"A Court Order Is an Insider Attack"

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack:

To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.

From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

Also on BoingBoing.

Tags: courts, email, insiders

Posted on October 17, 2013 at 12:50 PM • 93 Comments

Comments

Jeff Martin • October 17, 2013 1:27 PM

Anyone have any interesting resources on how exactly an organization can be made resistant to court orders?

Jim • October 17, 2013 1:28 PM

What are proposed designs to make something “resistant to court order”? I can’t imagine a setup that uses SSL that would be resistant to a court order.

Nicholas Weaver • October 17, 2013 1:30 PM

Unfortunately you can not make an email system that communicates on SMTP resistant to court orders, and you can not make a webmail system without a plugin resistant to court orders: the basic protocols are incompatible with the security requirements needed to protect against an insider.

Toni • October 17, 2013 1:36 PM

So really, the question is: can any centralized system be built that’s resistant to a court order? Sure – the email message can be encrypted: but somewhere along the line the metadata is in clear.

The P2P/I2P/etc distributed messaging schemes like Bitmessage are starting to look like the only option for truly secure communication.

Are there any others?

JimFive • October 17, 2013 1:45 PM

I think there is one major difference between Lavabit and Guavabit in the example. The Lavabit admin who is extracting user data doesn’t need to worry about leaving an audit trail.

JimFive

Sean Kelley • October 17, 2013 1:46 PM

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

I wonder if ‘design’, in this context, means controls or policy/ToS. Not actual technology. The technology piece could be applied to the access the user that copies the data, sure.

Brian M. • October 17, 2013 1:46 PM

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

The only way that a company can be designed to be resistant to court order is if the company is outside the bounds of any court. Merriam-Webster defines a company as, “a business organization that makes, buys, or sells goods or provides services in exchange for money.” OK, so where does that leave a person who wants to start a court order-resistant company?

Here’s some problems:

Your business license can be revoked.
You can be fined.
You can be jailed.
You can be kidnapped and tortured.

Sure, there’s some technological ways around giving up data to “unauthorized” parties, but motivational factors like the above are really quite extraordinary. And they work.

Technological means would be to simply provide a hosting service for files. (Which has been done before, with repercussions.) Provide a public key management service for your customers, and that’s it. All files that touch that service are encrypted. Any custom software is open source, and hosted on a public repository service like GitHub.

A technologically secure site doesn’t mean that it is sociologically secure. It just means that when a court says, “you must allow our total surveillance or we’ll throw your hairy butt in jail,” your hairy butt goes to jail, and the rest of you follows along with it.

In the example where the employee gives data to the cartel, the dead giveaway about that problem might be fingers in the mail. The cartel, or the courts, might not be sophisticated enough to realize that your technological solution really does mean that you can’t comply with their demands.

So, how do you run an anonymous, legal, business?

Wang-Lo • October 17, 2013 1:47 PM

I think Professor Felten’s point is that if the state legally forbids me to build or operate a communication technology resistant to the first scenario, that state thereby dooms me to be vulnerable to the second scenario.

Chelloveck • October 17, 2013 1:48 PM

I don’t think it’s possible. The only way for a system to be resistant to insiders if if the system never, ever has the ability to decrypt the data. That reduces the server to a transport mechanism, but everything else has to be done at the endpoints. Webmail would be impossible. You’d have to do the decryption via a plugin that is not provided by the webmail service. (If it is provided by the service, then the service could easily insert a backdoor.) There would be no way to search a large online mailbox — the server can’t decrypt the mailbox, so the best it could do is send down one or more encrypted blobs for searching on at the endpoint. If there’s some way to make a useful webmail server invulnerable to this sort of insider attack I’d love to hear about it.

Gweihir • October 17, 2013 2:15 PM

@Wang-Lo: Indeed. And also dooms you to any possible mixture of both scenarios, like corrupt officials.

Brian M. • October 17, 2013 2:29 PM

@Chelloveck:

Homomorphic encryption would allow the host servers to search your files for data inside them.

There have been some recent developments in the field. The phys.org link goes into a few details about functional-encryption and its applications.

Using this scheme, you could possibly have general web mail, but it might take a lot of computational work on the client end, too. (Homomorphic encryption is hard on the CPU.)

John Schilling • October 17, 2013 2:30 PM

Since when has the “purely technological standpoint” been particularly relevant to security discussions? Security ultimately comes down to people and institutions, and instutitionally speaking, the two cases are completely different.

When Guavabit’s IT department, or its senior management or an outside law enforcement agency, learn what is going on, they will act to stop it, and they will have access to institutional mechanisms optimized for stopping that sort of thing. At Lavabit, these institutions will instead act to facilitate and conceal the intrusuion.

Guavabit needs a tripwire that will alert it to the breach. Lavabit needs a technology that somehow can’t be meddled with even by its de facto and de jure owners, or an institution impervious to the law, or new laws.

Bob Robertson • October 17, 2013 2:38 PM

There are lots of very good reasons for considering “governments” to be nothing but the most successful criminal gang in a given territory.

One of the best reasons is that their methods and results are exactly the same.

Northern Realist • October 17, 2013 2:48 PM

Nased on the logic presented, handing information over to your company’s external auditors would then also consitute an insider attack.

Tito • October 17, 2013 2:58 PM

@Northern Realist

Not sure about the auditors you’ve worked with, but the auditors I’ve worked with want process docs, designs, test results, information flows, control documentation, etc. E.g. stuff to show that your enterprise is “secure”.

(Ok, ok, now that we’ve all had a good laugh… they check for “compliance” which “in theory” means “secure”…)

Auditors don’t ask for private keys. Auditors don’t ask for a copy of the sensitive customer/patient/cardholder data being protected.

Simon • October 17, 2013 2:58 PM

This makes me wonder about Lastpass . They claim that all passwords are encrypted client-side, so even if they hand over data, it’s safe.
Assuming this is true, and there’s no back door in the encryption, are they technically breaking some law by setting up in this manner?

bcs • October 17, 2013 3:05 PM

You might be able to differentiate between the two via a form of “two man” rules. For example, if complying with a court order took the active participation from the manager of the involved system, a VP in legal and two CxO’s then you would need a conspiracy from that same group of people to execute an insider attack (and with that list; an insider attack is more or less the same as an unannounced policy change).

NobodySpecial • October 17, 2013 3:09 PM

@Brian M – the solution is to have Lavabit (USA) inc’s servers constantly monitored by Lavabit (Switzerland) SA and by Lavabit (Venezula) ltd.
There was a description of a similar system by one of the torrent sites. They were hosted on multiple anonymous cloud services with multiple load balancers in different jurisdictions. Only the address of the load balancer is visible to the public (and so law enforcement).

Everytime one of the load balancers is shut down one in another jurisdiction notices and spins up another copy of the site. The only way to close them would be simultaneous raid by the police in US/China/Russia/Venezuela/Cuba etc.!

Carpe • October 17, 2013 3:20 PM

@NobodySpecial

I have been thinking about this too. It was thepiratebay, by the way. I haven’t heard of a better evasion setup yet. It would help prevent shutdown, but not necessarily mitm. I actually was thinking that if someone started an entire hosting service based on that model that it might be a viable business.

Bauke Jan Douma • October 17, 2013 3:21 PM

General comment.

Technological solutions.
Political solutions.
Sociological solutions.

Solutions to what?
Many (most) dont’ even know what’s up, let alone what the problem is.

Let’s face it.

Q2 2013 has been a bad year for cryptographers. Basically they saw that
the government has made their whole line of business a ridicule. With subversion,
collusion, corruption, fraud, false representation, intimidation, extortion —
whatever.

There must be a lot of shell shock there, from all these revelations. And I don’t
mean the NSA — I mean the cryptographic/cryptanalistic community.

Whatever technological means they, the free-thinker crytopgrapher kind, devise,
there’s no denying that a government that is intent on having its ways, is going
to prevail in the end — whether by technological means (read: throwing taxpayer’s
money by the bollions at programs to f*k that same taxpayer), or going to previal
in the end simply by leveraging the power it has amassed (even more awesome
than military power) to see laws being passed that would make technological
attempts to circumvent simply illegal (laws with a ‘future reach’).
In fact, I think a case can be made that we entered that last phase long ago.

What does that tell you?
Where should we invest our energies?

Tim Hoddy • October 17, 2013 3:39 PM

Another important difference in these two attacks is that in the case of Guavabit, the company may not know that it has indeed been attacked.

Tom • October 17, 2013 3:45 PM

John has hit the nail on the head above. Fire engines are indistinguishable from strawberry jam from a purely colour standpoint. It’s not very relevant to deciding how to fight fires. Likewise the purely technological standpoint is not very relevant to deciding the security-liberty tradeoff.

65535 • October 17, 2013 4:10 PM

I agree.

“The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack.” –Freedom To Tinker

We are slowly but surely morphing into a state akin to Communist China via “National Security” laws. It’s unsettling that Cisco Systems helped build the Chinese Censorship Wall (considering Bruce’s discussion on router trap doors). Further, the punishment of crossing the Communist Party is huge:

[Wikipedia]

“In 2001, Wang Xiaoning and other Chinese activists were arrested and sentenced to 10 years in prison for using a Yahoo email account to post anonymous writing to an Internet mailing list. On 23 July 2008, the family of Liu Shaokun was notified that he had been sentenced to one year re-education through labor for “inciting a disturbance”. As a teacher in Sichuan province, he had taken photographs of collapsed schools and posted these photos online. On 18 July 2008, Huang Qi was formally arrested on suspicion of illegally possessing state secrets. Huang had spoken with the foreign press and posted information on his website about the plight of parents who had lost children in collapsed schools.Shi Tao, a Chinese journalist, used his Yahoo! email account to send a message to a U.S.-based pro-democracy website. In his email, he summarized a government order directing media organizations in China to downplay the upcoming 15th anniversary of the 1989 crackdown on pro-democracy activists. Police arrested him in November 2004, charging him with “illegally providing state secrets to foreign entities”. In April 2005, he was sentenced to 10 years’ imprisonment and two years’ subsequent deprivation of his political rights.”

“In mid-2013 police across China announced the arrests of hundreds of people accused of spreading false rumors online. Chinese authorities have said the crackdown is directed at abuses such as fraud, fakery, and slander. But the accusations against many of the arrested microbloggers have a political edge with many of the rumors called outrageously false by the government dealing with the sins of officials: corruption, venality, and sexual escapades. The suspicion is that the crackdown is intended to break up online networks of like-minded people whose ideas could challenge the Communist Party. Some of China’s most popular microbloggers have been arrested. In September 2013 China’s highest court and prosecution office issued guidelines that define and outline penalties for punishing online rumors and slander. The rules give some protection to citizens who accuse officials of corruption, but they say that a slanderous message forwarded more than 500 times or read more than 5,000 times could result in up to three years in prison.”

https://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China

[Ars Technica]

‘China bans unlicensed e-mail servers’

“The Chinese Ministry of Information Industry has released new rules designed …”

“A new provision in an anti-spam law has apparently made it illegal to run an unlicensed e-mail server in China. The Chinese Ministry of Information Industry recently promulgated rules designed to crack down on the country’s spam epidemic, but buried in the new legislation is a requirement that so-called “E-mail Service Providers” must register with the government and receive a license in order to legally operate their mail servers…”

http://arstechnica.com/uncategorized/2006/04/6611-2/

NobodySpecial • October 17, 2013 4:52 PM

@Bauke Jan Douma – on the contrary I think it has enormously boosted crypto.
Last year all management cared about was that our cloud service had https = “that meant everything was secure didn’t it?”

Now they want to know who has our data, which bits can be stored encrypted, what shouldn’t go into the cloud, what shouldn’t be emailed etc etc

tz • October 17, 2013 4:59 PM

Not quite, as I posted there, the trustworthy owner who has his very reputation at stake and would never voluntary agree to compromise is FORCED to do so. An employee might put a gun to your head and force you to open the safe or direct deposit the entire cash balance. But a court is an outsider. And can be an interloper even if you don’t have an employee.

n • October 17, 2013 6:37 PM

To be resistant to court orders, you need these properties:
1) forward secrecy
2) don’t store user data in a way you can retrieve

The court can’t order you to hand over data you don’t have.

Tim L • October 17, 2013 7:01 PM

@NobodySpecial – on the contrary I think it has enormously boosted crypto.

NobodySpecial’s got it right.

Like Sputnik boosted science education, the sudden revelation of NSA crimes has given crypto a huge boost.

Another Kevin • October 17, 2013 7:13 PM

@n: “The court can’t order you to hand over data you don’t have.”

As several commenters said above, it can indeed order you to do so. And it can throw you in jail when you fail to comply. If the technology renders compliance impossible, that’s not the court’s problem.

Dirk Praet • October 17, 2013 8:25 PM

The only diffrence I see is that the legality of the act gives it a certain degree of salonfähigkeit in a context where the general public has been indoctrinated that anything that is legal is by definition also OK.

@ Jeff Martin

Anyone have any interesting resources on how exactly an organization can be made resistant to court orders?

You either buy, out-smart or out-gun those issuing them. A good place to start looking for specific guidelines would be Wall Street.

@ Nicholas Weaver

Bang on the money. We need new protocols.

George William Herbert • October 17, 2013 8:38 PM

Another Kevin:

As several commenters said above, it can indeed order you to do so. And it can throw you in jail when you fail to comply. If the technology renders compliance impossible, that’s not the court’s problem.

No, they can’t, unless your totally encrypted service is in violation of some US law requiring tappable services.

For email, there is no such law.

For telephones, there is. CALEA violations would be a problem here.

George William Herbert • October 17, 2013 8:47 PM

Chellovek:

I don’t think it’s possible. The only way for a system to be resistant to insiders if if the system never, ever has the ability to decrypt the data. That reduces the server to a transport mechanism, but everything else has to be done at the endpoints. Webmail would be impossible. You’d have to do the decryption via a plugin that is not provided by the webmail service. (If it is provided by the service, then the service could easily insert a backdoor.) There would be no way to search a large online mailbox — the server can’t decrypt the mailbox, so the best it could do is send down one or more encrypted blobs for searching on at the endpoint. If there’s some way to make a useful webmail server invulnerable to this sort of insider attack I’d love to hear about it.

Webmail being impossible is a feature, not a bug; in postmodern (post-Snowden) security, trusting the things in between is a bug.

One could establish a new protocol, and implement at first with a browser plugin of some sort. To avoid the email provider corrupting the plugin, establish a third party plugin provider and strong checksum checking trust web. Make the plugin open source and encourage people to write real mail clients to use the protocol rather than using the plugin, so that the window of vulnerability by exploiting the plugin vector shrinks away.

Alon • October 17, 2013 9:26 PM

There is a big difference between an insider threat and a court order, which is that insiders usually work alone, or in small groups, while many people could be privy to a court order. A secret sharing scheme could be used to require multiple sign-offs to release confidential information, and these multiple parties could be outside the company.

The simplest design is a key escrow, where the company hosting the data encrypts it with a public key owned by an escrow service. Now the court order must ask both the escrow service and the hosting provider for the key. If we are concerned that an insider at the escrow service is compromised, we can use any number of escrows in a secret sharing scheme so that only if all of them cooperate could the confidential information be revealed, which is unlikely in the classic insider scenario.

dimitris • October 17, 2013 9:29 PM

What about a “webmail” service that consists of:

A browser-side code that implements SMTP and TLS/PKI.
A service-provided tunnel through which the client code talks to the recipient’s MX port 25, and
In addition to recurring service fees (if any), a (zerocoin?) deposit that will be forfeit if the client uses the service for spam.

Obviously a lot of holes here, at least in any conceivable practical implementation. However, the idea is that if the service provider is ( criminally | judicially ) compelled to attempt a MITM, they have to update the client side code/script. A sophisticated user or, slightly less theoretically, a simple, change-review-friendly client-side environment (DSL?) creates a decent chance in spotting that.

( Your Honor | Don Corleone ), I can try to do this, or I can show you how, but it may expose the ( investigation | hit ) to the target.

Brian M. • October 17, 2013 10:10 PM

@Dirk Praet
Bang on the money. We need new protocols.

I disagree completely. Both the protocols and the services using them can be implemented securely.

The problem is the lack of a secure implementation. How many smtpd implementations keep the data in encrypted files? And how about the POP3 and IMAP4 implementations?

Big companies that get their revenue from packaging you as a product are not going to make the effort to protect you, because you aren’t paying them a dime. If you want protection like that, it has to come from a private service.

Another point is that simply sending and receiving communications means that you can come under surveillance. Unless the entire route is encrypted and sealed, it’s open to someone recording who, where, and when. For current methods, the email header info would have to be encrypted and decrypted repeatedly along its route.

There are encryption cards to help with high volume traffic, like the SafeNet Luna PCI-E, but I just can’t see Google or Yahoo! or whomever investing in stuff like that.

Jay • October 17, 2013 10:33 PM

@JimFive:

How is a court order with a gagging/secrecy provision, or a UK-style superinjunction, any different from an insider attack where the insider has to hide the audit trail?

An audit trail does the user no good if the only people who can see it are co-opted as the user’s adversaries!

Mike the goat • October 18, 2013 12:12 AM

Brian M: the problem with email is it leaks metadata by design. Sure, you can keep the email encrypted etc but the powers that be will still be able to track the route of a message. Only a DHT style distributed solution will solve that problem.

But I agree with you nonetheless – the current implementations (especially M$ Exchange) suck. The Unix world isn’t great either, hell look at the abortion that is sendmail.

Enforcing the use of TLS for SMTP and ensuring that all users use a SSLized POP or IMAP session would go a hell of a long way to stop casual eavesdropping. Perhaps enforcing message encryption (or at least pushing people to implement it en masse) will also help.

Nick P • October 18, 2013 12:17 AM

Been a while since I posted an indepth solution to a tough problem on this blog. Used to love doing it. I’ve solved this particular problem repeatedly in many forms, even posting an anonymous cross-jurisdiction email system concept here before. It was implemented in production as defence against FBI, NSA and a few others with success far as we could tell.

Anyway, here’s a few things designing against governments taught be about making such services trustedworthy. Enjoy:

The servers must be in a country that will protect them from the threatening legal system. This can be done using privacy laws, paying off government, pressuring government officials, etc. Options range from total protection to simply giving you a heads up so you can destroy the data before the door is kicked in.
Ideally, several mutually distrusting parties are used. My old solution involved US to China, Israel to certain Arab country, and so on. My solution was asynchronous so I did relays and made sure at least 3 uncooperative jurisdictions were crossed. A live, synchronous service can do at least one. It’s important that the entity owning/operating each relay is believably local.
Beware of traffic analysis exposure or leaving breadcrumbs. The solution to the former that I often promote is continuous transmission of data between nodes at a fixed rate with fixed (often maximal) packet sizes. Highly robust link encrypters are a good idea here. The systems should also overwrite fields on the packets that can be used as a covert storage channel. Breadcrumb problem solved by using RAM for operations and ensuring logs are stored in encrypted volumes whose RAM-stored keys are automatically lost after a period of time. The diversity/obfuscation I mention later helps too.
If it has to be U.S. and it’s serious, use foreign operated anti-tamper setup. The idea is all sensitive computations are run on a computer stored in a tamper detecting container that can detect radiation, temperature changes, power surges, excessive microwaves, etc. Tamper detection = data wipe or thermite. The container will be an EMSEC safe and the sensors/PC’s will always be located in a different spot in it. The system is foreign built and operated with the user having no control of its operation except what software runs in deprivileged VM’s in it. Status is monitored remotely. It helps to modify code so that most sensitive stuff like keys are stored in certain spot in memory that will be erased almost instantly.
Another commenter had the nice idea that servers in one country monitor what servers in another do. This doesn’t work so well on a live protocol and is harder to do against a TLA than people think. The workable version for a live service is Byzantine style processing of each protocol step of the service. Each node should have a different implementation of the same behavior, be managed by different people, and the system never proceed unless all nodes agree on the output. The service can combine this with jurisdiction crossing I mentioned. Naturally, there’s going to be authentication built into this so random nodes can’t just jump in to DOS you. A side benefit is that many systems using other systems to help verify their own activity, with protocol messages all looking about the same, is that traffic analysis is harder.
People are the weakest link in many organizations but they’re potentially the strongest link here. In many cases, an organization will have an easier time finding trusted personnel for a given threat model than tech. In this case, they should optimize the setup to block as much as possible, detect violations, and let the people make the decisions on them. Exchange of important authenticating information can be done in person with trusted couriers as well. That part can also be semi-automated in case they’re captured.
A previous point touched on diversity. I promote it endlessly because even open systems are going to have flaws, the TLA’s have more labor/time, and they WILL GET IN… only if their 0-day hunters have your code. 😉 So, diverse implementations and obfuscations of any many layers/components as possible helps. There needs to be a ridiculous number of permutations. System setups should also be obfuscated or altered in ways that (a) reduce their rate of success and (b) increase rate of detection. More work for them across the board. Make sure that each change has no negative impact on security, though.
Practical deniability is important: you don’t know what you know, don’t have what you have, and can’t access what you have access too. Creating paradoxes like this are important across the board. Certain encrypted volumes had randomly generated keys that were stored in a way that they went bye bye if I didn’t regularly attend to them. My right to remain silent would buy me time for the data to be unrecoverable while giving some protection against obstruction. The obfuscations on code can be automated and randomized, with the resulting executable encrypted until it runs. I have no idea what algorithm or key it used before I shipped the server to Hong Kong so I can’t tell them, can I? Create many valid options that are strong, many compositions, manually apply what you must, and automate the rest so you can deny knowledge effectively. And always keep some design documents on them for court later and showing how they beat “the Chinese hacker threat to our I.P.” 😉
Every aspect of it must be simple to describe, analyse and implement. The design should be modular, layered, have clearly defined interfaces, and avoid any complicated protocol or algorithm. This reduces the number of defects that will be found. Design by contract, type safety, static analysis, coverage testing, etc should all be used where applicable. Watch for the build toolchain screwing up your code’s security checks and stuff.
Turn complicated security problems into simple ones. For instance, viewing web content on an intranet might involve using IP, TCP, DNS, HTTP, and SSL in combination securely. Good luck lol. One of my setups had the client send a UDP port knock with ultra fast shared secret crypto, an encrypted reply told what port to use next with session secret, and then all requests by the custom app were sent as individual (rather than HTTP’s hundreds) requests over protected UDP packets. The packets also looked about the same for almost every message so no clear pattern on the network. The client requirements: UDP/IP, tiny bit of reliability code on top of it, and basic symmetric crypto operations. Tiny, simple, easy to analyse, content neutral and fast as hell. Required custom comms library linked to client and server apps. There were other advantages to that, though, that I can’t go into. 😉
Remember that the TCB is important. The easiest technique for minimizing it is to pipeline the work through several components each with just enough privilege and functionality, all using message passing instead of shared memory. The cool thing about this is that you can do these arbitrary setups to the system: separate modules in a typesafe linked application; separate processes on Linux/BSD; combo of separate processes and VM’s on something like Xen; combo of separate processes or VM’s on robust microkernel; separate active objects running on an object/tagged/capability processor; separate processes running on separate hardware with optional OS fine-tuned for that process. The trick is to design your system for secure decomposition from the beginning so you have many options for immediate or gradual assurance increases, also benefiting from future advances.

All I’m saying for right now. Hope it helps someone building the next great project keep from legally dooming themselves.

Mike the goat • October 18, 2013 12:26 AM

Nick: good advice, and make sure that the only penetration into your safe is optical only. You can get 10W optical power transmitters which would be sufficient to run an embedded PC.

Why Johnny Can't Compute • October 18, 2013 12:41 AM

@Bauke Jan Douma ‘Whatever technological means they, the free-thinker crytopgrapher kind, devise,
there’s no denying that a government that is intent on having its ways, is going to prevail in the end…’

Momentary domination is not sufficient. To prevail in the long run, a government must be able to reproduce itself from one generation to the next. And that poses something of a problem for a military dictatorship trying to propagate through a hostile culture.

Also, Mises explained why statism fails economically. The essential problem is that a centralized control system can’t perform the vast computational load required to produce the goods that individuals need.

Nick P • October 18, 2013 12:58 AM

@ Mike the goat

I’m thinking you’re talking about a piece of glass on the container with optical data exchange through it, right? Part of the security of the tamper detection is they can’t see the equipment and have to take risk going through a safe. I’m not sure if the glass would work as easily as it might mess with security properties. The common practice (I think) is a spot for a few wires to go through with a EM filter on them. It can be pretty small.

I know Clive previously pushed me to use IR transmission for certain things which turned out to be a good idea. Maybe I’m missing how to incorporate your optical transmission into the box properly just b/c I don’t usually design the hardware solutions. Thanks for the tip, anyway. Do you have any ideas on how to incorporate it into an obfuscated, self-defending safe without breaking those properties?

Note: If it’s TEMPEST shielded, I’m thinking along these lines. I figure there’s gonna be a hole for a power cord unless we throw a fuel cell in there. 😉 So, a high capacity fiber line should add little extra space to squeeze through there. If you have a better optical idea, I’m all for it being an option.

Mike the goat • October 18, 2013 2:29 AM

Nick: the only thing that penetrates the safe is two tiny strands of fiber. They can’t see into the box. By putting a battery and a charger circuit in the box the only thing that they can infer is the mean current draw of the black box. The optical power transmission system is basically a laser on the unsecured end to ‘transmit’ the power, and a receiver inside the box (the receiver is basically just a photovoltaic panel and a few optics to spread the light over the PV module). The benefit of using light to transmit both power and data is they can’t try and get your unit to do something unexpected by, say EMP down one of the conductors or by over/undervolting the power etc…

Assume the battery inside your black box gives you 24 hours autonomy. Perhaps setup the black box to wipe the keys if power is not restored within X hours. You could incorporate a mercury switch or a gyro to initiate the wipe should any movement occur, etc.

Or if you’re doing it in a rack mount form factor perhaps measure the resistance between the left and right brackets and should the circuit be interrupted or the resistance change, again wipe the data.

That said if your box is in a data center in Japan I guess it’ll keep getting tripped by earthquakes.

Your final protection would be some kind of tamper switch. I would put a photodiode inside the box (so if someone drills or puts a scope in to have a peek) and use that to trigger. Secondary triggers can be as simple as a pressure plate, have a conductive foil matrix around the edges, vibration sensor (to pickup on drilling), etc. I guess you could have some passive protection by putting an inert atmosphere in the box and put a nice big block of phosphorous to initiate your thermite reaction. Idiot opens the box and it is going to spoil their day.

Mike the goat • October 18, 2013 2:32 AM

Nick: if you only need a few watts then you could power it passively putting some Seebeck modules in the black box with a heatsink making contact with the other side. Given data centers have cooling from the floor, if your module is sitting at the very bottom of the rack and you have all your hardware above it there might be enough of a gradient to keep a low power device going indefinitely. Low power being the key.

JeffH • October 18, 2013 2:59 AM

I think Mr Felten’s article, whilst a good head-scratcher (especially reading some of the resulting comments), rather misses the other fundamental ‘insider attack’ that goes on all the time, namely: employee copies user data and passes it to an advertiser for revenue.

A significant proportion of the huge surge in popularity of Internet services is driven by the fact that our user data is now our currency – most people just haven’t stopped to care.

If my searches or my email were so secure that even a court order couldn’t make Google give them up, how would they make ad revenue off them? This isn’t about technology any more; it’s about business model. You have to change that first or all the technology in the world won’t matter.

Mike the goat • October 18, 2013 3:13 AM

Jeff: re employees stealing data – this is where granular access control and the principle of least privilege help. They’ll at least limit what the employee can steal. Robust audit logs will red flag suspicious behaviour (e.g. scraping or dumping of data en masse). Finally, digital watermarking where each download of, say a PDF has distinguishing features embedded so that you can substantiate that they indeed were responsible and perhaps launch civil action. This includes slightly modifying formatting or font dimensions, the introduction of noise (e.g. a dot here and there, not dissimilar to how printers encode serial numbers), steagnographic modifications to embedded images, and the most obvious – overt tagging of metadata. Many of these techniques can withstand reencoding into other formats – some will even persist into a paper copy.

R2D2 • October 18, 2013 4:03 AM

Mike the goat
Nick P

I like your discussion about optical power transmission and have a question about optical data transmission.

Is ist possible to identify the data stream by analyzing the power consumption of the laser power supply?
Is it (theoretically) possible to inject data by manipulating the power supply to change the amplitude of the laser beam?

Sorry, if these are stupid ideas, but I think it’s much more possible in practice (after Snowden) than I thought just a year ago.

jake • October 18, 2013 4:10 AM

we have made an attempt to solve exactly this problem for online backups with Cyphertite, an open source client-side encrypted backup. the code is hosted on github, runs on most OSes and has some shell integration for windows.

short of being ordered to include a backdoor in the client code, which is open source, cyphertite is court-order proof.

Clive Robinson • October 18, 2013 4:34 AM

@ Mike the goat, Nick P,

There are two problems to overcome the first is energy storage reliability the ssecond is the fact that analog sensors which you use for detecting various attacks are generaly far from perfect and suck power. So the more you use the greater the power requirment especialy that for storage.

But the worst of the two in some respects is that electrical storage technology is crap and very very short life in most respects (self discharge, electrolyte breakdown/poisoning, etc). Which is why “energy storage/electrical generation” sensors and door locking mechanisms are “hot button” subjects in the nuclear fuels industry when dealing with high security storage of waste.

Obviating energy storage by conventional “chemical” batteries is the only way to go currently which has a knock on effect in the areas of power consumption. And “clockwork” appears to be the best longterm option in terms of longterm storage, life expectancy and reliability (I kid you not).

With the power of sensors issue in mind the solution I’ve looked at in the past is a “safe within a safe”. You put the secret stuff inside the inner safe and make it as low power as possible, this usuaually means custom design using microcontrolers with switchable clock rates etc. It’s internal alarms are of the physical ingress variety which draw no or very little electrical power (I have a friend who is a skilled glass blower and we have “ship in a bottle” style encapsulated custom micro controlers before).

This inner safe is mounted inside another safe that has the power hungry analog sensors and the back ends for them, this takes it’s power in in an appropriate way from an external source.

For obvious reasons it’s not just the batteries in the outer safe that will need regular servicing so you need to come up with protocols and deigns that take this into account but for equally obvious reasons I’m not going to discuse those in any great depth.

William Lee • October 18, 2013 5:18 AM

“The gang and the government –
They’re no different.”
~Janes Addiction, 1%

Winter • October 18, 2013 5:19 AM

About untracable communication. Maybe practical settups can be found in criminal gangs?

I remember a piece about pedophile wares peddlers who used encrypted, memory only, virtualized images on hosted servers and their own encrypted DNS. I forgot the details.

The effect was that it was very difficult to follow the down/upload requests and whenever a server was found, nothing was available on persistent storrage.

Mike the goat • October 18, 2013 6:26 AM

R2D2: providing the optical power receiver feeds a charging circuit and the device runs off the charging circuit it should be sufficient to buffer the highs and lows. No doubt there will be attacks that we haven’t anticipated but it is pretty good.

Clive: zinc air batteries are good for applications like this – unfortunately the box is hermetically sealed so these options aren’t available (nor are direct methanol fuel cells etc).

If you wanted to shy away from chemical storage I guess you could use an accumulator. Have your low wattage power source drive a small (very small) electric motor. You may need capacitors and a starting circuit to deal with startup surges.

The tiny motor drives a gearbox that ultimately drives a compressor which slowly takes gas from the expansion chamber and pushes it into the high pressure side. A turbine provides a constant supply of power and with a controller you can probably open valves to give “surge” capacity so long as it isn’t for an extended duration.

Personally I think that your run of the mill gelled cell lead acid battery would do the trick just fine. You should get a few years at least out of.such a battery. Lithium ion in one form or another is another option. You could also have “hot spares” – batteries that are kept charged (ie float charged) but never used until the existing battery array is degraded.

I guess the final option would be a radioisotope thermal generator. Rumor has it these are indeed available from the soviet bloc area and I have no doubt that with a bit of cash you could get your hands on one. Another thing worth exploring are 70s era “plutonium batteries” that were used in pacemakers. Some people a still living with their original device still in them. I recall reading on a site dedicated to acquiring as many samples of elements in the periodic table as possible that the guy got one from a mortician, as they must remove them before cremation for obvious reasons. You might run foul of the NRC however. If your server is in a soviet country however you may indeed be able to get a license to “lease” such a device. Obviously you couldn’t use a physical “self destruct” (I think nick suggested thermite!) as you’d basically have a dirty bomb.

Mike the goat • October 18, 2013 7:09 AM

Nick: as an afterthought people who demolish buildings have to pay about $40 per tube to legally decommission and dispose of tritium exit sign tubes. If you can get a hold of a heap that aren’t too old (without reading up I think its half life is about 12 years) you could put a whole heap of them and use an arrangement of mirrors to direct the light and then focus it into a PV array. This would only be viable if you are using an embedded PC and can get your power consumption right down there. You could use supercaps instead of chemical storage to “buffer” the output to cope with fluctuations in demand. Some of the largest tritium tubes can output 55 lux! I suggest over provisioning by 50% to account for the (not necessarily linear) reduction in brightness over time. You should be able to get 7 years if you appropriately over provision.

The other good news is that unlike a RTG you won’t need licensing in order to acquire it.

Clive Robinson • October 18, 2013 8:37 AM

@ Mike the Goat, Nick P,

As I said “chemical storage” including tthe likes of sealed lead acid have a shortish life time (1/2life is usually less than five years even with care). I’ve had a little “solar driven” motor tipping a self winding watch on my window sill for about fifteen years now and it still works even in winter without problem. I also have a solar cell and supercap digital clock in a sealed glass tube that’s been doing OK for over five years.

As I said the Nuke storage bods are looking a century+ and they’ve been looking at “clockwork” systems basicaly imagine what looks like a “cookoo clock” weight and chain system in what might as well be a six foot flourescent tube. This generates a couple of watt hours sufficient to operate an electromagnetic door release. The grovy bit is how it gets rewound but I’ll let you go and look it up.

I was thinking along the lines of a “heat pipe” and either semiconductor or thermocouple system or even Sterling engine driven generator I’ve seen home built ones run from the heat from your hand…

If the inner safe is made from a heat sealed glass envelope with low preasure dry nitrogen or even vacuum there is no reason a simple PV pannel should not power the inner safe electronics.

The requirments for power consumption could be easily scaled back by issolating just the required security asspects.

Ard • October 18, 2013 8:44 AM

One way to prevent a court order of keys would be a hardware based crypto device where you can put keys in, but cannot get them out, making sure the firmware is such that any update first wipes the keys.
There are a few reasons this would be nice – hardware acceleration for TLS and other crypto functionality, protection of keys in case of a breach and if one doesn’t have access to they keys, then they cannot be supplied.

Stanislav Datskovskiy • October 18, 2013 8:46 AM

A court order is just a special case of rectothermal cryptoanalysis. Proceed from there.

Nick P • October 18, 2013 9:02 AM

@ Ard

“but cannot get them out, making sure the firmware is such that any update first wipes the keys. ”

Good idea.

Skeptical • October 18, 2013 9:30 AM

From a purely technological standpoint, I suppose bank robberies and government seizure of illicitly gained assets are identical as well. Nonetheless, well designed bank vaults don’t require the capability to defeat a lawful government order to be considered secure.

They do require the capability to defeat and detect unauthorized employee access, but it’s possible to build that in without removing the ability of the government to gain lawful access. As at least one person has pointed out above, requiring the notification and consent of multiple parties is a good way to make criminal access difficult to impossible (at least via threatening/bribing a single employee) but leave a court order just as effective.

Figureitout • October 18, 2013 10:38 AM

Nick P
–I’m going to be a dick again (b/c I care lol). While your “in depth solution” was nice to read and nicely structured, I would consider it more high-level brainstorming; still necessary but it isn’t a solution. As you know there are 1000’s of ways for it to go wrong. I could give an obvious problem for each of your bold points that cannot be solved beyond taking a leap of faith. Plus none of your solutions matter if your machine is already rooted; so this should be step 1.

Why don’t you link to an instructable as an example of one of those systems you describe?

Aspie • October 18, 2013 10:52 AM

If this has already been said/done then forgive the repetition.

Host a site which uses a server that does only one thing: associates fixed-length keys (say 64-bytes) with fixed length blocks (say 4096-bytes).

Provide software to subscribers that allows them to commit their data files to the repository by the following:

The user-app adds a unique random string (created during software setup) to a normal-style (say UNIX) file path. The resultant string is hashed with SHA512 and is used as the header-block identifier.

The service returns an encrypted block which is decrypted locally by the user’s (protected) key (either set-up as a default or provided as a passphrase).

The decrypted block contains a header which tells the local software where to find (and what are the SHA512 checksums) of all the other blocks (also encrypted) in that file. The software queries each block one-by-one from the remote and they are assembled on the user’s machine in the form of the file.

Since the user has the keys and the blocks are not only stored encrypted but there’s no way to group blocks into files or to tell who they belong to, would that make a secure service for the user and a safe business for the provider?

Mike the goat • October 18, 2013 11:16 AM

Clive, Nick: okay, now I am going to have to get my hands on a handful of tritium radioluminescent “Exit sign” light sources and see how much power I can get out of, say four of them. Each one has 67GBq when new and they are about 150mm in length. Maybe if I put a few in a mirror clad ABS project box and direct the light onto two small panels I can charge an internal lithium ion battery and then use that to charge my cellphone. Hmm, now there’s an idea. A portable charger that never needs charging.

Aspie • October 18, 2013 11:35 AM

@Mike the goat

lt seems that tritium has a half-life of 12.3 years.

I seem to remember that the USSR (as was) had hundreds of Strontium-90 RTGs powering beacons in remote parts of the country.

Many are probably still there – all kinds of records and small devices of similar types apparently disappeared in the transition.

Probably corroded, cumbersome but the Strontium-90 in them has a half-life of nearly 29 years.

Beyond trying for 80+ years with plutonium this might be a useful middle-ground to get you off the grid.

Clive Robinson • October 18, 2013 12:14 PM

@ Mike the Goat,

Before getting trit lights I sugest you look up their spectral output and compare it to the spectral requirments of your PV device of choice. If my brain remembers correctly you are in for a disapoitment…

@Aspie,

The Russian’s were and still are the experts on isotope batteries. The US and other WASP nations nolonger have the sort of reactors to make the required isotopes (apparently terrorism fears etc etc). It’s got so bad that NASA that needs these sort of batteries for far solar system missions don’t have any to spare for lander exploration of various “heavenly bodies” such as “stable moons” with far side low libido [1]

It’s sad to say that those in the 50’s through 70’s who designed such space systems and equivalent subsea systemsare now rather rapidly dying out. We lost Scott Carpenter just the other day who was a Mercury Astronaut (Aura 7) and came back after a very difficult flight where a major part of the automaticsystems failed and like Neil Armstrong on a more famous flight he had to take manual control of his craft to land it safely. Enthused with possibilities of sub sea exploration he took leave from NASA and was involved with SeaLab and later used his diving skills (like Buzz Aldrin) to train astranauts for space walks and EV technical work. He was not just an astrounaut and aquanaut but also an engineer of substance. As one of the original Mercury 7 he is only succeeded by John Glenn.

[1] Lets see how many filters that lot trips 😉 and before anyone has a fit of the sensibilities the terms are if I remember correctly being used more or less correctly.

Aspie • October 18, 2013 1:23 PM

@Clive Robinson

…with far side low libido…

Do you read much Gary Larson?
I think you mean albedo. 🙂

The torch must be handed on. But I agree, there was a certain bold adventuring then and, coupled with Kennedy’s push to be the first on that airless rock, money was available.

It takes administrations with courage and vision and more distantly separated/insulated from the spells of the MIC to keep this kind of pioneering going.

Joe Smith • October 18, 2013 2:04 PM

This whole scenario is silly. It boils down to trust. At some point, all entities (whether companies or governments) rely on the “motivations” of people to keep things secure, including “user data”. This is no different that a paper hardcopy example. Instead of the data being copied onto removable media, it would be stuffed inside a bag ans walked out. So do we try to worry about making the company resistant by focusing on the doors? The last door becomes cyber access at some point. So unless it is possible to eliminate trust, it is not possible to defend against all scenarios, regardless of motivation.

Nick P • October 18, 2013 4:58 PM

@ figureitout

The overall post is more like the Saltzer and Shroeder principles than a particular secure system. Several of these are pretty straightforward to apply and benefit from. Most of them are principles for people to incorporate into their projects’ design, implementation and maintenance.

“Why don’t you link to an instructable as an example of one of those systems you describe?”

Statute of limitations might not have passed for all of my past activity. They might have archived data on the transmissions themselves. So why would I post the specifics of how I anonymized and obfuscated it all as an instructable? Might as well send them a video confession signed with my private key while I’m at it. 😉

Figureitout • October 18, 2013 5:09 PM

Statute of limitations might not have passed for all of my past activity.
Nick P
–I know for damn sure me neither; but they broke the law too. So everyone should know that before you try any of Nick P’s suggestions, that you are taking a serious risk and there may be hidden “gotchas” and no matter the impeccable opsec you think you have, it may be meaningless b/c there’s too much surveillance. You need to move slow and (sadly) when probing allow someone else to go first…

Nick P • October 18, 2013 5:22 PM

@ figureitout

True. That warning goes for the entire security field, though, if the threat model is a TLA. Most solutions aren’t designed even considering them really. That one advantage I think many of my approaches have.

Safest option is to not piss off TLA’s, leak documents, etc. Anyone taking a more dangerous route better have mentally prepared themselves for a stressful existence that might end in failure (e.g. prison/death). No solution is guaranteed, not even mine. It’s why I always say keep the specifics secret and obscure as possible just in case. Might cover a slip up later on.

Clive Robinson • October 18, 2013 5:42 PM

@ Figureitout,

Plus none of your solutions matter if your machine is already rooted; so this should be step 1.

Err step 1 of a user instalation perhaps but there is a lot more to do before you even get to that stage.

Stoping NSL’s etc is a socio-legal problem not a technical one, it’s something we tend to forget to our detriment. As has been pointed out once in a court you are “deadmeat” as no actual law needs to be transgressed, the judge mearly has to find you in contempt to keep you jailed effectivly indefinatly. I believe the US record is over seventeen years for a man involved in divorce proceadings, because he could not prove he did not have what his ex-wife claimed he did (even though she could offer no evidence in her favour). Thus not having something and the logical proposition of not being able to prove a negative won’t stop you doing significant time…

Thus you need to solve that, the easiest way is to be in another juresdiction without any extradition arangments with the courts you wish to avoid. However this gives rise to quite a few difficulties when providing services to people in the reach of that court…

The solution is to set up a limited liability company in the courts juresdiction that is owned through another company outside the juresdiction and importantly not have any directors in the juresdiction (with the exception of a financial officer that is infact a firm of accountants with no other executive function).

But that on it’s own is insufficient, the juresdictional company MUST only provide non traffic related services in effect it is just a “Directory Organisation” that provides directory services to it’s customers as a “Mirror service”. It does not carry traffic nor does it supply client software.

Think of it as a combined DNS –for a mixnet– and a validated PubCert db using for arguments sake LDAP. What the company provides is authentication of subscribers but not the joke of current ICT-based-ID of current CAcerts, but that based on legal documentation presented personaly. These customers provide their own certificats which they have “self signed” from their own personal and private signing only PKcert. If the subscriber provides the correct documentation then the company provides validation of the subscribers PubCert into the global DB of which they keep a local mirror. BUT the DB mirror like all others is part of the mix-network and only responds to anonymous mix-network originted requests.

Any user of the DB can access it from various global mix-net mirrors including their own local juresdiction copy. They do not have to do this for every message or any message. Because the client software should make wildcard style requests that get not just the person they are looking for but many others as well.

The client software should be an Open Source project that is developed by an unrelated company or persons who are either anonymous or out of juresdiction or both. Idealy a specification should appear anonymously much like that of BitCoin.

This makes any judges life slightly problematic, the company has no directors within the juresdiction to summon into court and no extradition arangments to bring them in range. Company employes have contracts of employment with terms and conditions that prevent them being involved with non company related software development and specificaly working on software of the type used for communicating across mix-nets. So it would be pointless ordering them to put backdoors in as any they do would not provide any usefull information metadata or otherwise. Even substituting PubCerts would not get them anywhere because when a client tries to talk to another client the Cert in the directory will only work if the recipient of a message put it in their client software. Providing the receiving client does a reverse lookup a Man in The Middle attack won’t work either.

The only thing a Judge can do is order the company to register a false persona. Thus it falls back to basic human trust or don’t trust and LEO’s etc will have to follow the old “undercover operative” rules and procedures of establishing “Back Stories” and “Credible ledgends” which is both expensive and difficult.

However there is a problem for them, whilst they might compel the company in the juresdiction to “forward on” the false persona they cannot compel the out of juresdiction company to accept it to put up in the global directory mirrors. If one of the requirments is for a copy of the “passport file” which is signed by the passport issuing country it’s either a genuine ID or the country has coluded in supplying false passports which is against triety requirments. It also provides the global DB with “facial recognition” checks which might well “out” the LEO under cover operatives, which will probably make them very wary about going down that route…

I’ll leave you to consider pros/cons/probs with the above outline.

Figureitout • October 18, 2013 5:44 PM

Nick P
–Yeah well if the MIC is so big you basically have to submit to anything like more TSA ‘lest you piss them off, they piss me off. They get special priviledges like using massive amounts of power (and then f-up) and can break the law. It really sucks, doesn’t feel like the public is getting more security, and I’m going to have to hear “Well, he didn’t have the ‘proper implementation’ ” or “His opsec was lacking” forever when it’s impossible and the advice isn’t very helpful. Just go paper in a shielded room, that’s the best advice I think.

Figureitout • October 18, 2013 6:02 PM

I’ll leave you to consider pros/cons/probs with the above outline.
Clive Robinson
–Yeah ok I’ll be awhile b/c it doesn’t make sense. I heard a talk where some girl claimed “rape” and got a man on deathrow for 17 years.

Anon • October 18, 2013 7:42 PM

I’m surprised no one looked at it from the angle of Guavabit. Let’s say the owner/coder’s family is kidnapped by the drug cartels. He doesn’t contact the police because we’ll assume some of the police are corrupt and if the drug cartel is tipped off, they’ll kill his family immediately. What system should he have in place so that it’s impossible for him to obtain access by either legal or illegal means to the content of the emails of his clients?

Clive Robinson • October 18, 2013 8:11 PM

@ Aspie,

I think you mean albedo. 🙂

I did indeed but it would not trip a filter, hence my disclaimer 😉

I was thinking of working in other astronomical terms that would likewise trip filters –such as the common name for stars that have colapsed to the point where even light cannot escape them– but I thought nagh It would be to obvious. Not that such considerations stop others… Some years ago I was reading “my stars” in the London Metro free paper when I read “uranus is moving into mars” and the hot brown liquid nearly got sprayed across the train carrige.

But back to NASA it was said in 69 that the space race ended when armstrong’s foot touched the lunar surface and Nixon “kissed him off from the oval office”. And in many other respects the US died that year. The sixties began with JFK’s “within this decade” speach which launched the “can do” attitude that rose then fizzeled out as politics became all “fill me boots” with congress critters et al snorting at the swill and all sorts of other nastyness slimed out the swap to put on a shap suit or uniform and crawled up the hill to grease or be greased with wads of high denomination notes. I still remember all the words to Barry McGuire’s career killing song “Eve of Destruction” from the mid sixties it was so evocative of the times and scared record company execs who under political preasure or not would not release any more of his work. It was in effect baned in the UK by the BBC and this actually promoted it. But NASA failed they made reaching the moon look easy and routien it was the ill fated Appolo 13 that briefly jerked the worlds eyes skywards again as did the later Space Shuttle disasters but the US public in the main were more interested in repeats of old sitcoms not new science, and we see this “road crash” mentality on the 24 hour news programs of Fox & Co. It appears to be “blood and guts” with the “steak and chips” TV dinner with science pushed to some small hours slot for insomniacs…

Mike the goat • October 19, 2013 1:31 AM

Clive: I realize they aren’t particularly bright. I have a small trit light on my keyring ;-). If we can squeeze just enough power to keep an 8-bit AVR humming along then that is all we would need to at least keep the ‘brain’ of the box (that controls the intrusion protection features) alive. Then again I am certain we can come up with something more elegant than that.

Given a lithium ion battery in my cell phone lasts a good year or two with myriad charge and discharge cycles and the black box is likely going to be opened every few years anyway, is there a negative to keeping it simple and using a lithium ion battery inside charged using a charging circuit powered by a PoF receiver?

Wesley Parish • October 19, 2013 3:02 AM

Oh the shark has pretty teeth dear, And he shows them pearly white: Und Macheath, der hat ein Messer, Doch das Messer sieht man nicht …

Slightly off-topic, but I had an idea a while ago about developing a tiny office suite. I decided not to lump a pile of small software together and call it an office suite, because we know from MS Office that that approach doesn’t work terribly well.

I thought it should be based primarily on the communication concept instead of tacking that on later – that was the reason why MS Office sucks [tacks]. And I thought the only suitable model for the communication base was the distributed/concurrent version control system. From that you could build several version of the communication system with minimal pain – one to one, one to many, many to one; time-delayed or instantaneous. It already has suitable crc built in; one could easily build in encryption.

All this discussion about suitable secure communications systems has brought it back to mind. I left it in the design stage: what do people think? Should I dig it up and re-start it?

Clive Robinson • October 19, 2013 5:49 AM

@ Mike the goat,

It’s not the brightness or lack there of I was worried about. PV devices tend to have narrowish spectrum often towards one end of visable light, the trit lights also have a narrow spectrum but in another part of the band…

I also remembered that the light output half life of trit lights was considerably less than the trit half life due to the ionising radiation degrading the phospher.

In googling around for data I found the following PhD thesis and the research litriture review in chapter two tells you much of what you need to know,

http://www.ideals.illinois.edu/bitstream/handle/2142/16849/1_Yakubova_Galina.pdf

The data is what I suspected and you might want to save your money for another method…

Mike the goat • October 19, 2013 6:12 AM

Thanks for the info Clive. Yeah, was just a thought… Seeing as they are so readily available. Looks like tried to do just that… ignore his misguided idea that he has somehow made a “nuclear reactor” by taping a GTLS to a PV panel, of course. What about the long lived power sources they use in pacemakers (obviously they had to replace the Pu atomic batteries with something less dangerous) … I wonder what their longevity is like.

Remember that the battery will be continuously charged from the PoF link .. It will only actually be drained if the power dies, which is really its most important time to shine as it must do its destruction routine.

Perhaps you could use a number of supercaps that initiated a chemical battery for the delete routine. I.e. power is lost, tiny circuit that runs off a bunch of supercaps starts the clock ticking… At a certain point it uses the last bit of power to move the tiniest of solenoids that pulls a seal that divides the electrolytes of a battery (or breaks a seal that allows a phial of water to drop into a water activated battery like the ones they use on maritime ELTs) …

I quite enjoy purely academic brainstorming sessions. I know you feel the same Clive, given your previous posts!

James Sutherland • October 19, 2013 6:28 AM

JeffH: You have a valid point about Google’s business model for Gmail relying on poking through the email contents to figure out which ads will make most money for them – but there are perfectly sound business models in place already which don’t rely on that: I pay for my own email account, with Fastmail. They hold my email for me, I give them money. No analysis or advertising involved anywhere, and both sides are happy. (They’re in NYC, so no protection against federal government intrusion there, but it does solve the business model problem.)

Nick P • October 19, 2013 11:05 AM

@ Wesley Parish

I think an application-level middleware is going to be how it’s done. The government went with that option for a few designs, including the new stealth ship. The management of connections, security and anonymity can be handled by it with parameters given by the users. Site maintainers will have default (known safe) configurations available on their site.

Example middleware for inspiration include ZeroMQ, Ensemble, Spread communications toolkit, and ICE.

Mike the goat • October 19, 2013 12:41 PM

Did anyone else notice the title of that blog spam a few posts up was “true religion for infants”. I wonder how this stuff is generated? Markov chain? Or something more complex?

Mike Nomad • October 20, 2013 1:33 AM

Not having read all the comments…

Court Order proof? Depends on how you define victory. House whatever computing rig in a magnesium/thermite case, wired to go up with some sort of deadman-switch, and figure out who in the organization will least mind getting sent to Gitmo.

ahh_biz • October 20, 2013 8:31 PM

Sounds like having an automated system for encryption is a weakness that NSA can exploit.

Did anyone think of some sort of shorthand manual data sheet that you would fill out with a pen or pencil after manually doing the computations, then just scanning and uploading to a blog or website as a JPG? Maybe a one time pad based algorithm.

Yes it’s inconvenient, but one time pads work and are unbreakable.

If you use a computer for anything other than transmitting an already encrypted message (that was encrypted offline, manually) you are asking for trouble. It’s obvious NSA will start with your operating system and get the message from there before it is encrypted.

Think you will outsmart that by having a computer that is simply not connected to the internet to encrypt / de-crypt your message? Think again, the same technology that allows for smart electric meters, so the power company doesn’t have to send a meter reader guy to your house; could allow your computer to communicate through AC power lines.

I’m trying to be helpful here, I don’t have all the answers and I don’t have the time to do all the research, but I fully support the idea that unbreakable and anonymous encryption should be available to the masses to protect us against an out of control government surveillance state.

I don’t like where any of this surveillance of innocent American citizens is heading and I feel powerless to stop it, and that our government has been bought and paid for by the rich and powerful.

“Terrorists” are not the real enemy of the state, the real enemy of the state is educated citizens who can think critically and intelligently, and see through the propaganda. That’s what all this surveillance is really about; the powerful trying to stay in power though any means, using our own government against us; The People.

I’,m already “on the list” and I’m proud of it! At least I don’t live like a scared refugee in a “thug” country that professes to be free, but isn’t. Snowden is a true American hero!

Mike the goat • October 21, 2013 3:31 AM

Mike Nomad: I dunno, do the manufacturers of safes and ATMs that incorporate UV note marking “bombs” that are primarily designed to destroy currency but have been responsible for human injuries (of people trying to break into the machines) sent to Gitmo? I would think that a similar “self destruct” system – if prominently placaded and proportional (i.e. using only enough energy to destroy the data and not, say 5 lbs of PETN) would not be much different. Perhaps a pneumatically fired system or borrow the way car airbags produce a huge amount of N2 using sodium azide in order to drive a push a ramrod into the flash chip that houses the keymat. I guess you could come up with a more passive system by housing your key on a stick of standard LPDDR but keep it in a temperature controlled environment within your black box. There are many potential ways you could do this I guess without necessarily using enough explosive to cause damage to a human.

Clive Robinson • October 21, 2013 5:02 AM

@ Mikes goat & nomad,

The problem is destruction of what the court sees is “evidence”…

Now everything / action made by every enterty legal or natural or for that matter tangible or intangible is in theory “evidence”.

However there is legal recognition that not everything can be recorded/kept.

One dodge some legal birds of prey (pick your choice of Eagle or Vulture 😉 are pushing is “policy” that is if your company policy on protecting and retaining data stipulates certain conditions to meet compliance etc then records destroyed are “due to policy” not “destruction of evidence”.

So ensure the “deadmans” is in the policy to prevent theft of data that might be used for ID theft etc that would put the organisation in breach of compliance and customers at risk if the theft occured…

And indoctrinate the staff that anybody with out appropriate “approved by the company” paperwork will be assumed to be thieves even if in uniform and carrying badges guns etc. Obviously as this necessitates having photocopies of such approved paperwork for staff to verify against anything that cannot be photocopied cannot go in the file and so does not meet the requirment for “approved”.

After all if people did not “impesonate” LEO’s for criminal activities there would not be laws against doing it. And if there were not criminals trying to steal peoples ID etc there would not be the need for either compliance or proceadures dictated by trying to stay within compliance…

If done correctly it should cause no end of legal tangles that even a “secret court” could not keep under control and thus secret. And once the “cat is out the bag” there tends to be quite a bit of blood drawn before it’s finally put back and “secret courts” and the organisations that abuse them don’t like tangles or blood it tends to make them nervous.

Chris • October 21, 2013 12:38 PM

Simon: Lets presume Lastpass (or Google or pick your favorite online backup) really does encrypt on the client side and doesn’t have access to the unencrypted data at all. If they get a court order to detect when Simon logs in and push a plugin update only to him that passes the encryption key back, can they comply? (I’ll give you a hint: US v Tyler Stumbo) Would you know if they did?

Encrypting on the client raises the work needed to get your data, but it doesn’t put it beyond the reach of a major nation state. (For that matter, encrypting using an outside program like KeePass and distributing with Dropbox raises it vastly more, but if the NSA really wants your data, they could get it)

Anon • October 21, 2013 8:25 PM

Some of these comments seem like they come from another planet.

Thermite – great way to be on the “no fly” list for life in the best case scenario

randomly generated keys that go “bye bye” if you don’t regularly attend to them – if you’re running an actual commercial service and are in a car accident or have some other emergency, having all your customers lose all their data can’t be good for business

indoctrinate the staff that anybody with out appropriate “approved by the company” paperwork will be assumed to be thieves even if in uniform and carrying badges gun – The idea that your employees are going to resist the FBI is insane, even the drug cartels usually know it’s game over when the feds show up. Resisting a court order is a great way to go to jail, but if you really believe the officers are “fake”, you can report the crime after the fact.

Nick P • October 21, 2013 9:27 PM

@ Anon

“Some of these comments seem like they come from another planet.”

That was my reaction. It’s just not realistic to think most of these solutions would work in the US and not put someone in jail. It’s why I recently broached the topic of creating of a lawful intercept system that both the government and users could trust, maybe via trusted computing or independent vetting. Might help at least when they’re kind enough to use warrants for specific users or information.

Clive Robinson • October 22, 2013 4:22 AM

@ Anon,

Firstly these points have been discussed on this blog before and you might want to go back and read them.

Secondly you have to remember that there is an “international” asspect to this blog which also happens to mean “multi-juresdictional” and that has some usefull side efects. So ignoring this, and not using it to your advantage is not perhaps the wisest thing to do.

Thirdly for several thousand years people have known that one way to defeat a strong enemy is by using their strengths against them. Thus an army designed to defeat equivalent armies is generaly usless against small highly mobile groups of people who can think on their feet and respond in a fast and fluid way. As has been observed “even mighty mountains get washed away in time”.

As for “thermite” it’s a tool and making / owning / using it is actually not illegal or for that matter even requires a licence or permit in many juresdictions. This is because it’s not an explosive, and very stable in use and a lot lot safer than sitting on top of a tank full of fuel or household cleaning agents, and it is a very usefull tool used in quite a few industries. Like all tools it’s agnostic to it’s use and the notion of good-v-evil use is in the heads of observers, and thus it’s use for a particular task may be regarded as a crime and that is another issue all together because it’s about the actions of individuals not tools. As for your comment about “the no fly list” I’m tempted to use the long time insult of “only in America” instead I will say that if you care to go and look you will find that many countries don’t have a “no fly list”.

As for “keys that go bye-bye” you are again making assumptions that are not valid. If a key does become lost in any juresdiction it does not mean that copies of the key or the actual data are not held and used in other juresdictions. The fact that you can make arangments such that it cannot be retrevied from inside the juresdiction it is “lost in” and thus you cannot be compelled to supply it is something most law makers have chosen to ignore and various methods of doing this –such as m of n key shares– have been discussed on this blog before. As for “business continuity” after 9/11 and the stoping of flights many backup plans include an international dimension such that business will continue, just in other countries thus juresdictions.

As for destruction of data and courts, there has been much debate about this in various parts of the legal proffession due to a new(ish) game in town called “electronic discovery” and other similar names. In essence the main rule of the game is “begger thy neighbour”, by running up their legal costs, and if that fails use other tactics around electronic records such as emails etc, including aledging willfull destruction of evidence.

The advice given by those in the legal proffession boils down to,

1, Keep only what the law requires and for the minimum length of time.
2, Keep what the business needs to the minimum and for the minimum length of time.
3, Have clear and well enforced policy on data destruction.
4, Keep all data not just financial and PII in a secure form.
5, Keep date clearly segregated
6, Limit access to data at all times to prevent misuse.
7, Have proceadures in place for dealing with court orders.

Now please feel free to visit a corperate lawyer to discuss this if you feel it’s somehow wrong but expect to receive a very expensive and non-commital reply.

But also remember if and when the Feds turn up they are initialy as impotent as any other person and cannot prevent alarms being tripped in the time period between arival and establishing control of an area. They know this which is why they generaly don’t announce they are comming and hope on the “rabbit in the headlight” response to get what they want.

They also know that once an automatic process that can take micro seconds to compleat is in progress they are to late, which is why they try not to trigger or cause to be triggere such systems. So oddly enough they generaly try to be calm polite and not cause alarm and generaly don’t turn up wearing uniforms or quasi-military garb.

Also I would suggest you look at bank protection systems used in various countries to prevent holdups before you say resisting people with guns is insane, because that is exactly what those systems are designed to do.

As for court orders being resisted it actually happens rather more frequently than you think, and mostly people do not end up in jail, but in court fighting delaying tactics that can and do go on for very lengthy periods of time.

As a general rule the only advantage the Feds have is “surprise” and as a general rule they don’t turn up “mob handed” to deliver court orders unless they have reason to justify such significant expense to their superiors.

And beleive it or not mostly LEOs of all types follow the same behaviour unless they have reason to beleive their might be a violent or life threatning situation occuring.

Dirk Praet • October 22, 2013 8:04 AM

@ Anon

Some of these comments seem like they come from another planet.

Perhaps some comments appear outlandish to you because you keep ignoring the international dimension of both this blog and the unprecedented nature of the global US surveillance dragnet at hand, the latter being more reminiscent of the dystopian nation of Oceania than of a free and democratic country that calls itself the leader of the free world.

name.withheld.for.obvious.reasons • October 22, 2013 10:29 AM

@ Clive

“Only in America!” can no longer be used to denigrate the United States:

1.) The whole country is involved in a devolution in both thinking and action. So it’s redundant to insult them.
2.) This could be a conspiracy affected by the British as revenge for the revolution. Makes sense, a tit-for-tat over the revolution. My thought is that the Brits couldn’t be clever enough to cause.all Americans to be so ignorant. That can only happen in America.

Skeptical • October 22, 2013 10:46 AM

Clive, so you’d consider the threat of thieves removing data while impersonating government agents to be greater than the risk of your employees interfering with government agents executing a lawful order? Obviously if a company employee tries to stop a federal agent from removing items seized pursuant to a lawful order, that employee will be arrested. If you make it a company policy that federal agents are to be interfered with unless they have “company approved paperwork,” you’ll be arrested too. And here’s the thing: if the government can’t quite make whatever case they were looking at originally, the US Attorney will push ruthlessly for full punishment on every obstruction, interference, and conspiracy charge. Hell, sheer annoyance at such a policy would probably play a motivating role.

Now, the company can certainly call the office of whatever agency is claimed to be conducting a search, and can verify the identifies of the agents on the scene. Some security systems will physically require any overrides of procedures designed to admit only pre-authorized individuals to be okay’d by someone higher in the chain of command. That may provide time to verify the identities of the agents asking for entrance, but God help you if that higher up doesn’t give approval the moment he sees the warrant and the identifications, or if the process is ever perceived to be an excuse to stall.

Regarding data retention policy, if you’re a business, be wary of anyone telling you that you should have a policy that simply retains data for the minimum amount of time needed for business operations. Obligations to retain data will vary by type and by jurisdiction and by other circumstances.

As to the US and the 1984 comparison… that’s a little overwrought, no? The Guardian sent its work and data to what country because of the better laws protecting that data from the government? It wasn’t Oceania.

Dirk Praet • October 22, 2013 6:13 PM

@ Skeptical

As to the US and the 1984 comparison… that’s a little overwrought, no?

It was me who hinted at 1984, not Clive. And no, it isn’t. The Five Eyes accidentally are all part of Oceania. Orwell was even a visionary in making the UK part of it, as opposed to the rest of Europe that is in Eurasia. Which is pretty much how Britain is perceived in the EU these days.

As for your waning freedoms: note that CISPA is on the legislative agenda again and that the Feinstein/Rogers tandem is pushing very hard for a new (still secret) bill aimed at continuing collection of every American’s phone records unabated, beit thinly disguised as something intended to rein in the NSA’s activities.

Your 4th and 5th Amendments have been curtailed for a while by PA and FISA. Just sit tight for the same to happen to the 1st when idiots like Sen. Dick Durbin get their way. And then remember how a handful of silly sods tried to warn you, but that like a mother defending her crack addicted son you preferred to stick your head in the sand instead of doing something about it as your slightly more courageous ancestors did in taking on the Brits.

Anon • October 22, 2013 6:48 PM

@Clive

I almost guarantee that any employees in the US who pushed the panic button when two FBI agents presented a warrant would almost certainly be arrested and sent to a federal prison, especially if it put the remaining keys or data outside of US jurisdiction. No employee is ever going to be brave enough to test that theory and risk getting arrested by pushing some panic button. If an FBI employee got burned by your thermite while trying to disassemble your tamper resistant safe, you could get charged with assaulting a federal officer. If you don’t believe me, come to the US and try setting up your email service. I do agree some type of split key system among multiple jurisdictions could work.

Dirk Praet • October 22, 2013 7:45 PM

@ Anon

I almost guarantee that any employees in the US who pushed the panic button when two FBI agents presented a warrant would almost certainly be arrested and sent to a federal prison …

Easily circumvented by a person at the gate pushing the panic button, confirmed by a 2nd person receiving the agents while a 3rd one at the ops console upon reception executes the panic procedure without knowing why it was invoked or even understanding what it does. One and two can claim plausable deniability about knowing what procedure would be executed, while number three can do the same about the company receiving an NSL or whatever. Need-to-know, dual controls and segregation of duties are wonderful concepts when implemented correctly.

If an FBI employee got burned by your thermite while trying to disassemble your tamper resistant safe

This would have legal ramifications in any jurisdiction and would need to be executed before they can physically get to the device. Could be part of the automated panic procedure in which a band of thermite could be remotely ignited by something as simple as a radio signal. IIRC, that’s the type of failsafe the original creator of the Blue Box had built in.

If you don’t believe me, come to the US and try setting up your email service

No thanks. If ever I were to set one up, I’d never do it in the US.

Figureitout • October 22, 2013 10:30 PM

Anon
–Most anyone half competent in security will see a “covert” FBI investigation before they get to the thermite. They’re that bad and will only catch the derpers and not make an actual dent in the real criminals.

Schneier on Security