CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist

Last week, CIA director John Brennan told a Senate committee that there wasn’t any strong cryptography outside of the US.

CIA director John Brennan told US senators they shouldn’t worry about mandatory encryption backdoors hurting American businesses.

And that’s because, according to Brennan, there’s no one else for people to turn to: if they don’t want to use US-based technology because it’s been forced to use weakened cryptography, they’ll be out of luck because non-American solutions are simply “theoretical.”

Here’s the quote:

“US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them,” Brennan said.

“So although you are right that there’s the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues.”

Is he actually lying there? I suppose it is possible that he’s simply that ignorant. Strong foreign cryptography hasn’t been “theoretical” for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

I know Sen. Wyden knows about my survey. I hope he asks Brennan about it.

Slashdot thread. HackerNews thread.

EDITED TO ADD (6/22): Herb Lin comments.

Posted on June 20, 2016 at 12:24 PM89 Comments


de La Boetie June 20, 2016 12:43 PM

Does this mean that measures in the UK’s Investigatory Powers Bill (passed its third reading recently) to force companies to provide backdoors to their products using encryption in messaging, is pointless because they can’t be using advanced encryption?

Or is it, as in the US, a spectacular shoot-your-own-software-companies own-goal?

For sure, they will not recompense reputational and loss-of-business damages.

z June 20, 2016 12:48 PM

I sat here typing and deleting about a dozen different responses. None have come close to adequately describing how dumb this statement is. I just don’t even know what to say anymore.

Gweihir June 20, 2016 1:19 PM

The real problem here is that a person with massive influence on policy is either extremely ignorant or extremely dishonest. A statement this far off is more like something the delusional regime of Northern Korea would originate. Not good at all.

Who? June 20, 2016 1:20 PM

What about OpenBSD and related projects like OpenSSH?

I agree with Brennan, U.S. corporations currently dominate international markets as far as encryption technologies but… will them continue dominating encryption in the future? I would say the United States will end destroying the only pillar that supports this market: confidence. Once lost, the United States will be out of the security market forever.

cujo June 20, 2016 1:22 PM

Clearly, because no other countries are as good at math as we are. (facepalm)

I don’t know which concerns me more: That Brennan is so ignorant that he actually believes this, or that he’s so duplicitous that he wants to sell this committee on such an obvious falsehood. Neither option is reassuring.

John Other June 20, 2016 1:28 PM

I do not think Brennan is being disingenuous.

Unless I missed it, there’s been no report indicating threat groups or individuals are organising at a level to implement their own secure comms. Instead, at least for public consumption, there is every indication that semi covert channel use of mass communications, is the preferred option. In this case, US dominance is quite assured. Use of mass / consumer channels is also a necessity, unless there is a perfect, easy, way to hermetically introduce users to a closed loop system without passing details of that system by another channel.

Halflinger June 20, 2016 1:36 PM

I think any elected or high ranking appointed official should be fined one dollar per constituent of their elected body (ie. congress members pays all US citizens) anytime they are caught telling a lie to the american public. This includes during testimony to congress. Works out to about $320 Million according to the US Census Bureau.

Yellow cake? What yellow cake??

Kenny June 20, 2016 2:09 PM

I think he’s just not talking about actual crypto. The key is ‘available through these various apps’.

If we look at the problem instead as ‘how much US crypto is used’ it’s more clear. Sure, there’s lots of non-US product in use, but I’d suggest (with no data to back it up) that the bulk of traffic is over US-based app.

Say Google, Apple, and Microsoft had to add backdoors to communication tools (Voice, Facetime, Skype), that alone would include a massive amount of traffic.

They could further require backdoors in platforms (Android, iPhone, WP, IntelME) that would make almost any attempt at strong crypto vulnerable.

Of course what they don’t realize is that the end result may be to have tech moved outside of the US.

Ban on all banking and commerce June 20, 2016 2:49 PM

@John Other

Have you ever used a bank? Have you ever bought anything? Have you ever used a web site? Or a computer? Sorry pal! It’s all banned, if you get your way!

Let me be clear:

Almost ALL WEBSITES worldwide are managed remotely, via strong crypto, so that they aren’t constantly broken into by hackers… You ban this, you ban the creation and management of all web sites. Period. Internet goes dark.

Most banking is done online nowadays, and inter-bank transfers are done electronically nowadays too. You want to ban all that?

Most commerce is done online nowadays too, and almost all business-to-bank communication requires strong crypto too. You want to ban all buying and selling?

Why are so many people so intent on making us go back to the stone age? What’s the matter with everyone? You really want to barter with shells to get your stuff?

I know you’re going to say “no, I’m not promoting banning anything… just requiring… blah blah blah”… uhh.. yeah.. requiring something that DOES NOT EXIST…. so…. that requires a ban on everything that DOES EXIST! It’s simple logic…

We do have all AUDIO PHONE CALLS interceptable, but not all other electronic communication of money and commerce and connections between computers. You’re asking every single IT person to have everything they do every day be declared illegal, so someone can “spy” on it at will. That’s just not how things work. Learn something about the world.

Never fear, Feinstein to the rescue! June 20, 2016 2:59 PM

Never fear, Feinstein has it right, just do it her way… we can ban paper shredders, garbage dumps, compost piles, and toilets! That’s what really needs to happen!

PhilS June 20, 2016 3:16 PM

How did Brennan get to his position???

And why is he being paid with taxpayer’s money????

Spaceman Spiff June 20, 2016 3:32 PM

That’s the problem with the CIA. They are so used to lying that telling the truth is beyond their capabilities.

Feinstein says... June 20, 2016 4:08 PM

When all “obfuscation” devices like toilets are banned, we’ll show the world… there may be raw sewage up to our armpits everywhere, but boy will we be safe from terrorism! They won’t dare swim in our beloved cesspool any longer!

And if banning all computers, banking, and commerce, is what it takes, well it’s a small price to pay… Me Dianne… You Tarzan.

HaveYouEverNoticed... June 20, 2016 4:51 PM

How I feel the comments work:
1; The lucky starter that shapes the conversation, or just says something funny/crazy.
2-10; Intelligent discussion to show problems
11-16; Intelligent replies that have a darker side.
17-20; Replies about what is wrong, that are angry.
21-50ish; Hatred towards the people involved(Some of the anger is earned) and pessimism about tomorrow.

71+; Many Months later, a new reader finds this blog, makes a brilliant comment, and nobody reads it.

Feinstein mocker :) June 20, 2016 5:26 PM


Very observant. I just can’t think of a good way to help anyone see the ridiculousness other than mocking our government right now… everyone’s entrenched one way or the other by now, no amount of actual reasoning will change anyone’s minds… that’s futile.

Dirk Praet June 20, 2016 5:59 PM

The kind of silly, badly informed statements that eventually will break the dominance of the US tech sector. What a blockhead …

Managed Development June 20, 2016 7:09 PM

two words – server persecution. If, in a world where 2+2 really did equal 4, network neutrality resulted in every ordinary home internet user being able to host their own open source servers, the crypto picture would be radically different. It’s curious to me that I don’t see anyone else noticing this. With the situation as it stands, high barriers to entry narrowing the points of origination to a manageable number, things can easily be controlled at minimal expense and exposure of criminal management tactics. If however the barrier to entry were lowered to the point where every high school student could compete, the current landscape would quickly evolve and be seen as the orwellianly primitive joke it is. Removing words from a dictionary is somewhat analagous to removing good empowerment ideas from cybersecurity development. Focus on how many influential developers shout down even the concept of forking. Forking is what can sufficiently mitigate the threat surface of government managed development.

Mark June 20, 2016 7:27 PM

These congressional hearings that you Yanks have are a complete joke. Why are these idiots simply allowed to lie or play word games?

Puppy June 20, 2016 7:34 PM

It’s a ‘zen stick’ moment for sure. As in, one is so stunned there are no thoughts just an eternal, reveberating silence in all directions
One can also presume Private Clappy or Private Schlepper or Clapped Out or whatever his name is, experiences such a state of mental silence 24/7

Few things to consider
1. such people, in such positions, of such organisations, really are that disingenous and narrow
2. On the other hand, sometimes they say stupid stuff because they know it will antagonise those whom know better. Politicians do this all the time
3. One really must have the discipline to ignore and not bite.
Focus on your objectives and ignore the morons

Steve June 20, 2016 10:03 PM

What a minute, is this the same John Brennan that got his AOL email account hacked by a US high school teenager? And it was discovered he was using the account for some CIA memos. Seems to me that if he can make statements about US crypto policy, then he should know better than to have used commercial email for government business. I think he’s a couple cards shy of a full deck.

65535 June 20, 2016 10:24 PM

@ All

Returning to Bruce’s main point:

CIA director John Brennan is misinforming the US Senators that there is no alternative to USA built and back-doored encryption products. Hence, implanting backdoor in USA made encryption products will not harm US Business – which is nonsense.

Once, the word gets out that most USA made encryption products are back-doored then there will be a flight from USA built products to other country’s encryption products. This will harm US Business and by extension National Security.

“Last week, CIA director John Brennan told a Senate committee that there wasn’t any strong cryptography outside of the US… Is he actually lying there? I suppose it is possible that he’s simply that ignorant…” –Bruce S

That statement makes CIA director Brennan a liar or an ignoramus. Either way it reflects poorly on the CIA as a whole.

For those posters who want to correct Bruce’s list of encryption product available to the public I am sure it is helpful.

I would like to see a full list of all civilian and military encryption products to judge the total harm to US Businesses because back-door’d encryption products or the tarnish/damage that back-doored US Products have to the business health of the nation.

I short, I agree with Bruce’s main point that Brennan should be called out on this issue because of the damage to US Industry he could cause.

CallMeLateForSupper June 20, 2016 11:14 PM

“These congressional hearings that you Yanks have are a complete joke.”

Yes. That is true. One must stay calm and become one with the fact that hearings can have one or more of several purposes. A hearing empowers one group to put a disliked person or group on the hot seat. A hearing also says to the huddled masses “something is being done”. Sometimes a hearing sprouts from a previous, rotting hearing. Contrary to logic, the particular reason at the … er.. root of a hearing need not be grave. Take for example the recent rumblings of conducting a hearing about the Orlando club thing. Orlando authorities will sort it all out on their own; they don’t need Congress.

“Why are these idiots simply allowed to lie or play word games?”

Hey… those folks write their own rules and procedures. Not even the President has the power to force them.

It’s confounding, I know. But it’s really nothing compared to the rules of croquet. Or cricket.

Vatos June 20, 2016 11:27 PM

“Once, the word gets out that most USA made encryption products are back-doored then there will be a flight from USA built products to other country’s encryption products”

Has such a flight occurred yet?

Government Propagandist Troll Squad June 20, 2016 11:30 PM

As former NSA Director and Director of National Intelligence Mike McConnell puts it, rather than trying to fight the inevitable, government investigators need to adapt to a world with widespread encryption: “Don’t get in the way of progress. Don’t get in the way of innovation and creativity, because this is going to happen. Somebody’s going to provide this encryption.” Therefore, law enforcement must “adapt,” says McConnell. “If law enforcement starts to change the way they think about this, I think there are many, many ways to carry out the mission, given that you are faced with a situation where technology is not going to be reversed.

As you’ll see, all of the encryption apps considered “safest” by ISIS are open source, foreign-based, or both, as are three out of the four apps considered “safe”. Therefore, of the nine apps recommended as “safe” or “safest”, eight of them are outside of U.S. regulation’s reach.

dave from toronto June 20, 2016 11:42 PM

@CallMeLateForSupper Cricket and Baseball can be adequately described as perversions of each other (rather an enjoyable exercise over a pint or two). However, neither is so perverse as this.

Dave Howe June 21, 2016 3:06 AM

To be fair, there is a sense in which he is right – and that is system defaults.

While readers of this list are almost certainly technologically savvy enough to seek out and install secure communications software, they will also almost certainly discover the discouraging truth – that about the only other people they can talk to with their new secure system is the same subset of slightly paranoid, technologically savvy that read lists like this – and compared to the population, that is a rounding error.

On the whole, the TLAs don’t care so much about what terrorists are doing – I know that is the “reason” for all this, but a terrorist is more likely to use tradecraft and, if they need good security, seek out and install it.

But for most users, the people the international bulk data collection scoops up, will barely stir themselves to turn on encryption if it comes pre-installed and bulk adoption pretty much requires they are secure by default and have to turn it off if they don’t want it. Almost every email client on the planet supports S/Mime – I could count on one hand the number of people I regularly correspond with who even know what that is, never mind have current certs for it.

So, what it comes down to is that default-on encryption in iOS, in Android, in Windows, in WhatsApp – those are the major threats to bulk collection, and they are pretty much exclusively American.

Sancho_P June 21, 2016 4:29 AM

+1 (@Dave Howe)

Disingenious or stupid doesn’t matter, clearly the poor guy can’t say what he wants.
But he is right – when we take what he can’t say:

a) Terrorists are ignorant, stupid persons. Having little horizon and knowledge, they will use the same mainstream platforms as John Doe and other criminals.

b) We are the Internet, the Intenet is us, the Intenet is U.S.
Whatever makes the Internet, from facecrook to shitter, amagon to playpal, is U.S.
When we introduce “good” encryption the whole world has to follow and everybody will use it.

The point is what will be used by the plebs, not what could be used by the informed.
And not (rocket) science.

Dave Howe June 21, 2016 4:56 AM


It is more than that. By being users of strong cryptography, terrorists will be standing out in traffic/metadata in a way they cannot allow; the lack of good crypto for the general population means that terrorists also use unencrypted comms, sms, anything that will not stand out – and use tradecraft (cryptic speech rather than encrypted speech) to hide their intentions.

In a lot of ways, that is actually worse for TLAs – with poorly written or badly keyed crypto, the TLAs can access explicitly phrased plans, but if a terrorist discusses a “delivery” of “flowers” to “my grandmother” on “her birthday” – how can you tell in advance what those code phrases mean, and how can you tell that apart from normal traffic?

Grauhut June 21, 2016 5:10 AM

I think in Brennans world NATO countries are simply US property. 0wned.

Is this technically wrong?

fajensen June 21, 2016 5:10 AM

Maybe Brennan just has the advantage of knowing what is inside TISA and TTIP?

Don’t wanna use US encryption!? Well, Go right ahead to a 3-lawyer kangaroo-court and pay trillions in legal fees and damages to the estimated future profits that investors have a treaty-given right to have!

Cassandra June 21, 2016 5:59 AM

There is a discussion thread on this topic on Soylentnews, which has some good points in it.

Key point is, yes, software-based encryption is available from outside the USA, but USA cpu manufacturers have a lock on cpus used in the vast majority of PCs (laptops, desktops, and servers) sold today. Cryptographically signed firmware for on-die adjunct processors, used for remote management. The owner of the PC cannot audit this, or upload their own, or prevent new firmware being applied (unless absolutely paranoid about network firewalls). The adjunct processors have full access to the PC’s memory, so any keys used for software-based encryption on general purpose cpus are vulnerable to being discovered by suitably programmed firmware.

Note that cellphone modems have similar adjunct processors, again where the owner of the cellphone has no or poor access to firmware.

None of this is news, but very few people join the dots.

blake June 21, 2016 6:12 AM

@Dave Howe

To be fair, there is a sense in which he is right – and that is system defaults.

You might end up in a conversation that has the same structure as some of the online game / film DRM dialogue. We’re looking at a system which:

a/ won’t be cheap or technically easy to deliver

b/ will hurt the majority of legitimate users (via privacy invasion & increased attack surface)

c/ won’t affect the targets because they’ll still just use something else

As far as I’m aware, the consensus on the one issue is “game DRM doesn’t work” because of the above three. So that’s not a good place for the other, if that is John Brennan’s stance.


Maybe Brennan just has the advantage of knowing what is inside TISA and TTIP?

If there’s that crazy clause about companies being able to sure countries, then the recommended move is to found a non-American company that delivers customer-privacy-focused encryption services and your revenue ends up being the fees you win from the US government when their backdoor legislation is incompatible with your business model.

blake June 21, 2016 6:15 AM


USA cpu manufacturers have a lock on cpus used in the vast majority of PCs (laptops, desktops, and servers) sold today

Just out of interest, do you happen to know what proportion of networking kit is made in China?

Cassandra June 21, 2016 6:41 AM


Not offhand. I could look it up. But I understand the point you are driving at. However:

1) Once the encrypted payload is injected into the network, it is too late to get the key.

2) Most CPUs are not made in high security manufacturing plants. The physical site may be secure, but the processes that go into making a cpu can be compromised. But the more subtle point that the cpus themselves may be compromised at a physical hardware level ( Hardware level compromises: ) rather than the firmware level is one well appreciated by the USA government, which is why, for the most sensitive equipment, the USA has access to secure manufacturing facilities. See the Trusted Hardware Access Program Office: ; and the list of accredited suppliers in the Trusted Foundry Program:

I would be unsurprised to learn that the NSA and possibly other security and intelligence agencies know the signing key or keys needed to update the firmware for the on-die remote management processors for all current x86 cpus. It is too useful a thing for them not to know.

Grauhut June 21, 2016 7:10 AM

@Cassandra: Even Intel “Ring -3” ME is not invincible. The three letter guys bullied Apple, i am quite sure they did the same with Intel.

But ME is relatively stupid. If you setup a fitting server for it, bind your device to it and switch off that server afterwards ME is not so universal anymore. It will helplessly try to contact that dead server. 🙂

And if you use a dumb ethernet nic instead of the onboard one ME relies on it waits for a connection that never comes.

The OS community is working on a replacement: see

Clive Robinson June 21, 2016 8:05 AM

@ Vatos,

Has such a flight occurred yet?

Yes and no.

Some US companies such as Cisco have reported losing orders to non US competitors. They have blaimed the Snowden revelations etc. However we do not actually know what the lost business was down to, thus the complaint may be for “shareholder ears”.

Whilst there appears to be a trend it is still very much early days. But any sensible non US/UK based organisation should look to non US/UK crypto as a matter of “due dilligence”. The days of “Nobody got fired for buying IBM/Microsoft” are long over.

Tatütata June 21, 2016 8:25 AM

@Ministry of Truth:

I would hardly describe ETSI as a hotbed of cryptographic science. It’s really not much more than a bureaucracy.

After all, those are the guys who standardized the flawed A5/x series as crypto standards for GSM and co., and thought that security through obfuscation would be feasible.

OK, OK, they were implementing instructions from above, but still…

paul June 21, 2016 9:57 AM

Some of us older types have seen this play out repeatedly. If I were snarky, I would ask why the US wants so desperately to subsidize software companies in other countries.

blake June 21, 2016 10:22 AM


the processes that go into making a cpu can be compromised …

for the most sensitive equipment, the USA has access to secure manufacturing facilities

Yes, however:

Brennan is talking about having lockdown on consumer electronics for essentially domestic intelligence purposes. But what we’ve just stated is that any foreign state actor worth their salt will be able to provide their own tech on which they will have lock-down. So Brennans “snoop all the CPUs” plan works except in the most high stakes case, when it doesn’t. The actual threats are not perturbed by these measures.

The other part of the point was the symmetry – eg China having such deep intelligence tendrils in our infrastructure. Imagine a Chinese Brennan-equivalent saying not to worry about Chinese router backdoors affecting business because they have market dominance.

the NSA and possibly other security and intelligence agencies know the signing key … it is too useful a thing for them not to know.

And for the same reason, it’s so useful that other state actors might try to get it too. Let’s not assume NSA has perfect lockdown on all it’s secrets, Snowden has already been mentioned in this thread.

This is probably but one of the reasons why Schneier etc insists that there’s no such thing as a good backdoor.

AJWM June 21, 2016 11:02 AM

It is more than that. By being users of strong cryptography, terrorists will be standing out in traffic/metadata in a way they cannot allow;

So they re-encrypt their strongly encrypted message using the weaker public crypto, ie a “plain brown envelope”. It won’t stop someone intent on opening (decrypting) that envelope, that’s what the inner strong crypto level is for, but it keeps their message from standing out as “different”.

This presumes that there isn’t enough computing power available to decrypt all message traffic on the fly, which may not be a safe assumption. Or maybe that’s why Brennan wants a backdoor, never mind that they’re not supposed to be reading everyone’s messages on the fly anyway.

JdL June 21, 2016 11:58 AM

Steganography renders moot the quality of cryptography used, as it conceals that anything is hidden in an image or sound file. It’s difficult to outlaw something you can’t even prove is present. As government thugs, in the U.S. and elsewhere, try harder to clamp down on basic freedoms, including private communication, I expect steg to become more popular.

Clive Robinson June 21, 2016 11:58 AM

@ Grahut,

If you setup a fitting server for it, bind your device to it and switch off that server afterwards ME is not so universal anymore.

Have you tried it?

And do you know what it does about inbuilt WiFi networking?

Clive Robinson June 21, 2016 12:55 PM

@ Tatütata,

After all, those are the guys who standardized the flawed A5/x series as crypto standards for GSM and co.

There is rather more behind the implementation of A5 than is generaly talked about.

Let’s just say it was a “finesse” by certain people. It’s something I’ve mentioned before about “telephone” standards. Members on the various committees which are effectivly independent of ETSI (similar to the way NIST got finessed) are not just making “technical decisions” they have their “masters bidding” to get slid in as well (often under the gise of “Safety Considerations”).

It’s especialy interesting when you consider A5 only covers the “air interface” not the back haul which is enclair. Thus it’s fairly pointless for the sovereign Law Enforcment Authorities in the country the phone is being used in.

However when you consider non sovereign agencies in their Embassies or others doing ‘Find Fix and Finish” fly overs with drones or more distant stand off with SigInt Aircraft –like the Boeing RC135 ‘Rivet Joint’– it appears most fortuitous.

However if you look at the MO of the UK IC during ‘The Troubles’ back when Maggie Thatcher was PM, the UK IC tried where possible to avoid having anything what so ever to do with the British Telco –Bruces, past employer– not just for secrecy reasons but “deniability” as well. Thus it was that the UK country side got strange “grain silos” owned by the UK Gov “Property Services Agency” poping up just where the secondary side lobes of the microwave links then used for long distance trunk crossed. They got sold off a few years later as the trunks switched over to much higher capacity fiber networks…

The investigative journalist Duncan Campbell, realy screwed it up for Maggie and the IC because he “got on his bike” and went around the country mapping out both BT’s and the Millitary microwave comms links. He photographed the towers and antennas making maps of the network and all sorts of interesting things. He wrote it up for use by Open University Students as well as working out the relationship with Echelon. He was a real Thorn in Maggie’s side, and she tried to have him imprisoned. Unfortunatly the Gov witnesses at his trial did very badly on the witness stand which put the lid on the coffin of the case. But the final nail was the allegation he had published the “Oh so secret” address of GCHQ in Cheltenham. The prosecution put lots of gusto into this to then be shot down in flames when the defence barrister held up a copy of Wirless World Magazine in court. In the back of which was a full page jobs advert for GCHQ helpfully giving their full address… It would have been historically funny if it was not so sad.

Ministry of Truth June 21, 2016 1:17 PM


True. It certainly wasn’t my intention to extol the virtues of ETSI. The point I was trying to make in response to Brennan’s ridiculous insinuations is that, when it comes to international cryptography, the maths, the products and even the standards agencies are pretty well established outside the USA. Anyone who has traveled outside their own state can see that. A lot of the cryptography running in our phones was developed outside the USA. If they push too hard and give the world a good chance to really mistrust American products it might became painfully apparent just how rapidly the rest of the world can fill in the gap. Ask India and Germany how they’d feel about the opportunity to take a chunk out of Silicon Valley’s business model.

Spooky June 21, 2016 2:10 PM

Brennan’s comments are certainly strange, as substantial portions of today’s crypto did not originate from the US (Rijndael/AES, SAFER, Serpent, IDEA, etc). And lest he forget, non-US researchers were able to break 31 of 32 rounds of NSA’s Skipjack at Crypto ’98–so, he’s on fairly thin ice when crowing about the alleged superiority of US designs (which includes RC4 and MD5, also considered broken). His smugness is quite unjustified, IMHO.

@ Cassandra,

I believe Intel ME/AMT started to show up around 2008. Certainly, all processors and products manufactured after that year would be suspect, although I’m not sure if all budget tier CPUs received the functionality during the initial rollout. Due to the out of band communications abilities of this onboard processor and its unrestricted access to all host memory, my personal feeling is that a computer that contains ME cannot and should not be trusted with sensitive data–ever. No matter the TPM and secure boot strategy, no matter the security of the overlying OS (Qubes, Subgraph, Tails, etc) you have to consider that the software running on that alternative processor has access to every keystroke, every certificate or private key, the internal state of every PRNG, the camera and microphone, etc. And because it has direct access to the NIC, it can easily exfiltrate that data at any time (even after the host has been powered down). Yes, some systems are equipped with a BIOS menu option to disable ME but you have to keep in mind that this just a menu setting on a screen full of text; you have no way of actually verifying what the alternative processor is doing. It could be ignoring your settings and doing anything at all, you’d be none the wiser (until NSA starts using your MS-issued vendor cert to sign their malware). I do not see a fix for this. The existance of this additional processor essentially destroys the ability to build an unbroken chain of trust on modern Intel hardware.


Grauhut June 21, 2016 2:40 PM

@Clive: I did some ME tricking tests, but not too deep (no packet tail fillup analysis on legit packets for instance, scs setup was boring enough). I was just a little curious. Wintel stuff is part of my offical me, in this dmz i dont mind (and log). But even with cheap tricks like this possible i wouldnt place hot, sensitive stuff on them. Sunxi based devel boards are small, cheap, fast, they dont need firmware blobs and there is a lot of os support for them…

And yes, imho one needs to replace all Intel nics, wireless also. I left the Intel eth nic active with a dead end 10/8 dhcp ip address on it, connected to an old china crap openwrt router. gives you the needes infos.

remo June 21, 2016 3:16 PM


So they re-encrypt their strongly encrypted message using the weaker public crypto, ie a “plain brown envelope”. It won’t stop someone intent on opening (decrypting) that envelope, that’s what the inner strong crypto level is for, but it keeps their message from standing out as “different”.

Wouldn’t that still show up as a suspicious message? In my understanding anything we would consider to be a “strong” crypto level would end up having a huge message size compared to “normal” messages for these communication platforms. Messages getting passed back and forth over whatsapp in the form of huge blocks of encrypted data would be much larger than just a “lol” or “hey” like most people send.

It wouldn’t hurt to put it in the plain brown envelope but when yours is stuffed to the brim and the others are all paper thin, it’s pretty easy to tell which one to open.

Cassandra June 22, 2016 3:47 AM


You and I are singing from the same hymn sheet.

Many people do not want to hear this as it makes their lives too difficult.

I wonder how long it will be before criminals exploit this.

Jonathan Wilson June 22, 2016 4:15 AM

I suspect a large amount of the cryptography in common use today (in western countries at least) is produced by companies or organizations that are US based.

Chrome, Chrome OS, Google, GMail, Android, OSX, iOS, Safari, Firefox, Apache, RedHat, Java, .NET, Facebook, WhatsApp, Windows, Internet Explorer, Edge, IIS, Outlook, Exchange, Office, iMessage. All developed in the USA or by companies headquartered there.

Clive Robinson June 22, 2016 6:27 AM

@ Jonathan Wilson,

I suspect a large amount of the cryptography in common use today (in western countries at least) is produced by companies or organizations that are US based.

That is “default” usually link based privacy crypto that comes part and parcel of the “third party” communications providers in their hardware and software. In the same way A5/2 in GSM Phones and WEP etc in WiFi.

Such third party privacy crypto is not ment to be secure to any secrecy standard. We have in the past seen this well demonstrated with the WiFi “Wired Equivalent Privacy”. The name indicates exactly what it’s purpose was, the fact they did it badly –for whatever reason– ment it was quickly attacked and thus later superseded. Likewise the GSM A5 crypto only covers the air interface link for “privacy” and the back haul is entirely unprotected.

SSl is likewise a default comms link protection in that it is inside the comms link not outside of the comms link. It had a slightly higher ambition of providing a modicum of security for financial transactions. If you analyse it it is also not under the users control but the third party CA’s.

Secure end to end encryption lies beyond not just the communications end point, it also is not default, nor importantly under control of a third party.

It is in this arena that non US organisations provide “user choice”, but it is never “default” or “under third party control”. Untill recently it has been a very minor niche market.

The main hurdle with non default non third party control is the issue of usable compatability.

Aside from actual crypto protocols and modes the issue is Key Managment. That is how do you get two things,

1, Authenticate the unknown user.
2, Transfer a session or other key securely.

There are various ways to do the second part, but many have relied on a third party in some way. The first part is the one we have not solved without the use of one or more third parties.

Thus for the bulk of Internet usage and users the “defult” comms link encryption controled by third parties is the only way they can go.

Thus the question arises of how to reduce or eliminate the third party control threat.

Whilst there are changes that can be made the two main threats are,

1, Hierarchical structures.
2, End runs in end point systems.

There are two ways to get at the contents of encrypted communications, decryption or access the plaintext. Decryption requires either breaking the system or having access to the keys. The second involves a minor attack at most betond the crypto end point.

For by far the majority of users the default communications end point is in the end equipment that is under the control of a third party, so “end runs” are the prefered way to go with third party backdoor access in the Apps, OS or underlying hardware. All of which we know most definitely exist currently.

Failing that hierarchical trust systems such as PKcerts can be abused to “put a comms end point in the middle” and get at the plaintext that way. We know that companies sell such equipment to do these Man in The Middle attacks, and also that many Certificate Authorities have very poor security, so abusing the hierarchies of the many “default” root certificates is not much harder than doing an end run.

Thus I suspect the panic in legislators for “mandatory access” is not for the default third party controled crypto endpoints of the masses, but the beyond comms end equipment not under third party intervention crypto equipment that more people are investigating and using since the Ed Snowden revelations.

But the people who use such crypto hardware equipment are not currently terrorists, or the usuall FUD horsemen of the Internet apocalypse criminals either. Nor for that matter are they likely to be in the future. They are people and organisations with legislated requirments for secrecy in their proffessional activities. Which brings up the question of economic espionage etc yet again.

These issues are getting overlooked by the main protagonists in this debate and it’s well past time things were made a lot clearer for people to understand.

Clive Robinson June 22, 2016 6:54 AM

@ Grauhut,

But even with cheap tricks like this possible i wouldnt place hot, sensitive stuff on them. Sunxi based devel boards are small, cheap, fast, they dont need firmware blobs and there is a lot of os support for them…

Thanks for the reply.

I must admit my thoughts on Intel ME are perhaps not “for younger readers” and I’m not sure my keyboard has sufficient non alpha keys to give full vent.

In fact I’ve come to the conclusion that Intel is not only not for me, but should also be proactively “gapped” for even low end business use. So either full disconnect or back to the days of proper “Bastion Hosts” and DMZs as the base game plan, with instrumentation and logging and augmented where reguired with more modern data diodes, guards, pumps and sluices not based on either Intel or one single microcontroler manufacturer.

With regards Sunix, I was looking at the “$9” computer that uses the same family of SoC’s. For certain people the fact they are “Chinese” might be a deterant, but it may not be an issue with a little thought.

I guess it’s time to put my hand in my wallet and disturb a few moths 😉

Grauhut June 22, 2016 7:26 AM

@Clive: Have a look at something in the pine64 class for power or banana pi for widest compatibility.

Geoff Nicoletti June 22, 2016 7:43 AM

Schneier has provided—or should I say Brennan has provided a little light reading for Rob Joyce. I still don’t know why we don’t have paswords of 128 digits, generated by two large primes, generated by the user’s two private phrases—passwords should challenge…prime number equivalents should be memorized. One way function trapdoors could be generated by granny beside banks. This 11 digit password is nonsense. Only I know the two phrases for the primes and, unbless, the hacker has a keystroke exploit going, he can’t break my composite…my password.

Cassandra June 22, 2016 9:02 AM


The products available from Olimex and Rhomus Tech, as pointed to here:

show potential promise, but the key point is that not only should the processor not have unauditable firmware, but any peripheral devices, such as network interfaces or storage devices, should also not have unauditable firmware.

Both Android/Linux and most distributions of GNU/Linux make use of ‘binary blob’ software in device drivers, as it is almost not possible to find hardware that has open firmware – especially as the usual low-cost end of the market.

Linus Torvalds takes a studiedly disinterested position on this issue. If you choose to use binary blobs, that is YOUR issue.

As others point out, in a perfect world, one also needs to be able to audit the hardware. this is difficult, but if you want a demonstrably reasonably secure system you will always need to be able to audit the software, so efforts to do so are not wasted.

Clive Robinson June 22, 2016 9:20 AM

@ Geoff Nicoletti,

I still don’t know why we don’t have paswords of 128 digits, generated by two large primes, generated by the user’s two private phrases

It’s simply that the human mind can not reliably remember enough entropy.

For instance take an English sentance, the first character of each independent word has the most entropy at three to four bits, the next charecter with some (Q then U) zero or near zero bit exceptions has two or three bits, the next few about 1 to 2 bits and often the last two or three have zero bits of entropy (I then NG). But after a couple of words the next word is not independent and can often be only one or two bits of entropy.

But even though the XKCD “horse battery…” method is initially a lot better, there is a problem with the random words and the average or below mental ability. Like remembering PINs four words/numbers are the low water mark of many people with the high water mark being six words/numbers for many. That only gives 10bits of entropy at most per word and sometimes less. Worse a number of people will often rearange the words knocking upto a couple of bits of entropy of each word. So even six words may only just give 50bits of entropy, which is a long way short of your 128digits (~420bits)… To remember two random word phrases each around 45 words long acurately is well beyond what all but a handfull of people in the world can accomplish.

Andrew June 22, 2016 12:25 PM

encryption = processor + controller + memory + BIOS + OS + storage + algorithm
encryption <> cryptography
=> brennan is right

Anura June 22, 2016 2:01 PM

@Clive Robinson

Diceware, when used properly, has a little less than 13 bits of entropy per word. So four words is over 50 bits. Pretty respectable, but not amazing. However, this assumes the attacker knows you are using Diceware. For the most part, they go after the low hanging fruit first and try simple dictionary attacks, followed by more complex dictionary attacks.

It really depends on your threat. If you use the same password everywhere, odds are someone is going to be storing it in plain text, or is going to get malware that scrapes login details before they can be hashed. In this case, you are pretty much screwed regardless.

Now, if your password is in a leak of a million passwords stored with a simple unsalted hash, there is a relatively high chance that someone will use the resources to go through every four word diceware password. If the hashes are salted, the probability goes down significantly, but not so much that you can consider that password to be safe.

If the passwords are stored with PBKDF2 with 1024 iterations, this is effectively the same security as a password with a regular salted hash that has an extra 10 bits of entropy. BCrypt or another algorithm that provides resistance to GPUs can add additional security.

If you are being explicitly targeted, then it is a matter of how much resources the attacker has. If they have the resources to attack a service you use and install malware on the servers, you are screwed, and the best you can do is avoid password reuse for important services (banking, email).

Five word diceware (64.6 bits of entropy)is probably the lower bound to protect yourself against a leak of salted hashed passwords where you are not explicitly targeted, but absolutely no password or server-side hashing will protect you against servers that have malware installed. It’s probably prudent to remember a separate 6 word password for each financial service you use, and your primary email. Or simply go with a 20 character random alphanumeric password generated and stored with KeePass or a similar utility.

Nicola June 22, 2016 3:52 PM

This will come back to haunt him in so many ways in which he can’t comprehend right now.

A storm is coming

Grauhut June 22, 2016 5:18 PM

@Cassandra: Wich blob do i use on this A20 board? 🙂

Sunxi is not a Broadcom system like the Pi, where the GPU is a second blobed CPU…

root@some:/home/# lshw
description: Computer
width: 32 bits
description: Motherboard
physical id: 0
description: System memory
physical id: 0
size: 905MiB
physical id: 1
bus info: cpu@0
size: 1008MHz
capacity: 1008MHz
capabilities: cpufreq
description: Ethernet interface
physical id: 1
logical name: eth0
serial: 02:43:04:c4:31:45
size: 100Mbit/s
capacity: 100Mbit/s
capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=sunxi_emac driverversion=1.01 duplex=full ip= link=yes multicast=yes port=MII speed=100Mbit/s

root@some:/home/# lsmod
Module Size Used by
sg 24630 0
cpufreq_stats 4165 0
cpufreq_powersave 1387 0
cpufreq_conservative 6730 0
cpufreq_userspace 3602 0
iptable_filter 1718 1
iptable_mangle 1696 0
iptable_nat 5313 0
nf_nat 20041 1 iptable_nat
nf_conntrack_ipv4 16143 3 nf_nat,iptable_nat
nf_defrag_ipv4 1579 1 nf_conntrack_ipv4
nf_conntrack 91229 3 nf_nat,iptable_nat,nf_conntrack_ipv4
ip_tables 13759 3 iptable_filter,iptable_mangle,iptable_nat
x_tables 19272 4 ip_tables,iptable_filter,iptable_mangle,iptable_nat

(and no, these are not my real mac / ip addresses;)

Richard June 22, 2016 11:06 PM

I did find John Brennan’s comments particularly silly and ironic given the fact that yesterday I was playing around with a nice crypto library that runs full AES encryption (with 128, 192, or 256 bit keys no less) on a tiny Arduino Nano.

The ironic part given Brennan’s statements being that this is a cipher designed by two Belgians running on electronics manufactured in China, based on a hardware design from Italy, running code originally written by a guy from the UK – and with a little tweaking would be totally unbreakable by all the massive resources of the CIA and NSA.

I was just looking to create a security dongle type module, but with very little additional effort, this hardware and software could be used to create a very secure offline cipher machine.

The Arduino Nano has more than enough resources to run AES, and with the addition of a few other readily available libraries, one could easily implement code that would allow the Arduino to read characters from a PS2 style keyboard, AES encrypt the text, and display the resulting HEX (or Base64) encoded ciphertext on a local LCD creating, which along with the reverse sequence for decryption, would create the modern day equivalent of an AES based Enigma machine.

Taking a historical lesson from the original Enigma (which much to the German’s dismay, turned out to be crackable) we could even up the game a little by super-encrypting AES with RC4 (plain text > AES-CBC[secret IV] > RC4 > cipher text) since this would not be hard to do, even given the limited resources of the Arduino, and would result in a composite cipher which is provably much more secure.

It would be virtually impossible to attack this composite AES-RC4 cipher, because the AES-CBC secret IV acts as a one-time-pad that not only makes the first block unconditionally secure, but also cascades unpredictable randomness throughout following CBC blocks, one after the other, making it theoretically impossible to guess ANY specific bit or byte value at ANY specific location (not just difficult, IMPOSSIBLE), and without this kind of information it will also be impossible to mount an effective attack to recover RC4’s internal state and break the upper level RC4 cipher.

Kind of ironic don’t you think that after the NSA has spent billions in attempts to subvert encryption worldwide – that anyone who is really interested in doing so could easily combine a three dollar microcontroller module with readily available open-source software libraries, to create a totally unsubvertable unbreakable off-line cipher machine, which unlike its historical Enigma counterpart, would offer truly uncrackable security.

Bruce says that “security is hard”, so I don’t want to understate the importance getting the details right, but with care, remarkably simple hardware and software can provide virtually unassailable cryptographic security.

So given that a three dollar micro-controller from China, can quite easily create coded messages that can’t be broken by a three trillion dollar NSA super computer – it would seem that it is effectively IMPOSSIBLE to prevent random individuals from being able to communicate securely over the Internet if they wish to do so.

So a reasonable question at this point might be – Why waste billions and potentially TRILLIONS constructing an oppressive surveillance state, when the battle is effectively lost before it has even started?

Andrew June 23, 2016 11:33 AM

Plus its more fun to use gear backdoor-ed by enemy. At least they are further.

Daniel June 23, 2016 12:44 PM

I thought Herb Lin’s commentary was thoughtful and well spoken but I think he makes a major error. He writes, “Second, over many decades it’s pretty much been shown that most consumers (aka the general public) will trade away their privacy for very small benefits in cost or convenience.” That is true but the key question is whether the future will mimic the past. And there is excellent reasons to believe it won’t. One excellent reason to believe it won’t is generational–that most consumers in the past were not security conscious because they did not grow up in a security conscious culture. There is no doubt that this is changing. Whether it changes enough to invalidate Lin’s point is an open question. The other reason to suspect that the future will not be just like the past is because of the more general observation that in human affair the future is almost never like the past. The internet didn’t exist in its current form 25 years ago.

SO in the end, Lin’s “observation” is really nothing more than a prediction about how consumers will behave in the future. A prediction that intelligent analysis has reason to believe is dubious.

Richard June 23, 2016 4:25 PM

@ Andrew

Avoiding backdoors in PC, Tablet, and Smartphone hardware is pretty much a lost cause…

… but it would be MUCH harder for any would-be evildooers to try to install a backdoor in every micro-controller module, with about a hundred variations of Arduino modules alone – and that’s not even counting the Microchip, Freescale, and other micro-controller ecosystems.

Also, they would get caught out fairly quickly, since with a simple text based off-line crypto system EVERYTHING it sends can be seen and verified quite easily.

For example, one common trick used by malicious crypto code is to encrypt the users key information and leak it as part of the supposedly random ‘salt’ value, that is used to insure that each encryption session is unique. This can easily be avoided by making the Salt value a secure hash of the plain text plus a unique date-time-stamp.

This would allow message integrity validation and insure that the Salt would be deterministic, while remaining secure and unique.

Thus EVERYTHING output by the micro-controller, can be made to be 100% deterministic (so it can be externally validated), and there would be NOTHING transmitted as part of the message that could be used as a side channel to leak key material.

I suppose that the evildooers could get really clever and start shipping chips that incorporate something like an ESP8266 WiFi core, but they would get caught-out pretty quickly when a supposedly non-WiFi enabled microcontroller suddenly starts drawing 10 times the power that it should, and trying to find and connect to an unsecured WiFi hub.

One thing is certain, regardless of all the possible hypothetical tin-foil-hat scenarios, there is little doubt that a small scale, simple, micro-controller based crypto system would be one hell of a lot more secure than anything PC, Tablet, or Smart Phone related.

Clive Robinson June 23, 2016 4:53 PM

@ Richard,

One thing is certain, regardless of all the possible hypothetical tin-foil-hat scenarios, there is little doubt that a small scale, simple, micro-controller based crypto system would be one hell of a lot more secure than anything PC, Tablet, or Smart Phone related.

Having spent a good chunk of my time on this blog promoting the same ideas (beyond ad nauseam some would say 😉 that I was actually talking and promoting about from the mid 1990’s onwards, I know that pushing that particular rock up the hill, can be frustrating.

There is however one argument against it which eventually you will have to find a solution for. Which is the “It’s not integrated/integral to the communications system”. This has various points behind it, one of which is OpSec. That is walking around with the device in your pocket can put you on the spot with the authorities if the search you for some reason.

It’s one of the reasons I personaly think it should be aimed primarily at “The protection by strong authentication of financial transactions”. That way the perception of the device is radicaly different to the alternative one of “Spy Kit”.

It’s not a new idea, for instance Bruce’s password manager software can also act as a file encryptor. Perceived by LEO’s and the judiciary as a “Password Manager” it’s regarded as a good thing, as a “file encryptor” a bad thing…

Richard June 23, 2016 6:33 PM

@ Clive Robinson

Actually, it’s funny that you would mention Bruce’s password safe, as this is exactly along the lines of what I was thinking would be a PERFECT application for an external micro-controller based cryptography dongle.

With the ATmega32u4 based Arduinos you get a few extra bytes of RAM, and the capability to fully emulate a USB keyboard device.

So using one of these, it would be fairly trivial to build a small box with a PS2 keyboard input port, a 40 character by 2 line LCD display, and a USB output cable.

The device would act as an enhanced PS2 to USB keyboard converter.

The main enhanced feature would be that the box would provide secure password storage allowing you to store long highly random, highly secure, maximum entropy passwords for all your website and other system logins.

Unlike Bruce’s software, this hardware would not be operating system specific, and not vulnerable to having its master key compromised by a PC based trojan, or key sniffer.

Of course, when operating in standard USB keyboard compatible mode (just as with any standard keyboard) your individual passwords could still be read by a keylogger as they are auto-typed for you by the device, but this vulnerability could be greatly reduced by implementing a custom device driver to securely encrypt keystrokes between the driver and hardware.

So Clive, getting back to your point – the main ‘legitimate’ function of the device would be to let you hit a hot-key, then quickly scroll up and down through your stored passwords with the keyboards arrow keys, and ‘type’ any of them instantly with a single stroke of the ‘enter’ key.

–but nothing would prevent us adding a ‘fun’ utilities menu that would allow you to exchange ‘fun’ captain midnight decoder ring style secure message with your friends – with the “decoder ring” encryption being defined as the unbreakable 512 bit composite AES-CBC[secret IV] -> RC4 cipher that I described earlier.

— Just because, I think it’s much more ‘fun’ to ‘play’ with a cipher knowing that it can’t be broken even if you turned every electron in the universe into a quantum super computer, and let them work from the big-bang to till the big-crunch…

WhiskersInMenlo June 23, 2016 6:36 PM

There is a conflict of logic information and agenda regarding personal computers
in various departments within local, state and federal law, law enforcement
and the minds of judges.

Some courts are saying any “personal” computer connected to the Internet will get hacked.
Some agencies are saying that they need a back door.
No agency has a back door repair strategy. Recall that courts are telling us
all computers will get hacked thus the backdoor will get hacked and will need repair.

If hacking is so prevalent, it is also unreasonable to accept apparent evidence from the computer
because there can be no expectation that the machine was not hacked and the content inserted
in the machine by the hacker not the owner of the machine.

Hacking by an investigative agency that reduces security of the machine
for the facility of the agency further diminished to nil any content that
one of the hackers might assert was evidence.

“For example, hacking is much more prevalent now than it was even nine years ago, and
the rise of computer hacking via the Internet has changed the public’s reasonable expectations of

Andrew June 23, 2016 8:58 PM

“one common trick used by malicious crypto code is to encrypt the users key information and leak it as part of the supposedly random ‘salt’ value”
Another one is to write it temporary on disk and “delete” it without overwriting.

Spooky June 23, 2016 9:53 PM

@ Richard,

I admire your obvious enthusiasm; the ideas are good ones. I will say this, though: NSA has little need to break algorithms directly; instead, they will analyze and attack weaknesses present in the components of a system (typically at endpoints) or target exploitable interactions among components. Personally, I love the idea of a simple, stateless, hardened device. It’s hard to know what to do about the necessity of keyboard input, that being one of the most trivial components to attack (it exposes not only the plaintext message but passphrases and passwords as well, unless certs are used religiously). Perhaps the system supplies a random re-mapping of keyboard keys with each boot (that could be displayed onscreen while you type, or perhaps on the keycaps themselves via OLEDs). If your screen consisted of a headset that painted the text directly on to your retinas with a laser, that might be a bit harder to intercept (well, apart from the fact that–unless deliberately obfuscated–the draw time of each glyph is probably unique, so recording the periodic emissions caused by switching the beam on and off would probably allow you to easily decode the message text). Yeah, this stuff pretty hard. It certainly lies well outside my capabilities. Beyond a certain point, it just seems more prudent to leave computers, cellphones and the Internet behind completely. You eventually reach a point where it appears to be doing far more harm than good (and perhaps that point is different for every person). As much as I love programming computers and using the Internet to learn new things, there is still much joy to be had from reading books, playing board games, using my old set of microscopes and having face to face conversations with real people. If the only point of getting online is to be continuously surveilled by corporate and government interests and be force fed endless streams of advertising, then I can honestly say that I’m not really interested. Sorry for the ramble! 🙂


Figureitout June 23, 2016 10:39 PM

–That still doesn’t change the fact that someone has to actually do the work and that the more times any kind of attack is used the greater chance it gets a nice breakdown blog post and a patch or maybe even a slight design change. And stumbling upon encrypted comms or data, isn’t just automatic to decrypt, especially when you chain ciphers. Think it’s mostly FUD at that point and not in line w/ reality, and that if people actually made daily use of offline MCU-based security devices, comms at the least would be secure. Internet connected endpoints of all kinds are pretty tainted these days thanks to intel agencies and other hackers too b/c one person can easily attack multiple machines, that’s not the case w/ offline MCU’s, and the reward is less too since they’re very disposable too. The main thing we need is an easy to build data diode for transporting data one-way from MCU endpoint to internet connected node.

You can always go off the grid lol, but gets lonely.

–pjrc has a nice PS2 library, and Mikroe has a nice PS2 breakout board. One of my first projects w/ arduino was a morse keyboard. It’s not as secure, but I really like the mini USB wireless keyboards, they’re about the size of a cellphone. I use it for my RasPi, since I’m using Jessie Lite and won’t download the X GUI, I just need a keyboard to manuever around. TFT screen on top, and it’s quite the portable hacking machine (you can just lounge around w/ the keyboard anywhere since it’s a tiny wireless one) and you can run all kinds of more powerful programs.

Spooky June 24, 2016 2:26 AM

@ Figureitout,

If you make it easy enough, there’s really not much work for them to do. Your adversary can be sitting curbside, recording the noisy EM radiation produced by your keyboard and logging every keypress. They get the plaintext of your message for free, as you’re typing it, before it has an opportunity to be passed to the MCU and subsequently encrypted. The game is over, before it has even begun. That’s what I was getting at–the keyboard itself is an enormous problem, from a security standpoint. If you scramble the key-to-letter mapping with every boot, it requires them to know a lot more than what key was pressed; now, they have to find a way to capture the specific key map used for that session. Once you power cycle, it’s gone forever.

In all fairness, typing on a scrambled keyboard every day would be a serious PITA. But if the operators of the German Enigma machines could manage similar duties for years without losing their sanity, so can you. 🙂


Spooky June 24, 2016 3:29 AM

@ Figureitout,

You can always go off the grid lol, but gets lonely.

I hear that quite a bit, actually. 🙂 Do you really believe it? You’d think that all of the people from my generation (and earlier) who grew up before the existance of online communications lived these lonely, desperate and unconnected lives. That weeks of privation, dangerous transoceanic voyages and signal flares were somehow required to look for mating opportunities, etc. I can promise you, it was not that bad! People tended to spend their time a bit differently but they were not left wanting for entertainment options or social engagement. Not being continuously exposed to so much information 24/7 certainly made the world seem like a calmer, quieter place. That perception may not have been accurate, but I cannot say it was entirely bad either…


Figureitout June 24, 2016 6:54 AM

–Yeah that’s if you’re lazy. If you’re lazy and don’t work harder than the attackers then you’re screwed regardless, there’s no helping you. It’s easy enough to move to different places to type (or write) things, huh, odd concept eh? IF you need that level of security. Reliably reading the EM signature from a keyboard, so far all the attacks are pretty line of sight, so you could probably spot the attacker. You can then see the hilarious hollywood black van out in the burger king parking lot as you’re typing your OTP in the bathroom. They would need to be able to do that everywhere (you see the FUD starting to creep in..?). What about your local park, they have keyboard EM signature readers in the trees? What about a parking garage? I know the cameras, you can usually spot those easy enough. Then you get into types of keyboards, what about a hex keypad? On a touch screen you can remap the characters. You can map the characters differently in flash too, that’s what we did on my school MCUs. You can physically layout a hex keypad however, map the characters differently in software (there was pull down and pull up which would make you return either a 1 or 0 on the keypad, then you can change if you’re looking for 1 or 0 w/ an instruction (beq, or bne)).

RE: loneliness off the grid
–Look up Doug Coulter, he got interviewed. He’s got a nice community setup. Certainly possible to not be lonely if the community is good. I know a place where everyone waves regardless if you know them; and they lend grown produce and let people borrow stuff etc.

But actually being off the grid does get lonely (depends on what you call off the grid), and you don’t know what’s going on in the world, which kills me a bit.

Nick P June 24, 2016 8:28 AM

@ Spooky

We did indeed. I lived in a rural area too much. So, we had to improvise as kids. We used our imagination more for sure. Did hiding/hunting games, wrestling matches, arbitrary contests, and whatever. Learned to climb about any surface. Tested the patience of animals in farms and woods. Ran terrified from some animals in farms and woods who weren’t as cute as cartoons indicated. Cooked or burned all kinds of stuff in bonfires. Took in plentiful sights of nature in a variety of weather conditions. Practiced meditation. Wrote things in journals. Improvised what we saw on TV or heard on radio. Jammed to music. Four wheeling. Fishing. Crafting. Carpentry. Tear down and rebuild vehicle or appliances in junk heaps people inevitably have. All sorts of things.

No wonder that, on average, we’re much more versatile than the next generation. 🙂

Actually have a funny story on that. First example. Family was bored so we found a nice spot in the woods for a camp fire, tent, food, and fishing nearby. My friend and I never excited by that stuff if it’s just sitting around. Rather explore. Walking and talking aimlessly through the woods eventually dumps us into an open field. A snort or some noise makes us look up to find two cows about 30-50 yards away staring at us.

Me: “Hey, it’s some cows. That’s cool. Maybe they’ll let us pet them or something.”

Him: “Yeah man!”

(Cow begins shaking head vigorously clockwise and counter-clockwise.)

Me: “What’s that mean? Is his head itching or does it mean he…”

(Both cows charge toward us at full speed making noises a tad scarier than the cartoons. I was no longer confused.)


Our adrenaline kicked in on top of us both being talented sprinters. I told him to zig-zag given bigger things usually can’t turn on a dime. Ran around every tree I could see. I could hear them crushing wood under their feet early on. Didn’t look back even when that noise disappeared as I wasn’t chancing it. Eventually stopped running, caught our breath, still anxiously looking/listening for animals, and returned to camp site with good story. It was first, reality check I got far as how animals act in real life. Plus, how many people can say they outran a bull or cow? Haha.

Note: Snakes, on the other hand, we’re taught about during an early age since they’re everywhere. The venom didn’t stop us from coming up with creative ways to catch and screw with them. Probably the neat way that they move, coil, and strike that kept us fascinated with them. In comparison, many suburban or city people freak out seeing a garden spider… near the garden. Lol.

@ Figureitout

“But actually being off the grid does get lonely (depends on what you call off the grid), and you don’t know what’s going on in the world, which kills me a bit.”

Good points on community and grid. It’s true you get lonely or isolated. That’s not the worst part, though. The worst part is that it becomes like an echo chamber of sorts where you’re likely to be incidentally brainwashed into one way of thinking due to little exposure to everything else. Better to be in a more, diverse area that’s still stable. Better to be on grid even. Trick is to learn to worry as little as possible about shit. Far as being watched, just look at all kinds of random stuff using the same accounts so your real interests disappear in the noise. Use paper & non-networked cameras w/ cards for secret stuff. Tell people you prefer talking face to face if they say important stuff on surveillance-oriented messengers. Not that you worry about surveillance but that you prefer face-to-face as it’s more deniable.

Little things can help you. Just don’t get isolated as that erodes the mind.

r June 24, 2016 12:46 PM


There is only a limited amount of time left when we will remain able to see the attacker, likely: Amazon is not the only entity considering drone delivery.



blockquote>I suppose that the evildooers could get really clever and start shipping chips that incorporate something like an ESP8266 WiFi core, but they would get caught-out pretty quickly when a supposedly non-WiFi enabled microcontroller suddenly starts drawing 10 times the power that it should, and trying to find and connect to an unsecured WiFi hub.

Not necessarily, while I have absolutely zero EE background I still believe you’re assuming a little much.

The transmitter doesn’t need to be in listening mode often or at all, or even transmitting in an outsider predictable (intermittently, hourly, daily) fashion very often at all.

Low power + intentionally bad frame checksums should be enough for most people to overlook communication nodes in common (non emsec) environments.

You just make your output resemble noise. Perception is everything and quality and structure are the variables between garbage, noise, encrypted data, plaintext and misdirection.

Figureitout June 24, 2016 10:36 PM

Nick P
–Being off the grid is very secure though, Doug Coulter gets basically all his power from solar panels, you can’t monitor that power usage besides bugging the house.

Looking at random sht is a waste of time, don’t really care anymore so long as they stay the fck away from me and outta my way. It’s no secret I love MCU’s, radio, low level programming, some crypto, etc.

–Uh huh, sure. Wanna make a bet on that? There’s way way too many problems w/ such a scenario. Wonder what happens when a child gets de-scalped playing in the backyard? People complain about antennas as an eyesore and fight to the death over it, think a bunch of drones buzzing around is going to look pretty? Going to be way too many busted drone parts littering everywhere.

Also wanna make a bet I can evade drones too?

r June 25, 2016 8:44 AM


I’m not saying using the drone as a repeater, I’m talking about using drones to deliver a small repeater (a fixed position drone).

What kind’ve weight limits do the smaller ones have?

Attacks only improve: the security of your body, fingers and eyes don’t include planned upgrades.

Richard June 25, 2016 2:27 PM

@ r

… I still believe you’re assuming a little much.

Again, thanks for keeping me honest.

Yes, I am making a broad assumption here – namely, that the device will attempt to connect via standard WiFi protocols.

— and yes, as you stated, there are a number of tricks that can be used to try to fly-below-the-radar on WiFi, but ultimately my point was that, when the device does succeed in establishing a connection through an insecure target-of-oportunity WiFi node (open or WEP), it risks leaving an audit trail.

But if you will allow me to put on my tin-foil-hat for a moment – then I would have to agree wholeheartedly that MUCH more dangerous attack vectors are likely to exist – and may well already be being exploited.

Spread spectrum has been used for years by the military and intelligent services to implement secure low intercept, jam resistant communications (long before it’s use in WiFi, Bluetooth, etc).

Modern WiFi chipsets use programmable hardware to impalement both direct sequence and frequency hopping spread spectrum (for the original 802.11 and 802.11b standards) plus sophisticated OFDM modulation (used in 802.11a/g/n).

So by simply compromising the proprietary ‘blob’ of code used in programming the chip (or accessing the existing code in ‘diagnostic’ mode), an attacker could alter the parameters of the spread spectrum transmission to create an alternate mode that is not only invisible to ‘WiFi Radar’ type scanners, but which also can not be easily detected using generic RF scanning equipment like a spectrum analyzer.

At the receiving end, we re-correlate the signal energy and recover the original data stream, but to do this we need to the frequency hopping or digital ‘chip’ pattern used in creating the original signal. These patterns are typically created using a simple non-secure method like a LFSR, but if we substitute a cryptographically secure psudo random source (CSPRG) instead, then it will be very difficult to even detect the signal without the correct cryptographic ‘key’.

This is because by exploiting the high ‘processing gain’ possible in spread spectrum modulation we can actually send signals at levels well BELOW the background thermal noise floor.

Spread spectrum won’t let you violate Shannon’s channel capacity, so you need the same total transmitted power to overcome a given amount of background Gaussian noise for a given bit rate, but it will let you spread that transmitted power over a large bandwidth to hide it under the existing background noise – and Shannon does let you trade off a lower bitrate for lower power (or longer transmission distances at the same power), so if we limit the bandwidth to a few kilobits per second, the standard WiFi power levels of a few hundred milliwatts could drive a signal a mile or more.

To help facilitate this type of attack, the fine folks at Microsoft have added nifty “virtual WiFi” network hooks to allow your WiFi chip to spawn secondary devices. The legitimate motivation for such a capability is to let your computer spawn legitimate WiFi Hotspot hubs like some cell phones – but Microsoft doesn’t seem to be doing much to advertise this support, so who do you suppose was pushing for it???

Of course, for all this to work, the transmitting and receiving points would have to be compromised with the same malware so that they would both be using the same secret modulation scheme, but given the sophistication of some of the attacks that have already been exposed, it’s not to hard to imagine that overlaid with virtually every home and business WiFi there is a hidden NSA.NET hotspot.

r June 25, 2016 3:35 PM


Dang, thanks for the time+investment responding to that.

I was reading up on the SDR wiki last night, learned some things that reinforced other beliefs i had and some of what you’re referring to here.

Muito Bueno. 🙂

r June 25, 2016 4:35 PM


Also, my intent is not to keep you honest: it’s to improve myself and others. I didn’t want to see someone making what I saw as a risky assumption. I’m not a state actor just some slideshow skiddie and if I’m aware of accessible semi stealthy misuses others who are more dangerous or mischievous may be aware and already there (close by).

Thanks again.

Clive Robinson June 25, 2016 6:18 PM

@ Richard,

These patterns are typically created using a simple non-secure method like a LFSR, but if we substitute a cryptographically secure psudo random source (CSPRG) instead, then it will be very difficult to even detect the signal without the correct cryptographic ‘key’.

Whilst you can use most LFSR’s with a shortish sequence, you need the result to be balanced well within an individual symbol duration. This is because you are in effect producing a DSBSC signal and any imbalance will produce a baseband offset which will effect the data recovery. Many crypto algorithms don’t guaranty the required balance as they are not “linear codes”.

Oh and something else to consider you say,

Spread spectrum has been used for years by the military and intelligent services to implement secure low intercept, jam resistant communications (long before it’s use in WiFi, Bluetooth, etc).

Actualy SS had been used for years, for it’s “Low Probability of Intercept” (LPI), but not any longer. Modern SDR type techniques have rendered spectrum spreading to be almost as easily detectable as any other suppresed carrier (SC) system.

Also modern modulation systems are now aproaching what looks like “white noise” to most non modulation specific test kit. With the addition of various FEC codes bringing bandwidth utilization about as close to the Shannon limit as you can get, and MIMO techniques SS is very much old hat in the LPI game.

Figureitout June 25, 2016 10:07 PM

–What does that “drone” do? Audio, visual, wifi, cellular? So its another static bug…The weight limits of the small ones are…small. Like a few grams or couple pounds. I had a friend lose control of his drone, it just flew straight up until you couldnt see it then smashed to the ground. That couldve landed on someones head. Also pilots of all aircraft, this is a threat to them. There has been some really close calls but no plane crashes yet afaik.

JLal July 13, 2016 5:28 PM

How did a lot of US companies start? projects for the CIA, NSA, DIA, ONI etc. (some “borrowed”…. ask Larry Ellison)

How do you create a honeypot to collect world data including facial recognition, easily , cheap and freely, some say the three amigos:
GFT: Google-Facebook-Twitter

There are a lot of interest coordinating behind the so called venture capital funding llcs.

So he is seriously deceptive on purpose (food for the masses).

Chris July 15, 2016 2:19 AM

He is correct.

Office365 and Google.

If there’s anyone else that businesses use, it’s not foreign.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.