When Strong Encryption Isn’t Enough to Protect Our Privacy

When Strong Encryption Isn’t Enough to Protect Our Privacy
By Bill Blunden
Feb 26 2015
<http://www.alternet.org/print/news-amp-politics/when-strong-encryption-isnt-enough-protect-our-privacy>

“None of the claims of what comsec works is to be taken saltless: Tor, OTR, ZTRP are lures.” —Cryptome [3], Dec. 30, 2014

In the aftermath of Edward Snowden’s disclosures, the American public has been deluged with talking points that advocate strong encryption as a universal solution for protecting our privacy. Unfortunately the perception of strong encryption as a panacea is flawed. In this report I’ll explain why strong encryption isn’t enough and then present some operational guidelines which can be used to enhance your online privacy. Nothing worthwhile is easy. Especially sidestepping the Internet’s global Eye of Providence.

Anyone who reads through privacy recommendations published by the Intercept [4] or the Freedom of the Press Foundation [5] will encounter the same basic lecture. In a nutshell they advise users to rely on open source encryption software, run it from a CD-bootable copy of the TAILS operating system, and route their Internet traffic through the TOR anonymity network.

This canned formula now has a degree of official support from, of all places, the White House. A few days ago during an interview with Re/Code, President Obama assured [6] listeners that “there’s no scenario in which we don’t want really strong encryption.” It’s interesting to note how this is in stark contrast to public admonishments [7] by FBI director James Comey this past October for key escrow encryption, which is anything but strong.

So it would appear that POTUS is now towing a line advocated by none other than whistler-blower Snowden who asserted [8] that “properly implemented strong crypto systems are one of the few things that you can rely on.”

Only there’s a problem with this narrative and its promise of salvation: When your threat profile entails a funded outfit like the NSA, cyber security is largely a placebo.

Down To the Metal

A report [9] released by Moscow-based anti-virus vendor Kaspersky Lab proves that, despite the self-congratulatory public relations messaging of Google or Apple, strong encryption might not be the trendy cure-all it’s cracked up to be. The NSA has poured vast resources into hacking hardware platforms across the board, creating firmware modifications [10] that allow[11] U.S. spies to “capture a machine’s encryption password, store it in ‘an invisible area inside the computer’s hard drive’ and unscramble a machine’s contents.”

On a side note, Kaspersky Lab is one of two companies authorized [12] by Russian security service to provide anti-virus technology to the Russian government. The company’s founder, Eugene Kaspersky, a former [13] Soviet intelligence officer himself, has links to the Russian Federal Security Service, or FSB. So it makes sense that the one company with the audacity and skill to publicly showcase a global espionage program by the NSA would also be a company aligned with a countervailing power center outside of the United States.

Anyway, when it comes to bare-metal skullduggery there are plenty [14] of proof-of-concept [15] examples available in the public domain. But these experiments are nothing compared to the slick production-level malware deployed by NSA spies. When the Pentagon aims for information dominance[16] it doesn’t screw around. Hence blind trust in encryption software is exposed as a sort of magical thinking.

Some people would argue that the NSA’s hardware hacks aren’t a big deal because they’re used selectively for targeted intrusions. One problem with this stance is that spy gear has a habit of filtering down into the underworld because spies and crooks are kindred spirits who often work together. Another problem is that the NSA is actively working to industrialize [17] attacks so that they can be pulled off on a mass scale against large swathes [18] of users. The recent discovery of pre-installed malware [19] on Lenovo PCs should offer an unsettling hint [20] of where spies and their front companies are taking things.

Face it, an intelligence agency that makes off [21] with the encryption keys from a large multinational company that manufactures billions of SIM cards each year is an agency that’s doing much more than just small-scale targeted hardware attacks. They want to “collect it all.”

OPSEC Is Law

“Iraqi Assault to Retake Mosul from Islamic State Is Planned for Spring” —New York Timesheadline, Feb. 20, 2015

Given the sorry state of software engineering and the sheer scope of clandestine subversion programs, if spies want to root your machine they’ll probably find a way. The Internet is akin to a vast swamp in the Deep South. Users wade through a hostile murky environment surrounded by alligators prowling silently just below the surface.

And don’t think that tools like Tor [22] will protect you. The FBI has demonstrated repeatedly that it can unmask [23] Tor users with exploits. The FBI’s collection of cyber scalps includes [24] a high-ranking cyber security director who probably thought his game was tight. The litany of Tor’s failures have led security researchers to conclude [25] that, “Tor makes you stick out as much as a transgender Mongolian in the desert.”

Hence when going toe-to-toe with spies from the NSA’s Office of Tailored Access Operations [26] or, heaven forbid, its more daunting CIA brethren [27]in the Special Collection Service [28], operational security (OPSEC) becomes essential. This isn’t cynical “privacy nihilism” but rather clear-headed contingency planning. Once the NSA owns a computer the only things that stands between the user and spies is OPSEC. It takes groundwork, patience and (most of all) discipline. Even the professionals get this wrong. And when they do the results can be disastrous.

For a graphic illustration of this contemplate the case of Ross Ulbricht, the creator of Silk Road. The celebrated Tor anonymity network did very little [29]to stop the feds from getting a bead on him. To make matters worse you’d think Ulbricht would know better [30] to work with his back to the room so the feds could sneak up on him before he could log off, leaving his encrypted laptop in a decidedly vulnerable state.

It didn’t help that the Silk Road’s servers were configured to auto-login certain client machines and that Ulbricht’s laptop just happened to be connected to the Silk Road servers as a full administrator. Ditto that for Bitcoin wallets on the aforementioned laptop which allowed law enforcement agents to trace [31]over $13 million in Bitcoins to Ulbricht. 

[snip] 

Re: Thoughts On Today’s FCC Net Neutrality Ruling

Note:  This comment comes from reader Brett Glass.  DLH]

Date: February 27, 2015 at 00:06:27 EST
To: “Dewayne Hendricks” <dewayne@warpspeed.com>
From: Brett Glass <brett@lariat.net>
Subject: Re: Thoughts On Today’s FCC Net Neutrality Ruling | Internet Society

Dewayne, and everyone on the list:

This discussion reminds me of the very first science fiction book I read as a child (which inspired me to read more sci-fi and ultimately become an engineer): “A Wrinkle in Time” by Madeleine L’Engle. At the climax of the book, the (female) protagonist — facing a monstrous, brain-like entity that forces humans into complete conformity — shouts, “Like and equal are not the same thing at all!”

Truer words were never spoken. To treat USERS of the Internet — the ones who matter — fairly, we must treat bits differently and perhaps “unfairly” (if, just for the sake of discussion, we anthropomorphize them).

That’s why the very first Internet routers — the PDP-11-based systems affectionately known as “Fuzzballs” — had code in them to prioritize interactive protocols such as Telnet over non-interactive ones such as FTP. Since this is a somewhat technical mailing list, it hopefully is not too geeky to post the actual code (in PDP-11 macro assembly language):

; Precedence and weight assignment policies
; r1 = buffer pointer (preserve r0)
;
; Note: Precedence is established by a sixteen-bit field. The high-order eight
; bits are copied from the TOS field in the IP datagram. The low-order eight
; bits are set at one for tcp/telnet and zero otherwise. Weight is established
; by a sixteen-bit field, which is set at the number of octets in the datagram
; rounded up to the next 64-octet boundary.
;
WOLFF:  MOV     R0,-(SP)        ;save
MOV     PH.OFS(R1),R0   ;compute total length
ADD     PH.LNG(R1),R0
ADD     #77,R0          ;round up to 64-octet boundary
BIC     #77,R0
MOV     R0,PH.WGT(R1)
CLRB    PH.PRC(R1)      ;set precedence field
MOVB    IH.TOS(R1),PH.PRC+1(R1)
CMPB    IH.PRO(R1),#P.TCP ;is this tcp-telnet
BNE     2$              ;branch if no
MOV     R1,R0
ADD     PH.OFS(R1),R0
CMP     (R0)+,#S.TEL
BEQ     1$              ;branch if yes
CMP     (R0)+,#S.TEL
BNE     2$              ;branch if no
1$:     INC     PH.PRC(R1)      ;yes. bump precedence
2$:     MOV     (SP)+,R0        ;evas
RTS     PC

As one can see from the code, the router took into account the priority desired by the user (encoded in the header of the packet), the size of the packet, and whether the session was a Telnet session, and created a priority word that other parts of the code could use to determine how packets were dequeued in the event of congestion. The result: users would be less likely to suffer maddening delays while typing, while downloaders would barely notice the difference in the speeds of long file downloads because the prioritized Telnet packets were short. (The subroutine bears the name of Stephen Wolff, one of the “fathers” of the Internet, who worked on ARPANET, NSFNet, and more recently Internet2 — a special, government-funded Internet “fast lane” for academic institutions. He is also, among other things, a recipient of the Internet Society’s Postel Award.)

This was, and is, a good engineering solution. But we can’t — and shouldn’t — expect politically appointed bureaucrats ever to understand it. Nor should we expect corporations not to exert political pressure (as Google and Netflix did, when they goaded the White House to push for the regulations) to have their own packets prioritized.

The best we, as engineers, can do is ask that the regulators keep their hands off the Net unless there is an actual problem to solve — and it is one that can be solved via a political, rather than engineering, solution. The current so-called “network neutrality” regulations are not in any way “neutral.” They’re a “solution” that doesn’t work to a “problem” that doesn’t exist. And what’s more, they are illegal according to the plain language of Title II itself! (See 47 USC 230 for that language.) Let’s hope that the courts overturn them quickly and that engineers are allowed to optimize networks so as to provide the best user experience without government interference.

–Brett Glass

Thoughts On Today’s FCC Net Neutrality Ruling
By Sally Wentworth
Feb 26 2015
<http://www.internetsociety.org/blog/public-policy/2015/02/thoughts-todays-fcc-net-neutrality-ruling>

A different cluetrain

[Note:  This item comes from friend David Rosenthal.  DLH]

A different cluetrain 
By Charlie Stross 
Feb 25 2015 
<http://www.antipope.org/charlie/blog-static/2015/02/a-different-cluetrain.html <http://www.antipope.org/charlie/blog-static/2015/02/a-different-cluetrain.html>>

Right now, I’m chewing over the final edits on a rather political book. And I think, as it’s a near future setting, I should jot down some axioms about politics …

• We’re living in an era of increasing automation. And it’s trivially clear that the adoption of automation privileges capital over labour (because capital can be substituted for labour, and the profit from its deployment thereby accrues to capital rather than being shared evenly across society).

• A side-effect of the rise of capital is the financialization of everything—capital flows towards profit centres and if there aren’t enough of them profits accrue to whoever can invent some more (even if the products or the items they’re guaranteed against are essentially imaginary: futures, derivatives, CDOs, student loans).

• Since the collapse of the USSR and the rise of post-Tiananmen China it has become glaringly obvious that capitalism does not require democracy. Or even benefit from it. Capitalism as a system may well work best in the absence of democracy.

• The iron law of bureaucracy states that for all organizations, most of their activity will be devoted to the perpetuation of the organization, not to the pursuit of its ostensible objective. (This emerges organically from the needs of the organization’s employees.)

• Governments are organizations.

• We observe the increasing militarization of police forces and the priviliging of intelligence agencies all around the world. And in the media, a permanent drumbeat of fear, doubt and paranoia directed at “terrorists” (a paper tiger threat that kills fewer than 0.1% of the number who die in road traffic accidents).

• Money can buy you cooperation from people in government, even when it’s not supposed to.

• The internet disintermediates supply chains.

• Political legitimacy in a democracy is a finite resource, so supplies are constrained.

• The purpose of democracy is to provide a formal mechanism for transfer of power without violence, when the faction in power has lost legitimacy.

• Our mechanisms for democratic power transfer date to the 18th century. They are inherently slower to respond to change than the internet and our contemporary news media.

• A side-effect of (7) is the financialization of government services (2).

• Security services are obeying the iron law of bureaucracy (4) when they metastasize, citing terrorism (6) as a justification for their expansion.

• The expansion of the security state is seen as desirable by the government not because of the terrorist threat (which is largely manufactured) but because of (11): the legitimacy of government (9) is becoming increasingly hard to assert in the context of (2), (12) is broadly unpopular with the electorate, but (3) means that the interests of the public (labour) are ignored by states increasingly dominated by capital (because of (1)) unless there’s a threat of civil disorder. So states are tooling up for large-scale civil unrest.

• The term “failed state” carries a freight of implicit baggage: failed at what, exactly? The unspoken implication is, “failed to conform to the requirements of global capital” (not democracy—see (3)) by failing to adequately facilitate (2).

• I submit that a real failed state is one that does not serve the best interests of its citizens (insofar as those best interests do not lead to direct conflict with other states).

• In future, inter-state pressure may be brought to bear on states that fail to meet the criteria in (15) even when they are not failed states by the standard of point (16). See also: Greece.

[snip]

The everyday terror we all live with

The everyday terror we all live with 
By digby
Feb 16 2015
<http://digbysblog.blogspot.com.br/2015/02/the-everyday-terror-we-all-live-with.html>

I realize that terrorism is scary and I certainly hope that the US doesn’t suffer any more attacks from Islamic extremists any time soon.

But this is the kind of thing that really scares the hell out of me and it’s all too common in America:
After giving her 15-year-old daughter a driving lesson in the parking lot of a Las Vegas middle school last Thursday night, Tammy Meyers nearly hit another car on their drive home. That car apparently followed them home, police say, where one passenger opened fire, hitting Meyers in the head. Meyers, 44, died at University Medical Center Saturday after her family took her off life support.

According to the Las Vegas Review-Journal, after avoiding the wreck with the other vehicle, Meyers pulled over, and got into an argument with the three people reportedly in the second car; one apparently threatened her.

The car allegedly followed the Meyers’ home, and after the mother and daughter pulled in front of their house, opened fire. Tammy’s husband, Robert, told the Associated Press that after hearing gunshots, the couple’s adult son ran out of the house with a handgun, firing several shots. ABC News reports the daughter had run inside before the shooting started.

We live in a shooting gallery in this country. The bullet of a random armed asshole angry about a fender bender is far more likely to kill us than a terrorist:

[snip]

Why Does the FBI Have To Manufacture Its Own Plots If Terrorism and ISIS Are Such Grave Threats?

[Note:  This item comes from friend David Rosenthal.  DLH]

WHY DOES THE FBI HAVE TO MANUFACTURE ITS OWN PLOTS IF TERRORISM AND ISIS ARE SUCH GRAVE THREATS?
By GLENN GREENWALD
Feb 26 2015
<https://firstlook.org/theintercept/2015/02/26/fbi-manufacture-plots-terrorism-isis-grave-threats/>

The FBI and major media outlets yesterday trumpeted the agency’s latest counterterrorism triumph: the arrest of three Brooklyn men, ages 19 to 30, on charges of conspiring to travel to Syria to fight for ISIS (photo of joint FBI/NYPD press conference, above). As my colleague Murtaza Hussain ably documents, “it appears that none of the three men was in any condition to travel or support the Islamic State, without help from the FBI informant.” One of the frightening terrorist villains told the FBI informant that, beyond having no money, he had encountered a significant problem in following through on the FBI’s plot: his mom had taken away his passport. Noting the bizarre and unhinged ranting of one of the suspects, Hussain noted on Twitter that this case “sounds like another victory for the FBI over the mentally ill.”

In this regard, this latest arrest appears to be quite similar to the overwhelming majority of terrorism arrests the FBI has proudly touted over the last decade. As my colleague Andrew Fishman and I wrote last month— after the FBI manipulated a 20-year-old loner who lived with his parents into allegedly agreeing to join an FBI-created plot to attack the Capitol — these cases follow a very clear pattern:

The known facts from this latest case seem to fit well within a now-familiar FBI pattern whereby the agency does not disrupt planned domestic terror attacks but rather creates them, then publicly praises itself for stopping its own plots.

First, they target a Muslim: not due to any evidence of intent or capability to engage in terrorism, but rather for the “radical” political views he expresses. In most cases, the Muslim targeted by the FBI is a very young (late teens, early 20s), adrift, unemployed loner who has shown no signs of mastering basic life functions, let alone carrying out a serious terror attack, and has no known involvement with actual terrorist groups.

They then find another Muslim who is highly motivated to help disrupt a “terror plot”: either because they’re being paid substantial sums of money by the FBI or because (as appears to be the case here) they are charged with some unrelated crime and are desperate to please the FBI in exchange for leniency (or both). The FBI then gives the informant a detailed attack plan, and sometimes even the money and other instruments to carry it out, and the informant then shares all of that with the target. Typically, the informant also induces, lures, cajoles, and persuades the target to agree to carry out the FBI-designed plot. In some instances where the target refuses to go along, they have their informant offer huge cash inducements to the impoverished target.

Once they finally get the target to agree, the FBI swoops in at the last minute, arrests the target, issues a press release praising themselves for disrupting a dangerous attack (which it conceived of, funded, and recruited the operatives for), and the DOJ and federal judges send their target to prison for years or even decades (where they are kept in special GITMO-like units). Subservient U.S. courts uphold the charges by applying such a broad and permissive interpretation of “entrapment” that it could almost never be successfully invoked.

Once again, we should all pause for a moment to thank the brave men and women of the FBI for saving us from their own terror plots.

[snip]

Thoughts On Today’s FCC Net Neutrality Ruling

Thoughts On Today’s FCC Net Neutrality Ruling
By Sally Wentworth
Feb 26 2015
<http://www.internetsociety.org/blog/public-policy/2015/02/thoughts-todays-fcc-net-neutrality-ruling>

Today the eyes of many people around the world have been focused on Washington, DC, as the U.S. Federal Communications Committee (FCC) held an Open Meeting where they voted on a Report and Order around “Protecting and Promoting the Open Internet”. More commonly known as the ruling on “Network Neutrality”, the vote today represents what is a potentially major shift in the longstanding policy of the United States with regard to regulation of Internet services.

The Internet Society has always supported the fundamental values of a global, open Internet grounded in transparency, access and choice. We believe that openness should be the guiding principle that continues to enable the success and growth of the Internet. The goals of the U.S. Federal Communication Commission’s (FCC) Open Internet Order – providing U.S. consumers with meaningful transparency, addressing concerns over blocking and discrimination, clarifying the role of reasonable network management, and enabling the permissionless innovation that has led to the success of the Internet today – are all really important.

However, if we look at this in light of a range of proposals around the world that aim to apply policies designed for telecommunications networks and services to the Internet, we consider it possible that such an approach could result in the opposite consequences. We realize that there are unique legislative and procedural challenges in the U.S., but we are concerned with the FCC’s decision to base new rules for the modern Internet on decades-old telephone regulations designed for a very different technological era.

Regulatory approaches that could affect the sustainability of the global, open Internet need to take into account the technical reality of how networks are operated and managed. Allowing the necessary technological flexibility to keep pace with rapid innovation is integral to ensuring the continued growth and success of the Internet. We believe we need to be careful that this flexibility is not undermined by the use of a regulatory framework designed to govern the old telecommunications system.

The explosive innovation that has occurred over the last two decades has allowed for communities across the world to participate in and benefit from connectivity, both socially and economically. Promoting Internet access and availability is integral to the success of our digital future, and global public policies should continue to be guided by the fundamentals that have contributed to the Internet’s growth. We believe a regulatory paradigm ill-suited for the current and future Internet ecosystem could have severe implications on this continued success.

As a global organization, we recognize that the FCC’s decision today applies only to the United States, but we also realize that other nations may look to the FCC’s ruling as a model for their own regulations. For that reason it’s critical to us that regulations of this nature be compatible with the principles that have led to the innovation and opportunity that are the hallmarks of today’s global Internet.

We know that these are complex issues and that working to maintain the benefits of an open Internet presents us all with an ongoing challenge. We look forward to reviewing the full text of the FCC’s Order once it’s released.

FCC votes for net neutrality, a ban on paid fast lanes, and Title II

FCC votes for net neutrality, a ban on paid fast lanes, and Title II
Internet providers are now common carriers, and they’re ready to sue.
By Jon Brodkin
Feb 26 2015
<http://arstechnica.com/business/2015/02/fcc-votes-for-net-neutrality-a-ban-on-paid-fast-lanes-and-title-ii/>

The Federal Communications Commission today voted to enforce net neutrality rules that prevent Internet providers—including cellular carriers—from blocking or throttling traffic or giving priority to Web services in exchange for payment.

The most controversial part of the FCC’s decision reclassifies fixed and mobile broadband as a telecommunications service, with providers to be regulated as common carriers under Title II of the Communications Act. This decision brings Internet service under the same type of regulatory regime faced by wireline telephone service and mobile voice, though the FCC is forbearing from stricter utility-style rules that it could also apply under Title II.

The decision comes after a year of intense public interest, with the FCC receiving four million public comments from companies, trade associations, advocacy groups, and individuals. President Obama weighed in as well, asking the FCC to adopt the rules using Title II as the legal underpinning. The vote was 3-2, with Democrats voting in favor and Republicans against.

Chairman Tom Wheeler said that broadband providers have the technical ability and financial incentive to impose restrictions on the Internet. Wheeler said further:

The Internet is the most powerful and pervasive platform on the planet. It is simply too important to be left without rules and without a referee on the field. Think about it. The Internet has replaced the functions of the telephone and the post office. The Internet has redefined commerce, and as the outpouring from four million Americans has demonstrated, the Internet is the ultimate vehicle for free expression. The Internet is simply too important to allow broadband providers to be the ones making the rules.

This proposal has been described by one opponent as “a secret plan to regulate the Internet.” Nonsense. This is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech. They both stand for the same concepts: openness, expression, and an absence of gate keepers telling people what they can do, where they can go, and what they can think.

Wheeler also said putting rules in place will give network operators the certainty they need to keep investing.

Commissioner Mignon Clyburn, the longest-tenured commissioner and someone who supported Title II five years ago, said the net neutrality order does not address only theoretical harms.

“This is more than a theoretical exercise,” she said. “Providers here in the United States have, in fact, blocked applications on mobile devices, which not only hampers free expression, it also restricts innovation by allowing companies, not the consumer, to pick winners and losers.”

Clyburn convinced Chairman Tom Wheeler to remove language that she believed was problematic.

“We worked closely with the chairman’s office to strike an appropriate balance and, yes, it is true that significant changes were made at my office’s request, including the elimination of the sender side classification, but I firmly believe that these edits have strengthened this item,” she said.

Clyburn, Google, and consumer advocacy groups told Wheeler that language classifying a business relationship between ISPs and Web services as a common carrier service could give ISPs grounds to charge online content providers for access to their networks. This language was apparently removed, but service that ISPs offer to home and business Internet users was still reclassified as a common carrier service. FCC officials believe this classification alone gives them power to enforce net neutrality rules and oversee network interconnection disputes that affect consumers.

Internet service providers such as Comcast, AT&T, and Verizon lobbied heavily against the Title II decision and could sue to overturn the rules. But Wheeler believes Title II puts the FCC on stronger legal ground. The FCC previously passed net neutrality rules in 2010, relying on some of its weaker authority, but the rules were largely overturned after a Verizon lawsuit.

By winning that case, Verizon inadvertently opened itself and all other Internet providers up to even stricter rules. The new rules go beyond the net neutrality rules passed in 2010. And this time around, the FCC is applying the rules equally to fixed and mobile broadband, whereas its 2010 rules went easier on Verizon’s wireless subsidiary and other cellular companies.

The core net neutrality provisions are bans on blocking and throttling traffic, a ban on paid prioritization, and a requirement to disclose network management practices. Broadband providers will not be allowed to block or degrade access to legal content, applications, services, and non-harmful devices or favor some traffic over others in exchange for payment. There are exceptions for “reasonable network management” and certain data services that don’t use the “public Internet.” Those include heart monitoring services and the Voice over Internet Protocol services offered by home Internet providers.

The reasonable network management exception applies to blocking and throttling but not paid prioritization.

[snip]