Showing posts with label surveillance.

Wednesday, June 7, 2017

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was arrested and charged with leaking an internal NSA document to the news outlet The Intercept. The document outlines the intelligence community's assessment of Russian efforts to hack a variety of companies involved in running US elections. You can read the document here.

Despite what anyone might have to say about the issue on Twitter, an arrest involving an accusation of any crime by any law enforcement agency in any country is not evidence of guilt. Even a cursory appraisal of the US justice system will reveal that tens of thousands of individuals are arrested every year only to have those charges *immediately* dismissed by a court, while nearly everyone who actually is *convicted* of a crime in this country has their charges reduced. Even in cases in which individuals have been convicted of the most serious capital crimes, courts have been forced to release dozens of individuals after DNA testing offered conclusive proof of innocence.

The point is this: being arrested is not being convicted. And being convicted is not proof-positive of guilt.

For the purposes of this post I will set aside the substance of the leak itself; again, I recommend reading the Intercept's initial reporting. This post is focused on reports of how law enforcement claims to have identified Ms Winner, and the consequences of those reports for computer users with an interest in privacy. The Electronic Frontier Foundation (EFF) describes the purported technique as follows:

Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer - and potentially the person who used it. Sounds like something from an episode of "Alias" right? Unfortunately the scenario isn't fictional. In a purported effort to identify counterfeiters the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information. That means that without your knowledge or consent an act you assume is private could become public. A communication tool you're using in everyday life could become a tool for government surveillance. And what's worse there are no laws to prevent abuse.

The term for this technique is "forensic watermarking", "printer steganography" or "counterfeit deterrence system". Through a series of FOIA requests to some 10 US government agencies in 2008, the EFF uncovered that a wide array of the most popular modern printers print some form of watermark that can be used to definitively identify the device that printed a given document. The documents recovered through those FOIA requests (some of which date back to the 1990s) reveal that the watermarking techniques have been available since at least the 1980s, that printer manufacturers "voluntarily" adopted forensic watermarking under the ostensible justification of fighting counterfeiters, and that efforts to proliferate the use of watermarking involved the EU as well as the US.

The watermark in the documents published by the Intercept consists of a pattern of tiny yellow dots that, when decoded, identifies the serial number of the printer used and the date and time the document was printed. Here are those dots, made visible by boosting the image contrast (images c/o Errata Sec's excellent post on this topic):

And here is the data gleaned from decoding that watermark:

When this information is combined with a standard corporate asset-tagging system and print server logs, the watermark can easily identify the workstation that printed a given document. The same technique can be used to create evidence that a printer seized from a defendant's property generated a given document, as well.

So how does a privacy-conscious printer user avoid this watermarking technique?

For one thing, do not assume that because you cannot see any watermarking on documents from your printer you are safe. Here is a photograph of a watermarked document taken through a Digital Blue QX5 microscope:

Even with the microscope the forensic dots are barely visible. Attempting to view the pattern without any form of artificial enhancement is a fool's errand.
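To make the enhancement step concrete, here is an added example (not from the original post, the EFF or Errata Sec) that does in code what boosting the contrast does by eye: score each pixel by how yellow it is, threshold that into a mask, find the dot blobs, and snap them onto a lattice. It runs on a tiny constructed raster rather than a real scan, the dot positions and grid geometry are made up, and it stops at the dot pattern: mapping the pattern to a serial number and timestamp depends on the vendor's layout, which this example does not claim to know.

```python
"""Enhance and extract pale-yellow tracking dots from a scanned page.

Added example, not code from the original post or the EFF. It works on a
tiny constructed RGB raster (list of rows of (R, G, B) tuples) so it runs
offline without imaging libraries; the colours, dot positions and lattice
geometry below are made up for illustration.
"""

WHITE = (250, 250, 248)        # paper background (constructed value)
PALE_YELLOW = (250, 250, 205)  # tracking dot: R, G high, B depressed (constructed)
BLACK = (20, 20, 20)           # printed text (constructed)


def yellowness(pixel):
    """Score how yellow a pixel is: high red and green with low blue.
    White and black both score near zero; pale yellow scores high."""
    r, g, b = pixel
    return max(0, min(r, g) - b)


def enhance(image, gain=5):
    """Greyscale 'contrast boost': dots come out dark, everything else light."""
    return [[max(0, 255 - gain * yellowness(p)) for p in row] for row in image]


def yellow_mask(image, threshold=20):
    """Binary mask: True where a pixel is yellow enough to be a dot."""
    return [[yellowness(p) > threshold for p in row] for row in image]


def dot_centres(mask):
    """4-neighbour connected-component labelling of the mask; returns the
    (row, col) centre of each blob, sorted, so multi-pixel dots count once."""
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    centres = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x] or seen[y][x]:
                continue
            stack, pts = [(y, x)], []
            seen[y][x] = True
            while stack:
                cy, cx = stack.pop()
                pts.append((cy, cx))
                for ny, nx in ((cy - 1, cx), (cy + 1, cx), (cy, cx - 1), (cy, cx + 1)):
                    if 0 <= ny < h and 0 <= nx < w and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        stack.append((ny, nx))
            centres.append((sum(p[0] for p in pts) / len(pts),
                            sum(p[1] for p in pts) / len(pts)))
    return sorted(centres)


def dots_to_grid(centres, origin, pitch, rows, cols):
    """Snap dot centres onto a rows x cols lattice (origin and pitch in pixels).
    Returns one string per row, '#' for a dot and '.' for none. On a real scan
    the lattice would be measured from the dots; here it is the constructed
    geometry used to draw the sample."""
    grid = [['.'] * cols for _ in range(rows)]
    oy, ox = origin
    for cy, cx in centres:
        r, c = round((cy - oy) / pitch), round((cx - ox) / pitch)
        if 0 <= r < rows and 0 <= c < cols:
            grid[r][c] = '#'
    return [''.join(row) for row in grid]


def make_sample(rows=4, cols=6, pitch=4, origin=(3, 3), dots=()):
    """Constructed 'scan': white page, one black text stroke, and single-pixel
    pale-yellow dots at the given (row, col) lattice positions."""
    h, w = origin[0] + rows * pitch + 2, origin[1] + cols * pitch + 2
    img = [[WHITE] * w for _ in range(h)]
    for x in range(2, w - 2):            # a horizontal black text stroke
        img[h - 2][x] = BLACK
    for r, c in dots:
        img[origin[0] + r * pitch][origin[1] + c * pitch] = PALE_YELLOW
    return img


SAMPLE_DOTS = ((0, 0), (0, 3), (1, 1), (2, 5), (3, 2), (3, 4))  # constructed


def recover_sample_grid():
    """Full pipeline on the constructed sample: mask, blobs, lattice."""
    img = make_sample(dots=SAMPLE_DOTS)
    return dots_to_grid(dot_centres(yellow_mask(img)), (3, 3), 4, 4, 6)


if __name__ == "__main__":
    for line in recover_sample_grid():
        print(line)
```

The black stroke is there on purpose: a naive "anything that is not white" filter would pick up text as well as dots, which is why the score requires high red and green, not just low blue. On a real scan the same pipeline applies after you measure the lattice pitch from the dot spacing.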

A user can avoid purchasing one of the printers that EFF has tested and confirmed generate watermarks. Unfortunately, this list is not up-to-date; and as time goes on, the likelihood that *all* manufacturers will produce some form of watermarking increases.

The specific technique used in the leaked documents published by the Intercept requires color: the dots are a pale shade of yellow that is not easily visible without some form of digital enhancement. Avoiding color printers avoids this specific technique. I am very skeptical of claims online that printing documents in "black & white" mode on a color printer provides any protection: watermarks can easily be imprinted in greyscale (see "binary image watermarks"), and I have yet to see any confirmation that this countermeasure is effective.

Even the use of a modern black and white printer leaves me uncomfortable. There are numerous means of imprinting imperceptible watermarks; the popular yellow dots are simply one technique of many. DCT-based watermarking techniques are significantly harder to identify than the yellow dots, which only need some added contrast; until now, the computational expense of DCT was likely cost-prohibitive for manufacturers. This is certain to change over time.

Tools designed specifically to protect users from this kind of technology are few to non-existent. I can't point the finger; I have not worked on this problem. I do have some ideas. Given that the full set of watermarking techniques in use is unknown, it would likely be more reliable, and perhaps cross-device compatible, to spoof the identifying device information before it reaches the printed page than to attempt to identify and remove or modify the watermark itself. I have only marginal experience with peripheral firmware or drivers, but if anyone is interested in this type of project, I learn fast and would be happy to help.

Tuesday, August 4, 2015

Afternoon Links 8/4/2015

I am a victim of my nostalgia. Yesterday, I revived a years-old post in which I provided bloggees with some of the latest Windows activation keys to update the data for Windows 10. I figured I might as well dredge up another bit I had let fall by the wayside; Weekly links! Exciting, I know.

   - Yahoo's ad network and Microsoft Azure's web hosting service were abused to circulate an enormous flood of malicious software. Malwarebytes is credited with the discovery, which is a little amusing because Malwarebytes has had its own security issues for many years. h/t Washington Post

    - Planned Parenthood and a variety of other related organizations were brought offline by a sustained series of DDoS attacks. In what may or may not have been the work of the same group of individuals, someone has claimed they have hacked Planned Parenthood and retrieved an employee list database of some kind or another.
     AFAIK, this sort of thing is new to the abortion debate in the US - honestly the only political debates where this sort of thing typically comes to the fore are "internet" issues surrounding surveillance, cryptocurrency and the like. The "Culture Wars" are fought in city halls, lobbyist offices and in the bank transfers of PACs rather than through data center Meet Me rooms.
    Personally I am interested in finding out if the DDoS was outsourced or if there is, in fact, a pro-life botnet. Will online hooliganism become a part of the political conversation? h/t Rolling Stone

   - The Electronic Frontier Foundation and Muck Rock have partnered to file a butt-load of FOIA requests in order to provide the public with a better understanding of how biometrics is being used by law enforcement and federal government agencies to provide street level, warrantless surveillance of ordinary Americans. h/t Muck Rock

   - In a strange move, DHS Deputy Secretary Alejandro Mayorkas said that some provisions of the Cybersecurity Information Sharing Act (CISA) “could sweep away important privacy protections” and that proposed legislation “raises privacy and civil liberties concerns.” Apparently Mayorkas found nothing ironic about this statement, while the news outlets who retyped the message for public consumption found it completely normal. h/t Russia Today

Privacy is for closers says Microsoft

Here's part of Microsoft's 12,000-word ToS for Windows 10:
Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2.protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3.operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4.protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.
In human-speak, this means by default the key-logging behavior that was noted in the preview version is a feature not a bug, the creepy always-on-camera that watches you masturbate from your Xbox One will now listen to you through your laptop microphone, your browser history of course gets shared, as does a whole bunch of other things.


Word on the street is the spying can be disabled.

For users like me, this is exactly the sort of thing that makes it worth it to uninstall Windows and install Linux. Even on a brand new laptop where the outrageous cost of a Windows license was already factored in. Every other excuse - document handling, application functionality - has inexorably been resolved or made irrelevant. Being able to conveniently play video games is not a lot of value to exchange for non-stop advanced surveillance for anyone that does not possess the innocent and carefree mind of a child.

I'm already forced to pay strangers to spy on me through my taxes. I don't like it. Do you?

Wednesday, January 7, 2015

Gogo Inflight Internet Using SSL Exploit for Customer Surveillance

For many years in the IT community, it was assumed that time spent travelling on an airplane was wasted. At best, you could make do with expensive and often-unreliable cell network coverage for connectivity. Even that was an issue, though, because of the airlines' histrionic and decades-out-of-date concern that electronic devices interfered with flight navigation equipment. On top of paying a premium for unreliable service, you had to be sneaky about it as well.

[Image: headline about Alec Baldwin's cell phone incident on an airplane]
Some of us handled the situation better than others
So when in-flight internet services first started to be integrated into major airline fleets en masse, many tech people applauded. Those of us who had to attend trade shows, travel to meet customers or were responsible for multiple data center locations could get things done as we bounced back and forth across the country. The bandwidth was every bit as expensive as roaming cell network charges, regularly more expensive, but the planes were being equipped with some basic antennas to improve reception, and you didn't need to hide your computer from overzealous flight attendants.

One of the services that made this possible was Gogo Inflight Internet. And the whole deal seemed pretty reasonable. Sure, it was expensive and the service was unreliable at best, but there were serious financial, technical and regulatory obstacles to overcome in making airplanes into giant wireless antennae. It wasn't perfect, but it wasn't a scam, either - and it was getting better.

But then one savvy Gogo Inflight Internet user noticed something troubling. The customer was Adrienne Porter Felt, a Google engineer. As Ms Felt attempted to access Youtube, she noticed that the SSL certificate presented for Youtube was forged.

To help illustrate what's going on I've included some more detailed images below. Note that the interfaces are a bit different because the first image was taken on a computer running Windows and the second on a Mac; the aesthetic differences aren't relevant.

In the first image's SSL certificate, we see that the certificate is signed by Google Inc. and that the Common Name is listed as * (in the Subject line, the first item is the Common Name, or CN).

In the second image, the Organization is listed as "Gogo" and the Common Name is a private IP address.

This behavior is consistent with a man-in-the-middle attack: requests for Youtube are being re-routed to that private address, which is serving a forged SSL certificate for Youtube.

[Image: certificate details] This is what a Youtube SSL certificate normally looks like.

[Image: certificate details] This is what the Youtube SSL certificate looked like as provided to Ms Felt by Gogo Internet.

Internet Service Providers are required by awful pieces of legislation like the Communications Assistance for Law Enforcement Act (CALEA) to provide law enforcement with what are referred to in the telco industry as "lawful intercepts", at the expense of the ISP. However, what is occurring here appears to be far above and beyond the normal exercise of a lawful intercept.

For one thing, lawful intercepts are targeted at specific customers. There is no indication that the man-in-the-middle attack being used here is executed in a targeted fashion; if targeted traffic interception were the goal, such an attack would be a bizarre way to go about it, because all traffic would be collected regardless. Targeting with such a setup would mean collecting everyone's traffic and then discarding that of non-targeted customers, as the NSA claims it does in the company of the particularly credulous.

There is another reason to believe that something untoward is afoot here. And that is a recent FCC filing in which the nudity-obsessed Federal agency blatantly declared that Gogo Inflight Internet was cooperating with law enforcement in ways not required by law. You can review that filing here:

In their own defense, Gogo has claimed that the SSL forging, and the traffic interception it is designed to cover up, has nothing to do with surveillance at all. Their CTO Anand Chari had this to say:
Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience… We can assure customers that no user information is being collected when any of these techniques are being used.
Chari's excuse sounds quite reasonable to those with no experience in networking and system administration. To those who are familiar with solving bandwidth restriction dilemmas, Chari's explanation is, at best, the ramblings of a man who is completely incompetent and, at worst, an outright lie.

Over the course of my career, I have had to address exactly the sort of problem that Chari claims this matter is a response to. Before I explain why Chari's response is preposterous, I should start by phrasing the problem in a way that is more understandable.

Most companies have a limited amount of bandwidth. Bandwidth, after all, is expensive. For a small business of just a few people, it's not so hard to tell that one of your workers is downloading from Pirate Bay instead of attending to his work, and in the process ensuring that no one can so much as check their email. But what if there are 500 workers? And what if the bandwidth use isn't intentional; what if it's being caused by malware? That's when a more technical response is called for.

This is a problem that has existed in commercial IT for decades; it predates streaming media, and it predates the world wide web for that matter. Because the problem is so old, there are dozens of different approaches to resolving it, depending upon what kinds of resources are available and the overall structure of the network in which the problem is being addressed.

One of the many solutions to this kind of issue is a technology called Quality of Service (QoS). In a nutshell (this is a very simplified explanation), QoS enables network administrators to give certain types of traffic priority over others. This function is extremely useful, if we think about it for a moment. Consider email and video streaming. When you send and receive email, it's not such a big deal if it takes a few extra seconds for the email to be transferred. An extraordinarily long delay of many minutes can become annoying, but a delay of seconds is not noticeable to a user, and email applications are designed (when correctly configured) to tolerate delays so that they aren't a problem. Now take streaming video. Introduce a few seconds of delay while a user is watching a video and the experience is spoiled; if the delay is long enough, the player stalls outright. So we have established that delays matter more to video than to email.

So let's imagine another circumstance. We are in a real world environment - an office, with a limited amount of bandwidth. One employee is playing a video, and another employee attempts to send an email with a large attachment. There is enough bandwidth for only one of these operations, but not both. What do we do?

By implementing QoS, we can give the video a higher priority than email, so the video's packets are serviced first and the email transfer yields bandwidth to it until the video finishes. This ensures that both users have a good network experience and no errors are introduced at the application layer. We can introduce QoS in such a way that we do not have to break encrypted services, as Gogo has done. Certain protocols can be prioritized, but we can also prioritize users and connections, accounting for a limited amount of bandwidth.

Not only would such a solution ensure the privacy of users, but it also tends to be faster and more reliable when scaling to large amounts of traffic than what Gogo claims to be doing, which involves more than just routing and switching network packets. Information sent over a network is divided into small packets that share certain standardized properties. This standardization allows packets to be handled consistently and reliably even when the information inside them is unique. Handling packets as they travel is, in most circumstances, less resource-intensive than opening the packets up and dealing with the stuff inside them. Consider the difference between your home wireless router, which handles the standardized packets in transit, and your home computer, which deals with the unique information inside the packets.

The gist of the story is this: information you send while using Gogo Inflight Internet is almost certainly being snooped on; it's also possible, though not yet proven, that other similar services are also snooping. Do not trust SSL connections that are provided to you by Gogo; to avoid their snooping, a VPN connection could help, but further research is needed to determine which VPN solutions can be compromised by Gogo's setup.

h/t ReadWrite

Thursday, October 23, 2014

Why is the Washington Post Publishing Pro-Surveillance Propaganda? Can Government Surveillance Revelations Decrease Encryption Adoption?

For the last few days I've had great fun watching James Comey and his pack of Keystone Cyber Cops failing to convince the world that they should be CC'd on everyone's calls, tweets and texts and generally exposing himself as the incompetent, braying ass that he is.

[Image: James Comey]
Keep in mind the camera adds 10 pounds
Dan Froomkin and Natasha Vargas-Cooper over at The Intercept exposed each of the examples that Comey used to argue the necessity of breaking cell phone encryption as bogus: the cases were real, but none of them relied on cell phones or computers to obtain a conviction.

In one case of infanticide, the parents who were eventually found guilty had been previously convicted of child cruelty and had the deceased child previously taken from their custody for neglect. Not only did the state not need to read the parents' phones for evidence, if they had read their own files and demonstrated some inter-agency cooperation they could very likely have prevented the killing entirely.

In another case, the defendant confessed to a hit and run when cops, pulling him over for a DUI almost immediately after the victim was discovered, noticed his car had just been in an accident.

Comey has been calling in a few favors for his little power play. Assistant Attorney General Leslie R. Caldwell testified before Congress on July 15th, relying on some rather dramatic and almost Zoroastrian language to convince legislators of the evils of privacy advocacy:

"All the while, technological advances, including advances designed to protect privacy, such as anonymizing software and encryption, are being used to frustrate criminal or civil investigations and, perversely, protect the wrongdoers. Our cyber crimefighters must be equipped with the tools and expertise to compete with and overcome our adversaries."

Perhaps we should forgive Caldwell as a clearly incompetent simpleton. It's more difficult to understand what was going on over at the Washington Post when they published a now completely discredited op-ed in support of the Comey Conspiracy.

Last month the Post printed a piece penned by Ronald T. Hosko. Ronald is currently the President of the Law Enforcement Legal Defense Fund (LELDF), whose primary mission is to pay for expensive lawyers for police who kill innocent and/or unarmed people. Without groups like LELDF, police officers might one day be held accountable for their crimes - but not while Ronald's on the case! In addition to his current hobby, Ronald is the former Assistant Director of the FBI Criminal Investigative Division. He was named Assistant Director in July of 2012. Before that, he was special agent in charge of the Washington Field Office (WFO) Criminal Division. Ronald has been a life-long cop, joining the FBI 30 years ago in 1984, with his first big assignment coming with his transfer to the FBI's Chicago Division, where he investigated white-collar and financial crimes in addition to serving on the SWAT team. One paragraph of his CV sticks out:

In 2003, Mr. Hosko was promoted to assistant special agent in charge of the Philadelphia Division, where he was responsible for investigations into criminal matters. While in this role, he led the division’s surveillance and technical operations, and he served as the program supervisor for crisis management. In 2005, Mr. Hosko served as the on-scene commander of FBI personnel deployed to Afghanistan in support of Operation Enduring Freedom. Later that year, he served as deputy to the senior fellow law enforcement official following Hurricane Katrina.

In other words, Ronald developed his surveillance bona fides during the early years of the Bush Jr administration, an administration that is responsible for sparking the current FBI trend of creating fake terrorist plots to entrap young Muslim men whom they cajole and bribe into cooperation. Ronald was one of the "on-scene" FBI commanders in Afghanistan who failed to locate Osama Bin Laden or his top lieutenants before being shipped back to the states in time to play a law-enforcement role in the Hurricane Katrina disaster, the only hurricane in the United States in recent memory that is well known for police murdering residents trying to escape the flood zone and escaping any legal consequences for the killings.

Ronald Hosko is no stranger to controversy. Rumors of Ronald Hosko's ever-present appearances at Furry conventions are all over the Internet. Of course the rumors of Hosko's Furry compulsions play no part in this debate. The Washington Post, if for no other reason, should be applauded for disregarding rumors of Ronald T. Hosko being an incorrigible fan of Furry Love. People who can only achieve arousal by dressing up as cartoon animals, as Ronald T. Hosko is frequently alleged to, have political opinions just as valid as the rest of us. I, for one, think these rumors are completely without merit. Even if I am wrong and Ronald T. Hosko is, in fact, a Furry, any rumors about his personal life are completely inappropriate and shouldn't play a role in this or any other debate. 

In his op-ed, Ronald ran through Comey's party line: the introduction of encryption in consumer devices is allowing violent criminals to walk free. Not all of the piece is bogus. Hosko admits, for example, that:

"Encrypting a phone doesn’t make it any harder to tap, or 'lawfully intercept' calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself."

In spite of this admission, Ronald still makes it clear that tapping the phone isn't enough. The data, contacts, photos and email are pivotal for convictions. To illustrate his point, Ronald relies on an example: the case of a kidnap victim in Wake Forest, North Carolina. The kidnappers were tracked down through a lawful intercept of their cell phones' SMS. In the original version of his op-ed, Ronald argues that without the ability to intercept SMS messages, police may never have been able to identify and arrest the kidnappers. This is another point that is only fair to concede to Ronald. It is quite clear that without the texts the kidnappers could very well have escaped.

That said, Ronald's conclusion, that encryption would have prevented the police from tracking the text messages, is complete fantasy. Even a basic understanding of mobile networks and SMS forces us to realize that encryption would have played no role in the Wake Forest investigation.

Let's consider how the police got the text messages and what they did with them. First and foremost, the police sought and obtained a search warrant for the text messages. The warrant enabled the police to go to the cell phone companies and request the SMS messages and the location of the handset when they were sent. SMS data passes through the cell phone company, where it is stored. Police obtained the SMS data from the cell phone company, not from the handset. Remember: at the time the police requested the warrant, they had no idea where the handset was. The encryption policy Apple implemented, which is the target of Comey and his buddies' ire, encrypts information stored on the handset, not information transmitted to and from the cell phone company. SMS messages sent over a mobile carrier will typically be stored by that carrier for some time. GSM carriers do encrypt SMS traffic over the radio link, but they do so using a stream cipher (typically A5/1 or A5/2), and the carrier itself holds the plaintext. The A5 ciphers are intrinsically weak; cryptanalytic work describing practical, low-resource attacks on them is widely circulated and published. These ciphers have been in use since the adoption of GSM years ago and have nothing to do with Comey's attacks on default device encryption. FBI agents who, unlike Ronald T. Hosko, know sh*t about computers would find breaking such ciphers a trivial task if asked to do so as part of an ongoing investigation.

But all that is a bit beside the point. The FBI had a warrant for SMS data in the Wake Forest case. All of the data they received was provided to them by the cell phone company, including the geographic location of the handsets, which the cell phone company stores along with unencrypted logs of the SMS messages (because cell phone executives don't care about you or your privacy, and when they do they have a funny way of ending up in prison).

The kidnappers could encrypt their phone all day long, and the FBI could still have gone to the cell phone carrier and gotten the information they needed to find them. At worst, such a claim is a deliberate lie. At best, Ronald T. Hosko, former FBI Philadelphia Division's director of "surveillance and technical operations", lacks a basic understanding of how the FBI uses cell phones to apprehend suspects. 

The Washington Post didn't bother to fact-check Hosko's op-ed. They went ahead and published it, a shocking concession to a government official seeking to greatly expand government surveillance powers and firing off a bunch of half-truths to justify it. Eventually someone with technical experience read the article and pointed out the piece's complete lack of credibility. As a result, the Post rewrote some of the more incredible claims and appended this non-apology for its readers:

* Editors note: This story incorrectly stated that Apple and Google’s new encryption rules would have hindered law enforcement’s ability to rescue the kidnap victim in Wake Forest, N.C. This is not the case. The piece has been corrected.

The editors' note was placed below the fold, at the very end of the article. A more ethical correction would place the editors' note above the fold, at the beginning of the article, to ensure that readers are not misled and that the large percentage of readers who do not read the entire piece understand what happened.

So what did these "corrections" consist of? In the original story, Ronald had not just incorrectly made the case that encryption would have hindered the ability of the FBI to locate the kidnappers. Hosko breathlessly alleged that: "Had this [encryption] technology been used by the conspirators in our case, our victim would be dead". The message is clear: Apple and Google, the two companies that Hosko cites in the lead as examples of companies using this dangerous encryption, will have blood on their hands if they continue to protect their users' privacy.

Here is the original paragraph next to the still-incorrect "corrected" paragraph, as online periodical Techdirt first pointed out in their coverage of this debacle:
Last week, Apple and Android announced that their new operating systems will be encrypted by default. That means the companies won’t be able to unlock phones and iPads to reveal the photos, e-mails and recordings stored within.

It also means law enforcement officials won’t be able to look at the range of data stored on the device, even with a court-approved warrant. Had this technology been used by the conspirators in our case, our victim would be dead. The perpetrators would likely be freely plotting their next revenge attack.
That's the first version.
Last week, Apple and Google announced that their new operating systems will be encrypted by default. Encrypting a phone doesn’t make it any harder to tap, or “lawfully intercept” calls. But it does limit law enforcement’s access to a data, contacts, photos and email stored on the phone itself.

Had this technology been in place, we wouldn’t have been able to quickly identify which phone lines to tap. That delay would have cost us our victim his life. The perpetrators would likely be freely plotting their next revenge attack.
And that is the "corrected" version. Note how the writer (at this point it's unclear who wrote the corrected version, Hosko or a Post employee) *still* hangs on to the disproved claim that SMS data subpoenaed from a cell phone carrier has anything to do with an encrypted filesystem on a cell phone, by saying that the FBI "wouldn’t have been able to quickly identify which phone lines to tap".

It's at this point that I find it very difficult to forgive the Washington Post for their involvement in this. Not only have they allowed the FBI to manipulate their readers, betraying the public trust developed by actual journalists who have provided real reporting for the Post over the years; they have stood by their man in his hour of need, despite obvious evidence provided by a multitude of technology experts.

Corrections should correct a story, not reword lies to make them more palatable. Yet that is exactly what the Washington Post has done here.

Since the Snowden revelations, evidence of government malfeasance in their approach to surveillance supporting both foreign intelligence and domestic law enforcement has continued to mount. A significant number of Americans have made it clear that they support even the most totalitarian excesses of the intelligence-gathering community, dismissing centuries-long traditions of English-speaking rule of law with slogans like "I have nothing to hide". Authoritarianism has always been popular with a certain type.

What I have to admit is completely unexpected is the evidence I have found of individuals whose response to disclosures of government surveillance has led them to dismiss the use of encryption as untrustworthy.

In the comments section of the Washington Post story discussed above, for example, one user added the following to the fray: 

[Screenshot: user comment on the Washington Post story]

Take note: ALL encryption is compromised! Those mathematicians? They're all on the payroll! There is a certain theatrical flourish that always seems to accompany the conspiracy theory. A "You May Think You're Smart But You're Not" sneer behind the 9/11 truth videos, the reptile photographs, the rest of it. We have all been fooled.

But there are reasons for concern that are not based in psychosis. A Web of Trust, one of the original components of Phil Zimmermann's PGP, can be viewed as a proto-social network. Police love Facebook because it shows the people you trust and communicate with. A public key Web of Trust provides all the same data to the state just as readily. Public Webs of Trust should only be used with great care, and in a number of circumstances should be abandoned entirely.

Another source of skepticism is the hosted provider that offers encryption. Apple and Google, whatever ire may be directed at them by the FBI now, are two of the founding corporate members of the NSA's PRISM program. Neither company has stopped responding to FISA court requests. If anything, encrypted storage seems like a concession - a way to change the narrative being foisted on consumer tech companies; a way to remind users that such companies are on the side of their customers and not the state; a way to do all these things without actually fighting any legal battles or compromising pre-existing relationships with agencies more politically connected than even the FBI.

The sense of compromise is pervasive, and leads to statements like this one: 

[Screenshot: Hacker News comment]

So many companies have promised privacy to their users, and lied; encryption strikes users as just another scheme.

Added to this is the constant wave of half-explained media coverage of open source security research. How many readers unfamiliar with internet technology take reports of the discovery of the POODLE vulnerability as a bad thing - a failure? Encryption can easily appear to the layman as a flawed technology that depends on dishonest corporations for development and application.

Finally, we have a new wave of mobile applications and their associated startups. The vast majority of such startups are promising their users a new safety and privacy online through the use of whatever snake-oil they happen to be selling, and providing it using the same free-from-upfront-payment model that all of the most dangerous companies rely on. Satan requires no upfront payment, either. Is it any surprise that these companies engage in the same surveillance practices as the firms before them? Whisper, of course, stands out among firms that promise privacy while stealing it. It is my suspicion that Whisper's practices are nothing special.

As our knowledge of surveillance scandals continues to expand, confidence is shaken not just in the state. The public knows that the intelligence community and law enforcement have established extra-legal partnerships in the business community, using their customers as pools of data. The public knows that the intelligence community and law enforcement recruit from the same universities that develop encryption algorithms, providing cryptographers with the highest-paying jobs in the field and generously financing research and handing out grants.

Is it possible to encourage skepticism in organizations whose approach to technology has been corrupted, while building trust that the same technology can protect us from those organizations?

There's only one thing I know for sure, no matter what anybody else may have to say about the matter. Ronald T. Hosko is not a furry.

Thursday, October 16, 2014

The Guardian Calls Bullsh*t on Whisper; Whisper Calls Bullsh*t on Guardian

Big drama today re: the popular messaging app Whisper.

Whisper markets itself as anonymous, calling itself “the safest place on the internet”. But The Guardian disagrees. This morning the influential British newspaper published a story alleging that Whisper tracks the geographic location of users who have requested that such tracking be disabled - even more alarming, the Guardian claims that Whisper provides the US Department of Defense with location data about Whisper messages sent from military bases, ostensibly to identify whistleblowers. The Guardian also stated that Whisper sends user data to the FBI and MI5.

Whisper's terms of service changed after they found out that the Guardian was moving to publish. Now their TOS explicitly allows user tracking regardless of settings.

Neetzan Zimmerman, speaking for the Whisper corporate office, has responded with a series of online pronouncements that were full of sound and fury, calling the story a "pack of lies" that was "lousy with falsehoods".

Nevertheless, Zimmerman did confirm that Whisper is conducting a "DoD Study", responding to a pointed comment from Washington Post contributor Barton Gellman:

Finally, the Guardian also mentioned that Whisper is designing a Chinese version of the app that will conform to draconian Chinese censorship laws.

Zimmerman has uploaded what he claims is Whisper's entire, unedited response to The Guardian via Scribd. Because these things have a way of disappearing, a backup copy of Zimmerman's response is also available.

Sunday, October 12, 2014

NSA Targets Systems Administrators with no Relations to Extremism

The Details

This is a bit of an old story, but I've found to my unpleasant surprise that the issues surrounding the story are not widely understood or known. Here's the gist: leaks from the US intelligence service have explicitly confirmed that the NSA targets systems administrators who have no ties to terrorism or extremist politics. If you are responsible for building and maintaining networks, the NSA will place you under surveillance both personally and professionally; they will hack your email, social network accounts and cell phone. The thinking behind this alarming strategy is that compromising a sysadmin provides root-level access to systems that enable further surveillance: hack an extremist's computer, and you track just that extremist. Hack a sysadmin's computer, and you can track thousands of users who may include extremists among them (it's a strategy that is remarkably similar to the targeting of doctors in war zones).

Five years ago such a lead paragraph would be among the most wild-eyed of conspiracy theories. Now, after the Snowden leaks and the work of other sources within the US Intelligence community, the sysadmin targeting scheme has been proven conclusively through supporting documents circulated through a "wiki" style system within the NSA and explained and reported by Ryan Gallagher and Peter Maass of The Intercept. The name of the scheme is I hunt sys admins. The entire document outlining the goals and methods of the I hunt sys admins scheme is available on The Intercept (While I typically publish source documents directly on this website for ease of use, publishing these documents presents unique legal concerns that The Intercept is better equipped to handle - I apologize to users for the inconvenience of having to visit a second site to confirm sources, but I assure you it is well worth the effort).

There are a few excerpts worth noting explicitly. First and foremost, the document describes that the surveillance typically begins by acquiring the administrator's webmail or Facebook account username. The NSA agent then uses an Agency tool called QUANTUM to inject malware into the admin's account pages. The Intercept has put together a video outlining the QUANTUM tool's capabilities that is worth watching. The existence and capabilities of the tool are themselves also confirmed through extensive NSA documentation. QUANTUM uses a Man-On-The-Side attack to hijack user sessions and redirect traffic to one of the NSA's Tailored Access Operations (TAO) Servers. In this case, the application server used is called FOXACID. The same application is used to compromise Firefox and Tor users (a related program in place at Britain's GCHQ called FLYING PIG offers similar functionality even while using SSL).

QUANTUM has a variety of uses besides the one outlined above. It has a series of plugins that allow NSA agents to take control of IRC networks, compromise DNS queries, run denial of service attacks, corrupt file downloads and replace legitimate file downloads with malware payloads.
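The man-on-the-side technique described above leaves a trace a defender can look for: the injector cannot remove the genuine reply, only race it. The check below is an added example, not taken from the NSA documents or The Intercept's reporting; it assumes a capture reduced to per-segment records (addresses, ports, TCP sequence number, IP TTL, payload) and flags flows where two segments claim the same stream position with different bytes.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A captured TCP segment reduced to the fields the check needs.
Segment = Dict[str, object]
FlowKey = Tuple[str, int, str, int, int]


def find_injection_candidates(segments: List[Segment]) -> List[Tuple[FlowKey, List[Segment]]]:
    """Group segments by flow and sequence number; return groups whose payloads disagree.

    A real retransmission repeats identical bytes, so only differing bytes at the
    same position are treated as the anomaly."""
    groups: Dict[FlowKey, List[Segment]] = defaultdict(list)
    for seg in segments:
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"], seg["seq"])
        groups[key].append(seg)
    return [(key, group) for key, group in groups.items()
            if len({seg["payload"] for seg in group}) > 1]


def ttl_spread(group: List[Segment]) -> int:
    """Largest minus smallest IP TTL within a conflicting group.

    A forged segment is usually emitted from a different network position than the
    real server, so its TTL rarely matches. A spread of 0 weakens the verdict."""
    ttls = [seg["ttl"] for seg in group]
    return max(ttls) - min(ttls)


def report(segments: List[Segment]) -> List[str]:
    """One human-readable line per suspicious flow."""
    lines = []
    for (src, sport, dst, dport, seq), group in find_injection_candidates(segments):
        lines.append(f"possible injection {src}:{sport} -> {dst}:{dport} seq={seq} "
                     f"variants={len(group)} ttl_spread={ttl_spread(group)}")
    return lines


# Constructed sample capture. Addresses come from the RFC 5737 documentation
# ranges and the redirect target is a placeholder, not a real host.
SAMPLE_SEGMENTS: List[Segment] = [
    # Genuine reply from the web server.
    {"src": "198.51.100.10", "sport": 80, "dst": "192.0.2.25", "dport": 51514,
     "seq": 1000, "ttl": 52, "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    # Forged reply racing it: same flow, same seq, different content, different TTL.
    {"src": "198.51.100.10", "sport": 80, "dst": "192.0.2.25", "dport": 51514,
     "seq": 1000, "ttl": 38, "payload": b"HTTP/1.1 302 Found\r\nLocation: http://placeholder.invalid/\r\n\r\n"},
    # Ordinary retransmission on another flow: identical bytes, must not be flagged.
    {"src": "198.51.100.10", "sport": 80, "dst": "192.0.2.26", "dport": 40022,
     "seq": 5000, "ttl": 52, "payload": b"HTTP/1.1 200 OK\r\n\r\nhello"},
    {"src": "198.51.100.10", "sport": 80, "dst": "192.0.2.26", "dport": 40022,
     "seq": 5000, "ttl": 52, "payload": b"HTTP/1.1 200 OK\r\n\r\nhello"},
]

if __name__ == "__main__":
    for line in report(SAMPLE_SEGMENTS):
        print(line)
```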

The methodology is important as it demonstrates the importance of maintaining operational security even during personal time. These are not attacks that target political or military organizations; they do not even target corporations. They explicitly target individual system administrators.

And there's more.

NSA agents use the tool Discoroute to retrieve router configurations from passively collected telnet sessions. NSA documents outline how, rather than using sysadmins to target the corporations they work for, the NSA is interested in doing the reverse: using corporate router configurations to target individual sysadmins. For example, using Discoroute, a surveillance agent retrieves the access-list ruleset associated with the router. That access-list can reveal the home IP addresses that admins use to log in to systems remotely. While this may seem to be an egregious security oversight, the access-lists in question are not necessarily on core routers. The access-list could just as easily be retrieved from a PIX firewall, or be a rule that does nothing more than permit a single IP address to reach an intranet website.
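The defensive counterpart to what Discoroute harvests is an audit of your own configurations for the same pattern. The script below is an added example, not from the NSA documents or any vendor tool: it scans Cisco-style access-list lines for permit entries that whitelist a single host outside the organisation's address plan, the rule shape that most often encodes an administrator's home connection. The INTERNAL_NETS ranges and the sample configuration are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Address ranges considered internal. Assumed values: adjust to your own address
# plan. Anything outside these ranges is treated as an external endpoint.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Extended entry:  access-list 110 permit tcp host 203.0.113.77 any eq 22
EXTENDED_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+host\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>.+?)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
# Standard entry:  access-list 10 permit host 198.51.100.9  (host keyword optional)
STANDARD_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?:host\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_admin_hosts(config_lines: List[str]) -> List[Dict[str, str]]:
    """Return permit entries whose source is a single external host.

    Deny entries and source ranges are ignored; a lone /32 from outside the
    organisation is what the text describes as a likely admin home address."""
    findings = []
    for raw in config_lines:
        line = raw.strip()
        m = EXTENDED_RE.match(line) or STANDARD_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        if is_internal(src):
            continue
        fields = m.groupdict()
        findings.append({
            "acl": fields["acl"],
            "src": src,
            "proto": fields.get("proto") or "ip",   # standard ACLs carry no protocol
            "port": fields.get("port") or "any",
            "line": line,
        })
    return findings


# Constructed sample configuration using RFC 5737 documentation addresses.
SAMPLE_CONFIG = """
access-list 110 permit tcp host 203.0.113.77 any eq 22
access-list 110 permit tcp host 10.20.0.5 any eq 22
access-list 110 permit tcp 192.0.2.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 110 deny ip any any
access-list 10 permit host 198.51.100.9
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_exposed_admin_hosts(SAMPLE_CONFIG):
        print(f"ACL {f['acl']}: external host {f['src']} permitted {f['proto']}/{f['port']}")
```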

The I hunt sys admins documents continue by outlining some methods to identify and surveil malicious users. The author of I hunt sys admins references the NSA's access to massive untargeted recordings of SSH sessions. Perhaps we can take some comfort in the fact that the author apparently does not take it for granted that the NSA can easily decrypt SSH session data. However, quite a bit can be accomplished by analyzing encrypted data. In this instance, I hunt sys admins recommends reviewing the size of SSH login attempts to determine which succeeded and which failed. IP addresses recorded failing multiple attempts against large numbers of IPs can safely be identified as belonging to brute force attackers.
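The same size-based reasoning works just as well for a defender watching flow records from their own network. The classifier below is an added example, not anything from the I hunt sys admins document: it labels SSH flows from byte counts alone, without touching the ciphertext, and picks out sources that fail against many hosts. The 4000-byte threshold and the sample flow records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One bidirectional connection summary, as a flow collector would export it."""
    src: str
    dst: str
    dport: int
    bytes_total: int   # bytes in both directions, ciphertext included
    packets: int


# Assumed threshold. A failed password login is torn down after the key exchange
# and a handful of authentication messages, so the whole conversation stays small;
# an established session keeps growing. Calibrate against your own hosts.
SHORT_SESSION_BYTES = 4000


def classify(flow: Flow) -> str:
    """Label an SSH flow from its size alone; the payload is never inspected."""
    if flow.dport != 22:
        return "not-ssh"
    return "short" if flow.bytes_total < SHORT_SESSION_BYTES else "established"


def find_bruteforcers(flows: List[Flow], min_short: int = 5,
                      min_targets: int = 3) -> Dict[str, Dict[str, int]]:
    """Sources with many short SSH flows spread over many destinations.

    A human mistyping a password retries one host a couple of times; a scanner
    produces a flood of short flows against a wide set of addresses."""
    short_count: Dict[str, int] = defaultdict(int)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for flow in flows:
        if classify(flow) == "short":
            short_count[flow.src] += 1
            targets[flow.src].add(flow.dst)
    return {
        src: {"short_flows": n, "targets": len(targets[src])}
        for src, n in short_count.items()
        if n >= min_short and len(targets[src]) >= min_targets
    }


# Constructed sample: a scanner hitting five hosts, and an admin who fat-fingered
# a password twice before logging in for real. Addresses are RFC 5737 examples.
SAMPLE_FLOWS = [Flow("203.0.113.50", f"192.0.2.{n}", 22, 2900 + n * 10, 24) for n in range(1, 6)]
SAMPLE_FLOWS += [
    Flow("203.0.113.50", "192.0.2.1", 22, 3100, 25),       # second try on the first host
    Flow("198.51.100.7", "192.0.2.10", 22, 3300, 26),      # admin typo
    Flow("198.51.100.7", "192.0.2.10", 22, 3250, 26),      # admin typo again
    Flow("198.51.100.7", "192.0.2.10", 22, 184000, 900),   # real session
    Flow("198.51.100.7", "192.0.2.10", 443, 1200, 10),     # unrelated HTTPS
]

if __name__ == "__main__":
    for src, stats in find_bruteforcers(SAMPLE_FLOWS).items():
        print(f"{src}: {stats['short_flows']} short SSH flows to {stats['targets']} hosts")
```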

Why You Should Care About NSA Surveillance Even if You Do Not Care About NSA Surveillance

This is a website about technology, not politics. Whatever your opinions are about the legitimacy of warrantless surveillance, the actions of the NSA and the other Five Eyes surveillance agencies are having a significant and deleterious impact on the internet and those who build and support it. Additional leaks have demonstrated that the NSA provided security firm RSA with $10 million to use the flawed Dual_EC_DRBG random number generator in its unfortunately-named BSAFE cryptographic library, providing a back door to all applications relying on BSAFE. Even more disturbing are confirmations that the NSA has obtained copies of root CA certificates and used them to compromise SSL implemented by major internet services.

But why should we care? I'm not guilty and so I have nothing to hide, as the oft-used rationalization goes. Warrantless surveillance by governments is only one consequence of the actions outlined above. For the admins targeted by these policies who are unconcerned with government surveillance, the chief concern is that actors other than the Five Eyes nations can easily engage in the same practices explained in the I hunt sys admins documents; frankly, few if any of the I hunt sys admins guidelines were actually invented by the NSA. These are techniques designed by criminals, and criminals have massive incentives to continue innovating those techniques. To protect our privacy from criminals we must follow security best practices, and by following best practices we necessarily protect ourselves against government surveillance as well.

The fact remains that sysadmins will remain a desirable target for those seeking to break into protected systems. Protecting those systems and the users who depend on them is part of our mandate as administrators. Now that we know the extent to which the security environment has changed, the question becomes whether we continue to adapt to the new environment to best protect our applications and users, or whether we disregard our mandate.

Tuesday, December 11, 2012

Best to Hush on the Bus - Cities Across the US Install Surveillance Equipment on Public Transit

This IP camera with microphone, the Safety Vision SVC2200, is being installed on buses in San Francisco, California; Eugene, Oregon; Traverse City, Michigan; Columbus, Ohio; Baltimore, Maryland; Hartford, Connecticut; and Athens, Georgia. The microphones are sensitive enough to record conversations audibly. This leads one to wonder what such technology could possibly be used for. Cameras can be used for evidence in cases of violent crime. Recordings are not nearly as important in establishing proof of violence as they are in assisting with more subversive forms of surveillance. No doubt this information is headed in a roundabout way to your local DHS "Fusion Center", where it will be shuffled, cataloged and shuffled again.

The IP cameras are listed as supporting the following protocols: IPv4/v6, TCP/IP, UDP, RTP, RTSP, HTTP, HTTPS, ICMP, FTP, SMTP, DHCP, PPPoE, UPnP, IGMP, SNMP, QoS & ONVIF, although one wonders in what capacity they 'support' QoS ... a few of these are likely the efforts of marketeers gone wild with acronym copy-pasting. What's important is that they talk TCP/IP, and VPN compatibility is not on that list. They have an RJ-45 input and use PoE, but also have a microSD port. Finally, with a field of vision of 78° horizontal and 45° vertical, these devices provide a very tempting opportunity to the on-site hacker.

The cameras are supposed to connect to and be managed by a central web server - and remember the lack of VPN above: it looks like just a straightforward wireless or 3G-based network connection will be established to that server. While the video on that web server may not be so exciting to attackers, an opportunity to establish an "in" with a local network maintained by a city transportation administration or law enforcement agency would be an incredibly enticing target. Of even greater value would be the possibility of infecting video files with malicious software to be uploaded to whatever federal spy agency is their final destination. Finally, security cameras rely on motion detection in order to limit storage to relevant data. As the traffic on buses is continuous, there will be constant motion and noise. This will lead to huge data sets of worthless audio and video that will increase storage costs to absurd heights in short order (the alternative of a regular deletion schedule would defeat the purpose of collecting the data). As such, this project is a foolish one. There is little advantage to be gained in the data from these devices, and the system architecture as currently stated will lead to significant security failures. At best the devices would have a slight freezing effect on violent crimes that occur on the bus, which are few and far between to begin with. At worst these devices will turn into a black hole for taxpayer money funneled into storage and maintenance costs that is somehow simultaneously worthless to law enforcement and reviled as a degradation of the 4th Amendment of the United States Bill of Rights for targeting a service provided almost exclusively to the poor and in many cases to populations that are predominantly black and latino (the 4th is the amendment that was intended to protect citizens from unreasonable searches and seizures).

A Bit of Conjecture

There is one feature of this infrastructure that would be worth the trouble. Facial recognition capability is a hot topic for discussion amongst law enforcement officials of every jurisdiction. Imagine if you will a closely knit hodgepodge of surveillance video data that includes E-Pass toll cameras, red light cameras, intersection surveillance cameras, these new public transportation cameras and drone-based surveillance. With immediate license plate identification and federal warrant checks based on video surveillance already in place in many US cities, facial recognition for off-the-road automated identity checks is what is missing. This would provide a *huge* advantage for law enforcement. Manhunts would be a thing of the past. For fugitives, enemies of the state, and normal folks like you and me, there would be nowhere remotely resembling civilization to run. Even in this paranoid scenario, however, there is no need for audio recording.

[Hat Tip to Wired magazine for the scoop]
