Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
Wow. First appearance on this list. Somewhat lame though, just dropping of a link.

On Thu, Jul 4, 2013 at 8:47 PM, Phillip Hallam-Baker wrote:
> I read an article today that claims one and a half million people have a
> Top Secret clearance.
> http://projects.washingtonpost.com/top-secret-america/

azet

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
> How could it be arranged that "if anything happens at all to Edward
> Snowden, he told me he has arranged for them to get access to the full
> archives"?

A lawyer or other (paid) confidant was given instructions that would disclose the key. "Do this if something happens to me." It doesn't have to be an on-line mechanism.
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
I read an article today that claims one and a half million people have a Top Secret clearance.

That kind of demonstrates how little Top Secret now means.

On Sun, Jun 30, 2013 at 2:16 PM, Florian Weimer wrote:
> * John Gilmore:
>
> > [John here. Let's try some speculation about what this phrase,
> > "fabricating digital keys", might mean.]
>
> Most likely, as part of his job at the contractor, he had
> administrator access to a system which was used for key management,
> perhaps to apply security updates, manage backups or fix the
> occasional glitch. This is precisely the kind of low-level grunt work
> that I expect is outsourced to contractors.
>
> It's also possible that he was directly charged with key management.
> I can imagine that someone thought that as long as some agency committee
> made the actual decisions, it was fine to hire an external data typist
> who entered the committee decision in to the key management system.
>
> It's really funny that "NSA-level security" has now turned pejorative.

--
Website: http://hallambaker.com/
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
* John Gilmore:

> [John here. Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

Most likely, as part of his job at the contractor, he had administrator access to a system which was used for key management, perhaps to apply security updates, manage backups or fix the occasional glitch. This is precisely the kind of low-level grunt work that I expect is outsourced to contractors.

It's also possible that he was directly charged with key management. I can imagine that someone thought that as long as some agency committee made the actual decisions, it was fine to hire an external data typist who entered the committee decision in to the key management system.

It's really funny that "NSA-level security" has now turned pejorative.
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
John Gilmore writes:

> [John here. Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]
> John

John's question is not the only one raised by this episode.

Eli Lake:

> Glenn Greenwald, the Guardian journalist who Snowden first contacted
> in February, told The Daily Beast on Tuesday that Snowden "has taken
> extreme precautions to make sure many different people around the
> world have these archives to insure the stories will inevitably be
> published." Greenwald added that the people in possession of these
> files "cannot access them yet because they are highly encrypted and
> they do not have the passwords." But, Greenwald said, "if anything
> happens at all to Edward Snowden, he told me he has arranged for them
> to get access to the full archives."

How could it be arranged that "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives"?

Some months ago on another mailing list the question was raised whether there could be a cryptographically strong "dead man switch" wherein as long as the owner of a certain secret key is alive, his frequent signed messages to an open-source robot somewhere would prevent that robot from revealing the information it harbors, but if the messages stop coming the robot would release the information (presumably further encrypted to selected recipients). [1]

James A. Donald pointed out that it couldn't be done because one could simply disconnect the robot from the Internet.

The effect could still be achieved though, by putting the robot in a place that cannot be disconnected from the Internet, such as a widely used public web server. But this is not cryptographically strong.

So the question is how did Snowden get the effect of a "dead man switch" in the present case.

[1] http://lists.randombit.net/pipermail/cryptography/2012-September/thread.html

--
-- StealthMonger
Long, random latency is part of the price of Internet anonymity.

anonget: Is this anonymous browsing, or what?
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

stealthmail: Hide whether you're doing email, or when, or with whom.
mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key
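The robot side of the "dead man switch" described in the message above, as an added example that is not part of the original post or of any system it mentions. It assumes an HMAC over a counter in place of the "signed messages" (the standard library has no public-key signatures), takes the robot's clock as a parameter, and uses the hypothetical names Robot and make_heartbeat; it does not address the objection that the robot can be disconnected.

```python
import hashlib
import hmac


def make_heartbeat(key: bytes, counter: int) -> bytes:
    """Owner side: authenticate a strictly increasing counter."""
    return hmac.new(key, str(counter).encode(), hashlib.sha256).digest()


class Robot:
    """Holds the payload; releases it once heartbeats stop for `timeout` seconds."""

    def __init__(self, key: bytes, timeout: int, now: int):
        self.key = key
        self.timeout = timeout
        self.last_seen = now      # time of the last accepted heartbeat
        self.last_counter = 0     # highest counter accepted so far
        self.released = False

    def tick(self, now: int) -> bool:
        """Periodic check. Release is permanent once the deadline has passed."""
        if now - self.last_seen > self.timeout:
            self.released = True
        return self.released

    def heartbeat(self, counter: int, tag: bytes, now: int) -> bool:
        """Accept a heartbeat only if it is on time, authentic and fresh."""
        if self.tick(now):
            return False          # arrived after release: cannot undo it
        if not hmac.compare_digest(make_heartbeat(self.key, counter), tag):
            return False          # forged or corrupted message
        if counter <= self.last_counter:
            return False          # replay of an old heartbeat
        self.last_counter = counter
        self.last_seen = now
        return True
```

The replay check matters here: without it, anyone who recorded one heartbeat could keep the robot silent indefinitely after the owner stops sending.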
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
On Sat, 29 Jun 2013, Alec Muffett wrote:

> My own, personal guess is that it is obfuscation which translates as "using
> passwords" or "accessing a portal over SSL" plus "we're too embarrassed to
> admit that it was that easy".

Or simply:

http://cms.intranet.boozallen.com/document?id=${N}
http://cms.intranet.boozallen.com/document?id=${N + 1}

etc.
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
John Denker writes:

> It is against NSA policy to attach a thumb drive. I betcha some
> folks really want to know how he did that without getting caught.

Take a mouse. Remove its own electronics. Substitute a Teensy 2 which emulates a mouse AND a thumb drive, but only after a certain combination of mouse keys is pressed. Later, at your leisure, remove the micro-sd card and stick it inside a hollow nickel. Walk out with it. Leave the mouse. Easy-peasy.

Trust nothing that plugs into a USB port. Not even an extender cable.

--
--my blog is at http://blog.russnelson.com
Crynwr supports open source software
521 Pleasant Valley Rd. | +1 315-600-8815
Potsdam, NY 13676-3213 | Sheepdog
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
I think that fabricating a key here is more likely to mean fabricating an authentication 'key' rather than an encryption key. Alexander is talking to Congress and is deliberately being less than precise. So I would think in terms of application level vulnerabilities in Web based document servers.

One of the things that I have thought weak in our current approach to use of crypto is the way that we divide up access control into authentication and authorization. So basically if Bradley had a possible need to see a file then he has an authorization letting him see it. Using access control alone encourages permissions to be given out promiscuously.

The Snowden situation sounds like something slightly different. Alexander says he was not authorized but he was able to get access. The common way that happens on the Web is that Alice has account number 1234 and authenticates herself to the server and gets back a URI ending something like ?acct=1234& To get access to Bob's account she simply changes that to ?acct=1235&... It should not work, but it works very often in the real world.

Having worked with contractors I have seen people hired out as 'programmers' at $1500 per day whose only coding experience was hacking Delphi databases. No C, C++, Java or C#. Not even a scripting language. So it would not shock me to find out that their document security comes undone in the same way that it does in commercial systems.

Heads should be rolling on this one. But they won't.
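The ?acct=1234 case from the message above, as an added example that is not part of the original post: a handler that only authenticates, beside one that also checks the named record against the caller and logs denials. All names and the account data are constructed for illustration, and the probing check at the end generalises slightly beyond the post to show how the denial log can be used.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data: account number -> owner and contents.
ACCOUNTS = {
    1234: {"owner": "alice", "statement": "alice: balance 40.00"},
    1235: {"owner": "bob", "statement": "bob: balance 9000.00"},
}

@dataclass(frozen=True)
class Session:
    user: str  # identity established at login (authentication only)

class Forbidden(Exception):
    pass

def parse_acct(query: str) -> int:
    """Extract the single numeric acct value from a query string."""
    values = parse_qs(query.lstrip("?")).get("acct", [])
    if len(values) != 1 or not (values[0].isascii() and values[0].isdigit()):
        raise Forbidden("malformed acct parameter")
    return int(values[0])

def fetch_unchecked(session: Session, query: str) -> str:
    # Flawed: any logged-in user gets whatever record the URI names.
    return ACCOUNTS[parse_acct(query)]["statement"]

def fetch_checked(session: Session, query: str, audit: list) -> str:
    # Object-level authorization: the record must belong to the caller.
    acct = parse_acct(query)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session.user:
        # Same answer for "missing" and "not yours", so responses do not
        # reveal which account numbers exist; the denial is logged.
        audit.append((session.user, acct, "denied"))
        raise Forbidden("not authorized for this account")
    return record["statement"]

def probing_users(audit: list, threshold: int = 3) -> set:
    """Users with at least `threshold` distinct denied account numbers."""
    seen = {}
    for user, acct, outcome in audit:
        if outcome == "denied":
            seen.setdefault(user, set()).add(acct)
    return {u for u, accts in seen.items() if len(accts) >= threshold}
```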
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
>> [John here. Let's try some speculation about what this phrase,
>> "fabricating digital keys", might mean.]

My own, personal guess is that it is obfuscation which translates as "using passwords" or "accessing a portal over SSL" plus "we're too embarrassed to admit that it was that easy".

--
http://dropsafe.crypticide.com/aboutalecm
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
On 06/28/2013 09:36 PM, Udhay Shankar N wrote:
> On Sat, Jun 29, 2013 at 4:30 AM, John Gilmore wrote:
> > [John here. Let's try some speculation about what this phrase,
> > "fabricating digital keys", might mean.]
>
> Perhaps something conceptually similar to PGP's Additional Decryption
> Key [1]? If the infrastructure is in place for this, perhaps one might
> be able to generate a key on demand, with the appropriate access
> permissions.

I read it to mean that the NSA is using some sort of defeatable cryptography in its own communications with contractors, presumably to enable internal snooping for purposes of monitoring contractors. If a contractor then discovers this system, and manages to cryptanalyze it (or somehow obtain a copy of the snooping software, though that's not strictly necessary to cryptanalysis) to figure out the corresponding method of how the snoopers from the NSA generate keys out of thin air for it, then he might use that method himself to get access to all the material that other contractors on that system are working with.

It would be a ridiculously stupid methodology for the NSA to manage its security affairs this way, but if "fabricated keys" isn't a flat out lie, then it's the only thing I can think of that makes sense. And if it is a flat out lie, then lying to congress is fairly serious. 'Tho it wouldn't be the first time that's happened, either.

Bear
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
On 06/28/2013 04:00 PM, John Gilmore wrote:

> Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.

Here's one hypothesis to consider.

 a) The so-called "digital key" was not any sort of decryption key.
 b) The files were available on the NSA machines in the clear.
 c) The files were protected only by something like the Unix file protection mechanism ... or the SELinux Mandatory Access Controls.
 d) The "digital key" might have been not much more than a userID and password, plus maybe a dongle, allowing him to log in as a shadow member of some group that was supposed to have access to the files.

===

Crypto is great for protecting stuff while it is being transmitted or being stored offline ... but when the stuff is in active use, the temptation is to make a cleartext working copy. Then anybody who can attach a thumb drive and can get past the access controls can grab whatever he wants.

It is against NSA policy to attach a thumb drive. I betcha some folks really want to know how he did that without getting caught.
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
On Sat, Jun 29, 2013 at 4:30 AM, John Gilmore wrote:
> [John here. Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

Perhaps something conceptually similar to PGP's Additional Decryption Key [1]? If the infrastructure is in place for this, perhaps one might be able to generate a key on demand, with the appropriate access permissions.

Udhay

[1] http://www.symantec.com/business/support/index?page=content&id=TECH149500

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
[Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html

The Daily Beast

Greenwald: Snowden's Files Are Out There if 'Anything Happens' to Him

by Eli Lake
Jun 25, 2013 1:36 PM EDT

Snowden has shared encoded copies of all the documents he took so that they won't disappear if he does, Glenn Greenwald tells Eli Lake.

As the U.S. government presses Moscow to extradite former National Security Agency contractor Edward Snowden, America's most wanted leaker has a plan B. The former NSA systems administrator has already given encoded files containing an archive of the secrets he lifted from his old employer to several people. If anything happens to Snowden, the files will be unlocked.

Glenn Greenwald, the Guardian journalist who Snowden first contacted in February, told The Daily Beast on Tuesday that Snowden "has taken extreme precautions to make sure many different people around the world have these archives to insure the stories will inevitably be published." Greenwald added that the people in possession of these files "cannot access them yet because they are highly encrypted and they do not have the passwords." But, Greenwald said, "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives."

The fact that Snowden has made digital copies of the documents he accessed while working at the NSA poses a new challenge to the U.S. intelligence community that has scrambled in recent days to recover them and assess the full damage of the breach. Even if U.S. authorities catch up with Snowden and the four classified laptops the Guardian reported he brought with him to Hong Kong the secrets Snowden hopes to expose will still likely be published.

A former U.S. counterintelligence officer following the Snowden saga closely said his contacts inside the U.S. intelligence community "think Snowden has been planning this for years and has stashed files all over the Internet." This source added, "At this point there is very little anyone can do about this."

The arrangement to entrust encrypted archives of his files with others also sheds light on a cryptic statement Snowden made on June 17 during a live chat with The Guardian. In the online session he said, "All I can say right now is the U.S. government is not going to be able to cover this up by jailing or murdering me. Truth is coming, and it cannot be stopped."

Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level contractor and systems administrator. One of those areas included a site he visited during his training that Alexander later told reporters contained one of the Foreign Intelligence Surveillance Act (FISA) Court orders published by The Guardian and The Washington Post earlier this month.

[John here. Let's try some speculation about what this phrase, "fabricating digital keys", might mean.]

John