John Young’s Effort To See The Snowden Documents Released

Cryptome, the infamous repository of daylighted classified information run by John Young and a number of other volunteers, posted a few interesting tweets on their feed about two weeks back suggesting that they may have possession of some of the unreleased (and unredacted) Snowden material and that they were going to release it in July to prevent a “war” – his later tweet clarified that he was speaking about the current ISIS situation, stating that “ISIS war would not be happening … [if documents were released] … July war not averted.”

Well, we are now well and truly within the month of July and I had yet to see anything more on this subject so I figured I would visit Cryptome to see if there has been any movement. On the site’s front page is a link to a PDF which is effectively a demand for the documents to be released, addressed to the relevant news organizations involved. So I don’t believe that this is going to happen, barring the intervention of a ‘safety’ (one assumes that Snowden gave a few of his most trusted buddies the raw material to release in the event that he was disposed of).

Unfortunately, it still remains in the interests of the newspapers involved to keep the documents and slowly roll out the stories over an extended period of time. I suspect that after the Guardian’s UK office was raided, the news organizations involved have been, uh, ‘briefed’ on what journalism really is all about in the 21st century, remembering that the government could potentially make things difficult for their newspaper companies (or easier for their competitors).

Young’s Cryptome has always been an excellent resource, but I just don’t think that this will even come close to attaining the level of interest and inertia that such a protest would need in order to get the attention of the powers that be. However, I suspect that the documents will eventually see the light of public scrutiny. Edward Snowden isn’t an unintelligent man, and he would have ensured that multiple people with different agendas had access to the source material. One can’t keep a united front together indefinitely when there are egos at work.


The US House of Representatives today passed an amendment that will see that NSA programs designed to introduce backdoors are no longer funded. The bipartisan agreement, entitled ‘Massie-Lofgren’, was billed as an exciting development by the EFF, with Mark Rumold – the Foundation’s counsel – stating that they “applaud the House for taking this important first step, and we look forward to other elected officials standing up for our right to privacy.” Many, including myself, have questioned whether the new bill will truly be effective in curtailing the NSA’s spying – at least on the domestic front. I suspect that it will be business as usual for the NSA and their associated contractors and affiliates.

A Weekly Analysis Of Leaked NSA Documents

Many of the documents that Edward Snowden leaked have been in the public domain for quite some time, yet a detailed analysis of the content within them has yet to occur. Sure, the affiliated newspapers have singled out what they believe are the most interesting parts of the story and folks like Bruce Schneier have done an excellent job dissecting some of the leaked slides on his blog over the last few months, but we haven’t seen the kind of intense interest that I personally expected. Perhaps this was a direct result of Greenwald and Co’s decision to slowly dribble out the information. Although this tactic was good for selling papers, it probably wasn’t optimal as far as Snowden was concerned if he was (and we must assume he was) primarily concerned with getting all of the information into the hands of the public, as these delays allowed authorities to severely curtail the ability of the news agencies involved to effectively continue leaking the documents, and thus actual informed discussion was replaced with editorials with speculation and inaccuracies. Clearly, this was mishandled – as was the decision to redact some of the most important information from the leaked material. Snowden gave up a well-paying job in Hawaii to become persona non grata; effectively he will need to watch his back for the remainder of his life, and his future safety is far from certain. Snowden was no Manning. He knew well in advance what the consequences of his actions would be, and he was forced to entrust members of the supposedly ‘free’ press to complete a task; that task being to spread the word about these unconstitutional programs, and in practical terms it was a success, but unfortunately due to the way the disclosures were conducted the small sample of documents released were far from edifying.

The redactions that were in many of the documents released were entirely unnecessary, and the explanations given as to their necessity were baffling. These were not names of secret agents who could be identified and killed abroad – no, these were names of VPN appliance vendors and software companies. The cynical observer would note that the redactions are likely due to the Guardian and friends’ aversion to process servers appearing in their offices. Unfortunately, this makes the leaked document pretty much useless when the vulnerable product is not identified. This is not an isolated example.

That said – I believe that in the case of a wholesale government document release like the Wikileaks/Manning disclosure before it, it is essential that we carefully go through each of the leaked documents with a fresh set of eyes to see if we can extract something ‘new’ out of material we have already seen. So I will be doing my best to examine the raw material that is available from both the Guardian’s website and, thankfully, a much more complete collection available for search and direct download from the ACLU. The most interesting documents I will devote a blog post to. Yes, I will apply experience and trade knowledge to editorialize on information not present to draw conclusions that may be inaccurate. Perhaps this makes me no better than those who I criticized in the preceding paragraphs. Nonetheless, unlike the newspapers who had both access to raw material and the source himself to interview should any questions arise, I have none of the above and must try and understand what is going on – and in some of these documents – the lack of context and use of NSA codewords and jargon makes it quite difficult. In any case, I will try and make a weekly feature out of this – and we will examine known NSA operations and have a look at the source material, along with corroborating evidence already in the public domain.

NSA Custom Hardware: The FLUXBABBITT Implant (And Why It’s Important)

One of the more interesting documents to emerge from the Snowden leak was a single page detailing an implant known as FLUXBABBITT. The device appears to attach to the JTAG header of certain server class motherboards and provides “software application persistence” – in other words, it ensures that should, say, the machine’s HDD fail and a new one be inserted with a fresh install of the OS, their spyware can re-attain a foothold, perhaps via means not dissimilar to Computrace (and yes, I overuse that analogy, but it is such a good one: the BIOS module has minimal NTFS functionality, enough to dump itself over an existing Windows service that will normally be executed at boot time – and of course the real file is renamed and executed in due course by the uh, malware). The document specifically mentions that the Dell PowerEdge 1950 and 2950 servers running Xeon processors were the target. The actual spyware which this device ensures persists on the system is code-named GODSURGE, and unfortunately we can only speculate on its purpose and capabilities. Nonetheless this particular disclosure was important as it showed us just a hint of what a custom hardware hack from a government agency would look like.

A leaked slide detailing the capabilities of a device that connects to a motherboard's JTAG header.


It doesn’t take much imagination to think of all manner of crazy look-alike devices that the NSA would create to fulfill their roles – perhaps a keyboard with an integrated logger, a portable hard drive with a pinhole camera writing to a secreted few chips of flash, etc. but it appears that their most prized creations are devices used to sniff traffic off corporate sized networks – and forget about vampire taps, these things are allegedly so sensitive that they can reliably intercept data without even piercing the wire – well, unless your office happens to use the ultra-expensive shielded and armored stuff.

Stanislav over at Loper OS has written a very interesting piece on just how this device may function, and includes some pictures of the JTAG port of a machine similar to the targets referenced in the slide. Jacob Appelbaum also mentioned this and other covert devices in his presentation for 30c3, and fortunately there is an annotated transcript available on the Naked Capitalism blog.

Truecrypt Update

I figured it would be pertinent to update everyone on the Truecrypt situation. Ultimately, very little has changed and we don’t know all that much. Matthew Green had an exchange with Steven Barnhart on Twitter essentially stating that the development team simply got tired of updating the software and that this action was unrelated to the audit.

My belief that this shutdown was at the request of a government agency persists despite information flowing through to the contrary, and there are a few anecdotal indications that seem to indicate that the page posted to the website was a canary, remembering that directly stating that development has been discontinued due to the receipt of a NSL would violate the order’s secrecy provision and the likely result would be the party responsible would face a secret court. So, one can understand why double talk and innuendo are required when so much is at stake.

Posters on Bruce Schneier’s blog have pointed out the strange wording of the statement, “using Truecrypt is not secure as it may contain unfixed security issues”; perhaps they were specifically ordered not to fix a certain vulnerability in the code and instead wound up the project. Perhaps the statement on their website (emphasis mine) is a warning of such interference.

The other curious thing is that requests to resources on return a 410 (Credit: Andy). The 410, according to the hypertext RFC is used “if the server knows …. that an old resource is permanently unavailable … This status code is commonly used when the server does not wish to reveal exactly why the request has been refused”

Of course we are all just speculating. If the developers of the project truly wished to wind up their operations and everything was otherwise okay they would not have acted in this manner. Advising users of Windows to migrate to Bitlocker is anathema to the majority of TC’s userbase. A simple note on the website that the project has been discontinued due to a lack of funds/time/support/devs/etc. would have been far better and left fewer questions surrounding the true circumstances of their abrupt exit from the market. Indeed, despite the fact that old and unmaintained software can have unpatched vulnerabilities, most would leave their full project page and download area active, albeit with the above caveat attached. A statement to the effect that they are abandoning the source code into the public domain or relicensing the code with a FOSS-friendly license would have also been the responsible thing to do – allowing others to fork and build on the work that you started. Indeed, even if they did all of the above a fork may not be the best idea given the source code may be encumbered with non-free components (those unaware of the E4M controversy that occurred early in the life of TC should view the History section of the project’s Wikipedia page for a brief primer).

The smartest thing – moving forward – would be for a new project to begin. This project would aim to create a functional replacement for Truecrypt and, whilst not necessarily using TC code nor providing backward compatibility, would provide a modern full disk encryption suite primarily for Windows systems.

The project should:

  1. support GPT/UEFI
  2. have an on-disk format compatible with LUKS or dm-crypt
  3. use a crypto accelerator if the motherboard has one fitted
  4. have a simple user interface and comprehensive help where options are unclear

Essentially all of the above (with the exception of points 1 and 3) were implemented in FreeOTFE almost ten years ago. The latter has also become abandonware but its source code – along with the Linux kernel source for LUKS and its associated modules – would be useful for someone attempting a (near) clean room re-implementation.

For the moment – the average Windows user has three choices. They can continue to use the deprecated v7.1a of Truecrypt despite the ominous warning, they can migrate over to a commercial solution like Bitlocker or PGPdisk or they can switch to a platform that has decent and open source FDE such as Linux or FreeBSD. The use of file based encryption tools is also a possibility but one fraught with danger on Windows, which is liable to leave unencrypted copies of your data everywhere (e.g. thumbnail caches, browser cache for viewed hypertext files, filenames at the very least stored in recent document lists, etc.).

As I said earlier, when the Snowden disclosures were brand new and still leaking out in a piecemeal fashion from the Guardian et al. – the NSA have started something big, and the cumulative results of what amounted to them shaking the crypto-tree hard enough for some apples to fall out will be felt for a long time and result in definite changes to the way we conduct business and confidential transactions online. I believe that we are perhaps witnessing the opening salvos of a war between the government agencies and privacy advocates and the hackers who make privacy software happen. The EFF probably needs our support and funding, so if anyone has a spare few dollars and wants to donate to a good cause, the EFF is certainly a worthy foundation.

TrueCrypt Website Declares Project Dead

It appears that the Truecrypt project is officially dead. At approximately 1800hrs the Truecrypt project’s SourceForge project page was updated, with the status being set to ‘inactive’ and new binaries posted – ostensibly of ‘Truecrypt v7.2’. The main page featured the warning that “Truecrypt is not secure as it may contain unfixed security issues.” The signing keys used match those used previously. Krebs notes that there have been no changes to delegation, etc.

Their rationale that Truecrypt development was ended as a result of Windows XP becoming end-of-support seems curious as there appears to be no relationship between the two. Their advice to abandon Truecrypt for proprietary solutions like Microsoft’s (almost certainly backdoored) BitLocker also seems odd.

Users on Schneier’s blog have been discussing the various possibilities with the most plausible mentioned being that the Truecrypt team were compelled via NSL or other government instrument to co-operate and that burning down the project was potentially the thing that they could have done. This is possibly why they were unable to give a legitimate explanation, instead citing the ludicrous one regarding Windows XP support. Another possibility is that Matthew Green et al.’s TrueCrypt audit had spooked the authors in some way.

Just twelve hours ago I believed that this was a website compromise, but I am now convinced these actions were initiated by a member of the TC team and not by a malicious attacker. It is indeed possible that one of the developers has gone rogue, but I believe that it is almost a certainty at this point that TC – as we have known it, at least – is dead. Given the licensing issues (TC’s license is not completely FOSS friendly) it remains far from certain that anyone will fork the source from 7.1a and continue to develop the software.

This marks the death of the second free(ish) Windows full disk encryption suite with the first being FreeOTFE. The important thing to note is that Truecrypt had several very large stumbling blocks in the way of its acceptance by the community – some of them technical, some of them legal and license related, and the vast majority of them social. The shadowy Truecrypt Foundation and the way the organization attempted to shield themselves from any scrutiny made many understandably cautious of the software. Only several months ago on this very blog I detailed the myriad issues I have with Truecrypt and advised readers not to trust the product and to instead seek alternatives. That said, there are no free and trustworthy full disk encryption products for Windows (and obviously, Windows itself – and the underlying Wintel architecture – has some major trust issues of its own).


Complex Tech has an excellent article on the recently declassified documents that reveal further operational information. Unsurprisingly the court refused to allow the phone companies the right to protect their customers’ data from illegal search and seizure from the NSA. Why there has not been a 2014 revolution is anyone’s guess but I would bet that those in the seats of power are feeling very uneasy right about now. Better put off your Hawaiian holiday govt folks.