Schneier on Security

Clive Robinson • September 7, 2015 10:52 AM

@ Bruce,

But in reality, there’s no difference. Technically, they’re the same: a method of third-party data access that works despite the intentions of the data owner.

I guess it depends on your view of the world…

Surveillance has the usual tenses of past, current and future.

The trick this “collect everything” idea is trying to work is to eliminate the past tense and make it all current tense. That is in effect they are trying to build an ‘Informational time machine’.

However you can not record everything only a small percentage of things, which is where the “wiggle room” comes in on this “backdoor/frontdoor” issue in their –not our– minds.

Look at it this way, you have a computer sitting between a user and some kind of communication off to a storage medium of some form somewhere. You have a choice of “Points of View” to consider for surveillance. Firstly the User, Secondly the Communications and thirdly the computer either looking towards the user or towards the communication.

What we tend to ignore is the first option when we talk about computer and communication security, that is watching what the user sees, what the user does and hearing what they hear and say. Importantly this is a mistake in a great many peoples heads, because it tends to fall into the realms of traditional “Physical Security” not “ICT security”.

From an LEO perspective, the second option is problematic as there is no supportable “chain of evidence” for a whole heap of technical reasons. So they like the IC prefere the first option, with the added bonus of the issue of wiretap and other legislation does not arise. From their point of view they want such surveillance to be the equivalent of “being present” or “looking in from public property” etc and we have seen this “in plain sight” argument pushed further and further in the courts.

There are two basic ways they can surveil the user. The first is via the traditional “Mark 1 eyeball” or the more modern equivalent of CCTV, microphone etc that is in range of the users environment. The second is by getting low level access to the computer effectivly below the OS at the driver or IO hardware level.

Thus an argument can be made that remote surveillance via laser microphone and high performance optical side channels into the users environment from outside is the equivalent of “in plain sight”.

The argument can then be pushed further, that is the use of optical methods to transducers such as vases, crisp packets and plastic cups etc is logically the same as electrical connections to other transducers in the users environment that the user has chosen to put there. Such as the computers microphone, camera, keyboard and screen. All they have to do is push the demarcation point in court, which they have been trying to do for years with other systems in the users environment…

Thus in the IC and LEO minds –not ours– because these devices are bellow the OS or CPU level in the computer, any signals that come from them are not from the computer just objects the user has in plain sight in their environment.

Thus adding a device that takes the output from these plain sight transducers and makes it more available as part of the low level functioning is an argument they are likely to consider as a “front door”. Thus providing it functions below the CPU or OS level to send it’s data out or through the computer transparently to the network would not in their minds be a “backdoor” on the computer as it in no way effects the computers operation, and nothing you can do in the way of OS or Application software is going to change that.

The idea is not new, think back to CarrierIQ where the NSA benifited greatly from the “test function” the phone companies had installed in users phones that then sent plaintext of key strokes etc back to CarrierIQ’s servers across the internet…

This is also a further issue they might consider which is the danger of Microsoft and Win 10. MS as a commercial organisation are making what you do on your computer “their business records” and thus available via a very broad NSL etc. Thus they don’t need “golden keys” or “backdoored software”.

Arguably from their limited perspective if you are a US Win 10 user this “user data” will only be available on “US Networks segments” therefore from this deliberatly limited view point “unavailable” to anyone else.

We know otherwise, but you try convincing a politico who is getting the usual lobbying presentations and incentives, you won’t get on the hill let alone across the threshold of any room they are in.

Clive Robinson • September 8, 2015 3:24 AM

@ CallMeLateForSupper, Coyne Tibbets

One wonders: why “Five Eyes”? Why not “Ten Eyes”, unless each country has just one eye? Odd.

Firstly remember who set it all up, it was those running Bletchly Park, amongst whom Gordan Welchman (read his “Hut Six Story”) realised that the British who were bankrupted by WWII needed to take the lead on what has become known as “The Special Relationship” that rose up from the BRUSA agreement on Intel Sharing.

Those “Bletchly types” all originated from Oxford or Cambridge as did most of the seniors in the UK IC post war.

Such “scholars” usually have a sense of humour that is both childish and reliant on “in jokes” and knowledge. One such distinguisher is the prerequisite knowledge on “Classics” not just Roman and Greek but Anglo-Saxon, Germanic and Norse mythology as well.

In there you will find the story of Wodan / Odin (from which we get Wednesday) and the story of how he traded “one eye for wisdom” which is very much how the British saw the Americans when it came to Intelligence Matters. And it’s still how many in GCHQ and Hanslop Park see things, “The Brits bring the brains, the Americans the cash and manufacturing”.

But as with all such “old boy network” jokes there are several subtexts or layers to it.

Often Odin is pictured with animal companions or familiers, Geri and Freki the wolves but more importanty the ravens Huginn and Muninn, who bring him information from all over the world thus the Brits also brought their own “ravens” to the table which were Australia, Canada and New Zeland.

But there is another layer which is actually quite important, and revolves around the wolves and Odin’s eight legged horse Sleipnir. Which not only takes him across the sky but also importantly into the underworld as well. The British may have been bankrupt, but they controled directly and indirectly a lot of territory and as a result hand quite extensive Humint resources and still does, which they also brought to the table.

The US did not have Humint resources and got “hurt” politicaly when they tried to develop them in a “technical” not “human” manner. Thus the US carried on down the “Technical Surveillance” route, not the Humint route, which lead to further embarrassment via the U2 which also helped push along the space race side which the NRO has proved adept at.

The British however have paid quite a significantly price under the Special Relationship in all sorts of ways. The British development of the worlds first super sonic plane, had progressed into a fully built aircraft that was due for it’s first test flight, only to be stopped from flying at the very last moment by US political preasure. Likewise the first fly by wire aircraft, which is why many in the military aviation industry wonder how the Jump Jet made survived. We know the only reason Concorde did not get canceled was because of the French applying more political power on the British than the US was prepared to do. Further the UK holds a unique position when it comes to the race for space thanks to the US. The British having developed safer and more cost effective rockets and payloads had put their first satellite into space, it was again canceled via US intervention in the politics of the UK. The only reason the satellite got up was it was already in transit to launch and payment guarantees signed with other nations. When Maggie Thatcher came to power it was the US use of “the war debt” for political leverage she determinedly got rid of. She also pushed forward UK development of space technology, however greed and corruption by UK MIC brought the Secret Surveillance Satellite side crashing down, before it got off the ground. Luckily the academic side had started to achive a firm set of foundations and non governmental funding, which is why the UK is one of the leaders in payload design.

But the pain goes on as those watching the pantomime of UK defence spending have a look at the current state of the process on the UK’s two new aircraft carriers… and how the UK has ended up doing a “time share” on a French aircraft carrier. Oh and as for time share look at the UK’s supposadly independent nuclear deterrent. Due to more special relationship nonsense the UK has to officialy ask permission from the US prior to using this deterrent… hardly “independent” then, and the current UK political encumbrents have just anounced a 500,000,000GBP investment in it to in part keep “the US sweet” and in the main to cause trouble “north of the border” and to other political threats, all whilst trying to cover up the fact it’s policies are killing thousands of disabled people.

Clive Robinson • September 8, 2015 5:28 PM

@ Nick P,

In your point one, you specify no bounds on access only access via a secure tunnel.

Because you did not specify bounds you incotlrectly state that this secure tunnel must therefore forfill the requirments of a lawfal front door.

The problem is that a lawfull front door as described by Comey et al is that it must technicaly obay all laws for warents etc.

An ssl tunnel without bounds can not meet the requirments of “lawfull access”.

So as I’ve said in the past the problem you are trying to solve is one where there are bounds on the secure tunnel in that LEO must be stopped by technical means from not only gaining access without a warrant, but also when the warrant expites the LEO must have their access revoked by technical means. The technical means must not in any way alter the suspects computer (ie no “tipping off”) and must have cast iron security from the LEOs to avoid their well known unlawfall behaviour. Further what ever the technical means is it must be uniquely keyed to each and every computer individually such that the scope of a search can not be illegaly broadened by the LEO’s to other computers within the lawfull time frame. Lastly the technical means needs to be secure against hacking to stop it or it’s methods being used unlawfully.

Even with some kind of key escrow for each computer the technical means can not be achieved by the technology we currently have.

Solving the warrant controled access issue whilst still maintaining the “no tipping off” aspect appears to be not possible.

However as I’ve pointed out it’s not access to the computer LEOs actually want it’s access to what the user sees, hears, says and does that LEOs realy want.

Clive Robinson • September 9, 2015 9:46 AM

@ Nick P,

The common statements act as if the mechanism itself doesn’t exist. That’s my gripe.

Whilst I agree parts of the “mechanism” are available in some circumstances, I’m also very certain neither all parts required are available, and even if they were they would in fact not be of any use in the cases Comey / Alexander consider to be the reason they –publicaly– say they are a “must have”.

Thus I can only conclude that the reason they want the mechanisum is for reasons very diferent to those they publicaly state. The reason for this is that the size of the group of people they claim to be after who are either “ill informed / stupid” is so small as to not be economically justifiable financialy or in terms of lost life / physical and mental injuries, thus there must be non –publicaly– stated reasons for what they want, all of which as far as I can see are not legal unless very deceptivly carried out (such as routing US internal traffic across boarders to make it appear foreign traffic). Thus I’m concluding that the real reason for their need is to strip the rights of law abiding US citizens for political or economic reasons.

As for the parts that are not available, you first have to make some valid assumptions. The first of which is that once the secret data is encrypted with a suitable algorithm it is not obtainable without knowledge of the key. A second assumption is that if the resulting ciphertext is then put inside other carrier data via suitable stegonography that renders the ciphertext insufficiently distinguishable from the surrounding carrier data thus it’s existance can not be proven as is (the constraint on the carrier data is the same as that for an OTP keystream which makes life complex at higher levels).

If the assumed actions are carried out either manually –via say fair dice, paper and pencil– or via a mechanical or electronic device that is seperated from the transmitting computer via an “enhanced airgap” –ie no energy or storage coupling to it or the environment– then it does not matter a jot if the transmitting computer has any kind of back, side or front door lawfull or otherwise, it’s not going to allow access to the secret data.

This has been known for well over a century, which is one of the reasons why radio operators and cipher clerks were kept as tasks to be done by seperate individuals in seperate “chinese walled” environments, often with a third individual “super-enciphering” the ciphertext in between as another isolating step.

Neither Comey or Alexander can be ignorant of this and to have been appointed into the various senior positions they have been in over the past decade or so. It’s part of the “reading in” process as well as being public knowledge in many open sources, including very popular fiction such as the “James Bond” books (see “From Russia with love”) amongst many others.

So the “door” of any type on any computer is fairly easily avoidable by those who care to practice some not very demanding OpSec. The only thing they need is the basic knowledge, the ability to understand it and most importantly the patience to practice the OpSec reliably and maintain those “chinese walls”. The thing about “Chinese walls” is not only are they an idea that is thousands of years old, they have since the stock market crash of 1929 become more and more a legislated buiness process and they are a basic requirment of nearly all financial processes currently. So the required OpSec is not only nothing new, they are actually well understood by very many people almost implicitly all be it by a different name.

Thus the “Golden Key”, “Lawfull Front Door” or any other kind of technical mechanism on ICT can not do what Comey, Alexander, Cameron, May, et al claim of it, no mater how they claim otherwise.

And this brings us onto the next point in your post,

The policy, key management, and other aspects of your post are the next part of the discussion. And why it’s impractical.

As I’ve already indicated I realy don’t think “their policy” is about what thay –publically– claim. Thus in the main the points although valid are kind of moot, even though it’s not possible to meet them.

The point which is most definitely not moot to them is “tipping off”, it’s why they hate warrants and public court orders etc, and also why amongst other things they want more “conspiracy legislation” that can not be defended against.

It is why as I’ve said before about Comey, Alexander, Cameron May et al, “it’s the users enviroment they want access to”. And this can clearly be seen not just with the arguments the FBI and other US Federal legal argument, but also “Police Chiefs” in every WASP nation and just about all other Western Nations. Importantly it’s not just ICT they have in the cross hairs it’s also your movments, workplace, home, papers, possessions and friends and loved ones without exception. They want compulsory 24/7 surveillance on the masses from cradle to grave and beyond it’s what drives the “Collect it ALL mentality”.

It’s a point people are not paying sufficient attention to, and one which will ultimately hurt us all if we don’t address it publicaly as well. I’m not the first to notice this it’s again in open literature, scientific, social/cultural and fiction. It’s afterall a main stay plot argument in the first part of the one book by George Orwell every person who has ever heard of him can name, as well as many people who have never heard of him, “1984”.

Which brings me back to the point I made at the top of this thread about Win 10 and their IC community previous “wet dream made real” CarrierIQ.

The idea is simple, if people are “technicaly reliant” turn the technology into surveillance systems the users not the IC community pay for.

The marketing industry is as far as I can tell not just the “biggest dollar industry” in the world, it’s also the most invasive. It collects, stores, collates, analyses and makes available more data on this planets occupents than has ever been available to anyone at any point in our entire human history. The only problem the various Governments have on getting this data, is they “have to pay” and this is very noticable and often news worthy. Likewise both the LEOs and IC see the “have to pay” issue not just as a resource issue but also as “tipping off”, worse they want not the “analysed data” but the “raw data”, because “marketing” has different aims and objectives therefor different analysis.

Thus both the LEO’s and IC want to get at the raw surveillance data as close to the “sensor” as they can. By happy coincidence those involved in the mass collection of raw data for the marketing analysis also want to get to “what people do” rather than “what people say they do”. They also want to do it in as lower cost way as they can to maximise profit potential, and you can not get a much better deal than making people pay you for the surveillance you use…

Low cost goes hand in hand with low security, thus the communication of raw data back to the analysts is not going to be secure unless it’s legislated for, which I suspect Comey, Alexander, et al will push against quite hard in one way or another.

But even if security is legislated for, it will be no more effective than WEP. But even if more secure processes were used, it would not solve the massively exploitable hole the KeyMat issue is. Thus you would end up with at best a low bit size PK infrastructure, but even if the bit size was large, the master private key would become a target. We know from Stuxnet Private Keys used by corporations for important security get known to the IC one way or another.

Thus with Microsoft and the hard forcing of Win10 onto ordinary users you have to start asking questions.

The first being “tipping off”, because surveillance is an inbuilt feature of Win10 it’s an active process from day one. Thus the LEO’s and IC do not need to change anything, thus a user can not see any difference by monitoring of it in any way, so can not be “tipped off”. If Microsoft or some part of it –as many suspect– is complicit with the US Gov, IC and LEO’s then upgrading the type of monitoring will not happen to one individual using Win10 but all users using it via the standard patching process.

Thus from the IC community view point, no “tipping off”, no “sensor cost”, no “communications infrastructure cost”, no “deployment cost”, oh and “plausable deniability”, what’s not to like from their point of view… As for the LEO’s all they have to do is play along via “parallel construction” which we suspect they are upto already, and in a number of cases they directly or indirectly control “public place surveillance” via CCTV and road tolls etc all of which is going to rise as technology costs, so they have “bargening power” with the IC for quid-pro-quo.

But the problem is Win10 is not ubiquitous nor are other commercial OS’s, so there is a fly in the ointment not on the wall. How to solve this… well the recent anouncment by the FCC gives a solution, even if it was not intentional behaviour by the IC or LEO’s.

Soon, you will not be able to buy a consumer computer without some kind of RF transmitter in it under software control, it’s the way of the marketplace and unavoidable without legislation. The FCC along with the desire of manufactures to increase profits will make the likes of Open Source software at lower levels less and less viable. Provided the “mechanism” used for the “sensors” and “wireless” remain at or below these levels then it’s “game over” for by far the majority of uses.

I fully expect to see other “safety” legislation and rules that not only protect vested interests in the market but also make the IC and LEO’s reach much greater as it has in the past with telephone standards… As I’ve mentioned before this sort of “finessing” is a game they have been playing since before the end of the Second World War.

The sad thing is that even though there is much documented “previous” on this, Joe Public does not want to come to terms with it partly because believing the FUD of Comey, Alexander, et al is easier than actually doing something like think. So as a result slowely slowely the net closes around society, because they have been sold a belief in “beads and baubles” whilst being robbed blind (something native american history, and what little is known of the Aztecs and many others can tell us).