points

1) The Morales flight you mention originated in Moskva and was heading for Bolivia. I'm not really sure what the Russians possibly could have gained passing false information on to the US/NATO that Snowden was on board. Unless it was part of an elaborate plan to deliberately evoke a US/EU intervention as to scare the sh*t out of Snowden and keep him in Russia to try and get at his document treasure trove. It has recently been rumoured that Cuban authorities didn't want Snowden on a flight to Havana, which they of course categorically deny. In this scenario, the request to do so did not originate from the White House, but from the Kremlin.

2/3) If Snowden was working for a state actor, he would just have passed on his stash to an agent, kept his mouth shut and boarded a flight to whatever safe destination he had been given by his handler(s). I sincerely believe we are dealing with a radicalised idealist who carefully planned his every move and in his opsec had learned a lot from the mistakes made by Manning, Assange and Wikileaks.

@ @ X9821001

LPS does not contain any drivers to mount any existing HDD

If the main purpose of your minimised/hardened security distribution is communications, why would you need the hard drive ? That's actually best practices when for example you're backpacking through Asia or Africa, and finding yourself in need of using some probably heavily infested machine at a local hotel/internet cafe. Just boot off your USB/CD/DVD, and off you go.

@ Gonzo

all the bellyaching about Truecrypt potentially being a product of the intelligence apparatus is TRUE

There has so far been no credible evidence whatsoever that Truecrypt has been broken. I refer to the tips and techniques explained by Nick P. as to do it right. There are however a number of concerns about its license and because it is developed in a closed fashion. That's the reason that it's no longer recommended by the developers of TAILS who are in the process of searching for a viable migration path.

Prinz Wilhelm Gotha-Saxe-CobergSeptember 2, 2013 10:14 PM

@Dick Praet

2/3) If Snowden was working for a state actor, he would just have passed on his stash to an agent, kept his mouth shut and boarded a flight to whatever safe destination he had been given by his handler(s). I sincerely believe we are dealing with a radicalised idealist who carefully planned his every move and in his opsec had learned a lot from the mistakes made by Manning, Assange and Wikileaks.

Stuck out like a sore thumb. You mint your fortune from state secrets.

Which makes this so unintentionally funny.

Like it or not, there's a "sunk cost" in setting up employment tests to check for one particular threat, while the threat may in fact be from some other direction entirely. The British Empire spent big on setting up the guns at Singapore's port. The Japanese came from the other direction.

Allan DyerSeptember 3, 2013 12:21 AM

@Nick P - I don't think your method of telling them to wait at a particular spot and follow instructions from 'a kid' would work, particularly in Kowloon. An obvious tourist standing around will be targeted by tailor's touts and (in the news yesterday) drug dealers, so, after they've bought a dozen suits and a pocket full or recreational substances, they'll miss your kid. Plus, there is the language barrier and modern communications... most HK locals have a little English, but not enough to reliably communicate specific directions (as friends of mine know from waiting an hour at the wrong ferry pier, being told all the time it was correct), and most people's response to being asked to pass on a message these days would be, "why don't you phone them?".

FigureitoutSeptember 3, 2013 1:46 AM

nick P
--I'm only talking about thin paper for me. That was a good thread though (discussions repeat just like a wave which is a part of my theory of the universe), I'm still reading the archives but math/programming takes up some time too now for school. I would use electrical devices that do not store any information and paper/pencil and hand en/decode my messages. Who wants to talk to me this way?--crickets-- I won't really trust any other way at this time for "secure comms" until I feel more in control of my devices w/ memory which at this time I do not at all. Even my beloved microcontrollers need to be programed w/ my infected pos.

Clive Robinson
--I understand it's a hard problem, but I think I can make a working device that will have vents for air and maybe fans to "fan the flames". I'm holding off on the thermite for now, I don't have a good lab nor a ventilation chamber for these fumes and even as a kid I never had the urge to test the child safety caps on poisons.

Z.Lozinski
--Nice reference, easy site to read.

Dirk Praet
--Yeah well you can't have any protection against non-state criminals? I'm not going to stand for that, having a secret doesn't make you a terrorist. And the incompetent spies don't have tricks that weren't given to them by engineers, they just get paid to stalk people and their properties and use data bases set up by threat of force by dogs that do as they're told. No special talents, creeps all the way. Adopting their lifestyle will kill the human race, I will put my name on that prediction.

Prinz Wilhelm Gotha-Saxe-Coberg
@Dick Praet
--Watch yourself.

name.withheld.for.obvious.reasonsSeptember 3, 2013 11:04 AM

@Dirk Praet

d2/3) If Snowden was working for a state actor, he would just have passed on his stash to an agent, kept his mouth shut and boarded a flight to whatever safe destination he had been given by his handler(s). I sincerely believe we are dealing with a radicalised idealist who carefully planned his every move and in his opsec had learned a lot from the mistakes made by Manning, Assange and Wikileaks.

What if the objective of the OP was to out or shed light on the NSA that would cause a quantifiable level of impedance. Publicity has the effect of rearranging the activities and priorities of an organization. Kind of a disinformation campaign in reverse.

KeymasterSeptember 3, 2013 1:50 PM

@EVERYONE
@Bruce

It will come as a surprise to many of you, but through an official presentation for US Attorneys named "Computer Forensics For Prosecutors" from February 2013 it already became known (not widely yet, though) that - I quote:

Backdoors are "currently available for major encryption software - Microsoft Bitlocker, FileVault, BestCrypt, TrueCrypt etc."

Also, the presentation explains that backdoors are "currently implemented by major cloud storage provider to comply with NCMEC requirements."

The presentation then goes on to explain the legal framework concerning these backdoors. The author states that the "Patriot Act allows for the use of backdoors for counter-terrorist investigations", and that "requests for backdoor access can be initiated as part of a counter-terrorism investigation." The author explains that the "fruit of the poisonous doctrine" can be "circumvented" in criminal (non-terrorist) investigations/trials, because

"-The use of backdoors cannot be detected or proven
-Vendors are legally and commercially prevented from acknowledging their backdoors. Defense will not be able to prove their existence
-The files can be described as 'forensically obtained'"

Now you might ask: Can this really be true? Yes, it can, and it is.

The existence of this presentation was first reported by the website "Tech Arp" on April 1, 2013, after the author heard a rumour about it, and then found it after a long search:

http://www.techarp.com/showarticle.aspx?...

However, this revelation has been completely overlooked. The post at "Tech Arp" is also quite "user-unfriendly", as you have to click through several pages until you finally find the "interesting parts" and a download link.

Is the presentation genuine? You can still download the original presentation from the website of the "North Dakota State's Attorneys' Association", although I only found this download link when I searched/googled for the exact title of the presentation. I didn't find a way to get to this download link through the home page of the website.

Link:

www.ndsaa.org/Computer_Forensics_for_Prosecutors.pdf

I do not believe that this is supposed to be a "public" presentation.

In case the "official" download link goes dead:

http://www.fileswap.com/dl/2GRzV4lXPX/...

KeymasterSeptember 3, 2013 2:03 PM

Regarding my above comment:

I am afraid to say that the download link to the NDSAA website I gave above (now???) goes to the 2012 presentation (by the same person), not the 2013 presentation I was talking about. I am now actually unable to find the "original" link to the 2013 presentation, which I was still able to find a few days ago (I am sure it was this link).

But through the download link to the fileswap site you can access the 2013 presentation (which is also reported by the article in "Tech Arp" that I mentioned).

KeymasterSeptember 3, 2013 2:36 PM

AGAIN (sorry):

I am now unable to find the direct download link to the 2013 presentation any more via google ("official link", download from the NDSSA.ORG website). Above I apparently mixed up the link to the 2012 presentation with the link to the 2013 presentation.

But I was definitely still able to find the "official" link to the 2013 presentation via google just a few days ago. This is not the case any more.

"Tech Arp" also provided a download link in April:

http://www.techarp.com/article/LEA/...

Very sorry for the confusion!

gonzoSeptember 3, 2013 2:56 PM

@Dirk

Re: Truecrypt, I was trying to make sense of the public reporting on what the authorities accessed, or not.

On Truecrypt, whether it is "broken" or not, there is that discrepancy in the way Windows handles the headers, and it is a very legitimate concern given, as you noted, the closed manner of development.

I'm going to put DiskCrypt on a test bed soon, as I really do find the Truecrypt issues to be more and more disconcerting the longer I think about them: I mean, really, ..... You have this application developed in a closed fashion, with a very polished web page, seemingly unlimited bandwidth, completely anonymous authors, and the issues where, even putting aside the app signing, people reportedly cannot compile the windows source into an executable that seems to match the pre-compiled distributable.

I used to think the guys who put on their tin foil and said Truecrypt was a product of the intelligence services were off their rocker. Now I'm not so sure.

KeymasterSeptember 3, 2013 3:09 PM

@gonzo

Not sure if you have already seen my previous posts.

The presentation from February 2013 by Detective Michael Smith for the National Districts Attorney Association explicitly states that TrueCrypt has a backdoor, just like other commercial encryption software, and that the vendors are legally prevented to acknowledge this fact.


http://www.techarp.com/article/LEA/...

So it does appear that TrueCrypt could in fact be a "government front organization."

gonzoSeptember 3, 2013 3:43 PM

@keymaster...

Alas... I hit reply early this morning, started typing, and then had a half dozen calls and a meeting, and finally finished my reply and did not see your intervening posts.

It is quite troubling. I would love to see a body that does something in terms of peer review and evaluation of whole disk encryption in the same way that we scrutinize the proposed ciphers themselves.

Its no use having all these great unbreakable codes if one of the most crucial, and thus complicated, ways of implementing the codes are not reviewed and can be subject to a crisis of confidence as now seems justified at least as to Truecrypt and the others mentioned in the slide deck you linked.

KeymasterSeptember 3, 2013 4:33 PM

@gonzo

I never understood why so many people believe that TrueCrypt is 100% trustworthy. The magical word "open source" somehow seems to suppress critical thinking.

So why should we have been concerned?

In 2004 TrueCrypt was first presented to the world, a wonderful, free, pretty complex encryption program which quickly evolved and quite soon became available for all systems - Windows, Mac and Linux. The "truecrypt.org" website was already registered in November 2003:

http://who.is/whois/truecrypt.org

We were made to believe that there is somewhere a selfless bunch of top-programmers (apparently from the Czech Republic, it was first rumored) who want to remain totally anonymous and want no public credit, and who have nothing else to do than to work on a highly complex program, which is available for free for anyone, even for commercial use. They even have their own "association" in the USA (why the USA???), the "TrueCrypt Developers Association, LC" which apparently resides in PA.

If you look closer, you find many curious details:

- The forum at their website is heavily monitored and censored, you find quite a number of reports about this on the internet
- They don't want anyone from the outside to help them, according to reports I have seen in comments
- On their website, they state:

http://www.truecrypt.org/faq

We have not implemented any 'backdoor' in TrueCrypt (and will never implement any even if asked to do so by a government agency), because it would defeat the purpose of the software. TrueCrypt does not allow decryption of data without knowing the correct password or key. We cannot recover your data because we do not know and cannot determine the password you chose or the key you generated using TrueCrypt. The only way to recover your files is to try to "crack" the password or the key, but it could take thousands or millions of years (depending on the length and quality of the password or keyfiles, on the software/hardware performance, algorithms, and other factors). If you find this hard to believe, consider the fact that even the FBI was not able to decrypt a TrueCrypt volume after a year of trying.

So all is great, right? No backdoor! Why should they lie to us???

Well, why should they...?

If you dig a little bit deeper, you find their disclaimer - and suddenly it becomes obvious that in fact nothing which they publish on their website can be believed, because they have one of the "strangest" disclaimers you will ever see:

http://www.truecrypt.org/legal/disclaimers

THE CONTENT OF THIS WEBSITE (AND OF ANY ASSOCIATED WEBSITES/SERVERS) IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY. THE CONTENT OF THIS WEBSITE (AND OF ANY ASSOCIATED WEBSITES) MAY BE INACCURATE, INCORRECT, INVALID, UNTRUE, FALSE, INCOMPLETE AND/OR MISLEADING. THE ENTIRE RISK AS TO THE QUALITY, CORRECTNESS, ACCURACY, OR COMPLETENESS OF THE CONTENT OF THIS WEBSITE (AND OF ANY ASSOCIATED WEBSITES) IS WITH YOU. THE AUTHOR(S), OWNER(S), PUBLISHER(S), AND ADMINISTRATOR(S) OF THIS WEBSITE (AND ASSOCIATED WEBSITES/SERVERS), AND APPLICABLE INTELLECTUAL-PROPERTY OWNER(S) DISCLAIM ANY AND ALL WARRANTIES OF ANY KIND.

It "may be untrue, false or misleading"...!

It is always very difficult to believe that people lie to you. But consider this: One day, some very intelligent guys stuck their heads together and thought: "Well, why should we spend lots of money and resources on very complex and maybe impossible decryptions, when we could in fact just write our own 'irresistible' high-quality encryption program anonymously, distribute it for free to the world, keep it all secret, and have a backdoor! Tell people that it's open source, and they surely will believe it, and they won't have the capability to check it anyway, because we will make it too complex for them. For the other commercial programs, we will just make it mandatory to have a backdoor, and the vendors are obliged to keep this fact secret as well. That would save us a lot of trouble, wouldn't it?"

gonzoSeptember 3, 2013 5:49 PM

@keymaster...

Food for thought, indeed.

Here's one more: The inexplicable disappearance of Sarah Dean, of FREEOTFE fame, her entire web site, her domain, and herself, completely from any communication with anyone on the internet.

Its almost like she got some kind of secret order that she can't talk about or something.

KeymasterSeptember 3, 2013 6:14 PM

@gonzo

Interesting, I hadn't heard that about Sarah Dean!

I think you got the right idea there.

Also remember what the Lavabit-founder Levison said...or couldn't say. When I saw this presentation I linked above, I thought immediately that it completely conforms with the "hints" that Levison gave in his interviews.

http://www.youtube.com/watch?v=Ui3KpztUzVg

According to the presentation:

1. Encryption programs (just US-vendors or US-based??) need to have backdoors for the authorities. The vendors cannot talk about it.

2. Cloud storage providers need to have backdoors as well. (Obviously they are forbidden to talk about it as well)

So it's pretty obvious now (certainly was already, pretty much) why Levison shut down his business.

The presentation doesn't say anything about the procedures, just mentions that the Patriot Act is the general foundation for these measures. So maybe through National Security Letters? I don't know.

KeymasterSeptember 3, 2013 6:37 PM

Already in 2004 there were hints that something is "wrong" with Truecrypt.

Interesting discussion here:

http://forums.windowsecurity.com/viewtopic.php?...

Author: jeshim, PostPosted: Fri Nov 19, 2004 10:19 am Post subject:
----
I don't know about the quality of TrueCrypt, but their developers seem very paranoid about any negative comments or criticisms on their software. Anyone that right is anything they remotely dislike will be deleted from the forums and banned.

As one of the people said before, just because something is open source does not make it automatically secure the very next day. Someone actually has to peer review the code. I tested the forum by asking whether any users knew of any independent reviews of the code, and what do you know the post is deleted within a few hours and the user cannot log on anymore.

if they were confident about their code, they wouldn't be so guarded about people questioning them.

MarkHSeptember 3, 2013 7:58 PM

@Keymaster:

• 2012 presentation "Computer Forensics for Prosecutors" available online from a seemingly valid site

• 2013 version, claiming various backdoors, with identical title and purporting to be conducted about 13 months after the one above, apparently not available from source website, but can be found on TECHarp

• the first several slides are nearly identical between the two versions -- but with some odd changes, for example "Micah" has morphed into "Michael" and "Kaplan" into "Kahlan" (BTW, there appears to a Micah Smith at the Linn County Sherrif's Office, but no Michael Smith)

• the last slide of the 2013 version announces that parts 2 and 3 will be conducted respectively by "Detective Stu Pitt" (sounds not unlike stupid) and "Detective Laughlin Foo" (sounds not unlike laughing fool)

• TECHarp article is dated April Fool's day

Nick PSeptember 3, 2013 8:04 PM

@ Allan Dyer

Interesting points. I'm not current on the Kowloon situation so I'll just accept the one you outlined.

Snowden's apparent requirements and my original setup:

A. Meet in person

B. Specific location

C. Visual ID first

D. Avoid surveillance

A, B, and C can be accomplished by telling them to appear at a specific place. D is easier if you send them to one place, then tell them to go to a new one to spot tale's. It should also be difficult for the surveillance to follow them stealthily (takes some thought to pull off). The last part of my plan was to use a third party to perform the final step b/c they apparently didn't trust their phones. Personally, I think a phone call or text would suffice in this situation.

If not, I've found street hustlers (or their children) can be particularly helpful in areas where people hustle to survive. The offer should be a partial payment (10-25% of total) up front, the directions, a sensible cover story playing on your businessman/tourist image, rest of money on delivery and the message should be on paper in a small envelope. The cover story should imply or easily lead to a justification for a private contact. This will work if you pick the right person. If you fail, you loose a small amount of money and a piece of paper with info that has only temporary value.

Modifying it

Your first objection mostly amounts to distractions and small crowds. The first shouldn't be a problem in this situation as these people meant business. The second can be dealt with using minor modifications. The objection with the most weight is the language issue. Snowden might need a translator or carefully thought out pre-translated messages to use. Otherwise, it's back to my preferred phone/text approach or him just walking over to them.

KeymasterSeptember 3, 2013 8:22 PM

@MarkH

Yes, good points, I am now very confused myself. Yes, it could be an April's fool joke. If that's the case, then I really have to apologize to everyone. Very sorry. It would be a very strange joke, but anyway, could be.

I was really sure that I downloaded it from the original site as well, but I could have been mistaken, and maybe I confused it with the 2012 presentation. Sorry! Anyway, it was still an interesting discussion...

Dirk PraetSeptember 3, 2013 8:30 PM

@ Keymaster

THE CONTENT OF THIS WEBSITE (AND OF ANY ASSOCIATED WEBSITES) MAY BE INACCURATE, INCORRECT, INVALID, UNTRUE, FALSE, INCOMPLETE AND/OR MISLEADING

I have to admit that I have never seen any such disclaimer before, and it's absolutely ludicrous. I don't know if it has ever been tested in a court of law, but I think any judge with even an ounce of common sense would void it on the spot when used by a lawyer challenged by his opponent as to the veracity of their faq statement concerning backdoors.

That said, Truecrypt has been questioned more than once in the past giving reason for some legitimate concern, and especially in the current context it would be reassuring to get some sort of formal statement from the TrueCrypt Developers Association, bearing in mind the powers the USG has given itself under PA Sect. 215 and FISA Am Section 702.

I was equally surprised by your information about Sarah Dean, whose website is indeed unreachable since June 2013 and the domain name registered by another owner. There is a copy of the site left on the Wayback Machine, though, and the latest version (5.21) of FreeOTFE available from Sourceforge would seem to indicate that it hasn't been updated since February 2010. Perhaps this project is just dead and has been so for a while. Which for me is already sufficient reason to discontinue using its software for all but legacy purposes.

KeymasterSeptember 3, 2013 8:46 PM

@Dirk Praet

Despite this strange "business" with the presentation which might not be genuine (although this is still a big mystery for me), my concerns regarding Truecrypt remain (I didn't trust Truecrypt even before I found this document on Tech ARP).

Key WestSeptember 3, 2013 9:13 PM

There are people on this blog who actually seem to be working for The Government Disinformation Department.

MarkHSeptember 4, 2013 12:02 AM

@Dirk:

I'm not taking any position as to the goodness (or lack thereof) of TrueCrypt. I've no legal training and I don't pretend to know what might or might not be defensible in a court of law.

However, with respect to the extraordinary disclaimer -- which does not necessarily inspire confidence -- perhaps there's just a little bit less than meets the eye.

This is my absolutely non-expert suggestion of a possible interpretation:

The US Federal Trade Commission has applied a three-part criterion to determine a category of prohibited advertising. By this standard, a claim is prohibited if and only if it is false, misleading, and deceptive. All three must apply.

"false" is an inherent property of a claim

"misleading" refers to the likely effect of the claim on the decision-making process of a reasonable person

"deceptive" refers to the intent of the entity making the claim

For an example, consider a food product labeled as "cholesterol free", which is likely to increase the blood cholesterol of those who consume it. This claim may be misleading, even though true.

A claim may be both false and misleading, but if the entity making the claim either believed it to be true, or the content was altered (say, by clerical error in a publishing process), then it may not be deceptive.

Someone may knowingly and intentionally assert a false claim, making it also deceitful -- but if that false claim is not likely to materially influence the decision making of those making purchase decisions, or using the product or service (i.e. no harm, no foul) then that claim is not misleading, and so is not prohibited.

In the case of the mysterious TrueCrypt developers, I suppose they might have been thinking that a representation they make in good faith (for example, concerning a security characteristic) could prove out to be objectively false (somebody finds a crack), and misleading inasmuch as people relied on the security claim when deciding to use their product.

Considering that the consequences could be very severe, they might reasonably wish to shelter themselves against liability.

I don't know the thinking of the developers, but rather offer an hypothesis.

Peter SullivanSeptember 4, 2013 5:07 AM

This was the best tweets I got after Snowden

UK Govt: their op-sec was sloppy, but we can't get access to their docs because they're all "heavy encrypted" #GlaringContradictions.

What next to Snowden and is he will get bail.

gonzoSeptember 4, 2013 6:25 AM

Lets consider requirements for WDE that would be for confidence in the implementation:

I have a few:

A. Option for user to supply his/her own salt bytes. The salt can be analyzed for sufficient randomness, but the user should be able to select it in order to preclude any possibility of use of salt bytes as a carrier of hidden backdoor information.

B. Fully commented source code susceptible of review and analysis.

C. Directions for preparation of compiled executable that can produce identical files to those offered for distribution.

D. User selected strings or characters for fill of unused / reserved header areas.

E. Option for user to skip inclusion of backup headers incorporated into container / partitions. (users can and must create separate backup headers that can be restored in case of problems of course)

Other thoughts?

Nick PSeptember 4, 2013 10:28 AM

On TrueCrypt: Safe or Subverted?

There are some legitimate concerns in using TrueCrypt. However, there's more concerns with NOT using TrueCrypt. Here's what we know about it from a security perspective:

1. It's maintained by a closed group of developers with a shared approach to building the project (good for code quality).

2. Its design and crypto approach have mostly favorable reviews by people in that domain.

3. That it maintains security properties, speed and reliability on 2-3 platforms speaks to the developers' skill.

4. The source code has been reviewed more than once without finding backdoors.

5. I've never seen evidence posted about a backdoor being detected.

6. The TrueCrypt encryption has foiled the Feds plans on numerous occasions.

All together, it seems like the evidence is in TrueCrypt's favor. The main backdoor risks I see are these:

1. The binary is the source + a backdoor.

2. Any drivers or hardware interfaces used for full-disk encryption might facilitate a bypass due to their privileged status.

3. Users assume because one version passes an audit that the binary for the next is safe. And it's backdoored.

The solution to these is to compile from audited source. And check the hashes of the source to make sure it's what the auditors had. If that fails, one might be able to get a copy from the auditors. People wanting even more assurance can always raise some funds to pay a well-known security persona or company to dig into the code for them. That TrueCrypt has a decent amount of time between releases that would allow the cost to be spread out over time.

Re Their terms saying they can lie to you

Far as I can tell, the TrueCrypt agreement isn't much different than the norm in practice. Many say anything can change without notice and give the vendor no liability. There's plenty of ways to combine those two to make the users anything but happy. ;) The TrueCrypt claim, if not a legal tool, to me seems like John C Dvorak's goofy Terms of Use or a similar mockery on how bogus agreements are. Non-conformists in software shops are known to do stuff like that.

Re Licensing issues

This is the most legit gripe. I say just ignore their license. Anyone *really* needing to modify it can attempt to negotiate it with the developers, maybe for a large donation. If that doesn't work, then one might just have the mod done in a country that doesn't recognize the laws that protect their code. The TrueCrypt team coming after you legally would only shed more light on them and provide an opportunity to use the discovery process against their organization. Just a guess here but their code has probably been incorporated into many systems with little to no regard for their licensing terms. ;)

Re Subversion resistance

The only way to provide maximal assurance against developer subversion of software is to use an EAL7-type development process with several qualified reviewers and development tools that you trust. And you need a few things on top of that. And clever people still have a few opportunities to maybe slip something in there. Good luck finding an encryption app for personal use that meets such a standard. Meanwhile, TrueCrypt has been good enough for many years now.

MarkHSeptember 4, 2013 12:59 PM

@Nick P:

Agreed.

While skepticism is encouraged, "reasonable paranoia" is meant to be a joke (paranoia by definition is unreasonable).

Those deterred from using TrueCrypt (or other highly respected privacy tools) by Dread Nameless Fear are likely to end up using alternatives which may be ACTUALLY insecure.

Those who fear that TrueCrypt is subverted might profit from spending a few minutes pondering that there are Computer Science departments all over the world with many hundreds of professors and thousands of graduate students, some of whom specialize in infosec/crypto.

Because TrueCrypt is so widely used and relied upon, the first CompSci department to announce that they'd proved a backdoor in TrueCrypt would be world-famous, attract rivers of funding, and have the best imaginable prospects for their future careers.
____________________________________

About the TrueCrypt license: it specifically permits modification of the software, and distribution of modified software (including for commercial sale). This is in the general pattern of other open source licenses I have seen.

The license imposes one salient restriction: modified versions can't be called TrueCrypt or any variation thereof. But there's nothing to prevent a developer from modifying TrueCrypt and selling it (or giving it away) as Ernie's Privacy Software.

Furthermore, Ernie isn't prohibited from telling people that his software is based on TrueCrypt: in fact, the license REQUIRES Ernie to do so.

I see nothing in the legal disclaimer, nor in the license, that is inconsistent with the TrueCrypt developers being on the up and up.

MarkHSeptember 4, 2013 1:17 PM

@Clive, September 2, 2013 8:08 AM:

One of the points you made was about the insecurity of using incompletely erasable storage (like SSD) with drive encryption based on a stream cipher.

I agree with the logic of the argument. I also agree that using a stream cipher is an "obvious" way to do fast full-disk encryption, that would appeal to a naive developer.

However, the stream cipher approach is desperately insecure for reasons you gave! I believe that decent encryption packes in general -- and I know for a fact, TrueCrypt in particular -- use XTS (or a similar mode) which is much stronger!

For any given position (basically, address) in the encrypted drive, XTS uses the identical function for encryption. So if you write the same data to the same position (or simply leave it unchanged), an attacker able to compare the two versions (say, copies of the drive made at different times) knows that the plaintext at that position has not changed. Therefore, differences between two versions prove that content at those positions HAVE changed.

In this limited sense, XTS leaks information to an attacker who can compare versions. This is why the TrueCrypt documentation recommends backups be made by creating a new container (which will have its own key) rather than copying the container to be backed up.

However, XTS doesn't XOR the plaintext against the same bit sequence as stream encryption would, and comparison of the two versions reveals NO information about the difference in content (how many bits changed, which bits, etc.) of the changed blocks, nor what the content was in any of the various versions.

For the purposes of the "Snowden incident," is there any security issue at all about reusing solid state storage devices?

Werner AlmesbergerSeptember 4, 2013 5:58 PM

Regarding the risk of OTP reuse in combination with a stream cipher modes (and alleged similar issues in block ciphers modes): wouldn't the same issue exist if a medium that is in active use is repeatedly scanned ? I.e., if the reuse happens over time, not space.

In this case, I think re-encryption of the content with a new key between a) each potential exposure that may be followed by modifications of sensitive data and b) the next potential exposure should prevent such attacks. Iff you're able to correctly tell when such exposures may occur, or at least always err on the safe side.

The reuse in space issue also suggests a reason for working with "bare" NAND. Many embedded systems use NAND chips that don't have all the niceties of wear leveling, bad block handling, and such, and leave all these gruesome tasks to the operating system, which in turn provides an abstraction that looks like a "normal" file system. E.g., on Linux, you'd have JFFS(2), YAFFS and UBI+UBIFS for such tasks.

Such a file system does know the physical block location and could therefore generate the key based on that, instead of the logical block number.

Something that should avoid all these problems would be to generate a random salt each time a logical block is written/modified and store that on the media as well. Drawbacks: increased write activity (affects speed and wear), reduces available storage, and - probably the hardest part - need for a good and fast entropy source.

- Werner

Clive RobinsonSeptember 4, 2013 8:00 PM

@ MarkH,

I'm aware of XTS but I'm not that keen on it as it has a number of issues that give me pause for thought. I prefere EME [1] but like many modern cipher modes it's encombered by a patent.

Microsoft's Bitlocker [2] is an example of a conservative design by Niels Furgusson, however it's bassed on AES in CBC mode with the initial IV being tweakable via the sector number and the design overloads the mode to give "Poorman's Authentication" which is weak.

As you note some developers will go with whatever gives them the easiest time. Likewise marketing want the fastest and the bean counters and legal eagles don't want to use anything that is going to require licencing or invoke legal action both of which eat profits faster than the tax man.

You have also brought up another issue to do with time related sector updates that are in effect "snapshots" which rasies issues with journaling file systems, NAS boxes, SAN systems and backup tapes. Which I've mentioned in the past and is one of the reasons I recomend the use of application level encryption on files as well as disk level encryption as well as using encryption in the backup systems.

It appears that UCSD has done research on encryption on SSDs and found that file level overwriting/shreading is as I indicated a near usless activity, and SSD firmware is sufficiently badly implemented that the bets are off on it functioning correctly.

As for the Snowden issue it all depends on the "human" element as to what might have been previously stored / erased on the devices. And as USB memory sticks are now down around 6USD for 8GByte devices "single use" would not in any way be cost prohibitive. It would also appear to fall in with Ms Poitras's general OP-Sec behaviour.

[1] You can read more on EME at,
http://www.cs.ucdavis.edu/~rogaway/papers/eme.ps

[2] You can read more about Bitlocker at,
http://download.microsoft.com/download/0/2/3/...

[]

Nick PSeptember 4, 2013 8:25 PM

@ MarkH

Re first section of your comment

I couldn't have said any of it better.

Re truecrypt license

Here is what I was talking about. The license had issues for some time. The Wikipedia article on TrueCrypt also references this, but says they fixed most or all of it by version 7.1. They quote a guy saying it's consistent with free software licenses. So, maybe it's good now.

MarkHSeptember 4, 2013 10:14 PM

@Nick:

The linked post is almost 5 years old.

When I perused the TrueCrypt license, I didn't see the language that was the subject of the complaining post.

Tho I'm absolutely not a legal mind, and neither an expert on open source licensing, the present TrueCrypt license seems to me to be along the general lines, and in the spirit, of typical open source licenses.

I was reading the license with the question in mind, "how would this constrain me if I wanted to distribute my own customized version of TrueCrypt?" If the license raises any obstacles, I didn't notice them.

MarkHSeptember 4, 2013 10:26 PM

@Clive:

Accepting that any practical FDE system probably has imperfections ... are you aware of any weakness in XTS that might enable actual plaintext recovery from a single copy, or even multiple variant copies, of an encrypted volume?

Here I mean plaintext recovery as distinct from (for example) leakage of which blocks have changed among multiple variant copies of an encrypted volume.

Like many others I am sure, I value your willingness to share your accumulated knowledge (too bad about the EME patent...)

Clive RobinsonSeptember 5, 2013 4:24 AM

@ MarkH,

No I'm not aware of any practical plaintext recovery attacks against a single instance of data at rest encrypted using XTS.

But there are, as with AES side channel attacks during encryption and decryption. And as with most "efficient" implementations of HD encryption "bread crumb" and "traffic analysis" attacks which are not present in other less efficient and more thoughtful implementations.

XTS comes across as brittle not robust and this alone would give pause for thought, it also has other issues that give me cause for further thought, and thus I've steared a path around it where possible.

Without doubt HDE is a significant problem to resolve and the assumption of equivalance to "single message encrypted communications" is mostly not valid unless significant steps are taken to make it so.

Without doubt the examination of primatives needs to be investigated in the light of HDE issues, and I suspect that the notion of "non-expansion" will have to be revisited in either the data or meta-data.

Nick PSeptember 5, 2013 9:15 AM

@ MarkH

"When I perused the TrueCrypt license, I didn't see the language that was the subject of the complaining post."

Good to know. I might make more use of it in the future then. :)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..