Schneier on Security

Clive Robinson • January 15, 2016 6:19 AM

@ Wumpus,

After various celebs got their “personal” iPhones etc hacked, I suspect that those who could think or had publicity agents that could think, got a better class of OpSec fairly quickly.

@ ALL,

Which brings me to that “paragraph” that is apparently causing security experts so much difficulty… Perhaps they should read it point by point in reverse order, it kind of makes more sense if you do [1],

<>My head is swimming, labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy, balancing levels of encryption, mirroring through Blackphones, anonymous e-mail addresses, unsent messages accessed in draft form. It’s a clandestine horror show for the single most technologically illiterate man left standing. At 55 years old, I’ve never learned to use a laptop.</>

What do,

1, I’ve never learned to use a laptop.
2, [I’m] the single most technologicalky illiterate man left standing.

Tell you?

Simple he is not in the driving seat on this and that he almost certainly is not going to use terms in a domain specific way.

But also he is probably not “touching the tech” he’s got the equivalent of a personal secretary etc to do that. This is afterall the way it has been done since ancient times untill the early 1990’s. The boss would dictate, the scribe/secretary would make it look nice etc etc.

So backwards and upwards,

3, unsent messages accessed in draft form.

There is nothing particularly wrong with this provided you know what you are doing.

Firstly and importantly “don’t use plain text”. Secondly don’t use widely geographicaly seperated IP addresses for sender and recipient, unless you are both using a “known” VPN / Tor / mixnet node to stop the email service supplier detecting you appear to be in two or more widely different places. Google for instance has been known to cause problems if they see widely dispersed connect points. Thirdly the account needs real or real appearing traffic going through it in both send and receive for some months befor an operation and afterwards so it does not stand out like the proverbial “boil on a pigs bum” (one way to do this is to become a user of “mail lists”). There are several other things to do but you should have the general idea. But if as I suspect this is being done for him by a scribe/secretary then he would not be hence the way it reads.

As for,

4, anonymous e-mail addresses

If he is a inexperienced with the ways of the likes of major web based e-mail services, then the addresses would look nonsensical, anonymous or not. So there is not much percentage arguing over a meaning for this.

5, mirroring through blackphones

Don’t think of “mirroring” in a technical way think in a much more ordibary way which would be akin to “reflecting” or “bouncing”. Or in more technical terms “relaying through a switching point”.

So you would use a pair of “burner” phones as the first step in the link. At the first node the “opperator” reads the message off the burner and types it into the Blackphone to send it out of country to the second Blackphone who’s operator reads the message off and then forwards to the appropriate recipient. This importantly means that no international or long distance charges get put on the first burner phone thus avoiding attention and payment issues. Also the first and second nodes have a high degree of mobility making tracking difficult and expensive for an agency.

Back in the day the likes of Mossad used switching centers and the like to bounce messages around the globe. It’s a technique that works, pluss if done correctly gives issolation as “getting a node” will not alow you to go any further.

6, balancing levels of encryption

Now this is where it gets interesting, and defiantly indicates he had a team working for him.

As most readers are aware there are “types” of encryption and “modes” of encryption, but “levels” indicates a less common approach these days.

There are “codes” and “ciphers”, in times past a message would be coded with the addition of message identifiers. Then it would have routing information added before it was “super enciphered” then key and other identifiers would be added before it was sent, where it might additionaly be enciphered by link encryption. This was often explained as “levels of encrption”.

Most people not involved with traffic level activities where the use of computers and their applications is either not allowed or not possible don’t tend to think about this “old school” behaviour and it’s pros and cons.

A “code book” serves two purposes one is “message compression” another is as a form of “substitution cipher” which uses unknown length plaintext as input and fixed length –often numeric– codes. The down side of code books is what do you do with words, names, phrases and other data not in the code book. The usuall solution is to spell them out in some way, which has disadvantages. A better way is to have an “adaptive code book” these work in a similar way to some compression algorithms where the new data gets sent once and has a “spare code” appended to it, which is then entered into both code books at either end of the link.

An adaptive code book can get very high compretion ratios if used properly and thus an SMS when suitably coded could contain the equivalent of a sentance for every 2 or three char code.

This can be done by a well trained scribe / secretary who puts what the boss said into a standard form before coding (almost the same as “short hand” of days gone by). If you are used to using such systems when super enciphered correctly they will be a match if not beat many modern systems.

It’s certainly a “low tech” “pencil and paper” way of communicating various people are still taught to use even these days.

7, labeling TracPhones (burners), one per contact, one per day, destroy, burn, buy

Asside from the possible “lost in translation” on “TracPhones” which could have been due to dictation, word pro spell checker or even the magazines sub-Ed etc the rest is correct.

When it comes to “burner phones” you do have “one per person per time interval” and when that interval is up, if you are wise you do indeed “destroy and burn” with a hammer and a use once picnic barbeque and it you can get hold of it “coal or coke” where the burn tenprature can be up in the 1200C range.

As for “buy” yes you buy them one at a time, preferably second hand in the area you are to use it. Then you move to an entirely different area for the next one.

As I’ve indicated befor those in certain types of crime in London own or have good relations with “second hand phone” stalls. The crook borrows a phone uses it for just a couple of messages and then it’s back on that or another stall somewhere else 24hours later to be sold on to some unsuspecting person.

8, My head is swimming

Yup clear indicator he’s very new to the game, and thus probably had a support team doing it for him.

If I was a betting man it was not the communications side of things that gave the location away, but something else.

The question you should ask is “why did they meet where they did”, almost rule number one is “don’t mess on your own doorstep” it’s not wise for anything even mildly illicit like a one night stand, and realy ill advised when you are a big time fugitive…

And if not the comms “who gave the location away” that is the Five Million Dollar question, and if you were the smart person picking that money up or getting rid of the boss man, then you would have prepared several different “scape goats” after all it’s not just your life on the line, it’s also the rather unplesant way you would probably lose it…

[1] The same is true for quite a few posts on this blog over the years. That is non experianced narrators tend to put what they think is important first, when in fact they should be putting what they see as the least important first as it leads an unknown reader in, in a way they can best understand.

Clive Robinson • January 16, 2016 1:33 AM

@ 65535,

Thus, if the corporate email server is in the 5eyes jurisdiction your mail will probably be read.

They will also see it on the network just upstream of the webmail service as well. Which is why the devil as always in the details.

What you and @Nick P, did not read were the conditions of using a webmail drafts box as a “communications system”. I will repeate them again,

Let me put it another way, you are using it “as encrypted communications” the content is no more or less vulnerable than an equivalent encrypted communication. That is it is you are using it for “store and forward” or the electronic equivalent of a dead letter drop in a public space.

The point of using a VPN / Tor / Mixnet is to hide the recipient and sender locations. Which is the electronic equivalent of making sure you are “not tailed” to or from the drop point.

It’s important to not have a “knee jerk reaction” to something because somebody else broke the rules and lost their job because of it. Because I suspect that the releasing of “Petraous Sacked for Using Drafts Folder on WebMail” was done by LEO/IC “to send a message” or three one of which was precisely to scare people out of using what is an otherwise well proven fieldcraft method.

The important thing about OpSec is “details matter”, it’s getting them wrong that causes you pain as the General found out.

But if you want a slightly more secure method than webmail go find my past posts on this blog about how to set up Command and Control for Botnets without using a server that can be got at by the authorities or amatures.

With regards,

This sounds good in theory, but the last time I looked into Blackberry Business services one had to “signup with Blackberry” giving away billing information.

Blackphone is from “Silent Circle” not Blackberry…

Anyway it’s not very difficult to set up anonymous “shell companies” and “disconect” the shell company via the likes of a “Limited Liability Partnership” (LLP) a nice little “financial vehicle” the auditors insisted the UK government set up to protect their proffits. It just so happens that money launders, tax avoiders, those bribing officials to get business contracts in the likes of Saudi etc just love to use LLP’s for a whole variety of reasons.

As for NSL’s they only work on US based entities, you can set up servers in various parts of the world with shell companies to suit.

Interestingly I’m not sure if NSLs travel down a corporate tree. That is a US firm that has a business relationship with a company in another country can act as a legal “fire break” if setup correctly, that is as an “investor / shareholder” not “owner” of the company (it’s yet another use of LLP’s that major US Corps use for various mortgages and IP protection).

Clive Robinson • January 17, 2016 4:45 AM

@ 65535,

As for Silent Circle’s encryption, it was reportedly successfully monitored according to Medium dot Com’s article in the above post of mine.

Err, the article you provide a link to mentions the BlackBerry Messenger (BBM),

Which was used between the fugitive and the actress for many months pior to the visit. But the article does not mention Silent Circle or the BlackPhone at all currently.

BBM has been known to have been broken for some years now, with various countries demanding and getting access to the RIM managed servers Pakistan being the most recent in the news.

It’s an open question as to if the other “business oriented” BlackBerry service where the “business” runs the server can be got at or not.

With regards,

As I understand it, you are saying to encrypt the email then some how use Webmail as a dead drop. That sounds good in theory. What set of programs or browsers would you use to encrypt a Gmail draft?

What I am saying is you first transform the secret plaintext content of your message into a non secret form, and you do this outside of the communications link / letter drop.

For arguments sake transform with pencil and paper and OTP by hand, you encrypt the secret plaintext into ciphertext. Just as very many spies have over the years. Then type the cipher text into the webmail.

Rule number one of all spycraft / fieldcraft / OpSec is – You never ever communicate secret plaintext over a communications link.

You can encipher or code or use another transformation method but the secret plaintext does not go outside of your direct “physical control” or that of the recipient.

So unless you are using “energy gapped” computers to transform the plain text, then computer programs are out of the question. Which is why I talked about adaptive code books and,

With regards the USA Freedom nonsense you mention,

Take a look at the new changes to so called USA Freedom Act and you will see the vast methods of tracking a person via searching a “Facility” in a bulk fashion and chaining the data/metadata.

It’s just a way of putting lipstick on a pig. That is the pig is already doing it’s thing and won’t change, the lipstick is just for the onlookers to make the pig look more human and thus garner a bit of sympathy from those who can not see through it. Terry Pratchett drew attention to this human failing with cats, he observed that because they look cute and fluffy and playfull, that this prevents many from seeing “what nasty buggers they are underneath”.

When you apply this to the IC you will see the FISC etc being used as “lipstick” with the LEO’s you will see NSL’s and ambiguously worded wiretap requests likewise being used as “lipstick”, all to preserve the vener of legal niceties whilst in fact they are rapping the citizens back front and sideways.

So if the IC/LEOs can not get a legal stamp on what they do it does not stop them, they simply change the meaning of words to either make things fit or cover them up. They have been doing this since befor the ink was dry on the Church Report. The only change for the pigs is technology is making them fat and lazy, which actually means they are becoming grossly inefficient and torpid porkers. Thus like a couch potato quater back they can talk a good game to get their food, but the practical asspects of the game are quickly becoming out of their reach.

The real players are thus fit and fleet of foot and can run circles around the porkers if they have the knowledge of the best paths to take to keep out of the porkers sight / way.

When it comes to privacy then knowing “good OpSec” and what “Methods and sources” the porkers are using can keep you ahead of the game, all you have to do is stay “fit, knowledgeable and fleet of foot”, but also take care not to hamstring yourself by practicing poor or bad OpSec.

The problem is that with OpSec the “Devil is in the details” and the policy of “Collect it all” catches errors and ommisions, and saves them away untill some one sees them. But to do that they have to “join the dots”, which as Marcie Wheeler points out is what the algorithms they use –and are not covered by legislation– are all about.

For algorithms to work they have to be able to distinguish signals from noise in a way that humans can understand otherwise false positives go up and up. Thus there are two approaches you can take “become noise” or more subtly “become a false negative”.

The art to “become noise” is to appear in a random way where your covert actions appear to have no visable relations to each other or your overt actions. The art to “become a false negative” is in part the issue of “Ceaser’s Wife” in that you become “above suspicion”. Combining both is what “moles” and “infiltrators” do over and above the more general spycraft activities.

Whilst this is getting harder in the electronic data communications realm, the fact that this is where the IC/LEOs are expending their effort makes non electronic communications fieldcraft easier. The trick is to subsume a limited set of electronic communications into what are traditionaly non elrctronic communications fieldcraft skills.

An example of this –that went wrong hence we know about it– was what has been dubbed the “Moscow Spy Rock” ( https://www.theguardian.com/world/2012/jan/19/fake-rock-spy-russia-britain ).

As I’ve said the devil is in the details, I suspect the Moscow Spy Rock was found by months of very close traditional counter espionage on a known target and a process of elimination not other high tech methods that people tend to fixate on these days.

It’s known that such fixations are flawed. After various incidents the US pulled out of HumInt and became heavily reliant on SigInt and Imagery. This has been found to be a mistake for a number of reasons and we now see the IC/LEOs falling into the same for mass citizen surveillance of “collect it all”. Thus aquainting yourself with the various reasons why SigInt failed is a worthwhile activity if you want to protect your privacy.