Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Aaron Zauner
Wow. First appearance on this list. Somewhat lame though, just dropping of
a link.

On Thu, Jul 4, 2013 at 8:47 PM, Phillip Hallam-Baker wrote:

> I read an article today that claims one and a half million people have a
> Top Secret clearance.
>

http://projects.washingtonpost.com/top-secret-america/


azet
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Richard Salz
> How could it be arranged that "if anything happens at all to Edward
> Snowden, he told me he has arranged for them to get access to the full
> archives"?

A lawyer or other (paid) confidant was given instructions that would
disclose the key.  "Do this if something happens to me."

It doesn't have to be an on-line mechanism.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Phillip Hallam-Baker
I read an article today that claims one and a half million people have a
Top Secret clearance.

That kind of demonstrates how little Top Secret now means.


On Sun, Jun 30, 2013 at 2:16 PM, Florian Weimer  wrote:

> * John Gilmore:
>
> > [John here.  Let's try some speculation about what this phrase,
> > "fabricating digital keys", might mean.]
>
> Most likely, as part of his job at the contractor, he had
> administrator access to a system which was used for key management,
> perhaps to apply security updates, manage backups or fix the
> occasional glitch.  This is precisely the kind of low-level grunt work
> that I expect is outsourced to contractors.
>
> It's also possible that he was directly charged with key management.
> I can image that someone thought that as long as some agency committee
> made the actual decisions, it was fine to hire an external data typist
> who entered the committee decision in to the key management system.
>
> It's really funny that "NSA-level security" has now turned pejorative.
> ___
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>



-- 
Website: http://hallambaker.com/
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Florian Weimer
* John Gilmore:

> [John here.  Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

Most likely, as part of his job at the contractor, he had
administrator access to a system which was used for key management,
perhaps to apply security updates, manage backups or fix the
occasional glitch.  This is precisely the kind of low-level grunt work
that I expect is outsourced to contractors.

It's also possible that he was directly charged with key management.
I can image that someone thought that as long as some agency committee
made the actual decisions, it was fine to hire an external data typist
who entered the committee decision in to the key management system.

It's really funny that "NSA-level security" has now turned pejorative.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread StealthMonger
John Gilmore  writes:

> [John here.  Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

>   John

John's question is not the only one raised by this episode.  Eli Lake:

> Glenn Greenwald, the Guardian journalist who Snowden first contacted
> in February, told The Daily Beast on Tuesday that Snowden "has taken
> extreme precautions to make sure many different people around the
> world have these archives to insure the stories will inevitably be
> published."  Greenwald added that the people in possession of these
> files "cannot access them yet because they are highly encrypted and
> they do not have the passwords."  But, Greenwald said, "if anything
> happens at all to Edward Snowden, he told me he has arranged for them
> to get access to the full archives."

How could it be arranged that "if anything happens at all to Edward
Snowden, he told me he has arranged for them to get access to the full
archives"?

Some months ago on another mailing list the question was raised whether
there could be a cryptographically strong "dead man switch" wherein as
long as the owner of a certain secret key is alive, his frequent signed
messages to an open-source robot somewhere would prevent that robot from
revealing the information it harbors, but if the messages stop coming
the robot would release the information (presumably further encrypted to
selected recipients). [1]

James A. Donald pointed out that it couldn't be done because one could
simply disconnect the robot from the Internet.

The effect could still be achieved though, by putting the robot in a
place that cannot be disconnected from the Internet, such as a widely
used public web server.  But this is not cryptographically strong.

So the question is how did Snowden get the effect of a "dead man switch"
in the present case.

[1] http://lists.randombit.net/pipermail/cryptography/2012-September/thread.html

-- 


 -- StealthMonger 
Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html


Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key



pgp18Zsq3AOVz.pgp
Description: PGP signature
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Damien Miller
On Sat, 29 Jun 2013, Alec Muffett wrote:

> My own, personal guess is that it is obfuscation which translates as "using
> passwords" or "accessing a portal over SSL" plus "we're too embarrassed to
> admit that it was that easy".

Or simply:

http://cms.intranet.boozallen.com/document?id=${N}
http://cms.intranet.boozallen.com/document?id=${N + 1}
etc.


___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Russ Nelson
John Denker writes:
 > It is against NSA policy to attach a thumb drive.  I betcha some
 > folks really want to know how he did that without getting caught.

Take a mouse. Remove its own electronics. Substitute a Teensy 2 which
emulates a mouse AND a thumb drive, but only after a certain
combination of mouse keys is pressed. Later, at your leisure, remove
the micro-sd card and stick it inside a hollow nickle. Walk out with
it. Leave the mouse. Easy-peasy.

Trust nothing that plugs into a USB port. Not even an extender cable.

-- 
--my blog is athttp://blog.russnelson.com
Crynwr supports open source software
521 Pleasant Valley Rd. | +1 315-600-8815
Potsdam, NY 13676-3213  | Sheepdog   
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Phillip Hallam-Baker
I think that fabricating a key here is more likely to mean fabricating an
authentication 'key' rather than an encryption key. Alexander is talking to
Congress and is deliberately being less than precise.

So I would think in terms of application level vulnerabilities in Web based
document servers.

One of the things that I have thought weak in our current approach to use
of crypto is the way that we divide up access control into authentication
and authorization. So basically if Bradley had a possible need to see a
file then he has an authorization letting him see it. Using access control
alone encourages permissions to be given out promiscuously.

The Snowden situation sounds like something slightly different. Alexander
says he was not authorized but he was able to get access. The common way
that happens on the Web is that Alice has account number 1234 and
authenticates herself to the server and gets back a URI ending something
like ?acct=1234& To get access to Bob's account she simply changes that
to ?acct=1235&...

It should not work, but it works very often in the real world. Having
worked with contractors I have seen people hired out as 'programers' at
$1500 per day whose only coding experience was hacking Dephi databases. No
C, C++, Java or C#. Not even a scripting language.

So it would not shock me to find out that their document security comes
undone in the same way that it does in commercial systems.

Heads should be rolling on this one. But they won't.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-06-29 Thread Alec Muffett
>>[John here.  Let's try some speculation about what this phrase, "fabricating
digital keys", might mean.]

My own, personal guess is that it is obfuscation which translates as "using
passwords" or "accessing a portal over SSL" plus "we're too embarrassed to
admit that it was that easy".

-- 
http://dropsafe.crypticide.com/aboutalecm
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-06-29 Thread Ray Dillinger

On 06/28/2013 09:36 PM, Udhay Shankar N wrote:

On Sat, Jun 29, 2013 at 4:30 AM, John Gilmore  wrote:


[John here.  Let's try some speculation about what this phrase,
"fabricating digital keys", might mean.]


Perhaps something conceptually similar to PGP's Additional Decryption
Key [1]? If the infrastructure is in place for this, perhaps one might
be able to generate a key on demand, with the appropriate access
permissions.


I read it to mean that the NSA is using some sort of defeatable
cryptography in its own communications with contractors, presumably
to enable internal snooping for purposes of monitoring contractors.
If a contractor then discovers this system, and manages to cryptanalyze
it (or somehow obtain a copy of the snooping software, though that's
not strictly necessary to cryptanalysis) to figure out the corresponding
method of how the snoopers from the NSA generate keys out of thin
air for it, then he might use that method himself to get access to
all the material that other contractors on that system are working
with.

It would be a ridiculously stupid methodology for the NSA to manage
its security affairs this way, but if "fabricated keys" isn't a flat
out lie, then it's the only thing I can think of that makes sense.
And if it is a flat out lie, then lying to congress is fairly serious.
'Tho it wouldn't be the first time that's happened, either.

Bear
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-06-29 Thread John Denker
On 06/28/2013 04:00 PM, John Gilmore wrote:

> Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.

Here's one hypothesis to consider.
 a) The so-called "digital key" was not any sort of decryption key.
 b) The files were available on the NSA machines in the clear.
 c) The files were protected only by something like the Unix file
  protection mechanism ... or the SELinux Mandatory Access Controls.
 d) The "digital key" might have been not much more than a userID
  and password, plus maybe a dongle, allowing him to log in as a 
  shadow member of some group that was supposed to have access to 
  the files.

===

Crypto is great for protecting stuff while it is being transmitted
or being stored offline ... but when the stuff is in active use, 
the temptation is to make a cleartext working copy.  Then anybody
who can attach a thumb drive and can get past the access controls
can grab whatever he wants.

It is against NSA policy to attach a thumb drive.  I betcha some
folks really want to know how he did that without getting caught.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-06-28 Thread Udhay Shankar N
On Sat, Jun 29, 2013 at 4:30 AM, John Gilmore  wrote:

> [John here.  Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

Perhaps something conceptually similar to PGP's Additional Decryption
Key [1]? If the infrastructure is in place for this, perhaps one might
be able to generate a key on demand, with the appropriate access
permissions.

Udhay

[1] http://www.symantec.com/business/support/index?page=content&id=TECH149500

-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


[Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-06-28 Thread John Gilmore
http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html

The Daily Beast

Greenwald: Snowden's Files Are Out There if 'Anything Happens' to Him
by Eli Lake Jun 25, 2013 1:36 PM EDT

Snowden has shared encoded copies of all the documents he took so that they 
won't disappear if he does, Glenn Greenwald tells Eli Lake.

As the U.S. government presses Moscow to extradite former National Security 
Agency contractor Edward Snowden, America's most wanted leaker has a plan B. 
The former NSA systems administrator has already given encoded files containing 
an archive of the secrets he lifted from his old employer to several people. If 
anything happens to Snowden, the files will be unlocked.

Glenn Greenwald, the Guardian journalist who Snowden first contacted in 
February, told The Daily Beast on Tuesday that Snowden "has taken extreme 
precautions to make sure many different people around the world have these 
archives to insure the stories will inevitably be published." Greenwald added 
that the people in possession of these files "cannot access them yet because 
they are highly encrypted and they do not have the passwords." But, Greenwald 
said, "if anything happens at all to Edward Snowden, he told me he has arranged 
for them to get access to the full archives."

The fact that Snowden has made digital copies of the documents he accessed 
while working at the NSA poses a new challenge to the U.S. intelligence 
community that has scrambled in recent days to recover them and assess the full 
damage of the breach. Even if U.S. authorities catch up with Snowden and the 
four classified laptops the Guardian reported he brought with him to Hong Kong 
the secrets Snowden hopes to expose will still likely be published.

A former U.S. counterintelligence officer following the Snowden saga closely 
said his contacts inside the U.S. intelligence community "think Snowden has 
been planning this for years and has stashed files all over the Internet." This 
source added, "At this point there is very little anyone can do about this."

The arrangement to entrust encrypted archives of his files with others also 
sheds light on a cryptic statement Snowden made on June 17 during a live chat 
with The Guardian. In the online session he said, "All I can say right now is 
the U.S. government is not going to be able to cover this up by jailing or 
murdering me. Truth is coming, and it cannot be stopped."

Last week NSA Director Keith Alexander told the House Permanent Select 
Committee on Intelligence that Snowden was able to access files inside the NSA 
by fabricating digital keys that gave him access to areas he was not allowed to 
visit as a low-level contractor and systems administrator. One of those areas 
included a site he visited during his training that Alexander later told 
reporters contained one of the Foreign Intelligence Surveillance Act (FISA) 
Court orders published by The Guardian and The Washington Post earlier this 
month.

[John here.  Let's try some speculation about what this phrase,
"fabricating digital keys", might mean.]

John
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography