Posts

Angry Mom and First Principles: What is the Nature of a Broken Lock?

/21 Comments/in , /by

This won’t be a cool, calm, collected post like Marcy writes, because it’s me, the angry mom. You might even have seen me Tuesday afternoon in the school parking lot waiting to pick up a kid after sports practice. I was the one gripping the steering wheel too tightly while shouting, “BULLSHIT!” at the top of my lungs at the radio.

The cause? This quote by President Obama and the subsequent interpretation by NPR’s Ari Shapiro.

President Obama to ABC’s new Latino channel, Fusion (1:34): It’s important for us to make sure that as technology develops and expands and the capacity for intelligence gathering becomes a lot greater that we make sure that we’re doing things in the right way that are reflective of our values.

Ari Shapiro (1:46): And, Audie, I think what you’re hearing in that quote is a sense that is widespread in this administration that technological improvements have let the government do all kinds of things they weren’t able to do before. They tapped the German Chancellor’s personal cellphone and nobody really stopped to ask whether these are things they should be doing. And so that question, just because we can do something, well, does it mean we should be doing it, that’s the question that seems to be the focus of this review.

Bullshit, bullshit, bullshit.

Here, let me spell this out in terms a school-aged kid can understand.

photo, left: shannonpatrick17-Flickr; left, Homedit

This is a doorknob with a lock; so is the second closure device on the right.

The lock technology used on the second door is very different; it’s no longer simple analog but digitally enhanced. The second lock’s technology might be more complicated and difficult to understand. But it’s still a lock; its intrinsic purpose is to keep unauthorized persons out.

If one were to pick either lock in any way, with any tools to enter a home that is not theirs and for which they do not have permission to enter, they are breaking-and-entering.

If it’s law enforcement breaching that lock, they’d better have a damned search warrant or a court order, in the absence of a clear emergency or obvious crime in progress.

The argument that information technology has advanced to the point where the NSA blindly stumbles along without asking whether they should do what they are doing, or asking whether they are acting legally is bullshit. They have actively ignored or bypassed the proverbial lock on the door. It matters not where the lock is located, inside or outside the U.S.

The Washington Post’s revelation Wednesday that the NSA cracked Yahoo’s and Google’s SSLsecure sockets layer — is equivalent to evidence of deliberately busted door locks. So is the wholesale undermining of encryption systems on computers, cellphones, and network equipment revealed in reports last month, whether by weakened standards or by willfully placed holes integrated in hardware or software.

The NSA has quite simply broken into every consumer electronic device used for communications, and their attached networks. When the NSA was forced to do offer explanations for their actions, they fudged interpretations of the Constitution and laws in order to continue what they were doing. Their arguments defending their behavior sound a lot like a child’s reasoning. Read more

Stupid Smartphones and Their Lying Lies

/23 Comments/in , /by

[Apple iPhone 5s via TheVerge.com]

[Apple iPhone 5c via TheVerge.com]

If you value emptywheel’s insights, donate the equivalent of a couple beers—and thanks for your readership and support.

My Twitter timelines across multiple accounts are buzzing with Apple iPhone 5s announcement news. Pardon me if I can’t get excited about the marvel that is iPhone’s new fingerprint-based biometric security.

Let’s reset all the hype:

There is no smartphone security available on the market we can trust absolutely to keep out the National Security Agency. No password or biometric security can assure the encryption contained in today’s smartphones as long as they are built on current National Institute of Standards and Technology (NIST) standards and/or the Trusted Computing Platform. The NSA has compromised these standards and TCP in several ways, weakening their effectiveness and ultimately allowing a backdoor through them for NSA use, bypassing any superficial security system.

There is nothing keeping the NSA from sharing whatever information they are gleaning from smartphones with other government agencies. Citizens may believe that information gleaned by the NSA ostensibly for counterterrorism may not be legally shared with other government agencies, but legality/illegality of such sharing does not mean it hasn’t and isn’t done. (Remember fusion centers, where government agencies were supposed to be able to share antiterrorism information? Perhaps these are merely window dressing on much broader sharing.)

There is no exception across the best known mobile operating systems to the vulnerability of smartphones to NSA’s domestic spying. Although Der Spiegel’s recent article specifically calls out iOS, Android, and Blackberry smartphones, Windows mobile OS is just as exposed. Think about it: if your desktop, laptop, and your netbook are all running the same Windows OS versions needing patches every month to fix vulnerabilities, the smartphone is equally wide open as these devices all use the same underlying code, and hardware built to the same NIST standards. Additionally, all Windows OS will contain the same Microsoft CryptoAPI believed to be weakened by the NSA.

If any of the smartphone manufacturers selling into the U.S. market say they are secure against NSA domestic spying, ask them to prove it. Go ahead and demand it — though it’s sure to be an exercise in futility. These firms will likely offer some non-denial denials and sputtering in place of a firm, “Yes, here’s proof” with a validated demonstration.

Oh, and the Touch ID fingerprint biometrics Apple announced today? You might think it protects not against the NSA but the crook on the street. But until Apple demonstrates they pass a gummy bear hackability test, don’t believe them.

And watch for smartphone thieves carrying tin snips.

NSA and Compromised Encryption: The Sword Cuts Both Ways

/19 Comments/in , /by

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

[Snapshot, Ralph Langner presentation re: Stuxnet, outlining payload extraction (c. 2012 via YouTube)]

If you want fresh and weedy perspectives you won’t find in corporate-owned media, please donate!

A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…

And * BOOM *

Payload delivered.

This is cyber weapon Stuxnet‘s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.

The toxic payload is encrypted and cannot be read until after the handshake, the name swap, and then decrypted when already deep inside the computer.

In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.

Defense, though, is but one side of the NSA’s sword; it has two lethal edges.

While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.

Encryption APIs (ex: Microsoft CryptoAPI embedded in Windows operating systems) are often used by higher level applications — for example, a random number generator within the API used to create unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.

In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.

We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.

One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.

Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.

A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.

And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications. Read more