Re: [cryptography] ICIJ's project - comment on cryptography tools
Some OT comments to an OT response...

On Mon, Apr 8, 2013 at 8:30 AM, ianG i...@iang.org wrote: On 7/04/13 09:38 AM, Nico Williams wrote: [big snip] We've built a house of cards, not so much on the Internet as on the web (but not only!). Web application security is a complete mess. And anyways, we build on foundations, but the foundations (operating systems) we built on are now enormous and therefore full of vulnerabilities. We're human -fallible-, and our systems reflect this -our failures-.

Yeah, this is the popular explanation -- we're not good enough. Let me pose another thought question. Most of the long termers here understand how Skype, SSH and now Bitcoin were constructed. Peter adds iMessage to the list of successful crypto systems. Many of us here could make a fair stab at duplicating that in another product. I'd personally have confidence in that statement -- given the budget I'd reckon Steve, Jon, Peter, James, and a dozen other frequent posters could do that job well, or a similar one.

Sorry, but I agree with Nico on this one. The problem is the brittleness of our systems. One tiny problem and it allows the entire system to break down and suffer vulnerabilities. An attacker only has to find one way in. And to be clear, as bad as developers handle cryptography, cryptography, even when used poorly, is seldom the weakest link. No...the problem is that humans just suck at writing secure code... for that matter, we suck at writing _correct_ code (which often results in insecure code). And while I can't comment on Bitcoin or iMessage, I do know that both Skype and OpenSSH have had their share of vulnerabilities and probably an order of magnitude or more of non-security related bugs. As humans, we make lots of mistakes in many other endeavors, but in many of those cases, the human element itself is the end recipient / consumer of those systems and it is a lot more resilient than our computer systems are to errors.
Case in point, see how many typos you can find in this particular email thread...spelling errors, grammatical errors, etc. Most of us probably read right through them. I'm pretty sure that none of those errors made our brain reboot. ;-) Try the analogous thing with computer code and at best you have a harmless bug, but often you get a security vulnerability. So far, we haven't invented computer systems that work on a Do What I Mean, Not What I Say. Fortunately the human brain seems to grok DWIMNWIS. (Google for Cna Yuo Raed Tihs? for one popular example.)

I therefore suggest the popular explanation doesn't really pass muster. I say we really are good enough.

That depends on what you mean by good enough. I would agree that most crypto is good enough, but one reason for that is that there generally are so many more easily exploitable vulnerabilities: why bother with the crypto? For instance, when your web app is full of XSS and SQLi, why would an attacker try some attack against TLS? It would be pointless. On the other hand, if all other vulnerabilities were somehow magically removed and only the crypto ones remained so that they were indeed the weakest link, I think the crypto-related exploits would start getting a lot more play.

Why did they succeed, as an exception, but we did not, as the general rule? The strange names and origins are a possible clue. I suggest the same reason that a couple of bored scientists succeeded in creating a games platform that was then turned into a document preparation platform that then became a standard OS teaching tool and eventually by many steps is now in the hands of most of the planet: they did it without interference. They were in Area 11 (research) and back in the day, that research wasn't required to be directly applicable.

Today I think something like this would be rare, at least outside of universities, because there is just too much pressure to turn everything into product in order to make profits.
PS: ok, that last comment about Unix requires some mental juggery. The bored scientists did something that they were banned from doing. At the time, ATT was party to a cartel agreement with IBM that reserved computing to IBM and networking to ATT. How quaint! This had the perverse effect of turning Ritchie and Kernighan's toy into a skunk

Uh, that would actually be Ritchie and Thompson, but I'm sure you knew that. :)

works project, in effect allowing everyone to politely ignore it. Unix survived and grew within Bell Labs because ATT could not commercialise it, and therefore the project was purely an academic exercise. Hence, the corporate interference was untypically low to non-existent. Hence, it grew in Universities only.

OK, that last part is a bit misleading. I worked at Bell Labs from 79-96 and Unix was used in many of our internal systems, not just as development platforms but also as operations support systems, call routing systems, etc. So it was commercialized in a sense. ATT
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 8/04/13 04:06 AM, Peter Gutmann wrote: Kevin W. Wall kevin.w.w...@gmail.com writes: I think you're giving the NSA way too much credit on why security sucks. Even if we were to restrict 'security' to the scope of cryptography, even there, I think the NSA has much less to do with dumbing down crypto security than other factors. Exactly. If the NSA didn't exist at all the only difference we'd notice is that there'd be less of this weird obsession with ECDSA (via pressure to adopt Suite B). Computer security as a whole wouldn't suck any less.

I think we all suffer a fair amount of cognitive dissonance on this one. We all know stories. DES is now revealed as interfered with, yet for decades we told each other it was just parity bits. The same process happened to GSM -- MiBs specified the 40 bit key, but because it was a secret design, they didn't need to create a legend to hide the 16 bits of zeroes. Add in export control regs, add in the war against PRZ. If someone were to do a longitudinal study of the public knowledge of the interference, I think it would mount up. Individually, we can ignore those stories as conspiracy theory, but in aggregate, much harder.

IMO, the biggest factor is that 95% or more of developers are completely ignorant of best practices in cryptography. At the other end of the scale, 99.9% of developers who do know security have no idea how to create *usable* security. At the moment there are exactly two crypto-using products I can think of that I'd feel confident a random member of the public could walk up and use, those being Skype and iMessage.

This is the good news. I think the message has finally got through that usability is more important than classical CIA, etc. (Unfortunately to the crypto-purists they're not good enough because they're MITM-able. You should be tunnelling SIP over OpenVPN, it's really easy, here's a pointer to a list of links to 100-page discussion threads on web boards for ways of doing this that may work sometimes).
Yeah. This is a mystery to me, where did this crap come from? Although it aligns perfectly with the geek mentality, other specialties in CS tend to create a greater resistance to the guild mentality. I can't pin the causality on it as yet.

Incidentally, the NSA is, from all the reports I've seen, even worse than we are at making security usable. My favourite publication on security usability, Laura Heath's An Analysis of the System Security Weaknesses of the US Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, goes into this in more detail.

A great read! An interference attack can be extremely high-leverage. Being good at it can do a lot of damage. This however doesn't mean that one is any good at defence. Peter. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Apr 8, 2013, at 7:38 AM, ianG i...@iang.org wrote: We all know stories. DES is now revealed as interfered with, yet for decades we told each other it was just parity bits.

But it turned out that the interference was to make it *stronger* against attacks, differential cryptanalysis, that only the NSA and IBM knew about at the time. If history is a guide, weaknesses that TLAs insist on are transparent. They are about (effective) key size. We have no way to know whether this will continue to be the case, but I'd imagine that the gap in knowledge between the NSA and the academic community diminishes over time; so that makes me think that they'd be even more reluctant to try to slip in a hidden weakness today than in 1975.
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 6/04/13 07:27 AM, Nico Williams wrote: On Fri, Apr 5, 2013 at 9:17 PM, NgPS n...@rulemaker.net wrote: In the movies and presumably in real life, bad guys have smart crooked lawyers advising them. Surely the bad guys have the resources to set up a bunch of servers a la iMessage/Whatsapp, and write/deploy their own apps on their mobile devices, running stripped-down custom ROMs, to communicate via these servers, to avoid 3rd party MITM. Don't even need crooked developers, just advertise on Hacker News and a whole bunch of hackers will jump on it. It'd be nice (for good guys certainly) to be able to open-code everything that one needs, or otherwise review all of the source code to the object code that one needs. In practice you cannot do this. It's ETOOMUCH.

That's the best short description I've seen yet!

In the worst case scenario for the LEA there's still traffic analysis and warrants/court orders/rubber hoses that they can resort to. Crypto only helps the good guys w.r.t. bad guys and other governments (and then only sometimes); crypto is just a polite way of saying try harder, get a warrant to the LEA with jurisdiction over you (or your devices). For LEA my guess is that the biggest problem isn't how to get at evidence, but how to know who the bad guys are: in a sea of traffic it's hard to tell when you don't even know what's needles and what's hay, which must be why LEA tend to have such a dislike for good guy crypto.

This bit: We hope the NSA types haven't forgotten that good guys need crypto, whether LEA like it or not.

I personally believe that the NSA's policy that the good guys don't need good crypto is the underlying root to the problem. A goodly portion if not all. Internally to the NSA this is known as 'the equity issue' or so I've heard. In economic terms, the NSA imposes a sort of Tobin tax on crypto which results in a stupidity drag on all security, thus making it easier for all to avoid doing good work.
Otherwise, I can't answer the question -- why as a society are we so good at internets, databases, apps, social networks, distribution of institutions, algorithms, all the good CS stuff, but we can't get our collective security act together? iang
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Thu, Apr 04, 2013 at 11:51:06PM +0300, ianG wrote: http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/ iang, who never even knew it was encrypted!

Presumably messages are stored in clear text on Apple's servers, similarly on servers of WhatsApp, Viber, LINE, Skype, etc., and are subject to LEA coercion, I mean, subpoena.
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Thu, Apr 04, 2013 at 04:39:31PM -0500, Nico Williams wrote: Basically, this complaint by the DEA is disinformation or misinformation (or both!). If the former case we might even be staring at the start of a new crypto wars period.

In the movies and presumably in real life, bad guys have smart crooked lawyers advising them. Surely the bad guys have the resources to set up a bunch of servers a la iMessage/Whatsapp, and write/deploy their own apps on their mobile devices, running stripped-down custom ROMs, to communicate via these servers, to avoid 3rd party MITM. Don't even need crooked developers, just advertise on Hacker News and a whole bunch of hackers will jump on it. The CNET article sounds more like a cheapo trick to drive web traffic.
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Fri, Apr 5, 2013 at 9:17 PM, NgPS n...@rulemaker.net wrote: In the movies and presumably in real life, bad guys have smart crooked lawyers advising them. Surely the bad guys have the resources to set up a bunch of servers a la iMessage/Whatsapp, and write/deploy their own apps on their mobile devices, running stripped-down custom ROMs, to communicate via these servers, to avoid 3rd party MITM. Don't even need crooked developers, just advertise on Hacker News and a whole bunch of hackers will jump on it.

It'd be nice (for good guys certainly) to be able to open-code everything that one needs, or otherwise review all of the source code to the object code that one needs. In practice you cannot do this. It's ETOOMUCH.

In the worst case scenario for the LEA there's still traffic analysis and warrants/court orders/rubber hoses that they can resort to. Crypto only helps the good guys w.r.t. bad guys and other governments (and then only sometimes); crypto is just a polite way of saying try harder, get a warrant to the LEA with jurisdiction over you (or your devices). For LEA my guess is that the biggest problem isn't how to get at evidence, but how to know who the bad guys are: in a sea of traffic it's hard to tell when you don't even know what's needles and what's hay, which must be why LEA tend to have such a dislike for good guy crypto.

We hope the NSA types haven't forgotten that good guys need crypto, whether LEA like it or not. Nico --
[cryptography] ICIJ's project - comment on cryptography tools
In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work:

ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files

hat tip to Lynn Wheeler's lynn'o'gram. iang.
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 4/04/13 21:43 PM, Jon Callas wrote: On Apr 4, 2013, at 6:27 AM, ianG i...@iang.org wrote: In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work: ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files

Thanks! This is great. It just drives home that usability is all.

Just to underline Jon's message for y'all, they should have waited for iMessage:

Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge.
The DEA's warning, marked law enforcement sensitive, is the most detailed example to date of the technological obstacles -- FBI director Robert Mueller has called it the Going Dark problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication. When Apple's iMessage was announced in mid-2011, Cupertino said it would use secure end-to-end encryption. It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/ iang, who never even knew it was encrypted!
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Apr 4, 2013, at 4:51 PM, ianG i...@iang.org wrote: On 4/04/13 21:43 PM, Jon Callas wrote: On Apr 4, 2013, at 6:27 AM, ianG i...@iang.org wrote: In a project similar to Wikileaks, ICIJ comments on tools it used to secure its team-based project work: ICIJ’s team of 86 investigative journalists from 46 countries represents one of the biggest cross-border investigative partnerships in journalism history. Unique digital systems supported private document and information sharing, as well as collaborative research. These included a message center hosted in Europe and a U.S.-based secure online search system. Team members also used a secure, private online bulletin board system to share stories and tips. The project team’s attempts to use encrypted e-mail systems such as PGP (“Pretty Good Privacy”) were abandoned because of complexity and unreliability that slowed down information sharing. Studies have shown that police and government agents – and even terrorists – also struggle to use secure e-mail systems effectively. Other complex cryptographic systems popular with computer hackers were not considered for the same reasons. While many team members had sophisticated computer knowledge and could use such tools well, many more did not. http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files

Thanks! This is great. It just drives home that usability is all.

Just to underline Jon's message for y'all, they should have waited for iMessage:

Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge.
The DEA's warning, marked law enforcement sensitive, is the most detailed example to date of the technological obstacles -- FBI director Robert Mueller has called it the Going Dark problem -- that police face when attempting to conduct court-authorized surveillance on non-traditional forms of communication. When Apple's iMessage was announced in mid-2011, Cupertino said it would use secure end-to-end encryption. It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/

There's a long thread on Twitter (look for Julian Sanchez, @normative) on this, with comments from me, Matt Blaze, Nick Weaver, and others. Also see Julian's blog post at http://www.cato.org/blog/untappable-apple-or-dea-disinformation --Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] ICIJ's project - comment on cryptography tools
On Thu, Apr 4, 2013 at 3:51 PM, ianG i...@iang.org wrote: On 4/04/13 21:43 PM, Jon Callas wrote: This is great. It just drives home that usability is all. Just to underline Jon's message for y'all, they should have waited for iMessage: Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals. [...]

But note that this doesn't mean that iMessage can't be MITMed or otherwise be made susceptible (if it isn't already) to MITM attacks or plain traffic analysis. iMessage relies on Apple as a trusted third-party. Therefore Apple can MITM its users. The best case scenario is that the iMessage clients can add key pinning to force the TTP to either never MITM or always MITM any pair of peers. But since the TTP also distributes the client software...

Online we have lots of security problems that are difficult to resolve, from physical security of devices (there's not enough) to the lack and general difficulty/impossibility of reliably open-coding or reviewing everything that one has to trust (mostly software, and some firmware too).

Basically, this complaint by the DEA is disinformation or misinformation (or both!). If the former case we might even be staring at the start of a new crypto wars period. Nico --
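Nico's point about key pinning against a trusted third party, as an added illustration that is not code from the thread, from Apple or from iMessage: a toy key directory plays the TTP, and a client pins the first key it sees for each peer. Pinning detects a substitution that begins or ends after first contact, which is why it pushes the directory towards never or always; only an out-of-band fingerprint comparison catches a substitution already in place at first contact. The names, keys and scenarios are constructed, and the model deliberately leaves out the separate problem of the TTP also shipping the client software.

```python
# Added example (not from the thread); all names and keys are constructed.
import hashlib
from dataclasses import dataclass, field

def fingerprint(pubkey: bytes) -> str:
    # Short hash of a public key, the kind pinning UIs show to users.
    return hashlib.sha256(pubkey).hexdigest()[:16]

class KeyDirectory:
    """The TTP: answers with registered keys unless a substitution is in effect."""
    def __init__(self):
        self._keys = {}
        self._substituted = {}   # peer -> key the directory answers with instead

    def register(self, user, pubkey):
        self._keys[user] = pubkey

    def substitute(self, user, pubkey):
        # Models a dishonest directory; pubkey=None returns it to honest answers.
        self._substituted[user] = pubkey

    def lookup(self, user):
        return self._substituted.get(user) or self._keys[user]

class PinMismatch(Exception):
    """The directory's answer differs from the key pinned for this peer."""

@dataclass
class PinningClient:
    directory: KeyDirectory
    pins: dict = field(default_factory=dict)   # peer -> pinned fingerprint

    def key_for(self, peer):
        key = self.directory.lookup(peer)
        fp = fingerprint(key)
        if peer not in self.pins:
            self.pins[peer] = fp       # trust on first use: pin whatever we got
        elif self.pins[peer] != fp:
            raise PinMismatch(f"{peer}: pinned {self.pins[peer]}, got {fp}")
        return key

    def verify_out_of_band(self, peer, peer_real_key):
        # Compare the pin with the fingerprint the peer reads out in person.
        return self.pins.get(peer) == fingerprint(peer_real_key)

def pin_check(client, peer):
    """Look the peer up again and report whether the pin fired."""
    try:
        client.key_for(peer)
        return "undetected"
    except PinMismatch:
        return "detected"

BOB_KEY = b"constructed-bob-public-key"
SWAPPED_KEY = b"constructed-directory-controlled-key"

def late_substitution():
    """Honest at first contact, substituted afterwards: the pin catches it."""
    d = KeyDirectory()
    d.register("bob", BOB_KEY)
    alice = PinningClient(d)
    alice.key_for("bob")
    d.substitute("bob", SWAPPED_KEY)
    return pin_check(alice, "bob")

def first_contact_substitution():
    """Substituted before first contact: the pin is silent, the out-of-band
    check is not, and the pin fires as soon as the directory turns honest."""
    d = KeyDirectory()
    d.register("bob", BOB_KEY)
    d.substitute("bob", SWAPPED_KEY)
    alice = PinningClient(d)
    alice.key_for("bob")                               # pins the substituted key
    oob_ok = alice.verify_out_of_band("bob", BOB_KEY)  # False: pin is wrong
    d.substitute("bob", None)
    return "undetected", oob_ok, pin_check(alice, "bob")
```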
Re: [cryptography] ICIJ's project - comment on cryptography tools
ianG i...@iang.org writes: An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a federal judge. So Louis Freeh has joined the DEA? Or did they just strike the mid-90s dates on the reports and add today's date? Peter (still waiting for the sky to fall 20 years later).
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 2013-04-05 10:47 AM, James A. Donald wrote: How does it work? Is it really secure, and if it is, how did they manage a not one click for security user interface? Already answered by others on this list. Not secure, apple can MIM it.
Re: [cryptography] ICIJ's project - comment on cryptography tools
On 5/04/13 05:36 AM, James A. Donald wrote: On 2013-04-05 10:47 AM, James A. Donald wrote: How does it work? Is it really secure, and if it is, how did they manage a not one click for security user interface? Already answered by others on this list. Not secure, apple can MIM it.

Seems like. However, the barrier for that seems somewhat higher than an intercept or pen register. (Entering into full speculation mode here) I suspect that one would need a direct court order akin to a full search seizure in order to give the feds access to the messages; it seems to involve handing over the entire device key to clone the full personality.

The original CNN article doesn't pass muster, a far more skeptical and analytical one is here: http://securitywatch.pcmag.com/none/310015-the-real-reason-the-feds-can-t-read-your-imessages iang