Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell <b...@scannell.org> wrote:
> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>
> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."

Snowden persuaded other NSA workers to give up passwords: http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

Jeff

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Snowden: Fabricating Digital Keys?
At 12:55 PM 11/8/2013, you wrote:
> Snowden persuaded other NSA workers to give up passwords: http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.

From the FISA Improvements Act of 2013 (30 October 2013):

(5) AUTOMATED REPORTING.

(A) REQUIREMENT FOR AUTOMATED REPORTING. The Director of National Intelligence, in consultation with the head of the agency responsible for acquisitions pursuant to orders subject to the requirements of this subsection, shall establish a technical procedure whereby the aggregate number of queries performed pursuant to this subsection in the previous quarter shall be recorded automatically, and subsequently reported to the appropriate committees of Congress.

(B) AVAILABILITY UPON REQUEST. The information reported under subparagraph (A) shall be available to each of the following upon request:
(i) The Inspector General of the National Security Agency.
(ii) The Inspector General of the Intelligence Community.
(iii) The Inspector General of the Department of Justice.
(iv) Appropriate officials of the Department of Justice.
(v) Appropriate officials of the National Security Agency.
(vi) The Privacy and Civil Liberties Oversight Board.
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:17 PM, Bill Scannell <b...@scannell.org> wrote:
> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>
> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."

"General Keith Alexander admitted just last week that the NSA is using MS SharePoint to share security information with other state agencies. These tools are favored because they tend to support the ad-hoc ebb and flow of natural human collaboration across blurry corporate boundaries." http://www.wired.com/insights/2013/07/snowdens-impact-on-the-enterprise-how-mobile-security-is-evolving-post-nsa-leak/

I really question who is fabricating what.
Re: [cryptography] Snowden: Fabricating Digital Keys?
> that if Snowden has access to them - other people who wish to have access may also have these document - too bad none of them seem to care to educate the public or to expose the incredibly illegal interpretation

The incidence/depth of leakers/leaks over time seems to be increasing. Whether or not the outcome of this particular one will change that remains to be seen. There could be a bit of wait and see going on here.

> Snowden himself said that these controls are irrelevant - his leaks are ...
> 1) More detail on how direct NSA's accesses are is coming ...

He clearly doesn't think that privacy by policy is as effective as privacy by design - where by design, he clearly endorses the use of cryptography with the caveat that NSA breaks into computer systems:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

A note: this was a quote in the context of users asking if their use of crypto would defeat the NSA, not as to internal NSA policy/application.

Even under what might be this new post 911 open sharing model, it would seem reasonable to assume that information regarding actual cryptanalysis capabilities would be compartmented [perhaps far and securely] away from the areas that have produced the current stream of news stories. There hasn't been much said of those capa's, no?

After more than a decade of talking with people about these issues, it is incredible to see this shift happen and it was nearly over night for some people! Unfortunately, unlike those with their ear to the ground for these sort of things (which really doesn't require any hearing aid to begin with), some people just refuse to get it until it's on newsprint in front of them. Now they're begging for help to the very same people they laughed off earlier.

As much as we might want to say get lost, it still feels good to finally be recognized as having been right all along. And the advice is still the same in general: encrypt everything.
Re: [cryptography] Snowden: Fabricating Digital Keys?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/28, Nico Williams wrote:
>> How would one fabricate a digital key?
>
> They probably meant something that sounds close. E.g., minted a certificate, or a ticket, or token, or whatever the thing is, by subverting an issuing authority or its processes (possibly via social engineering).

personally, i'm skeptical as to whether it was even necessary for snowden to fabricate digital keys.

>> He used his root access to get into other people's accounts.
>
> Depending on how careless the others are one might not even need root. It can be very easy to escalate privilege when people are careless.

many of the documents that have been publicly released thus far have been classified at the top secret level. many (if not all) of those were also categorized under various special access programs. if these top secret documents were being stored in an environment that was in compliance with security policies, snowden would not have been able to access them (even if he legitimately had root access). these files should have been stored on systems with mandatory access controls in place and they should have been properly labeled. if they had been, he would not have been able to access the files and we would not be having this discussion.

the alternative explanation is that all of these security controls were in place and that snowden did, in fact, somehow fabricate digital keys in order to gain access to the files. without serious lapses in security, however, neither should be possible.

- -chl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQF8BAEBCgBmBQJRznyrXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5RUE3NjY3OTY3NTE0RjAyMDgyRTNBQzAy
QkE2NTVENTVDODgzNUVCAAoJECumVdVciDXrbWkH+gPY0n8pjbt6NgRMgNjDOUjM
OM8b6xk5EbFLyavirnl0vTdzrm4mV7nzP0SnBrNs743zxJal5Y//QL143tb+Se42
s72ggU3NowQGFKO/ERrl+AqGknCl9xkx7/R6ImH9g3K3WRft1vxwwPlH6XdrmhVc
i2maXDV1Mbasd4r3yRq07wm6lKrfN7vNEvZIY4LrnZUwN/ivBA0rdnUusVw1cemQ
v2faITNbxy61Q9SOScCD4Xx1HgCMTHPcLNoZq+gertvmjURKLORgH4hvblecKlPm
Mniqik4QiCeZEBcyIgwfl5cSk5pfoZJZwALJlLbd+XNSGF2kUmTF1SmMvrSxbtw=
=VUkL
-----END PGP SIGNATURE-----
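The two control ideas raised in this thread, the mandatory labelling that chl describes above (a root-capable administrator still cannot read an object whose label his clearance does not dominate) and the "automated reporting" of aggregate queries per quarter plus detection of unauthorized access from the FISA bill excerpt earlier in the thread, can be shown together in a small model. The code below is an added example, not code from the mailing-list thread or from any agency system; the level ordering, the `LEVEL//COMP/COMP` label syntax, the log-line format and every user, label and record in it are constructed for illustration.

```python
"""Mandatory access control (MAC) label check, plus an audit pass over access-log
lines. Added illustration; all labels, users and log lines are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Hierarchical sensitivity levels (constructed ordering; a higher number dominates).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level >= other's level AND a superset of its
        compartments (the compartments stand in for special access programs)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_label(text: str) -> Label:
    """Parse the constructed 'TOP_SECRET//SI/TK' syntax into a Label."""
    level, _, comps = text.partition("//")
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return Label(level, frozenset(c for c in comps.split("/") if c))


def mac_allows_read(subject: Label, obj: Label, is_root: bool = False) -> bool:
    """Simple-security property ('no read up'). is_root is accepted and ignored on
    purpose: discretionary privilege does not override a mandatory label check."""
    return subject.dominates(obj)


@dataclass
class AccessRecord:
    when: date
    user: str
    clearance: Label
    obj_label: Label
    root: bool


def parse_log_line(line: str) -> AccessRecord:
    """Constructed log format: date|user|clearance|object_label|root(0/1)."""
    d, user, clr, obj, root = line.strip().split("|")
    return AccessRecord(date.fromisoformat(d), user, parse_label(clr),
                        parse_label(obj), root == "1")


def quarter(d: date) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def audit(lines):
    """Return (queries per quarter, denials). The per-quarter Counter mirrors the
    bill's aggregate quarterly query report; the denial list is the 'spot attempts
    to access without proper authorization' part: every record the MAC policy
    would refuse, regardless of root."""
    per_quarter = Counter()
    denials = []
    for line in lines:
        rec = parse_log_line(line)
        q = quarter(rec.when)
        per_quarter[q] += 1
        if not mac_allows_read(rec.clearance, rec.obj_label, rec.root):
            denials.append((q, rec.user, rec.obj_label))
    return per_quarter, denials


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2013-04-02|sysadmin1|SECRET|TOP_SECRET//SI|1",             # root, no TS clearance
    "2013-04-15|analyst7|TOP_SECRET//SI/TK|TOP_SECRET//SI|0",   # dominates: allowed
    "2013-05-20|analyst7|TOP_SECRET//SI/TK|TOP_SECRET//SI/TK/HCS|0",  # lacks HCS
    "2013-07-01|sysadmin1|SECRET|SECRET|1",                     # allowed
]

if __name__ == "__main__":
    counts, denied = audit(SAMPLE_LOG)
    print(dict(counts))
    for q, user, label in denied:
        print(f"{q}: {user} denied {label.level}//{'/'.join(sorted(label.compartments))}")
```

The point of the `is_root` parameter is that it does nothing: in a labelled system the administrator's discretionary rights are irrelevant to the dominance test, which is exactly why chl argues that properly labelled files would not have been readable with root alone. The audit pass is deliberately run over the log after the fact, as the bill's provision describes, rather than in the enforcement path.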
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 6:01 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>> How would one fabricate a digital key?

They probably meant something that sounds close. E.g., minted a certificate, or a ticket, or token, or whatever the thing is, by subverting an issuing authority or its processes (possibly via social engineering).

It's not like there are many people outside [a very small part of] the tech industry who'd understand what was said or meant (or meant to be said), or even what actually happened. What does it matter if a journalist writes "digital key" when perhaps what they heard was "digital certificate" followed by a brief, overly simplified explanation of PKI concepts? We're not the audience, and the public won't know the difference -- it's all gibberish unless analogized to off-line concepts.

I don't think there's any chance that Snowden broke a public key algorithm in use at the NSA -- there's always an easier path, particularly for a well-placed insider. Insiders are usually the biggest threat to any organization. There isn't much you can do about them except limit the scope of damage they may cause (e.g., by limiting the size of the data collection they may access, by, e.g., not being such a large organization).

> He used his root access to get into other people's accounts.

Depending on how careless the others are one might not even need root. It can be very easy to escalate privilege when people are careless.
[cryptography] Snowden: Fabricating Digital Keys?
This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:

"Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."

How would one fabricate a digital key?

-Bill
Re: [cryptography] Snowden: Fabricating Digital Keys?
That depends on the system. Consider how HDCP encryption was broken: https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection

It used a scheme where access to enough keys allowed you to calculate the master key, breaking the entire scheme.

2013/6/25 Bill Scannell <b...@scannell.org>
> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>
> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."
>
> How would one fabricate a digital key?
>
> -Bill
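Natanael's HDCP remark is the one place in this thread where "fabricating a key" has a precise technical meaning: in a scheme where each device's secret key vector is a linear function of its public identifier under a secret master matrix, collecting enough independent device key sets lets anyone solve for the master and then issue a valid key for an identifier the licensing authority never signed. The example below is an added illustration, not code from the thread, from HDCP or from the published analysis of it (Crosby, Goldberg, Johnson, Song and Wagner, 2001). It is a toy over a prime field with an 8-dimensional master matrix; HDCP itself uses 40-element key vectors with arithmetic modulo 2^56, and those parameters are not reproduced here. All vectors are generated at random from a fixed seed.

```python
"""Toy model of a linear (Blom/HDCP-style) key-distribution scheme, showing why
exposing n independent device key sets recovers the n x n master matrix.
Added illustration with constructed, non-HDCP parameters."""
import random

P = 2_147_483_647   # prime modulus (constructed; a Mersenne prime)
N = 8               # key-vector dimension (constructed; far smaller than HDCP's 40)


def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % P for i in range(len(M))]


def make_master(rng):
    """Symmetric secret matrix, so that shared(i, j) == shared(j, i)."""
    M = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            M[i][j] = M[j][i] = rng.randrange(P)
    return M


def issue_device_key(M, public_vec):
    """Licensing authority: device key k = M * v (mod P), v being the public
    identifier (the role a KSV plays in HDCP)."""
    return mat_vec(M, public_vec)


def shared_secret(my_key, their_public):
    """Pairwise secret: k_i . v_j == v_i^T M v_j, identical from either side."""
    return sum(a * b for a, b in zip(my_key, their_public)) % P


def solve_mod_p(A, B):
    """Solve A X = B over Z_P for square A by Gauss-Jordan elimination; B may have
    several columns. Raises if A is singular (dependent public vectors)."""
    n = len(A)
    aug = [A[i][:] + B[i][:] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % P), None)
        if piv is None:
            raise ValueError("public vectors are linearly dependent; need more key sets")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def recover_master(publics, keys):
    """Given n exposed (public vector, issued key) pairs: K = M V, so
    V^T M^T = K^T; solve for X = M^T and transpose."""
    n = len(publics)
    X = solve_mod_p([list(v) for v in publics], [list(k) for k in keys])
    return [[X[j][i] for j in range(n)] for i in range(n)]


def demo(seed=1):
    """Returns three booleans: master recovered; key for an unissued identifier
    matches what the authority would have issued; that key interoperates."""
    rng = random.Random(seed)
    M = make_master(rng)
    publics = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]  # N exposed devices
    keys = [issue_device_key(M, v) for v in publics]
    M_rec = recover_master(publics, keys)
    new_public = [rng.randrange(P) for _ in range(N)]   # identifier never issued
    derived = issue_device_key(M_rec, new_public)
    legit = issue_device_key(M, new_public)
    interoperates = shared_secret(derived, publics[0]) == shared_secret(keys[0], new_public)
    return M_rec == M, derived == legit, interoperates


if __name__ == "__main__":
    print(demo())
```

The design lesson is the collusion threshold: a Blom-type scheme with an n-dimensional master is information-theoretically secure against fewer than n exposed key sets and completely broken at n, so the threshold has to be set against the realistic number of devices an adversary can compromise, and once it is passed there is nothing to revoke except every key in the system. The scheme's attraction, offline pairwise agreement with no online authority, is exactly what a PRF-based derivation cannot offer, so the fix is not a drop-in replacement but a different protocol (for example public-key based device authentication).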
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Jun 25, 2013, at 5:38 PM, Thor Lancelot Simon wrote:
> On Tue, Jun 25, 2013 at 05:17:04PM -0400, Bill Scannell wrote:
>> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>>
>> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."
>>
>> How would one fabricate a digital key?
>
> Presumably using administrative access to the machinery of a certificate authority or a signing system for security assertions.

That makes sense. I figured that the easiest way would be through the CA. While I understand the NSA paradox in that the lower one is in their organization, the more one knows, what puzzles me is how or why a random low-level contractor would have root CA access, assuming that was the case.
Re: [cryptography] Snowden: Fabricating Digital Keys?
maybe he just used other people's ssh keys that were protected by a weak (or no) passphrase?

"fabricate" is a pretty strong word, but under the "least untruthful" standard that James Clapper says he's applied to congressional testimony, there are numerous interpretive possibilities.

On Jun 25, 2013, at 2:32 PM, Natanael <natanae...@gmail.com> wrote:
> That depends on the system. Consider how HDCP encryption was broken: https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection
>
> It used a scheme where access to enough keys allowed you to calculate the master key, breaking the entire scheme.
>
> 2013/6/25 Bill Scannell <b...@scannell.org>
>> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>>
>> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."
>>
>> How would one fabricate a digital key?
>>
>> -Bill
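Mark's suggestion, SSH private keys sitting on disk with a weak or empty passphrase, is something a defender can check for directly, because the key file's envelope records whether it is encrypted at all. The code below is an added example, not code from the thread or from OpenSSH: it parses the header of the `openssh-key-v1` format (magic string, then cipher name, KDF name and KDF options as length-prefixed strings; both names are `none` for an unprotected key) and, for legacy PEM keys, looks for the `Proc-Type: 4,ENCRYPTED` header. The sample keys are synthetic envelopes built by `build_openssh_v1()` with placeholder payloads and contain no key material; the legacy PEM samples are likewise constructed.

```python
"""Audit SSH private key files for missing passphrase protection by inspecting the
on-disk envelope only. Added illustration; sample keys are synthetic."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN_V1 = "-----BEGIN OPENSSH PRIVATE KEY-----"
END_V1 = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_v1(cipher: str, kdf: str, kdfopts: bytes = b"") -> str:
    """Construct a minimal synthetic openssh-key-v1 envelope with placeholder
    public/private sections (not a usable key)."""
    body = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"placeholder-public") + _ssh_string(b"placeholder-private"))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return BEGIN_V1 + "\n" + "\n".join(lines) + "\n" + END_V1 + "\n"


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_openssh_v1(text: str) -> dict:
    """Decode the envelope header: cipher, KDF and key count."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN_V1 or lines[-1] != END_V1:
        raise ValueError("not an openssh-key-v1 envelope")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)
    kdf, off = _read_string(raw, off)
    _opts, off = _read_string(raw, off)
    (nkeys,) = struct.unpack_from(">I", raw, off)
    return {"format": "openssh-key-v1", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "nkeys": nkeys}


def classify_key(text: str) -> dict:
    """Return format details plus a 'protected' flag; unknown envelopes raise."""
    head = text.lstrip().splitlines()[0].strip()
    if head == BEGIN_V1:
        info = parse_openssh_v1(text)
        info["protected"] = info["cipher"] != "none" and info["kdf"] != "none"
        return info
    if head.startswith("-----BEGIN ") and head.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by RFC 1421-style headers.
        encrypted = any(ln.strip().startswith("Proc-Type: 4,ENCRYPTED")
                        for ln in text.splitlines())
        return {"format": "pem", "protected": encrypted}
    raise ValueError("unrecognised private key envelope")


# Constructed samples: none of these is a real key.
SAMPLE_KEYS = {
    "unprotected": build_openssh_v1("none", "none"),
    "protected": build_openssh_v1("aes256-ctr", "bcrypt", b"\x00" * 20),
    "legacy_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                         "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}


def audit(keys: dict) -> list:
    """Names of keys that lack passphrase protection."""
    return [name for name, text in keys.items() if not classify_key(text)["protected"]]


if __name__ == "__main__":
    print("unprotected keys:", audit(SAMPLE_KEYS))
```

Feeding `classify_key()` the contents of each file under a user's `~/.ssh` directory lists the keys that need a passphrase (`ssh-keygen -p` adds one to an existing key). The check reads only the header, so it never needs the passphrase and can run as an unprivileged inventory job; it says nothing about passphrase strength, which the envelope does not record.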
Re: [cryptography] Snowden: Fabricating Digital Keys?
On Tue, Jun 25, 2013 at 5:47 PM, Mark Seiden <m...@seiden.com> wrote:
> maybe he just used other people's ssh keys that were protected by a weak (or no) passphrase?
>
> "fabricate" is a pretty strong word, but under the "least untruthful" standard that James Clapper says he's applied to congressional testimony, there are numerous interpretive possibilities.

What's more likely is there were little/no/improper access controls (Bradley Manning FTW!), and the government is fabricating the claim.

Jeff

> On Jun 25, 2013, at 2:32 PM, Natanael <natanae...@gmail.com> wrote:
>> That depends on the system. Consider how HDCP encryption was broken: https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection
>>
>> It used a scheme where access to enough keys allowed you to calculate the master key, breaking the entire scheme.
>>
>> 2013/6/25 Bill Scannell <b...@scannell.org>
>>> This Daily Beast story on Causa Snowden (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html) contains the following sentence:
>>>
>>> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."
>>>
>>> How would one fabricate a digital key?
Re: [cryptography] Snowden: Fabricating Digital Keys?
Bill Scannell <b...@scannell.org> writes:
> "Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator."
>
> How would one fabricate a digital key?

He used his root access to get into other people's accounts.

(Running a fake CA? You people are really over-thinking these things :-).

Peter.