Tag: infosec Page 1 of 4

Back Doors are for Bad Guys

The UK Prime Minister, David Cameron, says he’s going to ban strong encryption within his country. Somehow this is going to make everyone safe from terrorists. I have some questions:

  • Are terrorists the ones who will abide by such a law, first and foremost?
  • Is it your intention to shut down all e-Commerce in the UK?
  • How will it improve the welfare of British citizens to have the UK cut off from the rest of the Internet?

When that notoriously left-wing publication, Forbes, caught up with Internet security expert Bruce Schneier for his reaction, he was uncharacteristically hyperbolic: “My immediate reaction was disbelief, followed by confusion and despair.”  It makes no sense even to try this, according to Schneier.

Technically, there is no such thing as a “backdoor to law enforcement.” Backdoor access is a technical requirement, and limiting access to law enforcement is a policy requirement. As an engineer, I cannot design a system that works differently in the presence of a particular badge or a signed piece of paper. I have two options. I can design a secure system that has no backdoor access, meaning neither criminals nor foreign intelligence agencies nor domestic police can get at the data. Or I can design a system that has backdoor access, meaning they all can.

So try, and join the rogues’ gallery of China, Iran, Syria, Pakistan, Russia, Kazakhstan, and Belarus, who have all tried to censor the Internet and have all failed.

Cameron and Xi Jinping, censorship BFFs

It is worth remembering that the internet was designed beginning in the 1960s as a project of the Advanced Research Projects Administration, a DoD agency.  The original idea was to have a digital communications network with enough redundancy and resiliency that nuclear strikes would not disable it, merely slow it down.

The millions of routers that run the Internet are designed to have a primary way to get the next unit of data where it needs to go, and one or more backup ways if the primary fails (yes that’s a vast oversimplification).  More to the point, there is no truly central controller.  Every node in the network shares routing information and rules on how to apply it with every other node.  To kill “the Internet” you would have to kill so many nodes, you might as well be planning to end civilization.

Network architect John Gilmore pointed out an interesting consequence of this design.  He said, “The Net interprets censorship as damage and routes around it.”

Cameron’s try at the Great Firewall has the stated goal of making us safer from terrorists.  This objective is so far beyond the reach of his proposal as to be simply ludicrous.   The real result would either be as porous as China’s and the rest, or would take his country to the information-economy status of North Korea.  In any case, Cameron, or someone advising him, must know this.

So which one is the one that he wants?

Spoiler Alert: Government Spy Agencies Might Be Lying

UK intelligence agencies are claiming that they are having to move agents who are endangered in the field, and according to this report the reason is… Edward Snowden!

I must say, this has the stink of the barnyard.  Information about the nature of surveillance programs, which is what Snowden revealed, is so far from operational info about field agents that it might as well be the 1997 Minnesota Twins’ box scores.  If agencies are having their networks compromised they should look to the flaws in their protocols that allowed Snowden to take any files out, not to the actual files Snowden took out.

Assuming they are not flat-out lying about having to roll up field networks (a BIG-ass-umption), they are simply scapegoating the man they love to hate.

The Chinese just breached a carload of US government data from security clearance applications. So now they know:

  • Who has clearance
  • At what level
  • What is all the garbage those people had in their background that had to be vetted out to give them the clearance.

Now which one is more likely to have compromised field agents?  That?  Or a detailed description of how Verizon rolls over and gives the gov’t all your call data?

But wait – what could the government POSSIBLY want with distracting you from the Chinese breach and turning attention back on Snowden?  Such a mystery.

Simple Truths

Email I received from the ACLU this morning. Timely!

Also attributed to Mr. Snowden – and I love this one:

Saying privacy doesn’t matter to you because you have nothing to hide is like saying freedom of speech doesn’t matter to you because you have nothing to say.
———- Forwarded message ———-
From: Edward Snowden, ACLU Action <aclu@aclu.org>
Date: Fri, Jun 5, 2015 at 7:47 AM
Subject: Simple truths
To: [me]

ACLU Action
David–

Today is the two year anniversary of the first of Edward Snowden’s revelations about the NSA’s mass surveillance programs. And on Tuesday, the Senate overwhelmingly passed the USA Freedom Act – a bill that limited mass surveillance under Section 215 of the Patriot Act and other authorities.

While USA Freedom Act is a start, no one should mistake it for comprehensive reform – it leaves many of the government’s most intrusive surveillance powers untouched, and it leaves disclosure and transparency loopholes.

Read Edward’s message below, and then take the next step: call the president’s office and tell him to rein in Executive Order 12333. It’s been used to collect info about millions of innocent people without any judicial oversight. It’s time to bring the government’s surveillance practices back in line with democratic values.

Anthony for the ACLU Action team

Hi David–

Simple truths can change the world.

Two years ago today, in a Hong Kong hotel room, three journalists and I waited nervously to see how the world would react to the revelation that the National Security Agency had been collecting records of nearly every phone call in the United States.

Though we have come a long way, the right to privacy remains under attack.

Last month, the NSA’s invasive call-tracking program was declared unlawful by a federal appeals court in ACLU v. Clapper, and it was disowned by Congress. And, after a White House investigation found that the program never stopped a single terrorist attack, even President Obama ordered it terminated.

This is because of you. This is the power of an informed public.

Ending mass surveillance of private phone calls under the Patriot Act is a historic victory for the rights of every citizen. Yet while we have reformed this one program, many others remain.

We need to push back and challenge the lawmakers who defend these programs. We need to make it clear that a vote in favor of mass surveillance is a vote in favor of illegal and ineffective violations of the right to privacy for all Americans.

As I said on Reddit last month, arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.

We can’t take the right to privacy for granted, just like we can’t take the right to free speech for granted. We can’t let these invasions of our rights stand.

While we worked away in that hotel room in Hong Kong, there were moments when we worried we might have put our lives at risk for nothing – that the public would react with apathy to the publication of evidence that revealed that democratic governments had been collecting and storing billions of intimate records of innocent people.

Never have I been so grateful to have been so wrong.


Edward Snowden for ACLU Action

Read Edward’s Reddit “Ask Me Anything” conversation with the ACLU’s Jameel Jaffer, and check out his op-ed in today’s New York Times – Anthony

Reddit: Just days left to kill mass surveillance under Section 215 of the Patriot Act. 

New York Times: Edward Snowden: The World Says No to Surveillance 

Why Security on the Internet is an Afterthought

This WaPo article gives us an historical perspective on why the Internet was designed to operate mostly with no encryption.  The money quote:

“Back in those days, the NSA still had the ability to visit a professor and say, ‘Do not publish that paper on cryptography.’ ”
As the ’70s wound down, [Vint] Cerf and [Robert] Kahn abandoned their efforts to bake cryptography into TCP/IP, bowing to what they considered insurmountable barriers.

This is really a great piece on how the internet morphed from an academic & defense research project to the collective nervous system of humanity.  I came into the field during the second decade of the Internet and it was not really a part of my life until about four or five years in.  I really enjoyed the insight into the earlier days.  Note the role Richard Stallman took back then – it hasn’t really changed much, at its core.

h/t to Rob Slade via CISSPForum.

We Are Secure Website Developers

We website developers put up with a lot from those security folks.  We’re constantly hearing them nag us to do boring things like scrub inputs to prevent SQL injection flaws.  Enforce up-to-date encryption standards.  Quit putting auth tokens into URLs.  All of these things would make our web applications more genuinely secure.  None of them, however, is visible to the user as evidence that we Take Security Very Seriously™.   What shall we do?

Well, nothing says “Security!” to our users who know nothing about security like passwords.  Long, inconvenient, hard-to-remember passwords.  Let’s make our password authentication as difficult as possible!  Then they will know that we Take Security Very Seriously™!

We’ll require a diverse character set.  Their passwords will have to have two capital letters, three lowercase letters, two numerals and a special character.  Donald Duck, perhaps?  Brad wanted it also to have to include the tears of a virgin, but HR sent us a really nasty email about the test we were going to implement for that.  

We’ll not allow passwords shorter than 8 characters, but also no longer than 14 — the DBAs are worried about the space it will require for that.  Why aren’t we hashing the passwords?  Well, yes, that would make the storage a non-issue, since all we’d ever store for each password is a constant-length hash.  But then how will we be able to send users those friendly reminder emails when they forget their passwords, with the password in clear text?

Of course, they won’t be able to use that clear text password to log in, because we have not yet finished demonstrating that we Take Security Very Seriously™!  See, now that we’ve made the passwords inhumane, we’re going to fix the front end to be sure that the ONLY way they can enter those inhumane passwords is to type them, one agonizing character at a time.  Never mind the users who want to use really random passwords, so they get password managers that load the clipboard or fill in passwords for them.  That black magic seems like a hacking tool to us, we won’t allow it.  No sir, only human fingers on a keyboard will be permitted here!

After all, we Take Security Very Seriously™.
