My Thoughts On Reset The Net


The Reset The Net initiative plans to run splash screens on major sites on June 5 encouraging users to protect themselves from mass surveillance. I have been asked what I think of the project and my answer is simple – any initiative that results in more people using encryption is a good thing. I am uncertain as to how effective this will be at actually bringing about the legislative change we need to actually address the root cause of the problem but remain hopeful that such a targeted response may indeed get some people talking.

The US Gov’t Will Never Apologize, Nor Will It Change


When the government is caught with their hand proverbially in the cookie jar – violating no less than the Constitution – you’d expect a platitude about what will be done to fix the situation, a kind of bureaucratic “mea culpa” if you will.

Sadly the US government has not provided a coherent and rational explanation as to why its covert intelligence agency was spying on the telephone calls and internet data of millions of perfectly law-abiding Americans, and let us not forget the “Five Eyes” and the violations against the citizens of a plethora of other nations.

Nope. We are told only that it is “us” – the IT security professionals, the journalists, the whistleblowers – who are at fault, or perhaps even a little misguided. The White House spin may even paint us as unpatriotic when the reverse is clearly the case. The official response has been one of confusion (“did we do that? I don’t have that information? Oh, that’s classified.”), minimization (“we are only collecting metadata”) and even flat out ridicule of those of us who would dare question a government that has effectively gone rogue and turned its spying apparatus on its people.

We must stop being naive and begin treating the Internet as an insecure place where all our data may be intercepted without our knowledge and kept for an indeterminate amount of time (and perhaps used to populate some kind of database on who you are based on your search habits, time of use, email contacts etc). This means that we need to get wise and stop using the Internet for tasks that we wouldn’t want our neighbors or business competitors to see.

Encryption is the key to solving this problem as it is clear that any political due process would be ineffective. But when major software companies are in bed with the US government, how can we even trust our operating system let alone our mail client, crypto software etc. Open source software projects have not been immune to subversion although the availability of source code for scrutiny serves as a disincentive for obvious modification (assuming people actually compile the software rather than download a binary; also it would be wise to mention the potential for an evil compiler aka a Thompson attack). The waters get murkier when we start looking at the potential for “bad” hardware. That RAID controller has DMA access and a nice little embedded OS of its own – imagine what it could do?

There are no clear answers here, unfortunately, just more questions as the paranoia and distrust reach higher and higher levels.

At a minimum we should be avoiding closed source operating systems and open source OS distributions with a commercial agenda. None of us can audit the entire kernel of, say, Linux or FreeBSD, so ultimately you have got to trust something. But you can build rings around your kingdom, so to speak, and try to take a mutually distrustful approach to engineering any solution: no single component, whether OS, compiler or controller firmware, should be able to compromise everything on its own.

Security Protocols & Evidence Paper, and Some Thoughts

Schneier’s recent blog post on a paper published by Steven J. Murdoch and Ross Anderson entitled, aptly enough – “Security Protocols and Evidence: Where Many Payment Systems Fail” demonstrates what many have probably expected from the beginning. That is – a system designed primarily for transaction authentication may not have the same utility when used for evidentiary purposes.

I recall reading a similar paper published about fifteen years ago on the weaknesses of using RADIUS data from ISPs in court proceedings for offenses such as downloading inappropriate and illegal pornography (I am trying to be tactful; but understand that given the extremely harsh prison terms handed to such offenders in many Western nations and their social repugnance, it would appear that a clear determination as to whether such an act was committed would be pretty important. Not so.) On more than one occasion the ISP I was working at was ordered to provide RADIUS logs and later proxy logs (once they realized we kept them; we soon stopped retaining those once the privacy implications had been made concrete in the rest of management’s heads) for individuals.

In the dialup era at least we had the ANI information. That too could be spoofed but it provided at least some kind of tangible connection with the user. The court orders generally ask – to paraphrase – “ is part of one of your dynamic IP pools. Can you please supply logs for the user in possession of a lease for this address on 2000-02-01 03:23:14 UTC”, which can present problems, especially when someone’s freedom is at risk and you know that half your equipment hasn’t synchronized to a reliable NTP server since Clinton entered office.

Their response to an answer of – “this was on the cusp – two people occupied this lease within a few minutes of each other” isn’t to abandon this attempt and scold us for not having decent clock synchronization (the whip of big government’s rod would come later when we were forced to implement Cisco LI – uh, lawful interception – at our expense or lose our license), but rather to demand both users and amend their request to include server content including their POP/IMAP mailboxes and personal web space. No doubt they had armed police storming these two residences knowing that *one* of them has to be their perpetrator. That isn’t good enough, even when heinous crimes have been committed.
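The “cusp” problem above can be made concrete. The following is an added example, not code from the original post or from any ISP: it matches an IP address and timestamp against constructed RADIUS-style accounting records and reports whether the attribution is unique, and how an allowance for unsynchronized clocks turns a confident answer into an ambiguous one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def dt(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass
class Lease:
    user: str            # RADIUS User-Name
    ip: str              # Framed-IP-Address
    start: datetime      # Acct-Start time as logged by the NAS
    stop: Optional[datetime]  # Acct-Stop time, None if the session is still up


# Constructed accounting records for illustration (203.0.113.0/24 is a
# documentation range); they are not real subscriber data.
RECORDS = [
    Lease("alice", "203.0.113.17", dt("2000-02-01 03:10:02"), dt("2000-02-01 03:21:40")),
    Lease("bob",   "203.0.113.17", dt("2000-02-01 03:24:55"), dt("2000-02-01 05:02:11")),
    Lease("carol", "203.0.113.18", dt("2000-02-01 02:00:00"), None),
]


def candidates(records: List[Lease], ip: str, when: datetime,
               skew: timedelta) -> List[str]:
    """Users whose lease on `ip` overlaps [when - skew, when + skew].

    `skew` models how far the NAS clock may be from true UTC; with
    unsynchronized equipment a few minutes is not an unreasonable allowance.
    """
    lo, hi = when - skew, when + skew
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    return [r.user for r in records
            if r.ip == ip and r.start <= hi and (r.stop or far_future) >= lo]


def attribute(ip: str, when_str: str, skew_minutes: int) -> Tuple[str, List[str]]:
    """Answer a court-style query: who held `ip` at `when_str` (UTC)?"""
    users = candidates(RECORDS, ip, dt(when_str), timedelta(minutes=skew_minutes))
    if not users:
        return ("no-lease", users)       # nobody logged on that address then
    if len(users) == 1:
        return ("attributed", users)     # a single user; still only as good as the clock
    return ("ambiguous", users)          # the cusp case: more than one plausible user
```

With the clock trusted exactly, the query in the post's example returns no lease at all (the address was between sessions); allowing five minutes of skew returns both neighbouring users, which is precisely the answer that should stop an investigation from treating either one as the perpetrator.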

We are fast becoming a society where guilt is assumed and innocence must be proven. Thanks to the PATRIOT Act and co., your constitutional right to a fair trial has been scrambled, especially if they can connect your “case” to a vague concept they call “national security”. A child making a dry ice bomb and detonating it in a pond near a school could face such “justice” (enclosed in quotes because they have redefined this word; I must get an updated dictionary and reacquaint myself with what justice means today). The answer won’t please me nor anyone who considers themselves a “patriot” or even a free thinker.

NSA Program HAPPYFOOT Exploits Advertiser Metadata


The Washington Post has reported on an NSA program codenamed “HAPPYFOOT” that obtained device information mostly courtesy of the unencrypted traffic that flows between many cellular phones running “ad supported” apps and their respective advertising networks. It is buried in their article, which attempts to explain how the NSA targets cellular devices, but I nonetheless found it interesting that the major advertising networks have yet to comment on whether they will be altering their business to prevent this from happening, or at the very least moving those communications onto SSL.

NSA single-handedly destroys trust in US IT firms

Throughout the past few weeks we have seen numerous disclosures from former NSA contractor Edward Snowden regarding the massive surveillance apparatus that the United States government has brought to bear against civilians, foreign governments and even corporations. We have also heard allegations that the NSA has deliberately weakened open cryptographic standards. Perhaps the most worrying piece of information to come out of these disclosures is their program to systematically infect hardware.

The network appliances that route the majority of Internet traffic run closed source embedded router operating systems like Cisco’s IOS. If I were a government level adversary I would start with the switching fabric and routers rather than waste my time on the end points, especially considering we are now aware that through NSLs they were able to compel organizations to secretly disclose their SSL keys and enable surveillance (as an aside, the gov’t seems to have angered Google, or at least affected their bottom line, as they are now speaking of implementing PFS, which limits what a disclosed long-term key can decrypt after the fact).

If we go further – can we really trust any hardware? Certainly not hardware produced from, say, 2000 onwards. I don’t state that as some magic number or some line in the sand. Rather, it is an educated guess based on both the political climate (things didn’t start getting super crazy until post 9/11) and the technological capabilities at the time. Perhaps we are dead wrong in this regard too. After all, they have been trying to destroy civilian privacy online for about as long as the Internet has been accessible to the average Joe. Everyone no doubt remembers the Clipper chip of the 1990s. Well, the NSA clearly realized that key escrow just wasn’t going to stand up to public scrutiny. I wonder how the boffins within the US intelligence community will justify their promotion given the fallout from the Snowden saga?

No doubt many US based IT companies will be reassessing whether it is appropriate for them to continue conducting their business from within the United States or whether a move overseas may better suit them operationally. The damage that this could do to the IT industry in the US is immeasurable. While many in the industry are in damage control, some (like Lavabit and, today, CryptoSeal Privacy) are shutting up shop, refusing to supply the public with a product that they may be forced (via a secret FISA court hearing or an NSL) to backdoor or otherwise modify to bypass the very anonymizing features the customer is paying good money for. This is a very bad time for the US’s image abroad – and it is all of the government’s own making.