Two Good Readings on the Encryption "Going Dark" Debate

Testimonies of Matt Blaze and Danny Weitzner, both on April 19th before the House Energy and Commerce Committee. And the hearing.

Posted on April 27, 2016 at 6:46 AM • 69 Comments

Comments

Drip drip • April 27, 2016 8:03 AM

One of the reasons encryption is going dark is that good people are increasingly ashamed to participate in the government's totalitarian privacy interference. It's always been a job for creeps, but the patriotic idiocy of the government's 9/11 own-goal gave Stasi work a temporary luster. Now that it's metastasized out of control, the war on privacy has a Vietnam syndrome of its own. The troops aren't fragging yet but they're deserting. Nobody's spitting on them. We're welcoming them back.

https://intelexit.org/

Cindy Raella • April 27, 2016 9:33 AM

It looks like this debate has a twenty year cycle.

Maybe it has something to do with Anniversary Editions of Applied Cryptography?

Phino • April 27, 2016 9:36 AM

From the testimony of Charles Cohen:

"As far as I know, the FBI is not exaggerating or trying to mislead anyone when they say that there is currently no way to recover data from newer iPhones.
Data from the San Bernardino County iPhone was able to be accessed because it was an iPhone 5c with a 32-bit processor.
iPhone models that are 5s or newer have 64-bit processors. Essentially, a faster processor can support more powerful encryption.
I am aware of no current means available to law enforcement to defeat the encryption of 64-bit iPhones running iOS 8 or higher."

Should companies be forced to stop producing 64-bit CPUs now?

Scared • April 27, 2016 10:01 AM

Encryption that can't be defeated? Sounds like a pretty poor design. What went wrong?

boo hoo • April 27, 2016 10:34 AM

@Scared

I dunno, were you expecting a "design feature" that let criminals break encryption and steal your entire bank account every day? Who are you? The disappointed criminal?

boo hoo • April 27, 2016 10:43 AM

@Phino

Sure, because reversing time by 10 or 15 years will fix all our problems... Nowadays a ban on 64 bit computing is a ban on basically all modern computers.

It might make more sense to just ban cars and roads because bank robbers use them to get away with their cash... (i.e. why not just reverse time by 100s or 1000s of years, won't that fix it even better)

boo hoo • April 27, 2016 10:48 AM

Oh, I know, let's just make the inventors of wheels liable for all crimes committed involving wheels (i.e. they are forced by law to redesign their wheels to make it easier for law enforcement to catch fleeing bank robbers, for example)... That's Feinstein's way of dealing with it...

The angry blogger • April 27, 2016 11:25 AM

@Scared I hope you're being sarcastic; you can't possibly be that stupid. Although no encryption is really unbreakable, just practically unbreakable within a reasonable time frame using today's tech.

Narcs bark a stark dark lark • April 27, 2016 11:30 AM

@boo hoo

Clearly you're not a true American patriot who is prepared to bleed for the red, white and blue - I heard terrorists use food too. Urgent legislation requires an indefinite ban on consuming food. We're going dark I tell ya! Dark!

Did you hear the one about a [redacted], a [redacted] and a [redacted] who walk into a bar?

"Heh," says the barman, "is this [redacted]?"

Senator Harumph • April 27, 2016 11:56 AM

The current legal restrictions on homonyms are obviously not enough, either. What about the restriction on people saying "bomb" at airports? Obviously, terrorists can slip right by that one. They can claim they were just quoting Alan Turing ("I've got a bombe!") or Jesus Christ ("I've got a balm!"). Will this permissive madness never end?

Senator Harumph • April 27, 2016 12:15 PM

@scared:

Unbreakable encryption IS the answer. Simply make it unbreakable by ANYONE -- the sender, the recipient, the interceptor, ANYONE.

This plan has the added benefit of extreme simplicity. Simply encrypt ALL words as "qwerty". That way, the phrase "qwerty qwerty qwerty qwerty" can be interpreted by law enforcement officials as a threat, and EVERYONE can be arrested.

Trust me, folks, this means JOBS!

Ken • April 27, 2016 3:04 PM

Part of the problem with all these "experts" speaking to congress is that they don't understand their audience. Congress isn't a bunch of undergrads hanging on every word and phrase they have to say, analyzing every issue. Some of these folks don't even use email, and most have the Internet knowledge of a gnat.

They want solutions from the tech sector - and I have to confess that they deserve some. I'm all for end to end encryption. But, the only person so far that has provided any possible solutions was Susan Landau, and her solutions were buried in her 25 page diatribe ("Solutions for Locked Phones: FBI Investigatory Capabilities for the Twenty-first Century").

For Daniel Weitzner to say after 18 pages ". . . there are a number of avenues Congress can explore to be sure that legitimate public safety needs are met . . ." is a disservice to everyone. WTF? A number of avenues? After 18 pages that's the best he has for a conclusion?

And Matt Blaze after 11 pages:

"The technical vulnerabilities that would inevitably accompany design requirements for law enforcement access being proposed will harm our security far more than they will help law enforcement." At least he says something definitive.

I'd wager half the audience was asleep.

Know your audience. Write at a level they can understand and get to the point.

herman • April 27, 2016 4:13 PM

@ Senator:
Do you recognize this movie script:

Inspector, what is that?
It is a behm.
A what?
A behm.
What is a - behm?
A behm is something that goes... KABOOOOMMM!!!

Clive Robinson • April 27, 2016 4:57 PM

@ Bruce,

There are a number of other important questions that are not being asked and thus not being answered, which are rather more important than "Why can't Johnny Terrorist Encrypt".

The first question that people should ask is,

1, Will any legislation stop people using codes and ciphers if they wish?

The answer to this is very obviously no. Anyone can use pencil and paper crypto based on dice throw generated OTPs. The knowledge on how to do this is more than a century old and has been in the public domain for more than the average lifetime. Likewise it is well known that the BBC transmitted code messages to people in the occupied countries; like the One Time Pad these codes were unbreakable.

So the question arises as to what people hope to achieve with this apparently nonsensical legislation?

That is any criminal with the intelligence to keep their money movements covert will find no difficulty in generating and using One Time ciphers and codes. Thus their communication will be pushed past any LEO efforts to recover them, especially in the much touted "Emergency Access Scenarios".

But the use of carefully selected codes unlike ciphers allows messages to be passed in plain sight, so the LEOs would be unable to even see the secret communication, let alone prove its existence.

So on the assumption the reason for the law is general surveillance of the population who are not half sensible criminals a more important question arises which is "limitations". So two other questions arise,

2, Will there be hard time limitations?

3, Will "Privileged Communications" be hard protected?

When you ask these questions after just a few seconds thought it becomes clear that the much touted "Emergency Access Scenarios" are designed to make the answer to these questions NO.

Thus the law is deliberately designed to exceed the current limitations on state power outlined in the prohibition of general warrants or for that matter any warrants or recognisable legal oversight (which NSLs, FISCs, and other secret arrangements/courts most definitely are not).

In general it can be said that society is about balancing risks and advantages. For instance there is clear scientific evidence that if all road vehicles in the US were hard limited to 20MPH the levels of road fatalities of people within them would drop close to zero, and likewise fatalities of pedestrians. However doing so would have significant economic costs which society sees as harms. Thus a balance is made between the economic harms of fatalities and the more general economic harms of speed limitations.

This is a standard trade off that is well established in society. One aspect of this is the harm of incarceration of the innocent against a number of alleged wrong doers walking free. That is it is accepted for the good of society that the law should not be overreaching as this has undesirable effects not the least of which is abuse by those in positions of influence.

But the speed of road vehicles is even more general, it accepts that harm should befall a small percentage (~0.01%) of society in terms of fatalities, in order that society reaps the advantages of faster movement of goods and people.

Thus it is fair to ask what percentage of the population should be allowed to come to harm for the "greater good" of society. With encryption you need to ask in two directions. Firstly we know that lack of strong protections is allowing crime to take place on the Internet, it is unclear what the dollar cost currently is but the bulk of it goes uninvestigated by the majority of LEOs who "buck pass" it around and do nothing. It can only be imagined how much worse this situation would be if the "LEO Backdoor" was in place and exploited by criminals. Secondly is the collateral damage to one of the few industries that provide reliable employment in the US and earns export dollars. If the law was brought into place it would not take long for the US software industry to take a hit and tax receipts to drop likewise exports. So serious questions need to be asked that boil down to,

4, Will the US profit from this law?

For which the answer is almost certainly NO.

Obviously from the above this is a very bad law, but there is something else that needs to be asked,

5, Does this law increase personal privacy?

6, Does this law increase personal security?

7, Does this law increase personal freedom?

8, Does this law increase societal freedom?

I think most would agree the answer to all these questions is NO.

Thus you have to question the motives of those who want a law that is going to be significantly detrimental to society.

Jesse Thompson • April 27, 2016 5:53 PM

@Ken
> Know your audience. Write at a level they can understand and get to the point.

This is the solution: adjust your expectations, and stop expecting digital omniscience.

The FBI needs to focus on solving crimes using ordinary police-work instead of destroying every wall any American tries to build to form any structure at all in cyberspace.

Especially since any person beyond our borders can build software that flouts our laws, and criminals will simply use the software that is less risky for them to use, stigmatizing anything any American company tries to build.

Simply stop and think about it. Would you, or any other Americans purchase software from China that dialed home to the Chinese Ministry of State Security to spy on everything you were doing? Building a dossier of your personal vulnerabilities and embarrassments they could use against you, to blackmail or to attack you if or whenever they chose to?

Nobody else would touch it with a ten foot pole either, so do not force American industries to build precisely that bullshit.

@Ken, would that be simple enough language for this audience?

Dirk Praet • April 27, 2016 6:05 PM

@ Herman

> A behm is something that goes... KABOOOOMMM!!!

Peter Sellers in the "The Pink Panther": "Special delivery, it's a beumb!"

To date the funniest man to have ever graced the silver screen. I still giggle when I even hear his name.

@ Clive

> One asspect of this is the harm of incarceration of the innocent ...

Especially when locked up with a very muscular but also very lonely guy called Bubba.

@ Ken

> Know your audience. Write at a level they can understand and get to the point.

Which is really not that hard: "Dear Congress, you each get $1 million if you vote for/against this bill." It's not any different than giving monkeys a banana for successfully executing a simple task that is well within their intellectual capability.

Dan • April 27, 2016 6:51 PM

@Ken

You want to write for your audience?

What is so hard about this:

"You want to ban strong encryption because terrorists might use it? Why don't you also ban cars, roads, food, even air... because terrorists might use them? All these things are equally logical... Or illogical... as the case may be."

But here's the issue: congress critters don't want logic. They just want votes, money, and power. That is it. You give them that, and they'll sell their souls to satan for it... literally, if necessary.

Marcos Malo • April 27, 2016 7:01 PM

Senator: You lost me at "robust and reliable computing and communications", Dr. Blaze. Could you put that into layman's terms? Maybe it would help if you used an automotive metaphor.

Nick P • April 27, 2016 9:00 PM

@ Ken

Good point. I've been working toward a solution to this problem. So, I'll run two by you.

"Congress, what these laws ask for is to have a master key into every email, confidential letter, bank account, private home, economic secret, and so on in America. Currently, everyone handles the level of privacy and access differently. This makes things harder for both criminals and law enforcement to access their stuff without permission or notification. However, the master key would put all of that access in one place in one organization using one method. It would be like Fort Knox except a digital version of gold can be moved untraceably from any location on Earth and often without physical access. That data can be copied while leaving original intact means it would look like all the gold was untouched. All Americans' information that spies and crooks find useful all in one vault to be robbed all at once by the first person that gets in.

So, how likely is that scenario? I've submitted government reports indicating that neither the largest corporate teams nor the likes of NSA can keep their secrets safe from hackers. Many Fortune 100 companies and defense contractors had their I.P. stolen using straight-forward attacks by hackers. These sometimes didn't get noticed for months to years. The government has had similar problems. Even worse, the government has been unable to identify who to trust on the inside with devastating leaks: Afghanistan and Iraq war records; all State Dept cables, including many damaging diplomacy; most significant NSA operations to spy on foreigners and Americans down to names, locations, and tech involved; personnel files of everyone with a clearance and likely access to secrets like these along with 10 years worth of blackmail material to use against them. The U.S. law enforcement and intelligence agencies, along with big business, have repeatedly failed at protecting small amounts of secrets to the point their whole mission and personnel were at risk. They are not up to protecting all secrets all the time.

Further, I'll add that I'm from the sub-field of security that aims to stop strongest attacks. Decades of work in this field has worked wonders on many aspects of the problem. Yet, since our field is relatively new, bright researchers and criminals alike discover new ways to attack systems each year. Worse, the security restrictions on systems like we contemplate means it might be hard to update them to counter attacks moving fast. The worst part, though, is what we'd be facing when we put all our golden eggs in one basket we shake at criminals and spies: every intelligence agency, organized crime, and hacking group on Earth will all target that one organization. Even high-security occasionally falls to attackers with business and government being thoroughly compromised by relatively low-skilled attackers. If they can't take a few, how will they protect your and my secrets from all of them at once throwing all their brains at hacking one target?

The answer is they can't. They won't. They'll fail with disastrous consequences across every political and industry sector. So, it's best to never give them the chance. Let everyone be responsible for their own security with law enforcement simply using court-issued warrants to search or seize what they need and justify to a judge. This has worked for a few hundred years. It should work for at least a few decades more while we research answers to these security problems that are currently impossible to address."

So, how you like that? Kind of off the top of my head and not revised. Feedback welcome.

Insecure Comm(ies) • April 27, 2016 9:11 PM

@all:

I think it is clear that we are way beyond "security". They've already expended all the arguments for weakening general security "for your own good".

The question must now be: what is the end goal of all this?

Crypto McCryptoface • April 27, 2016 9:45 PM

The goal? Why, son, it's right there between those uprights. Don't tell me you didn't know where this was going when the stadium became the biggest thing on campus. ;|

Drone • April 27, 2016 10:01 PM

There is no real "Debate" about "Going Dark" due to encryption. Those in-power will get what they want in the end regardless - encryption or no encryption.

The only difference is: With bad encryption, guilty or not you meet your end via a sham legal system. With good encryption, you meet your end as a bloody meat sack hanging from the ceiling after confessing to whatever they want. You know... on second thought I think the sham legal system is the less painful way to go; so bad encryption might just have the upper hand here.

justamonkey • April 27, 2016 11:26 PM

Former Tor developer created malware for the FBI!

By Patrick Howell O'Neill - Apr 27, 2016, 4:32pm CT

"How does the U.S. government beat Tor, the anonymity software used by millions of people around the world? By hiring someone with experience on the inside.

A former Tor Project developer created malware for the Federal Bureau of Investigation that allowed agents to unmask users of the anonymity software."

"Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago.

Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases.

"It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware," the Tor Project confirmed in a statement after being contacted by the Daily Dot."

Article:

https://www.dailydot.com/politics/government-contractor-tor-malware/

Mason Boyle • April 28, 2016 2:11 AM

With the news break earlier this month that WhatsApp and Viber have put encryption on messaging, which became headlines and got users buzzing reading that! But are we sure about the other messaging apps we use on mobile? Here is a blog I read which makes a list of apps which are encrypted and which aren't, and a guide about the tool to encrypt them.

https://www.purevpn.com/blog/messaging-apps-encryption/

Tox • April 28, 2016 2:51 AM

@Mason Boyle

You should use Tox. It's P2P like Skype, with strong encryption.
I've been using Tox for months and you'll also like it.
(qTox for Windows and Antox for Android)

@All

If you're a crypto nerd, join the Tox force!
https://tox.chat/

Clive Robinson • April 28, 2016 4:26 AM

@ Bruce,

Part of the "going dark" argument that the LEO's are keen to avoid is the "Chilling effect" it has on society.

There is a paper coming out of Berkeley that shows access to certain "Wiki Pages" has appreciably diminished since the Ed Snowden Revelations,

http://www.reuters.com/article/us-wikipedia-usage-idUSKCN0XO080?feedType=RSS&feedName=topNews

Whilst some may think "so what" or worse "it's a good thing", they are missing the fact that authoritarian behaviour rarely if ever solves either society's or science's problems. In fact authoritarian behaviour can be shown on balance to be mainly harmful, and once established leads eventually to increasingly worse behaviour that results in its own destruction.

The chilling aspect of unrestricted access via a crypto backdoor to people's thoughts, research and private lives is very much a nail in the coffin lid of society and science. It can be seen as a new form of slavery or middle ages serfdom, where people's entire existence is dictated by fear of having any kind of position or property they have achieved being arbitrarily taken from them.

Just over eight hundred years ago this iniquity caused the Barons in England to rebel against this iniquitous behaviour by King John by force of arms, which gave rise to King John applying the Royal Seal to the "Grand Charter of the Liberties" (Magna Carta Libertatum), the first of the "Grand Charters" on which society's freedoms are based (though John got the Pope to nullify it a few weeks later, hence the repeated charters).

Penisscalpel • April 28, 2016 9:09 AM

@Drone, Honeypot? Why so? Because some obscure shady character called Bruce Schneier appears in their introductory video? And that notorious possible future sellout Tom Drake?

By the way, there's some interesting forum-sliding up there. (Pro tip: it works better when comments are paged.)

Admiral Rogers is scratching his head with his mouth open, wondering why morale is so bad. Secret agents don't like getting the rubber hose as insider threats... Who woulda thunk it?

Bumble Bee • April 28, 2016 9:10 AM

I am sick to the point of puking my guts out of cryptanalysts' complaints of "going dark." We all know the pope doesn't get up till ten o'clock in the morning.

It's curfew time. Lights out till reveille. Period. That's it.

paul • April 28, 2016 10:07 AM

The problem with written congressional testimony is that it has to be polite. I used to know both of these guys, and so can imagine what they might say if not constrained by the fact that this stuff goes in the congressional record. (They're also constrained by the fact that multiple smart folks from the other side will be paid to dissect what they say and use any inaccuracies in a metaphor or analogy to attempt to discredit the entire testimony.)

Bumble Bee • April 28, 2016 12:50 PM

@ "Yeah, it's dark in the shitcan, huh?"

That depends what you mean by "shitcan." This is downtown Baltimore, after all. Do you mean just the jail, or the entire downtown area, or southwest Baltimore? Anyways, yes, it's dark here, in a really morbid sense. "Noir," I could say, but excuse my French, let's just speak English.

I am at the downtown medical library of the University of Maryland. The really bad place is known as MPRC, (Maryland Psychiatric Research Center) 55 Wade Ave, Catonsville, where they do psychiatric "research" on their victims in locked wards. A funeral home and a crematory are conveniently located nearby on Frederick Rd to dispose of the remains when they are done with their experiments.

PhilS • April 28, 2016 3:34 PM

@Clive

"But the use of carefully selected codes unlike ciphers allows messages to be passed in plain sight, so the LEO's would be unable to even see the secret communication, let alone prove its existence."

For example:

"One if by land, two if by sea"

Rick Taggard • April 28, 2016 3:34 PM

The Conspiracy (TM) is simply to

A. offshore encryption
B. offshore trustworthy technical solutions (from OS to social media and IM)
C. make any enemy of the United States be highly wary of using US-made products except for purposes of disinformation programs

Why?

I can not figure this one out.

Their vast and mysterious motives elude me.

It reeks of what victims of disinformation programs do.

Snowden seems like the eight ball in their behavior, as they themselves suspect.

That puts them stuck in a battlefield not of their own choosing. They are playing hyper defensive and so sabotaging their own best interests.


Unknown Party X Manipulator seems to be trying to get them to make these stances for actually the reason which is most apparent.


Anon10 • April 28, 2016 8:52 PM

@Nick P

I think you're ignoring the fact that there already are master keys or something close, the private keys of the root certificates that come pre-installed in the major internet browsers.

Anon10 • April 28, 2016 9:59 PM

@Nick P

The other problem with what I'll call the resistance is futile argument is that it raises as many questions as answers. Let's follow the argument Fortune 100 companies get hacked, therefore all systems with high value will get hacked, therefore, this system will get hacked. If effective computer security is as impossible as you make it seem, why haven't we seen hacks of major financial institutions? The financial system probably would have imploded a long time ago if companies like Visa hadn't figured out a way to prevent cyber criminals from getting into their core networks.

Nick P • April 28, 2016 10:44 PM

@ Anon10

Browser CA's don't give attacker access to full CPU and memory state. Far as banks, they lose money in hacks all the time. Some make the news. Most they just suppress or shift blame to businesses. HSM's, mainframes hackers don't understand, and leased lines are contributors to what actual security they have. Would this be true if all banks used same exact setup as in escrow attack? No.

Anon10 • April 28, 2016 11:10 PM

@Nick P

Browser CAs don't give full access to your memory state, but they make MITM attacks trivial, which can give them access to your financial accounts, e-mail, social networking, and anything on the cloud. For the average user, that's probably close to a total compromise.

When was the last time a hacker stole from a US bank by hacking its servers? I'm guessing never.

Nick P • April 28, 2016 11:53 PM

@ Anon10

"but they make MITM attacks trivial, which can give them access to your financial accounts, e-mail, social networking, and anything on the cloud. For the average user, that's probably close to a total compromise."

Did you see that Snowden leak that was one page where NSA said they didn't need 0-days or implants because they have the CA's? I didn't either. Apparently, a bit more complicated or rarely successful type of attack.

"When was the last time a hacker stole from a US bank by hacking its servers? I'm guessing never."

Google is your friend. Would've found you some examples. Besides, following IT or programming sites for a while lets you run into lots of people that worked for banks. Usually previously. Their security is on average way worse than you think and I always see gripes. I also already said they cover up problems where they can. They're very good at it.

Anon10 • April 29, 2016 12:08 AM

@Nick P

> Google is your friend.

At some point, I think we'll reach a singularity where the top Google results all tell you to use Google. From a quick search, the instances that came up either involved hacks that compromised data, but didn't result in financial transfers, were foreign in nature, or were compromises on the client end not the bank.

Clive Robinson • April 29, 2016 2:58 AM

@ Nick P, Anon10,

> HSM's, mainframes hackers don't understand, and leased lines are contributors to what actual security they have.

You have forgotten the labyrinthine byzantine security rules banks had in place to stop insider fraud/theft long prior to computers. And though many of those rules are not required for computerised accounting / operation, they remain in place automated across computer systems. Thus they sit there like hidden tripwires for the unwary.

Thus the central systems are sufficiently "scary" to make external or outsider attackers believe attacking the client end of the system is by far the lower hanging fruit.

In the U.K. GCHQ has a cipher called Rambutan, a number of people have said that like the fruit it is prickly and hard on the outside whilst soft and yielding inside.

It is this "Rambutan mentality" that banks use along with a "maze of twisty little passages" to scare off attackers. All in some strange CLI applications running on a near unknown OS (VMS) on hardware that is effectively unavailable for research. Along with the banks' well practiced and very proficient ability to externalise risk onto others. Thus the effects of attacks the banks frequently suffer fall on their reluctant customers, who have little or no choice but to suffer the banks' terms and conditions, as banking is a very venal cartel. As the various scandals this century should be telling politicians, there is a Herculean task of shoveling the waste from this modern Augean Stables, but they chose instead to let it rot and fester undisturbed.

Bumble Bee • April 29, 2016 10:51 AM

@Anon10

> why haven't we seen hacks of major financial institutions?

Err, perhaps you haven't been following the news or reading your bank statements. For example I had one account at a small but publicly traded bank whose balance changed in ways that were unaccounted-for by any particular transaction. I went to the bank, showed them my last statement and got a credit in my account for a "balance adjustment." I once set up an automatic savings plan to transfer money from that checking account to a savings account at another bank. Seven transactions for the same amount of money (about $90) were deposited in the savings account, but only six ever cleared my checking account. What a "gift!"

In another (online) account at a major national bank, the sum of $100 mysteriously disappeared and then reappeared a few days later.

Eastern European organized crime networks ("thieves in law" with connections to Vladimir Putin) are known to program spyware and infect the tellers' desktop computers at the bank with it in order to gain credentials of various kinds. Then they program ATM machines to dispense unaccounted-for cash at prearranged times and places where runners or "mules" pick it up... NEWS FLASH! ...They do this at major banks in the USA!

Of course the banks would prefer to keep quiet about it. Or no one wants to be first to open her mouth about it, and the criminals themselves are powerful enough to disappear any news about it. For such reasons you don't "see" or hear of hacks of major banks in the USA.

Bumble Bee • April 29, 2016 12:27 PM

It's a sorry excuse for a court for a sorry excuse for a nation that allows such atrocities to take place, but remember that God is the Lord of Sabaoth, and He alone is able to raise up armies from the dead to fight for what is just and right.

Nick P • April 29, 2016 1:31 PM

@ Clive

"And though many of those rules are not required for computerised accounting / operation, they remain in place automated across computer systems. Thus they sit there like hidden tripwires for the unwary."

That's a VERY IMPORTANT point I forgot to bring up. The legacy systems in banks have this both in just how the software works and in its security controls. They aren't documented in a way where you can see them at the interface level. The knowledge of how to avoid tripping them is usually taught on the job as just a part of using the system effectively. Others aren't taught at all as security team hides them. This is essentially a grand obfuscation of whole organization's operation. History shows it's defeatable by pros especially that embed into the organization. Amateurs are easily caught or don't go near it.

"All in some strange CLI applications running on a near unknown OS (VMS) on hardware that is effectively unavailable for research."

This is a point I made and keep making but the hardware part is worth elaborating on. The VMS, AS/400, and so on systems that many banks used start at tens of thousands of dollars. Getting the used ones working without support is a chore in itself. Mainframes from various vendors are leased for enough to buy a new house or mansion a year. The common, destructive hackers that learn by tinkering simply can't afford to acquire one to tinker with and especially take risks that might brick it. So, use of such systems is quite a barrier to entry.

There is some possibility for change now that IBM and others are leasing mainframes that are inexpensive to get more people using it and developing for it. That started with the z9 mainframe for businesses that was around $100k. They have a z10 for Linux apps that's around $50k but idk if it runs z/OS. This 18yr old bought a z890. Unisys, which owns Burroughs legacy systems, created MCP Express for people to learn MCP on a PC. That they moved their systems to x86 should increase MCP's attack surface nicely over the 1961 models. :) The price is still a barrier to entry with cheapest $325k or $900k depending on which is the MCP one. Can't recall off top of head. Other significant ones are Bull's, Unisys's other OS, Fujitsu's, and Russia's Elbrus mainframes. Idk their status aside from Unisys's in six digit of course.

Note: I think it's worth revisiting this topic sometime in FOSS vs proprietary for security as proprietary's "disadvantage" of acquisition cost is an "advantage" here in INFOSEC against many threat models.

Nick PApril 29, 2016 1:47 PM

@ Anon10

A very philosophical way to ask me to Google for you the losses of U.S. banks. I'll be nice and help out. My first search showed the results used the term "cybertheft" a lot. My next search was "cost of cybertheft from bank heists." Here's some results on page one:

How hackers stole from 100 banks and rigged ATM's to spew cash

Largest cyber-theft in bank history: Over 100 banks in 30 countries

Hackers take $1 billion a year from company accounts while banks blame their customers

I next typed in "banking sector security breaches" to see if that would give me something:

Symantec report on banking security and threats

Note: First thing I see is Citigroup, one of richest and biggest spenders on INFOSEC, was breached in 2011 with 300,000 accounts affected. Exact kind of risk I'm talking about in my original post. Also notes habit that size and losses from those are "rarely disclosed."

Damage of a Security Breach...

Note: Quotes FBI as saying 500 million records compromised across financial sector in 12 months. PricewaterhouseCoopers reports 39 percent hit by cybercrime and 67 percent by internal threats.

Top 8 largest data breaches in financial services

Note: Has JP Morgan and Heartland Payment Systems on the list. They're two, major firms in finance and INFOSEC spending.

Conclusion

Three Google searches showed that the biggest spenders in financial system are getting slammed by hackers inside and outside their networks. Also showed all kinds of attacks at the interfaces to financial firms. Supports my claim that U.S. finance is very vulnerable to hacking despite being one of top contenders in risk management in commercial sector. Putting all eggs in one basket in government or an escrow organization will likely have similar results.

Anon10April 29, 2016 6:47 PM

@Nick P

Let's start with Citigroup. According to Citi, "However, data that is critical to commit fraud was not compromised: the customers' social security number, date of birth, card expiration date and card security code (CVV)."
http://citigroup.com/citi/press/2011/110610c.htm

The hackers didn't appear able to get any of the customer's critical data, but if they had, what would that prove? If you could actually hack Visa, MasterCard, or American Express, and get millions of records at a time, then it would be horribly inefficient to try hacking individual customers' devices to get at their information. This actually strengthens the FBI's case for, for example, an iPhone backdoor, because the competent hackers would all be targeting corporations and not individuals.

Anon10April 29, 2016 7:02 PM

@Nick P

"Also notes habit that size and losses from those are 'rarely disclosed.'"
I mostly disagree with this. If a company is publicly traded, then there are numerous SEC regs that force a company to disclose material adverse information to their shareholders. If you're a private company, then it might be a lot easier to hide bad news.

Nick PApril 29, 2016 7:57 PM

@ Anon10

So what? There were rules against trading mortgages they didn't own, not securing ACH, money laundering, and tax avoidance. Big banks have been caught doing all of these with only one resulting in huge fines. Which came out of taxpayer bailout.

You should do some research on banking industry corruption and bullshit from first-hand, high-level sources. It seems like your jaw would stay dropped whole time given you so far believe banks comply with all laws of US or always get caught when they don't. Especially look up Goldman Sachs who just have government write new laws making schemes legal.

Note: Also look up who shut down Wikileaks during their peak after many hackers, governments, spies, and private parties failed to. They then threatened one of America's "Owners." Response was swift, surgical execution of their organization by that sector's elites.

Anon10April 29, 2016 10:15 PM

@Nick P
"Did you see that Snowden leak that was one page where NSA said they didn't need 0-days or implants because they have the CA's? I didn't either. Apparently, a bit more complicated or rarely successful type of attack."

I never saw the Snowden leak, which said NSA had the private keys of the CAs, which is what you seem to be implying. I missed that one too. Or, if you want to claim that it's nearly impossible to steal the private keys of the CAs, that would demonstrate that it is possible to keep a master key secure, not that the CAs don't hold the equivalent of master keys to the commercial internet.

Nick PApril 29, 2016 11:41 PM

@ Anon10

"but they make MITM attacks trivial, which can give them access to your financial accounts, e-mail, social networking, and anything on the cloud."

*trivial* was the key word. Apparently, they aren't trivial. They're hard enough to require either going around them or a confidential way to pretend you didn't hack them. Most likely, they subverted a bunch then use alternative methods for option B. In any case, it's anything but trivial unless the CA isn't worth a shit. Subversion is most likely with members of HSM vendors working with culprits. Narrows problem space quite a bit while HSM vendors get little attention from mainstream.

Nick PApril 30, 2016 1:16 PM

@ Anon10

Thanks for the link. Even if I take it off my list, we still have the anonymous data collected from banks themselves in other one saying half of them have been hit with cybercrime and two thirds with internal attacks. Reports like that, including Verizon's data breach report, say they also underreport breach damage by marking them as a cost instead of a loss from fraud. That's what bankers I know told me as well. Doesn't that contradict the overall claim that U.S. banks are safe from hackers and/or internal threats like spies? Do we really need more data past their own admission that 2/3 got compromised in a single year?

Also, I have first-hand experience in these issues outside of what bankers and pentesters that work for them tell me. A Fortune 100 company outside of banking I worked for did the same shit despite SEC regulations, etc. They bought a solution for, what I was told, was about $300 million across the whole company. I know it had to be at least $50mil for equipment alone. It didn't work at all & actually disrupted operations anytime it was used. They were fooled by a referral from another huge company that publicly labeled it as an expensive, but successful, investment to save face. Guess what my employer did? The same, fucking thing. The annual report mentions high costs that year while talking about strategic investments for growth. Investors assumed that's where money went. They also mention the system as one of their successful initiatives. To this day, they still invest millions a year in maintaining and expanding it. It still doesn't work and any employee will tell you they ignore it in favor of manual alternatives unless their bosses are watching them.

This sort of thing isn't an exception: it's the rule among big companies whose CEOs and such want to maintain their image. They cover the hacks and other big failures wherever possible. They will *never* make the sacrifices necessary for a true, high-security operation. You can't have IBM mainframes, Windows NT servers, or web access for that as nearly every product in existence failed security analysis or pentesting. The 0-days & misconfigurations are there waiting to be found. Survey data and security services (eg Verizon) reports indicate they're being hit constantly. Yet, only a handful of damaging reports make it into the news each year. Kind of strange inconsistency, eh? ;)

Bumble BeeApril 30, 2016 1:31 PM

@Nick P, Anon10
UTSA offers an MBA with a concentration in cybersecurity. Your undergraduate degree doesn't have to have anything to do with computer science to be admitted to the program. Just a few business classes. You are right. The fraud, waste, and leaked and stolen national secrets are just a cost of doing business.

Anon10April 30, 2016 8:00 PM

@Nick P

If you're a cybercriminal and your goal is to transfer funds, but fail to transfer any funds, then your hack failed at some point in the process (elevating permissions etc). If your goal is to get credit card information, but you don't even get the CVV data, then I label that a failure. Data breaches are fairly common, but banks seem good at protecting any of the truly important data and processes. The PWC definitions are too broad (39% cybercrime), which seem to include everything from DDOS to customers falling for spear phishing scams. Those both cost the banks money, but are mostly outside the bank's control.

Bumble BeeMay 1, 2016 2:29 PM

More on that location that I mentioned, 55 Wade Ave in Catonsville, Maryland. It's called Spring Grove Hospital Center on some maps, but signs at the location identify the site as MPRC or Maryland Psychiatric Research Facility. There is a homeless "shelter" of sorts there. The men go one place, and the women and children go another place. I'm told the shrinks have a gas chamber there.

Soon, and perhaps already now, shall the seraphim appear over that place, those ones who worship God day and night, crying one to another, "Holy, holy, holy is the Lord of Sabaoth!" whose faces only the Lord God Almighty is able to behold, and whose wings fan the flames of the wrath and vengeance of the Eternal God.

God's host, O arise!!!

Bumble BeeMay 2, 2016 9:37 AM

Not only that, they have some kind of creepy square and compass shit going on at that site, where the shrinks have to advance from the 32nd to the 33rd degree by committing some kind of murder — it's supposed to be "premeditated," and it involves tampering with the jury, pay for play, bribery, and shit like that and it's not like they go to jail or anything like that, because if they get caught, they stay in the 32nd degree, and their work is "slipshod" in whatever profession they're in and never comes to perfection, like the apples of Sodom that never come to ripeness.

DISCLAIMER: I am not a freemason or oes or anything like that, and I have no idea what they do or say to become initiated into the 1st degree, or advance from that point all the way up to the 32nd degree; it's just that when the worst of the worst of it begins to infringe on my civil liberties, I feel like puking my guts out.

And now they've got this weird "title" thing going on with Dr/Mr/Ms/Miss Sir/Ma'am shit or whatever they want to call people these days, and women aren't supposed to own property anymore unless they have a master's degree in useless fluff from some crumbling brick university or something like that.

And excuse me if you're in the military and address your superiors like that, but in that case you're already smart enough not to pronounce Sir and Ma'am like "Cur" and "Bitch."

Bumble BeeMay 3, 2016 7:26 AM

And in case you don't know what the word "Sabaoth" means, it is God's great Army. Armies of armies, and more and more armies, all under One Almighty Command, Whose anger and indignation you have kindled against yourselves with the abominations you contemplate and commit in those accursed lodges of "free" masonry. Brick by brick shall they be dismantled by the cherubim, the mortar sliced through by a flaming sword.

For inquisition shall be made into the counsels of the ungodly, and the sound of his words shall come unto the Lord for the manifestation of his wicked deeds.

And also the other edge of the sword must strike more directly at those complaints of "going dark." Here in Baltimore, the locals are experiencing marked racial discrimination in federal government employment, and those complaints of "going dark" are actually a reflection of misguided pre-Illuminist fears of "miscegenation" of certain bloodlines that like to think of themselves as royalty in the United States, as if racial integration or "miscegenation" were somehow less wholesome than the excessive degree of consanguinity that has developed over the generations in those bloodlines.

Anon10May 3, 2016 5:06 PM

@Nick P

I would also argue that you aren't being honest here: "Let everyone be responsible for their own security with law enforcement simply using court-issued warrants to search or seize what they need and justify to a judge. This has worked for a few hundred years."

If you actually design a system that can stop a legal attack, which is what most posters here seem to want, then, by definition, you have a system where a search warrant can no longer be used to gather useful or intelligible communications.

Nick PMay 3, 2016 7:03 PM

@ Anon10

"If you actually design a system that can stop a legal attack, which is what most posters here seem to want, then, by definition, you have a system where a search warrant can no longer be used to gather useful or intelligible communications."

That's true if it works and usually for the country you design it against. I gave a brief overview of principles involved here. Some of the technical aspects here.

Clive RobinsonMay 4, 2016 12:23 AM

@ Anon10,

"If you actually design a system that can stop a legal attack... you have a system where a search warrant can no longer be used to gather useful or intelligible communications."

Not true, it might not be specific message intelligible, but even the knowledge that a single message has gone from one party to another can be very "useful" and provide direct actionable intelligence.

The real issue is what type of law enforcement do you want, one that acts against actual crimes, or one that is continuously looking to show conspiracies, from a mere thought or casual word/musing?

I would say --as an outsider to the US-- based on what the press has reported, the likes of the FBI are running as fast as possible away from conventional crime fighting to trying to coin it in from conspiracies. The reason is conspiracies are very profitable for them, it allows them to "invent crime" and turn it into a virtual reality that they can sell almost entertainment style to the political purse string holders and the public.

For all but the tax payers and coerced individuals it's a win-win scenario. Until, that is, real threats and criminals turn up. Against which neither the FBI nor the vast eye wateringly expensive collect it all surveillance system is of any real use.

Whilst the idea that you can only catch people before the act with the contents of the communications sounds logical, it's actually a fallacy. A falsely seductive and dangerous one at that; at the very least, it presupposes many things that are at best assumptions.

The first assumption is that criminals are either unaware or do not care that the authorities are listening to their communications. Whilst that might be true for rank amateurs, it is most certainly not true for the types you actually want to catch.

The second assumption is that they have to communicate in a way the authorities can monitor. As we have seen with actual terrorists both pathetically stupid and disorganised or quite intelligent and organized this is just not true. In the case of the former they keep their activities and communications "in the family" or small group that is extremely difficult at best and more frequently impossible to infiltrate, likewise with turning individuals, so word of mouth, a look, or vague gesture all out of sight gives them most of the communications they need. Of the latter, well, there are all sorts of methods they have at their disposal, and their success can be measured not just in the expense but collateral damage caused in trying to stop their communications as well as the fact their activities continue with little impediment.

The third assumption is that if you can get to the plaintext it will be both intelligible and of use. Again whilst this might just be the case for those who are unaware or just don't care, it's not likely to be the case for those who have put even a modest amount of thought into it and don't get complacent.

There are many other assumptions but the reality is when plaintext is available, the authorities spend hundreds if not thousands of hours waiting for people to make a mistake, in the hope it might be actionable. It is by and large a pointless waste of resources for them.

But more importantly because understanding traffic analysis and contact/network analysis is difficult for most people at the best of times, this is where the majority of communications intel comes from, not from plaintext content. This is made harder to avoid because anonymous communications in electronic form is extremely difficult, even burner phones and mixnets etc fail unless used with caution and extreme discipline. And of course in the case of phones the raw data is meticulously kept as "business records" that do not require a warrant etc.

But unfortunately for the authorities neither traffic nor contact/network analysis is something you can take to court as the authorities have found. Because in most people's minds it makes little or no sense and thus does not even make it as believable circumstantial evidence.

If people were watching carefully they would realise the authorities are using "going dark" as a front.

That is the authorities know that despite the front they put up that communications is not going to give them what they want --your unguarded thoughts etc-- the very clear "chilling effect" shows that. Which is why the authorities are not really going after communications any more, but people's "personal data repositories" which have not yet suffered from the "chilling effect".

Smart phones are becoming "personal data repositories" with a phone tacked on. In many cases they are taking the place of computers and paper documents, thus contain much actionable evidence, not just intelligence, but also people's unguarded thoughts from which conspiracies can be woven (of which Cardinal Richelieu was so fond[1]).

But to most people when the likes of an Apple iPhone and the FBI gets mentioned in the press they think of phone calls and communications rather than "data repository" unless the writer takes pains to point it out. And it's why the authorities are pulling their little charade over "going dark". If they can force the issue over mainly useless comms then they know that they can also get at the data repositories more and more of us are using; by just a little ambiguous wording in the legislation they can bust the "secure in their papers" restriction...

What surprises me is that journalists have not thought that far ahead, nor have computer pundits and very very few security people.

[1] Cardinal Richelieu's famed quote of,

    If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

Anon10May 6, 2016 9:48 PM

@Nick P

"Most likely, they subverted a bunch then use alternative methods for option B. In any case, it's anything but trivial unless the CA isn't worth a shit."

My original point, which seems to have been lost, had nothing to do with the NSA. There's not a cybercriminal alive who wouldn't sell out his own mother for access to Verisign's private key. If cybercriminals haven't compromised Verisign's private key or certificate creation process, it's because there's not a cybercriminal in the world with the ability to do so.

Nick PMay 6, 2016 10:12 PM

@ Anon10

"If cybercriminals haven't compromised Verisign's private key or certificate creation process, it's because there's not a cybercriminal in the world with the ability to do so."

People used to tell me the same thing about the NSA compromising thousands of computers and subverting dozens of products. There wasn't public evidence of it. So, it wasn't happening. Despite my models saying certain outcomes were likely due to the nature of target and attackers. We saw who came out right then.

I have no idea whether a specific CA is compromised or not. I just know individual techs they depend on have historically been beaten inexpensively. And many others with stacks of defenses lost TB of data without knowing it. So, what trust level to put into Verisign's stack of defenses? Higher than many maybe? (Shrugs)

Bumble BeeMay 7, 2016 10:02 AM

@Clive Robinson, Anon10, and other legal pickpockets

!!! NEWS FLASH !!!

(for the couch potatoes)

Here in the USA, "legal" means conforming first to our highest and most basic law, the U.S. Constitution, and thereunder in the appropriate jurisdiction to U.S. Code and military or other federal regulations that have been established in accordance with the Constitution, then to the constitutions of the individual states, and lastly to state and local legislation of appropriate constitutionality and jurisdiction.

Care to offer an opinion here?

Take a quiz. What is a "serious crime" vs. a "felony" vs. a "crime involving moral turpitude" vs. a "capital, or otherwise infamous crime" here in the United States?

Can a crime be all four of these or just one or two or three and not the others?

Anon10May 8, 2016 8:03 PM

@Nick P

If that's true, then Apple was completely wrong, if not intentionally misleading, in its arguments it made against govtOS. If cybercriminals have the private keys of the root CAs, then they wouldn't need govtOS to get access to a person's financial information and accounts, as they already have far more powerful tools to get access to that data. The only criminals who would benefit from govtOS, would be, "rank amateurs", who according to Clive, aren't the "types you actually want to catch."

Nick PMay 8, 2016 10:55 PM

@ Anon10

Realize that there are very few types of criminal that would have private keys of a root CA. I mean, we're talking top-tier talent. There would be few of them, they wouldn't advertise what they did, and they'd use it *very* selectively. Far as Apple, that has nothing to do with anything given Apple doesn't have that level of talent, FBI vs Apple was about a legal precedent to expand effortless collection of data, and even Richard Clarke implied NSA could hack their stuff.

All still a separate issue from my original claim that even root CA style protection of one site with keys to every American system wouldn't survive all the attacks spies and criminals threw at it. Even one getting it long enough to download a good chunk would be unacceptable. So, it's better not to do it.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.