Comments

Steven Griffin October 4, 2013 4:36 PM

Steve Gibson, the guy behind the all together fantastic software known as SpinRite, came out with a new website login protocol.

https://www.grc.com/sqrl/sqrl.htm

Mr. Gibson’s description:
Summarizing this for your next cocktail party: “The website’s login presents a QR code containing the URL of its authentication service, plus a nonce. The user’s smartphone signs the login URL using a private key derived from its master secret and the URL’s domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it.”

Has anyone taken a look at it yet?

I’d love to know what the community here thinks of it.

-Steven Griffin

Scott October 4, 2013 4:51 PM

@Carpe

I’m surprised the NSA doesn’t just steal the private keys from all of the nodes. Seems like it would be much simpler that way.

Carpe October 4, 2013 5:07 PM

@Scott

One thing about military(esque) entities, they take multi-faceted approaches. They probably do that and any number of other things as well.

Okian Warrior October 4, 2013 5:12 PM

@Steven Griffin

I took a look at Steve Gibson’s system, and it looks pretty good. Some observations:

You don’t need a phone with camera, the processing could be done in the browser by reading the QR code from HTML data, or by a screen-capture program that finds and reads the QR code.

I would trust a browser app or screencap program if it were open-source and written by a trusted party – the people who do Tor or the Mozilla foundation, for instance.

A recent news article tells us that the FBI requested and was granted the SSL private key for Lavabit (with no limitations, and under a gag order which was why they shut down).

Since SSL can be completely transparent to the FBI upon request, I believe Steve’s system could be vulnerable to a MITM attack. A system could simulate the login experience while faking the SSL cert of the target system.

Other than that it looks good. We still need a way to securely communicate without SSL, though.

Scott October 4, 2013 5:30 PM

@Okian Warrior

Other than that it looks good. We still need a way to securely communicate without SSL, though.

SSL, especially the system for issuing certificates, is a complete mess, but there is no getting around a PKI for internet communications. I would like to see the IETF working on a successor to IPv6 which forces all network traffic, payload at the least, to be encrypted with a Diffie-Hellman scheme using 2 static keys, one for each IP address, and 2 ephemeral keys to ensure perfect forward secrecy and authenticity. There would be a certificate chain going all the way from IANA to the individual device’s IP. If you combine the client’s ephemeral key with the server’s static key, you could build a proxy protocol that allows the client to be assured that the proxy server/Tor exit node cannot decrypt the data. The proxy would have to pass its shared-secret generated by the server’s ephemeral key and the proxy’s static key back to the client, but that shouldn’t leak any information about the private keys.

I would also like to see the domains handled in a similar manner, with DNSSEC used to ensure the security of the DNS system, with a DNS entry for the domain signing certificate, which would sign the certificate used to verify the domain, which would either add an additional static key to the key-exchange protocol or be used as a signing certificate in the handshake (that way one IP address could host multiple domains).

Sure, if they started it today, it would be 20 years before anyone started implementing it, but 20 years from now is better than never.

TKS October 4, 2013 5:44 PM

@Steven Griffin

Looks good, but I don’t like the idea of having a private key on a mobile device.

BJ October 4, 2013 5:52 PM

Hi Bruce,

I found your article on Tor,
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
but I can’t remember where you posted about it so I’m replying here.

  1. thank you for writing the article
  2. “On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.”
    If they’re hacking the browser, then they be able to obtain the user’s real IP, right?
  3. this seems more serious to me than anything else the NSA has been revealed to be doing; they are hacking INTO people’s computers without warrants, etc.
    At least with MITM attacks, they’re only accessing internet data; with this they could access anything on the PC.
    Also, this appears to be indiscriminate; the MITM attacks seem to be targeted.
  4. how much does SSL for Google protect against this?

  5. other than patching the browser; what other protections can be implemented?

  6. I would expect that the NSA would be trying to hack Tor relays as well; any thoughts?

Thanks!

Scott October 4, 2013 6:09 PM

@Steven Griffin

The system seems a little overcomplex to me, and the justification for the complexity appears to be fallacious.

https://www.grc.com/sqrl/crypto.htm

The “Crypto Signature” and “Make Public Key” functions both take long 512-bit values as their “Private Key” input. We obtain this value from an HMAC-SHA512 (Hashed Message Authentication Code using a 512-bit Secure Hash Algorithm) where the HMAC is keyed with the user’s master key and the authenticating domain name is the message to be hashed. For this system to work, the master key input to the HMAC function must never change even as the user’s password is changed. The HMAC key is the user’s ultimate root identification. But in a real-world implementation, we want to allow (almost require) the user to provide a password every time the system is used to prove that they are the person holding the phone and authenticating. We implement this password function by processing the user’s password through a password-based key definition function (PBKDF — the well-known Scrypt sequential memory-hard function) which generates a 512-bit result. This value is then exclusive or’d (XOR) with the user’s current master identity key to produce the never-changing value which keys the HMAC private key generating function. An XOR function is used because, as the user’s chosen password is changed, the user’s master key can be updated to produce a consistent 512-bit value from the XOR output.

ONLY IF the user enters the correct password will the output of the PBKDF function correctly XOR with the current value of the identity master key to produce the correct original master key value which keys the private key generating HMAC function.

Every time the user changes their identity authentication password—including the first time when it is changed from a null password—the identity master key’s value is updated to preserve the post-XOR value which keys the private key generating HMAC function.

With that system, what is the point of changing the password? If you change your password after it is compromised, and you update the key so that the input to the HMAC function doesn’t change, then you have accomplished nothing. The new key and new password will produce the same result as the old key and previous password.

The other problem I have is that you need to store the “private key” on every server, and that is then simply hashed with a nonce. While it protects your password in transit (which encryption accomplishes as well), it does NOT offer you any protection, whatsoever, from a server compromise. It essentially forces the server to store all passwords in plaintext or with reversable encryption.

Scott October 4, 2013 7:10 PM

I didn’t fully read the article, the last part is a public key signing, not a hash, so recovering the public key does not compromise the users. That said, he is basically reinventing client certificates in a way that seems less usable.

Perseids October 4, 2013 7:35 PM

The Keccak team has published a statement regarding the current news on the NIST SHA3 changes: http://keccak.noekeon.org/yes_this_is_keccak.html

“””NIST’s current proposal for SHA-3, namely the one presented by John Kelsey at CHES 2013 in August, is a subset of the Keccak family. More concretely, one can generate the test vectors for that proposal using the Keccak reference code (version 3.0 and later, January 2011). This alone shows that the proposal cannot contain internal changes to the algorithm.“””

The whole article is definitely worth reading.

I hope it will help turn the tides in favour of the NIST proposed changes, or even better yet imho, in favour of setting the capacity to 512 for all output lengths (i.e. this proposal: http://keccak.noekeon.org/a_concrete_proposal.html).

Chris L October 4, 2013 9:22 PM

I have a question about passwords.

Picking an account database at random – say, Active Directory – I can find the password storage system and determine its bits of entropy. AD uses MD4 hashes, which have 128 bits of entropy as far as I know.

So what happens if I create a password with 5000 bits of entropy and use it for a service account? How many collisions would exist? Does that lower the effective entropy, and therefore the password security?

I know that in practice 128 bits is a lot, considering that a collision will most likely have unprintable characters and therefore require a hell of a brute force to guess it. But am I better – in principle – to require service accounts to use a password whose generation implies 128 or slightly fewer bits of entropy?

Am I just completely misunderstanding here?

Tom October 4, 2013 9:28 PM

I’m interested in Mr. Schneier’s thoughts (and those of others) on the unsealed court documents regarding Lavabit.

On the one hand the punch line is the kind of thing we’d expected (the USA demanded private SSL/TLS keys) but the details surrounding the request are worth discussing. The court accepted the government’s promise that the keys would only be used to examine one customer’s (redacted, but most likely Snowden’s) traffic. This is like the rationale given in support of gathering everybody’s metadata from cell phone carriers: trust us to only look at stuff we’re supposed to.

Perseids October 4, 2013 9:42 PM

@Steven Griffin
Remember that GRC are those behind the “Password Haystack”. Ever since reading that article I can’t take anything from GRC serious.

None the less the general concept seems sound as far as I have read it (though it is in no way new). Note that the site features only a sketch of the protocol. Even the “Detailed Cryptographic Design” has very little information. For example exporting the master key supposedly takes 60 seconds calculation time on the smartphone (using scrypt to purposefully lengthen the computation time). Yet I don’t see why one can’t simply copy the files the app stores on the device from one smartphone to the other.

Some other oddities:
– The private key is regenerated every time I want to log in on a website. I’ve never tried how fast key generation with NaCl can be on a smartphone (are there even libraries yet?), it might be blazingly fast, but it still looks like a waste of time as you could just safe the private key encrypted on the device using the master key.
– Also, why use asymmetric encryption at all? The site specific random data could be used as a shared secret between me and the site and then to MAC the login nonce. Still, if it is fast enough on my device and the server is willing to implement NaCl and take the added processing burden then it is nice that the site specific login secret is never transmitted over the internet, not even encrypted.
– Protecting the master secret by XORing it with the key derived from the password is strange. Encrypting it using a block cipher would be the usual way to go. If nothing else this makes talking about the master secret more difficult, because sometimes they use “master secret” in the sense of “master secret XOR key” and sometimes without XORing the key.
– What irritates me most of all is that it is promoted to be used at home with your own PC. I like QR code based authentication when I’m using an untrusted device (internet café, PC of a friend), but at home I would prefer a password manager (or some identity manager that might use asymmetric cryptography to log me in) installed on my PC so I don’t have to fetch my smartphone every time I want to log in somewhere.

Generally I’d like to have some standardized, non-centralized identification and authorization protocols that could replace the (security-wise) awful combination of password logins and E-mail password resets. They should handle secure authorization even on non-trusted systems, comfortable logins on trusted systems, backup keys and key/device revocation. It’s nice that someone tries to tackle the problem, but the GRC solution comes short on real world problems like multi-domain websites, revocation of a lost device (without the revocation of a backup login key so that I can still log in), etc.

blue eyes October 4, 2013 9:59 PM

Stealthy Dopant-Level Hardware Trojans.
Georg T. Becker, Francesco Regazzoni, Christof Paar and Wayne Burleson
Workshop on Cryptographic Hardware and Embedded Systems, CHES 2013, Santa Barbara, USA, August 20-23, 2013, to appear. PDF
http://people.umass.edu/gbecker/BeckerChes13.pdf

Implementing Hardware Trojans: Experiences from a Hardware Trojan Challenge.
Georg T. Becker, Ashwin Lakshminarasimhan, Lang Lin, Sudheendra Srivathsa, Vikram B. Suresh, and Wayne Burelson
29th IEEE International Conference on Computer Design (ICCD 2011), Amherst, USA, October 2011 PDF
http://people.umass.edu/gbecker/BeckerICCD2011.pdf

Jonathan Wilson October 4, 2013 10:07 PM

I would like to see a lot more push from entities like the EFF and Mozilla towards actually turning the various “better than SSL” proposals into actual working usable implementations.

Given that so many people admit SSL and the CA system that underlies it is broken, why has no-one started work on an alternative.

Done right it should be possible to produce a system that is a lot more resistant to MITM attacks (including attacks relying on compromised CAs and attacks based on the NSA subpoenaing the CA and asking for a fake properly signed certificate for “site x”) than the current system. It should also be possible to change the protocol so it uses a session key that is never sent over the network but instead uses something like Diffie-Helman to generate it in a way that only the app actually doing the SSL transactions can ever see the secret values used in the key exchange.

Ronnie October 4, 2013 10:37 PM

Infographic applying some math to the search for terrorists
http://www.topcomputersciencedegrees.com/nsa/

Does the NSA think you are a terrorist?

When the NSA sorts through American communications to find terrorists, what is their accuracy in identifying one?

One thing’s for certain, No Test on earth is 100% accurate.

False Positive: an erroneous ‘positive’ diagnosis resulting from testing inaccuracies.

Let’s assume the NSA’s Terrorist test is 99% accurate (a very generous accuracy assumption).

False positive: 1 out of 100 ‘positive results’ will actually be negative [misidentified].

If you receive a ‘positive’ then you are 99% likely to be a terrorist… right? <–WRONG.

The test will accurately measure 99% of terrorists who take it, NOT 99% of ‘positive results’ are terrorists.

This is a big difference and a common mistake.

… more

Richard October 5, 2013 12:15 AM

Among others, Lenore Skenazy talked about school security earlier in the year. Of particular note was a case where all but one of the doors at a Sunday school had been locked as a security measure; aside from the issue of forcing students and parents to pass through a busy parking lot, raising the danger of car traffic, there was an 11-year-old girl who asked about whether having everyone pass through one door would make it easier for an attacker to target that location. Skenazy stated that “That’s the kind of question you ask when you don’t have a stake in security theater.”

In some schools, there have been plans to have students fight back against shooters, but not suprisingly not everyone agrees. (It would seem likely that there are cases where fighting back helps, along with cases where fighting back puts more lives in danger. In addition, given that large-scale school shootings are unusual and that specific circumstances may be hard to predict (unlike responding to natural disasters), it may be problematic to recommend specific advice.)

In January, a high school newspaper did an editorial about lockdown security measures at the school having “some room for improvement.” Among other notes is that barricading doors is less effective when doors open outwards. (One’s guess is that the doors open outwards to facilitate evacuation in an event such as a fire.) The editorial recommends the installation of “Columbine locks” (who knew there was such a thing…?) onto the school doors that have push bars. A related article gives a comment from an administrator acknowledging “that no community can emotionally prepare for any kind of event that would invoke a real Code Red [armed intruder response procedure].”

Nick P October 5, 2013 1:12 AM

A few of us have been having a debate regarding the Lavabit situation in another thread. An anonymous poster shared a link to the court documents. In this, I was shocked to find that the situation almost flipped against the government and Lavabit’s attorney was unable to capitalize on it. My intuition locked on the conversation with the judge as I feel an opportunity to win in future cases is staring us in the face. No guarantees but let me show you where they lost, why they did, and you readers decide if it could be done better.

[REPOST FROM OTHER THREAD BELOW]

Takeaway for Privacy-centered Services: Most important thing in case!

This part right here that the judge said:

“I can understand why the system was set up, but I think the government is — government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that information just as they would from any telephone company or any other e-mail source that could provide it easily. Whether it’s – in other words, the difficulty or the ease in obtaining the information doesn’t have anything to do with whether or not the government’s lawfully entitled to that information.”

The judge says that every US company offering a service like this should anticipate that the court might need to acquire such information. Further, Lavabit was designed in a way (due to ultraprivacy needs) to require putting all its users at risk to comply with the order for information on just a few. This may not have been intentional. However, the judge found that the trouble Lavabit’s own design posed for handling an intercept was irrelevant to the requirement that Lavabit turn over the information. (Unsurprising.) If Lavabit wanted to create difficulties for intercepts, the consequences of that were Lavabit’s own responsibility.

The Big FAIL

People, the judge ASKED FOR AN ALTERNATIVE TO THE PEN REGISTER! The judge wanted a clear alternative that would get the job done [from his perspective]. The only alternative Lavabit suggested involved a week to put together, 60 days of delay for the data, a few grand, uncertainty ,and the requirement to trust the person whose been resisting so far. Some “alternative”… Lavabit screwed themselves at that point. They might have convinced the judge to adopt an alternative if it was cheap, quickly coded, and had independently verifiable integrity protection.

A Legal Problem With a Technical Solution?

Seeing how close Lavabit got, I think a future privacy-oriented communication service could do better if they design their system with high confidence, selective, real-time, lawful intercept in mind. I’d recommend using a TPM-based solution (e.g. NSA’s HAP from Gen Dynamics) as one could show documents proving that even NSA trusts such solutions to prevent software tampering and even helped design it for government use. All of US government and defence contractors’ product concepts on things such as attestable integrity would be evidence for the privacy-preserving company. (The irony!)

So, the service would be designed to protect individual users, intercept a subset of them, run software Feds could evaluate for potential integrity, run on trusted computing enabled machines to prove that software was running, and give them information in real time. I’d add support to shift select workload or IP’s activity in a way that’s unnoticeable to customers and only put targeted accounts on the machines Feds could access. Gives the Feds live data on targeted accounts and keeps other accounts off those machines. And for icing on the cake, throw in an independent evaluation by a government favored entity like SAIC or Cygnacom that says the software should work as described, with their signature on the system image.

This might work. If it does, it protects the majority of users while giving the court needed data with evidence of total compliance. If it doesn’t, it’s more evidence in the long-term case of their overreach. Least it’s something that might help the next company keep from having to compromise all their users to deliver data on a few.

desktop October 5, 2013 1:40 AM

BIOS/hardware is being attacked with 0days.

The anti-virus companies don’t give a shit about it.

Avoid alpha/beta versions of software – especially proprietary test suites where version changes are fluid and exploits can be delivered between versions quickly without much oversight.

Luker October 5, 2013 1:52 AM

@Okian Warrior,
@Scott,
@Jonathan Wilson
and @everyone who is wandering about ip or ssl replacements:

Changing the IP layer is much more complicated, as the deployment rate is too slow. Changing the Layer 4 can be done, but it’s slow nonetheless.

I am currently working on a solution (name: Fenrir) to replace SSL/TLS and basically also every other authentication scheme. It’s a federated, encrypted, transport protocol that can be run on top of UDP but can provide integrity and a lot of other functionalities.

Imagine google’s QUIC but with better integrated crypto and a lot more functionalities.

I have all the specification, and I’m working on the transport part, I hope I will be able to make it public in 3-4 months.

It doesn’t use the X.509 pki, and uses DNSSEC as its main root trust.

So yes, someone is working on some replacement :). But I’m also just a university student, so I can’t work on it full-time, even if it’s for my master thesis.

omg October 5, 2013 1:54 AM

@Nick

You just wrote such a load of crap. The object this was Edward Snowden. Not a mass murderer. No more acquiescing for a morally bankrupt system.

WAKE. UP.

65535 October 5, 2013 3:47 AM

These comments raise more question than answers. I will keep my thoughts short.

  1. I congratulate Bruce on explaining a complex subject in a way that Guardian readers can understand.
  2. Why hasn’t Firefox reacted to these specific attacks (which makes Firefox look foolish and culpable)?
  3. I believe that that Computer Fraud and Abuse Act (18 U.S.C.) and the Patriot Act make computer fraud, abuse, and data destruction illegal – yet, the NSA is doing exactly that. There has to be point where the NSA’s wide spread abuse has to stop!

Lastly, I have little hope in the US justice system or the Beltway Elites stopping NSA and it power hungry management from this intolerable abuse.

I hate to say it but, it’s time to defund the NSA until this Fourth Amendment abuse can be sorted out.

Mike the goat October 5, 2013 4:36 AM

Perseids: agree. I wouldn’t trust anything from this guy. He had a bit of cred for his spinrite tool back in ye olde DOS/Win9x days but ever since he launched his “ShieldsUp” service I have lost respect for the guy. His Password Haystack article is a good example. His online calculator assumes just 1,000 guesses/sec. Maybe on a Celeron from 2001 but these days with ASICs and GPU based tools like hashcat-ocl it is drastically underestimating time to crack using cheap COTS hardware. It’s conceivable that any attacker worth his salt (haha, salt.. I made a funny!) could spend a few dollars and setup an EC2 GPU instance (or ten) and not even have to spend a dime on hardware. Even that is probably unnecessary as many have a vast network of botnets. Ever since distributed.net started using this concept with the RSA challenge (and DES, amongst others) the blackhats have been installing hashing software on owned machines. I bet a few thousand owned machines could do a pretty reasonable job. With brute forcing you don’t even need to use bandwidth pulling down dictionaries nor do your clients need to keep in constant contact. Just divide up your search space, let your C&C server keep track of which chunks of the search space have been allocated and when each have been successfully searched give them a new chunk.

Moxie’s is one of a number of commercial offerings that have emerged recently. There is one run by a Russian entity – I won’t share the link here but it is an onion hidden service – that claims to have over ten thousand cores that can be devoted to the task. Given they only accept payment in bitcoin and run as a torified service I can only guess that those claimed 10,000 cores all belong to owned machines.

Anyway, my point is his calculator – like so much of GRC’s site – offers up information that is inaccurate, outdated or just plain wrong.

Mike the goat October 5, 2013 4:45 AM

Whoa, sorry about not ending that link. Am writing from my cellphone and the soft keyboard is a nightmare with substituting its suggestions (it is a nightmare on the shell – sh becomes she, ls becomes as, etc.)

RE tor – I am not surprised that it has been a thorn in their side. I guess one potential way for them to somewhat limit its effectiveness is for them to start operating many different relays and exit nodes (in differing locations, under false names/etc). As we saw with Freedom Hosting who ran a whole heap of them – it is indeed possible for a single group to run a heap of relays. By doing that they could make it increasingly likely that a path from entry to exit would go through their owned relays and thus decloak them. Another idea when dealing with just one user would be a timing attack – if they can see a large portion of the network then it may be possible for them to analyze when the connection to tor begins and where it ends and thus decloak them. This doesn’t seem to be possible as even though their dragnet is vast it doesn’t cover the whole Internet.

The Freedom Hosting attack was pretty clever. They couldn’t beat the network so instead they went for the weakest link – the browser running on the client machines.

It is an interesting time to be involved in internet security, particularly as it seems we are trying to stop our own fricking government !

Keccak October 5, 2013 4:49 AM

@Perseids: “More concretely, one can generate the test vectors for that proposal using the Keccak reference code (version 3.0 and later, January 2011).”

They do not provide a proof of this.
Maybe their test vectors, not submitted to the scrutiny of cryptographic community, is a sort of public key with a corresponding secret private key.

The page you linked to states that: “The corresponding two security strength levels are 128 bits, which is rock-solid, and an extremely high 256 bits”.

This unsubstantiated sentence is fundamental in their argument. Sounds like they are cooperating with NSA.

Mike the goat October 5, 2013 4:57 AM

65535: Firefox did respond. The tor browser bundle was running an old ESR of Firefox. The bug which allowed the shellcode execution was fixed months earlier. Unfortunately (this may have changed recently) this could have been avoided by disabling all JavaScript in their browser bundle. This has been a bone of contention amongst tor devs with many arguing that leaving js on is important for usability reasons. I disagree. If I really need js while browsing anonymously I can use an add-on that allows domain specific granularity in whitelisting who can and can’t have js enabled.

Mike the goat October 5, 2013 5:00 AM

Keecak: more importantly even if these NIST suggested changes to the proposed SHA3 improve performance etc. they should not be adopted and the Keecak which won the competition should be past through unmodified. I say this because community confidence in NIST is so low that any interference will result in decreased adoption of SHA3.

Richard Birenheide October 5, 2013 5:18 AM

@Nick P:

Seeing how close Lavabit got, I think a future privacy-oriented communication service could do better if they design their system with high confidence, selective, real-time, lawful intercept in mind.

There is another alternative: avoid US-based services like the plague. Why should one believe that such back-doors would:

a.) be used only for targeted and (non-secret) court approved intercepts
b.) not be used for spying on non-US residents en masse

This is definitely going to hurt US-based cloud services.

Mike the goat October 5, 2013 5:41 AM

Richard: The question is – do I trust the government of, say Russia any more than the United States and could the situation change in the future. Ideally we want to encrypt anything stored in the cloud so it doesn’t matter. Of course with current email you’ll still leak metadata in the headers. I am very skeptical of any web based service that claims they have security or deniability. We have seen with hushmail et al any webmail service that either is “in on the secrets” or uses an ActiveX/Java app to perform the encryption is vulnerable. In the case of the latter nothing stops the webmail provider from receiving a NSL that forces them to offer up a different ActiveX component to the targeted user that leaks the key.

A far more robust solution would be to have the users install a mail client that offers OpenPGP support but in doing this we lose portability. Even a browser add on like Enigform or the clipboard encrypt function of commercial software like PGP Desktop result in a loss of portability which is kinda the point of webmail.

Perhaps we should just give up on the idea of a secure webmail service and instead understand the risks involved in using a webmail service.

65535 October 5, 2013 7:50 AM

@Mike the G.

Thanks for that explanation. Js has always been a problem. No Scripts and the like seem to work but the user agent is constricted on a lot of sites that use js.

Next:

Who funds TOR?

Follow the money. If TOR is substantially funded by the US government it would indicate that the US government have enormous control over TOR.

From Bruce’s column in the Guardian:

‘Yet GCHQ documents show a disparaging attitude towards Tor users. One presentation acknowledges Tor was “created by the US government” and is “now maintained by the Electronic Frontier Foundation (EFF)”, a US freedom of expression group. In reality, Tor is maintained by an independent foundation, though has in the past received funding from the EFF.’

[and]

“To this end, it receives around 60% of its funding from the US government, primarily the State Department and the Department of Defense – which houses the NSA.”

[and]

“The efforts could also raise concerns in the State Department and other US government agencies that provide funding to increase Tor’s security – as part of the Obama administration’s internet freedom agenda to help citizens of repressive regimes – circumvent online restrictions.”

[and]

“The Broadcasting Board of Governors, a federal agency whose mission is to “inform, engage, and connect people around the world in support of freedom and democracy” through networks such as Voice of America, also supported Tor’s development until October 2012 to ensure that people in countries such as Iran and China could access BBG content. Tor continues to receive federal funds through Radio Free Asia, which is funded by a federal grant from BBG.”

See NSA targets TOR

Mike the goat October 5, 2013 8:20 AM

65535: yeah, it is interesting isn’t it?! Why the US govt funds tor on one hand while on another hand they are critical of its existence.

My gut feeling is that onion hidden services is broken or at least severely weakened. I have nothing solid to base this on – just consider the recent arrests of people who have run onion sites. In all of those cases law enforcement has gone to great lengths to claim how they were discovered (seized mail, bragging to friends, whatever) and how it was mundane police work that solved it. I call B.S. We know from Snowden that they manufacture lawful reasons for discovery so as to not reveal a secret program.

If I were running a tor hidden service right now I would be very worried. Then again if I were I’d have jumped through a series of owned computers, a few commercial VPN services and connecting through a WiFi hotspot nearby that I broke into. Multiple layers, multiple methods… Sure, ping times will be 500ms but if it is important enough to run hidden then surely it is important enough to use more than one method of anonymizing.

People need to realize that there is no such thing as anonymous – only difficult to trace back due to chaining.

65535 October 5, 2013 8:25 AM

It looks like the US government mostly funds TOR. According to the Daily Mail. Can anybody confirm?

[Side bar of Daily Mail]

“A large proportion of Tor’s funding comes indirectly from the U.S. state department’s internet freedom budget.”

See Marques extradited by FBI

I would think that US Government could weaken TOR or provide a trap door because the US government essentially funds TOR. This looks like a conflict of interest. That is not so good. It would be best if TOR were funded by and independent source.

65535 October 5, 2013 8:30 AM

@Mike the G.
I just saw your post. I agree with your assumption. I would be very worried if I depended on TOR for a critical site. It looks like the game is rigged.

Keccak October 5, 2013 8:35 AM

@Mike the goat: “I say this because community confidence in NIST is so low that any interference will result in decreased adoption of SHA3.”

NIST is toasted already.

If it wants to save SHA3, some of the member of NIST should send to wikileaks a complete archive of internal communications of NIST.

After each person involved would assure publicly the authenticity of emails quoting him, the community will continue to use the standard not tainted by NSA.

The community now has to invent ways to authenticate without trusting the server.

65535 October 5, 2013 8:47 AM

Now I am really confused as to who exactly funds TOR:

[Bottom of the Guardian article]

“This article was amended on 4 October after the Broadcasting Board of Governors pointed out that its support of Tor ended in October 2012.”

I assume this means the US State Department no longer funds TOR. Who does?

See amendment to Guardian article

-sign October 5, 2013 10:25 AM

@65535
The issue of Tor funding is exactly one good reason as to why I do not understand why it is often promoted as a solution for those desiring secrecy from The Government.

Whilst on the subject I also think “open source” is often assumed to be more secure than it necessarily is. Isn’t it a pain to have to go through thousands of line of code to inspect some implementation for backdoors and other ‘features’? Or perhaps there are some automated tools that can do such inspection?

Nick P October 5, 2013 10:55 AM

@ Richard

“There is another alternative: avoid US-based services like the plague. Why should one believe that such back-doors would:”

Oh I agree where possible. Many won’t be able to do that for a variety of reasons. So, I’m exploring alternatives where the company has to stay in the US. You could say I’m trying to make careful and reliable tradeoffs to minimize harm from LEO interventions.

Exploring your suggestion, minimizing the US’s effect would mean that the service would need to be offshore, the ownership non-American, and possibly the citizens running it not American. Additionally, the service couldn’t be in a country known to be one of our spying partners. Quite a tall order for an American wanting to start a privacy business. 😉

I think people in certain foreign countries are in a better position to do this. Even they must be careful though because over the years we’ve seen news reports of more countries doing the same shady stuff within their own borders.

@ Mike the goat

“Perhaps we should just give up on the idea of a secure webmail service and instead understand the risks involved in using a webmail service.”

Maybe. Or we could make it into a portable, painless desktop and phone app. It would look like email but need not actually be email if messages are sent internally. It could be stored in an email format, wrapped somehow, and transported along the system. Anyway, I think the users are going to have to decide between an app that might be hard for govt to tap, a webmail that would be easy for them to tap (but safe from others), and no protection. If they’re willing to give up a little convienced, we can engineer plenty of security in for them.

Nick P October 5, 2013 11:24 AM

re government and Tor: risks

Situation might not be as bad as people think. One problem with discussions on this is people often say “government” funds or developed Tor, as if “government” is one thing here. It’s not. It’s many different organizations with different missions and levels of trustworthiness. Tor was created and funded for operational use by NRL (an excellent lab) to provide a tool for US Navy’s operations.

“Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications.” (Tor web site)

So, their main goal with Tor was to build anonymous surfing as both a research prototype and something that gave them a capability to use against enemies. The latter means that they would want it to be secure to protect them. That military and intelligence still make use of Tor in their activities adds a bit of evidence to that. Although, it should be known that NSA often tries to subvert tools made for govt protection as well in a way that lets them in but not others. So, you can bet it’s a target of theirs and we should watch for such things.

As for funding, it’s defence contractor SRI International that funds them and contractors fund many tools they think will be useful for them (or Uncle Sam). Tor also received lots of funding from NGO’s, international groups, and foreign organizations. So, funding tells you SRI has a lot of financial influence but so do many groups with competing interests. Plus, it’s the people making the code and design that can subvert the system as a whole. Whose paying is less important than whose building and maintaining the system.

So who all is building the system? That I don’t know. Profiling that might be a fun little project for those of you looking into Tor. A few of them were interviewed and described a lot in the book This Machine Kills Secrets. They reminded me of some hackers I knew back in the day. I was of the impression that, if they’re subversives, it’s governments they’re subverting rather than the other way around. 😉

Mike the goat October 5, 2013 11:43 AM

Nick: I agree with you 100%. I recently was asked to do a code review on OpenSSL for a project and ended up giving up. There was no way I could reasonably analyze such tersely coded crud in a short period of time. We looked at alternative TLS libraries like Mozilla NSS, GNUTLS, etc. and whilst some were (much) better there was a level of complexity that wasn’t required nor desired, particularly as we didn’t need to handle a whole suite of ciphers, nor be compatible with earlier versions like SSL 2.x as we were designing a client to link back with a server which used TLS 1.2 exclusively and a specific cipherset. We ended up going with CyaSSL but that’s beside the point – complexity and the need to accommodate backward compatibility often come at a grave cost.

For this reason I think that any new secure mail replacement should be a complete rewrite from the ground up. It should also not rely on centralized PKI. Perhaps email addresses won’t even be name@realm (as that introduces issues in terms of verifying domain ownership – although DNSSEC or publishing a TXT record could suffice). A peer to peer protocol could be used for message handling. Perhaps existing anonymity services like tor or freenet could be leveraged to provide this layer (and indeed some people already run such concept projects) but I suggest we start from the beginning.

Any new replacement for email needs to address the following design challenges:

  • metadata should not be in plaintext. With SMTP even when the message content is encrypted using PGP or SMIME the metadata betrays who sent it, their IP, their useragent and the route it took to get there. This is all in plaintext. So is the subject line which is even worse!
  • it needs to be 8 bit clean. MIME is a hack. We shouldn’t have to base 64 encode binaries in this day and age.
  • there should be no centralized CA – certification should be distributed
  • everything should be encrypted. We are making traffic analysis easier if encryption is only set on important (secret squirrel) emails.
  • there should be no centralized authority who controls it

Perhaps we could take a leaf out of bitcoin and have a database which all nodes must keep and update.

As each user signs up (installs the software and becomes part of the network) they generate a keypair and broadcast their public key. Perhaps we should also include some sort of proof of work to ensure that account creation is computationally expensive to limit DoS attacks that seek to arbitrarily increase the database size. The network could also ratelimit joins so that there can only be X joins per hour. Clients who stay online and wait keep their place and eventually get listened to.

Anyway, their public key is listed into the database that all nodes keep and the user is now addressed by the fingerprint hash of their key. Because this is large and unfriendly some nodes could run name translation that maps a name to a hex hash (entries are only added or removed if the client can prove ownership to the public key). Friendly names could be arbitrary. Clients will cache the real name once a single email is sent like cert pinning.

The user can receive messages on any machine which has the private key loaded in. So long as they retain their key their address stays current. A store and forward system can be used where nodes on the network hold messages for users who are offline. Alternatively constant connection becomes a requirement and we lose that whole nightmare and it works like current MTAs – the other end just holds onto it until the recipient node can take it. The centralized database that is kept maintains a routing table and the active flag is updated to 1 if an ARP style broadcast is heard and set back to 0 after the keepalive delay is exceeded.

Anyway, these are just a few quick concepts. I am sure there are better ones. What is certain is that post PRISM/BULLRUN we (the software engineers) must adapt. We can’t rely on politics to fix this.

Czerno October 5, 2013 11:43 AM

Re funding of Tor in part by the gov of the USA – the Torproject and its manager (Roger Dingledine) are very open about it, about 60% of the funds do come from US government. They also have repeatedly stated they would /love/ that this proportion be much lesser, but it’s not so easy to find independent funding for the kind of project.

Roger and the Torproject also repeatedly & vigo(u)rously claimed that the present funding structure never did and never would compromise Tor’s design. Note that although initially funded by the US Navy, the conception of the onion router was entirely Dingledine’s child, and I trust him, fwiw.

Jaime Frontero October 5, 2013 12:41 PM

@Mike the Goat (October 5, 2013 11:43 AM):

“Perhaps we could take a leaf out of bitcoin and have a database which all nodes must keep and update.”

We have that. It’s called Bitmessage. Here:

https://bitmessage.org/wiki/Main_Page

…and they’re literally screaming for a proper security analysis.

It would be really nice if any of you security heavies would help them out…

name.withheld.for.obvious.reasons October 5, 2013 12:51 PM

Trip Adviser, a Web Site that aggregats comments on hotels and are ranked from “dirtiest” to clean, a court held that dirtiest is not provable–so it represents an opinion. Accountability for what a person posting to a blog is held to the blogger. This to me represents an abstraction two layers (or orders) away from the “Common Carrier” rules for copper and fiber (not using an OSI model for this).

But, I from a personal perspective, think it is useful to bloggers to avoid the “Rush Limbaugh”-like acrid posts–demeaning someone else to make your choices seem superior is an action that diminishes the involved parties. There should not be censorship in the community. As I see it, the participants for the most part are providing insightful and useful information that is not within the realm of the general public. Blog sites such as Bruce’s are rare, and it could be problematic given that the outside-the-bounds-of-courteous-discourse can wear down the value or perception of the value of the space Bruce has provided. Let me see if I can encapsulate the issue:

  • Freely available, does not require a “club card” to participate (a plus)
  • Broadest participatory opportunities (a plus)
  • Knowledgeable core group with “inside” information and technical acumen (a plus)
  • Signal to Noise ration (SNR) is moderate–though the moderator does a good job, but that’s what it is–a job (a cost)
  • Accuracy and completeness of information provide (caveat emptor, but still a minus)
  • The tendency to moderate sites down–>when the SNR becomes significant enough to exceed the site hysteresis, the moderator is overtaxed, costs rise, and the audience tends to walk away.

I am no fan of a “Blogging Police Force/Squad/Troopers” but I can say that a note about the risk can be useful from time to time. (Not trying to be paternal, I have exercised some self censorship that caused me some anguish–needed to get it off my chest). So this is a cathartic exercise…

mo October 5, 2013 1:08 PM

on ars technica there seem to be people who clicked on the foxacid tag example from bruce’s guardian article that was later removed. what should they do?

unimportant October 5, 2013 1:13 PM

Tor may be supported by the privacy branch of the government. Another branch has a different language or law which hunts down every attempt of using privacy for criminal activities as another crime. Now, with the ongoing incrimination of the civilization, you’ll get a damnation of privacy in general. One example of incriminating the public is the possession and distribution of child pornography in case of sexting between adolescents (which 30 % of the adolescents in Germany do). Criminalizing the public is therefore promoting the surveillance state and deflecting from the own corruption.

Mike the goat October 5, 2013 2:04 PM

Hmm… Just doing a bit of digging on the site that was mentioned on arstechnica. Seems if you connect to 2ndhalfplays.com you can see the directory listing and there is nothing interesting.

Google finds a subdomain (I won’t link it)
baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html

Which has a link to the EFF protest.

Weird. My cell browser doesn’t let me view source but you can bet there is something odd here.

Bryan October 5, 2013 2:24 PM

I want some hardware. For both USB and SATA I want monitor hardware that logs all accesses, and maintains a log of all writes including the data written. They need to be separate from the host computer. They will also monitor configurable ranges of disk blocks and sound an alarm if any of them are written to. All writes will be logged to a separate disk, and a log of blocks read and written will be logged by the monitor host. Logs will be time stamped. This logging could also be combined with network logging to capture it for analysis along with the disk changes. I figure these could be used for fishing expeditions looking for exploit code like root kits, etc.. I think it may be possible to use the Raspberry PI camera interface to talk to a FPGA that will implement the low level logging functions in hardware. The FPGA would handle the write and read through to the primary hard disk, and log all writes to the log hard disk. It will also provide a block read/write log to the logging host, and allow reading of the disks. The Raspberry PI would then serve as the overall controller. Unfortunately I don’t have the FPGA development software, nor do I have the time to design and build them.

Another possibility is the logging hardware could be set up as a USB device. The hardware would only make the logs. The host machine would then be responsible for checking for writes to blocks that shouldn’t change.

It seams so useful, I’d be surprised it doesn’t already exist, but then I also don’t have thousands of dollars to spend on each one. I could see spending up to a hundred or so each.

Figureitout October 5, 2013 2:32 PM

<If they’re willing to give up a little convienced, we can engineer plenty of security in for them.
Nick P
–Quite an insincere statement, instead of just buying a product or taking a pill, users will have to educate themselves in “proper implementations”; you know the ones that always have a hidden gotcha that you can’t test for. So a major inconvenience is more truthful; and further be skeptical. Consulting is not engineering.

Mike the goat
–I like where you’re headed. I don’t know why people keep insisting on politicos to fix these problems, it’s not going to happen. I’d rather laws of physics be violated. The solution needs to be engineered w/ the right people (not feds). Go back old school until the tools get cheaper and better to test. Maybe even fundamentally flipping the protocols on their heads. Distributed so mutts will have to get some exercise to shut it down.

Jaime Frontero
–Mike the goat just said he didn’t have time to evaluate OpenSSL; used by Bitmessage, it is pretty intense.

Bryan
–Me too, good ideas. There’s a lot of products that should already exist but they’re difficult and even worse get attacked by our own gov’t. I would want all that hardware in a secure room too.

Nick P October 5, 2013 2:45 PM

@ Bryan

Then you might like my upcoming paper post. The next collection of cutting edge research and prototype papers I post is mostly on the topic of secure hardware. This includes memory encryption/integrity, stack protection, higher level ISA’s, software protection against low level attacks, and so on. It will probably be ready in a week or two.

@ Jaime Frontero

” they’re literally screaming for a proper security analysis.
It would be really nice if any of you security heavies would help them out…”

I’m not a protocol guy but I looked into it. Looks interesting and maybe workable. I like that the protocol description fits on a few pages and is conceptually easy. That will make for better analysis by pro’s and their tools. Reading the overview the stream management and the infinite rebroadcasting “with exponential backoff” concerned me a bit. These should get a bit of extra analysis for problems just in case. I think there might be a good replacement out there for the rebroadcasting strategy that’s more efficient.

Another issue is that all that broadcasting of traffic makes its anonymity weaker by design. One Reddit commenter pointed out that a network level eavesdropper (many TLA’s fit this) watching whats going into and out of node can easily discern whos talking to who. Maybe they need to rework the protocol to work over Tor like some others have. They might have done this already but I’m talking tight integration.

The proof of work for anti-spam won’t stop it but it’s a good idea as it will reduce volume. Billions of spam is a ridiculous number that current system makes more likely. Proof-of-work systems will cut that down considerably.

The last thing I like about BitMessage is that people are already spinning it onto new solutions. I saw a Twitter service, a social networking proposal, one without proof of work, a smartcard proposal, and so on. That people are finding it easy to extend can only be a good thing far as incentivizing further solutions. I hope they get some expert peer review from protocol people.

geewhiz October 5, 2013 3:01 PM

@unimportant:
Falkvinge has two articles on that which you posted about. I don’t have the links handy, but you can search.

nbd October 5, 2013 3:54 PM

@Bryan:•”I want some hardware. For both USB and SATA I want monitor hardware that logs all accesses”

Try a software solution, assuming you are on linux. http://nbd.sourceforge.net/ for example.
Or iscsi.

Set up the computer serving the block device so that it uses cowloop, and patch cowloop (very small code base) to log everything.

Humperdinck October 5, 2013 3:58 PM

Lots of wrong ppls being wrong at each other re tor.

.onion not compromised, dread pirate roberts used his real gmail for silk road devs, and the feds just followed the breadcrumbs. Laughable opsec right up until being caught INSIDE a SF library with his laptop open.

nsa feds laugh that tor bundle ff doesn’t have noscript enabled by default. See guardian dox.

big freakout that nsa feds are trying to break tor, but thats their freaking job. wtf are they supposed to do? if nairobi/let style attacked were being planned over tor and feds did nothing, what do you think the reax would be?

if you want to hate on the nsa config tor to exit through {ru}. But really how will that save anyone from rogue nodes?

what’s the 4th amendment angle on attacking tor? thats their job. whats the benefit of publishing a bunch of dox with the nsa admitting that they’re defeated by tor and tails? are we living in some magic land where tor is safe if only the nsa doesn’t attack it?

Bruce, are gg and the Guardian asking your advice about what to publish and what not to? Or will all this stuff get printed? What’s the rational for the filter?

Jacob October 5, 2013 4:04 PM

The Guardian had the author John Lanchester write an essay about the current state of affair re NSA and GCHQ. A long read but worth it.

Mr. Lanchester had seen some material that has not been published yet. Some of the details he provided, and his unique view vis a vis societal implications are very well laid.

One interesting tech detail in his essay: NSA spends $250m a year alone on weakening encryption.
I’d say that for that amount of money, there is much more for us to be concerned about. I think that Bruce owes the community to divulge what he has seen that lead him to totally change the way he operates with sensitive stuff. If Messrs. Clapper and Alexander can play with words and meanings, so can Bruce – don’t tell us directly what you have read since it is under NDA, but please throw us some bones we can act upon…

http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester

Bruce Schneier October 5, 2013 4:57 PM

Re the Tor story:

“1. thank you for writing the article”

You’re welcome.

“2. ‘On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.’ If they’re hacking the browser, then they be able to obtain the user’s real IP, right?”

I don’t think so. I think they can just push the attack anonymously back from the middle of the Internet to the browser without actually knowing where the browser is.

“3. this seems more serious to me than anything else the NSA has been revealed to be doing; they are hacking INTO people’s computers without warrants, etc.
At least with MITM attacks, they’re only accessing internet data; with this they could access anything on the PC. Also, this appears to be indiscriminate; the MITM attacks seem to be targeted.”

This is targeted too, but it’s targeted without knowing who the target is.

“4. how much does SSL for Google protect against this?”

That’s an interesting question. Would redirection attacks work against SSL-protected web traffic?

“5. other than patching the browser; what other protections can be implemented?”

That’s it. I think that, in general, the NSA can successfully hack anyone’s computer using these general techniques.

“6. I would expect that the NSA would be trying to hack Tor relays as well; any thoughts?”

They seem not have had any success with that attack.

Bruce Schneier October 5, 2013 4:58 PM

“I’m surprised the NSA doesn’t just steal the private keys from all of the nodes. Seems like it would be much simpler that way.”

That would be hard to pull off.

Bruce Schneier October 5, 2013 4:59 PM

“The Keccak team has published a statement regarding the current news on the NIST SHA3 changes.”

I posted an update to my SHA-3/Keccak post.

Bruce Schneier October 5, 2013 5:03 PM

“Why hasn’t Firefox reacted to these specific attacks (which makes Firefox look foolish and culpable)?”

The specific attacks we wrote about — EGOTISTICALGOAT and EGOTISTICALGIRAFFE — were fixed in Firefox. We do not know the specifics of the Firefox vulnerability the NSA is using now, assuming there is one. I think the Firefox team is doing a really good job minimizing the number of security vulnerabilities in their code.

Bruce Schneier October 5, 2013 5:04 PM

“I would be very worried if I depended on TOR for a critical site. It looks like the game is rigged.”

I think the moral of this story is that Tor is fundamentally secure.

Bruce Schneier October 5, 2013 5:06 PM

“on ars technica there seem to be people who clicked on the foxacid tag example from bruce’s guardian article that was later removed. what should they do?”

I don’t know. One person emailed me to say that it was registered moments after the article became publish, and was serving malware to visitors. That’s why we removed it.

Absinthe October 5, 2013 7:21 PM

@Bruce
I don’t know. One person emailed me to say that it was registered moments after the article became publish, and was serving malware to visitors. That’s why we removed it.

So it was not originally included in the article? Instead the NSA (or who it now may have been) noticed a great place to add a link to their virus factory? But if they have modified the web page would that not mean that the ars technica site is compromised?

Sorry if I am misreading what you are writing here Bruce.

Mike the goat October 5, 2013 11:46 PM

Stanislav: it served up a black page with a link to the EFF. Only JavaScript that was enabled was a bone stock Google ads/site tracker one. When you look at the source there is a commented out section (again nothing too interesting) with the letters NSA at the begin comment. It did not attempt to serve me anything. Maybe it senses user agent.

Figureitout October 6, 2013 12:11 AM

Humperdinck
–Believe me, random citizens acting purely by themselves w/ bogus tiny fractions of resources get a belly ache at how incompetent some investigators are. Little to no tech needed. If these are the guys/gals protecting me from terrorists, they’re not only endangering themselves but give me no confidence in protecting the public and they will tip off their targets so now the attacks will really be random. Opsec lol, that’s overrated b/c there’s so much surveillance that you almost give yourself away or become suspicious for having Opsec in the first place. Forget that for now, they need to learn how to properly approach a target and not give themselves away after the first encounter.

Bruce
–Not asking to reveal anything of significance, but have you noticed any strange encounters or peculiarities w/ any of your devices? Surely they know and you have already prepared yourself for this. There are some very low level attacks that can’t be explained w/ anything other than periods of direct access or hidden backdoors that I haven’t figured out yet. Your computer is toast once this is on it.

Figureitout October 6, 2013 12:33 AM

Mike the goat
–As they say, “It’s an ongoing investigation”; and I feel like I reveal operational capabilities doing so. Ask an intelligence agency about suspected attacks, see their response. Once I do figure it out and find its creators, it’s going to be all over the internet; hell I may even make a facebook acct again.

Mike the goat October 6, 2013 12:38 AM

Figureitout: a months I would have thought you were crazy, but as we know until we have fully auditable hardware anything is potentially possible. This is coming from someone that has had knowledge of dragnet surveillance for about ten years (about the time I discovered an optical splitter cabinet in the MCI Colo facility pur ISP used)

Figureitout October 6, 2013 1:00 AM

Mike the goat
–Yeah I can respect that skepticism. Fact of the matter is I have invested so much time and much of my life to this cause, especially when I was certain covert surveillance was conducted on ME. This needs to stop and no one’s life should be severely affected or more or less ruined by this abuse ever again. They wasted a backdoor on me and I’m going to find it; but I really want to find the creators and pay them a little visit.

Mike the goat October 6, 2013 1:50 AM

Absinthe: given it seems to have been registered after the attack I would say that it is just someone who wanted to cash in on curious users looking at the link featured in the disclosed info. It is a shame as it would have been a great opportunity to get a look at the ‘sploits of a nation state. That doesn’t happen very often (last two I looked at were the torsploit shellcode and stuxnet&flame).

tenthousandsquidsforahorseshoenail October 6, 2013 2:01 AM

@Mike the G

Question: how would you get a piece of hardware you could trust? Put together a computer from component parts? From factories in different countries?

Mike the goat October 6, 2013 2:13 AM

Absinthe FYI:

   Domain Name: 2NDHALFPLAYS.COM
   Registrar URL: http://www.godaddy.com
   Updated Date: 2013-10-04 11:07:14
   Creation Date: 2013-10-04 11:07:14
   Registrar Expiration Date: 2014-10-04 11:07:14
   Registrar: GoDaddy.com, LLC

There is nothing remotely interesting here.

Mike the goat October 6, 2013 2:34 AM

10ksquids…: That’s the thing (I am sure Stanislav will chime in here) – it is impossible to build a trusted PC, at least with modern parts. x86 is so convoluted, so complicated that the attack surface is just too wide. There are myriad ways they could have compromised it. Some of it has been touched on before – Intel AMT in vPro’s are essentially an embedded computer on your motherboard which has LAN access by design (for management), you can imagine the risks there. At least IPMI implementations are usually restricted to the secondary NIC, which doesn’t necessarily improve things too much anyway as we know it has bus level access. A hardware hack doesn’t even need to be online to be effective – their mod could just be, say modifying the keyboard so that the buffer will be spewed out if a secret magic code is entered to assist operatives who arrive on site. Similar things were done with ATA password implementation (e.g. western digital drives can be unlocked by using a secret master password… Making LEOs lives easier where reflashing the firmware would take effort). Additional more passive concepts are just ensuring that compromising emanations from consumer PCs are strong enough to be detected from some distance. We have known about TEMPEST for decades yet PCs and graphics adaptors aren’t hardened. We have seen articles on stealthy dopant level modifications to chips so there are myriad ways. We have seen bootkits that introduce themselves before the OS loader and no doubt there have been instances of malware patching a BIOS to make it persistent (the defunct computrace tracking software used to be burned into Dell laptops’ BIOS. It would overwrite a windows file that was executed during boot (if I recall correctly it was rpcnet) with a shim that loaded itself and then loaded the original exe. The BIOS code was quite sophisticated and had to include NTFS write support to achieve just this. The idea was that even if a thief reinstalled the OS it’d still resurface).

So as you can imagine there is nothing we – as laymen – can do to verify that the hardware is known to be trustworthy. Even if we audited every single line of source of our OS; even if we replaced the BIOS with something open like coreboot there are still hardware vectors.

How do we get around this? The most practical solution is to use very old hardware and use a FOSS O/S on it, for example NetBSD on VMS.

I have an old SPARCStation that contains my PGP private keys. I obviously have subkeys which I use on less trusted systems but the primary key stays there. Every time I need to sign someone’s key I transfer it over offline and bring it back into my ‘red’ zone on a disk.

Anyway, I don’t mean to sound defeatist but fact is until we can trust our hardware we will never truly be safe.

Wael October 6, 2013 2:39 AM

@ Mike the goat,

Anyway, I don’t mean to sound defeatist but fact is until we can trust our hardware we will never truly be safe.

I’ll sound defeatist, and say:
Fact is, EVEN if we can trust our hardware we will never truly be safe.

Figureitout October 6, 2013 3:27 AM

Mike the goat
Additional more passive concepts are just ensuring that compromising emanations from consumer PCs are strong enough to be detected from some distance.
–You’re pretty spot on, on one vulnerability. Bluetooth. Disable it or kill the module literally w/ a soldering iron; it’s a backdoor and the only time I used it (very recently) was to send this pic. And the BIOS, my comp. is screwed so now I have to go out and use other comps or find a secret one; and bury it.

My dumb phone just activated its embedded bluetooth again on its own and w/o my permission and was acting funnier than I’ve ever seen. Totally out of control. Had to yet again take out the battery while it sits in timeout.

I need some trusted hardware in a shielded room so I can take my sledgehammer to my current crap.

Figureitout October 6, 2013 3:44 AM

Mike the goat
–Isn’t it pathetic, most security experts, recommending “absolute security”, will revert to machines made like 30 years ago…Either hackers then were epic (and way superior to us) or we’ve tried to integrate way too many things to be “social” and “multi-platform”. F-off w/ your fanboy crap and I just want a secure computing machine I control and securely program w/ no crapware; makes me so mad…Sick of the market for 13-year old girls and give us engineers what we want w/o all the crap.

Mike the goat October 6, 2013 3:51 AM

Figureitout: have you considered getting yourself an old (Pentium 3 era) PC, two (pre 1999) NIC cards, a WiFi card with a driver that does not rely on a proprietary HAL (see OpenHAL for supported cards that have a reverse engineered source code available HAL available for them, e.g. ath5k) nor binary blob drivers and a Bluetooth analyzer like the cheap Ubertooth?

Install your favorite Linux distribution (avoid Canonical stuff like the plague though). Download fresh kernel source (away from your home DSL connection if you suspect something), verify the hash and build your Linux kernel from source, carefully disabling everything you don’t need in your .config and install a fresh kernel.

Bridge your two Ethernet adaptors, enable promisc and start dumping traffic with tcpdump. If you have multiple PCs on your network an old 10base hub will give you a look at traffic between them or just put your ‘net connection on one NIC and your LAN on the other to monitor egressing traffic.

Likewise monitor wifi traffic and dump it into a pcap file. You should force your AP to 802.11b so your old WiFi card can capture it. Ditto on Bluetooth.

Use your PCs as usual for a week or so then take your pcaps and have a good critical look through them.

Of course if the hardware we are using is subverted you’ll see nothing but let us play the numbers and hope it isn’t. You might find something interesting.

Secret Police October 6, 2013 4:05 AM

Hey Bruce, did you see this paper? http://eprint.iacr.org/2013/338.pdf

/dev/urandom and /dev/random on linux are terrible PRNGs. it’s being presented in Nov at the ACM Conference on Computer and Communications Security.

It’s no wonder that spy agencies are able to run roughshod over our cryptography when half the servers of the world are handing out deterministic random numbers.

As for the Tor breach, a quick solution would be to make your own relays since they are unwilling (according to the leaked slides) to exploit relays. Torservers.net wiki has instructions how to do this so you can create your own bridge and entrance relay to avoid GCHQ evil relays that re-route your traffic into their private network of relays.

You can also configure Torrc to use your own relays, bridges, and to use semi trusted exit nodes like those provided by Torservers.net

As for Firefox 17-ESR being exploited, that’s nothing new. Loïc Duflot has spent the last decade pwning Xorg/XFree86 and has written it off as impossible to rely on for security. Dropping in a highly complex browser running with too many permissions crammed full of exploitable java doesn’t help much.

If you use Tails, open a terminal and type “lynx”. Use that browser if what you’re doing requires attention of spy agencies. You can change the user-agent to read TBB 17-ESR.

Figureitout October 6, 2013 4:10 AM

Mike the goat
–Yes, I’m getting ready to make some moves to get at least a semi-secure developing environment. I have close to 1999, but not sure if it’s pre-1999. I have multiple secret comps but that is beside the point; I hesitate to access them b/c of the surveillance. Sure I buy some off “ebay” and it’s infected w/ a 0-day…I don’t want anything to do w/ any kinds of “teeth”; I will kill it all, backdoors they are. I don’t want wifi, any of these standards, screw them I want the wire. If anything an obscure digital radio protocol I approve of. I HATE bluetooth, and it’s being embedded in EVERYTHING.

I will find this backdoor, maybe it’s merely a variant of a normal BIOS backdoor/rootkit. May not surprise you but merely icing on the cake…It’s not the only exploit, like a flurry of attacks have been launched at me; so disorienting…

Mike the goat October 6, 2013 4:32 AM

SecPol: the scary thing is that the Linux PRNG (see random.c) when running on supported hardware – simply XOR’s the RdRAND output with its output stream, almost as if it is an afterthought. I believe that when the PRNG was constructed it was based on a hash rather than a cipher as at the time there was the very restrictive crypto export policy and the T’so was an American citizen. I much prefer the *BSD RNG based on Bruce’s famous yarrow.

PRNGs are so crucially important to Internet security that you can bet that the NSA has explored each and every OS’s implementation. Looking at – for example Cisco iOS bug where the PRNG output was predictable on startup as it lacked a source of entropy (aside from NIC activity) or the Debian OpenSSL bug gives us some idea as to how a seemingly minor (to a layperson) bug can have massive implications.

Re tor – a colleague of mine ran an exit node just to analyze the traffic that egressed from the network. Not surprisingly a lot of it was unsavory. I am certain that if the NSA had enough resources they could at least actively decloak targetted tor users by rerouting their traffic into their tor relays and exit nodes. This isn’t necessarily hard to do – answer back quicker than the real tor relay and MITM it. Given we don’t know who owns many of the relays and exit nodes it is possible for them to just run a massive number of relays and exits and hope that at least some people are going to have a contiguous path that goes only through their equipment.

The smartest approach is likely an ‘assisted’ timing attack where packets are marked to make them stand out when they come out the other side. This combined with timing may identify some users.

Re browsers – agreed. A text based browser, run with limited privileges (and with no JavaScript – e.g. links has js support) is likely your best bet.

Bruce Schneier October 6, 2013 5:23 AM

“So it was not originally included in the article? Instead the NSA (or who it now may have been) noticed a great place to add a link to their virus factory? But if they have modified the web page would that not mean that the ars technica site is compromised?”

It was originally included in the article. The Guardian deleted it after someone registered it.

I will include it when I republish the piece on my blog tomorrow. Just don’t click on it unless you know what you’re doing.

Bruce Schneier October 6, 2013 5:27 AM

“Not asking to reveal anything of significance, but have you noticed any strange encounters or peculiarities w/ any of your devices? Surely they know and you have already prepared yourself for this. There are some very low level attacks that can’t be explained w/ anything other than periods of direct access or hidden backdoors that I haven’t figured out yet. Your computer is toast once this is on it.”

Honestly, there’s so much wacky stuff going on in the background on today’s computers, it’s hard to tell. And, of course, whenever anything happens I assume it’s enemy action.

I believe that if the U.S. government wants into my computer, they’re in. I do know that I entered the U.S. on Thursday, and had no trouble at the border.

Natanael L October 6, 2013 5:41 AM

@chris & Mike the goat: CJDNS! It’s probably not exactly what you wanted, but it lets you create mesh network links with IPv6 addresses in the fc range based on a hash of your public key, and all connections are encrypted. You need to be connected to a number of nodes in the network to use it, and all nodes route traffic (if they are connected to multiple nodes themselves).

@Nick P: Screw servers, try I2P with Bote mail. It has already been around for quite a while now, actually. It uses DHT, public keys as addresses and everything is encrypted. http://www.i2p2.de, and once it’s been set up go to http://plugins.i2p/plugins/i2pbote/ or just directly to http://i2pbote.i2p/ (Privoxy should help you set up your browser with I2P, only forwarding .i2p TLDs).

@Jaime Frontero: Bitmessage is horrible for this purpose: https://bitmessage.org/forum/index.php?topic=1666.0

Regular email with PGP beats Bitmessage. And Bitmessage isn’t scalable.

Natanael L October 6, 2013 5:44 AM

@Bruce: Could you check out Bote mail for I2P? See my links from my above post. Would you be willing to try it and post an Bote mail address of yours?
No pressure on you keeping it “alive”, you could just emphasise it’s for temporary testing. Note that with the DHT network, messages stay no more than a month in the network if they haven’t yet been fetched by the recipient, they’re deleted from it when fetched.

65535 October 6, 2013 7:20 AM

@Bruce Thanks for responding in a positive fashion to my posts. Keep safe and thanks for your valuable input.

@Nick P. It’s somewhat reassuring that Stanford Research Institute is funding TOR (or a percentage of TOR). I will say that I would be more reassured if TOR and Ultra Surf (the proxy used by a lot of us) was funded by independent interests. I do understand funding has to come from somewhere. Still, I am also concerned by side channel attacks, tags, cookies from giggle, malware from Uncle Sam, and exploitation of browser vulnerabilities (in addition to the funding conflict of interests).

CallMeLateForSupper October 6, 2013 10:40 AM

TLA (Total Leak Awareness; MY acronym) will take at least another 26 years, according to this:
http://cryptome.org/2013/10/26-years-snowden.htm
Someone actually did the maths.

Just two days ago I remarked to a friend that publication of the Snowden trove is taking place at a glacial pace, and that we might expire before all of it is out.

i2p October 6, 2013 12:28 PM

Bitmessage has problems http:// pastebin.com/vH9z5pNm

Using a good ol nym server + tor should be fine. Retrieve you encrypted messages on alt.anonymous.msgs

name.withheld.for.obvious.reasons October 6, 2013 1:42 PM

Another WTF moment by the courts, from the wired magazine article by Ken Paulson, it seems obvious that the judge doesn’t know what a “lawfull order” is! Quoted from the article:

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

This situation is just out of control! It’s becoming harder and harder to justify the relevance of our system of governance and the blatant failure of our justice system. I cannot imagine anyone capable of defending the very existence of these institutions. The United States has done more damage to democratic principals than any other single event that I can think of-either in recent or the complete history of the US. I believe it is time to take Thomas Jefferson’s advice, it is well past twenty years. I implore all to read, or re-read, Thomas Paine’s “Common Sense”. I believe it is time to tell the emperor that he’s naked.

tenthousandsquidsforahorseshoenail October 6, 2013 2:09 PM

Hi Mike the G

Thanks for making effort to reply even if it’s depressing. I will go away and have a think tank session in the bath with Col. Duck. I am sure something unorthodox can be done to mitigate the problem but evidently it would be far away from the obvious, like using very old hardware as you suggested.(suddenly, a mysterious series of thefts at comp sci museums worldwide!)

Main concern is the generation of secret keys using a random number generators that isn’t compromised. I know people sell hardware ones but that seems like a weird proposition. So long as I could achieve that I think I’d have a leg to stand on.

tenthousandsquidsforahorseshoenail October 6, 2013 2:16 PM

Funny as hell we were worried about Huawei a while ago. Already I suffer from nostalgia.

Ethernetusb October 6, 2013 2:53 PM

@tenthousandsquidsforahorseshoenail: “I am sure something unorthodox can be done to mitigate the problem but evidently it would be far away from […] using very old hardware as you suggested.”

See https://www.schneier.com/blog/archives/2013/09/senator_feinste.html#c1808782
In short: Intel AMT and IPMI will “surely” be defeated by an ethernet-over-USB dongle. Additionnal precautions are discussed in that link.
You will still suffer from TEMPEST: for that, build a faraday room with current source from APC.

As of random sources, if you want to stick to linux: use echo 145153 > /dev/random, with the random replaced by repeated dice readings. Oh, you may want to take away RDRand, read https://www.schneier.com/blog/archives/2013/09/my_new_gpgpgp_a.html#c1732548

There was a video on a gaming site who decided to build a random generator with hundreds of dice with automatic reading. But, no luck, I have not bookmarked it.

NobodySpecial October 6, 2013 4:57 PM

@Richard re: school security 11 year old
From “The Top 100 Things I’d Do If I Ever Became An Evil Overlord”

“One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.”

PRNGs October 6, 2013 8:19 PM

Cloudflare also wrote a timely article about questionable linux PRNGs though I don’t think they’ve seen that paper with a full analysis determining it wasn’t robust
http://blog.cloudflare.com/ensuring-randomness-with-linuxs-random-number-generator

Surprised they aren’t using OpenBSD or FreeBSD since they are primarily involved in enterprise networking services and firewalls, and considering OpenBSD has been rewriting protocols and insecure services such as OpenSMTPD, OpenNTPD, and OpenBGP. They all have somewhat uniform configuration too, and *BSD allows for fully aware switches with the pf firewall that can detect external packet spoofing. I can only imagine the nightmare that is keeping up with the linux kernel blob race of forcing in as many binary blob drivers as possible with each new release.

name.withheld.for.obvious.reasons October 6, 2013 8:50 PM

From the arstechnica web server at about the time the problem was reported here:

\r\n
302 Found


302 Found


nginx\r\n

name.withheld.for.obvious.reasons October 6, 2013 8:55 PM

From the arstechnica web server at about the time the problem was reported here:

\\r\n
\\302 Found\\
\
\\
302 Found\
\
\
\\nginx\\r\n
\\
\

Okay, that got it. Forgot that the post would be lexically altered by the cgi script…oops.

name.withheld.for.obvious.reasons October 6, 2013 8:56 PM

From the arstechnica web server at about the time the problem was reported here:

\\r\n
\\302 Found\\
\
\\
302 Found\
\
\
\\nginx\\r\n
\\
\

name.withheld.for.obvious.reasons October 6, 2013 9:00 PM

MODERATOR, et al…

Please forgive my transgressions upon your fine web service, but, the preview feature lied to me twice. In “escaping” the tags regex style the preview lead me to believe the message would go intact. It did not. And, the second attempt was sans the preview assuming the double lexical parsing would not incur the same result. No love there either. So please forgive me, I was trying to get some info I had from a PCAP source that I used to debug the arstechnica website and I wanted to get it posted. Thank you in advance, NWFOR

Brian M. October 6, 2013 9:18 PM

Oh, come on! Really, when was the last time any of you actually used “verifiable hardware?” Seriously, when was the last time any of you used an 80386?

The 80386 is the last Intel chip made that you could hook a logic analyzer on the pins, and then decode the instructions. Yes, truly, HP made logic analyzers that did that. Once the cache went into the die, what the CPU executed had nothing to do with the reads and writes occurring on the pins. After that add in the optimizations for out-of-order execution, an amazing load of optimizations, and it’s no longer trivial to know what’s going on.

As for your computer emitting RFI, if you think that someone can decode what a multi-gigaherz computer is doing from a block away when you can’t figure it out with a logic analyzer hooked directly on the bus, then that’s some good stuff you’re smoking.

Face it, you’re going to have to use a keyboard with built-in encryption. Yeah, it’s back to the Rotor keyboard.

Want to strike back at the NSA? For real? Flood the net with encrypted garbage. Everybody go and grab a copy of Freenet Project and TOR and whatever P2P encrypted software that you can load on your machine. Let it just run day and night, creating enormous amounts of network traffic for no good reason at all. Transfer cat videos or whatever. Increase the traffic by an order of magnitude, and let them choke on it.

roadie October 6, 2013 9:54 PM

three quotes. unrelated of course.

If your government shuts down the internet. Shutdown your government.

Asked why Republicans in the Congress had shut down the government over a bill that had passed both Houses, been signed into law by the president and then been upheld by the supreme court, Paul said it was “Congress’s job to oversee spending”. “It’s not their obligation once something is law to never change it,” he said. “It’s a silly argument for Democrats to say: ‘Oh the law’s been passed, we can never change it.'”

Suppose you were an idiot. And suppose you were a member of congress. But I repeat myself. — Mark Twain

roadie October 6, 2013 10:07 PM

@Brian M
Want to strike back at the NSA? For real? Flood the net with encrypted garbage.

+1
lets setup thousands of blogs and use the blog by email feature to publish the encrypted mail traffic and then of course surf those blogs with millions of cronjobs. I’m in. 🙂

roadie October 6, 2013 10:19 PM

and you would have to search google to find those blogs since there are so many of them. maybe the blogs even have a ‘like’ button … I seem to remember something like that.

Figureitout October 6, 2013 10:28 PM

Bruce
–Yeah agreed, and a bunch of modules and crapware I have absolutely no desire for and never use. Sick of feeling excessive centripetal force like these idiots. Doesn’t end well… Good to hear no physical meeting yet…

Brian M.
Really, when was the last time any of you actually used verifiable hardware?
–Hmm…never. That’s the damn problem. And I have less a problem w/ spewing out RFI b/c I can spew a lot; than I do w/ hidden modules I don’t want taking commands from my neighbors on some random freq.

Nick P October 6, 2013 11:13 PM

@ Brian M.

“As for your computer emitting RFI, if you think that someone can decode what a multi-gigaherz computer is doing from a block away when you can’t figure it out with a logic analyzer hooked directly on the bus, then that’s some good stuff you’re smoking.”

I was smoking that real stuff. Every hit brings out hard reality:

http://lasecwww.epfl.ch/keyboard/

“Oh, come on! Really, when was the last time any of you actually used “verifiable hardware?” ”

Last verifiable hardware I had was a Playstation 2. An understanding of console economics and the strategic planning behind subversions say with high confidence NSA didn’t have a backdoor in it. 😉 And you can do plenty with it compared to the Dreamcast a friend was using.

(Note: The Japs, on the other hand, might have backdoored it. I wouldn’t presume to be able to understand anything about how they think. I just never know with them. Fortunately, they weren’t in the threat profile of how the system would be used.)

My recent exploration into non-NSA subverted hardware is here with an attempt at an exhaustive list of options.

Figureitout October 6, 2013 11:30 PM

Nick P
–Not to be a dick or anything, but if the Japs “could” have backdoored it and you can’t say for certain it isn’t, then technically it’s not “verifiable hardware”? No? It’s an extremely irritating problem to me and I can’t let it go.

RobertT October 7, 2013 12:13 AM

@BrianM
“”As for your computer emitting RFI, if you think that someone can decode what a multi-gigaherz computer is doing from a block away when you can’t figure it out with a logic analyzer ……”

In most cases the purpose of emissions analysis is not to disassemble the program execution but rather to weaken encryption by giving the attacker accurate timing information. For this I usually don’t need cycle for cycle accuracy I only really need to know the difficulty of a Multiply or the order of an ADD. This is precisely where “out-of-sequence” instruction execution gives the attacker insight into the nature of the arithmetic result. So if the emissions “signature” changes when a cache hit or an out-of-sequence instruction occurs than both events leak information about the calculations. This style of cryptanalysis is a form of “Timing attack”

Now I doubt anyone can successfully implement an RFI attack from a block away, but it sure helps to understand what information your adversary wants to gain before you assume the task is impossible.

I mentioned some active RFI injection attacks methods last week, the purpose of these attacks is usually to create “common mode” imbalance in the balanced differential signaling methods used within modern PC’s (SATA, LVDS, DVI, HDMI…..), differential imbalance increases RFI leakage by at least an order of magnitude.

Mike the goat October 7, 2013 1:18 AM

Brian re RFI: the object isn’t on determining exact processor state but rather using emanations from controllers and peripherals to compromise security (e.g. Van Eck, keyboard phreaking, etc.) In a sense you don’t need to know everything a system is doing to bring the whole stack of cards flying down. Smartcard vul’ns involving just power analysis prove this.

Re 80386. Indeed many autopilot systems on commercial aircraft utilize processors of this vintage for that reason.

Re flooding net with garbage. It may be counterproductive given many exit nodes pay for their bandwidth and this kind of action amounts to a DDoS on them. That said I now encrypt all my email correspondence with PGP (where recipients have support) for the reason that I think Zimmerman originally spoke of – if we all wrote our mail on postcards those using envelopes would get scrutiny.

Mike the goat October 7, 2013 1:21 AM

RobertT: LVDS leakage from laptops is particularly striking. I saw a demo once that shocked me. The clarity of received display was amazing considering it was over 100′ away and through two walls.

Mike the goat October 7, 2013 2:33 AM

I wonder if all this strange spam we see on schneier’s blog isn’t some kind of steganographic dead drop. It is kinda amusing. “As the frigate settled on to the spaceport landing area” … Deep.

Clive Robinson October 7, 2013 3:16 AM

@ Brian M,

    Oh, come on! Really, when was the last time any of you actually used” verifiable hardware?” Seriously, when was the last time any of you used an 80386?

As I’ve said many times on this blog over many years I frequently use earlier than 80386 hardware.

As for “verifiable hardware” that is the least of the security issues you should worry about. You need to ask “verifiable as what?”

Once upon a time people used to say “once they get to the front pannel it’s game over” but this does not need to be true if you think about what it is you want to “secure” and “against whom” and “have knowledge of their methods”.

One of the problems I come up against is peoples views on how secure products should be designed. Usually they have significant bias to their chosen field of endevor and as a result over engineer in one area and fail to consider other areas or even know of their existance, much to the detriment of the final product.

QnJ1Y2U October 7, 2013 3:40 AM

I do know that I entered the U.S. on Thursday, and had no trouble at the border.

That’s … stunning. Laura Poitras has been detained repeatedly at the border, and Greenwald has been (probably wisely) unwilling to risk it since this whole thing began. We’ll probably never know if your non-eventful entry was the result of some level-headed bureaucrats or some slow-moving bureaucrats.

I’m guessing you didn’t take many electronic devices or memory cards with you :-).

GTA V hooker October 7, 2013 3:58 AM

“I wonder if all this strange spam we see on schneier’s blog isn’t some kind of steganographic dead drop. It is kinda amusing.”

That – or TLA seeding links to exploit the “prefetch-“ (see about:config) value in FF and other browsers to track users by IP to controversial threads.

name.withheld.for.obvious.reasons October 7, 2013 4:40 AM

—- FISA, and NSA HYPOCRISY ALERT VER. 1.0 —-
7 October 2013, The judgment is in, FISC–FAIL.

Can it be that the RECORD for the FISC is distorted–by their own documents the hypocrisy that is the FISC and the NSA is reflected by this statement from the FISC Amended Memorandum of Section 215.
“…that queries of the BR metadata for intelligence analysis purposes will be initiated using only a selection term that has been RAS-approved. Whenever the BR metadata is accessed for foreign intelligence analysis purposes or using foreign intelligence analysis query tools, an auditable record of the activity shall be generated[6]…”

[6] This auditable record requirement shall not apply to accesses of the results of RAS-approved queries.
—- END OF FISA/NSA HYPOCRISY ALERT —-

Mike the goat October 7, 2013 5:06 AM

GTA V hooker » I hadn’t considered that. I don’t use the feature as I consider prefetch wasteful (and often use text browsers anyway). But it is a very clever idea. Sorta achieves the same thing as an embed or an img pointing to a server under their control, only they can implement it where these tags are filtered. Sure they’ll only get Mozilla users with prefetch enabled but it may just snare a few.

Qn: it disgusts me that they can treat one of their own citizens like that. Essentially the way they think is “we can’t justify a warrant but we have got time – tag them and we’ll give them a good search when they next meet customs”.. This is unconstitutional. I would not carry digital media with me when crossing borders. Even encrypted as I may be compelled to release a passphrase, illegal perhaps but as we know these folks don’t respect the constitution.

Clive: I too use or have recently used old hardware. SPARC and VAX!

ben October 7, 2013 5:59 AM

Firstly: One problem is that the current pen-register laws are based on the assumption that these are “business records”. I.e. that these are records that the Telco has anyway as part of their day-to-day business, for billing purposes or technical needs. All the government is asking for is to look at records the Telco has.

What is different with LavaBit is that they were asked to create records which they do not need or want for business purposes, indeed for which there business is predicated on the idea that they don’t keep those records.

That’s a very different kettle of fish.

Secondly: The pen-register thing is only lawful because corporations don’t have full 4th amendment protections. They get 1st amendment protections because the supreme court recognised that the ability to incorporate is important to allow your voice to be heard. (Think Citizens United, Planned Parenthood, and political parties). Stripping corporations of free speech rights would allow congress to very effectively silence people they didn’t want to hear. Yes, you could still get on a bus and stand outside in the rain, but it would mean an end to putting money into a bucket and having someone else do it for you. This is why corporations need to be considered “persons” for 1st amendment purposes.

Until now there was no convincing argument as to why corporations deserved or needed 4th amendment rights.

This is the reason. Corporations need 4th amendment rights against warrantless searches so they can resist this kind of intrusion on our behalf.

Mike the goat October 7, 2013 6:20 AM

name.withheld.for.obvious.reasons: Unfortunately my copy of pgg (pretty good government) could not import your alert. I believe the headers are incorrect. Please see to it that this is corrected. As you can see below three minor changes needed to be made to bring your alert to OpenPGG standard.

1c1,3
 -----BEGIN FISA/NSA HYPOCRISY ALERT-----
> Version: pgg v1.0
> 
9c11
 -----END FISA/NSA HYPOCRISY ALERT-----

Please ensure the underlying transport for pgg messages sets the evil bit to 1 as per RFC3514. This has been a real problem for us folks at the NSA so please ensure your software is complaint so we know what to cache for analysis.

Clive Robinson October 7, 2013 6:35 AM

@ QnJ1Y2U,

    That’s … stunning. Laura Poitras has been detained repeatedly at the border, and Greenwald has been (probably wisely) unwilling to risk it since this whole thing began

Err acording to some reports Laura got the third degree each time not just in the UuS but other places, untill it went public via a documentry and she named names. Then mysteriously it stopped…

With regards Greenwald we’ll probably never know what’s in his head some of the things he has done are somewhat irational.

As for Bruce going across borders uneventfully the TSA/DHS know he has a very public profile and is more than willing to publish every single failing they make. Thus they do not want to turn him into a flag carrying marter for not just the SecInd but most technical people to rally around.

If they are going to do it they are going to wait untill they figure Bruce has over relaxed and is carrying something worth having. But even then I suspect they will find some means they can justify it in some way, ranging from IRS type preasure to dropping something illegal in/on his luggage so sniffer dogs etc pick up on it.

That is if they can find one of the “four horsemen of the Tech Age epocolypse” on him then they can make lots of noise about that and destroy his public persona. At which point they’ve burnt his rallying flag, and can then get on with the real business of showing “That their world view is the only view that will prevail”.

As hardened criminals have found such as mobsters, gangsters and the Mafia, the IRS is their achiles heal. As history has noted many times even the most honest of us commit atleast one crime a day or can be treated as such, in part because there are more laws than any one person can memorize and some laws are deliberatly vague and contradict other laws so “Damed if you do, Damed if you don’t” and the US is well proven to not respect human rights…

Mike the goat October 7, 2013 6:53 AM

Clive: not to mention Greenwald & Co.’s self censorship of the revelations. One of the first documents leaked mentioned a specific VPN technology by name but this was redacted (not by the NSA, but by Guardian/ProPublica/et. al.) You could argue that this is “responsible journalism” as if it was a commercial solution it would affect the company’s bottom line but frankly I don’t care. If SSL accelerators, hardware VPN appliances, TRNG implementations etc. are broken then we need to know about it and screw the consequences. I have my suspicions as to the NSA’s actions in this arena (suffice to say I would not trust any black box VPN appliances nor would I rely upon a hardware crypto accelerator card¹).

I would assume that at least one of the Snowden insurance files that appeared on bittorrent is the unredacted data as supplied to Greenwald and friends. Given the Guardian are leaking only what they see fit and this is occurring at snail’s pace I can only hope that someone who knows the passphrase publishes it. If you recall correctly the wikileaks insurance file met a similar fate (allegedly through poor opsec. Having known Assange prior to him starting wikileaks I can state that he is a lot of things but sloppy isn’t one of them. He likely intended that book which contained the passphrase to be published given he had lost control of many of the original people from wiki leaks. I also can’t say much more but there is much more to the Assange story than meets the eye. Let me just say that he is a puppet and that he isn’t this rogue civilian leaker he is made out to be. He is not on a personal mission – er, more an assignment. That’s as much as I am willing to say.)

name.withheld.for.obvious.reasons October 7, 2013 9:49 AM

@ Mike the Goat,

name.withheld.for.obvious.reasons: Unfortunately my copy of pgg (pretty good government) could not import your alert. I believe the headers are incorrect. Please see to it that this is corrected. As you can see below three minor changes needed to be made to bring your alert to OpenPGG standard.

Must have missed it in unit test, since I haven’t checked it in I can update the tree and do a refresh on the test build version prior to submission for system test. It showed up here when my web stream editor script (lynx -source http://www.schneier.com/blog | sed -s ‘\</.//’ > sblogclean).

When I get it fixed and tested it can go in to the next release.

Clive Robinson October 7, 2013 10:35 AM

@ Ben,

    Firstly: One problem is that the current pen-register laws are based on the assumption that these are “business records”. I.e. that these are records that the Telco has anyway as part of their day-to-day business, for billing purposes or technical needs. All the government is asking for is to look at records the Telco has.

This is part of the thought I had the other day which I mentioned when posting to Nick P & Wael. I realised that all the USG would have to do is force the MTA to record the records unless they could not.

Which is why the use of techniques from both TOR and some P2P networks might come in handy.

Look at it this way, if the service center never sees the metadata it cannot reecord it.

As a first cut idea, the service center is in effect a directory that contains nothing but a list of destination Email addresses their coresponding IP/DNS addresses and the associated PubKey.

Thus a user requests the record through a TOR like process then having got the record they make a P2P connection through TOR to send the message to the recipient.

Only this won’t work securely enough and needs the destination machine connected all the time.

So a second cut would involve anonymous stores attached. To TOR nodes. The user gets the record through a TOR like process and having got the record they make a P2P attachment through TOR to a randomly selected anonymous store. They use the PubKey from the record to encrypt the outgoing message that they send to the store along with the PubKey. The store then allocates a serial number encrypts that along with it’s node address etc under the PubKey and using TOR sends this to the central service or other asigned store-n-forward service where the recipient can at some future point download it to find the serial number and anonymous server node address to retreive the message.

Yes there are still some flaws in this but you can begin to see that the metadata does not go to the service center in any form that it can use. Further once the sender has the recipient record then they have no need to go back to the service center again (or ever if the recipient sent the details themselves to the sender). This breaks one link that might otherwise be monitored by an attacker. The use of randomly selected anonymous store over TOR breaks the return link back to the sender, and by not informing them of the serial number etc and not keeping records after sending on the info to the asigned store-n-forward or central service over TOR breaks the link from the anonymous store…

In this way the metadata only becomes visable to the recipient, not to anyone else, and with a few other tweaks it can be shown to a judge that not only can the service not get acccess to the metadata nor can they even know if a message has been sent, nor do they know who any given record belongs to, even for billing reasons. But more importantly the service can show that even if they modify their software there is still nothing they can do to captcher the details of existing senders.

Clive Robinson October 7, 2013 11:29 AM

@ Mike the goat,

With regards the leaking of the key to the wikileaks security files, the “dumb journo” angle was a little to pat for my liking. However as was seen with Mordechai Vanunu sometimes journo’s are either dumb (Sunday Times) or down right malicious (Bob Maxwell is reputed to have actually sold Mordechi to Mossad for a nice little profit).

Either way it enables the US to ignore the “Israeli nukes” and keep sending Israel between 2 and 6 billion USD in aid, specificaly significant amounts of military hardware at significantly less than cost… Oh and whilst China and two of their Telco companies have been cited by congress on alledged APT backdoors it is noticable that Israel specificaly devisions of Motorola out there who have without any doubt backdoored telco products have not been mentioned in congress…

Mike the goat October 7, 2013 12:07 PM

Clive: indeed it seems hypocritical for them to complain so loudly about Huawei given what is now public knowledge.

Nick P October 7, 2013 4:49 PM

@ figureitout

“Not to be a dick or anything, but if the Japs “could” have backdoored it and you can’t say for certain it isn’t, then technically it’s not “verifiable hardware”? No? It’s an extremely irritating problem to me and I can’t let it go.”

I think what’s irritating you isn’t what appears to be irritating you. Let me explain. Many people want a “Secure,” “verified,” “reliable,” etc. system for a given purpose. The truth, if we’re honest with ourself, is that there is no such thing in the real world. We just make that crap up so it’s easier for us to understand. In the real world, any such claim only represents a belief we have about something that comes with certain justifications (evidence/proofs) and confidence rating.

So, in reality, a system can have a 99.999% uptime rate but it’s not “reliable.” A system can provably be immune to many classes of vulnerability and illicit information flow but it’s not “secure.” A system can have correctness in implementation according to a formal model but it’s not really “verified.” These words are inherently imprecise and what they mean is usually relative. So, if you can accept that about the world, that it’s inherently uncertain and chaotic to quite an extent, it will help you maintain your sanity when picking what to worry about and how much.

So, for this discussion, my definition of verified is “strong argument of correctness.” The property is lack of subversion. The threat (implied) was NSA. So, for certain reasons, I say there’s a “strong argument made for a lack of subversion of PS2 by NSA/FBI.” So, I consider it “verified” in that sense. You didn’t gripe about NSA/U.S. claim so I guess you agree there and take issue with Jap claim so onto it.

The Who/Why argument is that Japanese intelligence was outside of my threat profile. I hadn’t really even considered them a threat to me at all at the time. My activities might have been an interest to FBI or US intelligence groups. The Japs are mainly concerned with protecting their national security, acquiring intellectual property, and giving themselves an edge in business/politics. I learned the most critical security lessons from sources available to the public and Japs had been doing it longer than me. So, all in all, it just didn’t seem like they’d interfere with anything I was doing that would concern US intelligence and they have more valuable I.P. than me.

The What argument concerns operations. The PS2 is a device targeted at gamers with software locked (poorly) to just play games. It also wasn’t intended for the kind of Internet presence of today’s machines. Ignoring rigging it with a physical bug (wink), the dedicated gaming device would virtually never possess significant information and would have no easy way to move it. So, operationally, it seemed highly unlikely that they’d take the risk to subvert such a system.

The last point, correct operation, might be worth a mention. The system wasn’t formally verified or anything like that. It was developed, tested, and widely used. All those hours of gameplay by so many people with few problems all running the same exactly hardware configuration means it’s pretty robust in practice. For short runs, the hardware shouldn’t crash. So, highly reliable in practice + extremely low probability of subversion = verified… enough. 😉

Dirk Praet October 7, 2013 8:51 PM

@ Clive

Which is why the use of techniques from both TOR and some P2P networks might come in handy.

Exactly. Freenet and I2P have been working on some interesting mail solutions (Freemail/I2P-Bote), and TorBirdy is Tor’s own intiative to obfuscate some metadata. I especially like I2P-Bote because of its fully decentralised and distributed nature that (alledgedly) does not expose any e-mail headers. It can be downloaded and installed from within I2P. I2P being German instead of American gives it some considerable additional appeal. Downside: Java based.

It’s actually quite sad that nobody seems to be working on further development of type II (mixmaster) and type III remailers (mixminion) anymore.

If Apple, Google, Microsoft and other Prism collaborators (voluntarily or coerced) would really care about their user’s privacy, making some extremely generous – and probably even tax deductable – donations to the Tor Project, Freenet, I2P and the like would make for a very convincing and entirely legal way to substantiate that claim. As in putting your money where your mouth is.

Figureitout October 7, 2013 11:20 PM

Nick P
–Fair enough, just seems like a random machine to be “secure from NSA infiltration”. I have a NES, a SNES, a N64, an old Xbox, and a Wii, as well as all those stupid gamebois scattered somewhere. Ok, the original gameboy was pretty cool and I want to find that. I think true security lies in being able to almost w/o doubt guarantee that your machine can do very little, very slowly, very visibly. This was only possible in era’s when we couldn’t make components as tiny and functional like today; so it’s insanity and security is going to get much worse. Thus all the security experts out there can’t have much confidence in anything other than older hardware, back to 1970’s-1980’s era. My dad jokes w/ me, that back in the ’80’s people were saying “RS-232 is going to die”, lol it’s um still here and there isn’t much of a standard to replace it.

Off topic, I have this really old toy electric cash register from Target. It really creeps me out b/c first off it’s batteries haven’t died (the thing’s like 10 years old at least) and it’s supposed to only say things when the cash register closes or I “scan” an item. Well, it’ll randomly turn on when I pass it like some damn sensor and say it’s stupid f*cking line…”Thank you! Come Again!”. So creepy.

Mike the goat October 8, 2013 12:36 AM

Figureitout: didn’t you know they used a RTG to power those toy cash registers? Seems they went back to batteries when the kids started eating the cesium 😉

Figureitout October 8, 2013 12:47 AM

Mike the goat
–Lol, yeah I lost it tonight and gave it a few good kicks. Seriously like some R-N-G just chilling in unfinished storage; I don’t know what’s triggering it! If I hear that stupid line again w/ that voice, that thing is done for; no one’s going to miss or notice it.

Moderator October 9, 2013 2:32 PM

The Russian and Japanese language spam should be stopped now, or at least greatly reduced. Those spams should have been blocked several times over by simple keyword filtering, except that something they’re doing with their Unicode causes Movable Type’s keyword filter to crash when it tries to decode them. Clever, if it was on purpose.

Figureitout October 9, 2013 8:02 PM

Moderator
–Was about to say, “there’s another one”; but it got sniped lol. I imagine it’s on purpose; kind of expected on a public security site someone’s going to find a hole.

Clive Robinson October 10, 2013 10:21 PM

@ Nick P,

Passphrases bring up that question which nobody likes to answer of “How much entropy?”.

As I’ve explained to a few people the real problem is the human brain not being capable of remembering “random” without considerable practice.

So I ask them “how random is a line of poetry?” And you get various answers based on letter frequency, binime trinime frequency, word frequency etc. But nobody ever says “it depends on how popular the poem is”…

The point is most people these days only know one or two poems of a small handfull of popular poems, and of these they probably only know the first couple of lines reliably (same as it is with songs, we know the chorus and the hooks).

Which means that for the majority a line of poetry is probably going to be maybe one of as few as thirty lines ranging up to just over a hundred so around 5 to 7 bits of entropy even though the line such as,

“The owl and the Pussy cat went to sea in a beautiful pea green boat”

Would appear on some simple analysis to contain over 100 bits of entropy…

Though there is higher entropy in “DIY phrases” that are memorable such as,

“Micro$haft Mess-Dross & Windy-doze”

Which was once used as a passphrase for a master file of random keys used for encrypting off site backup storage back in the Win95 days for a company that has long since been repeatedly taken over past the point of oblivion.

name.withheld.for.obvious.reasons October 11, 2013 3:31 AM

Internet Service Providers the new Post Office?

In the United States the Constitution, Article I, section 8, specifies that congress shall maintain the Post Office and Postal roads.

What was the rationale for this provision?

I’d argue (and I am not going to go into the history) that we have a similar situation today with Internet service. Now I am not a fan of the United States government or more specifically the FCC. But, what I will argue as a person that has to acquire metered Internet services from a provider that the basis for the post office structure could be argued based on my and other’s access to on-line services.

Currently I have a 4G connection to a service provider (limited types of access, no DSL, cable, etc.) that charges a flat $50.00 dollars a month for 5 GBytes. After hitting the threshold, the charges are $10.00 a GByte thereafter. On average, without doing anything but the minimal on-line activity, the bill comes in at $70.00 a month. With the piece of junk that Microsoft products are, in the last two months one of my machines required 1/4 Gbytes of updates (that’s one machine). In a sense I am taxed for Microsoft’s quality control process. I find this unacceptable. With two different types of Windows systems I average a $10.00 a month UPDATE TAX.

Clive Robinson October 11, 2013 5:46 AM

@ Figureitout, Nick P, RobertT, Wael,

You might find this “Ahh diddums” comment amusing,

http://www.foreignpolicy.com/articles/2013/10/10/nsa_veterans_the_white_house_is_hanging_us_out_to_dry?page=full

Apparently senior NSA staff are hinting they “are not feeling the lurve” from the White House whil those put out to pasture are making rumblings about what would be breaches of covernant.

And an almost throw away line about unpayed furloe of some NSA staff means the run of the mill shlobs are starting to feel the pinch…

Although it’s worse for others apparantly BAe have actualy laid off 1200 staff rather than put them on “unpayed leave” which might have repercussions if others who might hold their own cach of “secret documents” decide to even the score…

Nick P October 11, 2013 8:20 AM

@ Clive

Interesting. Their alliances are quite unstable right now. Might be time for anyone with a large amount of political power to fight them in Washington and their programs. If they get the bills through, Obama will probably not veto them. If it becomes law, then arguments that NSA is rogue can more easily be made and the agency’s power reduced.

Figureitout October 11, 2013 11:19 AM

Clive Robinson
–Yeah maybe we’ll see some more Navy-yard incidents. I’ve told my brother to be ready to leave his job in the MIC.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.