Friday Squid Blogging: Squid Jigging

Good news from Malaysia:

The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said.

He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region.

"Beside introducing squid jigging as a leisure activity, the event also highlights the state's beautiful beaches, lakes and islands and also our arts, culture and heritage," he said.

I assume that Malaysian squid jigging is the same as American squid jigging. But I don't really know.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 18, 2014 at 4:16 PM • 109 Comments

Comments

name.withheld.for.obvious.reasonsApril 18, 2014 4:27 PM

@ Bruce Schneier, moderator
My apologies for the previous off topic post. This seems the more appropriate forum.

TWO STATEMENTS ABOUT PPD 20

(A) Presidential Policy Directive 20, or PPD-20, authorizes the United
States Defense Department, the Pentagon, on the finding by Secretary of
Defense, the Undersecretary of Defense, and all Intelligence Community
Department heads that have agreed to the authority with the aforementioned
secretaries; the non-legislative, non-statutory prerogative to declare war
in the case of a "cyber warfare" attack. Presidential authority to devolve
the extraordinary authority-by definition the greatest constitutional
prerogative-to unelected agency and department heads within the executive
branch is unprecedented. There is no historic equivalent in the United
States of America that divests constitutionally held privileges to parties
that are not enumerated in the constitution itself.

(B) The Department of Defense, along with most of the 17 identified
intelligence community members including the Central Intelligence Agency,
National Security Agency, Department of Homeland Security, and Defense
Intelligence Service(s) report to an agency within the DoD's sphere of
operations. The National Director of Intelligence was born out of
recommendations from the 9/11 Commission Report of 2004 and is the oversight
agency to the other intelligence agencies; including agencies outside of DoD
command. This is an odd arrangement, as it asserts a quasi-civilian
authority outside of DoD's mandate to the rule-makings of the NDI. In
essence, the separation of military command from the civilian domain has
been breached-in a less than obvious scheme to maintain "complete control of
all intelligence activities".

This are statements of fact that are of concern, a third is currently under
review with respect to the overt coupe of civilian law and authority. Which
leads me to provide the an extract from a recent research project I've
undertaken...

1 INTRODUCTION
The democratic republic of the United States of America, a "representative
democracy" by function, as a simple statement of fact is not rational, but
descriptive and the basis for doctrine and law. Stated more simply, the
United States of America is a system using the applied theory of
"representative democracy". The loci, of two terminus functions; the
theoretical basis for the governance of peoples, in this case by the people,
and the use of rational law for managing the application of the theoretical
system, denote a co-linear relationship between these distinct functions.
Elucidating the vectors of subordinate functions to these two primary
functions clearly begins by identifying the basis in law extrapolated from
the non-rational (the theory, in this case the "Declaration of Independence"
and the Constitution of the United States of America) as theoretical
postulates. Additionally, public law and statues of the United States of
America represent the basis for defining rational functions codified
separately as lemmas. To calculate the "efficacy" of the applied theory,
public law and statue, as it relates to the theoretical statements, the
founding documents, may be considered and exercise of limited use-but-it
could be argued that making such measurements could prove instructive to
scholars, political scientists, and other researchers.

Further research based on this research could be stated as follows:
Measuring the direct and causal relationships of U.S. Federal systems to
other entities and governmental systems is not possible today. The task of
enumerating the Unites States Federal government, which demonstrates
complete knowledge of all the member and component systems, exceeds our
capacity to define to a degree of certainty. However, the instruments of
governance can be gauged and calibrated; the foundation, procedural and
operational rules, authorities, and the institutional supports for the task
of governance can be finely measured-the problem is in that it is not well
understood. Formal descriptions of the means of governance, the historic
record in use and exercise, and current legislative analysis provide a basis
for scientific research as to produce a finite and elemental governance
model affected by judiciousness of law. Currently the Supreme Court is
unable to conduct this type of analysis and it is suggested that "not
performing a robust level of analysis" amounts to intellectual fraud and at
a minimum demonstrates professional incompetence.

JacobApril 18, 2014 5:08 PM

From a forum - a new level of paranoia with some amazing keyboard playing capabilities:

"I think you might have underestimated my "paranoidness" to some degree... :) my current setup is like this:

Windows Host (encrypted whole drive TC) -> TC container no. 1 -> TC container no. 2 -> VM Windows Guest (encrypted drive TC) -> TC container no. 1 -> TC container no. 2 -> sensitive data. Each container has a different 45+ character random password (not saved anywhere)

I have already set the paging file for auto deletion after PC shutdown - in fact every possible precaution listed in the TC documentation is addressed by me. (At least I hope so.)
.
.
.
"So basically: Host is encrypted as a rule. The first two containers are there to protect the VM (I want to keep the activities within it a secret). And the two extra containers with my most sensitive files were moved into the VM for convenience.

All of that is topped off by the fact that I am a pianist, and I have extremely good muscle memory in my hands - it doesn't take me longer than a few minutes to memorize a 60+ character random password - I only need to write it down on a piece of paper and type it into the keyboard a few times, and I've got it memorized in my fingers, and after using it for a few weeks - in my head as well. So it isn't any kind of inconvenience for me to have to type in and remember so many passwords.

So basically, it's not that at some point I decided "ok, to be really safe, I have to....". It sort of evolved like that from point to point."

anonymousApril 18, 2014 6:48 PM

Recommendations for an Android app to record and (hopefully) upload unwelcome encounters with the Man?

Insecurity of EverythingApril 18, 2014 7:10 PM

In other news OpenVPN is still exploitable on some platforms because they use a feeble bundled SSL library that was never updated with the heartbleed patch. In even worse news somebody was using this exploit to bypass multi-authentication https://www.mandiant.com/blog/attackers-exploit-heartbleed-openssl-vulnerability-circumvent-multifactor-authentication-vpns/

OpenVPN has the same kind of terribad codebase as OpenSSL. Luckily there are small replacements (or wrappers, to add extra padding to your existing OpenVPN traffic) that have a readable codebase you can actually audit to see what is going on: http://frozenriver.net/SigmaVPN

JTApril 18, 2014 8:08 PM

For those that like to take up a cause... I've contacted Kickstarter about the following project, and I think it'd help if more people would alert them to the question of its legitimacy.

https://www.kickstarter.com/projects/857935876/privus-fully-encrypted-email-chat-and-texting-made

I started the following reddit thread in /r/kickstarter : http://www.reddit.com/r/kickstarter/comments/22xe41/psa_fraudulent_crypto_kickstarter_campaign/

I really fear that this is just capitalizing on people's fear and the entire Crypto community will suffer from this project.

ALFApril 18, 2014 9:07 PM

@JT
...Do you think Kickstarter cares?

I think they only care about whether something looks legit enough to promote, not whether it actually is legit or leads to much of anything.

Their motto seems to be Caveat Emptor...even if Privus really was not legit but they did it 'in good faith', that may be sufficient to them.

After all, if they had done their due diligence, they would have noticed the issues you mention in your reddit entry.

On another hand I am curious about their understanding of crypto seems to be entirely wrong, as you mention in your reddit entry. If true that would be pretty bad for anyone relying on that tool.

ALFApril 18, 2014 9:15 PM

@JT
So I just checked their website which you mention on your post...(www.privus.com)..it's just a small image and one paragraph of text.

So they are probably a startup that has not existed previously as a business...i.e. one that relies on the Kickstarter campaign to actually start-up.

BenniApril 18, 2014 9:16 PM

Seems the russians are now finally modernizing their aeroplane industry.

Even if a treaty signed by us says so, the us defense department does not want to allow the newest russian spyplanes the permission to fly over america:

https://news.yahoo.com/russian-spy-planes-u-skies-025817534--politics.html

http://www.weeklystandard.com/blogs/secret-fight-over-russia-obama-administration_786823.html

In the past few years, the Russian Federation completed construction of two new Open Skies aircraft that will support digital photograph equipment, sideways-looking synthetic aperture radar, and infrared equipment

The first response from Pentagon was, according to one government official close to the situation, "You've got to be kidding."

Jonathan WilsonApril 18, 2014 11:45 PM

I believe the aircraft in question are not spyplanes but instead aircraft designed to enforce this treaty
http://en.wikipedia.org/wiki/Treaty_on_Open_Skies
And I bet the problem the DoD has is that their Boeing OC-135 Open Skies aircraft (which they use for the same treaty purpose) are not as good as these new Russian ones.

JTApril 19, 2014 12:11 AM

@ALF, as someone who has run a successful kickstarter myself, I know they are only in it for the money. They have no liability for any fraudulent campaign... well not until someone with enough $ decides to go after them just for the point of it.

I could care less about Kickstarters public image, I'm more worried about what these guys are going do to the already tarnished reputation of the software side of the crypto community. We're not in the greatest shape right now due to HeartBleed. These guys are just capitalizing on that to scam people for money.

As for their website... even if they are a startup... it's not hard to throw up a simple wordpress page on a godaddy server for 4$ a month. Hell godaddy has preconfigured sites you can just type text into. That they put ZERO effort into their public image beyond kickstarter and twitter just seems off. Furthermore, their 'corporate' website is actually hosted on a webdevelopers server.

What REAL *security* company is going to host their official corporate site on a cheap webdev companies box?

ismarApril 19, 2014 12:46 AM

Bruce,
What software do you use to gather and filter through all the info about squids for this weekly post to select a particular story?
Ismar

EvenMoreApril 19, 2014 1:06 AM

As they kind of lost the advantage over encryption, probably they will focus in the next years (if not already) on alternate side attacks, like embeding backdoors or access software in processors, mainboards, BIOS, routers.... so whats the point of having a safe OS from USB if memory is already controled?

BenniApril 19, 2014 1:52 AM

@Jonathan: I guess its the sensors that they have a problem with, as the russian plane is probably just an old tupolev. It is not said which of the sensors they nsa has a problem with, but the russian flight would not make sense if they could get better pictures or other information from their spy satelites, so the sensor must somehow outresolve satelite capabilities. Apparently the nsa does not like it when someone collects information from them.

DBApril 19, 2014 2:19 AM

@ EvenMore I agree, and so hardware people need to start thinking about security too... and it needs to be done using an open design model, or nobody can trust its result either, since the US government can legally coerce any closed source hardware/software entity to put in backdoors. There's also the further problem of how could you trust chip fabrication plants not to secretly mass substitute your open design for an NSA-furnished one, and I have no really good solution to that.

Clive RobinsonApril 19, 2014 5:18 AM

@ Benni, Jonathan,

I guess its the sensors that they have a problem with, as the russian plane is probably just an old tupolev.

No it cannot be the sensors.

The treaty requires that the sensors be not only certified independently but are also available for sale to other signatory nations. Further there are limits on the sensors resolving powers of ~1ft.

The Russians have sold entire systems befor for instance Germany purchased one, then a nation who shall remain unnamed flew a C-130 into it mid air...

So unless either it's "lost sales" or the US have been upto something they should not within the treaty constraints that's making them sore, I guess what's upsetting the US is that the Russian's are --according to US sources-- stoping US drones and similar from spying on them (because that equipment is not covered in the treaty as far as I'm aware).

Clive RobinsonApril 19, 2014 6:04 AM

@ DB,

There's also the further problem of how could you trust chip fabrication plants not to secretly mass substitute your open design for an NSA- furnished one, and I have no really good solution to that.

I suspect it's still an open problem, however if you think back a couple of years ago the US DoD put out "open tenders" for technology to do this. Interestingly it all now appears to have gone under cover in one way or another.

Nick P did put up a list of some of the original contenders so it might be possible to track them down and see how far they got (on the assumtion it did not work out). Or to try and track team members to see what they are upto now.

SkepticalApril 19, 2014 10:47 AM


Re Open Skies:

Clive is correct that the sensors must be within types and capabilities specified by Treaty. However, Putin would like to upgrade the sensors used on Russian planes, and has asked the US to agree.

We don't know the nature of the upgrade requested, or what the implications of the requested upgrade would be.

So it's impossible to make any informed judgment as to why there is disagreement about this.

I will very, very speculatively raise a possibility not being considered above:

Putin requests a sensor upgrade knowing it will be rejected. This rejection is used for propaganda purposes as a pretense for Russia to escalate rhetoric about the US driving Russia to resume a Cold War nuclear posture (the target of the rhetoric would be Europe, particularly Germany).

Frankly, there is increasing concern about Putin's long-term goals with respect to the international community in general and former Eastern Bloc states in particular. Increased caution is merited.

SkepticalApril 19, 2014 11:00 AM

@DB: since the US government can legally coerce any closed source hardware/software entity to put in backdoors.

This was discussed at great length previously. The law does require that communications providers maintain the capability to provide wiretaps to the government on lawful request. Businesses are also required to turn over business records upon lawful request (or to challenge the request in court).

But beyond that, the government cannot legally compel, say, a fabrication plant to alter designs and insert a backdoor. I don't see Intel, for example, agreeing to assume catastrophic legal liability, and a fatal business risk, by inserting backdoors into its chips.

War GeekApril 19, 2014 11:59 AM

@Clive

It was a US C-141 that hit the German Open Skies TU. I doubt the nine dead US crew members were seriously considering Kamikaze status (nor would their families appreciate that insinuation).

DBApril 19, 2014 12:15 PM

@skeptical...

"But beyond that, the government cannot legally compel, say, a fabrication plant to alter designs and insert a backdoor."

And yet... they have coerced software companies to alter their designs to insert a backdoor. There is positive proof of this in the news. What's so different about hardware? They're both protected by the exact same principles of contract under law. If they can legally subvert one, why not the other? Your assertions make no logical sense at all. You just cannot see the NSA as doing any wrong, you love the surveillance state, and you are too drunk on power. You have the morals of a turnip.

JacobApril 19, 2014 12:18 PM

@Skeptical

You see, this is the beauty of secret body of laws and FISC: you can never know what they are doing "legally".

"The law does require that communications providers maintain the capability to provide wiretaps to the government on lawful request"

- Chips and hardware do have channels of communication. I can see some opened legal doors here to tap the comm channels with some added circuitry on the silicon.

"I don't see Intel, for example, agreeing to assume catastrophic legal liability, and a fatal business risk, by inserting backdoors into its chips."

- nothing happened to AT&T after the revelation of an on-site tapping room, or to Google which, according to some well-respcted newspapers, did the same (reportedly came to light after the NSA investigated a Chinese break-in into Gmail accounts through NSA equipment at Google).

name.withheld.for.obvious.reasonsApril 19, 2014 12:34 PM

@ Skeptical
Not again? You've mixed authorities and statue. CALEA, compelled vendors to make devices that are used in communications that allows federal law enforcement to do Pen Register, Trap and Trace, and I am pretty sure there is a hand-off feature available. This law has been in affect since 1997, it's called the telecommunications reform act. CALEA, as adjunct to the statue. And deadlines were made for vendors and telcos to comply.

This should not be confused with their rights to compel backdoors--although clearly under CALEA--they have done it.

@ Jacob
And to your point about AT&T's immunity from prosecution--this is one of the most aggregis acts in recent history. The constitution forbade post facto law--this is what Kings used to do if they made an agreement--and then changed their minds about some term, condition, or standing in royal law. The framers knew of these abuses and clearly knew in the future someone would attempt to make such accomodations.

LinoApril 19, 2014 1:27 PM

"I don't see Intel, for example, agreeing to assume catastrophic legal liability, and a fatal business risk, by inserting backdoors into its chips."

Funny, I don't see a single CPU chip (at least from those exported outside US) without some kind of killswitch, if not some kind of other form of control trigger, usable at least in case of nuclear war, for example. I think this will be a huge mishap from NSA, dont you think?

JDApril 19, 2014 2:09 PM

RedHat, Fedora and CentOS, are now under "EAR":

"Export Regulations

By clicking on and downloading Fedora, you agree to comply with the following terms and conditions:

By downloading Fedora software, you acknowledge that you understand all of the following: Fedora software and technical information may be subject to the U.S. Export Administration Regulations (the “EAR”) and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR (currently, Cuba, Iran, North Korea, Sudan & Syria); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems. You may not download Fedora software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide Fedora software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of Fedora software and technical information."
https://fedoraproject.org/en_GB/get-fedora

Is Red Hat Working for the NSA?
http://fossforce.com/2014/01/red-hat-working-nsa/

Hugh Shelton is now chairman at RedHat:
https://en.wikipedia.org/wiki/RedHat

Did Linus Torvalds not make a joke after all? But the backdoor is bugdoors in RedHat, Fedora and CentOS?

Tejun Heo statement:"Not that I can talk about."
http://www.theregister.co.uk/2013/09/19/linux_backdoor_intrigue/


"Summary: Why companies which are based on the United States cannot be trusted as US law requires them to provide access to personal information (or even back doors) without ever disclosing this" http://techrights.org/2013/11/24/tpm-back-doors-patriot-act-etc/

JDApril 19, 2014 2:13 PM

Take look here:
https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org
"This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. There is no support for secure renegotiation. The server does not support Forward Secrecy with the reference browsers."

and "An error occurred during a connection to download.jitsi.org. Peer attempted old style (potentially vulnerable) handshake. (Error code: ssl_error_unsafe_negotiation)"

but https://jitsi.org/ is fine.. but no Forward Secrecy.

and https://addons.mozilla.org does not support Forward Secrecy..
and this error can occur: "An error occurred during a connection to addons.mozilla.org. SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read)"

but https://www.mozilla.org/ does support Forward Secrecy..

Regarding the javascript bug that was exploited in the Mozilla browser used by the Tor Browser Bundle where noscript is off by dafault and thereby javascript is on by default, shortly thereafter Mozilla made changes, i.e. removed the ability to turn off javascript under the preferences menu, now one have to turn off javascript under about:config making this more difficult for less knowledgeable users that maybe even does not know what noscript is or does.

DBApril 19, 2014 2:18 PM

As a Russian friend of mine once said, "Sure, you're free to do whatever you want, they put you in jail."

So-called American freedom is fast approaching this. It is utterly totalitarian and oppressive the way they can now supposedly "legally" coerce American companies to do whatever they want, and force them to stay quiet about it. This makes all other human rights, contracts, and laws null and void, effectively. Heil Obama! Concentration camps are not far off in our future. And all those who steadfastly defend this system no matter what have the morals of a turnip.

JacobApril 19, 2014 2:58 PM

@Clive

I see a very disturbing develpment where the rule of law and the constitutional amendments are routinely violated by the various agencies of the executive branch. It is like an abusive and vindictive and agressive open season and the prey is the public at large.

It is all fed by and reinforced by the inaction of the White House and the autistic Commander In Chief.

1. The NSA revelations - no actual change to their operations.
2. Clapper lied to Congress - nothing happend to him
3. Sen. Feinstein accused the CIA in public that they had penetrated staff computers illegaly - the WH said that "The President does not wish to take sides in this matter"
4. From the ACLU link you provided, a link to another ACLU article shows that the "3 Hops collection" is alive and well at the San Francisco DA office: while investigating an "Illegal Assembly" during a demonstartion last year, he issued a subpoeana to 2 individuals' Twitter accounts:

"But the subpoenas at issue here were nothing more than a fishing expedition, seeking all sorts of information having no connection to the alleged crimes. The DA sought not only tweets by Smith and Donohoe, but also all tweets about them written by other Twitter users over a ten-month range, as well as the list of all Twitter users who followed them, thus potentially sweeping in information about untold numbers of Twitter users who had no connection to the protest or alleged crimes. The subpoenas even sought tweets on topics unrelated to the protest. The subpoenas were broadly worded to include private Direct Messages and tweets from accounts that may have been protected from public view, which also raises Fourth Amendment privacy concerns."

I have other examples from the NYC DA office...

5. And today (again) - the FBI and the CIA. Amazing illegal and brazen disregard to the law and people's rights:
http://www.nytimes.com/2014/04/19/us/politics/covert-inquiry-by-fbi-rattles-9-11-tribunals.html

Don't worry - nothing will happen to them. Not even a slap on the wrist.

SkepticalApril 19, 2014 3:03 PM

@DB: And yet... they have coerced software companies to alter their designs to insert a backdoor. There is positive proof of this in the news.

False. RSA was not legally compelled to insert a backdoor. That's the only case, if it is one, that I'm aware of.

More importantly DB, there is no law that would permit the government to legally compel a chip manufacturer to insert a backdoor (with the usual qualification for CALEA, which is largely inapplicable here).

As your opinion seems to be based on a mistaken view of the facts, perhaps you ought to reconsider it.

@Jacob: You see, this is the beauty of secret body of laws and FISC: you can never know what they are doing "legally".

No. There is a an area of gray where we can say we're unsure about how exactly the FISC would interpret a given provision in FISA, but that doesn't mean that we have no idea as to what the law is.

There is nothing in FISA, or any other law, of which I'm aware, that would allow the government to legally compel a chip manufacturer to insert a backdoor. There is no plausible interpretation of any law that would permit it.

Chips and hardware do have channels of communication. I can see some opened legal doors here to tap the comm channels with some added circuitry on the silicon.

Nah, CALEA's scope doesn't extend to just anything that could possibly be used to communicate.

nothing happened to AT&T after the revelation of an on-site tapping room, or to Google which, according to some well-respcted newspapers, did the same (reportedly came to light after the NSA investigated a Chinese break-in into Gmail accounts through NSA equipment at Google).

AT&T and the other telecoms received an extraordinary grant of immunity from civil suits by an act of Congress which took years to pass. That's not something you want to rely on getting as a company. And the ramifications of Intel inserting a backdoor into a chip would be several orders of magnitude more problematic than what the telecoms did.

RichApril 19, 2014 4:06 PM

Squid are always on topic, right? Here's some squid merchandise:

(The Salty Squid is a bar in The Leviathan Chronicles, a high-production-value audio serial SF/Mystery/Adventure:
)

Sancho_PApril 19, 2014 6:27 PM

@ Skeptical, DB:

… the government cannot legally compel, say, a fabrication plant to alter designs and insert a backdoor.

OK, fine, there is no such law.

However, there is no need for such a law.

“ ***
Of course, you can start to fab your chips whenever you want,
but before selling them we have to make sure they comply to a/b/c/ … /x/y/z.
Sorry, that’s the law.
We’d need, say, 100 chips out of your production, and roughly 7 years to test them.
Um, that would be too long for your business?
So let me see … [cough]
If we only could test them later, when they are at the final customer,
or have a kill switch, in case any “terrorist” would use these chips?

-> What about both, access and switch? How long would it take you then?
*** “

All this boils down to one point:
Do you blindly trust in all of your government (+ establishment)?

If yes, why?
If not, why?

.

There is no crime, no ruse, no trick, no fraud, no vice which does not live by secrecy. Bring this secrets to light, unveil and ridicule them to everybody. Sooner or later the public opinion will sweep them out.
Publication may not be enough - but it is the only means without which all other attempts will fail.
”

(Joseph Pulitzer 1847-1911)
[Apologize my attempt to translate, didn’t find that in English]

Goebbel's tearsApril 19, 2014 6:40 PM

Let's parse skep's lie of the week. Note how he hammers on legally. That's because there's no law authorizing what the US government did to Nacchio, for instance, when he didn't play ball: investigate the man and not the crime until you scrape up any old thing you can put him away for. Classic NKVD stuff. And note the characteristic deception when skep feints toward the practical disadvantages of sabotaging network infrastructure under NSA's direction. Skep pretends that commercial considerations can trump government extortion on the Nacchio model.

At least skep is dropping his risible early pretense of objectivity and is increasingly trying to sound authoritative. This will give the world a whole new treasury of comedy gold as he steps on his crank explaining the law to us.

SkepticalApril 19, 2014 8:40 PM

@Sancho_P: However, there is no need for such a law.

“Of course, you can start to fab your chips whenever you want,
but before selling them we have to make sure they comply to a/b/c/ … /x/y/z.
Sorry, that’s the law.
We’d need, say, 100 chips out of your production, and roughly 7 years to test them.
Um, that would be too long for your business?
So let me see … [cough]

Nope, for several reasons.

Here are the three most important.

First, power in the US Government is less concentrated than in most other systems. Even if an agency within law enforcement or intelligence asked for such pressure to be brought, it would have to first:
(a) overcome bureaucratic resistance from the various regulatory agencies who would actually have to make this threat, and no one at the regulatory agencies will be thrilled or want to do it,
(b) overcome the resistance from state officials who, when they hear that a federal agency is threatening 7 years of delay to a business that will bring them jobs and revenue, will be furious,
(c) overcome resistance from various Members of Congress who will, for similar reasons, have a fit.

We could actually stop here, as those considerations are enough to make it very unlikely. But the two additional considerations will seal it:

Second, a company could, and likely would, quite energetically litigate should they be threatened with such a delay. And they'd win. Needless to say, lobbying groups from across the business spectrum would be heavily involved.

Third, this is the kind of threat that practically guarantees exposure of the program. Why? Because the threat only works in the US if it's secret, and there's no way to keep such a threat secret (and no, NSLs are not applicable here).

The key to having a good understanding of what are viable actions by the US Government, and what are NOT viable actions, is having an understanding of how limits on the power and influence of any one entity in the USG work. There are a lot of moving parts, and a surprisingly large number of effective checks. If your model is a unified government, a kind of black box entity, then your model is too simple.

BenniApril 19, 2014 8:44 PM

@JD:

Regarding Redhat:

his kernel dev is with right proud that he resisted pressure from intel developers, to make the linux random number generator solely dependent on the hardware random number generator:

https://plus.google.com/+TheodoreTso/posts/SDcoemc9V3J

After sometime, he got strange mailings from a claimed redhead dev, who made exactly the same argument that these openssl devs were having above:

If you would use only the hardware random number generator, then you would have "better performance" on "some systems". But the redhead dev does, even after being explicitely questioned, not tell, which systems should run faster, and for which applications a superfast random number generator is of advantage.

If one reads the following discussion, one must get the impression that this redhead developer was bought by some agency:

https://lkml.org/lkml/2013/9/5/212

>> On Thu, Sep 05, 2013 at 08:18:44AM -0400, Prarit Bhargava wrote:
>> The current code has two exported functions, get_bytes_random() and
>> get_bytes_random_arch(). The first function only calls the entropy
>> store to get random data, and the second only calls the arch specific
>> hardware random number generator.
>>
>> The problem is that no code is using the get_bytes_random_arch()
>> and switching over will require a significant code change. Even if the
>> change is made it will be static forcing a recompile of code if/when a
>> user has a system with a trusted random HW source. A better thing
>> to do is allow users to decide whether they trust their hardare random
>> number generator.

> Theodore Ts'ö wrote
> "I fail to see the benefit of just using the hardware random number
> generator. We are already mixing in the hardware random number
> generator into the /dev/random pool, and so the only thing that using
> only the HW source is to make the kernel more vulnerable to an
> attack where the NSA leans on a few employee and forces/bribes
> them to make a change such that the last step in the RDRAND's
> AES whitening step is changed to use a counter plus a AES key
> known by the NSA."

>> On Thu, Sep 05, 2013 at 11:08:28AM -0400, Prarit Bhargava wrote:
>>
>> The issue isn't userspace /dev/random as much as it is the use of
>> get_random_bytes() through out the kernel. Switching to
>> get_random_bytes_arch() is a search'n'replace on the entire kernel. If
>> a user wants the faster random HW generator why shouldn't they be
>> able to use it by default?

> Theodore Ts'ö wrote
> "Where is the speed of the random number generator a bottleneck?

> In general, adding knobs when users can make what might be
> potentially the wrong chance is very dangerous. There is a reason why
> there aren't convenient knobs to allow users to select the use of the
> MD4 checksum, "because it might be faster, why shouldn't the user be
> allowed to shoot themselves in the foot"?

> BTW, note the following article, published today:

> http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all

> "By this year, the Sigint Enabling Project had found ways inside some
> of the encryption chips that scramble information for businesses and
> governments, either by working with chipmakers to insert back
> doors...." Relying solely and blindly on a magic hardware random
> number generator which is sealed inside a CPU chip and which is
> impossible to audit is a **BAD** idea."

>> On Fri, Sep 06, 2013 at 08:08:52AM -0400, Prarit Bhargava wrote:
>> Your argument seems to surround the idea that putting stuff on the
>> internet is safe. It isn't. If you've believed that then you've had your
>> head in the sand and I've got a lot of land in Florida to sell you.

> Theodore Ts'ö wrote
> "I have no idea how you are getting this idea. My argument is that
> putting all of our faith in one person (whether it is DNI Clapper lying to
> the US Congress), or one company (like Intel, Qualcomm, TI, etc.) is
> a bad idea. Software can be audited. Hardware can not. We can at
> least test whether or not a network card is performing according to its
> specifications. But a HWRNG is by definition something that can't be
> tested. Statistical tests are not sufficient to prove that the HWRNG
>has not been gimmicked.

> Hence, unless you can show me where the speed advantage of
>bypassing the entropy pool is needed, why should we do this? And if
> there is a specific place where need to consider adjusting the security
> vs. performance tradeoff, let's do that on a case by case basis,instead
> of making a global change.

> Hence, your patch is IMHO irresponsible. It exposes us to more risk,
>for an undefined theoretical benefit.

> Of course nothing on the internet is going to be perfectly safe. But that
> doesn't mean that we shouldn't make it harder for any government
> agency, whether it is the Chinese MSS, the US NSA, or the UK GHCQ,
> from being able to easily
> perform casual, dragnet-style surveillence."

Nick PApril 19, 2014 9:09 PM

@ Benni

Thanks for sharing that one as it's an interesting exchange. I agree that whoever was pushing the hardware RNG had a motive other than security. Question is what is that motive? There are a few possibilities:

1. Trying to subvert it (most likely)

2. Works for the maker of the TRNG and is pushing use of their product. In this case, the person might even have worked on it and truly thinks a software CRNG is a waste of time given hardware option.

3. A third party with similar motivation pushing the hardware option.

I've seen each happen before. Given the deception involved, I've labeled option 1 as most likely. That they were pushing a TRNG for an American company that's tight with American govt indicates it was probably BULLRUN-related.

BleedingHeartApril 19, 2014 9:30 PM

EvenMore said:

"As they kind of lost the advantage over encryption, probably they will focus in the next years (if not already) on alternate side attacks, like embeding backdoors or access software in processors, mainboards, BIOS, routers.... so whats the point of having a safe OS from USB if memory is already controled?"

My response:

You're right, there is no point. I would be surprised if NSA doesn't already have backdoors in most COTS hardware now. The Budget Report from the Snowden documents already mentions one such breach of "encryption chips" used in VPN routers (maybe it was Broadcom, I don't know because the Guardian decided to redact the vendor's name). Intel and AMD are both American companies, so there isn't much doubt in my mind that they have also been compromised.

One way to determine what NSA is up to is to see what they do for defense. They raised holy hell over Huwaei and the "backdoors" in that hardware. The way they knew how Huwaei's equipment was compromised was "classified" according to the hearings I saw. No doubt they know because they use the same techniques themselves. The hypocrisy is amusing.

Also, it speaks volumes that NSA has its own chip fab plant. They don't trust consumer stuff for a good reason, and neither should we. If you rely on COTS hardware and buggy as hell (and backdoored) consumer software for any real security you are fooling yourself. If you want real COMSEC you have to A) control and manufacture the hardware yourself and B) have complete control over the software development. None of us have that ability. Therefore, if we want COMSEC, we have to do it face-to-face in a cave somewhere.

That's how it is and it's never going to change. Once government obtains a new power, it never lets it go (and never has historically in any nation). The NSA will only grow in strength, it wont be weakened. People who think otherwise are idiots.

Lives of others USAApril 19, 2014 10:11 PM

Now here's skep trying to sell elite pluralism as your protection. This is a variant of CIA's 'somebody woulda talked' canard. But skep's doughty commercial freedom fighter is as phony as his law-abiding NSA civil servant. One more fairy tale for enlisted dopes and impressionable youngsters.

NSA spies are criminals who get away with it by picking and choosing the laws they will obey. It's always worked for them so far, and it will keep on working until the civilized world gets involved. What is the outside world demanding?

Rule of law.

(a) take all necessary measures to ensure that its surveillance activities, both within and outside the United States, conform to its obligations under the Covenant, including article 17; in particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity regardless of the nationality or location of individuals whose communications are under direct surveillance;

(b) ensure that any interference with the right to privacy, family, home or correspondence be authorized by laws that (i) are publicly accessible; (ii) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; (iii) are sufficiently precise specifying in detail the precise circumstances in which any such interference may be permitted; the procedures for authorizing; the categories of persons who may be placed under surveillance; limits on the duration of surveillance; procedures for the use and storage of the data collected; and (iv) provide for effective safeguards against abuse;

(c) reform the current system of oversight over surveillance activities to ensure its effectiveness, including by providing for judicial involvement in authorization or monitoring of surveillance measures, and considering to establish strong and independent oversight mandates with a view to prevent abuses;

(d) refrain from imposing mandatory retention of data by third parties;

(e) ensure that affected persons have access to effective remedies in cases of abuse.

Don't listen to skep's NSA lies. Ask him why Americans should not have this.

BenniApril 19, 2014 10:32 PM

@Nick_P, and please see the similarity to this here:

https://github.com/openssl/openssl/blob/master/ssl/s3_both.c

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just
* free() and malloc() buffers all the time, so we need to use freelists from
* unused buffers. Currently, each freelist holds memory chunks of only a
* given size (list->chunklen); other sized chunks are freed and malloced.
* This doesn't help much if you're using many different SSL option settings
* with a given context

And the code that then follows is really ugly, and is used for ALL systems, not only some slow ones. Note that they do not specify which systems have a malloc and free so slow that you can not use it. Similarly to this redhat dev, who argues, on some systems a purely hardware rng might be of speed advantage, and thus, one must use unsecure code on all systems.

Please note that this code was inserted into openssl at the time when Openbsd created their exploit mitigation, thereby circumventing their security systems:

http://marc.info/?l=openbsd-misc&m=139698608410938&w=2

BenniApril 19, 2014 10:42 PM

To that it falls into place that openssl feeds a screnshot on windows machines to the prng, and on all systems the private key is feed into the prng, which may well be a pluggable system. Openssl supports hardware crypto cards, so the secret service just has to sell a phony crypto card that, when being fed with your private key, sends this to Pullach or Forth meade.

You think they can not pull that off?

Well the german BND can even own the majority of the shares of crypto hardware manufacturers: http://cryptome.org/jya/cryptoa2.htm and make their engineers weaken the algorithms.

With Pullach cryptography fully functioning, the BND predicted an invasion of Soviet and other Warsaw Pact troops into Czechoslovakia. CIA analysts on the other hand did not support the notion of "fraternal assistance" by the satellite states of Moscow; and US ambassador to the Soviet Union, Llewellyn Thompson, quite irritated, called the secret BND report he was given "a German fabrication".[8] At 23:11 on 20 August 1968, BND radar operators first observed abnormal activity over Czech airspace. An agent on the ground in Prague called a BND out-station in Bavaria: "The Russians are coming." Warsaw Pact forces had moved as forecast.[11]

http://en.wikipedia.org/wiki/Bundesnachrichtendienst

That was, because the stupid russians had bought crypto boxes prepared by BND, which could read everything from the russians, while NSA and CIA were completely blind.

Now some of the openssl developers live in Dachau, only 20 minutes with the tube away from BND Headquaters, could just be a coincidence of course........


laundry dayApril 19, 2014 10:52 PM

"The NSA will only grow in strength, it wont be weakened."

Cypher: You know, I know this steak doesn't exist. I know that when I put it in my mouth, the Matrix is telling my brain that it is juicy and delicious. After nine years, you know what I realize?

[Takes a bite of steak]

Cypher: Ignorance is bliss.

BenniApril 20, 2014 1:35 AM

Of cource, it could be that the russians would use their own crypto suite, similar as the nsa calls their set of algorithms suite A and B.

With a setup that feeds the private key into the rigged crypto hardware, http://marc.info/?l=openbsd-cvs&m=139773689013690&w=2

and with the russians buying BND rigged crypto boxes since 1968,

the russians only need to be lured somehow, into using openssl:

http://www.openxpki.org/docs/gost-howto.html

"Since late summer of 2006 a production branch of OpenSSL version 0.9.9 has a built-in support for arbitrary asymmetric cryptography, and provides an extended set of russian national algorithms (GOST) as an example of foreign cryptography."

Well, I guess there must be SOME way, to intercept the russian government communication.

It is a bit sad, that the openbsd folks now have, besides closing the feeding of the private keys into the prng, also removed the russian gost algorithms:
http://freshbsd.org/commit/openbsd/a7eb3ada8b28820fa25a11c48b2567ba83c04064

Poor BND....


DBApril 20, 2014 2:07 AM

@skeptical

There doesn't have to be a law that explicitly states in writing "The government can compel any company to insert any backdoors it wants in any hardware" for this to be true. There are other "legal ways of compelling" than that. For example:

1) "legal blackmail" -- put in the backdoor or we'll put in you in prison for something else unrelated, like Nacchio.
2) "legal fraud" -- for example NSA lied to RSA and told them it was a "security enhancement"
3) "legal bribery" -- RSA might have been this instead, since they were paid 10 mil for it.

So the government certainly CAN compel hardware makers to subvert their tech, using these means. Obviously with fraud, blackmail, and bribery it could be argued that it's not legal, but who's gonna prosecute and win? As long as they keep doing it and getting away with it, then by precedent it's as good as "legal".... hey, if they can freely directly lie under oath or defraud the whole US Congress and get away with it, why not some lowly company?

By defending this kind of system, you have the ethics and morals of a turnip.

FigureitoutApril 20, 2014 2:42 AM

Mike the goat RE: this post (avoiding too much OT)
--Windows no doubt is completely untrustworthy and too big to personally verify w/in one's head. I enjoy programming Vim much more now; all the buttons on a modern IDE are really distracting from what should solely be code. The problem is what choices do people like doctors or *good* lawyers or *good* journalists have as a product to buy and have a pre-programmed OS. We don't need to be able to diagnose ourselves to use medicine; but they're expected to practice extreme *I mean* basic OPSEC on their computers. Then there's all the doubt surrounding frickin' everything. I'm chugging along on what I'm doing for my computer and at least have file transfer not just LED blinking memory addresses (will need a camera to record output for more certainty); but I'm going back in time, not forward. And if security keeps heading the way it is now all the "secure" older components will rot away and we're all forced to use bluetooth/wifi sniffing computers; oh and there's wireless power research, not RFID or NFC but longer distance, it will destroy security unless you shield or actively jam at all times, filling the airwaves w/ garbage.

BleedingHeart
Therefore, if we want COMSEC, we have to do it face-to-face in a cave somewhere.
--Just use an OTP before putting data on a device; no talking. Assuming intel agencies can't see literally every nook and cranny on the Earth, and you can write on a piece of paper. Use a few sheets to just scribble and enclose the message incase there's some chemical detector of ink for the transfer, where all the security relies on. Make sure the OTP has "emergency/distress" codes and multiple physical locations for the next transfer. Don't use the internet to make your OTP for more security; just go to the library and write down random words in books (watch out for the cameras).

This is what we're f*cking being forced to do. It will be very hard to crack that.

RE: Intel subversion
--Intel CEO himself took a little bit before he finally at least verbally dismissed complete subversion of the the company's chips:

http://www.reddit.com/r/IAmA/comments/1ycs5l/hi_reddit_im_brian_krzanich_ceo_of_intel_ask_me/cfltop4

And of course we have an NSA slide w/ the slogan "TAO Inside".

http://cdn2.spiegel.de/images/image-584021-galleryV9-yenq.jpg

Coyne TibbetsApril 20, 2014 2:43 AM

@Skeptical That's the only case, if it is one, that I'm aware of.

More importantly DB, there is no law that would permit the government to legally compel a chip manufacturer to insert a backdoor (with the usual qualification for CALEA, which is largely inapplicable here).

You keep saying that, "...there is no law..." First of all, there is no public law but, as we saw just this last week (US Has A 'Secret Exception' To Reasonable Suspicion For Putting People On The No Fly List) there are all of these "secret exceptions" and "secret interpretations" to the public law that intelligence agencies use to accomplish what they want.

You also keep saying, "...legally compel...," which is actually the same kind of weasel words that NSA uses. When the mugger has a gun pointed at your head, the fact that his compulsion is illegal is of little use. There's no proof that Joseph Naccio was ruined because he refused to let NSA tap QWest customers, but there's lots of good reason to suspect that's the case; and if his destruction was illegal, what good is it to him? Do you think his successor refused?

I think it is quite clear that NSA can find a "gun" to point at--find means to coerce--anyone who refuses to do something the NSA wants. If that isn't compulsion (legal or not) what is?

FigureitoutApril 20, 2014 2:50 AM

One more thing, here's a simple circuit to take in IR from say a remote control and send along bytes via RS232 to say a storage device. Work would need to be done for a single button file transfer; but this kind of thing was done in the past. This has advantages over physical exchange of OTPs in that there is no physical contact but just people happen to be in the nearly same location. Another one of the things I'm messing around w/...

http://galia.fc.uaslp.mx/~cantocar/comunic_datos/INFRAROJO/infrared-control/Silicon%20Junction%20-%20IR%20Receiver%20for%20Sony%20Remotes.htm

You aren't limited to Sony protocol either, another great site:

http://www.sbprojects.com/knowledge/ir/index.php

eye of sauronApril 20, 2014 5:02 AM

NSA uses Fedora for developing SELinux according to the mailing list, prob use RHEL for all their internal servers, as do many other government agencies worldwide.

Cuba can still use OpenBSD and Suse

JacobApril 20, 2014 8:06 AM

I hope that the following 2 excerpts from the Sep 5 2013 NYTimes article about the NSA will put to rest Skeptical's claim that the government cannot legally compel a compny to subvert its own products:

"In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door."

".... the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.

Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced."

AbsintheApril 20, 2014 8:29 AM

Researchers use Twitter to predict crime
http://phys.org/news/2014-04-twitter-crime.html


Hidden in the Twittersphere are nuggets of information that could prove useful to crime fighters—even before a crime has been committed.

Researchers at the University of Virginia demonstrated tweets could predict certain kinds of crimes if the correct analysis is applied.

A research paper published in the scientific journal Decision Support Systems last month said the analysis of geo-tagged tweets can be useful in predicting 19 to 25 kinds of crimes, especially for offenses such as stalking, thefts and certain kinds of assault.

The results are surprising, especially when one considers that people rarely tweet about crimes directly, said lead researcher Matthew Gerber of the university's Predictive Technology Lab.

Gerber said even tweets that have no direct link to crimes may contain information about activities often associated with them.

"What people are tweeting about are their routine activities," Gerber told AFP. "Those routine activities take them into environments where crime is likely to happen.

"So if I tweet about getting drunk tonight, and a lot of people are talking about getting drunk, we know there are certain crimes associated with those things that produce crimes. It's indirect."

name.withheld.for.obvious.reasonsApril 20, 2014 10:22 AM

Sunday Arm Chair Analysis, EFF and the Federal Court(s)


EFF compiled the legal case and documents in their, from what I know, their 3rd attempt to reach a court for redress. My sense of EFF's effort indicates that legal counsel is proceeding in an incremental, step-wise, manner that I am certain serves several purposes. My suggestion, if I were Emperor, quills of many wells, at once, drawing multiple points around any number of "crimes" carried out by the government against the sovereign.
I don't know why a case could not be brought that a compliant might take the form of "The Citizen Sovereign v. U.S. Government; Breach of Contract, Fraud, Material Theft, Operating under the Color of Law to misdirect/misled, Excessive use of Authority, and conspiracy to overthrow the citizen.

Comments on the legal motions under the Jewel v. NSA and Hepting v. AT&T.
Based on the EFF motion, NSA Telecom Records Litigation, and request for jury trial, entered into the U.S. 4th District Court; a summary of the elements of interest or that stands out in the Jewel V. NSA case.

In response to National Security Agency Telecommunications Records Litigation, filed 15 Nov 2007, submitted to Walker, the Deputy Chief of Staff for operations for SIGINT [NAME REDACTED] denoted authorities for collection(s) citing EO 12333. From what I understand, the most problematic issue with EO 12333 is the unlimited collection of "anything" when taken from "overhead"--I am assuming that this could include photographs. If so, this is a new wrinkle in the legal morass that NSA continues to embrace and extends the overreach.

My response to authority given for overhead collection--wartime enemy. And, the AUMF congress has used repeatedly IS NOT A DECLARATION OF WAR. The use of an instrument calling for the use of the military, for reasons other than war or for convenience, is not supported constitutionally.

How I understand what the Constitution and the framers saw the use of force by the government:

  1. At first incursion, as in the bombing of Pearl Harbor or the twin towers, the Militia is called upon to be the "First Responders"; in essence the President dials 911. This is purposeful, as the military is under the direct control of the President, vesting the immediate emergency power to use lethal instruments employing forces not under the direct control of the President (prevent the Executive from use the military to seize the government).
  2. If the event triggers further aggression, causing a continued conflict brought about by the first incursion, congress is entrusted to act by means of a declaration of war.

No other authority is enshrined anywhere in the constitution that says, and this is by way of a literary instrument; Article II, Section 20 (if our current reps wrote the constitution):
If, during the course of normal governmental affairs wherein things go wrong, congress can draft any type of document they want to do whatever to whomever.

WinterApril 20, 2014 1:21 PM

@Somebody
"router manufacturers re-adding patched backdoors!"

Sounds like a brilliant marketing move. This is the kind of "error" that drives companies into bankruptcy.

Will be interesting to see who is going to save the owners.

DBApril 20, 2014 5:26 PM

@somebody, Winter:

Even before the Snowden revelations, I had become convinced that all "consumer grade" routers were utter crap security-wise, and I started building my own router out of open source software. I just didn't know that it was intentional back then... I was under the delusion that to stay in business, companies had to at least try to put the customers' best interest first, even if they weren't in fact doing a good job at it. Now, I've come to realize that the only way for this principle to still hold true is that the people who buy the things aren't actually the customers, they're the product. The NSA and other government agencies are the only customers that matter to them.

Sancho_PApril 20, 2014 6:57 PM

Re: Router backdoors.

Not sure if such “backdoors” are required by the Stasi.
Both, vendors and ISP’s need them in the first place:
Imagine to produce & deliver 4(+)Mio devices for a telco, just to find there is a problem in the FW and you couldn’t access them without physically visiting each final customer.
Or, as a telco, to explain to my neighbor on the phone how to download and flash a new FW (e.g. because her iPad-air doesn’t reliably work with the old one).
Or my brother, who was playing with the settings until the device was unusable.
Imagine how many traveling technicians a telco would need.

There were routers before TR-069, and I think CWMP is not fully supported yet by new devices / all ISP’s.

Of course any “backdoor” can and therefore will be abused, no doubt.

DBApril 20, 2014 7:06 PM

@ Sancho_P

Aren't you talking about those "rented" routers you can get from your ISP, where the router isn't really yours anyway it's theirs? I was more talking about the ones you buy as an end user, and then tell your ISP to keep theirs because you have your own. In the latter case, the ISP should not have an intentional "remote access" backdoor into my router. I paid for it, it's mine, stay out. If it needs an update or if I brick it, it's my responsibility to deal with it, not the ISP.

Nick PApril 20, 2014 7:16 PM

@ Sancho_P

There's a difference between a remote access tool and a backdoor. Let's use SSH in a router as an example. If it's disabled by default, it poses about no risk. If it's enabled, a configuration tool might automatically choose safe configuration. The device owner see's this in their admin interface, with the ability to turn the feature on or off. *This* is a remote access solution which poses little risk from black hats.

What was in the linked article has the properties of a backdoor. With secure remote access tools available, the existence of a backdoor should only disturb device owners. If its existence is obfuscated, it should be enough reason to avoid buying the product and probably any other from that vendor.

And to think I thought there was no market or hope for my subversion-resistant networking designs... Existing companies keep this kind of sneaky (or incompetent) stuff happening some demand for real security might pop up. Then, I might be in business.

Nick PApril 20, 2014 7:22 PM

@ name.withheld

"If, during the course of normal governmental affairs wherein things go wrong, congress can draft any type of document they want to do whatever to whomever."

It's actually in Article VIII of the Constitution where it says "this agreement may be subject to change without notice."

DBApril 20, 2014 8:06 PM

Ah yes, that secret Article VIII. So that's where all the secret law comes from. :)

SkepticalApril 21, 2014 6:11 AM

@DB:

Let's be clear on where I disagree with you.

This is what you claimed:

the US government can legally coerce any closed source hardware/software entity to put in backdoors

That's much too strong a claim. I would agree, as I've said before, that a company can voluntarily agree to provide the NSA with access. But your claim states that any closed source hardware/software entity can be legally coerce[d] to put in backdoors. And that's just not true.

With that distinction in mind, let's look at your three ways in which you say it can happen.

There are other "legal ways of compelling" than that. For example: 1) "legal blackmail" -- put in the backdoor or we'll put in you in prison for something else unrelated, like Nacchio.

People need to stop using Nacchio as an example. He was convicted of a massive securities fraud, in which he and several others pumped the share price of Qwest and then sold it in huge quantities before the true situation was revealed. At trial, he brought up the defense that the NSA cancelled contracts in retaliation for his refusal, seven months before 9/11, to institute a wiretapping program.

In any event, even if a CEO has committed a serious crime, while the DOJ can indeed offer leniency in exchange for cooperation in an ongoing investigation or on another matter of importance, it would be improper in the extreme for the DOJ to ask that a CEO violate his obligations to his shareholders and make a corporate decision in which he has a massive conflict of interest and which may harm the shareholders in exchange for personal gain.

This is extraordinarily unlikely to occur. The DOJ isn't going to want to engage in this at all, and it opens the DOJ and the government as a whole to risk of a massive scandal, congressional investigations, and possibly criminal prosecutions.

In any case, even if you think the DOJ would engage in this kind of conduct, the application is limited to instances where the CEO is on the hook for a serious crime, and I somehow doubt that every closed source hardware/software firm is in such circumstances.

2) "legal fraud" -- for example NSA lied to RSA and told them it was a "security enhancement"

It'd be more accurate to call this one deception than "legal fraud." This type of thing is easily taken care at the contract level by requiring that the NSA make certain representations and warranties regarding the feature they would like included.

But sure, it is possible that the NSA could trick a company into inserting a backdoor. For legal reasons, and that of the NSA's own self-interest, I'd judge this very unlikely. And while possible, it's not legal compulsion.

3) "legal bribery" -- RSA might have been this instead, since they were paid 10 mil for it.

The price tag is part of what makes me doubt the alg inclusion was a backdoor, actually. But in any event, leaving the RSA aside, it's possible for a company to voluntarily agree to insert a backdoor. Quite obviously that is not the same as legal compulsion.

By defending this kind of system, you have the ethics and morals of a turnip.

We're having a disagreement about facts, DB, not a disagreement about morals. So, sticking to your horticultural theme, you'd want to say something along the lines of "you have the view of a mushroom on the system: you're kept in the dark and fed lots of BS."

Clive RobinsonApril 21, 2014 6:36 AM

@ DB,

The site says the shirt colour is "asphalt" which should camoflage people nicely "when on the road"... the trouble is they'd be very lucky if the first motorist didn't flatten them for being lay abouts ;-)

Proof that things don't always work the way they dictionary or other sources claim :-) So remember "boys and girls" a certain amount of that rare commodity "common sense" will give you "evolutionary advantage" and not make you a "Darwin Award" contender...

http://www.darwinawards.com/

SkepticalApril 21, 2014 6:44 AM

@Jacob: "In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door."

The article here seems to make a vague reference to Lavabit which apparently designed its system in such a way that it could not comply with subpoenas and pen register orders without divulging a crucial part of encryption for all users.

Lavabit is a rather special case (the outcome there is due mostly to the design of the system and the owner's initial conduct).

".... the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.

Yes, the government can serve warrants and obtain that information. This isn't an area of disagreement.

Clive RobinsonApril 21, 2014 6:47 AM

@ Skeptical,

Depnding on what you consider "US Gov" there are one or two examples publicaly known of offers of "Backdoor or jail" being made. And in one particular case insisting the developer "run the backdoor for the US Gov" which if he had done so would have made him an international criminal...

I've posted the details befor whilst you've been commenting on this blog so you should be aware of the case...

kronosApril 21, 2014 9:07 AM

@ Anura: He didn't even have to take his shoes off.

If the general public ponders the advantages of completely avoiding TSA security theatre (taking shoes off, going through all baggage, groping/pat-downs, limited liquids, etc.), then the wheel wells might get crowded on future flights. ;)

DBApril 21, 2014 1:38 PM

@Skeptical

You are using weasel words to argue against me, the exact same way as the NSA does. You are totally insincere when you do this, just trying to pull one over on us, just like them. This is why I keep using horticultural metaphors on you.

You are concentrating on the word "legal" and saying "no it's not legal"... and entirely ignoring the rest of what I'm saying.... that is... that it can happen. The GOVERNMENT CAN COMPEL PEOPLE TO INSERT BACKDOORS. Yes... of course it can be argued that it's not legal... BUT THEY CAN STILL DO IT... AND THEY CAN ALSO ARGUE THAT IT IS LEGAL AND THEY WILL WHEN THEY DO IT TO YOU. And you are unlikely to win any challenge in court against it, the way things are currently going, regardless of your legality/illegality arguments, and regardless of how right you may be by resisting. So therefore most people just cave, and as you claim, "voluntarily" insert backdoors (when it wasn't really voluntary at all! that's just another weasel word!)

If important people can commit felonies right in front of the US Congress, and even write A CONFESSION LETTER TO CONGRESS ADMITTING IT ("apology" letters are legally confessions), and NOTHING HAPPENS TO THEM.... then it's clear that important people get away with WHATEVER THEY WANT in this country. And using various loopholes in any restrictive laws like "national security" and "terrorism" they not only get away with it, but also claim it's legal. So therefore, when I say it's "legal" I'm using their argument, not what the constitution says, obviously.

When I say something bad and evil is "legal" I'm not trying to say it's "right"... I'm trying to point out that there's something wrong with our laws in this country, and we need to fix those laws. Doing that means putting pressure on Congress.

vas pupApril 21, 2014 3:46 PM

@Winter:"Everyone in the USA can be thrown in jail for some or other offence."
The culprit (as I see it) not police or other LEA, or even prosecutors), but rather accordeon-type laws with such level of vagueness which provide huge opportunity for selective application of justice. LEAs are just opportunists. But all this applies mainly to the person with no substantial financial resources to prove the case in the court with good team of lawyers who could turn that vagueness professionally to person's benefits with jury trial.
Otherwise, they will give you plea bargain option: actually you are forced to select less evil, but still go to jail even being not guilty at all.
And finally, with their resources if you selected as a target, your only defense (no dirty tricks utilized by LEAs) is being angel today and tomorrow and all your questionable actions in the past are covered by the statute of limitations.

Passer-ByApril 21, 2014 4:09 PM

@DB, Skeptical

We should recall that the BULLRUN slides included one from GCHQ that had a bullet point "Do not ask or speculate on sources or methods underpinning BULLRUN successes".
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Considering that the intended viewers would have very high level clearances, I take this to imply something very underhanded. If it were simply a court order, why the hush - hush?

The old acronym MICE comes to mind:
Money
Ideology (patriotism)
Compromise (extortion)
Ego

These are the common methods of recruiting agents. I believe the "hush - hush" is because the NSA is using these tactics in the US (and GCHQ in the UK).

Sancho_PApril 21, 2014 4:49 PM

@ DB: (Re: “rented” routers)

Yes, basically I was talking about routers from the ISP. It will depend on country / region, but I guess that will be about 90% the case, at least in the EU.
Often the device is part of a “package”, the device is “free of charge”, not “rented”.

In the EU the ISPs would like to legally compel the customer to use their equipment as part of the “last mile”, but that’s heavily disputed.

On the other hand, most residential routers from stock are internally quite similar to those of the ISP’s bundles.

And all are vulnerable per design.
So all need “emergency access” by the vendor / ISP, even the “premium” ones.

E.g. (if I understood the news correctly):

In Germany they have a famous local router brand which has / had a nasty “backdoor bug”. Exploits are available in the Net, known damage in the 100k€.
An update was released and some ISP’s seem to have auto-updated their devices.
But today, weeks after the release of the new FW, there are still more than 30% (close to a million devices?) un-patched, likely because the users don’t know about any issue.
Their ISPs don’t tell them, probably because it’s not their device or they don’t know which device it is (?).

There is a similar known “backdoor” in Spain with a different router but from a telco.
(No, it’s not marked as “This is the backdoor, please knock twice”).

- Who is really held liable in case of damage, the vendor, the ISP or the user?

- Would it be better to have a device “free of charge” from the iSP,
or to have a router bought at RadioShack (“… it’s mine, stay out.”)?

- What if your ISP sues you for a damage YOUR router has caused THEM?

The courts will tell us, obviously “case by case”.
Big business for lawyers ... (my brother’s eagerly waiting for the first call).

Sancho_PApril 21, 2014 4:52 PM

@ Nick P: (Re: access tool versus backdoor)

If its existence is obfuscated, …” sounds funny, how would I know?

… avoid buying the product …
At least where I live there are millions who can’t even name the device they got from their ISP, but they use it on a daily basis.
No chance to buy, let alone to set up a different device.

I’m afraid your subversion-resistant networking design would fall on deaf ears here ;-)

DBApril 21, 2014 5:59 PM

@ Sancho_P

- Who is really held liable in case of damage, the vendor, the ISP or the user? - What if your ISP sues you for a damage YOUR router has caused THEM?

This line of questioning would lead to the conclusion that ALL network devices in your entire house and business must be backdoored by the ISP... for liability reasons. Thinking too much about danger and liability and trying to reduce it to absolute zero everywhere will tend to cause people to never get out of bed, for fear of stubbing a toe or getting sued when someone else does.

I think it might be more healthy to take a less extreme approach to life. Own property. Do what is reasonable. If you are tossed in prison unjustly because someone sued you, well, when you get out eventually, think about what's really important in life I guess...

Nick PApril 21, 2014 6:22 PM

@ Sancho_P

It's about as bad where I'm at far as the apathy and ignorance of the products. However, one can use custom gear with these ISP's despite them using tricks such as MAC locking as obstacles. The basic home routers at the electronics store tend to have a setting that makes the new router pretend to be the PC. A secure router could take the place of that one. There's also room for my designs which use trusted computers that rely on untrusted computers for networking, storage, etc.

If the vendor installs software on the PC, it get's a bit trickier. My method of dealing with that is to set up a Windows box on something like a VIA Artigo or other small PC. The WAN and ISP software goes on that box. Its firewall is set to act as a middleman for traffic between the WAN and my *real* router. The real router is likewise a small, embedded board probably sitting right next to the Windows box. It might be connected to Windows box through a management port that lets it reboot it, collect operation details, restore its files, etc. Trusted boot & write protected medium are a nice baseline as the Windows box might eventually get owned by... any number of attackers.

I was about to add that a System of a Chip Windows box would be nice. Then, I Google it just in case and find this. The design currently takes the space of two routers. Might eventually fit in the space of one. :)

name.withheld.for.obvious.reasonsApril 21, 2014 6:41 PM

WTFOT--This is long--but I believe worth the read...enjoy.


1 The Big [DATA] Picture
In engineering, the focus is on delivering to customers a product or service and understanding what they want...not an especially simple process. It requires actually listening to the customer's requirements, perceptions, expectations, and experiences with other platforms. Over the years recognizing when a client is not clear on their needs or if a vendor is more interested in what they are selling, my job is to pull back the stick, hit the throttle and plan another approach for a clean landing.
This is not a common approach-others might see this as a chance to "tell" the customer what they want and attempts to deliver a product that the customer may not understand or want and might often be sold using the phrase "includes new technology". The technology is not a product as much as it is a regulatory instrument where individuals unaware of the nature, behavior, use or application and cannot perceive its presence or effect in their lives. In addition, little is understood about "future" effects on society let alone on each individual. This I believe is where the greatest damage is done and where organizations should be focusing more of their efforts. We MUST stop blindly embracing technological "solutions" and instead concentrate on solving problems.


1.1 Social Contract
The path future generations may be heading is away from very valuable core lessons and methods that have provided resilience and performance in society. An example is the cyber security insurance model for risk mitigation, or, the displacement of "care"; no reasonable person would sign a contract that resembles many software license(s) / EULA agreement(s). What would make more sense would be a "net positive" development, innovation, and business model instead of an "extraction model". Instead, suppliers seek cover behind a contract irrespective of product flaws and failures; customers continue to experience constant maintenance requirements, costs, and undue risk to business operations that may be supplemented by insurance (yet another additional cost). Quality can provide value and must be the first consideration instead of changing the expectations of the customer/client/consumer. One only has to review the periodic vulnerability reports issued by U.S. CERT to understand the extent of the problem.


1.2 Ignorance is Bliss?
In addition, relying on the use of willful and unknowing ignorance of a/the customer is not an opportunity. It is potentially an immoral act; saying to others that how companies and engineers get to market is not as important as the arrival (by whatever means necessary). Taking advantage of individuals without requiring an "informed" process is also plainly unethical and I would argue unlawful. The recent spat surrounding the authority, rules, management, and processes of the intelligence community is endemic and is a reflection of any number of other systems or institutions. Education, both higher and continuing education, fails to produce the requisite critical thinking that provides the necessary feedback when addressing flawed processes or procedures within any number of institutions. For example, the National Security Agency's behavior as documented by the FISC April 11, 2011 report demonstrates that the agency asks for forgiveness, not permission, when looking for approval from their oversight body the FISC. I am reminded of the culture that grew out of NASA by the 1980's and the Challenger space shuttle investigation-the internal focus (historically the institution supported a culture of excellence) changed focusing more on the "things" and "costs" and not the quality and safety of their processes and procedures. And so goes the NSA.


1.3Your Data has been Pwned
Commercial data warehouse companies, credit reporting agencies, government agencies, and retail businesses stand on one side of the financial, and non-financial, credit market (Big Data). The other side, without representation or recourse, is the both the victim and customer. Using the information that has been gleaned (aggregating most forms of behavior, public, and private transactions while informing the customer that they are being responsible) entities claim to represent your interests and are notbeing intellectually honest as they do not providing anything but your data as a service to others. Protecting the class of persons that can be described as finance, commerce, and government is important-individuals/customers/citizens are not. The credit reporting agencies collect, store, and sell credit reports (credit report is an inaccurate description-it is a dossier) to anyone willing to pay. Collection is simple, there are no restraints on the addition of records to a dossier, and does not require vetting and verifying the veracity or completeness of information-the victim/customer is held liable for a system that they are unable to attend in any meaningful fashion. Individual credit reports have "redacted" information about you that you cannot be privy to-a modern dayscarlet letter.

1.3.1Here Come the Aggregators
In addition, these agencies have no compunction or sense of responsibility with data that they "collect" but do not "create". The Fair Credit Reporting Act is legislation that states a relationship between the data broker, reporting entities, and the customer/client (credit report data). It is a one-way relationship wherein the customer is subservient to the business and agencies that hold information about you. In agreements where the business claims to "not disclose information to third parties", another clause holds them harmless if the data is "inadvertently" disclosed. Not only have these agencies promised to be discrete, the fact is that this data is SOLD to other companies that do more than just analyze it-they aggregate data from many sources and provide clearinghouses for information on persons that aren't even aware that the data exists.

The problem here is the broad scope of record sets, the number of persons for which data is recorded, and the inability to do proper discovery in a court case is not possible. For this reason, the legal framework and justification for this data collection must be stopped. Legal actions that might include sources that cannot be discovered or tested before a court represents an obvious problem.
This gets much worse if we consider what the United States government is capable of; the vast collect of personal data represents the single largest threat to liberty in the history of the country. I do not believe that technology is providing a service to humanity-we need to rethink our role and responsibility.


1.4 It is not my Job
The individuals responsible for corporate direction (rewarded for success) have little to do with processes that are necessary when failure occurs and find others (punished for failure) to hold accountable. Whether it is trade, policy, financial and commercial monocultures, highly consolidated centers of power, the blatantly dishonest and dishonorable statements made by top-level representatives of an organization go unquestioned by those tasked with vetting the integrity of these organizations. When British Petroleum, and/or their agents, spill millions of gallons of oil in the ocean, how is it that not one person is held criminally culpable-if I accidently dropped a dixie cup on the sidewalk I could be fined one thousand dollars and possibly charged with a felony if a spotted owl were present at the scene. But, if I have a business with the financial means to influence the outcome-I can.

1.4.1 It is no my Problem
Fairness in our society is mostly conceptual, the presence of institutions that fain fairness are many. The courts, large monopolies (telephone and communications companies are a classic example), and the medical and insurance industries are a few examples of organizations that post placards to fairness on the wall but fail to meet the criteria. If I have money, I can access these institutions and expect the outcome to be positive and in my favor-without money the opposite is true. In other words, the worst part of a capitalist system is considered the most favorable-by a few. It appears from an intellectually rationale perspective, persons without money can EXPECT to be treated unfairly irrespective of their circumstances, character, or intent.

1.4.2 Professional Trade
Professionalism, as a process, is not unlikey the days of guilds where inexperienced craftspersons could learn from the masters. Interestingly, this parallels the need to do the same within the context of society (irrespective of the scope of community). Proessional trade(s), and Engineering is a good example, as a pratice today is about conformance--and not to excellence, results, or innovation.
Corporate consolidation is narrowing the opportunities for other participants in technology markets and the focus on acquiring technology is replacing the development of technology that is useful to society. Mentoring citizens within communities in a loosely organized manner could provide greater social continuity and meaning in even the simplist terms.
Unless addressed, the benefits of technology will continue to be accrued to a few and the responsibility or burden to be held by the wider public. This does not represent a net positive outcome of the use of technology-it may appear to work in specific enclaves but in the wider context the risk side of the equation is ignored or dismissed.


1.5 Going to Fail
An example of the combination of effects that result in institution failure is an anecdotal description that is generalized for brevity (scores of researchers have performed exhaustive analysis regarding the problem[s] identified).

1.5.1 This does not Compute
Defense industry contractors are an example of "guided completion" where the vendors and management control the processes and the "customer" is tied to a chair until payments are made. Where Pentagon program managers may begin with an initial requirement (the ability of the DoD to perform useful projections of future requirements is not laudable) and solicits bids from domestic sources (there are source/content requirements 60/40). The contracting space is "owned" by a select number of manufacturers and thus the DoD procurement process is a captive market. Everyone knows the rules, understands that government contractors suck from the tit that is the taxpayer but all turn a blind eye to the fact that this is a broken system.
Pentagon procurement itself is a significant drag on DoD performance in almost every measure. Why does this never get fixed-the taxpayer is "customer" and is never present or informed about their purchase so to speak. Program managers may engage a program with a company that initially promises meeting specific contract performance metrics-the most frequent result is slipped schedules and cost overruns. Congressional oversight is ineffectual-congress member's election is dependent on contributions from defense contractors and they are not willing to hold the industry accountable. Ultimately, the result is the misappropriation of hundreds of billions of dollars and the unnecessary growth of budgets where cost containment is anything but possible.

1.5.2 How much for the Hammer?
Over a decade, multiple trillion-dollar losses in efficiency can be identified but the courage to fix this problem remains elusive.
A summary of issues:

  • Multiple missions and mission creep, clarity of purpose and respect for historic roles and responsibilities is lacking and the need for external/independent review.

  • Estimating future requirements is an exercise in reading crystal balls, The Pentagon embraces an asymmetric operational model that supports big programs over multiple generations with limited value.

  • Procurement process and the industry is largely inefficient; budget cycle time scales are fixed, expenditure calendar, program and requirement specifications and management, production management, and supplier acquisition market structure work against cost containment.
  • Industry participants know the problem; contractors, Pentagon officials, congress, and most secondary supply chain vendors are cognizant of the problem too and are not incentivized to resolve these problems.

  • Elected officials cannot respond to the problem, fear and perception rules the day. The loss of campaign funds drive the way congresspersons vote and how effectively they perform oversight.

  • Taxpayers are effectively held hostage to a budget and process that they cannot resolve. The public is in essence left out of their representative government by this process. Thus, the customer (citizen) is not able to participate in a system where they are financially responsible and at the same time send their sons and daughters to serve a government that does not serve them.

Sancho_PApril 21, 2014 6:49 PM

@ DB:

Your conclusion is correct only with two provisions:

(i) Substitute “ALL” by “the first”
(ii) We agree that we expect routers to have backdoors / bugs.

So I have my own router (a different brand, hopefully with a different backdoor) behind their router.

Thanks, thinking doesn’t pose any problem to me, and MY router was reasonably cheap :))

AlanSApril 21, 2014 7:39 PM

For a good discussion of CALEA (and much more) see Susan Landau's Surveillance or Security?: The Risks Posed by New Wiretapping Technologies. It is a little dated in parts as it was published pre-Snowden but a good discussion of many issues. It has a good section on CALEA. CALEA was an attempt to deal with new technologies that were making wire-tapping more difficult. But what starts to happen with CALEA is that surveillance is built into communications technologies. Laudau points out that this may improve surveillance but probably weakens security. A prime example of bad consequences from CALEA is the Greek wire-tapping scandal. For a more recent paper on the issue by Landau and others see: Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, 2014.

DBApril 21, 2014 7:45 PM

@ Sancho_P

Why only the first? all devices on the network anywhere in the world really can communicate and possibly may cause "damage" to each other... not only the first device.

I agree that I expect the ISP-owned "rented" or "free" router to be controlled by them. That's why I've never used it. That's not a safe way to run a network.

The safe way to run a network is: There are two routers, my router, and their router. My router connects to their router. All of my stuff is "behind" my router, and all their stuff (including other customers) is "behind" their router. My router protects me from them, and their router protects them from me. But I should only have physical access to my router (not theirs), and they should only have physical access to their router (not mine). Here in the USA, as far as I know, this is usually accomplished by my router being here at my house, and their router being physically located in their local office (NOT in my house). Both routers may have "remote access" enabled on them, but theirs is for them to remotely manage theirs, and mine is for me to remotely manage mine... NOT vice versa. This is the way separate independently-managed networks are supposed to be joined together safely, with this separation of responsibilities and concerns and physical locations.

The problem is when I can't buy a router that doesn't have a backdoor in it ("backdoor" meaning, an unwanted remote access method that I can't control, it's under someone else's control, even though I bought and paid for the thing and it's mine). Then there's no way for me to set up a network properly. It's someone else's network, not mine.

All your networks and communications belong to the NSA. Your physical persons are property of the US Government too. Bend over. :)

WinterApril 22, 2014 12:41 AM

@vas pup
"Otherwise, they will give you plea bargain option: actually you are forced to select less evil, but still go to jail even being not guilty at all."

That is, you are denied a fair trial. Prosecution can keep you in jail for up to five years without a trial (see the case of Kevin Mitnick). There is no redress. So, you have a choice of being bankrupted and jailed for years and admit guilt to something you have not done.
https://en.wikipedia.org/wiki/Kevin_Mitnick

@vas pup
"And finally, with their resources if you selected as a target, your only defense (no dirty tricks utilized by LEAs) is being angel today and tomorrow and all your questionable actions in the past are covered by the statute of limitations."

This sounds impossible. Anyhow, the talk in the link explains that you cannot know which laws you break. It strongly advices everyone to "Don't talk to the police".
https://www.youtube.com/watch?v=6wXkI4t7nuc

@vas pup
"with good team of lawyers"

That is the difference between Russia and the USA: In Russia, lawyers do not make a difference in court.

The USA courts do not try to do justice, only due process. The courts in Russia are only a process. A process whose outcome is fixed at the start.

name.withheld.for.obvious.reasonsApril 22, 2014 6:15 AM

EFF Court Proceeding, Motions and Request for Jury Trial
Continued Arm Chair Analysis of Jewel v. NSA
Excerpt from answer to claims in Jewel and Hepting v. NSA
----------
On page 12 of the government response, provided by the NSA Deputy Director of Operations SIGINT, about performance/maintenance of data contains a footnote (line 23-25). That footnote states that the NSA inadvertently lost raw telephony intercept data it collected from June 2005 to December of the same year.
----------
QUESTION: Is this the NSA's 'Nixon Tapes' moment? What or could the agency be covering something up? Is the time frame significant, does it parallel some other legally questionable issue that needs 'plausible deny-ability'?

BleedingHeartApril 22, 2014 8:34 AM

Passer_By Said:

"We should recall that the BULLRUN slides included one from GCHQ that had a bullet point "Do not ask or speculate on sources or methods underpinning BULLRUN successes"."

Bingo. The Bullrun program was also referred to in the slides as one of the most sensitive programs in the U.S. The extreme secrecy (details weren't released even to insiders) is quite telling. It has "we called up Microsoft and Intel and told them to compromise their products" written all over it. I see no other reason for keeping such details from people already cleared for the program. From their perspective, this level of secrecy makes sense because it is quite scandalous -- it would not only vastly hurt NSA's credibility but would potentially cause severe damage to the U.S. economy.

Of course, those of us who are familiar with technology and how it works already suspected NSA was engaging in precisely these sorts of underhanded tricks (as they did with CryptoAG back in the day). Nothing in the Snowden slides surprised me at all, except perhaps the level of (willful) involvement of corporations. Also I did not think they would be so bent on compromising U.S. security for surveillance. It appears almost everything they have done in regard to "cyber-security" has a been a ruse in order to rig the game in favor of their intelligence arm (which appears to comprise 90% of the agency). But this actually should come as no surprise -- NSA was founded on breaking codes. It's an arm of the military and ran by a general, and we all know how generals think -- they would rather launch a nuke than engage in negotiations. Thus, it shouldn't surprise us that the "INFOSEC" part of the NSA is nothing but a cover for more sinister activities. NSA will only secure our infrastructure to a degree that only they can break (and the easiest way to do this is with backdoors).

Essentially, the NSA has went ahead with the clipper-chip except this time they didn't bother to tell us about it.

SkepticalApril 22, 2014 10:11 AM

@DB: You are concentrating on the word "legal" and saying "no it's not legal"... and entirely ignoring the rest of what I'm saying.... that is... that it can happen. The GOVERNMENT CAN COMPEL PEOPLE TO INSERT BACKDOORS. Yes... of course it can be argued that it's not legal... BUT THEY CAN STILL DO IT...

When you say that government can "legally compel" any company to insert backdoors, then you're making a claim about the law. Knowing what the law enables the government to do, and does not, is important, especially if one thinks reforms are advisable.

Words matter DB. If you don't want to make such a sweeping claim, then don't. Say "government is able to provide monetary incentives for companies to insert backdoors, and these can be persuasive." Say "government is able to trick companies into inserting backdoors," then say that. If instead you assert that government can legally compel any company to insert backdoors, I'm going to address those words.

Government can legally compel communications providers as set forth in CALEA and applicable regulations to ensure that their services can comply with a legal order for information, such as a search warrant.

Government can legally compel persons to disclose information in the form of testimony or things if a valid legal order is served and any privilege that protects the sought for information is overcome.

On the "legally compel" side, that's about it (unless one is facing criminal charges, in which case one's cooperation might be requested in exchange for a lesser charge or penalty, and even here there are limits).

I'd add that there is nothing improper about those powers, by the way. There is no absolute right to privacy in the US, and it's important that the government be able to gather information where and when the law permits the government to do so.

If you want to discuss government paying companies to insert backdoors, or deceiving companies into inserting backdoors, that's great. But those don't fall under "legal compulsion."

Fair enough?

@Winter: Everyone in the USA can be thrown in jail for some or other offence.

This is very much mistaken.

@AlanS: I appreciate the link, and will look at it.

@Passer-By: Considering that the intended viewers would have very high level clearances, I take this to imply something very underhanded. If it were simply a court order, why the hush - hush?

Why would classification imply something underhanded? There are many valid reasons for classifying information. Concealment of some impropriety would of course furnish a motive for (improper) classification, but as there are many valid reasons for classification as well, it's hard to see why the mere fact of classification would imply wrongdoing.

@name.withheld: I appreciate the amount of thought that went into your comment. I'm still chewing some of it over, but I think you make some good points.

SkepticalApril 22, 2014 10:33 AM

@Clive: Depnding on what you consider "US Gov" there are one or two examples publicaly known of offers of "Backdoor or jail" being made. And in one particular case insisting the developer "run the backdoor for the US Gov" which if he had done so would have made him an international criminal...

I had a chance to briefly look at that case. It appears to involve an investigation into gambling in NY (where gambling is apparently illegal), in which the investigators apparently concluded that a developer was knowingly creating tools for, and receiving income from, entities that controlled illegal gambling operations. A local DA in NY offered the developer a plea bargain in exchange for his cooperation, which I gather would involve altering the tools mentioned so as to enable surveillance of what were allegedly illegal gambling operations. The developer first agreed, and then changed his mind.

It's impossible to tell whether the charges brought against the developer were legitimate without knowing a lot more about the facts. If they were, then it was probably not improper for the prosecutors to offer a plea bargain in exchange for the developer, who appears to be the sole proprietor of his business, enabling surveillance of whatever the targets of the investigation were. Depending on what the "enabling" involved, the prosecutors may have had to overcome additional legal hurdles in order to actually make use of it. Getting an individual's cooperation to enable surveillance against a target doesn't necessarily empower the government to go through with the surveillance; an additional warrant may be necessary that would apply to the target.

DBApril 22, 2014 7:32 PM

@ Skeptical

You're still ignoring what I'm saying:

The government can compel companies to insert backdoors into their products. They can use various means to do the compelling that are legal for them to do. At great expense you can argue in court that their so-called legal means are illegal, but you are unlikely to win, even if you are right.

Words matter, yes, but you are PURPOSEFULLY OBFUSCATING WHAT I'M SAYING. You are a fraud. You pretend to care about words, but you are really just using them to deliberately confuse.

Prinz von der SchemeringApril 23, 2014 2:37 AM

Just a nice little story about Feral Government overreach. How long till the border is defined as including Minneapolis, Bruce? How long before Americans get off their overweight butts and stub out this Feral Government?

name.withheld.for.obvious.reasonsApril 23, 2014 4:05 AM

After reading the EFF motion for jury trial in Jewel V. NSA, several interesting statements devoid of rational are posited by the U.S. government (the Executive). The government's response (the Executive) to the claims for adjudication for enumerated harm(s) to parties of the motion construe an inherent right which is not recognized constitutionally--only one right may be suspended under limited circumstances. Congress, not the Executive, in Article I, section 9, paragraph 2...the right of habeas in Cases of rebellion or Invasion. The claim by the Executive, of a right held by the Executive, is implied by saying these powers are in force during war time, is a bridge too far.

Statements in the EO is replete with literary license--not legal rational or basis in law. For example, Part 1, section 1.1 paragraph (b), implies a reverse right--the government claims the right to "protect fully" the rights of citizens...that is not how the Bill of Rights and the U.S. Constitution works. The Bill of Rights enumerate rights held by the sovereign--these rights are not given by the government--they are held by the sovereign exclusively. The governments role is to defend the borders and to protect and defend the constitution. Text from Executive Order 12333 (Amended 13284, 13355, 13470) reads as follows:

b) The United States Government has a solemn obligation, and shall continue in the conduct of intelligence activities under this order, to protect fully the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law.

So much in this assertion is clearly misguided; it is unbelievable that persons with the constitutional authority to determine who lives or dies, be so circumspect about legal framework(s) and the place or scope of authority. And the fun continues, from "Intelligence Community Elements" section 1.7, subsection d, paragraph 1; the NRO is tasked with...

The National Reconnaissance Office
(1) Be responsible for research and development, acquisition, launch, deployment, and operation of overhead systems and related data processing facilities to collect intelligence and information to support national and departmental missions and other United States Government needs; and

The specificity of the role of the NRO is underwhelming--could this be any more vague? Yes, from section 2.3, paragraphs h) and i) assume broad authorities--there is no basis for this authority. PERIOD. From the EO:

Those procedures shall permit collection, retention, and dissemination of the
following types of information:
...
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate Federal, state, local, or foreign laws; and

I leave you to determine the legal basis and rational for the authorities given to the Executive, by the Executive, to subvert foundational law.

BenniApril 23, 2014 6:17 AM

Now they seem to have found something that looks more as a real deliberately inserted backdoor in openssl:

http://freshbsd.org/commit/openbsd/f868fc6f39a2c45a6c2bab70addc92525d467904

So it turns out that libcrypto on i386 platforms, unconditionaly compiles this little gem called OPENSSL_indirect_call(), supposedly to be ``handy under Win32''.

In my view, this is a free-win ROP entry point. Why try and return to libc when you can return to libcrypto with an easy to use interface?

Better not give that much attack surface, and remove this undocumented entry point.

-# This function can become handy under Win32 in situations when
-# we don't know which calling convention, __stdcall or __cdecl(*),
-# indirect callee is using. In C it can be deployed as
-#
-#ifdef OPENSSL_CPUID_OBJ
-# type OPENSSL_indirect_call(void *f,...);
-# ...
-# OPENSSL_indirect_call(func,[up to $max arguments]);
-#endif
-#
-# (*) it's designed to work even for __fastcall if number of
-# arguments is 1 or 2!
-&function_begin_B("OPENSSL_indirect_call");
- {
- my ($max,$i)=(7,); # $max has to be chosen as 4*n-1
- # in order to preserve eventual
- # stack alignment
- &push ("ebp");
- &mov ("ebp","esp");
- &sub ("esp",$max*4);
- &mov ("ecx",&DWP(12,"ebp"));
- &mov (&DWP(0,"esp"),"ecx");
- &mov ("edx",&DWP(16,"ebp"));
- &mov (&DWP(4,"esp"),"edx");
- for($i=2;$i - {
- # Some copies will be redundant/bogus...
- &mov ("eax",&DWP(12+$i*4,"ebp"));
- &mov (&DWP(0+$i*4,"esp"),"eax");
- }
- &call_ptr (&DWP(8,"ebp"));# make the call...
- &mov ("esp","ebp"); # ... and just restore the stack pointer
- # without paying attention to what we called,
- # (__cdecl *func) or (__stdcall *one).
- &pop ("ebp");
- &ret ();
- }
-&function_end_B("OPENSSL_indirect_call");
-
&function_begin_B("OPENSSL_ia32_rdrand");
&mov ("ecx",8);
&set_label("loop");

SkepticalApril 23, 2014 7:21 AM

@DB: I've enumerated the manner in which government can compel some companies, under some circumstances, to provide access capability or to provide information. It remains incorrect to say that government can compel all companies, whenever government so desires, to insert backdoors. The fact is that government power in this area is more qualified and complicated than you seem to have believed. If that belief is some analogue of a sacred cow to you, well, then at least try to enjoy the beef, because it just isn't true.

WinterApril 23, 2014 7:57 AM

@Skeptical
"@Winter: Everyone in the USA can be thrown in jail for some or other offence.

This is very much mistaken."

Here is the opinion of two renowned law professors:

Ham sandwich nation
http://columbialawreview.org/ham-sandwich-nation_reynolds/

Don't Talk to the Police
http://www.youtube.com/watch?v=6wXkI4t7nuc

They both say that irrespective of your past and current behavior, you can be held in jail. Note that I did not say convicted, because you can be held in jail until you sign a plea bargain. For years, if needed. If you go bankrupt during the "investigations", you will not get effective representation and you will go to jail anyhow.

If two renowned law professors say everyone on US soil can be thrown in jail and an anonymous commenter says it cannot, who shall I believe?

I do make an exception to those who have paid enough contributions to people in the house or senate. Obviously, these people are above the law.

DBApril 23, 2014 2:04 PM

@ Skeptical

So you've given up arguing about the word "legal" and now you're going to argue about the word "all"? Interesting. And pedantic.

vas pupApril 23, 2014 4:16 PM

@Winter:"The USA courts do not try to do justice, only due process. The courts in Russia are only a process. A process whose outcome is fixed at the start." Yeah, Winter I agree with you. You know it is short poem (my translation from Russian) by M. Lermontov "Everything mine - said the gold; everything mine - said the sword. Everything buy - that the gold; everything take - said the sword".
I mean that before Putin's era (1991-2000) the outcome was defined by money only (gold - pure bribe to involved in court decision versus in the US - money giving you the ability to have good team of lawyers, but still gold is in charge). In Putin's era outcome fixed at the start but with substantially switching the balance/outcome towards 'sword' - force of power who has it and may affect decision of court regardless of bribe provided, but usually it is interplay of gold and force with no justice involved. Bitter observation. As you can see, average Joe or Ivan are in the same shoes in the courts. Thank you for your post!

Wesley ParishApril 23, 2014 5:15 PM

@DB, forget Gullible - I'm reminded irresistibly of a certain gentleman who "did not have sex with that woman" and his redefinitions of "is". You just can't talk with such people.

SkepticalApril 23, 2014 8:35 PM

@Winter: They both say that irrespective of your past and current behavior, you can be held in jail. Note that I did not say convicted, because you can be held in jail until you sign a plea bargain. For years, if needed. If you go bankrupt during the "investigations", you will not get effective representation and you will go to jail anyhow.

I see. I don't view either of the citations you gave as very authoritative (I appreciate them of course, but I'd note that one is a six page essay written by a law professor who, so far as I can tell, has no background in criminal law). But that said, I may have misunderstood your original point (the fault is mine).

If the question is whether it is easy for a prosecutor to indict someone, then the answer is a qualified yes. There is a lower bar to indict an individual, and a prosecutor can have as many bites of the apple as he wants.

But, that doesn't mean that a prosecutor can throw anyone in jail. There are many reasons for this, but first I'd emphasize that Reynolds (and especially some of the books he cites) dramatically overstates the case. The bar is lowered to indict, but there's still a significant bar.

Now, of course the bar is supposed to be lower than it is for a conviction. Is too low? Should grand juries be more independent? More limited? All good questions. I can give arguments for either side of those questions, but frankly I don't know the answer.

However, with respect to the "anyone can be thrown into jail" claim, someone indicted on weak to little evidence who poses no danger to the community and is unlikely to flee will almost certainly be released pretrial. And if there's really no question as to the insufficiency of the prosecutor's case, then the matter may well be dealt with expeditiously by motion.

@DB: So you've given up arguing about the word "legal" and now you're going to argue about the word "all"?

I stated quite clearly where, and when, I thought that government can legally compel certain companies, in certain circumstances, to provide access capability to processes on their networks, or to provide information from their networks or records.

I contrast that very qualified statement with your sweeping claim that the government can legally compel any hardware/software manufacturer to insert backdoors.

There's a big difference between those two statements.

DBApril 24, 2014 12:32 AM

@ Wesley Parish

At this point, I refuse to just "give up" and "give in"... that's like welcoming our authoritarian overlords to power because we're too lazy to fix things. Of course if a moderator tells me to pipe down I will, this is their site after all :)

@ Skeptical

Any company could be compelled by our government to subvert their own products via some sort of legal means. Some means are more directly "legal" like CALEA, NSL, etc, others are more indirect like blackmail (catch someone in an unrelated crime, then make him violate human rights of all his customers to avoid prison, for example). The word "could" subdues the superlatives since obviously not all companies have been subverted. But any could be, therefore it's not safe to truly fully 100% trust any, since we can't necessarily tell which have and which haven't. Of course there can still be degrees of trust, since some are actually more likely to have been subverted than others (and certainly the degrees of likelyhood could be argued), but the likelihood is still not a perfect zero amount for all of them. You can argue more details beyond this all day and pick apart words, and claim a special meaning for "legal" before "compel" that supposedly means a different thing than "legal" after the word "compel", but it doesn't change the facts. You can also outright disagree with me too, since truth doesn't depend on people knowing it, agreeing to it, nor admitting it.

FigureitoutApril 24, 2014 1:25 AM

DB
I refuse to just "give up" and "give in"
--Prepare yourself now for physical break-ins. Then you will see what I've been dealing w/ for years now; I can have a secure computer but not w/ the break ins. Before the break-ins happen you need a really good way to store data many places. After they happen, they are looking at your methods and they're broken the second you implement them.

Seriously those kinds of statements attract the brainwashed gov't drones (they kill any leaders trying to start any kind of movement to implement real change); and I'm saying yet again, some of these groups behave exactly like a mafia. I believe they have stolen many funds from US taxpayers and they'll kill anyone exposing their racket. All it takes is a single break in and sprinkling some chemicals in your house or taking a cup of liquid around faucets you drink from (that's when I noticed the lumps in my body, immediately after a known break-in).

DBApril 24, 2014 8:08 PM

@ Figureitout

Being killed for my beliefs won't deter me from them. I can't do much, but where I can, I try. That's all we can do, right? We each have our tiny little part to play. And while the overall struggle of mankind might seem hopeless, I don't see my own individual struggle as hopeless, it's what keeps me sane.

FigureitoutApril 25, 2014 12:11 AM

DB
--It's brave, just even speaking up these days. First things first, you need to organize a group to implement an actual change. It *will* get infiltrated or at least attempted; you should be able to detect some of them as they are horribly incompetent, and adjust your operations. Me speaking out (the extent of what I could do as the system just needs to be burned down and ostracizes anyone telling these weak people the harsh truth), I expect to not be able to work for any gov't contractors b/c I'm a "security risk" when it's simply not true. As the gov't continues to kill off the free market and sucks it up or sells it off to China or Russia; my employment opportunities go way down. There's a lot of tech. security jobs thru the gov't that would benefit w/ my paranoia and I'll find a f*cking hole to patch up; ain't happening though.

You need to be prepared though, this country is a police state that employs private and public assassins to kill any threats to their control of the purse strings (and now big jail sentences or hopefully lethal injection for those f*cks). I'm dying a slow death, my body is withering away. The first area the lumps popped up was my "manhood"; and I'm experiencing some severe issues there, very painful, probably chemical castration. Next are your bones, they shrink and get brittle, I feel like my shin bones could crack very easily. I have to work out and run a lot to deal w/ the pain of the lumps in my abdomen and keep any sort of muscle mass on my skin and bones. And the lumps spread to my throat so I'm pretty sure they've hit the lymphatic system which means I'm f*cked.

I'm letting this happen to me b/c I'm not afraid anymore; I'm free to speak my mind b/c I have nothing to lose and I've become a martyr. I'm trying to better my life but it's been so f*cked beyond belief from agents that it won't get very far; I've been unemployed going on about...sh*t I don't even know how long, a couple years. And what's really sad is my parents want me to get a girlfriend and have grand kids. Maybe if they find out I'm impotent or maybe have testicular cancer and serious medical issues they won't ask anymore, and just cry.

SkepticalApril 25, 2014 6:00 AM

@DB: others are more indirect like blackmail (catch someone in an unrelated crime, then make him violate human rights of all his customers to avoid prison, for example).

That's largely fantasy. The individual's lawyer would insist, of course, on a written deal, in which the terms of cooperation would be spelled out. So the notion of implementing broad backdoors to gather foreign intelligence in mass produced products via threat of legal prosecution for a crime isn't plausible. And that's before we get to the legal issue of whether simply the placement of such backdoors would require judicial authorization.

Listen, if someone with resources wants to contract a foundry to fabricate ICs of his own design for sale to the public, then he's able to do so with very high confidence that his design will be produced to spec (and the foundry will be able to offer verification of that). Conspiracy theories about Nacchio and what not are basically FUD.

Quite frankly, I am more confident of supply chain integrity within the United States than within any other country.

DBApril 26, 2014 1:25 AM

@ Figureitout

"I'm not afraid anymore; I'm free to speak my mind"

That's a good attitude to have about it. Don't give up, speaking out does have an effect, even if you can't easily see it.

@Skeptical

"I am more confident of supply chain integrity within the United States than within any other country."

To be honest, I agree with you there... but that's not really saying much. I don't see it as staying the same or getting better, I only see things as generally going downhill. It's like the 2nd law of thermodynamics applied to society at large. I know you don't agree (strongly disagree even), that's still just how I see it.

Clive RobinsonApril 26, 2014 3:44 AM

@ Skeptical, DB,

It's funny you should mention the US and supply chains.

Some security experts give credance to the fact that the US has a long history of supply chain poisoning going back at least as far as WWII if not earlier.

The latest theory on this is that Stuxnet was actually put into the supply chain of the Iranian lead contractor, rather than on a USB key of a nuclear regulatory inspector,

http://www.csmonitor.com/content/view/full/820183

Clive RobinsonApril 26, 2014 3:54 AM

@ Skeptical,

Have you looked further into the NY "gambaling" case?

As reported it appears that he most certainly was preasurised (SWAT team at his home etc) and then thretened with long jail sentance unless he not only put a backdoor in his code but also agreed to operate it for the NY dept. Which if he had of done would have made him a criminal in quite a few juresdictions.

DBApril 27, 2014 1:52 AM

@ Clive

Of course he'll argue that that's Iran, not our supply chain... and that "interdiction" isn't the "supply chain"... But he always overlooks the big picture. The fact that we disrupt our distribution of products to put stuff on them routinely means our products can't be fully trusted. Which means logically to trust stuff, we have to actively defend against our own government abuse, which is totally backwards from how it should be in a "free" country! That's only the way it should be in dictatorial countries. But of course he'll just pooh pooh all this.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.